Not a joke :). The pricing is actually cheaper than "bare" geolocation APIs, which don't do the blocking-part. Have a look at https://ipstack.com/product for example.
If you get a quote from an experienced data protection lawyer for GDPR compliance, this will be an order of magnitude cheaper in the long run. There's a real risk of getting sued / getting cease and desist letters from predatory law firms who aim to collect fees for small mistakes in your privacy policy.
> There's a real risk of getting sued / getting cease and desist letters from predatory law firms who aim to collect fees for small mistakes in your privacy policy
No there isn't.
When the GPDR fines are 2% of revenue there isn't the incentive for lawyers to go after businesses earning less than a million a year in revenue.
You're mixing up the member states' enforcement (4% of worldwide turnover or €20 million, whichever is higher) and civil suits. There are law firms that send out thousands of cease and desist letters (which is a civil action) based on automated searches for mistakes. It absolutely makes economic sense for lawyers to pursue out-of-court settlements from businesses if it's mostly automated.
The privacy of EU persons coming in from a non-EU IP address still need to be protected under GDPR. This solution is a start but it's not bulletproof.
Edit: I don't want anyone to think I believe it's a good start but it is a kind of solution. I wonder if lots of US companies, once they begin to realize GDPR is a problem for them, won't decide to try one of two things:
1. This: block access from IP addresses believed to belong in Europe.
2. Lobby Congress for a law (or a quick Executive Order) saying that US companies don't have to comply with GDPR.
A few weeks ago on Twitter [1], I speculated about #2. It was too early, I guess. Few people in USA seem to be aware of GDPR at the present time. That'll change in a couple of weeks.
When you make a reasonable effort to block access to EU users, EU citizens aren't covered under GDPR if they happen to access your site from a non-EU country temporarily:
"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
That is an interpretation of the law and is not in accord with what the ICO (the regulator) is saying. If you have a site called "UK Expats" and you block EU IPs you will still be liable since your site is offering a service to EU citizens.
A less extreme use case but equally applicable, you have a shoe store in the US and your style is liked by french citizens living in the US, since a considerable amount of traffic is coming from EU citizens you are under GDPR. even if it is only 20%, even if they are in the US, even if you blocked all European IPs
The easy way to deal with EU persons coming from non-EU IP addresses is to mention in your terms of service that EU users are prohibited from using your website. Then if they use a VPN or otherwise access your website, they will be in violation of the CFAA https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
You're right, not my title/submission. This is meant for companies that aren't primarily targeting EU users from a business perspective and don't want to deal with GDPR.
On my (and other's) current read, it only applies when you are resident in the EU. Specifically:
> It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
When you make a reasonable effort to block access to EU users, EU citizens aren't covered under GDPR if they happen to access your site from a non-EU country temporarily:
"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
Maybe I'm missing something - but as a US citizen, with a US company, how can EU laws be enforced against me?
What's the legal channel here? Do they plan on arresting me if I decide to vacation to an EU country? Will the US gov't comply with levying fines due to some treaty/agreement between the countries?
The most likely solution is the same way the US enforces US laws (e.g. Megaupload case) in other countries: Seizing their assets (through cooperation with banks) and then asking for extradition.
Which is relatively easy when you’ve written the software stack powering the recipe site, or can at least grok its source (if available). It may not A) be clear to the operator of a recipe site that their stack is logging IPs and B) be reasonably straightforward for the owner of a recipe site to stop their software from doing so.
Some things are very deliberate, but others are the consequence of decisions far removed from those of site operators.
I spin up a Wordpress site with default options to host my chocolate chip recipes. Is it GDPR compliant?
I go through and toggle all the settings the internet tells me to, even though I don't know their meaning or effect. Am I GDPR compliant?
I install a Wordpress plugin that sets up a Really Simple Chocolate Chip Syndication server, or RSCCS. That plugin logs IPs. If I was GDPR compliant previously, now I'm not, and how would I ever know?
Since I don't quite get the point you're making here, I think I should specify that I was playing the role of someone who wants to start up a website on the side but isn't an expert on computers, networking, software development, or international privacy law.
I know plenty of people with a get rich quick scheme to sell widgets, but who don't know the difference between WordPress and Microsoft Word.
Expecting them to know that starting a website with a plug and play webserver could collect sensitive information on their behalf is pushing it a bit. Expecting them to know they have to comply with a law passed by a governing body they've never come within 1k miles of...
> I was playing the role of someone who wants to start up a website on the side but isn't an expert on computers, networking, software development, or international privacy law.
If you're not an expert, you have to get one. Same reason why you cannot just go and plan a non-trivial building by yourself when you're not a architect or civil engineer.
While I agree, if you're an American setting up a plug-and-play site with chocolate chip cookie recipes, that happens to collect data out of the box, where along the process are you going to realize that you even need to know anything about EU regulations?
I've never hired a Wumbologist because I don't know what Wumbology is or where it applies.
> > I was playing the role of someone who wants to start up a website on the side but isn't an expert on computers, networking, software development, or international privacy law.
> If you're not an expert, you have to get one. Same reason why you cannot just go and plan a non-trivial building by yourself when you're not a architect or civil engineer.
This attitude is really sad to me. It was and is one of the greatest things about the internet, that pretty much anyone anywhere could publish something. If you now need an "expert" to do that, we've lost something.
As mentioned, this is the retribution. The US has been enforcing their laws on the rest of the world with equally radical methods for many years already.
I always found this interesting because surely no matter what effort you go through to prevent yourself from providing your service to EU citizens, you're probably going to collect enough information to be subjected to GDPR during the period where you did not remotely know a set of users were EU citizens. (e.g., those residing overseas, traveling, etc)
And then -- what if you finally have confirmation? You were attempting to avoid it, but now you cannot. If your attempt is to avoid it at all costs, you're effectively required to validate whether users are EU citizens much earlier in the process than before GDPR, which means GDPR already has had a big impact despite efforts to avoid its umbrella.
At the moment there is no way the EU can enforce you to comply with that law, unless you have a subsidiary in the EU. Only if USA sign a special agreement with the EU this may change, but I don't think this will ever happen (very unlikely). Otherwise every country on planet can create their own draconian laws and expect that every single company in the world comply with it...
this is true, but kinda pointless, you are not gonna fight the EU over this...
Several countries in the EU (UK, Ireland, ...) can assign personal liability for intentionally ignoring privacy law, in which case someone in your company is basically going to end up a wanted man in Europe
well technically you're kind of operating on 2 continents,mainly because you're storing data about an EU citizen on your servers located in US.
Since the data is originating from an EU citizen,i assume the GDPR is making sure you at least inform the user of the data collection.
Also consider that GDPR is kind of a TOS for connecting with an EU citizen,some sort of a "copyright" system.
As an EU citizen, "cheap" wourkarounds like these ones will definitely not solve the problem, might actually make it worse.It's like an anti-adblocker, it won't work on the long run,people who are tech literate enough will just start using a VPN
Despite the propaganda flying around HN for known political purposes, they can't and won't arrest you because there is no jurisdiction unless you have operations in the EU.
Law firms who proactively investigate infringing companies, then sell their service to citizens willing to sue. As an incentive for the potential customer, they agree to only charge if they win.
If an EU citizen believes that their personally identifiable information was obtained without their consent, the EU GDPR allows firms to do an audit on the company. The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm, meaning, if they don't win (with infractions being $10 million minimum), the citizen, who is now a client of the firm, would not be out any money. If they do win, most likely the firm would make a windfall after carving out their share of the proceeds.
Wait! I was under the impression that fines due to GDPR are just that, fines. They are paid to the government, not individuals. At most, getting fined due to non-compliance can suggest that if individuals bring civil lawsuits against the company, they may win and be awarded damages, the amount of which depends on how much damages they can prove they have incurred as a result of misuse of their data, not statutory amounts. Is that not the case? Is the fine actually paid to the individuals?
Or are your suggesting that some patriotic legal firms would do all the legwork for free so that the government treasury would get a boost?
Cease and desist letters from predatory law firms are a very real thing, even in Europe. In Germany, entire law firms have been established for the sole purpose of collecting out-of-court settlement fees for small mistakes in websites' legal notices, which they find using automated searches: http://transblawg.eu/2003/10/13/u-s-comment-on-impressumgerm...
GDPR will give them new ammunition on a European scale.
Yes, your understanding is completely correct. Only EU member states can levy fines under the GDPR, and it's likely few will have any interest in trying to fine small businesses. Lawsuits are possible, but only for damages, and good luck showing any damages from a minor technical violation by a small SaaS tool. And without any prospect of large damages from a deep-pocketed defendant, good luck finding a law firm willing to work on contingency.
The whole thing is FUD, although mad props to the people behind the linked service for making a play at profiting from it.
I don't have a lot of actual information on this, but the buzz in my privacy professional listservs is that EU courts have been VERY expansive about what constitutes "damage" in related legal spheres, and that those of us coming from a US legal background should not rely on our instincts about what kinds of damage could actually create a cause of action worth suing over.
No, some firm will ask you to pay $100,000 as private settlement because you make a mistake, or else they'll will have to seek remedy by filing a complaint on the EU courts, potentially costing you around 10M
But unlike copyright trolls, the law firm in question can't guarantee that paying the protection money will actually protect you from being reported, so there isn't the same incentive to pay. A protection racket only works if the mafia monopolizes the threat, otherwise any random thug could destroy their business.
Both amounts are lower bounds. "No win no fee" falls apart because the lawyers don't get a fee for a fine collected by the government, not because the fine is too small.
Fines are up to $10 million or 2%, but it can go up to $20 million or 4% of annual global revenue, whichever is higher. That percent, whichever is higher is the key. Facebook's 2017 revenue was ~40.7 Billion. Four percent of that amount isis ~1.6 billion
> if they don't win (with infractions being $10 million minimum
But all of the numbers you give are the maximum possible fines. The actual fines imposed by the regulators will always bee smaller than that.
You also said:
> The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm,
That's not how the fines work. They're fines, paid to the regulator. They're not compensation paid to the victim. There's no payout for no-win-no-fee solicitors, and so they're not going to get involved.
'a' and 'm' are assigned to in the body of the function. Having them as arguments that aren't provided (and thus initially set to undefined) just ensures that they can be assigned to without 'var', saving a character or two.
I can't tell if this is a fake service or not, but blocking users from EU IP address ranges (which I'm assuming how it works) will still not stop the EU from following a trail of data that could originate from your organization.
That's the biggest thing from the EU's GDPR rules - what is your organization's data inventory, how does it map outside of your organization, and how are you securing PII?
If a complaint is made from someone who is an EU citizen, and another organization shows logs that they got this information from your web app or service, that will trigger an audit from the EU. Blocking access to a subset of IP ranges will do absolutely nothing to stop this, and will not stop the sharks once they have smelled blood.
In a sense, the EU has plain rules that you can protect against, unlike the FTC/FDA (for HIPPA etc) who are vague and will not disclose how you can protect your own organization.
This appears to be Javscript based... Assuming then that it works on the client side, I wonder how long it will take for someone to release a browser plugin to bypass it.
That's of course possible, but shouldn't matter: When you make a reasonable effort to block access to EU users, EU citizens aren't covered under GDPR if they take active measures (through a browser plugin, for example) to circumvent the ban:
"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
Also to note, if your website and your company structure/gross income is below a certain monetary value, you can just tell the EU to f$%K off - - they cannot squeeeze blood out of a turnip, do you think they will go to the trouble to have a warrant prepared for you through Interpol ?
> Simply paste our JavaScript snippet into your website's code. We'll check every visitor of your site and will block access to users located within the EU.
See, the problem here is that you actually have to send an HTTP request to the site that's trying to block you, then you load it along with their JavaScript which then blocks you, but at that point the initial request(s) has already been logged and now they have to comply with the GDPR.
Not a joke :). GDPR Shield as a product is GDPR compliant. Customers sign a data processor agreement with the service. It anonymizes IP addresses, they aren't transferred to any other third-party provider and aren't stored.
But like I mentioned on Indie Hackers, your customers still have their own logs that need to be GDPR-compliant, which defeats the whole purpose. The page that requests your JS still has to be sent by a server, which will likely log the EU citizen’s IP. And then there’s the case where the EU citizen is using a VPN server in the US...
Maybe, but it's clear that your company doesn't specifically target its services at individuals in the EU. Your company is actually using active measure to not do that.
sure but just handling ip addresses in your access logs is a whole lot easier than changing your entire site to comply with GDPR. major reduction in surface area
But if your JavaScript is inserted into your customers site, then the initial request that loads their site the first time + your script will be logged on their servers just like any other HTTP request.
You're still gathering the data on every request. And since all requests go to the site anyway (to load the JS) you might as well just put a text saying, "nothing to see here for EU citizens"—that'd be a lot cheaper than buying this silly service and it would send the same signal.
This service isn't blocking requests to your site, it's just showing the visitors different content after the fact.
Niko, your implementation may not be right like others have mentioned (in that it triggers GDPR on your customers), but I fully support this methodology.
If it helps, I use AppEngine for my App which already provides geolocation information in the IP and my app blocks it the moment it receives the request. Users will only see a re-direction to a notice relating to GDPR and what they'll need to do if they still want to access the site.
You might as well be selling an image saying "EU customers go away!" With regards to GDPR compliance it's just as good in that, at best, you're showing intent not to serve EU customers (yet you still don't actually block requests, you just serve them different content and log all the same data).
I have this eerie suspicion that GDPR cases will be a haven for trollish and/or opportunist behavior. Instead of huge corporations having to shell out significant money to swallow up start-up competitors, they could much more cheaply pay EU citizens to exploit the huge burden of the law on small companies or even solo endeavors. I hope I can be convinced to be optimistic.
Yes, government regulation is unquestionably more of a burden to companies without legal teams. If you’re smaller it’s an eternal calculus of flying under the radar and trying not to be the bug that gets the windscreen.
I'm kinda hoping my pessimism becomes justified. At that point, I can then only hope that an epiphany is reached and other approaches used without resorting to large sweeping legislation (which, among many other things could include more timid and actually enforced legislation at first). However, regardless of which side of the Atlantic I look on, it seems legislators only double down when their desired effect is not achieved. They only know one direction.
you could use cloudflare IP geolocation to block EU countries based on the Cf-Ipcountry header they provide. Though just by checking their IP I think you may need to comply with gdpr
Is just checking IP with no other personal information a violation of GDPR? Particularly if that IP is not retained in a database (just temporarily in production logs)? Asking for a friend...
Not really sure as well but from https://www.gdpreu.org/the-regulation/key-concepts/personal-... personal data seems to include "online identifiers", further defines online identifiers as "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifier"
How a company "specifically targets its services at individuals in the EU" is not clearly defined within GDPR. Even if you just set your AdWords targeting to 'global', it might be enough to trigger this. GDPR Shield is a clear signal that you're not targeting EU users.
IP addresses alone are not personal data. They're only personal data if they can be used to identify a natural person.
If someone is gathering and storing email addresses and ip addresses it seems reasonable to ask them to take industry standard measures to protect that data, and to let users know that the data is being collected.
That explanation is the first one I've seen that makes GDPR sound reasonable.
The main problem overall is that the EU appears to consider information about someone as being owned by that person. That is quite foreign from a US individual perspective and having some blogs. I don't see how the learning I have acquired about people places and things, which I acquired without any promise of confidentiality, can be owned by anyone but me. Are libraries and newspapers required to scrub their shelves and archives? And if not, what is the limiting principle?
There are other interests that get balanced against the individual's right to privacy, including public interests like newsworthiness.
But indeed that can go both ways - the website of a newspaper might be required upon request to remove a 20-year-old crime blotter item reporting a single petty theft conviction for an otherwise law-abiding non-celebrity; they wouldn't be required to do that for a 2-year-old murder conviction.
Overall I'm content with the GDPR as it is a long needed corrective action for the path we've been treading in the West as a whole.
One requirement, imho, is quite ridiculous, however. That is the need for entities which need to abide by the GDPR but do not have a presence in the EU to assign a representative in the EU.
This part definitely needs some relaxation. Just complying with the regulation ought to be enough as the first step, especially for start-ups.
Yes! That was the part of the regulation to me that felt like a shake down. I get the need to be more careful with user data. Make me hire a rep in the EU? Now you're just trying to drum up fees for your lawyers...
> Just complying with the regulation ought to be enough as the first step, especially for start-ups.
It is enough; most start-ups won't need a representative.
That requirement only applies to large-scale processing of special categories ( i.e. sensitive ) of data or that relating to criminal convictions and offences.
The Service provides a social media management tool that enables users to customize the link preview window of websites under their control on social platforms, in addition to other analytics tools to help bolster users' social media content.
Which is illegal to begin with. You even forgot to replace the part that explains what the service does and left the part that says that gdpr shield "provides a social media management tool".
You're selling something that just basically does a geoip lookup, and then tries to block people from an entire continent, with pure JS, which can be easily avoided, by the way. I'm shooting buffer an email to let them know you're infringing on their legal material.
So you're saying that a service which targets businesses who are trying to avoid a piece of legislation that is shaping up to become a worldwide industry standard turns out to be shady and doesn't respect the law? Well I never.
Copying legal documents isn't illegal, and in fact many lawyers will just run a search & replace on an existing client's T&C to generate a new T&C. This is also how T&C generator websites work. It's actually recommended, as then you have standardized language that is all well-defined in the eyes of the courts.
You are going to have to do a better job of backing that claim up. It certainly seems to be an obvious breach of intellectual property law at the very least. Citing that some lawyers do this does not automatically make it legal.
My initial claim is perhaps a bit too strong. Case law is basically that the unique portions of a T&C or other contract are protected by copyright law, but boilerplate terms that have appeared in lots of different firms' documents are considered public domain.
157 comments
[ 3.3 ms ] story [ 215 ms ] threadDon't pay "thousands" for GPDR compliance work which will improve your product by providing basic privacy and security features.
Instead pay up to $79 a month for a service to block a large percentage of your traffic.
If you get a quote from an experienced data protection lawyer for GDPR compliance, this will be an order of magnitude cheaper in the long run. There's a real risk of getting sued / getting cease and desist letters from predatory law firms who aim to collect fees for small mistakes in your privacy policy.
No there isn't.
When the GPDR fines are 2% of revenue there isn't the incentive for lawyers to go after businesses earning less than a million a year in revenue.
Edit: I don't want anyone to think I believe it's a good start but it is a kind of solution. I wonder if lots of US companies, once they begin to realize GDPR is a problem for them, won't decide to try one of two things:
1. This: block access from IP addresses believed to belong in Europe.
2. Lobby Congress for a law (or a quick Executive Order) saying that US companies don't have to comply with GDPR.
A few weeks ago on Twitter [1], I speculated about #2. It was too early, I guess. Few people in USA seem to be aware of GDPR at the present time. That'll change in a couple of weeks.
[1] https://twitter.com/CnAdoctor/status/978849723808301057
The only foolproof solution is just to block all IP addresses.
"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
(from https://community.spiceworks.com/topic/2007530-how-the-eu-ca... )
Also will it block JS-blocking EU Citizens residing in the EU?
Let's not mention VPNs. Let's not mention Tor.
This feels like a "registry cleaner" for GDPR
o. xkcd: https://xkcd.com/1969/
Probably. It seems like a quick "let's make some money" scheme to milk the GDPR panic.
> It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
(from https://community.spiceworks.com/topic/2007530-how-the-eu-ca... )
What's the legal channel here? Do they plan on arresting me if I decide to vacation to an EU country? Will the US gov't comply with levying fines due to some treaty/agreement between the countries?
Some things are very deliberate, but others are the consequence of decisions far removed from those of site operators.
I go through and toggle all the settings the internet tells me to, even though I don't know their meaning or effect. Am I GDPR compliant?
I install a Wordpress plugin that sets up a Really Simple Chocolate Chip Syndication server, or RSCCS. That plugin logs IPs. If I was GDPR compliant previously, now I'm not, and how would I ever know?
I know plenty of people with a get rich quick scheme to sell widgets, but who don't know the difference between WordPress and Microsoft Word.
Expecting them to know that starting a website with a plug and play webserver could collect sensitive information on their behalf is pushing it a bit. Expecting them to know they have to comply with a law passed by a governing body they've never come within 1k miles of...
If you're not an expert, you have to get one. Same reason why you cannot just go and plan a non-trivial building by yourself when you're not a architect or civil engineer.
I've never hired a Wumbologist because I don't know what Wumbology is or where it applies.
This attitude is really sad to me. It was and is one of the greatest things about the internet, that pretty much anyone anywhere could publish something. If you now need an "expert" to do that, we've lost something.
Anywhere you want one newline in your output, you have to use two.
And then -- what if you finally have confirmation? You were attempting to avoid it, but now you cannot. If your attempt is to avoid it at all costs, you're effectively required to validate whether users are EU citizens much earlier in the process than before GDPR, which means GDPR already has had a big impact despite efforts to avoid its umbrella.
UK is not part of the EU.
> assign personal liability
Citation needed? If CEO decides to ignore privacy law, everyone else is accountable?
As an EU citizen, "cheap" wourkarounds like these ones will definitely not solve the problem, might actually make it worse.It's like an anti-adblocker, it won't work on the long run,people who are tech literate enough will just start using a VPN
However, a lot of it is covered by:
1- US companies with a physical presence in the EU. They can fine that entity directly.
2- US companies will find they can't sell to EU businesses (B2B), as that means the EU company is carrying the can in terms of non-compliance.
3- The EU Member State could go via the International Courts. Or via some kind of bilateral agreement (e.g. Privacy Shield).
I expect #3 will need to egregious to really make sense.
However, I also expect a significant amount is already hovered up by #1 or #2. Certainly many of the cases that GDPR wants to target.
Additionally, the EU may cut deals with other states to bring in enforcement powers (fines).
It's enforced by a regulator. The fines are fines, not compensation, and the fines go to the regulator.
There's no route for a private citizen to hire a lawyer and sue.
Or are your suggesting that some patriotic legal firms would do all the legwork for free so that the government treasury would get a boost?
GDPR will give them new ammunition on a European scale.
The whole thing is FUD, although mad props to the people behind the linked service for making a play at profiting from it.
But it's irrelevant here, because the law isn't based on damages.
Stop talking nonsense. It is up to $10 million or 2% of revenue.
https://www.gdpreu.org/compliance/fines-and-penalties/
And so for most websites the fine would be significantly smaller than what lawyers typically earn to litigate.
Hence your entire "no win no fee" premise falls completely apart.
FFS, this is a maximum, not minimum.
> if they don't win (with infractions being $10 million minimum
But all of the numbers you give are the maximum possible fines. The actual fines imposed by the regulators will always bee smaller than that.
You also said:
> The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm,
That's not how the fines work. They're fines, paid to the regulator. They're not compensation paid to the victim. There's no payout for no-win-no-fee solicitors, and so they're not going to get involved.
[0] https://judge.sh/3Bc2E0GR.png
That's the biggest thing from the EU's GDPR rules - what is your organization's data inventory, how does it map outside of your organization, and how are you securing PII?
If a complaint is made from someone who is an EU citizen, and another organization shows logs that they got this information from your web app or service, that will trigger an audit from the EU. Blocking access to a subset of IP ranges will do absolutely nothing to stop this, and will not stop the sharks once they have smelled blood.
In a sense, the EU has plain rules that you can protect against, unlike the FTC/FDA (for HIPPA etc) who are vague and will not disclose how you can protect your own organization.
(from https://community.spiceworks.com/topic/2007530-how-the-eu-ca... )
See, the problem here is that you actually have to send an HTTP request to the site that's trying to block you, then you load it along with their JavaScript which then blocks you, but at that point the initial request(s) has already been logged and now they have to comply with the GDPR.
I refuse to believe this is not a joke.
This service isn't blocking requests to your site, it's just showing the visitors different content after the fact.
If it helps, I use AppEngine for my App which already provides geolocation information in the IP and my app blocks it the moment it receives the request. Users will only see a re-direction to a notice relating to GDPR and what they'll need to do if they still want to access the site.
Are you referring to the IP address, which is personal data?
I'm kinda hoping my pessimism becomes justified. At that point, I can then only hope that an epiphany is reached and other approaches used without resorting to large sweeping legislation (which, among many other things could include more timid and actually enforced legislation at first). However, regardless of which side of the Atlantic I look on, it seems legislators only double down when their desired effect is not achieved. They only know one direction.
IPs may be personal data but if you don't store it there is no problem.
Directly from the EU:
> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
(https://ec.europa.eu/info/law/law-topic/data-protection/refo...)
Do you have to provide proof that your site doesn't specifically target its services at individuals in the EU?
Does that mean that (e.g.) German bloggers are not bound to the GDPR when they just add "made for the Swiss" to their header?
If someone is gathering and storing email addresses and ip addresses it seems reasonable to ask them to take industry standard measures to protect that data, and to let users know that the data is being collected.
According to the GDPR, they are. https://eugdprcompliant.com/personal-data/
"The conclusion is that the GDPR does consider it as such."
The main problem overall is that the EU appears to consider information about someone as being owned by that person. That is quite foreign from a US individual perspective and having some blogs. I don't see how the learning I have acquired about people places and things, which I acquired without any promise of confidentiality, can be owned by anyone but me. Are libraries and newspapers required to scrub their shelves and archives? And if not, what is the limiting principle?
But indeed that can go both ways - the website of a newspaper might be required upon request to remove a 20-year-old crime blotter item reporting a single petty theft conviction for an otherwise law-abiding non-celebrity; they wouldn't be required to do that for a 2-year-old murder conviction.
One requirement, imho, is quite ridiculous, however. That is the need for entities which need to abide by the GDPR but do not have a presence in the EU to assign a representative in the EU.
This part definitely needs some relaxation. Just complying with the regulation ought to be enough as the first step, especially for start-ups.
It is enough; most start-ups won't need a representative.
That requirement only applies to large-scale processing of special categories ( i.e. sensitive ) of data or that relating to criminal convictions and offences.
Article 27 applies: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...
It's basically to prevent big data processors from claiming 'we don't have an EU presence so you can't fine us'.
Domain Name: GDPR-SHIELD.IO Registry Domain ID: D503300000096633167-LRMS Registrar WHOIS Server: Registrar URL: https://www.gandi.net/whois Updated Date: 2018-04-24T15:25:22Z Creation Date: 2018-04-24T15:25:19Z Registry Expiry Date: 2019-04-24T15:25:19Z Registrar Registration Expiration Date: Registrar: Gandi SAS Registrar IANA ID: 81 Registrar Abuse Contact Email: abuse@support.gandi.net Registrar Abuse Contact Phone: +33.170377661 Reseller: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Registrant Name: Nikolaus Fischer Registrant Organization: InnoWire UG (haftungsbeschrankt) Name Server: NS-86-B.GANDI.NET Name Server: NS-78-C.GANDI.NET Name Server: NS-61-A.GANDI.NET DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2018-05-04T01:38:30Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
×××@@@@xxx The value for the Created field will show domain age. No serious offering was erected 1 month before open season begins. lmao.
1. GDPR Shield Service Overview
The Service provides a social media management tool that enables users to customize the link preview window of websites under their control on social platforms, in addition to other analytics tools to help bolster users' social media content.
...what? Is this a botched copy/paste job?
He's running a really shady business.
https://buffer.com/terms VS: https://gdpr-shield.io/terms - Saved here https://web.archive.org/web/20180504020320/https://gdpr-shie... for good measure
Which is illegal to begin with. You even forgot to replace the part that explains what the service does and left the part that says that gdpr shield "provides a social media management tool".
You're selling something that just basically does a geoip lookup, and then tries to block people from an entire continent, with pure JS, which can be easily avoided, by the way. I'm shooting buffer an email to let them know you're infringing on their legal material.
http://pub.bna.com/ptcj/1051462Jan11.pdf
GDPR-shield's original T&C was actually copied from ShareKit, which is another product from the same company:
https://www.sharekit.io/terms
But going paragraph by paragraph down the terms, you get this list of companies, all with the same language:
https://www.google.com/search?q=%22Except+for+certain+kinds+...
https://www.google.com/search?q=%22You+must+be+at+least+%5B1...
https://www.google.com/search?q=%22To+access+most+features+o...