Why not give the user control and have things such as crash reporting be opt-in?
We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.
Suggesting that XMPP federation isn't compatible with GDPR seems like an over-reaction, isn't that like saying that SMTP isn't compatible?
For example, IP addresses are considered personal information but what that means is you just can't blindly collect them. If the service you use relies on IP addresses as a basic point of operation then its fine.
> that means is you just can't blindly collect them
Genuinely curious, what about all of the web servers that log every request which usually by default includes the client IP? Not doing anything special with the IP, they are just there in log files and archives.
Also the section of the GDPR that talks about pseudonymization using a token how should my user DB table be GDPR compliant? Contains ID (primary key), username, password hash, email, etc and the ID is also in other DB tables for obvious reasons (such as user posts/actions).
I think it can simply be GDPR compliant if you inform your users that you are saving that data in your database, and they give you the explicit OK to do to. Explicit consent meaning they tick a checkbox saying "I understand that page x is saving the data y in a database and I am OK with it".
If you have a site where users can make posts, I'd say they pretty much give you consent by signing up. IANAL, though.
The consent has to be explicit. Of course, you can always just require consent in order to sign up. Just as long as it's clear what's going on and you can remove/anonymise the data if the user decides to revoke their consent and leave the service.
OK, but explicit in what sense? Does it have to refer to the GDPR, as in "I agree my dta will be stored according to GDPR"? I must admit I have trouble understanding it - how could anybody sign up anywhere without data being stored?
Personally, I'll activate anonymization of ip addresses in my logs coming next week. There are various solutions for that available.
I think you can also log the ip, you just have to get your user's explicit consent.
I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.
It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.
So much as I dislike the new privacy laws, at least the made me reconsider my AdSense settings.
It's fine to collect this information in your logs as it's part of the normal operation. I log them for security reasons and the logs do not persist for more than a week or two, which is less than the month I'd have to comply within. Provided you're not logging IP addresses for non-legitimate reasons and you're not keeping the data for longer than you reasonably need to, you have nothing to worry about.
>We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls
We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least). Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.
The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it.
> We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least)
So someone having a copy of my data that I wish be removed is trampling on a webmaster's rights? That makes no sense whatsoever.
> Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers
This isn't even true. They have _a tiny bit more_ control of what you can do _with their_ data. That's it.
Buckle up because this type of regulation is only going to happen more frequently and in large part because of your attitude that it is "your" data versus the user's data.
But it's not "their" data. It's the webmaster's data. It rightfully belongs to the webmaster. It just happens to pertain to the user. There is no justification for that information still belonging to the user after the user surrenders it to the website.
> But it's not "their" data. It's the webmaster's data.
No
> It rightfully belongs to the webmaster.
No, you are completely wrong here. The basic point of the legislation (and other privacy legislation in the EU that came before GDPR) is that a users personal data absolutely does not belong to the someone else once collected.
I obviously wasn't talking in a legal sense, I was talking in a "what's actually right and good" sense. The law doesn't make something right. Rightfully, the information belongs to the webmaster. Under GDPR, users get to put a leash and muzzle on webmasters.
Well, I'd say it's also not at all rightful in a "what's actually right and good" sense.
And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell user's e-mail addresses to some spammer or whatever.
"users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do"
I'll let that excerpt speak for itself.
And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary.
> And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary
Views like this are exactly why we need the GDPR.
I find it utterly ridiculous - disgusting even - that you really believe you have the right to do whatever you want with someone else's personal information. When you provide an email address, physical address, name or other PI, it's with the expectation of it being used for a specific purpose - you should absolutely not give you the right to sell that information to the highest bidder.
Holy shit man, did you come right out of "Atlas Shrugged"?
This isnt even users feelings, this is data that can a:have monetary value and b:can be plain wrong and damage a user.
Do you think that merely by observing data you have right to it? Do you not believe in any IP law? If you agree with any type of IP law then you are just being hypocritical by insisting that webmasters get to take and use whatever data they come across
>Do you think that merely by observing data you have right to it?
Yes, with some exceptions for actual copyright and the like.
>Do you not believe in any IP law?
IP law, yes, but I don't feel a user's entries into a website automatically qualify as IP owned by the user. The terms of many websites actually say that whatever you upload to them is owned by the website, unless a prior IP applied to it. I've only ever heard the claim that your name et al. are your inherent IP from "Sovereign Citizens" before.
IP law is not a natural right. It's been encoded into existence by laws. The GDPR is encoding new rights into law in regard with personal data.
I don't see a way to declare one bad and not the other unless you're just saying that new things are bad.
Additionally the terms of websites can say whatever they want but it doesn't mean they are legally defensible. I could put into my terms "by finishing this sentence you agree to be enslaved by Lovich LLC" but that doesn't make it happen
The Equifax breach was already illegal - I assume you mean you think that websites shouldn't keep user information to prevent future data breaches.
This is a bad solution to that problem. So many people's data was stolen that preventing future data from being stolen isn't the most important thing we should be doing. Last I heard it was 150 million people - that's enough that it no longer really matters to the average person if their data is leaked in the future because there's such a high change it already has.
The real solution is to change our systems so that data leaks aren't a big deal. If people didn't ask for a 9 digit number to identify me, as if that's a reasonable thing to keep secret, then it wouldn't matter if everyone in the world knew it. That's the problem with data breaches like this. That's what we should be fixing in response to it.
A bunch of 3rd party trackers collecting every move you make with your cursor probably won't fit most people's definition of 'voluntarily entered into a website'.
As a webmaster, I have an absolute right to carve '192.0.2.7 requested /foo.html from me' into stone and store it for posterity.
The GDPR prohibits me from doing that, and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.
Some people, on hearing this, say, 'well, that's fine, you can just store 192.0.2 or 192.0 instead.' That seems pretty silly to me, since the whole point of logs is that they contain full information.
The GDPR tries to do the right thing, but it's broken. Immutable logs are a fundamental right.
I also would prefer more clarity in the area of logging IP addresses, and would like to have a clearer consensus on what is allowed here. I think we will get a clearer picture after a bit of time.
It appears to me that as long as you don't use the logs for nefarious purposes you'd at least have legitimate interest in processing them (including the IP addresses), and so could keep them. This is the stance I am taking with respect to my personal webserver (together with a time limit after which logs are deleted); if a regulatory body informs me to change my approach, I'll gladly adapt.
Note also that IP addresses can be personal data, but do not have to be. Most claims here seem to relate to a ruling, where the IP address was deemed personal data in the hands of an ISP, who would be able to resolve it to a real person [1]. If you hold an IP address, but can't connect it to a real person (e.g. by having legal means to convince the ISP to give you that name based on the address), then it seems the IP address would not even be personal data in the first place. In the particularly ruling, the operator of the webserver was the German government, which presumably has more legal power to make an ISP turn over identifying data on a customer than a random website would have.
In any case, I hope some more clarity about this will emerge soon. But what you are talking about here would at best be a borderline infraction (and probably just be covered under legitimate interest). OTOH, what the person starting this thread had in mind seems to be that all the data he might collect on his users is fair game to do with as he pleases.
I'm sure the person you're replying to is also talking in the 'rightful' sense. While the data collected technically belongs to you, it can still be a privacy violation. This is extremely important on the web where it's very easy to share that data, make it public or accidentally leak it.
It can be a privacy violation but the idea of a fundamental right to privacy is not universally supported like free speech.
If it is a fundamental right, how far does it go? Should I be able to sue you for watching me walk in a public place? Photographing me? Video taping me? What about a privately owned but still public place?
There are a lot of questions here that I think people tend to skip over about users owning information about them and being able to control it.
There are lots of laws against following someone and observing/recording every move they make.
Making some observations out your window of cars passing by is something no one ever had a problem with. Taking down every single identifier you could and coordinating with others to track that person, for a profit, is something that would not be kosher in meat space.
Why this different just because it's on a computer?
The laws you talk about are, I think, laws about stalking. I'm not aware of any laws that apply to that kind of thing if it happens on a massive scale. Singling someone out is an important part of stalking.
Keeping detailed information about everyone that enters your store isn't illegal, as far as I know. Especially not information that is gained from observation (what color shirt they're wearing, their IP address) and information that is submitted willingly (their name given for a reservation at a restaurant, their username).
I wasn't trying to say it was - I was simply saying that when you base an argument on free speech, you don't have to explain why free speech is a good thing because it's generally accepted by everyone to be a good thing.
In this case, a lot of people base their argument on a fundamental right to privacy which is not generally accepted by everyone and therefore it has to be explained because it's an important part of the discussion.
I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.
> Rightfully, the information belongs to the webmaster.
What? Because you just decided that it does?
It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?
Your personal info, username, account settings, marketing anayltics, etc. are definitley you're data and you should be free to have them deleted.
The two year old IPs in a server log sitting in backup, or a chance occurrence of your username in a random call stack for some web exception is not your data, and you shouldn't force a business to have to dig through that mound of digital noise to satisfy your deletion needs
If I get nude picutures of you, or your mother, daughter etc. is it then "my data"?
Am I therefore allowed to do with that data as I wish?
I think most people agree that unless those pictures are gathered with very specific consent, subject to many restrictions, they are not "my data". This is obviously an extreme example, but the reasoning extends to more data that is considered sensitive. The point being that "data ownership" is a complicated issue.
The credit card example was already illegal by other, more targeted legislation.
Nobody likes getting a lot of junk mail, but it's not the end of the world. I actually got my first credit card from a pre-approved offer found in junk mail.
As it seems that we are making society-wide sweeping statements here, I'll add mine:
In a society where the webmasters have shown that they can't uphold their duty to secure PII (or any kind of data really), as evidenced by ~monthly high-profile data leaks, they deserve to be restricted in their "rights to the fruits of their labor".
> [...] Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.
You are saying that's a bad thing?
Services that require you to sign up, should provide the possibility for users to look at, modify and delete their user data - that's all. Where's the problem?
Yes, I'm saying that's a bad thing. Someone shouldn't have a right to come into my house and tear up a piece of paper in my drawer if I happened to write something about them on it.
The problem is that there's no justification for having the right to coerce other people just because they have information you gave them. If users enter names into your website, you're not allowed to run a statistical analysis of what names are most common on your website without asking. If people named Jane are more likely to eat ice cream, you can't target ice cream ads at them and help keep your site free, without asking them. Worse than just this kind of coercion of what you're not allowed to do, users can coerce you into taking time out of your day to expunge records about them. It's all entirely backwards.
>Oh no, that's a real pity. Oh no, poor webmasters.
Why are the rights of people who own websites less important to you than the rights of other people?
Regardless, you might not still be saying this once half the websites smaller than Google become subscription-based in the EU or just block the EU altogether.
I didn't really realise it until the GDPR got into full swing but I'd much rather pay with money than with data.
What you're describing is a good thing. If you're going to treat my data like an almost stale slice of pie selling it off cheap to anyone who will buy it - Please do block my access!
The point of GDPR is to switch collecting users’ personal data from being a benefit to being a liability. That will absolutely cause short term pain to some companies that hadn’t expected this, but it ends up as a long term benefit to society, the same as most legislation.
Do you have a source for most legislation being a long term benefit to society?
If forcing low-earning EU citizens off the internet because every website requires a subscription is a social good to you, then sure, it's a long term benefit.
Is the internet even a net benefit with this current trend towards turning everything into clickbait or some other psychological experiment to get traffic and harvest data off of it? How useful is the average website now compared to what the internet was like in the 2000's?
Even if it would all be a net benefit, why is it ok for all of these companies to be so misleading about it. No one out a simple EULA, for what is happening with the data. Hell half the agreements just say that the companies can do whatever with the data, but an average person does not have the ability to parse the output of the legal teams of every company they interact with every day. The only way this could get even close to an equal footing between users and companies is if every single person was a lawyer
The rate of high-quality content being added to the internet has surely been on the increase as the adoption of the web increased, even if the likes of clickbait and spam grew faster, shifting the "average" quality down.
I don't agree with that at all. In the 2000s I frequently could find new and useful websites for learning on every Google search. Now I have to wade through hundreds of sites that only host clickbait or repackage other sites content so they can deliver ads that end up containing malware. The internet has given me a commodity in the form of constant good data that is unequivocally an improvement, but the signal to noise ratio on the web has gotten worse every year
I'm not seeing exactly where you disagree there. There's more bad information now, and a higher ratio of bad to good, but I'm saying despite that, there's still more good than there used to be, and probably a higher rate of good being added.
For example, with small numbers for the argument's sake, say in 2000 there were 5 good webpages and 4 bad webpages added to the internet every day. Now there are 10 good webpages and 50 bad webpages added every day. That would mean we're getting more good information per day than before, but the signal to noise ratio has gotten worse, as you said.
I'd agree that the total amount of good information has increased but if bad infi is being added at an accelerating rate compared to good info then I wouldn't say the rate of good information is increasing in anything but the most technical sense.
For all intents and purposes the information doesn't exist if you can't find it, you can only find information as a certain rate, and a larger and larger chunk of that information bandwidth every day is bad information. The practical result is that the rate of good information someone has access to has decreased even if the total system has a nominally higher rate
> Someone shouldn't have a right to come into my house and tear up a piece of paper in my drawer if I happened to write something about them on it
They don't have that right. GDPR only applies to business. If you mean you wrote it in your house for some business reason then yeah they have the right to know you've done so and why and the right to ask you to remove it if you don't need to have that information.
In no situation do they have the right to come into your house. That's a touch too far into the absurd.
I find your view very interesting. You have a very capitalist and US law based perspective on it. For one, not everything in a society needs to allow to "collect the fruits" of individual work (which is essentially capitalism). Europe has much more socialism mixed into their understanding of their societies than the US.
Further, the US law is based on risks of heavy punishments but few regulations, while the law in many parts of Europe is based on strict regulations but less high fines. It looks like the EU has too many rules, but that is a subject of perspective.
Problem here: The internet gives a shit about borders and society.
Please don't just say this is a US perspective. This is a sociopaths perspective that the current US legal system promotes due to the machinations of the same group of sociopaths.
Every business owner here who would complain about how the GPDR is taking their rights to their personally earned data away would be the same people who launch a lawsuit because one of their competitior's products had a typeface that was vaguely similar to theirs
There are regular people here, they just don't go starting businesses that have abusing their customers as a business model because they couldn't sleep at night if they did that
Targeted ads hardly qualify as abuse to me. Getting to use a website for free in exchange for your browsing data being analyzed is a great deal and a win/win for everybody.
Surely anyone who disagrees with your feelings on this matter must be a sociopath, though.
You're not allowed to "degrade the service" or allow access contingent on consent to targeted ads/tracking, so the practice isn't going to be sustainable for websites when only a tiny percentage of users give consent, seeing how they get to use the site one way or the other - have their cake and eat it too.
Implying that the majority of user's wouldn't just instantly click the largest button that says "make this annoying wall of legal text go away" whether that is agreeing to tracking or not?
While the inability to target ads based on data about you and your search history searches removes some amount of advertising income. Websites would still be allowed to show ads, and I would imagine that those ads can be specific to the article currently being viewed.
This is exactly how conventional TV advertising works, just because you don't know the gender, race, political views and entire life story of a website user, doesn't mean you can't get almost the same effect. You can target ads in general at specific content and hit most of the correct users anyway rather than targeting specific users and the content they have viewed in the past.
"The study, which looked at ads run on member networks during 2009, showed that among users who clicked on a behaviorally targeted ad, 6.8% converted. That compared with only 2.8% of those who clicked on a run-of-network ad."
No one's arguing that the targeted ads don't make more money. We are arguing that the extra value from the ads is not worth violating everyone's privacy.
A quote I heard recently is "Some of you may die, but it's a sacrifice I'm willing to make." That's what the tone towards small businesses/websites in relation to GDPR sounds like to me. I can't understand valuing this right to the "privacy" of not having your (often anonymized) identity tied to a marketing profile so much that you'd rather some free small websites no longer exist and others move to subscriptions.
It's not just targeted ads. We see a new data breaches every week that leaks customer data and is used in identity theft that causes actual, quantifiable damages to users. The entire internet, and increasingly physical goods in our homes, has become the equivalent of a ghetto where every single person has to have bars on their doors and look over their shoulders constantly to avoid having shit stolen from them or their privacy violated.
The GDPR didn't arise out of some feeling that companies we're making too much money. It arose out of the fact that the industry refused to self regulate. They were given years to do this and the standard operating procedure for security around data right now is to lol because who cares if you have a breach, that's a problem for the people you harvested data from, not you.
The bad side effects from this data harvesting are called negative externalities. A similar set of negative externalities is pollution.
Do you think it's immoral for regulations to make certain business model that rely on dumping poison into the water or air unprofitable, just because those companies could have made some money if only they could do what they liked regardless of the harm to others?
I am sorry if I formalized it too general. Like you say, it is purely focused on the law system and unrestricted capitalism, which as an individual you either use or not.
Sociopath is a tough word, but in the original non insulting meaning of deviation from the common society, I think the word is right.
"We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation"
We still do. Nothing has changed on that front.
"Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time."
As it should have been from the beginning. Having the standard being that the company hoovers up all your data all the time without telling you what they're doing with it or why they need it was a terrible, terrible thing.
"The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it."
Indeed and TBH when the part about Crashlytics made me glad about GDPR (although the rest of the message does indeed sound like an overreaction). I do not like when applications i use try and do things that are irrelevant to what the application is all about, especially when these "things" involve communicating through the internet and even more so when i am not informed about it.
I think it's a weak argument to suggest that crash reports are not "what the application is about" it contributes to the ongoing development and stability of an application which you use.
That said I do think there should be an expectation that your participation in crash reporting would be voluntary and explicit.
> We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.
Government intelligence organizations like the NSA and foreign equivalents will now have a monopoly on unsolicited data collection. Which, combined with selective enforcement to prevent disruption of gov cartels, is one of the few reasons it went through.
There is so much misconception about GDPR. It is cleary directed at large data-tracking corps, not single person IM apps. Even if someone tries to "sue" you (which he can't, only report you to authorities), it first needs to go through many iterations where you can make your case.
From my German perspective this whole GDPR panic is so interesting. The GDPR is basically a carbon copy of the data protections laws that have evolved in Germany since 1977. Yet we still have many thousands of small companies dealing with data, individuals running web forums etc.
It's especially funny when small to medium German companies suddenly panic because of the GDPR and when you look at their situation all you can say is "yeah, you should have implemented that 15 years ago, it's already been German law that long".
In Germany not much will change, but at least companies like Facebook can no longer just move to another country with worse privacy laws (like Ireland) and call it a day. For us the GDPR means that protecting user data will no longer be a competitve disadvantage. But if you're a small company and handling data reasonably, the GDPR won't hurt you anyway.
It literally translates to "federal data protection law" and has been German law since 1978. In certain conditions it has also mandated a DPO (https://de.wikipedia.org/wiki/Datenschutzbeauftragter) since then, but in fact the first DPO position in Germany was created in 1971.
The right to a data export is mandated by article 34 BDSG (https://www.gesetze-im-internet.de/bdsg_1990/__34.html). It has always been common use this law to get a free copy of the data which our credit reporting agencies have about you, I've done that multiple times.
Thank you for those detailed links. They are kind of eye opening, and I am German. However, it is hard to understand how stuff like GEZ, Schufa and article 35 can exist concurrently in the same country.
Schufa (the biggest consumer credit reporting agency in Germany) and article 35 can certainly co-exist. In fact you can write to Schufa and request that they delete all your data.
However, if you do that, good luck ever getting a mortgage, credit card or other post-paid services ever again if all credit report requests come back with the reponse "no data available". So I wouldn't recommend that.
> However, if you do that, good luck ever getting a mortgage, credit card or other post-paid services ever again if all credit report requests come back with the reponse "no data available". So I wouldn't recommend that.
How does that work for people who never had a Schufa history? If for instance I decided to move today from Brazil to Germany, would I be unable to do all these things there, since they would have "no data available" on me?
There are thosuands of horror stories how the Schufa isn't able or willing to correct wrong data. And no data protection agency in Germany did ever brought such a case to a court.
issue isn't the business model, is the size. For a large company, handling GDPR is trivial. For a startup or small company, the cost is prohibitively high.
I'm not arguing for or against it, just pointing that the resulting unintended consequence is protecting large companies. Exactly the opposite of the original intent.
> For a startup or small company, the cost is prohibitively high.
Nonsense. I look at another high tech data driven start-up every week and not a single one has stated that the GDPR costs are 'prohibitively high'. Sure, there are some that need to do more work than others (medical, ad tech). But on the whole companies that were already doing their best to not fuck up with their customers data have very little to do in order to get to where they should be and the remainder has a bit more work but will mostly likely be more-or-less compliant by the 25th and what work remains will be done long before the eye of Sauron will turn their way by virtue of their size.
The cost is strongly related to the size of the organization and the amount of sensitive data you hold as well as whether or not you were a bad steward of the data in the past.
I'd go as far as saying that if you responsibly handled data before GDPR, what you have to do to be GDPR compliant is document the process and make it possible to delete data upon request.
I actually think it's entirely the other way round.
A small business or a startup should have a relatively limited amount of data capture, and that data should be stored in a relatively limited number of places. In most cases, it should be straightforward to make sure that this is documented and appropriate controls are in place.
On the other hand, large companies have vast quantities of uncontrolled data gathering that nobody is responsible for.
Spot on. The biggest problem cases are hospitals, banks, insurance companies, airlines and - funny enough - governments. They all hold mountains of data and the systems are old and in many cases no longer maintained by anybody that was there when the system was first created.
Suit yourself. But as mentioned elsewhere, the equivalent of GDPR has been law in Germany for over a decade, and small businesses have had no problem complying.
> If I want to put an open source app in the App Store, that’s not a business model for me. It’s more just personal expression.
Try convincing a regulator of that.
But it doesn't matter, you're still logging PII. GDPR doesn't make any distinction of profit vs. non-profit vs. personal ownership. You're as liable as an individual as an organization.
Your personal expression is writing the open source software and putting it on GitHub. However, once you make it available as a service, you should be responsible for it.
What do you imagine that fixed cost to be? Delete your logs and don't, you know, make an entire business out of misrepresenting your revenue model and you're most of the way there.
Any business that is shut down by GDPR is, to me, a good business to shut down.
Because European courts and regulatory authorities are not run by gibbering morons. The Data Protection Directive was materially similar to the GDPR and was enforced by the same supervisory authorities. The DPD gave member states total discretion as to the level of fines, with no upper limit. I have found no evidence whatsoever of irrationally large or unreasonable fines under the DPD.
You could be breaking the law in any number of countries. What steps are you taking to comply with the laws of Saudi Arabia or North Korea?
Well usually they aren't any kind of social or economic hubs, so I don't really worry if I can't enter or do business with north korea in my day to day life.
The EU on the other hand...
Also almost all laws stay in one jurisdiction, they don't go beyond their own country.
Sure, feel free to "leave", really, no offense. We talked to a lawyer in Germany regarding this (we are a small software company with 5 people). His response was: If you don't do shady shit with customer data, you'll probably don't have to worry. Also, if you are in a "contractual agreement" (e.g. EULA), you can apparently justify most data collection without any change at all.
Even though that's a personal risk you're willing to take, it might not be one everyone else is willing to. One might question a law that asks everyone to take risks (or pay/pray for peace of mind).
There are many other laws where you‘re taking risks. Maybe you‘re violating some US securities statute? Maybe you‘re violating some German accounting rule?
Why haven‘t all those doomsayers closed down their businesses long before the GDPR?
I mean, technically I'm taking a risk when I step out of my house every day. So why ever walk?
There are varying degrees to which people see laws as affecting them. Small business tech owners, when a law says they have work to do, are going to feel affected. If there was a securities or accounting law that felt similarly overreaching one could expect a similar reaction. This is especially true if there is an alternative (locking out markets) that is easier. It's not helpful to try and compare the situations. It's also not fair to consider people weighing the costs of these laws as doomsayers. They aren't closing down their business, they're just restricting it to more business-friendly environments in their view.
You've made many concrete, general statements in this discussion which turn out to be relevant to your personal situation and your personal appetite for risk. Maybe that's not an effective way of holding a conversation about the general issues around the GDPR?
I'm not sure what else I should reply to something like your comment before tbh. Neither can I predict the future, nor am I a lawyer. I'm just posting about my opinion, which I got by gathering information online and from consulting with a lawyer. I've stated the conclusion I've come to, based on this information and yes, I believe that to be correct (or as correct as one can be about a law with no reference cases in court yet).
I was just pointing out, that when a lawyer says "probably", he usually has a good reason to do so. And it's my strong belief that the reference cases in court will not be fought by small companies, because they rarely are.. There is just not enough money to make fit the effort you need to put in winning the first case. Before there is not one single case, I don't think it's necessary to panic and shut everyone out.
You don't need to believe me or agree with me, but reducing this to "my personal appetite for risk" is really weird.
You stated your extremely general conclusions, and only later mentioned that they were relevant to your personal business. And in this particular sub-thread, you made a very general statement about risk, again without qualifying it at all. And you only mentioned the lawyer after you were challenged about a general statement.
Maybe you have huge assumptions that people reading what you say will add all kinds of limitations to what you say? I don't. It leads to terrible discussions, like this one.
I'm sorry for making too generic statements, I'm not trying to have a bad discussion, really.
Regarding the personal risk comment, I could've been more clear: From what I got, no lawyer can give you a guarantee at the moment, that what he says is actually what will happen. So in the end you'll have to take action based on recommendations, and take a risk - or, as the op, shut out all European users completely. My personal risk is continuing to do business in the EU, even with this uncertainty. You couldn't have guessed all that from my earlier comment, so I agree it was bad..
Regarding that, i wonder how DPAs will handle cases. I can totally think of small businesses or professionals like doctors reporting each other to the DPA. Can DPAs easily dismiss complaints?
Citation needed. I have seen absolutely zilch about the implementation of GDPR in countries like Hungary, Romania or Bulgaria. And they are members of the EU as well, you know.
It's in the text of the legislation. Chapter 7 sets out the requirements for the European Data Protection Board to ensure consistent application of the regulations across all member states.
Article 83 states that any penalties must be proportionate to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken to prevent or mitigate an infringement and the degree of cooperation with the supervisory authority.
However there is a grand plan to do the absolute opposite, which is to adopt the entirety of EU law into UK law. The so called "Great Repeal Bill" or whatever they are calling it this week.
Risk is a part of life. Even before GDPR there was a risk that you were violating some privacy law in countries that your customers were connecting from. By putting your product out there, you've taken on most of this risk already.
There was a previous 1995 directive for instance. It didn't have the teeth of GDPR, but was actually rather similar. It would be hard to be compliant with That and in breach of GDPR.
That rather makes the anti GDPR arguement sound like "yes I know that is the law, but I was breaking it over the internet so that doesn't count"
When it's a one man show, you can't afford these kinds of unknowns. And by afford, I don't just mean monetary, I also mean mental costs, like your mind spinning at night wondering of the ways you might be harmed, or the ways you might develop a solution to the problem, etc.
> When it's a one man show, you can't afford these kinds of unknowns.
One really can. It took me all of a few seconds to shrug of the GDPR when I first heard of it. Then, with all the scare mongering (webserver logs will be illegal!), I spent a few minutes reading up on it. It's all more than reasonable: if you're not doing anything shady, or are being negligent bordering on incompetent, you can just shrug it off and sleep soundly.
Corporate veil piercings happen a lot more when your a small or one man shop, and officers can often be directly liable for the actions of the company. It's not as bulletproof as you think.
But the usual requirement for piercing the corporate veil is that the owner/operator of the business is using the business with the sole reason of insulation from having their private assets in the line of fire. If the business is otherwise legit and a fine were levied against the business there would be a fairly strong barrier before the assets of the shareholder become part of the story. A good precaution against this is to have more than one shareholder (preferably more than a token percentage for the second shareholder).
IANAL, but that is not the requirement I've heard. It is perfectly valid to insulate one's other assets from corporate creditors. One must voluntarily commingle those assets with corporate assets in order to justify a piercing. It's not always obvious to the careless what will constitute commingling, but this is kind of the point of corporations.
Frankly this post has prompted me to reevaluate your other legal advice in this thread.
My exposure to this is limited to cases in Europe and ones that I was a direct witness to and in all those cases it was pretty clear that the company was created with the express purpose to commit bankruptcy fraud and the result was the owner of those companies lost his shirt. All other attempts to pierce the corporate veil that I've seen failed.
Presumably that fraud involved assets that belonged to the corporation (or were represented to creditors as such) being transferred outside the corporation to other entities controlled by the owner? That will pierce. Imagine instead someone who builds a store in a location with insufficient commercial traffic and whose corporation fails for that reason alone: her creditors can't take away her house, her retirement account, or some unrelated business.
Long story short: guy figured out a way to make money: create an LLC, rent some warehouse space, order hardware, sell hardware, pay invoices, order some more hardware, sell hardware, pay invoices. This cycle repeats a couple of times with higher and higher order values and then finally when the orders are really large (millions) holds a clearance sale, pockets the money and defaults on the invoice. Boom, company bankrupt.
He did this several times before the corporate veil was pierced and they took him for all he had.
The other case was one that is probably best described as mismanagement ('onbehoorlijk bestuur') where the CEO/sole shareholder of a company started using the corporate account as though it was his personal account. When the company was unable to meet payroll taxes the taxman seized his private assets after piercing the veil.
Both of these episodes are clear cases of commingling. "Pockets the money" and "as though it was his personal account" are key phrases that would command any forensic accountant's full attention. Without these or something like them there would be no justification for piercing.
Excellent, thank you for pointing out the exact reasons why that happened. It made good sense from my perspective but to know the exact bits that would flag it is useful information.
No. Compliance with GDPR for a small company is relatively straightforward if you aren't doing anything shady with private data. It's not even an unknown.
Well, it's wrong in the sense that profiling activities require a "lawful basis", consent is one of the possible lawful basis available.
So you can profile without consent IFF you can convincingly justify said profiling via one of the other lawful bases. But those won't really let you do blanket profiling willy-nilly either and come with other strings attached.
The op seems to be motivated more by politics than the reality of this as I understand it. The "reasonable" qualifier in most of it, while it will need to be litigated, does a lot to assuage my concerns about overreach from it.
Could you be sued to the poor house from it? Maybe. But that's the risk of operating a business in the US every single day.
Where in the law does it say they only do this when ignored? Surely if this were the case, they'd put it in the law like they did punishment limits. Or are you banking on subjective enforcement?
"The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests."
That seems like a request from a data subject. I was responding to a comment that said you will only be sued by a regulator if you ignored them. There are multiple blog posts and articles that regulators have posted about what they will and wont do that is not codified.
thats not it. From my understanding people say that because that is how the UK regulator has dealt with cases in the past. But there is a different regulator in every EU country
Regulators. "Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation".
So, 28 countries, each with 1+ organizations. So you could find yourself having to deal with multiple parties in different languages.
Do I misunderstand this section: "Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation." That sounds like you can be sued by any subject on their whim?
That is not how the EU works, in the US i would be very afraid reading that, in the EU nothing will happen if you do not violate in a spectacular way, and that, after many warnings. They are after companies tracking you across real estate and selling relevant data from their vast silos to companies that can market stuff to you. They tried many ways already to prevent this kind of practice in some countries but loopholes were found so this is the hammer. As a small company, if you answer and act on actual user complaints, you have no worries no matter what the language. It is not in their interest to go for small offences. And if your story is reasonable, like OP, they will just let it go.
What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.
Edit; note as well that every country has a compliance office; if they know you are in complaince as in you are ‘good people’ (best effort, no giant holes etc; just best practice in our field which you should do anyway) they will not bother you with every (or any) user complaint after that. I have good experiences with this with far grave (and potentially criminally punishable) matters in a few EU countries.
It is reasonable to assume overreach by governing bodies will occur; this is no less true for the EU than for any national government. The EU is no less likely to misuse that hammer, intentionally or not.
"It is reasonable to assume overreach by governing bodies will occur"
No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.
Even then you probably won't. If it's an incident that happened despite of having taken the necessary precautions, you would probably get only a small fine or a warning.
These laws have been in place since 2016, they are going to start enforcing them starting the 25th. If you actually read anything about it from the source, it's clear it's setup against data abusers. It's not aimed at small businesses. If you don't do anything with user data, you don't even have to do anything. Like in the case of the OP. Aside from that, the EU doesn't have a history of overreaching/abusing power such as this. If this was US legislation your worries would be justified.
So we've gone from you can't, to you won't, to you almost certainly won't. I completely agree, I'm just saying the 1% possibility is something you have to live with.
No - you cannot ignore it when you are a small company that's true. But you can (probably, we'll see) ignore it if you don't do shady shit with your customer data. You are allowed to process data, if it's used to fulfill the service you provide. That's reasonable, and probably applies to most of what OP is doing.
So when I get reported, I'll say I didn't worry because some guy on Hacker News said I'd be OK? That's not how it works. You can be as confident as you want without affecting the reasonable worries actual businesses have about this regulation.
I have an actual business, thank you. And I did my homework by talking to a lawyer about it. What I got from this talk is, that most of the stuff that is going around is pure panic mode.
Please, don't take my words as granted but talk to an actual lawyer. You'll probably even find a free session for startups somewhere in your city, at least in Europe.
Ask the regulators. The ICO provide comprehensive guidance documents, a wide range of tools to facilitate compliance and a dedicated helpline for small organisations. They're extremely busy at the moment, but they'll be more than happy to explain your obligations under the GDPR and the best way of achieving compliance.
False. If you do any sort of logging of network traffic - think server logs - or even backup your database and a single person comes asking for all their data to be removed from all your backups sitting in cold storage, you're in for a world of hurt.
The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.
That's only the case if you store personally identifiable information in your logs. IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP. Plus, if you rotate out your logs and clean them up regularly, you don't really need to worry about it. (That's what the EU lawyers at my work told us.)
Database backups are only a problem if you save them forever, though it sounds like you are. GDPR generally requires that you regularly archive, rotate out, and clean up old data.
I spent near to $10,000 in 6 lawyers 2 in usa 4 in different european countries and all wrote detailed report for me negating what you just said. IP is one of the most PII identifiable elements of an internet user. Exception is when you can prove such IP is a merely a proxy. please get some other lawyers opinion!!
Note that I didn't say IPs aren't PII; I said they don't count as long as you are collecting them for the specific purpose of security and don't have any way to identify the person using that IP. Pretty much by definition that is not PII.
That came from the legal departments from our German, UK, and French entities.
You contradict yourself, either its PII or not. Common understanding in the industry is that it is. Purpose of security doesn't change if its PII or not. Although security/auditing might allow to hold on for longer because you need the PII as a feature (which you should be transparent about). For pure telemetry you don't need it, I'd claim.
If you're too worried about this, remove the last octet from the IP or and/or it with a mask. And especially don't associate the IP with the user (by default you can't find out who's the user only by IP).
> Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, ... or a computer IP address.
Emphasis mine.
I said:
> IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP.
I'm actually saying that both are a requirement for logging IPs in the circumstances being discussed here, but I certainly don't mean to suggest that either would grant you "carte blanche" to collect and log IPs.
I suspect that logging IP only for security purposes is fine, but the idea that it is a bulletproof defense is just wrong, we have no idea. Current indicators are that regulators think IP is personal & that legitimate interest defenses are suspect.
You might be thinking of this pseudonymization stuff. My advice is not to play with it. Just delete your logs after a month unless you have a demonstrable and immediate security need for them.
Wrong about what? I wasn't referring to pseudonymization; we thought that wasn't worth trying after the legal teams laid out what it involved. Log rotation is important, like I mentioned.
I can't see any way in which this interpretation can be valid. You'll always be able to "directly or indirectly" identify people from IP addresses. Just because I don't store IP and identity together, doesn't mean there's not many other ways to identify somebody based on an IP address.
I think the concern of the regulatory agencies (valid or not) is that there are db for sale that allow extremely precise locality information based on IP. Close enough to identify a household, which combined with other data can limit the data to a single person.
"The GDPR is open to interpretation, so we asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (indicate the retention time in your communication with the data subject). Backups should only be used for restoring a technical environment, and data subject personal data should not be processed again after restore (and deleted again)."
I don't see the problem here (for small companies). If you have a database with user data, and a user deletes his account, you delete the data from production. At this moment, you have a live system without this users data, and some backups with the data. The moment you make a new backup, you have a dataset to restore from that does not include the user data.
You keep daily backups for 1 week, and after one week the users data is gone from all backups.
The only possible window for restoring deleted user data is the time window from deletion to backup. To "solve" this you need to make more backups, ideally live backup and replication with really frequent snapshotting. And this is something you would want even without the new law, because you don't want to lose user data in case of a server failure. Why would you restore from an old backup? (And if you really need to restore from an old backup you most likely want to merge this backup with the newest one to reduce data loss. In this case you can reapply all deletes.)
The new laws don't change anything. For me at least. Also my lawyer is totally fine with "only" minimizing the problematic time window. We both know that it will never be zero.
You have a very narrow view about what backups are used for. Which is fine for your business, but for many others, the backups are important business records. What if an employee is stealing from the company, and does it for longer than the time that your business keeps backups? You might say "oh but I keep logs", in which case you have the same problem with keeping the logs that you think you dodged by not keeping the backups.
Yes and no... the GDPR is all about purpose, and if you keep a log for the purpose of logging unauthorized access to data this is fine if you state this fact in the contract with the employee and only store and access the logs for this purpose.
You just can not keep backups of everything for the purpose of everything.
My example can not include all cases and was written in the spirit of "we are a bunch of devs with a small project". As is monal.im .
That agrees exactly with what CNIL said. Obviously you have to keep an index of requested deletes for the same length of time you keep backups in order to re-delete the relevant data in the event of restoring the backups.
Article 63 of the GDPR specifically covers consistency of enforcement across the regulatory agencies.
> The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.
Okay: when you were writing this, you must been either drunk, you forgot how easy it is to find your projects via your HN profile and general googling, or you simply don’t have a single enemy out there who is waiting to hurt you/your business. I hope all of it together!!
My only still active side project to which this applies isn't open for public registration yet, and I fully intend to completely block the EU before going live.
There are other laws which require you to keep data for up to 10 years. This will require you to split up your backups and clean the ones for the longer storage from all unnecessary PII. That is already costly and challenging. Problem is nobody really knows what data you have to strip of and what do you have to retain for other laws.
You are talking about a very narrow set of legal reasons that need 10 years of archiving. This has nothing to do with the GDPR and these archives should really not be created from normal daily/... backups. If you fall into that category you need a lawyer even without the GDPR and this lawyer will tell you exactly what and how to archive. "Nobody really knows" does not apply here because your lawyer knows.
> very narrow set of legal reasons that need 10 years of archiving
Invoices for VAT MOSS have to be archived for ten years. And until today nobody really knows (it is another EU law disaster) which information you have to keep to prove the origin of your customer.
Why do you need to keep more information than the invoice itself? All invoices should include the invoice recipients name and address, and thus the country of origin. In many countries invoices below a certain amount can omit the recipient, but you don't need to omit it.
Do you invoice for a different country than the recipients country? Why?
> the information used to determine the place where the customer is established or has their permanent address or usually resides.
Sadly this regulation doesn't specify which kind of information this could be.
Your customer could try to get a better price by pretending to be from a country without VAT. Therefore the address given by the customer is more or less worthless in this regards. One more realistic information is the IP address. But as this also is pretty easy to spoof it might be reasonable to also keep information about the country were the cc card was issued, if possible.
You can still log accesses and aggregate them into statistics, just don't keep the IP addresses. You can still log IP addresses to detect DOS attacks or whatever, just delete the log when you don't need it anymore, after a day or so. There's no need to get backups from glacier, because you know there is no personal data in them.
Probably because that's a dumb exemption. Number of employees is pretty fucking irrelevant when it comes to data. By this standard, Cambridge Analytica would have had lessened burden on regarding objections to processing, demands for data deletion and so on.
And it's good that it wasn't allowed. Otherwise we'd just have medium sized companies worrying about GDPR while large companies spawn one-man shell companies that "specialise in data processing".
That is resolved today by subsidiary clauses in laws.
If owned or controlled by big-co in an non arms length manner, then it wont be considered a 'small company' in terms of the GDPR.
Edit: These corporate control laws have teeth, otherwise every small & large business owner would do something similar by making all of their corps 'offshore' in some zero tax jurisdiction and pay 0 tax locally except for business done actually in the territory itself.
Oh, but they're completely "independent", I don't understand what's the problem, Mr regulator ;-) This already exists in many ways for financial aspects. Sure, it's not super legal/moral, but...
Or the could be completely legitimate small businesses doing this device for anyone.
> would do something similar by making all of their corps 'offshore' in some zero tax jurisdiction and pay 0 tax locally except for business done actually in the territory itself
So it's a law that's arbitrarily enforced?
Kinda like giving limitless power to discriminate to someone?
There is no misconception on GDPR: the idea is good, the implementation is horrible and retarded and it is lead by people who do not understand a single thing about technology.
What if you don't want to deal with any of that. You can no longer just create some useful, free service and make it public.Heck, I don't even like having to be familiar with software licensing just to add something in Github.
If you don't want to follow the law you're welcome not to and will have to deal with the courts when they come knocking. This has always been true for all laws, not just GDPR. Try violating fiscal laws in the US just because "you don't want to deal with any of that" and let us know how well that works out for you.
Having an app that is non compliant out there induces anxiety. Having 10-20 old or fire-and-forget projects out there, it's anxiety multiplied. There is a non negligible chance that One disgruntled or trolling user or competitor will report you to their country's DPA . There are 28 DPAs and they are not all as good and fair as Germany's or the UK's , they may fine you even if there is no good reason. Example: in my country the DPA fined a company last week (3000 euros) because they searched a company's computer while the employee was not present, even though they found that the computer did not contain any personal information.
If there is a complaint against my small software company, are there limits on how much I'm required to spend on defense? Do I have to travel to Europe to defend my company or will investigators from Europe travel to my location at their own expense? Will I be reimbursed for reasonable expenses if the complaint is groundless? Are there parts of the regulation that act like strong anti-SLAPP laws in some states?
Can my small company be trivially bankrupted by any sociopathic gamer skid with an EU address and a grudge when DDOS attacks fail?
"You can beat the rap but you can't beat the ride."
> Can my small company be trivially bankrupted by any sociopathic gamer skid with an EU address and a grudge when DDOS attacks fail?
Your dude with a grudge can only lodge a complaint with the relevant regulatory entity, they're the ones who will verify whether you complied or not with his GDRP requests and if they deem that you are in violation fine you after negotiation fails.
This isn't the US: you can't be sued by random people for anything.
(1)A random person complain to his regulator that you are not complying with GDPR. If he asked for his personal data, jump to (3)
(2) His regulator contact you, tells you that wht you're doing is bad: you have some stuff in opt-out, not clicking "opt-in" cause a degradation of service, or you are sending him 3rd party cookies he did not accept.
(3) Depending on the complexity and your ressources, you have X months to comply.
> It is cleary directed at large data-tracking corps,
Then the law should say that. For instance when India implemented uniform goods and services tax processes, it explicitly excluded businesses below a certain revenue threshold and gave them a simple % of gross alternative to all the processes. GDPR doesn't make any such distinction, so such decisions to drop EU support are to be expected.
By law it is enforceable and directed at any entity that tracks European data. There is no clause the limits GDPR to large companies, just like there is no clause that limits or restricts fines outside of the 4%/20M number.
It would be entirely possible for someone to not be compliant with a side project and get fined 20M because there is nothing that explicitly forbids this it is entirely up to interpretation.
Given that US companies have already been targeted in the EU, unfairly [1], I find that law terrifying because I have to trust regulators that don’t have my best interests in mind with possible penalties that are very high.
Guessing: even if you don't have assets in EU, you have a Google (or Facebook, or Amazon) account, and Google has assets in EU. EU could ask Google to ban you, or else.
That seems like a bit of a stretch, unless you were actively using Google's services as a tool of your wrongdoing. The EU would be forcing an unrelated private company to act as an arm of law enforcement. It would be like the local police punishing you for speeding by leaning on Applebee's to refuse you service.
Maybe there's a legal precedent for that sort of thing, but I'm not aware of it.
I don't really get it. So what's the burden for the developer here - he argues that the IP is PII (personally identifiable information), which is true, but I don't think it means you can't log IPs in general anymore?
So is now every standard apache2 installation a non-compliant (illegal?) service, as it logs GETs?
I don't think that's the case.
//edit: It seems to be the case that you are ok if you do log-rotation and delete old ones - which makes sense, so you can still use them for debugging.
That makes a valid point: You should open a bug with Apache to remove IP address and User-Agent from the default log formats, as they should not be logged by default or else GDPR issues arise.
You can log IP addresses if there is a legitimate use for them. You just need to ensure that they are protected and that you do not keep them for any longer than is necessary (= use logrotate).
Logging them by default is a silent opt-in to a scenario where you are legally obligated to protect data you may not even know exists.
Anyone whose software logs IPs by default should stop, so that the admins who choose to log IPs must voluntarily choose to log protected information and handle it appropriately.
Pretty sure that is exactly the case. GDPR went all out on user privacy that is simply a burden for small businesses to deal with EU citizens, it's financially more sensible to just block the entire EU from their services.
The burden is if the EU does investigate him, for whatever reason whatsoever, even if he is 100% compliant he needs to spend money to prove he is compliant and deal with the EU.
Why would you think that? If he wanted to be compliant he only needs two things:
1. Some procedure that allows him to answer users privacy requests ("what information about me do you have?", "Please delete my personal data from your servers.")
2. A so called "directory of procedures" which states what data you collect and who's responsible for it.
If your fail to comply with 1. the user can call upon their local data protection agency who will contact you and request the contents of 2..
At no point would he need a lawyer or spend money, even if he were based in the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do handle lots of user data.
Most of this stuff has been law in Germany for years, I've dealt with the German data protection agencies many times (from both sides of the aisle).
- They helped me force my university remove personal information about me from the public uni website (by constructively explaining to them why it's a bad idea to have this information about student online in the first place).
- When someone trolled me by registering me to a dating platform which refused to delete the fake profile and spammed me for a year, one mail to the agency was enough to stop these idiots.
- When I worked with social workers, the data protection agency (after a client accused us of mishandling their data) helped us go through our communication procedures and identified some point where client privacy could easily be improved.
As a US company, if you don't want to deal with this, just don't. If you do handle user data you should, though.
I think the majority of users on HN are from the US. And going by the GDPR related comments over the past few months, it seems the litigious US stereotype really is true - a lot of people seem to be prepared to "lawyer up" at the drop of a hat!
20m euro or 4% of revenue, whichever is higher, is the max fine. Up to the individual to say how truly likely it is a small revenueless project could possibly get fined, even with large amounts of malfeasance.
It has a maximum, not a minimum: The higher of 4% turnover OR €20m. That means even with 0 revenue, your fine can be up to €20m (It won't, because if you're not making money your small fry to them, but still, the fine can be greater than 0)
I'm convinced this is the start where EU citizens become second class Internet users. Many businesses just don't want to go through the troubles of GDPR regulatory hoops. For most businesses, there's enough customers to sustain their business in the US, Canada, rest of the world that they can ignore all EU customers.
Are you preparing to start such a company? I know zero funders excited about regulation. About technology and platforms, sure. But never about regulation. Only lawyers get excited about that.
Maybe, but GDPR is not the only business-hostile regulation EU has. Together they make an environment in which even 550m users may not be worth it for the small startup. They will simply pivot to the more competitive, but freer, US market.
In that case where there is a proven market demand for idea B you can either compete with company A (which presumably has more resources than you), or enter into a market that company A has willingly forfeited.
I think the second option will have plenty of takers if it turns out that US companies are that scared of GDPR.
It's "viral". If you ignore privacy while processing data, you are not only excluding EU customers. You are also excluding US/Canada/rest-of-world companies that want to operate in the EU market.
If a business blocks EU citizens what will happens is that either another one who cares about GDPR will pop up and be able to work with both EU and non-EU citizens, or the business in question wont be that important in the first place. In either case, nothing will change for most people.
Maybe, but imagine if Google, Microsoft, Facebook, Amazon, etc. had decided to pull out of the EU. Not that any of them aren't replaceable, but providing the suite of functionality that any one of them does to their customers would not be a simple feat.
"Second class citizens" might not be the right term, but would "segregation" be an appropriate term?
What would most likely happen is that companies that act as "middle men" would pop up that provide the functionality those sites do. But TBH i doubt that would ever happen in the first place, even with much stricter rules. There are way too big of an audience to be lost.
Except that Google, Microsoft, Facebook and Amazon have been at the table when GDPR was written and will be compliant with it. So it's a completely bogus argument.
> I'm convinced this is the start where EU citizens become second class Internet users.
This is free market with 550 mil potential users/citizens, void will be filled pretty quickly by other companies/developers that actually spent some time reading about what GDPR is.
> Europe doesn’t have a stellar record when it comes to high tech startups. For many reasons.
For many reasons indeed, this is broad topic and GDPR doesn't change anything if we are talking about big US players and their domination. None of them is getting out of EU.
> And I am afraid GDPR has just added another one.
I disagree, it's the other way around. Small single person companies/developers that will get out from EU market will could only strengthen local market. Any other US/EU/outside EU startup/developer can fill that void.
How is knowing and writing down what your actually do with user data (and employee data, btw) and who is responsible an onerous regulation?
In a world where lots of small shitty businesses (and some bigger ones) don't care what happens to your personal data it's long overdue for this being finally regulated.
> Europe doesn’t have a stellar record when it comes to high tech startups
Which automatically implies that you were talking about non-EU tech companies leaving EU because of GDPR and EU startups filling their space. And now you fail to see how this will make more likely succeed EU companies? What?
I think you fail to understand what the point of my argument was. It doesn't matter if this will be EU founder or US founder or XX founder, if there is a void it will be filled, doesn't matter who will fill it. This is an axiom describing the free market.
> onerous regulation
I am conducting online business in EU handling personal data and I don't find it onerous at all. Adding to that as EU citizen I am happy that this regulation was introduced in EU law system.
Yes, the void will be filled by megacorps like Google who were practically GDPR compliant 5 years ago because they have armies of developers and lawyers dedicated to data management and legal compliance.
Reading the FAQ, the only way to really safely ignore the DPO provision would be to hire a law firm with GDPR expertise to parse the vague language in the law and to give written guidance as to whether the law applies to each specific web site, which you can then present to EU authorities in the future to show you performed due diligence to try to meet the requirements of the law.
I can only think you are not familiar with European principle based law vs US rule based law. Where you see 'vague', I see 'flexible' and 'able to move with the times'
Have you considered that a law being "flexible" and "able to move with the times" is exactly why someone wouldn't like it being vague? A law that is "flexible" means that it's a law that can be arbitrarily applied. A law that can "move with the times" means that what might be fine now won't be fine later and just maybe you will be the first to find out.
It doesn't matter if European law has a history of being "principle based", if it can fuck you then someday it just might. Europeans might be fine with this, but I think most Americans would not be. If I was in OP's position I would do the same thing, by simply blocking an IP range all possibility of being made an example of by some people from another continent is flushed down the drain. I'm absolutely baffled why people think this is absurd, if you're not even making any income off of it, why would you ever open yourself up to such expensive potential liability?
The FAQ is referencing the legal concepts in the law's text. For example "sensitive data":
"(...) including for the processing of special categories of personal data (‘sensitive data’)", special categories are mentioned on Article 9. "(...) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation"
Do you store or transfer or process any of that data on a large scale? Is it personally identifiable? "Processing" is defined on Article 4.
I believe the original legal text, though not the easiest to read, gives you a fairly clear idea on where your organization or project should stand with respect to GDPR.
(1) What data do you process?
(2) How is it connected to your economic activity?
(3) How do users consent this use of the data?
(4) Is your data "sensitive data"?
If you're some random guy online doing large scale processing of "sensitive data" you better hire a law firm with GDPR expertise to understand and comply with the law, I mean, that's the whole point.
(1) The controller and the processor shall designate a data protection officer in any case where:
...
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or ....
Article 9 describes personal data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, ...
I would say that messages send via IM are personal data like described in Article 9. I also would check the "large scale" checkbox. So in my interpretation he will need a DPO.
I don't think he has access to the messages, it's an IM client. If he did have access to the messages then I fail to see how having to hire a DPO in that case would be outrageous. If anything, that's the reasonable thing to do.
> Your evaluation of the impact of the law on your project is lazy
That seems a very pejorative way to describe it. You can say the same thing in terms of "you could probably keep operating if you put a lot of effort into understanding the details of the law" which kind of proves the author's point: this creates work for people and why should someone do that work for no return? Where does the presumption that people owe EU citizens these services at a higher standard than the rest of the world is content (legally) to accept?
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
A DPO is most certainly not required by all organisations[0], and I would be suprised if it applied to this project. I know lots of blogs are saying it is, but it is simply untrue. I'm not saying that this totally relieves the burden however.
A lot of people are claiming that a DPO is required. GP is saying that a DPO is most certainly not required and that the claim [that a DPO is required] is simply untrue.
>I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
>1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
I thought this guy was a single person who put something on Github. How is he required to appoint a DPO? What kind of large-scale processing of personal information is he doing?
I don't think he can. The DPO may not be assigned any tasks that would result in a conflict of interest between their role as a DPO and their other responsibilities. I suspect that means that the sole proprietor can't be the DPO. But, you know, not a lawyer, not even European, could be wrong. See article 38, paragraph 6, 2nd sentence.
Yup, I read that and I don't see how it would be in the conflict of interest for probably the vast majority of cases. But, yeah, I'm not a lawyer too.
Edit: DPO Network says this which I think is a pretty good summary (though it's not part of the explicit legal policy, it's someone's opinion)
> CAN WE ASSIGN ONE OF OUR EMPLOYEES AS OUR DPO?
> Yes. However, you must ensure that other professional duties of this employee must be compatible with his/her new duties as DPO and do not result in a conflict of interests.
I imagine when running a business one faces many stupid bureaucrats, this could be another one (or they could be competent and understand and accept the technical explanation of how my imaginary company complies with GDPR).
But yeah, why quit because of the n + 1th bureaucrat, when you've dealt with n of them while starting and running of your business?
> Being the sole owner and manager and being the DPO is clearly a conflict of interest.
Could you clarify why you think this is so? As an owner, my interests would align with the DPO's interests so it's hard to me to find where the conflict of interest would reside in the case of being the sole employee _and_ DPO.
Now if it's a large company where they make money per GDPR policy workaround then I could see it being required another person than the owner, but it could still certainly be an employee.
I would say there is a definite conflict of interest for the sole owner to be the DPO - you are responsible for the entire direction of the company, thus have considerations beyond data protection (rather than an individual who ONLY has to consider the data protection outcomes in the exercise of his duties). Even if you make data protection a paramount concern, and intend to be fully compliant, there is the possibility that you could e.g. make more money or provide a better service by making a different choice, therefore there is a conflict of interest.
That's a big assumption. In an executive/owner role where, say, you are the CTO, surely data protection (and therefore the risks and penalties involved in controlling this data) are a core concern? Owning or being in an executive position seems to me to be an investment of interest, not a conflict.
And even if such a conflict does arise, as it surely will somewhere, the text linked states that the controller and processor shall ensure that such a conflict does not exist. It does not say that "You can't do this because 'conflict of interest'", it just says those two roles will ensure there will be no conflict of interest. If you read all the guidance, you will see that the DPO is the most protected role. It has the least liability. The data controller and processor have their own responsibilities, from a liability pov.
Unless you are the business owner/executive, DPO, data controller and data processor...I can't see this being a conflict of interest. Ever.
I don't think it's a big assumption as the law as well as the guidelines clearly state that point (from "Guidelines on Data Protection Officers" [1] by WP29, pages 16 ff.):
> The absence of conflict of interests is closely linked to the requirement to act in an independent
manner. Although DPOs are allowed to have other functions, they can only be entrusted with other
tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular
that the DPO cannot hold a position within the organisation that leads him or her to determine the
purposes and the means of the processing of personal data. Due to the specific organisational structure
in each organisation, this has to be considered case by case.
> As a rule of thumb, conflicting positions within the organisation may include senior management
positions (such as chief executive, chief operating, chief financial, chief medical officer, head of
marketing department, head of Human Resources or head of IT departments) but also other roles lower
down in the organisational structure if such positions or roles lead to the determination of purposes
and means of processing. In addition, a conflict of interests may also arise for example if an external
DPO is asked to represent the controller or processor before the Courts in cases involving data
protection issues.
In summary, if you have power to decide how or for what purposes the processing of the data is to be carried out you're probably not allowed to serve as DPO. Of course in the end it's the company's decision who to give that role to, but not following the guidelines increases the chance of non-compliance.
That seems insane, and I'm definitely not a lawyer, so maybe there's an out, but I think maybe he's right. Article 37 is pretty clear that if your core business involves processing data that's subject to the GDPR, you need to appoint a DPO, and it can't just be you, because they also require that the DPO can't have a conflict of interest. Man, that's unfortunate.
you are a public authority (except for courts acting in their judicial capacity);
your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
In Germany the law has been that you only need a DPO if a) you are a public authority, b) at least 10 people in your organization/company handle or have access to personal data or c) you handle sensitive data (e.g. health records).
As far as I know the GDPR doesn't change these requirements here. So even if you're a company of 5 people and just handling some email addresses or similar data you certainly don't need a DPO.
No. That article says you only need a DPO if you're a public authority or if you're processing certain data or you're processing very large amounts of data.
I'm struggling to understand why that's unclear. Is it the use of "public authority or body"?
Monal is an XMPP chat system. User's messages are user data, and everything it does is processing that data, in the form of broadcasting it. I suppose as long as the data doesn't count as "very large", that'd be fine, but what does very large mean?
> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.
Example: Parts of our software run on customer servers and as such they are processing data in their control and not ours, hence can for example used to filter out personal data before they are then sent to our servers, without causing any GDPR related triggering of sending personal information to a third party (our company).
For some reason, I can't reply to Max_aaa's question directly.
> How do you guaranty that nothing in the messages being handled by the server is "sensitive personal data".
You guarantee it by reading the rest of GDPR. It defines sensitive personal data separately than personal data. Sensitive personal data is defined by GDPR to be things that can be used to discriminate against the individual, such as race, ethnicity, religion, health information, credit information, age, etc.
EDIT: And what I mean to say is that if the messages aren't passing through the server or being stored on the servers, then the only info being handled by the server is the meta-data including IP address, which is not included in GDPR's definition of _sensitive_ personal data.
It's not “processing user data on a large scale” that requires a DPO, but “processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
First of all, you're saying "core business". Is this even a business?
And I copy-pasted direct text from the regulation. Note how it says "large scale". Twice. If he is actually processing personal data on a large scale, then maybe it is not unreasonable to have a DPO.
At a certain point, even if you are a single person, if you are processing and tracking enough data then you still shouldn't be allowed to do what you want. Company's could just outsource all liability to single person consultancies then like they outsource a lot of none core jobs to consultancies to get around employment law now
It really comes down to the definition of "systematically monitoring". On our service we capture behavior (say in FullStory) and Google Analytics at a "large scale". How the DPO clause gets interpreted is going to be a key finding in the next few months. This is imho the most confusing and potentially difficult part of GDPR
Not that's irrelevant in this case. The question is whether you're processing sentive PII on a large scale. DPO is only necessary when processing sensitive PII. Sensitive is very clearly defined in the law as race, religion, medical records or biometric data. And IP addresses certainly do not qualify as sensitive PII (they are PII though) so I don't understand the entire discussion here. Seems to be just a political kneejerk
That's fair in this case, at my company we track "pregnancy status" and "due date". It's unclear at this point whether that's considered sensitive PII.
XMPP does have presence functionality so I'd consider that to be systematic monitoring. I don't know if his service is doing that, but it's one of the most useful aspects and definitely seems to fit the definition to me.
I suspect it's going to be a bit like IR35 in the UK. Menacing on first glance, but so broad in it's definition that any court is going to struggle to draw the hard conclusions for anything that isn't what the law was explicitly created to prevent.
Having to rely so much on the discretion of the courts is not a good thing. Generally, it is better if all people who agree on what happened agree about the legality of that.
When instead it is up for interpretation, that comes with issues. The first is selective enforcement, there is also the chilling effect on both sides. Those who ought to be protected worry about the slack given to their potential predators. Meanwhile those who are 'potential predators' need to worry about the slightest move that is illegal under some interpretation.
The end result of this chilling effect is fewer willing customers, fever willing companies, and less mutual trust. Notably, this lack of trust persists even if you presume everyone still follows the law. At that point it seems to me a law has failed.
I don’t agree. All laws are up for interpretation. That’s why we have the judiciary. Law makers draft laws, courts decide where those laws fit into the wider body of law.
The kind of law making you’re implicitly advocating is tantamount to despotism. Drafting a law that outlaws islam might well be clear in it’s wording, but it needs to be tested against the law that allows freedom of religion, freedom from persecution, and a ton of other laws no doubt. The claritiy of language with which a ban on islam is articulated is all for nought if it’s contradicted by, and incompatible with other laws.
Although, GDPR has been explained very clearly. And we’ve been given a loooong time to digest, understand, implement, and question it. I don’t think any reasoable person can make a compelling case against GDPR. But unreasonable people can, and as we’re seeing, they will.
AFAICT, it's not a public authority or body (37(1)(a)), it's not "regular and systematic monitoring of data subjects on a large scale" (37(1)(b)) (it seems to be merely crash reports and minimal information required for the service, not systematic monitoring), nor is it one of the special classes of data (37(1)(c)). I'm not sure how you could could conclude a DPO is necessary.
Companies with less than 250 workers have fewer requirements, but the obligation of a DPO follows a different set of rules https://gdpr-info.eu/art-37-gdpr/
Edit: Art 30 "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
Recording IP addresses in a web server log does not qualify as "regular and systematic monitoring of data subjects on a large scale" by any stretch of any definition.
And that's besides the fact that they don't have any presence in the EU. GDPR's scope only includes companies with at least some presence in the EU. That's not just because it'd be unenforceable - the laws make no attempt to include a wider scope than that.
This was in one of the earlier drafts of the GDPR but was removed, so you can be required to appoint a DPO if you are a small startup as well, but only if one of the conditions mentioned in article 37 applies to you (which I think doesn't to the OP).
A designated DPO is a ROLE not a person, that's a huge difference. Just like a security officer in a small company is a role assigned to someone who most likely has other duties too in a large company it will be a dedicated person (and in a really large company there might even be more people working in a team under a CISO or something to that effect). So 'designated' means that the role has to be assigned to a person, it does not say 'dedicated' where you'd have to have a person whose exclusive job is DPO.
So, DPO is not necessarily a person with no other duties. In most smaller organizations that deal with sensitive data the DPO role will be shared with the CCO (Chief Compliance Officer), only at a certain scale of processing and with certain data would you need to budget for a dedicated DPO from day one, but presumably your business plan will also foresee in other things such as office space, computers and so on. Certain businesses come with implied costs.
Younneed a DPO if you 10 employees or more. Fornhiavcase, he most likely just needs to update his privacy policy and have a form to collect users requests (like TypeForm) and make sure that he handles them (event if it's manually deletion in database).
I'm both surprised that people react so strongly and... mostly ok with it. Majority of GDPR is pretty reasonable - know what data you have and make sure your users know it as well. Allow removing it, make sure you don't share with parties who don't need it. For normal services it doesn't appear to be a tough retirement.
You certainly don't need to hire extra people like author suggests and federation should be just fine. (it's essential to what the service does)
I was going to say the same thing. If you're an individual running an OSS service, or a small business, requests for information or deleting information really are going to be really rare.
We're talking about chat.. you shouldn't be logging the contents, at most a bit of metadata to prevent abuse (eg. a connection log to identify and block spammers).
If you don't store that metadata longer than needed (a couple of weeks? storing it for years would be hard to defend) you have legitimate reasons to keep it, and don't need to worry about deletion requests
That's why I mentioned I'm ok with projects reacting strongly and removing themselves. Removing my info (and many other GDPR points) is in my interest. If they can't do this, I'm glad I won't be their immortal user.
1. Isn't this person allowed to be the Data Protection Officer themselves?
2. Is APNS inherently not compliant or if there something unique about this use-case?
What's kind of great about this new regulation is that we get a clear view on businesses that can't adequately protect user's privacy. It's painful for businesses such as these, but ultimately it seems that consumers would come ahead of it.
If the weak link in this case may not have been the developer themselves, but external factors but it's still a pretty interesting data point.
>... I frequent Europe and do not want to get into legal trouble on vacation.
Does the author seriously believe this could happen? Enforcement of GDPR is similar to antitrust law. A regular police officer isn't going to fine you for that.
The author's anxiety makes as much sense as not traveling to the United States because you're worried that your one-person pottery business might be considered a monopoly under the Sherman Act.
BetOnSports, an AIM listed UK company took sports bets over the internet, including from US customers:
> In July 2006, their then-CEO, David Carruthers, was arrested while changing planes in Texas on the way to Costa Rica from the U.K. In April 2009 he pleaded guilty to federal racketeering charges, and in January 2010 was sentenced to 33 months in prison.
> BetonSports plc is a British online gambling company founded by Gary Kaplan in 1995. The company was one of the biggest players in the United States online gaming market, drawing in several billion US dollars in wagers in the early 2000s.[1] In June 2006 US authorities indicted the company and a number of its executives on RICO, mail fraud, and tax evasion charges arising from its supplying online betting to customers in the United States (the alleged crimes took place before the adoption of the Unlawful Internet Gambling Enforcement Act of 2006).
This is about federal crimes committed by executives of a billion-dollar company.
OP seems to be a solo open-source project, and violating the GDPR is not a criminal offense. This isn't even close to being comparable.
While I agree that violating the GDPR is much less likely to result in being pulled off a plane than running a company that allows people to gasp gamble on the internet, your characterisation of the problem as 'federal crimes' seems to suggest that there was something much more nefarious going on than simply allowing people in another jurisdiction to do something over the internet that is completely legal in the jurisdiction you are based in. I could be wrong, but according to my understanding, that's not the case.
The 'federal crimes', were precisely enabling US customers to gamble over their phone lines. That was enough to get a publicly traded company in a friendly nation categorised as 'organised crime'.
The other thing you mention about how it's not a criminal offense is something important a lot of people seem to be missing. If you're violating the GDPR and someone notices, the first thing that happens is that they work with you to try to correct the problem, not that they hit you with huge fines and laugh while twirling their mustaches.
Maybe we just misunderstood each other a bit: My point about the 'federal crime' is not to judge gambling as more nefarious, but to simply point out that the violated law in this case is a completely different type of law (criminal).
As you correctly note, the GDPR is an EU regulation that will be enforced by national regulatory bodies through warning letters and fines. Unlike for criminal offenses, there simply is no way for it to be enforced by a police force or through arrests.
Reading through the indictment, it appears that BetOnSports was actively (and repeatedly) advertising within the US. I feel there's a rather clear line between operating in one jurisdiction and merely accepting customers from overseas , vs. actively seeking out customers and doing business in a jurisdiction where your activities are illegal -- I'm not sure I would categorise it as "completely legal in the jurisdiction you are based in" when you are deliberately doing business, and spending money, in another jurisdiction.
Are you really can't imagine what state is capable of doing? Not so long ago they packed people on trains to gas them on an industrial scale, and there were people questioning whether this actually happened. Do you think jailing people for not complying with GDPR is not possible? Bookmark this comment and check in 5 years... if this site will even exist by then.
Well in the UK the only criminal offenses under gdpr are around falsifying records to fool the regulator or attempting to deanonymise data. Both of which are punishable by a fine, not prison. And since you can't go to prison for a civil offense I think your comment is misguided.
Now if the state has got to the levels of your tasteless gas-chamber example, i don't think you need worry about data protection law
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
Is there any actual requirement within the GDPR that this needs to be a dedicated person, or does being a DPO just need to be someone's responsibility, e.g. in the case of a one-man open source project the guy who runs the project?
No there is no requirement for most bodies at all. Please see my other comments on this discussion. A person at my company is called the DPO, but that is far from their main role in the business
> The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
I guess you could say that it is literally impossible for the DPO to not have conflicts of interest if the DPO is also the owner and manager of the company.
Well, if you're owner and manager, I think you've got the independence, adequately resourced and reporting about right.
If you're a sole proprietor and managing data at volume and sensitivity levels that a DPO is required, I hope you're an expert at protecting that data..
My understanding of GDPR, if the logs remain anonymized... i.e. the IP addresses are not correlated with user records, then the solution is compliant. The IP addresses are not considered PII.
When I worked with GDPR compliance we tried and tried but still ended up with the opnion that IP adresses are considered personal information.
Article 4 point 1 in the GDPR indicates this (unless you can somehow prove that the IP is not related to the person, which I think we all know it effectively is in most cases)
I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
All of our infrastucture has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
I don't have any knowledge about monal.im (don't know what it is - some kind of im client?), but this person is making some claims:
- he needs a data-protection officer: no, only larger orgs handling lots of personal data need this. If he's making an im-client and not servers that store data he certainly doesn't, but I don't know what his setup is.
- crash analytics: This can be handled by telling the users clearly that you'll be gathering the data (and defaulting to not gathering if they don't actively approve). As long as you have a proper PURPOSE for gathering and storing the data and don't use it for anything else you're golden. You do have to document this, in case of a review (hyper-unlikely).
- Push: he's getting a message and storing the device/ip combination. This seems to be central to the service he's providing. Therefore he can and should put that in the description/terms of his service (as he cannot deliver the service without this). As long as it is clearly explained to the end-user this is fine, and he can keep doing it. If he stores it and does anything with this data other than the central purpose that he informed the end-user of he's in violation. I'd suggest putting it in clear text in front of the end-user and deleting the data as soon as it's no longer needed. Don't do any non-approved analysis on it. If you want to analyse - ask for permission.
XMPP federation may be a problem, I agree with that. The problemer here (as I see it) is that each service getting the personal data must only process it for the purposes explicitly agreed to by the end-user and honour any subsequent notifications of rectification and deletion. This is a hard nut to crack indeed.
I am assuming the answer is no, but would a startup be able to build a SMTP or NNPT like system today? It would be a shame for the GDPR to be yet another force moving the Internet from its historical decentralization reinforcing the current centralization trend.
Article 1 (c): the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or ....
What makes you believe that the "large scale" refers to the size of the organisation and not on the amount of processed data.
> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. 4In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. 5The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC¹.
> I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
> All of our infrastucture has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
What if I didn't want you to visit my website. Sure, by the letter of the law I am collecting PII (your IP address) but I think I can reasonably argue that it's quite a technical feat for a private layperson to go from "sudo apt-get install apache2" to "removing IP addresses from log files".
Sure, this is tongue in cheek - but most of that panicking I read was people concerned about their personal websites, especially with the "might be taken as professional work stuff just because of ads or you're blogging about tech as a tech freelancer.." - didn't really hear anyone with a company panic.
If you didn't want visitors to your site you shouldn't have put it on the web. If you want visitors to your site without any strings attached you should serve the content without grabbing and storing anything about the clients.
This is called the "technician's responsibility" where I come from. To only track/store/process what is absolutlely necessary, in order to not be liable for the consequences when someone you cannot feasibly stop wants to do something untoward with the date (i.e. unconcented analysis, government extraction of data, breaches)
I know the "logging by default" comes from a different age of the internet, and I'm absolutely for minimizing data collected - but I'm sticking to my opinion that as long as the default of every internet-facing package is logging IP addresses by default, it's not good that private owners have to face problems or a lot of work because of that.
I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
That person doesn't own those bits on that hard drive.
They don't own the bits. They own the data those bits represent. The person/company who does own the bits has to comply with the rights of the owner of the data.
How you decide to store it makes little difference as long as it's digital.
Fun aside: if you store it on paper you're not beholden to GDPR. Crazy.
Think about. A person doesn't own the random bits (data) about them that goes through and is stored on various systems they interact with. Under the GDPR in the EU, they might have a right to know what is stored about them on various systems, but they don't "own" that data.
This project is completely out of scope for GDPR, not having any presence whatsoever in the EU. You aren't going to be arrested when going on holiday. You wouldn't be breaking the law at all, even if it was possible to enforce anything.
Even if it was in the EU, it wouldn't require a DPO, and your use of IP addresses is very reasonable and within the standard allowances which don't require user consent.
Maybe bother reading _anything_ from an official source before coming to this conclusion? This reads to me more as something you want to have a rant about because you don't like it - rather than as any kind of pragmatic decision.
Disclaimer: I work on GDPR stuff for a company it certainly applies to, this is my opinion not my companies
We’ve spent tons of money & interacted with lots of official sources trying to get opinions about what GDPR means and it just isn’t available.
Everything is a risk mitigation technique right now with no real answers in sight. If I had any personal projects serving traffic in the EU right now that weren’t profitable I’d likely shut them down.
I think it’s likely that the regulatory agencies will act with restraint and this will all be hysteria without merit, but I’ve seen enough legal opinions to know that’s not the worst case scenario.
What are you talking about? There's a ton of information about what GDPR means, both from the EU and the national regulators (particularly the ICO). The best sign that the regulators aren't going to go crazy with this, is that they already have quite significant powers and they're not throwing their weight around now.
This lawsuit doesn't seem to stem from the GDPR, despite the article (mistakenly[1]) mentioning it. I don't even know if the regulatory bodies are enforcing the GDPR yet, much less in February this year, or even worse, 2015.
Here's a statement from the CPP, connected to the 2015 lawsuit. They mention Facebook being in breach of Belgian privacy laws from 1992.
[1] - none of the other reporting I found on the subject(Guardian, Bloomberg, etc) mentions the GDPR. They also don't show the court order, which is frustrating.
Please be nice to the developer. I didn't post it to shame him. I'm just very sad about the post because I was hoping to establish XMPP as the group chat in my family, of which half are iPhone users.
Just curious (to you or anyone else affected), would you be willing to give up your rights under the GDPR, with regards to this company specifically, to regain access? Do you believe you should have a right to trade these rights of yours or is it in the general good that companies cannot offer an easy GDPR opt out?
If the result of the GDPR is that only big companies, employing as much lawyers as developers, will be able in the future to provide the tools I need, then yes I would be willing to give up my rights under the GDPR. Because what is the alternative, if all small messenger provider have to give up everybody will be using FB? Is that better for privacy then the current state?
I think everyone already knows that more regulations hurt businesses. We don't have to wait for the result to find that out. The question is whether the help done to consumers outweighs that. There are many ways to tackle the privacy issue beyond a large, sweeping law.
> I think everyone already knows that more regulations hurt businesses.
That's not a given. Further, it's more important to look at what's better for society as a whole. Further, less regulation within banking caused some big profits.. but also some hefty problems.
Wouldn't a better alternative be to design a messenger that complies with GDPR? Simple user accounts that can be deleted at the request of the user, peer-to-peer encryption (and where possible, communication), a "storage cabinet" for each user where encrypted data end in when the user is offline (with an encryption/decryption key that is generated client-side and transmitted while both users communicate) and can easily be deleted and i think this covers most uses.
This is just an idea that i came up with right now, but if you start your design with the goal to store as little data as possible and anything you store needs to be both encrypted and easy to delete, then i believe you can come up with several ideas for most issues.
It also helps to see this as respecting the users' privacy and giving them control, as opposed to a development burden :-P.
I don't think you actually answered his point. Sure you could build an IM client that is GDPR compliant, but at what point do the costs become so high that everyone just defaults to using Facebook because (1) they can afford to be compliant and (2) they are trained well enough to not fuck up their encryption.
In other words, are we moving towards a world where unless you are VC backed (Signal, Telegram, Whatsapp, etc) don't bother building an IM client? Also note, I don't think there might be anything wrong with that - if we expect all our communications to be E2E encrypted, maybe Joe Shmoe shouldn't be writing an IM client.
There is an assumption that there is some additional "natural" cost involved because of GDPR, but where does that assumption come from? The cost might currently exist if you are not compliant and you need to convert (or you need to skirt the edge between what is allowed and what not), but if you start with being firmly compliant from the design phase, where does the cost come from?
The company would still be subject to the GDPR which they may consider an unacceptable risk. I'm specifically asking whether users would like to be able to give permission to ignore the GDPR altogether or if they see that ability as harmful for society in general.
Unfortunately every single one of these stories has turned into a long form ad-hominem attack against the site owner and their supposed alterior motives.
The developer has decided to spread misleading information and FUD about legislation protecting people. We shouldn't be "nice" to people deliberately spreading lies.
Comments here only show how terrible this law is, as nobody has a clue how to interpret the requirements. EU direction is simple - cripple the internet so that only handful of companies could afford to navigate regulational hurdles and that way it will be easier for bureaucrats to control it. Any small initiative kill with fines. In few years internet will be under full control of socialist regime and people are sleep walking into new reality with the help of do-gooders.
Many of the comments here are rebutting - saying that a DPO isn't needed or that this guy gave up unnecessarily. But the fact that he had to spend who knows how much of his time to even discover whether he needs to do anything (or what sort of trouble he could get into) is too much of a barrier for many people and their hobby side projects. This is unfortunate and not surprising collateral damage of the GDPR.
I'm a small businesses owner. When I first found out about the GDPR, this was exactly my view, and I even posted on HN to that effect.
Then I actually spent a little time to find out more and, as someone who cares about privacy, quickly realised the positive intent behind it, and how simple it is to comply with in principle: let users know what data you collect and what you do with it, and give them the possibility to request it or request it's deleted.
TBH, if someone requested any of this, I'd do it without the GDPR.
You don't need a DPO. I work with healthcare businesses and some of them don't even need a DPO.
You only need a DPO if you are a public authority, if you do large scale processing or large scale processing of sensitive data (ambiguous in the GDPR).
If you collect some data, all you need is a privacy policy outlining such, stating what you collect in general and that your legal basis for doing so is to provide the user a service and to monitor for app crashes / bugs - both within your legitimate interests.
Many people have interpreted GDPR to be stricter than it is. In fact, those who have to do the most work are those that cause incredible damage to individuals when they lose data - especially those that have had recent, massive data breaches e.g Equifax.
It really should be defined by company size or revenue. If I my site goes viral and a small web app suddenly has 2M lines of logs, but my revenue is small/non-existent, then there's no reason to comply. If that pushes my revenue over 1M euros a year, you now get pushed into a zone where you should be compliant, and you have enough revenue to afford it as well.
Another comment in this thread indicated that "large scale" was any business in which 5 employees or more had access to the data in the course of normal business operations.
Not exactly an ironclad source, but better than nothing, hopefully.
Possibly but they are not "sensitive data" (aka "special categories of personal data"). Article 9 of the GDPR outlines what these special categories are:
"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation"
Oddly, GDPR gives 3 reasons why you would need a DPO:
1. you're a public authority (NHS practices are an example)
2. Large scale processing
3. Large scale processing of sensitive data
They don't specify what large scale means. They also haven't specified how sensitive data qualifies the third statement. One can assume the threshold is lower but the GDPR doesn't specify any thresholds with regards to this.
It's not defined. It was left intentionally ambiguous in the GDPR so member states have some flexibility in definition.
I've got a call with a lawyer on Monday to clarify some bits of the GDPR. Number one Q for me is "how far can you take legitimate interests?".
Some lawyers are advising that marketing data and usage falls under legitimate interest, in a way that these higes drives for consent seem unnecessary.
If anyone else has any questions, I can ask and feedback. I'm sure I'll have those questions too.
> registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance. APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person.
Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for a legitimate interests of the user (or operator) as long as it do not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seems to fit that description quite well.
Agreed, I don't see how this possibly cannot be a legitimate interest - the user knows they need to be contacted for a push request to work, even if they don't understand or care about the underlying vagaries of IP addresses.
it covers it ... except when it doesn't. Which is open to 'interpretation'
Where is the scale balanced on this ... will it be the same in each of the different countries implemeting it?
>as long as it do not conflict with the interest of the data subject in regard to their need for data protection
Article 6.1.f
>processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
So ... I can retain IP records in my logs , as long as they aren't a child?
In regard to children I view it as part of two different interpretations. One is that data in regard to children need to be considered with extra care and in those cases that the process is written down or is more formal then that consideration need to addressed.
The other way to see it is a bridge to the US regulation COPPA, where operators in the US and EU now have to follow the same rules in regard to children. In this case Monal would have to move out of both EU and US in order to avoid the regulations in regard to children.
956 comments
[ 5.7 ms ] story [ 307 ms ] thread/Where dust == blocking EU
We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.
Suggesting that XMPP federation isn't compatible with GDPR seems like an over-reaction, isn't that like saying that SMTP isn't compatible?
For example, IP addresses are considered personal information but what that means is you just can't blindly collect them. If the service you use relies on IP addresses as a basic point of operation then its fine.
CDNs aren't going out of business for example.
Genuinely curious, what about all of the web servers that log every request which usually by default includes the client IP? Not doing anything special with the IP, they are just there in log files and archives.
Also the section of the GDPR that talks about pseudonymization using a token how should my user DB table be GDPR compliant? Contains ID (primary key), username, password hash, email, etc and the ID is also in other DB tables for obvious reasons (such as user posts/actions).
If you have a site where users can make posts, I'd say they pretty much give you consent by signing up. IANAL, though.
I think you can also log the ip, you just have to get your user's explicit consent.
I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.
It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.
So much as I dislike the new privacy laws, at least the made me reconsider my AdSense settings.
We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least). Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.
The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it.
So someone having a copy of my data that I wish be removed is trampling on a webmaster's rights? That makes no sense whatsoever.
> Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers
This isn't even true. They have _a tiny bit more_ control of what you can do _with their_ data. That's it.
Buckle up because this type of regulation is only going to happen more frequently and in large part because of your attitude that it is "your" data versus the user's data.
No
> It rightfully belongs to the webmaster.
No, you are completely wrong here. The basic point of the legislation (and other privacy legislation in the EU that came before GDPR) is that a users personal data absolutely does not belong to the someone else once collected.
And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell user's e-mail addresses to some spammer or whatever.
I'll let that excerpt speak for itself.
And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary.
Views like this are exactly why we need the GDPR.
I find it utterly ridiculous - disgusting even - that you really believe you have the right to do whatever you want with someone else's personal information. When you provide an email address, physical address, name or other PI, it's with the expectation of it being used for a specific purpose - you should absolutely not give you the right to sell that information to the highest bidder.
This isnt even users feelings, this is data that can a:have monetary value and b:can be plain wrong and damage a user.
Do you think that merely by observing data you have right to it? Do you not believe in any IP law? If you agree with any type of IP law then you are just being hypocritical by insisting that webmasters get to take and use whatever data they come across
Yes, with some exceptions for actual copyright and the like.
>Do you not believe in any IP law?
IP law, yes, but I don't feel a user's entries into a website automatically qualify as IP owned by the user. The terms of many websites actually say that whatever you upload to them is owned by the website, unless a prior IP applied to it. I've only ever heard the claim that your name et al. are your inherent IP from "Sovereign Citizens" before.
I don't see a way to declare one bad and not the other unless you're just saying that new things are bad.
Additionally the terms of websites can say whatever they want but it doesn't mean they are legally defensible. I could put into my terms "by finishing this sentence you agree to be enslaved by Lovich LLC" but that doesn't make it happen
This is a bad solution to that problem. So many people's data was stolen that preventing future data from being stolen isn't the most important thing we should be doing. Last I heard it was 150 million people - that's enough that it no longer really matters to the average person if their data is leaked in the future because there's such a high change it already has.
The real solution is to change our systems so that data leaks aren't a big deal. If people didn't ask for a 9 digit number to identify me, as if that's a reasonable thing to keep secret, then it wouldn't matter if everyone in the world knew it. That's the problem with data breaches like this. That's what we should be fixing in response to it.
The GDPR prohibits me from doing that, and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.
Some people, on hearing this, say, 'well, that's fine, you can just store 192.0.2 or 192.0 instead.' That seems pretty silly to me, since the whole point of logs is that they contain full information.
The GDPR tries to do the right thing, but it's broken. Immutable logs are a fundamental right.
It appears to me that as long as you don't use the logs for nefarious purposes you'd at least have legitimate interest in processing them (including the IP addresses), and so could keep them. This is the stance I am taking with respect to my personal webserver (together with a time limit after which logs are deleted); if a regulatory body informs me to change my approach, I'll gladly adapt.
Note also that IP addresses can be personal data, but do not have to be. Most claims here seem to relate to a ruling, where the IP address was deemed personal data in the hands of an ISP, who would be able to resolve it to a real person [1]. If you hold an IP address, but can't connect it to a real person (e.g. by having legal means to convince the ISP to give you that name based on the address), then it seems the IP address would not even be personal data in the first place. In the particularly ruling, the operator of the webserver was the German government, which presumably has more legal power to make an ISP turn over identifying data on a customer than a random website would have.
In any case, I hope some more clarity about this will emerge soon. But what you are talking about here would at best be a borderline infraction (and probably just be covered under legitimate interest). OTOH, what the person starting this thread had in mind seems to be that all the data he might collect on his users is fair game to do with as he pleases.
[1] https://www.whitecase.com/publications/alert/court-confirms-...
No it doesn't.
> and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.
No it doesn't.
https://gdpr-info.eu/art-17-gdpr/
If it is a fundamental right, how far does it go? Should I be able to sue you for watching me walk in a public place? Photographing me? Video taping me? What about a privately owned but still public place?
There are a lot of questions here that I think people tend to skip over about users owning information about them and being able to control it.
Making some observations out your window of cars passing by is something no one ever had a problem with. Taking down every single identifier you could and coordinating with others to track that person, for a profit, is something that would not be kosher in meat space.
Why this different just because it's on a computer?
That's the whole point of the law is to say it's illegal, the same way laws made stalking people illegal
Keeping detailed information about everyone that enters your store isn't illegal, as far as I know. Especially not information that is gained from observation (what color shirt they're wearing, their IP address) and information that is submitted willingly (their name given for a reservation at a restaurant, their username).
Also, no one who actually does this stuff for a living uses the term "webmaster".
Have I been hallucinating my workplace this whole time?
In this case, a lot of people base their argument on a fundamental right to privacy which is not generally accepted by everyone and therefore it has to be explained because it's an important part of the discussion.
I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.
Go for it.
What? Because you just decided that it does?
It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?
Your personal info, username, account settings, marketing anayltics, etc. are definitley you're data and you should be free to have them deleted.
The two year old IPs in a server log sitting in backup, or a chance occurrence of your username in a random call stack for some web exception is not your data, and you shouldn't force a business to have to dig through that mound of digital noise to satisfy your deletion needs
I think most people agree that unless those pictures are gathered with very specific consent, subject to many restrictions, they are not "my data". This is obviously an extreme example, but the reasoning extends to more data that is considered sensitive. The point being that "data ownership" is a complicated issue.
Pictures probably aren't a good example because they are covered by intellectual property laws.
Months later, I discover that I can sell my stock of credit card information on the darknet for some nice extra income.
Should I be allowed to do that? What if it weren't credit card details but just postal addresses?
Nobody likes getting a lot of junk mail, but it's not the end of the world. I actually got my first credit card from a pre-approved offer found in junk mail.
If you think they might be used illegally, I believe there are already laws to charge you with that relate to facilitating a crime.
If you don't think they will be used illegally, then what's the harm in selling them to someone else?
In a society where the webmasters have shown that they can't uphold their duty to secure PII (or any kind of data really), as evidenced by ~monthly high-profile data leaks, they deserve to be restricted in their "rights to the fruits of their labor".
You are saying that's a bad thing?
Services that require you to sign up, should provide the possibility for users to look at, modify and delete their user data - that's all. Where's the problem?
The problem is that there's no justification for having the right to coerce other people just because they have information you gave them. If users enter names into your website, you're not allowed to run a statistical analysis of what names are most common on your website without asking. If people named Jane are more likely to eat ice cream, you can't target ice cream ads at them and help keep your site free, without asking them. Worse than just this kind of coercion of what you're not allowed to do, users can coerce you into taking time out of your day to expunge records about them. It's all entirely backwards.
Apart from the fact that people named Jane aren't more likely to eat ice cream, you seem to criticize that it gets harder to target ads?
Oh no, that's a real pity. Oh no, poor webmasters.
Why are the rights of people who own websites less important to you than the rights of other people?
Regardless, you might not still be saying this once half the websites smaller than Google become subscription-based in the EU or just block the EU altogether.
What you're describing is a good thing. If you're going to treat my data like an almost stale slice of pie selling it off cheap to anyone who will buy it - Please do block my access!
If forcing low-earning EU citizens off the internet because every website requires a subscription is a social good to you, then sure, it's a long term benefit.
Even if it would all be a net benefit, why is it ok for all of these companies to be so misleading about it. No one out a simple EULA, for what is happening with the data. Hell half the agreements just say that the companies can do whatever with the data, but an average person does not have the ability to parse the output of the legal teams of every company they interact with every day. The only way this could get even close to an equal footing between users and companies is if every single person was a lawyer
For example, with small numbers for the argument's sake, say in 2000 there were 5 good webpages and 4 bad webpages added to the internet every day. Now there are 10 good webpages and 50 bad webpages added every day. That would mean we're getting more good information per day than before, but the signal to noise ratio has gotten worse, as you said.
For all intents and purposes the information doesn't exist if you can't find it, you can only find information as a certain rate, and a larger and larger chunk of that information bandwidth every day is bad information. The practical result is that the rate of good information someone has access to has decreased even if the total system has a nominally higher rate
They don't have that right. GDPR only applies to business. If you mean you wrote it in your house for some business reason then yeah they have the right to know you've done so and why and the right to ask you to remove it if you don't need to have that information.
In no situation do they have the right to come into your house. That's a touch too far into the absurd.
Further, the US law is based on risks of heavy punishments but few regulations, while the law in many parts of Europe is based on strict regulations but less high fines. It looks like the EU has too many rules, but that is a subject of perspective.
Problem here: The internet gives a shit about borders and society.
Every business owner here who would complain about how the GPDR is taking their rights to their personally earned data away would be the same people who launch a lawsuit because one of their competitior's products had a typeface that was vaguely similar to theirs
There are regular people here, they just don't go starting businesses that have abusing their customers as a business model because they couldn't sleep at night if they did that
Surely anyone who disagrees with your feelings on this matter must be a sociopath, though.
Which is why you are perfectly capable of giving consent to other websites to do that.
"Surely anyone who disagrees with your feelings on this matter must be a sociopath, though."
No, just those who insist on a "take it or leave it" approach.
Implying that the majority of user's wouldn't just instantly click the largest button that says "make this annoying wall of legal text go away" whether that is agreeing to tracking or not?
While the inability to target ads based on data about you and your search history searches removes some amount of advertising income. Websites would still be allowed to show ads, and I would imagine that those ads can be specific to the article currently being viewed.
This is exactly how conventional TV advertising works, just because you don't know the gender, race, political views and entire life story of a website user, doesn't mean you can't get almost the same effect. You can target ads in general at specific content and hit most of the correct users anyway rather than targeting specific users and the content they have viewed in the past.
https://www.emarketer.com/Article/Behavioral-Targeting-Doubl...
The GDPR didn't arise out of some feeling that companies we're making too much money. It arose out of the fact that the industry refused to self regulate. They were given years to do this and the standard operating procedure for security around data right now is to lol because who cares if you have a breach, that's a problem for the people you harvested data from, not you.
The bad side effects from this data harvesting are called negative externalities. A similar set of negative externalities is pollution.
Do you think it's immoral for regulations to make certain business model that rely on dumping poison into the water or air unprofitable, just because those companies could have made some money if only they could do what they liked regardless of the harm to others?
Sociopath is a tough word, but in the original non insulting meaning of deviation from the common society, I think the word is right.
We still do. Nothing has changed on that front.
"Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time."
As it should have been from the beginning. Having the standard being that the company hoovers up all your data all the time without telling you what they're doing with it or why they need it was a terrible, terrible thing.
"The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it."
I highly doubt it.
That said I do think there should be an expectation that your participation in crash reporting would be voluntary and explicit.
Government intelligence organizations like the NSA and foreign equivalents will now have a monopoly on unsolicited data collection. Which, combined with selective enforcement to prevent disruption of gov cartels, is one of the few reasons it went through.
At the very least read this: https://privacylawblog.fieldfisher.com/2016/what-you-think-y...
It introduces a fixed cost for operating with any user-related data, which effectively kills any companies operating below that cost.
You're required to have a fire safety officer at these companies too, but it's not a full-time position.
I’m fairly left leaning for a US citizen & find the idea that the default should be big companies abhorrent.
But I recognize my bias & am not st all convinced it’s in any way objectively correct.
AFAIK, most of the "safety committee" regulations usually have waivers for small companies.
It's especially funny when small to medium German companies suddenly panic because of the GDPR and when you look at their situation all you can say is "yeah, you should have implemented that 15 years ago, it's already been German law that long".
In Germany not much will change, but at least companies like Facebook can no longer just move to another country with worse privacy laws (like Ireland) and call it a day. For us the GDPR means that protecting user data will no longer be a competitve disadvantage. But if you're a small company and handling data reasonably, the GDPR won't hurt you anyway.
Can you hint me to one of those German laws which do require one of the above?
It literally translates to "federal data protection law" and has been German law since 1978. In certain conditions it has also mandated a DPO (https://de.wikipedia.org/wiki/Datenschutzbeauftragter) since then, but in fact the first DPO position in Germany was created in 1971.
The right to be forgotten is mandated by article 35 BDSG (https://www.gesetze-im-internet.de/bdsg_1990/__35.html).
The right to a data export is mandated by article 34 BDSG (https://www.gesetze-im-internet.de/bdsg_1990/__34.html). It has always been common use this law to get a free copy of the data which our credit reporting agencies have about you, I've done that multiple times.
However, if you do that, good luck ever getting a mortgage, credit card or other post-paid services ever again if all credit report requests come back with the reponse "no data available". So I wouldn't recommend that.
How does that work for people who never had a Schufa history? If for instance I decided to move today from Brazil to Germany, would I be unable to do all these things there, since they would have "no data available" on me?
I'm not arguing for or against it, just pointing that the resulting unintended consequence is protecting large companies. Exactly the opposite of the original intent.
Nonsense. I look at another high tech data driven start-up every week and not a single one has stated that the GDPR costs are 'prohibitively high'. Sure, there are some that need to do more work than others (medical, ad tech). But on the whole companies that were already doing their best to not fuck up with their customers data have very little to do in order to get to where they should be and the remainder has a bit more work but will mostly likely be more-or-less compliant by the 25th and what work remains will be done long before the eye of Sauron will turn their way by virtue of their size.
The cost is strongly related to the size of the organization and the amount of sensitive data you hold as well as whether or not you were a bad steward of the data in the past.
There is a correlation between the number of GB you store and eg. how many DPOs you require?
A small business or a startup should have a relatively limited amount of data capture, and that data should be stored in a relatively limited number of places. In most cases, it should be straightforward to make sure that this is documented and appropriate controls are in place.
On the other hand, large companies have vast quantities of uncontrolled data gathering that nobody is responsible for.
If I want to put an open source app in the App Store, that’s not a business model for me. It’s more just personal expression.
Try convincing a regulator of that.
But it doesn't matter, you're still logging PII. GDPR doesn't make any distinction of profit vs. non-profit vs. personal ownership. You're as liable as an individual as an organization.
Any business that is shut down by GDPR is, to me, a good business to shut down.
Compliance. It doesn't matter if you delete your logs, if you had them in the first place you're subject to compliance.
Like the example in the article. Not sure why people are still thinking this doesn't happen, this is exactly what is happening in the article.
You could be breaking the law in any number of countries. What steps are you taking to comply with the laws of Saudi Arabia or North Korea?
The EU on the other hand...
Also almost all laws stay in one jurisdiction, they don't go beyond their own country.
Not the courts, but "Brexit"
However, this cases will be fought with the Googles & Facebooks, not with 5 person companies.
Why haven‘t all those doomsayers closed down their businesses long before the GDPR?
There are varying degrees to which people see laws as affecting them. Small business tech owners, when a law says they have work to do, are going to feel affected. If there was a securities or accounting law that felt similarly overreaching one could expect a similar reaction. This is especially true if there is an alternative (locking out markets) that is easier. It's not helpful to try and compare the situations. It's also not fair to consider people weighing the costs of these laws as doomsayers. They aren't closing down their business, they're just restricting it to more business-friendly environments in their view.
People in other parts of the world have gotten used to that. As a current example, see US threats re: European business with Iran.
Even if the GDPR were overreaching (and I vigorously dispute that notion), it would simply be a taste of America‘s own medicine.
I was just pointing out, that when a lawyer says "probably", he usually has a good reason to do so. And it's my strong belief that the reference cases in court will not be fought by small companies, because they rarely are.. There is just not enough money to make fit the effort you need to put in winning the first case. Before there is not one single case, I don't think it's necessary to panic and shut everyone out.
You don't need to believe me or agree with me, but reducing this to "my personal appetite for risk" is really weird.
Maybe you have huge assumptions that people reading what you say will add all kinds of limitations to what you say? I don't. It leads to terrible discussions, like this one.
Regarding the personal risk comment, I could've been more clear: From what I got, no lawyer can give you a guarantee at the moment, that what he says is actually what will happen. So in the end you'll have to take action based on recommendations, and take a risk - or, as the op, shut out all European users completely. My personal risk is continuing to do business in the EU, even with this uncertainty. You couldn't have guessed all that from my earlier comment, so I agree it was bad..
I'll try to do better.
Article 83 states that any penalties must be proportionate to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken to prevent or mitigate an infringement and the degree of cooperation with the supervisory authority.
https://gdpr-info.eu/
Anyway, how should the ICO be able to be more concrete then the GDPR?
That rather makes the anti GDPR arguement sound like "yes I know that is the law, but I was breaking it over the internet so that doesn't count"
One really can. It took me all of a few seconds to shrug of the GDPR when I first heard of it. Then, with all the scare mongering (webserver logs will be illegal!), I spent a few minutes reading up on it. It's all more than reasonable: if you're not doing anything shady, or are being negligent bordering on incompetent, you can just shrug it off and sleep soundly.
The monetary and time cost is minimal, but the mental benefit is pretty damn good.
Frankly this post has prompted me to reevaluate your other legal advice in this thread.
He did this several times before the corporate veil was pierced and they took him for all he had.
The other case was one that is probably best described as mismanagement ('onbehoorlijk bestuur') where the CEO/sole shareholder of a company started using the corporate account as though it was his personal account. When the company was unable to meet payroll taxes the taxman seized his private assets after piercing the veil.
Well that's a disappointment.
So you can profile without consent IFF you can convincingly justify said profiling via one of the other lawful bases. But those won't really let you do blanket profiling willy-nilly either and come with other strings attached.
Could you be sued to the poor house from it? Maybe. But that's the risk of operating a business in the US every single day.
https://gdpr-info.eu/art-12-gdpr/
"The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests."
Regulators. "Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation".
So, 28 countries, each with 1+ organizations. So you could find yourself having to deal with multiple parties in different languages.
What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.
Edit; note as well that every country has a compliance office; if they know you are in complaince as in you are ‘good people’ (best effort, no giant holes etc; just best practice in our field which you should do anyway) they will not bother you with every (or any) user complaint after that. I have good experiences with this with far grave (and potentially criminally punishable) matters in a few EU countries.
No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.
The regulator is the effective judicial remedy.
In the UK there's also a First Tier Tribunal and probably an upper tribunal. These are when the regulator has made an error in law.
And then the next would be that it's inexpensive to "make your case" if you get reported.
Please, don't take my words as granted but talk to an actual lawyer. You'll probably even find a free session for startups somewhere in your city, at least in Europe.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
https://ico.org.uk/global/contact-us/advice-service-for-smal...
https://gdpr-info.eu/chapter-7/
What hav the Danish & Belgian regulators been doing lately?
The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.
Database backups are only a problem if you save them forever, though it sounds like you are. GDPR generally requires that you regularly archive, rotate out, and clean up old data.
That came from the legal departments from our German, UK, and French entities.
> Purpose of security doesn't change if its PII or not.
Security is the legitimate interest, an important part of collection under GDPR.
If you're too worried about this, remove the last octet from the IP or and/or it with a mask. And especially don't associate the IP with the user (by default you can't find out who's the user only by IP).
> Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, ... or a computer IP address.
Emphasis mine.
I said:
> IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP.
- the ip addresses never uniquely identify someone or
- you have a legitimate interest to collecting this data.
Neither provides carte blanche for collecting IP address.
You might be thinking of this pseudonymization stuff. My advice is not to play with it. Just delete your logs after a month unless you have a demonstrable and immediate security need for them.
If you have "other ways to identify somebody based on an IP address" then that wouldn't meet the criteria laid out by the lawyers.
http://blog.quantum.com/backup-administrators-the-1-advice-t...
"The GDPR is open to interpretation, so we asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (indicate the retention time in your communication with the data subject). Backups should only be used for restoring a technical environment, and data subject personal data should not be processed again after restore (and deleted again)."
Other opinions have concluded that you must keep an index of requested deletes in the face of backups, for instance.
You keep daily backups for 1 week, and after one week the users data is gone from all backups.
The only possible window for restoring deleted user data is the time window from deletion to backup. To "solve" this you need to make more backups, ideally live backup and replication with really frequent snapshotting. And this is something you would want even without the new law, because you don't want to lose user data in case of a server failure. Why would you restore from an old backup? (And if you really need to restore from an old backup you most likely want to merge this backup with the newest one to reduce data loss. In this case you can reapply all deletes.)
The new laws don't change anything. For me at least. Also my lawyer is totally fine with "only" minimizing the problematic time window. We both know that it will never be zero.
You just can not keep backups of everything for the purpose of everything.
My example can not include all cases and was written in the spirit of "we are a bunch of devs with a small project". As is monal.im .
Article 63 of the GDPR specifically covers consistency of enforcement across the regulatory agencies.
Okay: when you were writing this, you must been either drunk, you forgot how easy it is to find your projects via your HN profile and general googling, or you simply don’t have a single enemy out there who is waiting to hurt you/your business. I hope all of it together!!
They aren't a global superpower who will or can invade your country to enforce their laws
You do need to have a documented and implemented backup retention policy and communicate this if you receive a request to delete a user's data.
Invoices for VAT MOSS have to be archived for ten years. And until today nobody really knows (it is another EU law disaster) which information you have to keep to prove the origin of your customer.
Do you invoice for a different country than the recipients country? Why?
> the information used to determine the place where the customer is established or has their permanent address or usually resides.
Sadly this regulation doesn't specify which kind of information this could be.
Your customer could try to get a better price by pretending to be from a country without VAT. Therefore the address given by the customer is more or less worthless in this regards. One more realistic information is the IP address. But as this also is pretty easy to spoof it might be reasonable to also keep information about the country were the cc card was issued, if possible.
You can still log accesses and aggregate them into statistics, just don't keep the IP addresses. You can still log IP addresses to detect DOS attacks or whatever, just delete the log when you don't need it anymore, after a day or so. There's no need to get backups from glacier, because you know there is no personal data in them.
https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spa...
If owned or controlled by big-co in an non arms length manner, then it wont be considered a 'small company' in terms of the GDPR.
Edit: These corporate control laws have teeth, otherwise every small & large business owner would do something similar by making all of their corps 'offshore' in some zero tax jurisdiction and pay 0 tax locally except for business done actually in the territory itself.
Or the could be completely legitimate small businesses doing this device for anyone.
It's not 0, but large corps already do this. https://en.m.wikipedia.org/wiki/Double_Irish_arrangement
There is no misconception on GDPR: the idea is good, the implementation is horrible and retarded and it is lead by people who do not understand a single thing about technology.
1. Enforcement is not arbitrary, but like all regulation the goal is compliance rather than punishment.
2. The idea is good, and the implementation is widely regarded as good by anybody familiar with data protection regulation.
3. Most of the panic seems to be from woefully misinformed US tech companies.
What if you don't want to deal with any of that. You can no longer just create some useful, free service and make it public.Heck, I don't even like having to be familiar with software licensing just to add something in Github.
What if you don't want to deal with the rules of the road?
"protecting people's rights is expensive, therefore we shouldn't do it".
That's your argument? Really?
Also, i think the DPAs can fine any company in the EU, not just the companies of the country the DPA is in.
Sure, but that's not actually written anywhere.
Can my small company be trivially bankrupted by any sociopathic gamer skid with an EU address and a grudge when DDOS attacks fail?
"You can beat the rap but you can't beat the ride."
Assuming you are American, the only court you need to worry about is American court. Your company is American? Your bank is American?
What's the actual liability here? Worst case?
Your dude with a grudge can only lodge a complaint with the relevant regulatory entity, they're the ones who will verify whether you complied or not with his GDRP requests and if they deem that you are in violation fine you after negotiation fails.
This isn't the US: you can't be sued by random people for anything.
(1)A random person complain to his regulator that you are not complying with GDPR. If he asked for his personal data, jump to (3)
(2) His regulator contact you, tells you that wht you're doing is bad: you have some stuff in opt-out, not clicking "opt-in" cause a degradation of service, or you are sending him 3rd party cookies he did not accept.
(3) Depending on the complexity and your ressources, you have X months to comply.
(4) You got caught again, you are fined.
Then the law should say that. For instance when India implemented uniform goods and services tax processes, it explicitly excluded businesses below a certain revenue threshold and gave them a simple % of gross alternative to all the processes. GDPR doesn't make any such distinction, so such decisions to drop EU support are to be expected.
It would be entirely possible for someone to not be compliant with a side project and get fined 20M because there is nothing that explicitly forbids this it is entirely up to interpretation.
Given that US companies have already been targeted in the EU, unfairly [1], I find that law terrifying because I have to trust regulators that don’t have my best interests in mind with possible penalties that are very high.
[1] https://www.treasury.gov/resource-center/tax-policy/treaties...
Maybe there's a legal precedent for that sort of thing, but I'm not aware of it.
So is now every standard apache2 installation a non-compliant (illegal?) service, as it logs GETs?
I don't think that's the case.
//edit: It seems to be the case that you are ok if you do log-rotation and delete old ones - which makes sense, so you can still use them for debugging.
The GDPR has really made me think about minimising the collection of data that I don't need - absolutely a good thing.
Anyone whose software logs IPs by default should stop, so that the admins who choose to log IPs must voluntarily choose to log protected information and handle it appropriately.
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts.
If a single user decides to send him/her the letter (https://www.linkedin.com/pulse/nightmare-letter-subject-acce...), he/she would either have to spend an enormous amount of resources to reply, or be non-compliant and risk him/herself.
Agree, that's why I never implied that.
The EU is not the USA.
The authorities have limited resources, and are only interested in large-scale privacy abuses.
1. Some procedure that allows him to answer users privacy requests ("what information about me do you have?", "Please delete my personal data from your servers.")
2. A so called "directory of procedures" which states what data you collect and who's responsible for it.
If your fail to comply with 1. the user can call upon their local data protection agency who will contact you and request the contents of 2..
At no point would he need a lawyer or spend money, even if he were based in the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do handle lots of user data.
Most of this stuff has been law in Germany for years, I've dealt with the German data protection agencies many times (from both sides of the aisle).
- They helped me force my university remove personal information about me from the public uni website (by constructively explaining to them why it's a bad idea to have this information about student online in the first place).
- When someone trolled me by registering me to a dating platform which refused to delete the fake profile and spammed me for a year, one mail to the agency was enough to stop these idiots.
- When I worked with social workers, the data protection agency (after a client accused us of mishandling their data) helped us go through our communication procedures and identified some point where client privacy could easily be improved.
As a US company, if you don't want to deal with this, just don't. If you do handle user data you should, though.
I think the majority of users on HN are from the US. And going by the GDPR related comments over the past few months, it seems the litigious US stereotype really is true - a lot of people seem to be prepared to "lawyer up" at the drop of a hat!
Yes:
https://gdpr-info.eu/art-84-gdpr/
> Member States shall lay down the rules on other penalties applicable to infringements of this Regulation
So every country can create whatever penalties they want, as long as they are "effective, proportionate and dissuasive".
- US company A controls the market for idea B
- EU creates GDPR which scares away company A
In that case where there is a proven market demand for idea B you can either compete with company A (which presumably has more resources than you), or enter into a market that company A has willingly forfeited.
I think the second option will have plenty of takers if it turns out that US companies are that scared of GDPR.
"Second class citizens" might not be the right term, but would "segregation" be an appropriate term?
This is free market with 550 mil potential users/citizens, void will be filled pretty quickly by other companies/developers that actually spent some time reading about what GDPR is.
For many reasons indeed, this is broad topic and GDPR doesn't change anything if we are talking about big US players and their domination. None of them is getting out of EU.
> And I am afraid GDPR has just added another one.
I disagree, it's the other way around. Small single person companies/developers that will get out from EU market will could only strengthen local market. Any other US/EU/outside EU startup/developer can fill that void.
In a world where lots of small shitty businesses (and some bigger ones) don't care what happens to your personal data it's long overdue for this being finally regulated.
> Europe doesn’t have a stellar record when it comes to high tech startups
Which automatically implies that you were talking about non-EU tech companies leaving EU because of GDPR and EU startups filling their space. And now you fail to see how this will make more likely succeed EU companies? What?
I think you fail to understand what the point of my argument was. It doesn't matter if this will be EU founder or US founder or XX founder, if there is a void it will be filled, doesn't matter who will fill it. This is an axiom describing the free market.
> onerous regulation
I am conducting online business in EU handling personal data and I don't find it onerous at all. Adding to that as EU citizen I am happy that this regulation was introduced in EU law system.
Being a first class citizen means being tracked like an animal with an implanted chip.
And let's face it, 99% of web sites and tools aren't really needed, more like a waste of time.
Read the law or, at least, read the official FAQ. Your evaluation of the impact of the law on your project is lazy.
It doesn't matter if European law has a history of being "principle based", if it can fuck you then someday it just might. Europeans might be fine with this, but I think most Americans would not be. If I was in OP's position I would do the same thing, by simply blocking an IP range all possibility of being made an example of by some people from another continent is flushed down the drain. I'm absolutely baffled why people think this is absurd, if you're not even making any income off of it, why would you ever open yourself up to such expensive potential liability?
I will leave the reader to make their own jokes.
"(...) including for the processing of special categories of personal data (‘sensitive data’)", special categories are mentioned on Article 9. "(...) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation"
Do you store or transfer or process any of that data on a large scale? Is it personally identifiable? "Processing" is defined on Article 4.
I believe the original legal text, though not the easiest to read, gives you a fairly clear idea on where your organization or project should stand with respect to GDPR.
(1) What data do you process? (2) How is it connected to your economic activity? (3) How do users consent this use of the data? (4) Is your data "sensitive data"?
If you're some random guy online doing large scale processing of "sensitive data" you better hire a law firm with GDPR expertise to understand and comply with the law, I mean, that's the whole point.
(1) The controller and the processor shall designate a data protection officer in any case where: ... (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or ....
Article 9 describes personal data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, ...
I would say that messages send via IM are personal data like described in Article 9. I also would check the "large scale" checkbox. So in my interpretation he will need a DPO.
He has no data of the kind described in Article 9.
That seems a very pejorative way to describe it. You can say the same thing in terms of "you could probably keep operating if you put a lot of effort into understanding the details of the law" which kind of proves the author's point: this creates work for people and why should someone do that work for no return? Where does the presumption that people owe EU citizens these services at a higher standard than the rest of the world is content (legally) to accept?
A DPO is most certainly not required by all organisations[0], and I would be suprised if it applied to this project. I know lots of blogs are saying it is, but it is simply untrue. I'm not saying that this totally relieves the burden however.
[0]:https://ico.org.uk/for-organisations/guide-to-the-general-da...
Most certainly simply untrue?
A lot of people are claiming that a DPO is required. GP is saying that a DPO is most certainly not required and that the claim [that a DPO is required] is simply untrue.
How are they suppose to fill the positions by 25th of May?
>1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
I thought this guy was a single person who put something on Github. How is he required to appoint a DPO? What kind of large-scale processing of personal information is he doing?
Edit: DPO Network says this which I think is a pretty good summary (though it's not part of the explicit legal policy, it's someone's opinion)
> CAN WE ASSIGN ONE OF OUR EMPLOYEES AS OUR DPO?
> Yes. However, you must ensure that other professional duties of this employee must be compatible with his/her new duties as DPO and do not result in a conflict of interests.
https://www.dponetwork.eu/faqs.html
Being the sole owner and manager and being the DPO is clearly a conflict of interest.
I imagine when running a business one faces many stupid bureaucrats, this could be another one (or they could be competent and understand and accept the technical explanation of how my imaginary company complies with GDPR).
But yeah, why quit because of the n + 1th bureaucrat, when you've dealt with n of them while starting and running of your business?
No, like Google, Microsoft and Intel before the European Commission.
Could you clarify why you think this is so? As an owner, my interests would align with the DPO's interests so it's hard to me to find where the conflict of interest would reside in the case of being the sole employee _and_ DPO.
Now if it's a large company where they make money per GDPR policy workaround then I could see it being required another person than the owner, but it could still certainly be an employee.
And even if such a conflict does arise, as it surely will somewhere, the text linked states that the controller and processor shall ensure that such a conflict does not exist. It does not say that "You can't do this because 'conflict of interest'", it just says those two roles will ensure there will be no conflict of interest. If you read all the guidance, you will see that the DPO is the most protected role. It has the least liability. The data controller and processor have their own responsibilities, from a liability pov.
Unless you are the business owner/executive, DPO, data controller and data processor...I can't see this being a conflict of interest. Ever.
> The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
> As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.
In summary, if you have power to decide how or for what purposes the processing of the data is to be carried out you're probably not allowed to serve as DPO. Of course in the end it's the company's decision who to give that role to, but not following the guidelines increases the chance of non-compliance.
1: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...
https://gdpr-info.eu/art-37-gdpr/
Under the GDPR, you must appoint a DPO if:
you are a public authority (except for courts acting in their judicial capacity); your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
So - no?
As far as I know the GDPR doesn't change these requirements here. So even if you're a company of 5 people and just handling some email addresses or similar data you certainly don't need a DPO.
I'm struggling to understand why that's unclear. Is it the use of "public authority or body"?
He's not handling sensitive personal data.
He doesn't need a DPO.
See also the derogation for micro companies:
https://gdpr-info.eu/recitals/no-13/
> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.
How do you guaranty that nothing in the messages being handled by the server is "sensitive personal data".
Example: Parts of our software run on customer servers and as such they are processing data in their control and not ours, hence can for example used to filter out personal data before they are then sent to our servers, without causing any GDPR related triggering of sending personal information to a third party (our company).
> How do you guaranty that nothing in the messages being handled by the server is "sensitive personal data".
You guarantee it by reading the rest of GDPR. It defines sensitive personal data separately than personal data. Sensitive personal data is defined by GDPR to be things that can be used to discriminate against the individual, such as race, ethnicity, religion, health information, credit information, age, etc.
EDIT: And what I mean to say is that if the messages aren't passing through the server or being stored on the servers, then the only info being handled by the server is the meta-data including IP address, which is not included in GDPR's definition of _sensitive_ personal data.
Sounds to me like they are not a) processing b) collecting message data.
And I copy-pasted direct text from the regulation. Note how it says "large scale". Twice. If he is actually processing personal data on a large scale, then maybe it is not unreasonable to have a DPO.
clause a: not a public body
clause b: not systematically monitoring (eg. installing video cameras all over the streets)
clause c: not processing large scale sensitive or criminal information.
doesn't look to me like a DPO is needed based on this article?
When instead it is up for interpretation, that comes with issues. The first is selective enforcement, there is also the chilling effect on both sides. Those who ought to be protected worry about the slack given to their potential predators. Meanwhile those who are 'potential predators' need to worry about the slightest move that is illegal under some interpretation.
The end result of this chilling effect is fewer willing customers, fever willing companies, and less mutual trust. Notably, this lack of trust persists even if you presume everyone still follows the law. At that point it seems to me a law has failed.
The kind of law making you’re implicitly advocating is tantamount to despotism. Drafting a law that outlaws islam might well be clear in it’s wording, but it needs to be tested against the law that allows freedom of religion, freedom from persecution, and a ton of other laws no doubt. The claritiy of language with which a ban on islam is articulated is all for nought if it’s contradicted by, and incompatible with other laws.
Although, GDPR has been explained very clearly. And we’ve been given a loooong time to digest, understand, implement, and question it. I don’t think any reasoable person can make a compelling case against GDPR. But unreasonable people can, and as we’re seeing, they will.
Edit: Art 30 "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
https://ico.org.uk/for-organisations/guide-to-the-general-da...
Recording IP addresses in a web server log does not qualify as "regular and systematic monitoring of data subjects on a large scale" by any stretch of any definition.
And that's besides the fact that they don't have any presence in the EU. GDPR's scope only includes companies with at least some presence in the EU. That's not just because it'd be unenforceable - the laws make no attempt to include a wider scope than that.
So, DPO is not necessarily a person with no other duties. In most smaller organizations that deal with sensitive data the DPO role will be shared with the CCO (Chief Compliance Officer), only at a certain scale of processing and with certain data would you need to budget for a dedicated DPO from day one, but presumably your business plan will also foresee in other things such as office space, computers and so on. Certain businesses come with implied costs.
You certainly don't need to hire extra people like author suggests and federation should be just fine. (it's essential to what the service does)
This really isn't a burden.
We're talking about chat.. you shouldn't be logging the contents, at most a bit of metadata to prevent abuse (eg. a connection log to identify and block spammers).
If you don't store that metadata longer than needed (a couple of weeks? storing it for years would be hard to defend) you have legitimate reasons to keep it, and don't need to worry about deletion requests
The comment I replied to seemed to reference far more than chat.
1. Isn't this person allowed to be the Data Protection Officer themselves? 2. Is APNS inherently not compliant or if there something unique about this use-case?
What's kind of great about this new regulation is that we get a clear view on businesses that can't adequately protect user's privacy. It's painful for businesses such as these, but ultimately it seems that consumers would come ahead of it.
If the weak link in this case may not have been the developer themselves, but external factors but it's still a pretty interesting data point.
Does the author seriously believe this could happen? Enforcement of GDPR is similar to antitrust law. A regular police officer isn't going to fine you for that.
The author's anxiety makes as much sense as not traveling to the United States because you're worried that your one-person pottery business might be considered a monopoly under the Sherman Act.
> In July 2006, their then-CEO, David Carruthers, was arrested while changing planes in Texas on the way to Costa Rica from the U.K. In April 2009 he pleaded guilty to federal racketeering charges, and in January 2010 was sentenced to 33 months in prison.
> BetonSports plc is a British online gambling company founded by Gary Kaplan in 1995. The company was one of the biggest players in the United States online gaming market, drawing in several billion US dollars in wagers in the early 2000s.[1] In June 2006 US authorities indicted the company and a number of its executives on RICO, mail fraud, and tax evasion charges arising from its supplying online betting to customers in the United States (the alleged crimes took place before the adoption of the Unlawful Internet Gambling Enforcement Act of 2006).
This is about federal crimes committed by executives of a billion-dollar company.
OP seems to be a solo open-source project, and violating the GDPR is not a criminal offense. This isn't even close to being comparable.
The 'federal crimes', were precisely enabling US customers to gamble over their phone lines. That was enough to get a publicly traded company in a friendly nation categorised as 'organised crime'.
The other thing you mention about how it's not a criminal offense is something important a lot of people seem to be missing. If you're violating the GDPR and someone notices, the first thing that happens is that they work with you to try to correct the problem, not that they hit you with huge fines and laugh while twirling their mustaches.
As you correctly note, the GDPR is an EU regulation that will be enforced by national regulatory bodies through warning letters and fines. Unlike for criminal offenses, there simply is no way for it to be enforced by a police force or through arrests.
Now if the state has got to the levels of your tasteless gas-chamber example, i don't think you need worry about data protection law
Or equally bad: people trivialising it by comparing it to some new regulation to show how bad it is because "the state" somehow is involved.
Is there any actual requirement within the GDPR that this needs to be a dedicated person, or does being a DPO just need to be someone's responsibility, e.g. in the case of a one-man open source project the guy who runs the project?
> The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
I guess you could say that it is literally impossible for the DPO to not have conflicts of interest if the DPO is also the owner and manager of the company.
More:
https://ico.org.uk/for-organisations/guide-to-the-general-da...
> The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
If you're a sole proprietor and managing data at volume and sensitivity levels that a DPO is required, I hope you're an expert at protecting that data..
Article 4 point 1 in the GDPR indicates this (unless you can somehow prove that the IP is not related to the person, which I think we all know it effectively is in most cases)
All of our infrastucture has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
I don't have any knowledge about monal.im (don't know what it is - some kind of im client?), but this person is making some claims:
- he needs a data-protection officer: no, only larger orgs handling lots of personal data need this. If he's making an im-client and not servers that store data he certainly doesn't, but I don't know what his setup is.
- crash analytics: This can be handled by telling the users clearly that you'll be gathering the data (and defaulting to not gathering if they don't actively approve). As long as you have a proper PURPOSE for gathering and storing the data and don't use it for anything else you're golden. You do have to document this, in case of a review (hyper-unlikely).
- Push: he's getting a message and storing the device/ip combination. This seems to be central to the service he's providing. Therefore he can and should put that in the description/terms of his service (as he cannot deliver the service without this). As long as it is clearly explained to the end-user this is fine, and he can keep doing it. If he stores it and does anything with this data other than the central purpose that he informed the end-user of he's in violation. I'd suggest putting it in clear text in front of the end-user and deleting the data as soon as it's no longer needed. Don't do any non-approved analysis on it. If you want to analyse - ask for permission.
XMPP federation may be a problem, I agree with that. The problemer here (as I see it) is that each service getting the personal data must only process it for the purposes explicitly agreed to by the end-user and honour any subsequent notifications of rectification and deletion. This is a hard nut to crack indeed.
I am assuming the answer is no, but would a startup be able to build a SMTP or NNPT like system today? It would be a shame for the GDPR to be yet another force moving the Internet from its historical decentralization reinforcing the current centralization trend.
I can't find any exemption for small companies in Article 37 of the GDPR. Can you give me a hint what part do you interpret this way?
What makes you believe that the "large scale" refers to the size of the organisation and not on the amount of processed data.
> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. 4In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. 5The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC¹.
> I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it. > All of our infrastucture has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
What if I didn't want you to visit my website. Sure, by the letter of the law I am collecting PII (your IP address) but I think I can reasonably argue that it's quite a technical feat for a private layperson to go from "sudo apt-get install apache2" to "removing IP addresses from log files".
Sure, this is tongue in cheek - but most of that panicking I read was people concerned about their personal websites, especially with the "might be taken as professional work stuff just because of ads or you're blogging about tech as a tech freelancer.." - didn't really hear anyone with a company panic.
This is called the "technician's responsibility" where I come from. To only track/store/process what is absolutlely necessary, in order to not be liable for the consequences when someone you cannot feasibly stop wants to do something untoward with the date (i.e. unconcented analysis, government extraction of data, breaches)
This feels dishonest. If, for example, I wish to ban certain people by IP Address, your solution is to take my entire service offline?
I know the "logging by default" comes from a different age of the internet, and I'm absolutely for minimizing data collected - but I'm sticking to my opinion that as long as the default of every internet-facing package is logging IP addresses by default, it's not good that private owners have to face problems or a lot of work because of that.
That person doesn't own those bits on that hard drive.
How you decide to store it makes little difference as long as it's digital.
Fun aside: if you store it on paper you're not beholden to GDPR. Crazy.
Think about. A person doesn't own the random bits (data) about them that goes through and is stored on various systems they interact with. Under the GDPR in the EU, they might have a right to know what is stored about them on various systems, but they don't "own" that data.
That's impossible and doesn't make sense.
Do you have a source for this?
From some quick googling that doesn't appear to be true.
https://www.orsgroup.com/news/compliance/how-the-gdpr-affect... https://www.winterhawkconsulting.com/4946-2/ https://www.p4p.uk.com/gdpr-compliance-paper-documents/
Even if it was in the EU, it wouldn't require a DPO, and your use of IP addresses is very reasonable and within the standard allowances which don't require user consent.
Maybe bother reading _anything_ from an official source before coming to this conclusion? This reads to me more as something you want to have a rant about because you don't like it - rather than as any kind of pragmatic decision.
We’ve spent tons of money & interacted with lots of official sources trying to get opinions about what GDPR means and it just isn’t available.
Everything is a risk mitigation technique right now with no real answers in sight. If I had any personal projects serving traffic in the EU right now that weren’t profitable I’d likely shut them down.
I think it’s likely that the regulatory agencies will act with restraint and this will all be hysteria without merit, but I’ve seen enough legal opinions to know that’s not the worst case scenario.
Mind you Belgium us 1/30 the size of the US
Here's a statement from the CPP, connected to the 2015 lawsuit. They mention Facebook being in breach of Belgian privacy laws from 1992.
https://www.privacycommission.be/sites/privacycommission/fil...
[1] - none of the other reporting I found on the subject(Guardian, Bloomberg, etc) mentions the GDPR. They also don't show the court order, which is frustrating.
That lawsuit is being interpreted as a signal that they intend to be very aggressive in their enforcement of GDPR.
That's not a given. Further, it's more important to look at what's better for society as a whole. Further, less regulation within banking caused some big profits.. but also some hefty problems.
Wouldn't a better alternative be to design a messenger that complies with GDPR? Simple user accounts that can be deleted at the request of the user, peer-to-peer encryption (and where possible, communication), a "storage cabinet" for each user where encrypted data end in when the user is offline (with an encryption/decryption key that is generated client-side and transmitted while both users communicate) and can easily be deleted and i think this covers most uses.
This is just an idea that i came up with right now, but if you start your design with the goal to store as little data as possible and anything you store needs to be both encrypted and easy to delete, then i believe you can come up with several ideas for most issues.
It also helps to see this as respecting the users' privacy and giving them control, as opposed to a development burden :-P.
In other words, are we moving towards a world where unless you are VC backed (Signal, Telegram, Whatsapp, etc) don't bother building an IM client? Also note, I don't think there might be anything wrong with that - if we expect all our communications to be E2E encrypted, maybe Joe Shmoe shouldn't be writing an IM client.
Then I actually spent a little time to find out more and, as someone who cares about privacy, quickly realised the positive intent behind it, and how simple it is to comply with in principle: let users know what data you collect and what you do with it, and give them the possibility to request it or request it's deleted.
TBH, if someone requested any of this, I'd do it without the GDPR.
You only need a DPO if you are a public authority, if you do large scale processing or large scale processing of sensitive data (ambiguous in the GDPR).
If you collect some data, all you need is a privacy policy outlining such, stating what you collect in general and that your legal basis for doing so is to provide the user a service and to monitor for app crashes / bugs - both within your legitimate interests.
Many people have interpreted GDPR to be stricter than it is. In fact, those who have to do the most work are those that cause incredible damage to individuals when they lose data - especially those that have had recent, massive data breaches e.g Equifax.
Are 1 million IPs in my logs 'large scale'?
Not exactly an ironclad source, but better than nothing, hopefully.
"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation"
1. you're a public authority (NHS practices are an example)
2. Large scale processing
3. Large scale processing of sensitive data
They don't specify what large scale means. They also haven't specified how sensitive data qualifies the third statement. One can assume the threshold is lower but the GDPR doesn't specify any thresholds with regards to this.
I've got a call with a lawyer on Monday to clarify some bits of the GDPR. Number one Q for me is "how far can you take legitimate interests?".
Some lawyers are advising that marketing data and usage falls under legitimate interest, in a way that these higes drives for consent seem unnecessary.
If anyone else has any questions, I can ask and feedback. I'm sure I'll have those questions too.
Even ICO says legitimate interests might be okay for some marketing.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
I get that the GDPR regulations seem quite complex and daunting but his usecase seems pretty simple to me.
Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for a legitimate interests of the user (or operator) as long as it do not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seems to fit that description quite well.
Where is the scale balanced on this ... will it be the same in each of the different countries implemeting it?
>as long as it do not conflict with the interest of the data subject in regard to their need for data protection
Article 6.1.f
>processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
So ... I can retain IP records in my logs , as long as they aren't a child?
The other way to see it is a bridge to the US regulation COPPA, where operators in the US and EU now have to follow the same rules in regard to children. In this case Monal would have to move out of both EU and US in order to avoid the regulations in regard to children.