
GDPR compliance as a service - bmurray7jhu
https://gdpr-shield.io/
======
lillesvin
> Simply paste our JavaScript snippet into your website's code. We'll check
> every visitor of your site and will block access to users located within the
> EU.

See, the problem here is that you actually have to send an HTTP request to the
site that's trying to block you, then you load it along with their JavaScript
which _then_ blocks you, but at that point the initial request(s) has already
been logged and now they have to comply with the GDPR.

I refuse to believe this is not a joke.

~~~
niko001
Not a joke :). GDPR Shield as a product is GDPR compliant. Customers sign a
data processor agreement with the service. It anonymizes IP addresses, they
aren't transferred to any other third-party provider and aren't stored.

~~~
ezekg
But like I mentioned on Indie Hackers, _your_ customers still have their own
logs that need to be GDPR-compliant, which defeats the whole purpose. The page
that requests your JS still has to be sent by a server, which will likely log
the EU citizen’s IP. And then there’s the case where the EU citizen is using a
VPN server in the US...

~~~
lucio
Maybe, but it's clear that your company doesn't specifically target its
services at individuals in the EU. Your company is actually using active
measures to not do that.

------
tylermenezes
The idea that simply having an EU visitor load your site can subject you to a
$2M fine is a recurring bit of FUD.

Directly from the EU:

> Provided your company doesn't specifically target its services at
> individuals in the EU, it is not subject to the rules of the GDPR.

([https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/sanctions/what-if-my-company-organisation-fails-comply-data-protection-rules_en))

~~~
niko001
How a company "specifically targets its services at individuals in the EU" is
not clearly defined within GDPR. Even if you just set your AdWords targeting
to 'global', it might be enough to trigger this. GDPR Shield is a clear signal
that you're not targeting EU users.

~~~
rhabarba
> How a company "specifically targets its services at individuals in the EU"
> is not clearly defined within GDPR.

Does that mean that (e.g.) German bloggers are not bound to the GDPR when they
just add "made for the Swiss" to their header?

~~~
DanBC
What personal data are German bloggers gathering?

~~~
rhabarba
IP addresses, e-mail addresses from those who comment...

~~~
DanBC
IP addresses alone are not personal data. They're only personal data if they
can be used to identify a natural person.

If someone is gathering and storing email addresses and ip addresses it seems
reasonable to ask them to take industry standard measures to protect that
data, and to let users know that the data is being collected.

~~~
rhabarba
> IP addresses alone are not personal data.

According to the GDPR, they are. [https://eugdprcompliant.com/personal-data/](https://eugdprcompliant.com/personal-data/)

"The conclusion is that the GDPR does consider it as such."

------
esya
niko001 / Niklaus or whatever. This is extremely shady. You've copy pasted
your whole terms and conditions from this page :

[https://buffer.com/terms](https://buffer.com/terms) VS: [https://gdpr-shield.io/terms](https://gdpr-shield.io/terms) - Saved here
[https://web.archive.org/web/20180504020320/https://gdpr-shie...](https://web.archive.org/web/20180504020320/https://gdpr-shield.io/terms)
for good measure

Which is illegal to begin with. You even forgot to replace the part that
explains what the service does and left the part that says that gdpr shield
"provides a social media management tool".

You're selling something that just basically does a geoip lookup, and then
tries to block people from an entire continent, with pure JS, which can be
easily avoided, by the way. I'm shooting buffer an email to let them know
you're infringing on their legal material.

~~~
nostrademons
Copying legal documents isn't illegal, and in fact many lawyers will just run
a search & replace on an existing client's T&C to generate a new T&C. This is
also how T&C generator websites work. It's actually recommended, as then you
have standardized language that is all well-defined in the eyes of the courts.

~~~
AliAdams
You are going to have to do a better job of backing that claim up. It
certainly seems to be an obvious breach of intellectual property law at the
very least. Citing that some lawyers do this does not automatically make it
legal.

~~~
nostrademons
My initial claim is perhaps a bit too strong. Case law is basically that the
_unique_ portions of a T&C or other contract are protected by copyright law,
but boilerplate terms that have appeared in lots of different firms' documents
are considered public domain.

[http://pub.bna.com/ptcj/1051462Jan11.pdf](http://pub.bna.com/ptcj/1051462Jan11.pdf)

GDPR-shield's original T&C was actually copied from ShareKit, which is another
product from the same company:

[https://www.sharekit.io/terms](https://www.sharekit.io/terms)

But going paragraph by paragraph down the terms, you get this list of
companies, all with the same language:

[https://www.google.com/search?q=%22Except+for+certain+kinds+...](https://www.google.com/search?q=%22Except+for+certain+kinds+of+disputes+described+in+Section+17%2C+you+agree+that+disputes+arising+under+these+Terms+will+be+resolved+by+binding%2C+individual+arbitration%2C+and+BY+ACCEPTING+THESE+TERMS%2C+YOU+AND+SHAREKIT+ARE+EACH+WAIVING+THE+RIGHT+TO+A+TRIAL+BY+JURY+OR+TO+PARTICIPATE+IN+ANY+CLASS+ACTION+OR+REPRESENTATIVE+PROCEEDING.+YOU+AGREE+TO+GIVE+UP+YOUR+RIGHT+TO+GO+TO+COURT+to+assert+or+defend+your+rights+under+this+contract+\(except+for+matters+that+may+be+taken+to+small+claims+court\).+Your+rights+will+be+determined+by+a+NEUTRAL+ARBITRATOR+and+NOT+a+judge+or+jury.+\(See+Section+16\).%22&oq=%22Except+for+certain+kinds+of+disputes+described+in+Section+17%2C+you+agree+that+disputes+arising+under+these+Terms+will+be+resolved+by+binding%2C+individual+arbitration%2C+and+BY+ACCEPTING+THESE+TERMS%2C+YOU+AND+SHAREKIT+ARE+EACH+WAIVING+THE+RIGHT+TO+A+TRIAL+BY+JURY+OR+TO+PARTICIPATE+IN+ANY+CLASS+ACTION+OR+REPRESENTATIVE+PROCEEDING.+YOU+AGREE+TO+GIVE+UP+YOUR+RIGHT+TO+GO+TO+COURT+to+assert+or+defend+your+rights+under+this+contract+\(except+for+matters+that+may+be+taken+to+small+claims+court\).+Your+rights+will+be+determined+by+a+NEUTRAL+ARBITRATOR+and+NOT+a+judge+or+jury.+\(See+Section+16\).%22)

[https://www.google.com/search?q=%22You+must+be+at+least+%5B1...](https://www.google.com/search?q=%22You+must+be+at+least+%5B18%5D+years+old+to+use+the+Service.+By+agreeing+to+these+Terms%2C+you+represent+and+warrant+to+us+that%3A+%28a%29+you+are+at+least+%5B18%5D+years+old%3B+%28b%29+you+have+not+previously+been+suspended+or+removed+from+the+Service%3B+and+%28c%29+your+registration+and+your+use+of+the+Service+is+in+compliance+with+any+and+all+applicable+laws+and+regulations.%22&oq=%22You+must+be+at+least+%5B18%5D+years+old+to+use+the+Service.+By+agreeing+to+these+Terms%2C+you+represent+and+warrant+to+us+that%3A+%28a%29+you+are+at+least+%5B18%5D+years+old%3B+%28b%29+you+have+not+previously+been+suspended+or+removed+from+the+Service%3B+and+%28c%29+your+registration+and+your+use+of+the+Service+is+in+compliance+with+any+and+all+applicable+laws+and+regulations.%22)

[https://www.google.com/search?q=%22To+access+most+features+o...](https://www.google.com/search?q=%22To+access+most+features+of+the+Service%2C+you+must+register+for+an+account.+When+you+register+for+an+account%2C+you+may+be+required+to+provide+us+with+some+information+about+yourself%2C+such+as+your+name%2C+email+address%2C+or+other+contact+information.+You+agree+that+the+information+you+provide+to+us+is+accurate+and+that+you+will+keep+it+accurate+and+up-to-date+at+all+times.%22&oq=%22To+access+most+features+of+the+Service%2C+you+must+register+for+an+account.+When+you+register+for+an+account%2C+you+may+be+required+to+provide+us+with+some+information+about+yourself%2C+such+as+your+name%2C+email+address%2C+or+other+contact+information.+You+agree+that+the+information+you+provide+to+us+is+accurate+and+that+you+will+keep+it+accurate+and+up-to-date+at+all+times.%22)

[https://www.google.com/search?q=%22The+Service+will+require+...](https://www.google.com/search?q=%22The+Service+will+require+you+to+pay+monthly+fees.+Before+you+pay+any+fees,+you+will+have+an+opportunity+to+review+and+accept+the+fees+that+you+will+be+charged.+All+fees+are+in+U.S.+Dollars+and+are+non-refundable.+Fees+vary+based+on+the+plan,+with+different+pricing+schemes+for+individual+users+and+organizations.%22&filter=0&biw=1268&bih=723)

[https://www.google.com/search?q=%22may+seek+pre-authorizatio...](https://www.google.com/search?q=%22may+seek+pre-authorization+of+your+credit+card+account+prior+to+your+purchase+to+verify+that+the+credit+card+is+valid+and+has+the+necessary+funds+or+credit+available+to+cover+your+purchase.%22&oq=%22may+seek+pre-authorization+of+your+credit+card+account+prior+to+your+purchase+to+verify+that+the+credit+card+is+valid+and+has+the+necessary+funds+or+credit+available+to+cover+your+purchase.%22)

[https://www.google.com/search?q=%22The+Service+may+include+a...](https://www.google.com/search?q=%22The+Service+may+include+automatically+recurring+payments+for+periodic+charges%22)

[https://www.google.com/search?q=%22may%20suspend%20or%20term...](https://www.google.com/search?q=%22may%20suspend%20or%20terminate%20access%20to%20the%20Service%20for%20any%20account%20for%20which%20any%20amount%20is%20due%20but%20unpaid.%22)

That's only through section 4, but so far every clause is legal boilerplate
except for the first paragraph of section 4, which is unique to ShareKit (and
ThreadRadar, another product by the same entrepreneur).

------
jloughry
The privacy of EU persons coming in from a non-EU IP address still needs to be
protected under GDPR. This solution is a start but it's not bulletproof.

Edit: I don't want anyone to think I believe it's a _good_ start but it is a
kind of solution. I wonder if lots of US companies, once they begin to realize
GDPR is a problem for them, won't decide to try one of two things:

1. This: block access from IP addresses believed to belong in Europe.

2. Lobby Congress for a law (or a quick Executive Order) saying that US
companies don't have to comply with GDPR.

A few weeks ago on Twitter [1], I speculated about #2. It was too early, I
guess. Few people in USA seem to be aware of GDPR at the present time. That'll
change in a couple of weeks.

[1]
[https://twitter.com/CnAdoctor/status/978849723808301057](https://twitter.com/CnAdoctor/status/978849723808301057)

~~~
niko001
When you make a reasonable effort to block access to EU users, EU citizens
aren't covered under GDPR if they happen to access your site from a non-EU
country temporarily:

"This won't apply to every U.S. business — just the ones that are knowingly,
and actively, conducting business in the EU. In this vein, EU courts have the
discretionary ability to determine if a U.S. company was purposely collecting
EU resident data and subverting GDPR compliance. So, in some cases, the
inadvertent collection of personal data will be forgiven if it is found to
have been occasional and "unlikely to result in a risk to the rights and
freedoms of natural persons."

(from [https://community.spiceworks.com/topic/2007530-how-the-eu-ca...](https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr))

~~~
saf2002
That is an interpretation of the law and is not in accord with what the ICO
(the regulator) is saying. If you have a site called "UK Expats" and you block
EU IPs you will still be liable since your site is offering a service to EU
citizens. A less extreme use case but equally applicable: you have a shoe
store in the US and your style is liked by French citizens living in the US;
since a considerable amount of traffic is coming from EU citizens you are
under GDPR, even if it is only 20%, even if they are in the US, even if you
blocked all European IPs.

------
quickthrower2
I'm currently an EU-ish Citizen, not residing in the EU. Will it block me?

Also will it block JS-blocking EU Citizens residing in the EU?

Let's not mention VPNs. Let's not mention Tor.

This feels like a "registry cleaner" for GDPR

o. xkcd: [https://xkcd.com/1969/](https://xkcd.com/1969/)

~~~
jwilliams
On my (and others') current read, it only applies when you are resident in the
EU. Specifically:

> It applies to all companies processing and holding the personal data of data
> subjects residing in the European Union, regardless of the company’s
> location.

------
privacypoller
A "GDPR Compliance" service with a _6000_ word terms of service including such
gems as agreeing to binding arbitration, no class-action lawsuits, and
royalty-free use of your logo and name, a privacy policy that allows them to
use your personal information to promote "new features and special offers" and
runs google analytics...

This is a joke, right? You'd have to be crazy to protect these guys with
anything to do with personal information protection and privacy.

------
CorpOverreach
Maybe I'm missing something - but as a US citizen, with a US company, how can
EU laws be enforced against me?

What's the legal channel here? Do they plan on arresting me if I decide to
vacation to an EU country? Will the US gov't comply with levying fines due to
some treaty/agreement between the countries?

~~~
kuschku
The most likely solution is the same way the US enforces US laws (e.g.
Megaupload case) in other countries: Seizing their assets (through cooperation
with banks) and then asking for extradition.

~~~
paulddraper
Frightening to think something as innocuous as making a website of chocolate
chip recipes and logging visitor IPs could provoke that.

~~~
tzahola
Tip: don’t log the IPs then.

~~~
reificator
I spin up a Wordpress site with default options to host my chocolate chip
recipes. Is it GDPR compliant?

I go through and toggle all the settings the internet tells me to, even though
I don't know their meaning or effect. Am I GDPR compliant?

I install a Wordpress plugin that sets up a Really Simple Chocolate Chip
Syndication server, or RSCCS. That plugin logs IPs. If I was GDPR compliant
previously, now I'm not, and how would I ever know?

~~~
ams6110
If you don't know what you're doing, don't involve others.

~~~
reificator
Since I don't quite get the point you're making here, I think I should specify
that I was playing the role of someone who wants to start up a website on the
side but isn't an expert on computers, networking, software development, or
international privacy law.

I know plenty of people with a get rich quick scheme to sell widgets, but who
don't know the difference between WordPress and Microsoft Word.

Expecting them to know that starting a website with a plug and play webserver
could collect sensitive information on their behalf is pushing it a bit.
Expecting them to know they have to comply with a law passed by a governing
body they've never come within 1k miles of...

~~~
majewsky
> I was playing the role of someone who wants to start up a website on the
> side but isn't an expert on computers, networking, software development, or
> international privacy law.

If you're not an expert, you have to get one. Same reason why you cannot just
go and plan a non-trivial building by yourself when you're not an architect or
civil engineer.

~~~
redblacktree
> > I was playing the role of someone who wants to start up a website on the
> side but isn't an expert on computers, networking, software development, or
> international privacy law. > If you're not an expert, you have to get one.
> Same reason why you cannot just go and plan a non-trivial building by
> yourself when you're not a architect or civil engineer.

This attitude is really sad to me. It was and is one of the greatest things
about the internet, that pretty much anyone anywhere could publish something.
If you now need an "expert" to do that, we've lost something.

~~~
reificator
Unfortunately, copy/pasting a formatted comment on HN doesn't have enough
newlines to quote the post properly.

Anywhere you want one newline in your output, you have to use two.

------
rjv
I have this eerie suspicion that GDPR cases will be a haven for trollish
and/or opportunist behavior. Instead of huge corporations having to shell out
significant money to swallow up start-up competitors, they could much more
cheaply pay EU citizens to exploit the huge burden of the law on small
companies or even solo endeavors. I hope I can be convinced to be optimistic.

~~~
encoderer
Yes, government regulation is unquestionably more of a burden to companies
without legal teams. If you’re smaller it’s an eternal calculus of flying
under the radar and trying not to be the bug that gets the windscreen.

------
nightcracker
From GDPR-shield's terms and conditions ([https://gdpr-shield.io/terms](https://gdpr-shield.io/terms)):

1. GDPR Shield Service Overview

The Service provides a social media management tool that enables users to
customize the link preview window of websites under their control on social
platforms, in addition to other analytics tools to help bolster users' social
media content.

...what? Is this a botched copy/paste job?

~~~
esya
Yep, it's copy pasted from
[https://buffer.com/terms](https://buffer.com/terms)

He's running a really shady business.

------
cddotdotslash
Put your site behind CloudFront, block EU countries. There, we've solved the
problem without a shady SaaS.

Edit: which wasn't even a problem to start with, but if this is the route you
want to go, the above is nearly foolproof and costs next to nothing.

~~~
niko001
There are many ways to achieve this goal, I just wanted to provide a drop-in
solution that's independent of the underlying infrastructure.

------
threeseed
I can't tell if this is a joke or not.

Don't pay "thousands" for GDPR compliance work which will improve your product
by providing basic privacy and security features.

Instead pay up to $79 a month for a service to block a large percentage of
your traffic.

~~~
niko001
Not a joke :). The pricing is actually cheaper than "bare" geolocation APIs,
which don't do the blocking-part. Have a look at
[https://ipstack.com/product](https://ipstack.com/product) for example.

If you get a quote from an experienced data protection lawyer for GDPR
compliance, this will be an order of magnitude cheaper in the long run.
There's a real risk of getting sued / getting cease and desist letters from
predatory law firms who aim to collect fees for small mistakes in your privacy
policy.

~~~
threeseed
> There's a real risk of getting sued / getting cease and desist letters from
> predatory law firms who aim to collect fees for small mistakes in your
> privacy policy

No there isn't.

When the GDPR fines are 2% of revenue there isn't the incentive for lawyers to
go after businesses earning less than a million a year in revenue.

~~~
niko001
You're mixing up the member states' enforcement (4% of worldwide turnover or
€20 million, whichever is higher) and civil suits. There are law firms that
send out thousands of cease and desist letters (which is a civil action) based
on automated searches for mistakes. It absolutely makes economic sense for
lawyers to pursue out-of-court settlements from businesses if it's mostly
automated.

~~~
GordonS
This is just nonsense. I don't see how the GDPR possibly allows civil actions
for infractions, doubly so for countries outside the EU.

------
CLGrimes
I can't tell if this is a fake service or not, but blocking users from EU IP
address ranges (which I'm assuming is how it works) will still not stop the EU
from following a trail of data that could originate from your organization.

That's the biggest thing from the EU's GDPR rules - what is your
organization's data inventory, how does it map outside of your organization,
and how are you securing PII?

If a complaint is made from someone who is an EU citizen, and another
organization shows logs that they got this information from your web app or
service, that will trigger an audit from the EU. Blocking access to a subset
of IP ranges will do absolutely nothing to stop this, and will not stop the
sharks once they have smelled blood.

In a sense, the EU has plain rules that you can protect against, unlike the
FTC/FDA (for HIPAA etc.) who are vague and will not disclose how you can
protect your own organization.

------
troydavis
Disclaimer: This is not legal advice.

Blocking EU visitors by IP doesn’t eliminate the need to comply with GDPR,
because GDPR jurisdiction isn’t based on where the service thinks the
user is (whether from IP geocoding or another source).

If an EU resident is using a VPN, or using an IP that incorrectly geocodes to
a non-EU country, or behind a private corporate network and NAT that egresses
traffic in a non-EU country, GDPR still applies. Any site with more than
trivial traffic will have some users with those characteristics.

Experts debate whether explicitly requiring users to confirm that they aren’t
in the EU - say, a country dropdown - is even a solution. If an EU resident
visitor lies, they may well still be protected by GDPR (and the EU is large
enough for enforcement to matter even if a site doesn't have an EU presence).

~~~
tripletao
> If an EU resident visitor lies, they may well still be protected by GDPR
> (and the EU is large enough for enforcement to matter even if a site doesn't
> have an EU presence).

What's your basis for this statement? If it's true, then literally everyone in
the world is covered by the GDPR, because they might be from the EU and lying.
That seems (a) absurd--you think an American court is going to enforce a
judgment against an American company that accidentally violated the GDPR
because an EU resident lied to it?--and (b) inconsistent with the statements
of Facebook et al. that they will comply with the GDPR only for those subject
to it.

~~~
paulddraper
> What's your basis for this statement?

Lying does not necessarily waive rights. E.g. perjury does not waive 5th
amendment rights. Hence "may well still". If you know this _not_ to be the case
here, do share.

> If it's true, then literally everyone in the world is covered by the GDPR

You mean GDPR is a massive overreach where one organization is trying to
regulate effectively the entire internet? Yeah, that about sums it up.

~~~
tripletao
In a certain sense, no one can know any law until the judge rules; but it
seems there are people who believe:

1. To within some threshold of certainty, it is not yet possible to determine
whether blocking EU visitors by IP, asking the remainder if they are subject
to the GDPR, and blocking them if they say yes complies.

2. To within that same threshold, I can determine that some other plan (e.g.,
whatever troydavis is implementing) complies.

For anyone who thinks both of these can be true: Are you sure that you're
basing those statements on the law? Or do you mean that the regulators will
view (1) unfavorably and go after you, but they'll treat (2) as a good-faith
effort and be nice?

The latter is probably true, but it's not the rule of law. Are you okay with
that? How sure are you that all those regulators (and courts) will always
behave in the way that you predict, or a way that you personally consider
right?

I am disturbed by how willing most commenters are here to abandon the rule of
law when it gets them something they want. Selective enforcement of
regulations on business is a routine tactic of unfree states--remember the guy
with the leopard-print fabric in Russia? I don't think it's a good idea to
create powerful new tools for that, just because Europe--a continent that
within living memory harbored some of the worst dictators of modern history--
is well-governed right now.

------
emddudley
This is GDPR _non_ compliance as a service...

~~~
niko001
You're right, not my title/submission. This is meant for companies that aren't
primarily targeting EU users from a business perspective and don't want to
deal with GDPR.

------
esya
The more I look into this, the shadier it seems.

They're selling, at a whopping $79/month, a single PHP script that does not
even check any sort of authentication or API key, and only does a dumb lookup
against a GeoIP database: [https://gdpr-shield.io/check.php](https://gdpr-shield.io/check.php)

And this is called by this tiny JavaScript script [https://code.gdpr-shield.io/script.js](https://code.gdpr-shield.io/script.js)
that just.. displays an overlay div when you're in the EU. Smells like a scam
when you're willing to sell a whole product that can be coded in 20 minutes for
up to $1000 a year.

~~~
niko001
The pricing is actually cheaper than "bare" geolocation APIs, which don't do
the blocking-part. Have a look at
[https://ipstack.com/product](https://ipstack.com/product) for example.

If you get a quote from an experienced data protection lawyer for GDPR
compliance, GDPR Shield will be an order of magnitude cheaper in the long run.
There's a real risk of getting sued / getting cease and desist letters from
predatory law firms who aim to collect fees for small mistakes in your privacy
policy.

You're making assumptions about how the service works, which happen to be
wrong. Even if they were true, the time it takes to develop something isn't a
measure of the value it provides.

~~~
endless1234
> There's a real risk of getting sued / getting cease and desist letters from
> predatory law firms who aim to collect fees for small mistakes in your privacy
> policy.

What do you base that assessment on? GDPR mostly just consolidates multiple
privacy laws into one.

------
sbuk
_"The European Union's new GDPR (General Data Protection Regulation), which
takes effect on 25th May 2018, creates uncertainty and risk for website
owners. It applies to businesses world-wide, because it protects all users
accessing your site from the EU, regardless of where your business is located.
GDPR threatens website owners with fines of 4% of turnover or €20 million
(whichever is higher). If you don't have an in-house legal team, complying
with the law requires you to consult with a lawyer specializing in data
protection law. In addition, you're at risk of vindictive reporting from
no-win-no-fee legal firms."_

Total, unmitigated FUD.

------
judge2020
Thought this was a joke SaaS offering, but inputting google.com as the domain
and a burner card, it's real [0].

[0] [https://judge.sh/3Bc2E0GR.png](https://judge.sh/3Bc2E0GR.png)

~~~
quickthrower2
-

~~~
jonatanheyman
JavaScript doesn't break if you don't supply all arguments in a function call.

------
vemv
Anyone can expand on what "vindictive reporting from no-win-no-fee legal
firms" would exactly consist of?

~~~
CLGrimes
If an EU citizen believes that their personally identifiable information was
obtained without their consent, the EU GDPR allows firms to do an audit on the
company. The citizen who filed the complaint would enlist help from a no-win-
no-fee legal firm, meaning, if they don't win (with infractions being $10
million minimum), the citizen, who is now a client of the firm, would not be
out any money. If they do win, most likely the firm would make a windfall
after carving out their share of the proceeds.

~~~
smnrchrds
Wait! I was under the impression that fines due to GDPR are just that, fines.
They are paid to the government, not individuals. At most, getting fined due
to non-compliance can suggest that if individuals bring civil lawsuits against
the company, they may win and be awarded damages, the amount of which depends
on how much damages they can prove they have incurred as a result of misuse of
their data, not statutory amounts. Is that not the case? Is the fine actually
paid to the individuals?

Or are you suggesting that some patriotic legal firms would do all the
legwork for free so that the government treasury would get a boost?

~~~
Lazare
Yes, your understanding is completely correct. Only EU member states can levy
fines under the GDPR, and it's likely few will have any interest in trying to
fine small businesses. Lawsuits are possible, but only for damages, and good
luck showing any damages from a minor technical violation by a small SaaS
tool. And without any prospect of large damages from a deep-pocketed
defendant, good luck finding a law firm willing to work on contingency.

The whole thing is FUD, although mad props to the people behind the linked
service for making a play at profiting from it.

~~~
Matticus_Rex
I don't have a lot of actual information on this, but the buzz in my privacy
professional listservs is that EU courts have been VERY expansive about what
constitutes "damage" in related legal spheres, and that those of us coming
from a US legal background should not rely on our instincts about what kinds
of damage could actually create a cause of action worth suing over.

~~~
DanBC
No. EU courts tend to define damage conservatively, and people suing for
damage normally have to demonstrate actual financial losses.

But it's irrelevant here, because the law isn't based on damages.

------
hartator
I wonder if you can do something like this directly in Cloudflare.

~~~
_Chief
You could use Cloudflare IP geolocation to block EU countries based on the
Cf-Ipcountry header they provide. Though just by checking their IP I think you
may need to comply with GDPR.

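Added example, not code from this thread or from GDPR Shield, contrasting the two designs discussed here: lillesvin's point above that a client-side script can only block after the server has already served and logged the request, and the origin-side check on Cloudflare's Cf-Ipcountry header suggested in this comment. The EU country list, the in-memory access log and the request/response stand-ins are constructed for the demonstration; it assumes the origin only receives traffic through Cloudflare, since otherwise anyone can set the header.

```javascript
// Added example (not GDPR Shield's code): client-side geo-block vs. a block
// at the origin keyed on Cloudflare's Cf-Ipcountry header. Constructed data.

// EU member states as of the thread's date (constructed list).
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

// Stand-in for the web server's access log: every entry holds a visitor IP.
const accessLog = [];

// Classify a request from the country code Cloudflare injects. Node lowercases
// header names, so the key is "cf-ipcountry". "XX" (unknown) and "T1" (Tor
// exit) are Cloudflare's special values; both map to "unknown" so that policy
// for them is an explicit decision rather than an accident.
function classify(headers) {
  const cc = String(headers["cf-ipcountry"] || "").toUpperCase();
  if (cc === "" || cc === "XX" || cc === "T1") return "unknown";
  return EU_COUNTRIES.has(cc) ? "eu" : "non-eu";
}

// Behind Cloudflare the TCP peer is Cloudflare; the visitor's own address
// arrives in CF-Connecting-IP, so that is what an access log would record.
function visitorIp(req) {
  return req.headers["cf-connecting-ip"] || req.socket.remoteAddress;
}

// Variant 1, the model of the linked service: the page is served and its IP
// logged for everyone; the block happens later, in the visitor's browser.
function handleWithClientScript(req, res) {
  accessLog.push(`${visitorIp(req)} ${req.method} ${req.url}`);
  res.writeHead(200, { "Content-Type": "text/html" });
  res.end('<script src="/geo-block.js"></script><p>chocolate chip recipes</p>');
  return "logged";
}

// Variant 2: decide at the origin before any log line is written. Unknown
// origin is rejected too (fail closed); a deployment may choose otherwise.
function handleAtEdge(req, res) {
  const verdict = classify(req.headers);
  if (verdict !== "non-eu") {
    res.writeHead(451, { "Content-Type": "text/plain" }); // Unavailable For Legal Reasons
    res.end("Unavailable for legal reasons\n");
    return verdict;
  }
  accessLog.push(`${visitorIp(req)} ${req.method} ${req.url}`);
  res.writeHead(200, { "Content-Type": "text/html" });
  res.end("<p>chocolate chip recipes</p>");
  return verdict;
}

// Constructed request/response stand-ins so the comparison runs offline.
function fakeReq(country, remoteAddress) {
  const headers = country === undefined ? {} : { "cf-ipcountry": country };
  return { headers, method: "GET", url: "/recipes", socket: { remoteAddress } };
}
function fakeRes() {
  const r = { status: 0, body: "" };
  r.writeHead = (status) => { r.status = status; };
  r.end = (body) => { r.body = body || ""; };
  return r;
}

// Run both variants over the same three visitors (constructed addresses from
// documentation ranges) and report how many IPs each variant retained.
function compare() {
  const visitors = [["DE", "203.0.113.7"], ["US", "198.51.100.9"], [undefined, "192.0.2.4"]];
  accessLog.length = 0;
  for (const [cc, ip] of visitors) handleWithClientScript(fakeReq(cc, ip), fakeRes());
  const loggedByClientVariant = accessLog.length;
  accessLog.length = 0;
  const verdicts = visitors.map(([cc, ip]) => handleAtEdge(fakeReq(cc, ip), fakeRes()));
  return { loggedByClientVariant, loggedByEdgeVariant: accessLog.length, verdicts };
}

console.log(compare());
```

`handleAtEdge` has the `(req, res)` shape of a Node `http.createServer` listener, so it can be used as one directly; as the thread points out, neither variant covers EU residents arriving through a VPN, Tor, or a mis-geolocated address.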
~~~
tchock23
Is just checking IP with no other personal information a violation of GDPR?
Particularly if that IP is not retained in a database (just temporarily in
production logs)? Asking for a friend...

~~~
tscs37
If you don't keep it around and only use it to block traffic then I don't see
which parts of the GDPR would cause any problem.

IPs may be personal data but if you don't store it there is no problem.

------
corobo
Another site going with the light grey on white text theme. What happened to
the accessibility binge everyone was on a few years back :(

------
cdancette
I think this is actually good for privacy. We will know that companies using
this service don't care about privacy, even for non-European users.

We could then design a tool detecting the use of this service and
notifying the user "this service doesn't care about your personal data".

------
kruhft
"God Damn Protection Racket"

------
pietroglyph
This appears to be JavaScript based... Assuming then that it works on the
client side, I wonder how long it will take for someone to release a browser
plugin to bypass it.

~~~
niko001
That's of course possible, but shouldn't matter: When you make a reasonable
effort to block access to EU users, EU citizens aren't covered under GDPR if
they take active measures (through a browser plugin, for example) to
circumvent the ban: "This won't apply to every U.S. business — just the ones
that are knowingly, and actively, conducting business in the EU. In this vein,
EU courts have the discretionary ability to determine if a U.S. company was
purposely collecting EU resident data and subverting GDPR compliance. So, in
some cases, the inadvertent collection of personal data will be forgiven if it
is found to have been occasional and "unlikely to result in a risk to the
rights and freedoms of natural persons."

(from [https://community.spiceworks.com/topic/2007530-how-the-eu-ca...](https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr))

------
drivingmenuts
Argh. Just sent a note to a game company I did some work for that they need to
be aware of this.

Might have to shut off access to the game for the EU.

Dammit.

------
shiado
Are European TOR users protected under GDPR? What about VPN users? Seems like
IP-based services might be tricky.

------
tscs37
Is there some example page I can look at to see if this even works?

------
rdiddly
You spelled "avoidance" wrong...

------
asn1parse
lol fqdn registered on 2018-04-24? gmafb

~~~
asn1parse
here:

Domain Name: GDPR-SHIELD.IO
Registry Domain ID: D503300000096633167-LRMS
Registrar WHOIS Server:
Registrar URL: [https://www.gandi.net/whois](https://www.gandi.net/whois)
Updated Date: 2018-04-24T15:25:22Z
Creation Date: 2018-04-24T15:25:19Z
Registry Expiry Date: 2019-04-24T15:25:19Z
Registrar Registration Expiration Date:
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited [https://icann.org/epp#clientTransferProhibited](https://icann.org/epp#clientTransferProhibited)
Domain Status: serverTransferProhibited [https://icann.org/epp#serverTransferProhibited](https://icann.org/epp#serverTransferProhibited)
Registrant Name: Nikolaus Fischer
Registrant Organization: InnoWire UG (haftungsbeschrankt)
Name Server: NS-86-B.GANDI.NET
Name Server: NS-78-C.GANDI.NET
Name Server: NS-61-A.GANDI.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: [https://www.icann.org/wicf/](https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2018-05-04T01:38:30Z <<<

For more information on Whois status codes, please visit
[https://icann.org/epp](https://icann.org/epp)

The value for the Created field will show domain age. No serious
offering was erected 1 month before open season begins. lmao.

