Saturday 20th October 2018

More than 1,000 US news organizations are still blocking EU users – but that doesn’t mean they are contravening or circumventing the GDPR

According to a database of records compiled by archivist Joseph O'Connor, at least 1,071 US news organizations are blocking EU visitors; however, whether an organization is compliant with the GDPR may depend on whether they intend to target EU visitors or are merely accessible to them.
Jason Smith
by on 8th August 2018

More than 1,000 US news organizations are still blocking traffic originating from the EU, according to records compiled by archivist Joseph O’Connor.

O’Connor’s database currently features 1,071 news organizations and includes prominent brands like the Chicago Tribune and the Los Angeles Times, both of which are Tronc properties.

Some online commentators have taken the view that some of the news organizations featured are circumventing or refusing to comply with the GDPR; however, according to some internet law experts, it isn’t always that clear cut.

In an interview with Indivigital, Lillian Edwards, a Professor in Internet Law from the University of Strathclyde, believes it depends on the organization’s business model and its intent.

“Your answer is in Recital 23 [of the GDPR],” she said.

“The Articles [of the GDPR] are authoritatively interpreted by the Recitals and Recital 23 states that if a person is offering goods or services for the purposes of Article 3 then it should be ascertained whether its apparent that the controller or processor envisages offering services to data subjects”.

The key word in Recital 23 is “envisages”. It also makes it clear that the intent of the organization’s business model is all important.

If a news organization’s business model is based on subscriptions rather than monetizing personal data, it’s arguable its approach is nothing more than a legitimate business decision and the GDPR merely provides the context to make that model clear (through blocking EU visitors).

Consumers may expect to be able to access all news services; however, news organizations do not have a duty to provide for every audience. Moreover, it’s often economically unfeasible to do so.

That said, Professor Edwards also believes if a news organization is monetizing personal data and serving EU users, the situation may be different.

“It’s not on [or] off, it’s not strict liability,” she said.

“This [the GDPR] follows the approach that has been taken in other regulations and directives which have also used a sort of targeting jurisdiction…it’s [about whether] you’re targeting it’s not just that you’re merely accessible…”

Maintaining a subscription model, where users pay to access premium content, makes it easier for news organizations to geotarget their services; however, Edwards also made it clear it depends on the approach.

“Even if you did accept they were managing to work out who was from the EU and offer them a subscription then they [news organizations blocking EU traffic] would need to halt all tracking [monetizing personal data] and it seems from what people are saying to me that they haven’t.

“So they are actually trying to have their cake and eat it a bit. They’re trying to still track, possibly in a way that’s illegal under the GDPR, and they’re charging a subscription.

“I think in an ideal universe the way to go is a low-cost subscription package and as a replacement for monetizing personal data”.

A quick glance at the website of the LA Times, which is one of the 1,071 news organizations blocking EU users, signifies it sets numerous cookies from third-party platforms like Facebook, Google and Bing.

In the months following the enactment of the GDPR on 25th May, many internet commentators have viewed compliance as a black and white outcome: either an organization is compliant or it’s not.

Edwards doesn’t agree with this assessment. She likened the notion that compliance with the GDPR boils down to a list of steps to saying “someone can lose weight if they eat well and exercise; it’s often at that level of generality”.

In the interview with Indivigital, Edwards also argued that the modern definition of personal data is “beginning to swallow everything” and highlighted a paper recently published by Nadezhda Purtova, an Associate Professor from Tilburg University. In the paper, Purtova states:

“…European data protection law is facing a risk of becoming ‘the law of everything’, meant to deliver the highest legal protection under all circumstances, but in practice impossible to comply with and hence ignored or discredited as conducive to abuse of rights and unreasonable”.

Edwards also stated that she believes EU data protection laws may “destroy free-to-user business models”.

Many news organizations took the decision to block EU traffic immediately prior to the enactment The General Data Protection Regulation (GDPR) on 25th May.

The decision isn’t confined to news organizations: many other organizations, including gaming websites and internet platforms, have also restricted or blocked EU visitors.