Thanks for the series of articles. I can't wait to see the rest of the world(especially the US) catch up with the visionary EU regulations. It's sad that so many Americans/Anglos dislike regulations so much.
I, too like more data privacy, but think for a second about this: who can afford more regulation? The giant corporations like FB, Google etc. The small alternatives will suffer.
The big players are flagrantly disregarding this stuff and have been for a long time. This seems to me like an opportunity for smaller players to be better, and to build in privacy from the ground up.
I don't think this is true at all. Compliance in large organisations will be harder than small ones – small organisations should already be fairly well aware of where their data is, and how to handle it. Larger organisations tend to have mountains of uncontrolled user data which nobody is in charge of.
The costs could be a big deal for small businesses.
Take a business about as far away from data as you can imagine. For instance, a business that makes replacement knobs for antique radio restorations. They have a website with an online catalog and a shopping cart where you can order replacement knobs, pay online, and they ship the knobs to you.
They collect your name and address for shipping, your email address to contact you if there are any questions or issues with the order and to give you order processing updates, and payment information.
If this business is offering their goods to people in the Union, that data collection falls under GDPR, and they have to have a designated representative in the Union.
I've not been able to find anything so far on (1) how some random small business in the US goes about finding someone to be their designated representative in the EU, and (2) what they will have to pay that person to take do so.
The chances of such a shop running their own shopping infrastructure is very small, most likely they will use some kind of partner for the whole shop setup, up to and including fulfillment and they'll be happy doing what they're good at: making knobs.
And if they do run their own shopping infrastructure they obviously will have to deal with all the ins and outs of that, including operations, keeping the whole thing up-to-date and secured as well as compliance with the law.
How about customer support? Even if a small business has someone else run their cart, and handle order fulfillment, there is still a good chance they deal directly with customer support, which usually includes collecting and storing customer information.
Won't that mean they are still under GDPR and still need to have a designated representative?
Yes, in that case they would have to have a designated representative. I'm working on that particular angle at the moment but it is a rather complex affair and I don't want to commit to this before I'm all lawyered up and read up on the responsibilities and the risks.
Article 27(1): "Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union."
Article 3(2) is the one that says GDRP applies to the processing of personal data of data subjects in the Union by controllers or processors not in the Union if the processing activities are related to the offering of goods or services in the Union.
A designated DPO is only required for companies that have over 250 employees. Surely that can't be a huge burden? Just appoint the head of security to be the DPO. He can google the GDPR requirements and then be all set after 15 minutes.
If you are smaller than that and you outsource processing of the personal data of your customers, then all you have to do is make sure the customers consent to this, and you are good to go with GDPR. It's practically effortless, unless your business model relies on monetizing innocent victimes without their consent.
I'm not talking about the DPO. That's from article 37 and has nothing to do with the representative required under Article 27.
The Article 27 representative must be in the Union, which is why it can be problematical for a company whose office and employees are all outside the Union.
But Article 27(2) explicitly excludes the requirement of designating a representative according to 27(1), if the processing of personal data is limited within perfectly sound limits.
Article 27(2) excludes that requirement for "processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing".
To be excluded, the processing has to satisfy three requirements:
• "is occasional"
• "does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10"
• "is unlikely to result in a risk to the rights and freedoms of natural persons"
Most businesses probably won't process any of the Article 9(1) special categories or the Article 10 criminal stuff, so that shouldn't my much of a hurdle for most.
All kinds of data pose a risk to the rights and freedoms of natural persons. See Recital 75 for examples. Of particular note, if it can lead to identity theft, fraud, or financial loss it poses such a risk. This is going to snag a lot of businesses.
Then there is that "is occasional" requirement for being excluded. I have no idea how that is going to be interpreted.
I'm not sure the rest of 27 applies to the business you describe.
> The obligation laid down in paragraph 1 of this Article shall not apply to:
> processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
> I, too like more flight safety/healthcare hygiene/safer cars, but think for a second about this: who can afford more regulation?
As an end-user/customer, I’ll have the regulated version every single time, thank you.
You can reframe this either way you like, but what it will come down to is that IT has so far been one of the few completely unregulated industries, with only its own merits to show for why such regulation shouldn’t be needed. So far it’s not doing a very good case for itself.
People like Alan Kay has warned about this. If we don’t start taking our profession seriously (like doctors take not killing their patients seriously), someone else will. And then the future of programming will be legislated.
If that’s how it all will turn out, that’s because we as a industry has deserved it.
The GDPR is merely about basic decency and should only be considered a taste of what the future holds. Unless we ourselves show that we can act responsibly without further regulation.
Edit: Ofcourse if you are the world’s biggest privacy-violater with 100s of thousands of employees worldwide working every day to mine and AI even more shit out of you, ofcourse trying to get GDPR-compliant will take some effort. That’s the whole fucking point.
Smaller businesses treating user-data decently and with respect won’t have any such issues or conflicts of interests.
The people that feel that the GDPR is a terrible thing are going to be really upset if and when software liability will be targeted. This has to be the only industry where it is the norm to charge the customer to fix a defect that we ourselves created.
I'd rather think it is the opposite - that generally people will pay for fixing defects unless it can be proven that it was sold in an intentionally misleading way.
"Oops, did that airport take three times the money compared to expectations to build? Time to pony up more or end up with a half built airport".
That’s an interesting view. Do you own a business where you had to implement GDPR or is this theoretical? Oh, and did you know that GDPR also affects the work of teachers, solo entrepreneurs, doctors and the like?
My strong believe is that regulation is a big burden for small companies and solo entrepreneurs and a big opportunity for the large corporations. Facebook and Co will use all the power and wit they have to circumvent any regulation. The solution is not more regulation. The solutions needs to be architectural
> That’s an interesting view. Do you own a business where you had to implement GDPR or is this theoretical?
I'm obviously biased because I work for a company providing CRM software. That said, that gives me a decent amount of expertise in the matters too.
Basically we need to get all our own customer-data and systems GDPR-compliant. Which I won't deny has been a reasonably big effort on our part.
But instead of only doing this for ourselves, we've put all this effort into getting our own CRM-software GDPR-compliant instead, meaning in the process all our customers get to benefit from this at near zero cost.
Basically: By using a modern, maintained and competent CRM-solution, you should get GDPR-compliance in your core-databases almost "for free". I won't push my own company here, but it should be trivial to find should you be curious.
If your CRM-solution does not help you provide GDPR-compliance, you should consider how serious they are in these matters and if you want to continue using them.
And if you don't have a CRM-solution at all (really?) it's definitely time to consider getting one, because that's going to be the absolutely best tool you will get w.r.t. ensuring compliance.
> Oh, and did you know that GDPR also affects the work of teachers, solo entrepreneurs, doctors and the like?
It affects stored and processed privacy-sensitive information. Why should certain professions or business-categories be excluded?
As an American I hope it never does. Governments stifling competition through regulation gives me an uneasy feeling. I think it may be a cultural difference. Europeans value safety more than innovation and vice versa. Possibly due to the extreme behavior we saw after '08 over here
> Europeans value safety more than innovation and vice versa.
This is quite funny considering you are writing this on the WWW, which runs on top of the TCP/IP stack. The WWW came out of CERN, the TCP/IP stack came out of DARPA. The web is at its roots a pretty global affair.
This is not about 'stifling competition', this is about privacy.
Excellent post Jacques. This was well needed. Wish I had it a few weeks/months ago to point several people towards it...
GDPR feels like the opposite of Y2K. Unheard of by most until very shortly before the deadline, underplayed by those who haven't researched it, and overplayed by many of those who have.
Note that the requirement to have a designated representative does not apply to: "processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or". (See Article 27).
Anyone know what counts as "occasional"?
Also, the regulation says the representative must be in one of the member states where the data subjects are located. I know of some non-EU businesses that have just a handful of customers in the EU, scattered among a few member states. They slowly get new customers, and slowly lose old customers. Whatever member state they put their representative in, there is a decent chance that in a year or two all the customers in that member state will be gone. Do they have to keep changing representatives?
Occasional: Not re-occuring regularly. So once per year but every year is not occasional. Once and then never again is occasional. In between: consult a lawyer, and if you can't afford that err on the side of caution.
As for the whole designated representative thing I'm looking at solving that in a somewhat creative way, but this will take some time and preparation.
Would you say a personal blogger in the US needs an EU representative if they're running a WordPress installation on a shared web host? I've been debating with myself whether I need to move my content somewhere like wordpress.com to avoid that requirement. The personal information I process comes from comments and web server logs, and I'm not sure that counts as occasional.
On the other hand, I look at Article 3, and I'm not sure posting content on a personal blog counts as offering goods and services. Or do blog comments count as a service?
See recital 23 of the GDPR [1]. You do not need to comply with GDPR unless ”it is apparent that [you] envisage offering services to data subjects in one or more Member States in the Union”. The test for this is:
”Whereas the mere accessibility of [your] website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that [you] envisages offering goods or services to data subjects in the Union.”
In English:
Do not translate your site to EU-only languages (Italian, German, etc.), use an EU based domain extension, or create content or services that would be especially appealing to EU users, and GDPR will not apply to you.
That's sort of what I was thinking, though I don't know how well I'll resist griping about GDPR there. :D
People's opinions on this regulation differ so dramatically that even when I read something in it that sounds pretty clear, I second-guess myself and worry that the courts will side with the worst-case interpretations.
> Would you say a personal blogger in the US needs an EU representative if they're running a WordPress installation on a shared web host?
No.
> I've been debating with myself whether I need to move my content somewhere like wordpress.com to avoid that requirement.
The biggest issue would be your log files, I've covered that in comments here, and in the articles as well. Another issue could be if you run analytics tags or advertising, which may impact you in a negative way financially in the case of advertising. My own blog is analytics and advertising free, I don't see it as a source of income so I don't care but obviously that will not hold for everybody.
The critical part is when you start to ask users to enter data into your system, as long as you don't do that you will be able to solve this in a straightforward way.
> The personal information I process comes from comments and web server logs, and I'm not sure that counts as occasional.
You are right that it isn't occasional. So, logs: analyze them, then delete them within 30 days or so. That should be enough to do most security related work with the logs as well as any analysis you care for.
Comments on your blog you will simply have to delete when the commenter asks for it. Even when I ran reocities.com this was the most requested support item, and it is pretty easy to do in an automatic fashion if you still have the original relationship between an account and the comments, this could be entirely self-service. I expect the typical blog engine plug ins to become GDPR compliant in the near future because lots of people will be asking for this.
> Or do blog comments count as a service?
Yes, it is a service. You operate a server which takes in data and records it. That it isn't commercial is not important in this case, data subjects will create accounts and there will be PII associated with those accounts, either directly or in the comments.
Now for some arguably bad advice (from a legal perspective, but it is very practical): I'd take 30 days to see how this all shakes out past may 25 before taking action on something as insignificant as a blog. That way you will have a lot more information to base your decision on. Obviously that has a risk: you will probably not be in compliance but I'm going on the assumption that regulators will have a lot more on their plate than your blog for the foreseeable future.
Fortunately I don't do any analytics or advertising. I've already set up the server logs to be deleted after a month. Commenters can't create accounts, but it wouldn't be too hard for me to delete their comments. I should probably make a privacy policy.
WordPress does have some plugins for complying with GDPR, so I'm going to try one of those to see what else needs to change, in those developers' opinion. If only there were such a thing as certification so I could trust anyone was doing more than guessing!
Anyway, thanks for your feedback. I appreciated your article.
Sounds to me like you're almost there. The lack of certification is a real problem and you're not the only person remarking on that. I suspect that 'the usual suspects' will offer certification soon but it will most likely be priced out of the ballpark for small companies, let alone individuals operating a blog.
There may be an alternative though, working on that :)
I don't find anything in your postings to be reassuring. To say that the regulators will be too busy to mess with my blog won't be of use to me the day they do choose to mess with my blog.
Chance of incidence times size of the risk is a good way to do risk management. In this case the chance is tiny and the size of the risk is too. If this worries you then I am afraid I will not be able to reduce your fears but please read up on the actions EU data protection agencies have taken in the past. I'm sure you will agree that the risk to a blog is not quite zero but very close to it and besides, you could simply try to comply with the law and then there won't be a problem at all.
It's the armchair lawyers doing sneaky stuff that they will try to continue to do that should be worried here.
I'm not sure a personal blog counts. I think the people who created the blogging and comment software need to do something, but not you as the blogger.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
I'll give you an example from real life: The Geocities archive that I re-hosted contained numerous so called geobooks, guestbooks filled out by the visitors of the geocities sites. These comments were usually pretty harmless but some people did really dumb stuff and under their own name.
Under the GDPR that would be PII and so the removal requests would arrive, whether or not the legal bar was met. I'd rather not have to argue in court whether or not my blog was purely personal even though I run it under my own name.
So even for a blog if you allow people to comment calculate in that they will ask for some of those comments to be removed. It's a relatively small burden because it won't happen often (with all the millions of Geocities sites it only happened a few thousand times over a decade), and it will stop people from complaining to the regulators. Better yet: monitor your comments and approve them selectively, if you drop the obvious dumb ones there is a fair chance that you'll never have a removal request.
The only thing is that I'm running the site myself. That's why I was thinking of moving the content to a blog host that would manage the back end for me. But maybe even moderating the comments myself would make me the processor or controller. If every blogger on Tumblr or wherever is subject to GDPR that way, wow is the web in trouble.
There's a big difference between bloggers operating their own infrastructure (like me) and bloggers that use some platform. The platform operators would have to make sure their platform is compliant, so the bloggers that do not operate infrastructure will be covered.
That leaves people like me (and you, apparently), I solve the problem in the simplest way: no logs, no analytics, no comments on my site.
Yeah, I've been thinking about closing the comments. I don't get many anyway, but the people who do comment might care that they're gone.
I'll be curious to see whether GDPR results in a web with fewer features, or maybe features that don't work as well. I tried DuckDuckGo, for example, but I dropped it quickly because Google's results are so much better. I actually like that it takes my previous searches into consideration.
There definitely is a tension between functionality and privacy. The problem is that companies that could offer certain functionality without invading people's privacy have made a habit of grabbing what they can. The number of apps on mobile phones for instance that require access to your location and your contacts is staggering. Slowly people are wising up to the impact this has, I think for many people retargeted ads was their first 'aha' moment.
Convenience and privacy will always be at odds. If the largest excesses are taken care of then this will already have been worth it.
Edge case, eu based travel agency serving eu citizens. They need to book an hotel in a far away country, in the middle of nowhere, asking for a kosher lunch (religion) or wheelchair (health)... legal basis is contract fullfilment, article 49.1.b and .c seems to cover this cases but to me it is still very muddy situation.
Google and Facebook will now directly control most Internet advertising. All those intermediary organizations that live under a rock, passing tracking data around, have a big problem - they have no connection to the user. So they can't ask for permission to do anything. They have no way to do so.
Google has made some big changes in how they deal with third parties in the advertising chain.[1][2] Third party trackers are being cut off, and advertisers are being encouraged to dump them and switch to Google Ads DataHub.
Google is frantically trying to get user consent for tracking, popping up a deceptive message on every Google search result page. That popup asks you to "log in" to Google. They just assume everyone has a Google account. Without that permission, Google can only serve you "non-personalized ads".
There will be some places where this will have a huge impact. For instance in the cases of real time bidding on advertising through open exchanges based on data about the user.
I think it is also an opportunity though, we might be able to roll back some of the more annoying ad-tech and get users to selectively switch off ad blockers again.
Another option is that more parties will switch to advertising space sold directly to media buyers without all those intermediaries (much like it used to be until we started to track everything and anything).
Once you are logged in to Google you can turn off the targeting of the ads through this link:
Slide the slider at the top right of the page to the left and confirm the change, targeted ads gone. This takes about 10 seconds or so if you are already logged in to Google.
We remember the internet before targeted ads came. 100 flashy and gif banners on the page. Websites still need to make money, they'll just increase the ad spots if the ads are not profitable enough.
The main reason for that is because the advertising industry is trying to allocate the same advertising budgets to more inventory aimed at fewer users. Ad blockers are making a real impact and the novelty factor of ads wears off quickly.
That's why there is such an explosion of ad-tech firms, anything to get back to where they were last year in terms of CTR and engagement. Then the users become de-sentisized and then the whole cycle restarts.
After reading a large number of GDPR-related articles and summaries, I've generally come to the belief that if you are doing the right thing with user data, it is unlikely GDPR is going to cause you to suddenly start suffering.
If you aren't selling user's data, you keep it reasonably secure, and they can delete their account, you are probably good. Most of the services you use will already be GDPR (and Privacy Shield) compliant, and it is easy to list your cloud and payment providers and link to their statements of compliance.
And almost everything a user could ask for, if you don't have an automated solution to, you can generally comply with by checking your email and responding accordingly, so for small userbases, this is hardly really even an issue.
Furthermore, as far as actual enforcement goes, the EU is not going to shut you down or put you out of business on a technicality. They are going to take you out if you show flagrant disregard for your users. This is going to hit the Unroll.me's of the world, not your average web forum.
I know how advertising works, but i don't see 3rd party ads as directly "selling the data of the users". You include an ad that is visible inside the page. At most, you are sharing the page view with an ad company, but you are not communicating any of the data you have collected to the ad server. It's up to them to create a profile/track. "Selling access to your audience" is not the same as "selling your own data to an ad company".
It's not really. most people just put an ad tag on their page. It's adtech services that profile the user using their own data and trackers. The process remains the same.
Usually when people say "selling user data", they usually mean "monetizing user data". There are four levels to doing that:
- Level 1: Monetizing aggregates. Aggregating lots and lots of data, running statistics on all of it, and selling the outcome. Example: An online streaming site that sells TV analytics to TV channels.
- Level 2: Selling proxied access. That's the Twitter/Facebook/Google ads model: Allow interested parties (advertisers) access to an audience, but they never are directly told "Mary Jane is a 33 year old woman with 2 children and an income of $80000/year."
- Level 3: Selling personal data. This is what people think is happening in level 2, but is much rarer than it sounds. For example, let's say you have influencers on your site, you'll sell to potential sponsors data about that influencer. Or sites with personal statistics and insights that will sell access to it to their users' competitions (a known practice in sports services).
- Level 4: Selling confidential data. That's where we're talking the really shady/illegal stuff. Gathering emails/credit cards and selling them to spammers and fraudsters, that sort of stuff.
There are companies in the PR business that does that. Email addresses to journalists and and other people marketers want to read their press releases.
Some even claim to be GDPR compliant. It will be very interesting to see how that turns out. Personally I wouldn't mind if the whole business segment was burnt down by the regulators.
Well every two weeks or so I get unsolicited mails offering to sell me very large databases of contact information. My standard is to just completely ignore these, but when I got nagged for the third time recently I sent them a (very intrusive but still legally entirely legitimate) subject access request to find out what they have on me, who they got it from and who they have sold it to as it was entirely without consent.
All laws are subject to some degree of judicial interpretation. Laws are not like software code, but I would suspect much of the hysteria/uncertainty comes from programmers trying to interpret the law like software code.
Even if your business is nothing like selling user data -- say you're Dropbox, or Box, or Microsoft, or similar -- your sales and marketing org is going to get walloped by the GDPR. How do you run a compliant cold outbound process? The EU has largely declined to tell people.
I'd be highly surprised if Dropbox, Box or Microsoft do not have their house in order in time. Unless they are planning to go to court over it.
A dutch proverb says 'high trees catch a lot of wind', if you're a high tree you ensure the wind is not aimed at you unless you explicitly want it that way. At their level there are precious few excuses about lack of resources.
> How do you run a compliant cold outbound process?
Perhaps that question itself illustrates the moral ambiguity of cold-calling?
If you rely on a marketing service that depends on buying personal information without the subject's knowledge, in order to catch people by surprise, then perhaps GDPR is doing its job by making that difficult.
Analogy: tax laws take money from me but the EU doesn't give me any hints on tax avoidance schemes
After reading a large number of GDPR-related articles and summaries, I've generally come to the belief that if you are doing the right thing with user data, it is unlikely GDPR is going to cause you to suddenly start suffering.
This is an extraordinarily dangerous view of GDPR and will likely subject you to fines of up to 20 million EUR. There are hundreds of technicalities that can easily expose you to company-killing fines. This is like saying “you see that massive, fire breathing dragon over there? He’s actually really nice. I mean sometimes he’s not, but grab the kids and let’s go cozy up to him...it will probably be OK”. Unfortunately, most of the time, things are exactly as dangerous as they appear.
Loading Google Analytics automatically on the page on which you ask permission, even if it was an oversight? You’re toast. Using a wordpress plugin that utilizes JavaScript from a third party site and didn’t ask permission for that first because you didn’t know about it? Oops...you may lose your house.
Now, the usual people will say “nobody is taking your house for that”. All I can tell you is that the plain language of this regulation says the only limits are 10 and 20 million EUR.
Edit: to those downvoting this, and there are many of you, please show me where in the GDPR it says that I am incorrect in my assertion that loading third party JavaScript without permission could result in a fine of at least the average value of a house in any given country. Otherwise there is nothing to downvote, because I am not wrong.
Show me where it says in GDPR that multimillion-euro fines are not legally possible in any given situation, and I’ll never comment in one again.
Please get educated on the subject.
The problem is that I am educated on the subject, and spent many thousands of dollars on GDPR-related legal advice for my company. My view comes from actually reading it and from no attorney being able to tell me that I could not possibly be fined 10 or 20 million EUR by one or more of the 28 countries to which GDPR applies.
Attorneys will never give you a guarantee like that.
Of course they won't, since it would give you the freedom to go and do whatever you want and then when you get fined you can take it out on them. You can't get an attorney to assume your liability by asking them for guarantees.
Again, this whole argument can end if you just show me where in the law it says that I cannot legally be fined up to 20 million EUR for a single violation. You seem to have confidence that this limit exists, so please show it to me and I’ll never dispute your view again.
Sure, there's nothing beyond the years of experience people have had with the existing system and its regulators, and the statements they've publicly made about how they plan to proceed.
So yes, they can if they choose, and if they can make a convincing case, and you can't make an appeal or a big enough media shitstorm that they back down.
But is it likely?
Are you equally worried that you might die tomorrow because a meteorite crashes into your house?
It could happen, and the consequences would be pretty massive, but it's not generally a serious concern of most people.
Risk is likelihood x harm, and you're seemingly in every thread shouting about the massive potential harm, without ever really considering the likelihoods.
Exactly how likely it is I don't know, but I highly doubt it'll be close to your expectations. And probably not mine, but maybe somewhere in the middle.
Are you equally worried that you might die tomorrow because a meteorite crashes into your house?
No, but then again there is no law that says that a meteorite must crash into my house if I use third party JavaScript on my site, and the only thing up for debate might be the size of that meteorite. I am afraid of things when it is put in writing that I should be afraid of them.
While I actually agree with your general position regarding GDPR, I wanted to highlight why I felt this comment should be downvoted: This strays into a personal attack on the user, rather than a response to the content of his comment. If someone is repeatedly "not getting it", downvote it and move on.
"Please get educated on the subject" is not a substantive comment, and referring to someone's overall trend of commentary is commenting on them, not their post. I've had someone here repeatedly do this to me, and I don't appreciate it.
Don't be afraid to let your existing argument stand against theirs, I think your posts strongly support your position. A response to a given detractor isn't necessary. :)
I’m curious what about the potential fines is unclear or up for debate. Practically the only part of GDPR that is completely clear is the fines and lack of limits on them.
How can you possibly agree with someone that has written lengthy articles essentially saying “ignore what you’re reading in the text of the law”?
> I’m curious what about the potential fines is unclear or up for debate
Can you point to any instance of any of the EU regulators imposing the maximum fine available to them for a data protection breach? We've had these laws for 20 years now.
Since the maximum is 20 million EUR, a company-killing fine doesn’t have to be the maximum or anywhere near it for most businesses. Hell, a 100,000 EUR fine would take the vast majority of small sites and their owners into bankruptcy.
Don't you feel dishonest when you keep mentioning the 20m because "that's in the law", but missing out the "proportionate" that's also written into the law? Since you'll never ever mention this, here's all the mitigation that's written into the law.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). 2When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
the intentional or negligent character of the infringement;
any action taken by the controller or processor to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
any relevant previous infringements by the controller or processor;
the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
the categories of personal data affected by the infringement;
the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Proportionate, which is not defined in the GDPR, is in the eye of the beholder. A country can easily say “we’ll only fine you 200,000 EUR - just 1% of the maximum - because this was a minor violation”. That fine would still destroy most small businesses.
You'd have to work pretty hard to get a 100,000 euro fine.
That's the kind of fine that would be imposed after thumbing your nose at the regulators and continuing in your ways after being warned and the violation being a particularly bad one.
I personally would refer you to any number of comments/articles (including my own) pointing out that law is not written like code. Law doesn't work in absolutes, we have judges for a reason. There has to be a law for enforcement of it to occur, and it has to be broad enough that it can't be evaded on technicalities (see the loophole in the EU "cookie law", which GDPR is specifically designed to close).
GDPR is actually surprisingly light on concrete technical rules. This isn't PCI compliance where they specify the number of letters that must be in your passwords and what version of TLS you need to use. GDPR creates a framework of general principles you need to adhere to in the best way you know how. (Good laws need to be written this way, since technology changes over time.)
It is not in the EU's best interest to punish you for a minor oversight when you are largely a well-behaving corporation, it's in their best interests to encourage you to fill in any gaps when needed.
Law doesn't work in absolutes, we have judges for a reason.
What laws have you been reading? The whole basis of law is that it must be absolute - otherwise people don’t know how to follow it. People are both exonerated and convicted every day of serious crimes based on nothing more than technicalities (“absolutes”), even when the legal outcome is in direct conflict with the spirit of the law.
I'm just getting really tired of people that hysterically throw around large numbers in order to instill fear. It's counterproductive and boring to boot. This whole series is in a way a reaction to this kind of comment and 'downandout' in particular is a name that pops up over and over again in this context with the most inane stuff. So yes, that's personal but my patience isn't infinite.
The numbers are the MAXIMUM POSSIBLE fine, for the most serious, repeated breach.
Here's an organisation that lost video interviews of children who'd been sexually abused because the organisation sent unencrpyted DVDs via mail. This was a repeat occurance of a very similar thing they did before. They didn't get the maximum fine. https://ico.org.uk/action-weve-taken/enforcement/crown-prose...
Here's an organisation that lost half a million customers details (names, addresses, and telephone numbers) because they lost some unencrypted backup tapes. Again, they were not fined the maximum: https://ico.org.uk/for-organisations/guide-to-data-protectio...
The fines you mention - 325,000 EUR and 150,000 EUR - seem pretty stiff to me and would kill most small businesses. They aren’t the maximum, but that doesn’t really matter if the fine is a death sentence for your business.
I’m not sure how any of this makes the point you seem to be trying to make that GDPR is lenient.
Spending time arguing with people who are not progressing the discussion at all is also counterproductive. It stresses you out, wastes both their time and your time, and provides for boring reading. Downvote, move on, smile because you know deep inside you're right and they're wrong. ;) And if your original statements are of quality/convincing enough, everyone else who reads it will know this as well.
Like many others, we are no longer accepting EU traffic and have banned users that we know to be from the EU from the handful of forums that we operate (with an apology and an invitation to come back should they move). I suspect that most businesses outside the EU will eventually block EU traffic, just to avoid the potential liability.
Can I ask what business? I want to make sure I am not doing business with anyone who won't do business under GDPR. Am not an EU citizen, I just wish I had their protection here.
I think you’ll find a pretty limited universe of sites available to you if full GDPR compliance is your benchmark. For starters, the vast majority of North American sites won’t be complying. Your comment is meant to imply that I am the exception in the US, but I think you’ll find it to be the rule.
If even one competitor has GDPR compliance, it means they are willing to stand behind their business in a way you are afraid to. Think of it this way: Which likely makes a better tool, a company with a 30 day return policy or one with a lifetime warranty?
You are afraid of the 20 million euro fine. Whatever your business is that you don't want to share, I'm sure you have a competitor that will be GDPR compliant. And I'll know which one is afraid to put their money where their mouth is.
Put another way, any service that is GDPR compliant is providing me a 20 million euro warranty, and you're providing me a 0 euro one. Which is more trustworthy?
> There are countless examples a short search away of such violations, I’m not going to catalogue them here [...]
I think it's important to cite precise examples.
If we're asking developers of small websites to give up a significant amount of their time to be compliant, we have to be rock solid into the why it is a good regulation. For example, most of the recent privacy violations in the news - FB leaks, Snowden leaks, etc. - seems untouched by GDPR.
Question: What if a US company puts up a clickthrough agreement on their site that reads
"It looks like you're accessing this site from the EU. This site is not compliant with EU law and cannot be accessed from within the EU. If this is an error and you do not reside within the EU, please read the following:
... very long legalese about claiming that you are definitely not an EU citizen and the EU-seeming IP address is in fact a VPN or proxy, so you are definitely not subject to EU law. In case this agreement is signed fraudulently, damages will be ascertained by $US_STATE court (wherever company HQ is) ...
[ ] I agree, under penalty of perjury, that the above applies to me. In the case that this agreement is signed fraudulently, I agree to pay the damages awarded by $US_STATE court and waive my right to sue within the US."
Can this company continue doing business as usual, given that any EU user who tries to invoke GDPR will subsequently be fined and potentially deported to the US for hearing?
"Consent: If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding."[1]
I'm not saying the GDPR won't apply, the company will still have to spend resources on complying with GDPR requests. However, any user who invokes the GDPR will be in violation of the CFAA and face very seriouos consequences. The question is more "can we engineer a MAD situation where users won't dare invoke GDPR in fear of the consequences"?
> Data that is not associated with a particular individual is not ‘in scope’ when it comes to the GDPR unless that data can be re-associated with that individual.
I wonder if that make the ETH and BTC blockchains illegal to have nodes in Europe from now on. Like if I post a series of transactions that are linked to me, can I ask all the EU nodes to remove this information?
Also, what if a person engaging in illegal activity wants their data removed? Can they just have their financial transaction history erased and subsequently unavailable to the authorities? GDPR almost seems designed to allow for destruction of evidence and coverups.
Financial transaction history no, precisely because there is a legal requirement to retain these. Other data? Of course they can. You shouldn't even concern yourself with why that person wants their data removed. It's their data.
I would like to know how this will affect Microsoft.
I run a Pi-Hole [0] to redirect all advertising-related queries to a black hole. When tracking the most-blocked domains, Microsoft is at the very top [1].
For instance, when I enter "Office" into the start menu, Microsoft immediately sends a ping to bing.com and Microsoft's telemetry servers. That is, Microsoft is sending all of the data entered into the start menu to Microsoft's servers, even when using the 'Pro' version and with 'full' telemtry off.
When it was first detected that Microsoft was adding telemetry calls to all compiled programs in Windows [2], Microsoft said it was mostly for event debugging for programmers. Now I'm not so sure -- look at your Microsoft account privacy settings to see that Microsoft tracks when you open applications. (They say on the page that not all data is shown there).
Unforutnately, there is no way to opt out of this. You can "disable" full telemetry, but you still have to opt into "Basic" telemetry, which still sends your advertiser ID, the programs you run, and the queries you put into the start menu. I'm concerned that Microsoft is not going to stop here. They have a real incentive to capture as much data about you as they can -- they currently earn about $1 billion in advertising through Bing.com search queries. Unlike Google or especially Facebook, however, it's much more difficult to opt out of Microsoft's tracking -- so many people depend on Microsoft Office or other Windows programs that I can't fully switch to Linux.
I don't know how this is acceptable through GDPR. There are so many problems with what Microsoft is doing:
1. There is no way to opt out of telemetry
2. There is no way to see all of the data that Microsoft has collected
3. Microsoft has severe lock-in because so much software is written for Windows-only
4. Microsoft has an incentive to increase their telemetry, not decrease it.
I've long suspected this but couldn't prove it. Aside from the privacy implications I've found it makes windows unsable. Basic operations can take several seconds and if you're on an intermittent connection (which developers never test on) the menu can be frozen for over a minute.
> however, it's much more difficult to opt out of Microsoft's tracking -- so many people depend on Microsoft Office or other Windows programs that I can't fully switch to Linux.
This comes up a lot but I think we need to change how we think about it. Yes there will be pain and yes there will be things you could do before but can no longer do, but we need to treat it like ripping off a bandaid and embrace the pain rather than hope to mitigate it.
It absolutely does not give companies an edge. If you are a small company, the fine itself could cripple you before you even factor in the legal time, money and effort
> Are you going to be paying people's fines when they rely on your advice?
Following my advice will substantially reduce the chances of people having to pay fines. That's a public service. If you want me to assume liability for that then you are clearly asking for more than I can give you.
But rather than trying to play word games with you I'd like to point to the track record of the various EU data protection entities and you'll see that on the whole they are doing a very good job.
Finally, as for paying people's fines, if you break the law you are liable for the fine, long before you will be fined (unless you are really making a mess of things) you will be warned so that you are able to come into compliance. If you ignore that and then you are fined you really have only yourself to blame.
Been wondering about this for a while now, maybe someone in this thread can shed some light on this? What about processing httpd access logs to count visitors? Most tools use IP addresses to count unique visitors. Does that mean this now qualifies as "processing personally identifiable data"?
That's just fine. You are collapsing the IP addresses into a count and that count can not be reversed back in to the IP addresses you started out with. And then, after you're done with your log analysis (and any security related work you need to do with them) you can dispose of them.
There are some instances where it may make sense to have a very long log history but I'd be careful to properly document the need for that unless that need is an obvious one and easily explained. Anything longer than a year would be outright wrong and anything shorter than 30 days will definitely be ok.
> ignore requests for deletion, correction or insight from your users
This is an obvious slippery slope, and it's probably going to be challenged by the U.S. 1st amendment. It's already an issue with the previous "right to be forgotten" law which was way more limited in scope. [1][2][3]
I am replying to your arguments, I think you don't realize how evil a law like GDPR is. Many small projects will get killed while privacy abusers will just find a way to avoid the law. You still have to point to one example where this law will make someone's life better.
> I think you don't realize how evil a law like GDPR is.
I've read the law end-to-end several times, I do not think it is evil.
> Many small projects will get killed while privacy abusers will just find a way to avoid the law.
This is Europe, not the United States.
> You still have to point to one example where this law will make someone['s] life better.
It's already making my life better.
For instance, this email I just received:
--
Let's stay in touch!
As many of you know, the new General Data Protection Regulation ("GDPR") requirements go into effect on 25 May 2018. Your privacy is very important to us, so please consent by clicking the button below if you would like to continue receiving updates from YouPic on announcements, insights and potential opportunities.
Yes, let's stay in touch!
Sent with from YouPic
Viktor Rydbergsgatam 14, Gothenburg, Sweden
--
From a company that I've never done business with, that has absolutely no right to spam me and that I've tried many times to get them to stop spamming me with zero result.
So no, let's not stay in touch, fuck off with the spam, the targeted advertising, the profiles, the retargeting, the selling of profiles, the stealing of contact lists and so on.
> So no, let's not stay in touch, fuck off with the spam, the targeted advertising, the profiles, the retargeting, the selling of profiles, the stealing of contact lists and so on.
I do agree with all of that, but I think the solution is more technical than regulatory.
Ublock Origin, uMatrix, and Ad Nauseum are doing an infinite better job to protect user privacy than any legislation we can make up.
At the end of the day, users are responsible for their own security and privacy as the web is global, and you can't expect all juridictions to comply with EU laws.
We tried technical, it's a losing battle. All that will happen is more and more sleazy ways to get around the technical countermeasures. Ad-blocker detectors, track-walls, back-end filled ad slots and so on. There is no way short of going the legal route that this will ever stop.
What would have worked is self regulation but the industry has clearly shown that it is utterly incapable of doing so.
> At the end of the day, users are responsible for their own security and privacy as the web is global, and you can't expect all juridictions to comply with EU laws.
That's the beauty of it: now we can. I'm really curious how the EU will go after foreign parties that decide to flaunt the law because they have no residence in the EU (and because they decided they did not want to play the representative game). That will be the real test. If that fails then the law will fall apart.
> That's the beauty of it: now we can. I'm really curious how the EU will go after foreign parties that decide to flaunt the law because they have no residence in the EU (and because they decided they did not want to play the representative game). That will be the real test. If that fails then the law will fall apart.
Copyrights are very different as they are already everywhere. We don’t want reprocity for laws concerning content. Picture if China or Russia demands enforcement of their Internet laws globally.
In my not-so-copious free time, I help maintain the online back-end for a membership organization (about 1500 members). I've found little guidance on GDPR for a volunteer-based membership organization, but have managed to piece a good bit together. I was feeling pretty good about the work done versus compliance, hand-wringing from other officers notwithstanding, e.g. if we delete old member records, someone might rejoin and get a different member number, and what if they wanted to keep the original?
Now, though I'm wondering about the discussion e-mail lists we have and if we need to auto-prune archives. They have folks' real names and such in them, after all, from participating in discussion.
(I also wonder how this affects big email lists, e.g. linux-kernel)
You are not excluded from the law as volunteer organization.
As far as deleting old member records and public archives, it depends on what consent members have given before. Membership information, especially receipts for subscription must be kept usually for 10 years for bookkeeping purposes. As for public posts, unless the members withdraw their consent (Excercise Right to be Forgotton) i don't see why. They knew then that the posts are public?
edit: you must formalize this with a privacy policy though, what data you keep, what type of consent (article 6) and for what reason you need it, if you haven't done so yet. Then ask every member for approval of the policy.
Not excluded indeed, figured that out late but not too late.
The lists are not public, but only visible within the organization. I think part of my concern is not knowing how easy it would be to rip a given set of messages out of the archive in Mailman. I don't expect it is likely Right to be Forgotten will be exercised, but it sounds to be a bear if it does get exercised.
I was under the impression that GDPR did not differentiate between offline and online data.
If that’s true, then the recommendation about backup in the article doesn’t work (you can’t store PII on offline backup media in the basement and not comply with erasing the data there too on request).
It also means that deletion requests can’t easily be automated. Chasing down records on archive media is likely going to involve physical labor. It’s even the case that for write-only media it’s impossible to delete, you’d have to re-write a backup without the offending data.
All this of course suggests this isn’t the case, that offline data must be out of scope. But why isn’t this clearer?
Storing data offline is not meant as a way to get the data 'out of scope' but simply to reduce the effect of a breach. It shows that you have taken active measures to reduce the impact of a breach which will definitely get you points for trying.
As for backups, I am going on the assumption that they are properly encrypted, I will update the article to that effect.
Gdpr completly applies also to offline data. Companies are being required and have lawyers going over inside data on physical cabinets and educating and auditing who has access, how, when and proper measures of protection to all of it. I personally know lawyers involved in the process and companies going over that auditing effort. I'm very glad they are being forced to think on how to deal with my data even for the case when they are mh employer and have my very personal data round on physical paper.
> The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
> the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
> the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
> the personal data have been unlawfully processed;
> the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
> the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
I think this means your backups are ok, unless the data was for a child under the age of 16. But I also think that if you have encrypted your backups, and you make robust attempts to remove the <16 year old's data when you restore the backup, that the regulators are going to be satisfied.
Since there seem to be a lot of knowledgable folks in these threads, I have a question about GDPR's impact on decentralized or federated social networks like Diaspora[1]. On these networks, users can create a profile on any server, and be connected with users on any other server via a federation protocol[2].
All the ideals of user control and data portability are there and central to the Diaspora project; but technically, the underlying protocol involves passing users' posts and comments from one server to another. This seems like it would fall afoul of guidelines against passing data to third parties, and the same technical constraint seems to be fundamental to other federated services like Friendica[3] and Mastodon[4]. I'm really curious how the GDPR would affect services like this, especially as someone who's quit Facebook and is looking at decentralized networks as an alternative.
That's a good point and I will research this because I also would like to know exactly how this influences such networks. I consider them a positive development, and as such would like to know exactly what the impact is.
From the top of my head it would require the software to implement the various GDPR principles, and it would be wise for operators of servers to verify that they are not exposed. Better yet if EU residents connect to EU servers and let the federation take care of the connections across legal boundaries. That's smart for a variety of non-GDPR related reasons too.
One challenge is that everyone's reading is different. What reading will regulators have? And what reading will they have in 6 months vs now?
For example in this article it is assumed that everyone needs a data protection officer - the only question is whether you want someone full-time, or you want to share one with several other companies. However when I read https://gdpr-info.eu/art-37-gdpr/ it seems that most companies don't fall under 1.a or 1.c.
The question mark is 1.b, the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. If you're just recording transactions, clearly you are not monitoring them. If you're running a data broker, clearly you are monitoring them. If you're running queries against your transactional data to decide who to send a marketing email to..is that monitoring? "Find all people who put something into a cart yesterday and then didn't complete the transaction." I don't think of that query as monitoring, but I can see how someone else might.
Search for the phrase, "Do I need a (dedicated) Data Protection Officer?"
You will see that the only two options that he discusses are having a dedicated Data Protection Officer versus a designated Data Protection Officer. With the difference being whether they are your full time employee doing nothing else, versus a part time responsibility.
Neither in the article nor in his comments here does he admit the possibility that it might be a role that you don't actually need filled.
You will need to assign the role of data protection officer to someone in the organization if it is small, and if it is a larger company then you will probably want to have an individual that does this as a major part of their job description. A CCO (chief compliance officer would be a good choice in a large org). In a really large company or a company that deals with lots of sensitive data you'd want a dedicated person.
Because a basic e-commerce site could easily accumulate in the 10's of thousands of records over a couple of years of operation. Besides that is is a 'free' operation, simply say 'Joe is our DPO' (assuming Joe agrees, and if you're a sole proprietor you are Joe).
The designated representative however is another matter.
The specific part in the law that triggers this requirement is that almost every e-commerce site qualifies size wise ('the numbers of data subjects involved') and technology wise (analytics, A/B testing, funnels and recommendation systems).
If the numbers are low (100's), there is no tracking, no recommendation systems and no analytics then you are right, in that case you do not need a DPO, but even then I would still assign the role since it is free.
Depending on how you do A/B testing, you might be in the clear because of https://gdpr-info.eu/art-11-gdpr/. If you've built recommendation systems that rely on profiling customer behavior, then clearly you're doing something that touches on the heart of what GDPR tries to regulate. There is a grey area, and no real guidelines.
Also I do not believe that the DPO is actually a free position to fill. If you read https://gdpr-info.eu/art-38-gdpr/ in section 6 there is the requirement that the DPO should not have a conflict of interest. If you're both the DPO and the person who is being asked to sell data, that's a conflict of interest. Even if you're the sole proprietor.
If I thought I needed one, I would hire one. Even as a part time contractor. It is safer.
Agreed, except for the DPO bit. The law is clearly geared towards larger entities. No regulator that is of a sound mind will insist on a sole proprietor no employee company going to multiple employee status and to hire a DPO that will take home more than the owner of the company.
I agree that the law is quite explicit that such conflicts of interest are to be avoided. But there is a lot of precedent for this situation with respect to compliance officers. A very small company that is audited for compliance with some standard will be looked at with a different level of strictness when it comes to separation of duties. This is simply a fact of life, when a company is small some conflicts of interest and some overlap between roles is unavoidable.
Given that this situation is a common one and given that regulators are not going to put a substantial chunk of Europe's SME's out of business (because that is not in their interest) I expect this to be dealt with in a reasonable way.
Something similar happened with VAT regulation: The EU decided to go after service companies selling into the EU and 'shopping' for the best VAT deal causing loss of income for the various governments (VAT is not harmonized in the EU). Initially this was a huge burden for small companies because they had to - on paper - file VAT in every EU country where they had customers and they could be audited by all of those entities. That was unworkable for small companies. So they came up with VAT-MOSS and it works very well (I've used it for a year or two).
I'm not sure how this is supposed to be comforting. Judicial bodies have repeatedly come up with different, or even conflicting, interpretations of the same text. Take the US Constitution, for examine. The main text has remained unchanged for over two centuries, and most of its Amendments are at least a century old. Yet the courts are still overriding past interpretations of the same laws.
Many years ago the world figured out that "Medical school is a requirement for a doctor career" [1].
Somehow our ancestors did not have the brilliant idea to just put a fine to any hospital that breaches medical protocols and send patients to death.
The first web browser was released in 1993. Any computer science professional born before 1970 had not seen a web browser as a student (because it did not exist).
25 years after 1993 the EU decided that a law that regulates the profession with fines (GDPR) is enough.
I already commented on the previous post feeling the author has no idea what he is talking about but this nails it:
> What’s important with any law is - besides the letter of the law - what the spirit of the law is, the laws intent.
This very conveniently forget the GDPR will not be interpreted by a single authority in Brussels but rather by the relevant authority in every single EU country. Whatever the lawmakers intended, who gives a hoot? I can pretty much guarantee the Hungarian NAIH will see this as a fantastic cash grab opportunity. (I am a dual Canadian-Hungarian citizen, I know my birth country all too well.)
Despite all this "pah-pah, it'll all be fine" there is not even a guidance much less any law describing who shall be fined for how much. Spirit of the law protecting you from Hungarian bureaucracy , good luck Chuck. The courts will eventually curb this madness and set some best practices but meanwhile those who got fined excessively will stay bankrupt. Don't be the patsy. At this time, unless you are a big enough company to have a sizable legal department do not do business with the EU. This is not hysteria, this is just good business sense.
Yes, I saw your previous comment. If you feel that you can discard a whole article because you find one line in it that confirms your prior belief then that's fine with me. But I've been in this business for long enough and have seen EU regulators at work often enough that there is no mystery to me about how this will play out. What will happen is that the small fry will be ignored unless they cross the lines in very visible ways. Larger companies and companies with more risky models will be more at risk of having the regulators take an active interest in them. Large companies because there is a large chance of complaints to the regulators, companies with more risky models because they will be acting against the spirit of the law even if they will do everything they can to comply with the letter.
If you don't believe that's how it will work that's entirely fine with me but about 30 years of data confirm my point of view.
> If you feel that you can discard a whole article because you find one line in it that confirms your prior belief then that's fine with me.
The entire spirit of these articles are completely misguided because the adverse reaction to GDPR is not hysteria. Here's the unique nature of this which makes it a recipe for disaster:
1. Every business interacting practically any way with European citizens is affected
2. The potential fees for breaching a very complex regulation are unprecedentedly high.
3. Determining the actual fees for each breach is in the hand of every EU country, including some which today wouldn't be admitted into the EU.
The oft bandied around 20 million euro fine is the reason for that particular choice of words. People shutting down their projects without having spent a minimum amount of time on the impact, bloggers worried about having to hire a DPO. I haven't seen this much bullshit since the Y2K days and even then with some work and planning it got taken care of.
People were genuinely surprised when the world didn't end. This is going to be just like that. May 25th the world will continue to turn and none of these bogeyman stories will come to pass with anything approaching fidelity.
Regulators will target the worst excesses to show they mean business and are severely limited in manpower anyway so the vast majority of interaction that has to do with the GDPR will amount to a change in mindset and some best practices. In edge cases things will get a bit more interesting (someone mentioned federated services and that's a really good question).
FWIW I've been looking at companies from the GDPR angle for about a year and a half now, we slowly ratcheted up the push for compliance and it is interesting to see how (EU based) start-ups have adapted to the new legislation. We have also found some companies that were ill prepared but that's to be expected.
The worst position to be in is a small (10...20FTE) company operating in the US running a SaaS that stores critical information. That's an expensive affair. For most other companies - including the really large ones - the impact will be mostly a one-time investment in software and inventory of data and processes. After that they will be in much better shape and that's a good thing.
Companies that make a business of selling data are expected to be hit hard, and rightly so.
Your confidence scares me. What about this, I have the same amount of evidence you have: Some regulators will target the weakest. It's really easy to slap a few tens of thousand of euros fine on a small business. Sure, fining a big company for many tens, hundreds of millions makes news but a few ten thousands is a good income.
No fines in all of 2017, in spite of 10,009 data leaks that were reported.
In one case there was a settlement of 48K, but it is not quite clear what the circumstances were, probably to protect the guilty.
"De AP stelt in een samenvatting van het jaarverslag 2017 dat het niet altijd direct een onderzoek start. Het gaat eerst in gesprek met partijen die een overtreding begaan en in veel gevallen leiden die zogenoemde alternatieve interventies niet tot een officieel onderzoek."
Rough translation:
"The Authority says in the summary of their annual report for 2017 that it does not always immediately starts an investigation. It first tries to talk to the parties that have violated the law and in many cases these so called alternative interventions do not lead to an official inquiry."
Proof of what? The GDPR is not yet in force. Proof of Hungarian authorities targeting small businesses for minor or even non existing infractions? Here's one: the tax authority starts garnishing many taxes a few days after the payment deadline -- it's common the entrepreneur realizes they are in trouble when all the cash is gone from their bank account. But if you so want, I can find you any number of horror stories of how small businesses are treated in Hungary, now that they will have a chance to mess with rich westerns (as perceived at least), I have zero doubt they will take this chance.
Well, you may be right. I don't have a crystal ball but so far all the other EU law that had this potential has not been activated in that way. VAT law for instance is a good candidate. I've missed one filing by a few days in 2016 because I was switching bookkeepers and I got fined 115 euros, it's my responsibility vv the tax authorities but the bookkeeper that messed up paid the fine so it didn't cost me anything.
I don't really understand your tax authority example though, doesn't that mean the payments are late and that the tax authority is fully with in their right to take what's theirs?
Nowhere in the (developed) world would the tax authority start garnishing without a notice first -- mostly because they might be in error. And yes, they did take more than their due, more than once.
That's not very nice of them. If I were in the receiving position on an action like that I'd take them to court.
Let's hope that kind of behavior won't be the norm. But I wish the Hungarian Data Protection Authority much good luck trying such tactics against other EU companies, it will most likely not play out how they think it will.
I recall a case of the Irish tax authority trying to fine EU companies for failure to pay VAT, that blew up pretty badly for them, and in the end it turned out they themselves had fucked up. Since then they've been well behaved.
I've tried to find a citation for that particular case but can't find it. I own one of the companies that got fined.
There are a couple mentions in this article that reference marketing emails and consent and the GDPR affecting them. I'm pretty sure this is wrong. The Privacy and Electronic Communications Regulations (PECR) govern marketing communications, not the GDPR. Wired did a good breakdown of how these two are getting confused recently: http://www.wired.co.uk/article/pecr-gdpr-emails
> There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of anyone who breaches the Privacy and Electronic Communications Regulations (PECR). They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice imposing a fine of up to £500,000.
> These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.
I'd agree that the lack of enforcement of PECR certainly makes it feel like just a suggestion.
Slightly off-topic: Is there a short history of the GDPR somewhere? History might be an odd word choice given that it isn't even in effect yet, but I'm simply referring to something that documents and chronicles what parties or individuals set the regulation in motion, the public discussions around the regulation, and what third parties were consulted in the process etc.
As an EU citizen, I'd like to know what or whom I should direct my ire towards.
180 comments
[ 2.8 ms ] story [ 244 ms ] threadEDIT: take a look at that slide, google invested 40 human years for assessment alone https://twitter.com/winfriedveil/status/995951301132537857?s...
Take a business about as far away from data as you can imagine. For instance, a business that makes replacement knobs for antique radio restorations. They have a website with an online catalog and a shopping cart where you can order replacement knobs, pay online, and they ship the knobs to you.
They collect your name and address for shipping, your email address to contact you if there are any questions or issues with the order and to give you order processing updates, and payment information.
If this business is offering their goods to people in the Union, that data collection falls under GDPR, and they have to have a designated representative in the Union.
I've not been able to find anything so far on (1) how some random small business in the US goes about finding someone to be their designated representative in the EU, and (2) what they will have to pay that person to take do so.
And if they do run their own shopping infrastructure they obviously will have to deal with all the ins and outs of that, including operations, keeping the whole thing up-to-date and secured as well as compliance with the law.
Won't that mean they are still under GDPR and still need to have a designated representative?
Can you point to which bit of GDPR says this please?
Article 3(2) is the one that says GDRP applies to the processing of personal data of data subjects in the Union by controllers or processors not in the Union if the processing activities are related to the offering of goods or services in the Union.
If you are smaller than that and you outsource processing of the personal data of your customers, then all you have to do is make sure the customers consent to this, and you are good to go with GDPR. It's practically effortless, unless your business model relies on monetizing innocent victimes without their consent.
The Article 27 representative must be in the Union, which is why it can be problematical for a company whose office and employees are all outside the Union.
To be excluded, the processing has to satisfy three requirements:
• "is occasional"
• "does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10"
• "is unlikely to result in a risk to the rights and freedoms of natural persons"
Most businesses probably won't process any of the Article 9(1) special categories or the Article 10 criminal stuff, so that shouldn't my much of a hurdle for most.
All kinds of data pose a risk to the rights and freedoms of natural persons. See Recital 75 for examples. Of particular note, if it can lead to identity theft, fraud, or financial loss it poses such a risk. This is going to snag a lot of businesses.
Then there is that "is occasional" requirement for being excluded. I have no idea how that is going to be interpreted.
> The obligation laid down in paragraph 1 of this Article shall not apply to:
> processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
I think the processing is "occasional".
As an end-user/customer, I’ll have the regulated version every single time, thank you.
You can reframe this either way you like, but what it will come down to is that IT has so far been one of the few completely unregulated industries, with only its own merits to show for why such regulation shouldn’t be needed. So far it’s not doing a very good case for itself.
People like Alan Kay has warned about this. If we don’t start taking our profession seriously (like doctors take not killing their patients seriously), someone else will. And then the future of programming will be legislated.
If that’s how it all will turn out, that’s because we as a industry has deserved it.
The GDPR is merely about basic decency and should only be considered a taste of what the future holds. Unless we ourselves show that we can act responsibly without further regulation.
Edit: Ofcourse if you are the world’s biggest privacy-violater with 100s of thousands of employees worldwide working every day to mine and AI even more shit out of you, ofcourse trying to get GDPR-compliant will take some effort. That’s the whole fucking point.
Smaller businesses treating user-data decently and with respect won’t have any such issues or conflicts of interests.
"Oops, did that airport take three times the money compared to expectations to build? Time to pony up more or end up with a half built airport".
You say that like it's a bad thing.
I'm obviously biased because I work for a company providing CRM software. That said, that gives me a decent amount of expertise in the matters too.
Basically we need to get all our own customer-data and systems GDPR-compliant. Which I won't deny has been a reasonably big effort on our part.
But instead of only doing this for ourselves, we've put all this effort into getting our own CRM-software GDPR-compliant instead, meaning in the process all our customers get to benefit from this at near zero cost.
Basically: By using a modern, maintained and competent CRM-solution, you should get GDPR-compliance in your core-databases almost "for free". I won't push my own company here, but it should be trivial to find should you be curious.
If your CRM-solution does not help you provide GDPR-compliance, you should consider how serious they are in these matters and if you want to continue using them.
And if you don't have a CRM-solution at all (really?) it's definitely time to consider getting one, because that's going to be the absolutely best tool you will get w.r.t. ensuring compliance.
> Oh, and did you know that GDPR also affects the work of teachers, solo entrepreneurs, doctors and the like?
It affects stored and processed privacy-sensitive information. Why should certain professions or business-categories be excluded?
This is quite funny considering you are writing this on the WWW, which runs on top of the TCP/IP stack. The WWW came out of CERN, the TCP/IP stack came out of DARPA. The web is at its roots a pretty global affair.
This is not about 'stifling competition', this is about privacy.
GDPR feels like the opposite of Y2K. Unheard of by most until very shortly before the deadline, underplayed by those who haven't researched it, and overplayed by many of those who have.
Anyone know what counts as "occasional"?
Also, the regulation says the representative must be in one of the member states where the data subjects are located. I know of some non-EU businesses that have just a handful of customers in the EU, scattered among a few member states. They slowly get new customers, and slowly lose old customers. Whatever member state they put their representative in, there is a decent chance that in a year or two all the customers in that member state will be gone. Do they have to keep changing representatives?
As for the whole designated representative thing I'm looking at solving that in a somewhat creative way, but this will take some time and preparation.
On the other hand, I look at Article 3, and I'm not sure posting content on a personal blog counts as offering goods and services. Or do blog comments count as a service?
”Whereas the mere accessibility of [your] website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that [you] envisages offering goods or services to data subjects in the Union.”
In English:
Do not translate your site to EU-only languages (Italian, German, etc.), use an EU based domain extension, or create content or services that would be especially appealing to EU users, and GDPR will not apply to you.
[1] https://gdpr-info.eu/recitals/no-23/
People's opinions on this regulation differ so dramatically that even when I read something in it that sounds pretty clear, I second-guess myself and worry that the courts will side with the worst-case interpretations.
No.
> I've been debating with myself whether I need to move my content somewhere like wordpress.com to avoid that requirement.
The biggest issue would be your log files, I've covered that in comments here, and in the articles as well. Another issue could be if you run analytics tags or advertising, which may impact you in a negative way financially in the case of advertising. My own blog is analytics and advertising free, I don't see it as a source of income so I don't care but obviously that will not hold for everybody.
The critical part is when you start to ask users to enter data into your system, as long as you don't do that you will be able to solve this in a straightforward way.
> The personal information I process comes from comments and web server logs, and I'm not sure that counts as occasional.
You are right that it isn't occasional. So, logs: analyze them, then delete them within 30 days or so. That should be enough to do most security related work with the logs as well as any analysis you care for.
Comments on your blog you will simply have to delete when the commenter asks for it. Even when I ran reocities.com this was the most requested support item, and it is pretty easy to do in an automatic fashion if you still have the original relationship between an account and the comments, this could be entirely self-service. I expect the typical blog engine plug ins to become GDPR compliant in the near future because lots of people will be asking for this.
> Or do blog comments count as a service?
Yes, it is a service. You operate a server which takes in data and records it. That it isn't commercial is not important in this case, data subjects will create accounts and there will be PII associated with those accounts, either directly or in the comments.
Now for some arguably bad advice (from a legal perspective, but it is very practical): I'd take 30 days to see how this all shakes out past may 25 before taking action on something as insignificant as a blog. That way you will have a lot more information to base your decision on. Obviously that has a risk: you will probably not be in compliance but I'm going on the assumption that regulators will have a lot more on their plate than your blog for the foreseeable future.
WordPress does have some plugins for complying with GDPR, so I'm going to try one of those to see what else needs to change, in those developers' opinion. If only there were such a thing as certification so I could trust anyone was doing more than guessing!
Anyway, thanks for your feedback. I appreciated your article.
There may be an alternative though, working on that :)
It's the armchair lawyers doing sneaky stuff that they will try to continue to do that should be worried here.
https://gdpr-info.eu/recitals/no-18/
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Under the GDPR that would be PII and so the removal requests would arrive, whether or not the legal bar was met. I'd rather not have to argue in court whether or not my blog was purely personal even though I run it under my own name.
So even for a blog if you allow people to comment calculate in that they will ask for some of those comments to be removed. It's a relatively small burden because it won't happen often (with all the millions of Geocities sites it only happened a few thousand times over a decade), and it will stop people from complaining to the regulators. Better yet: monitor your comments and approve them selectively, if you drop the obvious dumb ones there is a fair chance that you'll never have a removal request.
That leaves people like me (and you, apparently), I solve the problem in the simplest way: no logs, no analytics, no comments on my site.
I'll be curious to see whether GDPR results in a web with fewer features, or maybe features that don't work as well. I tried DuckDuckGo, for example, but I dropped it quickly because Google's results are so much better. I actually like that it takes my previous searches into consideration.
Convenience and privacy will always be at odds. If the largest excesses are taken care of then this will already have been worth it.
Google has made some big changes in how they deal with third parties in the advertising chain.[1][2] Third party trackers are being cut off, and advertisers are being encouraged to dump them and switch to Google Ads DataHub.
Google is frantically trying to get user consent for tracking, popping up a deceptive message on every Google search result page. That popup asks you to "log in" to Google. They just assume everyone has a Google account. Without that permission, Google can only serve you "non-personalized ads".
[1] http://www.thedrum.com/news/2018/05/01/publishers-hit-out-go... [2] https://adexchanger.com/platforms/google-sharply-limits-doub...
I also think you will see some acquisitions of crappy publishers with lots of pageviews so that advertisers can get an end-user touch point.
I think it is also an opportunity though, we might be able to roll back some of the more annoying ad-tech and get users to selectively switch off ad blockers again.
Another option is that more parties will switch to advertising space sold directly to media buyers without all those intermediaries (much like it used to be until we started to track everything and anything).
Once you are logged in to Google you can turn off the targeting of the ads through this link:
https://adssettings.google.com/authenticated
Slide the slider at the top right of the page to the left and confirm the change, targeted ads gone. This takes about 10 seconds or so if you are already logged in to Google.
We remember the internet before targeted ads came. 100 flashy and gif banners on the page. Websites still need to make money, they'll just increase the ad spots if the ads are not profitable enough.
That's why there is such an explosion of ad-tech firms, anything to get back to where they were last year in terms of CTR and engagement. Then the users become de-sentisized and then the whole cycle restarts.
If you aren't selling user's data, you keep it reasonably secure, and they can delete their account, you are probably good. Most of the services you use will already be GDPR (and Privacy Shield) compliant, and it is easy to list your cloud and payment providers and link to their statements of compliance.
And almost everything a user could ask for, if you don't have an automated solution to, you can generally comply with by checking your email and responding accordingly, so for small userbases, this is hardly really even an issue.
Furthermore, as far as actual enforcement goes, the EU is not going to shut you down or put you out of business on a technicality. They are going to take you out if you show flagrant disregard for your users. This is going to hit the Unroll.me's of the world, not your average web forum.
I am curious when people mention this: Who literally sells user's data ?
[1] https://www.youtube.com/watch?v=-Glgi9RRuJs
https://www.iab.com/guidelines/real-time-bidding-rtb-project...
Other avenues of interest: location based advertising and programmatic adaptive advertising.
- Level 1: Monetizing aggregates. Aggregating lots and lots of data, running statistics on all of it, and selling the outcome. Example: An online streaming site that sells TV analytics to TV channels.
- Level 2: Selling proxied access. That's the Twitter/Facebook/Google ads model: Allow interested parties (advertisers) access to an audience, but they never are directly told "Mary Jane is a 33 year old woman with 2 children and an income of $80000/year."
- Level 3: Selling personal data. This is what people think is happening in level 2, but is much rarer than it sounds. For example, let's say you have influencers on your site, you'll sell to potential sponsors data about that influencer. Or sites with personal statistics and insights that will sell access to it to their users' competitions (a known practice in sports services).
- Level 4: Selling confidential data. That's where we're talking the really shady/illegal stuff. Gathering emails/credit cards and selling them to spammers and fraudsters, that sort of stuff.
Some even claim to be GDPR compliant. It will be very interesting to see how that turns out. Personally I wouldn't mind if the whole business segment was burnt down by the regulators.
Isn't the uncertainty part of the problem?
Even if your business is nothing like selling user data -- say you're Dropbox, or Box, or Microsoft, or similar -- your sales and marketing org is going to get walloped by the GDPR. How do you run a compliant cold outbound process? The EU has largely declined to tell people.
A dutch proverb says 'high trees catch a lot of wind', if you're a high tree you ensure the wind is not aimed at you unless you explicitly want it that way. At their level there are precious few excuses about lack of resources.
Perhaps that question itself illustrates the moral ambiguity of cold-calling?
If you rely on a marketing service that depends on buying personal information without the subject's knowledge, in order to catch people by surprise, then perhaps GDPR is doing its job by making that difficult.
Analogy: tax laws take money from me but the EU doesn't give me any hints on tax avoidance schemes
This is an extraordinarily dangerous view of GDPR and will likely subject you to fines of up to 20 million EUR. There are hundreds of technicalities that can easily expose you to company-killing fines. This is like saying “you see that massive, fire breathing dragon over there? He’s actually really nice. I mean sometimes he’s not, but grab the kids and let’s go cozy up to him...it will probably be OK”. Unfortunately, most of the time, things are exactly as dangerous as they appear.
Loading Google Analytics automatically on the page on which you ask permission, even if it was an oversight? You’re toast. Using a wordpress plugin that utilizes JavaScript from a third party site and didn’t ask permission for that first because you didn’t know about it? Oops...you may lose your house.
Now, the usual people will say “nobody is taking your house for that”. All I can tell you is that the plain language of this regulation says the only limits are 10 and 20 million EUR.
Edit: to those downvoting this, and there are many of you, please show me where in the GDPR it says that I am incorrect in my assertion that loading third party JavaScript without permission could result in a fine of at least the average value of a house in any given country. Otherwise there is nothing to downvote, because I am not wrong.
Please get educated on the subject.
The problem is that I am educated on the subject, and spent many thousands of dollars on GDPR-related legal advice for my company. My view comes from actually reading it and from no attorney being able to tell me that I could not possibly be fined 10 or 20 million EUR by one or more of the 28 countries to which GDPR applies.
Of course they won't, since it would give you the freedom to go and do whatever you want and then when you get fined you can take it out on them. You can't get an attorney to assume your liability by asking them for guarantees.
So yes, they can if they choose, and if they can make a convincing case, and you can't make an appeal or a big enough media shitstorm that they back down.
But is it likely?
Are you equally worried that you might die tomorrow because a meteorite crashes into your house?
It could happen, and the consequences would be pretty massive, but it's not generally a serious concern of most people.
Risk is likelihood x harm, and you're seemingly in every thread shouting about the massive potential harm, without ever really considering the likelihoods.
Exactly how likely it is I don't know, but I highly doubt it'll be close to your expectations. And probably not mine, but maybe somewhere in the middle.
No, but then again there is no law that says that a meteorite must crash into my house if I use third party JavaScript on my site, and the only thing up for debate might be the size of that meteorite. I am afraid of things when it is put in writing that I should be afraid of them.
"Please get educated on the subject" is not a substantive comment, and referring to someone's overall trend of commentary is commenting on them, not their post. I've had someone here repeatedly do this to me, and I don't appreciate it.
Don't be afraid to let your existing argument stand against theirs, I think your posts strongly support your position. A response to a given detractor isn't necessary. :)
How can you possibly agree with someone that has written lengthy articles essentially saying “ignore what you’re reading in the text of the law”?
Can you point to any instance of any of the EU regulators imposing the maximum fine available to them for a data protection breach? We've had these laws for 20 years now.
https://gdpr-info.eu/art-83-gdpr/
--begin--
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). 2When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
--end--That's the kind of fine that would be imposed after thumbing your nose at the regulators and continuing in your ways after being warned and the violation being a particularly bad one.
Please show me where it says that, and where it defines “pretty hard”.
GDPR is actually surprisingly light on concrete technical rules. This isn't PCI compliance where they specify the number of letters that must be in your passwords and what version of TLS you need to use. GDPR creates a framework of general principles you need to adhere to in the best way you know how. (Good laws need to be written this way, since technology changes over time.)
It is not in the EU's best interest to punish you for a minor oversight when you are largely a well-behaving corporation, it's in their best interests to encourage you to fill in any gaps when needed.
What laws have you been reading? The whole basis of law is that it must be absolute - otherwise people don’t know how to follow it. People are both exonerated and convicted every day of serious crimes based on nothing more than technicalities (“absolutes”), even when the legal outcome is in direct conflict with the spirit of the law.
The large numbers ARE BUILT INTO THE LAW you are so vehemently defending. We are just supposed to ignore them? Pretend they don’t exist?
Everyone should be afraid of laws that offer possible massive fines that are incredibly easy to violate on technicalities.
Here's an organisation that lost video interviews of children who'd been sexually abused because the organisation sent unencrpyted DVDs via mail. This was a repeat occurance of a very similar thing they did before. They didn't get the maximum fine. https://ico.org.uk/action-weve-taken/enforcement/crown-prose...
Here's an organisation that lost half a million customers details (names, addresses, and telephone numbers) because they lost some unencrypted backup tapes. Again, they were not fined the maximum: https://ico.org.uk/for-organisations/guide-to-data-protectio...
Here's an organisation that is handling sensitive personal data - medical data - who had a legal obligation to register with ICO. They didn't. They didn't even get a fine. (Last para) https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...
We have countless examples of severe data breaches for dumb stuff, and the maximum fine is never ever applied.
I’m not sure how any of this makes the point you seem to be trying to make that GDPR is lenient.
Spending time arguing with people who are not progressing the discussion at all is also counterproductive. It stresses you out, wastes both their time and your time, and provides for boring reading. Downvote, move on, smile because you know deep inside you're right and they're wrong. ;) And if your original statements are of quality/convincing enough, everyone else who reads it will know this as well.
Please show me where it is written that anything I have said in this thread is factually inaccurate.
You are afraid of the 20 million euro fine. Whatever your business is that you don't want to share, I'm sure you have a competitor that will be GDPR compliant. And I'll know which one is afraid to put their money where their mouth is.
Put another way, any service that is GDPR compliant is providing me a 20 million euro warranty, and you're providing me a 0 euro one. Which is more trustworthy?
And no, everyone isn't going to block the EU.
I think it's important to cite precise examples.
If we're asking developers of small websites to give up a significant amount of their time to be compliant, we have to be rock solid into the why it is a good regulation. For example, most of the recent privacy violations in the news - FB leaks, Snowden leaks, etc. - seems untouched by GDPR.
"It looks like you're accessing this site from the EU. This site is not compliant with EU law and cannot be accessed from within the EU. If this is an error and you do not reside within the EU, please read the following:
... very long legalese about claiming that you are definitely not an EU citizen and the EU-seeming IP address is in fact a VPN or proxy, so you are definitely not subject to EU law. In case this agreement is signed fraudulently, damages will be ascertained by $US_STATE court (wherever company HQ is) ...
[ ] I agree, under penalty of perjury, that the above applies to me. In the case that this agreement is signed fraudulently, I agree to pay the damages awarded by $US_STATE court and waive my right to sue within the US."
Can this company continue doing business as usual, given that any EU user who tries to invoke GDPR will subsequently be fined and potentially deported to the US for hearing?
So, no.
[1] https://gdpr-info.eu/art-7-gdpr/
I wonder if that make the ETH and BTC blockchains illegal to have nodes in Europe from now on. Like if I post a series of transactions that are linked to me, can I ask all the EU nodes to remove this information?
I run a Pi-Hole [0] to redirect all advertising-related queries to a black hole. When tracking the most-blocked domains, Microsoft is at the very top [1].
For instance, when I enter "Office" into the start menu, Microsoft immediately sends a ping to bing.com and Microsoft's telemetry servers. That is, Microsoft is sending all of the data entered into the start menu to Microsoft's servers, even when using the 'Pro' version and with 'full' telemtry off.
When it was first detected that Microsoft was adding telemetry calls to all compiled programs in Windows [2], Microsoft said it was mostly for event debugging for programmers. Now I'm not so sure -- look at your Microsoft account privacy settings to see that Microsoft tracks when you open applications. (They say on the page that not all data is shown there).
Unforutnately, there is no way to opt out of this. You can "disable" full telemetry, but you still have to opt into "Basic" telemetry, which still sends your advertiser ID, the programs you run, and the queries you put into the start menu. I'm concerned that Microsoft is not going to stop here. They have a real incentive to capture as much data about you as they can -- they currently earn about $1 billion in advertising through Bing.com search queries. Unlike Google or especially Facebook, however, it's much more difficult to opt out of Microsoft's tracking -- so many people depend on Microsoft Office or other Windows programs that I can't fully switch to Linux.
I don't know how this is acceptable through GDPR. There are so many problems with what Microsoft is doing:
1. There is no way to opt out of telemetry
2. There is no way to see all of the data that Microsoft has collected
3. Microsoft has severe lock-in because so much software is written for Windows-only
4. Microsoft has an incentive to increase their telemetry, not decrease it.
[0] https://pi-hole.net/
[1] https://imgur.com/a/MbjtYJe
[2] https://old.reddit.com/r/cpp/comments/4ibauu/visual_studio_a...
I've long suspected this but couldn't prove it. Aside from the privacy implications I've found it makes windows unsable. Basic operations can take several seconds and if you're on an intermittent connection (which developers never test on) the menu can be frozen for over a minute.
> however, it's much more difficult to opt out of Microsoft's tracking -- so many people depend on Microsoft Office or other Windows programs that I can't fully switch to Linux.
This comes up a lot but I think we need to change how we think about it. Yes there will be pain and yes there will be things you could do before but can no longer do, but we need to treat it like ripping off a bandaid and embrace the pain rather than hope to mitigate it.
Until EU reaches mass debt and mass unemployment, and wonders why every tech startups are in the US, or in Asia.
also, being GDPR compliant gives companies a competitive edge.
I'm utterly shocked at the HN bubble about what constitutes a proper bussiness model.
Following my advice will substantially reduce the chances of people having to pay fines. That's a public service. If you want me to assume liability for that then you are clearly asking for more than I can give you.
But rather than trying to play word games with you I'd like to point to the track record of the various EU data protection entities and you'll see that on the whole they are doing a very good job.
Finally, as for paying people's fines, if you break the law you are liable for the fine, long before you will be fined (unless you are really making a mess of things) you will be warned so that you are able to come into compliance. If you ignore that and then you are fined you really have only yourself to blame.
There are some instances where it may make sense to have a very long log history but I'd be careful to properly document the need for that unless that need is an obvious one and easily explained. Anything longer than a year would be outright wrong and anything shorter than 30 days will definitely be ok.
This is an obvious slippery slope, and it's probably going to be challenged by the U.S. 1st amendment. It's already an issue with the previous "right to be forgotten" law which was way more limited in scope. [1][2][3]
[1] http://www.dailymail.co.uk/news/article-3156779/More-280-000...
[2] https://www.telegraph.co.uk/technology/google/10833894/Polit...
[3] https://www.wired.com/2014/07/google-right-to-be-forgotten-c...
I've read the law end-to-end several times, I do not think it is evil.
> Many small projects will get killed while privacy abusers will just find a way to avoid the law.
This is Europe, not the United States.
> You still have to point to one example where this law will make someone['s] life better.
It's already making my life better.
For instance, this email I just received:
--
Let's stay in touch!
As many of you know, the new General Data Protection Regulation ("GDPR") requirements go into effect on 25 May 2018. Your privacy is very important to us, so please consent by clicking the button below if you would like to continue receiving updates from YouPic on announcements, insights and potential opportunities. Yes, let's stay in touch!
Sent with from YouPic Viktor Rydbergsgatam 14, Gothenburg, Sweden
--
From a company that I've never done business with, that has absolutely no right to spam me and that I've tried many times to get them to stop spamming me with zero result.
So no, let's not stay in touch, fuck off with the spam, the targeted advertising, the profiles, the retargeting, the selling of profiles, the stealing of contact lists and so on.
I do agree with all of that, but I think the solution is more technical than regulatory.
Ublock Origin, uMatrix, and Ad Nauseum are doing an infinite better job to protect user privacy than any legislation we can make up.
At the end of the day, users are responsible for their own security and privacy as the web is global, and you can't expect all juridictions to comply with EU laws.
What would have worked is self regulation but the industry has clearly shown that it is utterly incapable of doing so.
> At the end of the day, users are responsible for their own security and privacy as the web is global, and you can't expect all juridictions to comply with EU laws.
That's the beauty of it: now we can. I'm really curious how the EU will go after foreign parties that decide to flaunt the law because they have no residence in the EU (and because they decided they did not want to play the representative game). That will be the real test. If that fails then the law will fall apart.
Time will tell.
Copyrights are very different as they are already everywhere. We don’t want reprocity for laws concerning content. Picture if China or Russia demands enforcement of their Internet laws globally.
Now, though I'm wondering about the discussion e-mail lists we have and if we need to auto-prune archives. They have folks' real names and such in them, after all, from participating in discussion.
(I also wonder how this affects big email lists, e.g. linux-kernel)
As far as deleting old member records and public archives, it depends on what consent members have given before. Membership information, especially receipts for subscription must be kept usually for 10 years for bookkeeping purposes. As for public posts, unless the members withdraw their consent (Excercise Right to be Forgotton) i don't see why. They knew then that the posts are public?
edit: you must formalize this with a privacy policy though, what data you keep, what type of consent (article 6) and for what reason you need it, if you haven't done so yet. Then ask every member for approval of the policy.
The lists are not public, but only visible within the organization. I think part of my concern is not knowing how easy it would be to rip a given set of messages out of the archive in Mailman. I don't expect it is likely Right to be Forgotten will be exercised, but it sounds to be a bear if it does get exercised.
If that’s true, then the recommendation about backup in the article doesn’t work (you can’t store PII on offline backup media in the basement and not comply with erasing the data there too on request).
It also means that deletion requests can’t easily be automated. Chasing down records on archive media is likely going to involve physical labor. It’s even the case that for write-only media it’s impossible to delete, you’d have to re-write a backup without the offending data.
All this of course suggests this isn’t the case, that offline data must be out of scope. But why isn’t this clearer?
As for backups, I am going on the assumption that they are properly encrypted, I will update the article to that effect.
> The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
> the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
> the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
> the personal data have been unlawfully processed;
> the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
> the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
I think this means your backups are ok, unless the data was for a child under the age of 16. But I also think that if you have encrypted your backups, and you make robust attempts to remove the <16 year old's data when you restore the backup, that the regulators are going to be satisfied.
All the ideals of user control and data portability are there and central to the Diaspora project; but technically, the underlying protocol involves passing users' posts and comments from one server to another. This seems like it would fall afoul of guidelines against passing data to third parties, and the same technical constraint seems to be fundamental to other federated services like Friendica[3] and Mastodon[4]. I'm really curious how the GDPR would affect services like this, especially as someone who's quit Facebook and is looking at decentralized networks as an alternative.
[1] https://diasporafoundation.org [2] https://diaspora.github.io/diaspora_federation/ [3] https://friendi.ca [4] https://joinmastodon.org
From the top of my head it would require the software to implement the various GDPR principles, and it would be wise for operators of servers to verify that they are not exposed. Better yet if EU residents connect to EU servers and let the federation take care of the connections across legal boundaries. That's smart for a variety of non-GDPR related reasons too.
For example in this article it is assumed that everyone needs a data protection officer - the only question is whether you want someone full-time, or you want to share one with several other companies. However when I read https://gdpr-info.eu/art-37-gdpr/ it seems that most companies don't fall under 1.a or 1.c.
The question mark is 1.b, the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. If you're just recording transactions, clearly you are not monitoring them. If you're running a data broker, clearly you are monitoring them. If you're running queries against your transactional data to decide who to send a marketing email to..is that monitoring? "Find all people who put something into a cart yesterday and then didn't complete the transaction." I don't think of that query as monitoring, but I can see how someone else might.
Really? I haven't heard of people who have vastly different opinions in what specific pieces of GDPR means. Do you have any links?
> For example in this article it is assumed that everyone needs a data protection officer
What? Where is that assumed? The first thing it talks about are the reasons you may need one and nothing about assuming everyone needs one.
check reddit.com/r/gdpr. Every other question has been answered with both a yes and a no.
You will see that the only two options that he discusses are having a dedicated Data Protection Officer versus a designated Data Protection Officer. With the difference being whether they are your full time employee doing nothing else, versus a part time responsibility.
Neither in the article nor in his comments here does he admit the possibility that it might be a role that you don't actually need filled.
I replied to your other comment in this thread, and I will update the article.
Can you explain why you think that it does? With reference to where in the legislation it says it, and why you concluded that?
The designated representative however is another matter.
The specific part in the law that triggers this requirement is that almost every e-commerce site qualifies size wise ('the numbers of data subjects involved') and technology wise (analytics, A/B testing, funnels and recommendation systems).
https://ico.org.uk/for-organisations/guide-to-the-general-da...
Would be a good document to review.
If the numbers are low (100's), there is no tracking, no recommendation systems and no analytics then you are right, in that case you do not need a DPO, but even then I would still assign the role since it is free.
Also I do not believe that the DPO is actually a free position to fill. If you read https://gdpr-info.eu/art-38-gdpr/ in section 6 there is the requirement that the DPO should not have a conflict of interest. If you're both the DPO and the person who is being asked to sell data, that's a conflict of interest. Even if you're the sole proprietor.
If I thought I needed one, I would hire one. Even as a part time contractor. It is safer.
I agree that the law is quite explicit that such conflicts of interest are to be avoided. But there is a lot of precedent for this situation with respect to compliance officers. A very small company that is audited for compliance with some standard will be looked at with a different level of strictness when it comes to separation of duties. This is simply a fact of life, when a company is small some conflicts of interest and some overlap between roles is unavoidable.
Given that this situation is a common one and given that regulators are not going to put a substantial chunk of Europe's SME's out of business (because that is not in their interest) I expect this to be dealt with in a reasonable way.
Something similar happened with VAT regulation: The EU decided to go after service companies selling into the EU and 'shopping' for the best VAT deal causing loss of income for the various governments (VAT is not harmonized in the EU). Initially this was a huge burden for small companies because they had to - on paper - file VAT in every EU country where they had customers and they could be audited by all of those entities. That was unworkable for small companies. So they came up with VAT-MOSS and it works very well (I've used it for a year or two).
Multiply that by the number of EU countries.
A lot of the fear in this thread seems to be from people reading EU law through US filters.
No, my fear is from reading the EU law with an experience based Hungarian filter.
Somehow our ancestors did not have the brilliant idea to just put a fine to any hospital that breaches medical protocols and send patients to death.
The first web browser was released in 1993. Any computer science professional born before 1970 had not seen a web browser as a student (because it did not exist).
25 years after 1993 the EU decided that a law that regulates the profession with fines (GDPR) is enough.
Good luck EU!
[1] https://www.learnhowtobecome.org/doctor/
> What’s important with any law is - besides the letter of the law - what the spirit of the law is, the laws intent.
This very conveniently forget the GDPR will not be interpreted by a single authority in Brussels but rather by the relevant authority in every single EU country. Whatever the lawmakers intended, who gives a hoot? I can pretty much guarantee the Hungarian NAIH will see this as a fantastic cash grab opportunity. (I am a dual Canadian-Hungarian citizen, I know my birth country all too well.)
Despite all this "pah-pah, it'll all be fine" there is not even a guidance much less any law describing who shall be fined for how much. Spirit of the law protecting you from Hungarian bureaucracy , good luck Chuck. The courts will eventually curb this madness and set some best practices but meanwhile those who got fined excessively will stay bankrupt. Don't be the patsy. At this time, unless you are a big enough company to have a sizable legal department do not do business with the EU. This is not hysteria, this is just good business sense.
If you don't believe that's how it will work that's entirely fine with me but about 30 years of data confirm my point of view.
The entire spirit of these articles are completely misguided because the adverse reaction to GDPR is not hysteria. Here's the unique nature of this which makes it a recipe for disaster:
1. Every business interacting practically any way with European citizens is affected
2. The potential fees for breaching a very complex regulation are unprecedentedly high.
3. Determining the actual fees for each breach is in the hand of every EU country, including some which today wouldn't be admitted into the EU.
People were genuinely surprised when the world didn't end. This is going to be just like that. May 25th the world will continue to turn and none of these bogeyman stories will come to pass with anything approaching fidelity.
Regulators will target the worst excesses to show they mean business and are severely limited in manpower anyway so the vast majority of interaction that has to do with the GDPR will amount to a change in mindset and some best practices. In edge cases things will get a bit more interesting (someone mentioned federated services and that's a really good question).
FWIW I've been looking at companies from the GDPR angle for about a year and a half now, we slowly ratcheted up the push for compliance and it is interesting to see how (EU based) start-ups have adapted to the new legislation. We have also found some companies that were ill prepared but that's to be expected.
The worst position to be in is a small (10...20FTE) company operating in the US running a SaaS that stores critical information. That's an expensive affair. For most other companies - including the really large ones - the impact will be mostly a one-time investment in software and inventory of data and processes. After that they will be in much better shape and that's a good thing.
Companies that make a business of selling data are expected to be hit hard, and rightly so.
Your confidence scares me. What about this, I have the same amount of evidence you have: Some regulators will target the weakest. It's really easy to slap a few tens of thousand of euros fine on a small business. Sure, fining a big company for many tens, hundreds of millions makes news but a few ten thousands is a good income.
Do you have any evidence for this?
I have plenty of evidence for the opposite, if you want I will collect it.
Here is one sample dataset, NL:
https://www.computable.nl/artikel/nieuws/overheid/6345059/25...
No fines in all of 2017, in spite of 10,009 data leaks that were reported.
In one case there was a settlement of 48K, but it is not quite clear what the circumstances were, probably to protect the guilty.
"De AP stelt in een samenvatting van het jaarverslag 2017 dat het niet altijd direct een onderzoek start. Het gaat eerst in gesprek met partijen die een overtreding begaan en in veel gevallen leiden die zogenoemde alternatieve interventies niet tot een officieel onderzoek."
Rough translation:
"The Authority says in the summary of their annual report for 2017 that it does not always immediately starts an investigation. It first tries to talk to the parties that have violated the law and in many cases these so called alternative interventions do not lead to an official inquiry."
I don't really understand your tax authority example though, doesn't that mean the payments are late and that the tax authority is fully with in their right to take what's theirs?
Did they take more than was their due?
Let's hope that kind of behavior won't be the norm. But I wish the Hungarian Data Protection Authority much good luck trying such tactics against other EU companies, it will most likely not play out how they think it will.
I recall a case of the Irish tax authority trying to fine EU companies for failure to pay VAT, that blew up pretty badly for them, and in the end it turned out they themselves had fucked up. Since then they've been well behaved.
I've tried to find a citation for that particular case but can't find it. I own one of the companies that got fined.
PECR is the implementation of http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:320... which is European law.
There are a number of regulatory actions available to eg ICO if companies are violating PECR.
https://ico.org.uk/about-the-ico/what-we-do/taking-action-pr...
> There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of anyone who breaches the Privacy and Electronic Communications Regulations (PECR). They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice imposing a fine of up to £500,000.
> These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.
I'd agree that the lack of enforcement of PECR certainly makes it feel like just a suggestion.
If it's not enforced, then what was its point?
I think it's best to think of the GDPR as its replacement, rather than thinking of them side by side, to be honest.
Wired getting something wrong is... believable.
As an EU citizen, I'd like to know what or whom I should direct my ire towards.