by mrmekon 2946 days ago
I'm in the EU, and a couple of the corporate VPNs I have used here have had their exit IP in the U.S. or Canada. Which means that when I'm at work, I appear to be in Seattle, and these sites are not blocked.

Based just on that, I'd argue that "Blocking 500M Users Easier Than Complying with GDPR" is probably not even a true statement.

I doubt EU regulators will go after these sites because they really aren't that consequential, but I wonder if setting up an IP block isn't just painting a target on yourself. It's basically a statement that the company was and still is violating GDPR.

2 comments

What exactly do you want here? Do you want every site to have you upload your passport? Or are you just saying that any jurisdiction in the world should be able to effectively force every company globally to comply with their laws, and that they can’t pull out of those markets if they find the law too onerous?

Forget about the intent of the GDPR, what about the broader principle when applied to laws you don’t like?

What if the US passes the anti-GDPR next week, that you MUST track all available data for US residents or citizens, no matter where in the world they are? What then?

My comment doesn't make a statement about how things should be. It's a statement about the complexities of a technical implementation:

_If_ it is true that the GDPR covers an EU person's data held by any company worldwide, regardless of how or whether it should, an IP block might not be accepted as compliance. Or it might, if the EU regulators decide that best-effort is enough.

The important point is that many Europeans are browsing the net through non-EU IP addresses without the knowledge that they are doing so. Most people do not pay attention to what their corporate public IP address is. They may use "non-EU" services entirely unintentionally, and EU regulators may or may not take that into account in the unlikely case that they investigate one of these companies.

I am curious how this will play out. I am not sure how else EU regulators could play it out without essentially saying that all users must identify themselves honestly to a site.

What happens if a person marks their country of origin as US even if they aren't in the US and their IP isn't? They lie in that case, but are they still protected?

Well then these EU users are illegally accessing a computer and have broken the Computer Fraud and Abuse Act.

These users should be prosecuted to the fullest extent in the US for their illegal computer usage.

Eh, I'm not sure we want to go down that road either, but it's an interesting thought experiment. If you declare that EU visitors are unwelcome and unauthorized, are they violating the law by working around that? I find the idea both horrifying and interesting. So many GDPR fans here seem outraged at sites blocking access to them, which seems an acknowledgement that they want to have their cake and eat it too. What if criminal penalties for attempting such enter the mix?

Yeah, I was mostly making my comment in jest, and I find the idea ridiculous.

But I ALSO find it just as ridiculous to prosecute companies for not providing protections to users that they have banned.

It should be fully within everyone's rights to not do business with countries that make silly laws.

Intent matters. The website clearly indicates that they do not want to serve EU users. EU law does not apply to them unless they have a physical presence in the EU.

It's trivial for end users to bypass any restriction through technical means (whether legal or illegal). The fact that they bypassed the block is an act that indicates that they are bypassing the rules and thus are forfeiting some of the protections they would enjoy otherwise.