With the General Data Protection Regulation (GDPR) set to go into effect on May 25th, 2018, many organizations are scrambling to ensure their compliance with the law, while many are unlikely to have compliance sorted out in time.
In search of a solution to GDPR compliance, one organization is simply advocating excluding any user from an EU country. GDPR Shield is offering website owners a JavaScript-based solution to block users in the European Union, seemingly circumventing the compliance requirements of the GDPR (to say nothing of the “world wide” meaning of “world wide web”). Interest in the website appears to have been high enough to knock the service offline, as the website has been returning server errors since at least late Sunday night. (A cached version is available from the Internet Archive.)
Users with script blockers–such as, ironically, the EFF’s Privacy Badger–would be able to trivially override the block, as the JavaScript-based system is susceptible to filtering like any other client-side JavaScript package.
In a series of tweets, F-Secure CRO Mikko Hypponen catalogued a number of services that are limiting operations in Europe or shutting down completely in response to the GDPR. Mobile marketing firm Verve, as well as cross-device advertising platform Drawbridge, has shuttered European operations, while SQL how-to training firm Brent Ozar Unlimited stopped selling training products to EU-based customers. Ozar noted that: “As a consumer, I love a lot of things about the GDPR,” though pointed out that the penalties for noncompliance–€20 million or 4% of annual worldwide revenue–“are terribad.”
Similarly, TechCrunch reported that Unroll.me–an organization that offers the “service” of unsubscribing users from unwanted mailing lists while using the access to mine inboxes for marketing data–has declared the end of services for users in the EU. This particular announcement is probably somewhat more natural, as there is seemingly no way to make harvesting and selling data to third parties GDPR compliant. (If you were unaware of Unroll.me’s practices, CNET has a handy guide on how to remove Unroll.me from your Gmail account.)
Steel Root, a Boston-based IT services company, was cited by Hypponen as blocking users from the EU due to the GDPR, though the company claims to have been blocking users from outside of the US since 2015, as it does not have any business outside the United States to begin with. The company stressed that the move is “to design for privacy in our business practices,” rather than a shortcut to GDPR compliance.
Hypponen notes that reactions from users in the EU echo sentiments such as “Our freedom is more important than their business,” and “This weeds out trashy websites,” while users in the US are voicing opinions such as “This should teach those smug EU regulators a lesson.”
The big takeaways for tech leaders:
- One company is providing a JavaScript-based blocking solution to block users from the EU from accessing protected websites, in an effort to remain GDPR compliant.
- Many companies have announced that services for users in the EU will stop when GDPR comes into effect on May 25, 2018.
