New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. GDPR, or General Data Protection Regulation, is a new user and data privacy regulation slated to come into effect in the EU three weeks from now, on May 25, 2018.
The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.
Geofencing is not exactly a new concept. At least it finally is being used for good (privacy protection) rather than for evil (arbitrary geographical media blocking).
Wrong reasons? I suspect many websites can't afford compliance. Sounds like a good reason to me. Block a minority of users or go out of business. I know what I'd do.
A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance.
This is just the type of service you would hope exists to make sure citizens can decide what levels of privacy they want and companies can decide what level of privacy they are willing to provide. For some time now we will see many stories of companies improving their privacy, companies pulling out of the EU market, and companies being fined by the EU. All are good and expected outcomes of rules such as the GDPR.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
No, compliance can not be achieved under a quarter of a million euros/year.
When I read Ender's game for the first time several years ago, I was struck by the idea that even though the story had been written long before the internet became what it is now, "the Nets" could still be in our future. The ever increasing geographic restrictions on the internet are taking us closer and closer to "the Nets". Now we just gotta hope that the bugs stay away...
Just like China has their own websites that comply with the great firewall we will have a world where large chunks of the internet will be GDPR walled. I expect most US companies will find it more profitable to block than comply.
If the US does similar legislation then suddenly the Internet will align to us and people will figure out new ways to make money.
“Common sense is not so common.” — Voltaire
The way I see it as a European, it will mean that they were selling my data anyway, so that means they won't do that anymore. It also means they will not be able to do that for any of the other 350+MM Europeans.
This was also the intended reason for the law. It is as if Europe is saying "You are not allowed to take our data" and these websites are saying "Well, if that is the case, as punishment, we are not going to take your data."
Don't fight for your country, if your country does not fight for you.
As a EU resident, I don't mind if companies are choosing to block EU if they can't comply with privacy rules. I'd rather not do business with those companies.
I actually want this to happen. Forks are good at times and allow for improvements. Maybe the european internet can create something better than the american one.
Avantgarde Hebrew science fiction
This is for all the right reasons and there is nothing wrong with it.
Many businesses don't target foreign visitors, but get them anyway. Websites target local content (small businesses, retail locations, etc) that really gain no monetary benefit in showing their products to EU customers. Why deal with any compliance?
Keeping up with the laws of hundreds of foreign countries (and the states/provinces within them) is a full-time job. It's also very technical. A business in Canada or USA or any other country can either study EU legislation and adjust their web site for no real benefit (avoiding the risk of hefty fines) or just block the EU and move on with life.
Until countries unify their data protection and online laws for the greater good of society as a whole, this is the new state of the Internet. Focus on your own markets which makes you money, block everyone else. Saves risking non-compliance with foreign laws.
when you see the word 'Linux', drink!
Europe has to offer plenty of customers or plenty of juicy data if you will. With about 511 million citizens of which probably 2/3 are relevant to the market there's a lot of money to be made.
Now companies will have to decide whether it'll cost them more to lose the EU market or comply to their regulations.
As someone living in the EU I'm curious how the outcome will look like. I expect most of the big businesses to comply but possibly a lot of smaller ones resorting to geoblocking. At any rate there's still VPNs and TOR available.
To regulate the rights citizens to a form of privacy within a market... Your business is welcome in our market -- if you provide a bit of privacy....
Disclaimer: I've worked myself into GDPR details to shape my employer up for it.
GP is a little off on some details.
You have to *name* a Data Protection Officer. This can be anybody empowered to check compliance. Usually this is done by some administrative or IT specialist. Germany has had this for decades. No need for an extra hire.
You don't have to spend thousands or millions. You just need to have a proper setup and due diligence in place. The new thing is that you need to document procedures in a standardized manner. The big difference between the law that comes in on 25.4.2018 is that someone could only sue you if he was damaged and only if he could prove a data breach of critical personal data. The fines up to this point also were laughable.
Now anyone involved, including customers, can ask how data is handled and the authorities and others have the right to review documentation of your SOPs for data protection. Also you're in for big trouble with massive fines (up to 4% of global annual revenue) if you're careless with data and aren't willing to comply with the GDPR.
In short: If you have your IT in order GDPR compliance isn't that much of a big deal.
Documentation is, but compliance is not.
If however your IT is shit, then you're in for trouble if they come for you. Big time. ... Can't really complain about that actually.
Since they *will* eventually come for you *and* most companies (online *and* brick and mortar) IT setups are somewhere between disorganized shite and abysmal, companies would rather opt out than go through the hassle of complying. Which means only companies with proper procedures and due diligence in their IT will remain doing business in the EU.
Thus endeth some real-world details on GDPR.
You're welcome.
We suffer more in our imagination than in reality. - Seneca
Seeing as neither of those things are true, want to try again?
I would think that EU would not be able to force compliance or extract fines from a US based company with no physical EU presence? Is this incorrect?
Don't want to deal with a country's rules? Don't let their citizens use their service or open an office there.
Should be everyone's right. Yeah privacy gets a hit but free market, someone else will fill the void and the world keeps on going.
While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"
This is shockingly stupid implementation, not stupid motivation.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
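Added example, not part of the thread and not GDPR Shield's code: a model of the point made in the comment above, comparing a block that depends on the visitor's browser running a script with one decided on the server before any content is sent. The GeoIP table is constructed from documentation address ranges, the blocked-country set is a sample, and `geo-block.js` and all function names are hypothetical.

```javascript
// Constructed sample data: documentation prefixes mapped to country codes.
// A real deployment would query a maintained GeoIP database (assumption).
const GEO_TABLE = [
  { cidr: "192.0.2.0/24", country: "DE" },
  { cidr: "198.51.100.0/24", country: "US" },
  { cidr: "203.0.113.0/24", country: "FR" },
];

// Sample of EU member-state codes; a real list would cover all of them.
const BLOCKED = new Set(["DE", "FR"]);

const PAGE = "<h1>Members area</h1>";

// Parse dotted-quad IPv4 into a number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip falls inside the CIDR block (plain arithmetic, no 32-bit overflow).
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

function lookupCountry(ip) {
  const hit = GEO_TABLE.find((e) => inCidr(ip, e.cidr));
  return hit ? hit.country : null;
}

// Client-side gate: the server answers every request with the full page plus
// a script tag. Whether the visitor is turned away depends on their browser
// running that script, and the request has been served either way.
function clientSideGate(req) {
  const bodySent = PAGE + "<script src='geo-block.js'></script>";
  const blockedInBrowser = req.jsEnabled && BLOCKED.has(lookupCountry(req.ip));
  return { status: 200, bodySent, contentVisible: !blockedInBrowser };
}

// Server-side gate: the decision is made before any content leaves the
// server. Unknown or malformed origins are refused (a fail-closed choice
// made for this example).
function serverSideGate(req) {
  const country = lookupCountry(req.ip);
  if (country === null || BLOCKED.has(country)) {
    return { status: 403, bodySent: "", contentVisible: false };
  }
  return { status: 200, bodySent: PAGE, contentVisible: true };
}

// Constructed visitors: same German address, with and without script execution.
const samples = [
  { label: "DE, JS on", ip: "192.0.2.10", jsEnabled: true },
  { label: "DE, JS off", ip: "192.0.2.10", jsEnabled: false },
  { label: "US, JS on", ip: "198.51.100.7", jsEnabled: true },
];
for (const s of samples) {
  const c = clientSideGate(s);
  const v = serverSideGate(s);
  console.log(
    `${s.label}: client-side visible=${c.contentVisible} ` +
      `(bytes sent=${c.bodySent.length}), server-side status=${v.status}`
  );
}
```

Both gates key on the source address, so neither sees through the VPNs and Tor mentioned elsewhere in the thread; the difference shown here is only where the decision is enforced.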
If you don't want to have to deal with the laws of a certain country, should have the right to not do business inside that country.
Of course, that leaves a big underserved market. In less than 4 years someone will come along and serve them, while abiding by the laws they hate.
Which could very well lead to those companies losing world wide market share as those new, privacy conscious companies expand out of their underserved market into the general world wide marketplace.
As for the laws they are trying to avoid? We need them in our country.
excitingthingstodo.blogspot.com
GDPR is one of the dumbest things I've ever seen
They're both true. Read the papers.
That's as it should be. If the regulatory costs of serving a region exceed the benefits to the company, then they don't serve that region.
If visitors lie about where they are from because they are just dying to use that juicy non-EU website, then fine, they don't get the regulatory protection. The company did due diligence to keep them out.
Seems reasonable.
If the short-bus version actually respects people's privacy instead of spying on visitors, then maybe we need more short buses.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
PRIVATE companies can exclude Eurofags if they want
What are the parameters for determining if you must supply them with documentation and how are they triggered?
Maybe it's time to remind them that they've screwed up things too many times already. Another VW-style "friendly warning" should do the trick.
Good.
When countries have congressmen/equivalent that pretend they can control the internet as part of their endless life of posturing, the correct answer is to move them off the adult table and block them.
Repeat until they decide they want to sit at the grown-up's table again, instead of playing Imaginary Level Of Reach And Obligations.
one or two (or even a dozen) events does not a systemic situation make
The little ones will ignore the EU, just as they ignore laws from Thailand and Saudi.
We'll see if the EU 'great firewalls' them in mass.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Haha sure thing, my dirt poor, lonely and frustrated American friend.
People you do business with don't have to be sitting in the EU when they visit your site for you to be liable.
... as long as they are EU citizens.
A EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.
Also, if you stored the shipping label to let's say...send them a package to their vacation home in Iowa, you're still liable
If all you do is Geo-fence, you're already not going to make it.
Depends on how important the EU market is for them. But yeah, I expect that a lot of small companies that operate outside of the EU don't have a lot of EU customers to begin with. So their decision will be to either ignore it completely or if they give a shit block the EU from their side.
Actively locking them out of EU countries is the last resort of the EU if they do not comply in any way. Although that will probably have to happen on national basis, where every country may act in a different way.
But if that happens I'm already looking forward to the inner political backlash and shitstorms caused by infuriated EU citizens.
"The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe."
Only a nightmare to those companies siphoning off data without consent. No sympathy for those scumbags.
As a EU resident, I don't mind if companies are choosing to block EU if they can't comply with privacy rules. I'd rather not do business with those companies.
Yeah, providing a GDPR Shield service is a bit like providing a shielding service that protects your business from customers in countries where there are regulations forbidding the sale of E. Coli infected food. The customer list would be a veritable consumer’s guide to where not to shop.
The rest of the world has been seeing this kind of stuff for a long time - geofenced US applications "sorry not available in your backwater country."
They aren't protected AT ALL. Unless you want to try to invade the US to enforce your rules, you can call all the cops you want, file some diplomatic grievances, quote some EU law, and they will laugh at you.
EU people are always on about the US trying to police the world. Well, this is the EU trying to enforce their laws globally. We tell the Chinese to piss off and they have *real* power. The EU is a bunch of backwater corrupotocrats trying to replicate the USSR who have no power whatsoever, and depend on us for both endless streams of money and for subsidizing their defense (in some cases because we don't trust them to have any power themselves, Germany being a repeat offender). You have NO control and the people that are currently paying their fines are doing it semi-voluntarily - it's extortion and designed to be.
If push comes to shove, US companies will tell you to piss off and there's not one damn thing you can do about it.
I actually want this to happen. Forks are good at times and allow for improvements. Maybe the european internet can create something better than the american one.
Therein lies the problem for Europe though. What/who is going to make 'their' internet? They piggyback off Americans for pretty much all their IT. Search engines, streaming services, mobile platforms, OS'es, online retailers, and so forth.
As an example. We have a specific enumerated right in the constitution permitting us to bear arms. So I am sitting in a coffee shop in, say, Berlin, with my Navy Colt in a holster on my hip. Do you think my rights are protected?
Because since corporations write our trade agreements and GDPR is not in their best interest in terms of profit, they'll just simply write an exemption into the next one. Or they'll go to the WTO and have it struck down that way.
Anonymous Cowards generally receive no replies because you're a coward and I'm a bitch
I haven't read even highlights of the new law other than what I have seen in these comments. We have a website that allows for people to register a bonus card for a bonus card program we market. This is sold in a small geographic area of NA. It would theoretically be possible for someone to register a card without having a physical card (guessing inside the ISO range). So what happens if some EU citizen registered on our site? Would we fall under the new law? I will be adding language to terms and conditions stating that the service is not intended for use in EU, etc..
So yeah, there are some small 'Mom & Pop' organizations out there that don't market globally and don't have the resources to comply with this law.
Don't get me wrong, I think the law is a great idea and if we were a EU company would have designed for this.
> nothing that really matters internet-wise comes from Europe
Whilst it's true that most of the popular websites are hosted in the US, nearly as much of their content is generated in the EU as the USA. And bear in mind that we aren't talking about a "net split" here; we're talking about US firms choosing to shut out EU visitors; it wouldn't go both ways.
If Facebook were to decide not to operate in the EU, for instance, then it'd be about ten minutes before someone launched "EUbook". Everyone in Europe would have to move to such a platform, and network effects are thus that people would conglomerate onto one platform/ecosystem. Anyone in the US who wanted to connect with anyone in Europe would have to create an EUbook account, and anyone who cared about privacy (that 0.1% of us that do...) would be pushing all our friends to move to EUbook. FB would be dead in the water. Which is precisely why they have taken the far more pragmatic and cynical path of allowing EU citizens privacy whilst denying it to others on the same platform. Sure, it hurts their data-harvesting and bottom line, but the alternative is oblivion.
Also, frankly, I think Europe should still get a little credit for our one significant contribution to the modern internet: the web. Yes, it was a while ago now, but if TBL had decided to license the shit out of it and make millions instead of giving it to humanity for free, there would never have been an open web for US companies to parasitise their way into.
To avoid the annoyance/inconvenience of dealing with this ruling, more and more non-EU web sites may choose to block EU traffic instead of adhering to the rule. How long will it take before Europeans notice they're basically locked out from the rest of the world because of this?
While you can block based on IP, this doesn't address EU citizens living abroad in non-EU countries like the US. GDPR applies to all EU citizens regardless of location.
I hope the EU becomes an internet desert, it will serve the autocrats right.
The companies should work on circumvention instead of compliance with the tyrants. This is a social problem that only technology can overcome. We must make the internet indelible and fully accessible to everybody, first by obsoleting the ISP. And let's rub the tyrants' nose in new freedoms they can't take away.
The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.
You argue that the law might be unenforceable for companies not having a legal presence in the EU, but assuming this to be correct, it makes the geo-fencing even more useless: why geo-fencing away users when by your assumption you can ignore EU liabilities anyway?
A EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.
No they're not. The text of the GDPR doesn't mention "citizens" even once, but it does specify the cases where it applies:
Article 3(1): This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
I.e. All European companies must comply.
Article 3(2): This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b. The monitoring of their behavior as far as their behavior takes place within the Union.
I.e. Any foreign company selling to or monitoring someone physically located in the EU—regardless of their citizenship—must comply.
Article 3(3): This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
I.e. Any foreign company who is otherwise required to comply by international law must comply.
And that's it. That's the exhaustive list. There are no other cases where it applies.
Notably absent from that list is anything even remotely resembling your claims. In fact, EU citizens traveling abroad are, generally speaking, NOT protected by the GDPR so long as they are abroad. And really, that's how it should be since it'd be wholly unenforceable in a jurisdiction outside of EU control. Jurisdictionally, it'd be no different than the US' recent, wrongful attempt to enforce its will outside its jurisdiction when it demanded that Microsoft hand over data contained in its European data centers.
So, contrary to your claim, if all a foreign company does is geofence their service, then yes, they should be just fine.
seems pretty true, at least by germany's (the defacto leader of europes) own statements.
but mod it down because i hurt your feelz
have you seen my sig? there are many others like it but none that are the same
> If you aren't targeting EU users, simply use GDPR Shield to block all traffic from the EU
So, companies that don't want EU customers are blocking EU customers.
Nothing to see here.
> unintended consequence of shutting out millions of EU users off of thousands or more websites owned by companies that are not in the mood of spending thousands of dollars to become GDPR compliant
I think you mean companies that don't want to stop selling your private info.
It means Europe matters less on the world stage. Already, China, Russia, and Asian countries are beginning to be the place to do business. Europe is becoming a place that businesses flee from, because the regulations are so constricting that it takes too much money to comply.
Feel free to isolate and run the world off. Even North Korea learned this is a bad thing.
... but when some other country (ish, EU) is expected to affect the US, seems to be bad.
Someone explain this to me
That is not true. Ask facebook or microsoft. You might have the headquarters, but we have their servers (and money).
Plus, linux, the world most used software, originated in Finland.
Your example isn't even valid. It only covers personal data collected on an individual while they are in the EU at that time it was collected. It's a residency law and it doesn't travel with you abroad. A US citizen visiting for a week in Germany is covered the same as an EU citizen living in the EU their entire life, but only while they are within the EU territory. Once the US citizen leaves the EU and any data they generate outside the EU it is no longer under the GDPR. If they signed up for something online in the EU then that data is protected. The EU Citizen living in the US or Australia does not get the protections offered by the GDPR as if they were still present in the EU.
Personally, I think this is a great solution. You make onerous laws with costly teeth - you get blocked. Don't cry now because you will lose access to parts of the Internet.
Captcha: humbled
EU companies can pirate your product and call it even.
I manage the CRM of a US financial institution with EU clients and there is guidance
So, how many $hundreds of thousands did some legal team charge your employer for that guidance, not to mention ongoing guidance and review?
Is there a clause in the GDPR that would allow a site to just prompt users in the EU and say something like...
This website does not adhere to the GDPR.
By continuing to use this site you acknowledge this.
[Leave] [Stay & Have Fun]
> Increasingly nervous amerimutt goes on rant about bureaucrats.
Haha, you wish you had some of that sweet European privacy protection. If a company has a presence in Europe, it won't escape that 4% of yearly revenue.
Surveillance capitalism is over. Privacy invading mutts, you are FUCKED.
and Tim Berners Lee is from where? and was working in which country? and founded what?
As a EU resident... I'd rather not do business with those companies.
And you'd rather impose that "choice" on hundreds of millions of your neighbors too, since GDPR can't be waived.
... but when some other country (ish, EU) is expected to affect the US, seems to be bad.
Someone explain this to me
It would be pointless to explain it to you. If you're not an American you wouldn't understand. :)
Thank you for your business. Your slashdot account would be deleted in 5...4...3...2...1...good bye.
Wouldn't it be better if the company just said 'we don't do GDPR, you decide'?
Oh, it wouldn't, it would give you a choice and you *could* decide to do business with them, and that would be bad, because the government says so.
See, that post is why Germany doesn't get to have nice things.
GDPR is based on location, not citizenship. https://cybercounsel.co.uk/data-subjects/
In a way, it is the EU trying to enforce their laws globally. It does apply to any data collected about EU citizens.
In another way, it isn't. It only applies to data collected about EU citizens.
In any way "EU people" are not "always on about the US trying to police the world". It might not have occurred to you, but apart from the recent mild disagreements over trade and the Iran deal, the only time in the past 20 years when a majority of European citizens disagreed with a majority of Americans was over the Iraq war. I was personally in favor, actually, but given how it turned out, I'll concede that it was probably a mistake and I was in error. As it happens, a majority of Americans are now of the same opinion.
But instead of a rant about poorly understood geopolitics, why not talk about GDPR? It is, after all, TFS.
For a mom and pop (or not so mom and pop) webshop, the consequences of GDPR are exactly zero. Provided that their shopping cart software uses https (they all do), allows the customer to change his contact details (they all do, because, you know, they actually want to ship this stuff to you), have a view of your past orders (they all do), allow you to delete your account (they all do) and don't default to "we'll email you shit you don't care about", that's pretty much it. They have nothing to do. They certainly don't have to name, never mind hire, a "Data Protection Officer". They don't even have to actually delete anything if the customer requests it, because GDPR specifically says they're allowed to retain data that may be necessary in a lawsuit, which all commercial transactions inherently are.
The only new thing is that GDPR says they're not allowed to give or sell that information to anyone else.
You may see this as a bad thing. If that's the case, if you think you benefit from any random person having personal information about you without your knowledge, if you think it's a good thing, feel free to post your name, address, phone number, SSN, and online shopping record here. It's all good after all.
You haven't? Well then you agree with the idea of GDPR, regardless of whether it's a bad foreign EU thing or not.
Estonian Digital Residents.
Does GDPR protect them or not?
And by nice things you mean consumer junk, corporations raeping you in the ass, and jew running your lives with capitalism, while bombarding you with propaganda so you can't even understand the manner in which you are not free.
It's the jews son. You need to gas them before it's too late.
(Haha you've got zero privacy protections)
"If push comes to shove, US companies will tell you to piss off and there's not one damn thing you can do about it."
Well, other than sue the ass of their EU assets. Which they will have because we're all global these days
The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.
You shouldn't believe everything you read online. Article 3 of the GDPR (see: page 110) specifies the "territorial scope" where the GDPR applies. While there are some details I'm glossing over, the gist of it is that the GDPR only applies when you, the company, or the target of the business is physically located in the EU. Notably, it makes no attempt at distinguishing between citizens and non-citizens, whether local or abroad, nor does it attempt to apply itself outside EU borders, except inasmuch as international law applies (e.g. reciprocal treaties, territories subject to EU member states, etc.).
So, if you're a person in Frankfurt trying to book a flight with Lufthansa, you get GDPR protection, regardless of if you're German, American, or anything else. The company is based in the EU and you're in the EU, so you get the protection.
If you're a person in New York trying to book a flight with Lufthansa, the company is still based in the EU, so you get GDPR protection, again without regard for your citizenship. This is a fact that—as an American—I am very much looking forward to, since it means that some of the benefits actually do extend to me over here.
If you're signing up for Netflix on its German-language site while in Frankfurt, you get GDPR protection. They're targeting people in the EU with their website, so they've made themselves subject to EU regulation. And again, the regulation applies, regardless of your nationality.
If you're signing up for Netflix on its English-language site while in New York, the company is neither targeting you in the EU nor is it based in the EU, so YOU DO NOT GET GDPR PROTECTION. And, as with the other examples, that's true whether you're from the EU or not.
As for what any of this has to do with geofencing, whether the GDPR applies to a foreign company boils down to whether they are targeting users located in the EU. If they engage in marketing in the EU, make their website available in the native language of an EU member state, or accept payment in Euros, those could be taken as proof that a company is targeting EU users and is subject to the GDPR. Conversely, geofencing the site to prevent users in the EU from accessing it is an effective way to proactively protect themselves from claims that they are targeting European users and should be subject to the terms of the GDPR.
All of which is to say, no, geofencing is not a misguided attempt at avoiding liability. It's actually a perfectly legal step that fully complies with the terms laid out in the GDPR. Moreover, the GDPR is completely unenforceable at a Starbucks in Iowa, not because the EU has no ability to enforce it there, but rather because the EU made no attempt to enforce it there. They respected the sovereignty of foreign regions.
Does this mean, as a U.S. user, I can list myself as living in the EU and instantly have better privacy?
As a neighbor, I, for one, kindly ask you to go fist yourself. I never gave my agreement to any company to collect my data and exploit it. This is my choice. Nobody is prevented to enter in an agreement with those data thugs. More choice for everybody. Now fist yourself.
I don't think americans have some magical talent for engineering that other nations don't, despite what propaganda says. I also don't believe that capitalism magically creates amazing things that no other discipline can't. Hell, the internet itself was made with government funding.
Avantgarde Hebrew science fiction
So all I need to do to protect my privacy in the US is to VPN myself via the EU? Of course that means the NSA + GCHQ will definitely collect all my metadata. Do the NSA + GCHQ have to comply with the GDPR?
They have been sending strongly worded letters to, say, North Korea for some time. This will be precisely as effective.
You think this is new ? Ever heard of FATCA (https://www.irs.gov/businesses/corporations/foreign-account-tax-compliance-act-fatca) ?
Learn what non-US banks do to comply with US laws.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
This sounds like a business opportunity. Some GDPR compliant EU company can have a single shipping address and the rest of a process to make EU customers anonymous to businesses outside the EU. Then, they can set up a server outside the EU and allow EU customers to anonymously shop the world. Businesses outside the EU don't have to worry about compliance and customers inside the EU will have access to products from anywhere. Plus, for the EU customers, another small delay and another fee will seem very ordinary. It won't be long before such a business will find non EU customers who prefer private shopping as well, especially when the customer data is stored in the EU, and organizations in the non-EU customer's government have to deal with delays and fees to obtain that data and de-anonymize the shopping.
Ganjadude, you need to stop smoking that shit! Apparently it is of so low quality you are getting really bad hallucinations.
If you want you can come over and see the hordes of migrants hell bent on blowing me up. If you can find them that is... I will even let you sleep on my couch for free. I am less afraid of those migrant hordes than the unstable politicians in the US. They can make more impact on my daily life here in Europe than people fleeing for their lives trying to get to a better place.
The proper solution is to update your terms of service specifying that using the site as an EU citizen is expressly prohibited, therefore your logs and collected data are now protected as criminal evidence so when the GDPR compliance task force comes knocking, you can tell them that the data cannot be deleted due to US law regarding unauthorized access to a computer system. Then you can let the state departments battle it out over which law has priority and you don't have to worry about anything for seven to fifteen years of red tape.
Lol, good point, I'm going to love seeing the headline "Local police department fined 24 million dollars because they refused to delete an accident report of an EU tourist."
https://wordpress.org/plugins/iq-block-country/
I use it to block other countries from the backend of my sites, but it also works blocking countries on the front end, as well, returning a 403 Forbidden error instead. Easy to configure. Works like a charm.
I've no connection to the developers, just that it's the best I've found.
You completely misread my remark. It's about people -- not banks -- and US law certainly isn't what's at issue here.
I was remarking that the poster was blithely saying that he'd prefer to not do business with certain companies and that the poster's ok with a law that rams the poster's choice down the throats of neighbors, family, countrymen...
You completely misunderstood reality.
It's about people, not banks? So banks are not run by people? And banks are not used by people, both within their country of origin and outside?
Even this EU regulation is about internet companies, not people.
US laws are not an issue here? It is called an example, an analogy. US lawmakers imposed their choice on all US citizens: the choice of not doing business with people running any bank that does not share information about US citizens doing business with their bank. This doesn't help the US citizen at all, except securing the revenue of the US government.
EU lawmakers also imposed their choice on all citizens of the EU: to not do business with companies invading users' privacy. This actually helps citizens keep some privacy.
Anubis already demolished this claim.
Furthermore, if the TOS say that you agree not to assert certain rights against the company and your citizenship prevents you from making such a deal, then you simply can't use the service.
UNLESS you are actually a 'citizen' and subject to the EU jurisdiction, OR you have registered as an entity in their jurisdiction - just ignore it.
The EU can threaten, but as I am not part of the EU, I will continue to be free to engage with any EU citizen under the jurisdiction of MY government.
The EU wants, requests, and might get. Cannot enforce.
Though a firm outside the Union can designate an existing employee as its data protection officer, it still has to hire somebody in the Union to act as the firm's representative to customers in the Union pursuant to article 27. This service costs $2,700 per year (source), even for a business that has less than $40,000 per year of revenue from the Union.
Would you find it acceptable for a business to provide an opt-in marketing preference and charge a handling fee that's waived for customers who opt in?
Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?
The billing and shipping data themselves are enough personal data to trigger the obligations of the GDPR, including the obligation for a firm outside the Union to spend a substantial fee on designating a firm in the Union as its representative pursuant to article 27. The only payment methods I can think of that do not use personal data are cash and cryptocurrency, and the only shipping method I can think of that does not use personal data is in-store pickup.
I agree with you that the DPO requirement is not nearly as onerous as the requirement under article 27 for firms outside the Union to hire a representative within the Union. But article 27 alone is enough to warrant use of GDPR Shield if a firm doesn't do enough business with individuals in the Union to cover the cost of an article 27 representative service.