I don't mean to be confrontational, but as an American with websites in the US, why would I care? The most basic tenet of sovereignty is that a country's laws stop at its border, unless otherwise agreed in a treaty. I may be violating GDPR, I may be violating some Internet content laws in Zimbabwe and Cambodia as well, but laws don't cross borders.
Just as an example off the top of my head: in Thailand, it's illegal to insult their king. Would anyone here refrain from posting anti-Thai-monarch content on their website, in fear of breaking the laws in Thailand? If not, why would I care about GDPR? Imagine what a non-sequitur it would be if someone told an American employer based here in the States that you're violating EU employment law. By definition it... doesn't apply.
I do understand that if I ran a business with European customers, I would need to be in compliance with EU law (I get that), but I'm genuinely confused why I would care otherwise. Are your websites in compliance with Zimbabwean Internet law?
You and your business are crossing borders when you serve traffic to foreign customers, and are thus party to their laws.
No, I'm not a lawyer, but if you really never intend to have any customers in Europe you'll probably be fine (ask a lawyer, not the Internet). But if you do, or might, then you're playing a game of whether or not you'll be caught, and of whether the consequences will be more advantageous than mitigating them.
America projects its laws worldwide with the global financial system, and anything with even a remote connection to the States is a poison pill that is used to prosecute behavior which is almost exclusively outside its borders. Other legal entities can do the same, but to a lesser extent.
IANAL so I honestly can't answer that, and I can totally understand some US sites blocking EU IP ranges because of their business model as an ad outlet for Google or whatever third-party ads.
But even if you don't agree with EU privacy regulations, I hope you can understand that the race to the bottom we've seen in the last decade or so when it comes to online content must somehow be stopped, especially if it is only benefitting very few quasi-monopolies.
My hope would be that we could see a return to direct sponsoring or other first-party ad model, but perhaps I'm being naive here, and I'd appreciate insights from others. Personally, I don't have a problem with ads per se at all, provided they're respecting my privacy and don't come in the form of a JavaScript bomb.
The law applies to websites, not businesses. If your website has European visitors, then it is making the relevant interaction even without business happening. I’ve come across websites that simply deny me access, guaranteeing they don’t have any European visitors. US law spreads in a few ways, e.g. licence to use the dollar, though that may be broader than the exact wording.
Even if you don't think GDPR compliance is important, you probably need to consider the California Consumer Privacy Act and California Privacy Rights Act, if you are running a business that's big enough to be subject to them. These laws are broadly similar to GDPR.
The GDPR explicitly only affects businesses selling to Europeans¹, so you're correct: you don't have to care about it.
¹GDPR Article 3, section 2a. A broad reading would assume that any use of a site by Europeans is also covered (section 2b), but IIRC the various data protection authorities issued guidance that you're fine so long as your material isn't aimed at Europeans: e.g., no European pricing, etc. https://gdpr-info.eu/art-3-gdpr/
You are absolutely right. Unfortunately, the European lawmakers don't understand how international law works, so they created a "worldwide" law without any possibility to enforce that law outside of the EU. For that reason some people call GDPR a paper tiger.
Yes! I thought about that but had a few issues with storing URLs in the sharable URL and don’t want to store any information to create a unique id for every URL.
To provide further assurances to users, all of the code[1] to run the service is made available to the public, including logging/analytics functionality[2].
It's (currently?) hard to guarantee to end users that there aren't any other tricks going on, and to match the version running in production (on a single computer in my office room) to the relevant git commit, but the goal is to incrementally move in the direction of additional (verifiable) transparency for the service.
The most recent court rulings say that because of the US CLOUD Act, all transfers of personal data to the United States are unlawful. Personal data includes IP addresses. These rulings are under appeal, but at the end of the day it's basically true that GDPR and CLOUD are fundamentally incompatible.
Hm, this seems to work incorrectly. The login website https://www.personio.de/login/ , after you specify a company to log in for, does load Google Fonts, and those do not show up in the results as a violation or at all.
Yes. It doesn’t pick up everything. I’m just parsing the DOM and checking for apparent things like script tags, etc. I could have used puppeteer or similar to check all requests made, but the user experience became very slow, so I skipped that.
After reading that a German court has ruled that embedding Google Fonts violates GDPR because IP addresses are sent to the US, I made a web tool to check which servers websites request.
It told me my site is probably violating GDPR. It's a static blog and doesn't collect any information or use any cookies, but it's hosted in the US. There would be IP addresses in the nginx logs, but those would be the IPs of the proxy load balancer from my cloud provider.
The problem here is that the IP address is classified as personal data.
So, it might be illegal to allow an EU resident's browser to even request a website hosted by e.g. AWS Ireland in Region Germany, as AWS belongs to Amazon US.
We're actually thinking to serve EU customers via Hetzner and Bunny.net CDN to guarantee GDPR compliance.
Hmm. My site itself is hosted in the US, so it catches my site as one of the violations. Does GDPR differentiate between first-party and third-party servers in this case?
The solution doesn’t differentiate between first-party or third-party servers. As long as any servers are outside Europe, it marks the site as in violation.
It always feels like the failed EU cookie policy and the GDPR would be better served by an "EU mode browser". It would have third party cookies disabled and first party cookies would prompt for approval the way all browsers used to work. It would disable third party image, css, js, and font hosting without prompting for approval and warning of privacy implications, since all of those can be used to take IP addresses by the third parties. It could even serve up a 'do not track' style indicator for certain privacy settings.
Yes, it does a very superficial job. But checking for third-party cookies, and whether they are being set without consent, is very difficult to normalize and check for.
For now, this is just a simple tool to check where a website fetches its information. However, it takes a shortcut by only traversing the DOM. It would be more precise if it checked all network activity from a site, but then it would have to fire up a browser for every search, and the loading times would be much, much longer (yes, I tried).
But if people find this helpful, I could work more on it to add more features as you suggest.
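The two approaches contrasted above (a DOM walk over script/link/img tags versus capturing every request a real browser makes) can be made concrete. The following is an added example, not the tool's own code: it walks the tags the way the comment describes, but also reads inline CSS, and reports separately which third-party hosts the tag walk alone would have missed. The sample page, the `EU_HOSTED` allow-list and the base host `example.com` are constructed for illustration; a real classification of "where is this server" needs GeoIP/ASN or provider-region data, not a string match.

```python
# Added example (not the tool's own code): a DOM-only scanner for third-party
# resource hosts, and the gap such a scan leaves. Everything below is constructed
# for illustration; the EU-hosted allow-list is an assumption, not a real registry.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that make the browser fetch a URL (assumed subset).
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# url(...) and @import "..." inside CSS also trigger fetches (fonts, images).
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")


class ResourceCollector(HTMLParser):
    """Collects external hostnames, split by how they were referenced."""

    def __init__(self, base_host):
        super().__init__()
        self.base_host = base_host.lower()
        self.tag_hosts = set()   # found via element attributes (what a tag walk sees)
        self.css_hosts = set()   # found only by also reading inline CSS
        self._in_style = False

    def _add(self, url, bucket):
        host = urlparse(url.strip()).hostname   # None for relative URLs
        if host and host.lower() != self.base_host:
            bucket.add(host.lower())

    def _scan_css(self, css):
        for m in CSS_URL_RE.finditer(css):
            self._add(m.group(1) or m.group(2), self.css_hosts)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":           # "url 2x, url 640w" candidate list
                for cand in value.split(","):
                    parts = cand.split()
                    if parts:
                        self._add(parts[0], self.tag_hosts)
            else:
                self._add(value, self.tag_hosts)
        if attrs.get("style"):             # inline style="" may carry url(...)
            self._scan_css(attrs["style"])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                 # raw CSS text inside <style>...</style>
            self._scan_css(data)


# Assumption: hosts the site owner has verified are served from EU infrastructure.
EU_HOSTED = {"fonts.bunny.net", "cdn.example-eu.de"}


def classify(hosts):
    return {h: ("eu" if h in EU_HOSTED else "review") for h in sorted(hosts)}


def scan(html, base_host):
    """Return what a tag-only walk reports, and what it misses until CSS is read too."""
    p = ResourceCollector(base_host)
    p.feed(html)
    p.close()
    return {
        "tag_only": classify(p.tag_hosts),
        "css_only": classify(p.css_hosts - p.tag_hosts),
    }


# Constructed page: Google Fonts is pulled in by @import inside <style>, with no
# <link> tag pointing at it, so a tag walk alone never sees fonts.googleapis.com.
SAMPLE_HTML = """
<html><head>
<style>
  @import url("https://fonts.googleapis.com/css?family=Roboto");
  .hero { background: url(//cdn.example-eu.de/hero.png); }
</style>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js"></script>
<link rel="stylesheet" href="https://fonts.bunny.net/css?family=inter">
</head><body>
<img src="https://example.com/logo.png"
     srcset="https://cdn.example-eu.de/logo@2x.png 2x">
</body></html>
"""

if __name__ == "__main__":
    for bucket, hosts in scan(SAMPLE_HTML, "example.com").items():
        print(bucket, hosts)
```

Even with the CSS pass, the scan is still blind to resources that only appear at fetch time: rules inside an external stylesheet, tags injected by JavaScript after load (the login-page case reported above), and second-hop requests such as the Google Fonts CSS pointing the browser at a further font host. Only a real browser with request capture sees those, which is the trade-off the comment describes.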
I know some folks really like GDPR but I think it overreaches in a number of areas which probably were not fully recognized before the law was created.
TacticalCoder|4 years ago
What about all the users on HN who have websites and who happen to be from the EU though?
It's not because you don't care that no-one here cares.
jka|4 years ago
https://www.reciperadar.com/ does (potentially, as per the notes on the page) pass.
[1] - https://github.com/openculinary/
[2] - https://github.com/openculinary/api/blob/24ac611b1c14b754f23...
kjhughes|4 years ago
Minor bug report: URL input field hangs in spinning state if given URL does not exist, forcing page reload to try again.
hauken|4 years ago
The map state also persists from the second search on, but I will soon have a fix for that.
hauken|4 years ago
But the way the courts interpret GDPR, essential parts of the internet are technically illegal if you are based in Europe.
kuba-orlik|4 years ago
It could at least check if third-party cookies are being set without consent, which is a major GDPR red flag