> Simply paste our JavaScript snippet into your website's code. We'll check every visitor of your site and will block access to users located within the EU.

See, the problem here is that you actually have to send an HTTP request to the site that's trying to block you, then you load it along with their JavaScript which then blocks you, but at that point the initial request(s) has already been logged and now they have to comply with the GDPR.

I refuse to believe this is not a joke.
The idea that simply having an EU visitor load your site can subject you to a $2M fine is a recurring bit of FUD.

Directly from the EU:

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

(https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/sanctions/what-if-my-company-organisation-fails-comply-data-protection-rules_en)
niko001 / Niklaus or whatever. This is extremely shady. You've copy-pasted your whole terms and conditions from this page:

https://buffer.com/terms

VS:

https://gdpr-shield.io/terms - Saved here https://web.archive.org/web/20180504020320/https://gdpr-shield.io/terms for good measure

Which is illegal to begin with. You even forgot to replace the part that explains what the service does and left the part that says that gdpr shield "provides a social media management tool".

You're selling something that just basically does a geoip lookup, and then tries to block people from an entire continent, with pure JS, which can be easily avoided, by the way. I'm shooting buffer an email to let them know you're infringing on their legal material.
The privacy of EU persons coming in from a non-EU IP address still needs to be protected under GDPR. This solution is a start but it's not bulletproof.

Edit: I don't want anyone to think I believe it's a good start but it is a kind of solution. I wonder if lots of US companies, once they begin to realize GDPR is a problem for them, won't decide to try one of two things:

1. This: block access from IP addresses believed to belong in Europe.

2. Lobby Congress for a law (or a quick Executive Order) saying that US companies don't have to comply with GDPR.

A few weeks ago on Twitter [1], I speculated about #2. It was too early, I guess. Few people in USA seem to be aware of GDPR at the present time. That'll change in a couple of weeks.

[1] https://twitter.com/CnAdoctor/status/978849723808301057
I'm currently an EU-ish Citizen, not residing in the EU. Will it block me?

Also will it block JS-blocking EU Citizens residing in the EU?

Let's not mention VPNs. Let's not mention Tor.

This feels like a "registry cleaner" for GDPR

o. xkcd: https://xkcd.com/1969/
A "GDPR Compliance" service with a 6000 word terms of service including such gems as agreeing to binding arbitration, no class-action lawsuits, and royalty-free use of your logo and name, a privacy policy that allows them to use your personal information to promote "new features and special offers" and runs google analytics...

This is a joke, right? You'd have to be crazy to protect these guys with anything to do with personal information protection and privacy.
Maybe I'm missing something - but as a US citizen, with a US company, how can EU laws be enforced against me?

What's the legal channel here? Do they plan on arresting me if I decide to vacation to an EU country? Will the US gov't comply with levying fines due to some treaty/agreement between the countries?
I have this eerie suspicion that GDPR cases will be a haven for trollish and/or opportunist behavior. Instead of huge corporations having to shell out significant money to swallow up start-up competitors, they could much more cheaply pay EU citizens to exploit the huge burden of the law on small companies or even solo endeavors. I hope I can be convinced to be optimistic.
From GDPR-shield's terms and conditions (https://gdpr-shield.io/terms):

1. GDPR Shield Service Overview

The Service provides a social media management tool that enables users to customize the link preview window of websites under their control on social platforms, in addition to other analytics tools to help bolster users' social media content.

...what? Is this a botched copy/paste job?
Put your site behind CloudFront, block EU countries. There, we've solved the problem without a shady SaaS.

Edit: which wasn't even a problem to start with but if this is the route you want to go, the above is nearly foolproof and costs next to nothing.
I can't tell if this is a joke or not.

Don't pay "thousands" for GDPR compliance work which will improve your product by providing basic privacy and security features.

Instead pay up to $79 a month for a service to block a large percentage of your traffic.
I can't tell if this is a fake service or not, but blocking users from EU IP address ranges (which I'm assuming is how it works) will still not stop the EU from following a trail of data that could originate from your organization.

That's the biggest thing from the EU's GDPR rules - what is your organization's data inventory, how does it map outside of your organization, and how are you securing PII?

If a complaint is made from someone who is an EU citizen, and another organization shows logs that they got this information from your web app or service, that will trigger an audit from the EU. Blocking access to a subset of IP ranges will do absolutely nothing to stop this, and will not stop the sharks once they have smelled blood.

In a sense, the EU has plain rules that you can protect against, unlike the FTC/FDA (for HIPAA etc) who are vague and will not disclose how you can protect your own organization.
Disclaimer: This is not legal advice.

Blocking EU visitors by IP doesn't eliminate the need to comply with GDPR, because GDPR jurisdiction isn't based on where the service thinks the user is (whether from IP geocoding or another source).

If an EU resident is using a VPN, or using an IP that incorrectly geocodes to a non-EU country, or behind a private corporate network and NAT that egresses traffic in a non-EU country, GDPR still applies. Any site with more than trivial traffic will have some users with those characteristics.

Experts debate whether explicitly requiring users to confirm that they aren't in the EU - say, a country dropdown - is even a solution. If an EU resident visitor lies, they may well still be protected by GDPR (and the EU is large enough for enforcement to matter even if a site doesn't have an EU presence).
The more I look into this, the shadier it seems.

They're selling at a whopping $79/month, a single php script that does not even check any sort of authentication or API key, and only does a dumb lookup against a GeoIP database: https://gdpr-shield.io/check.php

And this is called by this tiny javascript script https://code.gdpr-shield.io/script.js that just... displays an overlay div when you're in the EU. Smells like scam when you're willing to sell a whole product that can be coded in 20 minutes for up to $1000 a year.
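The first comment's point (the request is already logged before the JavaScript overlay ever runs) and this comment's description of the product (a GeoIP lookup plus a client-side overlay) can be shown side by side in a small simulation. This is an added example, not code from the thread or from the service; the GeoIP table, EU country set and request shape are constructed for illustration, and the "edge" variant stands in for a CDN-level geo restriction of the kind mentioned elsewhere in the thread.

```python
import ipaddress

# Constructed sample GeoIP table (not a real database): prefix -> ISO country code.
# Both prefixes are documentation ranges (TEST-NET-2 / TEST-NET-3).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}

# Constructed subset; a real deployment would list every EU/EEA member state.
EU = {"DE", "FR"}


def lookup_country(ip):
    """Longest-prefix-free toy lookup: first matching prefix wins, '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def access_log(req, log):
    """A typical web-server access log line: client IP, path and User-Agent."""
    log.append(f'{req["ip"]} "{req["path"]}" "{req["ua"]}"')


def client_side_block(req, log):
    """The model sold on the page: the origin answers every request (and logs it),
    then a JS snippet in the browser decides whether to draw an overlay.
    Returns (HTTP status sent by the server, whether the overlay appeared)."""
    access_log(req, log)                      # IP + UA recorded before any check
    overlay = lookup_country(req["ip"]) in EU and req["js_enabled"]
    return 200, overlay


def edge_block(req, log):
    """Alternative from the thread: reject at the edge before the origin sees the
    request. Only an aggregate counter-style entry without the IP is kept.
    Returns (HTTP status, whether the request was rejected)."""
    cc = lookup_country(req["ip"])
    if cc in EU:
        log.append(f"geo-blocked: country={cc}")  # no IP, no User-Agent
        return 403, True
    access_log(req, log)
    return 200, False


def compare(req):
    """Run both strategies on one request; returns (client result, client log, edge result, edge log)."""
    log_a, log_b = [], []
    return client_side_block(req, log_a), log_a, edge_block(req, log_b), log_b
```

Running `compare` on a German visitor shows the client-side variant returning 200 with the visitor's IP and User-Agent already in the log, and returning no overlay at all when JavaScript is disabled; the edge variant returns 403 with only a country code recorded.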
"The European Union's new GDPR (General Data Protection Regulation), which takes effect on 25th May 2018, creates uncertainty and risk for website owners. It applies to businesses world-wide, because it protects all users accessing your site from the EU, regardless of where your business is located. GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher). If you don't have an in-house legal team, complying with the law requires you to consult with a lawyer specializing in data protection law. In addition, you're at risk of vindictive reporting from no-win-no-fee legal firms."

Total, unmitigated FUD.
Thought this was a joke SaaS offering, but inputting google.com as the domain and a burner card, it's real [0].

[0] https://judge.sh/3Bc2E0GR.png
I think this is actually good for privacy. We will know that companies using this service don't care about privacy, even for non-european users.

We could then design a tool detecting the use of this service and notifying the user "this service doesn't care about your personal data".
This appears to be JavaScript based... Assuming then that it works on the client side, I wonder how long it will take for someone to release a browser plugin to bypass it.
Argh. Just sent a note to a game company I did some work for that they need to be aware of this.

Might have to shut off access to the game for the EU.

Dammit.