by ghaff 2952 days ago
> closing yourself for a market that size will hurt more than changing a few things to be compliant

Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.


> Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles?

Because you would rather grow your market?

If you run a free website that depends on targeted ads to make money, you might want to expand to the EU but now you'd need to totally change your business model to do so. For some that would basically mean inventing a new company because their service is not the type people would pay for. So in this case, it may not be worth it.
There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.
> There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.

The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.

They could still make some money from showing non-tracking ads to European users and tracking ads to American ones. Perhaps not as much, but as they have already written the content I don't see why you would just give up on that revenue stream.
The point is that, if I'm not making material money from EU residents today, it may be easier for me to just make it clear that I'm not trying to do business in the EU than figuring out if I need to do anything to become compliant. I may in fact be 100% compliant, but it may take effort to figure that out and there's potentially still some risk.

Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.

This could definitely happen, but would not make sense for the Chicago Tribune and LA Times, which are big corporate entities united as subsidiaries of Tronc, Inc., and could even pool resources to have one compliance office among them from the parent company.

For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:

- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and prefers not to invest in doing so.

- Tronc can’t remain profitable if displaying GDPR-compliant pages in the EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).

- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.

So while I agree with you for some small businesses just not wanting to mess with GDPR compliance or risks, however small, it certainly isn’t a viable explanation for these newspapers.

It's likely that it's just a side effect of months of institutional paralysis. The Chairman of Tronc stepped down earlier this year after allegations of misconduct and I believe they were negotiating the sale of the LA Times to an investor and the rest of the company to Softbank.
Well, you could! We’d be happy for you to make some space for a competitor who doesn’t make his money selling personal data.
I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks users accessing their site through a VPN, without informed consent, they are in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't make provisions about whether the controller or processor has a way to find out if the behaviour of the data subject takes place within the Union. I don't see any reason for a different interpretation in the Recitals, either. Furthermore note that subs a and b in art 3 para 2 are alternative, not cumulative requirements.

Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.

The relevant language is in recital 24. “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.) Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it, whatever people may wish.

Sure, that's a criterion for art 3 para 2 sub a. What I am talking about is sub b, for which the question whether one offers goods and services is irrelevant (that's what I meant when I said 'a and b are alternative, not cumulative').

So the question is - does the Chicago Tribune 'monitor user behavior'. The recitals say about that

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.

I've been served ads on US outlets for products which clearly target my home market (Germany). This will make it hard to argue that you are not targeting that audience. In my opinion, if you serve ads on your site which target EU consumers, you're doing business here. I don't think it matters whether you do that through a third party.

By blocking EU ip-ranges, that may change, I admit that. However, if by other measures like finger-printing the browser you serve EU-specific ads to vpn'd users you may be up to problems.

>> "offering goods or services"

IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.

The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.

So you're saying that if I block my site to EU IPs, and someone uses a VPN to look like they're coming from the US and bypass that, they can then sue me under the GDPR? No way.
No, they can't 'sue' you; they can make a complaint to their data authority, who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority making a case out of it, then yes (provided everything else also applies, e.g. the things being talked about in the rest of this thread).
Put it in your TOS that European users are forbidden from using your site, and then, if they complain to a data authority, press charges under the CFAA and sue them for damages you incurred due to their violation. Then let the courts hash it out.
Such TOS would most likely be 'unduly onerous' or whatever the local term for this concept is in other EU jurisdictions.

I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.

So no, that's not how it works.

Unduly onerous to say you're not allowed to access the site if you're in the EU?

So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.

That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.

> Intent matters

So shouldn't the website's intent to block you from accessing it matter?

The Cambridge Analytica whistleblower is suing Facebook and Google for incomplete compliance, so yes, you can get sued.
I don't quite understand what you're saying here.
The relevant part of GDPR is Recital 23.

https://gdpr-info.eu/recitals/no-23/

Short version: GDPR does not apply if you happen to collect data on a few EU residents by accident (assuming you're not otherwise based in the EU).

This is only your opinion. It doesn't say that on the page you pasted. To be compliant you probably must clearly state that the service is not for EU residents and ask them to leave. Even that could be too little.
"...the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union [...] is insufficient to ascertain such intention"
This only applies to sub a (of art 3 para 2). So no, this quote does not confirm your assertion.
If you use a VPN to access a server that doesn't want you to access it, then you are breaking the Computer Fraud and Abuse Act in the United States.

Shouldn't you be the one sent to jail, as you are illegally accessing a computer that you were specifically told not to access?

Maybe. That's entirely orthogonal to the question of whether or not the person whose server it is, is affected by the GDPR, though.
But if that person could get sent to jail for that, then I don't see why they would file a complaint.
I don't even see in the law whether or why the DPA would disclose the identity of the complainant. Maybe there are procedural situations where it would happen; I haven't really thought about it. I think people are too hung up on a specific person making a complaint. It's the DPA that will take action, probably removed a few steps from the initial complainant(s). This is not Law and Order style legal proceedings.
If they are from a poor EU village, it could be tempting to get into a US jail to learn the language and have free food and a bed.
When you don't, a competitor steps in, and if the day comes that you want some EU sales, you will have to spend huge sums to establish your brand if you are not a huge brand that's on TV shows and the news all the time.

Geo-locked products are nothing new. I lived in a communist country, a few EU countries and a Middle Eastern country, and I can promise you that when a certain brand is not available a local competitor pops up, and after the original brand becomes available it remains a curiosity unless it's a massive pop culture icon (McDonald's, Coca-Cola, Amazon, Netflix etc. - stuff that's on American TV shows all the time. The TV shows are also geo-locked but local pirates make them available a few hours after the USA. Even in Cuba).

So, it's not a simple problem of if(profit < feel like worth it) then block EU.

> But I've sent a clear message that I'm not marketing to European consumers.

More like, sent a clear message you're not concerned about your users' data.

(Nothing personal, the signal may not necessarily echo the reality)