Tentatively scheduled for a May 2019 departure, but still sticking to EU rules until end of 2020. And finally the UK will probably always adhere to the GDPR, member of EU or not, otherwise it will be at a massive disadvantage for tech companies dealing with Europe.
> And finally the UK will probably always adhere to the GDPR, member of EU or not, otherwise it will be at a massive disadvantage for tech companies dealing with Europe.
I really don't see how this is the case. A small website will be going after product market fit, then they can scale and do compliance. Not adhering to GDPR means your websites can always become compliant later.
To put it another way, Facebook and Google started in the US. Any founder in the EU might consider moving to the US first, getting product market fit before worrying about GDPR compliance, then get compliance once you know your product is good and you aren't just throwing that work away.
GDPR applies to all data controllers anywhere on the earth, if you hold private data of EU citizens or residents and don't follow the GDPR then any EU country's data protection authority can choose to prosecute.
The only way to avoid the GDPR is to not hold personal identifying information on any EU citizens or EU residents.
That is our understanding of it too. It doesn't matter where your company is incorporated, or where your hosting provider stores the data - as long as an EU resident uses your service, you have to comply. I could be wrong, but we are erring on the side of caution with our SaaS app and treating this as the case.
edit: I understand this is an unpopular fact. However it is a fact that the EU does not have global jurisdiction to overrule foreign national sovereignty and dictate legislation. US businesses do not need to comply with GDPR if they are doing no business in the EU, period.
No, you do not have to comply if you're outside of the EU's jurisdiction. They can only hit you if you've got business in the EU that they can directly touch. Facebook, Google, etc. are aggressively complying because they want to continue making money in the EU.
They'll have to overrule eg US or Chinese jurisdiction to force outside companies to comply with GDPR.
How exactly do they intend to force compliance upon the two global superpowers with $34 trillion in economic output? It's laughable. US Federal courts will bury any attempts by the EU to legislate US laws/regulations on these matters.
If I'm a US service/site, I do no business in the EU, and I store information from EU residents on my servers in the US, the EU can't force me to comply with GDPR. They have no means to force that compliance, and to overrule or dictate US domestic laws. The EU doesn't govern the world's laws, if they didn't already realize that they're about to discover it.
Does that still apply if we are a 'data processor' according to their definition? We are an Australian company, with servers based in the US, and we have EU companies actually using our SaaS to manage their employee's information (also based in the EU). We haven't had formal legal advise on this, but upon discussions with other service providers, it seems we still have to be compliant because our paying customers who actually own the data are based in the EU.
If you're doing business with the EU, my opinion is that you should comply to GDPR. Your EU business customers will very likely demand / require it, if not today then sooner than later. Those EU businesses will be assessing the services they utilize and trying to make sure there are no holes in their own GDPR compliance as a consequence.
As a counter example. A US-based service I'm building now, will have zero business dealings with the EU, although it may store EU resident data (people that sign up that are from the EU). I have no concern about complying any time soon. I may choose to never comply, as I doubt I'll be drawing revenue from the EU. It's about the last thing on my list of things to worry about (GDPR, not user privacy in general).
If you're doing business with companies doing business with the EU, you should probably comply. GDPR compliance requires certain affiliated businesses that are involved with the data you collect to also be compliant. The US-based company I work for is in the process of switching to Stripe for ACH invoicing because bill.com isn't going to be GDPR compliant.
Yes, EU companies are going to want legal guarantees that you'll fulfill your duties as a data processor under EU law. Common term for such a thing is "data processing agreement", quite a few services offer them in a more-or-less self-service fashion.
EU law says that it's only legal to transfer personal data to companies that have adequate level of protection for personal data. Certain countries are considered to meet the adequacy requirement, but Australia is not one of them[1], so you probably need to meet the requirement using a contract[2]. You should probably consult a lawyer.
> The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
To me there's still a minuscule risk that goes something like: "Hey, we think your company is violating GDPR. Come to court." US company ignores. EU court finds in favor of whoever is launching these lawsuits. They can't collect any fines, but maybe they could prevent the company owners / other employees from entering the EU even as a tourist until they pay up. Though that goes against the whole philosophy of the LLC, EU perspectives on business generally seem kinda screwy...
I agree unless you have business in EU it's not really worth worrying about it... And even with business in EU, depending on how much of a hassle it would be to overhaul everything, an underconsidered option in all the panicked headless running about is just to have code branches that don't collect any data if the context is EU. Overhaul only what's needed for business, but no need to run around fixing all the other data vacuuming / data laziness going on just yet.
this is actually true, while in theory EU says GDPR applies abroad, it simply doesn't because its not law of the land. Only indirectly can it be enforced, e.g. a US based payment processor would want to comply because otherwise EU businesses would not be able to use it.
I take it as applying to expats too living in non EU countries and their natural or adopted children, depending on how they inherit citizenship and maybe their grandchildren.
(not OP) I scrolled down and didn't find an answer. The section labeled "why shut down" mentions (paragraph by paragraph):
- "[GDPR] creates uncertainty and risk" -- which?
- "fines of 4% of turnover or €20 million (whichever is higher)" -- as if a small infraction is going to get the maximum punishment. He can't be serious here.
- "ambiguously-defined hoops" -- which requirements are ambiguous?
- "parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting" -- if you ever needed one of those companies (I did unfortunately), you'd know that someone always ends up paying the lawyers. Either the sued company or the client. It's definitely not risk-free for the client.
- "this new EU law hurts small and ethical startups" -- what clause of GDPR would ethical startups run afoul of anyway? It's aimed at unethical ones. And as for "small", then you can't get a big fine anyway right? At least, unless you intentionally cause big damages, I don't see how a small firm like this could unintentionally cause such big damages that large fines are in order.
So it's not answered. And I am still wondering what part of GDPR he doesn't already comply with in the website's current form, as the Dutch "WBP" from 2001 required 95% the same things. I assume the UK generally has somewhat similar laws.
Some people are under the impression that ip addresses fall under "personal information". So if the user account is deleted and the associated ip logs are not deleted this would be a GDPR violation.
Another potential violation would be asking a users age(like asking their birthday), but not needing their age for the operation of the service.
It is currently unclear how rigorously GDPR will be enforced. In the extreme case of rigorous enforcement nearly all current server/frameworks would cause violations by default and would need to be overhauled.
There are a bunch of other examples in the comments that are likely violations for the site as well. It is unclear how many of these apply since it is unclear how the GDPR will be enforced.
> Another potential violation would be asking a users age(like asking their birthday), but not needing their age for the operation of the service.
In theory, in the US this could be driven by COPPA, but I havn't seen a birthday asked for that reason in a long time. It also wouldn't be a reason to store it, only to ask and process ephemerally. I believe it's also common in the US for alcohol-related websites to ask age, although that could be misguided, it is common. Again, not a reason to store, but to ask.
Yeah I was not clear. My intent was to talking about storing of a birthday vs storing a boolean indicating if the user was the age of majority or a boolean for weather they were 13+ for COPPA.
Storing the value, rather than ephemerally processing it, is a matter of convenience so you do not have to ask your authenticated user to re-input their age/birthday/<are you an adult> all of the time.
That said it seems unlikely that a regulator would come down hard on a data processor that stored a date vs storing a boolean value.
I admit to being baffled as to why they shut down. If a user of the service has given permission for their location to be shared on the 'nearby' map, then they still comply with all the legislation because they have tacit permission from the user that their location will be shared with others.
If the user then decides NOT to share their location or want their data deleted entirely, then the as long as the site stops sharing their location or removes their data completely (within 30 days), then they are still GDPR compliant, AFAIK.
EDIT: Sounds to me like a side project started getting a little unwieldy or had too much technical debt for the developer to manage, and he decided to shut it down using GDPR as a vague justification?
They explained why. Obviously you may still disagree, however their opinion of acceptable risk is subjective (ie it's silly to tell someone what their tolerance for risk should be).
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.
> Perversely, this new EU law hurts small and ethical startups, but helps reinforce the dominance of Facebook, Google and Twitter, who are able to prepare and defend themselves using established legal teams and cash reserves, and who now face less competition from startups. The EU Cookie Law, EU VAT regulation and now the EU GDPR are all examples of poorly-implemented laws that add complexity and unintended side-effects for businesses within the EU.
You are right in that I don't agree. I don't think this is a question of tolerance of risk, but that he doesn't seem to want to study all the implications.
I will be first to admit that GDPR is full of holes and ambiguities and has never been tested in a court of law yet, but rather than (as the two quotes you pulled from his site) assume that GDPR has been set up to give the 'big boys' free reign and punish small operators, I'd like to think that GDPR actually puts a LOT more accountability on the larger players and actually will put smaller players on a semi-equal footing.
I really don't think that the EU will be spending the money and time (and open themselves to the PR disaster) of suing websites that might make $1000/mo for the full EUR20Million, do you?
> of suing websites that might make $1000/mo for the full EUR20Million, do you?
I expect some early chilling cases that will scare the shit out of small operators. That's almost guaranteed to happen. I don't expect the EU to need to be aggressive in pursuing small operators (spending lots of money & time on it), a few demonstrative examples will do the job. They'll need to do that to make sure they're all in line. It's too great of a task to force compliance on millions of small businesses otherwise, they will have to make an example of some small businesses. If they don't, compliance by those millions of small businesses will erode over time.
In the US copyright trolls, for example, go after small sites first. They are not able to provide the huge amount of money needed to fund a solid legal defense. The trolls can use the precedent to attack larger more well funded targets. It is not unheard of for US law enforcement to do the same thing. That is why groups like the ACLU and EFF are so important here.
But trolls can't go after any sites. The only entity with the power to issue fines is the national regulatory entity. Trolls would only be able to present a complaint with them and let them to the assessing and investigation. Also precedent doesn't work the same way in EU jurisdictions like in the US (although it's irrelevant in this case).
You're just citing the article, which your parent comment seems to have read. How is this a justification? Like, I can face huge consequences if I kill someone, so I just don't do it. Similarly, just mention that you're sharing data with third parties, and act on emails that ask you to remove data of an account... it's not rocket science.
And it's not as if you'll get fined €20 million if one email ended up in a spam box and you didn't remove someone's account in time... it's really blowing things out of proportion to mention that without further qualification. The big money is to threaten companies like Microsoft, not small businesses that don't even make a profit.
Your premise doesn't make sense. You're arguing against someone's subjective regard for risk. That's like telling someone that their love of skydiving is stupid because it's too risky. If the operator has a very low tolerance for risk - assume it's extraordinarily low for these illustrative purposes, as we're discussing a principle that applies regardless of scale - then that's down to their preferences. It does no good to argue against subjective preferences.
> he decided to shut it down using GDPR as a vague justification?
That's my theory as well.
It's just too bad that he drags GDPR through the mud with this as well, since there are indeed a bunch of people (just like anyone can, apparently be against net neutrality) who would prefer things to remain lawless. They'll point to this article as justification, after which the other party will have to go and read it thoroughly and attack its points, and win that sub-argument, before they're even back to square one with the original discussion.
As far as I understand, to make this site GDPR compliant you would have to:
1. Get consent when someone creates an account, saying what you do with the data including how you make automatic decision (e.g. which amazon pages you recommend).
2. Allow people to unconsent/delete accounts
3. Have a page that allows a user to download their data.
4. Have a way for them to fix mistakes in that information
That doesn't seem that burdensome. In fact some flavor of that is pretty much what you get with standard a standard create account/view account/change account/delete account workflow.
The guy apart from crying without ever having read those 80 pages (english language text), doesn't see the big picture. The fact that I can force Facebook, Google, etc. to tell me what they are doing with my data (which I btw had given consent to treat like yesterday's newspaper), and subsequently asking the various Cambridge Analytica's the same question, gives the people a power they never had.
Now they do.
He wants to leave the game? Feel free! He wants people to be completely powerless? Well.. the kitchen has a door. Feel free to open and leave if it gets too hot.
This is the classic unintended effect of this kind of regulation. It is harder for small and new companies to comply and crowds them out, further entrenching the power and control of Facebook and Google.
Actually, it's easier for small and especially new companies to comply. Now, maybe they don't want to, but I don't feel any kind of sympathy for cost cutting on my privacy.
What you say it's an unintended side effect, I think is very much intended. That's why the GDPR (if it doesn't fail for other reasons) is a very welcome regulation.
That's true, but frankly I'd rather that the large companies I already deal with be forced to interact on better terms than encourage competition by well-meaning startups.
Once upon a time Facebook was the fresh new competition. Once upon a time Google took pains to maintain their "Don't be evil" motto. Everyone starts out starry-eyed, keen to destroy the oppressive incumbent. Very few stay that way.
Yes, regulation changes. Companies that infringe consumer privacy cannot continue business as usual and will be hurt. It's a good thing.
McDonald's has it easier to comply with food safety regulations than the cozy mom and pop cafe down the street. Would you be willing to shit your guts out because the ambiance is better there?
> McDonald's has it easier to comply with food safety regulations than the cozy mom and pop cafe down the street. Would you be willing to shit your guts out because the ambiance is better there?
People cooking for themselves at home aren't required to comply with (the same) food safety regulations. Obviously, you never eat at home or at the home of a friend or relative either, right?
Similarly how food safety regulations don't apply to people's homes, neither does GDPR. It does not apply to processing personal data for personal usage.
People collecting phone numbers in their personal phonebooks aren't required to comply with data security and privacy regulations.
So the answer is a blanket law that affects all startups big and small. Think Google & Facebook are going to go out of business because of this? No. Think it’s going to be more difficult and risky for startups?
You clearly don’t run a startup that is affected by these rules. Use cookie? Use Google analytics? Have emails and passwords? Send email to your userlist? Now figure out all the legal consent language, and write your own privacy policy that doesn’t get you a $20m fine for running a blog...
How does knowing what data Facebook has on you change anything? You already know the data they have by virtue of the fact that you give it to them. I just don’t get what damage this protects you from?
What about the data they have on people without accounts on their service, but who they track across sites and through friends? I can keep myself from having an account, but I can’t stop my family and friends, and I can only do my best to block their trackers. I’d like to know what shadow profiles they have on me, despite the fact that I gave them nothing.
To be clear before I answer, you’re acknowledging that this isn’t actually just about data willingly given, right?
What does it change? Not much just by knowing, but it can allow for change, including exercising a right to delete that data under GDPR. That is a positive change in my opinion.
Having data on someone doesn’t constitute any kind of damage. So I don’t understand how I benefit from this at all. If my data is hacked, I’m not compensated. If my data is misused, I’m not compensated. Nothing has really changed to protect me from actual damages resulting from personal data collection. But apparently lots of small businesses and startups are now hurt, and Facebook is in a stronger position to collect PII.
This is an incredibly unfair conclusion. Beyond the time it would make it to make the actual technical changes, he's right in saying that GDPR is written in a very ambiguous way that is going to open up the possibility of litigation that smaller shops will not be equipped to absorb. He's made a calculated decision that for him personally it is not worth the additional legal/financial risk to continue operating the business. GDPR is complicated and we dont know what the enforcement side is going to look like yet.
It's really funny because the blog post is far more ambiguous than the GDPR. He cites no specific provision of the GDPR, he doesn't quote the law, all he does is offer up the big scary $20m number.
It's pure FUD.
But since we're throwing out wild speculations it's more than possible this guy was doing something really shady. (He admits to affiliate links which are perfectly fine under GDPR). There would definitely be a market for user data even about who's borrowing what, where. Certainly the vast majority of these "the GDPR killed our free business" are precisely these shady businesses who knew they were dead anyways if they had to actually ask their users for consent in plain language.
Saying that some data that you enter will be shared with Amazon, doesn't seem all that far from reasonable expectations and shouldn't need to be codified in law anyway. So number 1 should be there already.
Number 2 could be an "email me if you want your account removed". This will trigger like two emails a year, and you just run a DELETE FROM command. If it becomes more, you make a page.
For numbers 3 and 4, see number 2. I expect that this won't be much either.
The page doesn't mention a single thing that would be a good reason to quit over GDPR. I think the author was looking for a reasonable-sounding exit, especially since he was operating at a loss (and apparently cared about it, since he was cooperating with Amazon to begin with).
What were the previous data protection laws in the UK anyway? In the Netherlands, none of the 4 points above are new. Our data protection law from 2001 also required all of this.
Poster indicated they weren't making money on it. If you're already operating at a loss and have been for years, the GDPR can be an easy way out .. and if you're literally not making anything and working a full time gig, any changes (even these seemingly trivial ones) do increase the burden to where it's probably not worth it.
So the owner might be making an excuse, yes, but I don't blame them as it seems like a legit way out if they wanted to close up.
It's just some guy's side project. He probably doesn't make any money on it, doesn't care about the tech stack (which is from 2013), doesn't want to pay a lawyer for advice, and couldn't be bothered working out how to package all the data for release to users.
If you administer a free service that takes an hour a month to keep running, and suddenly you're faced with an immediate upfront time cost plus the likelihood of spending many more hours every few months responding to user requests, shutting your service down might be a rational decision when you would otherwise have kept it running.
This is a bit offtopic and I apologise in advance for that.
However, I felt the need to comment on the assumption that an application that is only 5 years old would imply that it uses a tech stack that no one would care about.
How is it that after a quarter of a century of web development, that the state of the software used is so bad that people still assume that something that is a few years old is assumed to be useless?
I might have been a bit unclear there, sorry: if he built it as a side project five years ago, he either knows that stack pretty well by now, or has decided that it wasn't very good, and either way wouldn't care to work with it solely for the tech.
Five years ago I was messing around with Fortran 2008. Having done so, it's not as interesting anymore. That's not a function of Fortran, which was created when my grandparents were 20-somethings, but of the time spent with it.
You know, until someone opportunistically sues you using a legal firm that costs the plaintiff nothing, and then you're out the cost of getting a lawyer and trying to defend that all of your actions and interpretations of the GDPR are correct. And if your business is already small/not making money, you're adding to the hole you're already in.
Which, you know, the guy directly cites as the reason he's shutting down if you actually read the site.
There's plenty of ambiguity in the GDPR, especially around logging, backups, and third parties (e.g. login through Facebook/Twitter/Google, you know, that thing that five years ago everyone was trying to sell at the way to do user authentication). This guy just decided it's not worth the potential of being sued while we wait for the dust to settle on how those ambiguities shake out (because, honestly, the only way we're going to get those cleared up is if someone is sued and they're made clear by case law).
I would guess there is no requirement data is wiped.
Your file system doesn't wipe data, it just marks it as deleted. At some point it's a technicality, the important part is that you stop using the data.
I get the impression the GDPR expects you to not keep data around forever, as a general best practice.
When you collect data, you have to tell your users at collection what your retention policy is (this is part of Right to Transparency). So, right there, you should probably have a retention policy, and "forever, always" isn't really a well-thought-out policy.
The Right to Erasure is not as far-reaching as some people seem to think it is. If the Legal Basis of the data collection is Consent, then that consent is revocable and processing (including storage) pretty much has to end as soon as consent is revoked. But if the Legal Basis of collecting the data is something else, and I really feel like 90% of the time in practice it's going to be Legitimate Interest, then the Data Controller gets to balance their own needs against the rights of the Data Subject when handling a Right to Erasure or Right to Object request. And you can probably make a good argument that you don't need to modify back-ups. Your argument is stronger if a) your restore-from-back-up procedure can ignore or delete the user's data during/after restore b) your data retention policy eventually deletes the back-up.
You're assuming that I knew I wanted to do said analysis, or that I would never want to go back to an order's record for more information. (What was ordered, or perhaps the US county someone is in that I need to figure out from the shipping address.)
It's not that the analysis can't be done anonymously, but to do so requires foreknowledge of everything you would like to analyze.
You can most certainly do that...Unless you've been incompetant with your data organisation and scattered PII where it really has no business being. In which case, how about sorting out your poor data practices before worrying about how you can optimise your shipping costs?
Not pii, but personal data, which is more broadly defined in the gdpr than pii is.
Second, I think you're missing the context here. If I need to encryption each log entry that pertains to a user, even if it doesn't contain pii, then adhoc analysis is nearly impossible to do.
Is it truly a WORM store that cannot delete any data ever never? If so, you'll need to encrypt the data in a way that allows you to make records inaccessible.
If the WORM store rotates out old data (webserver logs, tape backups with retention and rotation, etc.) then you simply inform the user of that and that's it.
> If the WORM store rotates out old data (webserver logs, tape backups with retention and rotation, etc.) then you simply inform the user of that and that's it.
Can you point me to where that's allowed? What if retention is reasonably long (a year)? or not (10 years)?
> s it truly a WORM store that cannot delete any data ever never? If so, you'll need to encrypt the data in a way that allows you to make records inaccessible.
So now I can't perform impromptu analysis of my own data in any computationally easy way? Security analysis? Analyzing shipping information to optimize in the future?
Acronis, a german corporation, is implementing the GDPR too [0] and they recommend that if possible, you split backups per customer, if that is not practical atleast do your best to protect the data and don't keep it for unnecessary time frames. You should have a retention policy and encrypt your backups.
>So now I can't perform impromptu analysis of my own data in any computationally easy way? Security analysis? Analyzing shipping information to optimize in the future?
Any analysis will have to be done in a way to make sure you're not exceeding the bounds of network security or you're outside legitimate interest.
Analyzing shipping information is the same, as long as you do everything to make sure the data is pseudonimized or not otherwise in risk of leaking personal data, it's fine or alternatively you ask customers about it.
>What if retention is reasonably long (a year)? or not (10 years)?
Use your own judgement of what is reasonable, worst case you get a letter from the EU asking you to reduce the retention timeframe as long as you made an actual effort to implement the regulation.
My question wasn't so much about doing the analysis, but about being unable to do it without fetching keys and decrypting on a per-log-entry basis. Not only would this be insufferably slow, I've not seen a feature like this in any COTS software and quite frankly seems incredibly difficult to write properly and securely, specifically the key management portion.
Why do you think that's a given? It seems like an implementation detail with a couple of easy solutions such as caching or batching, and it should encourage better system design in many cases where the analysis doesn't require PII and thus it's better from a security perspective not to have access to it there to begin with.
There have been a ton of breaches over the years where reporting or test systems had data which they didn't even need but which had been loaded anyway since it was less work than subsetting the data.
> analysis doesn't require PII and thus it's better from a security perspective not to have access to it there to begin with.
Unless I'm pulling from a raw dump of shipping I've bought, which would contain the address so that it can be cross-checked if there is an issue and I didn't know ahead of time that I wanted to perform this analysis.
If you want this analysis you should plan for it. Mozilla does this for example. Any kind of profiling or monitoring goes through several layers to ensure the minimum amount of data necessary is collected.
If you want shipping analytics you'll have to decide that ahead of time. That way you reduce the risk for your customer in case you don't want to do this and if you do want it you still make an effort to reduce the data necessary.
You should keep in mind that the basic premise of the GDPR is that the shipping address isn't yours to begin with. It's personal data of your customer and ultimately belongs to them.
If they don't allow you to use it for analytics, tough luck.
> If you want this analysis you should plan for it.
Yes, I should be omniscient. Thanks for clearing that up.
> Any kind of profiling or monitoring goes through several layers to ensure the minimum amount of data necessary is collected.
Yes, because they need to collect it. It's not about looking at what they have.
> If you want shipping analytics you'll have to decide that ahead of time.
Again, I'm not omniscient. I can't figure out what my company will be doing in a year, and waiting another year to collect the data I already have could see me hemorrhaging money.
> You should keep in mind that the basic premise of the GDPR is that the shipping address isn't yours to begin with. It's personal data of your customer and ultimately belongs to them.
Which is an absolutely silly notion. It is the company's data, not the users.
> If they don't allow you to use it for analytics, tough luck.
Which is silly. It's the company's data; they should be able to use it to improve their business.
>Yes, I should be omniscient. Thanks for clearing that up.
Not omniscient but being able to plan ahead does help a lot, yes.
> It's not about looking at what they have.
Yes, because they only collect what's necessary and if they don't have that they ask if it's necessary and collect it.
>I can't figure out what my company will be doing in a year, and waiting another year to collect the data I already have could see me hemorrhaging money.
Then simply ask your customers to hand over data with consent to use it for analytics, problem solved, no?
>Which is an absolutely silly notion. It is the company's data, not the users.
No. Under GDPR this is no longer the case. The data belongs to the user now because corporations have shown time and time again that owning the user data is too much responsibility for them.
You do not own the customer data anymore, the customers own it. And they can decide what you're allowed to do with it.
It's perfectly in line with existing German Data Regulations (although they get a minor update too with the DSGVO coming along with the GDPR). Data retention laws in Germany supersede the GDPR. The GDPR itself also mentions that any regulation and law in your jurisdiction may supersede anything in it.
Even that data isn't owned by you. You are merely responsible for keeping it safe while you have to store it. Ultimately it's the customers data. End of story.
Handling delivery problems is normal and expected usage. As long as your lawyer is remotely competent, your ToS will cover that and no government on earth is going to disagree.
If you’re trying to do analytics, you don’t need PII - anonymized locations, sizes, bucketed prices, etc. will cover that and usually makes the process faster, too.
Look at it from a different perspective: does ignorance of food handling procedures or electrical wiring codes remove your obligation to follow safety regulations? This is the same thing for data: yes, it requires you to act as if you care about users’ privacy but that’s another way of saying that you’re no longer being subsidized by being allowed to fob the cost of negligence onto the users rather than being responsible. Everything which people have been talking about in this thread is already covered by accepted security best practices.
Another point, what about "personal data" that isn't really? Webserver log, for instance, contains an IP, which is covered under the law as personal information I believe. This is could be part of carrier grade Nat serving thousands (or even just regular Nat of 2 or 3 people), must I delete everyone? Who's keep would these be encrypted with in your solution?
Webserver logs should for most intents be covered under legitimate interest as part of securing your network. As long as you rotate your server logs, which is default for any distro installation (AFAIK), you don't have to delete those when a user requests them.
Most companies collect and centralize logs, making logrotate irrelevant. What prevents a company from having decade long rotations? Also, who decides what is a legitimate interest?
Even centralized logs can have rotation and retention.
The company will have to decide for themselves, primarly, if some interest is legitimate.
This means you weigh the data you collect by the single user against the continued function of the company, the great good and all other users. The company should then be able to demonstrate this process to the regulatory body.
There is no nailed process but keeping logs for a short amount of time to ensure network security and keeping some logs longer for legal compliance will most certainly pass as legitimate interest.
Network security benefits the user themself, the company and all other users by ensuring their data is secured against breaches. It goes beyond simple self-interest of the company and protects the users too.
Similarly having an email address to contact a user can be legitimate interest. If you only send them informative mail, ie "Someone changed your password" and "We had a databreach" or even "Someone tried to login from Uganda using your password, check if that's alright please" it serves primarly to protect you, the customer and the relationship you build up.
IMO that means it's legitimate.
On the other hand, of course an adcorp could claim their personal tracking data is legitimate. The data collected does not benefit the user other than showing them ads and selling it to others. Of the three groups, only one benefits.
Or keeping a webserver log for 20 years including usernames and emails.
IMO that would mean it's not legitimate.
If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.
If you think they are wrong about that, the best option is to write them back and explain why you think it's legitimate. You can work out a solution with them that satisfies both sides.
> Even centralized logs can have rotation and retention.
That was a response to the comment about the default installs in most distros, not the ability of centralized services to rotate logs. It was pedantic and I regret derailing the discussion with it.
> The company will have to decide for themselves, primarly, if some interest is legitimate.
Until a regulator comes and makes a separate decision, and you have to plead with them that you're not wrong even when they think you are.
> If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.
From a regulatory body that has no real authority over me, except it might?
I think my biggest issue is that I don't deem data a company has on me _my_ data or that they have to explain everything they do with _their_ data about me. I was never under the impression that it was my data, and in fact, I assume anything I put on a computer I don't control or have a paid, contractual agreement around is public. I fundamentally don't agree with or understand the premise that the situation is otherwise.
(The biggest exception being that I do expect companies to honor their contractual obligations under their credit card processing agreements, but that's not really about _me_ or data about me.)
Start by reading the actual regulation, provided here in a easy online format without the extraneous formatting: https://gdpr-info.eu/
If you want a shortcut, you can try the EnterpriseReady site which has a great overview specific to SaaS companies: https://www.enterpriseready.io/gdpr/
As always though, your best resource is to talk to a lawyer. Do not trust any internet comments about legal decisions for your business.
A reasonable approach that we're following is to have a documented backup retention policy and a procedure to re-delete data for any users who have asked to be deleted when those backups are restored. That retention policy can be longer than 30 days as it's impossible or infeasible to delete individual user data from all the backups.
One easy way to do this is with an expiration policy on s3 objects. You need to have an independent backup of those deletion requests though.
If you have a years-old tape archive you probably have a massive legal team who is much better equipped to answer this question.
You decide on a timeframe for deletion of backups (ie. X days). You keep a record of deletion requests you receive for X days. If you need to restore to a backup, you delete data again for the users that requested it.
Then you delete the backups and records of deletion (or the tables in it that contain personally-identified information) after X days.
> You decide on a timeframe for deletion of backups (ie. X days). You keep a record of deletion requests you receive for X days. If you need to restore to a backup, you delete data again for the users that requested it.
All of which requires a good deal of development work.
Unless I'm mistaken, you can't actually sue over your interpretation of the GDPR. You can report companies to the appropriate authority, who can then investigate, and with whom you can communicate. Just like the many other authorities of the kind[1].
Yeah but in the EU/UK I'm not sure people sue for this kind of thing. The US is different. In the UK we don't really have class actions, you can only sue for the damage caused to you which in the case of a website like this isn't going to be much and legal fees are expensive making the whole thing not worth while.
Any UK examples? I haven't heard of it though it's not really my field. If you are worried you can always set up a ltd company which is quite cheap and quick in the UK (like £40, same day - company bank account longer).
I am an architect for a company that does ABM, B2B ads, so I am well versed in the subject. We had to move all of our PI data in the raw form to a different AWS account, and only certain individuals with "legal" clearance can access it. This forced us to re-architect almost our entire stack, and rethink our main API.
The whole thing was a massive endeavor that took a whole engineering team two quarters. If this was three years ago, when we were less than a dozen engineers, we would have most likely thrown the towel and forego cookies and business in the EU altogether.
> You know, until someone opportunistically sues you using a legal firm that costs the plaintiff nothing, and then you're out the cost of getting a lawyer and trying to defend
Absolutely. As currently outlined, (big or legal) companies with any legal resources can harass regular people all day long. They can bring a million dollar suit and if you don't defend it, they get a default judgment, meaning they win by default. Defending it can cost a lot. It costs nearly nothing to file a lawsuit too. An example of this in action is the NRAA and patent trolls.
And that is exactly how it works in all EU jurisdictions (and indeed most of the world besides the US)[1]. This is a big reason the US is a far more litigious place than similarly developed countries.
No-win-no-fee lawyers don't just take any case that walks through the door.
The expected value of the case to the lawyers is the probability of winning, multiplied by the minimum of the expected award and the resources the defendant has available to pay, multiplied by the fee percentage that the lawyers are charging, minus the costs involved in litigating the case.
In the cases we're considering here, the probability of winning is low, the expected award is low, and the resources available to the defendant are low. They're simply not going to take them on.
I’ve been in this situation before, I was sued for copyright infringement for something I shared on my blog by someone who had obviously gone through lawyers until she found someone to take her case.
She alleged I colluded with and stole manuscripts from her publisher (I published my content before she did). I knew I was in the right, and had proof to back it up. Then I found out it would cost tens of thousands to take the case to court and then if I won, I could claim the lawsuit was frivolous and sue for legal fees.
People can use the legal system to rope you into an expensive game that you don’t want to play. Even if you win, that victory might come at a huge cost financially and emotionally. Irrational and vindictive people can hire lawyers too.
Presumably that was in the US. In the UK, which is where StreetLend.com seems to be located, costs are generally awarded to the prevailing party in the judgement.
Yes, it was in the US. I’m not American but unbeknownst to me I moved to the same US state she lived in shortly before she decided to sue me.
Even in the case where fees are awarded, there is absolutely zero upside in being sued. The best possible outcome is to tie up tens of thousands of your own money in legal fees, and invest huge amounts of time and energy in a court battle. And of course there is always a risk you could lose the case.
For a passion project that is a big investment. I cut my losses, and I’m glad I did.
Sure! The same by holds for life itself, we all have limitations, physically and mentally. Well, since that's the case, I'll go ahead and take one of your kidneys out. Anyway "nothing has changed", you're still a human with some limitations.
You argument is so comically simplistic and shortsighted that it actually makes me a bit depressed, holy shit!
Sue you for what? Gdpr grants no new right to sue. The only thing that's changed is that if someone emails you saying "delete the stuff on me please" you have to do so unless you have a good excuse. And if you refuse, it goes to arbitration and if you refuse unlawfully, you get a fine.
All you have to do to be Gdpr compliant is delete user data when asked. There is no "trap card" provision.
You're right, there is also (gasp!) the right for users to request all of the data you hold about them, and also (shriek!) to be told how you use their data!
I just do not get what there is to complain about here - the GDPR is a good thing for consumers, and as a business owner than gives a damn about privacy, it is not onerous to comply with.
For having an unfair competitive advantage over competitors who properly follow the law. This is a well-known tactic to get rid of competitors or just companies you don’t like.
Incorrect. That "someone" cannot sue you over a GDPR claim; only the national entity responsible for that can take complaints, which they analyze and emit a fine if deemed appropriate.
No, EU is not USA, it doesn't work this way here. You can't sue companies for violating GDPR directly as a person, you can only write a complain to authorities that will decide how to proceed (issue a warning, start an investigation, issue a fine etc.)
Want to host the data on aws? You need a documented data processor agreement with them. Same thing with cloudflare and any other service you might want to use.
Want to use google analytics or some other javascript? Those cookies aren't required so you need a way to let users opt-in to using those cookies. And opt-out and delete any third party cookies. I'm still not clear on how the regulations expect you to delete third party cookies.
Amazon affiliate links also aren't necessary to use the service, and that sets cookies. Have to get consent before users can click on those links.
Don't forget that ip addresses are considered personal data.
And all of this might have to be written down and documented per Article 30 as well. The organization is smaller than 250 people, so that might be an out, but people are using the site daily so one could argue the processing is not occasional.
Be careful about interpreting the law if you aren’t a lawyer:
1) IP addressed aren’t a personal identifier since more than one person can use the same IP
2) Google analytics is a processor of data and the general consent you get from your users can grant you the ability to use google analytics since its use helps you enhance the site and make a better user experience
3) You need a data processor agreement to provide access to data that the processor has collected on your user’s behalf. Given you run your aws services, that should be straightforward to provide access.
If IPs aren’t personal because more than one person can have them, how is the name John Smith a piece of personal information? Anyone can have that name and a lot of people do have that name.
John Smith is personal information, but not a personal identified, so you couldn’t let the user access their data based on IP address or their John Smith name.
> Amazon affiliate links also aren't necessary to use the service, and that sets cookies. Have to get consent before users can click on those links.
Assuming that these cookies are only set after clicking the link, and that there is no personal information in the links, then what is the problem? In any case, Amazon setting cookies is not your problem, it is Amazon's.
Affiliate links could be between the user and amazon. I’m not super familiar with affiliate marketing, but you’re right it probably depends on if the cookie is set when the page loads or when the user clicks on the link.
That's a solid 50 hours of engineering and QA. At a $75/hr contracting rate, that is $3,750 (50 * $75/hr).
And that's just the engineering work. The website owner cannot know whether or not the engineering work and website meets the requirements of GDPR by himself. He does not have the ability to interpret the GDPR policies. The website owner would need to consult with a compliance lawyer or expert to assess the website for compliance. I would guess it would take a lawyer 10 hours at minimum (assuming the lawyer is a GDPR expert and already knows GDPR in and out) to assess a website for GDPR compliance, billed at a low $250/hr is $2500.
Are you going to purge all your logs of IP addresses, since those are considered personal information too? Also if your website is ad supported in any way, are you sure they are in compliance, or will you get nailed because your ad provider wasn't completely compliant?
"All of these logs contains personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49. The logs can also contain usernames if your web service use them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).
If you don’t have a legitimate need to store these logs you should disable logging in your web server. You’re not even allowed to store this type of information without having obtained direct consent for the purposes you intend to store the information"
Are you going to either 1) completely disable logging on your webserver or 2) ask for consent just to use a default Apache/Nginx logging configuration? The law makes no technical sense.
> Are you going to either 1) completely disable logging on your webserver or 2) ask for consent just to use a default Apache/Nginx logging configuration? The law makes no technical sense.
3) Change your webserver not to store IPs or to delete them relatively quickly?
The default Apache/Nginx configurations aren't suitable for production in many other ways but most distributions ship them with log rotation enabled which would prevent this from being a problem in the default install.
>GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.
I get the point about legal trolls,but how are the hoops ambigously defined?
- don't store data you don't need for your business' stated purpose
- get active consent before you do so
- be ready to delete data on command
- store the data with best principles (i.e., instead of having ID and other stuff connected, centralize identifiying information and protect,use pseudonyms otherwise)
He said the site does not make money. So why would he spend more of his time to make the changes needed to be compliant?
That said, I think the fear of no win, no fee legal firms is a little overblown. You can't get blood out of a turnip and if he's not making money there's no reason any law firm would be interested in suing him.
> He said the site does not make money. So why would he spend more of his time to make the changes needed to be compliant?
I'm honestly wondering what the law previously said regarding data protection. The Dutch WBP from 2001 already covers everything that he would have to do under GDPR given this website, so unless the UK has some very weird laws (or unless we're weird), nothing would change. Perhaps an extra tickbox on signing up that says "yeah yeah I'm really very aware that my data is shared with third parties".
Most likely, this is a good excuse to go "I refuse to read the long legalese [even if it's 95% the same as before] and I'm just going to quit this loss-turning website without the community turning sour on me because I have a good excuse".
The main difference is that you have to tell people ahead of time what you are going to do with the data and what lawful basis you are going to use to justify that usage. Later you can't change your mind. Additionally, you have to record what you have previously told people (so you can say, "On this date we informed you that we would use the data in this way, are we are doing so"). One other potential difference is that you need to be able to inform the user specifically with which 3rd parties you have shared the information.
Generally speaking, I think most sites will require some additional development work to update their UI and to store the data. If you have been compliant with the previous laws then it should be no problem. One wrinkle is that in the previous laws there was no way for your customer to find out if you were following the law or not (without suing you). With GDPR they have a right to both be notified what you plan to do and the right to request evidence that you are following that plan. There will be many companies that will have to alter their processes significantly to account for this.
I just mentioned the Dutch variant because I know of it and since both counties are in the EU, laws are typically very similar. I'm wondering if he was compliant with whatever the current (pre-GDPR) UK law is.
> I'm honestly wondering what the law previously said regarding data protection.
In the businesses I'm working with, I'm finding the biggest problems with GDPR aren't with GDPR - they're because the business wasn't compliant with the UK's Data Protection Act (1998). So the pain is the scramble to catch up.
>He said the site does not make money. So why would he spend more of his time to make the changes needed to be compliant?
I think you could ask that question about all the other formalities you have to engage in as well if you run a business? Managing his taxes probably takes more time than making that kind of business GDPR compliant
I haven't seen his tax return of course, but perhaps he's not running it as a "business" at all. From the sounds of things it was a side project and could easily be classified as a hobby even if it were generating a little income.
>- don't store data you don't need for your business' stated purpose
>- get active consent before you do so
These are mutually exclusive. The GDPR specifically warns against soliciting consent for collection and processing activities that are actually needed, as consent is not considered meaningful when the alternative is to avoid doing business. Consent is only valid if you can "degrade gracefully" in its absence. (I'm not a lawyer).
It makes more sense to ask for literally everything, and provide no feedback on whether the user should join or not until the next page. Literally everything. Even things they can't avoid sharing. Don't check it until the end - preferably several pages later. Then, if they didn't consent to a required thing instead of an optional thing (which should look identical), their entire setup process should be voided, with a great banner blaming European Regulation.
If you didn't check a required item, you're uncomfortable with a fundamental feature of the service, and shouldn't be using it at all. It seems like a feature, not a bug, that it's hard for you to override your values about privacy and use the service anyway. (But anyone designing for user engagement will be aware of this).
Well, just in this thread, two people providing 4-point lists of _simple_ things that can be done to abide by the GDPR provide two different lists that they themselves are ambiguously defined.
So, perhaps it's not as _simple_ as you make it out to be.
I've noticed most people are not sure of what exactly they need to do to comply (me included). With the ambiguity, it seems the best way to cover yourself is to just be able to say you consulted a legal team in the past and did what they told you to comply. This has obvious costs associated with it.
Deletion of data from all external services that you use and internal services. If you have some processed data from internal data pipelines you will have to clear that as well. What about error reporting services? Internal logs? I think for data backups you can have it encrypted and that works as a good alternative but if you have to delete data from there it is not at all feasible.
- store the data with best principles (i.e., instead of having ID and other stuff connected, centralize identifiying information and protect,use pseudonyms otherwise)
Even if in the main data stores you store them in a well normalized way. It becomes a pain to do the same thing to do the same in data pipelines, sinks etc. If you are having a reporting DB it would make sense to denormalize data there.
GPDR explicitly lets organizations keep data if they need to. Do you think it just turned into a magical get-out-of-your-past switch that means "my employer will have to delete records of firing me!"?
Your example "my employer will have to delete records of firing me!" is exactly how the GDPR works.
There are exceptions -e .g. if the firing is now leading to a court case, but they are less than you think.
In an ironic twist, after deleting the data subject's personal information, you must be left with nothing that identifies them, so you don't even know that they have requested this in the past - only that someone exercised their right to erasure (not who).
Yes, I have read it, although I am not a lawyer. Have you? Because the exceptions include "necessary in relation to the purposes for which they are collected or otherwise processed", and avoiding re-hire of a bad employee seems pretty related to the purpose of identifying employees in the first place. If you have professional legal advice to the contrary I would definitely be interested in knowing more.
I'm not a lawyer but I've read it fairly thoroughly. From the ico, the exceptions to the right to erasure are below (none of them cover your example):
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;
or for the establishment, exercise or defence of legal claims.
Article 17.1
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
https://gdpr-info.eu/art-17-gdpr/
If you read further down the page, you come to the section you are quoting, 17.3, which says that the above right from 17.1 does not apply even if one of the conditions in 17.1 is met. However the scenario we are talking about is one where none of those conditions were met in the first place, so we never had to look at 17.3.
You can argue that 17.1.b/c would require an employer to remove any demographic/political data it had stored on you, but absolutely not that it requires the employer to remove the record of your existence at the company.
Again, IANAL, but according to 17.1.b, the data subject..shall have the right to obtain from the controller the erasure of personal data concerning him or her ... where one of the following grounds applies:
(17.1.b) the data subject withdraws consent on which the processing is based
17.1.b appears to be the trump card held by the data subject. They can withdraw consent at any time and request erasure.
Once they do, the data controller can then use any of the exceptions in 17.3 to deny them. However none of these is "because I want to keep records of all firings".
My further understanding is that you certainly could keep a record that someone was fired, just not a record that included any personal information that could identify who that was.
No, I addressed that. 17.1.b doesn't cover identifying data, it covers data about their characteristics. That's what my last sentence was about - you can demand that they remove the information that you are black, but not that they remove the information that you were there.
(edit - and I think you could keep the information about their race/etc if it was properly pseudonymized, but I haven't tried working that out so I'm not sure).
Who lost his business because of GDPR? I see a man who decided not to bother with informing himself about how to treat user data properly, and instead shut down his app.
that's not quite correct.... "The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location."
meaning you can be doing business with EU residents as a US only company.
I'm not quite sure how they intend to enforce the GDPR on foriegn companies, but they are making that claim.
Well, the EU basically says that if you store data on people who fall under EU law, you're doing business in the EU.
This doesn't sound crazy to me.
If I'm in europe and I sell to an american, I have to adhere to certain US laws just the same. I have to fill in a W8-BEN form or whatnot.
I can elect not to, but next time I'm in the US, things might get awkward at customs. Also, my customers might be fined or more or less 'ordered' not to do business with me. That's within the US's right.
That's just how it works. Everywhere. For all countries.
GDPR (EU Law) requires companies to delete private data upon request.
SOX (US Law) requires companies do not delete private data, in case the government wants to investigate those companies later on.
SOX has existed since 2002. Did the EU lawmakers even consider this when crafting GDPR? I'm betting not, considering the damage they've done to the WHOIS system as well.
This kind of fallout is the result of poor planning and pushing incomplete legislation for political purposes and I think all of us realize that, so let's not pretend otherwise.
GDPR is pretty clear that a users “right to be forgotten” isn’t absolute and that businesses should be weighing up (and documenting) a users right to privacy against their other legal obligations.
Well, european countries usually didn't shy away from bureaucracy. Now that there is the EU, there is another big layer of bureaucracy, and it doesn't help at all. Even worse is the fact that these bureaucrats are really distant from the people, both physically and with their hearts.
We are still going on because we're wasting the capital we accumulated in hundreds of years, otherwise we would have succumbed long time ago.
Of course, this is a summary of my political analysis, I don't pretend to know the truth or really anything. Don't want to offend people with my opinion.
GDPR is a great example of the kinds of disasters that happen when nations try to force the entire planet to follow their unilateral actions.
(Shrug) It's a public response to abuses by private actors. It's a great example of the kinds of disasters that happen when the user is the product and not the customer.
> (Shrug) It's a public response to abuses by private actors.
I disagree, I think it's a political move and won't have the kind of positive impact that we want it to.
GDPR, as it is written, should put Facebook and Google out of business. Invading people's privacy is a huge part of their revenue stream. I'm all in favor of protecting privacy of individuals but I'm cynical that we'll see any real progress as a result of this and the negative consequences are real, and possibly more significant than any positive effects. Time will tell.
It seems like more research into GDPR could have prevented this.
Firstly, there's nothing this site does that is so unusual. If the user gives explicit and informed consent for their data to be used in this way, then you are likely to be covered.
Secondly, it's looking unlikely that the rules will be enforced that strictly in the near term, especially against a small, hobby website. IANAL but you likely have a couple of years until you have any chance of being on the ICO's radar (ICO is the UK's enforcer). And even then, you can reasonably expect the find to be << €4M.
Thirdly, if you run this site from a limited company (about £100/year to maintain), then the very worst case would be that you are investigated under the GDPR in the future, and you can fold the site then at which point your liability ends. No need to do it now, in fear of something that may never happen.
I hope it's not too late to change your mind about shutting down!
I am currently working in one of this multi-$bn companies. They run/are preparing GDPR.
So far I haven't found ANY person who has read the full 80 pages. Everyone is asking eveyrone else, they download whatever presentations they find on the internet, but NOT ONE have bothered reading the damn thing.
It will be a massacre for many companies, only because very few do their homework.
the damn thing is more abstract than poetry. it s indicative that all these months, i have not seen a single article / presentation that provides a concrete example of how to shield a website.
The law is completely readable by non-lawyers, IMHO. It's one of the better written laws I've seen. But here's a website by the UK government that explains what all the terms mean and exactly what you have to do: https://ico.org.uk/for-organisations/guide-to-the-general-da...
There are 28 member states. Under some circumstances, a company headquartered in the EU can have the headquarters country's authority act as its "one stop shop." But it would be a mistake for a foreign website to rely on the opinions of 1/28th of the agencies that might prosecute it.
There is a missunderstanding on your part. The law is not what’s written but what the courts make out of it. Lawyers may have the experience to foretell that.
On the other hand I bet you have a better life with your belief until - if ever- you learn the difference the hard way.
Take the simple question: can you look at personal data on your monitor? What about Van Eck phreaking? Basically you are broadcasting the data. Do you need to protect against that?
The GDPR says that at the current state of technology it would take an undue effort to infringe someone's privacy in such a way, so the risk is unreasonable.
It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.
It's worth noting, as well, that this part of the law hasn't changed at all. The changes to GDPR are about notification and a variety of rights. Protection for leaking data to unknown 3rd parties is exactly the same as it was.
I would estimate the frequency of the attack similar to Lightnings killing people. I’m quite sure it happens but only in very small scale because you have to get so close to the victim.
If the customer is choosing to display his data on his screen while under risk of Van Eck phreaking, it's on him.
If you choose to display customer data on your screen while raising funds for launching a new cryptocurrency in the Sultanate of Kinakuta from sketchy Chinese generals, it's on you.
I have a theory about this. It's a kind of intentional incompetence. You won't get praised in an organisation for implementing GDPR because it is seen as a cost. In some cases it is even restricting revenue (or at least making it more difficult). By only having a surface understanding of the issue, you can intentionally misunderstand it while later having a plausible excuse. When/if you have a big lawsuit directed at you, you can blame the summary websites, consultants, etc for being insufficient. Indeed, you can blame the GDPR for be "too complicated". "Even the experts got it wrong".
But if you read the law, claim to understand it and don't implement it properly, you are screwed. It's just another case where savy managers are avoiding personal risk at the expense of corporate risk.
Having engineers read and interpret regulation personally is not a remotely sane legal risk management strategy. Read the thing on your own time if you're curious, but the engineering work should start with specialized outside counsel/consultants and percolate down to engineers as company policy via the CTO.
You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
> You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
Is that a bad thing? The vast majority of regulations exist because someone's "critical thinking" went too far in the name of profit.
Your mistake is assuming that the idea being sold internally under the heading "compliance" is required by, or even tangentially related to, an actual regulation.
Unfortunately for you, the ICO was directly asked about this and responded that they do not envision a grace period
> Steve Wood, ICO Deputy Commissioner: Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy.
Except the lazy morons running the privacy orgs couldn't be arsed to give us final guidance until, well, mid April.
And that definitely includes the ICO. I mean, I understand it's a lot to expect to have final guidance on running a balancing test more than a month before the deadline, but I guess grace periods are just for the regulators.
If you're a big multinational, these uncertainties are a cost of doing business. You have a dedicated team of in-house attorneys and many other high priced lawyers on retainer. If the worst happens, you start private negotiations on settlements. When I worked for a firm owned by a very large multinational, our parent company basically had an IRS auditor with a dedicated office inside of the parent's headquarters. But you can absorb that cost across multiple entities.
Within society "in general" there are usually other forms for quantifying, and spreading, the cost of uncertainty among larger groups. We usually call those markets "insurance." Car insurance, life insurance, health insurance, disability insurance, homeowners insurance, landlord insurance... all of it exists to "cope" with uncertainty.
If you're running a small operation that's hovering at or below breakeven, it's reasonable to look at the existing uncertainty surrounding GDPR and find that the only winning move is to not play.
I'm not a FUD guy; I'm a numbers guy. Uncertainty is real and entire markets exist to deal with them. Where there are _not_ markets that allow you to quantify uncertainty, it is reasonable to look at the potential downside and say, "that's not worth the risk."
I'd be very hard pressed to run a business that catered to the EU at this point until the first N lawsuits happen. There's a reason why in the US people prefer to incorporate in Delaware: it's not because it's the most business friendly state, it's because there is so little uncertainty in case law.
I am making no claims as to whether GDPR is a good thing or a bad thing. Simply that it's an unknown thing. And unless you have the pockets to play in unchartered legal territory, it is perfectly reasonable to shake one's head and walk away.
The GDPR is about 68 to 90 pages depending on which language you're reading it in. It is trying to be futureproof by leaving measures defined in terms of 'current state of technology', 'reasonable security considering the risk' and other such ambiguous terms.
I run a small business and I like this. Just about anybody can read it and understand what rights and requirements are being set out in it.
The GDPR specifically refers to the concept of "micro, small and medium-sized enterprises" [GDPR 40p1 and 42p1 use this text; they direct member states about the spirit of the law, referring that the needs of such businesses need to be taken into account].
GDPR 58p2 sets out that regulatory bodies in a member state have the power to issue warnings. As in, if you mess up, unless the mess-up is malicious or excessively negligent, you get a written warning and reasonable time to fix the problem. My government (The Netherlands) has taken the effort, as have a significant number of third parties, of creating a legal document of 3 to 10 pages covering some details, and they generally set out more explicitly that you grant yourself a week or so to fix problems without penalty. Whilst the GDPR is intentionally ambiguous in order to try to be somewhat futureproof and remain short enough to read back to back in an afternoon, it's fairly clear this is perfectly fine.
The most strenuous sections of the GDPR involve requests from those whose data you store. If they ask you to supply what data you have of them, and whom you've shared it with, you have to comply. Within reasonable timeframes, and you cannot lie about it. If they ask that you delete this data, you must be capable of doing so, and you must do so within a reasonable timeframe. However, the GDPR is nice enough to grant you exceptions for reasonable measures which nevertheless make it hard to comply. Things like a backup tape are specifically called out. It's okay if data that's been requested to be removed, stays on those. You would have to show that this data is pseudonimized (GDPR-ese for encrypted, pretty much).
Any service which has a hard time supporting requests to explain what data you store and where you've stored it, or which cannot delete it from the main service on demand... should indeed just call it a day and shut down. I don't think a service like streetlend would have a hard time supporting such requests, however.
> The GDPR is about 68 to 90 pages depending on which language you're reading it in [...] I run a small business and I like this. Just about anybody can read it and understand what rights and requirements are being set out in it.
I don't run a small business, I make small things on the internet, this is not why I got into tech, I don't want to read 68 pages of yuk. If I made a small site that saves some user data i'd just pull it down too, I don't want the burden of worrying about being sued for some small thing I created, you just wont have it anymore.
FB fucked it up for everyone, ultimately people gota learn that when you give data to someone you implicitly entrust them with it. FB had to go and be evil and now the EU is overreaching demanding everyone spend their time bubble wrapping everything... everyone backing them up are the village people taking to the streets with torches and burning shopkeepers after the king was found doing witchcraft. Go burn the king.
Arguing the EU is overreaching in demanding basic protections its citizens data, and that the only people who support it are... rioters (?) is a pretty vacuous and idiotic argument to make.
If you're making something that stores personally identifiable information outside of what you need, and don't care enough to secure it or offer ways for a user to manage that data then yes, take it down. Good riddance.
Or, just don't store that data in the first place. If you're storing usernames, passwords and the like then you have nothing to worry about.
>If you're storing usernames, passwords and the like then you have nothing to worry about.
Absolutely false. Anything pertaining to a person in any way is personal data. All default web server installations are GDPR violations, unless nginx grew an "edit the access.log entries pertaining to you" endpoint recently. (Although you can maybe argue "legitimate interest" for web access logging if you invest the time, and implement the right to erasure).
Webserver logs are totally fine since you need them for information security (ie, finding out who has been spamming your webserver with requests), just use the default NGINX settings, in most distros that means deleting old logs automatically.
You are incorrect. Even an IP address that dynamically changes with your ISP is considered personal data and is under strict guidelines. You have absolutely have a lot to worry about if you want to be in compliance.
Something as simple as running Google Analytics without a processing agreement in place is a liability.
No. This is a fundamental misunderstanding of the law. IP addresses are considered PII if and only if they can actually be legally used to identify an individual. And even where they can be, what on earth are you doing with them that you imagine is non compliance?
I was thinking about GA (Google Analytics) the other day, and how I can follow the GDPR guidelines. The articles I read, both from Google and other sources said to not use user IDs to identify users without consent, to anonymize IP addresses, and to not send PII information to Google, such as in URLs. Ok, that sounds simply enough, but then... I started thinking about it more.
1. User profiles can't be sent to GA. For example, hacker news has /user?id=JohnDoe for profiles, and that contains a username, which is personal data that should not be shared with GA. Ok, so I could rewrite my profile URLs before sending them to GA without the usernames.
2. I haven't heard a single source mention referrals. If I'm on a user profile on my site and click a link, that's going to send /user?id=JohnDoe to GA as the referral. I would need to overwrite the referrals before sending them to GA as well.
3. What about 404 pages that I make up? What if I visit https://www.example.com/JohnDoe? That's sending my personal name to GA again. Hmm, ok, the site could exclude GA from 404 pages.
4. What about search boxes? What if I use the search field on a blog? https://www.example.com/posts?search=JohnDoe. Hmm, that's my personal data being sent again. Ok, we need to make sure any data from search boxes is now stripped and not sent to GA.
5. What if I manually add a query parameter or modify one? A homepage might have https://www.example.com/?page=2, but what if I change it to https://www.example.com/?page=JohnDoe. Hmm, yes, that's personal data being sent again. I guess I need to validate the page parameter to ensure it's an integer before sending the URL to GA. What if I then type in a personal phone number as the page number?
> (83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
also:
> Section 2, art. 32, Security of processing:
> Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: [..]
> [...] If I made a small site that saves some user data i'd just pull it down too, I don't want the burden of worrying about being sued for some small thing I created, you just wont have it anymore.
> this is not why I got into tech, I don't want to read 68 pages of yuk
One of the goals of this law and similar efforts is to make it clear that you need to consider the social, ethical, and legal ramifications of the things you crate. You are not creating neutral things in a vacuum; there is no neutral ground in a burning world[1]. That "small thing on the internet" might be reuniting families that were separated by work or politics, or it might be undermining the support structures of an entire industry or community. Maybe you are creating a social space*, which includes a duty to manage that space to keep so it doesn't become a tool of abuse[2]. Maybe your small site stays small. Obviously you cannot be expected to foresee every potential consequence of your creation, but you at least need to make the effort and catch the low-hanging fruit (e.g. the basic privacy features enforced by the GDPR).
> One of the goals of this law and similar efforts is to make it clear that you need to consider the social, ethical, and legal ramifications of the things you create.
One often wonders whether lawmakers heed their own advice here with what they create.
In the US, I've always found it humorous that there is no legal penalty for lawmakers continually and knowingly violating the constitution. The worst that happens is they get their bill struck down in court, then their state's legislature can vote in the next law.
Well, as a german, where this happens often enough: If a law gets truck down by the Federal Constitutional Court ("Bundesverfassungsgericht") as being in violation of the constitution, this universally can be seen as a bad job performance for the lawmakers.
They know the law was in violation of the constitution, still they agreed upon it. It's their fucking job to make sure laws are not in violation of the constitution.
This clearly justifies a strike.
Is that really true? I'd expect there to be cost associated with shitty law. Uncertainty and frequent changes shouldn't be in the interest of anyone but those whishing for extremes. Thus i'd hope for companies to support politicians who's legislature achievements will last. I'd hope, but am of cause not sure this can overcome those seeking short term benefits and political tribal blood sport thanks to the shitty US two party voting system.
Research shows people support of basic different options like more generous or stricter welfare programs change based just on which party they were told supported which option (chosen randomly by the researchers). In the face of that it's hard to believe that people particularly care about deeper things like that.
It’s safe to say people create hobby projects that fit within their ethical framework. This is about forcing a very slanted set of ethics on pretty much every creator.
I personally find regulation like this abhorrent and against my morals. Sadly I don’t have the money to fight the EU so my creations will be blocked to its citizens going forward.
The end result of this is that EU citizens will be the ones that suffer from lack of access to technology and the smart ones will end up VPNing into non-EU networks to stay on the cutting edge.
This is a relatively simple regulation that basically required anybody processing user data to do so responsibly. How does one have an ethical objection to that?
Far better details? It gives vague info on what might be considered personal data... I would not call it very detailed. In most cases just says personally identifiable information.
> The end result of this is that EU citizens will be the ones that suffer from lack of access to technology and the smart ones will end up VPNing into non-EU networks to stay on the cutting edge.
Right, because everyone who lives in Europe is too incapable of coming up with technology and businesses themselves (that have the added benefit of being GDPR compliant) and without access to American firms they will surely fall into a technological dark dark age.
Instead of viewing GDPR as some nightmarish spectre coming to ruin everything, why not think of it as a potential opportunity? You're familiar with making money in a borderline no-holds-barred approach, now try and come up with some innovative business ideas that _don't_ rely on scraping and selling as much data as mechanically possible to prop up a business. This is a great for the disruption hackernews loves so much.
> Right, because everyone who lives in Europe is too incapable of coming up with technology and businesses themselves (that have the added benefit of being GDPR compliant) and without access to American firms they will surely fall into a technological dark dark age.
Cite one EU startup that you’ll miss if the issue was reversed.
> Instead of viewing GDPR as some nightmarish spectre coming to ruin everything, why not think of it as a potential opportunity?
That's the best way to think about it. When the EU started imposing VAT taxes on non-EU companies on internet sales to EU customers, a bunch of businesses sprouted to handle all of that accounting for you. (So instead of me selling my software online directly, technically all of my EU customers now buy from a US company called FastSpring instead. Fastspring remits VAT on EU sales for me so I don't have to deal with EU tax law, just my own Australian tax law.)
There's probably similar opportunity for a GDPR service that stores customer data via API service, that shields small / micro businesses from all the GDPR compliance. (Eg all your personal Wordpress blog comments are actually stored, hosted and served by a service that handles GDPR modal-consent forms and deletion requests on your behalf.)
>... now try and come up with some innovative business ideas that _don't_ rely on scraping and selling as much data as mechanically possible...
The problem is a lot of us who would never scrape or sell data and have no interest in exploiting our customers, are still worried about not being GDPR compliant, and the EU choosing to pursue us an example for something that none of our customers actually care about.
> The problem is a lot of us who would never scrape or sell data and have no interest in exploiting our customers, are still worried about not being GDPR compliant, and the EU choosing to pursue us an example for something that none of our customers actually care about.
Why would you be worried about being pursued as an example? Is there any data that supports this as a reasonable fear? Isn't this exactly the "GDPR is a nightmarish spectre that can destroy anyone at any time" mentality?
> [...] You are not creating neutral things in a vacuum; there is no neutral ground in a burning world[1]. That "small thing on the internet" might be reuniting families that were separated by work or politics, or it might be undermining the support structures of an entire industry or community [...]
Your points are well argued - especially regarding the ethical and social implications of what we create, and I agree with them, however we have differing definitions of "small" in this context.
Your arguments apply to things that are maturing and are reasonably big already, but big things have small beginnings... and the internet/web is a fantastic place for nurturing those very very small ideas for basically free, this law appears to threaten those small ideas.
Or every independent software developer who isn’t doing anything nefarious with your data but doesn’t have the resources to implement a bunch of new, EU mandated features.
Proper encryption, limited data collection and exposure, and deletion are not fancy features. If this is onerous, it is hard to imagine you are shipping much.
How hard is it to just not collect data that isn't directly related to the running of your business?
Do you find yourself accidentally including data sales SDK's? Do you finish your website or app and realise you've accidentally set it up to fingerprint the user, scrape everything you can from them and sell it?
If your business is just a tool supported by wanton data scraping are you actually doing anything innovative and worthwhile or are you just making an MVP to pack full of advertising and jump on that bandwagon?
If you aren't doing that, then it's just a matter of checking what data you are harvesting and thinking about why you have it and if you really need it. Because if it's actually critical to the running of your business then GDPR does allow you to keep it. If it's not, why waste space, effort and now risk in bothering to harvest and keep it in the first place.
Let me play devil's advocate, and say that some personal data may not be immediately useful, but if continued to get collected, may become useful (for commercial exploitation) later.
For example, an online shop might collect customer addresses, even if the sale is purely digital. If the shop ever decides to expand to physical goods, those addresses will be very useful to find an optimal location.
However, GDPR prevent the shop from collecting (or more accurately, raises the cost of doing so), since the use, and value of, said data only becomes apparent in the future. So the shop makes the best choice now to remove the collection, and then suffer the future disadvantage.
Save the data, tell them about it in your privacy policy (i.e. that you remember that data and how you have in mind to use it), and add a "delete account" button that deletes that data.
Maybe show a notice just below the address input fields that "we remember your address for a while, this is why" and link to the relevant section in the privacy policy.
I'm more likely to hand over sensitive (or even obvious data) if I'm confident it's being handled responsibly. So it could be an opportunity for the markets for your products to increase.
Not all laws, nor all legal systems, are equally vague. It would be really helpful if the regulations had been accompanied with a large set of 'example applications' demonstrating how EU members should be expected (or required) to implement the law in specific scenarios.
> The GDPR is about 68 to 90 pages depending on which language you're reading it in. It is trying to be futureproof by leaving measures defined in terms of 'current state of technology', 'reasonable security considering the risk' and other such ambiguous terms.
1 page or 1,000 pages, most people are not in a position to accurately interpret it and understand what does or does not comply.
They would be if they read it. Every complaint I've seen about how the law is obviously going to be misapplied is called out specifically in the text in a way that makes it a non-issue.
I've read it. It's a wonderfully written document on basic human rights and inter-government interaction. As regulation I can code to, it's a goddamn clusterfuck. It's like someone tried to invent TCP/IP but in the middle there's a paragraph that says something like "appropriate networking stuff happens here and data is reliably moved around!".
> Did it turn a profit? No, sadly not, but running at a loss was fine as my day job covered the bills.
It seems the root of the issue would be financing the changes.
In a way, looking further into the regulations to clear how to deal with ambiguous parts or even straight hire a lawyer to look at the details would be a simple move if the expense could be justified.
Could it be summed up as “unexpected but mandatory changes kill unprofitable business” ?
Yes. Starting a business is already a huge mental effort, I've done it once when I was 19 and never since, even though it's pretty much expected of me (programmer after 40). Adding "you might have to pay 20 million euros" to the list of risks is... indescribable.
It's not like he ever intended to turn it into the next Facebook, though, is it? It's like your grandmother's unprofitable home-made scone business shutting down because she doesn't have a certified kitchen.
If her scone business started accepting payments by card then I think it should be held to the similar standards as larger businesses when it comes to securing card details.
Which is kind of what GDPR wants to do for personal data: if you want to collect it from me, there are a minimum set of standards that you need to adhere to because it’s my data.
"few". Handling customers individually in terms of logs and database backups, for instance, is not a small undertaking. Deleting all traces of a customer is neigh impossible; I bet even "compliant" places don't do it right.
The pci DSS has nothing in it like the gdpr; I'm not even sure why you would compare them.and it makes me think you know nothing about either.
It depends how you do it.
For me dealing with PCI DSS compliance was mainly to get rid of unwanted traces in the logs and anything permanent (backed up), and separating services dealing with sensible information.
While doing these changes, there will usualy be a rethinking of how user data is handled at its core. For instance I worked in the past on dissociating user account with it’s profile and private info, so we could get rid of personal info and only keep behaviors.
With GDPR you get similar leeway for keeping most of your data as long as you get rid of identifying info in a reasonable manner. If I’m not mistaken backups are also safe up to a point, but I don’t have the details at hand.
My main point was that if someone had the occasion to think thoroughly about user data policy and cleaning unwanted traces at leadt once in the past, GDPR was a lot easier than one might think at first.
Not really. The GDPR covers "personal data," which is much broader than the category of "personally identifiable information" that other legislation covers. A user identifier, even if opaque and not related to any personal information, counts as personal data.
Yeah, and the crazy thing is if you talk with a lawyer they would label anything and everything as personal data just because of how abstract some of the things are in the regulation.
For example, IP address is PII and if you derive city, region or country from that it becomes personal data. Now if you are a small project or startup there is high chance that you are using some of the external analytics tools like GA or mixpanel(as building a good analytics tool is an effort on its own). Now you have to take care of data like country there as well and be very careful that you delete data like this as well.
> if you derive city, region or country from that it becomes personal data
I don't think city itself is a personal data. You could use user's IP address to get the city and then discard it and this way you know user's city but don't have to keep their IP address.
Google Analytics can be a problem; Google or someone else should make the analytics that doesn't store IP addresses.
And I think ISPs should randomly rotate IP addresses of their customers so they cannot be used for identification.
Any identifier can be a "personal data" only if it allows to link it to some real person. If you don't store IP address, email, real name, ID card number, SSN, bank card number, phone number, then user id is just a number.
Quote [1]:
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
So at best this is going to be a dumb boilerplate consent message, like the cookie consent popup that's annoying and always trains users to click yes immediately anyway?
Yes, except if you're found to be in violation of how you store or use the data they consented you to use, you're liable. Also they can at any point remove the consent and you need to deal with that.
The best would be to encrypt IP addresses with a key that is regenerated every week. This way you can identify unique visitors over a week but cannot restore their IP address. I hope it will be the default option for popular web server software.
You don't have to keep IP addresses in the log. You could encrypt them with a key that is regenerated every week for example. This way you can identify requests from the same visitor over a week but you cannot restore their IP address.
I think that soon there will be extensions for popular servers that implement something like this. I wish it were the default configuration.
Also I think if IPSs rotated IP addresses among their customers daily it would not be a problem at all.
You should anyway implement some basic stuff related to GDPR as that is good for other users as well. But it would make sense for you to cut off the access to EU citizens as full compliance is definitely a big pain and probably not worth it for just few users.
If your contact with EU customers is only accidental/incidental then I don't believe you're under the GDPR cover. [ https://gdpr-info.eu/recitals/no-23/ ]
The actual law is here and it applies when you offer services or goods to people in the EU or if you monitor their behavior in the EU.
The recitals are a pretty good commentary to clear up the law, the same recitals will be used by regulatory bodies and judges later on, as a guideline.
> The recitals are a pretty good commentary to clear up the law, the same recitals will be used by regulatory bodies and judges later on, as a guideline.
But they are not law. The law says anyone "in the Union".
That law says if you offer service or goods to anyone or monitor them while they are in the EU. It does not say "anyone in the EU" as people you aren't offering services or goods to and you aren't monitoring are not included.
Afaict from summaries on court cases in germany, "offering goods or services" definitely means you have to have more than accidental contact with EU customers. Monitoring is hopefully obvious.
That doesn't feel wholesome to me. I'm a software engineer in the US. I don't know German case law or if German case law can/will be used in, say, Spain.
The law says anyone in the EU (or is it EEA?) that you're interacting with.
Article 3:
> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(This also seems to mean a forum with no monetary value at all, but that's another issue.)
A forum with a few european users obviously goes beyond incidental contact.
The thing is, if you want to do business in the EU, you better know the legal system there. The US forces people in the EU to adhere to their legal system all the time.
> It's possible I've targeted no one by location or nationality.
It's not about targeting but about offering services to people in the EU. A silly forum that has a few EU users is beyond incidental/accidental contact and will have to adhere to the EU laws.
A silly forum may not be a business but atleast under german law it can be classified as business-like or otherwise commercial even if you don't make any money on it.
This is the problem. We've went from one guy's "It's a non-commercial entity that has incidental EU users" to your "It's a business-like entity that has beyond incidental contact" with the same facts. They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!
Business-like and non-commercial are not mutually exclusive.
Atleast under german law, you are business-like if you offer a website beyond personal interest (ie, a webpage about you, your family or your hobby). A forum is certainly business-like.
The same forum can still be non-commercial, you don't have to make any money to fall under business-like.
In total, a non-commercial entity, which is business-like, and has more than incidental EU users will fall under GDPR.
>They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!
I'm sorry, the US made extraterritorial laws that require US cultural context to interpret correctly. You don't get any special treatment here.
EU people can buy my courses. And maybe once per year someone does. Does that mean I should shut off access to EU billing addresses or even EU visitors?
No, if all the data you keep around from EU visitors is strictly for the conduction of business or a legal requirement (taxes for example) then you don't need to do anything (maybe add a text that you do save these things for business purposes). Once the data is no longer needed you should delete it within a certain timeframe (a month or so).
If you save data beyond what is strictly necessary to conduct business, like doing analytics, then you will need to ask your EU users if they are OK with that. If you don't want to do that you can simply exclude EU users from any analytics.
So, in practice this probably means that google analytics, woocommerce, etc will come up with some compliance box and I should enable it for the EU region I'm guessing.
Or exclude them from google analytics. Wouldn't be a giant effect.
Sure, but isn't that a huge chunk of the web. Full of small games, services and tools that are only used by a handful of people, but those people enjoyed that thing. Just because it's niche doesn't mean it's useless. Just because Facebook has 10 orders of magnitude more users doesn't mean it's 10 orders of magnitude more useful.
There are plenty of devs out there who were running things probably at a loss, but for the sake of their community and users. Sure a few bug fixes here and there was a pain, but it was so small that it was worth it to make a couple people happy. Now they have one big reason to not keep it up.
A house seems like a good analogy... if the owner isn't willing to do maintenance, he'll probably fence it of to avoid fines and liability. A local group might loose their meeting spot, but we still usually consider it worth it.
Our dependency on services that will go away is a problem, but I'd prefer we'd search for different ways to preserve software once unmaintained. Government requires authors to send a few copies of books&newspapers to libraries... maybe something like that with source code?
Here's the thing: if you already cared about your users' privacy and security, and had some level of common decency in your approach to users, none of this is a big deal or indeed different to what you'd already be doing.
The gdpr is ill-specified for starters. The commentary conflicts with the law itself, and the law makes it nearly impossible to know if you're dealing with a gdpr data subject.
I firmly believe that companies need to protect their data better as the consequences of loss aren't shouldered by them, which the gdpr says nothing about.
I also firmly believe that it's their data. When I send data to another machine, I was never under the impression that said information was mine. I was never under the impression that anything I have on Facebook was ever or will ever be private. I consider order information vital information _of the company_. When I choose to load thea Google analytics tracker, I have no notion that I own that tracking information.
Splitting basic infrastructure like backups and logs by customer or introducing a whole system of flimsy cryptography to support that is no where near reasonable and well beyond common decency.
Explaining all uses of data and why decisions are made isn't common decency. Again, I sent you my data, it is now the server's/company's. I expect them to do what they will with it.
The gdpr is well intentioned, but ultimately nothing more than toxic smoke and carnavel mirrors. It is an underspecified mess and burden creating the notion that you can renege on data you send someone else.
Unless the owner is doing something shady (or just doesn't understand the GDPR), the issue is pretty clear.
He's running an unprofitable business (by his own admission), and likely is running it as some sort of sole proprietorship and doesn't want to take the risk on himself.
The solution is to create a company so that the company can shoulder most of the risk so the company goes bankrupt in the event he finds himself unwilling to comply with regulatory requests.
I'm guessing he just doesn't want to dump any more money into a failing project, which is his decision to make.
Is this a failure of the GDPR though, or a success?
Personally I think fly-by-night websites should be the last people responsible for handling personal data. If they're unwilling to attempt to comply with regulations, then perhaps the internet is a better place without these sites.
While creating a company does shield you from some level of personal liability, you're (a) still exposed to directors' duties and similar obligations that attach to a director personally, and (b) still at risk of having your name attached to a company that has gone into liquidation.
In the US, as a sort of general non-lawyerly rule of thumb, incorporation shields owners from contract liability, but not from tort liability, which is what they'd face from GDPR screwups.
Depends on the screwup. If he were directly involved in doing something malicious or extremely negligent towards his customers he could be liable. If he can't trust himself not to be in this category though, I would argue that shutting down is still the desired result.
I think there's stigma around GDPR among some entrepreneurs because of a complete refusal from some people to see personal data as something they need to treat carefully.
Let's look at an alternate universe for a moment, where online shopping developed with very barebones regulations, PCI-DSS isn't a thing and fraud is far more rampant. Now the EU introduces new regulations much like PCI-DSS with heavy fines attached to it.
Suddenly you would have every small business coming out of the woodwork, claiming PCI compliance is a huge hassle, the fines are unreasonable, etc. Yeah, PCI compliance is a hassle (which is why we have companies such as Stripe taking care of it for you). But to protect and empower the users, it's needed. This isn't about your business, it's about your users and how they can, today thanks to PCI-DSS, generally trust that their credit card is safe to enter online (which is a net good for any industry that needs online payments).
But that universe is crazy because, who wouldn't treat credit card numbers as extremely sensitive data? Well, many companies who today aren't actually PCI-DSS compliant. Sometimes devs just don't know why, when or even how to encrypt the data and nobody audits that until there's a breach.
So my opinion is this is a success of GDPR. Clearly nobody in this comment section thinks the person in question would really have had a hard time complying with it, and probably wanted to shut down anyway. Either its users are better off because the service is a data vampire that doesn't care about compliance, or it's a no-op because it would have shut down either way. Make room for competition that does care, I'm all for that.
> PCI-DSS isn't a thing and fraud is far more rampant. Now the EU introduces new regulations much like PCI-DSS with heavy fines attached to it.
That would be amazing! Then we'd actually have to adopt a push-based or one-time-use transaction model, rather than living under the fantasy (disproven on a daily basis) that merchants should be in the business of keeping secrets, or are even capable of it. It's hard for me to take anything someone says seriously after they express admiration for the credit card number security model.
The point of your post was that companies should treat all data like credit numbers. The point of my post is that the need for a large number of parties to keep secrets is indicative of a fundamental design issue, not a caller for stricter secret-keeping standards.
I've not expressed any particular admiration towards PCI-DSS (and if you perceived any, I didn't mean to give that impression). Furthermore, the point of my post was certainly not to treat PII/Pseudo-PII like credit card numbers.
Payment card data is secret information, that's a given of the industry. If you disagree with that, I welcome you to share your credit cards in a reply here. Is it a design flaw? Yeah, you could say that; there's much better models and PSD2 will fix many things (not all) at the core of your complaints.
In the mean time, having to treat credit card numbers as highly sensitive is a fact of life, and when you're trying to protect users, you have to be pragmatic, you can't live in an ideal world with theoretical technology; you have to regulate what's there.
The GDPR's definition of PII is broad and contains many things which aren't secrets. I can tell you my full name, it's easy to figure it out from my profile, that's not a secret but it's still PII and GDPR asks that you treat it as such. Same for usernames, which are most often publicly visible on websites.
GDPR, more than dictating what you should encrypt, gives the users a set of rights over a class of data they share with companies in order to give (european) users more trust and comfort when choosing whether to share data with those companies. Things like "I should be able to know what a company has on me, and I should be able to download it and delete it".
I can't tell you the number of websites I've seen that don't let you delete accounts properly. That don't let you edit your real name (even if you get married or you legally change it!). That don't allow you any insight into where your email address ends up after you sign up with it. This is the problem that GDPR is trying to solve.
>In the mean time, having to treat credit card numbers as highly sensitive is a fact of life
It's a fact of life because the payment card industry found a legal way to externalize the risk of its idiotic architecture onto others. The networks are as motivated as can be to continue having transactions to intermediate, and had the technology for what I describe 20+ years ago. Smart cards are a 1990s technology. (Magstripes are a 1960s technology). They continue to drag their feet on the migration because we've made it cheaper to implement "security" through the legal system. Fraud losses are low enough for the industry to prefer the status quo, but high enough that credit card fraud is still a fact of life, because we have allowed it to create liability around data security.
> I can't tell you the number of websites I've seen that don't let you delete accounts properly.
So? Why should you be able to delete an account?
> That don't let you edit your real name (even if you get married or you legally change it!).
This seems like an issue for the company and one they should fix for their own good, not yours.
> That don't allow you any insight into where your email address ends up after you sign up with it.
I also don't have control over who my friends give my email or phone number out to, or if they sign up for facebook and facebook slurps that data (even if facebook becomes 100% truly gdpr compliant which I doubt they will even if they claim it). Why should I be able to control what other people do with something I gave them? If they breach my trust, maybe I should look elsewhere.
>If they're unwilling to attempt to comply with regulations
This is an obtuse, bordering on malicious misreading of the post. They're not unwilling to implement the necessary features. They're unwilling to shoulder the risk.
> Personally I think fly-by-night websites should be the last people responsible for handling personal data. If they're unwilling to attempt to comply with regulations, then perhaps the internet is a better place without these sites.
This isn't a data broker, a credit reporting agency, someone with a giant sensor fleet, etc. It's extremely straightforward to not share data with a "fly-by-night" website like this.
Yes, they're unwilling to shoulder the risk.. so why should they get to keep people's data? Because it's a small operation? Because the owner doesn't have time to secure it?
Yeah, it's extremely easy to not share your data with them.. if you know they don't care about protecting it.. But what about all of the other people on the internet that don't know this guy doesn't care about your privacy?
Convincing businesses to take your personal data seriously is the whole point, and you shouldn't get a free pass just because you only handle people's personal data in your spare time.
> But what about all of the other people on the internet that don't know this guy doesn't care about your privacy?
Governments confront problems with this general shape all the time... the result is usually labeling requirements. Sure, this guy should not be allowed to claim he has a crack team of elite cybersecurity engineers when he doesn't. Regardless, no one is asking him keep secrets for them. It's a niche Craigslist.
>Because it's a small operation?
You're actively campaigning to degrade privacy (and also user freedom, competition, and choice) to a much greater degree by displacing these activities onto large, centralized platforms. Especially those which are monetizing your data to a high enough degree that it's worthwhile to staff a compliance team for the privilege of continuing to do so.
Voluntary or not, there are some rights that you cannot give up to someone else. In Europe, one of those rights is control over your own personal information.
There's also the issue of information symmetry. Just because I voluntarily bought your product doesn't mean that you should be 100% free from any liability that it may cause.
>In Europe, one of those rights is control over your own personal information.
If that were true, you would not be able to post this comment (the most highly sensitive category of personal data, political views) in a public forum.
If you do not see the differences between collecting PII, and communicating your opinion in public, I'm not sure that a good faith discussion is possible.
But if it's all the same, would you mind sharing your credit card numbers, SSN, and date of birth? I won't leak it, pinky swear.
I don't control the money I hand over to my bank, but short of complete societal collapse, Mad Max style, it will be used, and accessible in ways that are very clearly defined. It's not just going to dissapear to the Bahamas one day.
And if the bank decides to break that agreement and run off with the cash (Or just lose it), there exists a regulatory framework that will resolve 99% of these sorts of issues.
This is also where GDPR is at. Without it, in theory, you have a shrinkwrap tl;dr agreeement with the service, but in practice, they can do whatever they want with your data, with no repercussions.
See: Facebook and CA. Facebook misused my data (Because my friends opted in to sharing it), CA misused my data (Because they weren't even supposed to be given access to it), and the outcome? Nothing of consequence.
GDPR does three things:
1. It makes those repercussions have teeth.
2. It makes sure that you give informed consent to use of your data. (Unsurprisingly, similar laws exist for banks!)
3. It clarifies what has to happen when you stop being a user of a service. (Prior to it, de-facto, your data would be opted into whatever changes of the data usage policy the service made - regardless of whether or not you still had an active account, whether you agreed with the ToS, etc. If you deleted your Facebook account, you had zero leverage of how your data would be used.)
Yes, and as banks are repositories of money (sort of like Dropbox and iCloud are repositories of personal data) that makes sense. But banks are not the only institutions authorized to possess money.
Even at a bank, if you open a joint account (enable sharing) and the other person absconds with the contents, you’re out of luck.
GDPR is a sham. It's a ham-fisted attempt to protect citizens data (which is mostly unimportant even if leaked) due to the transgressions of a few corporate behemoths. In the end it only serves to solidify the market position of said behemoths as it adds another barrier to entry for small innovative startups that are already difficult enough to start without this bs. My main worry related to GDPR is that once implemented it will be near impossible to reverse once we see what a total clusterfuck it actually is.
They said, as their primary point "make a C-corp (or equivalent) so you don't have to pay if you are wrong". That solves the risk problem, unless you think they have positive equity.
Will a court pierce the corporate veil of a single-member company for a GDPR fine? Doesn't seem outside the realm of possibility, but what single-member company has the resources to a pay a lawyer to find out?
> This is an obtuse, bordering on malicious misreading of the post. They're not unwilling to implement the necessary features. They're unwilling to shoulder the risk.
I think your reading of the comment you're replying to is itself obtuse, bordering on malicious. They clearly understood that the core issue with GDPR for the OP is risk, and suggested a reasonable solution to address it:
> The solution is to create a company so that the company can shoulder most of the risk
Further:
> It's extremely straightforward to not share data with a "fly-by-night" website like this.
Not if you're using the site. The €20 million fine OP is worried about is only triggered in case of an actual leak of personal data. If you're seriously worried that you might end up leaking personal data, maybe you shouldn't be storing it to start with?
The fines are imposed by the government; in the UK that means the ICO. They cannot be levied as the result of a lawsuit brought by private parties. The ICO also has discretion when levying fines, and they've stressed repeatedly they will not be reaching for maximum penalties.
GDPR offers the prospect of big fines if you screw up badly enough. It also is likely to lead to a lot of lawsuits. But there are totally separate issues, and cannot be conflated as you are doing.
OP might get sued. And he might get fined for €20 million (although realistically...no, of course not). But he won't get sued for €20 million.
> The fine is the bait that draws the true threat.
That's simply incorrect. You're looking at a normal civil case, with normal damages.
We started out talking about the risk of an opportunistic civil suit filed by a law firm working on a contingency basis seeking a €2m payout; now that we've established that isn't possible, we're talking about the risk of an actual fine for breaking an actual law levied by an actual regulator (who is on record as saying that large fines would be a weapon of last resort in the most extreme cases).
So other than the risk being much lower, the likely penalties much lower, the chance of an unfair outcome being much lower, and the incentives and mechanisms being completely different...
sounds like you are willing to eliminate hobby websites and nights and weekends startups, forcing every new idea to incorporate first. that's the sort of thing that the internet was supposed to route around.
Pretty much any start up starts out as a "fly-by-night website". Maybe this guy's just an idiot, but regulations like this harm small businesses and innovation. You can debate the merit of them, but this is what they cost.
You're being downvoted unfairly. It is what they cost. Those costs can be mitigated though; there's a lot of businesses that make it their goal to solve regulations for small startups.
The question is more on the side of, is the cost worth it? A good and much longer-running example of this is in the medical industry. There are massive regulations around development of new drugs and treatments. Massive regulations around experimentation on humans. This stifles innovation and prevents potentially life-changing drugs from making it to the market faster, or sometimes ever. It also prevents a lot of other things, such as crackpots from entering the mass market and selling poison as an anti-aging drug.
Is it worth it? There's still debate about this today, especially when promising cancer treatments are taking years/decades to reach the market (=> how many lives are lost during that time? What's the tradeoff for someone who is terminally ill anyway? etc). I'm not nearly informed enough to pick a side in that debate, but it goes to show it's not necessarily a bad thing for "fly by night websites" to be heavily impacted by regulations like these.
> Those costs can be mitigated though; there's a lot of businesses that make it their goal to solve regulations for small startups.
Part of my concern is that in order for those regulation-solving businesses to have a working business model, they can't just support every stack under the Sun. Instead, you'll get something like GDPR for Azure™ — which means that it'll be that much more expensive for a startup using an outside-the-box stack to get started.
That's the point of a lot of regulation, really: to insulate firms which already exist from disruption.
The difference here is that the GDPR is widely believed to be aimed at Facebook, Google, and friends, and those companies are a threat to privacy partly because of the enormous scale of their data collection in addition to the intrinsically private nature of the data itself.
The question, then, is whether a small "business" that's closer to a charity or a resume padder needs to be regulated in the same way as Facebook when it doesn't collect data on the same scale. I don't think this applies to medical startups, where human lives are at the same risk regardless of how many customers are using the tech.
Have there been any exemptions for smaller businesses? If not, it seems pretty clear the GDPR is targeted at them too.
The online ad-tech industry is pretty fragmented [1] and widespread data-sharing would certainly be a problem even without the larger companies. It's not like Google or Facebook invented it; this goes back to nearly the beginning of the web. And the offline component goes back even further.
You're spot on with your observation in the medical industry. I've been researching stem cell treatment for a condition i have and the impact regulations (which i fully support btw) have had is that now there are a bunch of hucksters and a bunch of legit businesses offering stem cell treatments and it is practically impossible to separate the two. Despite being well versed in reading scientific papers and internet research in general it is impossible for me to separate fact from fiction. Added to that there is also a significant number of people spreading FUD which adds unwanted noise not only in the marketing side but also on the flip side making it all the more difficult to decipher the landscape.
Related to GDPR i can definitely see a similar situation developing where large entrenched player leverage it to gain an unfair competitive advantage against startups who could threaten then in their market, using the same FUD tactics. This is a silent killer which will wipe out grass roots innovation in Europe.
I get what you’re saying, but I’m not sure it’s fair to compare PII management to the medical industry. Personally I think the new regulations are rather ham fisted, with so many edge cases that it looks more like a denial of reality than an attempt to regulate it.
I also think it’s going to be pretty harmful to startups, and that we’ll see more businesses just trying to avoid Europe at all costs. Regulation like this can either be easy to comply with, or they can be effective, you can’t really have both at the same time. Even then it just boils down to the old tension between security and compliance. I work with a lot of PCI orgs, all of them have AoCs, very few of them are actually what I would view as compliant. They all managed to satisfy the box checkers, but the DSS doesn’t do much to protect the consumers in most situations. The reality is that the DSS is just a mechanism of shifting accountability around, which is what I see the GDPR as. A bunch of politicians using poorly written regulations to shift accountability on to the market.
The medical industry is a decent analogy though. Highly regulated, high barrier to entry. Which is bad. Overall though, probably better than a free-for-all (e.g. Theranos), as we've learned from several millennia of humans being awful or incompetent.
God forbid we try and apply some of those ethics to IT. (Europe is big on privacy, again a somewhat hard-learned lesson.)
Except that approach ignores the nature of risk. The impact of getting a drug wrong is catastrophic, the impact of disclosing some PII is far less. This impact also decreases proportional to the size of the organisation, unlike the regulatory burden.
To compare PII to medicine is trying to invoke an emotional reaction, not a reasoned one. I don’t think this regulation is well designed at all, I don’t even think it’s going to achieve half of what it’s trying to do. But it will achieve increases compliance costs to pretty much every company, costs that will put startups at a serious disadvantage to established companies. Europe thinks they’ll have some protection by claiming every company in the world must comply, but only time will tell how that will work out for them.
First, European law works differently, and the way we write laws is different. You can't interpret them in the context of the US law system, where everything must be ultra-explicit and overworked. Also, only regulators can levy the fines/sanctions, they don't result from law suits from individuals.
Second, Europeans take privacy serious, and it's a right for us, similar to free speech in America. Also, while not as bad as some medical risks, identity theft is not fun. But, yeah, the risks are different, and the GDPR is pretty mild compared to medical laws, no? I mean in Europe, you can't advertise prescription drugs.
Third, Europe is not claiming every company in the world must comply.
But if you're mad at governments overreaching, maybe you could sort out the requirements FATCA/US tax law puts on foreign banks, or the US attempting to extradite "cyber criminals" before you get to the GDPR?
I am not personally the federal government of the US, so I’m not sure why you’re directing that whataboutism at me. However, comparing identity theft to death or permanent disability is not equivalent no matter which way you look at it.
In any case, none of that responds to any of the points I made. The EU does think this regulation applies to every company in the world (unless you can somehow prove you don’t handle any EU data subjects data - which almost no company could do). One of the reasons being that they don’t want to only hamstring European company’s with it, as that would be a very poor strategic move for their markets. How enforceable this ends up being is entirely unknown at this point, and you can bet there’ll be a lot of legal challenges ahead regarding this.
I'm making the point government "overreach" or whatever you feel it is happens daily, and IMO, GDPR is the least inappropriate of those.
I would imagine it's incredibly easy for many US companies, like e.g. a restaurant or a tire-repair shop to prove they don't explicitly go after EU subjects.
Since I was elaborating on how the EU and EU nationals feel like the GDPR is appropriate in addressing the risk of privacy violations - which part of that did you feel like didn't address your comment of "Except that approach ignores the nature of risk"?
I think you’ve misunderstood how GDPR works. If you handle the PII of a single EU data subject, then you are in scope for it, regardless of whether you intentionally solicit EU customers or not. Even a small restaurant or auto shop is likely to have a mailing list, or a CRM, or other records containing PII. It would be almost impossible to prove they don’t have a single piece of EU PII.
This does completely ignore the nature of risk, because it does not consider impact at all, which traditionally accounts for 50% of total magnitude. A SaaS company with 50 customers has to comply with exactly the same set of regulations as Google does, and faces €20,000,000 fines, regardless of the fact that the small company poses a quantifiably smaller risk to PII. There’s also an argument to be made that the small company is less likely to become the target of a sophisticated attack, as an adversary is much less likely to invest huge amounts of effort into breaching a small set of PII.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
So it's simply not true that "you are in scope for it, regardless of whether you intentionally solicit EU customers or not." I could continue, but I suggest you actually read it if you're going to argue about it.
So spare me with all this "risk" bollocks. You're just another person willfully misunderstanding our laws, and spreading FUD to try and impose your culture and your rules on our society.
"Failing" seems a bit harsh. Lots of people run websites that don't make money, and lots of users get value from such sites. Sometimes the operator still hopes to gain from the site (in publicity or whatever), or sometimes it's just a gift.
The GDPR just made that gift more expensive. If he's not doing anything deliberately shady, then the probability that he'll get fined is small; but a small probability times 20M EUR is still a big number.
Maybe I don't understand the GDPR well enough, but the statutory fines seem insane to me. Why do you think 20M EUR is the right number here? Or am I missing details of the law (the law, not how you expect it will be enforced) that mean his actual maximum liability is smaller? Do you just have extraordinary confidence in the regulators to "do the right thing", and thus no qualms about giving them the legal authority to ruin his life?
Perhaps it was unintended to increase the potential burden of monetary cost to running services that were created and provided as hobbies or otherwise as a goodwill gesture to others. Or maybe the regulators didn't care to consider the impact on such services. Or maybe ...
Regardless, thanks to regulators and data/service silos the web we once new or dreamed of is fading from reality. With just the silos to contend with such services could hitherto continue to exist with little concern for the actions of the behemoths; but now such an existence is threatened by regulatory concerns which blanket all regardless of their role and activity.
The owner is just focusing on their startup, as they should be. It's up to the owner to decide their tolerance of risk against regulations which hold them to account.
A defensive piece you've made completely misunderstands how a business works in terms of the decisions made regarding risk, especially to an individual who lacks bandwidth/resources.
According to your post, you only expect well endowed individuals/large businesses to be compliant, which is precisely the problem.
When I was reading about the GDPR today, I read that email address and IP are considered private data as well. This means any website with an email login or subscription or that even logs hits with the request IP must take action.
I fully support protection against physical locations and personal information (name, address, etc), but to include email and IP address seems a little excessive.
Friend works in data law and says that it's ambiguous. One of the problems is that people use personal information in their email. Also, you have no idea if it's actually personal information or just a nickname they've given themselves. For these reasons it looks unlikely that emails will be considered personally identifiable information.
That's unlikely to be true. And people are stupid, and will use their email address - just look at e.g. the Ashley Madison hack. So for most people, it's personal information, and the law will probably treat it as such.
I get and somewhat agree with your point, but on the flipside, excluding certain types of data means that companies will focus on abusing them to skirt regulations. I can see why they just went all-in on the types of data that are considered PII, because in different contexts, different data are possibly PII.
It's not a perfect solution, but I'm not sure there is one.
Kinda weird that the whole post is an advertisement for the website which is anyways shutting down, but contains no explanation for WHY the regulations aren't feasible to implement.
Have you actually looked at GDPR? It's virtually infeasible for any small company to adhere to, based on the decades worth of software that we've built the world's economy around. Logs, databases, backup systems, analytics, metrics, sign in systems, e-commerce systems, fundamental algorithms were all built without any concept of users being able to legally claw back their data. Actually implementing this stuff in the real world is a fucking nightmare. It means rebuilding your entire stack if you actually intend to comply with the laws to their fullest extent. And even then, someone can hire a lawyer and sue you, which then burdens you as you struggle to prove your compliance, wasting valuable time and resources for someone who didn't have the forethought to decide ahead of time if they wanted you to have access to their data or not.
Cool, looking forward to the magical solutions people come up with for performing full text search on encrypted PII, lest you get sued for $10M for keeping someone's name in your database that they willingly handed over to you.
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops.
Disregarding the "hoops" -- shouldn't this 4% go entirely to the affected users? I thought this was meant to protect the users. Seems like a cash-grab by the government. Can someone make a good argument as to why the fines should be paid to a third party (the state) when this issue is between the service provider and the customers?
The only thing I can think of is that the state is the only entity which can enforce the new rights, meaning they get paid for violations of the rights. Still, if someone threatens the integrity and privacy of your data, shouldn't the damages be paid to you?
Much like class action lawsuits, the end user doesn't make much. The lawyers or the state, which go to great expense may recover their expenses, or they may not. The largepunitive fine is to prevent the suits from ever happening in the first place.
> [...]Can someone make a good argument as to
> why the fines should be paid to a third
> party (the state) when this issue is between
> the service provider and the customers?[...]
The same reason you pay speeding tickets to the
state instead of personally to each person living
on the street you sped on, or who could otherwise
have been directly affected by that specific
occurrence of speeding. Or the same reason health
inspection fines for restaurants in the US are
paid to the city or state, not everyone who's ever
visited the restaurant.
There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated, where are you getting that idea from?
> pay speeding tickets to the state instead of personally to each person living on the street you sped on
Roads are usually state-owned property, whereas your personal information is your property, right? If Alice mishandles Bob's property, why is Charlie getting paid for it?
> There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated
Why not? The site-customer relationship is the only relevant one here. What prevents a profitable, large-scale data mining company from simply accepting the Max(4%,$20m) = 4% tax for mishandling data?
A $20m dollar fine would surely deter smaller actors, but the 4% fine doesn't seem like a deterrent for large-scale data-mining operations, which can be incredibly lucrative. For example, if Facebook had the choice between not using the data and making $60b per year, versus using the data and making $90b - .04 x $30b, wouldn't they accept the tax and continue using the data? If this is the case, I don't see GDPR making a big difference if the highest-market-share companies can "get away" with paying the fee.
This would increase the gap of viable profit models between smaller and larger companies, at the sole benefit of the state, with little, if any, benefit for the victims (the users). Of course, I am assuming that there is no criminal penalty for noncompliance. The government might think: why impose a criminal penalty if the state can simply tax large corporations for the mountains of profit they are making off of insights from personal data?
I think your questions come down to general European v.s. US
jurisprudence.
> If Alice mishandles Bob's property,
> why is Charlie getting paid for it?
If Alice and Bob both join Fight Club and have a consensual fight and
one of them dies, even in the US the survivor will be charged by the state for
that.
The reason is that certain violations aren't simply seen as
person-to-person violations, but disturbances of the general order
that have ripple effects on the rest of society.
European countries in general are more prone to seeing something like
the violation of business law as being a crime against the state, not
just a violation of the specific people who were victims in that
specific instance.
It has upsides and downsides, but I think in general it's better than
the US system. American companies tend to have to worry about
compliance with regulators and the possibility of huge payouts from
court cases filed by individuals. If you have a small company and
screw something up (but not much more than other companies in general)
you can go bankrupt mainly due to bad luck.
In Europe companies tend to mostly have to worry about just the
regulators and the state, except in cases of gross negligence, which
makes it easier to predict when you need to be compliant etc.
There's also the practical matter that the state has a lot more
leverage against the likes of Facebook and can exercise collective
bargaining. You can see how well this "your personal information is
your property" idea is going in the US with the likes of Equifax,
Facebook etc. In practice the little guy just has to eat the TOS of
these services and doesn't have anything like a property right over
his information.
As to your question of whether some companies will simply eat the 4%
fine. We'll see, but that's a topic unrelated to who the fine is being
paid to.
If some company like Facebook were to publicly flaunt the GDPR you can
bet they'll find something else to charge them with. The GDPR isn't
the only privacy regulation in effect, there's also various national
regulations that could be brought to bear. The threat of the 4% fine
is mainly intended as a big stick to bring companies into compliance.
GDPR is having a massive chilling affect at my job as well. I think some brand new web frameworks need to be born that focus on compliance. It feels like a solid opening to me to get some new ideas out.
I went to a conference recently and attempted to have a discussion about GDPR. Two other people showed up, none of whom had not done any research into the issue at all.
My fear is that patent-lawyer-style firms will start aggressively blackmailing companies for "settlements" or they will begin tons of GDPR-based violations aimed at your business.
I'm not sure "needless" is the right word here. Even if you think this law is bad, there is clearly a need for data privacy and protection laws.
People's reaction to their data being scooped up by Cambridge Analytica just because a facebook friend did a survey proves the need. What CA did was probably legal, but in most people's minds should not have been legal.
> there is clearly a need for data privacy and protection laws
Is there? What if people just accepted responsibility for carelessly handing out information to third parties? Certainly there is much more individuals can do to protect themselves before the government steps in and slaughters small business like the EU did.
> but in most people's minds should not have been legal
Do people think a company selling user data to another company should be illegal? Or are most people more concerned with the relation said company has with Russia, and their potential involvement in influencing the US election? I think it's the latter. And certainly there should be laws about data transactions involving the state's democratic security.
if your business isn’t viable without respecting some basic privacy rules, you should not be in business - big or small.
> What if people just accepted responsibility for carelessly handing out information to third parties?
Without being legally compelled to, few companies have been forthcoming about providing users with information about what they are disclosing and when. Consent is being given, but not informed consent.
> People's reaction to their data being scooped up by Cambridge Analytica just because a facebook friend did a survey proves the need. What CA did was probably legal, but in most people's minds should not have been legal.
It's not _their_ data. This is the part that drives me nuts. When you give something to facebook, it's no longer yours and you loose control of it. It's like this for _everything_. That nude you send your SO? It's out of your control. That nude your SO took of you? It's even less in your control.
If you don't have a service agreement with someone, it's not your data. It will never be your data. Stop pretending.
It's dangerous to let people think they control data they hand to other people. They don't. They never will. Why perpetuate the illusion?
And yet we have “revenge porn” laws that say there are things your SO can and cannot do with that photo.
If I put my money in the bank, that does not actually make it the bank’s money. They have the right to do things with it - invest it, loan it, but there is an agreement that it has not been perminantly given. That agreement is backed by consumer protection, insurance, etc. and the bank, no matter how much they would like to, can’t make me sign a EULA that makes my deposits theirs.
> And yet we have “revenge porn” laws that say there are things your SO can and cannot do with that photo.
Which are mainly extensions of harassment law (again, not something you control, but a penalty after action).
> If I put my money in the bank, that does not actually make it the bank’s money.
You also have an agreement with the bank as such. If I just gave it to some guy on the corner (or PayPal) then, you know, whatever is just as possible.
> not something you control, but a penalty after action
I’m fine with punishing companies after they violate data protection/privacy laws.
> You also have an agreement with the bank as such
I’ve not read many bank agreements but I don’t believe they say anything like “the bank can’t take my money to the casino and put it all on black”. Yet if they do that they’ve broken the law.
I wonder if I take data from facebook, download video from youtube, or rip a movie from some streaming service, would you also say that the content is mine now?
Is there any kind of blanket CYA waiver that we can put on sign-up pages like "if you're an EU citizen, sorry you can't use this site because GDPR. Definitely don't click 'sign up' below anyway" ? What is the opt-out criteria for a site?
That is a false choice. According to that, you A) love this law or B) exist only to profit off tracking pixels and JavaScript beacons mwa he ha
Or it could be the people running 100-user-or-less sites are trying to see if they can just leave their sites up, ignore the "oh yeah, well your web server has IP addresses in your LOGS doesn't it!? Well guess what, OUR logs show an EU IP address, so you know what the letter of the law let's us do? €20 million fine, you data slurping fiend!!" frivolous lawsuits in hopes of keeping their little side project which while (maybe) technically noncompliant, aren't actually using the data for those nefarious purposes, only DDoS and spam mitigations.
Here's an even dumber question. If you don't live in the EU and your site is not hosted there, do they have any legal power to get to you? What is the worst case scenario if you don't respond and don't pay any fines? Will they block your site from the EU or get your provider to take it down? What kind of power do they have to come at you?
No, waivers don't make personal data of EU disappear. Just like you can't put a waiver on front of a restaurant and start poisoning people with in unhygienic food, you also can't just waiver yourself away from being responsible with users data.
Regulation always has unintended consequences. This is an example of it. Although they mean well regulation never accomplishes its goal and restricts the freedom of many.
> Although they mean well regulation never accomplishes its goal
Yeah man, that's why we have the safest cars and airplanes in history, because of the free market, not because of regulations. I'm sure that United Airlines, who literally dragged a passenger from their airplane, would have invested a ton in passenger safety if not forced by regulators.
Sarcasm aside, laws do work. There's a reason the most developed countries in the world have a very strong legal system. You give up a bit of freedom (which is a bit of an obsession for Americans) in exchange for a lot of protection from various nasty things people do to each other. As a result you sleep better and you get the side benefit of a special brand of freedom: freedom from fear from your fellow human beings, from their arbitrary whims (to a reasonable degree). Unregulated societies look like Somalia. Trust me, you wouldn't like that brand of freedom ;)
1,168 comments
[ 4.0 ms ] story [ 426 ms ] threadI really don't see how this is the case. A small website will be going after product market fit, then they can scale and do compliance. Not adhering to GDPR means your websites can always become compliant later.
To put it another way, Facebook and Google started in the US. Any founder in the EU might consider moving to the US first, getting product market fit before worrying about GDPR compliance, then get compliance once you know your product is good and you aren't just throwing that work away.
The only way to avoid the GDPR is to not hold personal identifying information on any EU citizens or EU residents.
No, you do not have to comply if you're outside of the EU's jurisdiction. They can only hit you if you've got business in the EU that they can directly touch. Facebook, Google, etc. are aggressively complying because they want to continue making money in the EU.
They'll have to overrule eg US or Chinese jurisdiction to force outside companies to comply with GDPR.
How exactly do they intend to force compliance upon the two global superpowers with $34 trillion in economic output? It's laughable. US Federal courts will bury any attempts by the EU to legislate US laws/regulations on these matters.
If I'm a US service/site, I do no business in the EU, and I store information from EU residents on my servers in the US, the EU can't force me to comply with GDPR. They have no means to force that compliance, and to overrule or dictate US domestic laws. The EU doesn't govern the world's laws, if they didn't already realize that they're about to discover it.
As a counter example. A US-based service I'm building now, will have zero business dealings with the EU, although it may store EU resident data (people that sign up that are from the EU). I have no concern about complying any time soon. I may choose to never comply, as I doubt I'll be drawing revenue from the EU. It's about the last thing on my list of things to worry about (GDPR, not user privacy in general).
[1]: https://ec.europa.eu/info/law/law-topic/data-protection/data...
> The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
[2]: https://ec.europa.eu/info/law/law-topic/data-protection/data...
I agree unless you have business in EU it's not really worth worrying about it... And even with business in EU, depending on how much of a hassle it would be to overhaul everything, an underconsidered option in all the panicked headless running about is just to have code branches that don't collect any data if the context is EU. Overhaul only what's needed for business, but no need to run around fixing all the other data vacuuming / data laziness going on just yet.
(It's possible decent companies will not limit GDPR provisions though.)
2. The GDPR is already law, it just had a 2 year delay before it fully came in to force
- "[GDPR] creates uncertainty and risk" -- which?
- "fines of 4% of turnover or €20 million (whichever is higher)" -- as if a small infraction is going to get the maximum punishment. He can't be serious here.
- "ambiguously-defined hoops" -- which requirements are ambiguous?
- "parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting" -- if you ever needed one of those companies (I did unfortunately), you'd know that someone always ends up paying the lawyers. Either the sued company or the client. It's definitely not risk-free for the client.
- "this new EU law hurts small and ethical startups" -- what clause of GDPR would ethical startups run afoul of anyway? It's aimed at unethical ones. And as for "small", then you can't get a big fine anyway right? At least, unless you intentionally cause big damages, I don't see how a small firm like this could unintentionally cause such big damages that large fines are in order.
So it's not answered. And I am still wondering what part of GDPR he doesn't already comply with in the website's current form, as the Dutch "WBP" from 2001 required 95% the same things. I assume the UK generally has somewhat similar laws.
Another potential violation would be asking a users age(like asking their birthday), but not needing their age for the operation of the service.
It is currently unclear how rigorously GDPR will be enforced. In the extreme case of rigorous enforcement nearly all current server/frameworks would cause violations by default and would need to be overhauled.
There are a bunch of other examples in the comments that are likely violations for the site as well. It is unclear how many of these apply since it is unclear how the GDPR will be enforced.
In theory, in the US this could be driven by COPPA, but I havn't seen a birthday asked for that reason in a long time. It also wouldn't be a reason to store it, only to ask and process ephemerally. I believe it's also common in the US for alcohol-related websites to ask age, although that could be misguided, it is common. Again, not a reason to store, but to ask.
Storing the value, rather than ephemerally processing it, is a matter of convenience so you do not have to ask your authenticated user to re-input their age/birthday/<are you an adult> all of the time.
That said it seems unlikely that a regulator would come down hard on a data processor that stored a date vs storing a boolean value.
If the user then decides NOT to share their location or want their data deleted entirely, then the as long as the site stops sharing their location or removes their data completely (within 30 days), then they are still GDPR compliant, AFAIK.
EDIT: Sounds to me like a side project started getting a little unwieldy or had too much technical debt for the developer to manage, and he decided to shut it down using GDPR as a vague justification?
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.
> Perversely, this new EU law hurts small and ethical startups, but helps reinforce the dominance of Facebook, Google and Twitter, who are able to prepare and defend themselves using established legal teams and cash reserves, and who now face less competition from startups. The EU Cookie Law, EU VAT regulation and now the EU GDPR are all examples of poorly-implemented laws that add complexity and unintended side-effects for businesses within the EU.
I will be first to admit that GDPR is full of holes and ambiguities and has never been tested in a court of law yet, but rather than (as the two quotes you pulled from his site) assume that GDPR has been set up to give the 'big boys' free reign and punish small operators, I'd like to think that GDPR actually puts a LOT more accountability on the larger players and actually will put smaller players on a semi-equal footing.
I really don't think that the EU will be spending the money and time (and open themselves to the PR disaster) of suing websites that might make $1000/mo for the full EUR20Million, do you?
I expect some early chilling cases that will scare the shit out of small operators. That's almost guaranteed to happen. I don't expect the EU to need to be aggressive in pursuing small operators (spending lots of money & time on it), a few demonstrative examples will do the job. They'll need to do that to make sure they're all in line. It's too great of a task to force compliance on millions of small businesses otherwise, they will have to make an example of some small businesses. If they don't, compliance by those millions of small businesses will erode over time.
And it's not as if you'll get fined €20 million if one email ended up in a spam box and you didn't remove someone's account in time... it's really blowing things out of proportion to mention that without further qualification. The big money is to threaten companies like Microsoft, not small businesses that don't even make a profit.
Your premise doesn't make sense. You're arguing against someone's subjective regard for risk. That's like telling someone that their love of skydiving is stupid because it's too risky. If the operator has a very low tolerance for risk - assume it's extraordinarily low for these illustrative purposes, as we're discussing a principle that applies regardless of scale - then that's down to their preferences. It does no good to argue against subjective preferences.
That's my theory as well.
It's just too bad that he drags GDPR through the mud with this as well, since there are indeed a bunch of people (just like anyone can, apparently be against net neutrality) who would prefer things to remain lawless. They'll point to this article as justification, after which the other party will have to go and read it thoroughly and attack its points, and win that sub-argument, before they're even back to square one with the original discussion.
Truth is, for most tech people, law is a huge extra expense -- of time, money and tons of risk.
1. Get consent when someone creates an account, saying what you do with the data including how you make automatic decision (e.g. which amazon pages you recommend).
2. Allow people to unconsent/delete accounts
3. Have a page that allows a user to download their data.
4. Have a way for them to fix mistakes in that information
That doesn't seem that burdensome. In fact some flavor of that is pretty much what you get with standard a standard create account/view account/change account/delete account workflow.
Now they do.
He wants to leave the game? Feel free! He wants people to be completely powerless? Well.. the kitchen has a door. Feel free to open and leave if it gets too hot.
What you say it's an unintended side effect, I think is very much intended. That's why the GDPR (if it doesn't fail for other reasons) is a very welcome regulation.
Once upon a time Facebook was the fresh new competition. Once upon a time Google took pains to maintain their "Don't be evil" motto. Everyone starts out starry-eyed, keen to destroy the oppressive incumbent. Very few stay that way.
Show us some proof the GDPR is harder for small and new businesses to comply.
McDonald's has it easier to comply with food safety regulations than the cozy mom and pop cafe down the street. Would you be willing to shit your guts out because the ambiance is better there?
People cooking for themselves at home aren't required to comply with (the same) food safety regulations. Obviously, you never eat at home or at the home of a friend or relative either, right?
People collecting phone numbers in their personal phonebooks aren't required to comply with data security and privacy regulations.
What does it change? Not much just by knowing, but it can allow for change, including exercising a right to delete that data under GDPR. That is a positive change in my opinion.
You understand, you just disagree and you seem intent on moving the goalposts as needed to make your “GDPR = bad” point.
Regulation allowing me to delete that is good.
It's pure FUD.
But since we're throwing out wild speculations it's more than possible this guy was doing something really shady. (He admits to affiliate links which are perfectly fine under GDPR). There would definitely be a market for user data even about who's borrowing what, where. Certainly the vast majority of these "the GDPR killed our free business" are precisely these shady businesses who knew they were dead anyways if they had to actually ask their users for consent in plain language.
Number 2 could be an "email me if you want your account removed". This will trigger like two emails a year, and you just run a DELETE FROM command. If it becomes more, you make a page.
For numbers 3 and 4, see number 2. I expect that this won't be much either.
The page doesn't mention a single thing that would be a good reason to quit over GDPR. I think the author was looking for a reasonable-sounding exit, especially since he was operating at a loss (and apparently cared about it, since he was cooperating with Amazon to begin with).
What were the previous data protection laws in the UK anyway? In the Netherlands, none of the 4 points above are new. Our data protection law from 2001 also required all of this.
So the owner might be making an excuse, yes, but I don't blame them as it seems like a legit way out if they wanted to close up.
If you administer a free service that takes an hour a month to keep running, and suddenly you're faced with an immediate upfront time cost plus the likelihood of spending many more hours every few months responding to user requests, shutting your service down might be a rational decision when you would otherwise have kept it running.
However, I felt the need to comment on the assumption that an application that is only 5 years old would imply that it uses a tech stack that no one would care about.
How is it that after a quarter of a century of web development, that the state of the software used is so bad that people still assume that something that is a few years old is assumed to be useless?
Five years ago I was messing around with Fortran 2008. Having done so, it's not as interesting anymore. That's not a function of Fortran, which was created when my grandparents were 20-somethings, but of the time spent with it.
Which, you know, the guy directly cites as the reason he's shutting down if you actually read the site.
There's plenty of ambiguity in the GDPR, especially around logging, backups, and third parties (e.g. login through Facebook/Twitter/Google, you know, that thing that five years ago everyone was trying to sell at the way to do user authentication). This guy just decided it's not worth the potential of being sued while we wait for the dust to settle on how those ambiguities shake out (because, honestly, the only way we're going to get those cleared up is if someone is sued and they're made clear by case law).
My concern has been the account deletion provision. Does the GDPR expect us to be able to go back and modify past backups? Years-old tape archives?
I would guess there is no requirement data is wiped. Your file system doesn't wipe data, it just marks it as deleted. At some point it's a technicality, the important part is that you stop using the data.
I suspect intent matters more than technicality.
When you collect data, you have to tell your users at collection what your retention policy is (this is part of Right to Transparency). So, right there, you should probably have a retention policy, and "forever, always" isn't really a well-thought-out policy.
The Right to Erasure is not as far-reaching as some people seem to think it is. If the Legal Basis of the data collection is Consent, then that consent is revocable and processing (including storage) pretty much has to end as soon as consent is revoked. But if the Legal Basis of collecting the data is something else, and I really feel like 90% of the time in practice it's going to be Legitimate Interest, then the Data Controller gets to balance their own needs against the rights of the Data Subject when handling a Right to Erasure or Right to Object request. And you can probably make a good argument that you don't need to modify back-ups. Your argument is stronger if a) your restore-from-back-up procedure can ignore or delete the user's data during/after restore b) your data retention policy eventually deletes the back-up.
Also, that data is still associated with the user. Is it to the letter of the law to keep it, even if it's unreadable?
Also, how does this mesh with pci retention rules. (Yes, they are not law, but it's still an awkward place to be.)
You couldn't possibly anonymize the data and then do the analytics, unheard of.
It's not that the analysis can't be done anonymously, but to do so requires foreknowledge of everything you would like to analyze.
Second, I think you're missing the context here. If I need to encryption each log entry that pertains to a user, even if it doesn't contain pii, then adhoc analysis is nearly impossible to do.
If the WORM store rotates out old data (webserver logs, tape backups with retention and rotation, etc.) then you simply inform the user of that and that's it.
Can you point me to where that's allowed? What if retention is reasonably long (a year)? or not (10 years)?
> s it truly a WORM store that cannot delete any data ever never? If so, you'll need to encrypt the data in a way that allows you to make records inaccessible.
So now I can't perform impromptu analysis of my own data in any computationally easy way? Security analysis? Analyzing shipping information to optimize in the future?
[0]: https://www.acronis.com/en-us/blog/posts/backups-and-gdpr-ri...
[A0]: http://www.gdprarticles.com/gdpr-articles/data-subject-right...
[A1]: GDPR Art. 5 §1 a, b, c and f, §2
[A2]: GDPR Art. 17 §1 b and c, §3 b and e
>So now I can't perform impromptu analysis of my own data in any computationally easy way? Security analysis? Analyzing shipping information to optimize in the future?
Any analysis will have to be done in a way to make sure you're not exceeding the bounds of network security or you're outside legitimate interest.
Analyzing shipping information is the same, as long as you do everything to make sure the data is pseudonimized or not otherwise in risk of leaking personal data, it's fine or alternatively you ask customers about it.
>What if retention is reasonably long (a year)? or not (10 years)?
Use your own judgement of what is reasonable, worst case you get a letter from the EU asking you to reduce the retention timeframe as long as you made an actual effort to implement the regulation.
Why do you think that's a given? It seems like an implementation detail with a couple of easy solutions such as caching or batching, and it should encourage better system design in many cases where the analysis doesn't require PII and thus it's better from a security perspective not to have access to it there to begin with.
There have been a ton of breaches over the years where reporting or test systems had data which they didn't even need but which had been loaded anyway since it was less work than subsetting the data.
Unless I'm pulling from a raw dump of shipping I've bought, which would contain the address so that it can be cross-checked if there is an issue and I didn't know ahead of time that I wanted to perform this analysis.
If you want shipping analytics you'll have to decide that ahead of time. That way you reduce the risk for your customer in case you don't want to do this and if you do want it you still make an effort to reduce the data necessary.
You should keep in mind that the basic premise of the GDPR is that the shipping address isn't yours to begin with. It's personal data of your customer and ultimately belongs to them.
If they don't allow you to use it for analytics, tough luck.
Yes, I should be omniscient. Thanks for clearing that up.
> Any kind of profiling or monitoring goes through several layers to ensure the minimum amount of data necessary is collected.
Yes, because they need to collect it. It's not about looking at what they have.
> If you want shipping analytics you'll have to decide that ahead of time.
Again, I'm not omniscient. I can't figure out what my company will be doing in a year, and waiting another year to collect the data I already have could see me hemorrhaging money.
> You should keep in mind that the basic premise of the GDPR is that the shipping address isn't yours to begin with. It's personal data of your customer and ultimately belongs to them.
Which is an absolutely silly notion. It is the company's data, not the users.
> If they don't allow you to use it for analytics, tough luck.
Which is silly. It's the company's data; they should be able to use it to improve their business.
Not omniscient but being able to plan ahead does help a lot, yes.
> It's not about looking at what they have.
Yes, because they only collect what's necessary and if they don't have that they ask if it's necessary and collect it.
>I can't figure out what my company will be doing in a year, and waiting another year to collect the data I already have could see me hemorrhaging money.
Then simply ask your customers to hand over data with consent to use it for analytics, problem solved, no?
>Which is an absolutely silly notion. It is the company's data, not the users.
No. Under GDPR this is no longer the case. The data belongs to the user now because corporations have shown time and time again that owning the user data is too much responsibility for them.
You do not own the customer data anymore, the customers own it. And they can decide what you're allowed to do with it.
End of story.
Which is entirely silly and basically contrary to everything else, e.g. data retention regulations that assume the company owns the data.
Even that data isn't owned by you. You are merely responsible for keeping it safe while you have to store it. Ultimately it's the customers data. End of story.
If you’re trying to do analytics, you don’t need PII - anonymized locations, sizes, bucketed prices, etc. will cover that and usually makes the process faster, too.
Look at it from a different perspective: does ignorance of food handling procedures or electrical wiring codes remove your obligation to follow safety regulations? This is the same thing for data: yes, it requires you to act as if you care about users’ privacy but that’s another way of saying that you’re no longer being subsidized by being allowed to fob the cost of negligence onto the users rather than being responsible. Everything which people have been talking about in this thread is already covered by accepted security best practices.
The company will have to decide for themselves, primarly, if some interest is legitimate.
This means you weigh the data you collect by the single user against the continued function of the company, the great good and all other users. The company should then be able to demonstrate this process to the regulatory body.
There is no nailed process but keeping logs for a short amount of time to ensure network security and keeping some logs longer for legal compliance will most certainly pass as legitimate interest.
Network security benefits the user themself, the company and all other users by ensuring their data is secured against breaches. It goes beyond simple self-interest of the company and protects the users too.
Similarly having an email address to contact a user can be legitimate interest. If you only send them informative mail, ie "Someone changed your password" and "We had a databreach" or even "Someone tried to login from Uganda using your password, check if that's alright please" it serves primarly to protect you, the customer and the relationship you build up.
IMO that means it's legitimate.
On the other hand, of course an adcorp could claim their personal tracking data is legitimate. The data collected does not benefit the user other than showing them ads and selling it to others. Of the three groups, only one benefits.
Or keeping a webserver log for 20 years including usernames and emails.
IMO that would mean it's not legitimate.
If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.
If you think they are wrong about that, the best option is to write them back and explain why you think it's legitimate. You can work out a solution with them that satisfies both sides.
That was a response to the comment about the default installs in most distros, not the ability of centralized services to rotate logs. It was pedantic and I regret derailing the discussion with it.
> The company will have to decide for themselves, primarly, if some interest is legitimate.
Until a regulator comes and makes a separate decision, and you have to plead with them that you're not wrong even when they think you are.
> If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.
From a regulatory body that has no real authority over me, except it might?
I think my biggest issue is that I don't deem data a company has on me _my_ data or that they have to explain everything they do with _their_ data about me. I was never under the impression that it was my data, and in fact, I assume anything I put on a computer I don't control or have a paid, contractual agreement around is public. I fundamentally don't agree with or understand the premise that the situation is otherwise.
(The biggest exception being that I do expect companies to honor their contractual obligations under their credit card processing agreements, but that's not really about _me_ or data about me.)
If you want a shortcut, you can try the EnterpriseReady site which has a great overview specific to SaaS companies: https://www.enterpriseready.io/gdpr/
As always though, your best resource is to talk to a lawyer. Do not trust any internet comments about legal decisions for your business.
One easy way to do this is with an expiration policy on s3 objects. You need to have an independent backup of those deletion requests though.
If you have a years-old tape archive you probably have a massive legal team who is much better equipped to answer this question.
You decide on a timeframe for deletion of backups (ie. X days). You keep a record of deletion requests you receive for X days. If you need to restore to a backup, you delete data again for the users that requested it.
Then you delete the backups and records of deletion (or the tables in it that contain personally-identified information) after X days.
All of which requires a good deal of development work.
[1]: https://www.citizensadvice.org.uk/consumer/get-more-help/how...
If you care about consumer's rights over companies's profits that is.
I am an architect for a company that does ABM, B2B ads, so I am well versed in the subject. We had to move all of our PI data in the raw form to a different AWS account, and only certain individuals with "legal" clearance can access it. This forced us to re-architect almost our entire stack, and rethink our main API.
The whole thing was a massive endeavor that took a whole engineering team two quarters. If this was three years ago, when we were less than a dozen engineers, we would have most likely thrown the towel and forego cookies and business in the EU altogether.
This has always been true, nothing has changed
[1] http://www.pointoflaw.com/loserpays/overview.php
The expected value of the case to the lawyers is the probability of winning, multiplied by the minimum of the expected award and the resources the defendant has available to pay, multiplied by the fee percentage that the lawyers are charging, minus the costs involved in litigating the case.
In the cases we're considering here, the probability of winning is low, the expected award is low, and the resources available to the defendant are low. They're simply not going to take them on.
She alleged I colluded with and stole manuscripts from her publisher (I published my content before she did). I knew I was in the right, and had proof to back it up. Then I found out it would cost tens of thousands to take the case to court and then if I won, I could claim the lawsuit was frivolous and sue for legal fees.
People can use the legal system to rope you into an expensive game that you don’t want to play. Even if you win, that victory might come at a huge cost financially and emotionally. Irrational and vindictive people can hire lawyers too.
Even in the case where fees are awarded, there is absolutely zero upside in being sued. The best possible outcome is to tie up tens of thousands of your own money in legal fees, and invest huge amounts of time and energy in a court battle. And of course there is always a risk you could lose the case.
For a passion project that is a big investment. I cut my losses, and I’m glad I did.
You argument is so comically simplistic and shortsighted that it actually makes me a bit depressed, holy shit!
She tried the same stunt on someone else who went to a reporter, and tried to case the in the court of public opinion. She was resoundingly defeated.
All you have to do to be Gdpr compliant is delete user data when asked. There is no "trap card" provision.
I just do not get what there is to complain about here - the GDPR is a good thing for consumers, and as a business owner than gives a damn about privacy, it is not onerous to comply with.
For having an unfair competitive advantage over competitors who properly follow the law. This is a well-known tactic to get rid of competitors or just companies you don’t like.
Want to host the data on aws? You need a documented data processor agreement with them. Same thing with cloudflare and any other service you might want to use.
Want to use google analytics or some other javascript? Those cookies aren't required so you need a way to let users opt-in to using those cookies. And opt-out and delete any third party cookies. I'm still not clear on how the regulations expect you to delete third party cookies.
Amazon affiliate links also aren't necessary to use the service, and that sets cookies. Have to get consent before users can click on those links.
Don't forget that ip addresses are considered personal data.
And all of this might have to be written down and documented per Article 30 as well. The organization is smaller than 250 people, so that might be an out, but people are using the site daily so one could argue the processing is not occasional.
So that maybe someday we'll have a web without tracking again.
Assuming that these cookies are only set after clicking the link, and that there is no personal information in the links, then what is the problem? In any case, Amazon setting cookies is not your problem, it is Amazon's.
And that's just the engineering work. The website owner cannot know whether or not the engineering work and website meets the requirements of GDPR by himself. He does not have the ability to interpret the GDPR policies. The website owner would need to consult with a compliance lawyer or expert to assess the website for compliance. I would guess it would take a lawyer 10 hours at minimum (assuming the lawyer is a GDPR expert and already knows GDPR in and out) to assess a website for GDPR compliance, billed at a low $250/hr is $2500.
https://www.ctrl.blog/entry/gdpr-web-server-logs
"All of these logs contains personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49. The logs can also contain usernames if your web service use them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).
If you don’t have a legitimate need to store these logs you should disable logging in your web server. You’re not even allowed to store this type of information without having obtained direct consent for the purposes you intend to store the information"
Are you going to either 1) completely disable logging on your webserver or 2) ask for consent just to use a default Apache/Nginx logging configuration? The law makes no technical sense.
3) Change your webserver not to store IPs or to delete them relatively quickly?
The default Apache/Nginx configurations aren't suitable for production in many other ways but most distributions ship them with log rotation enabled which would prevent this from being a problem in the default install.
You don't.
I get the point about legal trolls,but how are the hoops ambigously defined?
- don't store data you don't need for your business' stated purpose
- get active consent before you do so
- be ready to delete data on command
- store the data with best principles (i.e., instead of having ID and other stuff connected, centralize identifiying information and protect,use pseudonyms otherwise)
IANAL, but this seems pretty sensible?
That said, I think the fear of no win, no fee legal firms is a little overblown. You can't get blood out of a turnip and if he's not making money there's no reason any law firm would be interested in suing him.
I'm honestly wondering what the law previously said regarding data protection. The Dutch WBP from 2001 already covers everything that he would have to do under GDPR given this website, so unless the UK has some very weird laws (or unless we're weird), nothing would change. Perhaps an extra tickbox on signing up that says "yeah yeah I'm really very aware that my data is shared with third parties".
Most likely, this is a good excuse to go "I refuse to read the long legalese [even if it's 95% the same as before] and I'm just going to quit this loss-turning website without the community turning sour on me because I have a good excuse".
Generally speaking, I think most sites will require some additional development work to update their UI and to store the data. If you have been compliant with the previous laws then it should be no problem. One wrinkle is that in the previous laws there was no way for your customer to find out if you were following the law or not (without suing you). With GDPR they have a right to both be notified what you plan to do and the right to request evidence that you are following that plan. There will be many companies that will have to alter their processes significantly to account for this.
In the businesses I'm working with, I'm finding the biggest problems with GDPR aren't with GDPR - they're because the business wasn't compliant with the UK's Data Protection Act (1998). So the pain is the scramble to catch up.
I think you could ask that question about all the other formalities you have to engage in as well if you run a business? Managing his taxes probably takes more time than making that kind of business GDPR compliant
>- get active consent before you do so
These are mutually exclusive. The GDPR specifically warns against soliciting consent for collection and processing activities that are actually needed, as consent is not considered meaningful when the alternative is to avoid doing business. Consent is only valid if you can "degrade gracefully" in its absence. (I'm not a lawyer).
Well, just in this thread, two people providing 4-point lists of _simple_ things that can be done to abide by the GDPR provide two different lists that they themselves are ambiguously defined.
So, perhaps it's not as _simple_ as you make it out to be.
Deletion of data from all external services that you use and internal services. If you have some processed data from internal data pipelines you will have to clear that as well. What about error reporting services? Internal logs? I think for data backups you can have it encrypted and that works as a good alternative but if you have to delete data from there it is not at all feasible.
- store the data with best principles (i.e., instead of having ID and other stuff connected, centralize identifiying information and protect,use pseudonyms otherwise)
Even if in the main data stores you store them in a well normalized way. It becomes a pain to do the same thing to do the same in data pipelines, sinks etc. If you are having a reporting DB it would make sense to denormalize data there.
GDPR is a great example of the kinds of disasters that happen when nations try to force the entire planet to follow their unilateral actions.
If a tribunal gets asked to delete the personal data of the accused, they will keep the data.
There is a principle of public interest and public obligations to keep data.
What part do you think that is a disaster?
uh... this post is about a guy losing his business because of the GDPR. What part of that isn't a disaster?
>If you are a bank and a client asks you to delete their data. The bank will still keep it for the tax agencies.
> If a tribunal gets asked to delete the personal data of the accused, they will keep the data.
> There is a principle of public interest and public obligations to keep data.
In other words, GDPR has no teeth outside of Europe.
In other words, GDPR has no teeth outside of Europe.
Your example "my employer will have to delete records of firing me!" is exactly how the GDPR works.
There are exceptions -e .g. if the firing is now leading to a court case, but they are less than you think.
In an ironic twist, after deleting the data subject's personal information, you must be left with nothing that identifies them, so you don't even know that they have requested this in the past - only that someone exercised their right to erasure (not who).
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;
or for the establishment, exercise or defence of legal claims.
Article 17.1 The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; https://gdpr-info.eu/art-17-gdpr/
If you read further down the page, you come to the section you are quoting, 17.3, which says that the above right from 17.1 does not apply even if one of the conditions in 17.1 is met. However the scenario we are talking about is one where none of those conditions were met in the first place, so we never had to look at 17.3.
You can argue that 17.1.b/c would require an employer to remove any demographic/political data it had stored on you, but absolutely not that it requires the employer to remove the record of your existence at the company.
17.1.b appears to be the trump card held by the data subject. They can withdraw consent at any time and request erasure.
Once they do, the data controller can then use any of the exceptions in 17.3 to deny them. However none of these is "because I want to keep records of all firings".
My further understanding is that you certainly could keep a record that someone was fired, just not a record that included any personal information that could identify who that was.
i.e. pseudonymization..
(edit - and I think you could keep the information about their race/etc if it was properly pseudonymized, but I haven't tried working that out so I'm not sure).
The GDPR applies to trying to do business in europe. Seems simple enough.
meaning you can be doing business with EU residents as a US only company.
I'm not quite sure how they intend to enforce the GDPR on foriegn companies, but they are making that claim.
This doesn't sound crazy to me.
If I'm in europe and I sell to an american, I have to adhere to certain US laws just the same. I have to fill in a W8-BEN form or whatnot.
I can elect not to, but next time I'm in the US, things might get awkward at customs. Also, my customers might be fined or more or less 'ordered' not to do business with me. That's within the US's right.
That's just how it works. Everywhere. For all countries.
GDPR (EU Law) requires companies to delete private data upon request.
SOX (US Law) requires companies do not delete private data, in case the government wants to investigate those companies later on.
SOX has existed since 2002. Did the EU lawmakers even consider this when crafting GDPR? I'm betting not, considering the damage they've done to the WHOIS system as well.
This kind of fallout is the result of poor planning and pushing incomplete legislation for political purposes and I think all of us realize that, so let's not pretend otherwise.
That is literally a disaster. I wonder if this kind of thing is why the EU is crumbling.
(Shrug) It's a public response to abuses by private actors. It's a great example of the kinds of disasters that happen when the user is the product and not the customer.
I disagree, I think it's a political move and won't have the kind of positive impact that we want it to.
GDPR, as it is written, should put Facebook and Google out of business. Invading people's privacy is a huge part of their revenue stream. I'm all in favor of protecting privacy of individuals but I'm cynical that we'll see any real progress as a result of this and the negative consequences are real, and possibly more significant than any positive effects. Time will tell.
Firstly, there's nothing this site does that is so unusual. If the user gives explicit and informed consent for their data to be used in this way, then you are likely to be covered.
Secondly, it's looking unlikely that the rules will be enforced that strictly in the near term, especially against a small, hobby website. IANAL but you likely have a couple of years until you have any chance of being on the ICO's radar (ICO is the UK's enforcer). And even then, you can reasonably expect the find to be << €4M.
Thirdly, if you run this site from a limited company (about £100/year to maintain), then the very worst case would be that you are investigated under the GDPR in the future, and you can fold the site then at which point your liability ends. No need to do it now, in fear of something that may never happen.
I hope it's not too late to change your mind about shutting down!
So far I haven't found ANY person who has read the full 80 pages. Everyone is asking eveyrone else, they download whatever presentations they find on the internet, but NOT ONE have bothered reading the damn thing.
It will be a massacre for many companies, only because very few do their homework.
On the other hand I bet you have a better life with your belief until - if ever- you learn the difference the hard way.
Take the simple question: can you look at personal data on your monitor? What about Van Eck phreaking? Basically you are broadcasting the data. Do you need to protect against that?
Tell me what GDPR says about that.
It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.
[1] https://en.m.wikipedia.org/wiki/Van_Eck_phreaking#LCDs
I would estimate the frequency of the attack similar to Lightnings killing people. I’m quite sure it happens but only in very small scale because you have to get so close to the victim.
If you choose to display customer data on your screen while raising funds for launching a new cryptocurrency in the Sultanate of Kinakuta from sketchy Chinese generals, it's on you.
But if you read the law, claim to understand it and don't implement it properly, you are screwed. It's just another case where savy managers are avoiding personal risk at the expense of corporate risk.
You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
Is that a bad thing? The vast majority of regulations exist because someone's "critical thinking" went too far in the name of profit.
Your mistake is assuming that the idea being sold internally under the heading "compliance" is required by, or even tangentially related to, an actual regulation.
> Steve Wood, ICO Deputy Commissioner: Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy.
All those concerns about the GDPR are, as far as I can tell, younger than a year, most of them even younger than a few months.
You had two years grace period.
If 6 years wasn't a long enough period for companies to prepare I submit that no amount of time would ever be.
I can understand why a small project that isn't immediately profitable can take a look at the uncertainty and say, "no thanks."
Within society "in general" there are usually other forms for quantifying, and spreading, the cost of uncertainty among larger groups. We usually call those markets "insurance." Car insurance, life insurance, health insurance, disability insurance, homeowners insurance, landlord insurance... all of it exists to "cope" with uncertainty.
If you're running a small operation that's hovering at or below breakeven, it's reasonable to look at the existing uncertainty surrounding GDPR and find that the only winning move is to not play.
I'm not a FUD guy; I'm a numbers guy. Uncertainty is real and entire markets exist to deal with them. Where there are _not_ markets that allow you to quantify uncertainty, it is reasonable to look at the potential downside and say, "that's not worth the risk."
I'd be very hard pressed to run a business that catered to the EU at this point until the first N lawsuits happen. There's a reason why in the US people prefer to incorporate in Delaware: it's not because it's the most business friendly state, it's because there is so little uncertainty in case law.
I am making no claims as to whether GDPR is a good thing or a bad thing. Simply that it's an unknown thing. And unless you have the pockets to play in unchartered legal territory, it is perfectly reasonable to shake one's head and walk away.
I run a small business and I like this. Just about anybody can read it and understand what rights and requirements are being set out in it.
The GDPR specifically refers to the concept of "micro, small and medium-sized enterprises" [GDPR 40p1 and 42p1 use this text; they direct member states about the spirit of the law, referring that the needs of such businesses need to be taken into account].
GDPR 58p2 sets out that regulatory bodies in a member state have the power to issue warnings. As in, if you mess up, unless the mess-up is malicious or excessively negligent, you get a written warning and reasonable time to fix the problem. My government (The Netherlands) has taken the effort, as have a significant number of third parties, of creating a legal document of 3 to 10 pages covering some details, and they generally set out more explicitly that you grant yourself a week or so to fix problems without penalty. Whilst the GDPR is intentionally ambiguous in order to try to be somewhat futureproof and remain short enough to read back to back in an afternoon, it's fairly clear this is perfectly fine.
The most strenuous sections of the GDPR involve requests from those whose data you store. If they ask you to supply what data you have of them, and whom you've shared it with, you have to comply. Within reasonable timeframes, and you cannot lie about it. If they ask that you delete this data, you must be capable of doing so, and you must do so within a reasonable timeframe. However, the GDPR is nice enough to grant you exceptions for reasonable measures which nevertheless make it hard to comply. Things like a backup tape are specifically called out. It's okay if data that's been requested to be removed, stays on those. You would have to show that this data is pseudonimized (GDPR-ese for encrypted, pretty much).
Any service which has a hard time supporting requests to explain what data you store and where you've stored it, or which cannot delete it from the main service on demand... should indeed just call it a day and shut down. I don't think a service like streetlend would have a hard time supporting such requests, however.
I don't run a small business, I make small things on the internet, this is not why I got into tech, I don't want to read 68 pages of yuk. If I made a small site that saves some user data i'd just pull it down too, I don't want the burden of worrying about being sued for some small thing I created, you just wont have it anymore.
FB fucked it up for everyone, ultimately people gota learn that when you give data to someone you implicitly entrust them with it. FB had to go and be evil and now the EU is overreaching demanding everyone spend their time bubble wrapping everything... everyone backing them up are the village people taking to the streets with torches and burning shopkeepers after the king was found doing witchcraft. Go burn the king.
If you're making something that stores personally identifiable information outside of what you need, and don't care enough to secure it or offer ways for a user to manage that data then yes, take it down. Good riddance.
Or, just don't store that data in the first place. If you're storing usernames, passwords and the like then you have nothing to worry about.
Absolutely false. Anything pertaining to a person in any way is personal data. All default web server installations are GDPR violations, unless nginx grew an "edit the access.log entries pertaining to you" endpoint recently. (Although you can maybe argue "legitimate interest" for web access logging if you invest the time, and implement the right to erasure).
Something as simple as running Google Analytics without a processing agreement in place is a liability.
1. User profiles can't be sent to GA. For example, hacker news has /user?id=JohnDoe for profiles, and that contains a username, which is personal data that should not be shared with GA. Ok, so I could rewrite my profile URLs before sending them to GA without the usernames.
2. I haven't heard a single source mention referrals. If I'm on a user profile on my site and click a link, that's going to send /user?id=JohnDoe to GA as the referral. I would need to overwrite the referrals before sending them to GA as well.
3. What about 404 pages that I make up? What if I visit https://www.example.com/JohnDoe? That's sending my personal name to GA again. Hmm, ok, the site could exclude GA from 404 pages.
4. What about search boxes? What if I use the search field on a blog? https://www.example.com/posts?search=JohnDoe. Hmm, that's my personal data being sent again. Ok, we need to make sure any data from search boxes is now stripped and not sent to GA.
5. What if I manually add a query parameter or modify one? A homepage might have https://www.example.com/?page=2, but what if I change it to https://www.example.com/?page=JohnDoe. Hmm, yes, that's personal data being sent again. I guess I need to validate the page parameter to ensure it's an integer before sending the URL to GA. What if I then type in a personal phone number as the page number?
There’s no damage that GDPR protects you from, and it doesn’t add any liability for stolen, hacked, or misused data.
Facebook can do the same shit they were doing under GDPR!
> (83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
also:
> Section 2, art. 32, Security of processing:
> Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: [..]
Actually I think that's a good thing then.
One of the goals of this law and similar efforts is to make it clear that you need to consider the social, ethical, and legal ramifications of the things you crate. You are not creating neutral things in a vacuum; there is no neutral ground in a burning world[1]. That "small thing on the internet" might be reuniting families that were separated by work or politics, or it might be undermining the support structures of an entire industry or community. Maybe you are creating a social space*, which includes a duty to manage that space to keep so it doesn't become a tool of abuse[2]. Maybe your small site stays small. Obviously you cannot be expected to foresee every potential consequence of your creation, but you at least need to make the effort and catch the low-hanging fruit (e.g. the basic privacy features enforced by the GDPR).
[1] http://opentranscripts.org/transcript/no-neutral-ground-burn...
[2] http://www.gdcvault.com/play/1024060/Still-Logged-In-What-AR
One often wonders whether lawmakers heed their own advice here with what they create.
Well, not really: That's the constitutional court's job.
I personally find regulation like this abhorrent and against my morals. Sadly I don’t have the money to fight the EU so my creations will be blocked to its citizens going forward.
The end result of this is that EU citizens will be the ones that suffer from lack of access to technology and the smart ones will end up VPNing into non-EU networks to stay on the cutting edge.
This is a relatively simple regulation that basically required anybody processing user data to do so responsibly. How does one have an ethical objection to that?
Alternatively, hire a lawyer, like you would for any other regulatory requirement.
Far better details? It gives vague info on what might be considered personal data... I would not call it very detailed. In most cases just says personally identifiable information.
Right, because everyone who lives in Europe is too incapable of coming up with technology and businesses themselves (that have the added benefit of being GDPR compliant) and without access to American firms they will surely fall into a technological dark dark age.
Instead of viewing GDPR as some nightmarish spectre coming to ruin everything, why not think of it as a potential opportunity? You're familiar with making money in a borderline no-holds-barred approach, now try and come up with some innovative business ideas that _don't_ rely on scraping and selling as much data as mechanically possible to prop up a business. This is a great for the disruption hackernews loves so much.
Cite one EU startup that you’ll miss if the issue was reversed.
That's the best way to think about it. When the EU started imposing VAT taxes on non-EU companies on internet sales to EU customers, a bunch of businesses sprouted to handle all of that accounting for you. (So instead of me selling my software online directly, technically all of my EU customers now buy from a US company called FastSpring instead. Fastspring remits VAT on EU sales for me so I don't have to deal with EU tax law, just my own Australian tax law.)
There's probably similar opportunity for a GDPR service that stores customer data via API service, that shields small / micro businesses from all the GDPR compliance. (Eg all your personal Wordpress blog comments are actually stored, hosted and served by a service that handles GDPR modal-consent forms and deletion requests on your behalf.)
>... now try and come up with some innovative business ideas that _don't_ rely on scraping and selling as much data as mechanically possible...
The problem is a lot of us who would never scrape or sell data and have no interest in exploiting our customers, are still worried about not being GDPR compliant, and the EU choosing to pursue us an example for something that none of our customers actually care about.
Why would you be worried about being pursued as an example? Is there any data that supports this as a reasonable fear? Isn't this exactly the "GDPR is a nightmarish spectre that can destroy anyone at any time" mentality?
Your points are well argued - especially regarding the ethical and social implications of what we create, and I agree with them, however we have differing definitions of "small" in this context.
Your arguments apply to things that are maturing and are reasonably big already, but big things have small beginnings... and the internet/web is a fantastic place for nurturing those very very small ideas for basically free, this law appears to threaten those small ideas.
What you call overeaching other's call protecting the interests of consumers.
Nah, just for companies that trade personal information as if it was cattle feed. As an individual, I have no problem with the GDPR.
If you won't handle my personal information with proper care, you should shutdown or get sued out of existence.
Cheers.
Do you find yourself accidentally including data sales SDK's? Do you finish your website or app and realise you've accidentally set it up to fingerprint the user, scrape everything you can from them and sell it?
If your business is just a tool supported by wanton data scraping are you actually doing anything innovative and worthwhile or are you just making an MVP to pack full of advertising and jump on that bandwagon?
If you aren't doing that, then it's just a matter of checking what data you are harvesting and thinking about why you have it and if you really need it. Because if it's actually critical to the running of your business then GDPR does allow you to keep it. If it's not, why waste space, effort and now risk in bothering to harvest and keep it in the first place.
For example, an online shop might collect customer addresses, even if the sale is purely digital. If the shop ever decides to expand to physical goods, those addresses will be very useful to find an optimal location.
However, GDPR prevent the shop from collecting (or more accurately, raises the cost of doing so), since the use, and value of, said data only becomes apparent in the future. So the shop makes the best choice now to remove the collection, and then suffer the future disadvantage.
Maybe show a notice just below the address input fields that "we remember your address for a while, this is why" and link to the relevant section in the privacy policy.
Then you already had a ton of legal obligations, you were just not aware of them, since only now everyone is talking about the GDPR.
"FB fucked it up for everyone"
A lot of the things people are complaining about right now were already illegal, before the GDPR. People were just not caring about it.
Questions without answers in the GDPR:
* how to carry out a legitimate interest balancing test
* who is your lead regulator (do you have a lead regulator?)
* When do you need a DPO (large scale is left undefined, as is systematic)
* How reasonable will any particular regulator be towards inadvertent violations
* what precisely counts as the required technical and organizational measures in art24
* how do you define what is one purpose and what is two purposes?
Painful when needing to implement? Absolutely (not my favourite either, I want definite answers). The way it is? Yes.
Not all laws, nor all legal systems, are equally vague. It would be really helpful if the regulations had been accompanied with a large set of 'example applications' demonstrating how EU members should be expected (or required) to implement the law in specific scenarios.
Uncertainty is a real cost too.
1 page or 1,000 pages, most people are not in a position to accurately interpret it and understand what does or does not comply.
It seems the root of the issue would be financing the changes.
In a way, looking further into the regulations to clear how to deal with ambiguous parts or even straight hire a lawyer to look at the details would be a simple move if the expense could be justified.
Could it be summed up as “unexpected but mandatory changes kill unprofitable business” ?
Which is kind of what GDPR wants to do for personal data: if you want to collect it from me, there are a minimum set of standards that you need to adhere to because it’s my data.
In particular if you already went though PCI DSS, it’s only a few additional things here and there.
The pci DSS has nothing in it like the gdpr; I'm not even sure why you would compare them.and it makes me think you know nothing about either.
While doing these changes, there will usualy be a rethinking of how user data is handled at its core. For instance I worked in the past on dissociating user account with it’s profile and private info, so we could get rid of personal info and only keep behaviors.
With GDPR you get similar leeway for keeping most of your data as long as you get rid of identifying info in a reasonable manner. If I’m not mistaken backups are also safe up to a point, but I don’t have the details at hand.
My main point was that if someone had the occasion to think thoroughly about user data policy and cleaning unwanted traces at leadt once in the past, GDPR was a lot easier than one might think at first.
Super Monday Night Combat wich was developed in the US by Uber Entertainment [1]
Ragnarok Online terminates the access from Europe. They are in Korea. [2]
1 https://steamcommunity.com/games/104700/announcements/detail...
2 http://blog.warpportal.com/?p=10892
For example, IP address is PII and if you derive city, region or country from that it becomes personal data. Now if you are a small project or startup there is high chance that you are using some of the external analytics tools like GA or mixpanel(as building a good analytics tool is an effort on its own). Now you have to take care of data like country there as well and be very careful that you delete data like this as well.
I don't think city itself is a personal data. You could use user's IP address to get the city and then discard it and this way you know user's city but don't have to keep their IP address.
Google Analytics can be a problem; Google or someone else should make the analytics that doesn't store IP addresses.
And I think ISPs should randomly rotate IP addresses of their customers so they cannot be used for identification.
Quote [1]:
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
[1] https://gdpr-info.eu/art-4-gdpr/
I think that soon there will be extensions for popular servers that implement something like this. I wish it were the default configuration.
Also I think if IPSs rotated IP addresses among their customers daily it would not be a problem at all.
The actual law is here and it applies when you offer services or goods to people in the EU or if you monitor their behavior in the EU.
The recitals are a pretty good commentary to clear up the law, the same recitals will be used by regulatory bodies and judges later on, as a guideline.
But they are not law. The law says anyone "in the Union".
Afaict from summaries on court cases in germany, "offering goods or services" definitely means you have to have more than accidental contact with EU customers. Monitoring is hopefully obvious.
The law says anyone in the EU (or is it EEA?) that you're interacting with.
Article 3:
> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(This also seems to mean a forum with no monetary value at all, but that's another issue.)
The thing is, if you want to do business in the EU, you better know the legal system there. The US forces people in the EU to adhere to their legal system all the time.
Why? That's such a silly thing to assume. It's possible I've targeted no one by location or nationality.
> The thing is, if you want to do business in the EU, you better know the legal system there.
How is a silly forum a business?
It's not about targeting but about offering services to people in the EU. A silly forum that has a few EU users is beyond incidental/accidental contact and will have to adhere to the EU laws.
A silly forum may not be a business but atleast under german law it can be classified as business-like or otherwise commercial even if you don't make any money on it.
Atleast under german law, you are business-like if you offer a website beyond personal interest (ie, a webpage about you, your family or your hobby). A forum is certainly business-like.
The same forum can still be non-commercial, you don't have to make any money to fall under business-like.
In total, a non-commercial entity, which is business-like, and has more than incidental EU users will fall under GDPR.
>They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!
I'm sorry, the US made extraterritorial laws that require US cultural context to interpret correctly. You don't get any special treatment here.
If you save data beyond what is strictly necessary to conduct business, like doing analytics, then you will need to ask your EU users if they are OK with that. If you don't want to do that you can simply exclude EU users from any analytics.
Or exclude them from google analytics. Wouldn't be a giant effect.
1. https://steamdb.info/app/104700/graphs/
There are plenty of devs out there who were running things probably at a loss, but for the sake of their community and users. Sure a few bug fixes here and there was a pain, but it was so small that it was worth it to make a couple people happy. Now they have one big reason to not keep it up.
Our dependency on services that will go away is a problem, but I'd prefer we'd search for different ways to preserve software once unmaintained. Government requires authors to send a few copies of books&newspapers to libraries... maybe something like that with source code?
I firmly believe that companies need to protect their data better as the consequences of loss aren't shouldered by them, which the gdpr says nothing about.
I also firmly believe that it's their data. When I send data to another machine, I was never under the impression that said information was mine. I was never under the impression that anything I have on Facebook was ever or will ever be private. I consider order information vital information _of the company_. When I choose to load thea Google analytics tracker, I have no notion that I own that tracking information.
Splitting basic infrastructure like backups and logs by customer or introducing a whole system of flimsy cryptography to support that is no where near reasonable and well beyond common decency.
Explaining all uses of data and why decisions are made isn't common decency. Again, I sent you my data, it is now the server's/company's. I expect them to do what they will with it.
The gdpr is well intentioned, but ultimately nothing more than toxic smoke and carnavel mirrors. It is an underspecified mess and burden creating the notion that you can renege on data you send someone else.
He's running an unprofitable business (by his own admission), and likely is running it as some sort of sole proprietorship and doesn't want to take the risk on himself.
The solution is to create a company so that the company can shoulder most of the risk so the company goes bankrupt in the event he finds himself unwilling to comply with regulatory requests.
I'm guessing he just doesn't want to dump any more money into a failing project, which is his decision to make.
Is this a failure of the GDPR though, or a success?
Personally I think fly-by-night websites should be the last people responsible for handling personal data. If they're unwilling to attempt to comply with regulations, then perhaps the internet is a better place without these sites.
Let's look at an alternate universe for a moment, where online shopping developed with very barebones regulations, PCI-DSS isn't a thing and fraud is far more rampant. Now the EU introduces new regulations much like PCI-DSS with heavy fines attached to it.
Suddenly you would have every small business coming out of the woodwork, claiming PCI compliance is a huge hassle, the fines are unreasonable, etc. Yeah, PCI compliance is a hassle (which is why we have companies such as Stripe taking care of it for you). But to protect and empower the users, it's needed. This isn't about your business, it's about your users and how they can, today thanks to PCI-DSS, generally trust that their credit card is safe to enter online (which is a net good for any industry that needs online payments).
But that universe is crazy because, who wouldn't treat credit card numbers as extremely sensitive data? Well, many companies who today aren't actually PCI-DSS compliant. Sometimes devs just don't know why, when or even how to encrypt the data and nobody audits that until there's a breach.
So my opinion is this is a success of GDPR. Clearly nobody in this comment section thinks the person in question would really have had a hard time complying with it, and probably wanted to shut down anyway. Either its users are better off because the service is a data vampire that doesn't care about compliance, or it's a no-op because it would have shut down either way. Make room for competition that does care, I'm all for that.
That would be amazing! Then we'd actually have to adopt a push-based or one-time-use transaction model, rather than living under the fantasy (disproven on a daily basis) that merchants should be in the business of keeping secrets, or are even capable of it. It's hard for me to take anything someone says seriously after they express admiration for the credit card number security model.
Payment card data is secret information, that's a given of the industry. If you disagree with that, I welcome you to share your credit cards in a reply here. Is it a design flaw? Yeah, you could say that; there's much better models and PSD2 will fix many things (not all) at the core of your complaints.
In the mean time, having to treat credit card numbers as highly sensitive is a fact of life, and when you're trying to protect users, you have to be pragmatic, you can't live in an ideal world with theoretical technology; you have to regulate what's there.
The GDPR's definition of PII is broad and contains many things which aren't secrets. I can tell you my full name, it's easy to figure it out from my profile, that's not a secret but it's still PII and GDPR asks that you treat it as such. Same for usernames, which are most often publicly visible on websites.
GDPR, more than dictating what you should encrypt, gives the users a set of rights over a class of data they share with companies in order to give (european) users more trust and comfort when choosing whether to share data with those companies. Things like "I should be able to know what a company has on me, and I should be able to download it and delete it".
I can't tell you the number of websites I've seen that don't let you delete accounts properly. That don't let you edit your real name (even if you get married or you legally change it!). That don't allow you any insight into where your email address ends up after you sign up with it. This is the problem that GDPR is trying to solve.
It's a fact of life because the payment card industry found a legal way to externalize the risk of its idiotic architecture onto others. The networks are as motivated as can be to continue having transactions to intermediate, and had the technology for what I describe 20+ years ago. Smart cards are a 1990s technology. (Magstripes are a 1960s technology). They continue to drag their feet on the migration because we've made it cheaper to implement "security" through the legal system. Fraud losses are low enough for the industry to prefer the status quo, but high enough that credit card fraud is still a fact of life, because we have allowed it to create liability around data security.
So? Why should you be able to delete an account?
> That don't let you edit your real name (even if you get married or you legally change it!).
This seems like an issue for the company and one they should fix for their own good, not yours.
> That don't allow you any insight into where your email address ends up after you sign up with it.
I also don't have control over who my friends give my email or phone number out to, or if they sign up for facebook and facebook slurps that data (even if facebook becomes 100% truly gdpr compliant which I doubt they will even if they claim it). Why should I be able to control what other people do with something I gave them? If they breach my trust, maybe I should look elsewhere.
This is an obtuse, bordering on malicious misreading of the post. They're not unwilling to implement the necessary features. They're unwilling to shoulder the risk.
> Personally I think fly-by-night websites should be the last people responsible for handling personal data. If they're unwilling to attempt to comply with regulations, then perhaps the internet is a better place without these sites.
This isn't a data broker, a credit reporting agency, someone with a giant sensor fleet, etc. It's extremely straightforward to not share data with a "fly-by-night" website like this.
Yeah, it's extremely easy to not share your data with them.. if you know they don't care about protecting it.. But what about all of the other people on the internet that don't know this guy doesn't care about your privacy?
Convincing businesses to take your personal data seriously is the whole point, and you shouldn't get a free pass just because you only handle people's personal data in your spare time.
Because people voluntarily provide it to them.
> But what about all of the other people on the internet that don't know this guy doesn't care about your privacy?
Governments confront problems with this general shape all the time... the result is usually labeling requirements. Sure, this guy should not be allowed to claim he has a crack team of elite cybersecurity engineers when he doesn't. Regardless, no one is asking him keep secrets for them. It's a niche Craigslist.
>Because it's a small operation?
You're actively campaigning to degrade privacy (and also user freedom, competition, and choice) to a much greater degree by displacing these activities onto large, centralized platforms. Especially those which are monetizing your data to a high enough degree that it's worthwhile to staff a compliance team for the privilege of continuing to do so.
Voluntary or not, there are some rights that you cannot give up to someone else. In Europe, one of those rights is control over your own personal information.
There's also the issue of information symmetry. Just because I voluntarily bought your product doesn't mean that you should be 100% free from any liability that it may cause.
If that were true, you would not be able to post this comment (the most highly sensitive category of personal data, political views) in a public forum.
But if it's all the same, would you mind sharing your credit card numbers, SSN, and date of birth? I won't leak it, pinky swear.
The GDPR concerns all information related to people. It doesn't treat PII (i.e. identifiers) separately.
Which is a dangerous illusion. You don't control anything you hand over to someone else.
You do have control, actually. You and the bank have an agreement as such.
This is also where GDPR is at. Without it, in theory, you have a shrinkwrap tl;dr agreeement with the service, but in practice, they can do whatever they want with your data, with no repercussions.
See: Facebook and CA. Facebook misused my data (Because my friends opted in to sharing it), CA misused my data (Because they weren't even supposed to be given access to it), and the outcome? Nothing of consequence.
GDPR does three things:
1. It makes those repercussions have teeth.
2. It makes sure that you give informed consent to use of your data. (Unsurprisingly, similar laws exist for banks!)
3. It clarifies what has to happen when you stop being a user of a service. (Prior to it, de-facto, your data would be opted into whatever changes of the data usage policy the service made - regardless of whether or not you still had an active account, whether you agreed with the ToS, etc. If you deleted your Facebook account, you had zero leverage of how your data would be used.)
Even at a bank, if you open a joint account (enable sharing) and the other person absconds with the contents, you’re out of luck.
I think your reading of the comment you're replying to is itself obtuse, bordering on malicious. They clearly understood that the core issue with GDPR for the OP is risk, and suggested a reasonable solution to address it:
> The solution is to create a company so that the company can shoulder most of the risk
Further:
> It's extremely straightforward to not share data with a "fly-by-night" website like this.
Not if you're using the site. The €20 million fine OP is worried about is only triggered in case of an actual leak of personal data. If you're seriously worried that you might end up leaking personal data, maybe you shouldn't be storing it to start with?
The author is clear that they are concerned with having to defend themselves in court.
The fine is the bait that draws the true threat.
The fines are imposed by the government; in the UK that means the ICO. They cannot be levied as the result of a lawsuit brought by private parties. The ICO also has discretion when levying fines, and they've stressed repeatedly they will not be reaching for maximum penalties.
GDPR offers the prospect of big fines if you screw up badly enough. It also is likely to lead to a lot of lawsuits. But there are totally separate issues, and cannot be conflated as you are doing.
OP might get sued. And he might get fined for €20 million (although realistically...no, of course not). But he won't get sued for €20 million.
> The fine is the bait that draws the true threat.
That's simply incorrect. You're looking at a normal civil case, with normal damages.
The risk remains.
We started out talking about the risk of an opportunistic civil suit filed by a law firm working on a contingency basis seeking a €2m payout; now that we've established that isn't possible, we're talking about the risk of an actual fine for breaking an actual law levied by an actual regulator (who is on record as saying that large fines would be a weapon of last resort in the most extreme cases).
So other than the risk being much lower, the likely penalties much lower, the chance of an unfair outcome being much lower, and the incentives and mechanisms being completely different...
...sure, the risk remains.
The question is more on the side of, is the cost worth it? A good and much longer-running example of this is in the medical industry. There are massive regulations around development of new drugs and treatments. Massive regulations around experimentation on humans. This stifles innovation and prevents potentially life-changing drugs from making it to the market faster, or sometimes ever. It also prevents a lot of other things, such as crackpots from entering the mass market and selling poison as an anti-aging drug.
Is it worth it? There's still debate about this today, especially when promising cancer treatments are taking years/decades to reach the market (=> how many lives are lost during that time? What's the tradeoff for someone who is terminally ill anyway? etc). I'm not nearly informed enough to pick a side in that debate, but it goes to show it's not necessarily a bad thing for "fly by night websites" to be heavily impacted by regulations like these.
Part of my concern is that in order for those regulation-solving businesses to have a working business model, they can't just support every stack under the Sun. Instead, you'll get something like GDPR for Azure™ — which means that it'll be that much more expensive for a startup using an outside-the-box stack to get started.
That's the point of a lot of regulation, really: to insulate firms which already exist from disruption.
The question, then, is whether a small "business" that's closer to a charity or a resume padder needs to be regulated in the same way as Facebook when it doesn't collect data on the same scale. I don't think this applies to medical startups, where human lives are at the same risk regardless of how many customers are using the tech.
The online ad-tech industry is pretty fragmented [1] and widespread data-sharing would certainly be a problem even without the larger companies. It's not like Google or Facebook invented it; this goes back to nearly the beginning of the web. And the offline component goes back even further.
[1] http://static.adweek.com/adweek.com-prod/wp-content/uploads/...
Related to GDPR i can definitely see a similar situation developing where large entrenched player leverage it to gain an unfair competitive advantage against startups who could threaten then in their market, using the same FUD tactics. This is a silent killer which will wipe out grass roots innovation in Europe.
I also think it’s going to be pretty harmful to startups, and that we’ll see more businesses just trying to avoid Europe at all costs. Regulation like this can either be easy to comply with, or they can be effective, you can’t really have both at the same time. Even then it just boils down to the old tension between security and compliance. I work with a lot of PCI orgs, all of them have AoCs, very few of them are actually what I would view as compliant. They all managed to satisfy the box checkers, but the DSS doesn’t do much to protect the consumers in most situations. The reality is that the DSS is just a mechanism of shifting accountability around, which is what I see the GDPR as. A bunch of politicians using poorly written regulations to shift accountability on to the market.
God forbid we try and apply some of those ethics to IT. (Europe is big on privacy, again a somewhat hard-learned lesson.)
To compare PII to medicine is trying to invoke an emotional reaction, not a reasoned one. I don’t think this regulation is well designed at all, I don’t even think it’s going to achieve half of what it’s trying to do. But it will achieve increases compliance costs to pretty much every company, costs that will put startups at a serious disadvantage to established companies. Europe thinks they’ll have some protection by claiming every company in the world must comply, but only time will tell how that will work out for them.
Second, Europeans take privacy serious, and it's a right for us, similar to free speech in America. Also, while not as bad as some medical risks, identity theft is not fun. But, yeah, the risks are different, and the GDPR is pretty mild compared to medical laws, no? I mean in Europe, you can't advertise prescription drugs.
Third, Europe is not claiming every company in the world must comply.
But if you're mad at governments overreaching, maybe you could sort out the requirements FATCA/US tax law puts on foreign banks, or the US attempting to extradite "cyber criminals" before you get to the GDPR?
In any case, none of that responds to any of the points I made. The EU does think this regulation applies to every company in the world (unless you can somehow prove you don’t handle any EU data subjects data - which almost no company could do). One of the reasons being that they don’t want to only hamstring European company’s with it, as that would be a very poor strategic move for their markets. How enforceable this ends up being is entirely unknown at this point, and you can bet there’ll be a lot of legal challenges ahead regarding this.
I would imagine it's incredibly easy for many US companies, like e.g. a restaurant or a tire-repair shop to prove they don't explicitly go after EU subjects.
Since I was elaborating on how the EU and EU nationals feel like the GDPR is appropriate in addressing the risk of privacy violations - which part of that did you feel like didn't address your comment of "Except that approach ignores the nature of risk"?
This does completely ignore the nature of risk, because it does not consider impact at all, which traditionally accounts for 50% of total magnitude. A SaaS company with 50 customers has to comply with exactly the same set of regulations as Google does, and faces €20,000,000 fines, regardless of the fact that the small company poses a quantifiably smaller risk to PII. There’s also an argument to be made that the small company is less likely to become the target of a sophisticated attack, as an adversary is much less likely to invest huge amounts of effort into breaching a small set of PII.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
So it's simply not true that "you are in scope for it, regardless of whether you intentionally solicit EU customers or not." I could continue, but I suggest you actually read it if you're going to argue about it.
So spare me with all this "risk" bollocks. You're just another person willfully misunderstanding our laws, and spreading FUD to try and impose your culture and your rules on our society.
[0] http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...
The GDPR just made that gift more expensive. If he's not doing anything deliberately shady, then the probability that he'll get fined is small; but a small probability times 20M EUR is still a big number.
Maybe I don't understand the GDPR well enough, but the statutory fines seem insane to me. Why do you think 20M EUR is the right number here? Or am I missing details of the law (the law, not how you expect it will be enforced) that mean his actual maximum liability is smaller? Do you just have extraordinary confidence in the regulators to "do the right thing", and thus no qualms about giving them the legal authority to ruin his life?
Perhaps it was unintended to increase the potential burden of monetary cost to running services that were created and provided as hobbies or otherwise as a goodwill gesture to others. Or maybe the regulators didn't care to consider the impact on such services. Or maybe ...
Regardless, thanks to regulators and data/service silos the web we once new or dreamed of is fading from reality. With just the silos to contend with such services could hitherto continue to exist with little concern for the actions of the behemoths; but now such an existence is threatened by regulatory concerns which blanket all regardless of their role and activity.
Perhaps the correct action is to blackhole .EU?
A defensive piece you've made completely misunderstands how a business works in terms of the decisions made regarding risk, especially to an individual who lacks bandwidth/resources.
According to your post, you only expect well endowed individuals/large businesses to be compliant, which is precisely the problem.
I fully support protection against physical locations and personal information (name, address, etc), but to include email and IP address seems a little excessive.
It's not a perfect solution, but I'm not sure there is one.
Single member LLCs allow piercing of corporate veil pretty easily.
Ah, that's exactly it. Decades worth of software irrevocably centred around tracking and analytics.
It would be glorious to see it all thrown in the fire. We can write software and protocols that don't spy on people. Let's get back to that.
Disregarding the "hoops" -- shouldn't this 4% go entirely to the affected users? I thought this was meant to protect the users. Seems like a cash-grab by the government. Can someone make a good argument as to why the fines should be paid to a third party (the state) when this issue is between the service provider and the customers?
The only thing I can think of is that the state is the only entity which can enforce the new rights, meaning they get paid for violations of the rights. Still, if someone threatens the integrity and privacy of your data, shouldn't the damages be paid to you?
Much like class action lawsuits, the end user doesn't make much. The lawyers or the state, which go to great expense may recover their expenses, or they may not. The largepunitive fine is to prevent the suits from ever happening in the first place.
There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated, where are you getting that idea from?
Roads are usually state-owned property, whereas your personal information is your property, right? If Alice mishandles Bob's property, why is Charlie getting paid for it?
> There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated
Why not? The site-customer relationship is the only relevant one here. What prevents a profitable, large-scale data mining company from simply accepting the Max(4%,$20m) = 4% tax for mishandling data?
A $20m dollar fine would surely deter smaller actors, but the 4% fine doesn't seem like a deterrent for large-scale data-mining operations, which can be incredibly lucrative. For example, if Facebook had the choice between not using the data and making $60b per year, versus using the data and making $90b - .04 x $30b, wouldn't they accept the tax and continue using the data? If this is the case, I don't see GDPR making a big difference if the highest-market-share companies can "get away" with paying the fee.
This would increase the gap of viable profit models between smaller and larger companies, at the sole benefit of the state, with little, if any, benefit for the victims (the users). Of course, I am assuming that there is no criminal penalty for noncompliance. The government might think: why impose a criminal penalty if the state can simply tax large corporations for the mountains of profit they are making off of insights from personal data?
The reason is that certain violations aren't simply seen as person-to-person violations, but disturbances of the general order that have ripple effects on the rest of society.
European countries in general are more prone to seeing something like the violation of business law as being a crime against the state, not just a violation of the specific people who were victims in that specific instance.
It has upsides and downsides, but I think in general it's better than the US system. American companies tend to have to worry about compliance with regulators and the possibility of huge payouts from court cases filed by individuals. If you have a small company and screw something up (but not much more than other companies in general) you can go bankrupt mainly due to bad luck.
In Europe companies tend to mostly have to worry about just the regulators and the state, except in cases of gross negligence, which makes it easier to predict when you need to be compliant etc.
There's also the practical matter that the state has a lot more leverage against the likes of Facebook and can exercise collective bargaining. You can see how well this "your personal information is your property" idea is going in the US with the likes of Equifax, Facebook etc. In practice the little guy just has to eat the TOS of these services and doesn't have anything like a property right over his information.
As to your question of whether some companies will simply eat the 4% fine. We'll see, but that's a topic unrelated to who the fine is being paid to.
If some company like Facebook were to publicly flaunt the GDPR you can bet they'll find something else to charge them with. The GDPR isn't the only privacy regulation in effect, there's also various national regulations that could be brought to bear. The threat of the 4% fine is mainly intended as a big stick to bring companies into compliance.
My fear is that patent-lawyer-style firms will start aggressively blackmailing companies for "settlements" or they will begin tons of GDPR-based violations aimed at your business.
People's reaction to their data being scooped up by Cambridge Analytica just because a facebook friend did a survey proves the need. What CA did was probably legal, but in most people's minds should not have been legal.
Is there? What if people just accepted responsibility for carelessly handing out information to third parties? Certainly there is much more individuals can do to protect themselves before the government steps in and slaughters small business like the EU did.
> but in most people's minds should not have been legal
Do people think a company selling user data to another company should be illegal? Or are most people more concerned with the relation said company has with Russia, and their potential involvement in influencing the US election? I think it's the latter. And certainly there should be laws about data transactions involving the state's democratic security.
> What if people just accepted responsibility for carelessly handing out information to third parties?
Without being legally compelled to, few companies have been forthcoming about providing users with information about what they are disclosing and when. Consent is being given, but not informed consent.
It's not _their_ data. This is the part that drives me nuts. When you give something to facebook, it's no longer yours and you loose control of it. It's like this for _everything_. That nude you send your SO? It's out of your control. That nude your SO took of you? It's even less in your control.
If you don't have a service agreement with someone, it's not your data. It will never be your data. Stop pretending.
It's dangerous to let people think they control data they hand to other people. They don't. They never will. Why perpetuate the illusion?
If I put my money in the bank, that does not actually make it the bank’s money. They have the right to do things with it - invest it, loan it, but there is an agreement that it has not been perminantly given. That agreement is backed by consumer protection, insurance, etc. and the bank, no matter how much they would like to, can’t make me sign a EULA that makes my deposits theirs.
Which are mainly extensions of harassment law (again, not something you control, but a penalty after action).
> If I put my money in the bank, that does not actually make it the bank’s money.
You also have an agreement with the bank as such. If I just gave it to some guy on the corner (or PayPal) then, you know, whatever is just as possible.
I’m fine with punishing companies after they violate data protection/privacy laws.
> You also have an agreement with the bank as such
I’ve not read many bank agreements but I don’t believe they say anything like “the bank can’t take my money to the casino and put it all on black”. Yet if they do that they’ve broken the law.
Or it could be the people running 100-user-or-less sites are trying to see if they can just leave their sites up, ignore the "oh yeah, well your web server has IP addresses in your LOGS doesn't it!? Well guess what, OUR logs show an EU IP address, so you know what the letter of the law let's us do? €20 million fine, you data slurping fiend!!" frivolous lawsuits in hopes of keeping their little side project which while (maybe) technically noncompliant, aren't actually using the data for those nefarious purposes, only DDoS and spam mitigations.
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union;
I mean this should really be:
> the offering of goods or services to such data subjects in the Union, irrespective of whether a payment of the data subject is required;
I mean why put that sub-clause in the middle of the sentence to which it relates? Seems bizarre to me.
Yeah man, that's why we have the safest cars and airplanes in history, because of the free market, not because of regulations. I'm sure that United Airlines, who literally dragged a passenger from their airplane, would have invested a ton in passenger safety if not forced by regulators.
Sarcasm aside, laws do work. There's a reason the most developed countries in the world have a very strong legal system. You give up a bit of freedom (which is a bit of an obsession for Americans) in exchange for a lot of protection from various nasty things people do to each other. As a result you sleep better and you get the side benefit of a special brand of freedom: freedom from fear from your fellow human beings, from their arbitrary whims (to a reasonable degree). Unregulated societies look like Somalia. Trust me, you wouldn't like that brand of freedom ;)