
Companies Respond To The GDPR By Blocking All EU Users

from the the-splinternet dept

We've talked a bunch about the GDPR recently. While the effort is well-meaning (some may disagree with this) and does have some good ideas concerning data control and transparency, we still feel that it was put in place by people who had little idea of the impact it would actually have, and will have disastrous consequences on online speech, in particular. And, since the GDPR has a long-arm aspect that will impact people across the globe (not just in the EU), there has been plenty of scrambling by companies to "become compliant" with the GDPR. This is almost certainly going to lead to a huge number of lawsuits over the next few years, with an awful lot of uncertainty. While some consultants have cleaned up in helping companies become what they hope is "compliant" (hence you probably receiving dozens of updated privacy agreements and terms of service notices lately), some companies have realized it's just too much of a hassle and decided to block all access to EU users.

F-Secure's Mikko Hypponen has been tracking a bunch of examples and also highlighted a (currently offline, but viewable at the Internet Archive) site called GDPR Shield that hands you some simple JavaScript to block EU visitors (assuming they have JavaScript turned on and their location is determined accurately -- both of which may be big assumptions). Among those that Hypponen has noted cutting off EU users are the following: Ragnarok Online, Verve, Brent Ozar, Unroll.me, SMNC, Tunngle, Drawbridge and Steel Root.

Hypponen also notes the very different reactions to all of this from EU readers and US readers. EU folks seem to be generally supportive of the GDPR and think that companies shutting down service are either stupid & ignorant or evil and thus should shut down. On the US side, he notes people are smug about how this serves the EU right and will harm the EU.

It's entirely possible both are right.

But the larger issue to me is how this is increasingly splintering the internet, and doing so in a way that we're not entirely prepared for. The GDPR has significant problems -- even if it does also have some good stuff. The fact that it feels like supporters of the GDPR refuse to fix the problems seems troubling. It's going to have quite an impact and there seems to be little concern among those who support it. They automatically default to the idea that opposing the GDPR means that you want to do something bad, no matter how inaccurate that statement is.

It would have been much better if those crafting the GDPR had actually bothered to listen to the wider concerns. And, barring that, if they hadn't extended the reach of the law so far beyond EU borders that it will rule over the internet and the rest of us will have to deal with it. They could have preserved some of the good ideas concerning control and transparency without creating so much of a mess for everything else. But they chose not to, and now we're all going to leap off the cliff together and see how everyone ends up.


Reader Comments



  • identicon
    fred smith, 10 May 2018 @ 3:53am

    GDPR

    Quoting "if they hadn't made the reach of the law go so far beyond EU borders where it will rule over the internet" will be a widely shared sentiment I expect, in a similar fashion to the one we hear in "leftpondia" which is, "who the heck do the US financial regulatory bodies think that they are messing with our banks and companies?".


    • identicon
      Anonymous Coward, 10 May 2018 @ 6:42am

      Re: GDPR

      Big difference is the US has no right meddling with my bank.
      The EU has an imperative to protect EU citizens (and by extension their data).


      • icon
        Beta (profile), 10 May 2018 @ 7:55am

        Re: GDPR

        In order to make that argument work, you must show where the symmetry breaks. You must argue that the EU has more right to meddle with my newspaper than the US has to meddle with your bank, and that the US has less imperative to protect US citizens (and their money) than the EU has to protect its citizens (and their data).


        • identicon
          Anonymous Coward, 10 May 2018 @ 8:17am

          Re: Re: GDPR

          I felt I had done exactly that.
          An offshore bank not dealing with a US citizen is nothing to do with the US Gov.
          A US firm selling an EU citizens data without consent IS firmly under the EUs imperative.
          Seems cut and dry, please explain what your objection is.


          • icon
            Sharur (profile), 10 May 2018 @ 12:13pm

            Re: Re: Re: GDPR

            Legally, that is not the case.

            There are, in general, four main types of jurisdiction (that is areas under which a court can take a case) for any government to act under:
            1) Territorial: What happens in the EU/US/Anywhere else is under the purview of that government.
            2) Actor: Governments always have recourse over the actions of their citizens, regardless as to where those actions occur. Governments MAY choose to (or be self-barred from) taking actions outside their borders, but they still can.
            3) Subject-matter: If what transpires affects the nation or people or government, the government has jurisdiction. You can think of this as being about who the victim is.
            4) Universal: Things that any nation can punish, because they are universal transgressions. War crimes and piracy go here. So if a person from country A attacks a person from country B while they are in country C (or international territory), in a piratical or war criminal nature, any country D has jurisdiction.

            So an offshore bank dealing with a US Citizen IS actually under the province of the US Government.

            There is also the mechanism to consider. The EU has power over any company that does business in its territory; if they do not comply, it can fine you, seize your assets or prevent you from doing business. An entity solely outside of the EU can only be affected by the EU if the local government allows.

            The US "meddling" with a foreign bank is, "if you do not comply with X, Y, and Z, we will not allow US companies to do business with you (including banks transferring funds)".


            • identicon
              Bruce C., 10 May 2018 @ 4:23pm

              You two are talking across each other...


            • identicon
              Anonymous Coward, 10 May 2018 @ 5:23pm

              Re: Re: Re: Re: GDPR

              As far as offshore banks go, that depends on whether they have any outlets in the USA, and where said US citizen lives.

              A small local bank with no presence in the USA does not have to follow US laws, as long as that customer does not live in the United States.


        • identicon
          Anonymous Coward, 10 May 2018 @ 8:57am

          Re: Re: GDPR

          Or maybe the grifters could keep their hands in their own pockets


      • identicon
        Anonymous Coward, 10 May 2018 @ 12:19pm

        Re: Re: GDPR

        Big difference is the US has no right meddling with my bank.

        Whether or not they have this "right" hasn't been litigated, but the USA has managed to bully a lot of foreign banks and governments into compliance with FATCA. In particular, European countries have relaxed their privacy laws so this information can be given to the IRS. The page has a map showing international agreements.


        • icon
          Roger Strong (profile), 10 May 2018 @ 12:37pm

          Re: Re: Re: GDPR

          It's interesting that even if you renounce your US citizenship, if you're US-born you'll always be a "US person" under FATCA.

          By that logic even though Ted Cruz renounced his Canadian citizenship going into the 2016 election, he'll always be a "Canadian person."


  • identicon
    Anonymous Coward, 10 May 2018 @ 4:03am

    They have to start somewhere

    If they try to pass a perfect act, then nothing will ever be passed. Much better to pass something flawed and see what the consequences are then tweak or revoke down the road. So far, I think it's been mostly positive.

    Now I wish the US legislature would pick the best parts of GDPR and do something similar for Americans.


    • identicon
      Anonymous Coward, 10 May 2018 @ 4:43am

      Re: They have to start somewhere

      I don't honestly recall any legislation ever being passed that was perfect the first time. The hard part in the US is getting any legislation passed that's designed to protect consumers or the public, so you have a good point.


      • identicon
        Typical Politician, 10 May 2018 @ 8:58am

        Re: Re: They have to start somewhere

        "protect consumers or the public,"

        I have no idea what you are going on about.


        • icon
          Not an Electronic Rodent (profile), 11 May 2018 @ 6:41am

          Re: Re: Re: They have to start somewhere

          I have no idea what you are going on about.

          In political parlance, that would be, "Everyone else who can't give me political favours or donations with at least 6 zeros attached". It's only 99% of the country; I wouldn't worry about it too much.


    • identicon
      Anonymous Coward, 10 May 2018 @ 8:52am

      Re: They have to start somewhere

      You know, this is the big elephant in the room. The EU has been hammering out GDPR for years, and the US has been mostly ignoring privacy issues, considering them something between the individual and the organizations handling their data (except in the case of HIPAA).

      So when the EU decides they've gone far enough and it's time to make GDPR go live for it, and all companies doing business in the EU, the US has lost the leadership role and no longer has the power to nudge the EU away from some of the more dangerous clauses.

      But couldn't the US at least take the best parts of GDPR and say "this part is good, we're going to do that too?" Then they'd have more bargaining power when it came to getting rid of the troublesome bits.

      For a case study on how all this works out: Canada generally has to de-facto comply with many US regulations. Often it tries to get out ahead to limit the damage it sees could arise from developing regulations in the US. This has generally turned out to be a successful strategy. But when it drops the ball, it generally has no choice but to go along with what the US decides.

      It seems to me that the US is now getting to experience being in the situation where Canada usually finds itself. Hopefully the US will learn from this and get out ahead on PII issues in the future.

      To be a leader, you need to be in a position to lead. In the case of privacy, the US is definitely not in that position anymore.


  • identicon
    Anonymous Coward, 10 May 2018 @ 6:03am

    In one way it is good that the US is getting a dose of its own stupidity. That is, applying US law to all countries and people of the world.

    In other points:
    Why would a firm or web site whose target audience lives and operates in a particular regional location, such as a US local pizza delivery, have any interest in providing internet service to the EU or any place to which it cannot feasibly deliver pizzas?

    As far as data collection firms such as Facebook: why any sane government would allow an online data collection and control firm to attempt to establish a 1984 form of government is beyond me. Look at it this way: what if the Soviet KGB was keeping records, voluntarily supplied, on all US, UK, and all other citizens of the world while loudly claiming they were doing it for the world's own good and not as a listing and sorting means for gulag labor and Siberian vacations. What would the world do?


  • icon
    Mason Wheeler (profile), 10 May 2018 @ 8:15am

    Is it even possible for this to apply in the USA? Last I heard, we had the SPEECH Act that says that foreign libel judgments against US citizens regarding protected speech that doesn't violate US law are unenforceable in the USA. It seems to me it wouldn't take much--particularly in the current political climate--to apply the same principle to the GDPR.


    • identicon
      Anonymous Coward, 10 May 2018 @ 8:19am

      Re:

      Libel isn't quite the same as a data breach.
      The US sends people to prison for some data breaches.


    • identicon
      Anonymous Coward, 10 May 2018 @ 8:33am

      Re:

      As the USA seems to think that it can have its laws apply in any and all countries it wants, when it suits, over whichever people it wants at the time and whatever subjects it wants at the time, why should anywhere/everywhere else think that their laws don't apply in the USA? Can't have what you want when it suits, then turn them off when they don't!


      • identicon
        Anonymous Coward, 10 May 2018 @ 2:20pm

        Re: Re:

        can't have what you want when it suits then turn them off when they don't!

        The last decades of US foreign policy suggest otherwise.


    • icon
      Roger Strong (profile), 10 May 2018 @ 10:39am

      Re:

      If you're a small business in the US doing no business in the EU, it doesn't apply to you. It's only relevant if you do business in the EU.

      This is similar to court rulings from the EU, Canada and the US: They apply to Google because while Google is Bermuda-based (according to its tax filings), it has offices and does business in those other countries.


      • identicon
        Anonymous Coward, 10 May 2018 @ 1:57pm

        Re: Re:

        Thank you Rodger. We have asked this question on many sites. It has not been easy getting an answer. Take care.


        • icon
          Ehud Gavron (profile), 11 May 2018 @ 3:58am

          "We"

          > We have asked

          Who is "we"?

          What organization or group(s) of people do you claim to represent? Are you certain you're not schizophrenic?

          > Take care

          Yeah, you do the same. Professional care that is.

          Also I'm sure Roger appreciates how you misspelled his name.

          E


      • icon
        Mason Wheeler (profile), 14 May 2018 @ 8:08am

        Re: Re:

        If you're a small business in the US doing no business in the EU, it doesn't apply to you. It's only relevant if you do business in the EU.

        And if you put something on the World Wide Web, it becomes accessible world-wide... including in the EU. Then you're "doing business" there whether you meant to or not. That's the nightmare scenario here.


  • icon
    Ninja (profile), 10 May 2018 @ 8:19am

    "now we're all going to leap off the cliff together and see how everyone ends up"

    Sometimes you have to hit the bottom of Hell before you realize you are doing it very wrong, stand up and climb again. Won't be the first time humans did it.


  • identicon
    Anonymous Coward, 10 May 2018 @ 8:36am

    The problems are that those in control, anywhere, want to control the Internet as well as the countries/world! On top of that, they don't want us finding out any of the crap these fuckers are up to, but want to know everything that we're doing every second!!


  • icon
    Richard (profile), 10 May 2018 @ 8:44am

    Not really as bad as you might think

    Having had to look at this in more detail because of personal involvement, I would conclude:

    1. The headline demands look pretty horrific.

    2. The detail includes an enormous number of exceptions that in fact nullify most of (1) except in the most egregious cases.

    3. Lots of companies and organisations are overreacting.

    4. Because of (3) the consultants are having a field day.

    In short, if you're not a large corporation and you're not doing anything that most reasonable people would regard as immoral, the chances of this impacting you are ~0.


    • identicon
      Anonymous Coward, 10 May 2018 @ 9:59am

      Re: Not really as bad as you might think

      I work in the field of personal data management and have recently completed work to implement GDPR compliance in our software. It's really not that bad. It boils down to providing opt-in/out options to the owners of said data and informing them how their data is to be used. The only real downside to any company is they might have less personal data to use for marketing and total people count purposes. Of course, there are plenty of companies that collect personal data but have no UI or interaction with those persons at all; for them GDPR represents a significant problem.


      • identicon
        Anonymous Coward, 10 May 2018 @ 10:54am

        Re: Re: Not really as bad as you might think

        Today I learned ... there is a field called "personal data management".

        Why does personal information need management? This smells.


        • identicon
          Anonymous Coward, 10 May 2018 @ 11:00am

          Re: Re: Re: Not really as bad as you might think

          It would smell if no one was managing the personal data.. not sure what you are on about?


          • identicon
            Anonymous Coward, 10 May 2018 @ 1:19pm

            Re: Re: Re: Re: Not really as bad as you might think

            I'm on about why people need their data managed ... as if they are incompetent and unable to keep their own files in order.

            The corporate nannies are drooling all over themselves dreaming of pirating all your private information and offering it up for sale to the highest bidder.

            This is not needed for proper operation of - well, anything.


            • identicon
              Anonymous Coward, 10 May 2018 @ 6:45pm

              Re: Re: Re: Re: Re: Not really as bad as you might think

              Right.. so no one should be responsible for managing your personal information at your employer or your bank or your doctor's or your insurance company.. makes sense. The world needs more brains. Like you ;)


  • icon
    Richard (profile), 10 May 2018 @ 8:48am

    IEEE

    I note the reaction of the IEEE:

    "To ensure compliance, as well as respect the privacy of all individuals, IEEE has decided to apply GDPR standards to all individuals and not only European citizens."

    and

    "Other countries have already created regulations similar to the GDPR and additional countries are expected to follow the trend in the future. IEEE believes that by treating all individuals interacting with us as if the GDPR were applicable to them now we will be able to more easily respond to any additional requirements in the future."
    from

    https://supportcenter.ieee.org/app/answers/detail/a_id/3023/kw/gdpr


  • identicon
    Sceptre, 10 May 2018 @ 10:34am

    All USA

    So, if I understand your previous posts correctly, if my USA-based company sells online to ONLY USA customers, we are excluded from GDPR? We do not even allow anyone outside of the USA to register for an account. The only country selectable from a Register form or Checkout form is the USA.


    • identicon
      ryuugami, 10 May 2018 @ 1:10pm

      Re: All USA

      Obviously. If you don't do business in the EU, EU laws and regulations do not apply to you.

      (From various online discussions about GDPR, I've come to the conclusion that a lot of Americans have a problem with some basic concepts, e.g., that laws have jurisdiction, that private information can be private, and that not all regulators are sociopaths.)


    • icon
      Vikarti Anatra (profile), 11 May 2018 @ 10:23pm

      Re: All USA

      It's possible it will depend on interpretation of GDPR by EU Courts.
      Some online shops do exactly the same and they STILL have non-US customers (those customers use mail forwarding services to actually get goods).
      If you try to block non-USA cards, some of the mail forwarding services will be glad to provide an 'assisted purchase' service.
      IP geoblocking will not help either.

      It will be interesting how EU will interpret such situations where USA-based company tried hard NOT to sell to non-USA customers but still did it. How much 'hard' is enough?


      • identicon
        Anonymous Coward, 14 May 2018 @ 1:38am

        Re: Re: All USA

        > USA-based company tried hard

        And however hard they've tried it would be irrelevant, as the EU won't be able to seize any of their assets, since they have no presence there.


  • identicon
    coward (anon), 10 May 2018 @ 10:57am

    IP addresses

    The biggest problem we see is the GDPR's inclusion of IP addresses as PII data. Like many (most?) companies with websites, our web servers log the IP address of all incoming connections. This presents a couple of potential problems with being GDPR compliant. GDPR requires active consent before storing PII data (which might be technically feasible with some major changes to the web server) and GDPR gives EU users the right to ask us to remove all PII that we have. We have terabytes, going back 15 years, of web server logs (much of it on backup tapes) and removing all of the log entries that match a specific IP address is not practically possible. We said "potential" above because the GDPR text can be read that way, but until this is litigated through the EU courts, the interpretation is unknown.


    • identicon
      Anonymous Coward, 10 May 2018 @ 12:21pm

      Re: IP addresses

      Any web server can be configured to not log, or to not log IPs. If logging is legally required, there's a GDPR exception.

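The two comments above state the problem (years of access logs whose client IP addresses are personal data under the GDPR, too large to purge per address) and the mitigation (configure the server so the identifying part is never stored). The following is an added example, not code from the article or from either commenter, of the middle ground usually taken in practice: truncating each client address so a line still tells you which network a request came from, which is enough for abuse and capacity analysis, but no longer identifies one host. It assumes the Apache/nginx "combined" log format, where the client address is the first whitespace-separated field; the sample lines are constructed here from documentation address ranges, and the 24-bit/48-bit keep lengths are a choice, not anything the page specifies.

```python
"""Truncate client IP addresses in web-server access logs.

Added example, not code from the article or from any commenter. Assumes the
Apache/nginx "combined" log format, in which the client address is the first
whitespace-separated field. IPv4 addresses keep their first 24 bits and IPv6
addresses their first 48 (both chosen here as illustration), so a stored line
still says which network a request came from but no longer singles out a host.
"""
import ipaddress
import re

IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# First field (client address) and the remainder of the line, newline included.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)

# Constructed sample lines using documentation ranges (203.0.113.0/24, 2001:db8::/32).
SAMPLE_LINES = [
    '203.0.113.42 - - [10/May/2018:08:15:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [10/May/2018:08:15:09 +0000] "GET /login HTTP/1.1" 401 312 "-" "curl/7.58.0"',
    '2001:db8:abcd:1234::5678 - - [10/May/2018:08:16:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '- - - [10/May/2018:08:17:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.9"',
]


def truncate_ip(field: str) -> str:
    """Zero the host-identifying low bits of an IP address.

    Fields that are not IP addresses (the '-' placeholder, or a hostname from a
    server running with reverse lookups enabled) are returned unchanged.
    """
    try:
        addr = ipaddress.ip_address(field)
    except ValueError:
        return field
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network accept a host address and mask it down.
    return str(ipaddress.ip_network(f"{addr}/{keep}", strict=False).network_address)


def anonymize_line(line: str) -> str:
    """Rewrite one combined-format line with its client address truncated."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return line  # empty line or leading whitespace: nothing to rewrite
    return truncate_ip(m.group(1)) + m.group(2)


def anonymize_log(lines):
    """Apply anonymize_line to an iterable of lines (works line by line, so a file can be streamed)."""
    return [anonymize_line(line) for line in lines]


def distinct_clients(lines):
    """Number of distinct first fields; shows how much identifying power the pass removed."""
    return len({line.split(" ", 1)[0] for line in lines})


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, anonymize_log(SAMPLE_LINES)):
        print(before)
        print("  ->", after)
    print("distinct clients before:", distinct_clients(SAMPLE_LINES),
          "after:", distinct_clients(anonymize_log(SAMPLE_LINES)))
```

Run as a filter between the server and the log file, this keeps full addresses from ever reaching disk, which sidesteps the retention problem the first commenter describes for new logs; for existing archives it is a single bulk pass over each file rather than a per-address search, though it does not by itself address the backup tapes. Truncation is reversible only to the network, not the host, so the result is far less sensitive than the original; where stronger guarantees are needed the same function can be swapped for a keyed hash of the address.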

  • identicon
    Steel Root, 10 May 2018 @ 12:22pm

    Is blocking European visitors a valid GDPR strategy?

    My company Steel Root was mentioned in this article in the context of blocking EU visitors from our website. I think what has been most clear in this broader discussion is that there is widespread confusion as to precisely which situations the GDPR applies to, particularly from the perspective of a US company.

    We blogged about our findings here: https://steelroot.us/is-blocking-european-visitors-to-your-website-a-valid-gdpr-strategy/


    • identicon
      Anonymous Coward, 10 May 2018 @ 1:37pm

      Re: Is blocking European visitors a valid GDPR strategy?

      I think your company has made a number of errors in interpretation, and some assumptions that are incorrect.

      For example, you say in the linked post that you have been blocking non-US access since 2015. That is not accurate. I visited your site from outside the US with no problem whatsoever.

      Article 3 (2) of the GDPR states the following:

      This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

      - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
      - the monitoring of their behaviour as far as their behaviour takes place within the Union.
      Since you have stated that you are not offering products or services in the EU, then the first item would fail. If your services would not fall under the second item (monitoring of behaviour), then GDPR would not apply.

      For the occasional visitor from the EU, you could rely on the "occasional processing" exemptions.

      Basically, if you are 'established in the EU' - meaning you actively target EU data subjects in your sales/marketing - or your services are offered to entities in the EU who sell/market to data subjects, then GDPR applies.

      There is a lot of fear that a single visit to a website exposes you to GDPR, but that is not consistent with the wording in the GDPR or the guidance from a number of Information Commissioners in the EU.

      You might find the details posted at these sites helpful:
      Isle of Man Information Commissioner: www.inforights.im
      UK Information Commissioner: ico.org.uk


  • identicon
    Anonymous Coward, 10 May 2018 @ 1:13pm

    If EU addresses are blocked, just use a VPN to get around it. Using a VPN for this purpose does not break the law in the US or EU.


  • identicon
    Anonymous Coward, 10 May 2018 @ 5:20pm

    There is yet another possible future country where EU laws could never be enforced.

    There is a movement to create a "Republic Of Northern Mexico", which is beginning to gain some steam.

    The country, consisting of the northern tier of Mexican states, along with California, Arizona, New Mexico, Texas, and Nevada (south of the 37th parallel) would have some of the biggest tech giants in the world in its borders.

    Companies in this country would not be subject to GDPR, and would also not be subject to SESTA, either. And this includes GoDaddy, one of the biggest registrars, which would be in the Republic Of Northern Mexico, since it is in Arizona.

    Websites hosted in the Republic Of Northern Mexico would only be subject to and have to obey Norteño law. United States laws and European Union laws would not apply in the Republic Of Northern Mexico.

    If this country should ever come into existence, the US government will quickly find that SESTA could not be enforced on companies in the Republic Of Northern Mexico, and likewise the EU would find that they could not enforce GDPR in the Republic Of Northern Mexico.


  • identicon
    Anonymous Coward, 14 May 2018 @ 2:28am

    GDPR is over broad

    ..I say that as someone in the EU.
    As someone who helps run a small amateur sport club (non-profit; it organises a league / cup, has websites of results / league tables, people text or email in match results, and the club sends out results and other information emails).
    We had to send all our members GDPR communications and get their permission to continue (although non-profit, because we take subscriptions, e.g. to cover some basic costs such as equipment, venue hire, officials).
    Lots of small clubs / societies are similarly affected by extra "paperwork" - but the intentions of GDPR are good, though I'm sure the big data-abusing companies that are the real targets will get their legal teams to find some loopholes.


