On the 25th May 2018, the EU’s General Data Protection Regulation (GDPR) went into effect.

Ripple effects from the new regulation were immediately felt across the internet – and not just in the form of a sudden dearth of unwanted emails arriving in people’s inboxes.

Even given the two-year period that companies have had to prepare themselves for the GDPR, it was inevitable that some would be caught on the back foot when the regulation officially came into force.

Facing the prospect of a fine of up to €20 million or 4% of annual turnover for non-compliance, several businesses decided that the best course of action was to deny EU users access to their service – or else to provide them with a drastically reduced user experience.

Let’s take a look at the businesses which are known to have pulled the plug on the EU in the wake of GDPR, and consider whether blocking EU users – whether temporarily or permanently – will be enough to get companies around the regulation.

The Association for National Advertisers (ANA)

Bad news for any EU users who wanted to visit the Association of National Advertisers website and read their insights into GDPR: the ANA is blocking all traffic from the European Union as of the 25th May.

ANA GDPR message

The ANA’s new “EU-only” homepage states that “Due to requirements placed upon the ANA as a result of the EU’s Global Data Protection Regulation (GDPR), we are not permitting internet traffic to our website from countries within the European Union at this time.”

To say this is ironic would be an understatement. While the ANA is not an international body, it positioned itself as a go-to source of advice and best practice on GDPR for US marketers in the run-up to the legislation taking effect – only to itself fall victim to the regulation.

There’s no word as of yet on which specific parts of the regulation the ANA is having trouble with, or when it will make its website accessible to EU traffic again.

The Los Angeles Times, New York Daily News, Orlando Sentinel and a number of other U.S. news websites

The news spread quickly on Twitter in the wake of GDPR taking effect that the Los Angeles Times, New York Daily News, Orlando Sentinel and a number of other US news sites were blocking traffic from the EU and EEA (European Economic Area) due to GDPR.

Specifically, the two media groups whose newspapers are blocking EU traffic are Tronc, Inc. and Lee Enterprises, which between them own some 77 American news titles, plus a handful of assorted magazines and websites. (The Los Angeles Times is currently mid-sale to entrepreneur Patrick Soon-Shiong, but for now falls under Tronc’s remit).

Again, while these might be newspapers aimed primarily at a US readership, news in the digital age is international. Millions of EU readers follow news developments in the US, which may well involve reading articles from newspapers like the New York Daily News.

Unfortunately, it seems as though Tronc has no intention of restoring the availability of its publications in the EU – journalist Mathew Ingram tweeted that Tronc currently has no plans to support the EU because doing so is seen as not economically viable.

Instapaper

If you’re an EU user who’s been stockpiling articles on Instapaper to read at a later date, you might wish that you’d read them there and then. Instapaper temporarily shut off European access to its read-it-later app starting on 24th May, a day before the GDPR regulation went into effect.

The move didn’t go down too well with Instapaper’s users, who were given less than 24 hours’ notice about the change:

Was the move necessary for Instapaper? An analysis by Tech Crunch noted that Instapaper already seemed to have clear and robust privacy policies in place which should by and large comply with GDPR, with functions allowing users to export data, delete their accounts, and “correct factual errors” in personally identifying information.

However, it noted that the policy is unclear on whether Instapaper might be passing information to parent company Pinterest – which, incidentally, doesn’t seem to have had the same trouble becoming GDPR-compliant in time for 25th May.

Unfortunately, by the time Instapaper does bring its app back to the EU, it may be too late to save the business. Disgruntled users are already switching to rival bookmarking services, and it will take some strong brand loyalty to bring them back to Instapaper once they’re already established on another app – particularly after such a sudden and unceremonious eviction.

Unroll.Me

Here’s another ironic one. Unroll.Me, a service which proports to help users unsubscribe more easily from unwanted emails, is unable to help users in the EU and EEA clean up their inboxes in the wake of GDPR.

“While we fully support and are working diligently toward meeting all GDPR requirements, we have determined that we will not complete this effort by the regulation’s start date later this month,” the notice on Unroll.Me’s website states.

As a result, Unroll.Me “temporarily” stopped providing its service to EU and EEA residents on 23rd May.

Unroll.me GDPR notice

However, Unroll.Me’s methods aren’t exactly foolproof: while the company deleted the accounts of all its European users on 23rd May, affected users can easily sign up again by visiting the Unroll.Me website and clicking “No” to the pop-up which asks them if they’re an EU or EEA resident.

In other words, Unroll.Me could easily still be processing the data of EU and EEA citizens, making its denial-of-service a little pointless.

NPR.org

The US National Public Radio website, NPR.org, got a few laughs on social media on GDPR Day thanks to its unique approach to GDPR compliance.

EU visitors to the NPR website are presented with a notice about the site’s use of cookies and tracking technology which requires them to opt in in order to visit the full site. If they decline, they are taken to a stripped-down plain-text version of the site which is (as Alec Muffett pointed out on Twitter) straight out of 1996.

plain-text NPR website

From there, they can browse the text of news articles, the site’s Terms of Use and its Privacy Policy to their heart’s content.

One catch, however: if you want to get in touch with NPR about its new policy, you’ll have to opt in to data tracking – clicking the “Contact Us” link on the plain-text site redirects to the full site, which can’t be accessed without opting in.

An honourable mention also goes to USA Today, which strips down its experience for EU visitors in a much less drastic fashion: with GDPR in effect, EU users are directed to a pleasantly minimalist version of the site, with no ads, no tracking, fast loading and no clutter.

The result is an eye-opening case study in the extent to which tracking cookies, JavaScript, ads and other clutter slow down a site, particularly on mobile. Experts in UX, SEO and digital publishing have been saying as much for years – but sometimes experiencing is believing.

A&E Networks

After GDPR came into effect, US media giant A&E Networks continued to allow EU traffic to its main website, but two of its subsidiaries – Lifetime and History, both UK channels – were temporarily unavailable to EU visitors.

For about six days after GDPR’s enforcement date, EU traffic to the Lifetime and History websites found itself redirected to https://eunotice.aenetworks.com with the message, “This content is not available in your area”. Other A&E channels remained accessible from the EU.

However, at the time of writing, A&E appears to have restored EU access to its Lifetime and History websites after less than a week’s outage.

Does blocking EU traffic in the wake of GDPR make any sense?

Many onlookers have commented on the pointlessness of non-GDPR-compliant companies blocking traffic from EU countries, when EU citizens who are located elsewhere in the world (e.g. studying abroad in the US) would still be protected by GDPR. But are they?

In an insightful blog post, David Froud points out that nowhere in the text of the GDPR is the word “citizen” actually used. Instead, the individuals protected by the regulation are referred to as “data subjects” – which is never explicitly tied to EU citizenship or residency.

In point of fact, the regulation states that, “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”

One of the Recitals (a type of text within EU law) also states that the data processing itself doesn’t even need to take place “in the Union”. So, if it’s not about citizenship or location, then what is the scope of the GDPR?

Two Articles in the regulation – Article 3(1) and Article 3(2) – give an answer of sorts. Paraphrasing slightly (with the caveat that I am in no way a legal expert), they state that GDPR applies if the data controller or processor is “established in the Union”, or if the “data subject” is “in the Union”, even if the data controller or processor isn’t.

Blocking traffic from the EU would probably take the second scenario out of the equation, but the first scenario can depend entirely on how the company processing the data is run, and what “established in the Union” actually means in practice. A blog post by data protection specialists Cyber Counsel points out that:

The definition of “establishment” is very wide; it could, for example, mean an airline having a General Sales Agent, or perhaps even a landing slot in an EU airport can be construed as having an “establishment”.

According to Cyber Counsel, this means that an EU citizen living or holidaying outside of the EU would not be protected by the GDPR, unless their data is processed by an EU-established “controller” – but Chinese nationals whose data is processed by an EU controller, or Indian nationals whose data is handled by an Indian IT company with a UK office, would be.

So, does blocking EU traffic get companies around the GDPR? It may do – as long as the company isn’t already holding onto any personal information from EU data subjects.

Julian Saunders, CEO of UK start-up Port, which sells software to help its clients control data access, told Bloomberg that companies who are blocking EU traffic “still hold data on EU citizens, and therefore they are required to comply and respond to subject access requests like everyone else.”

In other words, just because the company isn’t actively gathering new data from GDPR subjects post-25th May, it may not be exempt from the regulation if it has processed that data in the past – and still holds it.

Another common-sense argument against blocking EU traffic in the wake of GDPR is this: despite all the hype and anxiety around the 25th May enforcement date, the EU does not dole out instant fines to companies in violation of the GDPR.

True, Google and Facebook might have been hit by complaints from privacy advocates the minute the regulation came into effect, but most companies would not be so immediately in the crosshairs. And in the case of unintentional non-compliance, companies would first receive a written warning, giving them an opportunity to fall in line with the regulation before any penalties were applied.

(Again, as far as my non-expert understanding of the regulation goes).

Instead, the companies who chose to make their services unavailable in the EU have wound up drawing much more attention to themselves as a result.

On top of that, by blocking traffic and potential revenue from some 500 million EU users, they’ve hurt their reputations and their bottom lines in a way that could be difficult to come back from.

And as companies publicly shut off their services to EU users following GDPR, many people have been asking the obvious question: “What on earth were they doing with our data?”

Note that this article represents the views of the author solely, and is not intended to constitute legal advice.

Related articles:

gdpr workshop