by _o_ 2951 days ago
Hm, that seems like good advice, I was thinking about that too, and came to a quite tricky problem, hypothetical situation: an EU user uses technical measures (or just clicks the checkbox) to circumvent your blocking and then sues your ads provider, which is US based and does operate in the EU, due to personal data collection without consent. And they figure out they are having legal/operational costs due to you, as operator, serving them poisoned data.

Can they (ads provider) sue you? And if they do, even if you are not guilty, how much money would it cost to win at the court?


Talk to any proponent of the GDPR, and they’ll tell you that it’s all about principles and intentions. But that’s a double-edged sword. Sites can’t lure EU users in and ignore GDPR, but at the same time, users cannot lie to you, and then go file a complaint with a regulator or demand rights that they told you they don’t have (either by using a VPN, which means they are lying about their location, or checking the box attesting to something they know to be false).

When looking at whether an action can proceed under the GDPR (either against you or an ad network whose code you have on your site), their regulators will review your site and see that the checkbox was required to register. That, combined with not having content or services targeted to EU users, should stop any GDPR action in its tracks before it is filed.

This of course all depends on the GDPR being enforced in good faith. They have every incentive to be abusive with it, and no incentive not to be. But we just have to hope that newly self-declared privacy overlords in the EU are kind and benevolent.

> Talk to any proponent of the GDPR, and they’ll tell you that it’s all about principles and intentions.

Here's a random and perhaps unfounded thought that I've had a couple of times regarding this line of thought re: GDPR.

What is to stop some foreign bad actors from abusing the hell out of this legislation and burning up more useful time and energy on it? Moving beyond that, it would very likely serve to further divide and erode the trust between the EU and the US.

For example, if we're to assume that Russia is seriously meddling in everything that they currently stand accused of meddling in, essentially engaging in some loose, and seemingly effective (depending on who you ask), forms of cyber warfare, then what is to stop them from turning this regulation into a complete nightmare for US/EU relations and further driving us away from our common goals?

It just seems to me that these sorts of good faith and intentions based laws don't work as effectively in the modern era as they maybe once did.

edit/ It honestly doesn't even need to be so malicious. I could imagine trolls causing more than enough trouble for small businesses just for the lulz.

> What is to stop some foreign bad actors from abusing the hell out of this legislation and burning up more useful time and energy on it?

Nothing, and in fact it incentivizes each of the 28 countries to act in bad faith. The crippling fines authorized by GDPR have the potential to both create enormous revenue streams and hobble foreign competitors of local companies. GDPR advocates say this won’t happen, but there is nothing to stop it.

> further divide and erode the trust between the EU and the US.

You mean more than all the leaks of EU data by US companies that go unpunished because of loose/nonexistent US privacy laws?

Yes, but doesn't the checkbox you mentioned do exactly that, force the users to ignore their rights for the sake of using your site? If this were acceptable, it would put GDPR in the position of the cookie law nonsense, and if I understood the ICO correctly, this doesn't create consent as the user had no free choice. There is a human rights interpretation here, for example, if we create a contract that I will be your slave and you give me a car in return, it is quite simple for me to sign it, but that contract would be void even if you prove that I signed it.

The ICO gave a market of live human organs as an example.

In the same manner, even if I would click that I agree that your site is designed for US privacy laws and not for people under GDPR protection, it would be the same as if you warned me that I will be your slave before signing and that I can just walk away and not take the car. But if I take the car, the contract would still be void. I don't think that this would fly.

The problem is not in the GDPR requirements but rather in the right to privacy as a fundamental human right, and GDPR is just advice on how to respect it - it is actually free help.

What you want to avoid is something much bigger than the checkbox on your site or IP blocking; check "The Bill of Rights" here:

https://en.wikipedia.org/wiki/Fundamental_rights

This is something you shouldn't even think of violating, not for EU or US users. Or anyone else.

> Yes, but doesn't the checkbox you mentioned do exactly that, force the users to ignore their rights for the sake of using your site?

It doesn’t force them to do anything, nor does it ask them to waive any of their rights (which is often illegal and/or unenforceable). Instead, it asks them to certify that they are not subject to laws more restrictive than those in the US. If they are, they are not allowed to register. As the site owner, you have a legal right to rely on your users not lying to you. Your slavery example is an entirely different scenario - you are asking people to waive rights they have (to not be a slave in this case). That’s not what this checkbox says.

The main point of the checkbox is to signify your intention to not offer services to people subject to the GDPR or other restrictive laws. We have been advised (by actual attorneys) that this should meet the standard built into the GDPR that we do not “envisage” the offering of goods or services to those subject to it.

Exactly, this is the problem of GDPR: the user can lie, and you have no passive defense against it; you can't even make the excuse that you didn't know. You shouldn't even offer him a choice. The only defense is that the user gives you consent to it (at least GDPR is giving that choice). Everything else is void. Same as with slavery. You can't violate fundamental human rights even if the user begs you to do it, except in states like South Korea, China (actually, you don't need to beg there =/)

I think that in the end the world will be a better place due to GDPR, but there is surely a rough ride ahead - not due to respect of privacy but due to violating it so often that it became normal to us.

Again, if they lie to you, you’re covered. It’s about your intent. Do you intend to offer goods and services in GDPR-affected countries? If you have a checkbox like this, then you clearly don’t, and GDPR does not apply to you.

Yes, I understood your point, but I think you are struggling with mine: you might not offer goods to the EU, but your ads provider might. And by feeding it with GDPR-protected data, it might sue you, in local courts, just for PR reasons or something else. I am not saying they will, I am just showing you the justification why they might.

I think that a much greater threat is coming from the direction of the US companies you use than from EU courts; this (again, might) become another "patent trolling"-like action from some US companies.