2

Let's say I have a service that asks the user for registration details and for some reason I, as a provider of that service, can't comply with GDPR and therefore want to refuse registration of new users protected by GDPR or a similar law. Is it possible to add a clause in the registration form requiring the user to cancel registration of their new account if they are covered by GDPR (or, better, any similar law)?

For simplicity let's assume that I don't have to worry about existing users.

Update: I see a similar question that seeks to achieve the same effect by means of introducing filters or by other disruptive means. This is different, as it relies on a EULA that the user should accept before proceeding to use the website.

Alex
  • It is related, but it is not the same: the question above is trying to achieve a similar result by disrupting the website completely for EU users, whereas I'd like to prohibit registration (while providing access to the website). And then again, I'm seeking to prohibit registration via a EULA clause, not by means of guessing the country by IP and blocking some resources on the website. – Alex Jun 16 '18 at 06:11
  • Your website should already have an EULA; it's called the site's 'Terms of Use' and 'Privacy Policy'. Within your 'Terms of Use' should be a clause that states what legal jurisdiction is governing the site. Visitors agree to these terms in order to legally be able to use the website, regardless of the GDPR. Being under GDPR protection does not supersede or nullify the legal rights you have stated in your site 'Terms of Use'... that's for everyone that visits the website. And it is the legal agreement visitors voluntarily make by visiting the website. – Epiphany Jul 26 '18 at 08:01

4 Answers

3

Yes, you could do this by means of the EULA, provided you are not in the EU yourself.

You only have to comply with the GDPR if you are offering a product or service to people that are in the EU. If you are making it clear that whatever you offer is not available to Europeans, you make your site exempt from the GDPR.

Free Radical
  • Makes sense. I was thinking about adding a line stating that in registration, something like 'you should not proceed with registration if you live in the country that enacted GDPR; if your country enacts GDPR you agree to promptly remove account from the website.' – Alex Jun 16 '18 at 18:48
  • I am not sure about asking if you live/stay in a country that enacted GDPR. I doubt if EU citizens must know whether the GDPR applies to them. But more importantly, it is only called GDPR in countries where they speak English. The alternative would be asking whether they live/stay in the EU. But keep in mind that Iceland, Liechtenstein and Norway will also introduce a slightly modified version in the coming months. – wimh Jun 16 '18 at 20:27
  • 5
    @Alex: the "you agree to remove" part implies the existence of a contract that's being agreed to. That is the opposite of what you're intending to achieve. You want to make it clear that there is no contract, no obligations on either side, and nothing which can be done to change that. – MSalters Jun 17 '18 at 20:36
2

Technically, blocking EU IPs may fall under article 22 section 1:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

And to scope: Article 3 section 2:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

So processing a user's IP to designate whether or not they can access a website violates article 3 section 2.b. And more than likely violates article 22 section 1.

Shinrai
  • 1
    How would you invoke Art 22? If you contact the company directly (as would be your right under Art22) they'd still refuse service and thus the company would not fall under the GDPR, making Art 22 irrelevant. IOW, you first have to show the GDPR applies before you can apply the GDPR articles. – MSalters Jun 17 '18 at 20:39
  • You fall under article 3 section 3.b for monitoring their behavior. Therefore GDPR would apply. – Shinrai Jun 17 '18 at 21:04
  • However, recital 23.3 may provide a counter to my above argument, but it would be on a case-by-case basis. https://gdpr-info.eu/recitals/no-23/ – Shinrai Jun 17 '18 at 21:09
  • The 'catch-22' clause. – Ask About Monica Jun 19 '18 at 00:02
  • Basically, personally I don't think the GDPR is specific enough. There are far too many grey areas and far too many catch-22 instances. – Shinrai Jun 19 '18 at 01:34
  • As a programmer, I can tell you that establishing a geo-location from the IP address does not monitor any individual's behavior, and therefore by definition, is not profiling. Any site operator would walk away from any EU GDPR claims by simply stating that the geo-location from IP is required in order to facilitate controlling bandwidth expenses within a range the site owner is able to afford, and also improve the functionality and security of the website (such as removing bot traffic - the very automated profiling being discussed). What's good for the goose is good for the gander... – Epiphany Jul 26 '18 at 07:40
2

You can outright refuse service to EU citizens. What you can't do is offer them service but only if they accept your terms which include processing their data for non-essential reasons. But an outright block is fine.

user
  • That's not true. Being an EU citizen does not give them the privilege to override the website's own 'Terms of Use' and 'Privacy Policy'. That in itself is a legal agreement between the visitor and site owner in exchange for use of the website. – Epiphany Jul 26 '18 at 08:06
  • @Epiphany National and international laws and regulations always take priority over legal agreements made between legal entities. Put differently, if a EULA or other legal document has a conflict with the GDPR, the GDPR ruling supersedes the EULA. Imagine if the situation was the other way around. People could write their own EULAs for websites that consist of just a single page and put crazy nonsense in them so they could break the laws of their own country. – Nzall Aug 03 '18 at 07:13
  • @Nzall. That's the point... The GDPR is not an international law. That process generally takes place at the United Nations, and is developed in consensus of the global community. The GDPR is only a national law within GDPR countries as well. The GDPR attempts to make an elite class of users on the internet, awarding protections to only a select group of countries at this point. I will respect the spirit and merit of the GDPR concept... but not its implementation. – Epiphany Aug 15 '18 at 08:50
  • @Epiphany think about the practical implications. You can only ignore GDPR if you also avoid doing any business in the EU. But as long as you do that then EU citizens can pretty much ignore your ToS because you have no way to enforce them. – user Aug 15 '18 at 10:03
  • @user. Not true. Here is the WhoIs contact information for the network abuse for the largest retailer in the world, Amazon, and read down in the comments section what they require for abuse notifications. You can hardly say they are following the GDPR, as they store IPs themselves in order to facilitate network security. https://whois.arin.net/rest/poc/AEA8-ARIN – Epiphany Aug 18 '18 at 16:37
0

I don't think this will achieve what you want to achieve. It's well known that, as a general rule, users don't read anything.

So whatever you write on your registration form, users from EU countries where the GDPR applies will register for the service if they want to.

I don't see any reason to think that the fact that they didn't follow the registration instructions would prevent the GDPR being enforced against you if you don't comply with it.

bdsl
  • Are you saying that EULAs are not enforceable? – Alex Jun 27 '18 at 17:27
  • No, not in general. Whether a EULA is enforceable, and what form the enforcement would take, depends on the content of the EULA. – bdsl Jun 27 '18 at 19:05
  • How would you expect your EULA to be enforced? – bdsl Jun 27 '18 at 19:06
  • There was an answer above referring to the EULA. I expect the EULA to be an agreement between the service provider (me) and the user. If a registered user violated that agreement, I expect the law to be on my side, provided that (1) the EULA is within the bounds of law and (2) the EULA expressly prohibits using the service in a way that would make me (the service provider) violate the law. – Alex Jun 27 '18 at 19:28
  • Law to be on your side in what dispute? The law only gets involved when someone invokes it. Are you thinking you would sue the user for disobeying the EULA, or that you would be able to use the EULA as a defence against enforcement of the provisions of the GDPR? Both? Or that the law would be involved in some other way? – bdsl Jun 28 '18 at 14:58
  • If I sign a document agreeing not to stand near you while you practice a Karate kata, I stand there and you see me and decide to continue the kata, you can still be convicted of assault. – bdsl Jun 28 '18 at 15:03
  • Are you thinking you would sue the user for disobeying the EULA, or that you would be able to use the EULA as a defence against enforcement of the provisions of the GDPR?

    The latter: use the EULA agreement against enforcement of the provisions of the GDPR. The EULA will clearly state that the service is not provided to EU citizens; I'm thinking of also requiring the user to enter a country of residence and disallowing registration for EU countries (in addition to the EULA terms and conditions).

    – Alex Jun 30 '18 at 21:50
  • @bdsl. Not true. If you signed the agreement, and violate that agreement with knowledge and of your own accord, then you have waived any right to prosecution of events that directly occur as a result of that breach of contract. This is especially true if that waiver of rights is actually stated in the agreement itself (as it should be if you're smart). – Epiphany Aug 18 '18 at 16:49
  • @Epiphany do you have a source for that? In England and Wales, prosecutions are generally brought by the CPS, officially on behalf of The Crown, or of society at large. They aren't brought by or on behalf of any specific victim. The Crown didn't sign this contract. – bdsl Aug 19 '18 at 05:40