
Show HN: GDPR Shield – Block EU users from accessing your website

20 points | niko001 | 8 years ago

While I love the EU's new data privacy regulation from a user's perspective, it's a nightmare for businesses to achieve compliance, because of the (sometimes intentionally) vague language of the law. And even if you pay an experienced lawyer to draft the policies and procedures required by GDPR, there's a very real residual risk of predatory law firms collecting penalties from mass-mailed cease-and-desist letters based on technicalities. Even if your business isn't located within the EU, you are required to comply with GDPR because the location of the user matters.

I've built a tool that blocks users who are trying to access your website from within the EU as a short-cut to compliance, which makes sense if your business isn't reliant on EU users and you don't want to spend thousands in legal fees to achieve GDPR compliance.

You can check it out here: https://www.gdpr-shield.io

11 comments

anon5368|8 years ago
Except GDPR also covers EU citizens outside of the EU, so this service is useless.
fiatjaf|8 years ago
Amazing idea. Thank you for doing this.

Indeed, I feel like Europeans must be prohibited from using my services, if they're making unacceptable demands through their regulation malpractices.

usr1106|8 years ago
If that would gain popularity in the US, it would be yet another reason for Europeans not to visit the US. You couldn't reasonably prepare your trip, because you cannot look up local businesses. Of course VPN is cheap and simple, but why bother if you are not forced to. You can spend your travel money elsewhere.
lkurusa|8 years ago
Even if I am not presently outside the EU, I might want to browse your products so that when I do go outside the EU, I will be able to buy such a product from you.

A website that would do this is a huge sign that I should look for the said product somewhere else.

niko001|8 years ago
I recently wanted to check the menu of one of the top 10 US restaurant/cafe chains (which only has locations within the US) while I was abroad and was surprised that they block all non-US traffic. I completely agree that "actual GDPR-compliance" is always superior, but some companies have spent months preparing for GDPR, involving their engineering and legal team. For some, outright avoiding the headache and potential financial fallout if they get something wrong can be the better option, even if it may mean losing a few potential customers.
vernonmorris|8 years ago
I would use this for my website, which gets few EU visitors; however, it'll be cheaper to just use https://www.maxmind.com/en/geoip2-databases which I was hoping to avoid, but this is too pricey to be worth it when we can simply code a bit and pay a lower fee.
dikalup|8 years ago

[deleted]

ronreiter|8 years ago
First of all - it does not make you fully compliant as it cannot know your country of origin when you visit the website. (Origin means where you REALLY are from, not your current GeoIP country).

And second thing - I actually think that it's a great idea as a way to protest and to show how senseless it is to impose such broad restrictions on the act of collecting the data.

Don't get me wrong - I don't think GDPR is a bad idea in general. I just think that people haven't even begun to realize the implications of it. It's not just a "you had one thing" type of thing to follow through. It's a terrible manifesto which completely redefines how user data should be treated, without proper guidance on what's really expected.

For example - if a user logs in and decides to opt-out of all data collection but there's no cookie on him - how are you supposed to know it's the same person if you've logged his IP address the last time he used your website? And if you are using a storage medium that doesn't support one-off removals of data, what are you expected to do? This is just one out of thousands of potential examples of how broad this is, and that's even before talking about the legal fees and UI changes you need to do to make sure you're letting your users know everything they have to know about what you do with their data.

BTW - MaxMind are going to get sued by so many companies because of misidentification :)