Companies Respond To The GDPR By Blocking All EU Users
from the the-splinternet dept
We've talked a bunch about the GDPR recently. While the effort is well-meaning (some may disagree with this) and does have some good ideas concerning data control and transparency, we still feel that it was put in place by people who had little idea of the impact it would actually have, and will have disastrous consequences on online speech, in particular. And, since the GDPR has a long-arm aspect that will impact people across the globe (not just in the EU), there has been plenty of scrambling by companies to "become compliant" with the GDPR. This is almost certainly going to lead to a huge number of lawsuits over the next few years, with an awful lot of uncertainty. While some consultants have cleaned up in helping companies become what they hope is "compliant" (hence you probably receiving dozens of updated privacy agreements and terms of service notices lately), some companies have realized it's just too much of a hassle and decided to block all access to EU users.
F-Secure's Mikko Hypponen has been tracking a bunch of examples and also highlighted a (currently offline, but can be seen at the Internet Archive) site called GDPR Shield that gives you some simple javascript to block EU visitors (assuming they have Javascript turned on, and their location is determined accurately -- both of which may be big assumptions). Among those that Hypponen has noted cutting off EU users are the following: Ragnarok Online, Verve, Brent Ozar, Unroll.me, SMNC, Tunngle, Drawbridge and Steel Root.
Hypponen also notes the very different reactions to all of this from EU readers and US readers. EU folks seem to be generally supportive of the GDPR and think that companies shutting down service are either stupid & ignorant or evil and thus should shut down. On the US side, he notes people are smug about how this serves the EU right and will harm the EU.
It's entirely possible both are right.
But the larger issue to me is how this is increasingly splintering the internet, and doing so in a way that we're not entirely prepared for. The GDPR has significant problems -- even if it does also have some good stuff. The fact that it feels like supporters of the GDPR refuse to fix the problems seems troubling. It's going to have quite an impact and there seems to be little concern among those who support it. They automatically default to the idea that opposing the GDPR means that you want to do something bad, no matter how inaccurate that statement is.
It would have been much better if those crafting the GDPR had actually bothered to listen to the wider concerns. And, barring that, if they hadn't made the reach of the law go so far beyond EU borders where it will rule over the internet and the rest of us have to deal with. They could have preserved some of the good ideas concerning control and transparency, without creating so much of a mess for everything else. But they chose not to, and now we're all going to leap off the cliff together and see how everyone ends up.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: blocking, compliance, eu, free speech, gdpr, privacy, splinternet
Reader Comments
The First Word
“Subscribe: RSS
View by: Time | Thread
GDPR
[ link to this | view in chronology ]
Re: GDPR
The EU has an imperative to protect EU citizens (and by extension their data).
[ link to this | view in chronology ]
Re: GDPR
[ link to this | view in chronology ]
Re: Re: GDPR
An offshore bank not dealing with a US citizen is nothing to do with the US Gov.
A US firm selling an EU citizens data without consent IS firmly under the EUs imperative.
Seems cut and dry, please explain what you objection is.
[ link to this | view in chronology ]
Re: Re: Re: GDPR
There are, in general, four main types of jurisdiction (that is areas under which a court can take a case) for any government to act under:
1) Territorial: What happens in the EU/US/Anywhere else is under the purview of that government.
2) Actor: Governments always have recourse over the actions of their citizens, regardless as to where those actions occur. Governments MAY choose to (or be self-barred from) taking actions outside their borders, but they still can.
3) Subject-matter: If what transpires effects the nation or people or government, the government has jurisdiction. You can think of this as being about who the victim is.
4) Universal: Things that any nation can punish, because they are universal transgressions. War crimes and piracy go here. So if person from country A attacks person from country B while they are in country C (or international territory), in a piratical or war criminal nature, any country D has jurisdiction.
So an offshore bank dealing with a US Citizen IS actually under the providence of the US Government.
There is also the mechanism to consider. The EU has power over any company who does business in their territory; If they do not comply, they can fine you, seize your assets or prevent you from doing business. An entity solely outside of the EU can only be affected by the EU if the local government allows.
The US "meddling" with a foreign bank is, "if you do not comply with X, Y, and Z, we will not allow US companies to do business with you (including banks transferring funds)".
[ link to this | view in chronology ]
You two are talking across each other...
[ link to this | view in chronology ]
Re: Re: Re: Re: GDPR
A small local bank with no presence in the USA does not have to follow US laws, as long as that customer does not live in the United States.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: GDPR
[ link to this | view in chronology ]
Re: Re: GDPR
[ link to this | view in chronology ]
Re: Re: GDPR
Whether or not they have this "right" hasn't been litigated, but the USA has managed to bully a lot of foreign banks and governments into compliance with FATCA. In particular, European countries have relaxed their privacy laws so this information can be given to the IRS. The page has a map showing international agreements.
[ link to this | view in chronology ]
Re: Re: Re: GDPR
By that logic even though Ted Cruz renounced his Canadian citizenship going into the 2016 election, he'll always be a "Canadian person."
[ link to this | view in chronology ]
They have to start somewhere
Now I wish US legislature would pick the best parts of GPDR and do something similar for Americans.
[ link to this | view in chronology ]
Re: They have to start somewhere
I don't honestly recall any legislation ever being passed that was perfect the first time. The hard part in the US is getting any legislation passed that's designed to protect consumers or the public, so you have a good point.
[ link to this | view in chronology ]
Re: Re: They have to start somewhere
I have no idea what you are going on about.
[ link to this | view in chronology ]
Re: Re: Re: They have to start somewhere
In political parlance, that would be, "Everyone else who can't give me political favours or donations with at least 6 zeros attached". It's only 99% of the country; I wouldn't worry about it too much.
[ link to this | view in chronology ]
Re: They have to start somewhere
So when the EU decides they've gone far enough and it's time to make GDPR go live for it, and all companies doing business in the EU, the US has lost the leadership role and no longer has the power to nudge the EU away from some of the more dangerous clauses.
But couldn't the US at least take the best parts of GDPR and say "this part is good, we're going to do that too?" Then they'd have more bargaining power when it came to getting rid of the troublesome bits.
For a case study on how all this works out: Canada generally has to de-facto comply with many US regulations. Often it tries to get out ahead to limit the damage it sees could arise from developing regulations in the US. This has generally turned out to be a successful strategy. But when it drops the ball, it generally has no choice but to go along with what the US decides.
It seems to me that the US is now getting to experience being in the situation where Canada usually finds itself. Hopefully the US will learn from this and get out ahead on PII issues in the future.
To be a leader, you need to be in a position to lead. In the case of privacy, the US is definitely not in that position anymore.
[ link to this | view in chronology ]
In other points:
Why would a firm or web site whose target audience lived and operated in a particular regional location such as one's a US local pizza delivery have any interest in providing in internet service to the EU or any place in which it can not feasible deliver pizzas to?
As far as data firms collection such as Facebook: Why any sane government allow an on line data collection and control firm to attempt to establish a 1984 form of government is beyond me. Look at this this way what if the Soviet KGB was keeping records, voluntarily supplied, on all US, UK, and all other citizens of they world while loudly claiming they were doing it for the worlds own good and not as a listing sorting means for gulag labor and Siberian vacations. What would the world do?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
The US sends people to prison for some data breaches.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The last decades of US foreign policy suggest otherwise.
[ link to this | view in chronology ]
Re:
This is similar to court rulings from the EU, Canada and the US: They apply to Google because while Google is Bermuda-based (according to its tax filings), it has offices and does business in those other countries.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
"We"
Who is "we"?
What organization or group(s) of people do you claim to represent? Are you certain you're not schizophrenic?
> Take care
Yeah, you do the same. Professional care that is.
Also I'm sure Roger appreciates how you misspelled his name.
E
[ link to this | view in chronology ]
Re: Re:
And if you put something on the World Wide Web, it becomes accessible world-wide... including in the EU. Then you're "doing business" there whether you meant to or not. That's the nightmare scenario here.
[ link to this | view in chronology ]
Re: Re: Re: "Mason's Comment and Free Speech???"
Hi Mason, I'm hoping help me by clarify your comments below, so I can understand exactly what you mean? I'll provide much more detail of my current situation. My request is based on someone you quoted who said:
"If you're a small business in the US doing no business
in the EU, it doesn't apply to you. It's only relevant if you do business in the EU."
First, let me explain how I view the GDRP based on my discussions with two enterprises, Elastic Grid (Ziff Davis) and Structured Web. Both sent the GDRP forms I needed to Accept in order to continue to receive their services which I would really like to do. Part of what my small US based Company (75 employees) does is in my second year I launched a Channel Business Unit and Partnered a number of companies, but our Top 8 Parners, where our designation is either a VAR/System Integrator, or an Enterprise Reseller, ate Intel, LSI (Avago), ASUS, VMware, NVIDIA, PNY, EMC and Juniper. The rest are not official Partners, but we buy mostly components for Server and Workstation Builds, etc. Our top 8 Partners contract out to Elastic Grid (Ziff Davis) and Structured Web, who provides our business with, let's just say, a great deal of costly marketing and Sales programs, i.e., Professional Social Media, Professional Direct Mail and they even provide what is called cross domain hosting, that allows me to include them in our Corporate Website, while the Assets (mostly images, case studies, etc.) reside on their servers. There is much more they provide, but the bottom line is this: Any direct mail we do is to our Install Base Clients, who have opted in. Social Media is based on the types of content I select, and they create the professional Tweet or LinkedIn shares, which I also can reuse with, (one example, Google Ads, but lately, I have been using more LinkedIn and other types of Ads, since (this has nothing to do with my question) I can't stand Google. Talk about invasive, they take the cake. FaceCROOK I have never had an account with. That said, here is what I have been told and these two companies also conduct the same type of Marketing for our our main Partners who resell Intel, etc. in the EU.
I was told there are two ways I can be effected by this new GDRP:
Our company website. Another service they offer is Event Management, so using social media and Direct Mail invites (AGAIN, ONLY WITH MY INTERNAL LISTS, ALL EXISTING US CLIENTS) but, if for some reason, since the invite is public via social media they explained, let's say you are doing an event on Big Data and someone who lives in the EU is interested in the subject, follows the link to my Website, where they will fine some new Pages I have created allowing them to confirm their attendance, where we collect Name, Company Name (not a mandatory field) address, Phone, email and to check the selection next to the Lunch they would like.
Let's say some day (BTW this has not happened since I launched the company, and we do about 2 events a month) the scenario happens, on our Web Signup form, there is also a checkbox to let us know if the Company or person attending is an active client, or a new Business. If new, they agree to the normal legal statements of permission to send emails or call, BUT it's limited to the specific Event. That's how we do things, since this way I know for sure any "new people or companies" at the people are known beforehand and are approached and qualified to ascertain if they may be a prospect for what we offer. If they are not (WHICH SOMEONE visiting from the EU who attended just because he was interested in Big Data) their record is destroyed. Maybe most companies do not do this, but I don't like taking in 100's of emails if the business or person will never do business with us. I like "clean lists."
Also, I began my business in 2010, and about two years later, I received at least 6-8 calls from Companies in the UK & France, mostly France) who proposed an international joint venture (IJV) and wanted us to provide a unique service I do for Oracle Tier I ERP Clients and also wanted us (even worse) to assist them with some of our security offerings, which most people today know as Penetration Testing, but in 2012 having a license for Offensive Security and what began as an EU standard, "Ethical Hacking" was not as common as it is now, many companies offer it. I still get a few calls each year for the Tier I ERP Service.
So, I AM IN VERY MUCH THE SAME SITUATION AS YOUR QUOTE:
WHAT DO YOU MEAN MASON, when you say:
"And if you put something on the World Wide Web, it becomes accessible world-wide... including in the EU. Then you're doing business" there whether you meant to or not. That's the nightmare scenario here."
What exactly do you mean? I might agree with you if our Website was not just informational, and accepted Logins and took in information from people outside the US, but we don't even do this in the US except for an event and then it's destroyed.
Now, if you are saying, well, during that Event registration, like I said, it's possible some day a person from the EU may want to attend and just when that unlikely event happens, I'm hacked before the attendee’s information is destroyed. BTW, we do not use Passwords, since event are simple registrations. Well, anything is possible, but part of what I and about 5 others at my company are licenses for is what is legal hacking (assuming you want to you that term). Typically, the few times we've been alerted there was an attempt to hit our site, (we're just NOT that important) as I knew based on the type of entry, it was kids. It ended up being kids who tried and to keep it short, let's just say they learned a lesson. They needed to replace their devices (sometimes who people try that on the wrong side, the defense can be a Trojan they leave with and no what they think is 10,000 credit card numbers). Also, I did not press charges, they were terrified 15 and 16-year-old kids, who learned a hard lesson. So, here are my questions Mason.
Please let me know what you mean ANYTHING I put on the web, just because it can be accessed in the EU, it means I am doing business there. THANK YOU.
Dean
[ link to this | view in chronology ]
Sometimes you have to hit the bottom of Hell before you realize you are doing it very wrong, stand up and climb again. Won't be the first time humans did it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Not really as bad as you might think
1. The headline demands look pretty horrific.
2. The detail includes an enormous number of exceptions that in fact nullify most of (1) except in the most egregious cases.
3. Lots of companies and organisations are overreacting.
4. Because of (3) the consultants are having a field day.
In short if you're not a large corporation and your not doing anything that most reasonable people would regard as immoral the chances of this impacting you are ~0
[ link to this | view in chronology ]
Re: Not really as bad as you might think
[ link to this | view in chronology ]
Re: Re: Not really as bad as you might think
Why does personal information need management? This smells.
[ link to this | view in chronology ]
Re: Re: Re: Not really as bad as you might think
[ link to this | view in chronology ]
Re: Re: Re: Re: Not really as bad as you might think
The corporate nannies are drooling all over themselves dreaming of pirating all your private information and offering it up for sale to the highest bidder.
This is not needed for proper operation of - well, anything.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Not really as bad as you might think
[ link to this | view in chronology ]
IEEE
"To ensure compliance, as well as respect the privacy of all individuals, IEEE has decided to apply GDPR standards to all individuals and not only European citizens."
and
"Other countries have already created regulations similar to the GDPR and additional countries are expected to follow the trend in the future. IEEE believes that by treating all individuals interacting with us as if the GDPR were applicable to them now we will be able to more easily respond to any additional requirements in the future."
from
https://supportcenter.ieee.org/app/answers/detail/a_id/3023/kw/gdpr
[ link to this | view in chronology ]
All USA
[ link to this | view in chronology ]
Re: All USA
(From various online discussions about GDPR, I've come to the conclusion that a lot of Americans have a problem with some basic concepts, e.g., that laws have jurisdiction, that private information can be private, and that not all regulators are sociopaths.)
[ link to this | view in chronology ]
Re: All USA
Some online shops do exactly same and they STILL have non-US customers (Those customers use mail forwarding services to actually get goods).
If you try to block non-USA cards, some of mail forwarding services will be be glad to provide 'assisted purchase' service.
IP Geoblocking will not help too.
It will be interesting how EU will interpret such situations where USA-based company tried hard NOT to sell to non-USA customers but still did it. How much 'hard' is enough?
[ link to this | view in chronology ]
Re: Re: All USA
And however hard they've tried it would be irrelevant, as the EU won't be able to seize any of their assets, since they have no presence there.
[ link to this | view in chronology ]
IP addresses
[ link to this | view in chronology ]
Re: IP addresses
[ link to this | view in chronology ]
Re: IP addresses
IP address is PII only if your website stores other data that makes it possible to tie the IP address to personality (for example it allows for logging into an account). Additionally, gaining consent is only one of several ways you can lawfully store data.
As it is stated in article 6, "Processing shall be lawful (...) if (...) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Server security and prevention of abuse is a legitimate interest of a server owner. You don't need consent for that unless you use IP data harvested from logs for other purposes.
[ link to this | view in chronology ]
Is blocking European visitors a valid GDPR strategy?
My company Steel Root was mentioned in this article in the context of blocking EU visitors from our website. I think what has been most clear in this broader discussion is that there is widespread confusion as to precisely which situations the GDPR applies to, particularly from the perspective of a US company.
We blogged about our findings here: https://steelroot.us/is-blocking-european-visitors-to-your-website-a-valid-gdpr-strategy/
[ link to this | view in chronology ]
Re: Is blocking European visitors a valid GDPR strategy?
For example, you say that you say in the linked post that you have been blocking non-us access since 2015. That is not accurate. I visited your site from outside the US with no problem whatsoever.
Article 3 (2) of the GDPR states the following:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
Since you have stated that you are not offering products or services in the EU, then the first item would fail. If your services would not fall under the second item (monitoring of behaviour), then GDPR would not apply.
For the occasional visitor from the EU, you could rely on the "occasional processing" exemptions.
Basically, if you are 'established in the EU' - meaning you actively target EU data subjects in your sales/marketing - or your services are offered to entities in the EU who sale/market to data subjects, then GDPR applies.
There is a lot of fear that a single visit to a website exposes you to GDPR, but that is not consistent with the wording in the GDPR or the guidance from a number of Information Commissioners in the EU.
You might find the details posted at these sites helpful:
Isle of Man Information Commissioner: www.inforights.im
UK Information Commissioner: ico.org.uk
[ link to this | view in chronology ]
[ link to this | view in chronology ]
There is a movement to create a "Republic Of Nortehrn Mexico", which is beginning to gain some steam.
The country, consisting of the northern tier of Mexican states, along with California, Arizona, New Mexico, Texas, and Nevada (south of the 37th parellel) would have some of biggest tech giants in the world in its borders.
Companies in this cou8ntry would not be subject to GDPR, and would also be not subject to SESTA, either. And this includes GoDaddy, one of the biggest registrars, which would be in the Republic Of Northern Mexico, since it is in Arizona.
Websites hosted in the Republic Of Northern Mexico would only subject to and have to obey Norteño law. United States laws and European Union laws would not apply in the Republic Of Northern Mexico.
If this country should ever come into existence, the US government will quickly find that SESTA could not be enforced on companies in the Republic Of Northern Mexico, and likewise the EU would find that they could not enforce GDPR in the Republic Of Northern Mexico.
[ link to this | view in chronology ]
Re:
Fuck off, Russian bot.
[ link to this | view in chronology ]
GDPR is over broad
As someone who helps run a small amateur sport club (non profit, it organises a league / cup, has websites of results / league tables, people text or email in match results, club sends out results and other information emails
We had to send all our members GDPR communications and get their permission to continue (although non profit, because we take subscriptions as e.g. need to cover some basic costs e.g. equipment, venue hire, officials)
Lots of small clubs / societies similarly affected by extra "paperwork" - but the intentions of GDPR are good, though I'm sure big data abusing companies that are the real targets will get their legal teams to find some loopholes
[ link to this | view in chronology ]
I blocked Europe on all 10 of my web properties
I charge for access to literally 0 of my websites, and I use data as a means to make my websites more efficient. I'm not going to make my free websites less profitable just to appease the tyrants in Europe.
Freedom is key to prosperity, and I strongly believe that US websites should do what I did and create a firewall block on all countries covered by the GDPR.
The danger, as always, with legalism is the selective enforcement. Small businesses in Europe who are opposed to authoritarianism will be targeted far more intensely than big government companies with lobbyists. Thus the cycle of suppressing competition, creating poverty, and oppressing people for political ideals.
Needless to say, I don't support it.
[ link to this | view in chronology ]
Blocking EU countries by default.
Some sites chose not to but surprisingly the majority elected to use the script.
Main fear is the EUs attitude of trying to sue everybody for any minor discrepancy and since bloggers and news type sites are easy targets, its best to play safe.
The local impact is minimal but saves possible litigation by any 2 bit EU organisation.
In the end its more of an impact on small to medium business who can't afford to spend $$$$$ to comply with the EU paranoia.
The loss really is to the EU users.
[ link to this | view in chronology ]