
GDPR for side-projects? Blocking all EU traffic with Nginx in 3 simple steps - ummjackson
https://medium.com/@jacksonpalmer/gdpr-for-side-projects-blocking-all-eu-traffic-with-nginx-in-3-simple-steps-136ddd8078a4
======
salad77
But for compliance many interpretations say it's EU /citizens/; I don't think
there are 3 simple steps to block any EU citizen...

I'm sure many Governments would _love_ to be able to so simply identify what
their citizens do online though.

~~~
jiveturkey
Those interpretations are wrong. But even so, blocking EU traffic by IP isn't
sufficient.

~~~
silsha
> those interpretations are wrong.

Source?

~~~
kevsim
Not a lawyer myself, but according to the regulation ([https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN)): "In
order to ensure that natural persons are not deprived of the protection to
which they are entitled under this Regulation, the processing of personal data
of data subjects who are in the Union by a controller or a processor not
established in the Union should be subject to this Regulation where the
processing activities are related to offering goods or services to such data
subjects irrespective of whether connected to a payment"

So if the users are in the Union and you're not, you're still on the hook. If
the users aren't in the Union, you're free and clear.

Also applies to EEA countries like Norway and Liechtenstein btw (source: am
currently working on GDPR compliance in Norway).

------
cpc26
Unless your side project is a Bot-Net this article seems very FUDDY...

------
cpburns2009
While this sounds like an overreaction, I question the breadth of this method
(unrelated to the reliability of IP address origin).

> This tells nginx to assign the $allow_visit variable a 0 for any users the
> GeoIP database specifies as coming from the “EU” continent.

Europe is the continent. The EU does not encompass all European countries.
Doesn't this needlessly block non-EU European countries?

~~~
ummjackson
Good point, it likely does. Alternatively, you could set up the rules using
country and list out the 28 that make up the EU.
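A country-code version of the rule, as an added example that is not from the article or from anyone in this thread. It assumes nginx built with the stock `ngx_http_geoip_module` (`--with-http_geoip_module`) and a legacy GeoIP country database at the path shown, and reuses the article's `$allow_visit` variable. The list is the 28 member states at the time of the thread; the three EEA states kevsim's comment points at are included as a separately marked group so they can be dropped if not wanted.

```nginx
http {
    # Assumed path to the legacy GeoIP country database; sets $geoip_country_code
    # to the ISO 3166-1 alpha-2 code of the client address, or "" if unknown.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Country-level allow list: 1 = serve, 0 = block. Unknown addresses ("")
    # fall through to "default", so decide deliberately which way they go.
    map $geoip_country_code $allow_visit {
        default 1;

        # The 28 EU member states (2018 list, UK included)
        AT 0; BE 0; BG 0; HR 0; CY 0; CZ 0; DK 0; EE 0; FI 0; FR 0;
        DE 0; GR 0; HU 0; IE 0; IT 0; LV 0; LT 0; LU 0; MT 0; NL 0;
        PL 0; PT 0; RO 0; SK 0; SI 0; ES 0; SE 0; GB 0;

        # EEA/EFTA states also covered by the regulation (see kevsim above)
        IS 0; LI 0; NO 0;
    }

    server {
        listen 80;
        server_name example.com;          # placeholder hostname

        # Refuse the request before any personal data is processed further
        if ($allow_visit = 0) {
            return 403;
        }

        # Optional: the explanatory 403 page mentioned further down the thread
        error_page 403 /gdpr.html;
        location = /gdpr.html {
            root /var/www/blocked;        # assumed document root for the notice
            internal;
        }

        location / {
            root /var/www/html;           # assumed document root for the site
        }
    }
}
```

Test the mapping with `nginx -t` and a request from a known address before relying on it; as several comments here point out, the database is a lookup by IP address, so VPN users, roaming citizens and mis-attributed address blocks are outside what this rule can see.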

------
LinuxBender
Geo IP blocking will not block the EU citizens that are not physically in the
EU at the time.

Just for fun, I would add

    server {
        # snip....
        access_log  off;
        # error_log has no "off" value; "error_log off;" would write to a file named "off"
        error_log   /dev/null;
        return 307 https://www.google.com/search?q=gdpr;
    }

That should block anyone that might be an EU citizen. /s

~~~
isbvhodnvemrwvn
Nor ones who use VPNs located in other countries.

------
ilovetux
Along with the author, I am hesitant to needlessly follow regulations which
only apply to a small portion of the global population of which I am not a part,
especially since there are simple ways to sidestep the liability.

This, however, does give me an idea. Does anyone have an interest in a web
framework which provides user/data management in a gdpr compliant way?

------
lrpublic
This seems to be flawed logic: many EU devices have IP addresses from non-EU
address blocks.

Assuming there is any significant adoption of your proposed solution to avoid
GDPR rules, the likelihood is EU citizens will use VPN or proxy services to
bypass the restrictions.

I don’t think the use of a VPN would remove the GDPR obligations on the data
controller or data processor.

~~~
icebraining
It pretty much does. Sites are not automatically subject to the GDPR, even if
they happen to be accessible; there must be some evidence that they intend to
be used by users in the EU. Blocking it seems pretty good evidence that they
don't.

See [https://gdpr-info.eu/recitals/no-23/](https://gdpr-info.eu/recitals/no-23/)

------
olliej
If you have a side project that siphons personal information from people for
no reason, then maybe the gdpr isn’t the problem...

~~~
inetsee
My reading of the GDPR says that the MINIMUM fine is 20,000,000 Euros, which I
think would be a pretty big problem for an individual working on a side
project.

I also think the 403 error page explaining that the GDPR is the reason the
visitor can't access the page is a nice touch.

~~~
Sohcahtoa82
[https://gdpr-info.eu/art-83-gdpr/](https://gdpr-info.eu/art-83-gdpr/)

The wording says fines "up to 20,000,000 Euros"

"up to" usually implies a minimum, not a maximum.

~~~
dragonwriter
> "up to" usually implies a minimum, not a maximum.

“Up to” literally means a maximum.

~~~
Sohcahtoa82
Errr...I typoed my previous message and accidentally flipped them.

The previous commenter said the fine was a 20m "minimum" fine. The GDPR text
says it's "up to" 20m. I meant to say that that means it's a maximum.

------
hathathat
What would be a GDPR-compliant yet useful access_log setting?

~~~
ummjackson
You could just use a log format that excludes or obfuscates IP addresses, I
believe.
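One way to do what the reply describes, as an added example that is not from the thread or the article: a `map` derives an anonymised copy of `$remote_addr` (IPv4 truncated to its /24, IPv6 to its first three groups), and a custom `log_format` uses that copy in place of the real address. The log file path and hostname are assumptions.

```nginx
http {
    # Anonymise the client address before it reaches any log line.
    # IPv4: keep the first three octets, zero the last (a /24).
    # IPv6: keep the first three groups when they are written out explicitly
    #       (a /48); compressed forms such as 2001:db8::1 and anything else
    #       fall through to "default" and are logged as 0.0.0.0.
    map $remote_addr $remote_addr_anon {
        ~^(?P<ip>[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$                 $ip.0;
        ~^(?P<ip>[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+):          $ip::;
        default                                                   0.0.0.0;
    }

    # Same layout as the stock "combined" format, with two changes:
    # the anonymised address replaces $remote_addr, and $remote_user is
    # replaced by a literal "-" because a username is personal data too.
    # $http_x_forwarded_for is deliberately not logged; it would carry the
    # real address straight back in.
    log_format anonymised '$remote_addr_anon - - [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent"';

    server {
        listen 80;
        server_name example.com;                           # placeholder
        access_log /var/log/nginx/access.log anonymised;   # assumed path
        location / {
            root /var/www/html;                            # assumed path
        }
    }
}
```

Two things this does not cover: `error_log` entries (for example for rate limits or upstream failures) still include the full `client:` address, so their retention needs its own decision, and anything upstream such as a load balancer or CDN keeps its own logs independently of this format.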

------
splintercell
HN crowd loves GDPR, so get ready for this never making it to the front page.

~~~
matthewmacleod
The front page has had daily articles from misinformed US tech startups
collectively shitting themselves about GDPR for weeks.

~~~
cft
How many former US startups such as Google or eBay do you use in the UK? And
how many former UK startups does an average US user use? There's gotta be a
reason for this disparity. And the reason is regulatory capture in the EU.

~~~
lovich
Man, I think that's the first time I've seen someone compare the EU to the US
unfavorably on regulatory capture. They both have it, but the US has basically
perfected it. Just look at the FCC and its current chair.

