Basically, the GDPR is a law that aims to protect the internet user and, more particularly, allows him to better manage his personal data, and more generally any information that could be used by a website, whether the data is explicitly provided (contact form, newsletter subscription, survey, etc.) or implicitly provided (environment data such as operating system, browser used, browsing history, etc.).
This is the legislation’s basis. Since I am not a jurist, I will not dwell on the GDPR, nor scrutinize or argue its content.
However, I will linger on its consequences for watchers, and for everyone needing to search for information at the international level and working in Europe.
This is the GDPR's second layer, or more precisely how to shoot your own country in the foot in terms of access to information and information protection.
Let's recall a fundamental principle of the law: the plaintiff may request the law to be applied where he notices an infringement of his rights, unless a contract has been signed between the parties or unless there are specific international agreements (such as the Vienna agreement).
Here again, I accept any correction from jurists and hope I’m not wrong.
What does this mean for the internet and more precisely for the GDPR?
Basically, if I am a French internet user and, to take a completely random example, I visit a US site that does not respect the GDPR, then I am entitled to file a claim against it in France.
Several options are then possible for the said US site (or as you understand, every site outside the European area):
1) it implemented everything needed to respect the GDPR, a European-European text, either because the European readership is important or because it was already compatible with the GDPR.
- NB: the award in the category “best LULZ” goes to… NPR.org which, in order to propose an option compliant with the GDPR without tracking, offers, no more, no less, to take you back to the 90s with a text version of its site, which, joking aside, is rather a good thing if you use crawlers.
- Article edited on July 3rd, 2019: since the publishing date of my post, NPR.org seems to have changed this.
2) it does not comply with the GDPR and considers the legal risk not significant enough to take into account.
3) Option 3 is the one that justifies this article. In this last option, the site is concerned with the GDPR and with the legal risk, and since it has determined that you are connecting from Europe, it kindly tells you to go elsewhere. This is what you get in real life:
The message has no ambiguity. Selected extracts from the life of a French and European watcher abroad:
You can find out for yourselves by clicking the pictures.
As we thought we were too many and too well informed in France (and Europe), we probably thought that a law that would require all other countries in the world outside Europe to adopt our law so that Europeans deign to access their websites would be a good idea.
Yet here it is: the problem lies with these two, the US groups Tronc and Lee Enterprises, which between them own 77 news sites in English as well as many ezines, and don’t care about kicking the Europeans out.
According to Mathew Ingram, the Tronc executives also said that they had no intention of updating their sites to follow the GDPR, and that it would not be profitable at all. So, if you were hoping for something better in the weeks or months to come, do not count on it too much.
What is the impact for the watcher?
So first of all, the impact is quite clear on a daily basis. It is impossible to access these sites without using a good VPN. But I will come back to this point.
Another point: French watchers use monitoring software. Yet if this software runs on Europe-based SaaS cloud infrastructure, its servers will simply not be able to monitor the non-European sites that have implemented these banning strategies.
In practice, this means that the SaaS monitoring software on the French/European market must have an infrastructure that offers the option to crawl all or part of the sources from outside Europe.
And ideally, these websites should have the option to visualize information collected on the site, embedded, through proxies outside the European zone.
For the independent watcher, or in SMEs that are relatively flexible about their information system, we can manage to get by. In an international company where the IS is locked down, it will be hard for knowledge workers to put alternative solutions in place.
The butterfly effect
In the end, this law offers protection for the European internet user. Here are some of the side effects already identified, and the potential ones to come:
- Difficulty accessing international news sites. QED the beginning of this article.
- Weakening of IT security for those who want to bypass the protection and would have to install solutions such as a VPN or others. Since we already know that SMEs are not necessarily at the top in terms of protection, this seems to me a non-negligible risk. #rememberransomware
- Potential data leaks when crawling infrastructures are installed by monitoring software vendors who would have to locate some of their servers outside Europe. At a time when some news sites point the finger at Palantir, the GDPR has just sown the seeds to ruin any effort toward securing the French data infrastructure by establishing a de facto Maginot line of information.
- The loss of information outside major media, for example for European blogs or small sites that would give up when facing legal risks and close the door. As small merchants or micro-enterprises often complain, with good reason in my opinion, the law around information and around websites turns into a nightmare for those who are not in the trade or who can’t afford a provider. While voices are rising in Europe to find alternatives to Google, Facebook, and other US giants, we are doing everything, here too, so that small merchants prefer to go through Amazon, or the independent journalist opens a LinkedIn blog or a Facebook page, reinforcing the dominance of these massively American web giants.
These are the points that come to mind first, but there are and will certainly be other negative effects of this piece of legislation.
The technical solutions
For an information worker, the best solution is to use a paid VPN. There are certainly things like Tor, but frankly the throughput is very random…
Besides, when using the Tor network, you don’t really know where your data goes, and so we come back to point 3) of the side effects. We do not necessarily know this either with a company that provides a paid VPN, but contract conditions provide better security and transparency about what is happening.
There are plenty of VPNs. Personally, I use Proton VPN, which I find fast, ergonomic and with a list of well-dispersed servers around the world, and which also offers an interesting iPhone application.
You launch Proton VPN, you log in, and you choose on a map the country and the server to which you want to connect.
However, there are tons of other VPNs such as nordvpn.com, expression.com, etc.
Choose your weapon!
Photo Credits: Frédéric Martinet (me in short) – Bardenas Desert