28 comments

[ 2.7 ms ] story [ 286 ms ] thread
>Well, if the user is a begginer-level hacker it will easily be able to bypass the block.

Or alternatively, operating uMatrix at default settings. Didn't even see anything.

I experienced the same thing. I wonder if this qualifies as "explicitly blocking EU residents", since someone taking privacy measures (like using uMatrix) wouldn't even receive the message.

If this is the case, then perhaps javascript is not the best place to put the EU blocking functionality.

I'm going to offer a full website proxy service for a small price so the external JS isn't needed and hopefully these cases can be mitigated.

But surely it is dubious (another reason to fear and dislike the GDPR as it is) if a visitor is actively bypassing website contents and features - effectively changing the website - and that makes the website liable.

It's like if I have a browser extension that rewrites landing page contents to racial offenses, then I browse landing pages, get offended by them all and sue the websites.

It should be possible soon to build this as a Cloudflare App using Workers, rather than needing to build your own proxy service.
Shh! That was my idea. Don't tell other people about it.
Such a person would just be considered a "hacker". (The law doesn't care if real hacking is necessary, they go by how a typical person would experience things.)
Under the GDPR, you'll have to explicitly ask users to agree for their visit data to be shared with euroshield _before_ you load this external JS.
Even if this was true (and that depend on euroshield implementation), this is not the spirit of the law. You don't even have to take a european lawyer (and those are at least an order of magnitude cheaper than US ones) to win your case (i'm joking, please take a lawyer). European courts don't like bullshit, even when it come from big company, so if you're afraid of trolling (a la patent trolls), please don't be.
This is pretty appealing. A quick and easy CYA to keep you out of trouble while you work on compliance (or not).
Have we seen any actual enforcement of the "cookie law" on non-EU entities (or even on EU entities?)

If you're not physically in the EU and run a service platform, could you just ignore it until you get hit with a notice?

I'm really puzzled at how the EU realistically thinks they can enforce these types of restrictions on an international scale.

I'm interested to know this from the non-EU perspective, as well as the best way to comply with the GDPR that's feasible for a small business.
> enforce

People keep saying "enforce". That's the wrong word. Enforcement is a last resort. What actually happens is that the regulator writes you a letter asking you to come back into compliance, and points you to latest best practice.

At that point you decide what you want to do. If you have a European presence it's easier for them to impose fines. If you don't I guess they can declare you non-compliant which makes it harder for EU businesses to send you data.

Here's a case where a large firm was handling sensitive personal details and didn't bother with their legal duty to register with the Information Commissioner.

If the fear-mongering about fines is correct they'd get hit with a huge fine.

https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...

> The U.K.’s Data Protection Act requires all organizations processing personal information to register with the U.K. data regulator. Although handling sensitive data on recent patients and those needing regular health care, Cera also failed to register with the Information Commissioner’s Office until February this year. The ICO said in a statement that it would only consider “enforcement action” if a company failed to register despite ICO advice.

The entire cookie law seems pointless, by the way. It does nothing but annoys people with useless pop-ups. Every website uses cookies (and more) and everybody knows this. Concerned users just install extensions that remove them automatically.
I'm of two minds about this.

Companies who are buying into the idea of the GDPR being scary, and who think this sort of thing is a good way to ignore the GDPR, are leaving money on the table.

But those other companies, who actively want to defy the GDPR; who don't want to protect their servers from hacking and think they can ignore my requests to stop calling me or emailing me, those are companies that I don't want any involvement with anyway. This sort of script doesn't protect them, and they deserve what they get.

So, yes and no. These approaches to blocking EU visitors do somewhat protect you from having to comply with GDPR. However, "targeting" can mean a lot of things. If you have global adsense campaigns that advertise your service for EU customers, you're still targeting those data subjects. If you end up sponsoring any events in the EU with your company name where people may be able to draw a connection between your service and it being available in the EU, you're still targeting those data subjects. I mean, if you write a blog post on your branded company blog about a subject you know people in the EU would care about (let's say you're selling $foo_service and you are musing about $foo_field in the EU) and it gets really popular in EU circles, one could say that you were really just targeting advertising to those data subjects (a stretch, but I don't like to leave things up to lawyers).

Something like this needs to be a multi pronged approach - warnings displayed to EU customers, complete non-advertisement to EU sectors, and you should probably include terms of service as well.

A single page insert does not completely cut it. A lot is left open to interpretation in this regulation, and you need to effectively black out any interaction you have with the EU.

Well, I imagine in your examples you're considering medium-sized businesses or larger. I'm thinking about smaller ones who will never sponsor an event on another continent.
Something like this needs to be a multi pronged approach - warnings displayed to EU customers, complete non-advertisement to EU sectors, and you should probably include terms of service as well.

Ironically, likely to be more work than not being an ass with customers' data in the first place.

>Ironically, likely to be more work than not being an ass with customers' data in the first place.

Your comment is pretty rude. Every business is going to have different things that work for them. Some businesses aren't going to have resources to get counseling and make changes to comply with the regulation. Some businesses don't exist in the EU and have no interest in servicing the EU (most businesses in the world), and want to make sure they aren't going to run afoul of GDPR. And, some people are upset that they're having to spend brain cycles on a law that heavily modifies business and tech processes, that was enacted in a foreign government, and had no elected representation to present their concerns.

I think the amount of data leaks and irresponsible data handling that companies take part in nowadays is completely awful, and shows disregard for people's well being. I think that companies need to treat personal data as a liability instead of an asset. I think that companies that choose to forgo EU business are leaving a lot of money on the table and put themselves at a competitive disadvantage. I also think that companies in foreign countries should have the right to opt-out of doing business with whoever they want, and exempt themselves of regulation by not doing business in the host state.

And no, "not being an ass with customers' data" is not going to be less work than the few steps necessary to exempt yourself from GDPR.

(comment deleted)
I'm sorry to be mean, but this is as dumb as the rest of this GDPR panic that seems to have swept the less informed parts of the US tech community.

GDPR basically means: "Do all the stuff you should have already been doing to protect user data."

Paradoxically, I suppose it's pretty good as an EU citizen if sites that don't do this are blocked, since it's a massive flashing red flag.

People are going to install shit like this even if they are already protecting user data. Or not even collecting any in the first place.
The script's default message says that you are very sorry, twice. But you're not really sorry are you? You just install the script rather than address the problem of data privacy.
It's a crude weapon... for a less civilized age.
I highly encourage all my competitors to use this immediately
Definitely just turn away 30-40% of your customers. Good idea for everyone. :)
Money isn't everything. Kudos for challenging the narrative.
New browser extension idea for people outside the EU: automatically spot sites using tools like this, and put enormous great big warnings all over the page.

Seriously, _most_ of GDPR is good practice don't-screw-your-users' personal data steps. Don't store personal data for uses that isn't strictly necessary without their consent. Make sure users can find out what data you do store, and how you'll use it. Have a way they can ask you about it, or ask you to remove it.

If complying with GDPR isn't reasonably practical with your product/business model it's a _huge_ red flag imo, EU or no.