GDPR

Blocking EU IPs doesn’t mean you comply with GDPR…

The EU General Data Protection Regulation (GDPR)

According to the EU GDPR Information Portal, “The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years”.
It’s arrival has definitely made a big splash and the hyping has definitely made a lot of website owners scared, leading to a lot of incorrect information being spread around as well the rise of companies trying to benefit from the confusion by selling fake certifications.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
~ EU GDPR Information Portal

If you haven’t heard about GDPR yet and don’t know where to start, I’d advise to visit the FAQ page of the aforementioned portal. There are some sections that contain information that is vital to understand the scope of the GDPR. I copied two of these sections and added some highlighting.

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What constitutes personal data?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The quoted sections above make clear that not only companies, organisations or even servers located within the EU have to be compliant with GDPR, but any organisation that touches personal data of EU citizens. The definition of personal data is pretty wide, so you’re almost certain to be touching personal data when running a website.

The Good

The GDPR aims to provide strong privacy controls to individuals and force organisations to take more, better and stronger measures to safeguard the confidentiality of the personal data they collect.

The need for such regulation has become apparent due to recent news stories on high-profile platforms using personal data of their users to identify, group and target them in ways most users never could have imagined. In an effort to stay relevant in the advertisement sector, to create an additional revenue stream or for advanced market research, companies have been collecting personal information on their clients and visitors and use this big pile of data *cough* Big Data *cough* to reveal trends, market shifts, marketing holes, and more. However, the data that is being collected at this moment allows for much more detailed identification/grouping of users and for tracking users across other websites and platforms compared to old-fashioned loyalty cards. The granularity through which users can nowadays be targetted has been abused by actors seaking to disrupt important events or change (political) opinions of masses of people.

The GDPR wants to limit the amount of data that is being collected and the access that is granted to the data, change the way the data is processed, better inform the user of what is happening behind the curtains, and increase the power of the user in updating or removing the data collected on him/her.

The Bad

In the months and weeks leading up to the end of the two-year transition period many companies still had to start working on getting their processes compliant. During this period it became apparent that there was still a lot of confusion on the content of the GDPR, resulting in a lot of incorrect information being broadcasted. It also appeared that the text of the GDPR was not always consistent or too vague. While these were golden days for Data Protection Officers (DPO), other less-legitimate companies saw their chances in taking a piece of the emergency GDPR budgets companies were making available by selling fake GDPR certifications or tools that don’t help companies getting compliant at all.

Also, since GDPR also affects organisations based outside of the EU, many non-EU companies have been forced to redesign their websites and user analytics methodologieseven if they don’t intend to connect with EU citizens (e.g. local webshop or newspaper). These organisations now run the risks of being fined up to 4% of their annual global turnover or €20 Million for breaching GDPR. Small businesses often don’t have the budgets to perform the changes that are required to make their data processing processes GDPR compliant.

The Ugly

The amount of incorrect information being distributed in the last few months have lead to weird business decisions in an attempt to apply a temporary (or permanent?) patch. One of these decisions has been to simply implement geo-blocking on the website, denying access to all visitors accessing the site through an EU ip address. Some US newspaper websites have been observed blocking visitors or altering the website behaviour (e.g. limiting tracking) based on the visitor’s IP-based geolocation.

However, this methodology is completely flawed/ill-informed. The GDPR applies to all EU citizens, regardless of their locality. IP-based identification and blocking of visitors is a flawed technology (due to the ability to change or mask a user’s IP address) used because of the lack of a better alternative. Using IP-based blocking as such doesn’t make your site GDPR compliant and hinders (non-EU) visitors who are traveling in the EU or using a VPN or Tor.

Conclusion

The content of the GDPR is long and not easy to understand. There is a lot of misinformation in the open and shady companies are trying to benefit from the confusion. Some orginations are taking some weird and ill-informed decisions in the hope of getting their business GDPR compliant, often trying to cut corners and costs.

Since I’m not a GDPR expert/consultant I’m unable to provide you with sufficient advise on this topic. I’d suggest you get in touch with an actual expert if you’re still struggling in getting your processes GDPR compliant. Just be aware of companies trying to sell advice or tools that sounds to good/cheap to be true.

If you encounter a website that blocks access to it because you’re accessing it through a EU IP, contact the webmaster or their customer support desk, tell them to stop using this useless blocking, and advise them to contact a GDPR consultant.