The practice you're alluding to is currently restricted to one surprisingly specific segment, which I'll term the 'hillbilly newspaper'. Seriously: I do not remember ever seeing that message, except when clicking a link to some small-town newspaper in a non-coastal US state. But among these newspapers, the rate is somewhere above 50 %.
EU visitors are obviously a small fraction of their traffic, which allows them to do this. But there are millions of other websites where that's true. And yet, none of them feel the need to implement geoblocking. I just tried Four Seasons Total Landscaping, and it works fine.
So there's something else going on. To cut to the chase, it's publishers being ideological and idiotic: they are trying to make some point about EU imperialism and US sovereignty, by pretending that the EU has powers it doesn't have.
> Yes, that's what regulations do, and it is for the _benefit_ of the citizens.
Purportedly for the benefit of citizens. Whether citizens in actual fact benefit from any given regulation is specific to the given regulation and the given citizen's preferences.
The law applies to any service targeted at EU citizens. It does not apply to services that any EU citizen happens to be using even though they're primarily intended for citizens of other countries.
A "local" Bavarian news site hosted in the US would be in scope, but a local Nebraskan news site hosted in the US wouldn't.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
> The law applies to any service targeted at EU citizens. It does not apply to services that any EU citizen happens to be using even though they're primarily intended for citizens of other countries.
> A "local" Bavarian news site hosted in the US would be in scope, but a local Nebraskan news site hosted in the US wouldn't.
That's a pretty optimistic interpretation of this recital. It doesn't talk about who is primarily being targeted, but the mere intent (or possibility) of "offering goods or services to data subjects in the Union". If all local EU news websites are covered because they're offering a service just by being a news website, then it follows that US sites are offering a service too. The only remaining part is to prove intent. Most of these local US sites blocking the EU are operated by big players like MNI targeted media and Chicago Tribune publishing. Even 1% of the traffic being from the EU would be a big number.
Conversely, if this would indeed exempt them from GDPR, then are all general purpose US news sites not specifically targeting the EU exempt too? Or let's go further, if I have a social media site and 99% of my users are Americans talking about US-related stuff, am I exempt too even if I let EU citizens register and participate?
> If all local EU news websites are covered because they're offering a service just by being a news website, then it follows that US sites are offering a service too. The only remaining part is to prove intent.
They aren't because
... the mere accessibility of the ... website in the Union ... is insufficient to ascertain such intention
Local EU websites are covered by virtue of being EU websites, not because they're accessible in the EU.
> Conversely, if this would indeed exempt them from GDPR, then are all general purpose US news sites not specifically targeting the EU exempt too?
Yes.
> if I have a social media site and 99% of my users are Americans talking about US-related stuff, am I exempt too even if I let EU citizens register and participate?
Yes, unless you're targeting EU citizens by e.g. offering interface localization in EU languages or setting growth targets for the European market in statements to your investors etc.
> ... the mere accessibility of the ... website in the Union ... is insufficient to ascertain such intention
> Local EU websites are covered by virtue of being EU websites, not because they're accessible in the EU.
None of this talks about nature of the content. None of this talks about how few EU users you have. It clearly talks about providing goods or services to EU citizens with some degree of intent[0]. If providing news to people isn't providing a service then any news site should be exempt regardless of content and userbase.
The "mere accessibility" part says it wouldn't be enough to prove your intention to provide goods or services to EU citizens. If you're a local bakery that only sells locally it's pretty clearly you're safe. The information on your website is not the service you're providing. And it would be very hard to argue you're somehow benefiting from or expecting EU visitors.
[0] and the "envisages offering" language is arguably an even lesser standard than the also mentioned "intention"
Thank you, that is an important distinction I did not know about.
So after all geofencing is a sufficient signal to avoid falling under GDPR, unless there are other explicit ways to do business with them from the EU.
For example, if a web store blocks my IP, but I can place an order with an EU country address through a VPN, they are nonetheless obligated to process my data according to EU regulations.
I have some doubts on several points. First, that sounds like a pretty clear signal that the business is pointedly not targeting EU citizens. Such a business would not be envisaging "offering services to data subjects in one or more Member States in the Union".
Second, that business probably does not operate in any meaningful way in the EU, making any obligations under GDPR a matter of legal fiction. With no kind of enforceability, any GDPR rights or obligations are meaningless.
If some online store is getting payments from EU credit cards and sending goods to EU, then they obviously do offer services in EU. There are also some plausible options for enforceability (e.g. seizing all payments from EU), however, the major obstacle is that no regulator will care enough to try and enforce anything for a small scale foreign site. Their #1 enforcement priority is on EU businesses mishandling private data (e.g. loyalty programs of brick-and-mortar shops, telecommunications providers, lenders, etc), and #2 priority is the major online players that each affect millions of people. Most regulators still have a backlog on #1, they're just starting the first enforcement actions on #2, so any attempt for small foreign sites is years away at best.
It costs money to build protections for customer data now?
Oh I'm sure the service providers took information security very seriously as they proclaimed to. In which case, GDPR is only a legal framework they had no trouble (and serious expenses) to adhere to.
> So there's something else going on. To cut to the chase, it's publishers being ideological and idiotic: they are trying to make some point about EU imperialism and US sovereignty, by pretending that the EU has powers it doesn't have.
Could be, but another explanation is that the newspapers have heard of GDPR and don’t understand it (detailed legalese that they can skip by not serving EU citizens, I can’t really blame them), while Four Seasons Total Landscaping hasn’t even heard of it (weird foreign thing about tech — who cares? We sell spades, not computers!)
That would be a dream come true for European tech companies. Imagine the race to fill the gap of Google.com. EU may not be the US when it comes to software but there are many smart people here that would have a huge motivation.
