by fiiv 2952 days ago
Hi Brian! Thanks for taking part in the discussion.

But what part of GDPR was it that caused you to have to close off European Union users?


It's worth noting that GDPR applies to EU citizens regardless of where they happen to be in the world (or if they're using a proxy), so an IP ban does absolutely nothing to help comply with the law.

You'd think a real company would have talked to a lawyer about this.

That is incorrect.

GDPR makes no mention of EU citizens or residents.

The 2 main groups it applies to are:

1. activities of an establishment of a controller or a processor in the Union (so if the company is in the EU, ALL processing has to be GDPR compliant regardless of where the user is)

2. processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union (if the company is not in the EU, processing of data of people in the EU - note they just have to be in the EU and not residents or citizens - so if you are from the US and on holiday in the EU and you order pizza delivery to your hotel, that personal data has to be handled in a GDPR compliant way, notwithstanding that the pizza company is probably in group 1 anyway but hopefully you get the point. And the converse of that, if you live in the EU and are on holiday in America and order pizza, that personal data does NOT need to be GDPR compliant as you are not IN the EU)

There are a few other scenarios included too.

Edit: It's worth pointing out that 1 seems to have been completely missed in almost all GDPR coverage I have seen, possibly because most of the coverage has been heavily US centric. If the company is established in the EU, it has to comply with GDPR for ALL users, not just people in the EU. This is why Facebook [1] and others changed their terms so that only EU users have a contract with Facebook Ireland, and everyone else now has a contract with Facebook Inc (US) - previously everyone had a contract with Facebook Ireland.

[1] https://www.reuters.com/article/us-facebook-privacy-eu-exclu...

And that's the companies' out. Make shell companies that exist only in Europe to exfiltrate liability for the multinationals.

There's no real difference in "Facebook US" and "Facebook Ireland". The only difference is this methodology skirts the law.

Hopefully, the EU will climb up these jokes of shell companies and rightly smack them down.

How would that even make sense? A country enacts some arbitrary rule such as "You are not allowed to provide access to social media for its citizens." How do you possibly enforce that for citizens visiting or living in the US? (Short of demanding all users to verify their citizenship to access the site.)

No, it doesn't apply to EU citizens regardless of where they happen to be in the world.

close off European Union users? I don't see any info about that.

Am I misunderstanding you here? Instapaper's email literally starts with:

> Starting tomorrow May 24, 2018, access to the Instapaper service will be temporarily unavailable for residents in Europe