Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
EU Businesses Privacy The Almighty Buck

New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (bleepingcomputer.com) 553

Catalin Cimpanu, reporting for BleepingComputer: A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. GDPR, or General Data Protection Regulation, is a new user and data privacy regulation slated to come into effect in the EU three weeks from now, on May 25, 2018.

The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.

This discussion has been archived. No new comments can be posted.

New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance

Comments Filter:
  • by Dorianny ( 1847922 ) on Monday May 07, 2018 @09:45AM (#56566618) Journal
    geofencing is not exactly a new concept. At least it finally is being used for good (privacy protection) rather then for evil (arbitrary geographical media blocking)
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      It's also totally unnecessary. Either:

      1. You do business in the EU, therefore you fall under EU jurisdiction and have to follow EU laws. This service will not help because you still need to follow GDPR to do business there.
      2. You do not do business in the EU, therefore you do not fall under EU jurisdiction and do not have to follow EU laws. This service will not help you because the EU can't touch you in order to enforce GDPR.

      They're selling snake oil.

      • Also, embedding some JavaScript into your website will probably not help, anyway. If your website logs the IP address of every visitor, you've logged the IP of every EU citizen visiting your site, even with this JavaScript active.

        Also, any account data of EU citizens that registered with your service prior to GDPR doesn't magically disappear. So you store data from EU citizen and fall under the GDPR, but since you're now blocking those people from accessing your page you stop them from contacting you about

        • Unless you have a server or office in the EU, they don't have shit.

          The law should be ignored by all non-EU web sites.

          • by Z00L00K ( 682162 )

            It's not as simple as that - if you have operations in the EU even with servers elsewhere then you will still have problems with the GDPR.

            We will have to wait and see what happens, but it will be challenging for those that tries to work around GDPR if they want to keep EU customers. It may also be that similar regulations comes into effect in the US as well.

      • by Z00L00K ( 682162 )

        Recently I registered for a Fitbit and they had an added option that I had to select to opt out of data protection laws.

        But they don't understand that laws in the EU trumps any user agreement. EULAs are null and invalid if they break the law.

    • You're missing an important point.

      Geofencing is fine for blocking users extant to your area, but it's suicide to block customers inside your fence.

    • geofencing is not exactly a new concept. At least it finally is being used for good (privacy protection) rather then for evil (arbitrary geographical media blocking)

      So, am I liable for serving EU visitors who are already using VPNs (to lie about where they are coming from due to arbitrary geographical media blocking)?

  • by ranton ( 36917 ) on Monday May 07, 2018 @09:48AM (#56566638)

    A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance.

    This is just the type of service you would hope exists to make sure citizens can decide what levels of privacy they want and companies can decide what level of privacy they are willing to provide. For some time now we will see many stories of companies improving their privacy, companies pulling out of the EU market, and companies being fined by the EU. All are good and expected outcomes of rules such as the GDPR.

    • Re: (Score:2, Insightful)

      They aren't all "good and expected outcomes". Good being subjective. Being fined into oblivion for being on the web by an entity that you have never had interaction with, should be problematic for everyone.

      Compliance within tyranny is always "expected", and rarely all that "good".

      I run a website with worldwide audience. I've also never been to Europe. Tell me why I should comply or face fines to a jurisdiction I've never been to?

      No, there is nothing good about any of this, even if the goal is admirable.

      • by ranton ( 36917 ) on Monday May 07, 2018 @10:35AM (#56567028)

        I run a website with worldwide audience. I've also never been to Europe. Tell me why I should comply or face fines to a jurisdiction I've never been to?

        You are servicing their citizens while they reside in their country, so you should follow their laws. Just because the Internet makes it so easy to reach those customers doesn't mean you should be able to ignore their laws.

      • You don't have to comply, any more then you have to comply with Saudi laws (unless you set foot in their jurisdiction).

        • Re: (Score:2, Insightful)

          by DarkOx ( 621550 )

          yea keep telling yourself that story. Lets say you do decided hey I don't have any EU presence, I'll just ignore this issue. Some EU citizen access your site and complains you violated some GDPR provision. Now the EU fines you. You decided to tell them to politely stick their judgement where the sun don't shine.

          All is well until you realize your bank does business in the EU and they demand they freeze your accounts etc. No this BS and our government needs to step up to plate and take steps to protect

      • Have you even bothered to take a look at the law? We're not talking about a company asking for your name and mail address so they can deliver a box with shit you buy in it. You take that information, you store it, you don't distribute it, you're golden.

        Once you start selling it, you're in deep shit. As you effin' should be!

        • by ranton ( 36917 )

          Have you even bothered to take a look at the law? We're not talking about a company asking for your name and mail address so they can deliver a box with shit you buy in it. You take that information, you store it, you don't distribute it, you're golden.

          Once you start selling it, you're in deep shit. As you effin' should be!

          There are plenty of GDPR laws regarding how you store and eventually purge customer data even if you don't sell it.

          • None of them are a problem to the average store. Most have already finished implementing it, I recently got a flood of emails from stores I used ages ago, telling me that they'd be really sorry to lose me as a customer but they are going to delete my data now if I don't (click here) to tell them I'm still interested in staying with them.

            • by ranton ( 36917 )

              None of them are a problem to the average store. Most have already finished implementing it, I recently got a flood of emails from stores I used ages ago, telling me that they'd be really sorry to lose me as a customer but they are going to delete my data now if I don't (click here) to tell them I'm still interested in staying with them.

              I didn't say they were hard to implement, just that your statement was inaccurate.

    • Discuss the impact of EU websites whose entire business model is collecting and selling EU user data.

      Also: How does this impact Google, Facebook, Instagram, Snapchat, Twitter, and others?

  • Just like China has their own websites that comply with the great firewall we will have a world where large chunks of the internet will be GDPR walled. I expect most US companies will find it more profitable to block than comply.
    • If the US does similar legislation then suddenly the Internet will align to us and people will figure out new ways to make money.

    • by JaredOfEuropa ( 526365 ) on Monday May 07, 2018 @10:05AM (#56566762) Journal
      It depends on how onerous the GDPR really is. The biggest one is the requirement to have a Data Protection Officer, but this is required "only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences." For the rest it is pretty basic stuff: you need to be aware of the rules, and prepared to take action e.g. in case of a data leak. A lot of it really is common sense stuff, that is if you're a conscientious operator.

      The big companies will have no trouble complying, paying lip service or working around the rules. The smaller companies might at first decide to forget about Europe. This happened with a couple of smaller service providers when the EU VAT rules were changed: I got a few notices that such-and-such company was no longer able to provide their service in Europe. However they probably looked at the amount of business they were getting from Europe, had another look at the rules and found them not that hard to comply with, and removed the block.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday May 07, 2018 @09:59AM (#56566712)
    Comment removed based on user account deletion
    • yeah, but how usefull is the internet when half of it pulls out of your location??
      • by dave420 ( 699308 )

        There is no evidence that will happen, so I fail to see what your point is.

        Can you stop spreading nonsense about Europe, please? It seems every comment you make regarding it is factually incorrect.

        • An argument between ganjadude and dave420? Where's my popcorn?

          Also, there's no evidence it won't happen. I see no nonsense being spread here, only someone positing something that might actually happen. Time will tell; perhaps you shouldn't go around screaming "that won't happen" (an absolute) in response to someone positing that it might, lest you look like a fool if it does?
      • If it's the half I didn't want anyway, that's perfectly fine.

      • This half that want to abuse you? Very good! In fact 100% better.

      • Opening up the market to new, local competition? It just sounds better and better.

      • You mean you'd be sad if all the spammers went away and the trojan in your computer can't connect to its control server anymore?

        That part of the internet can as far as I'm concerned go to hell as well. Just like the data miners that now wail about their lost hunting grounds. Good riddance!

      • yeah, but how usefull is the internet when half of it pulls out of your location??

        Just as useful, since they will just use the same VPNs that they use now to watch that awful American TV that they hate.

    • It's probably not that simple. Some people who don't care are going to use proxies to get around the block. Also, you don't need to be a member of a website in order for them to be able to build a profile of you and your information. You probably have friends and acquaintances who are members that will gladly supply some information about you in fairly innocuous manners such as tagging you in photos or indicating a shared work history.

      Even if you follow GDPR and are compliant, all it takes is one data br
    • Enjoy using Yandex instead of google then.

  • by PhYrE2k2 ( 806396 ) on Monday May 07, 2018 @10:02AM (#56566740)

    This is for all the right reasons and there is nothing wrong with it.

    Many businesses don't target foreign visitors, but get them anyway. Websites target local content (small businesses, retail locations, etc) that really gain no monetary benefit in showing their products to EU customers. Why deal with any compliance?

    Keeping up with the laws of hundreds of foreign countries (and the states/provinces within them) is a full-time job. It's also very technical. A business in Canada or USA or any other country can either study EU legislation and adjust their web site for no real benefit (avoiding the risk of hefty fines) or just block the EU and move on with life.

    Until countries unify their data protection and online laws for the greater good of society as a whole, this is the new state of the Internet. Focus on your own markets which makes you money, block everyone else. Saves risking non-compliance with foreign laws.

    • The EU can't fine you unless you actually do business in the EU. Websites that aren't targeting Europe have no need for geofencing.

    • When you don't deliver to the EU, there is no sensible reason for anyone but a shyster to register with your webpage and then try to abuse this. And that's easily thwarted by only accepting addresses in the US, because he'll have a hard time explaining how you're required to protect his private information when he himself made sure all the private information you have about him is false.

      Judges in the EU in general aren't dumb enough to let shit like this fly.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Monday May 07, 2018 @10:08AM (#56566788)

    Disclaimer: I've worked myself into GDPR details to shape my employer up for it.

    GP is a little off on some details.

    You have to *name* a Data Protectoin Officer. This can be anybody empowered to check compliance. Usually this is done by some administrative or IT specialist. Germany has had this for decades. No need for an extra hire.

    You don't have to spend thousands or millions. You just need to have a proper setup and due diligence in place. The new thing is that you need to document procedures in a standardized manner. The big difference between the law that come in on 25.4.2018 is that someone could only sue you if he was damaged and only if he could prove a data breach of critical personal data. The fines up to this point also were laughable.

    Now anyone involved, including customers, can ask how data is handled and the authorities and others have the right to review documentation of your SOPs for data protection. Also you're in for big trouble with massive fines (up to 4% of global anual revenue) if you're careless with data and aren't willing to comply with the GDPR.

    In short: If you have your IT in order GDPR compliance isn't that much of a big deal.
    Documentation is, but compliance is not.

    If however your IT is shit, then you're in for trouble if they come for you. Big time.
    Since they *will* eventually come for you *and* most companies (online *and* brick and mortar) IT setups are somewhere between disorganized shite and abysmal, companies would rather opt out than go through the hassle of complying. Which means only companies with proper procedures and due diligence in their IT will remain doing business in the EU. ... Can't really complain about that actually.

    Thus endeth some real-world details on GDPR.
    You're welcome.

    • Documentation is, but compliance is not.

      What are the parameters for determining if you must supply them with documentation and how are they triggered?

    • Re: (Score:2, Insightful)

      by HornWumpus ( 783565 )

      What would you say to an American cop that wanted to search your EU located servers based on American laws?

      That's the same answer the EUcrats will get.

  • Don't want to deal with a country's rules? Don't let their citizens use their service or open an office there.

    Should be everyone's right. Yeah privacy gets a hit but free market, someone else will fill the void and the world keeps on going.

  • by Sloppy ( 14984 ) on Monday May 07, 2018 @10:12AM (#56566824) Homepage Journal

    While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"

    This is shockingly stupid implementation, not stupid motivation.

    • While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"

      This is shockingly stupid implementation, not stupid motivation.

      Personally, I'd do it server side, sure .. but it raises the question: since IP geolocation is inherently fuzzy, how good is good enough?

      Something less than perfect is going to have to suffice as due diligence. The WWW is in fact world wide, and the world is full of different regulatory environments. It isn't reasonable for every website to have to ask every visitor where they are from (even if you could trust the answer).

      Some EU people already use VPNs for various reasons to appear as though they come

    • by sinij ( 911942 )

      While trusting users to load and execute Javascript is hopelessly naive

      I don't think this meant to be a working technical solution, rather a legal solution. That is, it isn't conceptually different from "Warning, explicit content. Are you are least 18 years of age?". As a web master you are not actually interested in blocking anyone from accessing your site, so it is only minimum sufficient effort to satisfy legal requirements.

  • Brilliant idea (Score:5, Insightful)

    by gurps_npc ( 621217 ) on Monday May 07, 2018 @10:17AM (#56566860) Homepage

    If you don't want to have to deal with the laws of a certain country, should have the right to not do business inside that country.

    Of course, that leaves a big underserved market. In less than 4 years someone will come along and serve them, while abiding by the laws they hate.

    Which could very well lead to those companies losing world wide market share as those new, privacy conscience companies expand out of their underserved market into the general world wide marketplace.

    As for the laws they are trying to avoid? We need them in our country.

  • That's as it should be. If the regulatory costs of serving a region exceed the benefits to the company, then they don't serve that region.

    If visitor lie about where they are from because they are just dying to use that juicy non-EU website, then fine, they don't get the regulatory protection. The company did due diligence to keep them out.

    Seems reasonable.

  • by Falos ( 2905315 )

    Good.

    When countries have congressmen/equivalent that pretend they can control the internet as part of their endless life of posturing, the correct answer is to move them off the adult table and block them.

    Repeat until they decide they want to sit at the grown-up's table again, instead of playing Imaginary Level Of Reach And Obligations.

  • by btroy ( 4122663 ) on Monday May 07, 2018 @11:00AM (#56567254)
    People you do business with don't have to be sitting in the EU when they visit your site for you to be liable.

    A EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.

    Also, if you stored the shipping label to let's say...send them a package to their vacation home in Iowa, you're still liable ... as long as they are EU citizens.

    If all you do is Geo-fence, you're already not going to make it.
    • Re: (Score:3, Interesting)

      by Brett Buck ( 811747 )

      They aren't protected AT ALL. Unless you want to try to invade the US to enforce your rules, you can call all the cops you want, file some diplomatic grievances, quote some EU law, and they will laugh at you.

      EU people are always on about the US trying to police the world. Well, this is the EU trying to enforce their laws globally. We tell the Chinese to piss off and they have *real* power. The EU is a bunch of backwater corrupotocrats trying to replicate the USSR who have no power what

      • by bsolar ( 1176767 )

        The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.

        You argue that the law might be unenforceable for companies not having a legal presence in the EU, but assuming this to be correct, it makes the geo-fencing even more useless: why geo-fencing away users when by your assumption you can ignore EU liabilities anyway?

  • by account_deleted ( 4530225 ) on Monday May 07, 2018 @11:32AM (#56567584)
    Comment removed based on user account deletion

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...