As somebody who values privacy greatly, something about the GDPR just doesn't sit right with me, which is confusing and conflicting because somebody who values privacy should be naturally aligned with it.
After thinking long and hard about the GDPR, the part that bothers me the most is the expectation from the EU that foreign entities enforce their regulations because the EU cannot bear the political consequences of doing it themselves.
Imagine if China decided that Chinese citizens accessing foreign servers was a breach of national security due to the ability of these foreign servers to collect private browsing information, and imagine if China decided to make laws that fined these foreign entities in violation of their laws. It would be a fucking joke and it would be ridiculed internationally for good reason. China obviously knows this and they are prepared to get their hands dirty and implement the Great Firewall of China because they have no problem appearing as a controlling and authoritarian state.
So why doesn't Europe just do what China does and build their own firewall? If they really wanted to restrict collection by foreign servers which exist in non-EU jurisdictions and apply the regulation internally in the EU then they have the technical capacity to do so with a firewall.
Europe just can't bear the consequences of building such a firewall because it would destroy them in the court of public opinion. If EU citizens suddenly lost access to American services all hell would break loose. On a more political level the EU is a place which is generally known as being liberal and open, and the construction of a mechanism designed to enforce their regulations by closing them off from the outside internet would be the construction of an authoritarian tool of censorship and restriction of freedom.
>After thinking long and hard about the GDPR, the part that bothers me the most is the expectation from the EU that foreign entities enforce their regulations because the EU cannot bear the political consequences of doing it themselves.
That sort of thing happens all the time - except the US is usually the one coercing foreign entities. Remember the DMCA? ThePirateBay's raid in 2006? Or the Megaupload debacle? Or how Japan was pressured by the US to adopt stricter child pornography laws?
Note, I'm not saying the people behind these were supporting moral and noble causes that the US was wrong to clamp down on. I'm certainly not saying people should comply to China's expectations on free speech and flow of information. Simply, if you feel infuriated that a foreign power is enforcing its worldview and related regulations onto you, an American citizen, know that that's what literally everyone else has been experiencing for the last decades from the people you've put in power.
But then, what the EU is trying to enforce here - more power to Internet users, essentially - is fairly benign when compared to what other foreign powers would like to enforce. If there were matters of infuriation to be had on that account, I'd start with the Marriott debacle [1].
The DMCA does not magically apply extra territorially.
It’s applied through an established legal framework either through bilateral trade agreements or through WTO rules.
The majority of copyright enforcement outside of the US has nothing to do with the DMCA but rather copyright holders using local legal frameworks.
The problem with the GDPR is that its extraterritorial application, as expected by the EU, is also extrajudicial.
I would have no problem with the EU seeking ways to expand GDPR through new legal frameworks which the people that would be impacted by these changes can actually control through their own political system.
What I have a problem with is the EU essentially forcing compliance through extortion and sooner rather than later it will employ the companies that the GDPR was in spirit intended to protect us from to enforce it.
I don’t see the EU being able to enforce the GDPR even internally without essentially deputizing the likes of Google, Amazon and PayPal to enforce it across all of their customers in order for them themselves to be compliant.
Even with the fines possible under the GDPR, the EU cannot enforce compliance by targeting hundreds of thousands of small companies without going essentially bankrupt.
It can however effectively target the big ones and, worse, make it impossible to operate within the EU without using their "GDPR compliant" platforms.
The GDPR might be a great thing on paper and even in spirit, but the uncertainty and the inability to enforce complex regulation on a mass of small entities would likely cause its real-world repercussions to be quite different from what was imagined or intended.
>The DMCA does not magically apply extra territorially.
>It’s applied through an established legal framework either through bilateral trade agreements or through WTO rules.
>The majority of copyright enforcement outside of the US has nothing to do with the DMCA but rather copyright holders using local legal frameworks.
That means essentially the same, in effect. Very few countries have copyright laws that do not align with interests of US lobbies. If any country with significant partnerships with the US decided to tell "screw the MPAA, you can now download anything from the Internet" to its citizens, the said lobbies would pressure the US government to pressure that country through the trade agreements you mentioned, until it relented. This is something that actually happened, during e.g. the TPB raid. We can argue about the moral legitimacy of such things but the reality of the matter is, it's all power plays.
>What I have a problem with is the EU essentially forcing compliance through extortion and sooner rather than later it will employ the companies that the GDPR was in spirit intended to protect us from to enforce it.
>I don’t see the EU being able to enforce the GDPR even internally without essentially deputizing the likes of Google, Amazon and PayPal to enforce it across all of their customers in order for them themselves to be compliant.
>Even with the fines possible under the GDPR the EU can not enforce compliance by targeting 100,000’s of small companies without going essentially bankrupt. It can however effectively target the big ones and worse make it impossible to operate within the EU without using their “GDPR complaint” platforms.
Three objections:
-The use of 'extortion' is rather harsh - the EU isn't out there to suck money out of the poor American startups, they simply want them to treat user data in a sensible manner. Now you may object to what is considered 'sensible' just like someone in Sweden (e.g. anakata) may object to what is considered a 'copyright breach' but the point here is that they are not looking to make money from fines. If you are found to be noncompliant you wouldn't get sued by troll lawyers, you'd get a couple warnings along with guidance on how to be compliant again. Fines are simply there to say they mean business so people stop ignoring the regulations like they've done with existing country-specific ones for the last decades. Again, power play.
-I really doubt Google, Amazon and PayPal would cut off the entire EU market just to avoid going through the hassle of setting up an updated privacy policy. The EU population is 500 million, way more than the US. More likely, they'll do a cost-benefit analysis that will tell them it's worth paying their lawyers to do the compliance work. It's not actually a big deal. Also, these tech giants do have offices in the EU, usually in Ireland, so it hardly counts as extraterritorial extortion.
-As for the poor hundreds of thousands of companies - well, see the above. They don't want your money, they want compliance. A fine is the absolute worst case if you are repeatedly and outrageously negligent on a very large scale. The most likely case, however, is that the GDPR isn't going to care about these startups because the European public doesn't care about them either. I don't mean to be harsh or condescending, but while lurking HN and reading headlines about such and such service shutting its doors to European users, I couldn't recognize any of the names. No one is going to sue your ten-man startup that develops a niche/superficial app whose use cases only fit twice that many people in an EU court. It is far more likely that it will fail by itself, because that's what startups do. Should it grow, however, and be in a position to deal with enough customers' data that negligence or nefarious intent when handling it would cause significant harm - that's where actual GDPR enforcement would step in.
You may say: 'but there is no guarantee', 'it's all very vague', 'this much vagueness only opens the way to corruption and preferential treatment', but that's mostly how most of the law is written here in the EU - clarity of intent and concision over clarity of wording and exhaustiveness. Against all odds I'd say it's working out pretty well for us and the vast majority of people here do not feel any defiance toward their institutions (at least when compared to other countries), so I feel confident in the GDPR's enforcement, jurisprudence cases and their future effects on the handling of my data. You may feel slighted that a foreign entity, its views and its legal culture are being imposed on you, though, and I understand. Again, power play.
The point wasn’t if the laws are compatible with DMCA or not but that we had the ability to influence them.
If you as a Swedish person are blaming the US for Pirate Bay then you are wrong: you have had full control over your copyright laws and enforcement, and some of it is actually stricter than in the US.
I've also said that the EU will deputize the giants, not that they'll block services to the EU, resulting in even more consolidation and less freedom for EU residents.
In fact that is the expectation of many MEPs.
Combined with a government-run one-stop shop for data access like those that already exist in some EU countries, the actual prospects of GDPR can be quite dystopian.
People would say that it would be better than it is now and that companies would stop abusing your information, but I have no doubt that the existing business models will not differ even in the slightest; the only thing that would differ is your ability to compete and operate within a free market.
Imagine your country claiming taxes from you even though you are an expatriate and not living in that country. Oh, that does happen.
You can't just build a firewall for data, especially as users will actually willingly export data.
You look at the GDPR from a business side only and miss that it is about personal data and how that data has become a commodity that is being traded, mishandled and often abused.
So far none of the US-based services that I use has shut down or blocked me just because I'm under the protection of the GDPR. Those websites we see blocking users have either no interest in the European market (fair enough) or are indeed using shady practices.
The UDHR is "not legally binding" [1]. It was analogous to a House Resolution, i.e. setting out general principles upon which actual law would be negotiated. "International law" most properly refers to ratified treaties, which have the force of law in their applicable jurisdictions.
I'm sorry, but what part of the GDPR do you think demands invisibility? It doesn't even mention privacy, because the GDPR stands for General Data PROTECTION Regulation.
The IP itself isn't much use in the context of personally identifiable information without more data, say from the person's internet provider. Also, having HTTP logs with IP addresses (stored for a reasonably short amount of time) is still allowed, as it is a necessity to provide any service at all.
The regulation isn't about fucking IP addresses, it's about big data collection information about, what you buy, where you go, who you are friends with and doing shady things with that data.
>As somebody who values privacy greatly, something about the GDPR just doesn't sit right with me, which is confusing and conflicting because somebody who values privacy should be naturally aligned with it.
>After thinking long and hard about the GDPR, the part that bothers me the most is the expectation from the EU that foreign entities enforce their regulations because the EU cannot bear the political consequences of doing it themselves.
I might be reading this wrong, but you are saying that, as a privacy-valuing individual, your issue with the GDPR is that a single entity - the EU - has come up with the law. And the solution is not that every country in the world should pass privacy laws, but rather that European countries should build a China-like firewall?
If you want to sell your wine-picker in the EU you have to adhere to the local regulations. If you want to offer your services in the EU you have to adhere to local regulations.
>Imagine if China decided that Chinese citizens accessing foreign servers was a breach of national security due to the ability of these foreign servers to collect private browsing information, and imagine if China decided to make laws that fined these foreign entities in violation of their laws.
I agree with you. Fortunately, at least in the case of GDPR, we don't have to worry about it, as this article is completely off base legally. While I'm sure there are many in the EU that would love for it to be illegal for foreign entities to block EU residents, here's the reality of this. Under Recital 23 [1], you are not subject to the GDPR if you are outside of the EU and it cannot be established that you "envisage" servicing EU customers. This Recital explicitly states that the mere accessibility of a foreign website from within the EU does not by itself subject the site to the GDPR.
In other words, none of the GDPR applies to foreign websites that are blocking EU residents, because they have shown that they don't intend to serve EU residents. Since the law doesn't apply, its restrictions on automated profiling don't apply either (and you can legally store their IP address and any other information gleaned from HTTP requests for eternity and not bother responding to their "nightmare letters").
I find articles written in bad faith like this odd on a number of levels. Do people in the EU really want to falsely make sites in other parts of the world believe that they must comply with this absurd legislation? It's almost like they are trying to say "HA! We have power over you and can force you to do whatever we want!". It seems like a weird and desperate power struggle.
Block the EU, and GDPR doesn't apply (as long as you don't already hold EU resident data). It's as simple as that.
If you aren't storing the data tied to a specific person, you aren't profiling, otherwise "receiving an http request and logging that" would violate the GDPR, which it doesn't.
Second, country isn't PII under the GDPR; the location would need to be more precise to be relevant.
I think blocking the entire EU is lazy, but this is the non-est of nonsense.
IP address is PII, though. The fact that you're processing it into broader categories in order to make an automated decision is neither here nor there.
Logging HTTP requests is allowed not because it contains no sensitive data, but because you have a legitimate interest in logging usage of the web server in order to defend yourself against computer crimes, for example. What you aren't allowed to do is retain these logs indefinitely as if they weren't sensitive.
Your premise appears to be flawed in the context of established case law. IP addresses alone are not considered 'personal data' unless you have the capacity to readily add other information to add color. See below:
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
> 1. there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
> 2. the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
> On the facts, if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD.
The vast majority of entities do not meet the requirements for #2.
Fair point. Pretty much all of my data protection work recently has been with sites that can identify the person; sorry, I let that context affect what I said.
That said, doesn't this assume the user has a dynamic IP address? You can't easily tell a dynamic from a static, so wouldn't you have to plan for the worst?
Maybe, but firewalling an IP range doesn't actually require logging the specific IPs. I don't think GDPR has any teeth for information that isn't actually stored.
> I don't think GDPR has any teeth for information that isn't actually stored.
But if it 1. isn't stored && 2. there is a good reason (e.g. being able to block attacks) && 3. it isn't abused for any other illegal reason, then I think they are fine; no extra consent needed to store the IP address temporarily.
But then the law has already been followed.
Edit: also I wouldn't expect anyone outside of IT to care if something is "stored" in RAM or on disk. In this case that might be a good thing.
By the way, why is IP so important to this many? The only reason I can think of is browser fingerprinting, but for that, IP is actually secondary. Why even bother storing IP apart from temporary/ephemeral security, say, fail2ban?
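The temporary, in-memory handling of client addresses that the last few comments describe (keep the IP only as long as it takes to decide whether to block an attack, never write it to disk), as an added example that is not part of this thread: a sliding-window failure counter that bans a source after repeated failures and forgets the address entirely once the ban and the window have expired. The class name, thresholds and the injectable `clock` parameter are this example's own choices, not anything from the thread or from fail2ban.

```python
import ipaddress
import time
from collections import deque


class EphemeralBanList:
    """Tracks failed attempts per client IP purely in memory.

    Addresses are held only while they are needed to decide on a block
    and are dropped as soon as the failure window or the ban expires.
    Nothing is persisted, so there is no retention question to answer.
    """

    def __init__(self, max_failures=5, window_seconds=600,
                 ban_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures      # failures within the window that trigger a ban
        self.window = window_seconds          # how long a failure counts against a source
        self.ban_seconds = ban_seconds        # how long a ban lasts
        self.clock = clock                    # injectable for deterministic testing
        self._failures = {}                   # ip -> deque of failure timestamps
        self._bans = {}                       # ip -> time the ban expires

    @staticmethod
    def _normalize(ip):
        # Canonical textual form so "2001:DB8::1" and "2001:db8::1" are one source.
        return str(ipaddress.ip_address(ip))

    def _expire(self, now):
        """Forget expired bans and failure timestamps older than the window."""
        for ip in [ip for ip, until in self._bans.items() if until <= now]:
            del self._bans[ip]
        for ip in list(self._failures):
            stamps = self._failures[ip]
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()
            if not stamps:
                del self._failures[ip]

    def record_failure(self, ip):
        """Count one failed attempt; returns True if the source is now banned."""
        now = self.clock()
        self._expire(now)
        ip = self._normalize(ip)
        if ip in self._bans:
            return True
        stamps = self._failures.setdefault(ip, deque())
        stamps.append(now)
        if len(stamps) >= self.max_failures:
            self._bans[ip] = now + self.ban_seconds
            del self._failures[ip]   # per-attempt timestamps are no longer needed
            return True
        return False

    def is_banned(self, ip):
        """True while a ban for this source is in force."""
        now = self.clock()
        self._expire(now)
        return self._normalize(ip) in self._bans

    def tracked_addresses(self):
        """Every address currently held in memory (for auditing what is retained)."""
        self._expire(self.clock())
        return set(self._failures) | set(self._bans)


if __name__ == "__main__":
    # Constructed demo using a documentation-range address.
    bans = EphemeralBanList(max_failures=3, window_seconds=60, ban_seconds=120)
    for _ in range(3):
        bans.record_failure("203.0.113.7")
    print("banned:", bans.is_banned("203.0.113.7"), "held:", bans.tracked_addresses())
```

Because the clock is injected, the expiry behaviour can be exercised without sleeping; in production the default monotonic clock is used and a process restart simply starts from an empty table, which is the point.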
Not just IPs. The regulation knows about all of them (including RFID):
Preamble paragraph 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
You need IP addresses for forensic investigation. As the statute of limitations for most forms of fraud is 10 years or more, shouldn’t everyone be storing logs with full IPs and source ports for at least that long?
No, it wouldn't make any sense, and an IP address is a very bad measurement as well. Think of airports, public hotspots, etc. Even if you do keep the data, nothing else will be kept that long (or at least I believe so at this point in time), so what would storing the IP get you? An approximate location of a now potentially already recycled device and nothing else, really.
If you have a log time stamp, IP and source port of a compromise, you at least have a chance at attribution by working with the source network operator who can potentially correlate to a MAC or subscriber. The police can even pull video of a coffee shop to see who was there during an attack.
Without the time stamp and IP information you have zero chance at attribution during a security event.
PCI and a bunch of other regs require log retention for 1 year or even more for this reason.
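The two positions above (you need timestamp, client IP and source port for attribution, but you are not allowed to keep them indefinitely as if they were not sensitive) can be reconciled with tiered retention. The following is an added example, not code from the thread: access-log records keep full client detail for a short security window, are coarsened to a network prefix after that, and are dropped altogether after a longer limit. The log format is nginx combined format with a hypothetical extra `$remote_port` field appended, the sample lines are constructed, and the 30-day and 365-day periods are assumptions to be replaced by whatever your legitimate-interest assessment or PCI obligations actually require.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Combined log format with one extra trailing field for the client source port
# (hypothetical log_format; the port is not part of the default combined format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

FULL_DETAIL = timedelta(days=30)    # assumption: full IP + port kept for 30 days
PURGE_AFTER = timedelta(days=365)   # assumption: records dropped after one year

# Constructed sample lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2018:10:15:32 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0" 51234',
    '2001:db8::1 - - [01/Feb/2018:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.58" 40001',
    '198.51.100.23 - - [01/Jan/2017:00:00:00 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0" 33000',
    'this line is malformed and must be skipped',
]
NOW = datetime(2018, 5, 28, 12, 0, tzinfo=timezone.utc)


def coarsen_ip(ip):
    """Reduce an address to a network prefix: /24 for IPv4, /48 for IPv6.

    The host part is gone, so the record can no longer single out one
    subscriber but still shows which network the traffic came from.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def apply_retention(lines, now):
    """Return the records that survive the policy, with detail matching their age."""
    kept = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed line: nothing we can classify, so drop it
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        age = now - ts
        if age > PURGE_AFTER:
            continue                      # beyond the retention limit: purge entirely
        record = {
            "time": ts.isoformat(),
            "request": m["req"],
            "status": int(m["status"]),
        }
        if age <= FULL_DETAIL:
            # Recent enough that attribution may still be needed: keep everything.
            record["client"] = m["ip"]
            record["port"] = int(m["port"])
        else:
            # Older: keep the network for trend analysis, drop what identifies a subscriber.
            record["client"] = coarsen_ip(m["ip"])
            record["port"] = None
        kept.append(record)
    return kept


if __name__ == "__main__":
    for rec in apply_retention(SAMPLE_LOG, NOW):
        print(rec)
```

Run this on a schedule against rotated log files and write the output in place of the raw file; the raw lines with full detail then exist only for the short window, which is the retention argument a logging policy needs to be able to make.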
Whenever I read "Blocking entire EU" I classify it as a romanticized revenge daydreaming.
No sane western corporation will willingly eliminate an entity about the size of the USA out of spite and take a profit hit just because of a new PII protocol. Just look at FB, Google and the rest of the advertising companies. They bent over backwards trying to accommodate the law.
But: GDPR will filter out businesses that existed in the legally grey area because technology was faster than the law in this type of business competitive advantage features.
FWIW the first serious startup I worked at chose not to do CE compliance (the EU governing body for electronic devices that may interfere with RF). Thus we did not sell our product to Europe.
Every single blog post had a set of people raging that we were assholes for doing this, but the reality was the cost of compliance just didn't make sense for the MVP. It was high 5 figures in cost which was just too much at the time. If we had achieved product market fit then the obvious move would have been to do that compliance to gain more customers, but we never quite got there.
I doubt GDPR gets to that level of cost, so the ROI looks a bit different. But I still think it's a reasonable decision to say "I simply won't do business in the EU because it costs more than I'll gain". A lot of companies also don't bother to go through the effort of printing the dual language labels required to sell their products in Canada, even though it's a decent sized market close to the US.
Tech, specifically the internet, has grown without regulation for a long time. But that era is over. These kinds of decisions are routine in non-internet businesses where distribution, borders, and regulations exist. I suspect we're going to have to think a lot more about this in our work in the future.
> No sane western corporation will willingly eliminate an entity about the size of the USA out of spite and take a profit hit just because of a new PII protocol. Just look at FB, Google and the rest of the advertising companies.
That's true for big companies.
The calculation changes for small companies, and really changes for hobby projects.
>No sane western corporation will willingly eliminate an entity about the size of the USA out of spite and take a profit hit just because of a new PII protocol.
Maybe, maybe not. It all depends on your business and your market.
We're in the UK. If we'd understood how much trouble the EU VAT rules were going to cause when they came in three years ago, we would have excluded customers from the remaining EU member states rather than adapting our systems and processes to comply -- and it would have been one of the clearest and easiest business decisions we'd ever made.
Given the amount of uncertainty and liability involved with the GDPR, it seems entirely possible that some non-EU services will take a similarly conservative approach.
>No sane western corporation will willingly eliminate an entity about the size of the USA out of spite and take a profit hit just because of a new PII protocol.
Considering how many US-only startups I see on HN every day, this is patently false.
It will take some time to play out. People will sue, costs of lawsuits payout will be weighed against continuing the existing practices (IBM vs Xerox style) etc.
Two things: they are still operating in EU, and it didn't go well for Microsoft itself when they tried to disobey EU.
Let's say you're a hot upcoming startup and you don't have the funds to pay GDPR lawyers. In the early stages, blocking EU customers entirely may be tempting...
> No sane western corporation will willingly eliminate an entity about the size of the USA out of spite and take a profit hit just because of a new PII protocol
Probably not. It would make sense to roll out services on a country-by-country basis, limiting exposure to those where the national data regulator is known. EU lobbyists and lawyers were just granted a massive break.
> No sane western corporation will willingly eliminate an entity about the size of the USA
that's ridiculous, small companies grow by targeting audiences and computing expected future cash flow
the cost of legal action is a risk that affects the bottom line (it also affects reputation, but for new laws, the issue of reputation isn't as relevant because the laws haven't been tested by the society yet, they are fresh laws)
the idea that a corporation is "insane" for estimating the future cash flows and legal expenses for providing services to an audience is comedy
no, that's how a good, well-run, intelligent organization grows
the GDPR represents a risk to the bottom line when services are provided to European customers, and that risk must be factored in; this risk directly affects the corporate financial structure, and investors may have some input in terms of when and how to extend service to the EU
pretending that spite or some petty or small emotional frame of mind is required to apply basic sound financial principles of running a business is bizarre
when running a business, you are expected to win, and winning means not going bankrupt because some psycho lawyer in the EU wants to make money by destroying your reputation, destroying your life, and destroying your business
GDPR gives fuel to psycho lawyers. If you don't want to get sued by psycho lawyers, don't provide services to people who hire psycho lawyers, don't provide service to the EU.
If you have deep pockets and you know the expected cost of fighting off psycho lawyers is less than the expected revenue of providing service to the EU, then it may be time to expand to the EU; you and your investors should both have an understanding of the risks and rewards of expanding service.
Let me repeat: this is not an emotional matter, it is a matter of doing business.
> Anyone really believe they’ll litigate against companies that block them entirely?
All it takes is a single populist data regulator in one of the EU's twenty-eight members. Will they win? I don't think so. But in the meantime, you'll be dragged through costly regulatory negotiations. Those negotiations would become much more expensive if one had any European users.
Allowing 28 separate, politically diverse and motivated data regulators to litigate a vague law against publicly unpopular multinationals is a recipe for capricious and arbitrary action, but I believe that was rather the intent.
Litigating on this particular issue would be an incredible stretch though. Offends basic sense of fair play imo.
If Turkey gets EU membership, it would be a hoot to see how Erdogan uses this law.
> Litigating on this particular issue would be an incredible stretch
At least litigation has a clear end. The problem is more endless requests for information, each requiring research and drafting by expensive EU lawyers. A burden irrespective of whether you did anything wrong.
> How will they do that to a company that has no presence in that country and is actively blocking any access from that country?
One of the EU's twenty-eight members will try to extradite an American executive. That will be shot down by U.S. courts. We'll throw tariffs at each other for a few months until whatever administration that happens under negotiates a compromise.
There is no extradition for civil offences. For example, extradition under the European Arrest Warrant requires a criminal offence carrying a maximum penalty of >=1 year [1].
GDPR only fines and sanctions. Don't hold EU assets and you would be OK.
I only have basic knowledge of the law (I'm in the US) and I'm curious. If you're not operating at all in the EU and outright block EU IP ranges, can the EU take any action against you if an EU citizen manages to access the site and you do not comply with GDPR? Surely that is out of their jurisdiction, right?
I have US-only clients currently freaking out because they think they are going to be sued into oblivion, but I can't imagine they have anything to worry about (we've been giving them the whole "we can't provide legal advice, talk to your lawyer about what you need to do and we'll work with you to make it happen" line)
> 2 years of legal arguments and debates happening in companies because of GDPR.
That's seriously optimistic. From what I can tell, most companies realized about a week and a half ago that this was going to be an issue and freaked the hell out.
I'm still getting a steady stream of better-late-than-never GDPR emails.
Large ones certainly, small ones kicked the can out of ignorance or just waiting for consensus to develop. That articles like this are so popular show how muddled the consensus still is.
It's NOT about stopping them from doing business, it's about businesses taking personal data more seriously.
E.g. the right to be forgotten: the EU has it, the US doesn't. Sanctions when you forget to disclose a massive data leak on your private escort website? $0 in the US, hopefully very expensive in the EU. Your nemesis publishes lies on the net? The EU helps you have that deleted. Your supermarket tracks your shopping and knows you are pregnant before you do (this happened in the UK!)? Won't happen anymore in the EU. Shady Sunshine Ltd bought your email address and purchase data to spam you? Bad and expensive for them. Facebook won't allow you to continue unless you agree to face recognition? This might be the first case in the courts.
Wait and see for the good sides once the panic has quieted down.
That's all well and good. However, if a company chooses not to do business in the EU, then it does not matter what the GDPR says, even if the mechanism they use to block the EU violates the GDPR.
I have ~600 small business customers from the EU who are using my SaaS product and until now I received zero requests regarding GDPR. It seems it was the right decision to ignore this law, because no one cares about it. The same thing was with the cookie banner. Never built it into the product and in 6 years not even a single person asked about it...
The GDPR has been in effect for less than three days, two of which have been weekend. A bit premature to say, "nobody's enforcing this law", isn't it?
The cookie banner is different because everyone knew it was completely meaningless. Whether GDPR is or not remains to be seen; it's certainly not an "everybody knows" situation yet.
There's still the issue of enforcement. If the operators and servers are all outside the EU, how would a user effectively get courts to enforce the GDPR?
> how would a user effectively get courts to enforce the GDPR?
Most Americans would prefer not to have European court judgments against them. That said, I agree this is absurd. If I choose to do business in your country, that is one thing. But extending that to blocking my right not to do business in your jurisdiction is silly.
There is no enforcement because if GDPR claims that it has jurisdiction over entities not having physical presence in the EU, then the law isn't lawful to begin with.
And if the EU started going after companies/individuals who don't have presence in the EU because they claim "we say so", well, then the rest of the world can play that game too.
Maybe the rest of the world will put sanctions on EU bureaucrats if EU bureaucrats start trying to shake down companies that have no presence in the EU.
That's not how most regulations work. If you are a chemical company selling something that is legal in the US but illegal in the EU, the EU doesn't use your bank to enforce their regulations on your business in the US.
Using the banks to cut off commerce across borders is an enforcement action for what countries agree are crimes - terrorism, money laundering, fraud, etc. It takes a lot of political willpower and negotiation to use that tool. I sincerely doubt it would be used against American websites that choose to not serve the EU.
That's a perfect illustration of my point. The US went to pretty great lengths to have specific bans on import / export from Cuba. German train companies build plenty of things that would not meet FRA standards in the US, the US does nothing about it. But Cuba is seen as a special case. So do you think GDPR and PII are more like Cuba and terrorism, or more like chemicals and transportation standards? I think the latter.
Definitely the former: the way Europeans are talking about GDPR, insufficient respect for privacy is a human rights violation. We don't sanction Cuba because it makes trains the wrong way, we sanction it because we feel it violates its citizens' human rights.
For U.S. companies that have a physical presence in the EU, the GDPR can be enforced directly.
For the other cases, EU uses international law. EU-U.S. Privacy Shield data sharing agreement for example.
In the case that the law can't be enforced directly against the violating company, EU can enforce it through companies that provide the infrastructure for handling user data and have dealings with EU.
This includes trackers, online ad-selling companies, cloud providers, CDN providers, ISPs that have physical presence in EU and who handle user data when people visit the site. Like Google, FB, Amazon, Cloudflare, Akamai, Rackspace, Digital Ocean, ...
Also, if the company takes any money from the user from EU, they can get into trouble when banks with business in EU stop transferring payments.
Only if the company is handling all user data using companies with no EU presence and is not violating any US-EU privacy agreements should it be safe.
If the company does not have a data protection officer (or if the DPO doesn't comply with users' requests), users can go to their national government's data protection regulator. No need to go to court.
I find it pretty problematic that the US does that to gambling site operators. People who do things that are legal where they live should not have to fear that they'll get arrested when they visit a foreign country just because those things are not legal in that country.
It's not the EU but the member states that are enforcing the regulation. They are also free to make minor changes to the regulation (e.g. Austria won't allow NGOs to make complaints and releases state-run companies from the regulation's duties).
Assuming the article is correct in its interpretation of the law, it is still missing the point. If you do not operate out of, or do business in, the EU, then the EU has no claim for jurisdiction.
The only similar case I can think of is the Israeli law which prohibits entry into the country by anyone supporting BDS. Notably, in this case they are not even claiming that everyone on the planet is required to not support BDS; because it is obvious that they have no jurisdiction to do so.
EDIT: You also have China and Saudi Arabia who have internet restrictions. However, they also do not claim jurisdiction over foreign sites. They only require compliance by sites that operate within their jurisdiction; and have built the infrastructure to enforce their digital border.
In short: the opinion expressed by that link appears to be plainly wrong as the organization using IP addresses to restrict EU traffic for the sake of GDPR would need the ability to actually identify people from that information, a power arising from access to other information. The vast majority of entities lack that additional access, so for them, IP addresses are not 'personal data' under existing case law.
In long: I'm not providing legal advice, only forwarding details of (again, non-representative) conversations I've had or been party to with various lawyers on this topic. Notably: the consensus opinion is that determining that a potential IP range is specific to the EU is not the same as geolocating them as that location information is not specific enough to determine who the person is, and partly as a result of a lack of this capability and others, IP addresses cannot alone be determined to be personal data.
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
> 1. there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
> 2. the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
> On the facts, if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD.
By precedent (unless I'm missing more recent case law), for the vast majority of entities possessing IP addresses e.g. through request logs, an IP address is not "personal data," and determining the continental whereabouts of an IP would therefore not be considered "profiling."
I'm not a lawyer; I'm only relaying what's come up in conversation between attorneys covering the topic. I'm open to seeing the position I'm relaying above proven wrong.
Someone on reddit noted that this may be true for one more reason: the law does not allow automatic profiling of the user (Article 22)
> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
> 1. there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
> 2. the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
> On the facts, if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD.
The vast majority of entities do not meet the requirements for #2. Therefore, automatic profiling rules could not apply since the automatic analysis being performed is not against personal data.
I hope that IPs will stop being considered PII for the same reason. It's much easier to anonymize them at the ISP level rather than doing all these acrobatics.
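The two ideas in the comments above, that a coarse region verdict for an IP range does not require identifying a person and that the address can be anonymized before it is ever stored, can be shown together. This is an added example, not code from the thread; the prefix table is constructed from documentation ranges (not real allocations), and the /24 and /48 truncation widths are assumptions.

```python
import ipaddress

# Constructed region table for demonstration only: these are RFC 5737/3849
# documentation ranges, NOT real EU or US allocations.
REGION_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "EU"),   # constructed
    (ipaddress.ip_network("203.0.113.0/24"), "US"),    # constructed
    (ipaddress.ip_network("2001:db8:1::/48"), "EU"),   # constructed
    (ipaddress.ip_network("2001:db8:2::/48"), "US"),   # constructed
]


def anonymize_ip(ip_str):
    """Zero the host bits so the identifying tail is never kept.
    Assumed widths: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(ip_str)
    bits = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return str(net.network_address)


def region_of(ip_str):
    """Longest-prefix match against the region table.
    Works on a truncated address because the region is a property of
    the prefix, not of the individual host."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, region in REGION_PREFIXES:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, region)
    return best[1] if best else "UNKNOWN"


def log_visit(ip_str, log):
    """Record only the truncated address and the coarse verdict; the
    full address is dropped before anything is written."""
    anon = anonymize_ip(ip_str)
    entry = {"ip": anon, "region": region_of(anon)}
    log.append(entry)
    return entry


if __name__ == "__main__":
    visits = []
    for addr in ("198.51.100.77", "203.0.113.9", "2001:db8:1:abcd::1", "192.0.2.5"):
        print(log_visit(addr, visits))
```

The region verdict is identical whether computed on the full or the truncated address, so the blocking decision never depends on the part of the address that could single out a host.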
There is a lot of discussion about GDPR from an American perspective. I'm curious about the Chinese one. Does the EU really expect Baidu, WeChat and Tencent to comply with these rules? Or is this just a roundabout way of extracting bureaucratic benefits from American technology companies?
If Facebook certifies deletion of certain data, and somebody doesn't believe them, they can sue in an American court. If WeChat certifies deletion of certain data, and somebody doesn't believe them, they're SOL.
This is a clear misreading of the law. Look at the examples that you can't use profiling (including geo-IP) for:
> which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.
Blocking someone from reading a news website is clearly not a decision along these lines. Obviously this would need to be tested in court, but I would bet on it being allowed.
Also, the GDPR only applies at all if the business operates in the EU. If they clearly don't (e.g. by blocking European visitors) then the GDPR does not apply and you obviously can't use text in the GDPR itself to prove that you can't do that.
The GDPR's scope is based on geography, not citizenship. If you're an EU citizen currently in the US, you do not necessarily enjoy whatever rights and protections the GDPR might offer you if you were within the EU. If you're a US citizen currently in the EU, you do enjoy those protections.
It's a common misconception, and has been widely reported even in the mainstream media. FYI it's Article 3 of the GDPR that specifies the territorial scope authoritatively.
Fun fact: The word "citizen" doesn't actually appear in the GDPR at all.
I predict secretive offshore entities which exploit activities banned under GDPR which have sufficient economic value. Entities which are essentially judgment proof in EU. Maybe directly affiliated with a foreign government.
Being able to do certain kinds of background checks or financial risk calculations is the first use case which comes to mind.
Ignore the gettingmaildelivered blog... one certainly can take active measures to exclude EU visitors as a way of avoiding scope of GDPR. Get real legal advice if curious rather than relying on a blog.
Rest assured you would not see major newspapers doing exactly that without them having checked the legality. The analysis in the blog is wrong because the first question to be asked is "is the business within the scope of the GDPR", and _if you are a business in scope_, then you can't process personal data or track/monitor EU residents. However, you are not a business in scope of GDPR if you don't have a business presence in the EU and don't hold out your services to EU residents. Blocking that region demonstrates clear intent _not_ to offer services to EU residents and thus puts your business out of GDPR scope.
U.S. law applies, just like normal, unless the website is located in the EU. The EU claiming jurisdiction over transactions entirely in another country would be a major breach of sovereignty, which is why the law uses the phrase "data subjects in the Union".
Note that EU law does apply for visitors, so look forward to data tourism!
You can’t force people to operate in your country. The EU does not have sovereignty over the whole world. This is nonsense and is certainly not what is contemplated by the law.
Making it undesirable for some businesses to operate in your country is part of the cost-benefit analysis you have to do when passing laws.
The EU is overplaying its hand by claiming global sovereignty. If the EU really wants to play hard ball, the rest of the world can impose sanctions against the EU and bureaucrats who try to enforce illegal laws.