Companies Respond To The GDPR By Blocking All EU Users

from the the-splinternet dept

We’ve talked a bunch about the GDPR recently. While the effort is well-meaning (some may disagree with this) and does have some good ideas concerning data control and transparency, we still feel that it was put in place by people who had little idea of the impact it would actually have, and will have disastrous consequences on online speech, in particular. And, since the GDPR has a long-arm aspect that will impact people across the globe (not just in the EU), there has been plenty of scrambling by companies to “become compliant” with the GDPR. This is almost certainly going to lead to a huge number of lawsuits over the next few years, with an awful lot of uncertainty. While some consultants have cleaned up in helping companies become what they hope is “compliant” (hence you probably receiving dozens of updated privacy agreements and terms of service notices lately), some companies have realized it’s just too much of a hassle and decided to block all access to EU users.

F-Secure’s Mikko Hypponen has been tracking a bunch of examples and also highlighted a (currently offline, but can be seen at the Internet Archive) site called GDPR Shield that gives you some simple javascript to block EU visitors (assuming they have Javascript turned on, and their location is determined accurately — both of which may be big assumptions). Among those that Hypponen has noted cutting off EU users are the following: Ragnarok Online, Verve, Brent Ozar,, SMNC, Tunngle, Drawbridge and Steel Root.

Hypponen also notes the very different reactions to all of this from EU readers and US readers. EU folks seem to be generally supportive of the GDPR and think that companies shutting down service are either stupid & ignorant or evil and thus should shut down. On the US side, he notes people are smug about how this serves the EU right and will harm the EU.

It’s entirely possible both are right.

But the larger issue to me is how this is increasingly splintering the internet, and doing so in a way that we’re not entirely prepared for. The GDPR has significant problems — even if it does also have some good stuff. The fact that it feels like supporters of the GDPR refuse to fix the problems seems troubling. It’s going to have quite an impact and there seems to be little concern among those who support it. They automatically default to the idea that opposing the GDPR means that you want to do something bad, no matter how inaccurate that statement is.

It would have been much better if those crafting the GDPR had actually bothered to listen to the wider concerns. And, barring that, if they hadn’t made the reach of the law go so far beyond EU borders where it will rule over the internet and the rest of us have to deal with. They could have preserved some of the good ideas concerning control and transparency, without creating so much of a mess for everything else. But they chose not to, and now we’re all going to leap off the cliff together and see how everyone ends up.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Companies Respond To The GDPR By Blocking All EU Users”

Subscribe: RSS Leave a comment
fred smith says:


Quoting “if they hadn’t made the reach of the law go so far beyond EU borders where it will rule over the internet” will be a widely shared sentiment I expect, in a similar fashion to the one we hear in “leftpondia” which is, “who the heck do the US financial regulatory bodies think that they are messing with our banks and companies?”.

Beta (profile) says:

Re: Re: GDPR

In order to make that argument work, you must show where the symmetry breaks. You must argue that the EU has more right to meddle with my newspaper than the US has to meddle with your bank, and that the US has less imperative to protect US citizens (and their money) than the EU has to protect its citizens (and their data).

Sharur (profile) says:

Re: Re: Re:2 GDPR

Legally, that is not the case .

There are, in general, four main types of jurisdiction (that is areas under which a court can take a case) for any government to act under:
1) Territorial: What happens in the EU/US/Anywhere else is under the purview of that government.
2) Actor: Governments always have recourse over the actions of their citizens, regardless as to where those actions occur. Governments MAY choose to (or be self-barred from) taking actions outside their borders, but they still can.
3) Subject-matter: If what transpires effects the nation or people or government, the government has jurisdiction. You can think of this as being about who the victim is.
4) Universal: Things that any nation can punish, because they are universal transgressions. War crimes and piracy go here. So if person from country A attacks person from country B while they are in country C (or international territory), in a piratical or war criminal nature, any country D has jurisdiction.

So an offshore bank dealing with a US Citizen IS actually under the providence of the US Government.

There is also the mechanism to consider. The EU has power over any company who does business in their territory; If they do not comply, they can fine you, seize your assets or prevent you from doing business. An entity solely outside of the EU can only be affected by the EU if the local government allows.

The US “meddling” with a foreign bank is, “if you do not comply with X, Y, and Z, we will not allow US companies to do business with you (including banks transferring funds)”.

Anonymous Coward says:

Re: Re: GDPR

Big difference is the US has no right meddling with my bank.

Whether or not they have this "right" hasn’t been litigated, but the USA has managed to bully a lot of foreign banks and governments into compliance with FATCA. In particular, European countries have relaxed their privacy laws so this information can be given to the IRS. The page has a map showing international agreements.

Anonymous Coward says:

They have to start somewhere

If they try to pass a perfect act, then nothing will ever be passed. Much better to pass something flawed and see what the consequences are then tweak or revoke down the road. So far, I think it’s been mostly positive.

Now I wish US legislature would pick the best parts of GPDR and do something similar for Americans.

Anonymous Coward says:

Re: They have to start somewhere

You know, this is the big elephant in the room. The EU has been hammering out GDPR for years, and the US has been mostly ignoring privacy issues, considering them something between the individual and the organizations handling their data (except in the case of HIPAA).

So when the EU decides they’ve gone far enough and it’s time to make GDPR go live for it, and all companies doing business in the EU, the US has lost the leadership role and no longer has the power to nudge the EU away from some of the more dangerous clauses.

But couldn’t the US at least take the best parts of GDPR and say “this part is good, we’re going to do that too?” Then they’d have more bargaining power when it came to getting rid of the troublesome bits.

For a case study on how all this works out: Canada generally has to de-facto comply with many US regulations. Often it tries to get out ahead to limit the damage it sees could arise from developing regulations in the US. This has generally turned out to be a successful strategy. But when it drops the ball, it generally has no choice but to go along with what the US decides.

It seems to me that the US is now getting to experience being in the situation where Canada usually finds itself. Hopefully the US will learn from this and get out ahead on PII issues in the future.

To be a leader, you need to be in a position to lead. In the case of privacy, the US is definitely not in that position anymore.

Anonymous Coward says:

In one way it is good that the US is getting a dose of it own stupidity. That is applying US law to all countries and people of the world.

In other points:
Why would a firm or web site whose target audience lived and operated in a particular regional location such as one’s a US local pizza delivery have any interest in providing in internet service to the EU or any place in which it can not feasible deliver pizzas to?

As far as data firms collection such as Facebook: Why any sane government allow an on line data collection and control firm to attempt to establish a 1984 form of government is beyond me. Look at this this way what if the Soviet KGB was keeping records, voluntarily supplied, on all US, UK, and all other citizens of they world while loudly claiming they were doing it for the worlds own good and not as a listing sorting means for gulag labor and Siberian vacations. What would the world do?

Mason Wheeler (profile) says:

Is it even possible for this to apply in the USA? Last I heard, we had the SPEECH Act that says that foreign libel judgments against US citizens regarding protected speech that doesn’t violate US law are unenforceable in the USA. It seems to me it wouldn’t take much–particularly in the current political climate–to apply the same principle to the GDPR.

Anonymous Coward says:

Re: Re:

as the USA seems to think that it can have it’s laws apply in any and all countries it wants, when it suits, over whichever people it wants at the time and whatever subjects it wants at the time, why should anywhere/everywhere else think that their laws dont apply in the USA? cant have what you want when it suits then turn them off when they dont!

Roger Strong (profile) says:

Re: Re:

If you’re a small business in the US doing no business in the EU, it doesn’t apply to you. It’s only relevant if you do business in the EU.

This is similar to court rulings from the EU, Canada and the US: They apply to Google because while Google is Bermuda-based (according to its tax filings), it has offices and does business in those other countries.

Mason Wheeler (profile) says:

Re: Re: Re:

If you’re a small business in the US doing no business in the EU, it doesn’t apply to you. It’s only relevant if you do business in the EU.

And if you put something on the World Wide Web, it becomes accessible world-wide… including in the EU. Then you’re "doing business" there whether you meant to or not. That’s the nightmare scenario here.

Dean P (user link) says:

Re: Re: Re: "Mason's Comment and Free Speech???"

Hi Mason, I’m hoping help me by clarify your comments below, so I can understand exactly what you mean? I’ll provide much more detail of my current situation. My request is based on someone you quoted who said:

"If you’re a small business in the US doing no business
in the EU, it doesn’t apply to you. It’s only relevant if you do business in the EU."

First, let me explain how I view the GDRP based on my discussions with two enterprises, Elastic Grid (Ziff Davis) and Structured Web. Both sent the GDRP forms I needed to Accept in order to continue to receive their services which I would really like to do. Part of what my small US based Company (75 employees) does is in my second year I launched a Channel Business Unit and Partnered a number of companies, but our Top 8 Parners, where our designation is either a VAR/System Integrator, or an Enterprise Reseller, ate Intel, LSI (Avago), ASUS, VMware, NVIDIA, PNY, EMC and Juniper. The rest are not official Partners, but we buy mostly components for Server and Workstation Builds, etc. Our top 8 Partners contract out to Elastic Grid (Ziff Davis) and Structured Web, who provides our business with, let’s just say, a great deal of costly marketing and Sales programs, i.e., Professional Social Media, Professional Direct Mail and they even provide what is called cross domain hosting, that allows me to include them in our Corporate Website, while the Assets (mostly images, case studies, etc.) reside on their servers. There is much more they provide, but the bottom line is this: Any direct mail we do is to our Install Base Clients, who have opted in. Social Media is based on the types of content I select, and they create the professional Tweet or LinkedIn shares, which I also can reuse with, (one example, Google Ads, but lately, I have been using more LinkedIn and other types of Ads, since (this has nothing to do with my question) I can’t stand Google. Talk about invasive, they take the cake. FaceCROOK I have never had an account with. That said, here is what I have been told and these two companies also conduct the same type of Marketing for our our main Partners who resell Intel, etc. in the EU.

I was told there are two ways I can be effected by this new GDRP:

Our company website. Another service they offer is Event Management, so using social media and Direct Mail invites (AGAIN, ONLY WITH MY INTERNAL LISTS, ALL EXISTING US CLIENTS) but, if for some reason, since the invite is public via social media they explained, let’s say you are doing an event on Big Data and someone who lives in the EU is interested in the subject, follows the link to my Website, where they will fine some new Pages I have created allowing them to confirm their attendance, where we collect Name, Company Name (not a mandatory field) address, Phone, email and to check the selection next to the Lunch they would like.

Let’s say some day (BTW this has not happened since I launched the company, and we do about 2 events a month) the scenario happens, on our Web Signup form, there is also a checkbox to let us know if the Company or person attending is an active client, or a new Business. If new, they agree to the normal legal statements of permission to send emails or call, BUT it’s limited to the specific Event. That’s how we do things, since this way I know for sure any "new people or companies" at the people are known beforehand and are approached and qualified to ascertain if they may be a prospect for what we offer. If they are not (WHICH SOMEONE visiting from the EU who attended just because he was interested in Big Data) their record is destroyed. Maybe most companies do not do this, but I don’t like taking in 100’s of emails if the business or person will never do business with us. I like "clean lists."

Also, I began my business in 2010, and about two years later, I received at least 6-8 calls from Companies in the UK & France, mostly France) who proposed an international joint venture (IJV) and wanted us to provide a unique service I do for Oracle Tier I ERP Clients and also wanted us (even worse) to assist them with some of our security offerings, which most people today know as Penetration Testing, but in 2012 having a license for Offensive Security and what began as an EU standard, "Ethical Hacking" was not as common as it is now, many companies offer it. I still get a few calls each year for the Tier I ERP Service.


WHAT DO YOU MEAN MASON, when you say:

"And if you put something on the World Wide Web, it becomes accessible world-wide… including in the EU. Then you’re doing business" there whether you meant to or not. That’s the nightmare scenario here."

What exactly do you mean? I might agree with you if our Website was not just informational, and accepted Logins and took in information from people outside the US, but we don’t even do this in the US except for an event and then it’s destroyed.

Now, if you are saying, well, during that Event registration, like I said, it’s possible some day a person from the EU may want to attend and just when that unlikely event happens, I’m hacked before the attendee’s information is destroyed. BTW, we do not use Passwords, since event are simple registrations. Well, anything is possible, but part of what I and about 5 others at my company are licenses for is what is legal hacking (assuming you want to you that term). Typically, the few times we’ve been alerted there was an attempt to hit our site, (we’re just NOT that important) as I knew based on the type of entry, it was kids. It ended up being kids who tried and to keep it short, let’s just say they learned a lesson. They needed to replace their devices (sometimes who people try that on the wrong side, the defense can be a Trojan they leave with and no what they think is 10,000 credit card numbers).
Also, I did not press charges, they were terrified 15 and 16-year-old kids, who learned a hard lesson. So, here are my questions Mason.

  1. What EXACTLY would I have to put on the web, that will all of a sudden mean I’m doing business in the EU? It can’t be our website, I’ve always had it in all the correct places, "WE ONLY OFFER GOODS AND OR SERVICE TO US COMPANIES."
    So even if someone from France, wanted to purchase $10MM in EMC Storage where my margin is 60% and he sent me a secure note through our secure contact form asking? Not only would answer NO because we never have and never will, we are also NOT AUTHORIZED by any of our partners to resell outside of the United States.

Please let me know what you mean ANYTHING I put on the web, just because it can be accessed in the EU, it means I am doing business there. THANK YOU.

  1. LASTLY, NOT SURE IF YOU SAID this, or know, but I’ll take a reply from ANYONE: How can the GDRP have negative effect and suppress Free Speech? Impossible.
    First, in the United States. 99% of the Media, probably 80% of colleges, 90% of public schools and to a MUCH lesser extent, (maybe 10%) a few small REALLY weird cities and towns, have ALREADY REMOVED FREEDOM OF SPEECH and also, constantly create new words and try to add them to the Dictionary.
    THAT is an INTERNAL problem to the US, caused by GUTLESS politicians we need to fix. If Parents were responsible these days, that would free the curtailing of Free Speech, since the nonsense begins at Colleges. IF PARENTS STOP PAYING $50-100K YEARLY for their kids to be educated by professors who channel Karl Marx, guarantee these colleges would QUICKLY change nonsense CUT OFF THE MONEY always changes morons into bright people. But I digress.
    REALLY, How would this GDRP also chip away at our 1st Amendment? I’d LOVE to see a lawsuit hit the SCOTUS, my guess is even with the different views on the court, any claim by a foreign country to curtail our first amendment, would lose 7-2, or 9-0, depending on the type of free speech, we really only have two Justices left, who are loons, hopefully one will be gone soon.
    Thanks, and sorry for the LONG post, but detail is important with this type of stuff.


Richard (profile) says:

Not really as bad as you might think

Havinf had to look at this in more detail because of personal involvement I would conclude:

1. The headline demands look pretty horrific.

2. The detail includes an enormous number of exceptions that in fact nullify most of (1) except in the most egregious cases.

3. Lots of companies and organisations are overreacting.

4. Because of (3) the consultants are having a field day.

In short if you’re not a large corporation and your not doing anything that most reasonable people would regard as immoral the chances of this impacting you are ~0

Anonymous Coward says:

Re: Not really as bad as you might think

I work in the field of personal data management and have recently completed work to implement GDPR compliance in our software. It’s really not that bad. It boils down to providing opt-in/out options to the owners of said data and informing them how their data is to be used. The only real downside to any company is they might have less personal data to use for marketing and total people count purposes. Of course, there are plenty of companies that collect personal data but have no UI or interaction with those persons at all; For them GDPR represents a significant problem.

Anonymous Coward says:

Re: Re: Re:2 Not really as bad as you might think

I’m on about why people need their data managed … as if they are incompetent and unable to keep their own files in order.

The corporate nannies are drooling all over themselves dreaming of pirating all your private information and offering it up for sale to the highest bidder.

This is not needed for proper operation of – well, anything.

Richard (profile) says:


I note the reaction of the IEEE:

“To ensure compliance, as well as respect the privacy of all individuals, IEEE has decided to apply GDPR standards to all individuals and not only European citizens.”


“Other countries have already created regulations similar to the GDPR and additional countries are expected to follow the trend in the future. IEEE believes that by treating all individuals interacting with us as if the GDPR were applicable to them now we will be able to more easily respond to any additional requirements in the future.”

ryuugami says:

Re: All USA

Obviously. If you don’t do business in the EU, EU laws and regulations do not apply to you.

(From various online discussions about GDPR, I’ve come to the conclusion that a lot of Americans have a problem with some basic concepts, e.g., that laws have jurisdiction, that private information can be private, and that not all regulators are sociopaths.)

Vikarti Anatra (profile) says:

Re: All USA

It’s possible it will depend on interpetation of GDPR by EU Courts.
Some online shops do exactly same and they STILL have non-US customers (Those customers use mail forwarding services to actually get goods).
If you try to block non-USA cards, some of mail forwarding services will be be glad to provide ‘assisted purchase’ service.
IP Geoblocking will not help too.

It will be interesting how EU will interpret such situations where USA-based company tried hard NOT to sell to non-USA customers but still did it. How much ‘hard’ is enough?

coward (anon) says:

IP addresses

The biggest problem we see is the GDPR’s inclusion of IP addresses as PII data. Like many (most?) companies with websites, our web servers log the IP address of all incoming connections. This presents a couple of potential problems with being GDPR compliant. GDPR requires active consent before storing PII data (which might be technically feasible with some major changes to the web server) and GDPR gives EU users the right to ask us to remove all PII that we have. We have terabytes, going back 15 years, of web server logs (much of it on backup tapes) and removing all of the log entries that match a specific IP address is not practically possible. We said “potential” above because the GDPR text can be read that way, but until this is litigated through the EU courts, the interpretation is unknown.

Anonymous Coward says:

Re: IP addresses

IP address is PII only if your website stores other data that makes it possible to tie the IP address to personality (for example it allows for logging into an account). Additionally, gaining consent is only one of several ways you can lawfully store data.

As it is stated in article 6, "Processing shall be lawful (…) if (…) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

Server security and prevention of abuse is a legitimate interest of a server owner. You don’t need consent for that unless you use IP data harvested from logs for other purposes.

Steel Root (user link) says:

Is blocking European visitors a valid GDPR strategy?

My company Steel Root was mentioned in this article in the context of blocking EU visitors from our website. I think what has been most clear in this broader discussion is that there is widespread confusion as to precisely which situations the GDPR applies to, particularly from the perspective of a US company.

We blogged about our findings here:

Anonymous Coward says:

Re: Is blocking European visitors a valid GDPR strategy?

I think your company has made a number of errors in interpretation, and some assumptions that are incorrect.

For example, you say that you say in the linked post that you have been blocking non-us access since 2015. That is not accurate. I visited your site from outside the US with no problem whatsoever.

Article 3 (2) of the GDPR states the following:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

– the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
– the monitoring of their behaviour as far as their behaviour takes place within the Union.

Since you have stated that you are not offering products or services in the EU, then the first item would fail. If your services would not fall under the second item (monitoring of behaviour), then GDPR would not apply.

For the occasional visitor from the EU, you could rely on the “occasional processing” exemptions.

Basically, if you are ‘established in the EU’ – meaning you actively target EU data subjects in your sales/marketing – or your services are offered to entities in the EU who sale/market to data subjects, then GDPR applies.

There is a lot of fear that a single visit to a website exposes you to GDPR, but that is not consistent with the wording in the GDPR or the guidance from a number of Information Commissioners in the EU.

You might find the details posted at these sites helpful:
Isle of Man Information Commissioner:
UK Information Commissioner:

Anonymous Coward says:

There us yet antoher possible future country where EU laws could never be enforced.

There is a movement to create a “Republic Of Nortehrn Mexico”, which is beginning to gain some steam.

The country, consisting of the northern tier of Mexican states, along with California, Arizona, New Mexico, Texas, and Nevada (south of the 37th parellel) would have some of biggest tech giants in the world in its borders.

Companies in this cou8ntry would not be subject to GDPR, and would also be not subject to SESTA, either. And this includes GoDaddy, one of the biggest registrars, which would be in the Republic Of Northern Mexico, since it is in Arizona.

Websites hosted in the Republic Of Northern Mexico would only subject to and have to obey Norteño law. United States laws and European Union laws would not apply in the Republic Of Northern Mexico.

If this country should ever come into existence, the US government will quickly find that SESTA could not be enforced on companies in the Republic Of Northern Mexico, and likewise the EU would find that they could not enforce GDPR in the Republic Of Northern Mexico.

Anonymous Coward says:

GDPR is over broad

..I say that as someone in the EU.
As someone who helps run a small amateur sport club (non profit, it organises a league / cup, has websites of results / league tables, people text or email in match results, club sends out results and other information emails
We had to send all our members GDPR communications and get their permission to continue (although non profit, because we take subscriptions as e.g. need to cover some basic costs e.g. equipment, venue hire, officials)
Lots of small clubs / societies similarly affected by extra “paperwork” – but the intentions of GDPR are good, though I’m sure big data abusing companies that are the real targets will get their legal teams to find some loopholes

Joshua Smith says:

I blocked Europe on all 10 of my web properties

I make and own websites in my free time as a side-hustle to supplement my full time job.

I charge for access to literally 0 of my websites, and I use data as a means to make my websites more efficient. I’m not going to make my free websites less profitable just to appease the tyrants in Europe.

Freedom is key to prosperity, and I strongly believe that US websites should do what I did and create a firewall block on all countries covered by the GDPR.

The danger, as always, with legalism is the selective enforcement. Small businesses in Europe who are opposed to authoritarianism will be targeted far more intensely than big government companies with lobbyists. Thus the cycle of suppressing competition, creating poverty, and oppressing people for political ideals.

Needless to say, I don’t support it.

Dazza (profile) says:

Blocking EU countries by default.

The websites on our servers are initially block EU access across the board for safety sake.
Some sites chose not to but surprisingly the majority elected to use the script.
Main fear is the EUs attitude of trying to sue everybody for any minor discrepancy and since bloggers and news type sites are easy targets, its best to play safe.
The local impact is minimal but saves possible litigation by any 2 bit EU organisation.
In the end its more of an impact on small to medium business who can’t afford to spend $$$$$ to comply with the EU paranoia.
The loss really is to the EU users.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...