5

Background

Most internet feeds are unfiltered. Everyone who has ever rented or set up a server knows malicious traffic comes in from all over the world, including the European Union (but mostly from other places), as soon as a server is online, and passwords, keys, and/or facilities to firewall malicious traffic need to be ready beforehand.

Scenario

Small Town News USA Inc. (a fictional company) operates a newspaper and web site about Small Town, USA. Primary customers live in Small Town, USA. Recently, their corporate lawyer has suggested they need to pay several thousand dollars to do preparation and paperwork for European GDPR regulatory compliance that affects businesses worldwide with any EU citizen data. Management, thinking it would be less expensive to filter and inconvenience maybe 5-10 travelers and remote viewers who are accessing the website from Europe, decides that the easiest way to deal with GDPR liability is to reject internet traffic from non-USA viewers.

Unfortunately, the commonly available technology to do this involves IP-sniffing. In more detail, a web server is designated as a "firewall/Nginx-reverse-proxy" and would take a connection, examine the IP address (personally identifiable information under GDPR; see FAQ What Constitutes Personal Data?) and then forward only USA connections to a different server containing the Small Town News web site. But "Rejected" connections are still processed by sending back a web page containing only: "Sorry, we can't serve you at your current location." IP addresses and times are recorded in the web server logs. Furthermore, IT staff want web server logs to include IP addresses so that they can ban malicious traffic. This involves automated processing of behavioral data and also storing bad-behavior IPs in other files that update the firewall data, which is held in an operating system table.

It turns out the USA-only filter is an imperfect technological measure. It does not filter out 100% of EU-resident traffic. First, there is no perfect mapping of IP addresses to locations. For instance, an IP address apparently owned by the US Navy could be traffic coming from an EU-resident civilian contractor on his lunch hour who works at a US naval base in, e.g. Italy. An EU-resident visitor to the USA could still access the full website from the USA. Another EU-resident could buy VPN (Virtual Private Network) service to disguise their computer's true location, and that could involve forwarding their traffic from a point within the USA which would allow fetching the full Small Town News website because the Small Town News firewall received a USA IP address.

Enforcement

For those who think this is scaremongering and unenforceable, perhaps read:

How the EU can fine US companies for violating GDPR which isn't entirely certain, but does suggest the possibility of US cooperation for collecting EU civil fines.

Maybe Location-sniffing is also illegal...

The article "Why the US and Other Non-European Companies Need to Comply with the GDPR" on businessknowhow.com claims:

"... identifying people within the EU and refusing them access to your site or service based on the geolocation of their IP address - is actually specifically prohibited by GDPR. GDPR contains a prohibition against 'profiling', which GDPR defines as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, LOCATION or movements."

Since this doesn't cite specific sections of the 100+ page regulation, I don't know if it is correct. It all sounds like a great welfare project for lawyers, regulators, and IT pros who take the time to specialize in this area and bad for the creative entrepreneur who simply wants to put something online.

Question

Is Small Town News GDPR compliant under their (unfortunate) EU-blocking policy?

Or can they only become compliant by outsourcing the filtering to some other company, who can be the scapegoat when filtering is imperfect?

3
  • 2
    Compliance is irrelevant. The EU doesn't get to make laws for any person wholly outside the EU.
    – cHao
    Commented Apr 28, 2018 at 3:05
  • See also: Five Loopholes in the GDPR
    – Paul
    Commented Apr 28, 2018 at 20:57
  • The "enforcement" is where it breaks down, I think. I would be astonished to see the US enforce a GDPR fee against a US company which doesn't have an EU presence. I've seen many articles saying that will happen, but I really doubt it.
    Commented Apr 3, 2019 at 17:31

3 Answers

5

Yes, this is a viable option. And no, it doesn't need to be perfect.

The use of such a filter is a technical means, but it also serves to communicate that Small Town News explicitly does not envisage to provide service to Europeans or others resident in the EU.

If a user chooses to use a VPN to visit Small Town News webpages, it's reasonable to expect that this would be comparable to buying the Small Town News paper in print while physically in the USA. It's a common principle that courts have to decide on jurisdiction, and actions of a party can factor in this decision.

1
  • There are other countries that seem to also value data privacy so there seems to be no use of this actually.
    Commented Feb 6, 2021 at 8:31
4

this technological measure does not filter out 100% of EU-resident traffic

As a personal data processor not established in the EU, Small Town News will have to worry about data subjects in the EU only (Art. 3(2)):

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union

That said, Small Town News will not have to care about GDPR when it comes to serving EU residents who are currently outside the EU.

On the other hand, Small Town News will have to care about GDPR when anyone in the EU (residents as well as US or say Zimbabwean tourists) accesses the website:

Notably, Article 3(2) applies to the processing of personal data of any individual “in the EU.” The individual’s nationality or residence is irrelevant. The GDPR protects the personal data of citizens, residents, tourists, and other persons visiting the EU. So long as an individual is in the EU, any personal information of that person collected by any controller or processor who meets the requirements of Article 3(2) is subject to the GDPR. Where Article 3(2) applies, controllers or processors must appoint an EU-based representative.

From this point, Small Town News has two options (apart from complying with GDPR in full):

  1. Ban EU traffic by IP address so that people in the EU cannot access it. As you noted, geo IP mapping may not be accurate, so this will not provide 100% protection. Also, people in the EU could use VPN/proxy, which will not negate the fact that they are still in the EU and therefore you have to comply with GDPR when treating them; or
  2. Do not offer goods or services to people in the EU and do not monitor their behavior. Using a .us TLD, offering sales in US dollars only to people with a US address only and disabling any user analytics for non-US IP addresses should suffice.
1
  • 1
    As to appointing an EU rep, there is a cutout for low-volume processors. Art. 27(2) "The obligation of ...27(1)... (to designate a representative in the EU) shall not apply to processing which is occasional, does not include, on a large scale, processing of special categories of data... (politics, union membership, gender identity, criminal conviction, some others).
    – Paul
    Commented Apr 28, 2018 at 6:10
-2

If Small Town News USA is only serving webpages it need do nothing.

If you cannot identify a person from the IP addresses, the IP addresses are not personal data

In more detail, a web server is designated as a "firewall/nginx-reverse-proxy" and would take a connection , examine the IP address (personally identifiable information under GDPR; see FAQ What Constitutes Personal Data?)

That FAQ doesn't mention IP address and it isn't an official EU website - although some EU webpages are misleading too. But from GDPR:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

I can't identify anyone from my nginx logs alone - if I only have nginx logs the IP addresses in them are not "personal data". A name isn't personal data if I can't identify someone directly or indirectly from it. E.g. "John Smith" alone is not personal data because there are many John Smiths but "John Smith, 1 Imagined Street, Unrealtown, Nowhereshire" could be personal data. A unique name could be personal data: Aloysius Reginald Archibald Tarquin Quentin St John Smythe (let's hope this person doesn't exist). Can you/the business identify a person from the data to which you have access? If you can then the data is personal data.

If you're still worried, then mitigate/obviate the risk in your logs by setting the last octet of the IPv4 IP addresses and the last 80 bits of IPv6 addresses to zeros and/or set up a retention schedule. You don't need to firewall or filter etc. to block people in the EU.

Also remember that there are six lawful bases for processing personal data. One of them is that "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party". Is protecting your business from "malicious traffic" a legitimate interest?
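
The log-masking mitigation suggested in this answer (zero the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses), as an added example that is not part of the original answer. It assumes nginx's default combined log format, where the client address is the first space-separated field; the sample lines are constructed and use documentation address ranges.

```python
import ipaddress

# Constructed sample lines (documentation address ranges). Assumption: the
# client address is the first space-separated field, as in nginx "combined".
SAMPLE_LOG = [
    '203.0.113.77 - - [28/Apr/2018:03:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58"',
    '2001:db8:abcd:12:a1b2:c3d4:e5f6:7 - - [28/Apr/2018:03:05:01 +0000] "GET /news HTTP/1.1" 200 2048 "-" "curl/7.58"',
    '::ffff:198.51.100.9 - - [28/Apr/2018:03:05:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58"',
    'unix: - - [28/Apr/2018:03:05:03 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
]


def mask_ip(text):
    """Zero the last octet of an IPv4 address or the last 80 bits of an IPv6 one."""
    addr = ipaddress.ip_address(text)  # raises ValueError if not an address
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket;
        # treat it as IPv4 so the result is a.b.c.0 rather than "::".
        addr = addr.ipv4_mapped
    keep_bits = 24 if addr.version == 4 else 48  # 32-8 and 128-80
    net = ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False)
    return str(net.network_address)


def scrub_line(line):
    """Return the log line with the leading client address masked."""
    first, sep, rest = line.partition(" ")
    try:
        return mask_ip(first) + sep + rest
    except ValueError:
        # Not parseable as an address (e.g. "unix:"): replace the field
        # instead of passing unknown content through unmasked.
        return "-" + sep + rest


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

Only the first field is rewritten; addresses that appear elsewhere in a line, such as a forwarded-for header added to a custom log format, would need the same treatment.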

10
  • 5
    Your views of what is personal information differ from those of the EU Court of Justice. In case curia.europa.eu/juris/document/… current position of the EUCJ is that IP addresses are personal information when there is a legal means for the site to identify the person using this. ISPs in Europe (and mostly elsewhere) are required by law to keep records of the IP addresses granted to their customers, and a court can order them to disclose this information in certain cases.
    – Tardis
    Commented Jun 7, 2018 at 21:09
  • A name is information directly identifying a person according to Article 4 of GDPR you quoted. Whether you are called John Smith or something else, as an individual, you have the same rights to have your personal information protected under the GDPR.
    – Tardis
    Commented Jun 7, 2018 at 21:11
  • @Tardis, "IP addresses are personal information when there is a legal means for the site to identify the person using this" - I will edit my answer to be explicit that if you can identify people from IP addresses, they are personal data.
    – Lag
    Commented Jun 8, 2018 at 6:58
  • 2
    Your answer states "I can't identify anyone from my nginx logs alone - if I only have nginx logs the IP addresses in them are not "personal data"." IP addresses are an indirect way to identify a person in the sense of Article 4 of GDPR. Whether you can do it based on the information immediately available to you or not is not a criterion. Since the current criterion of EUCJ is to check whether it is legally possible to identify a person based on an IP address, including through a court order, your statements appear to be misleading.
    – Tardis
    Commented Jun 8, 2018 at 10:03
  • 1
    GDPR applies to the collection and processing of personal data and creates obligations for the Data Controller and the Data Processor. If, as a Data Controller, you collect the name "John Smith" from a person and process it, that person will be the concerned person towards whom you will have obligations in accordance with the GDPR. Whether the name of the person is common or not is absolutely irrelevant.
    – Tardis
    Commented Jun 8, 2018 at 10:08
