On Twitter a nice thread of services blocking EU users so they can “comply” with GDPR (General Data Protection Regulation) so that they don’t need to change how they manage and keep data. This may work for them but it also shows users in other markets that the sites just don’t want to comply with what should be basics on data protection. Long story short the services on the list should not be trusted at all by any users in any country.
This entire thread. If a service you use is shutting down, or filtering out, EU users ahead of the #GDPR, then it's a good indication that they're doing things that you probably don't want them to do with your data in the first place. #privacy https://t.co/KwxQcTR4Ay
— Alasdair Allan (@aallan) May 11, 2018
List of services blocking
Here are a few examples of services that are just blocking users instead of following some basic rules on keeping data safe and giving users basic rights to content they created.
Online game Ragnarok shutting down servers for European users, because of GDPR. https://t.co/bq0qyslIgp
— Mikko Hypponen (@mikko) May 5, 2018
Unrollme to stop serving European customers, because of GDPR. https://t.co/tYrmsXlHvS pic.twitter.com/j4W0cBBHYR
— Mikko Hypponen (@mikko) May 5, 2018
SMNC online game to shut down, blaming GDPR. https://t.co/R6XPTJR2Y2
— Mikko Hypponen (@mikko) May 5, 2018
Steel Root is the first security company that I know that’s blocking access to their site from EU, because of GDPR. https://t.co/9HxmGzycHl
— Mikko Hypponen (@mikko) May 5, 2018
What does GDPR require services to do?
The rules are simple, and easy to follow if you take a bit of time to see how your service works and stores data.
Use plain language
The new GDPR explicitly says that you must use plain language, not a giant pile of legalese.
Consent must be explicitly given
If you are going to collect personally identifiable information (name, email, phone, etc), then you must have explicit consent.
Notification of data breaches
You must notify data subjects of a data breach within 72 hours of you becoming aware of it.
Right to access their data
Upon request, and at no charge, you must provide a data subject a copy of the personal data you have stored about them.
Right to be forgotten
People have the right to leave your website and have you not store personally identifiable information about them. Provided, of course, that doesn’t violate any other laws.
Right to take your data elsewhere
Data must be in a commonly used and machine-readable format upon user request.
Privacy by Design
Only ask for data you actually need.