by roel_v 2952 days ago
No, they can't 'sue' you; they can make a complaint to their data authority who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority to make a case out of it, then yes. (provided everything else also applies, e.g. the things being talked about in the rest of this thread).

Put it in your TOS that European users are forbidden from using your site, and then if they complain to a data authority press charges under the CFAA, and sue them for damages you incurred due to their violation. Then let the courts hash it out.
Such TOS would most likely be 'unduly onerous' or whatever the local term for this concept is in other EU jurisdictions.

I've said this many times here already, but law is not a closed rule-based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.

So no, that's not how it works.

Unduly onerous to say you're not allowed to access the site if you're in the EU?

So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.

That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.

In many civil law systems, there are limits to contracts. Sometimes these limits are codified, sometimes they're not. Let's take Dutch law here as an example, because well that's what my degree is in. The Dutch civil code has a list of so-called 'black' and 'gray' clauses in terms and conditions; the black ones are always void, the grey ones sometimes (obviously grossly simplifying here, I'm not going to type a paper on a phone). Many catch-all statements are either black or grey, especially when they are designed to absolve one party from their legal obligations. Nobody is saying anything about requiring you to allow EU citizens. What I'm saying is the GP's plan is an obvious scheme to avoid one's legal obligations, and will be treated as such - and hence won't be a defense or obstacle when an authority goes after a non-compliant processor.

Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.

> Intent matters

So shouldn't the website's intent to block you from accessing it matter?

That point was part of a general observation. When something 'matters', that doesn't mean there can be other factors. In this specific case I see no reason why the territorial scope would not extend to processors outside the EU when they monitor user behavior. Taking some limited technical measures to prevent access doesn't absolve them from the law to apply.
The Cambridge Analytica whistleblower is using Facebook and Google for incomplete compliance so yes, you can get sued.
I don't quite understand what you're saying here.