
The last time I built a serious website was back in the early 90s. Web construction back then was straightforward -- build the site and publish for the world to access.

Today's web technology has vastly improved, but various artificial impediments seem to have been introduced. Today's question revolves around GDPR.

As I understand it, GDPR is European legislation advertised as protecting EU citizens' privacy and granting EU citizens rights to control how websites use data/whether the websites can store said data.

My initial impression of GDPR is that if an EU citizen wants GDPR rights, they should only use servers residing in the EU which would be subject to GDPR legislation.

However, there apparently is some notion that EU legislation can somehow affect servers outside of the EU? I'm not a lawyer, but I would expect that each nation defines and enforces its own laws -- which may or may not be in alignment with another nation's legislation. How is GDPR even applicable to servers residing in the US (or any other non-EU nation)?

Based on several articles I've read online, it seems somehow the US allows EU's GDPR legislation to be enforced on US soil. That seems like mistake #1, but I digress.

Since I don't want to deal with GDPR headaches, I seemingly have no choice but to block all EU users from using my websites and services. What is the best way to block them? Have them affirm when attempting to logon to the website that they are not an EU citizen (or are they allowed to consent to the website not adhering to the GDPR scheme, in which case they could still use it?)

To be clear, my websites and services are not planning to use any information collected from visitors for spam or any other nefarious purpose -- I just don't want to deal with any of the GDPR requirements and I am willing to block/forbid all EU users from using my sites and services in exchange.

Ideally, I would prefer the old days where everyone in the world can access the resources I make available, but if that is not possible a legal means to forbid EU citizens access (such that if they violated the legal directive, GDPR expectation would be void) is fine.

Thanks in advance for any ideas/approaches you might use for your websites and services.

Charles T.
  • a) Do not process personal information of individuals inside the EEA.. otherwise b) play by their rules. If you want to host an old-school website, just stay with the old-school option a), done. - If this, the only *general* answer there is to this, does not resolve your headache, try to be more *specific* in your question. – anx Dec 18 '20 at 06:56
  • @anx it keeps looking like blocking will be a large part of the solution. For EU citizens in the US (or accessing via VPN) or CCPA/etc how do you inform them/tell them that they may not use your site unless they agree to using the site without any GDPR/CCPA/XYZ jurisdiction legalities? – Charles T. Dec 18 '20 at 07:12
  • It does not work that way, and that is both intentional and essential to the purpose of such regulations. They empower their subjects with rights that cannot be surrendered. (This is not necessarily the best place to discuss *legal* details) – anx Dec 18 '20 at 07:51
  • The Law Stack Exchange has a tag specifically related to GDPR. My suggestion would be to search there, because this is likely a common question that can be answered there where people understand the law. https://law.stackexchange.com/questions/tagged/gdpr Another choice would be the Webmasters Stack https://webmasters.stackexchange.com/ – Rowan Hawkins Dec 18 '20 at 08:32
  • Thanks all for the input. – Charles T. Dec 18 '20 at 18:26
  • I will repost to legal; Thanks for the pointer – Charles T. Dec 18 '20 at 18:26

1 Answer

First let me say that there is no requirement to store the data on a European server. It really depends on what PII (Personally identifiable information) you are collecting and how you are using and sharing it.

In most cases all you need is to ask for consent or have some legitimate reason to have that information. For example if you run an online store you are fine recording the client name and address so you could ship the order.

Please note that this is not an EU-only issue. California recently passed the CCPA (California Consumer Privacy Act), which is not that strict but has similar repercussions.

Dobromir Velev
  • Thanks for the response. I am familiar with PII, but I simply don't want to deal with managing any of that. I use usernames, email addresses (for password reset), IP address, etc. and that falls under PII. But there is also messaging/forums. I'm pretty much convinced that I will need to block all IP address space assigned to an EU entity and then I'll just have to have visitors make the declaration that by using my site they acknowledge my site/services do not provide GDPR/COPA/whatever else artificial protection scheme they have. I want responsibility on the users for anything they do. – Charles T. Dec 18 '20 at 07:04
  • Unfortunately you cannot avoid those completely - however as long as you don't share the data with third parties without consent and take reasonable measures to protect it you are safe. You still have Safe Harbour protection for any user generated content. Still you should be prepared to serve any privacy related requests like providing a copy of all PII of a specific user or deleting that information. – Dobromir Velev Dec 18 '20 at 07:30
  • I was talking about DMCA Safe Harbor provisions (section 512) there. Privacy Shield did nothing for both sides and was correctly invalidated. – Dobromir Velev Dec 20 '20 at 04:55