What, are we going to ban links that are blocked by the Great Firewall of China because the 1.3 billion mainland Chinese can't view it (a group about 2x the population of Europe)? Region-blocked content due to legal reasons is extremely common and it long predates GDPR. Plenty of YouTube videos are region blocked due to copyright differences.
There's no region blocking being forced on this poor site by anybody. The site is choosing this absurd behavior itself.
And that's fine and all. But unless HN aims to be local-interest only, pretty please don't bother me with junk like this. At least redirect me to some nice Rick Astley, so I can appreciate the sad joke.
> There's no region blocking being forced on this poor site by anybody. The site is choosing this absurd behavior itself.
Well, it's "choosing this absurd behavior itself" insofar as risking tens of millions of dollars in fines for violating murky and ambiguous rules that can be interpreted differently in any of the 28 member states counts as "choosing the behavior itself". And companies blocked by the great firewall can simply choose to comply with whatever the CCP tells them to do, too. So in a sense they're choosing to be blocked as well.
> And that's fine and all. But unless HN aims to be local-interest only, pretty please don't bother me with junk like this. At least redirect me to some nice Rick Astley, so I can appreciate the sad joke.
The EU makes up 7% of the global population. The fact that EU residents can't access the content hardly makes it "local-interest".
> Well, it's "choosing this absurd behavior itself" insofar as risking tens of millions of dollars in fines for violating murky and ambiguous rules that can be interpreted differently in any of the 28 member states counts as "choosing the behavior itself". And companies blocked by the great firewall can simply choose to comply with whatever the CCP tells them to do, too. So in a sense they're choosing to be blocked as well.
That's just nonsense. It could (shocking I know) (1) try not to save personally identifiable data for undefined periods of time; and (2) accept that it has no business presence in the EU and thus flout the law with no repercussions; or (3) use a modicum of common sense and notice that just because there exist maximum penalties for truly egregious behavior doesn't mean they're in any risk of those if they're non-malicious, especially given the not-exactly hard-to-find actually assessed penalties are nothing like what you're saying there for behavior that's much worse than anything I can imagine a local news station doing unless they really are Machiavellian; and (4) note that GDPR regulators have approximately a googolplex of more relevant cases, and are literally never ever going to be interested in them; and (5) not forget they're likely in some technical sense breaking untold laws in all kinds of jurisdictions even closer to home, and the sky isn't falling.
This is just FUD. And comparing the censorship by the great firewall with the truly onerous restriction not to cyber-stalk all of your users is a farce.
It takes a hell of a lot more than a "modicum of common sense" to comply with GDPR. If you really just think that saying "well I'm not going to save PII indefinitely" is enough, you're setting yourself up for a lawsuit.
Did you go through every layer of your stack and ensure that every tool and platform you use doesn't log or persist PII? Did you think of justifications for every use of PII? Did you consult with attorneys on these justifications, or are you just hoping that all 28 member states of the EU agree with your personal opinion? And don't forget you need to build a system to give people all the info you have on them at their request.
Points 3, 4, and 5 basically amount to, "well, as long as I have good intentions I'm sure the government won't sue me even if I do screw up and violate GDPR". You might be willing to risk your business on this assumption. But if that's the case then I sure wouldn't want my retirement funds invested in your company.
Put yourself in the shoes of a West Virginia local news station. What percentage of your revenue comes from EU users? Does it even remotely justify the cost to audit all of your tech and make it GDPR compliant - let alone run the risk that one of the 28 EU member states interprets GDPR differently than you do? Chances are, it doesn't. This is the natural consequence of regulation. People who don't have interest in complying with it leave the market.
I understand the worries; and the fact that it's a local interest site. Hence the appeal to HN to block such links, since HN is presumably not local-interest.
But while the massive media blitz on the GDPR makes it appear terrifying, it doesn't magically grant jurisdiction over a local West Virginia site. The enforcement agency isn't likely to bother, because they have no means to enforce any sanction.
It's not even clear to me whether the GDPR even applies; article 3(1) says that "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Is a West Virginia site "established" in the EU? That's dubious enough that I doubt they need to worry - for now.
Yes, if a hostile foreign regulator wanted to fine them - they probably could find some pretext. But that's likely the case under any number of other laws too! But there's simply no motivation for a foreign regulator to do so; and numerous motivations for them not to. (A) they might fail, (B) there's not much to win, even if they do, (C) they do actually need evidence, and if the site at least attempted not to collect PII, then there is likely not to be any easily accessible evidence, so it's going to be a lot of work, (D) the politics are terrible, which regulators are far from immune from; (E) even if they "win" it's not clear they can collect.
The real risk here seems overstated - as in, does anybody think there is ever going to be a single case like this resulting in a fine? Literally ever?
Note furthermore that their IP filter is likely insufficient anyhow. IP filters are never reliable for all kinds of reasons, e.g. VPNs, out-of-date filtering rules, etc., and the law applies to natural persons in the EU regardless of where you think they are. And it's not entirely clear to me that it doesn't apply to EU persons that happen to be on vacation (even if it does not, it almost certainly does the moment the vacation is over and the site has not wiped the PII - it's not like that magically disappears).
The only tricky bit in avoiding PII (for news sites!) is going to be embeds (i.e. ads). But this affects the adtech firms much more than them; most of them need to have some solution (e.g. a contextual ad mode). Some local news site almost certainly doesn't need to solve this; they likely only need to check the right box for the adtech firm to do so; which is probably not a lot harder than the solution they've chosen now.
Finally: none of this is happening in a vacuum, nor overnight. The few cases so far have been either pretty egregious, limited to largely symbolic fines, or both. And that's just natural (given the way the GDPR was set up): the worst excesses are the most likely to be addressed first (don't forget that the GDPR is not enforceable by an individual no matter how egregious the violation, all they can do is refer a site, which serves as a filter).
All in all: this sounds like an overreaction. Maybe it's a cultural thing too; lawsuits with huge punitive fines are much more common in the US, so the habit of avoiding liability is perhaps more deeply ingrained. But again, the risk seems trivial. And you know, if you don't care about overseas readers, would it kill you to be so polite as to say so? It currently says only: "Our European visitors are important to us. This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws." That's just a lie, likely both parts of it.
But back to my original request: even if the site has zero costs from doing this, and it really wants to avoid accidental mistakes: that doesn't make them any less spam in the HN feed, which was my initial point: HN is less valuable to EU residents if it contains spam like this.
> But while the massive media blitz on the GDPR makes it appear terrifying, it doesn't magically grant jurisdiction over a local West Virginia site. The enforcement agency isn't likely to bother, because they have no means to enforce any sanction.
Yeah, they do. The EU issues them a fine, and they don't pay. Okay, nothing happens to them. But now any of the executives or board members or anyone else who can be held liable for their failure to pay the fine can never visit an EU country without fear of being held accountable for their failure to pay that fine.
> Is a West Virginia site "established" in the EU? That's dubious enough that I doubt they need to worry - for now.
This is false. GDPR applies to any company that collects data on customers in the US. If you run a site, and an EU user connects to it then GDPR mandates that you follow the GDPR rules for that EU user. [1] This is pretty screwed when you really think about it. Can Saudi Arabia outlaw Facebook from letting Saudi women post profiles without Burkas? Can they outlaw Facebook from allowing Saudi users from blaspheming Islam? Granted in practice, US companies are probably just going to tell the Saudis to eat shit. But that introduces the other gnarly question: which countries or pan-national organizations do have the right to govern beyond their borders (and, crucially, why do they get to do this and not others)?
> All in all: this sounds like an overreaction. Maybe it's a cultural thing too; lawsuits with huge punitive fines are much more common in the US, so the habit of avoiding liability is perhaps more deeply ingrained. But again, the risk seems trivial. And you know, if you don't care about overseas readers, would it kill you to be so polite as to say so? It currently says only: "Our European visitors are important to us. This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws." That's just a lie, likely both parts of it.
It's pretty clear that the EU wants tech companies, especially American ones, to bleed. Headline after headline in European articles from the Economist to The Guardian and others are calling for fines against American tech companies. You're right that showing a message, "This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws" is misleading. It should really read, "Your government has instituted vague and overly broad regulation on data collection which, coupled with a hostile attitude towards American tech companies, makes us unwilling to serve EU visitors".
> Yeah, they do. The EU issues them a fine, and they don't pay. Okay, nothing happens to them. But now any of the executives or board members or anyone else who can be held liable for their failure to pay the fine can never visit an EU country without fear of being held accountable for their failure to pay that fine.
If a particular long chain of events were to come to pass then it's theoretically possible a director might be issued a fine. But the sequence of events required is absurd and long; West Virginia is more likely to be exterminated by meteor strike than this. And even then: that's assuming the website and director are actively self-destructive, because even with this long chain of events you can't convince me there isn't some moment before then that they could intervene to avoid meaningful consequences. I don't think we will ever, in the history of GDPR enforcement, see a case like the one you're describing leading to a meaningful fine. Sure, that's just my guess, and IANAL, and cultural differences in litigation and all that, but hey.
>> Is a West Virginia site "established" in the EU? That's dubious enough that I doubt they need to worry - for now.
> This is false. GDPR applies to any company that collects data on customers in the US. If you run a site, and an EU user connects to it then GDPR mandates that you follow the GDPR rules for that EU user. [...]

I confirmed this for myself in the GDPR text. If you insist, I'll dig it up for you.
> It's pretty clear that the EU wants tech companies, especially American ones, to bleed. Headline after headline in European articles from the Economist to The Guardian and others are calling for fines against American tech companies.
I don't think you're wrong here, but I think you're misplacing the emphasis. And as an American I can understand it feels hostile. But the actual emphasis here is not on bleed, nor on American, but on tech-company.
There's a definite feeling here that tech companies are acting with impunity, that they feel like they can do whatever they want without serious repercussions and ask forgiveness later. So far, by the way, even with the GDPR, that is true, because it was affected by lobbying and thus the large tech companies are not quite as helpless as they at first appear; the fines (even in the GDPR) are actually quite low given what's at stake (i.e. to the extent that large specifically-tech firms are likely to be willing to take a few risks and skirt the law), and furthermore the law is quite vulnerable to regulatory capture precisely because only one DPA has jurisdiction - if the tech firms do their paperwork, then national interest means things get messy. Time will tell if they get away with it; I have no idea.
But the law isn't as crazy as you make it out. There is no personal mandate; so all you can do as an individual is refer it to the DPA, and that means that small and unclear cases are automatically going to be irrelevant - which is by design, because it means the goalposts will naturally shift as firms get their acts together. In short; nobody can sue you under the GDPR, fixing the most egregious cases is going to be fine for years. Yes - that's not a guarantee, so it's scary, and that too, is by design. If you don't need to have all that privacy sensitive stuff flying around, you shouldn't.
Don't forget that the damage isn't hypothetical here: all that PII obviously distorts democracy and enables identity theft. It's already happening on a massive scale; if anything the GDPR is years late and much too lenient.
But your focus on bleed and American is wrong. People want them to stop collecting PII. The GDPR isn't well suited to make companies bleed; it's too easy to avoid it; it's never going to amount to a significant tax. Nor is the focus on American - it just so happens the large tech firms are American. But people are more worried about Russia or China getting their hands on the American data on Europeans, than specifically Americans. Where activities were in the EU (e.g. Cambridge Analytica) it's not like the kid gloves are on.
Incidentally that's not to say people don't want a tax on tech firms; certainly France does. But that's a different issue and the only relation to the GDPR really is that the systematic tax-evasion techniques exacerbate the sense of impunity.
> You're right that showing a message, "This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws" is misleading. It should really read, "Your government has instituted vague and overly broad regulation on data collection which, coupled with a hostile attitude towards American tech companies, makes us unwilling to serve EU visitors".
That would be a much better message. Honestly! If that's their opinion I really respect that. I hope we can both agree that there are no easy answers on jurisdiction on the internet, and that the GDPR is at least understandable even if it's onerous to some, and certainly not an ideal solution.
I don't believe the current state of affairs - mass surveillance; extremely asymmetric power imbalance between collector and subjects; news filtered largely through tech-facilitated bubbles; democracy; an internet without any walls - is stable. Something is going to give. And I hope it's not democracy - but I'm not convinced.
Once something like this turns into a nationalist, patriotic issue, you can be absolutely sure that what's definitely going to die first is jurisdictional restraint and the wall-less internet. And that would be a shame.