by sschueller 2613 days ago
Instead of the article I get:

"A MESSAGE FROM USA TODAY NETWORK It appears that you’re visiting us from a location in the European Union. We are directing you to our EU Experience.

This site does not collect personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our Site from the European Union. We do identify EU internet protocol (IP) addresses for the purpose of determining whether to direct you to USA TODAY NETWORK’s EU Experience.

This site provides news and information of USA TODAY NETWORK. We hope you enjoy the site."

I am not in the EU and I am not using an EU IP address.

So I guess you can't find out about police misconduct unless you are trackable...

2 comments

I get the same treatment (and I am also not in the EU), but I have to say: apart from this specific link not working, their "European Union Experience" seems so much more uncluttered than all the other news sites out there!

It seems to be just news articles without all the bullshit. (It redirected me to https://eu.usatoday.com/, so maybe U.S. viewers can also experience it.)

It's even better than lite.cnn.io and thin.npr.org, because it is not all text but also has some pictures to the articles, which I want to see.

I imagine they get a pretty low amount of EU traffic, and so went for the least effort path to deal with GDPR. And, yeah, IP location databases are often wrong. Or maybe they just treat "non US IP" as "redirect to sparse GDPR site".

It is an odd publication. They have some sort of deal with many US hotels where guests get a paper copy for free. I suspect that represents the overwhelming share of anyone that reads it. It's commonly thought of as low quality here.

Archived copy: https://outline.com/FdzvqY

Their database as a csv: https://gofile.io/?c=bEbPGv

>I imagine they get a pretty low amount of EU traffic, and so went for the least effort path to deal with GDPR.

But they haven't actually dealt with it. This is a common misunderstanding among websites that do this.

EU citizens are not required to identify themselves to you preemptively for GDPR to apply. If I connect to their website via a US VPN and they start tracking me without asking my consent assuming I'm from the US, that's a violation of GDPR.

So, in reality, there are two cases here:

1. They do not operate under EU jurisdiction, and thus might as well not have bothered making the EU-specific page, since the EU has no leverage over them any more than China can force them to take down articles that paint the Chinese government in a negative light.

2. They do operate under EU jurisdiction, in which case their EU-specific website is not in and of itself enough to handle their GDPR liability. Regardless of your opinion on VPNs, they must still, for example, nominate a specific data protection officer if they fall under EU jurisdiction.

I suspect that at least some of the websites with EU-specific experiences know that the EU experience, legally speaking, doesn't achieve anything and are attempting to use them as a protest movement disguised as a self-righteous compliance effort. A whole bunch of other websites then didn't do their homework and are blindly hopping on the bandwagon.

The funny thing is the whole thing is backfiring, since a common reaction is "the EU experience is really nice, I wish it was like this for Americans as well".

Article 37 says that a DPO is needed if the controller and processor (a) is a public authority or body (except for courts), (b) their core activities require regular and systematic monitoring of data subjects on a large scale, or (c) their core activities include processing on a large scale of special categories of data from Article 9 or data related to criminal convictions and offences referred to in Article 10.

It sounds like their EU site would not fall under any of those.

Their US site might, but their US site seems like it would be out of scope for GDPR according to Article 3, because it is not offering goods or services to data subjects in the Union.

In fairness, you're probably right about them not requiring a DPO. I thought that was required for any organization over a certain size, but it seems it's required for any sized organization that tracks people with a certain amount of enthusiasm. A court would have to determine if they meet those criteria, I guess.

However, in response to this:

>but their US site seems like it would be out of scope for GDPR according to Article 3, because it is not offering goods or services to data subjects in the Union.

You're referring to Article 3.a. The argument on whether the US site is offering services to EU citizens if it does not take active steps to forbid VPNs or place "are you currently in the EU?" gates in place is something only a court could rule on.

However, more importantly, you're skipping over 3.b.

>the monitoring of their behaviour as far as their behaviour takes place within the Union.

That's unquestionably happening for anyone in the EU that uses a VPN to connect to their US website. Hence, their GDPR obligation is not discharged if they are under EU jurisdiction.

The GDPR does not lay out a set of ways to handle EU citizen data. If you ctrl-f search "citizen" in the GDPR document[1] you'll get no hits. It lays out the way /companies are expected to handle personal data/. Americans may not realise this, but they have the right under EU law to file GDPR requests against EU companies. They may even be able to file them against American companies, although which companies are or are not in scope gets complex at that point and I really don't know enough about who is incorporated or has subsidiaries where to know which companies that would work against if it came down to lawyers in courtrooms.

The point is, if a company falls under the territorial scope, they have to extend GDPR rights to /everyone/, because it's not about who you're allowed to track, it's about how you're allowed to use tracking technologies.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...