
GDPR: US news sites unavailable to EU users over data protection rules - vincvinc
http://www.bbc.com/news/world-europe-44248448
======
flohofwoe
Alternatively there's this:
[https://eu.usatoday.com/](https://eu.usatoday.com/)

No ads, no tracking, no cookies, not even JavaScript. Just plain HTML+CSS and
JPEG images. The whole front page is around 650 KByte, and by far most of this
is in the image files. As a result the page looks very clean and loads very
fast.

This is what all news web sites should look like, not just for EU readers
(although I fear that this is just a temporary solution until they've figured
out that whole GDPR thing...)

~~~
tzfld
And how can a business be sustainable in this way?

~~~
alkonaut
Hopefully what will happen is that it will be more expensive to advertise and
publishers will earn more on dumber ads.

Obviously if ads are less targeted then they may be less effective so
advertisers will make less on ads that cost more. This will hurt their bottom
line, which in turn will make the _products_ we buy more expensive. But that's
exactly the end goal. I want to pay for things (information, products) with
more money rather than with slightly less money and all my integrity.

~~~
lajhsdfkl
>Obviously if ads are less targeted then they may be less effective so
advertisers will make less on ads that cost more. This will hurt their bottom
line, which in turn will make the products we buy more expensive. But that's
exactly the end goal. I want to pay for things (information, products) with
more money rather than with slightly less money and all my integrity.

I'm sure you considered all the poor people across the world that are
subsidized by the ad driven model we use today. What we truly need on the
internet is data gated behind pay walls to protect important information such
as which Facebook groups you clicked like on.

~~~
danieldk
_I'm sure you considered all the poor people across the world that are
subsidized by the ad driven model we use today._

A lot of them are poor, because we don't want to pay a decent amount for the
products that we consume and instead rely on people working in sweatshops in
third-world countries.

You don't solve poverty by giving them 'free' products that require them to
give you all their private data. You solve poverty by giving people a decent
wage, so that they make these decisions themselves.

~~~
jimmaswell
This is a false dilemma. There's no reason we can't both work towards better
wages for everybody and support cheaper services for poor people in the
meantime.

------
kartan
Businesses don't comply with regulations because it is easy, but because it's
needed to do business.

If a service didn't have a big user base in Europe, most countries don't speak
English, it may be cheaper to remove the service.

The New York Times or The New Yorker that even have physical copies available
in Europe work as usual.

I work in a gambling company and this is our day to day business. To enter a
new market means to follow a new set of regulations. To do the adaptation or
not is a strategic decision based on complexity, expected revenue and other
factors. GDPR is just another regulation to add to the long list related to
tax evasion, responsible gambling, fair play, etc.

~~~
rdlecler1
Regulations tend to favor incumbents, decreasing competition, and thereby
increasing monopoly and creating central hubs of systemic risk. There is no free
lunch with one-size-fits-all rule making. Unfortunately regulators think there
is.

~~~
tommorris
I was thinking about getting in to the car market but all these pesky
requirements that I sell a car with airbags and seatbelts and fuel efficiency
compliance are just there to protect existing incumbents.

~~~
bmelton
Snark aside, that doesn't dispute the thesis that regulations _tend_ to favor
incumbents.

Some regulations are good. Some regulations are bad. Some regulations are
smart. Some regulations are dumb. Reasonable people can disagree on the
quality or intelligence of a given regulation, or its impact on a given
industry, but that doesn't change that most regulations _do_ tend to make
products more expensive to manufacture and by proxy, more expensive to buy.

In Europe, if you want to sell eggs, you're required not to wash them or get
them wet, because doing so erodes the natural coating that protects them from
diseases. This is a regulation implemented to prevent salmonella.

In America, if you want to sell eggs, you're required to wash them in water at
least 90 degrees, to make sure that they're clean, then rinse them with a
chemically infused spray, then because you've got them wet, they need to be
thoroughly dried to prevent bacterial growth. Further, because you've now
washed and dried them, removing the natural protective coating, they need to
be refrigerated in transit, at the store, and at home.

Both regulations are imposed to defend against Salmonella, and both are
apparently quite effective, but the American regulations in play require the
purchase of (conservatively) thousands of dollars in washing, sanitizing and
drying equipment, and at least a partnership with a refrigerated trucking
company. If you're selling the eggs in California, there's the additional
requirement that the eggs were laid by free-range hens, which of course
increases the amount of land required to raise the chickens upon, which of
course makes it harder to prevent and protect the hens against predators.

Like I said, reasonable people can disagree on any given regulation, but it's
hard to make the claim that egg regulations in America are more effective than
those in Europe, or that the American regulatory environment doesn't make
the egg business a more capital intensive affair.

~~~
eyeinthepyramid
There are benefits to washing the eggs, aren't there? I have read that in
Europe as a consumer it's a lot more important to wash the eggs before using
them.

~~~
bmelton
You should definitely wash the eggs before you cook with them. As you mention,
that is de rigueur for Europeans, as it is in America for things like lettuce
and potatoes.

~~~
globuous
What? Is this legitimate or are you being funny?

I'm European and have never washed an egg before cooking it in my life. What
is this? I crack it open and cook it and am still here.

I do wash my tomatoes when I make a salad with raw tomatoes though. And that's
mostly to get stuff off since I'd argue my vinaigrette would kill all the
bacteria.

And washing your potato? I'm so confused. Don't we all cook potatoes in
boiling hot water?

~~~
bmelton
The incidence rate for salmonella is pretty low either way, but you should
definitely wash eggs before cracking them open, for the same reasons you wash
your tomatoes.

As for potatoes, no, we don't all cook them by boiling them in water -- many
of us bake them, fry them, or use them for making hash browns. This might just
be cultural, but I would actually be more inclined to wash them before boiling
them, since the reason you wash potatoes is because they have dirt on them,
and just as I wouldn't want to toss dirt into my boiling water, I would prefer
to clean (or peel) my potatoes before boiling them.

~~~
RugnirViking
Nope. In fact when I was in cookery school here in the EU, I was told that it
is perfectly safe to eat raw egg here, but that in the US this is never
advisable.

~~~
bmelton
You can eat raw egg (yolks and whites) in the EU because chickens are
inoculated against salmonella. This has absolutely nothing to do with whether
or not salmonella is allowed to accumulate and/or incubate on the outside of
the shell.

------
firic
Things like this will test how much EU citizens value their privacy. Of course
there will be some sites they will not be able to visit but time will show if
they are okay with that.

These rules are very similar to rules limiting loans. No matter how desperate
a person is and how low credit they have, in the US you can't give them a loan
for above a certain amount of interest. That could be terrible for a poor
person who is about to be evicted if they don't get some money right away. But
we as a society are willing to accept that if the result is that more loans
will be "reasonable".

If GDPR is enforced as HN people say it will be (in a good way) then the
result will probably be that a lot of free websites ban EU users and smaller
companies take their place with products that either cost money or will be a
bit worse.

If it is enforced in a bad way then big companies who can navigate the law will
get bigger because their small competitors will be too afraid of the law and
shut EU users out.

~~~
imdutch
You can still run a free website and be compliant with the GDPR. The EU/EEA is
the largest market in the world, closing yourself for a market that size will
hurt more than changing a few things to be compliant.

~~~
ghaff
>closing yourself for a market that size will hurt more than changing a few
things to be compliant

Only if I make significant money from that market. If most of my
revenue/profit comes from the US and it's problematic to "do business" in the
EU or China, why wouldn't I want to just cut access off rather than dealing
with potential hassles? The fact that it's potentially a large market is
irrelevant to me. In this case, any moderately tech-savvy consumers can get to
my site anyway using a VPN. But I've sent a clear message that I'm not
marketing to European consumers.

~~~
roel_v
I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks
users accessing their site through a VPN, without informed consent, they are
in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't
make provisions about whether the controller or processor has a way to find
out if the behaviour of the data subject takes place within the Union. I don't
see any reason for a different interpretation in the Recitals, either.
Furthermore note that subs a and b in art 3 para 2 are alternative, not
cumulative requirements.

Let me rephrase: when you collect data on people with the goal to do
behavioral / preference analysis on it, it doesn't matter any more whether or
not you're 'marketing' to them, or even that you 'send them a clear message'
you don't 'market to them'. The GDPR still applies to you.

~~~
ghaff
The relevant language is in recital 24. “Factors such as the use of a language
or a currency generally used in one or more Member States with the possibility
of ordering goods and services in that other language, or the mentioning of
customers or users who are in the Union, may make it apparent that the
controller envisages offering goods or services to data subjects in the
Union.”

If the Chicago Tribune doesn't envisage offering goods or services to EU
residents, it's not covered. And geofencing out EU residents is a pretty good
indicator it's not. (Frankly, it probably doesn't have to--it's unclear why
someone would think the Chicago Tribune was actively marketing to EU residents
anyway--but geofencing them out certainly eliminates any ambiguity.) Someone
can't find their way to a site, fake being outside the EU, yell gotcha, and
expect European regulators to do anything about it whatever people may wish.

~~~
chopin
I've been served ads on US outlets for products which clearly target my home
market (Germany). This will make for a hard time arguing that you are not
targeting that audience. In my opinion, if you serve ads on your site which
target EU consumers, you're doing business here. I don't think it matters
whether you do that through a third party.

By blocking EU IP ranges, that may change, I admit that. However, if by other
measures like finger-printing the browser you serve EU-specific ads to vpn'd
users you may be up to problems.

------
abcd_f
What else can they do when they have this laundry list of tracking scripts on
a front page:

[https://i.imgur.com/hKEItPS.png](https://i.imgur.com/hKEItPS.png)

They obviously have NO idea what's being collected on every user and how it is
being used.

~~~
hartator
That’s the whole point of GDPR, selectively kill the web businesses they want.
BBC will never be concerned.

~~~
yulaow
If those businesses are heavy shadow tracking/ads companies which don't even
know which user data they are collecting, to whom they are sending them and for
which final use, man, I am so damn happy.

~~~
kodablah
This reads to me like a warmonger justifying innocent casualties. Surely you
don't believe this only takes out the bad do you?

~~~
kinsomo
> This reads to me like a warmonger justifying innocent casualties. Surely you
> don't believe this only takes out the bad do you?

How would it take out GDPR compliant websites? If they're not compliant,
they're not exactly "innocent."

~~~
kodablah
Because the risk and costs of compliance are borne by all, not just the non-
compliant. I would hope that "but laws only affect the bad guys" or "if you're
doing nothing wrong you have nothing to worry about" would no longer be
reasonable arguments these days.

~~~
kinsomo
> Because the risk and costs of compliance are borne by all, not just the non-
> compliant. I would hope that "but laws only affect the bad guys" or "if
> you're doing nothing wrong you have nothing to worry about" would no longer
> be reasonable arguments these days.

That's like saying that drug regulations are bad, because _all_ opiate
producers take on "the risk and costs of compliance," not just the street
pushers.

The whole point is to actually raise standards for all of society. What you're
criticizing is enforcing higher standards than the current status quo.

~~~
kodablah
If you had used drug laws, e.g. marijuana laws, in your analogy it would make
more sense. They think they are raising standards too. It's not about what the
point is, it is about the implementation. It's so tough to have reasonable
discourse about the topic because if you are against the approach people think
you are against the whole point.

------
rdlecler1
They claim that everyone had a lot of time, but what about the 1-3 person
startup that’s been around for 4-5 years who is just getting by and didn’t
have the resources to re-engineer their entire application or to write up a
complex privacy policy or hire an EU Representative (Yes, apparently that is
required as well). If the EU does clamp down on forced consent I think the
long tail of small startups and publications and side projects will simply
block EU visitors because they won’t have the means to become compliant.

I’d be interested to hear how problematic this is for new startups who are
building GDPR compliance into the systems from scratch. It would seem to
amount to needing bespoke permissioning for every user because forced consent
is not permitted (although being widely used).

~~~
lima
> hire an EU Representative

It's called Data Protection Officer and you only need to appoint one if
processing personal data is your core business, which is reasonable.

[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/)

And yes, I expect the EU to enforce the consent rules. It's very central to
the GDPR.

~~~
lajhsdfkl
>It's called Data Protection Officer and you only need to appoint one if
processing personal data is your core business, which is reasonable.

Not commenting on the validity of this statement but it's interesting how I
can tell which continent you are from just by you saying that the
regulation forcing a business to hire a DPO is reasonable.

~~~
oaiey
I am writing replies on GDPR topics the other way around ("I see you are from
the US"). GDPR is a regulation for a topic which is important in the European
societies. Not so much in the US (free capitalism) or China (social score).

~~~
lajhsdfkl
I mean, fine. I'm not an EU citizen, I think GDPR is a pain in the ass but
ultimately it is not my decision no matter how much I judge you all.

But it does frustrate me that you all believe that GDPR will somehow be good
for you. I've seen it said multiple times that when a massive American media
company decides to pull out of the EU that a European alternative will emerge
that is GDPR compliant and replace it.

Do you actually believe that if the economics of GDPR compliance did not work
for a large American business that it will somehow work out for a small EU
startup? The only way I can see it work out is if GDPR is selectively enforced
against American business which it seems obvious to me that will be the case.

~~~
oaiey
I never believed that the GDPR is a protective regulation. It is focused on
huge players which coincidentally are all US based.

The winners of GDPR continue to be the big five. Hopefully, they will adjust
their behaviors (after paying some painful fines) in spirit of this
regulation. Despite the GDPR, these companies will stay the technology and
innovation leaders they are today. This will not change by that. This
regulation will hopefully just enforce them to consider data privacy as
something a lot of people really value.

------
awat
On one hand I can understand why some orgs are having trouble with GDPR.

On the other hand it’s pretty clear the actions of more than a few have gotten
GDPR to where it is.

My takeaway at the moment is something along the lines of this is why we can’t
have nice things.

~~~
dominotw
I attribute it to European jealousy over American tech success. Hi tech
success that flies in the face of their supposed social, cultural and moral
superiority.

User tracking is not really why we don't have nice things, look at the success
of moviepass even after they publicly admitted what they were tracking. People
want part of the spoils which is exactly the purpose of GDPR.

~~~
gcthomas
Isn't Moviepass hæmorrhaging $20 million a day while its share price tanks?

No, if you knew how Europeans think, you'd realise that this is really just
about securing privacy. Most of the regulators are really focussed on ensuring
compliance, not levying fines.

~~~
dominotw
> Isn't Moviepass hæmorrhaging $20 million a day while its share price tanks?

Correct me if I am wrong. But that just proves my point rather than yours,
correct?

They are losing so much from ppl using not because ppl are quitting it due to
privacy concerns.

~~~
gcthomas
They are losing money because they have an unsustainable pricing model. Other
cinema services were saying Movie pass would fail as soon as they started.

------
rdlecler1
GDPR is significant because for the first time in the history of the Internet
an (EU) user no longer has a marginal cost of zero. The cost to write an
application to be GDPR compliant is high and frankly will not be worth it for
many entrepreneurs developing an MVP.

~~~
riantogo
Last night I fired up my laptop to go shut down my side project. But I came up
with a band-aid solution that might hold up for now:
[https://medium.com/@riantogo/gdpr-band-aid-b619d0b17e5b](https://medium.com/@riantogo/gdpr-band-aid-b619d0b17e5b)

I don’t need email addresses any more than, say, Pinterest. But now it is one
more barrier to entry for side projects. It is definitely not easy to be
compliant as many here suggest.

~~~
sbuk
You can collect email addresses still, so long as you have a legitimate reason
to, you seek consent, you store them securely and remove them if consent is
withdrawn. These are things that you _should_ be doing anyway! Even if it's an
open source side project.

~~~
lajhsdfkl
>You can collect email addresses still, so long as you have a legitimate
reason to, you seek consent, you store them securely and remove them if
consent is withdrawn. These are things that you should be doing anyway! Even
if it's an open source side project.

Where in your statement do you refute the fact that it is hard to comply with
GDPR?

Even if you have a legitimate use case you still need to provide users a way
to access all their information and delete all their information.

If you already are using more than one database this is not trivial.

This is my guesstimate but I am confident in saying that GDPR adds $25k worth
of work to the cost of starting up a business in the EU assuming an
experienced software engineer is worth $150k a year. There will simply be a
huge layer of boiler plate code added to every project now that will be
necessary whenever you are processing data.

~~~
M2Ys4U
>Even if you have a legitimate use case you still need to provide users a way
to access all their information and delete all their information.

Which, in the EU at least, you have had to do for decades under the Data
Protection Directive.

------
adders
The response to GDPR is interesting. If they are handling and selling your
data in ways that are not compatible with GDPR, then you should seriously
consider using someone else for that information.

~~~
kasey_junk
Essentially every publisher that integrates with google might be out of
compliance with the GDPR.

Until that gets sorted out lots of sites are going to start doing this out of
desperation.

~~~
jonbarker
That and the facebook pixel.

------
TorKlingberg
I am worried regulations will make the Internet more geographically
fragmented. The best thing about the Internet is how it captures the long
tail. A random person in Slovenia can read a local news site in Kansas if they
wish. Even if spending just one minute of effort making itself available in
Slovenia would be a loss for said news site. The Internet is by default global
and everything is available to everyone. It takes extra effort to block
regions, but I'm afraid regulations will make people spend that extra effort.

~~~
adventured
There's no scenario where the 'open' Internet doesn't rip apart.

Globally there will be dozens of GDPR type regulations, and that's just
covering privacy. There will be a lot more for economic rules, cultural rules
(eg governing speech), etc.

Want to operate a service in 100+ countries? You'll have to comply with
thousands of rules. Only giant companies will be able to do it. It's already
extremely difficult to do. In the physical goods world, generally only very
large companies can operate in 100+ countries; that's exactly how it will be
for Internet companies in the near future.

In the case of the US, there will be an immense advantage for tech services &
sites. I can make a lot of money on ads just in the single large US market,
far more than necessary to support a global operation. I can then project out
into the rest of the world, without concern for complying with everyone's
individual rules (unless it makes economic sense). For those localities to
stop me, they all have to implement draconian Chinese-style repression of
their people and what they can see online (which most will not do).

~~~
lajhsdfkl
I really think the EU guaranteed US tech dominance with this law. How many
months of work did the EU just add to getting out an MVP? How are EU startups
even going to do AB testing to improve their product without collecting user
data?

~~~
M2Ys4U
I suggest you actually _read_ the GDPR (for legislation it's actually quite
readable) before spouting off nonsense like this.

>How many months of work did the EU just add to getting out an MVP?

None.

>How are EU startups even going to do AB testing to improve their product
without collecting user data?

The same way they always have.

------
chatmasta
I'm in the UK atm. I just took a look at CNN.com, and uBlock is still blocking
dozens of trackers there. I disabled it to see if I would get a GDPR consent
popup, but all I saw was an accept cookies notification, nothing about the
dozens of third party trackers on the site, other than some sparse
information. There is no way to opt out of them, and there is only an “I
accept” option on the accept cookies box. So CNN is not GDPR compliant, even
though they've been running stories about it recently?

------
ams6110
_Facebook, Google, Instagram and WhatsApp are accused of forcing users to
consent to targeted advertising to use the services.

Privacy group noyb.eu, led by activist Max Schrems, said people were not being
given a "free choice"._

I mean, that just isn't a valid complaint IMO. You have a choice -- you can
not use Facebook, or not use Google, or not use Instagram, or not use
WhatsApp.

If you're using a "free" service that is ad-funded, why do you think you have
a right to use it without consenting to the ads?

~~~
king_phil
Then you don't understand the most fundamental thing about the GDPR:
"Kopplungsverbot" (German privacy law had that for ages before GDPR). You
can't force someone to consent to marketing because he wants to use your
service. Everything that is not part of the core service needs consent that
can be withdrawn at any time. The core service of Facebook is access to the
network, not that my data is processed to show me better advertising. The
advertising is in Facebook's interest, not mine. "But we make our revenue from
ads" is not a valid explanation. If your service was "sign up to see better
ads", then that would be your core business and no consent needed. Best thing
ever happened.

~~~
agensaequivocum
That is insane. As a private company they have the right to do business with
whom they please. If a company refuses service because a potential customer
doesn't agree to their terms, it is the company's right. No one is entitled to
a good or service of someone else.

~~~
joepie91_
That is absolutely incorrect for a multitude of reasons, ranging from anti-
discriminatory laws, to antitrust laws, to contract law, to indeed privacy
legislation.

This kind of "corporations have absolute rights to do whatever they want as
long as it's agreed to" stance is specific to the US. The rest of the Western
world doesn't do that, and for very good reason - it makes for an extremely
unhealthy society where corporations no longer act in the best interest of
society.

------
mrmekon
I'm in the EU, and a couple of the corporate VPNs I have used here have had
their exit IP in the U.S. or Canada. Which means that when I'm at work, I
appear to be in Seattle, and these sites are not blocked.

Based just on that, I'd argue that "Blocking 500M Users Easier Than Complying
with GDPR" is probably not even a true statement.

I doubt EU regulators will go after these sites because they really aren't
that consequential, but I wonder if setting up an IP block isn't just painting
a target on yourself. It's basically a statement that the company was and
still is violating GDPR.

~~~
ryanwaggoner
What exactly do you want here? Do you want every site to have you upload your
passport? Or are you just saying that any jurisdiction in the world should be
able to effectively force every company globally to comply with their laws,
and that they can’t pull out of those markets if they find the law too
onerous?

Forget about the intent of the GDPR, what about the broader principle when
applied to laws you don’t like?

What if the US passes the anti-GDPR next week, that you MUST track all
available data for US residents or citizens, no matter where in the world they
are? What then?

~~~
mrmekon
My comment doesn't make a statement about how things should be. It's a
statement about the complexities of a technical implementation:

_If_ it is true that the GDPR covers an EU person's data held by any company
worldwide, regardless of how or whether it should, an IP block might not be
accepted as compliance. Or it might, if the EU regulators decide that best-
effort is enough.

The important point is that many Europeans are browsing the net through non-EU
IP addresses without the knowledge that they are doing so. Most people do not
pay attention to what their corporate public IP address is. They may use "non-
EU" services entirely unintentionally, and EU regulators may or may not take
that into account in the unlikely case that they investigate one of these
companies.

~~~
stale2002
Well then these EU users are illegally accessing a computer and have broken
the computer fraud and abuse act.

These users should be prosecuted to the fullest extent in the US for their
illegal computer usage.

~~~
ryanwaggoner
Eh, I'm not sure we want to go down that road either, but it's an interesting
thought experiment. If you declare that EU visitors are unwelcome and
unauthorized, are they violating the law by working around that? I find the
idea both horrifying and interesting. So many GDPR fans here seem outraged at
sites blocking access to them, which seems an acknowledgement that they want
to have their cake and eat it too. What if criminal penalties for attempting
such enter the mix?

~~~
stale2002
Yeah, I was mostly making my comment in jest, and I find the idea ridiculous.

But I ALSO find it just as ridiculous to prosecute companies for not providing
protections to users that they have banned.

It should be fully within everyone's rights to not do business with countries
that make silly laws.

------
Yabood
There are so many wrong things with this approach. First, what do you do when
you have existing users, delete them? Second, I believe the law protects EU
citizens regardless of where they are. If you're an EU citizen and register
for a service somewhere in the US using VPN or while physically being outside
the EU, that service/company will still need to comply. The safest approach is
to comply. We're a tiny startup, but we decided to bite the bullet and comply
because it's much easier and quite frankly better for all in the long run. Oh
and, disclosure sets you free.

~~~
adventured
> Second, I believe the law protects EU citizens regardless of where they are.

That's incorrect. That is the attempted naive reach of the EU in action. The
correct formulation is: the EU would like for GDPR to apply to all EU citizen
data globally.

US sites/services with no business reach into the EU, do not need to comply
with EU privacy laws. 99% of businesses around the world (most small
businesses), those outside of the EU, will entirely disregard GDPR - because
they have no business dealings with the EU.

The EU has no jurisdiction over the US economy or its laws. That will remain
the case. The EU also doesn't control China, or India, or Japan, or Brazil, or
South Africa.

A simple example for illustration: I can establish a new US service that is ad
based (with eg 100% of revenue being derived from the US market), I can keep
all of my infrastructure & business operations outside of the EU, I can take
on EU users at will, and I can do anything I want to - in compliance with US
law - with their information without concern for GDPR: because the EU does not
lord over the US, their laws do not rule the US. This is legally how GDPR
actually works, despite the amusing propaganda campaign to pretend GDPR
requires global compliance.

~~~
strictnein
> the EU does not lord over the US, their laws do not rule the US. This is
> legally how GDPR actually works

The number of people who have lost sight of this is unbelievable. It actually
seems especially rampant on HN, which is kind of surprising, to be honest.

~~~
ryanwaggoner
I think it's because of a deep cultural divide. EU users who are big fans of
the GDPR genuinely admire the law, both its intent and implementation, and
also have a very positive view of the government. They believe that regulators
will try to help companies comply, and will only fine as a last resort.
Whereas in the US, we tend to be fairly skeptical of government. And as a
consequence, since EU users think this law is a good thing for user privacy
and the world at large, they want to see it applied globally by any means
necessary.

But aside from that, I can't understand how EU users are unable or unwilling
to separate the intent of this specific law from the broader principle that it
represents, and how other countries might misuse this principle.

If any jurisdiction in the world can pass a law no matter how ridiculous that
forces any business in the world with a website to comply with, on the chance
that a user from that jurisdiction might stumble on that site, AND there's any
kind of enforcement mechanism, then the Internet will cease to exist. Either
that or become ultra-balkanized, where every user has an identifier that will
ONLY give them access to sites which are fully compliant with their
jurisdictions.

What if the US passes a law that Americans are too fat and are no longer
allowed to be sold gelato (they're allowed to _buy_ gelato, but no longer
allowed to _be sold_ gelato), and then levy a multi-million dollar fine
against every gelato shop in Italy where Americans visit on vacation?

That makes as much sense to me as this does.

~~~
repolfx
Bear in mind GDPR seems to have become some sort of totemic issue for the
small minority of people in Europe who are true-blue dyed in the wool
ideological supporters of the EU project. They are flooding GDPR discussions
with these sorts of views. A good giveaway is they say "speaking as a
European" or use the term "EU citizen" (there is no such thing, the EU as an
institution does not have citizens or issue passports, it's only member states
that do that).

But Europe is full of people who aren't so in thrall to the EU as an idea, as
evidenced by one of its most important countries voting to leave despite the
population being threatened with massive chaos and severing of all cooperation
and trade relationships with their neighbours should they choose to do so. Bad
regulation was one of the most common talking points during the Brexit
campaigns and GDPR is a good example of why.

These sort of people aren't posting so much on HN but they are quite common.

~~~
semigroupoid
EU citizenship was introduced as part of the Maastricht treaty in 1992. See
[https://en.m.wikipedia.org/wiki/Citizenship_of_the_European_...](https://en.m.wikipedia.org/wiki/Citizenship_of_the_European_Union)

~~~
repolfx
Yeah? Show me someone who's a citizen of the EU but not a member state.

They don't exist. The EU loves to dress itself in the clothes of nation
states, that which it so desires to become, but ultimately the concept of
"citizenship" in the EU sense has nothing to do with the normal concept of
citizenship.

------
koolba
> News sites within the Tronc and Lee Enterprises media publishing groups were
> affected.

> Tronc's high-profile sites include the New York Daily News, Chicago Tribune,
> LA Times, Orlando Sentinel and Baltimore Sun.

Why would either of these papers be subject to the GDPR? Am I wrong in
assuming they’re purely US based companies? Or is there a chain of ownership
that includes EU jurisdiction?

~~~
akie
If they have readers that are physically in the EU, then those readers would
be covered by the GDPR.

~~~
jannes
As long as there is no business relationship to any EU entity they would not
be "doing business in the EU", would they?

I doubt making a website available on the global internet would be seen as
"doing business in the EU".

~~~
danbruc
Doing business in the EU is only one path that causes the GDPR to apply to you,
processing personal data of people located within the EU, not necessarily EU
citizens, is another one and probably the one relevant here.

 _Article 3(2): This Regulation applies to the processing of personal data of
data subjects who are in the Union by a controller or processor not
established in the Union, where the processing activities are related to: (a)
the offering of goods or services, irrespective of whether a payment of the
data subject is required, to such data subjects in the Union; or (b) the
monitoring of their behaviour as far as their behaviour takes place within the
Union._

~~~
Double_a_92
But what's the worst that could happen? Your site would get dns blocked in the
EU?

~~~
danbruc
Maybe they could arrest employees on a visit to the EU? Maybe you could even
get arrested at home due to extradition agreements? Or get assets in the EU
frozen or seized? But that is all pure speculation, I have no idea what
actually can and can not be done or what is likely to happen.

------
nhebb
I wouldn't be at all surprised if they were caught off guard on GDPR. There
are some who seem to feel that the pending deadline was universal knowledge,
but I don't think it was for many of us in the US. I hadn't heard of it until
the recent Monal kerfuffle here on HN.

------
AJRF
Blocking access at a geographic level is a pretty clear signal they don't care
about users/readers in those regions (I think it's hard to argue otherwise,
the law has been coming for 2 years).

Obviously they cater to people interested in local news in those regions.
However, I hope they will rectify and allow access again for EU users at some
point soon. It seems to go against the idea of a borderless internet, and I
blame the companies for that, not the EU.

~~~
dorfsmay
> clear signal they don't care

Or, it could mean they hadn't realised how much work it'd take to be GDPR
compliant, and decided to temporarily use geographical blocking until they can
be compliant.

~~~
AJRF
It took them 2 years to realise that? That’s the same as not caring.

~~~
dorfsmay
When you have competing priorities and finite time and budget, people often
don't investigate external requirements, assuming that they'll just comply
when they no longer have a choice.

That's why the first few audits (SOX, PCI, etc...) for a company new to them,
are always such a struggle, people starting to look at the months of work
needed the same week the auditors are planned to come in.

edit/PS: Did you notice how many "We changed our policy" emails you've
received in the past 2 weeks, including from very large international
companies like Google, Yahoo, etc... Companies for which not being open for
business in Europe would have financial impact. Probably a good indication
that they ended up with a lot more work to comply than they had anticipated,
and still made it just in time. Now imagine the same situation in smaller
companies running on very thin resources that cannot afford a sudden increase
in staff!

------
tracker1
Honest hypothetical question... my website is in the US, my servers in the US,
why would I care about the GDPR?

~~~
khamoud
The US and EU have a good relationship. The EU can (probably will) use
international law to hold you accountable and the US is likely to comply.

EDIT: _you_ is the hypothetical you. If the EU targets you then they will use
international law to do so.

~~~
bcoates
Enforcement in practice is almost certain to be "at the edge" with things like
payment processors and ad networks that have direct business operations in the
EU and are easy to demand third-party compliance from.

If you literally don't do any business with EU entities, even at arm's length,
enforcement is going to be impractical and unlikely.

~~~
khamoud
I also believe this. If you run a side project by yourself and you don't
target EU users directly, but might have a few, it most likely won't be worth
the effort to actually follow through on enforcement.

However, that seems like a very arbitrary line and governments love to waste
money.

------
TomAnthony
(Reply to a deleted comment on the burden of compliance as a US business)

If you truly do intend to take good care of your users’ data, then the goal
should be to have you demonstrate that whilst making it as easy as possible
for you to do so (without compromising the said care).

I’m hoping that over the coming weeks and months the enforcement of GDPR and
various court cases will add clarity and allow the development of improved
guidelines for becoming compliant. If a random SaaS company that uses emails
for logins and communication with active customers could look at a simple 5
point check list which they could check through in a day then things would be
better for everyone.

Less burden for customers, wider services for users, and those firms that can
see they could make a few small changes to become compliant would be more
incentivised to do so.

------
ashelmire
...and little of value was lost. American news sites are overwhelmingly filled
with nonsense.

But really, I’m surprised they even bother to block EU users. Not like the
GDPR can really be enforced in the US.

------
nedsma
Here's what I get when I try to visit the LA Times:

> Unfortunately, our website is currently unavailable in most European
> countries. We are engaged on the issue and committed to looking at options
> that support our full range of digital offerings to the EU market. We
> continue to identify technical compliance solutions that will provide all
> readers with our award-winning journalism.

------
AndrewKemendo
This seems 100% rational.

If the sites determined that they cannot or will not show ads in compliance
with GDPR, then why would they pay for the bandwidth it takes, knowing they
can't monetize it without being in violation?

It's the equivalent of the whole of the EU putting uBlock on their computers.
Companies that make the majority of their money on advertising are responding.

------
Tomte
We're so acclimated to having no choice that I was genuinely surprised when I
clicked on "Do not accept" at the [http://politico.com](http://politico.com)
web site and... nothing bad happened. I could read it as always.

Clicking "Do not accept" made me nervous and feel somewhat rebellious.

------
miabiel
What about EU citizens residing outside the EU? Banning visits from the EU isn't
avoiding the GDPR problem.

~~~
pluma
The GDPR is about EU residents, not citizens. You don't need to be an EU
citizen but you do need to be in the EU at the time.

------
textmode
The limitations of internet technology mean that any computer located in the
EU, whether or not the user controlling it is in the EU, can enjoy the
beneficial effects of the GDPR. (Those limitations and effects being in part
that companies will attempt to distinguish EU natural or legal persons based
on IP address.)

The GDPR finally provides a legitimate, compelling rationale for users to
employ longstanding methods of partially controlling the flow of their traffic
through the internet, e.g. setting up a hosting account that uses servers
located in the EU and using those computers to access www sites. An ssh
account on a server located in the EU has gained new value.

Accessing the www from a computer located in the EU has new advantages, thanks
to the GDPR. To users who are aligned with the goals of the GDPR, it is
possible that www sites located in the EU have become more appealing than
those located outside the EU.

How will _EU news sites_ treat users from outside the EU? Is there a benefit
to using EU news sites from outside the EU?

~~~
M2Ys4U
>GDPR only applies to EU citizens.

No, it doesn't. It applies to natural persons _in the EU_.

Article 3 GDPR:

---

Territorial scope

1. This Regulation applies to the processing of personal data in the context
of the activities of an establishment of a controller or a processor in the
Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not established in
the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of
the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place
within the Union.

---

Note that the above does not reference citizenship.

------
rdiddly
Europeans just found out which US sites were tracking and profiling them.

------
ryanwaggoner
What if the US passes a law that Americans are too fat and are no longer
allowed to be sold gelato (they're allowed to _buy_ gelato, but no longer
allowed to _be sold_ gelato), and then levy a multi-million dollar fine
against every gelato shop in Italy where Americans visit on vacation.

How is that different from the GDPR?

~~~
craigsmansion
The difference is that one is an example of actual and well-thought out
legislation in the EU which is generally welcomed by the people most affected
by it: EU citizens.

The other is a trumped up example by someone on whom the GDPR self-admittedly
has hardly any bearing but who still insists on throwing a hissy fit because
legislation is somehow un-american or something.

~~~
ryanwaggoner
I disagree on "well thought out", but it doesn't really matter. I don't think
that legislation is "un-american" or that the EU shouldn't have passed this
law for its citizens. My issue is with the attempt to declare that it applies
so broadly to organizations in other countries who have no connection to the
EU except that EU visitors might come to their website. I'm going to assume
you're intentionally not trying to understand the broader principle here, but
just in case:

 _Reposted from another comment:_

My primary argument is that the GDPR's attempt to regulate companies in other
jurisdictions because EU citizens go INTO those jurisdictions and do business
is a dangerous precedent. If there was an enforcement mechanism for all such
laws, it implies that any business or individual anywhere in the world with a
website should therefore have to comply with any laws from any jurisdiction
that are similarly constructed.

If my website says things about Islam that Saudi Arabia passes a law against,
I should be fined.

If my website disrespects the king of Thailand, I should be extradited for
imprisonment.

If I encourage NK citizens to revolt against their oppressive regime, I should
end up in a labor camp.

After all, those governments have a right to say that if I want to "do
business in their jurisdiction", I must respect their laws, right?

(To be clear, I'm not talking about enforcement of these kinds of laws,
because all of those countries might do the above if given the chance. I'm
talking about what I SHOULD do as a matter of morality or ethics or civic duty
or whatever, or what my government should cooperate with those governments on,
because it's just.)

But the problem is that they're describing "doing business in their
jurisdiction" as a citizen from their country (maybe even one who is currently
visiting my country) going online and sending my server requests, data, and
money. And apparently explicitly telling those citizens to please NOT do that,
or blocking them, is not sufficient. The only way to make the majority of the
EU users on HN happy is to comply. Why would that same logic not apply to all
other kinds of laws?

~~~
craigsmansion
There is no conspiracy here.

If you don't do business with the EU, the EU has nothing on you. They have no
other mechanism for enforcing compliance.

If you would disrespect the king of Thailand, and you would go to Thailand,
they might act on their laws and lock you up.

If you would break EU privacy laws, and you would try and do business with the
EU, they might act on their laws and enforce their fines.

There is no precedent being set here. Even the US is more than willing to
freeze assets of foreign actors when they believe they have been wronged
abroad.

If you ignore the EU and the GDPR completely, nothing can touch you, you just
can't do business with them until you stop ignoring them.

~~~
ryanwaggoner
You're focusing on the enforcement issue, and I agree with all the points
you've listed here.

My concern is that they're even trying to make this claim, and that so many
fans of the GDPR think it's a reasonable one.

------
nominated1
As a non EU member I'm jealous. I would love to see a uBlock filter list
targeting all non GDPR compliant addresses. Maybe something like the 'Badware
risks' list that allows you to proceed but not before displaying a warning.

------
shadowtree
Well - what does this mean for US citizens then?

If those sites violate GDPR laws, what exactly are they doing with user data,
how are they securing it? Do they even know what's going on?

Good litmus test for privacy/info sec readiness in corporations.

------
qilo
If anyone is curious to see those blocking messages for themselves, LA Times and
Chicago Tribune redirect EU users to these respective URLs:
[http://www.tronc.com/gdpr/latimes.com/](http://www.tronc.com/gdpr/latimes.com/)
and
[http://www.tronc.com/gdpr/chicagotribune.com/](http://www.tronc.com/gdpr/chicagotribune.com/)

------
lcfg
GDPR hysteria.

~~~
losvedir
I could buy "hysteria" as an explanation for the little startup apps or blogs
that have shown up on HN these last few days, but these papers have revenues
in excess of $2 billion. I have to assume there was _some_ due diligence
involved.

~~~
ghaff
In general, the online site of a newspaper doubtless does a lot of ad
tracking. To the degree that readership is mostly local (as it is for most
newspapers with relatively few exceptions), geofencing seems like a pretty
rational response to potential compliance headaches. More trouble than it's
worth is a wholly rational business justification for a case where a geo is
currently unimportant and there's no business plan to expand there in the
future.

------
t0mbstone
Can someone explain to me how the EU is planning on enforcing GDPR on US-based
companies?

And even with EU companies, without some kind of third party auditing, how can
you actually believe anyone's privacy policies which claim to conform?

What's actually preventing everyone from just claiming that they are following
it, and then secretly breaking the rules?

------
Double_a_92
All those pages seem to block the entire continent not just the EU. I'm in
Switzerland (not in EU) and still get blocked.

------
Beltiras
GDPR does not have the full force of law in Iceland but yet I am blocked. Not
that I will miss those publications.

~~~
werid
That's so strange, in Norway, I can still load LA Times.

------
_Codemonkeyism
In 1y every website will have a click through EULA with 20 pages that loads
before everything else and doesn't store IPs - and which no one is reading -
privacy served. Just when they install from the App store or install Microsoft
Office.

~~~
akie
"Click here to agree to everything we do" schemes are explicitly forbidden by
the GDPR. You need to individually opt-in to every single use case, and you
need to consent to every transfer to each individual third party as well.

~~~
_Codemonkeyism
IANAL

No, coupling is forbidden. A 20 page, non-legalese EULA is allowed if you
don't couple acceptance to using your site.

"You need to individually opt-in to every single use case"

No. But I would be happy for your source on that.

You can't change the usage purpose after collecting, but if you declare what
you do before (20 pages EULA) data collection, you're fine.

"and you need to consent to every transfer to each individual third party as
well."

Yes, foggy data privacy declarations from the past are no longer allowed, but
20 pages EULA, 10 pages with company listings you transfer data to are.

I'd also add a teaser on top with the most important things, like here
[https://juro.com/#privacy-popup](https://juro.com/#privacy-popup)

If Paypal can do it, so can you.

~~~
icebraining
_I would be happy for your source on that._

It's in the "Guidelines for Consent" document, in "3.1.3 Granularity":

"A service may involve multiple processing operations for more than one
purpose. In such cases, the data subjects should be free to choose which
purpose they accept, rather than having to consent to a bundle of processing
purposes."

And they give an example:

"Within the same consent request a retailer asks its customers for consent to
use their data to send them marketing by email and also to share their details
with other companies within their group. This consent is not granular as there
is no separate consents for these two separate purposes, therefore the consent
will not be valid."

[http://ec.europa.eu/newsroom/article29/document.cfm?action=d...](http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030)

~~~
_Codemonkeyism
Looks like we're both right, if you base your legality on consent, each case
needs to be presented on their own.

If you do not base it on consent, which many lawyers in Germany say you should
only as a last resort, you can have a large declaration.

Just as I've predicted, the Washington Post implemented a click-through EULA.

------
millette
From Canada, [http://www.thesuburban.com/](http://www.thesuburban.com/) too is
unavailable in Europe due to GDPR.

------
mrfusion
Is blocking a legal way to comply with gdpr? Surely you can’t identify all Eu-
ians? Does the law just care that you made an effort to block them?

~~~
Sargos
Yes. Intent matters. The website is showing that they do not want EU visitors
as they don't want to deal with the high cost of GDPR. If an EU visitor
manages to bypass this restriction in some way like a VPN then they lose their
EU protection as they are hiding their identity as an EU citizen.

------
zerostar07
Well we still have HN, even if non-compliant.

~~~
jacquesm
Why is HN non-compliant?

They use Cloudflare which has gone out of their way to be compliant (to the
point of offering US citizens and the rest of the world the same protections
as EU citizens), and nothing else is included on the page that could track you
(check it if you don't believe me).

You can anonymize your profile, you can edit it and you can use one of several
services to get your data out. On the whole it is pretty good.

~~~
nostalgeek
AFAIK you can't delete all your messages on HN, nor even delete your profile.
They also do fingerprinting, or else how can they detect people with multiple
accounts?

~~~
jacquesm
> AFAIK you can't delete all your messages on HN

Not in an automated way. Have you asked the moderators to remove all your
messages?

> nor even delete your profile.

You can anonymize it.

> They also do fingerprinting, or else how can they detect people with
> multiple accounts?

Who says they do?

Or is that written from personal experience?

Note that 'for the purpose of running the service' is a lawful basis for
processing.

------
natch
Are there any publicly traded VPN providers?

------
ryanwaggoner
I hope we get a LOT more of this.

If the EU wants to pass laws that say every company around the world (almost
all of which have ZERO democratic representation in EU government) has to
fully comply or face huge fines that will drive them out of business, let’s
see how they feel when all those companies just shrug and turn their back on
the market.

I know the GDPR fans here will just say “good, we’re better off without them!”
and I guess on that we agree. Go in peace.

~~~
mark_l_watson
Hello Ryan (I like your business advice newsletter), honest question: In the
USA we have FICA laws that can fine foreign banks, in foreign countries, not
here, for most of a year’s income if they make a single error in reporting
financial records of US citizens. Most banks in foreign countries simply
refuse US citizens as customers.

How are laws like FICA OK but not GDPR?

~~~
ryanwaggoner
Thanks for the kind words re: newsletter :)

Are you thinking of FATCA? I’m not an expert, but from what I can tell, I’m
not a fan. I think telling US citizens that they have to report is fine,
asking foreign banks to report is fine, and requiring foreign banks _that also
have a US presence_ to comply is fine.

But if FATCA applies to some small community bank in Japan, then that’s
ridiculous.

------
Agathos
Obligatory link to the original tronc vision:
[https://www.youtube.com/watch?v=OtwiWd1LTeg](https://www.youtube.com/watch?v=OtwiWd1LTeg)

------
dmitriid
""" USA Today stops tracking EU citizens.

Americans/others are still fair game.

When it comes to privacy, Americans are now formally 2nd-class world citizens.
"""

[https://mobile.twitter.com/aral/status/1000005956493770753](https://mobile.twitter.com/aral/status/1000005956493770753)

------
tomatotomato37
Explain to me again how this won't functionally turn into the EU version of
FOSTA?

------
muzani
Can't break privacy laws if you don't have any customers.

------
fiatjaf
Shameless self-promoting an easy solution for your small site, if you too want
to get rid of EU people: [https://euroshield.xyz/](https://euroshield.xyz/)

------
OrganicMSG
Technically, this would seem true for a lot of things.

------
notananthem
Trib and Daily News are not journalism lol

------
WindowsFon4life
s/news/propaganda

------
yeeeeeeeeee
Regardless of GDPR, this is good in the short term. Organizations can comply
with regulations (and ostensibly reduce market failures) or not comply and
lose market share. If all regulations fell into the former camp we haven't
_tried_ enough strict regulations.

More generally I think a big problem with compliance is

1) Current business model practices. We don't know all the ways to make
money on the Internet because it hasn't been around that long so we just sell
data/ads.

2) Technical limitations. The Internet is organized around centralized systems
but this doesn't have to be the case. It's just hard to build a comparable
decentralized system easily with the current tools.

~~~
fredley
I agree with this, and hope that it will cause innovation on both points. I
know there are a lot of regulation-phobes on here, but good regulation is a
driver of (good) innovation, as opposed to further innovation in fields like
spying on customers and exfiltrating as much data on them as possible.

Innovation will always be made, and I feel that currently, many great minds
are being utilised to make people click on ads. Hopefully this is a step
towards changing that.

------
jannes
I won't miss them. Why would I need to know about local news from places over
5000 km away?

Luckily there is still archive.is and the Internet Archive for exceptional
articles that pop up on HN.

~~~
akhatri_aus
For many of us the meaning of the internet itself is being able to access
things at 5000 km away.

~~~
hartator
No one needs that kind of access, crazy thoughts.

~~~
joering2
Bill Gates agrees with you ;)

------
_Codemonkeyism
In 1y every website will have a click through EULA with 20 pages that loads
before everything else and doesn't store IPs - and which no one is reading -
privacy served. Just when they install from the App store or install Microsoft
Office.

~~~
simongray
Forcing users to accept a 20 page EULA is not compliant, that's what's so
great about this directive. If all you have to do to be compliant is add a new
clause to your 20 page EULA, then the law would have no purpose - we're
already trained to just click accept when presented with any kind of
lawyerese. The whole point is to get away from that.

~~~
_Codemonkeyism
IANAL

I've not said that this is the only thing you need to do. EULAs don't make you
compliant. I've said websites will have EULAs (and be internally compliant)
and do everything - except selling - with your data that they do now.

The only real benefit of the GDPR for users is that old (e.g. 2y) data needs
to be deleted and companies can't keep your personal data 10y for future use
cases.

But you can do most of the things you like with consent and if you do not
couple it to your offer.

But the GDPR does not prevent any business model or collecting any data as
long as there is consent, you are transparent, you can export the data,
consent can be revoked and data can be deleted on request.

~~~
simongray
That's not the only real benefit. The strongest benefit is that all tracking
and sharing of collected data is made explicit to all users _in plain
language_ and now requires _explicit_ opt-in. Before this directive, companies
could just hide that shit somewhere in their EULA. It's this practice that's
being regulated.

