
Why You Can't Just Block EU Visitors, EU Customers, or Any EU Traffic Under GDPR - _csoz
http://www.gettingemaildelivered.com/why-you-cant-just-block-eu-visitors-eu-customers-or-any-eu-traffic-under-gdpr
======
shiado
As somebody who values privacy greatly something about the GDPR just doesn't
sit right with me, which is confusing and conflicting because somebody who
values privacy should be naturally aligned with it.

After thinking long and hard about the GDPR the part that bothers me the most
is the expectation from the EU that foreign entities enforce their regulations
because the EU cannot bear the political consequences of doing it themselves.

Imagine if China decided that Chinese citizens accessing foreign servers was a
breach of national security due to the ability of these foreign servers to
collect private browsing information, and imagine if China decided to make
laws that fined these foreign entities in violation of their laws. It would be
a fucking joke and it would be ridiculed internationally for good reason.
China obviously knows this and they are prepared to get their hands dirty and
implement the Great Firewall of China because they have no problem appearing
as a controlling and authoritarian state.

So why doesn't Europe just do what China does and build their own firewall? If
they really wanted to restrict collection by foreign servers which exist in
non-EU jurisdictions and apply the regulation internally in the EU then they
have the technical capacity to do so with a firewall.

Europe just can't bear the consequences of building such a firewall because it
would destroy them in the court of public opinion. If EU citizens suddenly
lost access to American services all hell would break loose. On a more
political level the EU is a place which is generally known as being liberal
and open and the construction of a mechanism designed to enforce their
regulations by closing them off from the outside internet would be the
construction of an authoritarian tool of censorship and restriction of
freedom.

~~~
lurena
>After thinking long and hard about the GDPR the part that bothers me the most
is the expectation from the EU that foreign entities enforce their regulations
because the EU cannot bear the political consequences of doing it themselves.

That sort of thing happens all the time - except the US is usually the one
coercing foreign entities. Remember the DMCA? ThePirateBay's raid in 2006? Or
the Megaupload debacle? Or how Japan was pressured by the US to adopt stricter
child pornography laws?

Note, I'm not saying the people behind these were supporting moral and noble
causes that the US was wrong to clamp down on. I'm certainly _not_ saying
people should comply to China's expectations on free speech and flow of
information. Simply, if you feel infuriated that a foreign power is enforcing
its worldview and related regulations onto you, an American citizen, know that
that's what _literally everyone else_ has been experiencing for the last
decades from the people you've put in power.

But then, what the EU is trying to enforce here - more power to Internet
users, essentially - is fairly benign when compared to what other foreign
powers would like to enforce. If there were matters of infuriation to be had
on that account, I'd start with the Marriott debacle [1].

[1] [https://boingboing.net/2018/01/15/willfull-liking.html](https://boingboing.net/2018/01/15/willfull-liking.html)

~~~
dogma1138
The DMCA does not magically apply extra territorially.

It’s applied through an established legal framework either through bilateral
trade agreements or through WTO rules.

The majority of copyright enforcement outside of the US has nothing to do with
the DMCA but rather copyright holders using local legal frameworks.

The problem with the GDPR is that its extraterritorial application as
expected by the EU is also extrajudicial.

I would have no problem with the EU seeking ways to expand GDPR through new
legal frameworks which the people that would be impacted by these changes can
actually control through their own political system.

What I have a problem with is the EU essentially forcing compliance through
extortion and sooner rather than later it will employ the companies that the
GDPR was in spirit intended to protect us from to enforce it.

I don’t see the EU being able to enforce the GDPR even internally without
essentially deputizing the likes of Google, Amazon and PayPal to enforce it
across all of their customers in order for them themselves to be compliant.

Even with the fines possible under the GDPR the EU cannot enforce compliance
by targeting 100,000s of small companies without going essentially bankrupt.
It can however effectively target the big ones and worse make it impossible to
operate within the EU without using their "GDPR compliant" platforms.

The GDPR might be a great thing on paper and even in spirit but the
uncertainty and the inability to enforce complex regulation on a mass of small
entities would likely cause its real-world repercussions to be quite
different from what was imagined or intended.

~~~
lurena
>The DMCA does not magically apply extra territorially.

>It’s applied through an established legal framework either through bilateral
trade agreements or through WTO rules.

>The majority of copyright enforcement outside of the US has nothing to do with
the DMCA but rather copyright holders using local legal frameworks.

That means essentially the same, in effect. Very few countries have copyright
laws that do not align with interests of US lobbies. If any country with
significant partnerships with the US decided to tell "screw the MPAA, you can
now download anything from the Internet" to its citizens, the said lobbies
would pressure the US government to pressure that country through the trade
agreements you mentioned, until it relented. This is something that actually
happened, during e.g. the TPB raid. We can argue about the moral legitimacy of
such things but the reality of the matter is, it's all power plays.

>What I have a problem with is the EU essentially forcing compliance through
extortion and sooner rather than later it will employ the companies that the
GDPR was in spirit intended to protect us from to enforce it.

>I don’t see the EU being able to enforce the GDPR even internally without
essentially deputizing the likes of Google, Amazon and PayPal to enforce it
across all of their customers in order for them themselves to be compliant.

>Even with the fines possible under the GDPR the EU can not enforce compliance
by targeting 100,000’s of small companies without going essentially bankrupt.
It can however effectively target the big ones and worse make it impossible to
operate within the EU without using their “GDPR complaint” platforms.

Three objections:

- The use of 'extortion' is rather harsh - the EU isn't out there to suck money out of the poor American startups, they simply want them to treat user data in a sensible manner. Now you may object to what is considered 'sensible' just like someone in Sweden (e.g. anakata) may object to what is considered a 'copyright breach' but the point here is that they are not looking to make money from fines. If you are found to be noncompliant you wouldn't get sued by troll lawyers, you'd get a couple of warnings along with guidance on how to be compliant again. Fines are simply there to say they mean business so people stop ignoring the regulations like they've done with existing country-specific ones for the last decades. Again, power play.

- I really doubt Google, Amazon and PayPal would cut off the entire EU market just to avoid going through the hassle of setting up an updated privacy policy. The EU population is 500 million, way more than the US. More likely, they'll do a cost-benefit analysis that will tell them it's worth paying their lawyers to do the compliance work. It's not actually a big deal. Also, these tech giants do have offices in the EU, usually in Ireland, so it hardly counts as extraterritorial extortion.

- As for the poor hundreds of thousands of companies - well, see the above. They don't want your money, they want compliance. A fine is the absolute worst case if you are repeatedly and outrageously negligent on a very large scale. The most likely case, however, is that the GDPR isn't going to care about these startups because the European public doesn't care about them either. I don't mean to be harsh or condescending, but while lurking HN and reading headlines about such and such service shutting its doors to European users, I couldn't recognize any of the names. No one is going to sue your ten-man startup that develops a niche/superficial app whose use cases only fit twice that many people in an EU court. It is far more likely that it will fail by itself, because that's what startups do. Should it grow, however, and be in a position to deal with enough customers' data that negligence or nefarious intent when handling it would cause significant harm - that's where actual GDPR enforcement would step in.

You may say: 'but there is no guarantee', 'it's all very vague', 'this much
vagueness only opens the way to corruption and preferential treatment', but
that's mostly how most of the law is written here in the EU - clarity of
intent and concision over clarity of wording and exhaustiveness. Against all
odds I'd say it's working out pretty well for us and the vast majority of
people here do not feel any defiance toward their institutions (at least when
compared to other countries), so I feel confident in the GDPR's enforcement,
jurisprudence cases and their future effects on the handling of my data. You
may feel slighted that a foreign entity, its views and its legal culture are
being imposed on you, though, and I understand. Again, power play.

------
joshuamorton
No. (Usual caveats, not a lawyer, not an expert).

If you aren't storing the data tied to a specific person, you aren't
profiling, otherwise "receiving an http request and logging that" would
violate the GDPR, which it doesn't.

Second, country isn't PII under the GDPR; the location would need to be more
precise to be relevant.

I think blocking the entire EU is lazy, but this is the non-est of nonsense.

~~~
quickben
Whenever I read "Blocking entire EU" I classify it as a romanticized revenge
daydreaming.

No sane western corporation will willingly eliminate an entity about the size
of the USA out of spite and take a profit hit just because of a new PII protocol.
Just look at FB, Google and the rest of the advertising companies. They bent
over backwards trying to accommodate the law.

But: GDPR _will_ filter out businesses that existed in the legally grey area
because technology was faster than the law in this type of business competitive
advantage features.

~~~
krschultz
FWIW the first serious startup I worked at chose not to do CE compliance (the
EU governing body for electronic devices that may interfere with RF). Thus we
did not sell our product to Europe.

Every single blog post had a set of people raging that we were assholes for
doing this, but the reality was the cost of compliance just didn't make sense
for the MVP. It was high 5 figures in cost which was just too much at the
time. If we had achieved product market fit then the obvious move would have
been to do that compliance to gain more customers, but we never quite got
there.

I doubt GDPR gets to that level of cost, so the ROI looks a bit different. But
I still think it's a reasonable decision to say "I simply won't do business in
the EU because it costs more than I'll gain". A lot of companies also don't
bother to go through the effort of printing the dual language labels required
to sell their products in Canada, even though it's a decent sized market close
to the US.

Tech, specifically the internet, has grown without regulation for a long time.
But that era is over. These kind of decisions are routine in non-internet
businesses where distribution, borders, and regulations exist. I suspect we're
going to have to think a lot more about this in our work in the future.

------
dahdum
So the GDPR was vague, and while I would say poorly written, many have claimed
that the EU will focus more on the spirit of the law vs the law itself.

Anyone really believe they’ll litigate against companies that block them
entirely? That want nothing to do with the EU market as a result of this law?

I seriously doubt it, but this is a great example of the 2 years of legal
arguments and debates happening in companies because of GDPR.

~~~
JumpCrisscross
> _Anyone really believe they’ll litigate against companies that block them
> entirely?_

All it takes is a single populist data regulator in one of the EU's
twenty-eight members. Will they win? I don't think so. But in the meantime, you'll
be dragged through costly regulatory negotiations. Those negotiations would
become much more expensive if one had any European users.

~~~
dahdum
Allowing 28 separate, politically diverse and motivated data regulators to
litigate a vague law against publicly unpopular multinationals is a recipe for
capricious and arbitrary action, but I believe that was rather the intent.

Litigating on this particular issue would be an incredible stretch though.
Offends basic sense of fair play imo.

If Turkey gets EU membership, it would be a hoot to see how Erdogan uses this
law.

~~~
JumpCrisscross
> _Litigating on this particular issue would be an incredible stretch_

At least litigation has a clear end. The problem is more endless requests for
information, each requiring research and drafting by expensive EU lawyers. A
burden irrespective of whether you did anything wrong.

------
eksu
The E.U. has no legal authority or enforcement mechanism to stop foreign,
online companies from not doing business in the E.U.

~~~
TomK32
It's NOT about stopping them from doing business, it's about businesses taking
personal data more seriously.

E.g. the right to be forgotten: the EU has it, the US doesn't. Sanctions when you
forget to disclose a massive data leak on your private escort website? $0 in
the US, hopefully very expensive in the EU. Your nemesis publishes lies on the
net? EU helps you have that deleted. Your supermarket tracks your shopping and
knows you are pregnant before you do (this happened in the UK!), won't happen
anymore in the EU. Shady Sunshine Ltd bought your email address and purchase
data to spam you, bad and expensive for them. Facebook won't allow you to
continue unless you agree to face recognition? This might be the first case in
the courts.

Wait and see for the good sides once the panic has quieted down.

~~~
gizmo686
That's all well and good. However, if a company chooses not to do business in
the EU, then it does not matter what the GDPR says, even if the mechanism they
use to block the EU violates the GDPR.

------
zenovision
I have ~600 small business customers from the EU who are using my SaaS product
and until now I received zero requests regarding GDPR. It seems it was the
right decision to ignore this law, because no one cares about it. The same
thing was with the cookie banner. Never built it into the product and in 6
years not even a single person asked about it...

~~~
taejo
The GDPR has been in effect for less than three days, two of which have been a
weekend. A bit premature to say "nobody's enforcing this law", isn't it?

The cookie banner is different because everyone knew it was completely
meaningless. Whether GDPR is or not remains to be seen; it's certainly not an
"everybody knows" situation yet.

------
beefhash
There's still the issue of enforcement. If the operators and servers are all
outside the EU, how would a user effectively get courts to enforce the GDPR?

~~~
CM30
Arrests when an operator visits an EU country? I mean, that's how the US seems
to get gambling company CEOs and internet betting site operators...

~~~
Zak
I find it pretty problematic that the US does that to gambling site operators.
People who do things that are legal where they live should not have to fear
that they'll get arrested when they visit a foreign country just because those
things are not legal in that country.

------
gizmo686
Assuming the article is correct in its interpretation of the law, it is still
missing the point. If you do not operate out of, or do business in, the EU,
then the EU has no claim to jurisdiction.

The only similar case I can think of is the Israeli law which prohibits entry
into the country by anyone supporting BDS. Notably, in this case they are not
even claiming that everyone on the planet is required to not support BDS,
because it is obvious that they have no jurisdiction to do so.

EDIT: You also have China and Saudi Arabia who have internet restrictions.
However, they also do not claim jurisdiction over foreign sites. They only
require compliance by sites that operate within their jurisdiction; and have
built the infrastructure to enforce their digital border.

~~~
MatthewWilkes
Then why block the EU to begin with? The argument is clear, blocking users is
not a panacea.

~~~
gizmo686
Because if you do not block the EU then the EU can claim to have jurisdiction.

------
ddtaylor
Jurisdiction. By this same logic you have to comply with the rules of the Great
Firewall of China.

~~~
ceejayoz
Or Saudi Arabia's content rules.

------
eivindga
This is a ridiculous interpretation of the law. Brought to you by some
«experts» in Colorado.

If you had followed EU policy discussions over the last 10 years, you would
realize this is about creating a single, unified online market.

Meaning a citizen living in Poland should have access to the same online
services as a German, unless there are valid reasons for denying him.

------
eganist
Site got hugged. Google cache:
[http://webcache.googleusercontent.com/search?q=cache:www.get...](http://webcache.googleusercontent.com/search?q=cache:www.gettingemaildelivered.com/why-you-cant-just-block-eu-visitors-eu-customers-or-any-eu-traffic-under-gdpr&strip=1)

In short: the opinion expressed by that link appears to be _plainly wrong_, as
the organization using IP addresses to restrict EU traffic for the sake of
GDPR would need the ability to actually identify people from that information,
a power arising from access to other information. The vast majority of
entities lack that additional information, so for them, IP addresses are not
'personal data' under existing case law.

In long: I'm not providing legal advice, only forwarding details of (again,
non-representative) conversations I've had or been party to with various
lawyers on this topic. Notably: the consensus opinion is that determining that a
potential IP range is specific to the EU is not the same as geolocating them, as
that location information is not specific enough to determine who the person is,
and partly as a result of a lack of this capability and others, IP addresses
cannot alone be determined to be personal data.

Related: [https://www.whitecase.com/publications/alert/court-confirms-...](https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases)

> The CJEU decided that a dynamic IP address will be personal data in the
> hands of a website operator if:

> 1\. there is another party (such as an ISP) that can link the dynamic IP
> address to the identity of an individual; and

> 2\. the website operator has a "legal means" of obtaining access to the
> information held by the ISP in order to identify the individual.

> On the facts, if the BRD has the legal power to compel the relevant ISP to
> disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP
> address will be personal data in the hands of the BRD.

By precedent (unless I'm missing more recent case law), for the vast majority
of entities possessing IP addresses e.g. through request logs, an IP address
is not "personal data," and determining the continental whereabouts of an IP
would therefore not be considered "profiling."

I'm not a lawyer; I'm only relaying what's come up in conversation between
attorneys covering the topic. I'm open to seeing the position I'm relaying
above proven wrong.

------
zerostar07
Someone on reddit noted that this may be true for one more reason: the law
does not allow automatic profiling of the user (Article 22)

> The data subject shall have the right not to be subject to a decision based
> solely on automated processing, including profiling, which produces legal
> effects concerning him or her or similarly significantly affects him or her.

~~~
eganist
"Article 4 (4): ‘profiling’ means any form of automated processing of
_personal data_ "

CJEU case law has determined that IP addresses are not considered "personal
data" except in certain cases
([https://www.whitecase.com/publications/alert/court-confirms-...](https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases))

> The CJEU decided that a dynamic IP address will be personal data in the
> hands of a website operator if:

> 1\. there is another party (such as an ISP) that can link the dynamic IP
> address to the identity of an individual; and

> 2\. the website operator has a "legal means" of obtaining access to the
> information held by the ISP in order to identify the individual.

> On the facts, if the BRD has the legal power to compel the relevant ISP to
> disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP
> address will be personal data in the hands of the BRD.

The vast majority of entities do not meet the requirements for #2. Therefore,
automatic profiling rules could not apply since the automatic analysis being
performed is not against personal data.

~~~
zerostar07
I hope that IPs will stop being considered PII for the same reason. It's much
easier to anonymize them at the ISP level rather than doing all these
acrobatics.

------
JumpCrisscross
There is a lot of discussion about GDPR from an American perspective. I'm
curious about the Chinese one. Does the EU really expect Baidu, WeChat and
Tencent to comply with these rules? Or is this just a roundabout way of
extracting bureaucratic benefits from American technology companies?

~~~
eivindga
Yes, of course. If they do business in the EU, they will need to comply.

If they don't do business in the EU, then they don't have to follow EU rules.

~~~
JumpCrisscross
If Facebook certifies deletion of certain data, and somebody doesn't believe
them, they can sue in an American court. If WeChat certifies deletion of
certain data, and somebody doesn't believe them, they're SOL.

------
IshKebab
This is a clear mis-reading of the law. Look at the examples that you can't
use profiling (including geo-IP) for:

> which produces legal effects concerning him or her or similarly
> significantly affects him or her, such as automatic refusal of an online
> credit application or e-recruiting practices without any human intervention.

Blocking someone from reading a news website is clearly not a decision along
these lines. Obviously this would need to be tested in court, but I would bet
on it being allowed.

Also, the GDPR only applies _at all_ if the business operates in the EU. If
they clearly don't (e.g. by blocking European visitors) then the GDPR does not
apply and you obviously can't use text in the GDPR itself to prove that you
can't do that.

This article is nonsense.

------
MaikuMori
I'm a traveler; just because I'm not coming from an EU IP address range doesn't
mean I'm not an EU citizen with rights established by the EU.

~~~
Silhouette
The GDPR's scope is based on geography, not citizenship. If you're an EU
citizen currently in the US, you do not necessarily enjoy whatever rights and
protections the GDPR might offer you if you were within the EU. If you're a US
citizen currently in the EU, you do enjoy those protections.

~~~
MaikuMori
Hmm, that's interesting, I was convinced it's based on citizenship.

~~~
Silhouette
It's a common misconception, and has been widely reported even in the
mainstream media. FYI it's Article 3 of the GDPR that specifies the
territorial scope authoritatively.

Fun fact: The word "citizen" doesn't actually appear in the GDPR at all.

------
johnchristopher
Except the purpose of that block is clearly defined and it doesn't need to
_store_ personal/private data to work.
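To make the point above concrete, here is a minimal geo-block filter in the shape a practitioner would deploy: it decides per request from the client's address, keeps only aggregate counts of decisions per country code, and never retains, logs or hashes the address itself. This is an added example and not code from the original post or the linked article; the CIDR-to-country table is constructed from IETF documentation prefixes with arbitrary labels (real deployments would load a geolocation database), the `fail_closed` policy for unresolvable addresses is a design choice, and the EU member list is the 28 states at the time of the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample table mapping address blocks to ISO country codes.
# These are IETF documentation/test prefixes labelled arbitrarily for the
# example; they are NOT real registry allocations. A deployment would load
# its ranges from a geolocation database instead (assumption).
SAMPLE_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),   # TEST-NET-3, labelled DE
    (ipaddress.ip_network("198.51.100.0/24"), "US"),  # TEST-NET-2, labelled US
    (ipaddress.ip_network("2001:db8::/32"), "FR"),    # documentation prefix, labelled FR
]

# The 28 EU member states at the time of the thread (ISO 3166-1 alpha-2).
# Whether to add the EEA states is a deployment decision, not made here.
EU_MEMBERS = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
    "PL PT RO SK SI ES SE GB".split()
)


def lookup_country(ip_text, ranges=SAMPLE_RANGES):
    """Return the country code for an address, or None if the string is
    malformed or the address falls outside every known range.
    The address is used for the lookup only and is not stored anywhere."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, country in ranges:
        if addr.version == net.version and addr in net:
            return country
    return None


class GeoBlocker:
    """Per-request allow/block decision keyed on country.

    Only aggregate counters of (verdict, country) are kept, so there is no
    per-person record to fall under the data-storage discussion above.
    Feed it the TCP peer address (REMOTE_ADDR), not an X-Forwarded-For
    header, unless that header is set by a proxy you control.
    """

    def __init__(self, blocked_countries, ranges=SAMPLE_RANGES, fail_closed=True):
        self.blocked = frozenset(blocked_countries)
        self.ranges = ranges
        self.fail_closed = fail_closed  # unresolvable address -> block (design choice)
        self.decisions = Counter()      # e.g. {("block", "DE"): 3}; never holds addresses

    def decide(self, ip_text):
        """Return ("allow" | "block", country_or_None) for one request."""
        country = lookup_country(ip_text, self.ranges)
        if country is None:
            verdict = "block" if self.fail_closed else "allow"
        else:
            verdict = "block" if country in self.blocked else "allow"
        self.decisions[(verdict, country)] += 1
        return verdict, country

    def http_status(self, ip_text):
        """Map the decision to a response code. 451 is the IETF status for
        content withheld for legal reasons (RFC 7725)."""
        verdict, _ = self.decide(ip_text)
        return 451 if verdict == "block" else 200


if __name__ == "__main__":
    blocker = GeoBlocker(EU_MEMBERS)
    for sample in ["203.0.113.7", "198.51.100.9", "2001:db8::1", "192.0.2.1", "junk"]:
        print(sample, "->", blocker.http_status(sample))
    print("aggregate decisions:", dict(blocker.decisions))
```

The point of `decisions` being keyed only on `(verdict, country)` is that the filter's entire persistent state is a handful of integers: nothing in it could be linked back to a visitor even by a party that could resolve addresses to people. Whether that is enough to take a site outside the regulation is the legal question the thread is arguing about; the code only shows that the mechanism itself need not retain anything about the individual.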

------
rdl
I predict secretive offshore entities which exploit activities banned under
GDPR which have sufficient economic value. Entities which are essentially
judgment proof in EU. Maybe directly affiliated with a foreign government.

Being able to do certain kinds of background checks or financial risk
calculations is the first use case which comes to mind.

------
wildguyd
Ignore the gettingemaildelivered blog... one certainly can take active measures
to exclude EU visitors as a way of avoiding the scope of GDPR. Get real legal
advice if curious rather than relying on a blog.

~~~
wildguyd
rest assured you would not see major newspapers doing exactly that without
them having checked the legality. The analysis in the blog is wrong because
the first question to be asked is "is the business within the scope of the
GDPR", and _if you are a business in scope_, then you can't process personal
data or track/monitor EU residents. However, you are not a business in scope
of GDPR if you don't have a business presence in the EU and don't hold out
your services to EU residents. Blocking that region demonstrates clear intent
_not_ to offer services to EU residents and thus puts your business out of
GDPR scope.

------
verdverm
What happens when an EU citizen travels to the US and accesses a website?

~~~
labster
U.S. law applies, just like normal, unless the website is located in the EU.
The EU claiming jurisdiction over transactions entirely in another country
would be a major breach of sovereignty, which is why the law uses the phrase
"data subjects in the Union".

Note that EU law does apply for visitors, so look forward to data tourism!

------
majewsky
Is it intentional that the site is blank for me (in the EU), or is their JS
just crap?

~~~
StreamBright
I guess the site got hackernewsd (old lingo is slashdotted).

------
marcoperaza
You can’t force people to operate in your country. The EU does not have
sovereignty over the whole world. This is nonsense and is certainly not what
is contemplated by the law.

Making it undesirable for some businesses to operate in your country is part
of the cost-benefit analysis you have to do when passing laws.

~~~
Bizarro
The EU is overplaying its hand by claiming global sovereignty. If the EU
really wants to play hard ball, the rest of the world can impose sanctions
against the EU and bureaucrats who try to enforce illegal laws

~~~
mbroncano
Nobody is claiming global anything, the rest of the world is not the US, and
illegal law is an oxymoron.

~~~
petraeus
The supreme court and the constitution would beg to differ.

