1. 14

  2. 17

    Personal Opinion: No. RFC725 says, HTTP-451 should be used “when a server operator has received a legal demand to deny access to a resource” and “This type of legal demand typically most directly affects the operations of ISPs and search engines.” Sure, there is no explicit mention of the word censorship, but that is what is implied by the RFC and explicitly stated by the author of the original proposal.

    The GDPR doesn’t require a website owner to block EU users, just to respect their rights as data subjects. Since they refuse service, a 403 code seems most appropriate (“[403] indicates that the server understood the request but refuses to authorize it.”).

    1. 2

      I agree. If a website operates in a way that violates the GDPR, serving the content to an EU citizen is accompanied by a violation of the GDPR. It is illegal for the website to serve them the content, not because of the content itself, but because of the technical process used to serve the content. With the enactment of the GDPR, the server operator has effectively received a demand to deny access to all resources of the website to EU citizens, as long as the technical process has not changed. But it’s about the process, not about the content. And 451 is about the content.

    2. 4

      Blocking EU IP addresses seems pretty dumb when the GDPR seems to apply to EU users outside of the EU

      1. 2

        The comments in the post discuss a 5XX vs a 4XX error and that client-side errors should be fixed by the client. Now I am wondering if the GDPR applies to European citizens or people that are currently in Europe (maybe a day trip or whatever). I usually thought that these GDPR filters are using geoIp. But what if a European citizen is in the US and the other way around? I only checked Wikipedia for this and they say the GDPR applies to EU-citizens. So how to figure out if a web client is an EU-citizen? What am I doing wrong?

        1. 4

          The companies are just trying to protect themselves as best they can. Realistically, a European citizen suing a US-only company in a European court over European law is being frivolous and the company will likely not be affected in any way, so the butt-covering of geoip blocking is more a political statement to potential sue-ers than it is actual legal protection.

          1. 6

            What is the actual message to European users of such a political statement?

            We don’t want your money? We don’t want your data? You do not deserve our technology? We are the Spiders of the Web and you are just a fly?

            Btw, as a European I would really appreciate a clear statement on a website saying “we are sorry but we cannot protect your data and respect your rights, please search for one of our competitors that can do it better”.

            I’m not ironic.
            GDPR defines several important rights for the data subject that imply certain investments in cybersecurity and a basic quality of service. Being able to say “I cannot do this right, please ask someone else” is a sign of professionalism.

          2. 3

            You figure it out by asking them. There are many sites that don’t serve US citizens for various reasons. When you enter them, they ask you to declare you are not a US citizen. It’s as simple as that. If they lie, it’s on them.

            Honestly, this GDPR thing has gotten many Americans acting indignant and generally quite irrational over something that hardly changes anything and is not without a slew of precedent. It’s just the first time US companies are visibly seriously affected by law elsewhere. Now you know how it feels. Get over the feeling and deal with it.

            1. 1

              Well, in principle, I would guess that European courts might be apprehensive about dictating law globally, which would essentially be the case if it was found that GDPR applies to European citizens wherever they may be, and even if a website operator had taken all reasonable precautions to block European citizens from using their site.

              1. 3

                GDPR applies to data of European citizens worldwide and to data of non-European citizens collected while they are in the Union.

                However, if your registration form has a mandatory checkbox “I’m NOT a European citizen and I’m not going to use your services while in the European Union” AND such checkbox is unchecked by default AND you block all European IPs, I think no European court will ever annoy you.