Im surprised this place is called "hacker" news and iid actually filled with privacy conscious people but nobody bats an eye about not being able to delete comments. I have to create new accounts every so often to avoid being doxxed by the alt-right.
It's not "hacker" news you monkey with a keyboard. If it were you'd be able to delete your comments. Also alt-right and Russia are everywhere and very dangerous
"The extraterritorial nature of these two frameworks..."
I've noticed that this is something the EU has tried to do lately, to just sort of push their regulations on the rest of the world. I don't see what sort of authority they'd have to impose this on citizens of other countries.
I wonder if Europe pushes the issue, if this will be treated like libel tourism, where US citizens and companies without a Eurpoean nexus will be explicitly protected from judgements against them.
> I don't see what sort of authority they'd have to impose this on citizens of other countries.
The authority they have is that delegated by the sovereign members of the EU, and the fact that the authority of a sovereign power is limited only by its own decisions and it's practical capabilities.
(The US also imposes it's ruled extraterritorially when it feels like it.)
I agree but I think a similar question would be: how would this ever be enforced on a US based company/website where it had a EU visitor. I wrote this in another comment but I think outside of just blocking your site in the EU, they would need a further agreement (or I guess precedent) with the US government to actually enforce a penalty on the US company.
> but I think outside of just blocking your site in the EU, they would need a further agreement (or I guess precedent) with the US government to actually enforce a penalty on the US company.
The US has given lots of precedent cases for that. The usual approach the US takes is to force the banks the foreign site is operating with to seize all assets. The EU likely would do the same.
It's quite simple. If you want to do business in the EU or with people who reside in the EU, you need to comply with the EU's regulations.
Don't like it? Don't do business in/with the EU. Then you're free to ignore their frameworks, rules and regulations.
They are not trying to "impose their regulations on the rest of the world", they're trying to protect the privacy of their inhabitants. That this leads to measures that need to be taken by companies doing business with (the data of) their inhabitants is a side-effect and only logical.
Geoblocking IPs is not a solution, unless you're willing to let some people slip through and block people who you don't need to block. Also, not everyone connecting from a EU country is a citizen thereof.
GDPR doesn’t just apply to citizens of EU countries, it also applies to residents and potentially people just passing through (e.g. changing flights at an EU hub).
If a business decides to opt-out of doing business with the EU as a result, what measures do they need to take? Would a banner asking "Are you an EU citizen? Yes/No" suffice? Or would we have to use some kind of Geo IP tool? How would that defend against EU citizens using a VPN or Tor, and what would a business's liability be in that case?
Simply stop accepting European credit cards. Just like many EU online shops do not accept non-EU (or what blacklist do they have) cards. At least I haven't been able to buy an ebook without a proper European card and/or billing address.
ok, but maybe combined with the notice that if you're from EU, you should leave, that would be an effective measure to show you mean it when you say 'no business with EU'.
What kind of business exists where it would be cheaper to drop European revenue than comply with GDPR?
The major tech companies impacted by the law are already likely taking steps to comply. Is anyone seriously saying they’d rather just wave goodbye to an entire continent?
Not all organisations will need to be compliant with GDPR. By that I mean, if your organisation only do marketing in, for example, the US and Canada, only accepts USD/CAD and they are no legitimate appearance that you do/want to do business in Europe, you are not required to be GDPR compliant, even if an european customer goes on your website and purchases a product/service.
If your website accepts Euros, has multiple european languages (e.g. spanish, german, etc.), you do marketing in Europe, then we can conclude that you legitimely do business in Europe, you are then required to be GDPR compliant. This is indicated in one of the GDPR article (can't remember which one)
"[...]Whereas the mere accessibility of the controller's,
processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use
of a language generally used in the third country where the controller is established, is insufficient to ascertain
such intention, factors such as the use of a language or a currency generally used in one or more Member States
with the possibility of ordering goods and services in that other language, or the mentioning of customers or
users who are in the Union, may make it apparent that the controller envisages offering goods or services to data
subjects in the Union."
So what, English and French? Those are the two major languages of the union, but are also the two official languages of canada. Seems like you can easily get hamstrung on a technicality.
Those are factors, not hard and fast rules. If you are a Canadian company and you provide services in English and French, that alone wouldn't indicate that you are targeting EU users. There would need to be other factors indicating your intent to target EU users.
This are all limitation/qualification upon whether you qualify as providing goods/services.
Yet, that is only one of two reasons why you would be subject to GDPR, the other is "the monitoring of their behaviour as far as their behaviour takes place within the Union".
As far as I can tell, logging a european IP address together with urls (i.e. an access log like every server has) would qualify you even if you aren't doing business there.
You might need to add something to your terms asking the lines of users certifying that they are not EU residents or citizens and agree to not move to any EU country, and if they do any of those things they agree to indemnify you for any legal expenses or fines resulting from that.
There's a big difference between "in the EU" and "with people who reside in the EU". When I come to the EU to do business, sure, I'll comply with their laws.
But it's very different to expect people who live outside the EU to respect EU laws, just because someone from the EU happens to choose to visit their website. I don't see this as any different than if someone in the EU was to visit a convenience store in the US - should the convenience store owner be bound by EU regulations in that case?
For the same reason that downloading a song is different than stealing with a CD. Digital stuff is innately different.
You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU. And as with any law, if you're sufficiently small fry the EU isn't going to care about you until you actually screw up. Don't accept euros as currency. Don't offer to ship to EU nations. Done. If you do accept payments/ship/etc, unless you're a multinational, the EU probably won't care anyway, as you'll fly under the radar, unless you leak customer information. Do that in a sufficiently extravagant way, and they -will- care, but unless you have assets in the EU they can't/won't do anything about it anyway.
I see multiple comments mentioning this. Do American banks restrict which currencies your credit card can be charged in? As far as I've been able to tell, my bank lets me pay in any currency I'd like, and they will convert the amount to SEK before charging my account.
If dealing with digital products, allow people to purchase without creating an account, or require them to select a country as part of account creation (and prevent those selecting the EU, or don't make it an option). If the bank processes the payment, but you've collected no information, you can't run afoul of the law (since you have no information).
> If the bank processes the payment, but you've collected no information, you can't run afoul of the law (since you have no information).
Don't have server logs with IP addresses? Don't collect an email for the user to use to log in? Don't receive customer support recieve from these users?
> You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU.
I wonder how ads play into all this. E.g. are people who watch an ad on YouTube considered YouTube customers? Are they considered customers of the ad company?
My concern is that we will see more (non-EU) companies implement something where users "pay" for services/features by watching ads. I do also wonder how it then affects the ad companies if they collect personal information about the user. Does the user count as a "customer" if the ad company is the one paying?
The simple answer to that is that the advertisers pay you to show ads to EU users because they want to get money from EU users; so these advertisers are/have to be GDPR compliant, especially if they're using user information to target ads, and they'll have to be sure that this user information is legal for them to use.
The advertising networks are clearly doing business in EU as they're getting paid by these advertisers - so all the major advertising networks will have to be GDPR compliant. So in this regard, the ads (and user info used for these ads) shown to EU users will (in practice) have to be GDPR compliant even if your site doesn't care about it, because everyone who'd want to pay for these ads has to be compliant.
> advertisers pay you to show ads to EU users because they want to get money from EU users; so these advertisers are/have to be GDPR compliant
This is the part I'm not sure is true.
Sure, if the ad agency's company motto is "delivering ads to EU users since XXXX", they obviously have to be compliant, but what if they are a US-based ad agency and none of the companies selling them ad space are in the EU? How many layers does one need to circumvent this?
I'm not talking about ad agencies, but about the actual advertisers. Why would a company buy ad impressions if they're not selling to these users?
Almost every ad I see is from some company that is actually eager to sell stuff to me, so they're doing business in EU, and have to be compliant.
All advertisers who care about me won't be allowed to buy my data from US-based ad agencies, so even if such US-based agencies can gather the data, it's worthless, since noone would buy that.
> You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU.
This is false.
If you offer a free product and one of the companies you publicly list as a user has a presence in the EU, then you need to be compliant.
If your signup page has been localized to Estonian, you also probably need to be compliant.
"Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
The comparison to the convenience store fails because in the digital realm, the customer does not need to physically travel outside the EU to do business with somebody outside the EU.
Or, to look at it another way: If it weren't extraterritorial, ad providers (for example) could simply close their local branches, and EU citizens would not be protected from consent-less data gathering. To realistically be able to fulfill its mission, the GDPR _has_ to be global in scope.
Why don't ad providers simply close their local branches, stop accepting these tainted Euros, and collect the data anyway? As mentioned elsewhere in the thread, there's limited mechanism of enforcement.
It's something that basically every big block is trying to do, the US has enforced DMCA and other stuff on other providers as well.
Though in principle, GDPR only covers EU citizens - if you would be selling a product from Australia that exploded upon using it for the first time to an EU citizen, wouldn't you expect EU authorities to go after you as well?
Hmm, if you're selling into the EU, it's EU regulations that you have to follow, not Australian. Maybe we just misunderstood each other, I'm talking about shipping a product to the EU.
The GDPR applies to transactions with a nexus in the Union. If a US or Chinese traveler books a hotel in Germany, the GDPR protects their data. If a Chinese hotel chain offers a room to a German guest, the GDPR applies to processing of that guest’s data, even if the chain has no other presence in the Union. If that chain stays out of EU data protection agency reach, enforcement is a non-issue. But if Germany and China were to enter a bilateral agreement (as the US will), or if the Chinese hotel chain wants to establish a presence in Europe, then compliance is not optional. Fines are up to 4% of “global turnover”, which is a serious risk to take lightly.
> If that chain stays out of EU data protection agency reach, enforcement is a non-issue. But if Germany and China were to enter a bilateral agreement (as the US will).
this is a very good point actually, GDPR will probably also be used in trade agreements as a requirement, in which the EU has a lot of leverage compared to most other nations/trading blocks across the world.
In the end, the reason the EU can do it is simply because it has enough political leverage to make this happen.
edit: To add to this, I think these kind of things will be good in the long run, especially when the EU starts more trading talks with smaller nations, which are usually very eager to get into a trade agreement with the EU, especially for african nations as it usually allows more ways for legal migration and includes foreign aid a lot of the times.
If you have ever opened a bank account in Europe, you have come across a checkbox, where you have to specify that you are not an American citizen. The US pushes their regulations on companies outside their jurisdiction, too.
the result for banking is that European banks refuse to let Americans open bank accounts
depending on the levels enforcement I suspect the same will be true of many popular online services for GDPR: you check the "EU citizen" checkbox and you're banned
Any multinational is working on mitigation right now (including my own company) since GDPR compliance is based on having customers in affected regions, not being located/headquartered in those regions.
Absolutely! Anybody who does business in Europe or even has users in Europe is subject to this law.
The amount of effort being put into GDPR compliance within my organization is just staggering. It really makes me think about these kind of laws from a new perspective, because they cost businesses so much to implement.
(I'm not saying whether GDPR is right or wrong! Just that it's expensive.)
I would (maybe naively) think that the cost of GDPR compliance would be small if your company is already safeguarding user data and respecting user privacy. If a company’s cost is “staggering“ doesn’t that say a lot about its existing privacy practices?
It says a lot about the cost of privacy, period. The cost would be staggering whether they're modifying existing things, or creating new things, just in terms of ensuring "Yes, we're doing this correctly".
I just find it hard to believe that the law is a significant cost to companies already doing the right thing. Sure, there is a non zero cost to ensuring your existing practices are lawful, which everyone must pay. But companies already in compliance shouldnt have to modify or create anything.
The companies that have to spend significant coin are the ones who are not already complying.
Part of the cost is -documenting- what you're doing. Ensuring the right stakeholders are involved and signed off on it. Etc. When there's a regulation to do it, suddenly you have to involve legal, and the business stakeholders want to better understand it, whereas before it may have just been the developers.
I'm not sure. I think this is a very absolutist and probably naive way to look at it, frankly.
For a simple example, let's say you use an immutable data store. What do you do if a customer wants every info about them redacted, but you did something like store their IP, name, or email. All common things. Now you must build mutability into your store and all assumptions that used to be made can be removed.
This is just a very small piece of something that even a small or medium company may be using or doing.
Will this satisfy GDPR requirements fully? What if that key had somehow been involved in an unknown leak in the past (of just the keys) and then the data is exposed somehow in the future?
Leaks are punished, as they probably should be, under gdpr anyways. But now do we have to account for all of the keys over time and have it be probably gone? What if we take backups of the systems that stores the keys? Do we have to purge those backups as part of the deletion request? What if they're terabytes in size?
Right, but you had assumptions built into your data store before, namely that you could keep all info about someone for eternity, and that you'd never have to correct it.
Definitely not true. GDPR significantly broadens the types of data subject to legal requirements. Whereas yesterday I only had to protect PII and content, now even telemetry and performance data becomes subject to new rules.
This is a huge problem for an org that relies on huge amounts of such data to keep our product running and uses systems which were never built with these new rules and classifications in mind.
Furthermore, there are huge complications surrounding "data processor" scenarios (in other words, Enterprise SaaS products). For example, what takes precedence, GDPR deletion or our contractual security/auditing obligations?
Again, I'm not saying that any of this isn't worth while, just that when you get down into the weeds things look a little different.
I think the main issue that I see is that whilst GDPR doesn't massively expand the scope of what is personal data beyond that under existing data protection law, it does expand the territorial reach of data protection law.
US companies who previously had the narrow scope of PII to handle, now have to consider the much broader scope of 'personal data'. I am sure that for lots of US companies providing services to EU citizens/residents that will definitely represent a substantial burden.
Even for EU companies, the reality is that many will have previously taken a view that the size of potential fines was not high enough to warrant giving certain matters that much attention or at least spend money on areas they considered more important. For example, if I have a choice between implementing additional security measures to protect my network versus building functionality to delete on command, many companies will have gone with the former.
On retention, my view is that if you consider it necessary to retain information for purposes of auditing/security, and have made that clear in your contract with the client (who would then should make that clear in their privacy notice if they don't already have a general caveat around that), then the right to delete under Art 17 does not kick in because Art 17(1)(a) is not engaged. Also, dependent on the grounds on which you are looking to retain Art 17(3) gives a controller a clear ground to retain.
Also the right to erasure is one that will generally be directed at the controller. The controller would then flow down that request to a processor but that is where the contractual protections would come in, which in my experience, most clients are generally willing to accept.
I presume you're talking about things like informing users how their data might be used, storing user data securely, and not selling it to third parties. That sort of stuff is relatively easy.
The GDPR imposes some new requirements that were not previously part of any privacy best-practices that I'm aware of, and that create some system complexity. Chief among these is the right for users to retract consent after it has previously been granted. This effectively requires processors to be able to delete individuals' data from their records, something that was not a design requirement of many systems. This becomes increasingly more difficult as user data has often been aggregated, and joined with other data sources.
Another key differentiation of the GDPR compared to previous legislation is that it applies not only to data that identifies a person (such as by containing a name or social), but to data that could in theory be linked back to the user through a common identifier. Previous best practices have considered the user's privacy protected if they were identified through a hashed email or an opaque database identifier, but the GDPR does not consider this sufficient anymore.
Thanks for the details! I can see how this could get costly for complex systems. As a user though I would think all those things you listed would be existing privacy best practices but I guess that’s being way too optimistic. Scary what companies are currently getting away with, too but not surprising.
I think you're right in that those things would be (or should be) considered "privacy best practices", but, unfortunately, most companies don't have "following privacy best practices" all that high on their list of priorities.
It's not even malicious; in the absence of regulation to the contrary, companies -- especially companies still in search of a revenue model -- have an incentive to collect as much information as possible.
Just for starters, you will need to decide which data you have to process and which is optional. Some data will need to be kept for compliance purposes. How much anonymization will be applied. What data is in every single internal db in your org? Do you even know of all the internal dbs? Each data will have to be tagged with the collection basis, either legitimate interest or consent.
The GDPR is also -- as I've complained on here before -- less of a regulation and more of a framework for 30-odd individual country privacy regulators. Some parts of the GDPR, eg on consent, are laid out in black and white. Other parts aren't at all. And the EU wankers have declined to issue final guidance on the latter even by this date, less than 3 months from the compliance deadline.
There's also cute stuff in there like if you have more than 250 employees or engage in "widespread processing of personal data" (widespread processing left, of course, undefined) you will have to hire a Data Protection Officer. Said DPO must be in the EU and report to the ceo. This will be quite a nice cottage industry for EU lawyers.
American companies are probably unable to pick a lead regulator and hence will be subject to the individual regulators of each EU country. What happens when some french person (France has a very aggressive privacy regulator) complains to the regulator, and you are dealing with a regulator in a language you don't speak? I hope you enjoy paying legal $600/hour.
The GDPR does specify enough around consent (ie all consent-basis contacts must be default opt-out) to make it highly unlikely that any of your email or newsletter opt-ins are compliant. You will have to re-consent all of your marketing emails, and this may come with significant attrition. This will be painful for outbound sales, even outbound sales that currently is very respectful of opt-outs.
Data subjects can also do things like request a copy of all data (a so-called Subject Access Request or SAR), request deletion, and even freeze processing, which is supposed to stop processing without deletion. This must percolate through all third party systems, of which most companies will have a lot. Just start with your two mailing systems (transactional + marketing), logs, analytics, billing, salesforce, billing, etc. And as mentioned above, it is required to percolate through internal systems.
You will have to have an ugly discussion about backups. Are you going to roll backups at 30 days? That's probably not ideal. But what should happen when a data deletion request is received and that data is, of course, sitting in backups?
The short story is this is expensive and painful enough that, if I only had incidental European customers, I'd probably ignore it and close their accounts if they complain. This is very much not GDPR compliant, but as an American company, I'd do it anyway because of the expense of dealing with the above.
From the article, the thing that jumped out at me was documenting it all. Sure, your processes may be perfectly pristine. Where's your document that shows that you considered everything? Don't forget to include development processes. And don't forget to update your documentation when your processes change.
Changing the processes may not be hard, if you're doing things close to right to begin with. Complying with the documentation requirements? That's going to be painful.
Yeah, but is it expensive because of how you were set up before? In other words, if you weren't set up to be so cavalier with user's data before, would it be as expensive now?
> Anybody who does business in Europe or even has users in Europe is subject to this law.
Anybody? Sure technically in the same way that going 58 in a 55mph zone is speeding and could get you a ticket. So the question remains assessing the probability of enforcement of a hypothetically a small US based organization who has European customers. As I read the replies on this page it seems to be a mix of people who have a great deal of theory and not a large amount of practical experience assessing the probability of something actually happening given breaking a European law.
GDPR is the Paris Climate Accord of the technology world. It is a self-imposed handicap for European/Western (and American, by extension) technology companies that makes engineering and business significantly more complex and expensive. China will never impose such restrictions on her industry. Watch as Western firms continue to accelerate their loss of market share and innovation to communist China.
Apart from the deserved mocking in the other answers, I'd like to point out that GDPR applies to Chinese companies doing business in the EU as much as US companies doing the same.
It should also be said that China has far more onerous regulations of commerce than the EU and US, for example in regards to foreign ownership. But you actually know that, otherwise you wouldn't preface "China" with "communist". Which, however, isn't terribly accurate, because modern China really have much of all to do with communism.
I will show you another case, company that isnt "bitching" over laws that are good for all humans not just EU and does the right thing, you know backblaze, right?
"The changes that are being made by companies such as Backblaze to comply with GDPR will almost certainly apply to customers from all countries. And that’s a good thing. The protections afforded to EU citizens by GDPR are something all users of our service should benefit from."
Get it? It is shamefull what a couple of technological leeches did to basic human right for their profit, not to mention turning the whole internet into clickbait maze. Stop complaining, it is right thing to do, like it or not.
It's good to see Backblaze confirming that their GPDR compliance will benefit all of their users. That's definitely been a hope of mine as someone who doesn't live in the EU, so hearing that is encouraging.
For any greenfield development, why would we develop it twice? We have to solve every business problem we have for the EU; why would we solve it differently, to address the same problems, elsewhere?
For non-greenfield development, why would we keep two codebases and sets of infrastructure around that we have to support? Better to consolidate. Especially given the positive word of mouth it would generate compared with "Yeah, we're not as careful about your privacy because you're not in the EU".
The -only- case where it makes sense to do something different outside of the EU is if there's a key bit of value that we literally can't capture in the EU due to the GDPR, and we want to capture it elsewhere. Now, that's still alarming (in that we could have the privacy haves and have nots), but I just don't know how common that will be, or whether companies would find it worth doing.
And remember that GDPR applies to EU citizens outside the EU too, so you’d need to confirm with the user upfront that they aren’t an EU citizen before capturing the information.
"This Regulation applies to the processing of personal data of data subjects who are in the
Union by a controller or processor not established in the Union..."
That’s not what it means: A company in the US could aquire a US citizen as customer and consider itself safe. Now that customer moves to the EU - et voilá, the company is subject to the GDPR.
There’s many other regulations that only apply to citizens and not based on location.
So nice to see progress in privacy but please someone explains how GDPR will help EU startups!
GDPR is inevitably going to hinder any new company forced to abide by it. So the next Uber/Wechat will first flourish in US/China/Russia and then come to the EU, not the other way around.
Entrepreneurs / investors also want their time & money to be used to build value first rather than solve yet another accidental complexity that is irrelevant until your revenue model is proven.
What am I missing? Is GDPR implementation cost marginal?
It is very costly for existing (!) companies, for startups it comes with fraction of cost, if taken into account from first line of code, from first create table. In few years it will be normal.
I wouldn't say marginal, but it is a lot easier to implement GDPR if you do it up-front, from day one. If you start off with a policy of just not collecting or storing information unless you've made a conscious decision that you really do need it, that's a huge start. From there, you your main obligations are to ensure that any personal data you do collect can be deleted at a reasonably granular level, and that you document your policies around data storage.
Is it free? No. But if you're spending a significant amount of time on it as a new startup building from scratch, something is very wrong.
And hell, if you started a company recently, you were given the chance to catch up to the incumbents in your market while they've slowed down to retrofit all their systems for GDPR compliance. ;)
Besides implementation costs, you're simply leaving money on the table. You can make lots of profit by selling user's tertiary preference data, often enough to buoy for a few months. It's ridiculous that some Europeans are forcing us to give up money for some fee-fees.
Let's say you're a business in the EU that needs a sales management system. In it, you store personal data of your clients. You are considered a "controller"; the SaaS sales management system (that will store this data for you) is considered a "processor."
GDPR states that to remain compliant, Controllers must only use GDPR-compliant Processors.[1]
Assuming that EU startups will take GDPR more seriously than non-EU companies (a safe assumption judging from the posts here on HN), non-tech EU companies (Controllers) will tend to gravitate towards EU tech companies (Processors) to ensure they remain compliant.
It is non-EU (primarily US) tech companies' game to lose. If US tech companies get a reputation for not caring about GDPR, there could be a real sea-change in EU buying behavior.
[1] Article 28, paragraph 1: "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
> Assuming that EU startups will take GDPR more seriously than non-EU companies
It’s also easier in terms of jurisdiction. A non-EU company might just pretend they’re compliant but your legal options in case they’re not are somewhat limited.
"So nice to see progress in privacy but please someone explains how GDPR will help EU startups!"
Why does everything have to help startups?
"GDPR is inevitably going to hinder any new company forced to abide by it."
I disagree. You simply shouldn't be collecting that data in most instances anyway. And if you truly do need it, you should have been asking permission before. Somehow we got it into our heads that it was perfectly acceptable to just take things without asking. I'm fairly certain I learned not to do this in Kindergarten.
"Entrepreneurs / investors also want their time & money to be used to build value first rather than solve yet another accidental complexity that is irrelevant until your revenue model is proven."
The GDPR has no impact on this, unless the only way you can create "value" is by disrespecting your users. You can still build value the old fashioned way, by providing something of use to your users.
Very simplified, you can not use or give personal data to someone else without optin given consent (where you must state in non legal, non tech speech for what they will be used) and same goes for enabling others (ad networks, google,..) to get those data. Or you are breaking the law. Further, user must be allowed to view, change or delete those data and remove consent to use them in whole chain (your site, ad network used on your site,...) Furthermore the consent must be freely given (forget trackwalls).
And also, there's also the slightly grey-area requirement that (if you're using it as your legal basis) consent should not be required in order to utilise your product, merely to utilise the feature set that requires the data.
If you need everything, then you'll need to use "fulfilment of a contract" as the basis, and in that case, you probably need to make your ToS pretty tight too.
Question about the freely given consent -
Say I'm a car company like Tesla and I collect telemetry from the car to train a self-driving car model. I ask the user for consent to collect this data to train the self-driving model.
For the users that refuse this consent, can I prevent them from accessing the self-driving feature of the car? If not, how would the company deal with the free-rider problem - nobody opts in because they want their privacy but they also want the feature?
The number of potential free-riders is tiny, so there's no reason to retaliate against them. The same problem exists in Internet services. If blekko (a startup search engine) saw a DNT do not track header from a user, we wouldn't even include their queries in our anonymized dataset. That slowed our learning-to-rank process, but only by a little.
In that instance, I (personally, IANAL) wouldn't use consent as the legal basis. You could (esp with a legal team like Tesla could afford) pretty easily work that into either fulfilment of a contract, or legitimate interests.
AI and ML have to be careful [0], as you need to be explicit about the data's use and impact on the end-user. The most given example for this is ML algos that determine eligibility for financial products, but we could probably twist that Tesla example to fit a similar to be "my data is used to inform an algo that determines what the car does in a dangerous situation", so you might have to abide by rights to explanation and data editing.
So here in Sweden (and I imagine a couple other EU countries) there is the Patient Data Law (PDL) that regulates the use of health data.
This will probably have to change a bit with GDPR but will still supersede GPDR when it comes to health data. Are you providing compliance with those laws as well?
This article is all very well and good, my only concern is that, imagine in a few years someone wants to find the list of all the laws and regulations and frameworks and whatnot that they need to comply with to run a truly international website... where would they find that information?
I think that problem will in some ways solve itself.
Ideally you want to consult with a lawyer to ensure you're in compliance. Certainly that's what we're doing where I work (we have dedicated in-house legal staff dedicated to privacy issues who have been taking point on this), but when you're smaller that can be prohibitively expensive.
Within a couple years, though, I expect any serious commercial or open source platform available that deals with data to have GDPR-related features. It's already starting to happen, and hopefully GDPR compliance won't be something you have to go out of your way to do; it'll just be a normal part of doing business that everyone understands.
The transition period will likely be rocky, and it's my hope that the EU will be initially lenient dealing with honest mistakes that companies work to quickly fix once discovered.
>GDPR will require developers to know the legal and policy landscape of their profession. (This has been the norm for other fields for centuries: how embarrassing for us.)
A lot of what you might call 'avoiding recklessness' is demonstrably bad for some people so it's not clear that the current tradeoffs are optimal. And it's not at all obvious that, overall, regulation does much more than protect incumbents in a given field or industry at the expense of everyone else.
Based on my own experience, I've 'known' about regulations that governed the industries with which I've worked. I'm not sure what evidence specifically you or the author have that leads you to believe software developers should be embarrassed.
> A lot of what you might call 'avoiding recklessness' is demonstrably bad for some people
And? Making sure that the bridge will hold under the weight that its required to is demonstrably bad for my profits (if I were the construction company). That doesn't mean that we should loosen the regulations or whatever. We don't owe anyone the right to profits, regulations are meant to protect us and keep the playing field fair. Of course that will always negatively affect someone.
It isn't obvious that is a case. Some companies make bad short-term decisions. But many take a longer-term view. Who would hire the construction company again that made the bad bridge? Or consider food and drug regulation. Countries with more lax requirements for proof of drug efficacy and large-scale trails don't have worse health outcomes. In fact, the countries with stricter policy regimes are often slower to have receive life-saving drugs. Does the suppression of a drug with adverse effects that only shows up in a wider population or after more prolonged exposure have a stronger benefit than that the suppression of drugs without such downsides? Often countries optimize in the wrong direction here. Many licensing laws fall in this category too. Do barbers and hair stylists need a license? Probably not to ensure safety and we have plenty of comparable jurisdictions with and without such rules to prove it. People don't just start doing bad things in the absence of rules.
Construction companies circumvent this by going bankrupt all the time and setting up the next shell company. Big projects will often be done by a pool of companies. Which would you hold accountable then.
As well, some things are so bad that you don't want to punish after the fact.
> Construction companies circumvent this by going bankrupt all the time and setting up the next shell company.
This would be a much more difficult thing for them to do if it was easy to track the history of bad behavior of the relevant people. This seems like something that should be relatively easy to do nowadays, module some probably not-too-significant obstacles like the 'right to be forgotten'.
> Big projects will often be done by a pool of companies. Which would you hold accountable then.
In the absence of detailed information, one would reasonably hold them all partially accountable.
> As well, some things are so bad that you don't want to punish after the fact.
There's no perfect way to do this. Murder seems like it's "so bad that you don't want to punish after the fact" but I don't think either of us would want to live in a society that was perfectly capable of preventing any murders.
If we want to accept that privacy is important and valuable then we need to accept that it is not okay for our industry to continue to do what it has been doing.
I challenge you to give me an example of some "demonstrably bad" effect caused by "avoiding recklessness" that isn't the direct result of shirking responsibility.
To go along with your devil's advocate argument: I could argue that "taking extra measures to ensure the security of sensitive data" would have been "demonstrably bad" for Equifax. But don't you agree that it was extremely irresponsible of them to not do that?
> No. Professionals in engineering or the trades have to know the regulations that govern their industry and abide by them.
Eh, not substantially or consistently more than in software. It's possible to cherry-pick examples where engineers in other fields are more aware of relevant regulations, but overall, it's roughly comparable.
I'm generally very critical of the move-fast-and-break-things mentality, but engineers in other fields are generally not more knowledgeable about industry regulations than software engineers are.
American engineer building a bridge or tunnel in EU is certainly going to know EU regulations. An EE designing circuits for EU needs to know about lead-free solder requirements. On the other side, Mies van der Rohe needed to work with a US-certified architect to build the Seagrams.
Having been in the software industry for a while, it is often discouraging to see how both explicitly and often inadvertently move-fast-and-break-things has resulted in some pretty bad software industry wide.
Just look at the sense of most of the comments here--there seems to be a consensus of how to get around this, or how it doesn't apply to me.
EEs everywhere know about ROHS simply because it makes no sense to have seperate designs for Europe and everywhere else. Also lead free solder really isn't that bad...
Right, but the point is that you KNOW the country your bridge or tunnel is going to be used in, because you build it there. If I build a web app and deploy it on a server in California, it can immediately be used by people in almost any country in the world.
Is it my responsibility to follow the censorship rules from China on my webapp in California? Is it my responsibility to know all the regulations on web apps from Sri Lanka?
Building software with care and professionalism is unrelated to understanding all the rules in place all around the world.
That "recital" is still pretty vague; the relevant text:
> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Note that "the use of a language or a currency generally used in one or more Member States ... may make it apparent that the controller envisages offering goods or services to data subjects in the Union". So simply using a language in use in a EU member country may be sufficient that you "envisage" offering your goods or services. That seems significantly different than your claim that one need merely not "specifically target those countries".
Yes, but these things are assessed by judged, not by dice-throwing. I'm sure we can devise contrived examples that fall into gray area, but for the most part I think what I wrote is correct.
The comparison is disingenuous. The internet makes anything you build automatically global. You're blasting software engineers for not knowing worldwide regulations. How many New York lawyers know the regulations of France? How many local UK construction companies know the building codes of Japan? None.
Knowing all regulations in the world for any given industry would be a full time job. The people you seem to be implying exist do not exist.
So, the GDPR is doing you a favour by forcing you to think in advance "who will my users be?". So far web applications were "accidentally" global, now you have to be more careful and deliberate. Which is a good thing.
Ah yes, digital isolationism and segregated networks are great. Have we given up on the idea of the internet being a force for global human interaction? Are vague and impotent privacy protections more important?
I live in EU.
-> Are vague and impotent privacy protections more important ?
More important than "global human interaction" ? Yes, in my opinion. "Global human interaction" doesn't mean it should be the Far-West gold rush. It aims at fair and equal human interactions with the respect for the freedom of each single human on Earth. Freedom means equality for all, and to ensure more equality, we created laws. Laws are not perfect, but sometime they are the only tool we have. Laws are not fixed in stone, they can be improved over-time. Essentially we want global human interaction with respect of individuals.
I assume GDPR would only impact you if you operate a business from European locations, right? Not like they can enforce their laws on my small business run from the other side of the planet.
So long as my country isn't willing to extradite me, I don't really care what their laws are and I will adamantly refuse to comply with them as they're entirely irrelevant to me.
Your reasoning sounds like an easy excuse to not bother looking at any regulations period. Because knowing every single regulation is too onerous and you probably know all your local ones intuitively, right?
> How many New York lawyers know the regulations of France?
New York lawyers who do business in France do.
If you're accepting ~dollars~ euros to place French ads on your pages targeting French customers, seems reasonable to know the relevant French regulations.
It's a bit more strict than that. If I have customers in France, this affects me, no matter how many, no matter if it's one dude in Florida who happens to also be French. The reach is absurd.
Yes, that's incorrect, unless you are an EU business yourself. If not, you are only subject if your customers are in the EU. And more, "the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established" is not enough to show that you're targeting customers in the EU.
Don't slurp up data worldwide, then. If you don't do that, you're fine. If you do business you'd better know the law of your target audience, isn't it?
You don’t see the humor (at least) of a privacy regulation requiring me to learn more about the consumers hitting the site? Previously they were so private I knew nothing but an IP.
Now I’m instrumenting my systems with geo lookup databases which usually also include much more fine grained data (such as home/business) than that.
In any case, your original point was to just not interact with those people, which requires active filtering and isn’t the same thing as saying ‘just don’t watch that tv show’ in that it demands actions on my part due to behaviors and preferences on someone else’s.
There is no active filtering required if you don't store anything. I don't understand why this is so hard to grasp.
You can learn as much as you want as long as you don't store it or provide that information to a third party.
I believe our industry has too long gotten away with a "store everything" mentality. I have zero sympathy for web sites which slurp up everything from their visitors.
> I'm pretty sure other fields rely on lawyers to know the relevant legal landscape just like we do.
I have plenty of friends and relatives who work in construction or architecture and knowing the building codes and everything related to it is something you learn at university, update every year and is something every person involved in planning and constructing a building is aware of. Lawyers only get involved if a building fails.
Construction workers and architects don't tend to work internationally. If they do, they hire lawyers to sort out legal requirements for them before they even sign a contract.
The same should be true for most software companies going forward. The approach to just assume it's the obligation of the user to ensure compliance won't work for much longer.
Imagine the EU made a law requiring every country in the world follow their building codes whenever an EU citizen enters one of their buildings, even if the building was made before the law was created. And if you don't comply, they will fine you millions of dollars.
McDonalds goes and retrofits all of their buildings in the world because they have shops in the EU at great cost. Some pizza shop that does delivery in the USA, and the owners go on vacation once in a while in Europe? ️They probably are not even aware of it.
> Imagine the EU made a law requiring every country in the world follow their building codes whenever an EU citizen enters one of their buildings
You are reaching. I give you a better example: it does not matter where a building part is being produced, if it ends up in a building in Europe it needs to be up to the local building codes and to the regulations of the single market.
You think I am reaching, but the GDPR does act this way.
Lets say your visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop. They put your name and delivery address in their computer in an MS Access database that makes stickers, emails the delivery guy's gmail account and a person delivers a pizza to you.
They have no idea your an EU citizen and they just put enough information into their computer that would violate the GDPR. They have no real way to comply unless they retrofit their computer system to some vendor that is GDPR compliant, if it even exists. Just deleting your info from the msaccess db and asking the delivery guy to delete their emails isn't enough for the GDPR. And a computer system retrofit for most business might as well be like asking them to retrofit their building as far as costs go.
The end effect might be just outright banning all EU citizens from doing business with various places, because it's just not worth the hassle.
'Sorry you cant stay at our hotel, we are not GDPR compliant'
'Sorry we won't deliver to you, we are not GDPR compliant'
'Sorry you can't enroll in our classes, we are not GDPR compliant'
'Sorry we won't treat you at this hospital, we are not GDPR compliant'
'Sorry you can't get a bank account with us, we are not GDPR compliant' (Like a lot of EU banks with US citizens with FATCA)
> Lets say your visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop
If that pizza store has no relation to the EU then there is no legal ground by which the GDPR could become relevant. There is no treaty which would establish some sory of leverage here.
//EDIT: which btw is unlike FATCA for which there actually are bilateral agreements.
You don't need a treaty to enforce the law, you just need a pizza shop owner who likes to vacation in europe sometimes. You carry out the default judgement if they ever arrive in the EU. The GDPR explicitly has a very global scope because it is targeting companies in and out of the EU.
I wouldn't really have much of a problem with the GDPR if it had some small business and non-eu business exceptions. It doesn't and regulators saying 'trust us we wont prosecute the easy to prosecute!' makes most businesses uneasy.
The law itself does not even put itself into scope. You either need a treaty (Article 3, paragraph 3) or the data subject or processing is in the union.
It doesn't and regulators saying 'trust us we wont prosecute the easy to prosecute!' makes most businesses uneasy.
Indeed.
Let's not forget that the EU and national governments have form when it comes to this sort of thing. The new EU VAT rules on digital sales a few years back were similarly overweight, and they really did result in a lot of microbusinesses either literally shutting down or just plain breaking the law.
A lot of slightly larger ones, my own included, went to considerable lengths to update systems to comply, but with hindsight would have simply declined custom from any (other) EU nation instead because the overheads were and continue to be excessive.
Those same rules really did also result in national tax authorities abusing their new-found powers to go after businesses in other countries within the EU, sometimes through their own incompetence rather than any legitimate grievance, resulting in some very scary threats being received by other small businesses.
It's tough to give much credit to arguments about regulators exhibiting common sense and moderation when the evidence of previous sweeping EU rule changes suggests we shouldn't count on that.
How is that different from say Dimitry Sklyarov, a Russian who broke a US law while living in Russia, who later goes to the US for a convention and gets arrested and thrown in jail?
That's how it should be. Sadly the EU is taking a very different approach of trying to set laws for the whole world based on very unclear (and definitely unprecedented) requirements. It's true that they will have no jurisdiction over the pizza guy - just until he comes to the EU or to an allied country. Another comment talks about how it's very likely that GDPR will be a requirement of trade deals.
Even then not. The territorial scope in Article 3 of the GDPR is not that far reaching. It applies to processors with establishment in the EU, non union data processors who perform a service to data subjects in the union or the case of the pizza guy:
> 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So unless there is a treaty that puts GDPR into scope, the pizza guy is fine.
You clearly don't know what you are talking about.
Article 3 clearly states that it applies to
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
It does not apply EU citizens while traveling outside of the EU. It applies when you are monitoring or offering goods or services to someone in the EU.
Unlikely. Lawyers are an invisible hand, always present.
They’re the ones who prepare the trainings for your relatives and the other architectural students, or at the minimum the changes that a policy-wonk will react to when creating curriculum.
The site operator has the limited range to act (we’ll call them decision rights) under the CEO who is ultimately guided by his counsel (firm or in-house).
Lawyers also oversee zoning, permitting, and certifying every step of the way - not limited to, but including licensing and contracting.
Sure, and it is one of the main reasons those professions require licensure. It seems to me that most people in the industry would like to avoid that for software development. Speaking purely for myself, I would welcome it. But it would be a large and disruptive change that we may not be ready for.
Developers should already know the "legal and policy landscape."
Sending email? You should know the CAN-SPAM act. Do business with CA citizens? You'd better know about CA's privacy policy requirements. Doing ecommerce? You need to learn about sales tax and PCI requirements.
In this article the author states: "The latter definition is important for developers. It includes things like IP addresses, mobile device IDs, browser fingerprints, RFID tags, MAC addresses, cookies, telemetry, user account IDs, and any other form of system-generated data which identifies a natural person.". This information does NOT automatically qualify as personal data. Information being unique is not the same as personally identifiable. A random cookie sent by the browser is not PII. A cookie stored in conjunction with say an email address could be.
Certain information can be classified as PII if it possible to cross reference it with other stored information to identity a user. For example a European court in a recent ruling stated that a full IP address could be considered PII because an ISP would have a record of IP address and time with a persons name.
To me it seems quite simple, if the information can be used to identify user it is personal information and you need explanation why you need it and opt in. If this is a problem for you, maybe avoid collecting what you don't need. The idea of "collect everything and audio & canvas fingerprint them, maybe I will need it later" wont pass, you will never get consent. Collect only what you really need.
Right. So you'd have to have a business case for the user to have a persistent login, if you want to offer login functionality, beyond simply "track the user to see what they want". It's ridiculous.
What's troubling to me is that it's very unclear what specifically is required. I know the linked post isn't legal advice, but in the page about 'privacy by design' linked to by the origin link, they list "Minimize the amount of collected data" as as an item (supposedly to be achieved to be in compliance with the law).
What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.
Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?
Yet another item – "Don’t enable social media sharing by default.". Is the thinking that user's shouldn't be able to share something via social media without first explicitly enabling that option? That just seem unfriendly. Or is the idea that doing so protects someone from doing so accidentally? This seems a lot like the 'cookie law', itself an annoying mandated nagging that probably backfired (because everyone was effectively trained to just do whatever necessary to get rid of the corresponding notification on every site they visited).
Again from the privacy-by-design page:
> There is no checklist of ready-made questions that will get you there; General Data Protection Regulation requires developers to come up with the questions as well as the answers.
> Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected?
No: a consent from a user must be for granular information with a specific listed purpose.
You’re thinking about it in terms of pieces of information, but GDPR thinks about it more in terms of the uses of that information. You wouldn’t expect to ask a user “Can we store your email address?“. The granular action for storing the email address is “Can we email you from time to time product offers?”. Once the user consents then that email address (and potentially full name, etc etc) can only be used for that consented action.
The problem I have is that a site could tie acceptance with allowance.
e.g., I run a free, ads and promotion funded site, but I actually supplement revenue by selling the user's actions on the site to a third party. users can also have accumulated virtual currency as rewards, which can be used for premium sections of the site.
then along comes GDPR, and I tie acceptance of some virtual currency rewards with acceptance of the GDPR consent, with the threat of site access being cut off if they don't consent.
is that still legal?
No, that's not presumed to be freely given consent.
https://gdpr-info.eu/recitals/no-43/ "Consent is presumed not to be freely given if ... the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
If the data is actually needed to execute the contract (i.e. a delivery address if you're mailing stuff to the user), then you don't need separate consent; but if it's not (e.g. just revenue) then any "confirmation clicks" that are tied to site access being cut off would be just that - simply clicks that don't count as freely given consent.
Also, if you consider giving a reward for acceptance of GDPR consent, then you must also consider that consent can be revoked at any time (including 5 seconds afterward) and it must be literally as easy to withdraw consent as it is to give it.
> As one dramatic example, PayPal’s recent updated notice lists over 600 third-party service providers. The fact that PayPal shares data with up to 600 third parties is not news. That information is simply being brought into the open.
From what I can see of the list of those "600 third parties", a large number are banks and other financial institutions.
This is one of the things that's bothered me with it - in a similar vein to VATMOSS, GDPR will probably have more of a burden on smaller businesses, whereas larger business will have the development/consultant resource to get it right, and have those larger law firms to provide that "extra context" to brush things under the carpet if something goes awry.
The ICO seems reasonable, so hopefully they won't crush a small software shop for fucking up on something, but they're going to want to go after some people to send a message at some point. I'd guess you'd want to check that professional indemnity insurance policy, just in case.
It is, of course, all down to context. You need to show that you at least took the guidance seriously and tried to mitigate things. A notice of "collect ALL THE THINGS" won't fly, as you're basically admitting you're not prepared to consider it.
I think you're right on the social media sharing thing, it should be fairly well handled by the OAuth notices from most networks (I'd have guessed - "allow this app to post on my behalf" counts as consent?), but yeah, can't be taken as a given. IANAL, of course.
> This is one of the things that's bothered me with it - in a similar vein to VATMOSS, GDPR will probably have more of a burden on smaller businesses
In a weird way, VATMOSS and GDPR kind of work together on this...most things we collect at work that will be covered by GDPR are collected because of VATMOSS.
VATMOSS requires that we be able to justify what country's VAT we collect on a given online purchase with two pieces of "non-contradictory" evidence. So, right there we have to collect at least two things that provide location data about the customer, and GDPR expands the definition of personal data to include location data. I say "at least" because since it is required to have two non-contradictory pieces of evidence, it's prudent to collect at least three.
I think we currently use: (1) country the person selected from the "Country" drop-down on our site, (2) GeoIP at time of purchase, (3) GeoIP at time of filling out quarterly VATMOSS report, (4) GeoIP on IP addresses that they have used when downloading updates, (5) Country of bank that issued the credit card or debit card used for the purchase.
> What do you do about users who have used plaintext or silly passwords?
I don't even know what to write about that. The whole tone of the page is lecturing – about "fundamental human rights"! – and yet it's suggested that developers handle "plaintext or silly passwords"!
> ...they list "Minimize the amount of collected data" as as an item (supposedly to be achieved to be in compliance with the law).
> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
The GDPR says when you collect data, you have to tell the user what you intend to use it for. "Minimization" applies within the context of those stated uses. So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
As a corollary, if you can't link a piece of data to a business use, you shouldn't be collecting it. This was a good idea before, but GDPR makes it more relevant.
Note that this is similar to the ethical guidelines for medical research. "Harm Minimization" is a central pillar of ethical research. Harm, and risk of harm, is acceptable, but there is an affirmative duty to seek the least-harmful means of achieving your goal from those available.
> That's a really unsettling description of a law.
That's how HIPAA works, actually. I have a professor who argues this model of legislation is more effective than traditional sector-specific regulation, because it puts the onus of subject-matter expertise onto the people who are actually subject-matter experts, and because it allows for creative and adaptive solutions.
> The GDPR says when you collect data, you have to tell the user what you intend to use it for.
Then that part is worthless, just another click-through "agreement" practically nobody reads.
That part won't change anything.
> So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
I always wonder one thing: Is the penalty going to be high enough to justify not breaking this law?
All business decisions are cost-benefit. If the costs of doing something outweigh the benefit, you don't do that. This includes following the law: If you can reliably get more money by breaking the law, you break the law, and pay the penalty if you get caught. Unless you're very unlucky, you're still right-side-up after you pay the penalty, so your behavior was, on the whole, justified.
GDPR requires that the use cases be itemized, and the user can opt out of each one individually. So if the user opts out of receiving a mailing but not the store locator, you have to manage how much data you collect about that person. I agree that for the most part this will just be another click-through like the cookie law was, but companies will be required to accommodate those minority that do care.
> Is the penalty going to be high enough to justify not breaking this law?
The penalty is up to 4% of annual global revenue. Global revenue.
Let me get it straight: if your global revenue is €10 million, you won't pay 4%(€400k) penalty, you'll pay €20 million, because it's greater of the two? It seems like this will be especially harmful to small companies.
Up to $20 million, depending on the severity of the infringement. I think the reason that floor is there is to handle cases where an organization doesn’t have much revenue, either through accounting shenanigans or because it is a non-profit (made up example: a free PDF to text converter that claims to be stateless but mines passwords and information to blackmail people with)
Not every little thing needs to be opted into individually. If you have a legitimate use of data for the user’s benefit, you can collect that data after a general consent as long as you provide a way for the user to see that data and delete it. If you use that data for your own benefits (like building an advertising profile), that needs to be opted into separately.
The fines are up to €20 million, or 4% annual global turnover – whichever is higher.
Of course, paying the fine doesn't mean that you can continue with the action - it'd also likely involve imposing a temporary or permanent ban on data processing and ordering the rectification, restriction or erasure of data gathered unlawfully.
The GDPR, as with existing EU data protection law requires technical & organisational measures in place to protect data. The GDPR specifically calls out (Article 32 if you're interested) encryption as one measure that entities should consider in determining whether their technical & organisational measures are fit for purpose.
Generally speaking, encryption is an obvious choice when it comes to measures designed to protect user data.
Of course—if you don't store personal data (trivially).
In fact, encryption (security) is mostly orthogonal to how you track and handle personal and sensitive data (privacy protection). You could encrypt everything and still be wildly GDPR non-compliant, if the encrypted information you're storing lacks clear purpose and explicit consent.
To further emphasize your point You could encrypt everything and still be wildly GDPR non-compliant, we need to be able to respond to a request by each and every individual user to delete the information that they no longer wish us to carry.
A) leaves no room for misunderstanding with different regulators or their respective auditors, and
B) provides a computationally infeasible barrier against accidental personal information disclosure even if the storage system was improperly decommissioned
Point B in particular can be explained to auditors without problems. They understand both the intent and the technical measures put in place. But how we store data is only tangentially relevant to how we handle data. Let alone what we need to collect in the first place.
(The KYC/AML/SOW requirements in gambling are quite demanding; they impose significant data collection and retention needs.)
> So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
I would also like to stress out that, from my understanding, this data would rather be deleted immediately after use. That is, not saved at all after the query, or the delivery, unless the user explicitly opted-in to give you such data for advertising, etc...
> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
You decide, based on context and consent. I think consent now needs to be non-blanket.
> That's a really unsettling description of a law
I know it's not ideal, but it's far from the only vague area. The law of negligence is very important to anyone running a business and is almost entirely caselaw, for example.
It's also a lot like CE certification, which takes a while to get your head around but is similarly based around both standards and self-certification.
You must provide the user with a detailed description of what personal data of theirs you are collecting, who you are sharing it with and what your business purpose for collecting it is, and if the data is something that you need their consent to collect, you get their explicit consent to collect that data and you must let them opt-out of providing that consent without preventing them from doing business with you.
If you want a practical example of psuedonymisation then consider a case where you have two internal systems that serve different purposes (say one is used as a CRM, the other is used for business reporting).
The CRM database is copied over to a separate database that the reporting system feeds from. Now in reality the reporting system (which will generally give you aggregated trend reporting) doesn't need a full copy of all production data as it only needs to utilise a limited subset of the overall data.
So instead of the full copy of the CRM database being copied over to the reporting database, you filter the data so you only copy over an anonymised dataset. That is pseudonymisation in a nutshell. Because you still retain the separate dataset in your system, the data is not truly anonymised, so is said to be pseudonymised. Overall I see it as linked to the requirement for data minimisation. Any particular system should only have access to the data it needs to perform its role.
> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
Elizabeth Denham, UK's information commissioner in charge of data protection enforcement, had this to say:
"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm. Our office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort."
In other words, the compliance decision is not in your hands, but there's a promise of certain lenience. At least to start with.
A practical trouble is that once a company reaches a certain size, they no longer even know what data they have, never mind why. Do we already store personal data? Where? Is it important data such as "names + credit cards", or some god-forgotten IP addresses in a log? Email archives and attachments? How about GoogleDrive and SharePoint? Then, do we redact it, or delete it? How? How do we answer Subject Access Requests?
We've built a product to help companies take care of the most common "private data" cases (https://gdpr-tools.eu), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. That whole space is very much in turmoil and how hard the GDPR whip will get cracked remains to be seen.
Funnily, one of the common fears that clients have is not about the general public. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage by reporting their employer to the "authorities".
Indeed, and not only yours. The same issue crops up in B2B due diligence and risk management, irrespective of GDPR.
The automated inventory analysis tools, like ours and others, are only just becoming useful thanks to ML. The previous generation was mostly regex-based and mired by constant false alarms.
Except that's precisely 1/28 of the regulators to which you are subject if you are an American company and, therefore, most likely don't have a lead regulator.
> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
> Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.
Under the GDPR you're not allowed to store personal data.
However, if you have purpose, and need data to fulfil that purpose, you can.
You can also ask for data, in clear terms, and if an informed user, freely choose to share, you might store that.
So, you sell shoes and magazines online. You need an address to ship both. You need a shoe size to ship the right shoes. You can demand to know the shoe size before you ship shoes - but not before you ship a magazine.
You can store order information (indeed have to, due to financial regulation). So you have a record of shipped shoe size and customer data.
You may not, without consent, store a permanent profile with shoe size and magazine preference. But it's OK to let users opt in to a profile.
> Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?
Good question. Off the top of my head I can't think of useful pseudonymyzation related to the GDPR.
Perhaps things like hashing IP addresses for traffic stats, or using opaque identifiers for storing session interactions rather than linking directly to IP or real names. Useful pseudonymyzation is hard.
In e-commerce, order data and item level data can be exported to reported engines to gather info but you can pseudorandom the names to prevent data leakage
> Yet another item – "Don’t enable social media sharing by default.". Is the thinking that user's shouldn't be able to share something via social media without first explicitly enabling that option? That just seem unfriendly. Or is the idea that doing so protects someone from doing so accidentally? This seems a lot like the 'cookie law', itself an annoying mandated nagging that probably backfired (because everyone was effectively trained to just do whatever necessary to get rid of the corresponding notification on every site they visited).
Most social media sharing buttons are in fact scripts hosted outside the website currently visited. So even without using them a lot of data is send to Facebook, G+ and other social medias. If you want to see a good implementation of the idea, check Schneier's website: https://www.schneier.com/
I am curious, if you offered a service that allowed users to post their own data to your service. How do you protect against customers posting data that violates the GDPR. I.e. peoples personal information being posted in plaintext?
Is this type of case covered by the GDPR?
Also how are things like access logs supposed to handled according to the GDPR? Our software records all requests made to our API, they log your userid, ip address, and what you were trying to do.
We have clients who are in the US who required the above feature for auditing purposes.
Typically, privacy violations are instances where the user has not consented to sharing the information. In the scenario you describe, if someone willingly posts their own personal information they have forfeited their right to privacy.
The law is meant to protect people from companies rather than people from themselves.
Your joe blogger using somesmallwordpresshosting.com and you have a freeform comments page. People post 'private' comments of others. Who is responsible for what? How the fuck do you know if its of an 'EU citizen' if that isn't made obvious? Can you get fined literal millions because you fucked up some detail for your blog newsletter's email list?
I am not a lawyer nor a security expert but we've decided at the place where I work that unstructured fields which are unlikely to contain personal data—but might in edge cases where a user chooses to enter it—don't fall under the GDPR purview.
An extreme example of this is in hosted email—if Alice writes an email to bob@gmail.com with some of Charlie's personal information, it would be absurd if Charlie could ask Google to remove the email. (Although maybe reasonable if Charlie could request to not have his data used by Google to target him or anyone else with ads.)
I have to guess this is why gmail stopped (or at least announced stopping) personalized targeting: the difficulty of deciding if anyone on the email is subject to GDPR.
It should be very clear to the user how the data will be used and shared. If a hotel asks for free-form feedback, it shouldn't magically post the response as a review, under the user's name, on a public site, for example.
> I am curious, if you offered a service that allowed users to post their own data to your service. How do you protect against customers posting data that violates the GDPR. I.e. peoples personal information being posted in plaintext?
You ensure that those users have a way to delete the data again.
I'd actually considered implementing a "soft delete" function for my service (knowledge management SaaS), out of fear that a user would accidentally delete something important.
Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete' function in place. If I get a request to restore any data I can say, "Sorry, the Europeans made me burn your data when you unwittingly clicked the red 'delete' button (as well as the confirmation dialog you didn't read)."
If you purge soft-deleted records after (say) 2 months, and don't use those records for anything unless they are undeleted by the users request, I don't think that should cause any problems with GDPR.
The GDPR defines two types of companies: processors and controllers. The crucial distinction is (roughly) if a company makes decisions. Someone performing targeting or operating a website is probably a controller, whereas AWS, who makes no decisions and just follows directions, is a processor.
If you don't want to be a processor, the best thing to do is probably in your contracts disallow usage of your service for anything containing GDPR covered personal data.
As for access logs, those will be some mixture of the two bases offered in the GDPR. Some will be required by legitimate interests (such as those collected for legal requirements) and some will be subject to consent. This is a complex discussion.
It's probably safe to err on the side of caution and assume that any application that stores personal data in permanent storage is a data-intensive application.
With a documented data retention and deletion policy. You don't need to keep your DB backups forever, and a request to delete someone's data comes with some reasonable amount of leeway as to how long it takes you to delete it. Obviously you can't drag that out for a year, but from what I've been hearing, a month or two isn't unreasonable.
If you're doing DB backups daily, expiring backups after a month (or even, say, two weeks), should be no problem and not an operational risk at all.
Purging a user's data is probably a matter of writing a short SQL/Python/Bash script for most databases (don't forget the audit tables, though it kind of defeats the purpose of audit tables, but whatever). It's something I'd only do on request (I'd expect it to be a rare occurrence), certainly not going to automate that sort of thing.
I'm not about to go risk corrupting my backups trying to scrub old customer data out of them. Perhaps only keep the last X days of backups and let the paranoid customer's data attrit out naturally?
This is a great question that unfortunately doesn't have a good answer. Ignoring the question of backups, GDPR's requirements have the implication of imposing a workload on database engines that, in most modern architectures, is either pathologically expensive or not currently possible. Some companies are approaching this from a "best effort" standpoint rather than conforming to the spirit of the regulation because the technology simply isn't there to make it feasible for some cases. I've been working on this problem for the last year and this is (IMO) a major gap in the regulation; it presumes that something is possible that isn't for existing applications that are otherwise universally viewed as harmless and permissible.
Scalable database engines that can support the letter of the GDPR in terms of data handling don't really exist. This is not a problem that can be trivially solved by patching an existing database engine; the requirements of strict GDPR data handling violates fundamental design assumptions of common database architectures. If you look at, for example, high-assurance databases which have a similar set of requirements for data handling as GDPR, they are never used when at all possible because their performance and scalability is terrible. (These databases are conventional architectures with GDPR-like data handling controls added.)
A database engine capable of strict conformance with GDPR while maintaining vaguely comparable performance and scalability relative to what we are used to would require a comprehensive new database engine design from first principles. This is something only a small number of people are capable of designing and implementation would be a very substantial engineering effort. Possibly a business opportunity -- one of the reasons I've been thinking about it, having worked on high-assurance databases in the past.
One approach may be to tokenize user information. Ensure that any personal data is separated from other data and mapped via tokens and kept in one place. Handle backups of this database with special care.
You can then have the rest of your systems work as normal.
All this is easier said than done if you have a large investment in existing systems, but it is probably a design approach you can enforce from the beginning if you are a startup.
I built an app that displays geolocations of tweets on an OpenStreetMap. That data is publicly available from Twitter and users share their location willingly, I presume. Will an app like that become illegal, as far as European tweeters are concerned?
What? Of course not. This law doesn't make apps "illegal".
What the law does is put regulations around what kind of personal data you can collect and store from your users, require you to explain what you're doing with that data, and allow your users to opt out of having that data collected.
It's unclear. The GDPR definitely covers personal data even if publicly available, so just because you grabbed it from twitter doesn't make it kosher.
That said, realistically, I'd have a hard time imagining you would have too much difficulty as long as you allowed people to delete their data upon request. If they post something to twitter, the obvious intent is to make it very public.
For a real life example, there is a group of people that collect Facebook posts and process them through a ML filter which judges if the post contains hate speech, and if it does, it reports the post to the police, supposedly after manual review.
Does this processing comply with GDPR? I'm pretty sure none of the people would allow this processing to take place if they were asked for permission.
My best guess is they will be able to shut this down hard, unless there is some alternative processing basis to be leaned on. See (6)1 for a list of potential bases.
For your particular scenario, the main impact of GDPR would be not on your actions but on Twitter obtaining the data (which is personal information at the tweet level) and distributing it publicly to third parties like you.
I don't see any clear restrictions for you, but perhaps GDPR will result in your data source becoming unavailable.
I've been digging into GDPR for the last year or so and the major conclusion I came away with was that, in effect, it is a massive effort to educate the population about data collection and processing online while also beefing up guarantees for data security.
As in, it's not illegal to to do most of the same things we do now with data, however we now need to educate our users on what data we are using and exactly how we are using it, in a way that is understandable to the average user.
With all due respect to the average user, I cannot fathom how anyone doing anything with user data more complicated than a basic record will explain it simply enough to be in compliance.
Suppose you were a small startup based in America, accepting online payments from users/advertisers using American platforms or financial institutions. Suppose you make no effort to comply with GPDR - what realistic consequences can you face?
I suspect that this is the kind of thing which larger/established companies would worry about. If you're a seed/series-A startup, it seems like you have far more important things to focus on, because there's nothing that the EU can realistically do to you anyway.
So if I ignore a law in Canada or the EU (extradition request, default judgement, etc) as an officer of a corporation, I wouldn't get arrested when I show up on the border? Really?
For ignoring the GDPR as a small business owner operating on the internet the chances of individual consequences are nil.
High profile cases would have a much higher risk and companies that went out of their way to advertise the fact that they are going to break the law would run a significant risk.
Show me just one example of a company located outside the EU without a legal presence inside the EU that had an executive detained upon entry for breaking an EU law that does not normally result in criminal prosecution.
Does the EU have any other extra-territoral law as far reaching as the GDPR? Or any other extra-territoral law? A business shipping something to the EU doesn't count.
The only other extra-territorial laws I know of currently is FATCA and the FCPA, which are from the USA.
If the law applies outside the EU (for instance, if EU citizens travel to a non-EU country), then it is an extra-territorial law. As far as I understand the discussion here (which may or may not correspond with the actual law), the GDPR goes with the person. Wherever an EU citize goes, that EU citizen must be able to be forgotten, despite if the location they are in is outside EU jurisdiction. That is practically the definition of extra-territorial.
Now, would an EU court rule that someone who kept permanent records of an EU citizen be violating the GDPR if the business has no EU presence? In the American system (imagining if the US passed a GDPR and prosecuted a non-US citizen), no, because the government would not have standing to sue: the violation took place outside of US sovereignty. If the EU takes a similar approach, then the law is not extra-territorial in enforcement, otherwise it is.
So having been through the preliminaries of GDPR, I took away a few things.
First of all, the enforcement path is as yet unclear. If they (europe) see you are doing something (like not responding to "right to be forgotten" request) it is not clear what enforcement they will attempt.
Second, there is the customer perception. If you have one European customer that buys something from you, or enters their email for you to give them some product information, and they request later to be forgotten and you don't, there is then a chance of public perception that you don't comply.
But there can be other avenues of exposure. For example, if you are dealing with a US bank that does comply with GDPR and you don't, there may be some pushback from the bank. So while EU may not come for you directly, there could be a secondary effect.
From a little conversation with European partners, I got the sense that US was taking GDPR more seriously than some EU companies.
You attest so legally binding. The legal system does not function on mathematical proofs. If it turns out you did not speak the truth, you can be fined, and maybe even jailed. That's how it works.
Also, we are not talking about forgetting someone personally, but deleting their data. I assume that's clear.
Considering this is not about human memory but about computers and data storage, and those things are traditionally pretty bad at lying, it seems like a bad path to take, personally.
Depending on your industry, or your global customer requirements, you might have to have an audit that shows that you have such procedures in place. If you are small, don't get breached, and attest that you have done the deletion.
If your company is not targeting the EU as a market you are out of scope of GDPR.
If you explicitly accept Sterling/Euros, provide localisations for EU countries, talk explicitly about your EU shipping options etc. then you would probably be seen as accommodating the EU market and might find yourself in scope.
Technically true, but what does the enforcement action actually look like against the small town ice cream shop that doesn't know or care about the rights under the GDPR of a tourist from Spain?
This is exactly what I was coming to HN to query about. Without some agreement with the US federal government, I don't believe they would have any mechanism of enforcement that would affect your business in the U.S. I imagine they could do something like block your site from EU ip addresses but nothing like coming after you or your company for damages.
This sort of argument is like saying you can commit murder then flee to Algeria, and the US will have no mechanism of enforcement. It's true, but heaven help you if they figure some mechanism out.
The EU really isn't a single large market though for most practical purposes. For the purposes of complying with regulations and accepting payment it is, but for every other practical consideration that matters to a company doing business there, it's a few dozen separate markets.
Are you arguing with my point or just trying to be contradictory? I never said blocking the EU was a good solution, but calling it a single market makes it sound more enticing than it is.
The collective economic effect of that will be massive. Please do. And realize that you are ceding the single largest market to your competition.
That doesn't necessarily follow.
For example, EU but non-UK customers represent only a small fraction of the user base for one of my businesses. With hindsight, we would have done better to exclude those customers entirely, avoid spending time and money complying with ever-more-onerous EU rules, and invest that time and money in growing our business in more lucrative markets instead.
It is entirely possible for the EU to make itself so unattractive as a market that this will be the case for others too. Indeed several of the near-future measures it is already working on may have exactly that effect. The saddest part is that those running the EU have so little idea about how small business works that they don't even realise they're doing it.
That would be a plausible theory if the EU even realised that many thousands of these smaller businesses exist, but as we learned with the VAT mess, they literally didn't.
Yes, the VAT mess definitely does not deserve the beauty prize but with the MOSS it is actually manageable. I've done it for a couple of years and as long as your IPSP cooperates it shouldn't be more than 15 minutes of work per quarter.
I've done it for a couple of years and as long as your IPSP cooperates it shouldn't be more than 15 minutes of work per quarter.
That might be true if you're lucky enough to have a single third-party payment service that collects all of your revenues including administering the VAT parts for you. Unfortunately, there are many reasons why that might not be the case or even possible. Even if you do use one of those services, it can't magically cope with all the edge cases any more than you or I can, and of course they tend to take an extra cut out of your revenue.
For everyone who needs to manage their taxes a bit closer to home, it takes longer than your suggested time just to check the rates regularly in case some member state decided to increase them with about a week's notice again. There's not really any good answer to VAT MOSS, there are just more inconvenient and/or expensive and slightly less inconvenient and/or expensive.
We've had some emails from them as well, but we still assume it's our responsibility to check the rates weekly, based on the fact that at least one rate change has come into effect with little more notice than that and nobody (including HMRC) actively notified us first.
Publishing the rates is certainly better than not publishing them, but unless that information is updated in close to real time so it picks up those short-notice changes and unless it's supplied in a machine-readable format so that you can use it as a basis for automatically calculating correct VAT at the time of sale, it's of limited value for anything other than spotting mistakes retrospectively.
Most businesses are tiny businesses. In the UK, 96% of all businesses are microbusinesses (classed as having 0-9 employees) and 99.9% of all businesses are SMEs (classes as having up to 250 employees).
Governments tend to obsess about big businesses, and the EU more than most. However, in the entire UK, there are only about seven thousand large businesses. Smaller businesses collectively contribute the majority of almost every important economic metric (jobs, tax revenues, etc.).
And of course, even the successful large businesses used to be successful smaller businesses.
Given that heavyweight EU regulations disproportionately affect those smaller businesses, because their compliance costs are relatively high, and given that excessive regulation makes it harder or in some cases impractical for businesses to trade within the EU, it is kind of crazy that the EU keeps putting these barriers up. Its own economic fortunes and those of its member states fundamentally depend on maintaining a good environment for smaller businesses to start and grow. Things rarely end well for economies that fail to do so.
Some people may find that a valuable trade-off, because the alternative would be to permit their customers to demand that they rewrite their logs at any time. I, personally, believe that logs should be fundamentally append-only, and thus will not be doing business with EU subjects (since the GDPR requires that I delete records from my logs on demand).
Guess what? The EU agrees with you. That's why the recommendation is that you strip PII from your logs for everybody. That way they can still be append only and you won't have to do any rewriting.
> I, personally, believe that logs should be fundamentally append-only, and thus will not be doing business with EU subjects (since the GDPR requires that I delete records from my logs on demand).
That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.
> That's why the recommendation is that you strip PII from your logs for everybody.
The problem is that IP addresses — a fundamental requirement for an acceptable network logging system — are considered PII.
If this were about things like names, dates of birth &c. then I'd be in full agreement. But considering an IP address personal information which must be deleted on demand is IMNSHO insane.
> That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.
I'm just a guy, y'know? I'm not going to pretend that it would be easy or cheap for others to make the same decision. But it is easy & cheap for me.
For a network logging system yes. But for a commercial entity on the web: no. Beyond a class 'C' you're not going to get much mileage out of IP addresses, unless you're trying to track people without using cookies and that would be one very good reason why you should not be keeping those IP addresses in the first place.
If you're an ISP that changes, in that case there is a retention requirement. But a regular business in the normal course of performing its expected activities has no business retaining IP addresses longer than necessary. If that to you is unacceptable because you want append-only logs that stretch back years then that's your choice.
But if I had to choose between cutting off roughly half of my turnover because I didn't want to comply with the law or complying with the law and slightly re-arranging my logging then I'd happily pick the latter.
So no need to delete on demand, simply don't store them longer than you feel you need to in order to meet your business goals. 30 days or so should do it. Six months or longer would require a detailed explanation.
And most importantly: disclose what you do. That way your customers can make informed decisions and you won't look bad in the eyes of the law if they decide to decide on whether or not you meant to act in good faith or if you took to interpreting things in the way that suits you best.
Perhaps you could encrypt your logs after a predefined “live data” period passes. Each log line’s key would be derived from a key that is itself derived from the data subject’s unique identifier. If that subject invokes their “right to be forgotten” then the subject’s key is destroyed, rendering all thus-encrypted log lines irretrievable. This does mean analysis of “cold logs” would first require a potentially burdensome decryption process — but it would be possible, and the resulting logs would only contain data relating to permitted data subjects.
If you have a customer from the EU, you must comply with GPDR. Full stop.
Also, if any component of your cloud ecosystem(AWS, GCS, etc.) are based in the EU, you must comply with GPDR. Which in today's world means almost everyone is affected by this.
Make sure those "American" platforms you speak have every single component of their infrastructure based physically in America.
The whole thing may be difficult to enforce, but meh why risk it?
In the typical web/e-commerce context someone whose IP address geolocates to an EU based end point or someone who lists their delivery address as inside the union.
The problem is that the law applies to them even if they use a proxy. If they report/sue you afterwards, you might be looking at a huge amount of trouble.
That's not very comforting when your goal is avoid having unforeseen problems like being arrested on your European vacation due to violating a law that doesn't apply to your country but you still violated because it applies to all EU citizens regardless of their geographical location.
The general direction is correct, but not the specific implementation - since it applies to everyone in the EU, no matter what their citizenship, you can just reject all transactions where the shipping address (or credit card address for virtual goods) is in the EU; and that should probably be fine.
On the other hand, if you actually want to sell stuff to EU and get a nontrivial number of deals, then no amount of weird checkboxes is going to convince the regulator that it's okay, they aren't stupid.
What you do or do not do should not be grounded in the consequences that you will face but in what's the best for your users.
If you feel that your users rights are of no concern to you then you are of course entirely able to ignore this law and to pretend it does not exist because in practice there will most likely not be any consequences whatsoever. You do not have a place of business in the EU, you do not transact any business there to begin with so you are free to ignore the law. And this is doubly true because you are 'small fry', nobody will notice.
Except for your customers maybe. And then that time that you got hacked and you lost all the data you collected over the years because you forgot to implement life cycle management. And this will then marginally affect the ability of other companies like yours to be able to do business.
And little by little the people that chose to ignore the law will start to become a large enough problem that something will be done about it (I hope). Which might mean harmonizing EU law and US law, or it might mean that you can be fined just as if you were in the EU for those breaches were you are clearly deficient.
In the end I don't think that you will enjoy the results much. But since you are small fry you probably will get away with it. But collectively, you and your buddies will harm American enterprise more than you probably realize.
He'd be exposed to increased risk by not complying(lawsuits, criminal action, etc.). It's based on his risk tolerance, the problem is it's hard to quantify at this point.
Based on a pretty thorough bit of search I can confidently say that no small (or even mid sized) US company has ever been fined or any executives detained or extradited because of breaking an EU law that would have not normally resulted in a criminal conviction.
The EU tends to go after the larger entities and tends to fine rather than arrest.
I've read most of it and I disagree that it has been written badly. As laws come it is accessible, has some pretty clearly defined goals and it is for the most part something you could easily comply with.
Yes the first 90% is reasonable, it is the last 10% that is a nightmare.
I comply with the general intent (always have), but the law as currently written is near impossible to comply with. My feeling is this will be realised by the EU and a more rational set of guidelines will emerge.
Acting in good faith is the best protection you can have. In your case if there are parts that you can not comply with I would note these as clearly as possible and disclose those specifically to customers and why you can't comply with them. And another thing you could do is to get yourself a $500/hour lawyer specializing in privacy for an hour or two to tell you what to do on a sheet of letterhead.
Since we are not based in the EU and don’t have a business presence there I think I might just keep following the intent and wait for the EU to be more sensible.
I really do wonder how EU companies are going to comply with all this. What an enormous waste of resources to catch a few bad actors.
It really does feel like a lot of policymakers don't actually realize how onerous their requirements are, and in turn, how much this hurts smaller businesses that can't afford dedicated resources to keep up with all these issues.
Of course, for the policymakers, it's a win, because as part of a rent-seeking bureaucracy, they can expand their empires as they produce more policies.
If you have a customer from the EU (...) you must comply with GPDR.
Nope, you have to specifically target people in the EU:
"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. (...) the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention"
> What you do or do not do should not be grounded in the consequences that you will face but in what's the best for your users.
I agree with the above. I disagree however that "what's best for your users" is universally a superset of GDPR regulations.
My personal view is that if your company/service becomes so powerful that people can't escape from its influence, the above regulations are a necessary evil in order to counter your outsized influence.
For a tiny startup on the other hand, you have so little influence on the world that if a consumer doesn't like the way you operate, they can just choose not to interact with you. Such startups can best serve both themselves and society at large, by focusing on building valuable features/services.
Reasonable people can disagree about the specifics of a law. As a EU citizen, I can understand your wishes for everyone to comply with EU regulations. It helps to put yourself in others' shoes, and ask yourself how much time/energy you, as a startup founder, would be willing to put into regulatory compliance with Canadian/Russian/Indian laws.
> It helps to put yourself in others' shoes, and ask yourself how much time/energy you, as a startup founder, would be willing to put into regulatory compliance with Canadian/Russian/Indian laws.
If I were to target my business at Canadians, Russians or Indians I would definitely make an effort to comply, especially if those laws in general did not originate from protectionism or were particularly hard to implement (which I don't think the GDPR is, at least not in spirit).
It's hard to say at this point, or even after. It's on a nexus of vague things. First "internet laws" have a history of leading to nothing much, like the EU "cookie law" which everyone "complies" with by popping up a nag. Second because online jurisdictions and how these get enforced is ambiguous. Third, because the enforcement path is still pretty unclear. It may be all about a handful of high priority cases, with small sites getting a pass.
Ultimately, there are all sorts of laws all over the world. With an online, potentially global business, you're breaking some of them. Turkey does not really expect some international user generated content site to comply with their political content laws. A bigger site based in Istanbul... You'll get a knock on the door.
About ten years ago, I had a client with an e-commerce site, for workplace safety gear in Australia. They sold to the US, but rarely. During bird flue, they somehow got on the radar of some US advertising standard. There were some politicians actively policing it anyway they could (not courts).
Tldr is that they had their payment gateway and PayPal shut them down immediately (someone got scary phone calls). Even shutting off all US shipping, and adding a big red "No US" sign didn't help. They had to drop the products. So.. jurisdiction is often erratic.
I think the last (possibly most important) point is cultural. If it takes, GDPR may impact consumer expectations and you may need to do it for that reason.
If you want to avoid GDPR, just hold back for 3-6 months until after the date. It'll get clearer as it progresses and if you're as outside the purview as you suggest, you're probably going to be fine ignoring it at the start (or forever).
The realistic consequences would probably be the following:
1) When you grow sufficiently large to go global, it will suddenly start to matter a lot, as EU is one of the largest markets worldwide. In the best case scenario you'd have to change your processes and systems to comply (i.e. you'd have technical debt which you could've avoided if you did it properly in the first place); in the worst case you'd have some complaints from EU users resulting in fines that aren't enforced yet but would be as soon as you'd want to actually get money from EU. This would be a meaningful impact to your valuation at that point.
2) As the risks implied in the first part have an impact on your valuation if you succeed and go global (which is the only scenario that matters to investors, the exit valuation about which they're thinking), you'd expect this compliance to be included in the due diligence done by series B/C investors and any acquisitions; if you've made no effort to comply, this will result in a lower valuation in those rounds of funding.
If you're a high-growth startup whose valuation is not based on current revenue but on the (long) future market size and you declare that you're choosing to be incompatible with, say, 25% of the global market (to a very rough approximation, EU revenue share is something like that for many major tech companies), then investors will discount your future value (and thus current value) by 25%. So at the very least this is something that you should have on your roadmap for investors i.e. "we're planning to do that diligence and related work in quarter X after we've done A, B and C" instead of simply ignoring the issue.
No one is forcing you to follow it, but I suspect this is just the begining, GDPR is comming from EU due to history reasons, Europe has a lot of bad memories about keeping lists and tracking users. From Nazis to Stasi, USSR and so on and on. What is today done by google, fb, twitter is a light years ahead of that. Try to understand that GDPR is not something bad, it is rasing credibility for your bussiness and is doing something right. I bet a lot of, lets say, USA cityzens will value text "we are GDPR compliant for whole world" on web site. It is oportunity that Backblaze grabbed and soon sites that don't follow it will be on fishy side of the internet. And I also believe, a lot of non EU contries will adapt similar laws, the attack on privacy has gone too far, don't blame EU, blame ggl and fb.
It's not related to the Nazis. Please. If it were really related to memory of abusive governments they wouldn't have just written a law with phenomenal penalties and ultra-vague language that everyone can be argued to violate - exactly the sort of law that all totalitarian states love to have.
GDPR exists because the EU wants to be the primary legislating entity in Europe, replacing local governments, and because it likes the idea of funding itself through huge fines. It exists to serve political ends.
If you're consumer focused, you're probably fine and will just need to clean up some mess later when you get big enough to care.
If you're B2B, it's going to be a problem from day one. GDPR has a defacto viral component for service providers. Basically, any the business that wants to become your customer that is itself GDPR compliant needs to ensure that you too are GDPR compliant. Accordingly, GDPR will come up with a large portion of web-facing B2B sales, even for US companies.
Note that this doesn't actually provide any useful anonymization. That feature is a placebo designed to give minimal compliance with privacy policies and pre-GDPR data protection requirements.
They're anonymized for things like logs. When the computers aren't talking to each other, the reasons to know the exact IP address are rather minimized. If you feel you have a real need to do so, then you just need to inform your users what you're doing.
Will the GDPR eventually make bitcoin or other immutable public distributed databases illegal in the EU? Do you have default judgements on thousands john doe node operators around the world? Will EU ISPs be required to censor any kind of blockchain node eventually when someone has a GDPR complaint for that network? Will we arrest teenagers for running ethereum miners on their gaming computers after all of this?
Will any information that enables identification of the individual (or the other ancillary information spelled out in the article and regulations) be in the blockchain? If not, doesn't sound like it.
Here is one way to think of this. Any EU citizen has a "right to be forgotten". If there is nothing in your records to identify that person, the you don't need to provide that ability.
There are also blockchain style social networks such as steem that create things that are like reddit: https://steem.io / https://steemit.com . Again, freeform public text blobs that can have private info.
If you create any censorship resistant publishing software, lets say to report on human rights violations in some sort of dictatorship, you also create something that can be used to violate the GDPR.
Isn't a public key a potentially identifiable piece of info that becomes personal information if anyone (like an exchange) stores it in conjunction with other personal information? I don't see how it is any different than an IP address.
OK, but what the parent is suggesting is that someone might store someone's personally identifiable information on "the blockchain", thus making the entire bitcoin network in violation of GDPR. It's a fairly on-point criticism, IMO.
it's not Bitcoin network that's in violation, but the company that owns the transaction in which the data is in.
let's say I'm a shop and i allow btc payments, but I include the customers info in the transaction or something to such an effect. then I'm in violation, and must pay a fine (since I can never delete that info). The network has nothing to do with this, and nobody else on the network is party to the violation.
You've raised a really good point with this. Honestly, the whole "right to be forgotten" thing is utter BS. Might as well call it "the memory hole act". Or better yet, "the right to silence the opposition".
"the personal data are no longer necessary in relation to the
purposes for which they were collected or otherwise processed"
The data you submitted to a blockchain database is inherently needed
forever for it to function, so I think there's zero chance that this
will be interpreted as to make Blockchains illegal.
What might happen is that this in combination with the "Conditions
for consent"[1] will force people who ship blockchain software to have
prominent warnings saying that you're about to ship data that'll be
public forever.
One more interesting thought. If you are using ad provider/tracker/data reseler X/... located in USA which is GDPR compliant and is doing bussiness with EU, and you are feeding them with toxic information you didn't get consent for, the EU can pick on them. As you have damaged their bussiness they can sue you. In USA.
I have been through a number of GDPR resources and seminars and I am still of the opinion that there is nothing in it to worry people who are acting in good faith with their customers data. The organisations fined under existing laws seem to have been breathtakingly negligent or just deliberately callous.
Q: would I still be able to keep session logs of user journeys through my site without explicit consent? If not, this seems like huge issue for ecommerce analytics. If I need to obtain explicit consent, that the user isn't required to provide to continue accessing the site then I don't see how these technologies are not basically dead in the EU.
Can you even legally do a customer churn analysis under the GDPR without explicit consent?
One of the biggest complaints I have about this is that the uses for data keep growing, and legally, you can't even test a hypothesis before getting consent, which you won't be able to do frequently because users hate being asked about anything.
My intuitive response to this law is to want to split my data into EU/non-EU parts, do all my work on the non-EU parts and hope that the insights gained there can be applied to EU users.
No, put up a “trap” page, tell the user you need to collect certain data to operate the site and make the user clicks Accept before they can use your it.
Yes you can keep session logs, it is a 'legitimate interest'.
Are you just trying to see which deals interest people (zero issue, but you could annonymise this) or profiling the customer based on the logs and offering different prices (you are going to have to be more careful and transparent).
> Can you even legally do a customer churn analysis under the GDPR without explicit consent
There a lots of ways to look at churn with anonymised data. I do it with account ID's. If you are looking at churn rate of Asian people vs Afro-Caribbean then GDPR is going to be amongst your problems,
708 comments
[ 3.1 ms ] story [ 337 ms ] threadI've noticed that this is something the EU has tried to do lately, to just sort of push their regulations on the rest of the world. I don't see what sort of authority they'd have to impose this on citizens of other countries.
I wonder if Europe pushes the issue, if this will be treated like libel tourism, where US citizens and companies without a Eurpoean nexus will be explicitly protected from judgements against them.
The authority they have is that delegated by the sovereign members of the EU, and the fact that the authority of a sovereign power is limited only by its own decisions and it's practical capabilities.
(The US also imposes it's ruled extraterritorially when it feels like it.)
The US has given lots of precedent cases for that. The usual approach the US takes is to force the banks the foreign site is operating with to seize all assets. The EU likely would do the same.
Don't like it? Don't do business in/with the EU. Then you're free to ignore their frameworks, rules and regulations.
They are not trying to "impose their regulations on the rest of the world", they're trying to protect the privacy of their inhabitants. That this leads to measures that need to be taken by companies doing business with (the data of) their inhabitants is a side-effect and only logical.
So, should you just start blocking IPs from EU-based citizens?
OTOH it just shows your remaining customers that you're willing to do shitty things to them, as long as America is trailing in privacy legislation.
The major tech companies impacted by the law are already likely taking steps to comply. Is anyone seriously saying they’d rather just wave goodbye to an entire continent?
If your website accepts Euros, has multiple european languages (e.g. spanish, german, etc.), you do marketing in Europe, then we can conclude that you legitimely do business in Europe, you are then required to be GDPR compliant. This is indicated in one of the GDPR article (can't remember which one)
Edit: fix typos
Quote from GDPR, page 5, recital 23 (http://www.privacy-regulation.eu/en/recital-23-GDPR.htm). I'm no lawyer, but that's the way I'm understanding it.
Yet, that is only one of two reasons why you would be subject to GDPR, the other is "the monitoring of their behaviour as far as their behaviour takes place within the Union".
As far as I can tell, logging a european IP address together with urls (i.e. an access log like every server has) would qualify you even if you aren't doing business there.
Completely unenforceable though.
But it's very different to expect people who live outside the EU to respect EU laws, just because someone from the EU happens to choose to visit their website. I don't see this as any different than if someone in the EU was to visit a convenience store in the US - should the convenience store owner be bound by EU regulations in that case?
You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU. And as with any law, if you're sufficiently small fry the EU isn't going to care about you until you actually screw up. Don't accept euros as currency. Don't offer to ship to EU nations. Done. If you do accept payments/ship/etc, unless you're a multinational, the EU probably won't care anyway, as you'll fly under the radar, unless you leak customer information. Do that in a sufficiently extravagant way, and they -will- care, but unless you have assets in the EU they can't/won't do anything about it anyway.
I see multiple comments mentioning this. Do American banks restrict which currencies your credit card can be charged in? As far as I've been able to tell, my bank lets me pay in any currency I'd like, and they will convert the amount to SEK before charging my account.
If dealing with digital products, allow people to purchase without creating an account, or require them to select a country as part of account creation (and prevent those selecting the EU, or don't make it an option). If the bank processes the payment, but you've collected no information, you can't run afoul of the law (since you have no information).
Don't have server logs with IP addresses? Don't collect an email for the user to use to log in? Don't receive customer support recieve from these users?
I wonder how ads play into all this. E.g. are people who watch an ad on YouTube considered YouTube customers? Are they considered customers of the ad company?
My concern is that we will see more (non-EU) companies implement something where users "pay" for services/features by watching ads. I do also wonder how it then affects the ad companies if they collect personal information about the user. Does the user count as a "customer" if the ad company is the one paying?
The advertising networks are clearly doing business in EU as they're getting paid by these advertisers - so all the major advertising networks will have to be GDPR compliant. So in this regard, the ads (and user info used for these ads) shown to EU users will (in practice) have to be GDPR compliant even if your site doesn't care about it, because everyone who'd want to pay for these ads has to be compliant.
This is the part I'm not sure is true.
Sure, if the ad agency's company motto is "delivering ads to EU users since XXXX", they obviously have to be compliant, but what if they are a US-based ad agency and none of the companies selling them ad space are in the EU? How many layers does one need to circumvent this?
Almost every ad I see is from some company that is actually eager to sell stuff to me, so they're doing business in EU, and have to be compliant.
All advertisers who care about me won't be allowed to buy my data from US-based ad agencies, so even if such US-based agencies can gather the data, it's worthless, since noone would buy that.
This is false.
If you offer a free product and one of the companies you publicly list as a user has a presence in the EU, then you need to be compliant.
If your signup page has been localized to Estonian, you also probably need to be compliant.
"Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
Or, to look at it another way: If it weren't extraterritorial, ad providers (for example) could simply close their local branches, and EU citizens would not be protected from consent-less data gathering. To realistically be able to fulfill its mission, the GDPR _has_ to be global in scope.
this is a very good point actually, GDPR will probably also be used in trade agreements as a requirement, in which the EU has a lot of leverage compared to most other nations/trading blocks across the world.
In the end, the reason the EU can do it is simply because it has enough political leverage to make this happen.
edit: To add to this, I think these kind of things will be good in the long run, especially when the EU starts more trading talks with smaller nations, which are usually very eager to get into a trade agreement with the EU, especially for african nations as it usually allows more ways for legal migration and includes foreign aid a lot of the times.
depending on the levels enforcement I suspect the same will be true of many popular online services for GDPR: you check the "EU citizen" checkbox and you're banned
The amount of effort being put into GDPR compliance within my organization is just staggering. It really makes me think about these kind of laws from a new perspective, because they cost businesses so much to implement.
(I'm not saying whether GDPR is right or wrong! Just that it's expensive.)
The companies that have to spend significant coin are the ones who are not already complying.
Best practices are funny because context and history are important. Actual regulation is not so forgiving.
For a simple example, let's say you use an immutable data store. What do you do if a customer wants every info about them redacted, but you did something like store their IP, name, or email. All common things. Now you must build mutability into your store and all assumptions that used to be made can be removed.
This is just a very small piece of something that even a small or medium company may be using or doing.
Doesn’t help for pre-GDPR data but that’s the way you should be building going forwards.
Leaks are punished, as they probably should be, under gdpr anyways. But now do we have to account for all of the keys over time and have it be probably gone? What if we take backups of the systems that stores the keys? Do we have to purge those backups as part of the deletion request? What if they're terabytes in size?
Just thinking through edge cases here
That makes selects & joins on the data quite a bit more complex. Per-record & per-subject keys are … tricky.
This is a huge problem for an org that relies on huge amounts of such data to keep our product running and uses systems which were never built with these new rules and classifications in mind.
Furthermore, there are huge complications surrounding "data processor" scenarios (in other words, Enterprise SaaS products). For example, what takes precedence, GDPR deletion or our contractual security/auditing obligations?
Again, I'm not saying that any of this isn't worth while, just that when you get down into the weeds things look a little different.
US companies who previously had the narrow scope of PII to handle, now have to consider the much broader scope of 'personal data'. I am sure that for lots of US companies providing services to EU citizens/residents that will definitely represent a substantial burden.
Even for EU companies, the reality is that many will have previously taken a view that the size of potential fines was not high enough to warrant giving certain matters that much attention or at least spend money on areas they considered more important. For example, if I have a choice between implementing additional security measures to protect my network versus building functionality to delete on command, many companies will have gone with the former.
On retention, my view is that if you consider it necessary to retain information for purposes of auditing/security, and have made that clear in your contract with the client (who would then should make that clear in their privacy notice if they don't already have a general caveat around that), then the right to delete under Art 17 does not kick in because Art 17(1)(a) is not engaged. Also, dependent on the grounds on which you are looking to retain Art 17(3) gives a controller a clear ground to retain.
Also the right to erasure is one that will generally be directed at the controller. The controller would then flow down that request to a processor but that is where the contractual protections would come in, which in my experience, most clients are generally willing to accept.
The GDPR imposes some new requirements that were not previously part of any privacy best-practices that I'm aware of, and that create some system complexity. Chief among these is the right for users to retract consent after it has previously been granted. This effectively requires processors to be able to delete individuals' data from their records, something that was not a design requirement of many systems. This becomes increasingly more difficult as user data has often been aggregated, and joined with other data sources.
Another key differentiation of the GDPR compared to previous legislation is that it applies not only to data that identifies a person (such as by containing a name or social), but to data that could in theory be linked back to the user through a common identifier. Previous best practices have considered the user's privacy protected if they were identified through a hashed email or an opaque database identifier, but the GDPR does not consider this sufficient anymore.
It's not even malicious; in the absence of regulation to the contrary, companies -- especially companies still in search of a revenue model -- have an incentive to collect as much information as possible.
Just for starters, you will need to decide which data you have to process and which is optional. Some data will need to be kept for compliance purposes. How much anonymization will be applied. What data is in every single internal db in your org? Do you even know of all the internal dbs? Each data will have to be tagged with the collection basis, either legitimate interest or consent.
The GDPR is also -- as I've complained on here before -- less of a regulation and more of a framework for 30-odd individual country privacy regulators. Some parts of the GDPR, eg on consent, are laid out in black and white. Other parts aren't at all. And the EU wankers have declined to issue final guidance on the latter even by this date, less than 3 months from the compliance deadline.
There's also cute stuff in there like if you have more than 250 employees or engage in "widespread processing of personal data" (widespread processing left, of course, undefined) you will have to hire a Data Protection Officer. Said DPO must be in the EU and report to the ceo. This will be quite a nice cottage industry for EU lawyers.
American companies are probably unable to pick a lead regulator and hence will be subject to the individual regulators of each EU country. What happens when some french person (France has a very aggressive privacy regulator) complains to the regulator, and you are dealing with a regulator in a language you don't speak? I hope you enjoy paying legal $600/hour.
The GDPR does specify enough around consent (ie all consent-basis contacts must be default opt-out) to make it highly unlikely that any of your email or newsletter opt-ins are compliant. You will have to re-consent all of your marketing emails, and this may come with significant attrition. This will be painful for outbound sales, even outbound sales that currently is very respectful of opt-outs.
Data subjects can also do things like request a copy of all data (a so-called Subject Access Request or SAR), request deletion, and even freeze processing, which is supposed to stop processing without deletion. This must percolate through all third party systems, of which most companies will have a lot. Just start with your two mailing systems (transactional + marketing), logs, analytics, billing, salesforce, billing, etc. And as mentioned above, it is required to percolate through internal systems.
You will have to have an ugly discussion about backups. Are you going to roll backups at 30 days? That's probably not ideal. But what should happen when a data deletion request is received and that data is, of course, sitting in backups?
The short story is this is expensive and painful enough that, if I only had incidental European customers, I'd probably ignore it and close their accounts if they complain. This is very much not GDPR compliant, but as an American company, I'd do it anyway because of the expense of dealing with the above.
Changing the processes may not be hard, if you're doing things close to right to begin with. Complying with the documentation requirements? That's going to be painful.
Anybody? Sure technically in the same way that going 58 in a 55mph zone is speeding and could get you a ticket. So the question remains assessing the probability of enforcement of a hypothetically a small US based organization who has European customers. As I read the replies on this page it seems to be a mix of people who have a great deal of theory and not a large amount of practical experience assessing the probability of something actually happening given breaking a European law.
Google and Dropbox promise to do so by May 2018.
It has taken up a majority of the last year.
Also "communist" China? Have you been living under a rock for the past 30 years?
It should also be said that China has far more onerous regulations of commerce than the EU and US, for example in regards to foreign ownership. But you actually know that, otherwise you wouldn't preface "China" with "communist". Which, however, isn't terribly accurate, because modern China really have much of all to do with communism.
"The changes that are being made by companies such as Backblaze to comply with GDPR will almost certainly apply to customers from all countries. And that’s a good thing. The protections afforded to EU citizens by GDPR are something all users of our service should benefit from."
https://www.backblaze.com/blog/gdpr-compliance/
Get it? It is shamefull what a couple of technological leeches did to basic human right for their profit, not to mention turning the whole internet into clickbait maze. Stop complaining, it is right thing to do, like it or not.
For any greenfield development, why would we develop it twice? We have to solve every business problem we have for the EU; why would we solve it differently, to address the same problems, elsewhere?
For non-greenfield development, why would we keep two codebases and sets of infrastructure around that we have to support? Better to consolidate. Especially given the positive word of mouth it would generate compared with "Yeah, we're not as careful about your privacy because you're not in the EU".
The -only- case where it makes sense to do something different outside of the EU is if there's a key bit of value that we literally can't capture in the EU due to the GDPR, and we want to capture it elsewhere. Now, that's still alarming (in that we could have the privacy haves and have nots), but I just don't know how common that will be, or whether companies would find it worth doing.
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union..."
(Ch 1, art 3, para 2)
There’s many other regulations that only apply to citizens and not based on location.
GDPR is inevitably going to hinder any new company forced to abide by it. So the next Uber/Wechat will first flourish in US/China/Russia and then come to the EU, not the other way around.
Entrepreneurs / investors also want their time & money to be used to build value first rather than solve yet another accidental complexity that is irrelevant until your revenue model is proven.
What am I missing? Is GDPR implementation cost marginal?
Is it free? No. But if you're spending a significant amount of time on it as a new startup building from scratch, something is very wrong.
And hell, if you started a company recently, you were given the chance to catch up to the incumbents in your market while they've slowed down to retrofit all their systems for GDPR compliance. ;)
GDPR states that to remain compliant, Controllers must only use GDPR-compliant Processors.[1]
Assuming that EU startups will take GDPR more seriously than non-EU companies (a safe assumption judging from the posts here on HN), non-tech EU companies (Controllers) will tend to gravitate towards EU tech companies (Processors) to ensure they remain compliant.
It is non-EU (primarily US) tech companies' game to lose. If US tech companies get a reputation for not caring about GDPR, there could be a real sea-change in EU buying behavior.
[1] Article 28, paragraph 1: "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
It’s also easier in terms of jurisdiction. A non-EU company might just pretend they’re compliant but your legal options in case they’re not are somewhat limited.
Why does everything have to help startups?
"GDPR is inevitably going to hinder any new company forced to abide by it."
I disagree. You simply shouldn't be collecting that data in most instances anyway. And if you truly do need it, you should have been asking permission before. Somehow we got it into our heads that it was perfectly acceptable to just take things without asking. I'm fairly certain I learned not to do this in Kindergarten.
"Entrepreneurs / investors also want their time & money to be used to build value first rather than solve yet another accidental complexity that is irrelevant until your revenue model is proven."
The GDPR has no impact on this, unless the only way you can create "value" is by disrespecting your users. You can still build value the old fashioned way, by providing something of use to your users.
If you need everything, then you'll need to use "fulfilment of a contract" as the basis, and in that case, you probably need to make your ToS pretty tight too.
For the users that refuse this consent, can I prevent them from accessing the self-driving feature of the car? If not, how would the company deal with the free-rider problem - nobody opts in because they want their privacy but they also want the feature?
AI and ML have to be careful [0], as you need to be explicit about the data's use and impact on the end-user. The most given example for this is ML algos that determine eligibility for financial products, but we could probably twist that Tesla example to fit a similar to be "my data is used to inform an algo that determines what the car does in a dangerous situation", so you might have to abide by rights to explanation and data editing.
[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...
(links to actual text at http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN... )
For anything (eg. questions, feedbacks) i'm here.
This will probably have to change a bit with GDPR but will still supersede GPDR when it comes to health data. Are you providing compliance with those laws as well?
Ideally you want to consult with a lawyer to ensure you're in compliance. Certainly that's what we're doing where I work (we have dedicated in-house legal staff dedicated to privacy issues who have been taking point on this), but when you're smaller that can be prohibitively expensive.
Within a couple years, though, I expect any serious commercial or open source platform available that deals with data to have GDPR-related features. It's already starting to happen, and hopefully GDPR compliance won't be something you have to go out of your way to do; it'll just be a normal part of doing business that everyone understands.
The transition period will likely be rocky, and it's my hope that the EU will be initially lenient dealing with honest mistakes that companies work to quickly fix once discovered.
Favourite takeaway.
What many SVers call "innovation", other industries would call "reckless".
How embarrassing for us!
EDIT: In terms of regulation, we're practically chiropractors.
Based on my own experience, I've 'known' about regulations that governed the industries with which I've worked. I'm not sure what evidence specifically you or the author have that leads you to believe software developers should be embarrassed.
And? Making sure that the bridge will hold under the weight that its required to is demonstrably bad for my profits (if I were the construction company). That doesn't mean that we should loosen the regulations or whatever. We don't owe anyone the right to profits, regulations are meant to protect us and keep the playing field fair. Of course that will always negatively affect someone.
As well, some things are so bad that you don't want to punish after the fact.
This would be a much more difficult thing for them to do if it was easy to track the history of bad behavior of the relevant people. This seems like something that should be relatively easy to do nowadays, module some probably not-too-significant obstacles like the 'right to be forgotten'.
> Big projects will often be done by a pool of companies. Which would you hold accountable then.
In the absence of detailed information, one would reasonably hold them all partially accountable.
> As well, some things are so bad that you don't want to punish after the fact.
There's no perfect way to do this. Murder seems like it's "so bad that you don't want to punish after the fact" but I don't think either of us would want to live in a society that was perfectly capable of preventing any murders.
I challenge you to give me an example of some "demonstrably bad" effect caused by "avoiding recklessness" that isn't the direct result of shirking responsibility.
To go along with your devil's advocate argument: I could argue that "taking extra measures to ensure the security of sensitive data" would have been "demonstrably bad" for Equifax. But don't you agree that it was extremely irresponsible of them to not do that?
Eh, not substantially or consistently more than in software. It's possible to cherry-pick examples where engineers in other fields are more aware of relevant regulations, but overall, it's roughly comparable.
I'm generally very critical of the move-fast-and-break-things mentality, but engineers in other fields are generally not more knowledgeable about industry regulations than software engineers are.
Having been in the software industry for a while, it is often discouraging to see how both explicitly and often inadvertently move-fast-and-break-things has resulted in some pretty bad software industry wide.
Just look at the sense of most of the comments here--there seems to be a consensus of how to get around this, or how it doesn't apply to me.
Is it my responsibility to follow the censorship rules from China on my webapp in California? Is it my responsibility to know all the regulations on web apps from Sri Lanka?
Building software with care and professionalism is unrelated to understanding all the rules in place all around the world.
[1] https://gdpr-info.eu/recitals/no-23/
> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Note that "the use of a language or a currency generally used in one or more Member States ... may make it apparent that the controller envisages offering goods or services to data subjects in the Union". So simply using a language in use in a EU member country may be sufficient that you "envisage" offering your goods or services. That seems significantly different than your claim that one need merely not "specifically target those countries".
Knowing all regulations in the world for any given industry would be a full time job. The people you seem to be implying exist do not exist.
So long as my country isn't willing to extradite me, I don't really care what their laws are and I will adamantly refuse to comply with them as they're entirely irrelevant to me.
New York lawyers who do business in France do.
If you're accepting ~dollars~ euros to place French ads on your pages targeting French customers, seems reasonable to know the relevant French regulations.
That's not true.
Am I misunderstanding? Why is this incorrect?
https://gdpr-info.eu/recitals/no-23/
The obvious answer is by geographically identifying them by IP. Which GDPR makes pains to point out is personal data.
It seems you can't be bothered to not store data.
Now I’m instrumenting my systems with geo lookup databases which usually also include much more fine grained data (such as home/business) than that.
In any case, your original point was to just not interact with those people, which requires active filtering and isn’t the same thing as saying ‘just don’t watch that tv show’ in that it demands actions on my part due to behaviors and preferences on someone else’s.
You can learn as much as you want as long as you don't store it or provide that information to a third party.
I believe our industry has too long gotten away with a "store everything" mentality. I have zero sympathy for web sites which slurp up everything from their visitors.
If those local UK construction companies want to do business in Japan they'll have to know the building codes of Japan.
But seriously, the GDPR standardize the body law for the whole Europe. That makes thing easier for devs.
I have plenty of friends and relatives who work in construction or architecture and knowing the building codes and everything related to it is something you learn at university, update every year and is something every person involved in planning and constructing a building is aware of. Lawyers only get involved if a building fails.
McDonalds goes and retrofits all of their buildings in the world because they have shops in the EU at great cost. Some pizza shop that does delivery in the USA, and the owners go on vacation once in a while in Europe? ️They probably are not even aware of it.
That is what the GDPR is in a nutshell.
You are reaching. I give you a better example: it does not matter where a building part is being produced, if it ends up in a building in Europe it needs to be up to the local building codes and to the regulations of the single market.
Lets say your visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop. They put your name and delivery address in their computer in an MS Access database that makes stickers, emails the delivery guy's gmail account and a person delivers a pizza to you.
They have no idea your an EU citizen and they just put enough information into their computer that would violate the GDPR. They have no real way to comply unless they retrofit their computer system to some vendor that is GDPR compliant, if it even exists. Just deleting your info from the msaccess db and asking the delivery guy to delete their emails isn't enough for the GDPR. And a computer system retrofit for most business might as well be like asking them to retrofit their building as far as costs go.
The end effect might be just outright banning all EU citizens from doing business with various places, because it's just not worth the hassle.
'Sorry you cant stay at our hotel, we are not GDPR compliant'
'Sorry we won't deliver to you, we are not GDPR compliant'
'Sorry you can't enroll in our classes, we are not GDPR compliant'
'Sorry we won't treat you at this hospital, we are not GDPR compliant'
'Sorry you can't get a bank account with us, we are not GDPR compliant' (Like a lot of EU banks with US citizens with FATCA)
If that pizza store has no relation to the EU then there is no legal ground by which the GDPR could become relevant. There is no treaty which would establish some sory of leverage here.
//EDIT: which btw is unlike FATCA for which there actually are bilateral agreements.
I wouldn't really have much of a problem with the GDPR if it had some small business and non-eu business exceptions. It doesn't and regulators saying 'trust us we wont prosecute the easy to prosecute!' makes most businesses uneasy.
The law itself does not even put itself into scope. You either need a treaty (Article 3, paragraph 3) or the data subject or processing is in the union.
Indeed.
Let's not forget that the EU and national governments have form when it comes to this sort of thing. The new EU VAT rules on digital sales a few years back were similarly overweight, and they really did result in a lot of microbusinesses either literally shutting down or just plain breaking the law.
A lot of slightly larger ones, my own included, went to considerable lengths to update systems to comply, but with hindsight would have simply declined custom from any (other) EU nation instead because the overheads were and continue to be excessive.
Those same rules really did also result in national tax authorities abusing their new-found powers to go after businesses in other countries within the EU, sometimes through their own incompetence rather than any legitimate grievance, resulting in some very scary threats being received by other small businesses.
It's tough to give much credit to arguments about regulators exhibiting common sense and moderation when the evidence of previous sweeping EU rule changes suggests we shouldn't count on that.
> 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So unless there is a treaty that puts GDPR into scope, the pizza guy is fine.
Article 3 clearly states that it applies to
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
It does not apply EU citizens while traveling outside of the EU. It applies when you are monitoring or offering goods or services to someone in the EU.
They’re the ones who prepare the trainings for your relatives and the other architectural students, or at the minimum the changes that a policy-wonk will react to when creating curriculum.
The site operator has the limited range to act (we’ll call them decision rights) under the CEO who is ultimately guided by his counsel (firm or in-house).
Lawyers also oversee zoning, permitting, and certifying every step of the way - not limited to, but including licensing and contracting.
Sending email? You should know the CAN-SPAM act. Do business with CA citizens? You'd better know about CA's privacy policy requirements. Doing ecommerce? You need to learn about sales tax and PCI requirements.
Certain information can be classified as PII if it possible to cross reference it with other stored information to identity a user. For example a European court in a recent ruling stated that a full IP address could be considered PII because an ISP would have a record of IP address and time with a persons name.
A user alias on some random site would meet that criteria, assuming they took name/address/etc when you signed up.
Unless PII has some other significance than I'm interpretting it to have?
Screw you data vampires.
What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.
Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?
Yet another item – "Don’t enable social media sharing by default.". Is the thinking that user's shouldn't be able to share something via social media without first explicitly enabling that option? That just seem unfriendly. Or is the idea that doing so protects someone from doing so accidentally? This seems a lot like the 'cookie law', itself an annoying mandated nagging that probably backfired (because everyone was effectively trained to just do whatever necessary to get rid of the corresponding notification on every site they visited).
Again from the privacy-by-design page:
> There is no checklist of ready-made questions that will get you there; General Data Protection Regulation requires developers to come up with the questions as well as the answers.
That's a really unsettling description of a law.
No: a consent from a user must be for granular information with a specific listed purpose.
That seems sensible but is that really based on the actual text of the law or is this just your own summary?
e.g., I run a free, ads and promotion funded site, but I actually supplement revenue by selling the user's actions on the site to a third party. users can also have accumulated virtual currency as rewards, which can be used for premium sections of the site.
then along comes GDPR, and I tie acceptance of some virtual currency rewards with acceptance of the GDPR consent, with the threat of site access being cut off if they don't consent. is that still legal?
https://gdpr-info.eu/recitals/no-43/ "Consent is presumed not to be freely given if ... the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
If the data is actually needed to execute the contract (i.e. a delivery address if you're mailing stuff to the user), then you don't need separate consent; but if it's not (e.g. just revenue) then any "confirmation clicks" that are tied to site access being cut off would be just that - simply clicks that don't count as freely given consent.
Also, if you consider giving a reward for acceptance of GDPR consent, then you must also consider that consent can be revoked at any time (including 5 seconds afterward) and it must be literally as easy to withdraw consent as it is to give it.
> As one dramatic example, PayPal’s recent updated notice lists over 600 third-party service providers. The fact that PayPal shares data with up to 600 third parties is not news. That information is simply being brought into the open.
From what I can see of the list of those "600 third parties", a large number are banks and other financial institutions.
The ICO seems reasonable, so hopefully they won't crush a small software shop for fucking up on something, but they're going to want to go after some people to send a message at some point. I'd guess you'd want to check that professional indemnity insurance policy, just in case.
It is, of course, all down to context. You need to show that you at least took the guidance seriously and tried to mitigate things. A notice of "collect ALL THE THINGS" won't fly, as you're basically admitting you're not prepared to consider it.
I think you're right on the social media sharing thing, it should be fairly well handled by the OAuth notices from most networks (I'd have guessed - "allow this app to post on my behalf" counts as consent?), but yeah, can't be taken as a given. IANAL, of course.
In a weird way, VATMOSS and GDPR kind of work together on this...most things we collect at work that will be covered by GDPR are collected because of VATMOSS.
VATMOSS requires that we be able to justify what country's VAT we collect on a given online purchase with two pieces of "non-contradictory" evidence. So, right there we have to collect at least two things that provide location data about the customer, and GDPR expands the definition of personal data to include location data. I say "at least" because since it is required to have two non-contradictory pieces of evidence, it's prudent to collect at least three.
I think we currently use: (1) country the person selected from the "Country" drop-down on our site, (2) GeoIP at time of purchase, (3) GeoIP at time of filling out quarterly VATMOSS report, (4) GeoIP on IP addresses that they have used when downloading updates, (5) Country of bank that issued the credit card or debit card used for the purchase.
> What do you do about users who have used plaintext or silly passwords?
I don't even know what to write about that. The whole tone of the page is lecturing – about "fundamental human rights"! – and yet it's suggested that developers handle "plaintext or silly passwords"!
> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
The GDPR says when you collect data, you have to tell the user what you intend to use it for. "Minimization" applies within the context of those stated uses. So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
As a corollary, if you can't link a piece of data to a business use, you shouldn't be collecting it. This was a good idea before, but GDPR makes it more relevant.
Note that this is similar to the ethical guidelines for medical research. "Harm Minimization" is a central pillar of ethical research. Harm, and risk of harm, is acceptable, but there is an affirmative duty to seek the least-harmful means of achieving your goal from those available.
> That's a really unsettling description of a law.
That's how HIPAA works, actually. I have a professor who argues this model of legislation is more effective than traditional sector-specific regulation, because it puts the onus of subject-matter expertise onto the people who are actually subject-matter experts, and because it allows for creative and adaptive solutions.
Then that part is worthless, just another click-through "agreement" practically nobody reads.
That part won't change anything.
> So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
I always wonder one thing: Is the penalty going to be high enough to justify not breaking this law?
All business decisions are cost-benefit. If the costs of doing something outweigh the benefit, you don't do that. This includes following the law: If you can reliably get more money by breaking the law, you break the law, and pay the penalty if you get caught. Unless you're very unlucky, you're still right-side-up after you pay the penalty, so your behavior was, on the whole, justified.
GDPR requires that the use cases be itemized, and the user can opt out of each one individually. So if the user opts out of receiving a mailing but not the store locator, you have to manage how much data you collect about that person. I agree that for the most part this will just be another click-through like the cookie law was, but companies will be required to accommodate those minority that do care.
> Is the penalty going to be high enough to justify not breaking this law?
The penalty is up to 4% of annual global revenue. Global revenue.
Of course, paying the fine doesn't mean that you can continue with the action - it'd also likely involve imposing a temporary or permanent ban on data processing and ordering the rectification, restriction or erasure of data gathered unlawfully.
Can you be GDPR complaint ( in theory) with zero encryption?
Generally speaking, encryption is an obvious choice when it comes to measures designed to protect user data.
In fact, encryption (security) is mostly orthogonal to how you track and handle personal and sensitive data (privacy protection). You could encrypt everything and still be wildly GDPR non-compliant, if the encrypted information you're storing lacks clear purpose and explicit consent.
We store data encrypted because it
A) leaves no room for misunderstanding with different regulators or their respective auditors, and
B) provides a computationally infeasible barrier against accidental personal information disclosure even if the storage system was improperly decommissioned
Point B in particular can be explained to auditors without problems. They understand both the intent and the technical measures put in place. But how we store data is only tangentially relevant to how we handle data. Let alone what we need to collect in the first place.
(The KYC/AML/SOW requirements in gambling are quite demanding; they impose significant data collection and retention needs.)
I would also like to stress out that, from my understanding, this data would rather be deleted immediately after use. That is, not saved at all after the query, or the delivery, unless the user explicitly opted-in to give you such data for advertising, etc...
You decide, based on context and consent. I think consent now needs to be non-blanket.
> That's a really unsettling description of a law
I know it's not ideal, but it's far from the only vague area. The law of negligence is very important to anyone running a business and is almost entirely caselaw, for example.
It's also a lot like CE certification, which takes a while to get your head around but is similarly based around both standards and self-certification.
You must provide the user with a detailed description of what personal data of theirs you are collecting, who you are sharing it with and what your business purpose for collecting it is, and if the data is something that you need their consent to collect, you get their explicit consent to collect that data and you must let them opt-out of providing that consent without preventing them from doing business with you.
The CRM database is copied over to a separate database that the reporting system feeds from. Now in reality the reporting system (which will generally give you aggregated trend reporting) doesn't need a full copy of all production data as it only needs to utilise a limited subset of the overall data.
So instead of the full copy of the CRM database being copied over to the reporting database, you filter the data so you only copy over an anonymised dataset. That is pseudonymisation in a nutshell. Because you still retain the separate dataset in your system, the data is not truly anonymised, so is said to be pseudonymised. Overall I see it as linked to the requirement for data minimisation. Any particular system should only have access to the data it needs to perform its role.
Elizabeth Denham, UK's information commissioner in charge of data protection enforcement, had this to say:
"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm. Our office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort."
In other words, the compliance decision is not in your hands, but there's a promise of certain lenience. At least to start with.
A practical trouble is that once a company reaches a certain size, they no longer even know what data they have, never mind why. Do we already store personal data? Where? Is it important data such as "names + credit cards", or some god-forgotten IP addresses in a log? Email archives and attachments? How about GoogleDrive and SharePoint? Then, do we redact it, or delete it? How? How do we answer Subject Access Requests?
We've built a product to help companies take care of the most common "private data" cases (https://gdpr-tools.eu), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. That whole space is very much in turmoil and how hard the GDPR whip will get cracked remains to be seen.
Funnily, one of the common fears that clients have is not about the general public. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage by reporting their employer to the "authorities".
That's a very good reason to do a little inventory then. Not knowing what data you have is a real problem in my book.
The automated inventory analysis tools, like ours and others, are only just becoming useful thanks to ML. The previous generation was mostly regex-based and mired by constant false alarms.
> Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.
Under the GDPR you're not allowed to store personal data.
However, if you have purpose, and need data to fulfil that purpose, you can.
You can also ask for data, in clear terms, and if an informed user, freely choose to share, you might store that.
So, you sell shoes and magazines online. You need an address to ship both. You need a shoe size to ship the right shoes. You can demand to know the shoe size before you ship shoes - but not before you ship a magazine.
You can store order information (indeed have to, due to financial regulation). So you have a record of shipped shoe size and customer data.
You may not, without consent, store a permanent profile with shoe size and magazine preference. But it's OK to let users opt in to a profile.
> Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?
Good question. Off the top of my head I can't think of useful pseudonymyzation related to the GDPR.
Perhaps things like hashing IP addresses for traffic stats, or using opaque identifiers for storing session interactions rather than linking directly to IP or real names. Useful pseudonymyzation is hard.
Most social media sharing buttons are in fact scripts hosted outside the website currently visited. So even without using them a lot of data is send to Facebook, G+ and other social medias. If you want to see a good implementation of the idea, check Schneier's website: https://www.schneier.com/
Is this type of case covered by the GDPR?
Also how are things like access logs supposed to handled according to the GDPR? Our software records all requests made to our API, they log your userid, ip address, and what you were trying to do.
We have clients who are in the US who required the above feature for auditing purposes.
The law is meant to protect people from companies rather than people from themselves.
An extreme example of this is in hosted email—if Alice writes an email to bob@gmail.com with some of Charlie's personal information, it would be absurd if Charlie could ask Google to remove the email. (Although maybe reasonable if Charlie could request to not have his data used by Google to target him or anyone else with ads.)
You ensure that those users have a way to delete the data again.
Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete' function in place. If I get a request to restore any data I can say, "Sorry, the Europeans made me burn your data when you unwittingly clicked the red 'delete' button (as well as the confirmation dialog you didn't read)."
Of course, IANAL.
If you don't want to be a processor, the best thing to do is probably in your contracts disallow usage of your service for anything containing GDPR covered personal data.
As for access logs, those will be some mixture of the two bases offered in the GDPR. Some will be required by legitimate interests (such as those collected for legal requirements) and some will be subject to consent. This is a complex discussion.
What is a "data-intensive" project?
If you're doing DB backups daily, expiring backups after a month (or even, say, two weeks), should be no problem and not an operational risk at all.
I'm not about to go risk corrupting my backups trying to scrub old customer data out of them. Perhaps only keep the last X days of backups and let the paranoid customer's data attrit out naturally?
Scalable database engines that can support the letter of the GDPR in terms of data handling don't really exist. This is not a problem that can be trivially solved by patching an existing database engine; the requirements of strict GDPR data handling violates fundamental design assumptions of common database architectures. If you look at, for example, high-assurance databases which have a similar set of requirements for data handling as GDPR, they are never used when at all possible because their performance and scalability is terrible. (These databases are conventional architectures with GDPR-like data handling controls added.)
A database engine capable of strict conformance with GDPR while maintaining vaguely comparable performance and scalability relative to what we are used to would require a comprehensive new database engine design from first principles. This is something only a small number of people are capable of designing and implementation would be a very substantial engineering effort. Possibly a business opportunity -- one of the reasons I've been thinking about it, having worked on high-assurance databases in the past.
You can then have the rest of your systems work as normal.
All this is easier said than done if you have a large investment in existing systems, but it is probably a design approach you can enforce from the beginning if you are a startup.
What the law does is put regulations around what kind of personal data you can collect and store from your users, require you to explain what you're doing with that data, and allow your users to opt out of having that data collected.
That said, realistically, I'd have a hard time imagining you would have too much difficulty as long as you allowed people to delete their data upon request. If they post something to twitter, the obvious intent is to make it very public.
Does this processing comply with GDPR? I'm pretty sure none of the people would allow this processing to take place if they were asked for permission.
So no. Not GDPR compliant in the slightest.
I don't see any clear restrictions for you, but perhaps GDPR will result in your data source becoming unavailable.
As in, it's not illegal to to do most of the same things we do now with data, however we now need to educate our users on what data we are using and exactly how we are using it, in a way that is understandable to the average user.
With all due respect to the average user, I cannot fathom how anyone doing anything with user data more complicated than a basic record will explain it simply enough to be in compliance.
I suspect that this is the kind of thing which larger/established companies would worry about. If you're a seed/series-A startup, it seems like you have far more important things to focus on, because there's nothing that the EU can realistically do to you anyway.
And a default judgement.
High profile cases would have a much higher risk and companies that went out of their way to advertise the fact that they are going to break the law would run a significant risk.
Show me just one example of a company located outside the EU without a legal presence inside the EU that had an executive detained upon entry for breaking an EU law that does not normally result in criminal prosecution.
The only other extra-territorial laws I know of currently is FATCA and the FCPA, which are from the USA.
Now, would an EU court rule that someone who kept permanent records of an EU citizen be violating the GDPR if the business has no EU presence? In the American system (imagining if the US passed a GDPR and prosecuted a non-US citizen), no, because the government would not have standing to sue: the violation took place outside of US sovereignty. If the EU takes a similar approach, then the law is not extra-territorial in enforcement, otherwise it is.
Edit: GDPR Recital 23, Article 3(2)(a). Excellent!
First of all, the enforcement path is as yet unclear. If they (europe) see you are doing something (like not responding to "right to be forgotten" request) it is not clear what enforcement they will attempt.
Second, there is the customer perception. If you have one European customer that buys something from you, or enters their email for you to give them some product information, and they request later to be forgotten and you don't, there is then a chance of public perception that you don't comply.
But there can be other avenues of exposure. For example, if you are dealing with a US bank that does comply with GDPR and you don't, there may be some pushback from the bank. So while EU may not come for you directly, there could be a secondary effect.
From a little conversation with European partners, I got the sense that US was taking GDPR more seriously than some EU companies.
How do you prove you have forgotten someone?
Also, we are not talking about forgetting someone personally, but deleting their data. I assume that's clear.
If you explicitly accept Sterling/Euros, provide localisations for EU countries, talk explicitly about your EU shipping options etc. then you would probably be seen as accommodating the EU market and might find yourself in scope.
The EU really isn't a single large market though for most practical purposes. For the purposes of complying with regulations and accepting payment it is, but for every other practical consideration that matters to a company doing business there, it's a few dozen separate markets.
That doesn't necessarily follow.
For example, EU but non-UK customers represent only a small fraction of the user base for one of my businesses. With hindsight, we would have done better to exclude those customers entirely, avoid spending time and money complying with ever-more-onerous EU rules, and invest that time and money in growing our business in more lucrative markets instead.
It is entirely possible for the EU to make itself so unattractive as a market that this will be the case for others too. Indeed several of the near-future measures it is already working on may have exactly that effect. The saddest part is that those running the EU have so little idea about how small business works that they don't even realise they're doing it.
That might be true if you're lucky enough to have a single third-party payment service that collects all of your revenues including administering the VAT parts for you. Unfortunately, there are many reasons why that might not be the case or even possible. Even if you do use one of those services, it can't magically cope with all the edge cases any more than you or I can, and of course they tend to take an extra cut out of your revenue.
For everyone who needs to manage their taxes a bit closer to home, it takes longer than your suggested time just to check the rates regularly in case some member state decided to increase them with about a week's notice again. There's not really any good answer to VAT MOSS, there are just more inconvenient and/or expensive and slightly less inconvenient and/or expensive.
https://www.gov.uk/government/collections/vat-information-sh...
Publishing the rates is certainly better than not publishing them, but unless that information is updated in close to real time so it picks up those short-notice changes and unless it's supplied in a machine-readable format so that you can use it as a basis for automatically calculating correct VAT at the time of sale, it's of limited value for anything other than spotting mistakes retrospectively.
Governments tend to obsess about big businesses, and the EU more than most. However, in the entire UK, there are only about seven thousand large businesses. Smaller businesses collectively contribute the majority of almost every important economic metric (jobs, tax revenues, etc.).
And of course, even the successful large businesses used to be successful smaller businesses.
Given that heavyweight EU regulations disproportionately affect those smaller businesses, because their compliance costs are relatively high, and given that excessive regulation makes it harder or in some cases impractical for businesses to trade within the EU, it is kind of crazy that the EU keeps putting these barriers up. Its own economic fortunes and those of its member states fundamentally depend on maintaining a good environment for smaller businesses to start and grow. Things rarely end well for economies that fail to do so.
> I, personally, believe that logs should be fundamentally append-only, and thus will not be doing business with EU subjects (since the GDPR requires that I delete records from my logs on demand).
That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.
The problem is that IP addresses — a fundamental requirement for an acceptable network logging system — are considered PII.
If this were about things like names, dates of birth &c. then I'd be in full agreement. But considering an IP address personal information which must be deleted on demand is IMNSHO insane.
> That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.
I'm just a guy, y'know? I'm not going to pretend that it would be easy or cheap for others to make the same decision. But it is easy & cheap for me.
If you're an ISP that changes, in that case there is a retention requirement. But a regular business in the normal course of performing its expected activities has no business retaining IP addresses longer than necessary. If that to you is unacceptable because you want append-only logs that stretch back years then that's your choice.
But if I had to choose between cutting off roughly half of my turnover because I didn't want to comply with the law or complying with the law and slightly re-arranging my logging then I'd happily pick the latter.
So no need to delete on demand, simply don't store them longer than you feel you need to in order to meet your business goals. 30 days or so should do it. Six months or longer would require a detailed explanation.
And most importantly: disclose what you do. That way your customers can make informed decisions and you won't look bad in the eyes of the law if they decide to decide on whether or not you meant to act in good faith or if you took to interpreting things in the way that suits you best.
Also, if any component of your cloud ecosystem(AWS, GCS, etc.) are based in the EU, you must comply with GPDR. Which in today's world means almost everyone is affected by this.
Make sure those "American" platforms you speak have every single component of their infrastructure based physically in America.
The whole thing may be difficult to enforce, but meh why risk it?
The only country that does this sort of thing is the US.
It does not. Article 3[1] clearly limits it to people in the EU. It says nothing about applying to EU citizens.
[1] https://gdpr-info.eu/art-3-gdpr/
[] I affirm that I an not an EU citizen.
Edit: downvotes? Really? Did you guys read the law at all?
On the other hand, if you actually want to sell stuff to EU and get a nontrivial number of deals, then no amount of weird checkboxes is going to convince the regulator that it's okay, they aren't stupid.
If you feel that your users rights are of no concern to you then you are of course entirely able to ignore this law and to pretend it does not exist because in practice there will most likely not be any consequences whatsoever. You do not have a place of business in the EU, you do not transact any business there to begin with so you are free to ignore the law. And this is doubly true because you are 'small fry', nobody will notice.
Except for your customers maybe. And then that time that you got hacked and you lost all the data you collected over the years because you forgot to implement life cycle management. And this will then marginally affect the ability of other companies like yours to be able to do business.
And little by little the people that chose to ignore the law will start to become a large enough problem that something will be done about it (I hope). Which might mean harmonizing EU law and US law, or it might mean that you can be fined just as if you were in the EU for those breaches were you are clearly deficient.
In the end I don't think that you will enjoy the results much. But since you are small fry you probably will get away with it. But collectively, you and your buddies will harm American enterprise more than you probably realize.
Wrong. If you have a customer from the EU or any component of your infrastructure in the EU, you must comply with GPDR.
The EU tends to go after the larger entities and tends to fine rather than arrest.
I comply with the general intent (always have), but the law as currently written is near impossible to comply with. My feeling is this will be realised by the EU and a more rational set of guidelines will emerge.
Since we are not based in the EU and don’t have a business presence there I think I might just keep following the intent and wait for the EU to be more sensible.
I really do wonder how EU companies are going to comply with all this. What an enormous waste of resources to catch a few bad actors.
Of course, for the policymakers, it's a win, because as part of a rent-seeking bureaucracy, they can expand their empires as they produce more policies.
Nope, you have to specifically target people in the EU:
"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. (...) the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention"
https://gdpr-info.eu/recitals/no-23/
I agree with the above. I disagree however that "what's best for your users" is universally a superset of GDPR regulations.
My personal view is that if your company/service becomes so powerful that people can't escape from its influence, the above regulations are a necessary evil in order to counter your outsized influence.
For a tiny startup on the other hand, you have so little influence on the world that if a consumer doesn't like the way you operate, they can just choose not to interact with you. Such startups can best serve both themselves and society at large, by focusing on building valuable features/services.
Reasonable people can disagree about the specifics of a law. As a EU citizen, I can understand your wishes for everyone to comply with EU regulations. It helps to put yourself in others' shoes, and ask yourself how much time/energy you, as a startup founder, would be willing to put into regulatory compliance with Canadian/Russian/Indian laws.
If I were to target my business at Canadians, Russians or Indians I would definitely make an effort to comply, especially if those laws in general did not originate from protectionism or were particularly hard to implement (which I don't think the GDPR is, at least not in spirit).
Ultimately, there are all sorts of laws all over the world. With an online, potentially global business, you're breaking some of them. Turkey does not really expect some international user generated content site to comply with their political content laws. A bigger site based in Istanbul... You'll get a knock on the door.
About ten years ago, I had a client with an e-commerce site, for workplace safety gear in Australia. They sold to the US, but rarely. During bird flue, they somehow got on the radar of some US advertising standard. There were some politicians actively policing it anyway they could (not courts).
Tldr is that they had their payment gateway and PayPal shut them down immediately (someone got scary phone calls). Even shutting off all US shipping, and adding a big red "No US" sign didn't help. They had to drop the products. So.. jurisdiction is often erratic.
I think the last (possibly most important) point is cultural. If it takes, GDPR may impact consumer expectations and you may need to do it for that reason.
If you want to avoid GDPR, just hold back for 3-6 months until after the date. It'll get clearer as it progresses and if you're as outside the purview as you suggest, you're probably going to be fine ignoring it at the start (or forever).
1) When you grow sufficiently large to go global, it will suddenly start to matter a lot, as EU is one of the largest markets worldwide. In the best case scenario you'd have to change your processes and systems to comply (i.e. you'd have technical debt which you could've avoided if you did it properly in the first place); in the worst case you'd have some complaints from EU users resulting in fines that aren't enforced yet but would be as soon as you'd want to actually get money from EU. This would be a meaningful impact to your valuation at that point.
2) As the risks implied in the first part have an impact on your valuation if you succeed and go global (which is the only scenario that matters to investors, the exit valuation about which they're thinking), you'd expect this compliance to be included in the due diligence done by series B/C investors and any acquisitions; if you've made no effort to comply, this will result in a lower valuation in those rounds of funding.
If you're a high-growth startup whose valuation is not based on current revenue but on the (long) future market size and you declare that you're choosing to be incompatible with, say, 25% of the global market (to a very rough approximation, EU revenue share is something like that for many major tech companies), then investors will discount your future value (and thus current value) by 25%. So at the very least this is something that you should have on your roadmap for investors i.e. "we're planning to do that diligence and related work in quarter X after we've done A, B and C" instead of simply ignoring the issue.
GDPR exists because the EU wants to be the primary legislating entity in Europe, replacing local governments, and because it likes the idea of funding itself through huge fines. It exists to serve political ends.
If you're B2B, it's going to be a problem from day one. GDPR has a defacto viral component for service providers. Basically, any the business that wants to become your customer that is itself GDPR compliant needs to ensure that you too are GDPR compliant. Accordingly, GDPR will come up with a large portion of web-facing B2B sales, even for US companies.
Google Analytics (https://developers.google.com/analytics/devguides/collection...):
Web server (here nginx, https://stackoverflow.com/a/45405406): Only if you store more data about your customers/users you need to act further.Note that this doesn't actually provide any useful anonymization. That feature is a placebo designed to give minimal compliance with privacy policies and pre-GDPR data protection requirements.
https://news.ycombinator.com/item?id=13639921
Here is one way to think of this. Any EU citizen has a "right to be forgotten". If there is nothing in your records to identify that person, the you don't need to provide that ability.
There are also blockchain style social networks such as steem that create things that are like reddit: https://steem.io / https://steemit.com . Again, freeform public text blobs that can have private info.
If you create any censorship resistant publishing software, lets say to report on human rights violations in some sort of dictatorship, you also create something that can be used to violate the GDPR.
https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
let's say I'm a shop and i allow btc payments, but I include the customers info in the transaction or something to such an effect. then I'm in violation, and must pay a fine (since I can never delete that info). The network has nothing to do with this, and nobody else on the network is party to the violation.
Now we have a way to estimate the cost and we can just put that on top of the cost of using the service.
Boom, privacy bought.
You don't realise how absurd GDPR is?
What might happen is that this in combination with the "Conditions for consent"[1] will force people who ship blockchain software to have prominent warnings saying that you're about to ship data that'll be public forever.
1. https://gdpr-info.eu/art-17-gdpr/
2. https://gdpr-info.eu/art-7-gdpr/
Can you even legally do a customer churn analysis under the GDPR without explicit consent?
One of the biggest complaints I have about this is that the uses for data keep growing, and legally, you can't even test a hypothesis before getting consent, which you won't be able to do frequently because users hate being asked about anything.
My intuitive response to this law is to want to split my data into EU/non-EU parts, do all my work on the non-EU parts and hope that the insights gained there can be applied to EU users.
Are you just trying to see which deals interest people (zero issue, but you could annonymise this) or profiling the customer based on the logs and offering different prices (you are going to have to be more careful and transparent).
> Can you even legally do a customer churn analysis under the GDPR without explicit consent
There a lots of ways to look at churn with anonymised data. I do it with account ID's. If you are looking at churn rate of Asian people vs Afro-Caribbean then GDPR is going to be amongst your problems,