
Unroll.me to close to EU users saying it can’t comply with GDPR - prostoalex
https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/
======
lol768
Hadn't heard of unroll.me prior to this, but it looks like nothing of value
was lost. GDPR doing its job and it hasn't even come into (en)force(ment) yet!

Do they do anything that a quick grep for "Unsubscribe" can't? I guess the
digests are somewhat niche

~~~
Hamuko
Sorry, but GDPR came into force in 2016.

~~~
apexalpha
That's when they passed the bill I think, but as the article says:

> [...] is to stop serving users in Europe ahead of a new data protection
> enforcement regime incoming under GDPR, which applies from May 25.

~~~
Hamuko
Nope, GDPR was adopted in 2016. It just hasn't been enforced for the last two
years in order to give companies time to transition.

~~~
jsiepkes
It hasn't been enforced because the law itself says it shall apply from the
25th of May 2018 (art. 99 par. 2).

So no, the GDPR is not in force yet.

~~~
Hamuko
[https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN)

> This Regulation shall enter into force on the twentieth day following that
> of its publication in the Official Journal of the European Union.

"This Regulation" referring to the General Data Protection Regulation. The
date on the journal is 4 May 2016, so GDPR entered into force on 20 May 2016.

~~~
YeGoblynQueenne
To quote the whole thing:

    Article 99

    Entry into force and application

    1.   This Regulation shall enter into force on the twentieth day following that
    of its publication in the Official Journal of the European Union.

    2.   It shall apply from 25 May 2018.

    This Regulation shall be binding in its entirety and directly
    applicable in all Member States.

    Done at Brussels, 27 April 2016.

I guess you're arguing about a fine point and being downvoted for pedantry,
then?

------
hedora
I am increasingly tempted to VPN everything through Europe, and maintain a
token postal address there.

~~~
bastawhiz
I don't mean this sarcastically, but why? It sounds like this impacts users
that willingly signed up for this service. Why would you VPN/forward mail
through Europe to be locked out of services that you signed up for?

~~~
dijit
Because a company being unable to comply with GDPR is a red flag for how they
treat user data. GDPR is written in such a way that you as a company are given
freedom to use data if it's for business reasons. But you need to keep track
of it.

Enhanced data protections are a good reason to (by default) be a European.

~~~
lucb1e
Same with the cookie wall, by the way: if you need a cookie wall, that means
you do more than aggregated statistics such as building profiles of
individuals. Even if you have accounts, you don't need a cookie wall for a
login system. Only if you do tracking. People see it as "govt doesn't
understand tech again" but I think in reality, it's the people that completely
missed the point here.

~~~
oneeyedpigeon
[https://www.youtube.com/watch?v=loVjrNFJAik](https://www.youtube.com/watch?v=loVjrNFJAik)

The form on the ICO's website is still exactly as absurd today as it was 6
years ago.

------
mplewis
I'm waiting to see what happens in the class action (COOPER v. SLICE
TECHNOLOGIES, INC.,
[https://www.leagle.com/decision/infdco20170920f18](https://www.leagle.com/decision/infdco20170920f18)).

"UnrollMe does not adequately disclose its true business model to users.
Instead, UnrollMe disguises itself as an email-management service to mislead
users to sign up for the service so that it (and Slice) can access their
data."

------
elahd
I prodded unroll.me a couple of years ago about their data retention policy.
Their answer was sketchy so I ended up not using the service. Unroll.me users
irreversibly hand over all of their emails to an unknown entity -- it's crazy
to subscribe.

Original thread:
[https://twitter.com/elahd/status/575692415132135425](https://twitter.com/elahd/status/575692415132135425)

DMs: [http://imgur.com/H0UABYa](http://imgur.com/H0UABYa)

------
akerro
Good, this way we can filter shitty services that don't care about my data but
only care about using me as a product when I'm not looking.

~~~
ddtaylor
I'm sure there are still many services operating as "complying" that do in
fact only care about the data they can extract from you, eg. Facebook.

------
Barrin92
> Put on your best unsurprised face: Unroll.me, a company that has, for years,
> used the premise of ‘free’ but not very useful ’email management’ services to
> gain access to people’s email inboxes in order to data-mine the contents for
> competitive intelligence — and controversially flog the gleaned commercial
> insights to the likes of Uber — is to stop serving users in Europe ahead of a
> new data protection enforcement regime incoming under GDPR, which applies from
> May 25. [...]

> "We may share personal information we collect with our parent company, other
> affiliated companies, and trusted business partners. We also will share
> personal information with service providers that perform services on our
> behalf. Our non-affiliated business partners and service providers are not
> authorized by us to use or disclose the information except as necessary to
> perform services on our behalf or comply with legal requirements".

If that's going to be the sort of business that the GDPR makes unprofitable
and unworkable then I'm very proud to be a European citizen.

~~~
downandout
_If that's going to be the sort of business that the GDPR makes unprofitable
and unworkable then I'm very proud to be a European citizen._

This _is_ the sort of business that GDPR makes unprofitable and unworkable -
but unfortunately it's not the _only_ sort. Normal, everyday services - sites
that you might use and enjoy - will also have to close to EU traffic simply to
avoid the liability.

At my company, we do nothing nefarious with user data. We have a combined
total of a few million visitors per month across a handful of sites. After
consultation with experts, we had to make the decision to either spend high
six/low seven figures to _hopefully_ comply and buy special liability
insurance that would help pay any fines (this law is subject to unique
interpretations in 28 distinct countries, so nobody can actually know what
"full" compliance is), or simply block EU traffic. We chose the latter, and
many thousands of other sites that have no intention of doing anything
nefarious with your data will as well.

~~~
lucb1e
I've heard this sentiment being expressed by at least one person in all of
these threads, but you're one of the first that actually mentions having
consulted with a lawyer. The thing I keep asking is: what is new? I have yet
to hear anything non-trivial which a company suddenly has to do, which wasn't
required by any EU country before.

The only new thing seems to be higher fines and aligning laws in all EU
countries, rather than having different implementations of roughly the same
thing. But if you don't comply with GDPR, odds are that you should never have
been able to do business with a lot of European countries. To the best of my
knowledge, you should have geoblocked the Netherlands long ago (the only
country I know the laws well enough of, to say that there is truly only a
small difference between the 2002 WBP and the new GDPR) if you have to close
to the EU for GDPR.

~~~
downandout
The biggest 2 issues (at least for non-EU companies) are the extraterritorial
reach, and the absurd maximum fines that can indeed be assessed for a first,
single violation. Whether or not that is the public's understanding of the
law, that is how it is written, and when it comes to enforcement, the letter
of the law is the only thing that matters.

So we have a foreign government (to us) that has asserted authority to reach
beyond its borders and into our pockets with an absurdly complex regulation,
where a single violation would financially destroy the company. Since I don't
have $20 million to give to them, and the families of my employees depend on
their income for things like food and housing, I have to either carry
expensive liability insurance to protect against that, or block EU traffic.
For us, and I suspect most other sites on the planet, that's an easy decision
to make. I'll take a 5%-10% hit in revenue from the loss of EU traffic and be
able to sleep at night knowing that someone in a country I've never been to
isn't out there filing documents that have the ability to destroy my and my
employees' livelihoods.

I won't go into the minutiae of why it's so easy to violate and why most of
the experts we have spoken to agree that being compliant is an uncertain
endeavor at best, even if you want to comply, because that would be a very
long winded comment. But if you do a Google search, you'll see the gist of the
problems.

~~~
amyjess
If you don't have offices in the EU, and you don't keep your money in any
accounts controlled by EU banks, then why not just refuse to pay the fines?

Might be a good opportunity to make some contacts in the Trump administration
too, who will be interested in asserting US sovereignty.

~~~
deecewan
And then also say goodbye to any chance of European expansion, ever.

That's a big risk, given the size of Europe and the fact that if the US is
your current target demographic, it's not a far stretch to think Europe might
be, too.

~~~
jlarocco
> And then also say goodbye to any chance of European expansion, ever.

Blocking the EU effectively means the same thing, though, because it's
announcing to everybody that you're ignoring that market and leaving the door
open for companies who can copy your business model but are willing to respect
users' privacy. Not to mention the reputation damage from snubbing their
privacy laws. The door's still technically open, but it's going to be much
more difficult.

I also wonder if this kind of announcement will backfire a bit for these
companies. When I see a "We're dropping the EU over GDPR," article, I don't
think about how bad the GDPR must be, but instead I wonder what shady
activities these companies are doing that makes them unable to comply, and
that makes me avoid them.

The general public are pretty clueless on these things (look at the surprise
around Facebook lately), but I do feel it'll cost them some users.

~~~
taysic
I don't think big companies will back out of the EU at all. In fact, they now
have a bit more of a competitive advantage because they have the money and
time needed to get GDPR right over a smaller company. And transparency about
how they use data will isolate fewer users, now that they already built their
name. I think it will affect smaller companies more whose new innovative
product will be tested on the US market first before demand is recognized and
then adapted to the EU. Of course it really depends on the regulatory reach of
this law.

------
michaelgiba
Judging from the other comments I guess I’m in the vast minority, but I think
the fine structure is really bad for small businesses. I’m not a GDPR fan.

~~~
DanBC
I think you're making the mistake of thinking the fines mentioned are the
minimum fines, when they're the maximum possible fines for the worst repeat
deliberate violations.

EU regulators tend not to apply fines for companies making simple mistakes.
They do want the companies to come back into compliance.

------
dawhizkid
I feel like we’re living in the golden age of free personal financial apps.
Shocking to me how much we care when it comes to protecting our likes but how
careless we are about giving third parties logins to our online banking and
all the balance and transactional data that comes with it.

------
blatherard
I’m no GDPR expert, but wouldn’t it apply to data of European citizens even if
they’re not the customer? Since unroll.me slurps up email, don’t they still
have to comply with all the rules for data because presumably some of that
email data originates from the EU?

~~~
crispyporkbites
No, because they’re pulling out of the EU market there is no judiciary
oversight from the EU of their business, so the rules simply don’t apply.

------
kelnos
If there's one good thing that's coming out of stories like this, it's that I
(as a non-EU citizen) can avoid companies like this that clearly don't care
enough about being good stewards of my personal data.

~~~
gerdesj
Yes, GDPR really is a force for good.

It is also a bit of a bugger to prepare for (I own a small UK based IT
business) but it is a good thing in my opinion.

There are ~0.5 billion EU citizens and GDP is roughly 22% of the world. So it
has some clout. The EU as a whole has decided that people's data is important
and have come up with some rules about the same. Bear in mind the EU is a very
diverse place and getting 28 states to agree on something is akin to cat
herding.

I am still in shock about it. I am also very happy about it but it is only a
start. Getting FB and Co into line will take a lot longer as will the world
getting a decently diversified and mutually compatible, healthy social
presence environment working.

------
kowdermeister
Unroll.me's ToS was one of the first I checked in detail and it shocked me how
invasive it is. I noped the f* out before I granted access to all my mail.

------
dvfjsdhgfv
That's great! I hope more companies like these follow their footsteps.

~~~
Grue3
I hope so too. Countries that try to regulate Internet don't deserve Internet.
I wish more websites had the balls to not give in to every ridiculous law
passed around the globe (e.g. Github removing perfectly normal files because
Roskomnadzor asked them to [1]).

[1]
[https://en.wikipedia.org/wiki/Censorship_of_GitHub#Russia](https://en.wikipedia.org/wiki/Censorship_of_GitHub#Russia)

~~~
nukeop
This is a basic protection that should have been passed a long time ago, don't
try to frame it as "censorship", it was created to give you control over your
own personal information.

------
dmitriid
Every time you see news of a company "not being able to operate due to" or
"shutting down because of" GDPR, the _only_ actual reason is "our business
model is unsolicited unrestricted access to, processing of, and selling of
personal data."

So sad to see these businesses go (not)

~~~
megaman22
Or they are not actually doing anything shady, but the revenue coming in from
the EU is not sufficient to justify the increased costs and liabilities.

~~~
geofft
Do you have an example of this? I totally believe this is possible, but every
thing I've seen _in practice_ has matched GP's description.

~~~
megaman22
There was at least one that landed on the front page this week.

[https://news.ycombinator.com/item?id=16954306](https://news.ycombinator.com/item?id=16954306)

~~~
geofft
Thanks. Interesting that some folks in the comments say "actually, this site
was abusing your data to make money" - but I don't have a good sense of
whether a similar site that didn't use Amazon ads, and either took a small
membership fee or was run out of the founder's pocket as a side project, would
have things to worry about from GDPR.

On the flip side, does anyone know of side projects or community projects that
have said "We chatted with a European lawyer, who said we don't have anything
to worry about, and we'll keep doing our thing"? I know Debian is having that
chat ([https://lists.debian.org/debian-devel-announce/2018/04/msg00...](https://lists.debian.org/debian-devel-announce/2018/04/msg00012.html)
\- and there are some privacy things I think
Debian _should_ change, like not keeping people's support emails from years
ago public) but I'm curious about projects that are smaller in scope and are
basically not trying to hold personal data at all.

~~~
y_molodtsov
There also was some online game that did the same, I doubt they had a lot of
user data.

------
mvid
I'm curious to know how they enforce the limit on EU users

~~~
Hamuko
Whatever they are thinking of, I can guarantee that it doesn't work.

------
toyg
Score one for GDPR. Between this and the umpteen services forced to purge my
address unless I "resubscribe" (when of course I never subscribed in the first
place), it has already achieved concrete results. If only the EU could also
fix the mess with cookies and VAT, we could say we're finally entering an era
of decent lawmaking over the digital space.

------
mirimir
I suspect this strategy will fail. I'm currently using a VPN with an exit in
Germany. But through some sort of geolocation glitch, it's being identified as
UAE. So unroll.me doesn't display the warning for EU residents.

Given the chaos around IPv4 assignments, I doubt that only VPN services are
affected.

------
JeanMarcS
So they don’t think privacy matters?

~~~
apexalpha
Selling your privacy / data is 100% of their business. The service they
provide is 'free' as in a 'free toolbar' that then steals data off your
system.

------
fiatjaf
That's amazing. I hope more and more companies will forbid the entrance of
European users. If at the moment you put your feet on my company you're
already making unreasonable demands the most decent thing to do is to put you
out and refuse to serve you.

I hope GDPR defenders will understand that if more and more companies adopt
this strategy.

------
hidiegomariani
It won't be missed

------
jacquesm
Excellent. The GDPR is working as intended. Let's see how many other
unscrupulous actors will try to pin the blame for their own malicious behavior
on the new legislation.

~~~
apexalpha
Just like Uber circumventing labour laws to beat taxi firms. "EU not good for
innovation".

Ehm, no. These laws represent how we want (our data) to be treated. If your
business model can't exist within that legal realm then your business model is
one we don't want.

------
nukeop
This is fantastic news, if a company can't behave responsibly with user data,
it deserves to go bankrupt. It's like a restaurant saying it can't comply with
health regulations. Absolutely unacceptable. If the business model is to
exploit and sell personal information, then the world is better off without
that company.

~~~
ocdtrekkie
The only thing I am sad about with this news: Unroll.me is still able to
function in the United States.

------
jMyles
So, everyone seems to be celebrating the blow stricken against this seemingly
unscrupulous company. Fair enough.

But doesn't anybody else think this has at least some worrying optics of
censorship?

Are we going to end up with another great firewall around Europe? And are you
sure that only companies which enjoy a consensus as evil will be clawing the
outside?

Won't the internet interpret this as damage and route around it?

~~~
matthewmacleod
_But doesn't anybody else think this has at least some worrying optics of
censorship?_

No. No more than I think being able to sell fake medicine is censorship.

~~~
jMyles
I just don't have a great deal of confidence in my own ability to tell the
difference between an arbiter who is making good judgments about which
medicines are real and someone who is censoring a competitor by adjudicating
their medicine as "fake."

In fact, I think I have better instincts about detecting fake medicine than I
do about detecting the fake arbiter.

~~~
thefifthsetpin
Since I like torturing metaphors, let's say that the GDPR was instead a law
prohibiting the sale of fake medicine.

What happened in this case is that the Unroll.me pill manufacturer announced
that they'd not be selling their pills in the EU anymore due to the GDPR.

So, though your concerns remain valid in the general case, in this particular
case there could be no shifty arbiter. Unroll.me self-assessed and decided
that their own pills are fake.

~~~
jMyles
In this case, you're probably right.

...but what if you were selling a medicine that you knew worked, that you
really believed in, but that you knew was going to be labeled fake by an
arbiter in the employ of your competitor (and I think it's not unfair to say
that the FDA is, at times, exactly this)?

Might you decide not to spend the money to attempt to achieve compliance?

Don't you think that some well-meaning organizations, knowing that they have
powerful, well-connected beasts who wish failure for them, might opt to just
stay out of Europe (either initially or always) instead of facing the costs of
assuring compliance?
