
Considered this before, but it doesn't work. IIRC, the law applies to euro citizens both living in country and abroad. As such, GeoIP blocking is not a working strategy. (A French citizen who lives in Japan still has GDPR rights.) A better one would likely be a clickwrap agreement for all users stating "European citizens are not allowed on this service", with an "I am not European" tickbox they have to click.


You hear wildly different takes on this depending on the source. Troy Hunt had a (now seemingly deleted) article where he claimed you have to be targeting EU users specifically, i.e. offering products in a European currency, EU domain, EU language (other than English).

Dropping an IP block on the EU seems to be a pretty clear indication that you aren't targeting EU users.

EDIT: Found the article https://www.troyhunt.com/free-course-the-gdpr-attack-plan/


I'm the author of the post, and yes: blocking 500 million geolocated people is crazy. That's not the spirit of the law.

I just wrote the post because if you want to overkill and you are lazy, you can follow our recipe to 'implement' GDPR. I just wanted to be sarcastic and also show how easy it is to implement Cloudworkers + Apility.io.


On the contrary, if you are running a business where 99% of your customers are outside of the EU, it's totally rational versus opening yourself up to massive liability.


You need to purge that 1% customer data though. If you're accepting EU citizens' data through any channel (another business, them using a VPN, via smoke signals), you need to comply.


Yeah, no, please stop this FUD.

You need to comply with the laws of the jurisdiction you operate in. If you don't operate in the EU (and having a presence on a global communication network does not qualify), EU laws are not applicable.

The onus is on concerned EU citizens to stick to .eu domains with a feel-good GDPR-VERIFIED banner if they are so inclined, not on the rest of the world to bend over.

As a non-EU business, I will pay my GDPR "fines" right after I'm done paying my Iran and North Korea issued fines. Cheers!


This, ladies and gentlemen, is exactly why the GDPR is needed.


For comedic effect?

Seriously though, I made no comment on the law itself so I'm not sure what your point is. Most reasonable people would agree it's a good law in spirit, and I wish I had some of those protections where I live.

But the notion that it can be enforced on non-EU entities is ludicrous.


If it is while the customer is in the EU.

If the customer joins your Japanese site while in Japan, it's governed under Japanese law, not EU law. Your citizenship is irrelevant.


Do you have a source for this? Would love for this to be true but there's so much disinformation out there.


Blocking 500 million geolocated people is crazy. That's not the spirit of the law.

No crazier than thinking you have to comply if you have no connection to the EU.


If you have no connection with EU why do you collect personal data from the EU citizens? If you don't collect why worry?


What does "collect" mean? It's too broad to comply with.


They keep sending it to me. Apparently, even asking them not to and trying to block them is not enough for some people.

Just to be clear, I treat all my users fairly and protect their data, and I am not intentionally targeting any EU users with anything I do online.


You have a responsibility to your users, be they EU or not. The fact you consider "they keep sending it to me" means that you are not considering the whole privacy issue. This data is not yours to do with as you please. Yes, they send it to you, but you are listening; you are the active party here. There is a duty to protect your users' data.


I have a responsibility to treat users in a way that I consider fair, which includes protecting data such that it doesn't get used in a way that I wouldn't want my data used, or that a person who is more sensitive than me wouldn't want their data used.

I do not agree that I have any sort of implicit responsibility to treat my users in a way that an EU bureaucrat deems fair.


The question I was answering was why my company is collecting this data. We have email subscribers from the EU because...they subscribed to our email list. We don't advertise in the EU, we have no EU-specific languages or currency on any of our projects, etc. But EU users still want to subscribe to our content, visit our site, etc. So we're "collecting their info" because they voluntarily send it to us and we're not specifically trying to block them. Perhaps we should.

We're not compliant with the letter of the law of GDPR (and according to some it doesn't apply to us at all due to the above), but we treat all user data seriously, regardless of where they come from. If that's not good enough, then people can stop visiting / subscribing / purchasing, or the EU can try to levy a fine and collect it. I'm not particularly worried about either scenario.


Your post was really hilarious. It's the first funny thing I've seen about GDPR, which among other things has unexploited potential for humor.


Best hope there are no people using VPNs.


You should consider making this a bit clearer in the beginning. There is already a lot of confusion about GDPR lately and people could take your post seriously. As pointed out by others already, geo-blocking isn't a proper way to become GDPR compliant.


> Considered this before, but it doesnt work. IIRC, the law applies to euro citizens both living in country and abroad.

No. The law applies to people physically in the EU, not blanket to EU citizens. An American in Paris is protected by GDPR laws - a German living in NYC is not.


> IIRC, the law applies to euro citizens both living in country and abroad.

GDPR doesn't mention citizenship, it applies to any Data Subject who is a 'natural person'. The scope is stated as 'whatever their nationality or place of residence' which is universal.

So just blocking EU residents is not enough, one would have to also ensure that no other data is processed (1) within any country implementing GDPR or (2) anywhere in the world if you have a controller in the EU, his role being a sort of GDPR proxy.

Even saying 'within EU' is actually inadequate; the Isle of Man has implemented GDPR but isn't in the EU and there are probably other examples.


Nah, the law doesn't mention citizenship. It applies to "every user in the Union" and to all companies in the Union.


So much this. So many people conflate citizenship and residency, and it leads to no end of confusion. GDPR applies to EU residents, accessing services from the EU, and some more edge cases. But not to EU citizens.

(There are countries with up to 30% non-citizens, and there are plenty of multi citizens. The distinction is entirely relevant.)


Not even residents (meaning permanent residents). People who are in the Union's territories (including tourists / visitors). Like most laws it applies wherever EU countries have jurisdiction. It applies to all your users if your business is located in the EU though.


As an American in Europe I didn't have HIPAA rights.

How the hell does the EU claim extraterritorial jurisdiction over the entire world? And people complain about America being “imperialist?”


It doesn't. GP is spreading falsehoods. The law applies to users in the Union, regardless of citizenship.



