Getting Email Delivered - the ISIPP SuretyMail Blog

Why You Can’t Just Block EU Visitors, EU Customers, or Any EU Traffic Under GDPR

This information provided by ISIPP SuretyMail Email Reputation Certification. The only email reputation and deliverability service with a money-back guarantee!

As we have mentioned in other articles on GDPR compliance, GDPR specifically prohibits the automated profiling of individuals, including of their online identifiers or locations, which means that it is a violation of GDPR to note, in an automated fashion, from what region in the world they are surfing over to your website.

Many of you have asked for the actual language of GDPR which prohibits automated profiling and, by extension, prohibits a site from excluding traffic from the EU. So here it is. (You can read the full text of GDPR here.)

From the prefatory language:

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.

From the actual law – in particular pay attention to the first two paragraphs:

Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 4 (4): ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Article 35 provides for a “Data protection impact assessment” which must be carried out *before* implementing profiling by automated means, and this includes that “A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of…a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;”

And before such implementation, a supervisory authority has to sign off on it, and even the data subjects themselves may need to agree to it.

So, basically, automated profiling of personal data is prohibited unless you jump through all of these hoops.

And that’s how GDPR prohibits the automated detection of IP addresses in order to geolocate and exclude EU visitors and traffic.


4 Comments

    GDPR does not and cannot prevent wholesale blocking of EU visitors by non-EU controlled service providers. Geo-location cannot be used to identify a person alone, so a decision to block access from the EU based on IP address range has nothing to do with personal identification. Simply blocking the establishment of TCP/IP connections from IP addresses known to be in the EU is an even more impersonal approach to reducing GDPR risks.

    It is perfectly valid and even reasonable for non-EU service providers to refuse to serve Europeans due to the likelihood of excessive risks and costs of serving such visitors based on the GDPR law. In most cases, such service providers will have no actual business in the EU and thus the EU would have no way to enforce their local laws on them.

    Of course, if some European still managed to infiltrate the service (e.g. by using public VPN or by flying to the US and connecting from there), then the GDPR language would still cover the scenario but if the service provider has no European presence and does not care about serving Europeans, then again, the EU would have no way to force their local laws on the service provider.

    The GDPR is one of the worst laws ever enacted by the dysfunctional EU and it will hurt Europeans for sure.

    Even the language of the law makes clear that it discusses EU service providers: “…decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including…” – hence if the controller (= service provider) is not subject to the EU or its member state, the above is not relevant.

  • This post is entirely incorrect. Recital 23 of the GDPR explicitly states that no foreign site is subject to the GDPR unless “it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union”. It explicitly states that “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention”.

    In other words, no provisions of GDPR apply to foreign websites that block EU residents because they have made it clear that they do not intend to serve EU residents. Since none of the regulation applies, sites cannot be punished for violating the automated profiling provisions you mentioned.

  • You people are delusional if you think the EU can suddenly start making up global law.

    The rest of the world laughs at the EU for making crap up.

  • Why it seems so complicated to me

This article originally written on May 15, 2018, and is as relevant now as when it was first written.