Ask HN: Has anyone made a GDPR graveyard?
You know, sites that are shuttering because of the risk/burden GDPR is placing on them. I've seen a few so I'm wondering if anyone is compiling a list. Such a list would be politically really bad for politics in the EU, I think.
130 comments
[ 3.2 ms ] story [ 218 ms ] threadThe GDPR is made to protect people from scrupleless companies and practices.
Not all companies are good citizen (Cambridge Analytics comes to mind), and as a european I say "Good riddance".
For normal companies doing normal things with their data, the effort is mostly documentation and good-willed "try to abide the rules".
If you followed the spirit of the pre-GDPR rules, you would almost certainly be compliant without much work even for the GDPR - at least here in Denmark.
But if you business is exploiting data, you collected with questionable methods - then yes, you are going to have a problem...
I would also like to see the graveyard site, mostly because I would then have something to point to when showing that the GDPR works as intented...
This ignores the vast amount of legislation that creates an enormous legal burden for small companies.
> Not all companies are good citizen (Cambridge Analytics comes to mind), and as a european I say "Good riddance".
Not all companies in violation of GDPR are bad or negligent.
> For normal companies doing normal things with their data, the effort is mostly documentation and good-willed "try to abide the rules".
> If you followed the spirit of the pre-GDPR rules, you would almost certainly be compliant without much work even for the GDPR - at least here in Denmark.
Until someone sues you and you have to prove that.
> But if you business is exploiting data, you collected with questionable methods - then yes, you are going to have a problem...
Quite often, data can be both in the "public interest" (not the definition legally defined by GDPR, just that there's no reasonable expectation of privacy by the data creator) and "expoiting" -- such as data derived from pseudonymous sources but could be argued as PII, even though practically speaking, it isn't really.
> I would also like to see the graveyard site, mostly because I would then have something to point to when showing that the GDPR works as intented...
Most of the sites I've seen that are dead-by-GDPR are small businesses that weren't doing anything any reasonable person would be against, but a single takedown request could be over-burdening for them to respond to as it may have merits by the letter of the law.
Running a project/company means taking on risk. Financially and otherwise. Why is data-care risk so much worse?
And sueing is only going to happen in the US. In Europe getting sued is extremely rare. I expect most DPA (gov bodies handling this) starts out with a kindly worded letter. You comply, nothing happened.. (Most other legislation works this way in Europe already). Fines are mostly for repeat-offenders or clearly black sheep.
In the US, who knows... Most europeans are baffled by the courts and cases in the US. But I think US companies have to be handled by an EU DPA anyways, so we are back to the letter again..
I run a small company (two employees) and I am not concerned. I know a lot of small companies, they are mostly not concerned. I know a few larger companies, they are not concerned (unless they have data handling as their main business).
My own work in this has been somewhere in the neighbourhood of a workweek. Not any worse than complying with tax-law...
There is also no "automatic 20M euro fine". Most matters are likely handled by a kindly- or sternly worded letter, or a small fine (in the 5-20k EUR range for small companies, which sucks but shouldn't kill you....
We're not that concerned. The general consensus is be responsible with the data, make it possible to actually delete something, and show reasonable effort to implement the directives or have a reasonable plan on how and when to implement it reasonably. It's not a big deal as this is how it should have been done in the first place. Only not it's formalized into law.
Also, EU tax-law is one of the reasons that small digital businesses have suffered in recent years. The VAT fiasco was very poorly handled and it's still ongoing.
(disclaimer: i don't sell services outside a few countries)
There is a solution called One Stop VAT where all comminication and reporting goes to your home-country (given you are an EU company).
All your taxes are then calculated at your local rate (as I understand it), execpt for companies with a valid VAT-number, where reverse tax is standard (i.e. zero-rated tax).
https://europa.eu/youreurope/business/vat-customs/moss-schem...
If a company is unable to remove your personal data, then by all means let them go under.
Why, in the case of a single individual running a website, is it suddenly their responsibility to properly manage someone else's PII? Where is the responsibility on the individual whose PII it is? How did the PII get there in the first place? Surely it should be considered negligent to hand out PII to a company whose business model is transparently selling user data.
For one, downvoting for disagreement is fine, see https://news.ycombinator.com/item?id=117171
Secondly, guidelines state that talking about voting is frowned upon, see https://news.ycombinator.com/newsguidelines.html
Have you deleted all of your blog's comments and/or asked everyone who previously commented on your blog for new GDPR compliant consent? Because that's one of the GDPR Graveyard events I'm seeing - people deleting their personal blogs and disabling comments as the easiest way to remain compliant.
Article 2c (excemptions): "by a natural person in the course of a purely personal or household activity"
Either way, it's vaguely worded enough that for someone who doesn't want to deal with compliance and laws and doesn't want to pay a lawyer just to know if they can keep writing a blog, the path of least resistance is just to delete everything.
Also which protection worthy data does the comments contain? Most likely none.
And as said, a personal blog is except by definition...
(edit: they are allowed, not excempt due to normal-use)
You are right. I apologize.
I doubt these people have actually read the law. Its always easier to overreact and panic, rather than adopt a measured response.
None of the actual businesses I work with, in Europe, most of which actually do handle personal data, are actually worried or even annoyed (much less considering shutting down).
From what I see, these overreactions are also in great part due to a lack of understanding of how law works outside the US - ie. maximum fines are just a maximum, letter of the law is not what counts most, the government isn't out to get you, judges don't have any incentive to extract money from you, etc.
If anything, I’d prefer an internet without inane comments from mouth breathers.
If the answer is "I'm not sure", why take the risk?
Either you earn pennies (and it shouldn't matter) or you should follow the commercial rules...
If you want to block them, you would most likely have to ask them their nationality or require them to attest that they are not from within the EU...
What I challenge, though, is the assertion that it's easy to comply with if you're not doing "shady" things with data. The law is so broad and sometimes subtle/ambiguous that it COULD turn out to be a nightmare for just about any company. The safety here really is in not being on the short shit list of regulators. And one might end up on that list for any number of reasons unrelated to data protection (eg. size, market position, media coverage/populism).
In (western) european law there is a "bonus pater" consideration, which means did you expend a reasonable effort to know and be compliant.
The same goes for all other legislation.
I for one am awaiting a visit by the work-safety agency within the next month (the have notified me, that they drop in unannonced with the next 1 to 3 months) two months ago.
That too is neboulus legislation, but I am confident that I have offered my best effort to make the workplace safe, and I am likely to not have any greater reactions that a verbal instruction to be better on certain points (if I have overlooked something).
You might find reassurance if you look at how the regulators already work. They've never sought the maximum fines, and they only apply fines in the worst cases. The vast majority of infringements are dealt with by sending letters asking the company to come back into compliance and explaining how that might happen.
http://alastairjohnston.co.uk/oh-gdpr-what-have-you-done/
> "what I can’t be sure of is what happens to data that passes through the various apps, WordPress plugins, cookies etc that are part of this blog, but not controlled or run by me."
This is a dumb argument, it's his personal blog, it's controlled by him. That including how much JS and social media trackers to stuff into each page.
With comments, it's easy. Somebody wants you to post the comment, which is why they submitted it. No extra consent needed, although maybe they'll want it deleted in future. Of course, an email address is required to post, but "it will not be published". Why exactly is it required then?
No, that's the point - consent is required for that. And for the consent to be explicit, some are advising it needs to be a Modal blocking dialog that prevents the user from using any other part of the website before dealing with it, and that demonstrates the user did actually scroll through all the privacy terms, not just ignored them and clicked the checkbox.
> This is a dumb argument, it's his personal blog, it's controlled by him. That including how much JS and social media trackers to stuff into each page.
That's fair. I know I've personally been deleting Google Fonts and Adobe Typekit and hosting my own webfonts instead as a result of this. I'm still figuring out how to best replace Google Analytics, and looking to remove any Twitter & YouTube embeds I had in old posts that could possibly track visitors. (I agree that is all a good outcome of GDPR.)
MailChimp recently sent out an email to their customers advising that all their current HTTPS Submit forms are not GDPR compliant. They're rolling out all new submit forms in May that have legalese that must be explicitly agreed to, in addition to the Email field & Submit button. It's a Modal blocking form so the visitor can't possibly do anything else.
Here is an example of their new modal submit form, it's a doozy:
https://kb.mailchimp.com/binaries/content/gallery/mailchimpk...
I don't do any "customized ads" or "direct mail", but apparently that boilerplate of legalese and "we use your email address to send you email, tick here to confirm you want email" is still required. It's a bit like the Cookie notifications all over again.
I realize I haven't directly responded to your blog comment submit button, but I hope this explains the motivation / understanding behind my comments here. I too would have thought an email field & submit form would be a reasonable expectation, but the form designed by MailChimp's lawyers is way more legalese & boilerplate than I ever anticipated would be required by GDPR.
(Honestly, I do also get the comments here about "you're not going to be caught or made an example of so don't worry" too. In practice I will do what I can to be compliant, listen to what my visitors & customers want, and hope for the best.)
If you say, "hey, provide your email, and I'll send you newsletters and you can unsubscribe at any time", and I say "sweet, sign me up", and then you only send me newsletters with no tracking or adtech, that's legitimate interest.
If you use a third party, if they store only the minimum necessary and don't use it for anything else, that'd be fine to. E.g. obviously they need my email address, but only for sending the emails.
And if Mailchip were decent, they'd just send out plain emails. The problem is probably their emails are full of tracking links and other adtech garbage, and who knows who they sell info on to?
Then again, they call themselves a marketing platform, not a newsletter service, or email sender. Kind of obvious.
Also, that's a shitty dialog. Mailchimp's private policy and terms are probably largely void under EU law anyway, just by being almost incomprehensible by the lay person. How am I supposed to give consent freely when it would take days to read? Probably best to avoid Mailchimp. Thanks GDPR!
Edit: ordering
[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...
It seems obvious that comments won't cause an issue but because of the fluffy language of GDPR some interpretations could make simple things like this problematic.
Also, people seem to get hung up on consent. There are several lawful basis for processing data, consent is one of them. It's also the most abused, so it's the most heavily regulated in the GDPR. Ad-tech and the scummy parts on the web rely on "consent" (or lack thereof).
Normal website usage like eCommerce or even posting a comment can use other bases, like most legitimate interests - that's why they call it that.
Right to erasure is also fairly obvious as far as deletions go. Right to restrict processing is a bit trickier. Server location is also much more interesting, due to the infamous and rather shaky Privacy Shield.
Why so? I'd be happy to see such a list of shame. You know, companies already quoted here on HN as "clearly unable to get the consent" (of the people whose data they're processing). Let's see who they are and what they were doing.
> Streetlend made its money by selling your privacy data to advertisers through Amazon.
Source: https://news.ycombinator.com/item?id=16955709
AFAIK, slander is still a problem in some parts of the world.
- Don’t keep data unless you have to
- Get explicit consent for keeping data
- Keep the data you have secure
- Allow users to see their data and know how it’s used
- Allow users to delete their data
This is inline with regulation in other fields: worker rights, food hygiene, health and safety etc.
I look forward to seeing your list, because it will be a list of companies you are lucky you will never transact with.
https://news.ycombinator.com/item?id=16956379
Misuse of personal data has a cost. If companies do not want to deal with data in a responsible way, it is correct that they no longer do business in the EU.
But in that situation the regulator writes to you and asks you to come back into compliance. And so you then either write back and explain that you don't think you're not complying, or you write back with a plan to come back into compliance and ask if that's ok.
Europe will get less innovation but have more privacy. Not sure what’s better for society but time will tell.
You know Europeans can build software too right? The start-up culture is a lot less than in the USA - but we're getting there. Perhaps Americans will also realize the importance of privacy and data protection, and thus opt for European software. It's hard to predict.
I am sure you (as a european in country A) could ask your local DPA to assist or forward a complaint to my DPA (country B).
The same goes for the financial regulation and lots of other stuff already...
https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-top...
Curious: why did you reply to yourself instead of editing your post?
"Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State."
Article 55 (1)
Most of article 55 and 56 are relevant in this case..
As a European it sure doesn't seem to be that way. I'm using Windows, Google, Wikipedia, Youtube, ycombinator, Reddit etc. Very little European stuff in sight, despite the fact that the EU has a much higher population than the US.
This kind of extra regulation is one of the reasons why Europe is so much weaker in digital technology. It's not the only piece either.
Because things are quite different when you start digging and trying to implement GDPR as opposed to just reading about it.
Number Two: If your software's a mess, then unanticipated forced changes are a worse mess.
If it is for fraud-prevention, then that is sufficient reason to keep it unanonymised...
Anonymizing it does not seem to solve anything, since the anonymized version "can be used to build a profile" so "it's PII"...
Just because something it murky, doesn't mean businesses get to ignore it. The entire point is to force companies to actually think about what their data is and decide if they need to store PII. If they do it have implications. Have a reasonable explanation for choices, and are willing to rectify issues pointed out by consumers and/or DPA.
That's exactly why GDPR is a good thing. It prevents anybody from doing statistics and keeping analytics about the users. Want to collect this information in order to profile your users and offer them a better product (ndr. better ads)? Well tough luck. You either anonymize and stop profiling and tracking your users or you close shop in Europe. I don't see how this is a bad thing in any possible way. You say it costs money? I guess then some of the money they made by targeting users and selling their personal data so far can be put to good use.
Just regular analytics and statistics of usage and environment to simply improve the product.
In general, and especially if you want to play it safe, any information the user gives you about themselves (this includes things they don't explicitly give you such as IP address) is considered personal data.
[0]https://gdpr-info.eu/art-4-gdpr/
From the Wikipedia article about GDPR [1]
[1]: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
An IP addres, for example, isn't automatically personal data. It might be if you can link it with other information that can be used to identify someone.
Name alone is probably not as many people share names, unless you have an unusual name. Add address and phone number and it will be. IP address on its own is not.
Is "1.8m tall guy in green T-shirt who is head of team X" enough to identify them? If so it's personal data.
Most of this applied to the Data Protection Act too. GDPR adds some items like biometrics
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
My emphasis.
1) Define "unless you have to". Am I allowed to keep business correspondence with a bad customer? With a prospective sale? With an old customer who may come back some day?
2) Define "data". Is the IP address any user sends to my site in order to simply access it "personal"? Does that mean I can't have logs? How about backups of those logs? Do I need to change the tools I am using that already generate logs? How straightforward is that?
3) Can I have analytics of my visitor base in order to optimize their experience? To understand churn and conversion rate?
5) Can I have statistics in my apps in order to understand and optimize their usage for the users?
6) Keeping data secure and allowing users to see and delete it will simply require other tools. That is not gonna be cheap or straightforward in any way.
Now I am not saying this is impossible. I am just saying that it's expensive and difficult, especially for a small business. NOT straightforward.
No. Something is only personal data if it can be used to identify a natural person.
You can be compliant by either only storing an anonymized IP address (set the last/couple of last to 0) or by not storing the IP logs at all. However, there might be resonable situations where you need the full IP address and the GDPR allows to store it in this case, but only for a specific reason and a limited time, and only if you documented it so the user is aware about the process. Reasons could be fraud protection, consent documentation (mailing list opt-in), error handling and so on ... but not "we don't really need it but store the IP address anyways without informing our users".
See here: https://ec.europa.eu/info/law/law-topic/data-protection/refo...
"Examples of personal data: a name and surname; a home address; an email address such as name.surname@company.com; an identification card number; location data (for example the location data function on a mobile phone); an Internet Protocol (IP) address; a cookie ID; the advertising identifier of your phone; data held by a hospital or doctor, which could be a symbol that uniquely identifies a person."
- Understand the big ball of legacy you've deployed over the years.
BigCorps, I work with, have been working on this for years...
If you start now, then you have a problem.
Also, I expect there will be quite some years before the book is thrown on companies, that do not willfully disobey the law..
As most new major legislation, there is a long process of dialing it in (for the lack of better terms), and in most north- and western european contries (at least, I don't know that much about eastern and southern european) most regulatory handling is dialogue-based and not fine-based unless you are a black sheep..
But that is a process without fines (unless the companies are entirely unreasonable)...
At least here in Denmark, the DPA is really reasonable and willing to work with the companies to get compliance...
And GDPR has been in place for 2 years already. It just comes into effect now. Businesses have had about 5 years to get ready for GDPR.
Companies that cannot handle GDPR was breaking EU law in the first place and probably have since "The Internet" was a thing. If GDPR puts your business down, then good riddance. You'd gambled with the law and now pay the price.
[1] https://en.wikipedia.org/wiki/Data_Protection_Directive
If yes, you can't have a web server log.
Yes you can, you just need to take all possible precations to keep that data safe, which by and large means encrypting it properly and ensuring only people who need to have access to it have access to it.
If your weblogs are used to prevent crime (fraud, for example), you're allowed to keep them.
People are making the mistake of thinking that "user permission" is the only reason you can keep data, but that's not true.
For example, on my silly little blog, I've got logging for each http request that records the url hit, the ip address, and a browser user agent. I can trace that session through, and have a pretty good fingerprint of that user from that alone. If that person goes and sends me an email or leaves a comment with some tidbit of information that correlates (name, where they are from, email, what post they were reading, etc), have I now accidentally collected enough information that it violates GPDR?
GDPR doesn't necessarily make having such info illegal. It's more what you do with it and how you inform and allow the individual to control/delete it.
123.123.123.123 200 https://news.ycombinator.com/user?id=DanBC referrer https://news.ycombinator.com/news 123.123.123.123 200 https://news.ycombinator.com/changepw referrer https://news.ycombinator.com/user?id=DanBC
This log now links this ip address to user account DanBC (since the change password link is only present on the page when the user themselves visits it). Your user page has information that identifies you as a natural person. Now what?
It seems like anyone could be entitled to collect the logs to prevent fraud (and abuse). What about providing people with "their" data if they request it? If they want to delete their account, does that include deleting these lines in the logs?
There are lots of good reasons to whine about EU. I think the GDPR is not one of them.
(a) That weakens the rule of law. It transfers power from the elected officials who draft and vote on laws to the agencies that enforce them. Most Americans think that's bad, and I agree. (Like, now that Trump is the American president, are you happy or sad that he finds his power limited by the judiciary? How sure are you that your own governments' regulators will always be staffed by people whose judgment you trust?)
(b) The extraterritoriality is weird. Let's say Turkey passed a law banning criticism of Erdogan on any website accessible to people in Turkey, and tried to enforce a judgment against an EU national running such a website in the EU. I hope we'd then all agree that's not how international law works. What's the difference between that and the GDPR? Is it just that you think data privacy is good, and banning criticism of Erdogan is bad? I agree, but what's the legal framework here? What countries do you think have the right to impose a similar burden on the EU?
Thats the problem the internet runs on data and who decides what data is personal. For the past 20 years the MPAA has argued that IP's are personally identifiable and have won this argument in court cases, of course this is silly as it would make the internet illegal but that wont stop someone who has no idea how the internet works.
The EU has tried to fix privacy on the internet before with explicit consent of cookies, now every website tells you they can use cookies and gets a default ok, I agree, go away popup, from every user in the EU.
Will this stop facebook from spying on people tracking stuff that has nothing to do with facebook like who you phone? Nope, they make billions from spying on you and will spend a few million on lawyers to find them a loop hole.
Edit: Someone in the office just had to accept a new privacy policy from Office 365, I assume its because of GDPR. The privacy policy was 25,000 words long, we don't have the legal knowledge or time to read and understand that. We have work to do so it was just accepted blindly.
What data did he explicitly consent to Microsoft keeping? Without a team of expensive lawyers we don't and won't know.
source: https://forums.warpportal.com/index.php?/topic/235548-import...
Because as interpreted today, GDPR compliance for google analytics on any website would simply kill the UX for the first-time visitor of that website. Which is pretty much the most important UX for any website...
2) Those sites used GA to statistically analyse and understand their user base, in order to better serve them. How do you propose to do it instead? How to find out what was a bad redesign? A bad landing page? How to understand a conversion ratio? The churn?
2) You can write a book without tracking my every page-flip. You can write a desktop app without phoning-home and tracking my usage. You can operate a store without secretly selling my shopping habits and purchase information to other companies behind my back.
Do something honest, or don't do it at all.
Analytics and statistics are in every modern developer's tool belt. Because they ultimately benefit users.
StreetLend.com - https://news.ycombinator.com/item?id=16954306
Super Monday Night Combat - https://www.polygon.com/2018/4/28/17295498/super-monday-nigh...
Tunngle - https://www.tunngle.net/en/
Ragnarok Online - http://massivelyop.com/2018/04/26/ragnarok-online-shuts-down...
Verve - https://adexchanger.com/mobile/verve-closes-european-busines...
SteamSpy - https://www.reddit.com/r/pcgaming/comments/8bdkuz/steam_sale...
This is more of a result of their shaky business model than the GDPR. And nothing in the GDPR is preventing Steam from publishing anonymized game stats via an official API, or for people to make their profiles public again, or SteamSpy collecting this data with consent some other way.
[0] https://support.steampowered.com/kb_article.php?ref=4113-YUD...
Or even a github page with just a list.
[UPDATE] I took the liberty to get the ball rolling.
https://github.com/killed-by-gdpr/killed-by-gdpr.github.io and
https://killed-by-gdpr.github.io/
Contributions welcome.