You can still run a free website and be compliant with the GDPR. The EU/EEA is the largest market in the world; closing yourself off from a market that size will hurt more than changing a few things to be compliant.
> closing yourself off from a market that size will hurt more than changing a few things to be compliant
Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.
> Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles?
If you run a free website that depends on targeted ads to make money, you might want to expand to the EU but now you'd need to totally change your business model to do so. For some that would basically mean inventing a new company because their service is not the type people would pay for. So in this case, it may not be worth it.
> There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.
The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.
They could still make some money from showing non-tracking ads to European users and tracking ads to American ones. Perhaps not as much, but as they have already written the content I don't see why you would just give up on that revenue stream.
The point is that, if I'm not making material money from EU residents today, it may be easier for me to just make it clear that I'm not trying to do business in the EU than figuring out if I need to do anything to become compliant. I may in fact be 100% compliant, but it may take effort to figure that out and there's potentially still some risk.
Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.
This could definitely happen, but would not make sense for the Chicago Tribune and LA Times, which are big corporate entities united as subsidiaries of Tronc, Inc., and could even pool resources to have one compliance office among them from the parent company.
For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:
- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and prefers not to invest in doing so.
- Tronc can’t remain profitable if displaying GDPR-compliant pages in EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).
- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.
So while I agree with you about some small businesses just not wanting to mess with GDPR compliance or risks, however small, it certainly isn’t a viable explanation for these newspapers.
It's likely that it's just a side effect of months of institutional paralysis. The Chairman of Tronc stepped down earlier this year after allegations of misconduct and I believe they were negotiating the sale of the LA Times to an investor and the rest of the company to Softbank.
I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks users accessing their site through a VPN, without informed consent, they are in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't make provisions about whether the controller or processor has a way to find out if the behaviour of the data subject takes place within the Union. I don't see any reason for a different interpretation in the Recitals, either. Furthermore note that subs a and b in art 3 para 2 are alternative, not cumulative requirements.
Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.
The relevant language is in recital 24. “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.) Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it whatever people may wish.
Sure, that's a criterion for art 3 para 2 sub a. What I am talking about is sub b, for which the question whether one offers goods and services is irrelevant (that's what I meant when I said 'a and b are alternative, not cumulative').
So the question is: does the Chicago Tribune 'monitor user behavior'? The recitals say about that:
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.
I've been served ads on US outlets for products which clearly target my home market (Germany). This will make it hard to argue that you are not targeting that audience. In my opinion, if you serve ads on your site which target EU consumers, you're doing business here. I don't think it matters whether you do that through a third party.
By blocking EU IP ranges, that may change, I admit that. However, if by other measures like fingerprinting the browser you serve EU-specific ads to VPN'd users, you may be in for problems.
IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.
The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.
So you're saying that if I block my site to EU IPs, and someone uses a VPN to look like they're coming from the US and bypass that, they can then sue me under the GDPR? No way.
No, they can't 'sue' you; they can make a complaint to their data authority who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority to make a case out of it, then yes. (provided everything else also applies, e.g. the things being talked about in the rest of this thread).
Put it in your TOS that European users are forbidden from using your site, and then if they complain to a data authority press charges under the CFAA, and sue them for damages you incurred due to their violation. Then let the courts hash it out.
Such TOS would most likely be 'unduly onerous' or whatever the local term for this concept is in other EU jurisdictions.
I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.
This is only your opinion. It doesn't say that on the page you pasted. To be compliant you probably must clearly state that the service is not for EU residents and ask them to leave. Even that could be too little.
"...the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union [...] is insufficient to ascertain such intention"
I don't even see in the law whether or why the dpa would disclose the identity of the complainant. Maybe there are procedural situations where it would happen, I haven't really thought about it. I think people are too hung up on a specific person making a complaint. It's the dpa that will take action, probably removed a few steps from the initial complainant(s). This is not Law and Order style legal proceedings.
When you don't, a competitor steps in, and if the day comes that you want some EU sales, you will have to spend huge sums to establish your brand if you are not a huge brand that's on TV shows and the news all the time.
Geo-locked products are nothing new. I lived in a communist country, a few EU countries and a middle eastern country and I can promise you that when a certain brand is not available a local competitor pops up, and after the original brand becomes available it remains a curiosity unless it's a massive pop culture icon (McDonald's, CocaCola, Amazon, Netflix etc. - stuff that's on American TV shows all the time. The TV shows are also geo-locked but local pirates make them available a few hours after the USA. Even in Cuba).
So, it's not a simple problem of if(profit < feel like worth it) then block EU.
False. The marginal cost of an EU customer is no longer zero. Why should I put in a bunch of work for GDPR compliance if the cost to implement it exceeds the initial marginal cost of an EU user? There is still the rest of the world.
Good. If you do not value my privacy, I don't want you to do business here. Another product will replace your own. And in all likelihood an EU one, meaning less euros leaving the eurozone.
Exactly. The most basic/outrageous example: anyone in the EU who installs Apache and leaves it in its default configuration which logs all page visits indefinitely is now a criminal.
Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.
Nobody would have said this a year ago. How are people getting so swept up in this privacy zeitgeist that they think web admins keeping logs is horrendous?
I know! Just imagine...your (likely dynamic) IP address exists in forgotten log files all over the web. The horror!
One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.
What possible "horrendous" harm is there from apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?
Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to 20 million euros.
The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!
But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??
Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?
> If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?
Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.
That's optimistic ... but there is no reason to believe in many niche areas that another equally good product will do that. It is very plausible that in fact what will happen is that EU customers will be significantly delayed in accessing valuable services and products. And in many cases the web sites that provide those would be making no meaningful intrusion on privacy in the first place.
Please don't believe your own propaganda. EU/EEA revenue is a fraction of US revenue for all large multinationals. Small businesses probably make even less from the EU.