Ask HN: Has anyone made a GDPR graveyard?

38 points by lwansbrough ↗ HN
You know, sites that are shuttering because of the risk/burden GDPR is placing on them. I've seen a few so I'm wondering if anyone is compiling a list. Such a list would be politically really bad for politics in the EU, I think.

130 comments

[ 3.2 ms ] story [ 218 ms ] thread
Why?

The GDPR is made to protect people from scrupleless companies and practices.

Not all companies are good citizen (Cambridge Analytics comes to mind), and as a european I say "Good riddance".

For normal companies doing normal things with their data, the effort is mostly documentation and good-willed "try to abide the rules".

If you followed the spirit of the pre-GDPR rules, you would almost certainly be compliant without much work even for the GDPR - at least here in Denmark.

But if you business is exploiting data, you collected with questionable methods - then yes, you are going to have a problem...

I would also like to see the graveyard site, mostly because I would then have something to point to when showing that the GDPR works as intented...

> The GDPR is made to protect people from scrupleless companies and practices.

This ignores the vast amount of legislation that creates an enormous legal burden for small companies.

> Not all companies are good citizen (Cambridge Analytics comes to mind), and as a european I say "Good riddance".

Not all companies in violation of GDPR are bad or negligent.

> For normal companies doing normal things with their data, the effort is mostly documentation and good-willed "try to abide the rules".

> If you followed the spirit of the pre-GDPR rules, you would almost certainly be compliant without much work even for the GDPR - at least here in Denmark.

Until someone sues you and you have to prove that.

> But if you business is exploiting data, you collected with questionable methods - then yes, you are going to have a problem...

Quite often, data can be both in the "public interest" (not the definition legally defined by GDPR, just that there's no reasonable expectation of privacy by the data creator) and "expoiting" -- such as data derived from pseudonymous sources but could be argued as PII, even though practically speaking, it isn't really.

> I would also like to see the graveyard site, mostly because I would then have something to point to when showing that the GDPR works as intented...

Most of the sites I've seen that are dead-by-GDPR are small businesses that weren't doing anything any reasonable person would be against, but a single takedown request could be over-burdening for them to respond to as it may have merits by the letter of the law.

If you are an European company, most of this stuff has been the law for decades!

Running a project/company means taking on risk. Financially and otherwise. Why is data-care risk so much worse?

And sueing is only going to happen in the US. In Europe getting sued is extremely rare. I expect most DPA (gov bodies handling this) starts out with a kindly worded letter. You comply, nothing happened.. (Most other legislation works this way in Europe already). Fines are mostly for repeat-offenders or clearly black sheep.

In the US, who knows... Most europeans are baffled by the courts and cases in the US. But I think US companies have to be handled by an EU DPA anyways, so we are back to the letter again..

I run a small company (two employees) and I am not concerned. I know a lot of small companies, they are mostly not concerned. I know a few larger companies, they are not concerned (unless they have data handling as their main business).

My own work in this has been somewhere in the neighbourhood of a workweek. Not any worse than complying with tax-law...

There is also no "automatic 20M euro fine". Most matters are likely handled by a kindly- or sternly worded letter, or a small fine (in the 5-20k EUR range for small companies, which sucks but shouldn't kill you....

I work at a company that stores highly confidential PII. Statements from doctors and the like are just some of the documents our system handle.

We're not that concerned. The general consensus is be responsible with the data, make it possible to actually delete something, and show reasonable effort to implement the directives or have a reasonable plan on how and when to implement it reasonably. It's not a big deal as this is how it should have been done in the first place. Only not it's formalized into law.

You're very naive about this situation. Just because the possibility legally exists already means that you're taking this into account when calculating risk.

Also, EU tax-law is one of the reasons that small digital businesses have suffered in recent years. The VAT fiasco was very poorly handled and it's still ongoing.

What?

(disclaimer: i don't sell services outside a few countries)

There is a solution called One Stop VAT where all comminication and reporting goes to your home-country (given you are an EU company).

All your taxes are then calculated at your local rate (as I understand it), execpt for companies with a valid VAT-number, where reverse tax is standard (i.e. zero-rated tax).

https://europa.eu/youreurope/business/vat-customs/moss-schem...

A single takedown request could be over-burdening for them to respond to

If a company is unable to remove your personal data, then by all means let them go under.

You pulled that statement out of context, which is that the site may be doing something that is perfectly acceptable, but with the addition of legislation, the claim is now much more serious and requires legal consideration. This is particularly troublesome if the request is made in bad faith, which is a great way to "DDoS" a company/individual.

Why, in the case of a single individual running a website, is it suddenly their responsibility to properly manage someone else's PII? Where is the responsibility on the individual whose PII it is? How did the PII get there in the first place? Surely it should be considered negligent to hand out PII to a company whose business model is transparently selling user data.

That is a straw man argument. No matter what I hand over to a business or single person running a website, it's their choice to store this information. It is absolutely their responsibility to do so transparently, securely and allow me to determine when to delete it again if I decide so, and you have no other reasonable reason to store it.
People are downvoting you because they don’t understand that downvote is not for disagreement, but for a comment that doesn’t add to the conversation while yours clearly does. I am going to be downvoted for saying this but functional illiterates are everywhere.
I downvoted you because you insinuated that the other side is only whining, which in itself is not adding to the conversation.
> If you followed the spirit of the pre-GDPR rules, you would almost certainly be compliant without much work even for the GDPR....

Have you deleted all of your blog's comments and/or asked everyone who previously commented on your blog for new GDPR compliant consent? Because that's one of the GDPR Graveyard events I'm seeing - people deleting their personal blogs and disabling comments as the easiest way to remain compliant.

Why?

Article 2c (excemptions): "by a natural person in the course of a purely personal or household activity"

Some of his blog also discusses his technical work, so it can be debated whether it is or is not "purely personal or household".

Either way, it's vaguely worded enough that for someone who doesn't want to deal with compliance and laws and doesn't want to pay a lawyer just to know if they can keep writing a blog, the path of least resistance is just to delete everything.

That is crystal clear personal activity to me.

Also which protection worthy data does the comments contain? Most likely none.

Email addresses, account user names (especially if they commented by logging in via Twitter account). Personal website URLs if they included it. Maybe IP addresses on the server end but hopefully not. All of those are personally identifiable user data.
And all of those are allowed (usually) due to normal "business-as-usual use" (fraud/spam prevention).

And as said, a personal blog is except by definition...

(edit: they are allowed, not excempt due to normal-use)

Please stop saying IP addresses are personal data. They might be.
Yes, you are totally correct. It could be personally identifiable if it's a static IP or something, but most often it isn't entirely personal.

You are right. I apologize.

> Why?

I doubt these people have actually read the law. Its always easier to overreact and panic, rather than adopt a measured response.

That's certainly the traditional response when complaining about Health & Safety legislation. Whine and overreact and get it wrong.
I'm pretty sure most overreacting responses I am reading about come from Americans and little-used services. I think many of them might just be trying to get some kind of publicity and sympathy, playing on the "regulation is bad" theme.

None of the actual businesses I work with, in Europe, most of which actually do handle personal data, are actually worried or even annoyed (much less considering shutting down).

From what I see, these overreactions are also in great part due to a lack of understanding of how law works outside the US - ie. maximum fines are just a maximum, letter of the law is not what counts most, the government isn't out to get you, judges don't have any incentive to extract money from you, etc.

But that's part of it: it's better to be safe than sorry. Having comments on your blog has very marginal benefits for you, but if you feel the risk is large, then just delete them. No single blog losing comments matters much, but in aggregate it can be a shift in culture to less discussion.
I doubt it. We had plenty of discussion before comments on blogs.

If anything, I’d prefer an internet without inane comments from mouth breathers.

If the blog has ads on it, is it still defined as "purely personal"?

If the answer is "I'm not sure", why take the risk?

No, but why not skip the ads then?

Either you earn pennies (and it shouldn't matter) or you should follow the commercial rules...

Or block everyone in the EU from your content perhaps, which would also solve the problem.
Except perhaps that BigCorp employees might exit their corporate network from an non-EU address, but they are still EU citizen and hence protected...

If you want to block them, you would most likely have to ask them their nationality or require them to attest that they are not from within the EU...

Because those "pennies" can and do matter when your monthly income is 500 euros otherwise.
A blog with ads that isn't compliant with GDPR is probably already not compliant with PECR or DPA.
I largely agree with you. I'm happy that GDPR is meant to protect consumers and frankly, it's about damn time something was done about protecting our personal data.

What I challenge, though, is the assertion that it's easy to comply with if you're not doing "shady" things with data. The law is so broad and sometimes subtle/ambiguous that it COULD turn out to be a nightmare for just about any company. The safety here really is in not being on the short shit list of regulators. And one might end up on that list for any number of reasons unrelated to data protection (eg. size, market position, media coverage/populism).

All laws are broad. The current practice is either written in more specific (easilier modifiable documents) from the agencies or defined by "current best practice".

In (western) european law there is a "bonus pater" consideration, which means did you expend a reasonable effort to know and be compliant.

The same goes for all other legislation.

I for one am awaiting a visit by the work-safety agency within the next month (the have notified me, that they drop in unannonced with the next 1 to 3 months) two months ago.

That too is neboulus legislation, but I am confident that I have offered my best effort to make the workplace safe, and I am likely to not have any greater reactions that a verbal instruction to be better on certain points (if I have overlooked something).

Obviously the preparation considered "resonable" differs for a three person and a thousand-person company...
> The safety here really is in not being on the short shit list of regulators. And one might end up on that list for any number of reasons unrelated to data protection (eg. size, market position, media coverage/populism).

You might find reassurance if you look at how the regulators already work. They've never sought the maximum fines, and they only apply fines in the worst cases. The vast majority of infringements are dealt with by sending letters asking the company to come back into compliance and explaining how that might happen.

(comment deleted)
I'd be interested in this, though I don't think it will have any political impact. Here is one person deleting their personal blog's comments & (already confirmed/double opted-in) MailChimp list as the easiest way to stay GDPR compliant:

http://alastairjohnston.co.uk/oh-gdpr-what-have-you-done/

That's cause his blog is full of Javascript shite, including something that prevents me selecting the text, or right-clicking.

> "what I can’t be sure of is what happens to data that passes through the various apps, WordPress plugins, cookies etc that are part of this blog, but not controlled or run by me."

This is a dumb argument, it's his personal blog, it's controlled by him. That including how much JS and social media trackers to stuff into each page.

With comments, it's easy. Somebody wants you to post the comment, which is why they submitted it. No extra consent needed, although maybe they'll want it deleted in future. Of course, an email address is required to post, but "it will not be published". Why exactly is it required then?

>With comments, it's easy. Somebody wants you to post the comment, which is why they submitted it. No extra consent needed...

No, that's the point - consent is required for that. And for the consent to be explicit, some are advising it needs to be a Modal blocking dialog that prevents the user from using any other part of the website before dealing with it, and that demonstrates the user did actually scroll through all the privacy terms, not just ignored them and clicked the checkbox.

> This is a dumb argument, it's his personal blog, it's controlled by him. That including how much JS and social media trackers to stuff into each page.

That's fair. I know I've personally been deleting Google Fonts and Adobe Typekit and hosting my own webfonts instead as a result of this. I'm still figuring out how to best replace Google Analytics, and looking to remove any Twitter & YouTube embeds I had in old posts that could possibly track visitors. (I agree that is all a good outcome of GDPR.)

I'd say posting somebody's comment they want posted qualifies as legitimate interest, and therefore doesn't need consent. What other reasonable expectation could a person have that you'd do with that information? No need to overthink or overengineer this.
My understanding is that's not sufficient. Here's where I personally got very worried (sorry this is so long):

MailChimp recently sent out an email to their customers advising that all their current HTTPS Submit forms are not GDPR compliant. They're rolling out all new submit forms in May that have legalese that must be explicitly agreed to, in addition to the Email field & Submit button. It's a Modal blocking form so the visitor can't possibly do anything else.

Here is an example of their new modal submit form, it's a doozy:

https://kb.mailchimp.com/binaries/content/gallery/mailchimpk...

I don't do any "customized ads" or "direct mail", but apparently that boilerplate of legalese and "we use your email address to send you email, tick here to confirm you want email" is still required. It's a bit like the Cookie notifications all over again.

I realize I haven't directly responded to your blog comment submit button, but I hope this explains the motivation / understanding behind my comments here. I too would have thought an email field & submit form would be a reasonable expectation, but the form designed by MailChimp's lawyers is way more legalese & boilerplate than I ever anticipated would be required by GDPR.

(Honestly, I do also get the comments here about "you're not going to be caught or made an example of so don't worry" too. In practice I will do what I can to be compliant, listen to what my visitors & customers want, and hope for the best.)

Of course it's fucking sufficient, that's literally the definition of "legitimate interest" [0]. I write comment. I want you to publish comment. You publish comment, and don't spam me - maybe even don't require my email.

If you say, "hey, provide your email, and I'll send you newsletters and you can unsubscribe at any time", and I say "sweet, sign me up", and then you only send me newsletters with no tracking or adtech, that's legitimate interest.

If you use a third party, if they store only the minimum necessary and don't use it for anything else, that'd be fine to. E.g. obviously they need my email address, but only for sending the emails.

And if Mailchip were decent, they'd just send out plain emails. The problem is probably their emails are full of tracking links and other adtech garbage, and who knows who they sell info on to?

Then again, they call themselves a marketing platform, not a newsletter service, or email sender. Kind of obvious.

Also, that's a shitty dialog. Mailchimp's private policy and terms are probably largely void under EU law anyway, just by being almost incomprehensible by the lay person. How am I supposed to give consent freely when it would take days to read? Probably best to avoid Mailchimp. Thanks GDPR!

Edit: ordering

[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...

It'll be interesting to see how this plays out. How explicit does the consent need to be? How obvious do deletions need to be? Will server location cause problems?

It seems obvious that comments won't cause an issue but because of the fluffy language of GDPR some interpretations could make simple things like this problematic.

The GDPR is not fluffy language per se, just for people used to the overworked American style of legal documents where everything needs to be explicit.

Also, people seem to get hung up on consent. There are several lawful basis for processing data, consent is one of them. It's also the most abused, so it's the most heavily regulated in the GDPR. Ad-tech and the scummy parts on the web rely on "consent" (or lack thereof).

Normal website usage like eCommerce or even posting a comment can use other bases, like most legitimate interests - that's why they call it that.

Right to erasure is also fairly obvious as far as deletions go. Right to restrict processing is a bit trickier. Server location is also much more interesting, due to the infamous and rather shaky Privacy Shield.

> Such a list would be politically really bad for politics in the EU

Why so? I'd be happy to see such a list of shame. You know, companies already quoted here on HN as "clearly unable to get the consent" (of the people whose data they're processing). Let's see who they are and what they were doing.

Exactly this. Companies shutting down make it look like a bully GDPR made them do it but then HN commenters indicate that these companies primary business was selling customer data:

> Streetlend made its money by selling your privacy data to advertisers through Amazon.

Source: https://news.ycombinator.com/item?id=16955709

I am absolutley speechless about the number of people who seem to consider data protection to be an unreasonable burden for a company. Complying with GDPR is pretty straightforward:

- Don’t keep data unless you have to

- Get explicit consent for keeping data

- Keep the data you have secure

- Allow users to see their data and know how it’s used

- Allow users to delete their data

This is inline with regulation in other fields: worker rights, food hygiene, health and safety etc.

I look forward to seeing your list, because it will be a list of companies you are lucky you will never transact with.

I don’t agree with you. Here’s the reason, explained better than I would: https://news.ycombinator.com/item?id=16955013
> The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).

But in that situation the regulator writes to you and asks you to come back into compliance. And so you then either write back and explain that you don't think you're not complying, or you write back with a plan to come back into compliance and ask if that's ok.

I’m starting a company focused on consumer data. It’ll be opt in. I don’t have a lot of resources. I’ll just use Cloudflare to block Europe until I see if it works as a business elsewhere. If it does then I will add Europe by figuring out how to comply with the GDPR.

Europe will get less innovation but have more privacy. Not sure what’s better for society but time will tell.

> Europe will get less innovation but have more privacy

You know Europeans can build software too right? The start-up culture is a lot less than in the USA - but we're getting there. Perhaps Americans will also realize the importance of privacy and data protection, and thus opt for European software. It's hard to predict.

Until your competitors figure out they can sue you for non-compliance in your early stage, then you have to mount a defence proving that your software is in fact compliant, but by then it won't matter - your company is competing with an unrestricted American company that can profit off the data and is ready to acquire your company using the profits.
EU does not work as USA in that regard. No private entity can sue for anything relating to GDPR, that is up to the EU courts and the DPAs. What they can do it highlight issues with the appropriate DPAs and if you make reasonable efforts I doubt that much will come from it.
There are many EU countries with enough corruption that a deep pocketed incumbent could "suggest" that a DPA bring suit.
If you live in such a place, no amount of regulation is going to save you... Neither more or less...
Am I mistaken in thinking that any country in the EU can pursue any business in the EU for violations of the GDPR? Corruption in one country can affect businesses in other countries.
That would really surprise me. Each country has an independent DPA, and I would expect "foreign" cases has to be redirected to the local DPA. Only EU level stuff usually have interstate mandates...
There is also the language barrier and geographical considerations (travel).

I am sure you (as a european in country A) could ask your local DPA to assist or forward a complaint to my DPA (country B).

The same goes for the financial regulation and lots of other stuff already...

".... This means that if your organisation conducts cross-border data processing, the GDPR will require you to work primarily with the supervisory authority based in the same Member State as your main establishment (usually your EU headquarters) to achieve compliance. This enforcement body will be your ‘lead supervisory authority’ for all privacy related matters.... "

https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-top...

That sounds more reasonable for European businesses.

Curious: why did you reply to yourself instead of editing your post?

To keep the history.. I generally don't like to fix post except for typos or unclear passages..
And

"Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State."

Article 55 (1)

Most of article 55 and 56 are relevant in this case..

What are you talking about? Competitors cannot sue you over GDPR, this is not the US.
>You know Europeans can build software too right?

As a European it sure doesn't seem to be that way. I'm using Windows, Google, Wikipedia, Youtube, ycombinator, Reddit etc. Very little European stuff in sight, despite the fact that the EU has a much higher population than the US.

This kind of extra regulation is one of the reasons why Europe is so much weaker in digital technology. It's not the only piece either.

When judging a burden to be reasonable or unreasonable for a company are you talking from the perspective of the business owner or simply as a spectator of the whole shit-show?

Because things are quite different when you start digging and trying to implement GDPR as opposed to just reading about it.

Yeah, I’m pretty well-informed about what’s going on, and work for both a data-heavy tech company and a start-up. We’re implementing some changes to deal with the requirements, and it’s fine. I’ve yet to hear from anybody about what specifically is difficult to comply with, beyond “it’s all a mess” or “shit-show” etc.
Invariant Truth Number One: Any irritating issue in any sprint at any scrum shop will be described at shitshow, a mess, etc.

Number Two: If your software's a mess, then unanticipated forced changes are a worse mess.

Firstly - I yet have to get solid definition of "personal data". Is it my name or is it "1.8m tall guy in green T-shirt who is head of team X"? Definition is so blurred (or so board) you can virtually classify any data as personal.
We go by the definition of "if it can be used to build a profile, it's PII". So your example is PII. If you want to store that information, anonymize it and you might actually don't have to do much to comply with GDPR.
Does that include IP addresses? How do you anonymise it such as you can be sure it cannot "be used to build a profile"?
Why would you keep the ip-adress in the first place?

If it is for fraud-prevention, then that is sufficient reason to keep it unanonymised...

3 reasons to keep the IP: statistics, analytics, and fraud prevention.

Anonymizing it does not seem to solve anything, since the anonymized version "can be used to build a profile" so "it's PII"...

If the information can be used to build a profile linked to me, it's PII. If you do not and cannot link it to me, then it's no longer PII. That is kinda in the name, Personally Identifiable Information. In short, if the collection of information can point to me, it's PII. If it cannot point to me it's not PII.
Problem is, if we take it to extreme, we are basically playing Cluedo game. Is "18 year old" PII? - no Is "orders pizza every Friday" PII? - no Is "always misspells word cheese" PII? - no Is "leaves 10% tip" PII? - no Combine it and you have PII.
And rightfully so. If the collection points to me, then it's PII. Anonymized it might be "is between 18-25 years old", "orders fast food once a week", "tips between 0-10%".

Just because something it murky, doesn't mean businesses get to ignore it. The entire point is to force companies to actually think about what their data is and decide if they need to store PII. If they do it have implications. Have a reasonable explanation for choices, and are willing to rectify issues pointed out by consumers and/or DPA.

> 3 reasons to keep the IP: statistics, analytics

That's exactly why GDPR is a good thing. It prevents anybody from doing statistics and keeping analytics about the users. Want to collect this information in order to profile your users and offer them a better product (ndr. better ads)? Well tough luck. You either anonymize and stop profiling and tracking your users or you close shop in Europe. I don't see how this is a bad thing in any possible way. You say it costs money? I guess then some of the money they made by targeting users and selling their personal data so far can be put to good use.

Please note I was NOT talking about selling personal data, ads or ad-targeting in any way.

Just regular analytics and statistics of usage and environment to simply improve the product.

Have a login system? You're likely storing email addresses, which are considered personal data.
If the user gives you their email address to register, you can ask them for consent to store it. In fact, most European websites that collect any kind of personal data have already been doing this for over a decade.
Personal data is any data that can be used to identify the user, so yes "1.8m tall guy in green T-shirt who is head of team X" is absolutely personal data[0] (see specifically "an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;").

In general, and especially if you want to play it safe, any information the user gives you about themselves (this includes things they don't explicitly give you such as IP address) is considered personal data.

[0]https://gdpr-info.eu/art-4-gdpr/

> personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

From the Wikipedia article about GDPR [1]

[1]: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Not "relating to", but "can be used to identify a natural person".

An IP addres, for example, isn't automatically personal data. It might be if you can link it with other information that can be used to identify someone.

Is it enough to identify a person?

Name alone is probably not as many people share names, unless you have an unusual name. Add address and phone number and it will be. IP address on its own is not.

Is "1.8m tall guy in green T-shirt who is head of team X" enough to identify them? If so it's personal data.

Most of this applied to the Data Protection Act too. GDPR adds some items like biometrics

Everything you mentioned is considered PII according to GDPR.
From GDPR itself:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

My emphasis.

OK. I'll bite. Starting from your list of "straightforward compliance" here are a few things which a small business owner cannot figure our without an expensive lawyer.

1) Define "unless you have to". Am I allowed to keep business correspondence with a bad customer? With a prospective sale? With an old customer who may come back some day?

2) Define "data". Is the IP address any user sends to my site in order to simply access it "personal"? Does that mean I can't have logs? How about backups of those logs? Do I need to change the tools I am using that already generate logs? How straightforward is that?

3) Can I have analytics of my visitor base in order to optimize their experience? To understand churn and conversion rate?

5) Can I have statistics in my apps in order to understand and optimize their usage for the users?

6) Keeping data secure and allowing users to see and delete it will simply require other tools. That is not gonna be cheap or straightforward in any way.

Now I am not saying this is impossible. I am just saying that it's expensive and difficult, especially for a small business. NOT straightforward.

> Is the IP address any user sends to my site in order to simply access it "personal"?

No. Something is only personal data if it can be used to identify a natural person.

Are you willing to defend this answer in a court of law? Many GDPR lawyers disagree...
The IP address IS considered personal data by european courts.

You can be compliant by either only storing an anonymized IP address (set the last/couple of last to 0) or by not storing the IP logs at all. However, there might be resonable situations where you need the full IP address and the GDPR allows to store it in this case, but only for a specific reason and a limited time, and only if you documented it so the user is aware about the process. Reasons could be fraud protection, consent documentation (mailing list opt-in), error handling and so on ... but not "we don't really need it but store the IP address anyways without informing our users".

See here: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

"Examples of personal data: a name and surname; a home address; an email address such as name.surname@company.com; an identification card number; location data (for example the location data function on a mobile phone); an Internet Protocol (IP) address; a cookie ID; the advertising identifier of your phone; data held by a hospital or doctor, which could be a symbol that uniquely identifies a person."

To be honest, this one feels in conflict with keeping the data secure. The full IP address may be important to forensics in the instance of a data breach.
The point you forgot:

- Understand the big ball of legacy you've deployed over the years.

Tough luck. Really, it's no excuse not to handle PII properly.
Oh, I agree with that. But the phase-in could have been gentler on the unknown legacy software people do run.
The regulation has been known for years.

BigCorps, I work with, have been working on this for years...

If you start now, then you have a problem.

Also, I expect there will be quite some years before the book is thrown on companies, that do not willfully disobey the law..

As most new major legislation, there is a long process of dialing it in (for the lack of better terms), and in most north- and western european contries (at least, I don't know that much about eastern and southern european) most regulatory handling is dialogue-based and not fine-based unless you are a black sheep..

I suspect that there are many contours of the law that European regulators are not entirely decided on. The next few years will be a learning process for them as well as the tech industry (and their lawyers).
Sure, that is what I meant by dialing in.

But that is a process without fines (unless the companies are entirely unreasonable)...

At least here in Denmark, the DPA is really reasonable and willing to work with the companies to get compliance...

The source is eluding me, but I'm pretty sure that Datatilsynet (DPA in Denmark) have stated that as long as you have a reasonable plan for implementing GDPR in a reasonable timeframe, you're in the clear. I'd expect as much as they have only recently released their standard documents for Data Processor Agreements for instance.
We've had data protection law for 20 years.

And GDPR has been in place for 2 years already. It just comes into effect now. Businesses have had about 5 years to get ready for GDPR.

As others have stated, the GDPR have been a talking point in mainstream tech for 1 year, every one in the business with tabs on the current state have known this for at least 2 years when it was adopted. It was proposed 5 years ago, and before that we had DPD [1] from 1995 which more or less states the same, but without ability for the EU courts to do anything about companies not honoring it. It was up to the member states DPA to do this.

Companies that cannot handle GDPR was breaking EU law in the first place and probably have since "The Internet" was a thing. If GDPR puts your business down, then good riddance. You'd gambled with the law and now pay the price.

[1] https://en.wikipedia.org/wiki/Data_Protection_Directive

For company; sure. For a non-profit org, or for a smaller company in the field, the compliance costs might just be that extra burden that causes them to shut down. That's not to say the GDPR is a bad thing, but it's just a reality, that when retro-fitting it onto existing systems, will cause some of them to need to shut down, for better or worse. Change sometimes breaks things.
Is visitor's IP address a "data"?

If yes, you can't have a web server log.

>you can't have a web server log

Yes you can, you just need to take all possible precations to keep that data safe, which by and large means encrypting it properly and ensuring only people who need to have access to it have access to it.

An IP address is only personal data if you can link it with other stuff to identify a natural person.

If your weblogs are used to prevent crime (fraud, for example), you're allowed to keep them.

People are making the mistake of thinking that "user permission" is the only reason you can keep data, but that's not true.

How far does this go, though?

For example, on my silly little blog, I've got logging for each http request that records the url hit, the ip address, and a browser user agent. I can trace that session through, and have a pretty good fingerprint of that user from that alone. If that person goes and sends me an email or leaves a comment with some tidbit of information that correlates (name, where they are from, email, what post they were reading, etc), have I now accidentally collected enough information that it violates GPDR?

What do you mean 'violates GDPR'?

GDPR doesn't necessarily make having such info illegal. It's more what you do with it and how you inform and allow the individual to control/delete it.

Say the HN logs the ip, URL visited, and the referrer:

123.123.123.123 200 https://news.ycombinator.com/user?id=DanBC referrer https://news.ycombinator.com/news 123.123.123.123 200 https://news.ycombinator.com/changepw referrer https://news.ycombinator.com/user?id=DanBC

This log now links this ip address to user account DanBC (since the change password link is only present on the page when the user themselves visits it). Your user page has information that identifies you as a natural person. Now what?

It seems like anyone could be entitled to collect the logs to prevent fraud (and abuse). What about providing people with "their" data if they request it? If they want to delete their account, does that include deleting these lines in the logs?

That's not true. One of the bases for legal processing is legitimate interest, as long as it doesn't override data subject's legitimate interest or fundamental rights and freedoms. You can use the IP address for support, or for keeping track of bans, but you have to inform the user about it, keep the minimal amount of information you can, have a retention policy in place, restrict access to these logs to only people who legitimately need them. If you don't provide support then you don't need the data.
I agree. It seems like people are mostly just looking for a reason to whine about the EU.

There are lots of good reasons to whine about EU. I think the GDPR is not one of them.

Yes. And some of the things that are shutting down probably wouldn't have come under GDPR compliance anyway (they were personal projects, not run as a business) or were aready violating existing law such as PECR.
The burden is not about the technical processes of data protection. That is the least of my concern. The burden comes in the form of administration, continuous compliance (it is much more than what you listed!), managing takedown requests (especially when it's hard to verify a user's identity), and yes, getting sued, or having a lawsuit threatened. These are all real burdens that have nothing to do with the technical application of data security. So far the only response to real lawsuit concerns I've heard from GDPR defenders is "oh we don't sue people in the EU" -- WHAT? "Your honour, I was under the impression I wouldn't be sued, which is why I didn't make specific considerations for subsection 16 of article 6." sounds like a pretty shit defence to me.
The defenders of the GDPR mostly have great faith in their government to enforce vague regulations in a reasonable manner. They're probably right, but:

(a) That weakens the rule of law. It transfers power from the elected officials who draft and vote on laws to the agencies that enforce them. Most Americans think that's bad, and I agree. (Like, now that Trump is the American president, are you happy or sad that he finds his power limited by the judiciary? How sure are you that your own governments' regulators will always be staffed by people whose judgment you trust?)

(b) The extraterritoriality is weird. Let's say Turkey passed a law banning criticism of Erdogan on any website accessible to people in Turkey, and tried to enforce a judgment against an EU national running such a website in the EU. I hope we'd then all agree that's not how international law works. What's the difference between that and the GDPR? Is it just that you think data privacy is good, and banning criticism of Erdogan is bad? I agree, but what's the legal framework here? What countries do you think have the right to impose a similar burden on the EU?

"Get explicit consent for keeping data"

Thats the problem the internet runs on data and who decides what data is personal. For the past 20 years the MPAA has argued that IP's are personally identifiable and have won this argument in court cases, of course this is silly as it would make the internet illegal but that wont stop someone who has no idea how the internet works.

The EU has tried to fix privacy on the internet before with explicit consent of cookies, now every website tells you they can use cookies and gets a default ok, I agree, go away popup, from every user in the EU.

Will this stop facebook from spying on people tracking stuff that has nothing to do with facebook like who you phone? Nope, they make billions from spying on you and will spend a few million on lawyers to find them a loop hole.

Edit: Someone in the office just had to accept a new privacy policy from Office 365, I assume its because of GDPR. The privacy policy was 25,000 words long, we don't have the legal knowledge or time to read and understand that. We have work to do so it was just accepted blindly.

What data did he explicitly consent to Microsoft keeping? Without a team of expensive lawyers we don't and won't know.

(comment deleted)
It's not the burden that is the main issue. While complying may add more cost and complexity, the real issue is the additional risk of the possibility of getting sued for improper implementation.
The biggest problem is figuring out what things won't even exist because of this overreaching and ultimately pointless law.
A GDPR graveyard? Let's make it interesting and start a GDPR deadpool.
Honest question: can anybody predict if Google Analytics is going to be on the list?

Because as interpreted today, GDPR compliance for google analytics on any website would simply kill the UX for the first-time visitor of that website. Which is pretty much the most important UX for any website...

Then those websites should stop using Google Analytics, which DOES violate their users' privacy unless there is informed consent about what it's doing.
1) You do realize those sites are pretty much 99% of the web, right?

2) Those sites used GA to statistically analyse and understand their user base, in order to better serve them. How do you propose to do it instead? How to find out what was a bad redesign? A bad landing page? How to understand a conversion ratio? The churn?

1) 99% of websites are secretly sharing their users' identification and browsing habits with a single multinational advertising company. Yeah, let's shut that down as emphatically as possible.

2) You can write a book without tracking my every page-flip. You can write a desktop app without phoning-home and tracking my usage. You can operate a store without secretly selling my shopping habits and purchase information to other companies behind my back.

Do something honest, or don't do it at all.

Have YOU done it or are you talking from your imagination?

Analytics and statistics are in every modern developer's tool belt. Because they ultimately benefit users.

Here are a few stories about sites/services being shutdown...I expect the real deuluge won't happen until after it takes effect.

StreetLend.com - https://news.ycombinator.com/item?id=16954306

Super Monday Night Combat - https://www.polygon.com/2018/4/28/17295498/super-monday-nigh...

Tunngle - https://www.tunngle.net/en/

Ragnarok Online - http://massivelyop.com/2018/04/26/ragnarok-online-shuts-down...

Verve - https://adexchanger.com/mobile/verve-closes-european-busines...

SteamSpy - https://www.reddit.com/r/pcgaming/comments/8bdkuz/steam_sale...

SteamSpy is disingenuous in that yes, they can't scrape people's Steam profiles anymore because they're now private by default. That change could have come at any time, and in fact you've always been able to make profiles private [0], but probably the default is a result of the GDPR.

This is more of a result of their shaky business model than the GDPR. And nothing in the GDPR is preventing Steam from publishing anonymized game stats via an official API, or for people to make their profiles public again, or SteamSpy collecting this data with consent some other way.

[0] https://support.steampowered.com/kb_article.php?ref=4113-YUD...