46 comments

[ 0.21 ms ] story [ 95.2 ms ] thread
Just in case you're not a WSJ subscriber, use this to bypass the pay wall: https://m.facebook.com/l.php?u=https%3A%2F%2Fwww.wsj.com%2Fa...
This leads straight to the Facebook login form.
That just opens the page via a FB referral, basically this bookmarklet:

    javascript:window.location.href='https://m.facebook.com/l.php?u='+encodeURIComponent(window.location.href);
Can confirm.

I tried the Archive.org copies, and I tried private browsing - not any better. Trying again now though, WSJ seems to be giving me the full article.

Looks like strictly specific to Tronc publishing, https://en.wikipedia.org/wiki/Tronc#Newspapers

Anyone else blocking?

Additionally, blocking access to the site that already has the data from the people of EU is violating GDPR more than simply keeping the site alive. GDPR is not about the data that is collected only after the May 25th.

(comment deleted)
Why block EU users instead of just disabling analytics and ads for them?
Because that would result in the EU users burning bandwidth and processor time without any offsetting revenue.

I'd imagine that the cost of providing (say) the Los Angeles Times to the EU is non-trivial.

That doesn't make a political statement.
Yet you can still get to tronc.com

Their HTTPS implementation is broken, though; Cert common name wasn't set properly. GJ!

Pretty sure WSJ is non-compliant to GDPR by not providing the option for EU readers to opt out of their cookie policy, ironic that that will be a reason for Tronc blocking EU readers altogether.
GDPR doesn’t apply to WSJ or any other site that doesn’t “envisage” offering its services to users in the EU. See recital 23.

Edit: apparently they accept EU currencies, which means they have subjected themselves to it.

What? It says the opposite - if you are providing services to EU residents outside of the EU GDPR applies to you.

http://www.privacy-regulation.eu/en/recital-23-GDPR.htm

> In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.

You completely ignored the relevant part of that recital:

In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union

If you are not “offering goods or services to data subjects who are in the Union” then you are not subject to GDPR. As stated in the recital, the mere fact that a site is accessible from within the EU DOES NOT make it subject to GDPR. This recital tells you the test that is used to determine whether or not you are. It isn’t necessarily even required to block EU traffic to be immune from it, though it’s a good idea since you’re playing with fire. You simply can’t translate your site to EU only languages, create content or services that might appeal specifically to EU residents, etc.

No targeting of EU residents = no GDPR liability.

>No targeting of EU residents = no GDPR liability.

I'm gonna have to disagree with that interpretation.

If I can use their services from within EU then they are providing services to EU residents regardless whether or they explicitly say that they want EU customers and thus are subject to GDPR.

Read the part of the recital that you seem to be ignoring on purpose for whatever reason. It literally says that the mere accessibility of a site from within the EU does not by itself mean that the site is offering services in the EU for the purposes of GDPR. It’s not really up for debate - it is written right there in black and white.

I’ve been through this with actual lawyers. There are things you can do that make you subject to GDPR without explicitly saying you want EU customers - an example might be creating a site in English but that exclusively reports German news. But, for example, if you have a US news site that doesn’t sell subscriptions to EU citizens, isn’t based in the EU, doesn’t specialize in news arising from EU countries, and doesn’t translate its content to EU-only languages, you aren’t subject to it. Again, as stated in the recital, the mere fact that an EU resident can access the site does not by itself trigger GDPR exposure.

The WSJ offers an European Edition and the subscription link is open to users from the EU.
> It says the opposite - if you are providing services to EU residents outside of the EU GDPR applies to you.

What the GDPR says is irrelevant in sovereign countries outside EU jurisdiction.

Or do you think NY hot dog cart vendors should also follow EU laws just because they happen to sell to EU citizens?

Does the WSJ accept subscriptions from non-US citizens? If so, they had better get GDPR compliant.
Make them.

edit: (prove that GDPR has teeth outside the EU)

They do '“envisage” offering its services to users in the EU'. That page has a massive ad (700x500 px) suggesting that I buy a subscription for "DKK10 FOR 3 MONTHS".

If offering their service priced in the local currency of an EU member state doesn't constitute offering services to users in the EU, then I'm not sure what could possibly qualify.

I’m not in the EU, so I wouldn’t have seen that. They’re stupid for doing that if that’s the case. If they’re accepting EU currencies, then you are correct that they have subjected themselves to GDPR. Go file a complaint, I assume your country will tag them for millions of euros in a hurry.
Where is it written that EU citizens can refuse cookies? As far as I know one must inform that cookies are stored and for what purpose.
If those cookies are not necessary for operating, like tracking cookies, you have to ask the user before you set the cookie. If you ask, you have to be specific for what the cookie is used. The checkbox or slider has not to be prechecked. You also have to provide a way to the user to withdraw his consent. And you have to keep an audit trail for the given consent.
> We are engaged on the issue

Dear Tronc,

You had two years to comply. You are being ridiculous. Good luck with complying.

EU Users

As a European who has many time been asked to comply with the various sillinesses coming from US legislators, I must say there is some strong schadenfreude on this current event.

And for once, I think that the law that annoys everybody actually comes from a good intent (protecting users instead of profits)

Yeah, I've got to agree on this point. Whenever I hear complaints from US citizens, I think to myself: imagine having your whole country need to learn another language in order to do business...we are very lucky that much of the world does business in English, and we are able to benefit greatly from that.
Almost nobody talked about it 2 years ago.
Exactly two years ago I was asked to prepare a list of all databases containing personal data that I have access to and briefly describe what I need them for. This was the moment my company started to prepare for the GDPR.
> Aggressive potential penalties are likely to affect some business decisions.

Aggressive user tracking and nonchalant attitude to users' personal data seems to be less problematic to them.

This regulation has been on its way for 2 years, and before that it was discussed extensively. Any big corporation not complying or making such a move as simply blocking EU users is ridiculous. Lobbying obviously didn't work so now they want users to revolt against EU lawmakers, or what is the endgoal here? There was enough time to comply, I find this behaviour unfair and short-sighted on the mid to long run.
"There was enough time to comply": how about I start up now, not 2 years ago? I will not have 2 years to implement all their nonsense. I can't wait until other countries/regions pass laws as stupid and coercitive as GDPR.

"I find this behaviour unfair and short-sighted on the mid to long run": exactly what I'm thinking of Europe's decisions (I'm a french citizen, living abroad, not in EU).

We should hang law makers when they pass legislation that affects everyone, for "crimes" without victims.

In the mean time, people mutilate women yet nobody cares: cutting a few clitoris won't cost you a thousandth of what GDPR can cost you. You can safely continue to ignore the issue.

Does the EU even know what Injustice is? or is it just blinded by ego and ideology.

Thanks in advance for down-voting my not-leftist, not pro-EU, not politically correct opinion

I did not downvote your comment, I flagged it instead. Insinuating to hang democratically elected law makers for doing their job, in this case protecting the privacy of their constituents, is beyond any discussion.
You're probably very aware of the fact not all EU law makers are elected... and that "protecting the privacy of their constituents" is probably not really their intentions either.

Arranging laws so they can fine US companies Billions for succeeding where EU companies fail? that's probably more like their goal.

The EU is full of countries (I can speak for France, "my" country) who show no respect for privacy (France has installed black boxes at every ISP to monitor everybody, and nobody cares). And now we're trying to "protect" EU citizens? Seriously?

People are so brain washed to accept limits to their own freedom... GDPR will not give you more freedom if it's used to prevent sane competition from outside the EU... GDPR will harm Europeans. Restrictions never make you more free.

I'm actually looking forward to seeing less US news. One of the downsides of being on the global English-speaking internet of social link propagation-discussion sites is that it's incredibly US centric. We need to pay more attention to our own countries and localities.
Japanese forum giant 5ch (formerly 2ch) has also decided to IP block all of EU in order to "comply" with GDPR, as of a few days ago.

I've been hoping it wouldn't spread, since it's depressing to be confined to a little internet bubble in this day and age. Guess I'll be needing a VPN.

Careful which countries you go to with that VPN. You don’t want to intentionally circumvent an access control restriction. ;)
As a non-European who has no problems complying with the GDPR and has resources at his disposal: Please, If someone knows of a list of all companies and services that refuse to comply with the GDPR, please point me to it.

To me, this seems like an incredible once-in-a-lifetime opportunity to get into previously captured markets.

Well, good riddance to all of those companies which do not want to comply with a law made to protect citizen’s privacy. Europeans now have an antispam, anticrooks filter for free.
So what happens with all the open-source projects that EU citizens are involved in? Some of those are (more or less) based in the US. Are they also covered by the GDPR or is it just businesses?
If your core values are we don't give a f.. to our user's privacy, obviously you don't do anything in 2 years for them.
To add some flavor to this, there are only a handful of vendors that sell cookie opt-in software in the US, and implementing one on our own tiny site was a nightmare. If the business model revolves around ads or third party services, I can't imagine how much worse it would be to get running.