New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (bleepingcomputer.com) 553
Catalin Cimpanu, reporting for BleepingComputer: A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. GDPR, or General Data Protection Regulation, is a new user and data privacy regulation slated to come into effect in the EU three weeks from now, on May 25, 2018.
The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.
The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.
Nothing "new" here (Score:5, Insightful)
Re: (Score:2, Insightful)
It's also totally unnecessary. Either:
1. You do business in the EU, therefore you fall under EU jurisdiction and have to follow EU laws. This service will not help because you still need to follow GDPR to do business there.
2. You do not do business in the EU, therefore you do not fall under EU jurisdiction and do not have to follow EU laws. This service will not help you because the EU can't touch you in order to enforce GDPR.
They're selling snake oil.
Re: (Score:2)
Also, embedding some JavaScript into your website will probably not help, anyway. If your website logs the IP address of every visitor, you've logged the IP of every EU citizen visiting your site, even with this JavaScript active.
Also, any account data of EU citizens that registered with your service prior to GDPR doesn't magically disappear. So you store data from EU citizen and fall under the GDPR, but since you're now blocking those people from accessing your page you stop them from contacting you about
Re: (Score:3)
Unless you have a server or office in the EU, they don't have shit.
The law should be ignored by all non-EU web sites.
Re: (Score:2)
It's not as simple as that - if you have operations in the EU even with servers elsewhere then you will still have problems with the GDPR.
We will have to wait and see what happens, but it will be challenging for those that tries to work around GDPR if they want to keep EU customers. It may also be that similar regulations comes into effect in the US as well.
Re: (Score:2)
Recently I registered for a Fitbit and they had an added option that I had to select to opt out of data protection laws.
But they don't understand that laws in the EU trumps any user agreement. EULAs are null and invalid if they break the law.
Re: (Score:2)
You're missing an important point.
Geofencing is fine for blocking users extant to your area, but it's suicide to block customers inside your fence.
Re: (Score:2)
geofencing is not exactly a new concept. At least it finally is being used for good (privacy protection) rather then for evil (arbitrary geographical media blocking)
So, am I liable for serving EU visitors who are already using VPNs (to lie about where they are coming from due to arbitrary geographical media blocking)?
Re:Nothing "new" here (Score:5, Insightful)
for good (privacy protection)
Good is rather relative here: it's purpose here is evading privacy protection.
It's not so much as evading privacy restrictions as locking out users for which privacy protections have been mandated.
If anything you could use it as an indication to ether do or refuse to do business with a company based on what side of the GDPR fence you want to be.
Re: (Score:2)
Or maybe its an strategy to avoid harsh fines and being forced to hire personnel to ensure compliance to service just a few internet users from the EU states that visit your website.
Re: (Score:3)
You don't need to hire a data protection officer whatever the abstract says. You need to have some one designated in this role; it's like someone has to be responsible for safety, someone has to be responsible for first aid. A large company may well have a specific person whose job is only to do this, but most don't.
Re: (Score:3, Insightful)
It is definitely good. A Mom and Pop shop in the states selling homemade soap can't afford to have a DPO or respond to GDPR letters from hell [linkedin.com]. As per the GDPR law, even if a place doesn't do business in the EU, if an EU resident visits a site, the site has to comply.
Not every website is a multi-billion dollar operation that can spend the cash on this stuff.
So, they get blocked. $9 a month is cheap insurance compared to running afoul of the EU.
Re:Nothing "new" here (Score:4, Insightful)
Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?
This is the usual right-wing talking point about 'onerous regulation' and it is bullshit. It is not about the small businesses, unless they are merely a bait-and-switch operation trying to gain my data to sell it on to unscrupulous marketeers. It is about massive corporations that want to be free to pillage my life for their profits, and there is always an idiot falling for their 'but think of the poor small businessmen' shtick.
Re: (Score:3, Insightful)
> Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?
What about storing information on the products you purchased, so you can be notified if there are any recalls? What about storing information to prove that certain taxes have been paid? That's two items that fall under government requirements that also fall under GDPR, along with your billing and shipping information. "Giant evil corporation" and "Mom and Pop shop" both have to deal
Re:Nothing "new" here (Score:4, Informative)
Re: (Score:3, Insightful)
and there is always an idiot falling for their 'but think of the poor small businessmen' shtick
With any luck Slashdot will adopt this service and you will be cut off.
Re: (Score:3)
If you're a mom-and-pop soap shop, you don't employ any technical people - there's Bob's cousin who's "good with computers" who made your web site a couple years back. You don't ship outside the US, but people from the EU might still visit your web site.
This is indeed onerous regulation for a business at this scale. Geoblocking fixes it for you.
Now if you're a mom-and-pop soap in the EU, you use a vendor who takes care of this shit for you, and you just hope you won't go to jail because you once threw out
Re:Nothing "new" here (Score:4, Insightful)
Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?
This is the usual right-wing talking point about 'onerous regulation' and it is bullshit. It is not about the small businesses, unless they are merely a bait-and-switch operation trying to gain my data to sell it on to unscrupulous marketeers. It is about massive corporations that want to be free to pillage my life for their profits, and there is always an idiot falling for their 'but think of the poor small businessmen' shtick.
I think it was a pipe dream to think that GDPR would cause big corps to change how they do business in the US. It's clearly too profitable to let go of that sweet precious data.
However, if there were such a small shop that inadervtently took customers (and their personal info for shipping or order fulfillment) from EU and then got a GDPR request (perhaps automated by some legal-bot), they might be best positioned to just avoid those customers in the first place.
Re: (Score:2, Insightful)
Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?
So, a smaller company shouldn't be able to retain any information about which of their modest advertising expenditures resulted in which sales, and which search engine terms produced the traffic that led to the specific transactions that allow them to actually stay in business? The company's got no interest in retaining information when a customer or prospective customer uses a contact form to ask a question, or a chat tool to provide some guidance on a product? A business could easily do a million dollars
Re:Nothing "new" here (Score:5, Informative)
That canard again. IP address logging for the purposes of site operation has never fallen under EU privacy guidelines, unless that data is kept for longer than its intended purpose and used for data mining.
Which is exactly the point of the GDPR: it says 'Don't do that and you'll be fine'. If you look at the FAQ [eugdpr.org] you see that the GDPR does not cover this use of data.
Re: (Score:3)
If you look at the FAQ [eugdpr.org] you see that the GDPR does not cover this use of data.
Oh, let me just look at that...
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from ... a computer IP address.
Well, crap. Maybe I don't need to worry if it's just a log?
Unfortunately, the actual text [europa.eu] doesn't mention logs at all. Neither does it make any exemption for temporary storage, and it also doesn't actually define boundaries for what's "data mining", since it includes no mention of data mining at all. In fact, most of its restrictions are on the "processing" of personal data. Let's look at what that is:
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
In other words, running grep on a log is processing. Looking at Article 6(1)
Re: (Score:3)
To address your points in reverse order:
So this is not "every piece of personal data is forbidden". That is a huge misconception.
Certainly not "forbidden" by the regulation, but in practice. If I go tell my manager "our server logs have IP addresses", he's not going to launch an inquiry into whether that personal data can be combined with anything else, and he's not going to let me get fully-encrypted storage for our highly-sensitive logs. He's going to say "get rid of them".
Practically, he doesn't have a choice. Keeping the personal data means our lowly web servers are now a focus for complian
Re: (Score:3)
From your link:
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
So that mom-and-pop shop with your name or e-mail address is completely subject to these regulations. I guess we cannot keep tracking numbers, invoice records, etc.
Of course, Mr. IRS (or your country's equivalent) doesn't look kindly on NOT having records of where the money came from, especially if they're a repeat or larger customer. I'm sure Mr. IRS will waive any and all actions on me if I say "I make everything a 100% cash sale and a 100% cash purchase so I do not store any data and do
Re: (Score:2)
That means your Apache logs can't have any actual log data.
No, it doesn't. This is a myth.
It looks like organisations are tending to shift towards processing based on their legitimate interests rather than consent, because the moment consent is necessary under the new regulations, all the new subject rights activate. There do still have to be legitimate interests, obviously, and they still have to be balanced against the privacy of the data subject, which is a horribly ambiguous situation. But if you need to keep server logs for genuine and reasonable purposes like
Re: (Score:3)
Having run a very large scale service, I can say that my legitimate interest was "log as much as we have storage for" so I don't have to go in front of the bosses and say "things are failing but we don't log enough to know why". Of course, this is a defensive position -- I hope there are no issues and that my logs remain forever unreviewed. But if there is an issue, I can't predict ahead of time what information will be needed to diagnose and fix it.
None of it was used for marketing purposes, and it was tig
Re:Nothing "new" here (Score:5, Informative)
Regulations have consequences.
Yes, and the GDPR really does have significant uncertainty and cause disproportionate overheads for a lot of smaller businesses, charities, etc.
This is the kind of thing that makes it difficult for you to pretend otherwise.
Well, yes and no. The article here isn't great: it perpetuates a lot of myths and exaggerations. The specific blocking service mentioned has been heavily criticised in other forums already for trying to cash in on the fear while providing questionable protection.
Anyone with two firing brain cells can anticipate that GPDR trolls will appear on day 1 to sue whomever has deep enough pockets to be worth suing.
Unless they'd actually used those brain cells to read, in which case they'd know that the GDPR is going to be enforced primarily through government regulators, not personal legal actions. There are plenty of problems with it, but attracting ambulance-chasing lawyers isn't likely to be one of them.
Re: (Score:3)
Re:Nothing "new" here (Score:4, Insightful)
It is definitely good. A Mom and Pop shop in the states selling homemade soap can't afford to have a DPO
Good thing they wouldn't need one, then. There are criteria for when you'd need one (e.g. your business is mass storage or processing of personal data), and the odds of a tiny shop meeting any of them would be extremely slim. Heck, we're a multinational company and we don't need one. For that matter, there's no requirement to _hire_ someone, it's a role that could be assigned to any employee with sufficient knowledge of privacy laws and best practice.
if an EU resident visits a site, the site has to comply.
Not quite. If your site collects personal data about a EU resident, the site has to comply. If your site does not collect personal data, GDPR does not apply.
Re: (Score:3)
I see because only big business should be able to profit from data. Smaller companies would not like to be able to do things too like say store your browsing history on the site to offer you discounts on products you looked at but did not buy etc.
Sorry your rules are crappy barriers to entire and they are THE REASON THE RICH GET RICHER and nobody else gets a break.
Re: (Score:2)
Logic fail. The rich already got richer without this law.
Re: (Score:3)
Generalization fail. The rich get richer because of regulatory capture - the more you regulate, the more the largest companies benefit, and the harder it is for the little guy to make good. Business regulation causes social immobility - might still be worth in in some cases, but don't pretend the cost isn't real.
Re:Nothing "new" here (Score:4, Insightful)
even if a place doesn't do business in the EU, if an EU resident visits a site, the site has to comply.
And they can kiss my ass as far as enforcement.
Re: (Score:3)
Exactly, just don't have a presence in the EU and they can pound sand.
Re: (Score:2)
What information that would require them to hire a DPO? If they would be required to hire one, I sure as fuck don't want to deal with them because no soap on this planet is worth handing over pretty much any and all of my personal data.
Re: (Score:3)
Not quite, it's purpose avoiding (not evading) the legal requirements for privacy protection, in the simplest, most direct way possible - by refusing service to those visitors whose privacy they would be required to protect.
Re: (Score:2)
If you filter me on location then you have enough information on me to fall under GDPR and you have to release your information on me if I demand it.
Catch-22 at its finest!
Re: (Score:2)
At the very least you now have a tool to see which companies consider the privacy of their customers some pesky nuisance that they try to avoid at all cost.
Re: (Score:3)
No. Its purpose is avoiding having customers in the EU.
Those of us in the EU have voted against having suppliers who know their business methods contravene the GDPR.
This solution is a gigantic win for everyone involved!
Seems like the right reasons to me (Score:3, Insightful)
A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance.
This is just the type of service you would hope exists to make sure citizens can decide what levels of privacy they want and companies can decide what level of privacy they are willing to provide. For some time now we will see many stories of companies improving their privacy, companies pulling out of the EU market, and companies being fined by the EU. All are good and expected outcomes of rules such as the GDPR.
Re: (Score:2, Insightful)
They aren't all "good and expected outcomes". Good being subjective. Being fined into oblivion for being on the web by an entity that you have never had interaction with, should be problematic for everyone.
Compliance within tyranny is always "expected", and rarely all that "good".
I run a website with worldwide audience. I've also never been to Europe. Tell me why I should comply or face fines to a jurisdiction I've never been to?
No, there is nothing good about any of this, even if the goal is admirable.
Re:Seems like the right reasons to me (Score:4, Insightful)
I run a website with worldwide audience. I've also never been to Europe. Tell me why I should comply or face fines to a jurisdiction I've never been to?
You are servicing their citizens while they reside in their country, so you should follow their laws. Just because the Internet makes it so easy to reach those customers doesn't mean you should be able to ignore their laws.
Re:Seems like the right reasons to me (Score:4, Insightful)
Okay, so what you're saying is that in a world wide economics, I have to comply with often mutually excusive rules and laws. I must do this in this jurisdiction, and I am forbidden to do the same thing in another. Good one.
Re: (Score:2)
You don't have to comply, any more then you have to comply with Saudi laws (unless you set foot in their jurisdiction).
Re: (Score:2, Insightful)
yea keep telling yourself that story. Lets say you do decided hey I don't have any EU presence, I'll just ignore this issue. Some EU citizen access your site and complains you violated some GDPR provision. Now the EU fines you. You decided to tell them to politely stick their judgement where the sun don't shine.
All is well until you realize your bank does business in the EU and they demand they freeze your accounts etc. No this BS and our government needs to step up to plate and take steps to protect
Re: (Score:2)
Have you even bothered to take a look at the law? We're not talking about a company asking for your name and mail address so they can deliver a box with shit you buy in it. You take that information, you store it, you don't distribute it, you're golden.
Once you start selling it, you're in deep shit. As you effin' should be!
Re: (Score:2)
Have you even bothered to take a look at the law? We're not talking about a company asking for your name and mail address so they can deliver a box with shit you buy in it. You take that information, you store it, you don't distribute it, you're golden.
Once you start selling it, you're in deep shit. As you effin' should be!
There are plenty of GDPR laws regarding how you store and eventually purge customer data even if you don't sell it.
Re: (Score:2)
None of them are a problem to the average store. Most have already finished implementing it, I recently got a flood of emails from stores I used ages ago, telling me that they'd be really sorry to lose me as a customer but they are going to delete my data now if I don't (click here) to tell them I'm still interested in staying with them.
Re: (Score:2)
None of them are a problem to the average store. Most have already finished implementing it, I recently got a flood of emails from stores I used ages ago, telling me that they'd be really sorry to lose me as a customer but they are going to delete my data now if I don't (click here) to tell them I'm still interested in staying with them.
I didn't say they were hard to implement, just that your statement was inaccurate.
Re: (Score:2)
Discuss the impact of EU websites whose entire business model is collecting and selling EU user data.
Also: How does this impact Google, Facebook, Instagram, Snapchat, Twitter, and others?
GDPR will fragment the internet (Score:2)
The sky is falling (Score:2)
If the US does similar legislation then suddenly the Internet will align to us and people will figure out new ways to make money.
Re:GDPR will fragment the internet (Score:4, Insightful)
The big companies will have no trouble complying, paying lip service or working around the rules. The smaller companies might at first decide to forget about Europe. This happened with a couple of smaller service providers when the EU VAT rules were changed: I got a few notices that such-and-such company was no longer able to provide their service in Europe. However they probably looked at the amount of business they were getting from Europe, had another look at the rules and found them not that hard to comply with, and removed the block.
Re: (Score:2)
Most US companies find it more profitable to hire illegal immigrants than comply. What else is new?
That isn't the same as this situation at all. Companies which use services like this are not breaking the law by not complying, they are mearly making sure their business model and customer base does not require them to comply. It would be like companies moving their operations to Mexico where the workers aren't illegals.
Re: (Score:2)
Which is a Shane, because this is exactly the sort of law that should be implemented world wide.
For example, I should be able to unsubscribe from a service without having to worry about my data being accessed by an intruder years later.
Well, it's closer to a Roger, but we get your general idea...
Re: (Score:2)
This law doesn't say that. Next the EU will block websites that simply ignore their overreach.
That will be the 'screw you'. But VPNs.
Perhaps the VPN operators in the EU will comply, but I wouldn't count on it.
Comment removed (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
There is no evidence that will happen, so I fail to see what your point is.
Can you stop spreading nonsense about Europe, please? It seems every comment you make regarding it is factually incorrect.
Re: (Score:2)
Also, there's no evidence it won't happen. I see no nonsense being spread here, only someone positing something that might actually happen. Time will tell; perhaps you shouldn't go around screaming "that won't happen" (an absolute) in response to someone positing that it might, lest you look like a fool if it does?
Re: (Score:2)
If it's the half I didn't want anyway, that's perfectly fine.
Re: (Score:2)
This half that want to abuse you? Very good! In fact 100% better.
Re: (Score:2)
Opening up the market to new, local competition? It just sounds better and better.
Re: (Score:2)
You mean you'd be sad if all the spammers went away and the trojan in your computer can't connect to its control server anymore?
That part of the internet can as far as I'm concerned go to hell as well. Just like the data miners that now wail about their lost hunting grounds. Good riddance!
Re: (Score:2)
yeah, but how usefull is the internet when half of it pulls out of your location??
Just as useful, since they will just use the same VPNs that they use now to watch that awful American TV that they hate.
Re: (Score:2)
Even if you follow GDPR and are compliant, all it takes is one data br
Re: (Score:2)
Enjoy using Yandex instead of google then.
Nothing Wrong- It's for all the right reasons (Score:3)
This is for all the right reasons and there is nothing wrong with it.
Many businesses don't target foreign visitors, but get them anyway. Websites target local content (small businesses, retail locations, etc) that really gain no monetary benefit in showing their products to EU customers. Why deal with any compliance?
Keeping up with the laws of hundreds of foreign countries (and the states/provinces within them) is a full-time job. It's also very technical. A business in Canada or USA or any other country can either study EU legislation and adjust their web site for no real benefit (avoiding the risk of hefty fines) or just block the EU and move on with life.
Until countries unify their data protection and online laws for the greater good of society as a whole, this is the new state of the Internet. Focus on your own markets which makes you money, block everyone else. Saves risking non-compliance with foreign laws.
Re: (Score:2)
The EU can't fine you unless you actually do business in the EU. Websites that aren't targeting Europe have no need for geofencing.
Re: (Score:2)
When you don't deliver to the EU, there is no sensible reason for anyone but a shyster to register with your webpage and then try to abuse this. And that's easily thwarted by only accepting addresses in the US, because he'll have a hard time explaining how you're required to protect his private information when he himself made sure all the private information you have about him is false.
Judges in the EU in general aren't dumb enough to let shit like this fly.
Let me correct some details on the GDPR (Score:5, Informative)
Disclaimer: I've worked myself into GDPR details to shape my employer up for it.
GP is a little off on some details.
You have to *name* a Data Protectoin Officer. This can be anybody empowered to check compliance. Usually this is done by some administrative or IT specialist. Germany has had this for decades. No need for an extra hire.
You don't have to spend thousands or millions. You just need to have a proper setup and due diligence in place. The new thing is that you need to document procedures in a standardized manner. The big difference between the law that come in on 25.4.2018 is that someone could only sue you if he was damaged and only if he could prove a data breach of critical personal data. The fines up to this point also were laughable.
Now anyone involved, including customers, can ask how data is handled and the authorities and others have the right to review documentation of your SOPs for data protection. Also you're in for big trouble with massive fines (up to 4% of global anual revenue) if you're careless with data and aren't willing to comply with the GDPR.
In short: If you have your IT in order GDPR compliance isn't that much of a big deal.
Documentation is, but compliance is not.
If however your IT is shit, then you're in for trouble if they come for you. Big time. ... Can't really complain about that actually.
Since they *will* eventually come for you *and* most companies (online *and* brick and mortar) IT setups are somewhere between disorganized shite and abysmal, companies would rather opt out than go through the hassle of complying. Which means only companies with proper procedures and due diligence in their IT will remain doing business in the EU.
Thus endeth some real-world details on GDPR.
You're welcome.
Question (Score:2)
What are the parameters for determining if you must supply them with documentation and how are they triggered?
Re: (Score:2, Insightful)
What would you say to an American cop that wanted to search your EU located servers based on American laws?
That's the same answer the EUcrats will get.
No Harm No Foul (Score:2)
Don't want to deal with a country's rules? Don't let their citizens use their service or open an office there.
Should be everyone's right. Yeah privacy gets a hit but free market, someone else will fill the void and the world keeps on going.
Wrong reasons? (Score:3)
While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"
This is shockingly stupid implementation, not stupid motivation.
Re: (Score:2)
While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"
This is shockingly stupid implementation, not stupid motivation.
Personally, I'd do it server side, sure .. but it raises the question: since IP geolocation is inherently fuzzy, how good is good enough?
Something less than perfect is going to have to suffice as due diligence. The WWW is in fact world wide, and the world is full of different regulatory environments. It isn't reasonable for every website to have to ask every visitor where they are from (even if you could trust the answer).
Some EU people already use VPNs for various reasons to appear as though they come
Re: (Score:3)
While trusting users to load and execute Javascript is hopelessly naive
I don't think this meant to be a working technical solution, rather a legal solution. That is, it isn't conceptually different from "Warning, explicit content. Are you are least 18 years of age?". As a web master you are not actually interested in blocking anyone from accessing your site, so it is only minimum sufficient effort to satisfy legal requirements.
Brilliant idea (Score:5, Insightful)
If you don't want to have to deal with the laws of a certain country, should have the right to not do business inside that country.
Of course, that leaves a big underserved market. In less than 4 years someone will come along and serve them, while abiding by the laws they hate.
Which could very well lead to those companies losing world wide market share as those new, privacy conscience companies expand out of their underserved market into the general world wide marketplace.
As for the laws they are trying to avoid? We need them in our country.
And? (Score:2)
That's as it should be. If the regulatory costs of serving a region exceed the benefits to the company, then they don't serve that region.
If visitor lie about where they are from because they are just dying to use that juicy non-EU website, then fine, they don't get the regulatory protection. The company did due diligence to keep them out.
Seems reasonable.
good (Score:2)
Good.
When countries have congressmen/equivalent that pretend they can control the internet as part of their endless life of posturing, the correct answer is to move them off the adult table and block them.
Repeat until they decide they want to sit at the grown-up's table again, instead of playing Imaginary Level Of Reach And Obligations.
**note - they don't have to be sitting in the EU (Score:4, Informative)
A EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.
Also, if you stored the shipping label to let's say...send them a package to their vacation home in Iowa, you're still liable
If all you do is Geo-fence, you're already not going to make it.
Re: (Score:3, Interesting)
They aren't protected AT ALL. Unless you want to try to invade the US to enforce your rules, you can call all the cops you want, file some diplomatic grievances, quote some EU law, and they will laugh at you.
EU people are always on about the US trying to police the world. Well, this is the EU trying to enforce their laws globally. We tell the Chinese to piss off and they have *real* power. The EU is a bunch of backwater corrupotocrats trying to replicate the USSR who have no power what
Re: (Score:3)
The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.
You argue that the law might be unenforceable for companies not having a legal presence in the EU, but assuming this to be correct, it makes the geo-fencing even more useless: why geo-fencing away users when by your assumption you can ignore EU liabilities anyway?
Comment removed (Score:3)
Re:Thousands, try millions. (Score:5, Informative)
We didn't find much trouble in compliance. Sure we had to write a few policies and work out a procedure for exporting and deleting data from our systems. We did not spend even 25k in work to pull this off. It was fairly trivial for companies that don't make a product out of consumers.
Re: (Score:3)
The trouble is, actually being in compliance isn't enough. You have to be able to afford the lawyers to defend against the accusations, even when they're completely invalid. All you've done is reduce your risk; you haven't eliminated it.
Re:Thousands, try millions. (Score:4, Informative)
A one person shop does not need a DPO:
(Source: GDPR FAQ [eugdpr.org])
Unless that one person shop does engage in large scale processing of sensitive personal data, of course, but then they either have enough revenue to afford a DPO, or they are a shady 'ethicul biznizman' (aka spammer).
Re: (Score:2)
Only big companies need DPO. As per GDPR, DPOs must be appointed where the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale.
Also, an existing employee can function as DPO.
Re:EU needs to be careful... (Score:5, Insightful)
As a EU resident, I don't mind if companies are choosing to block EU if they can't comply with privacy rules. I'd rather not do business with those companies.
Re: (Score:3)
I actually want this to happen. Forks are good at times and allow for improvements. Maybe the european internet can create something better than the american one.
Re: (Score:2)
Seeing as neither of those things are true, want to try again?
Re: (Score:2)
Now companies will have to decide whether it'll cost them more to lose the EU market or comply to their regulations.
As someone living in the EU I'm curious how the outcome will look like. I expect most of the big businesses to comply but possibly a lot of smaller ones resorting to geoblocking. At any rate there's s
Re: (Score:2)
The little ones will ignore the EU, just as they ignore laws from Thailand and Saudi.
We'll see if the EU 'great firewalls' them in mass.
Re: (Score:2)
Actively locking them out of EU countries is the last resort of the EU if they do not comply in any way. Although that will probably have to happen on national basis, where every country may act in a different way.
But if
Re:EU needs to be careful... (Score:4, Insightful)
If the short-bus version actually respects people's privacy instead of spying on visitors, then maybe we need more short buses.
Re: (Score:3)
Yep. Now we can only hope that more markets follow in their footsteps and make it impossible for such sites to stay in business at all. It's not like compliance is hard - just stop recording information about your visitors. Unless of course your business model depends on spying on your visitors, in which case good riddance.
Re: (Score:2)
Block users and go out of business or at least cut down the operation would probably be the result.
Even businesses need a critical mass to operate and if you fall below a threshold you lose. But I suspect that most businesses will never even have a problem if they just follow the rules. The businesses that will suffer are all those pixel trackers and shit that are totally useless anyway.
Re: Why would an American site need to block GDPR? (Score:3)
Not necessarily. Treaties and a general good relationship with the EU means they could have US courts enforce judgment. Currently, the US is not under treaty to enforce the GDPR, but that could easily change.
Re: (Score:2)
It could get tricky, but in theory it's possible. In the end, unless you're storing private sensitive data about EU citizens in your database, why would you care?
Re: (Score:2)
Very obviously you haven't even looked at it.
Re: (Score:2)
With blackjack and hookers?