
GDPR: Block EU Visitors with Cloudflare and .htaccess - xstartup
https://gist.github.com/zero-master/57ce7f5091503ca637747df5ba4fe71d
======
tpetrina
In Croatia you get fines for not having a valid fire extinguisher even though
there is one in the corner right there. Why? Because "they went out of their
office and cannot return empty handed, so let's write this small fine at
least".

Also, public companies (those owned partially by the state) are exempt from
GDPR...

That is why GDPR sucks, it is just another tool in an almost despotic government.

------
therealmarv
Although I dislike this solution for 99% of websites out there, there are
valid short term reasons to use this solution.

Imagine e.g. a user survey at a US university which saves data not in a GDPR
compliant format. Why should this very local small group website be GDPR
compliant when it's almost 100% sure it's only used from the US?

OK, but now I ask myself what happens if a European exchange student also
participates...

~~~
bjpbakker
> Why should this very local small group website be GDPR compliant when it's
> almost 100% sure it's only used from the US

Because it's the least one should do regarding privacy. Not being mandated by
law doesn't mean you don't have to do the right thing.

Many companies that sell your data are complaining at the moment because they
have to come clean about their malpractice. Don't let them distract you from
the companies that always did the right thing and were GDPR compliant before
the laws were written.

------
messe
This is a massive overreaction. As somebody in the EU I hope this GDPR
hysteria that the tech industry seems to be experiencing passes quickly.

~~~
RobertRoberts
What do you recommend the small businesses in the US do that have no business
presence in the EU, but have EU visitors to their sites?

It's not hysteria if it's a legitimate legal threat that could destroy your
ability to feed your family.

~~~
mstolpm
Tell your users what PII you collect about them and why, ask for consent and
give an option to opt-out.

There is no "legal threat" if you are open about your business model, keep
the collected PII reasonable and safe and don't sell the data without consent.
Honoring requests for information or deletion is still a problem for you if
you served EU users in the past and don't delete/anonymize that data - even
if you block access. If you're not open about your data processing and
handling and don't ask for consent, don't blame the GDPR for a business model
that can't be honest to your users.

~~~
RobertRoberts
You are confirming that all it takes is a little slip up, and your entire life
is ruined by legal fees. Or even just the "whiff" of potential slip up, not
even a real one, but only a perceived slip up, and your life is over.

I have been in court before; if you have not, perhaps that is why you are
ignorant of the horrendous dangers this law puts on everyone.

~~~
DanBC
No. After one small slip up nothing would happen, unless someone notices it
and reports it to the regulator. At that point they'd write you a letter and
explain where they think you're going wrong, and point to best practice, and
ask you to confirm what you're actually doing.

~~~
RobertRoberts
You mean like they did with Google and Facebook, on the FIRST day the law went
into effect?

[http://money.cnn.com/2018/05/25/technology/gdpr-compliance-f...](http://money.cnn.com/2018/05/25/technology/gdpr-compliance-facebook-google/index.html)

------
josteink
This is a great canary to weed out shady businesses and websites which cannot
account for how they treat their users data.

Meanwhile other businesses which take the GDPR seriously get a massive boost
in trust and reputation.

Guess which ones are going to get meaningful new business and which ones will
be deemed unreliable and untrustworthy?

~~~
RobertRoberts
I think this was meant as a hammer on the Facebook/Google cartel. I doubt even MS,
Amazon, or other large companies will be as adversely affected.

The GDPR targets the very business models of companies that collect data and
sell it. For this I applaud its effects, but it's a big nasty dragnet, and
innocents are likely to get hurt.

------
rudiv
Re: messe - the massive overreaction seems to be from Americans in this thread
insisting that, since their perception of government regulators is as
inefficient, a drag on business, and intent on vindictively fining people
contrary to the provisions of their enabling legislation. (To me) it seems like
hand-wavy alarmism about the threat of international law and supranationalism
to perceived individual freedom.

------
bitxbitxbitcoin
Blocking EU visitors doesn't actually make you GDPR compliant.

~~~
RobertRoberts
I am not compliant with Chinese, British or German anti-free-speech laws
either. Why should anyone feel threatened by a foreign government's internal
laws? The US is a sovereign nation (as are almost all others) and EU laws do
not apply here.

~~~
messe
They certainly apply if you wish to do business in the EU.

~~~
RobertRoberts
Isn't that the crux of the matter?

The GDPR _explicitly_ states that it's irrelevant if you want to do business
there or not. It claims global authority over all nations and businesses that
interact with its "citizens", NOT "do business in the EU".

This is an unprecedented legal overreach. Just because we want the hammer
brought down on the FB/Google beast, doesn't mean we should chop off our own
hands to accomplish it.

~~~
DanBC
> This Regulation applies to the processing of personal data in the context of
> the activities of an establishment of a controller or a processor in the
> Union, regardless of whether the processing takes place in the Union or not.

This one doesn't apply, because the controller or processor is outside the
union.

> This Regulation applies to the processing of personal data of data subjects
> who are in the Union by a controller or processor not established in the
> Union, where the processing activities are related to:

> the offering of goods or services, irrespective of whether a payment of the
> data subject is required, to such data subjects in the Union; or

This one does apply, and look, it mentions services, but also...

> the monitoring of their behaviour as far as their behaviour takes place
> within the Union.

...this applies too. You're monitoring the behaviour of EU citizens; those
people have protections.

~~~
RobertRoberts
Let's compare this idea. I should be able to sell verboten art in Germany
because I am an American citizen, and it's legal to do so here (but not
there), so I "have protections" by my laws in the US?

Or am I misunderstanding how you are justifying the GDPR?

~~~
candiodari
And Germany is free to stop that merchandise at the border, and then burn it.
They only very, very rarely do so, but when they do, they will go after the
customer that bought it.

Same thing when it became clear 2 years ago that sending large amounts of
opiates through the mail into Germany is not actually a problem.

So theoretically, you are allowed to sell that art, because those laws don't
apply to you. In theory it should be stopped at the border, and your customer
may get arrested for buying it.

In practice, you are allowed to sell that art, and nothing is stopping you.

Needless to say, Germany is crying foul! We make rules, and don't enforce
them, and others don't automatically enforce them for us! Evil capitalist
data-selling election-stealing swine!

~~~
RobertRoberts
So if American laws (free speech) don't protect Americans in Germany, why
should German laws (GDPR) protect Germans in the US?

(note, I fully support the spirit of this law, and am happy they are shutting
down the data cartels' abuses)

------
amriksohata
This is almost spite from US companies that don't want to conform to EU
regulations.

~~~
RobertRoberts
How do you recommend any company that makes less than a million a year live
under the threat of accidental destruction at the whim of a foreign nation?

Do you think we should comply with every country's laws? What happens when
they conflict? (like US free speech laws vs China, or even Britain?)

~~~
amriksohata
I never said I was pro or anti EU regulations; the EU needs to learn they are
not the only player in the market.

