Recently, someone gave me a link to a website www.tucson.com. It’s a newspaper. Wikipedia calls it “the major morning daily newspaper that serves Tucson and surrounding districts of southern Arizona in the United States.” Hardly a terrorist organization; so why should any reasonable government want to block people going to their website?
Yet when I follow that link, I get a message that says:
451: Unavailable due to legal reasons
We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time. For any issues, contact jspitz@tucson.com or call 800-695-4492.
Now I’m no admirer of the United Nations, but Article 19 of the Declaration of Human Rights says: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”
A couple of questions from this (maybe) naïve observer:
(1) Is this not a clear breach of my (and their) human rights under Article 19?
(2) Why have EU directives and regulations like this not been rejected, or at the very least suspended, by the UK government since the Brexit vote?
It looks to me as though the website owners themselves have made up that message. If you see that message, you are already accessing the website, but only the page containing that message. If you want to know why, write to the email address given, jspitz@tucson.com, or telephone the number given +1 800 695 4492, and ask.
You’re right John, the website owners have created that message, but why did they need to do it? To avoid prosecution… for what? Opening their website to people who want to use it. On whose say-so? OK, I’ll stop there.
I’ve emailed, asking for an explanation.
John: You seem to have more confidence in the website owner’s PR department than I do. But thanks for your effort. And please report back to us on the reply you get (if any).
Similarly, you cannot access the BBC iPlayer from the States (or US channels from the UK for that matter). On the wider picture, I am in the transport industry, and I have noticed that several EU Directives, which are not due to come into force until after we have ‘left’ the EU, are being implemented as though nothing had happened. I believe that will be the pattern from now on – EU Directives will be implemented as though we were still in the EU. EU Regulations, on the other hand, will be more interesting. At present, they come into force automatically, without any input from our elected representatives in Westminster. After next April, they will either not come into force (although I don’t know what provisions the ‘transition period’ has in this regard, or they will have to be implemented in the same way as Directives are at present, by Statutory Instrument, although this will again happen without any reference to our elected representatives. The laws pour onto our Statute Book, as they have for forty five years, regardless of whether our MPs are sitting or sunning themselves on some foreign beach. They are an irrelevance to the governance of this country.
Note that the GDPR is something of a special case: It is intentionally and explicitly extra-territorial. The EU specifically states that it applies worldwide to any resource or entity in the world that handles information of an EU citizen. And so, no matter where you are in the world, EU law has suddenly reached out and tried to usurp your local legal system’s power.
You can kind of see why many foreign newspapers have simply decided to block the EU entirely. I don’t blame them.
Similar steps of blocking the EU might well have been taken if Article 13 of the EU’s Copyright Directive[1][2][3] had been passed. It might still come back and be passed and, if so, I expect even more of the Internet will become off-limits to EU users due to rational self-defence by non-EU businesses and organisations.
One thing that hasn’t been explained as yet is how the EU will enforce the GDPR in countries outside of the EU. Within EU countries, enforcement of GDPR is the responsibility of local enforcement authorities (e.g. ICO in the UK) but how this would work in non-EU countries I don’t know. Would the courts in non-EU countries uphold EU law against their own native businesses and organisations who are in fact complying with their own national laws? In some cases I actually suspect so but not everywhere.
Footnote:-
1: Guardian: ‘EU votes for copyright law that would make internet a ‘tool for control”: https://www.theguardian.com/technology/2018/jun/20/eu-votes-for-copyright-law-that-would-make-internet-a-tool-for-control
2: Letter to the EU parliament by concerned experts: https://www.eff.org/files/2018/06/13/article13letter.pdf
3: The Register: ‘European Parliament balks at copyright law reform vote’: https://www.theregister.co.uk/2018/07/05/eu_copyright_vote/
Hugo: Yes, when the “ship of state” begins to turn, the former steerers have a problem, no? Let’s hope they end up in “steerage.”
This is very common indeed. A lot of US news/newspaper websites have simply decided they can do without EU visitors due to the cost and hassle of implementing GDPR (i.e. it negatively impacts their business model and/or adds to their costs and risks in a way they simply don’t want to have to endure). This is not governmental blocking; it’s just business.
To address your specific questions:
(1) (a) I don’t think this is realistically a breach of Article 19 of the UDHR. The language used in the passage you quoted could be read to mean that there should be no limits whatsoever on what websites, including commercial ones, anyone can read but I can’t believe that the authors of the Declaration meant that businesses or organisations worldwide should provide totally unlimited access worldwide to their information resources no matter what.
In reality, certain businesses have simply taken a commercial decision to not do business with certain customers. Regardless of the UDHR, I see nothing wrong with this. The websites in question are the property of the owners and it seems only reasonable that the owners should be able to do with their property as they please. Just because their property is an information resource should not change this.
(1)(b) Is Article 19 of the UDHR actually law in the USA, anyway? The UDHR is not itself a law, as I understand it. The UDHR Wikipedia article[1] tells me that the International Covenant on Civil and Political Rights[2] may have made the UDHR law in signatory countries (which includes the USA) but I haven’t bothered to read further to find out if Article 19 of the UDHR is included.
(2) EU directives, regulations, etc. have not been suspended by the UK government because the UK is still part of the EU and so is still subject to EU laws, directives, and so on. It would have been most satisfying to see certain EU rules or regs rejected immediately but then, if the UK had decided not to play by the rules and gone its own way immediately (whilst still actually in the EU), we would have had no moral grounds on which to demand that the EU and its other member states play by the rules.(Whether or not the UK government has actually had the competence and/or need to use this moral highground is another matter, but playing by the rules is definitely the right thing to do for the time being).
Furthermore, all EU laws, directives, regulations, etc. in force at the moment of Brexit will remain as native UK law after Brexit in exactly the form that they hold at the moment of Brexit. This is legislated for in the European Union (Withdrawal) Act 2018[3]. Remainders have used this to ridicule Leavers but of course it’s the only sensible approach: It means that the British people, Parliament and government can consider what needs to change at a pace that is suitable for us (as long as the government does not negotiate away British sovereignty!).
If you really want to access a blocked site then you need to use a VPN service provider with an outlet port in the USA (most do have such a thing). That way you will appear to the website that you are in the USA and will be able to see it.
Footnotes:-
1: Wikipedia article on UDHR: https://en.wikipedia.org/wiki/Universal_Declaration_of_Human_Rights
2: Wikipedia article on the International Covenant on Civil and Political Rights: https://en.wikipedia.org/wiki/International_Covenant_on_Civil_and_Political_Rights
3: European Union (Withdrawal) Act 2018: http://www.legislation.gov.uk/ukpga/2018/16/contents
Business done under “governmental blocking” isn’t truly business.
As I said, there is no governmental blocking whatsoever in this case. It is entirely a commercial decision by individual businesses outside of the EU who don’t want risk being attacked by EU laws or have to bear costs associated with accepting access by EU residents.
I agree about the toxic nature of state meddling in what should be private business and/or personal decisions but that’s (sort of) a different thing to the specific non-EU businesses’ responses to GDPR. The businesses are choosing to block and no government is requiring them to do so.
None of this explains why you cannot access UK sites from the US. I actually thought it was something to do with advertising.
With regard to the status of EU Directives and Regulations from next April, the Directives will remain in force anyway, as they are already implemented by UK law. Regulations will (obviously) have to be incorporated into UK law when we leave, or else there would be legislative chaos. We will then ‘own’ them and be able to get rid of them at our own pace. A while ago I calculated that if we abolished ten EU Directives per day, it wold take us forty years to get through them all. Of more concern are the Directives that are not due to take effect until after we ‘leave’ the EU. In theory, of course, these will never take effect, but the government seems to be implementing them just the same, as though the referendum had never happened. I predict that this will become the norm. The difference, of course, is that we will no longer be legally obliged to implement Directives after next April. But that doesn’t mean we are not going to implement them! Plus ca change ….
Where is that happening?
It could well be due to advertising or content licensing (or in the case of the BBC the licence fee) but I’ve not seen it otherwise.
I get the same thing on both sides of the Atlantic – I can neither get US content in the UK nor UK content in the US. I haven’t kept a log, but it is a familiar occurrence, and very irritating. Same with DVDs & their various ‘regions’.
Ah, sounds like licensing issues. Very silly and old fashioned but it makes a few people wealthy and happy.
As I said, there is no governmental blocking whatsoever in this case. It is entirely a commercial decision by individual businesses outside of the EU who don’t want risk being attacked by EU laws or have to bear costs associated with accepting access by EU residents.
I agree about the toxic nature of state meddling in what should be private business and/or personal decisions but that’s (sort of) a different thing to the specific non-EU businesses’ responses to GDPR. The businesses are choosing to block and no government is requiring them to do so.
The point about the UN declaration is surely not a legalistic one but a statement of profound significance for the respect of human beings and their rights. If an EU directive itself, or through its entirely predictable effects on others, causes a restriction on access to opinions then it should not be passed. If passed it should not be enacted here.
There can be no doubt that if Mrs May’s advisors’ version of Brexit comes about we will continue to implement future EU directives.
Do not put much hope on revised legislative procedures for implementing them after a faux Brexit – there is already a Select Committee of the HoC and the HoL to review all EU legislation but they are understaffed and their recommendations are routinely swatted away by Europhile governments. In short, there is virtually no oversight of EU directives in Britain and we know there is almost none either in Brussels.
Many Directives are drafted by or for particular interest groups (including big business) and subsequently nodded through.
Is that declaration worth the paper it’s written on in practice?
John Allman has responded as follows. For some reason, his comment dropped to my spam box, and I had to approve it. Unfortunately, I don’t have the privilege to approve comments. (Keir needs to look into this).
Here’s what John said:
JohnAllman.UK commented on Why can’t people in the UK access the website of the Arizona Daily Star?
Recently, someone gave me a link to a website http://www.tucson.com. It’s a newspaper. Wikipedia calls it “the major morning daily …
Here is the correspondence. I’m afraid I don’t understand what it is anybody is worried about. The EU isn’t a jurisdiction. It is a treaty between nation states, each of which is itself a jurisdiction. None of the nation states contracted into the EU has any jurisdiction in Tucson, Arizona.
Subject: Re: Please could you explain the “legal reasons” why I am seeing this?
Date: Fri, 31 Aug 2018 05:37:08 +0000
From: Jorden Spitz, Jill JSpitz@tucson.com
To: John Allman John_W_Allman@hotmail.com
He. Allman,
You’re getting that message because the company that controls our content management systems put GDPR blocks in place and getting them removed has proven to be very difficult.
Here’s a story that has more information:
https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html
Thanks for writing, and sorry for the inconvenience.
Jill Jorden Spitz
Editor
4850 S Park Ave | Tucson | AZ | 85714
o 520-573-4177 | f 520-573-4107
jspitz@tucson.com
Y’all can make of that what you will.
“The EU isn’t a jurisdiction. It is a treaty between nation states, each of which is itself a jurisdiction.” Sorry, you are behind the times. The ‘old’ EU was indeed an inter-governmental organisation which derived its authority from the Treaties signed by sovereign ‘Member States’. That all changed with Lisbon (a.k.a. the Constitution for Europe). Lisbon abolished the ‘old’ inter-governmental EU and created a new unitary state in its place, also called the EU. This derived its authority from the Constitution itself. Many of the changes were subtle – for instance, the European Council, which consists of the prime ministers or heads of state of the Member States – in the old inter-governmental EU, each head of state represented his own Member State in the Council. Now, post-Lisbon, they all represent the European Union. True, the EU’s reach does not extend to Arizona, but bear in mind that Many EU Directives simply enact U.N. Resolutions, which are generally applied in the United States also. That is why things like the ‘war on tobacco’, to take just one example, is being implemented world-wide. People often warn of an impending world government. It is here already.
If you are right in saying that I am behind the times, and that the EU has been (in some sense) a nation-state, since LIsbon, it still isn’t a nation-state with any jurisdiction in Arizona.
I did make that point – but it sort of does (have jurisdiction in Arizona) – see my comments about the UN, which is usually behind these things and is applied in the US as well as the EU.
This is nothing to do with the UN.
As I described in an earlier comment:-
Note that the GDPR is something of a special case: It is intentionally and explicitly extra-territorial. The EU specifically states that it applies worldwide to any resource or entity in the world that handles information of an EU citizen. And so, no matter where you are in the world, EU law has suddenly reached out and tried to usurp your local legal system’s power.
You can kind of see why many foreign newspapers have simply decided to block the EU entirely. I don’t blame them.
[…]
One thing that hasn’t been explained as yet is how the EU will enforce the GDPR in countries outside of the EU. Within EU countries, enforcement of GDPR is the responsibility of local enforcement authorities (e.g. ICO in the UK) but how this would work in non-EU countries I don’t know. Would the courts in non-EU countries uphold EU law against their own native businesses and organisations who are in fact complying with their own national laws? In some cases I actually suspect so but not everywhere.
I should add that enforcement is not an issue where the target business has a presence in any EU country. In that case, the tools of EU enforcement (that is the agencies in each individual country, such the ICO in the UK) can enforce via a local branch.
The EU issues directives, which have applicability in member states by virtue of domestic legislation in each such state, such as the UK’s European Communities Act. But it has no police, no Information Commissioner and no courts except the ECJ, which construes the treaties that bin the EU together, at the request of domestic courts of member states. The EU really isn’t a jurisdiction as such. One is subject to one or other EU jurisdiction so-to-speak, only in the sense that one is subject to the jurisdiction of this or that member state of the EU.
^ bind
To my great annoyance, I typed a reply to this and it seems to have disappeared. Here is another attempt.
Everything you say above about the EU is factually correct but it seems to me that it also doesn’t matter in practice. You have chosen to define “legal jurisdiction” as needing the things to which you refer but, from the point of view of many people and businesses, especially people and businesses outside of the EU, the EU in practice looks and acts exactly like a legal jurisdiction. That is to say that it makes laws that cover the entire EU and it enforces them (and it doesn’t matter whether the enforcements comes from the enforcement agencies of individual member countries who from the the EU itself, the point is that the EU’s laws are enforced).
Thus, from the point of view of most of the rest of the world, the EU most certainly is a “legal jurisdiction” because, as far as they are concerned, it looks and act just like one. Note also that the EU itself can and does take enforcement action (without needing any member countries involvement) if the target is big enough, e.g. EU vs. Google.
Now we come to GDPR specifically. The EU worded the GDPR specifically to apply to the data of every EU citizen, no matter where in the world that data is being handled. This is an explicitly extra-territorial law and, yes, it seeks to impose itself on organisations and businesses who are otherwise entirely outside of the EU. Can the EU get away with this? Mostly yes, I suspect.
And so an Arizona newspaper (and its content management subcontractors) find themselves, in practice, needing to comply with EU law when handling the data of EU citizens.
This EU law impacts their business in a number of ways: It can prevent them from exercising their business model fully (e.g. by preventing them posting targeting advertising or extracting behavioural or interest data), it adds costs since they must implement new infrastructure to accommodate EU citizens’ preferences, and it opens them up to legal attack by the EU or EU member countries’ enforcement agencies.
As you can see, it just makes sense for some businesses to simply choose not to do business with EU citizens. Many US newspaper website have done this. And that is what this Arizona newspaper (and/or their content management subcontractor) have done. It’s just a sensible business decision taking the regulatory reality into account.
The only real unanswered issue is the machanism of enforcement. Can the EU or EU member countries’ enforcement agencies take legal action, under EU law, via non-EU countries’ courts? Can an EU enforcement agency sue the Arizona newspaper in an Arizona court? I don’t know for sure but I do know that similar extra-territorial legal action has occurred and has been taken seriously by the local courts. And so, from a business perspective, it makes sense to eliminate the risk and the otherwise unnecessary cost.
Furthermore, many newspaper groups and content management services companies are very large and so do have some kind of branches or representation in the EU. As such this brings them under direct EU jurisdiction (or jursidction of EU member states, if you prefer) for any worldwide contravention of EU law. As such, it makes even more sense to avoid putting themselves at risk by rejecting business with EU citizens.
And so, whilst you make good points about what could be taken to define a “legal jurisdiction”, it just doesn’t matter in practice. From the point of view of the Arizona newspaper and/or its content management subcontractor, the EU looks and acts exactly like a legal jurisdiction, and it’s a jurisdiction that is not particular friendly to them. Thus, where it demands that they treat EU citizens as special cases, these foreign businesses would rather just avoid doing business with EU citiizens.
Apologies for the typos in that. I typed it quickly because my previous message had disappeared. Also we can’t edit comments here which doesn’t help.
Ok, but this situation has pertained since long before the GDPR came into force. So there must be something else at play here.
It is also worth pointing out that EU Regulations take effect (at least until the 29th March next year) without any input from domestic parliaments. Directives are implemented by domestic legislation, but Parliament’s only role there is to rubber-stamp the Statutory Instrument.
My strong suspicion is that after next April, both EU Directives and Regulations will continue to be surreptitiously implemented by S.I., rubber-stamped by Parliament. The only thing that will change post-‘Brexit’ will be that EU Regulations will need to be enforced by domestic legislation. Watch this space!
Somebody said that the GDPR was nothing to do with the UN. maybe so, but many if not most things that emanate from the EU have their origins in the UN. The ‘war on tobacco’ is an example I cited. Obama was always eager to give these things force in the US also. Whether Trump will be similarly inclined remains to be seen.
What situation exactly? If you mean blocking in this way, no, it certainly did not exist before GDPR. This type of blocking of EU citizens is explicitly due to GDPR and did not exist beforehand.
Blocking due to licensing reasons is a different matter. This certainly did exist before GDPR and of course continues to exist.
It was me who said that GDPR had nothing to do with the UN. It certainly isn’t anything to do with the UN.
As for your comments about the British parliament rubber stamping EU directives after Brexit, we’ll see. I fear you might be right. But at least the ultimate solition to that will now be within the UK and within the control, if they wish to exercise it, of the British people.
Again, I will say ok – I’m sure you are correct – I’m not specifying WHY the blocking used to take place, just saying that it did.
Just as the blocking of BBC and other British sites in America, – it’s a nuisance – that’s all I know. But this GDPR business is a pain in the @rse even domestically. As with everything the EU touches, it has made life more difficult.
“The only real unanswered issue is the mechanism of enforcement.”
That is a rather important unanswered question though. I mean, the Ayatollah Ruhollah Khomeini of Iran issued a fatwa ordering Muslims to kill Salman Rushdie. That’s the analogy I thought of when I learned of the pretensions to worldwide jurisdiction of the GDPR.
If a Pole living in France enters into a contract with a company in Ireland owned by a parent company in the USA, that says “this contract shall be construed in accordance with the laws of the State of California”, and sues in London for an alleged breach of that contract that accrued whilst the Pole was in London, the British court will probably try out of politeness to construe the contract according to Californian law, insofar as English law does not forbid this, because that was the expressed intention of the contracting parties. But this is not the same as saying that the legislature of California passes laws that apply in England and Wales.
I agree that enforcement is an issue. However, it seems that many US businesses are concerned enough about the possibility of enforcement that they feel it is safer to simply cease doing business with EU citizens.
Could or would a civil court in Arizona consider legal action under EU law by an EU enforcement agency in support of EU citizens against a local business? I don’t know but I bet there’s a chance of it. An EU court would certainly consider such an action, even if the defendent wasn’t local.
More substantively, however, as I mentioned, many US businesses have branches somewhere in the EU. In that case, they certainly do come under direct EU jurisdiction (or EU member state jurisdiction, if one prefers that terminology) for their worldwide conduct, even if that conduct relates to an Arizona newspaper. (Who knows where the server might actually be. It could even be in the EU).
I’m notorious in the UK for being an eccentric, an amateur (or at least only semi-professional) litigator. You’ve given me an idea. Another test case to notch on my belt. Thank you.
Maybe I should write to Google head office in California, making a subject access request for all information they hold about me, pursuant not even to real the British legislation, the Data Protection Act (an implementation in one member state of the EU of the EU’s GDPR), but rather pursuant to my asserted worldwide subject access rights under the pretentious GDPR, a piece of meta-legislation decreed by the bureaucracy of a non-existent nation-state, a mere treaty organisation. When Google tells me to go forth and multiply (or words to that effect), I can take Google to court in California, and it’s UK-registered subsidiary to court in England. We’ll soon see what happens.
When both claims have been struck out summarily, as misconceived, for want of jurisdiction, incorrect defendant and want of substantive law in either jurisdiction enabling such claims, perhaps you (and this paranoid newspaper in Tucson) will believe me.
The GDPR’s pretensions to global jurisdiction are as pretentious as the Ayatollah’s fatwa against Rushdie. If somebody needs to sue Google in this manner to prove this, knowing that they are bound to lose, before businessmen will believe this and make commercial decisions to take non-existent “risks” now avoided, then so be it.
Mr Allman, if I were to launch a frivolous or vexatious law suit against you in England, I would be ordered to pay your costs when I (inevitably) lost the case. In Florida (and probably the rest of the U.S.?) that is not the case. Each party would foot the bill for their own costs. So there is no deterrent against bringing such cases. This is why, in the US (or at least in Florida) people will simply cave in and settle when somebody issues a frivolous law suit, rather than spend a fortune defending it in court. This is all excellent business for American lawyers of course.
By the way, somebody mentioned @Hugo Miller. I have no idea what this is.
I postulated the “frivolous” or “vexatious” lawsuits, as a thought experiment. The results of the experiment are that you at least seem to think, like me, that the idea of the GDPR being enforced in Arizona is a tad far-fetched. QED.
You say “….you at least seem to think, like me, that the idea of the GDPR being enforced in Arizona is a tad far-fetched. QED.”
Actually, if anything the reverse is true.
If you or anybody else launched a lawsuit in Arizona, the defendant would be faced with a choice of settling with you, or paying lawyers a fortune to defend their case in court. Even if they win their case it will cost them a small fortune (I am assuming that Arizona is the same as Florida in this regard, i.e. each side pays their own costs regardless of the outcome). They might conclude that the easier option might be to simply comply with the GDPR & save all the bother and expense.
That is not quite the same as ‘enforcing’ the GDPR in Arizona I grant you, but the end result would be the same.
Thanks for your good work, John. “The company that controls our content management systems” is a giveaway.
I hope you don’t mind me copying it elsewhere; notably to http://writerbeat.com/articles/24790-Why-can-rsquo-t-people-in-the-UK-access-the-website-of-the-Arizona-Daily-Star-.
I suspect that what Jill means, by “The company that controls our content management systems”, is “the company we have contracted to manage our content for us, and who can read it”. Probably there is a term/condition of the contract, that the contracting company plays safe, denying access to content that is actionable. The phrase said to be a “giveaway”, doesn’t give away what I wish to understand.
Since attempting to publish the comment that needed to pass moderation, which quoted emails, and which wasn’t published, except a garbled quote from a moderator who found himself unable to permit the comment cut and paste into a comment of his own, I have further asked:
66
Thank you for the quick response. I’ve read the NY Times article. I’m afraid I still don’t understand the problem.
The EU isn’t a legal jurisdiction. It is a treaty between independent, sovereign nation-states, each of which is legal jurisdiction in its own right. None of the member states of the EU has any jurisdiction in Tucson, Arizona. I therefore do not know what harm, from whom, a news source in Arizona fears, if it allows persons who are living in, visiting or travelling through EU member states, to access news stories published on its website. What do the owners of these news sources imagine can go wrong?
If you would prefer me to take up this enquiry with “the company that controls [your company’s] content management”, would it be possible for you to give me some contact details for that. I wish to undestand this new development. In the UK, unlike China, we have enjoyed unfetter access to news sources worldwide for the entire life of the internet. I am minded to get to the bottom of this, and to write about it on my JohnAllman.UK blog (q.v.), and to my elected representative in our Parliament. It is an unprecedented depature from liberty to impart and to receive information, a First Amendment right in Arizona, and a Convention right in the countries that have signed the European Convention on Human RIghts.
You are welcome to publish this email exchange to whomever you wish.
99
I am pursuing this. In view of the problems I seem to be having posting to this page, I may blog about this on my own blog. Anybody reading this who wants to receive an email alerts when I do so, should follow my JohnAllman.UK blog. I shall try also to post a comment here, about what I discover. However, as we have seen, any such comment of mine here is likely to end up in a moderation queue, so also following my blog, as well as this page, is safest.
Of course the EU is a legal jurisdiction. It creates laws that all EU member states are required to implement. That is surely in essence the very definition of a “legal jurisdiction”.
By all means, enforcement of EU rules and laws are usually left to the enforcement agencies of individual member countries (e.g. the ICO in the UK when it comes to GDPR) but the EU can and does take regulatory action in its own right if it chooses. See “EU vs. Google”, for example.
As I wrote above, there’s no secret. It’s already a well known and very common issue. As I said, many non-EU content businesses (such as newspapers), particularly US ones, have simply taken a commercial decision not to do business with EU citizens (as detected by IP address) since (a) GDPR negatively impacts their advertising revenue business model, (b) GDPR negatively impacts any business model they might have that is based upon collecting behavioural/interest information about their users, (c) it costs money to implement systems to deal properly with handling the permissions required for GDPR compliance, and (d) allowing access by EU citizens opens them up to legal risk from EU member state enforcement agencies or from the EU itself if they (the content businesses) are in any way non-compliant. If they are big enough then the EU can and will go after them itself.
The only question is what would the mechanism of enforcement be? Can EU member state enforcement agencies go after a business in Arizona either in the Arizona or US federal courts? The answer is quite possibly yes. In some cases, foreign courts will allow other state’s laws to apply. However, it is worth noting that many businesses have a branch in a EU member country. In this case, they are of course now open to the full range of EU countermeasures by any EU member state enforcement agency.
And so, taking all this into account, it is just simpler, less risky, and cost-effective for some online businesses to simply block EU citizens. It’s simply a business decision taking the regulatory/legal situation into account.
Do any of these documents force a business to do with business with you? I doubt it. And that’s all it is: They are choosing not to do business with you because you are potentially too costly, due to your location.
And, as I also wrote previously above, there could be other EU legislation to come that will only increase blocking of EU IP addresses by US websites. They simply don’t want the hassle if they can avoid it. I rather take thier point.
What Mr. Miller says is, indeed, true in all jurisdictions in the USA. Tort law there does not adhere to what is generally known as “the British rule”. And yes, tort lawyers just love it. All this is why L. Neil Smith, the American political and science fiction writer has advocated in his manual on libertarian policy “Down With Power” that this be implemented in the US, regardless of whether the mercantilist tort lawyers like it.
And as far as the UN Declaration of “Human Rights” goes, it is a statist pile of crap that does not, the way the US Bill of Rights (i.e. Amendments I-X of the Constitution) does, recognize the pre-existence of natural, individual rights and guarantee their protection by the UN. It is based on the premise that there are no individual, natural rights, but only privileges, to be granted to the politically favoured (as long as they remain that way…) and withheld from the politically incorrect by the absolutist, authoritarian would-be rulers of the world who run that disgusting body. I get the impression that Angela Merkel wants to have her own mini version of that in Europe. I applaud the actions of the Arizona Daily Star and any other American businesses who don’t want to have anything to do with this bullshit. I hope there are Canadian businesses taking the same actions.
[…] https://misesuk.org/2018/08/30/why-cant-people-in-the-uk-access-the-website-of-the-arizona-daily-sta… […]
@Hugo Miller
(Replying here as there is no Reply link at @Hugo Miller’s message for some reason)
I agree with you about everything the EU touches.
GDPR is an emormous cost to bear for any business or organisation worldwide that wants to do business with EU citizens. It has undoubtedly, if not obviously, increase costs to consumers and, as this blog observes, effectively reduced choice to EU consumers (although of course geo-blocks like this can be very easily bypassed using VPNs).
That said, GDPR has had some benefits. It does reduce the ways in which personal data can be misused and, even though companies will try to get around this, it does seem to be having some effect that the market alone was not able to achieve. I hate to admit it but it’s true. In particular in this context, it was GDPR that finally forced Microsoft to publicly document what data Windows 10 and, most importantly of all, to document where it is sent. The ‘where it is sent’ information is so important is because this allows users to more efficiently firewall those locations. If GDPR achieves nothing else, I will have be thankful for this one thing.
Whatever the pros and cons of GDPR, there is quite possibly more to come in this sort of vein from the EU. I.e. Plans that will cost businesses money and add risk if they touch the EU in any way, which will thus encourage them to further cut off EU customers or access from the EU. I mentioned it earlier on in the comment thread but one of these is Article 13 of the Copyright Direcive. This has been rejected by MEPs for now but, as the EU never gives up until it gets the ‘right’ answer, it will very likely be back.
@JohnAllman.UK
No Reply link on your post so I am replying here.
I presume you mean the Data Protection Act 2018 (whch replces the Data Protection Act 1998). The 2018 Act is, as you say, the UK’s implementation of the GDPR.
As an aside abd as far as I can see, it’s quite interesting that the government chose to implement it in this way. It’s actually a UK Act of Parliament which seems to do somewhat more than simply implement the GDPR. This means that it would be UK law after Brexit even if the European Union (Withdrawal) Act 2018 had not been passed.
You know it’s not “meta-legislation”: It is legislation, both of the EU Parliament and of every EU member state. It’s real law.
No “mere” about it. Just because the EU is born of treaties doesn’t meant that its power is not real. The reality of its power is pretty much why the UK public voted to leave, isn’t it.
Two things:
(1) California has very recently passed a GDPR-like law of its own. Google might actually be obliged to respond to your SAR under their own local laws! (I’ve not read read AB-375 but it’s here if you want to read it: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375 ).
(2) If you litigate in the UK then you’ll very likely win since Google did not comply with EU law incorporated into UK law. The fact that they did not comply in Calirfornia won’t get them off the hook with GDPR/DPA2018. If Google has an EU presence, which of course it does, then there is no doubt that they are on the hook for their worldwide GDPR compliance. And any legal action in California would then be moot and you wouldn’t prove anything.
You have prompted me to do a tiny bit of research (well, Googling) on how the EU and/or EU nation state enforcement agencies may pursue non-EU businesses (ones without an EU presence, that is) for GDPR breaches and this makes interesting reading (amongst many other articles on the same subject): https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr
(a) It is entirely possible that Google might take your SAR seriously, both in the UK and California.
(b) If they do fail to respond, then (assuming your claim is properly made) then it certainly wouldn’t be struck out in the UK. It would be an entirely legitimate claim.
(c) With the right lawyers it might very well not be struck out in California, especially (I reckon) if you can show equivalence of GDPR with California law.
(d) The UK, as an EU country in which Google does business and has a presence, definitely would be the correct jurisdiction.
(e) As above and as per the article I linked to, it’s even possible that California could be a correct jurisdiction.
(f) In both cases, the defendent would be the correct one as far as I can see.
(g) Substantive law in the UK (and anywhere else inthe EU) certainly does exist to enable such a claim.
(h) And, although I haven’t read California’s AB-375, it seems likely that substantive law may well exist there too.
I don’t believe I’ve disbelieved anything that you have stated factually. I just think you are tilting at windmills
I detest the EU as much as you do but I also recognise that things are as they are.
You have chosen to define the EU as not a “legal jurisdiction” for the factual reasons you have which I accept are entirely valid. It’s just that, in practice, they just don’t matter. When the EU makes laws that automatically apply throughout the EU and when all businesses who wish to trade in the EU or, as in the case of GDPR, wish to do business with EU residents (not citizens as I earlier said), then it really is to all intents and purposes a “legal jurisdiction”. And the key point here is that, as far as non-EU businesses are concerned, the EU both looks and acts exactly like a single legal jurisdiction. That’s just the way it is.
The EU and the GDPR may well be pretentious (I don’t disagree!) but I think they are way more likely to be upheld, even in some non-EU courts, than the Ayatollah’s fatwa.
Feel free to put in the SARs to Google in California and the UK using the format defined in DPA2018/GDPR and/or AB-375 and see what happens. Doing at least this much won’t cost you much. It will be interesting to see what happens.
Your ego and mine, in being proved right or wrong, about this argument, are more-or-less equally small considerations, in comparison with the greater mischief, which we’d both live to combat. Let you and I get out heads together, to a agree, if we can, a plan of litigation-activism. Please email me or phone me, if you seriously wish to take on the “one world, one jurisdiction” globalist cabal, with a test case we’ve cooked up together.
Hehe, I am sorry to say that I absolutely do NOT want to join you in such litigation. But I’d be interested to see you do it if you really, really want to. 😉 (But I truly, honestly, think it would be a waste of time and possibly a very great deal of money).
In actual fact, if you seriously fancy entering SARs then this would be the starting point and it needn’t cost much (or anything perhaps) and your experiences would be informative. A GDPR-compliant SAR to Google UK would obviously bring a legally compliant response. The real test is a GDPR-compliant SAR direct to Google in California. That would be interesting.
But I suggest very thoroughly reading the UK’s DPA2018 and California’s AB-375 first in order to understand exactly what your rights might be under those pieces of legislation so as to know for sure whether or not Google (either in the UK and/or CA) is properly complying.
Good luck, but please don’t spend any money on this!
You don’t even wish to help me to draft any such “interesting” test litigation? Even though test litigation is the only method of determining who wins the “bet” between us, over the predicted outcome of such litigation? You say (if I understand correctly) that I’d win one or both of the test cases of my thought experiment, whilst I predict that I’d lose them both, proving that the EU’s GDPR after all had no jurisdiction in California, as falsely rumoured, and therefore nor in Arizona.
Sorry, I’m just too lazy. 😉 It would genuinely be an interesting exercise but a potentially costly one and, worse, if the drafting of any claim was wrong then it would potentially provie nothing.
In case, litigation is not yet relevant. The first step is simply to make SARs and to see what happens (and this can be done for little or no cost). Furthermore, if Google refuses to comply with the SARs then personal litigation may not be appropriate anyway. The correct response would very likely to be to copmplain to the ICO.
To be clear:
(1) If you issue a GDPR SAR in the UK against Google then (a) they will fulfil it and (b) if they don’t then you’d undoutedly win a case against them to force them to provide it. However, note that it would probably by the ICO’s responsibility to enforce the legislation, so I have no idea whether or not you’d need to issue a claim yourself.
(2) If you issue a GDPR SAR in California against Google then, according to GDPR, they should indeed respond. I think there’s a 50:50 chance in my opinion that they would actually do so. If they don’t do so then:
(a) Litigation in California could well succeed (I think) but, if if it does it could well succeed under Californian law rather than GDPR. Once again, a complaint to the ICO here would still be the most appropriate way to go since they are your local EU data protection enforcement agency and can, one presumes, liaise with their US federal and/or Californian counterparts on your behalf.
(b) Were you to litigate against Google’s UK branch for its Californian HQ’s breach of GDPR, you’d probably succeed since they would indeed have breached GDPR (assumingthe SAR was definitely compliant with the necessary terms defined by GDPR) and, as far as EU law is concerned, they are on the hook for it. But, once again, a complaint to ICO would be the conventional way to go.
Before proceeding, it needs very thorough reading of DPA2018 and AB-375 to be certain of exactly what one’s rights are under those laws and how to correctly exercise them. And speaking to ICO about it all to get their interpretation might be helpful too.
You say “Just because the EU is born of treaties doesn’t meant that its power is not real.”.
It is important to note that the inter-governmental treaty based EU (born of the Treaty of Rome & all subsequent amendments) was abolished by Lisbon, and a new organisation, also confusingly called the European Union, was created in its stead. This ‘new’ EU is a unitary state, which derives its authority from the ‘Constitution for Europe’ a.k.a. Lisbon Treaty.
For this reason, I have always questioned the validity of the approach advocated by Gerard Batten and others, of repealing the 1972 European Communities Act as a means of withdrawing from the EU.
Prior to Lisbon that would have been a piece of cake, but post-Lisbon, we would be putting ourselves in breach of our treaty obligations under Lisbon, which require us to invoke Lisbon Article 50 in order to leave.
We would say we had repudiated the Treaty of Rome (& all subsequent amendments) and were no longer an EU Member State. The ECJ, no doubt, would tell us that we had repudiated a Treaty which was now obsolete, and were still bound by Lisbon.
The EU would then be legally entitled to settle the matter ‘by traditional means’ as I believe Helmut Kohl put it – i.e. tanks through the Channel Tunnel.
Elsewhere in your post you refer to ‘EU countries’ and ‘nations’. The EU consists of Member States, Regions and Administrative Areas. Any mention of countries or nations is heresy as far as they are concerned.
A very good point and thank you for pointing this out. I had not fully realised this.
Hah, quite.
@Hugo Miller
I’m replying again here as there’s no Reply link on your comment.
The @Hugo Miller thing is inspired by Twitter but is now used in many forums and similar on the Internet. It’s just a way of showing that I am responding to/referring to you.
Having done a bit more reading, it looks like they might have done it this way to facilitate data protection equivalence between the UK and EU when the UK becomes a “third country” after Brexit.
You say “Having done a bit more reading, it looks like they might have done it this way to facilitate data protection equivalence between the UK and EU when the UK becomes a “third country” after Brexit.”.
I presume the GDPR is an EU ‘Regulation’. In which case, it will automatically have the force of law in all EU Member States, but only until March 29 2019 in the UK.
I BELIEVE, although I haven’t checked, that the ‘Great Withdrawal Bill’ or whatever it’s called, will be giving legal force to all EU Regulations post-April next year. Directives already have legal force in the UK by dint of domestic legislation, and will continue to do so after we have ‘left’ the EU, so there is no need to touch them. But Regulations will cease to have legal force, so we need to legislate them into force PDQ, in order to avoid the legislative chaos that would otherwise ensue.
We will then ‘own’ both Regulations and Directives, and we will be able to do with them as we please.
I did once calculate, in an idle moment, that if we dumped ten of these things every working day, it would take us forty years to be rid of them all.
It’s the European Union (Withdrawal) Act 2018 that will convert all EU Regulations, etc. that apply to the UK at the moment of Brexit into UK law.
However, if I read things correctly, this Act is superfluous in the case of the GDPR and Data Protection Act 2018 (DPA2018) since the DPA2018 explicitly brings the GDPR into UK law right now. In other words, the European Union (Withdrawal) Act 2018 will have no effect on GDPR since it wil already have been in UK law via the DPA2018.
My inference is that the government chose to do it this way for the GDPR because it will facilitate the UK being able to prove ‘equivalence’ of its own data protection laws to EU data protection laws when the UK leaves the EU and becomes a ‘third country’ for the purposes of GDPR.
A clever move, if I may say so.
And I also look forward to swathes of former EU Regulations being deleted by the British Parliament after Brexit.
I may have to wait a long time, I suspect. 🙁
“…..the European Union (Withdrawal) Act 2018 will have no effect on GDPR since it wil already have been in UK law via the DPA2018.”
I have a rather more cynical interpretation. I believe this is a foretaste of things to come. The DPA 2018 is, at present, superfluous, since the Regulation automatically has the force of law in the UK, with or without the 2018 DPA.
I strongly suspect – and only time will tell – that we will in future (after next April) see more and more EU Regulations, and Directives also, brought into effect via UK legislation, even though there is absolutely no need to do this.
The end result will be that, post-Brexit, nothing will change. The only difference will be that Regulations will be brought into force via UK legislation rather than automatically by dint of our EU membership as they are at present. This will all be done on the Q T by means of Statutory Instruments, rubber-stamped by Parliament.
Perhaps this is what Mrs May means by a ‘common rule book’?
We shall see.
It would have force of law but not be UK law, as I understand it. I think this fine distinction could well matter when it comes to the UK proving its bona fides as a ‘third country’ after Brexit. The longer that equivalent (exactly equivalent) legislation is in place 9via DPA2018), the easier it will be for the UK to be authorised for EU entities to share data with UK ones. I cannot over-state how important this is. Maybe it’s just luck but it’s a very good idea.
I share your cynicism about the nature of the British government (particuarly under Theresa May) but at least any future such attempted rubber-stamping will ultimately be under the control of Parliament and the British people.
It will (ultimately) be within our power to fix the problem and we won’t have to kowtow to the EU’s dictats at present.
Of course, some British governments will want to kowtow but my point is that neither Parliament nor the British people have to put up with it, as long as they can be roused to do something about it. (This is where the natural small-c conservatism of the British people works against them and in favour of centralising statists).
As an aside, this, http://www.itpro.co.uk/encryption/31822/five-eyes-nations-hand-tech-giants-encryption-ultimatum, is a far greater threat to safety, security and liberty for British citizens.