back to article US websites block netizens in Europe: Why are they ghosting EU? It's not you, it's GDPR

Folks trying to read the NY Daily News, say, or the Chicago Tribune – the third-biggest US daily newspaper – online from a location within the EU have been blocked from visiting the websites due to new data protection laws. Visitors in the bloc trying to load articles from the Tribune, or stablemates the Los Angeles Times – …

Anonymous Coward

Two years was not long enough, these plans were (wait for it)...

on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying

"Beware of the Leopard"

98
7
Silver badge

I also find it amusing how many companies have now emailed me with consent begging letters. I had no idea 3/4 of the shysters had my details. Wankers.

115
0

Re: Wankers

Not only that, but nearly all of the emails asking me for consent are doing it via MailChimp whose terms and conditions make it clear they will be taking this info for themselves, aggregating it and then using it to spam me from outside the GDPR zone.

This includes my landlord who claimed he needed consent to have a copy of my email address in order to communicate with me, and in order to allow him to email me, I would have to give my email address to this US based email marketing firm.

None of the companies who send me emails need to get consent under GDPR as they are using the data for the purpose for which it was collected, are keeping it securely, and are not passing it to others. However this GDPR consent via MailChimp is breaking all those rules and more.

94
0
Anonymous Coward

Re: Wankers

I thought I was the only one to have noticed this supplementary threat. Welcome to the club.

26
0
Silver badge

Re: Wankers

MailChimp have it so spectacularly wrong - pretty much on every point, not helped by some of the, ahem, "less well informed", staff at the ICO.

One totally wrong claim that they tried making is that they are not a Data Processor, because somebody at the ICO said they were exempt, for no valid reason whatsoever. They are categorically a Data Processor, with the client organisation being the Data Controller. This isn't an uncommon arrangement and is very simple and needs nothing much more than a simple Data Processing Agreement between the two parties. On MailChimp's side they must ensure that they stick to the terms of the Data Processing Agreement and in particular do not export or the data to third countries, which is pretty much any country outside the EU - in particularly regimes like the US which have no data protection laws whatsoever (Safe Harbor was worthless, Privacy Shield is equally worthless). "All" MailChimp really needed was to implement EU servers and to restrict access to these to MailChimp EU staff, which is something that they should largely have had in place anyway.

Just one of the reasons why we recently chose a different bulk mailer...

43
0

locked filing cabinet...

But that's the point. The plans were NOT on display in the bottom of a locked filing cabinet... They WERE on display wide in the open, with people megaphoning that something was going to happen.

It took less than five seconds to find this:

https://www.theregister.co.uk/2016/06/24/gdpr_post_brexit/

43
1
Silver badge
Mushroom

Re: Wankers

You probably did not sign up to their sites. They probably bought a mailing list and added it.

I ran a company that closed down in 1998. I still get emails from all sorts of companies wanting to do business with the long extinct company.

Just one of the costs of .... I can't think of a reply that would not get censored.

See Icon for what I'd like to do to the people selling my old company email address on after all these years.

25
0
Silver badge

Slightly odd for us as we are currently engaged on a project for Los Angeles Times, but now we are getting the same message. Nice to see that they have left the X-Clacks-Overhead in their response headers though :)

21
0
Silver badge

Two years was not long enough, these plans were (wait for it)...

No amount of years may be enough if what you are doing with the users private parts is not legal to start off with.

Goodbye and thank you for admitting to be utter scum. You will not be missed. Can we have a bit more of that please.

47
2
Silver badge

Agreed.

Personally, I am overjoyed with all the mails I am getting that are telling me that I will no longer receive their mails if I do not click on some damn link and approve.

You think I'm that stupid ?

Finally, a true end to all the spam (well, most of it anyway).

Thanks, GDPR !

66
1
Silver badge

or,....

.... signed in triplicate, sent in, sent back, queried, lost, found, subjected to public inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.

21
1
Silver badge
Thumb Up

@Pascal Monett

I suspect that many people will have been using this as a handy means of cutting down on "near spam".

Its a bit early to say how this has worked but I am hopeful.

27
0
Silver badge

on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of the Leopard"

Happy Towel Day by the way. Are you a real hoopy frood who knows where his towel is?

17
0

Re: Wankers

There seem to be a lot of businesses lingering on directory sites. Several list the Scunthorpe HMV store which closed in 2013. So you search for a business, Google connects you to a directory site, and you are targeted by several adverts. It doesn't matter to any of them that they're handling false data.

When they're so obviously getting data wrong, I can't really expect them to stay within the law on personal data.

Oh, you used to hear about a "Chattels Auctioneers", and it looked like a defunct business, with part of the sign remaining. Problem is, "goods and chattels" is a term of art in the auctioneering trade, the sort of general auctioneering business associated with house clearance. I found an older picture showing the complete sign, with a business name and that phrase.

The GDPR isn't going to do anything to stop that sort of bad data.

4
0

"Happy Towel Day by the way. Are you a real hoopy frood who knows where his towel is?"

I'm sitting on my towel.

3
0
Thumb Down

Re: Wankers

Indeed - I noticed before that if I google my company name that many sites are selling my data - but much of it is massively out-of-date (by many years): wrong address, wrong company officer details, defunct phone number(s), etc.

5
0

"There's no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years, so you've had plenty of time to lodge any formal complaint and it's far too late to start making a fuss about it now…"

8
0

Re: or,....

coincidentally I'm dropping a grunty mcPew as I read this and will use tronc provided material for clean up, about all their product is useful for.

0
0

Re: "The former policy wonk -

no they were not, this is been public knowledge for a long time, sites has been posting articles about it for a long time, bloggers have been blogging about it for a long time.

But in typical fashion, lazy companies stuck their heads in the sand and ignored the issue and left it until the minute to take action, so we all get a billion emails in the last couple of weeks about new privacy policies.

2
1
Unhappy

Overreach

I'm in the UK. I fully expect EU sites to comply to EU regulations. If I choose to visit a site in a different jurisdiction I fail to see why the EU should have anything to do with that. I know that the EU says it is so, therefore it is, but still it sticks in the craw.

This feels like the thin end of a very wide wedge. Possibly, the end of the world (wide web) as we know it.

I am discombobulated by this.

31
79
Anonymous Coward

Re: Overreach

I agree with you but you have to take into account the purpose of the legislation given the atrocious attitude to privacy by internet companies.

47
1

Re: Overreach

If US sites want to do business here - and that includes selling advertising - then they have to comply with our laws.

If it's the end of the advertising-based world wide web, then so much the better.

113
2
Silver badge
Facepalm

Re: Overreach

There's no right answer here though. The principle of an EU citizen owning their data is a solid base. Applying that to EU companies only would make the whole thing pointless.

Applying that to all companies sets unfortunate precedents. (Precedence? Not sure which is correct)

In my mind, the relevant thing is that the data is about an EU citizen and if you want to hold data on that citizen, you need to follow the jurisdiction of the governing body.

But on the other hand, we all came down on the US like a ton of bricks with the data held on Irish servers (I think that was an American's data), and certain countries with even more questionable attitudes to personal freedom than the Land of the Free and the UK could push this further.

But on the other other hand, as mentioned above, only applying this to EU companies would make it pointless.

34
1

Re: Overreach

It is getting closer to where we should be.

There will be lots of kicking and screaming, much like when my parents told me it was bedtime when I wanted to stay up and watch The Sweeney (UK reference, non-UK peeps may need to google it).

But it seems we have at last made a start, if the work is kept up we might have a better WWW.

Hopefully in time companies will realise that giving some respect to their readers privacy will reward them,

Not sure I even believe that previous statement myself, but I'm an idealist dreamer.

Government mass spying on innocent civilians and other shenanigans will of course carry on unperturbed.

60
1
Flame

Re: Overreach

>> but you have to take into account the purpose of the legislation

Oh, puh-lease! Think of the children. We only did it to protect you. It's in your own best interests. The EU knows best. Along with patriotism, the restrictions for the greater good, are the last refuge of a tyrant. What I'm seeing here is tyranny writ large. Why should a US corp have to jump through hoops to satisfy the megalomaniac leanings of whoever it is who drafts and passes these EU laws?

I was getting on pretty well with my ad-blockers thank you very much. If a site required them to be disabled to enable me to view its content then I could make my own decision as to whether that was a trade I was prepared to make. If a site required registration, again, I could decide for myself.

Now, I have no choice. Except being of a technical bent I could always subvert the ban. But why should I have to?

16
110
Silver badge

Re: Overreach

im shocked that these sites are trawling so much data on you. Afterall if they didnt then they wouldn need to do anything short of a privacy notice of "we dont have any data on you so we dont need to tell you". That is effectively what "moodle" did - we only have data needed to run your service. we dont market so dont need consent. if you dont want the service then tell us and we will erase.

The fact these websites are blocking means they are doing shitty things with your data. Probably best to keep avoiding them.

56
2
Facepalm

Re: Overreach

you have to take into account the purpose of the legislation

The road to hell is paved with good intentions. Purpose is not an excuse for idiotic implementation. "Right to be forgotten", please! If I committed your personal data to memory, will I have to undergo brain surgery when you request to be forgotten? The very idea is mind-bogglingly stupid.

17
73

Re: Overreach

In the case of the US vs Microsoft, it wasn't a matter of whether or not the US could get that data, it was data held for a US citizen and the US justice department, FBI, etc. definitely had a right to get a court order to get it.

The problem was that they tried to enforce a US court order against a US company for data held by a subsidiary in Ireland, with which the US has agreements on how to handle this kind of thing.

On a related point, all of those websites now shuttered to EU people? If any EU people EVER visited them and they hold data on them from that visit, they are subject to GDPR anyways. Shuttering the website because you're not compliant just makes you look like a target because you're admitting non-compliance.

54
0

Re: Overreach

The principle of an EU citizen owning their data is a solid base.

The principle of an EU citizen owning their data means an EU citizen has the right decide what to do with their data. Including shipping it wholesale to any evil US or Chinese megacorp.

In this case however, the EU parliament says: "No, it up to us to decide what you can and what you cannot do with your personal data". Not cool.

13
83

Re: Overreach

Nonsense - you can ship your data abroad under GDPR still for whatever you like to be done with it. You just have to give informed consent to do so, with a really clear UX. That's fair and reasonable.

Also going back to the original comment in this thread - no it isn't over reach. Every other industry that exports things to Europe is regulated. Think, for example, about food safety regulation or car safety regulation.

This is absolutely standard stuff in every industry. It's only new for the internet because it is a new industry.

Basically, a bunch of whiners who don't understand that global capitalism only functions because of regulations. Like they just don't know that there are regulations that make the products they use every day actually any good.

86
4

Re: Overreach

the EU parliament says: "No, it up to us to decide what you can and what you cannot do with your personal data"

The EU doesn't decide what you can do with your data, but what the companies can do with your data once you've shared it with them:

- they need to inform your clearly of what they'll do with it, who they'll share it with, and you have the right to refuse (opt-out must be the default)

- they need to give you the right to access, rectify and delete your data

- they need to keep it secure and notify you as soon as they detect a breach

It's basically more rights for you, more obligations for them.

77
0
Silver badge

Re: Overreach

I feel obliged to point out yet again, that if a US company has no presence in the EU (i.e. an office) then it can feel free to ignore the GDPR and stick it's middle finger up at the ICO.

The GDPR is a law that only applies to entities within EU borders.

5
35
Silver badge
Thumb Up

Re: Overreach (@ FrogsAndChips)

^This!

And "It's basically more rights for you, more obligations for them."...

It couldn't be otherwise, as in the old status quo, "We" had no rights whatsoever and "They" had basically no obligations!

22
1

Re: Why should a US corp have to jump through hoops...?

If they have no physical infrastructure, advertising/marketing/sales operations, tax obligations, etc, etc, etc within the EU then they don't. My credit card lets me make purchases in any currency (and charges for the 'service',) anywhere in the world. So there's no difficulty buying huhkl-flendlegroodlers from a one-man-band in Finknottlestan, whose entire operation is run out of a self-hosted website in his outside toilet. In such a scenario the vendor has no GDPR obligations.

15
2

Re: Why should a US corp have to jump through hoops...?

This answer is spot on.

No idea why some political commissars in the Polit Bureau in Brussels think that whenever a citizen of an EU wants to hand personal data to an US based company, using an US website, European laws apply to this transaction.

Nobody sane would think it is. But maybe the idea behind GDPR is to bar Europeans from US sites, why would they otherwise accept a law which conflicts with US regulations like the CLOUD act.

8
57
Silver badge

Re: Why should a US corp have to jump through hoops...?

"...that whenever a citizen of an EU wants to hand personal data to an US based company..."

The "wants" part is meaningless without informed consent, and that's just what the GDPR provides. What data is being taken, whith whom it's shared and for which uses. Doing otherwise would be similar to allowing people to sell themselves into slavery by signing an obscure/incomplete contract.

35
2
Bronze badge

Re: Overreach

The road to hell is paved with good intentions. Purpose is not an excuse for idiotic implementation. "Right to be forgotten", please! If I committed your personal data to memory, will I have to undergo brain surgery when you request to be forgotten? The very idea is mind-bogglingly stupid.

Hardly, though your apparent understanding of it seems to be... suboptimal. Unless you work for Facebook or something?

If you really want to subvert GDPR, please feel free to post all your personal details, bank statements, life story, movements and contacts for the past year and diary appointments online. Make sure to sign up with every dodgy injury lawyer call centre so they can phone you regularly to check you haven't been in an accident that wasn't your fault yet. It's still entirely your right to do that. However, bafflingly, not everyone chooses to. And companies that want to do business in Europe now have to respect that choice.

As for US sites crying "woe is us, GDPR doesn't let us serve you pages", they're basically saying they can't serve a page without collecting *identifiable* information on you. That's astonishing given the basic requirement to serve up a news story and a few ads. If you popped into the newsagents to buy a paper and got into a conversation about what you'd been up to that morning and where you were going on holiday, that might seem a normal human interaction. If they started writing it down you might get worried. If they asked to inspect your phone you'd think things were getting weird. If during that conversation a stranger enters the shop and gives a report on your movements over the last 24 hours because they've been following you on behalf of the local shopkeepers you'd leave and consider calling the police.

56
3
Anonymous Coward

Re: Overreach

Its a little different, you are not visiting a site in a different jurisdiction, rather, that site is entering the EU and doing its business in it, subtle but big difference.

It doesn't have to enter the EU, it could be restricted to US only if it wanted to. An example here would be netflix and streaming sites who limit content in different regions depending on licencing agreements.

Its like a US site selling guns to folk, completely legal and ok in the US, but then it makes itself available in the EU, just because its in a different jurisdiction doesn't mean it can start selling guns to EU citizens, local law applies.

EU gun laws make it illegal for people to sell us guns, EU GPDR laws make it illegal for people to abuse our personal information.

31
2

Re: Overreach

It's basically more rights for you, more obligations for them.

Your rights are worthless when they decide that it's easier to withdraw that to fulfil their obligations.

Informed consent is actually a good part, I have nothing against it.

But the "right to be forgotten" means the companies are back to the 90's w.r.t. data storage technologies: no (true) event sourcing, no blockchain. Data has to be mutable, and as a consequence, less reliable. All for the goal of "unlearning" information, that is theoretically unachievable.

4
30
Silver badge

Re: Overreach

will I have to undergo brain surgery when you request to be forgotten? The very idea is mind-bogglingly stupid.

As is "reductio ad absurdiam" - but you seem quite wedded to that..

31
0
Silver badge

Re: Overreach

the EU parliament says: "No, it up to us to decide what you can and what you cannot do with your personal data". Not cool.

Not so. The GDPR is UK legislation (and will be in place post-Brexit). You, as a data subject, are free to give someone consent to use your data for any purpose.

What it doesn't allow is for someone to take PI about you, sell it and/or use it for marketing *without your consent*.

Which is entirely different from your (somewhat slanted - the "EU Parliament" bit gives it away) view.

33
1
Silver badge

Re: Overreach

then it can feel free to ignore the GDPR and stick it's middle finger up at the ICO

Not if it wishes to do business in the EU..

30
2
Anonymous Coward

Re: Why should a US corp have to jump through hoops...?

>political commissars in the Polit Bureau in Brussels

I'm going to do something I rarely do and respond to a troll.

@naive - You sir or madam, are an arsehole. Pure and unmitigated. Your post is absent of any logic, thought, basis in reality or fact. Not only do you fail to understand the whole purpose of GDPR, you fail to understand how the EU works.

54
1

Re: Overreach

I feel like that 'doing business' rule or method of governance is too broad a brush to be used effectively. It seems like if a website which is listed on google can be accessed from anywhere in the world, anyone who runs a website has to keep track of more than a hundred different codes for operating their website. For something like GDPR, which has generally overwhelming support, and makes sense on paper, it seems silly to worry about such a thing. After all, any company that doesn't comply with the rules is probably shady anyhow, and you don't lose much by losing its business. Lets say, for arguments sake that a certain country finds pictures of women's bare hands to be pornographic in nature, and the country has a blanket ban on pornography of any kind. Also, your companies website uses female models using the product in its promotional material. It seems unfair to me that such a company should have to pay a fine if anyone in that country stumbles across the website, and it seems not in the spirit of the modern age, almost isolationist, to block people from that country from accessing the website at all. What about human rights? If china dislikes mentions of the tiananmen square, under this system do websites making mention do the blocking for them? Any answer other than yes is hypocritical.

6
11
Silver badge

Re: Overreach

The principle of an EU citizen owning their data means an EU citizen has the right decide what to do with their data. Including shipping it wholesale to any evil US or Chinese megacorp.

In this case however, the EU parliament says: "No, it up to us to decide what you can and what you cannot do with your personal data". Not cool.

I'm sorry, but that's Total Bollocks™.

What the GDPR says is that if those vil US or Chinese megacorps want to process your data, they must get your informed consent to do so. There is nothing in GDPR that prevents you from saying, "hey evil megacorp, here's my data, process away!" That would be known as consent.

38
1
Silver badge

Re: Why should a US corp have to jump through hoops...?

>political commissars in the Polit Bureau in Brussels

I'm going to do something I rarely do and respond to a troll.

@naive - You sir or madam, are an arsehole. Pure and unmitigated. Your post is absent of any logic, thought, basis in reality or fact. Not only do you fail to understand the whole purpose of GDPR, you fail to understand how the EU works.

You may also want to note that it is one word, spelt Politburo, comes from the Russian, and refers to the main decision-making body of a communist party. The merits or otherwise of communism as a political system aside (there are many long books on the subject), to imply that the EU Parliament is a manifestation of communism is so mind-bogglingly ignorant and stupid that I can only assume that the OP was repeatedly dropped on their head at some point in their early childhood, but miraculously survived the head-injuries.

40
3
Silver badge
FAIL

Re: Overreach

yeah, there's the "has a presence in the EU" problem, as well as an advertising model that's incompatible. So just like those viewers who happen to be running ad blockers and/or script blockers, anyone affected by GDPR is now in "the ghetto" as far as they're concerned.

My opinion: if they're gonna be like THAT about it, I don't WANT their damned content!

19
1
Silver badge
Coffee/keyboard

Re: Why should a US corp have to jump through hoops...?(@ Loyal Commenter)

ROFLMAO++

9
0

Re: Overreach

Until the EU decides to arrest the company's CEO when he's on vacation in Europe.

The US isn't the only one that does that sort of thing.

21
0
Silver badge

Re: Overreach

There should be no problem deleting a person's record from current data. Soon after that, the record should disappear from backup areas.

Archives are another matter. Yes, archives are different from backups. It may be difficult in practice to delete from an archive; but it is also morally wrong.

Readers of the novel 1984 may remember Winston's day job: editing archived newspapers to harmonise old stories with modern political requirements. (Only the government was permitted to keep archived newspapers, of course.) Most of us will, I hope, feel uncomfortable with that.

9
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018