Block all EU visitors due to GDPR

GDPR imposes million-dollar fines for who-knows-what infractions, which is insane. Is there a simple no-cost solution in PHP to dealing with it for my personal website? I don't need to track people but I'd like to at least have some idea who's visiting e.g. I want to know browser, OS, organization. I am certainly open to blocking all EU visitors but I know many set their browser to English, so blocking by language is ineffective.

As a non-lawyer and a maintainer of just a simple website that makes no money, I recognize that I'll never fully understand the GDPR and I'll never have the funds to keep up to date on it as it changes. Only large companies can even afford to spend the required amount of time, effort and money. So I need a simple mechanism to block EU users, or else I'll have to take the conservative approach of collecting no data on visitors.

This GDPR law threatens people with economic death for non-compliance, but the vast majority of people have no idea what its vague rules really require. It's a law that favors big companies with resources and is an attack on small companies and individuals.

ndk asked May 19 '18 20:05
3 Answers

MaxMind has APIs for detecting the country in just about every programming language. There are also modules for Apache, Varnish, and Nginx. If you want to go more granular with detecting the correct city, then you have to pay; otherwise it's all free.

See https://dev.maxmind.com/geoip/geoip2/downloadable/#MaxMind_APIs

And since this question was specifically about PHP, you can block EU countries in PHP by first installing the composer package:

php composer.phar require geoip2/geoip2:~2.0

And then using it like so

<?php
require_once 'vendor/autoload.php';

use GeoIp2\Database\Reader;
use GeoIp2\Exception\AddressNotFoundException;

// EU member states as of 2018 (GB still a member at the time)
const EU_COUNTRY_CODES = [
   'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
   'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'GB'
];

$reader = new Reader('/usr/local/share/GeoIP/GeoIP2-City.mmdb');

$ip = $_SERVER['REMOTE_ADDR'];
// If you're behind a reverse proxy, you may need to do
// $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
// or whatever IP address header your proxy sets when forwarding the request.
// Only do that when REMOTE_ADDR really is your proxy: the header is supplied by
// the client and a direct visitor can set it to any value.

try {
    // city() is the lookup method for a City database; its record also carries the country
    $record = $reader->city($ip);
} catch (AddressNotFoundException $e) {
    // Private or unlisted address: nothing to decide on
    $record = null;
}

if ($record !== null && in_array($record->country->isoCode, EU_COUNTRY_CODES, true)) {
    echo "We detected you were connecting from ";
    echo $record->country->name;
    echo ". We do not currently allow connections from the EU";
    die();
}
hostingutilities.com answered Oct 21 '22 19:10
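The reverse-proxy comment in the answer above deserves care, because a direct visitor controls the X-Forwarded-For header. The following is an added example, not the answer's code: it takes the client address from the header only when the request arrived through one of the listed proxies (the TRUSTED_PROXIES values and the stub lookup are assumed stand-ins, the stub replacing the MaxMind reader so the file runs offline), and it checks the country code against the EU and EEA list rather than a continent code, which would also match non-EU European countries.

```php
<?php
declare(strict_types=1);

// EU member states plus the EEA states (IS, NO, LI), where the GDPR also applies.
const GDPR_COUNTRY_CODES = [
    'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
    'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
    'SE', 'IS', 'NO', 'LI',
];

// Assumed addresses of your own reverse proxies; replace with the real ones.
const TRUSTED_PROXIES = ['10.0.0.5', '127.0.0.1'];

// X-Forwarded-For is honoured only when the TCP peer is one of our proxies and
// is walked right to left: rightmost entries were appended by our proxies, the
// leftmost come from the client and can say anything.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;                       // direct connection: ignore the header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;                   // malformed header: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;                      // first address not added by our proxies
        }
    }
    return $remote;                           // every hop was one of ours
}

// $lookup maps an IP to an ISO country code, or null when the address is not in
// the database (private ranges, for example). Unknown addresses are let through.
function shouldBlock(string $ip, callable $lookup): bool
{
    $iso = $lookup($ip);
    return $iso !== null && in_array($iso, GDPR_COUNTRY_CODES, true);
}

// Constructed stub in place of Reader::city($ip)->country->isoCode from the answer.
$stub = fn(string $ip): ?string => ['203.0.113.9' => 'DE', '198.51.100.7' => 'US'][$ip] ?? null;

// A direct visitor sending a forged header is judged by REMOTE_ADDR (US): not blocked.
$direct = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
var_dump(shouldBlock(clientIp($direct, TRUSTED_PROXIES), $stub));

// The same forged value arriving via our proxy, which appended the true client (DE): blocked.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9'];
var_dump(shouldBlock(clientIp($proxied, TRUSTED_PROXIES), $stub));
```

To use it with the real database, pass a closure that wraps the Reader from the answer and returns null on AddressNotFoundException.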

First of all, it's probably best to read about legitimate interests first -- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/ -- then ask what's your legal basis for collecting personal data from users?

Related to your question, there's actually a possibility via nginx and GeoIP database.

Install the GeoIP Database for nginx:

apt-get install geoip-database-contrib -y

Update your nginx configuration (outside the server {} block):

# Block the EU continent from accessing the site

geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_city /usr/share/GeoIP/GeoLiteCity.dat;
map $geoip_city_continent_code $allow_visit {
   default 1;
   EU 0;
}

Inside your server {} block, disable logging of EU users and return 403:

# Disable logging for EU users
access_log /var/log/nginx/access.log combined if=$allow_visit;
# Block and return 403 error message to EU users
default_type text/plain;
if ($allow_visit = 0) {
    return 403 'You are prohibited from visiting this website due to GDPR compliance requirements.';
}

Restart nginx

service nginx restart

Credits to https://medium.com/@jacksonpalmer/gdpr-for-side-projects-blocking-all-eu-traffic-with-nginx-in-3-simple-steps-136ddd8078a4

TermsFeed answered Oct 21 '22 20:10

For those not confident, or not able to access and modify server configurations, there is a simple plugin available for this also which may be much easier for many people to implement. You just add a JavaScript tag to the opening tag in your page(s) code, according to the install instructions provided on the site.

https://www.ezigdpr.com/products/eu-visitor-blocker

By firing the blocking script at the first instance of a page load, it prevents any tracking scripts, plugins or pixels from loading.

If you have the technical ability and access, you can then also consider turning off IP logging at the server level; though it is arguable that if you don't know how to access this, then it may not be in scope of GDPR.

You may also want to read the following blog article, which outlines the different considerations and compliance pitfalls relating to blocking EU traffic.

https://www.ezigdpr.com/blog/2018/06/05/6/is-it-gdpr-compliant-to-block-eu-visitors

Jamie M answered Oct 21 '22 19:10