157 comments

[ 3.3 ms ] story [ 215 ms ] thread
You spelled "avoidance" wrong...
I can't tell if this is a joke or not.

Don't pay "thousands" for GPDR compliance work which will improve your product by providing basic privacy and security features.

Instead pay up to $79 a month for a service to block a large percentage of your traffic.

I’m wondering the same, the submitter of the link is definitely having some fun with the title.
Not a joke :). The pricing is actually cheaper than "bare" geolocation APIs, which don't do the blocking-part. Have a look at https://ipstack.com/product for example.

If you get a quote from an experienced data protection lawyer for GDPR compliance, this will be an order of magnitude cheaper in the long run. There's a real risk of getting sued / getting cease and desist letters from predatory law firms who aim to collect fees for small mistakes in your privacy policy.

> There's a real risk of getting sued / getting cease and desist letters from predatory law firms who aim to collect fees for small mistakes in your privacy policy

No there isn't.

When the GPDR fines are 2% of revenue there isn't the incentive for lawyers to go after businesses earning less than a million a year in revenue.

or 10m euro, whichever is higher
You're mixing up the member states' enforcement (4% of worldwide turnover or €20 million, whichever is higher) and civil suits. There are law firms that send out thousands of cease and desist letters (which is a civil action) based on automated searches for mistakes. It absolutely makes economic sense for lawyers to pursue out-of-court settlements from businesses if it's mostly automated.
This is just nonsense. I don't see how the GDPR possibly allows civil actions for infractions, doubly so for countries outside the EU.
The privacy of EU persons coming in from a non-EU IP address still need to be protected under GDPR. This solution is a start but it's not bulletproof.

Edit: I don't want anyone to think I believe it's a good start but it is a kind of solution. I wonder if lots of US companies, once they begin to realize GDPR is a problem for them, won't decide to try one of two things:

1. This: block access from IP addresses believed to belong in Europe.

2. Lobby Congress for a law (or a quick Executive Order) saying that US companies don't have to comply with GDPR.

A few weeks ago on Twitter [1], I speculated about #2. It was too early, I guess. Few people in USA seem to be aware of GDPR at the present time. That'll change in a couple of weeks.

[1] https://twitter.com/CnAdoctor/status/978849723808301057

Yes. VPNs are definitely an issue.

The only foolproof solution is just to block all IP addresses.

(comment deleted)
When you make a reasonable effort to block access to EU users, EU citizens aren't covered under GDPR if they happen to access your site from a non-EU country temporarily:

"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."

(from https://community.spiceworks.com/topic/2007530-how-the-eu-ca... )

That is an interpretation of the law and is not in accord with what the ICO (the regulator) is saying. If you have a site called "UK Expats" and you block EU IPs you will still be liable since your site is offering a service to EU citizens. A less extreme use case but equally applicable, you have a shoe store in the US and your style is liked by french citizens living in the US, since a considerable amount of traffic is coming from EU citizens you are under GDPR. even if it is only 20%, even if they are in the US, even if you blocked all European IPs
Why doesnt EU instead implement a continent wide firewall and allow access to only GDPR compliant sites
This is GDPR noncompliance as a service...
You're right, not my title/submission. This is meant for companies that aren't primarily targeting EU users from a business perspective and don't want to deal with GDPR.
I'm currently an EU-ish Citizen, not residing in the EU. Will it block me?

Also will it block JS-blocking EU Citizens residing in the EU?

Let's not mention VPNs. Let's not mention Tor.

This feels like a "registry cleaner" for GDPR

o. xkcd: https://xkcd.com/1969/

> This feels like a "registry cleaner" for GDPR

Probably. It seems like a quick "let's make some money" scheme to milk the GDPR panic.

On my (and other's) current read, it only applies when you are resident in the EU. Specifically:

> It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

When you make a reasonable effort to block access to EU users, EU citizens aren't covered under GDPR if they happen to access your site from a non-EU country temporarily:

"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."

(from https://community.spiceworks.com/topic/2007530-how-the-eu-ca... )

Maybe I'm missing something - but as a US citizen, with a US company, how can EU laws be enforced against me?

What's the legal channel here? Do they plan on arresting me if I decide to vacation to an EU country? Will the US gov't comply with levying fines due to some treaty/agreement between the countries?

The most likely solution is the same way the US enforces US laws (e.g. Megaupload case) in other countries: Seizing their assets (through cooperation with banks) and then asking for extradition.
Frightening to think something as innoculus as making a website of chocolate chip recipes and logging visitor IPs could provoke that.
Tip: don’t log the IPs then.
Which is relatively easy when you’ve written the software stack powering the recipe site, or can at least grok its source (if available). It may not A) be clear to the operator of a recipe site that their stack is logging IPs and B) be reasonably straightforward for the owner of a recipe site to stop their software from doing so.

Some things are very deliberate, but others are the consequence of decisions far removed from those of site operators.

I spin up a Wordpress site with default options to host my chocolate chip recipes. Is it GDPR compliant?

I go through and toggle all the settings the internet tells me to, even though I don't know their meaning or effect. Am I GDPR compliant?

I install a Wordpress plugin that sets up a Really Simple Chocolate Chip Syndication server, or RSCCS. That plugin logs IPs. If I was GDPR compliant previously, now I'm not, and how would I ever know?

If you don't know what you're doing, don't involve others.
Since I don't quite get the point you're making here, I think I should specify that I was playing the role of someone who wants to start up a website on the side but isn't an expert on computers, networking, software development, or international privacy law.

I know plenty of people with a get rich quick scheme to sell widgets, but who don't know the difference between WordPress and Microsoft Word.

Expecting them to know that starting a website with a plug and play webserver could collect sensitive information on their behalf is pushing it a bit. Expecting them to know they have to comply with a law passed by a governing body they've never come within 1k miles of...

> I was playing the role of someone who wants to start up a website on the side but isn't an expert on computers, networking, software development, or international privacy law.

If you're not an expert, you have to get one. Same reason why you cannot just go and plan a non-trivial building by yourself when you're not a architect or civil engineer.

While I agree, if you're an American setting up a plug-and-play site with chocolate chip cookie recipes, that happens to collect data out of the box, where along the process are you going to realize that you even need to know anything about EU regulations?

I've never hired a Wumbologist because I don't know what Wumbology is or where it applies.

> > I was playing the role of someone who wants to start up a website on the side but isn't an expert on computers, networking, software development, or international privacy law. > If you're not an expert, you have to get one. Same reason why you cannot just go and plan a non-trivial building by yourself when you're not a architect or civil engineer.

This attitude is really sad to me. It was and is one of the greatest things about the internet, that pretty much anyone anywhere could publish something. If you now need an "expert" to do that, we've lost something.

Unfortunately, copy/pasting a formatted comment on HN doesn't have enough newlines to quote the post properly.

Anywhere you want one newline in your output, you have to use two.

Your chocolate chip recipe website will have to be compliant to a number of laws, GDPR isn't the only law in the internet.
It wouldn't, that's just pure FUD.
That's a very unlikely "solution" and is not going to happen unless the EU wants retribution in some form from the rest of the world.
As mentioned, this is the retribution. The US has been enforcing their laws on the rest of the world with equally radical methods for many years already.
I always found this interesting because surely no matter what effort you go through to prevent yourself from providing your service to EU citizens, you're probably going to collect enough information to be subjected to GDPR during the period where you did not remotely know a set of users were EU citizens. (e.g., those residing overseas, traveling, etc)

And then -- what if you finally have confirmation? You were attempting to avoid it, but now you cannot. If your attempt is to avoid it at all costs, you're effectively required to validate whether users are EU citizens much earlier in the process than before GDPR, which means GDPR already has had a big impact despite efforts to avoid its umbrella.

At the moment there is no way the EU can enforce you to comply with that law, unless you have a subsidiary in the EU. Only if USA sign a special agreement with the EU this may change, but I don't think this will ever happen (very unlikely). Otherwise every country on planet can create their own draconian laws and expect that every single company in the world comply with it...
this is true, but kinda pointless, you are not gonna fight the EU over this... Several countries in the EU (UK, Ireland, ...) can assign personal liability for intentionally ignoring privacy law, in which case someone in your company is basically going to end up a wanted man in Europe
> Several countries in the EU (UK, Ireland, ...)

UK is not part of the EU.

> assign personal liability

Citation needed? If CEO decides to ignore privacy law, everyone else is accountable?

well technically you're kind of operating on 2 continents,mainly because you're storing data about an EU citizen on your servers located in US. Since the data is originating from an EU citizen,i assume the GDPR is making sure you at least inform the user of the data collection. Also consider that GDPR is kind of a TOS for connecting with an EU citizen,some sort of a "copyright" system.

As an EU citizen, "cheap" wourkarounds like these ones will definitely not solve the problem, might actually make it worse.It's like an anti-adblocker, it won't work on the long run,people who are tech literate enough will just start using a VPN

International enforcement is a can of worms.

However, a lot of it is covered by:

1- US companies with a physical presence in the EU. They can fine that entity directly.

2- US companies will find they can't sell to EU businesses (B2B), as that means the EU company is carrying the can in terms of non-compliance.

3- The EU Member State could go via the International Courts. Or via some kind of bilateral agreement (e.g. Privacy Shield).

I expect #3 will need to egregious to really make sense.

However, I also expect a significant amount is already hovered up by #1 or #2. Certainly many of the cases that GDPR wants to target.

Additionally, the EU may cut deals with other states to bring in enforcement powers (fines).

Seems this is targeted mainly to the likes of uber, google.. small time websites who do not have much volume aren’t the target audience.
(comment deleted)
Despite the propaganda flying around HN for known political purposes, they can't and won't arrest you because there is no jurisdiction unless you have operations in the EU.
Anyone can expand on what "vindictive reporting from no-win-no-fee legal firms" would exactly consist of?
Law firms who proactively investigate infringing companies, then sell their service to citizens willing to sue. As an incentive for the potential customer, they agree to only charge if they win.
That's not how GDPR is enforced.

It's enforced by a regulator. The fines are fines, not compensation, and the fines go to the regulator.

There's no route for a private citizen to hire a lawyer and sue.

If an EU citizen believes that their personally identifiable information was obtained without their consent, the EU GDPR allows firms to do an audit on the company. The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm, meaning, if they don't win (with infractions being $10 million minimum), the citizen, who is now a client of the firm, would not be out any money. If they do win, most likely the firm would make a windfall after carving out their share of the proceeds.
Wait! I was under the impression that fines due to GDPR are just that, fines. They are paid to the government, not individuals. At most, getting fined due to non-compliance can suggest that if individuals bring civil lawsuits against the company, they may win and be awarded damages, the amount of which depends on how much damages they can prove they have incurred as a result of misuse of their data, not statutory amounts. Is that not the case? Is the fine actually paid to the individuals?

Or are your suggesting that some patriotic legal firms would do all the legwork for free so that the government treasury would get a boost?

Cease and desist letters from predatory law firms are a very real thing, even in Europe. In Germany, entire law firms have been established for the sole purpose of collecting out-of-court settlement fees for small mistakes in websites' legal notices, which they find using automated searches: http://transblawg.eu/2003/10/13/u-s-comment-on-impressumgerm...

GDPR will give them new ammunition on a European scale.

Your link is from 15 years ago.
(comment deleted)
Yes, your understanding is completely correct. Only EU member states can levy fines under the GDPR, and it's likely few will have any interest in trying to fine small businesses. Lawsuits are possible, but only for damages, and good luck showing any damages from a minor technical violation by a small SaaS tool. And without any prospect of large damages from a deep-pocketed defendant, good luck finding a law firm willing to work on contingency.

The whole thing is FUD, although mad props to the people behind the linked service for making a play at profiting from it.

I don't have a lot of actual information on this, but the buzz in my privacy professional listservs is that EU courts have been VERY expansive about what constitutes "damage" in related legal spheres, and that those of us coming from a US legal background should not rely on our instincts about what kinds of damage could actually create a cause of action worth suing over.
No. EU courts tend to define damage conservatively, and people suing for damage normally have to demonstrate actual financial losses.

But it's irrelevant here, because the law isn't based on damages.

No, some firm will ask you to pay $100,000 as private settlement because you make a mistake, or else they'll will have to seek remedy by filing a complaint on the EU courts, potentially costing you around 10M
But unlike copyright trolls, the law firm in question can't guarantee that paying the protection money will actually protect you from being reported, so there isn't the same incentive to pay. A protection racket only works if the mafia monopolizes the threat, otherwise any random thug could destroy their business.
> with infractions being $10 million minimum

Stop talking nonsense. It is up to $10 million or 2% of revenue.

https://www.gdpreu.org/compliance/fines-and-penalties/

And so for most websites the fine would be significantly smaller than what lawyers typically earn to litigate.

Hence your entire "no win no fee" premise falls completely apart.

Both amounts are lower bounds. "No win no fee" falls apart because the lawyers don't get a fee for a fine collected by the government, not because the fine is too small.
> with infractions being $10 million minimum)

FFS, this is a maximum, not minimum.

Fines are up to $10 million or 2%, but it can go up to $20 million or 4% of annual global revenue, whichever is higher. That percent, whichever is higher is the key. Facebook's 2017 revenue was ~40.7 Billion. Four percent of that amount isis ~1.6 billion
You said 2 things:

> if they don't win (with infractions being $10 million minimum

But all of the numbers you give are the maximum possible fines. The actual fines imposed by the regulators will always bee smaller than that.

You also said:

> The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm,

That's not how the fines work. They're fines, paid to the regulator. They're not compensation paid to the victim. There's no payout for no-win-no-fee solicitors, and so they're not going to get involved.

Thought this was a joke SaaS offering, but inputting google.com as the domain and a burner card, it's real [0].

[0] https://judge.sh/3Bc2E0GR.png

-
JavaScript doesn't break if you don't supply all arguments in a function call.
(comment deleted)
'a' and 'm' are assigned to in the body of the function. Having them as arguments that aren't provided (and thus initially set to undefined) just ensures that they can be assigned to without 'var', saving a character or two.
I can't tell if this is a fake service or not, but blocking users from EU IP address ranges (which I'm assuming how it works) will still not stop the EU from following a trail of data that could originate from your organization.

That's the biggest thing from the EU's GDPR rules - what is your organization's data inventory, how does it map outside of your organization, and how are you securing PII?

If a complaint is made from someone who is an EU citizen, and another organization shows logs that they got this information from your web app or service, that will trigger an audit from the EU. Blocking access to a subset of IP ranges will do absolutely nothing to stop this, and will not stop the sharks once they have smelled blood.

In a sense, the EU has plain rules that you can protect against, unlike the FTC/FDA (for HIPPA etc) who are vague and will not disclose how you can protect your own organization.

This appears to be Javscript based... Assuming then that it works on the client side, I wonder how long it will take for someone to release a browser plugin to bypass it.
That's of course possible, but shouldn't matter: When you make a reasonable effort to block access to EU users, EU citizens aren't covered under GDPR if they take active measures (through a browser plugin, for example) to circumvent the ban: "This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."

(from https://community.spiceworks.com/topic/2007530-how-the-eu-ca... )

(comment deleted)
Brilliant idea from a business standpoint, but rather a blunt tool.
Also to note, if your website and your company structure/gross income is below a certain monetary value, you can just tell the EU to f$%K off - - they cannot squeeeze blood out of a turnip, do you think they will go to the trouble to have a warrant prepared for you through Interpol ?
> Simply paste our JavaScript snippet into your website's code. We'll check every visitor of your site and will block access to users located within the EU.

See, the problem here is that you actually have to send an HTTP request to the site that's trying to block you, then you load it along with their JavaScript which then blocks you, but at that point the initial request(s) has already been logged and now they have to comply with the GDPR.

I refuse to believe this is not a joke.

Not a joke :). GDPR Shield as a product is GDPR compliant. Customers sign a data processor agreement with the service. It anonymizes IP addresses, they aren't transferred to any other third-party provider and aren't stored.
But like I mentioned on Indie Hackers, your customers still have their own logs that need to be GDPR-compliant, which defeats the whole purpose. The page that requests your JS still has to be sent by a server, which will likely log the EU citizen’s IP. And then there’s the case where the EU citizen is using a VPN server in the US...
Maybe, but it's clear that your company doesn't specifically target its services at individuals in the EU. Your company is actually using active measure to not do that.
sure but just handling ip addresses in your access logs is a whole lot easier than changing your entire site to comply with GDPR. major reduction in surface area
(comment deleted)
But if your JavaScript is inserted into your customers site, then the initial request that loads their site the first time + your script will be logged on their servers just like any other HTTP request.
And if your site loads their Javascript to block anyone from the EU from visiting, then it's clear that you're not targeting customers in the EU.
You're still gathering the data on every request. And since all requests go to the site anyway (to load the JS) you might as well just put a text saying, "nothing to see here for EU citizens"—that'd be a lot cheaper than buying this silly service and it would send the same signal.

This service isn't blocking requests to your site, it's just showing the visitors different content after the fact.

(comment deleted)
Niko, your implementation may not be right like others have mentioned (in that it triggers GDPR on your customers), but I fully support this methodology.

If it helps, I use AppEngine for my App which already provides geolocation information in the IP and my app blocks it the moment it receives the request. Users will only see a re-direction to a notice relating to GDPR and what they'll need to do if they still want to access the site.

Thanks! You're right, there are many ways to achieve this goal, I just wanted to provide a drop-in solution that's independent of the infrastructure.
You might as well be selling an image saying "EU customers go away!" With regards to GDPR compliance it's just as good in that, at best, you're showing intent not to serve EU customers (yet you still don't actually block requests, you just serve them different content and log all the same data).
Or an image saying "We don't care about keeping your personal data safe".
(comment deleted)
Check the terms and conditions. Their commitment to paying a portion of your legal fees if you’re sued is proof enough of their confidence.
Nope, I'm sorry but their terms and conditions are aweful, and do not protect you at all.
Perhaps I needed to indicate sarcasm more explicitly.
> at that point the initial request(s) has already been logged and now they have to comply with the GDPR.

Are you referring to the IP address, which is personal data?

I have this eerie suspicion that GDPR cases will be a haven for trollish and/or opportunist behavior. Instead of huge corporations having to shell out significant money to swallow up start-up competitors, they could much more cheaply pay EU citizens to exploit the huge burden of the law on small companies or even solo endeavors. I hope I can be convinced to be optimistic.
Yes, government regulation is unquestionably more of a burden to companies without legal teams. If you’re smaller it’s an eternal calculus of flying under the radar and trying not to be the bug that gets the windscreen.
> I hope I can be convinced to be optimistic.

I'm kinda hoping my pessimism becomes justified. At that point, I can then only hope that an epiphany is reached and other approaches used without resorting to large sweeping legislation (which, among many other things could include more timid and actually enforced legislation at first). However, regardless of which side of the Atlantic I look on, it seems legislators only double down when their desired effect is not achieved. They only know one direction.

(comment deleted)
I wonder if you can do something like this directly in Cloudflare.
you could use cloudflare IP geolocation to block EU countries based on the Cf-Ipcountry header they provide. Though just by checking their IP I think you may need to comply with gdpr
Is just checking IP with no other personal information a violation of GDPR? Particularly if that IP is not retained in a database (just temporarily in production logs)? Asking for a friend...
Not really sure as well but from https://www.gdpreu.org/the-regulation/key-concepts/personal-... personal data seems to include "online identifiers", further defines online identifiers as "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifier"
If you don't keep it around and only use it to block traffic then I don't see which parts of the GDPR would cause any problem.

IPs may be personal data but if you don't store it there is no problem.

The idea that simply having an EU visitor load your site can subject you to a $2M fine is a recurring bit of FUD.

Directly from the EU:

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

(https://ec.europa.eu/info/law/law-topic/data-protection/refo...)

If there's a complaint,

Do you have to provide proof that your site doesn't specifically target its services at individuals in the EU?

How a company "specifically targets its services at individuals in the EU" is not clearly defined within GDPR. Even if you just set your AdWords targeting to 'global', it might be enough to trigger this. GDPR Shield is a clear signal that you're not targeting EU users.
> How a company "specifically targets its services at individuals in the EU" is not clearly defined within GDPR.

Does that mean that (e.g.) German bloggers are not bound to the GDPR when they just add "made for the Swiss" to their header?

Well, if you're in the EU you have to obviously implement the regulation either way.
What personal data are German bloggers gathering?
IP addresses, e-mail addresses from those who comment...
IP addresses alone are not personal data. They're only personal data if they can be used to identify a natural person.

If someone is gathering and storing email addresses and ip addresses it seems reasonable to ask them to take industry standard measures to protect that data, and to let users know that the data is being collected.

However specifically putting measures in place to block EU users should be sufficient to show that you are not specifically targeting them.
That explanation is the first one I've seen that makes GDPR sound reasonable.

The main problem overall is that the EU appears to consider information about someone as being owned by that person. That is quite foreign from a US individual perspective and having some blogs. I don't see how the learning I have acquired about people places and things, which I acquired without any promise of confidentiality, can be owned by anyone but me. Are libraries and newspapers required to scrub their shelves and archives? And if not, what is the limiting principle?

There are other interests that get balanced against the individual's right to privacy, including public interests like newsworthiness.

But indeed that can go both ways - the website of a newspaper might be required upon request to remove a 20-year-old crime blotter item reporting a single petty theft conviction for an otherwise law-abiding non-celebrity; they wouldn't be required to do that for a 2-year-old murder conviction.

Overall I'm content with the GDPR as it is a long needed corrective action for the path we've been treading in the West as a whole.

One requirement, imho, is quite ridiculous, however. That is the need for entities which need to abide by the GDPR but do not have a presence in the EU to assign a representative in the EU.

This part definitely needs some relaxation. Just complying with the regulation ought to be enough as the first step, especially for start-ups.

Yes! That was the part of the regulation to me that felt like a shake down. I get the need to be more careful with user data. Make me hire a rep in the EU? Now you're just trying to drum up fees for your lawyers...
> Just complying with the regulation ought to be enough as the first step, especially for start-ups.

It is enough; most start-ups won't need a representative.

That requirement only applies to large-scale processing of special categories ( i.e. sensitive ) of data or that relating to criminal convictions and offences.

Article 27 applies: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...

It's basically to prevent big data processors from claiming 'we don't have an EU presence so you can't fine us'.

lol fqdn registered on 2018-04-24? gmafb
here:

Domain Name: GDPR-SHIELD.IO Registry Domain ID: D503300000096633167-LRMS Registrar WHOIS Server: Registrar URL: https://www.gandi.net/whois Updated Date: 2018-04-24T15:25:22Z Creation Date: 2018-04-24T15:25:19Z Registry Expiry Date: 2019-04-24T15:25:19Z Registrar Registration Expiration Date: Registrar: Gandi SAS Registrar IANA ID: 81 Registrar Abuse Contact Email: abuse@support.gandi.net Registrar Abuse Contact Phone: +33.170377661 Reseller: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Registrant Name: Nikolaus Fischer Registrant Organization: InnoWire UG (haftungsbeschrankt) Name Server: NS-86-B.GANDI.NET Name Server: NS-78-C.GANDI.NET Name Server: NS-61-A.GANDI.NET DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2018-05-04T01:38:30Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

×××@@@@xxx The value for the Created field will show domain age. No serious offering was erected 1 month before open season begins. lmao.

perhaps Nick is giving us a hint with his last name?
Closing the stable door after the horse has bolted as a service
(comment deleted)
From GDPR-shield's terms and conditions (https://gdpr-shield.io/terms):

1. GDPR Shield Service Overview

The Service provides a social media management tool that enables users to customize the link preview window of websites under their control on social platforms, in addition to other analytics tools to help bolster users' social media content.

...what? Is this a botched copy/paste job?

niko001 / Niklaus or whatever. This is extremely shady. You've copy pasted your whole terms and conditions from this page :

https://buffer.com/terms VS: https://gdpr-shield.io/terms - Saved here https://web.archive.org/web/20180504020320/https://gdpr-shie... for good measure

Which is illegal to begin with. You even forgot to replace the part that explains what the service does and left the part that says that gdpr shield "provides a social media management tool".

You're selling something that just basically does a geoip lookup, and then tries to block people from an entire continent, with pure JS, which can be easily avoided, by the way. I'm shooting buffer an email to let them know you're infringing on their legal material.

So you're saying that a service which targets businesses who are trying to avoid a piece of legislation that is shaping up to become a worldwide industry standard turns out to be shady and doesn't respect the law? Well I never.
Copying legal documents isn't illegal, and in fact many lawyers will just run a search & replace on an existing client's T&C to generate a new T&C. This is also how T&C generator websites work. It's actually recommended, as then you have standardized language that is all well-defined in the eyes of the courts.
You are going to have to do a better job of backing that claim up. It certainly seems to be an obvious breach of intellectual property law at the very least. Citing that some lawyers do this does not automatically make it legal.
My initial claim is perhaps a bit too strong. Case law is basically that the unique portions of a T&C or other contract are protected by copyright law, but boilerplate terms that have appeared in lots of different firms' documents are considered public domain.

http://pub.bna.com/ptcj/1051462Jan11.pdf

GDPR-shield's original T&C was actually copied from ShareKit, which is another product from the same company:

https://www.sharekit.io/terms

But going paragraph by paragraph down the terms, you get this list of companies, all with the same language:

https://www.google.com/search?q=%22Except+for+certain+kinds+...

https://www.google.com/search?q=%22You+must+be+at+least+%5B1...

https://www.google.com/search?q=%22To+access+most+features+o...

"God Damn Protection Racket"
(comment deleted)
Are European TOR users protected under GDPR? What about VPN users? Seems like IP-based services might be tricky.