297 comments

[ 2.9 ms ] story [ 317 ms ] thread
Intelligence agencies are. They are exempt from it and get a monopoly on data collection.
Are you suggesting EU intelligence agencies should abide by the GDPR?
They already abide by the GDPR. There are exemptions on the GDPR for: national security; defence; public security; the prevention, investigation, detection or prosecution of criminal offences; etc.
I'm suggesting it's a power play from the governments using privacy as an excuse.
Frankly, I don't see why any business should be competing with intelligence agencies in their "market".

It's quite reasonable that our spy agencies which we create for spying have a monopoly on it - just as police should have a monopoly on putting people behind bars and not letting them out, IRS should have a monopoly on collecting taxes from people, and FDA has a monopoly on proclaiming which drugs are safe.

If Facebook or Google are gaining some equivalence in capabilities to what the intelligence agencies are supposed to be doing, that's a bad thing and should be stopped.

The EU has been way too overbearing lately. I have to say, it's made me a bit more welcome to Brexit happening; taking out one of the more economically-important countries from it should cut its power a bit, along with insuring that there's a decent chance of small businesses and the like to expand into Britain sanely.
The UK implements GDPR like every other EU country. Maybe they roll it back when Brexit is done, but I wouldn't hold my breath for it.
I think Theresa May recently reaffirmed her commitment to GDPR. The UK was even heavily involved in drafting it.
What else did the EU do bad for you?
Make me click throughly thousands of useless cookie warnings.
(comment deleted)
You know what a cookie is, most non technical people, those whose idea of Internet overlaps with Facebook, do not.
You know, I used to get really aggravated at those. "This is silly!" I would rant. "Cookies are harmless!" But I've started to come around.

Yes, they're still irritating. But I like the fact that site owners have to THINK about how they're irritating their users and I'd like to think they're questioning whether or not they _really_ need to use cookies to serve static content...

I think they should rather press browser companies to expose privacy settings more and make management easier. So instead of having millions of popups, you could do it from the browser level. That would be more secure and easier to implement.
Or more likely, they search for and install "cookie warning plugin" in 2 minutes and then forget about it forever.
Websites don't need a cookie warning for harmless cookies (like login cookies or language preferences). Cookie warnings are only needed for tracking cookies, and those aren't exactly harmless.
I find this opinion amusing, given that at the same time US was successfully failing to keep the net neutrality.

It could have been a bad decision per se, but historically laws take years to become actually useful. And internet is only now getting out of the "Wild West" phase.

On that matter: how many of NH'ers here have voted for Brexit due to the cookie laws?

It is not only that, but also that enabled huge vulnerability, because people now click these without reading.
Cookie warnings are the new ads. My ad-blocker eats them.
The problem isn't the warnings. The problem is that every damn website where you read a single article thinks it's somehow ok to set a cookie (and track you).
The problem is both. We can't pretend that failed solutions with good intentions are not problems. It is not worth adding more problems on the stack because the guess-and-check solution whims fail. Solutions can be measured and worked towards, not guessed at where they do such large changes that their failure is also large.
Many aspects of GDPR seem as direct attempt to learn from the failures of the Cookie warning law and fix them - namely, the big flaw was that the law was written so that flashing a banner with no real choice was considered sufficient to consider that the user "agreed", and that's why everyone did the intrusive banners.

GDPR is designed so that these intrusive banners with no real choice are absolutely worthless to the site, they can't construe freely given informed opt-in consent, so the expectation is that websites won't bother with such measures anymore. Of course, time will show what workarounds people will imagine, but both intent and actual wording is wide enough to ensure that this time the adtech tracking business will have no reasonable legal way to get permission to continue what they did and will actually have to stop tracking most users.

That wasn't the EU's fault; that was purely and 1000% the fault of the websites that implemented them and chose to do a half-assed job of it.
Any European country outside EU still does bilateral agreements when it's convenient for them, just check Norway and Switzerland for two examples.

It remains to be seen how much exit Brexit will actually mean in reality.

Does "expand ... sanely" mean building businesses on citizens' data without regard to possible harm to those citizens or society at large?

If not, what alternative do you propose to GDPR?

> If not, what alternative do you propose to GDPR?

There are lots of alternatives. How about enforcing the existing statutes before expanding them? My preferred alternative would be to start with a smaller scope and just require clear transparency on what is taken (i.e. not stored, taken). You can grow from there. But first, show you are capable at enforcement before increasing scope so vastly.

I disagree completely. EU seems to be the only large entity that cares about citizens, and GDPR is likely to bring a lot of sanity to the field. It seems that the positive effects are often extended also to people that aren't strictly in the target group.

I'm saying this as an employee in a company that has been doing changes to ensure compliance. Some extra work, sure, but all the changes I've seen from inside have been for the better.

hey are you storing customerID -> zipcode mapping anywhere by any chance. Do you purge that mapping on 'forget' ?
It would literally take me a single Ctrl+F though the codebase to see every line of code that uses CustomerID.

Does it not for you? Ah right, you're making a point about how slow the progress will be if we do not allow the small business owners to build their half-baked solutions.

I am pretty sure Romans once had the same issue with the bridge builders.

>It would literally take me a single Ctrl+F though the codebase to see every line of code that uses CustomerID.

Most real world applications aren't that simple unfortunately. You can Ctrl+F all you want, but that won't show you the logging that automatically logs parameters from requests that include customerID or the reports based on DB replications or ETL.

Well, then remove all of the other data associated with the customer. CustomerID then is then going to be irrelevant anyway.

But frankly, all of your points are equally invalid. Replications are a copy. Replace values in replications with faux values if that's required. ETL? Absolutely the same. Logs? sed s/UserID/FauxUserID.

You're operating a semi-garage business if it's so hard to comply with GDPR. Data does not belong to you anymore, and you've had a few years to make sure you complied.

(comment deleted)
That's only because the people building them haven't cared about it. Now, hopefully, people will care about it.
ok? Not sure what you are trying to say with ctrl+F.

Don't care for your dumbass comment about some small business thing.

> EU seems to be the only large entity that cares about citizens

Business owners are citizens too, and they hire citizens.

So? Their desires do not trump the rights of everyone else.
Nobody said they did. I am unsure how that relates to my comment.

I was responding to GP who I believe was wrong and gave an example of the types of citizens that not only do they seem not to care about, but appear to actively punish.

Actually (as a user) I very welcome GDPR. Why would it be so terrible for a user?

SOT: As for Brexit - I'm very curious how it would turn out, especially with so many conflict points (Ireland border and Scots wanting referendum for example)

Law is terrible because after two years people still don't know what to do and how to be complaint. There is as many interpretations as interpreters and so on. GDPR is a tool to shut down websites under guise of protecting privacy.
Oh come on. Hanlon's Razor.

GDPR, like all laws, has something to do with power struggles. But do you have evidence supporting your doubt that it's actually intended to be about protecting citizen privacy?

Given that protectionism is stupid and protectionists genuinely believe that they are doing something good for their nation when they implement protectionist policies I can use Hanlon's razor and assume both.
"protectionism is stupid" can be used as a generality, but if you make it a broad, confident assertion you're removing human judgment and trying to apply simplistic rules to the world — which is exactly the type of thinking that makes bureaucracies stupid.

And yes, with Hanlon's Razor, you can still criticize things that you accept as likely coming from good intentions.

This has opened so many attack vectors than it closed. For example you no longer need to hack a database to get user data. Just impersonate and request the data from target company. Cookie law trained people to click anything without reading and people don't understand what they do online. Then data portability will enable more pii in circulation. For example fake social network enables Facebook account import for prizes and so on. Now GDPR emails train people to mindlessly signup and agree to whatever. Just create fake email asking to sign up to copy of a target site. Obtain password and download all data. Furthermore employees will have easy access to neatly packaged user data, so that they can sell it in the site. This law is hackers wet dream.
Indeed, there may be really negative consequences of incompetence. But understanding when it's incompetence versus malice is still useful perspective.
Isn't that mostly because, despite being given 2 years to implement, nobody's really bothered to do anything until the last second?
If it is unclear what to do, then why would anyone risk doing it wrong?
If you start out early, you can contact your country's regulator for guidance.
Which are not going to know either, because it is all free to interpretation. It is not uncommon that even when government offers paid interpretation, so that company can back what they do by it, to withdraw it couple years later and fine the company (Because civil servant giving out the interpretation was wrong or for other reasons).
Since it applies quite a few new rules that pertain to the development of software, many of which do not store data that is that interesting. (Things like the usual user and IP address logging used to fight spammers.)

So the result is that developing software is more complicated and expensive, and hence less services that people want to use (and only services people want to use matter) come into existence, leading to a lower quality of life.

I don't buy that last sentence for a single second. Fewer services not caring about your data is not a bad thing. And those that do pop up will have done so in an age of caring about user data, thus leading to higher quality services, and a higher quality of life.

Hell, something like this should have been instituted from the very start of the internet.

Like everyone else, I've been bombarded with numerous "we've updated our privacy policy" emails over the past few weeks.

I'm not sure updating privacy policies with CYA language will suffice.

The evidence suggests European regulators really want companies to change their behavior.

Well, I've also gotten a ton of "please, please, please confirm that we can keep sending you the e-mails we're sure you really don't want to miss" from companies I don't remember ever dealing with, which I've gleefully ignored, so it seems quite a few companies are changing their behaviour in as much as they seem to be purging their mailing lists. Even if that's all that's achieved, it'd still be a big improvement/
I've got a ton of those too and am skeptical what they accomplish. A lot of the mailing list ones I've seen are opt-in. But, I a lot of the services ones have been "Agree or GTFO", and I don't know how doing that before GDPR drops is going to matter. From what I understand, they can't say that they have consent if it was mandatory to continue using the service.
I've gotten these emails from an MFA vendor. I haven't had the time to review and agree to the new privacy policy they've provided.

I'm confused about why a business would be impacted by this law, if they are only storing the login data I'm paying for them to store for me.

How does the GPDR impact employee auditing requirements? How do I delete your info from my system, and still prove that you only accessed systems to which you were authorized, while you worked for me?

If the company is storing Personal Data (on people in the EU) or is present in the EU, GDPR applies. They might also be complying voluntarily for various reasons.

Data Subjects' rights to their data aren't absolute. If you need it for legal/compliance reasons, or legitimately need to keep it for clearly defensible reasons like auditing, preventing fraud, etc., you aren't required to delete it.

But if your only legal basis for processing the data was Subject consent, and they revoke their consent, you are required to delete it. Many companies are treating mailing lists this way and/or are confused and terrified in general, so everyone is getting emails.

Some companies are also adding Data Processing Agreements to their terms of service that allow them to be Data Processors for customers. Maybe your MFA vendor is one of those.

Most of those e-mails are either illegal or unnecessary.

If you've already opted-in to receive marketing messages, then they don't need to ask for your consent again just because GDPR is coming.

If you haven't already opted-in, then the Privacy and Electronic Communications Directive only allows unsolicited messages containing marketing information related to previous purchases you have made from that company.

The requirements for consent have changed, though. For example, pre-checked checkboxes are no longer considered consent, so strictly consent has to be re-obtained if the original form contained a pre-checked consent box.

Consent is not supposed to be coupled to receipt of a service either.

that doesn't make sense, it would make all corporate news letters illegal unless a purchase was made.
Unless you've explicitly opted in (not failed to opt out), that is exactly what GDPR does
Not if the user affirmatively chose to receive the news letter.
Updating privacy policies is necessary but not sufficient. GDPR has explicit requirements for what a privacy policy must contain, as part of the Right to Transparency.

I'll also say that most of the privacy policy emails I've gotten are from companies that probably don't have to change much of what they're doing except for documenting things more. I.e. online services that I pay for, as opposed to websites that try to monetize me. It's the latter category that will have to adapt much more than the former.

> I'm not sure [...] will suffice

I think if we're being honest, nobody's sure what will suffice. Even if we pretended the legislation spelled it out in non-vague terms, what suffices is more about enforcement than codified word. Couple that with the fact that it is in vague terms and it falls even more heavily on the enforcers to define the law. Until then we wait, often while being berated by others for our confusion.

It’s been interesting to see the phrasing of those emails.

I feel like there’s been 2 main categories:

1) GDPR is coming, we used it as an opportunity to rethink what data we collect and what we do with it, and re evaluate our practices

2) GDPR is coming, here’s a long and confusing email that doesn’t make much clear except we think that GDPR is a pain in our neck

Emails of the first kind tend to be sent by smaller outfits, while the latter tend to be sent by large companies in positions of power.

I just move them to bin. I wonder how many of them is fishing, so that they redirect you to fake sign in page and steal your password.
> I wonder how many of them is fishing, so that they redirect you to fake sign in page and steal your password.

Or spammers trying to verify that your email address is active. Presumably the spammers can charge more for verified targets.

I usually ignore them too, however I found one recruitment agency send me a mail saying that no reply/action is 'assumed consent' for them to keep my data.

So I'm having to impose an annoying level of extra scrutiny on these mailings to make sure no other company is throwing the no action == assumed consent excuse

> no reply/action is 'assumed consent' for them to keep my data.

This is illegal under GDPR

GDPR is absolutely explicit that no action == no consent.
Well it didn't make any odds last quarter so they're only preparing for it now...
Also true: The news maximizes fearmongering.
I happened to be looking into pinterest's 'updated privacy policy' for the last 30 mins. They just seems to wiggle and bend in every direction to make it seem like they're complying, but even my blind granny can see they're not. I wonder how companies like them will survive - because their whole existence is based on doing the exact things the gdpr wants to stop.
Not sure why the doom and gloom. Because they can carry on as always except in Europe. If that's 90% of their base then yes, they may have problems.

For such companies GDPR simply shrinks profits, no?

GDPR applies for non-EU based operations as long as the users are EU-based.

I guess theoretically they only have to comply with GDPR specifically for EU-based operations and/or EU citizens, so they could technically keep at it if their servers are outside the EU and for any non-EU users. But I think in the long run it'll be easier to have sitewide compliance.

Sitewide compliance could reduce revenue worldwide, in those cases it could often make sense to exit the EU market entirely.
That is of course one alternative. Depending on your business it might be viable, but the EU is a pretty big market to skip out on assuming your business model itself doesn't violate the GDPR.
If the only reason you're making money is by disrespecting your user's privacy, then one has to question whether you should be in business in the first place.
GDPR isn’t perfect, and those not in compliance with a new, vaguely written, policy aren’t automatically evil.
The policy is 2 years old. It's hardly new; there was lots of time to ask questions and come into compliance.
Plenty of time to ask questions but no one who can give straight answers.
Europe is 500 million potential users, so if you're not privately held, then you also need to explain to stockholders that you intent to leave that market open to competitors. Sure all EU citizens aren't equally wealthy, but a large number of those 500 million are in a lucrative segment.

Let's say that Instagram decides that the EU isn't worth the hassle, and leaves. Now competitors have 500 million users to target and build a platform for, without the annoying interference from US based companies. If some is successful under the GDPR, there's no real reason they could easily enter other, less strict markets later, using the profit from their EU business,.

The assumption is Pintrest can't be successful in the EU.
There are some services that wouldn't exist if it wasn't for targeted advertising. Instagram may have millions of users in the EU but how many would pay for the service? The number that would probably would not be enough to sustain the network effect.

And if Instagram users switched to mainly non-targeted advertising, Instagram may find itself not making enough money to sustain its company. While a 'competitor' willing to make less money could show up, their ability to collect / store photos or videos / update the ui / filter out inappropriate content would be decreased if they were barely profitable, making it a less useful service than Instagram was.

I didn't mean it as 'doom and gloom' - I'm just interested in the economics and management/business aspects of it. Is it possible to turn a company around that has 'ads' woven so deeply in its DNA? Would such a company just give up on a target demographic sized 500mm? What would that do to their valuation and funding? Maybe the answer is 'nothing', I'm not sure - but plenty of companies were punished by the markets the last 15 years for not at least trying to get into Chinese and Indian markets, which are (if you only count the people that can actually buy something) much smaller than the EU, and much harder to break into culturally.
Shrinks profits or destroys their business model (ie apps/games that people wouldn't buy but survive well on targeted advertising)
Hm, that’s interesting. It should be possible for Pinterest to be compliant, e.g. Twitter is compliant.

Was there anything specific that caught your eye?

Do you know how Twitter is complying? I'd be interested to hear.

In the last month or so, I have started seeing consent interstitials in Tweet embeds on news sites and stuff. They say something to the effect of "Twitter uses analytics to track ..., do you agree?". But, there's only an agree button.

Our SaaS consumes Twitter data through GNIP API (company they bought a couple years ago). Twitter was the first data provider to require reviews of all the usage scenarios and they are very serious about enforcing the correct use. Twitter also publishes compliance feed which all downstream services are required to respect. E.g. if a user removes their twit or profile we remove their data from our service.

We had to negotiate with other social networks to provide similar functionality.

Wow, that's good to hear that there's a compliance feed. That sounds like exactly what I was talking about in a different thread, where there needs to be a webhook, feed, or some other communication mechanism to disperse deletion requests to processors.
It's certainly possible for Pinterest to be compliant if they actually try to be compliant and change their behavior (not only the privacy policy) accordingly. That doesn't mean that they're going to be compliant.
All from https://policy.pinterest.com/en/privacy-policy .

- "We collect information in a few different ways: ... 3. Our partners and advertisers share information with us". Unless I have explicitly given those partners and advertisers consent to share that information with pinterest (and specifically with pinterest), I don't think this is compliant. But wait, there's a setting in your profile that you can turn on and off: "Use information from our partners to improve which recommendations and ads you see • Learn more". Note how it doesn't say 'don't collect information on me'. It only says 'don't use information to personalize'. I've read several sections of their website on this, and it's all carefully worded to make sure they never promise not to collect information on you - just that they won't show you what they can do with the information they collect on you.

- The section "What we do with the info we collect:" contains the phrase 'legitimate interest' 5 times. This is a desperate attempt to justify themselves using the phrasing of the law. Take this for example:

"We also have a legitimate interest to improve Pinterest, maintain our relationship with you, and protect users. We both benefit when we use your information to: Help your friends and contacts find you on Pinterest, if you agree to this in your settings. For example, if you sign up using a Facebook account, we can help your Facebook friends find you on Pinterest when they first sign up for Pinterest. Or, people can search for your account on Pinterest using your email."

That's severely stretching 'legitimate interest'. Now you might say 'hey but it says 'if you agree to this in your settings'. Yeah except that in the settings, it says 'Use your Facebook account to log in', it doesn't say anything about slurping up all your Facebook contacts so that they can be spammed with 'hey do you know xyz' when they first log on.

Or here: "We have a legitimate interest in delivering ads that are relevant, interesting and personal to you in order to generate revenue (providing this Service is expensive!) To further these interests we use the information we collect to: ".

Yeah under that definition of 'legitimate interest', we might as well scrap this whole gdpr thing. 'We have a legitimate interest to use every method we can think of to squeeze every last advertising penny out of your personal data' would at least have been honest.

- "Tell our ad partners the types of products you might be interested in. For example, if you create a board dedicated to sneakers, we can tell a retailer that you’re more interested in sneakers than, say, sweaters." Yes well that's the exact thing I do not want. Look, I'm fine with paying for stuff with my personal data - up to a point. But pinterest sending every interest of mine they think they can derive from my activity to anyone who will pay for it - no. OK, let me just go to my profile and turn that off, like all other, trivial features they repeatedly point out can be disabled 'in your profile' - uh what do you know, there's no such setting!

Look, maybe it won't turn out as bad as it looks, and maybe the above relies on a strict interpretation of the law that, in practice, will turn to be more... let's say lenient. But reading that 'privacy policy' just feels like being fed a shit sandwich while surrounded by 12 harp-playing angels singing about how delicious it is.

Thanks! I agree, it seems they are trying to handle it the same way as the cookie law. I hope they do a proactive audit and fix the most blatant violations.
I would expect Pinterest to focus on the US market.
They have their products translated into languages that are only spoken in Europe, they know I'm in Europe and show me pins that are relevant to my country, and they work with merchants to show you geo-targeted ads. I mean, spending 51% of your effort on US demographics is technically still 'focusing' I guess - but I don't think it'll be enough to be able to claim that this law doesn't apply to them.
> but even my blind granny can see they're not.

Curious what you see, if you have any examples.

Have replied to other comment asking the same, above.
Leaving aside questions of business model, many large online services simply don't have an easy way to track from downstream information back to the original source. That will make it almost impossible to implement notifications or "right to be forgotten" in any strict sense. One possible outcome is a new set of businesses designed for GDPR will arise in place of Pinterest and others.

That outcome seems to be a not-so-hidden goal of GDPR.

Isn't the burden on the data controller to ensure that they only transmit data to processors that are setup to handle deletion requests? In this case, that'd mean Pintrest or whoever is required to get their advertising partners or API consumers to setup some kind of webhook or feed for deletion requests.
It's just not very clear how easy that protocol would be to implement. The problem is siloed data without clear identifiers to track sources.

For example, it's common in services like Pinterest to have upstream collectors that feed information into a Kafka pipeline to downstream services that use the data as they see fit. They don't necessarily have consistent identifiers that would allow you to determine that person A's data lives in derived form in services 1, 5, and 14. In the limit you might have to scan all persistent data.

It gets much harder once the data leave the company and travel to other online services.

Depending on the case law and administrative guidance that develops to interpret GDPR more precisely this problem may be simply unsolvable for some businesses.

I totally agree, re: possibly being unsolvable for some companies. It'll be very interesting to see how the actual enforcement develops.

I suspect the regulators want companies to create these kinds of consistent identifiers where they don't already exist and make sure that they ride along with personal data wherever it finds it's way.

There's a comment in the article about an oblique reference in an email to "a tall, bald guy living on East Whatever St." being PII and must be included in data subject review/deletion requests. How do you find that, even if you're scanning everywhere?

What about users' computers with excel sheets with personal data? That's how reporting is done a lot of places that I know of. You can make them install an agent to scan data or require all data be put in centralized storage like a network share or corporate subscription to a service like dropbox or something. But, I 100% guarantee that Andy from HR or Jane from marketing going to "forget" to do that or put it in some insane format that the scanner can't handle.

Can you elaborate what do you mean by "downstream information" ? Is it in the technical sense internally (server A receives a bunch of possibly private data from server B without much context), or in the intercompany sense (we receive a bunch of possibly private data from another company without much context) or something else entirely ?
(See my example referencing Kafka downthread.)
That doesn't answer the question - is the Kafka pipeline feeding it into your services or someone else's services? That's a very big difference GDPR-wise.
Apparently neither is The Verge, having a fixed footer popup with the only option being "I Accept" doesn't comply with the guidelines
Well, you have the option to leave their website. It's still unclear to me whether this violates the GDPR. Art. 7 (4) of the GDPR says:

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

You don't enter a contract when visiting a news site.

(comment deleted)
The cookie law was flawed from the beginning because it allowed companies an opt-out mechanism (which we see via these cookie banners). This is even the case if the user does not consent. A company cannot force or even ask a user to opt out of GDPR so, unless a company misreads the law, we won't be seeing useless GDPR banners.
I believe it's the ePrivacy regulation rather than the GDPR that applies here. It's my understanding that you no longer need permission for certain usages of cookies where they're needed for certain functionality, such as shopping carts - and possibly some degree of tracking -- perhaps -- if some or all of the following are done:

* The data isn't retained for too long * IP addresses are anonymised * Session cookies or cookies with a near future expiration date are used * First party cookies are used

What exactly you need to do is not always totally clear, but usually the balancing test works like "is it required for legitimate business purposes that the user is likely to expect".

If they don't need permission at all, then they're free to ask away. (Although it does show that people have failed to understand these changes in the law.)

It complies so long as:

1. Tracking is not enabled until you click it and 2. You can still use the core functionality of the site without accepting

So long as you can still read the website around the pop up and they don’t activate tracking until you accept it then they are in the clear. The banner can be annoying as it wants as well.

Yep, this is right. You can technically use the service without giving consent, so it meets the guidelines. However, the Verge will make that consent box as annoying as possible to encourage you into accepting. Oh, you don't want half of your screen blocked? Well, just click this simple button and sign away your soul.

All the big companies are doing something similar. If you want to be an honest publisher and follow the laws, you can have a clearly written consent box that lets users accept or decline. However, you'll see 95% of people decline, and take a big hit on your revenue while your competitors prosper.

What are we really accomplishing? We're just going to have popups on every site, that do their best into tricking users into accepting. Do you want to see other examples of consent management solutions that will be appearing soon?

https://www.quantcast.com/gdpr/consent-management-solution/

If you want to opt-out, you need to use the tiny "show purposes" button.

http://acdn.origin.appnexus.net/cmp/docs/#/basic/show

Click "execute" for the example. Want to opt-out? Click the "learn more" button, and then you'll need to disable about 1,000 options.

They might as well just make personalized advertising illegal. It's pretty clear 95%+ of people don't want to be tracked this way. However, these consent management solutions are saying 70-80% of people are accepting. This is happening because people are being tricked or forced into agreeing. Why are we rewarding businesses that choose to use this kind of behavior and punishing honest ones? Why are we turning internet browsing into an annoying experience filled with popups that are a minefield to navigate?

> Why are we turning internet browsing into an annoying experience filled with popups that are a minefield to navigate?

Honestly, because it works if you are targeting a specific niche. The problem with large, generic platforms such as Google and Facebook is that there is no typical demographic, so without knowing who people are it is difficult to point advertising at the most suitable demographic.

In the old print days you knew the reader of a car magazine was into cars and the reader of a caravaning magazine was most likely a middle aged couple who were fairly well off and receptive to more expensive lifestyle upgrade goods. If we could find a way to segment like this without tracking that would be great but while everyone uses these large, monolithic, caters for all platforms, it’s really hard, without tracking, to know who you are advertising to.

I find retargetting creepy and annoying but I like targeted, informative ads that are relevant to my interests. There is a balance to be found here that walks the line between useful and effective and creepy and annoying.

Oh and the cynic in me thinks that the 7 years of ineffective cookie law pop ups was just training people to accept them for GDPR now that they mean a bit more.

Are you seeing the same what I'm seeing?

If I go to the quantcast link and press 'show purposes', everything is deselected by default as it should be, and if I click 'Save' there then I proceed without having opted in to anything. Sure, the "show purposes" button to refuse is misleading and should be changed, but the 1000 options screen is fine, at least for me.

Everything is deselected IF you click the "show purposes" button. If you visit the page and click what appears to be the only option, "I agree", then you're opted-in for everything.

Why doesn't the page have two equal size buttons, "I agree" and "I disagree"? We all know why. It's about intentionally misleading users into agreeing. This isn't fine, and it defeats the entire purpose of these regulations.

> However, the Verge will make that consent box as annoying as possible to encourage you into accepting. Oh, you don't want half of your screen blocked? Well, just click this simple button and sign away your soul.

To be compliant they would have to leave that half a screen blocked with a simple button to opt out again.

Can I revoke that consent after I gave it as easily as I made it? It seems not, this would be a violation next week. Article 7, part 3.4 "It shall be as easy to withdraw as to give consent." is as literally clear as it can get - not possible to withdraw consent, not easy to withdraw consent, but as easy. Counting clicks required and the size of font used for links are likely to be used as criteria.

Their current privacy policy and cookie policy linked there doesn't mention how can I withdraw this consent, so it violates the information requirement of Article 12. It does mention that browsers can be used to block cookies (which violates the "as easy" part) but says nothing about the ".. and other tracking technologies." sentence of their "consent" window.

Futhermore, a popup window that occupies half of my phone's screen is intrusive. It's not sufficient to, as you say, "You can still use the core functionality of the site without accepting" - Recital 32 (https://gdpr-info.eu/recitals/no-32/) states "the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.", so it seems that this request may violate the requirements.

To be fair I am yet to see any implementation of giving consent that enables people to revoke it as easily. There should be a link in the privacy policy that revoked access with a click for whatever tracking platform the site is using, without having another bar that hovers all the time with those links in I doubt you will find easier than that.
This is generally not a problem for any genuinely opt-in features - I went to a particular place to opt-in because I wanted to, and I can go to the same place to opt-out afterwards.

It's a bit different in situations where I don't really want it but the service provider does; but these are the intended target of this legislation. One could argue that this is a useful criteria for UI evaluation - if the site feels that it's unreasonable to dangle a banner "Opt-out of tracking NOW!!!" to everyone forever, then perhaps it should be considered exactly just as unreasonable to dangle an identical banner "Opt-in to tracking NOW!!!" in front of everybody until they accept. If you don't want to do the opt-out banner, then you could be forbidden to show the opt-in banner. So even a very literal interpretation of this may make some sense.

You are supposed to offer access to your service 'without detriment'. A popup that you cannot close blocking half the page sounds like 'detriment' to me. Also you need a clear way to say no.
I am ready. I have a list of targets already in mind.

I’m a big fan of EdX for example but it’s unacceptable that their app wants to talk to connect.facebook.net. I didn’t consent to that and it’s not required to deliver their services. And I did give them fair warning.

I hope people will be proactive about this. Even if regulators aren't all that interested, users can do a lot to enforce GDPR, thankfully.
As a EU citizen, I certainly am. For too long companies have abused my trust and personal data without any consequences. The general fear shows how deeply necessary a stricter rule set was.
Almost certainly the "companies" you speak of were entirely FREE services and the "abuse" was really just your lack of understanding that when a service is free, YOU are the product.
"There has grown up in the minds of certain groups in this country the notion that because a man or corporation has made a profit out of the public for a number of years, the government and the courts are charged with the duty of guaranteeing such profit in the future, even in the face of changing circumstances and contrary to the public interest. This strange doctrine is not supported by statute not common law." - Robert Heinlein

The EU is under no obligation to allow the business model of "free, but paid for by selling your data" to continue to exist, just because it has existed until now.

Well, I cannot read the article on mobile without agreeing to being tracked, the popup takes 3/4th of the screen.

Ain't it the browser's job to display an agree/deny message for cookie tracking per domain? This seems backward to me as the page is already asking the browser to agree to storing cookie. As of now I need an extension in order to block cookies by default and whitelist them accordingly to my needs.

> We use cookies and other tracking technologies _to improve your browsing experience on our site_. That looks like a lie to me. Is there anything stopping them from creating a cookie only once/if I login?

> improve your browsing experience

In advertiser-speak, "relevant and interesting ads" are an "improvement to your browsing experience".

Actual end-users may have a slightly different interpretation on what constitutes an "improvement".

As a childless man, for example, are relevant and interesting ads not an improvement over the tampon and diaper ads that are all over TV?
Not really, considering that means all my data is being scattered to the winds of the internet.
It certainly may be, and it's your choice to make (if you wish so) by opting in to targeted advertising.

What's wrong (and, in a few days, illegal) is for the service provider to assume that everyone will prefer that.

They had two years to comply. But most weren't aware aware of it for the first year, and then they only started looking into being compliant with it a few months ago.

It's not the EU's fault then are not ready. I don't think announcing the law 5 years earlier would have helped many more companies to comply before the due date.

Genuine question as it pertains to US-based companies. How can a foreign law have such seemingly deep impact on US-based companies, let alone, situations where the visitor is not paying for services? Maybe this gets into International Law, but even if I'm not _targeting_ European visitors, say they cross some threshold by percentage compared to US visitors - why must I abide by a foreign law?
because the EU has enough global influence in terms of it economic power that it is able to hurt economic interests of US companies who want to operate in the EU.

For most of the world, this has been true in regards to following US laws for a long time. (DMCA, copyright law)

In the end, international law is mostly a game of (economic) influence, and the EU is economically significant enough for these companies for EU law to matter.

> For most of the world, this has been true in regards to following US laws for a long time. (DMCA, copyright law)

Let's not pretend that the US is unilaterally shoving copyright law onto the rest of the world. When the US made its last major overhaul of the copyright system, it was to harmonize copyright law with what already existed in Europe. In addition, the EU already signed onto the TTIP, which is a massive concession to the media industry on copyright. That wasn't due to US influence; in fact, the US backed out of the TPP.

> the EU already signed the TTIP, which is a massive concession to the media industry on copyright. That wasn't due to US influence; in fact, the US backed out of the TPP.

TTIP was NOT signed into law already. It is also a completely different treaty from TTP. (TTP has nothing to do with the EU btw).

> TTIP was NOT signed into law already. It is also a completely different treaty from TTP. (TTP has nothing to do with the EU btw).

TTIP hasn't been signed into law, but it's been written by EU member states to serve EU members' interests, so it's pretty reasonable to use it as a measure of what the EU wants.

TPP is a different treaty from the TTIP, though not very - the TPP and TTIP were written in tandem to be companion agreements, and the TPP contains many provisions that were explicitly included as concessions to the interests of EU states, even though they're not parties to the TPP itself.

How can a US embargo on certain countries disrupt their trade with the rest of the world?
It's really funny to read this because my perception, possibly wrong, is that the U.S. acts this way all the time to the rest of the world.
That perception is likely more true than many Americans would prefer to admit.
As an American, I agree with this. It comes down to the value of the market. GDPR has a major impact on American companies because the EU is a valuable market - as I understand it, every company has the option to opt out of GDPR by ceasing operations in the EU, which would mean blocking EU traffic (I may be oversimplifying a bit, but the crux is the same). The US treats the rest of the world complying with its laws the same way, and any company could opt out of US laws by not servicing US customers.
(comment deleted)
Can you provide a few examples?
In Sweden we have a mandatory tax on all storage units, harddrives, dvds usb drives, you name it. This is to combat piracy and the loss of profit for companies.

Of course this was pushed through by US lobbyists and, you guessed it, that's where the money goes as well.

> Of course this was pushed through by US lobbyists and, you guessed it, that's where the money goes as well.

You can be certain that some (local) politicians got some kick-backs out of it.

Completely different situation. If it was only to sales to US customers, then it would be comparable. That the Swedish government allowed external influence to change the laws for its own citizens is nothing like the GDPR applying only to EU citizens.
Same in Slovenia, I think. I actually love this tax! It allows me to pirate guilt-free :D
The US expects to be asked permission before encryption technology can be used in a software product. Our copyright and general intellectual property policy has been pushed on everyone else. We (The US) even go so far as to heavily interfere in other countries politics, covertly or overtly, to maintain favorable trade conditions and protect our prevailing ideology.
Digital Millennium Copyright Act (DMCA) and Fair and Accurate Credit Transactions Act (FACTA)/Fair Credit Reporting Act (FCRA) are the two obvious ones.
DMCA is a big one. Copyright, in general: not complying with US regulations, even if you are in, say Sweden (cough Pirate Bay), is unwise.

There is also the impact of PATRIOT section 215 and FISA, which requires some foreign companies to ensure that some sensitive data is not stored on devices operated by American companies.

FATCA is a huge one. It's a huge cost to European tax payers and it's not even clear if it benefits Americans.
FATCA, for example. It forces all foreign banks with US customers to report their customers and their assets to the US treasury or suffer a 30% withholding tax on all US sourced payments [1].

Needless to say, non-compliance is not a real option for most banks, given the importance of the US in the banking sector, so they're essentially being blackmailed into compliance.

(Unfortunately for US expats, some foreign banks figured out that the easiest way to be compliant was simply to get rid of their US customers.)

[1] https://www.law.cornell.edu/uscode/text/26/1471

The US pulling out of the Iran Nuclear Deal, and forcing sanctions on those companies that are doing business both in Iran and the US.
The US blocked Antiguan gambling companies from doing business with American citizens, despite permitting domestic companies to offer the same services. The US lost a WTO dispute and refused to pay the settlement, which now amounts to nearly $300m. Bizarrely, the WTO granted Antigua the right to breach American copyright law by way of restitution.

https://calvinayre.com/2016/11/28/business/antigua-warn-amer...

(comment deleted)
If a US-based company is not making any money from EU-based users or companies, I don't think there's anything they have to do. When they do, however, that money supply can be targeted.
GDPR is far more aggressive than this. If you collect data on EU residents (this data collection is defined extremely broadly - basically any kind of logging or tracking on a session level), GDPR applies, and the fines are based on global revenue, not revenue derived from EU users.
The EU can't reach over into another country and start applying their laws unless they are willing to invade. The only way the EU has to enforce this law is if you interact with them, so they can physically block or take your assets, or if your government thinks that the EU laws should be applied at home, in which case why are you complaining to the EU?

There is no world police enforcing laws in every country. It all boils down to a monopoly on violence and if a country can't physically get to you or your stuff you can tell them to fuck off all day

If they can enforce their data protection laws on the global net, why can't they enforce their 'hate speech' laws on the global net?
They do. For example, Twitter filters out Nazi related hate speech in Germany and France.
I think the spirit of GDPR is to target the multinationals who also have tax dodging subsidiaries the world over. E.g. The EU could calculate global revenue for Facebook and then fine Facebook Ireland (or wherever) the resulting sum; which Facebook Ireland would be legally obliged to pay. But I am speculating

Edit for clarity

What happens if you have no presence in the EU and the EU tries to fine you? How do they actually get you to pay the fine instead of just ignoring it?
You just become persona non-grata in the entire continent of Europe.
The company can't make business deal with europe. People owning the company are fine and can't visit with no fear of being annoyed by the police, the EU is not the US.
What organization is responsible for fine enforcement?

If such a fine is levied, but the company is based in China, does China have any treaties with the EU demanding the fine be enforced, or can they tell the EU to go pound sand?

GDPR could become a global thing, because it could be used by the EU as a predecent for Free trade agreements. (which most nations in the world are happy to sign).
It could, but with controversial concepts like "right to be forgotten" baked into the GDPR, I don't assume most nations will necessarily be happy to sign "free" trade that requires them to rewrite history records.
Yesterday I was presented with WeChat's Cookie policy for European users [1] for the first time, and they appear to have a European subsidiary, which could probably be fined. Of course they could just decide to fold that operation, especially considering (IANAL, but) the policy doesn't appear fully GDPR-compliant. I doubt that they are making significant profit in Europe anyway.

[1] http://www.wechat.com/mobile/htdocs/en/cookies_policy.html

It’s questionable as to whether or not judgements under the GDPR can be enforced in the US. There are existing treaties that generally enable this, but those also allow for a large number of exceptions. One of those exceptions is usually where something is illegal in one country and not illegal in the other, but we’ve been told there may be exceptions to that as well. It’s a big mess, but generally it would be up to a US judge in each individual case to decide whether the judgment can be domesticated.

However, recital 23 makes it clear that you do not need to comply with GDPR unless ”it is apparent that [you] envisage offering services to data subjects in one or more Member States in the Union”. In other words, it’s not your fault if you are a US-based site and it goes viral in the EU unless it was targeted to them.

Don’t translate to EU only languages, mention EU users or customers, or use an EU-based domain extension. You can also announce your intention to not serve EU customers by blocking EU visitors. Even though some EU traffic may get to your site through VPNs etc, merely trying to block them is more than enough to show that you do not “envisage” serving EU customers, which makes you not subject to GDPR. Those EU users that evade your block through technical means are not subject to the protections of the GDPR.

Finally, one law firm suggested that we put a checkbox similar to this on our registration forms:

”This website was designed to comply with US privacy laws. By checking this box, you attest that you are NOT subject to any law or regulation that conflicts with or is more restrictive than US privacy laws, including but not limited to the GDPR.”

Hm, that seems like a good advice, I was thinking about that too, and came to quite tricky problem, hypothetical situation: EU user uses technical measures (or just click the checkbox) to circumvent your blocking and then sues your ads provider which is US based and does operate in EU, due to personal data collection without consent. And they figure out they are having legal/operational costs due to you, as operator, serving them poisoned data.

Can they (ads provider) sue you? And if they do, even if you are not guilty, how much money would it cost to win at the court?

Talk to any proponent of the GDPR, and they’ll tell you that it’s all about principles and intentions. But that’s a double-edged sword. Sites can’t lure EU users in and ignore GDPR, but at the same time, users cannot lie to you, and then go file a complaint with a regulator or demand rights that they told you they don’t have (either by using a VPN, which means they are lying about their location, or checking the box attesting to something they know to be false).

When looking at whether an action can proceed under the GDPR (either against you or an ad network whose code you have on your site), their regulators will review your site and see that the checkbox was required to register. That, combined with not having content or services targeted to EU users, should stop any GDPR action in its tracks before it is filed.

This of course all depends on the GDPR being enforced in good faith. They have every incentive to be abusive with it, and no incentive not to be. But we just have to hope that newly self-declared privacy overlords in the EU are kind and benevolent.

> Talk to any proponent of the GDPR, and they’ll tell you that it’s all about principles and intentions.

Here's a random and perhaps unfounded thought that I've had a couple of times regarding this line of thought re: GDPR.

What to stop some foreign bad actors from abusing the hell out of this legislation and burning up more useful time and energy on it? Moving beyond that, it would very likely serve to further divide and erode the trust between the EU and the US.

For example, if we're to assume that Russia is seriously meddling in everything that they currently stand accused of meddling in, essentially engaging in some loose, and seemingly effective (depending on who you ask), forms of cyber warfare, then what is to stop them from turning this regulation in to a complete nightmare for US/EU relations and further driving us away from our common goals?

It just seems to me that these sorts of good faith and intentions based laws don't work as effectively in the modern era as they maybe once did.

edit/ It honestly doesn't even need to be so malicious. I could imagine trolls causing more than enough trouble for small businesses just for the lulz.

What to stop some foreign bad actors from abusing the hell out of this legislation and burning up more useful time and energy on it?

Nothing, and in fact it incentivizes each of the 28 countries to act in bad faith. The crippling fines authorized by GDPR have the potential to both create enormous revenue streams and hobble foreign competitors of local companies. GDPR advocates say this won’t happen, but there is nothing to stop it.

> further divide and erode the trust between the EU and the US.

You mean more than all the leaks of EU data by US companies that go unpunished because of loose/nonexistent US privacy laws?

Yes, but doesn't the checkbox you mentioned, does exactly that, force the users to ignore their rights for the sake of using your site? If this would be acceptable, it would put GDPR into position of cookie law nonsense and if I understood ICOs correctly, this doesn't create a consent as user had no free choice. There is a human rights interpretation here, for example, if we create a contract, that I will be your slave and you give me a car in return, it is quite simple for me to sign it, that contract would be void even if you prove, that I signed it.

The ICO put a market of live human organs as example.

In same manner, even if I would click that I agree, that your site is designed for US privacy laws and not for people under GDPR protection, it would be the same as you would warn me, that I will be your slave before signing and that I can just walk away and don't take the car. But if I take the car, the contract would still be void. I don't think that this would fly.

The problem is not in the GDPR requirements but rather in right to privacy as fundamental human right and GDPR is just an advice how to respect it - it is actually a free help.

What you want to avoid is something much bigger than the checkbox on your site or ip blocking, check here "The Bill of Rights":

https://en.wikipedia.org/wiki/Fundamental_rights

This is something you shouldn't even think to violate, not to EU or US users. Or anyone else.

Yes, but doesn't the checkbox you mentioned, does exactly that, force the users to ignore their rights for the sake of using your site?

It doesn’t force them to do anything, nor does it ask them to waive any of their rights (which is often illegal and/or unenforceable). Instead, it asks them to certify that they are not subject to laws more restrictive than those in the US. If they are, they are not allowed to register. As the site owner, you have a legal right to rely on your users not lying to you. Your slavery example is an entirely different scenario - you are asking people to waive rights they have (to not be a slave in this case). That’s not what this checkbox says.

The main point of the checkbox is to signify your intention to not offer services to people subject to the GDPR or other restrictive laws. We have been advised (by actual attorneys) that this should meet the standard built into the GDPR that we do not “envisage” the offering of goods or services to those subject to it.

Exactly this is the problem of GDPR, user can lie, and you have no passive defense against it, you can't even make an excuse, you didn't know. You shouldn't even offer him a choice. The only defense is that the user gives you consent to it (at least GDPR is giving that choice). Everything else is void. Same as with slavery. You can't violate fundamential human rights even if user begs you to do it, except in states like South Korea, China (actually, you don't need to beg there =/)

I think that at the end, world will be better place due to GDPR, but there is surely some rough ride ahead - not due to respect of privacy but due to violating it so often that it became normal to us.

Again, if they lie to you, you’re covered. It’s about your intent. Do you intend to offer goods and services in GDPR-affected countries? If you have a checkbox like this, then you clearly don’t, and GDPR does not apply to you.
Yes, I understood your point, but I think you are struggling with mine, you might not offer goods to EU, but your ads provider might. And by feeding it with GDPR protected data it might sue you, on local courts, just for the PR reasons or something else. I am not saying they will, I am just showing you the justification why they might.

I think that much greater threat is comming from a direction of US companies you use than from EU courts this (again, might) become another "patent trolling"-like action from some US companies.

Yes, but you’re feeding them data based on your understanding that the user is not subject to the GDPR. Under GDPR, site owners have the responsibility to determine this, and they rely on you to not load their code if a user is subject to it. So the EU cannot go after anyone whose code is on your site (ad networks, analytics providers, etc) if your site does not “envisage” offering services to EU residents.
Well, we can't be much smarter than this, we will see, but I am more concerned about this than GDPR on its own.
(comment deleted)
Well, for one, many of these companies, like Facebook, are not US companies. They're headquartered in Dublin, an EU country.

And, you don't have to abide by foreign laws as long as you never intend to go into that country or do business with people in that country. But, as many EU companies are about to find out, they're subject to US laws, most notably those pertaining to sanctions on Iran. So why shouldn't US companies be subject to EU laws?

If none of your customers are outside the US, go ahead, feel free to ignore GDPR. When companies are unable or unwilling to discriminate their service by geographical boundaries, the country with the strictest law rules.
I have been helping a school who I do IT work for with their GDPR roll out - not because it is my area of expertise but because they had nobody else to turn to and the Local Authority who control the school have released zero guidance in preparation.

There are many, many unresolved issues:

We are supposed to employ a 'data officer' this basically cannot be anyone who works in the school at present. We sought volunteers but didn't get a single applicant. It is difficult to justify paying someone to do it (if you can find a qualified person) - the budget for things like school books is already paper thin.

I contact external suppliers who use our data and receive a wall of silence.

Things like publicly visible visitors books are outlawed (depending on how you read guidance), the alternative are electronic systems - more cost.

Displaying certain sensitive information, prescriptions for pupils, are now outlawed, this could compromise safety.

There seems to be a raft of GDPR training systems which are basically a single page questionnaire, costing upwards of £300.

I don't have an issue with what the legislation is trying to do it just seems so vaguely implemented. Basically we all know that the organisations who need to clean up their act will be doing the least to comply.

> Things like publicly visible visitors books are outlawed

Does this mean the quaint guest book visitors could sign at the hotel I stayed in a couple weeks ago would be illegal under the GDPR?

We have been told so, if you are publicly displaying personal information about an individual without their permission. Of course their are ways around this, using a single sheet for each person for example.
FFS, no. It's optional, you volunteered the data, and the data is used for it's intended purposes. This is still fine.

(What wouldn't be fine is scraping the guest book, and then using that info)

GDPR mandates that you can see your data and remove it in a timely fashion. If you can't contact the person with the guest book some years later, then you can't see your data in a machine-readable format or delete it.
There are limits to which data can be requested to be deleted.
It seems like this would be a trivial problem to solve. In the extremely unlikely case that some guest requests access to or deletion of their data in your physical guestbook, just ask for the approximate date of their stay, look through the book for the relevant page, (presumably entries are sorted by date), make a copy for them (with the data of anyone else that wrote on the page censored out), and stick the original in the shredder. Done.

Yeah, it's gonna take you ten, fifteen minutes, but how often is it going to happen, realistically?

1) Are you allowed under the GDPR to ask for additional information (i.e. date of stay in this case)?

2) If you stick the original in the shredder, you are removing much more than just the requestor's data.

>1) Are you allowed under the GDPR to ask for additional information (i.e. date of stay in this case)?

You can ask for whatever you like. If I hold any data about you, I have to provide it. It is my responsibility to either store personal data in a form that is amenable to access requests by data subjects, or delete it immediately.

>2) If you stick the original in the shredder, you are removing much more than just the requestor's data.

There is no "right to retention" under the GDPR. Unless I am obliged to retain that particular data under some other legislation, the GDPR requires me to retain it "for no longer than is necessary for the purposes for which the personal data are processed". The regulations specifically require you to delete personal data as soon as possible. Throwing the whole damned book into the shredder is not only permissible but actively encouraged.

https://gdpr-info.eu/art-5-gdpr/

> Yeah, it's gonna take you ten, fifteen minutes, but how often is it going to happen, realistically?

Sounds like a DDoS waiting to happen.

It does not have to be machine readable. GDPR is technologically neutral. If the medium of storage is paper, a data subject access request can be fulfilled on paper. For example, photocopy the page, redact the other names, and mail the copy to the data subject.

If the data subject access request is sent by email, you can take it a step further and scan and email that page. Still, it does not have to be machine readable.

Can you point me to the text in the GDPR says what you are saying? IANAL and there's a good chance I'm just misreading the GDPR, but doesn't Article 20[0] completely disagree with you? In addition, imagine the person with the guest list lost the password to their email after putting you on their guest list, and now you don't have their new email address to ask them for the data

[0] https://gdpr-info.eu/art-20-gdpr/

1(b) of article 20 clarifies that it had to be machine readable where:

the processing is carried out by automated means.

That's the right to data portability, which is your right to have your data with an electronic service transferred to another service in a machine readable format.

It has nothing to do with data subject access requests, which is encoded in Article 15: https://gdpr-info.eu/art-15-gdpr/

"Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form."

That does not mean machine readable.

If you run a hotel, you can presumably answer the phone, and a photocopier and a dark pen should be enough to comply with reporting and deletion requirements.
Disclaimers, although I was responsible for implementing GDPR for a subsection of a bigCo, I am not a lawyer, do not speak for my company, etc. I've just been getting increasingly annoyed by the amount if misinformation on both sides of the GDPR debate, (that it's both a straight good or a straight bad) even in sister comments to this, that I figured I'd try and give a Real Answer to your question.

They would need to provide functionality such that an EU resident could request timely export and deletion of any records belonging to them in that guestbook.

If your guestbook is physical and substantial, this may be limiting without additional systems, but GDPR also is rather vague in the pushback you're allowed to give if you're completing the export with best intentions, so this will likely not be settled until precedent occurs; this will be even more grey-area due to considerations of "ease of access" of the information in question, and other "softer" considerations.

So to answer your question more bluntly: Without the bare minimum of a business process for someone to call up and say "I want to export/delete my entry in your guestbook" I'd say the experts who guided my team would probably agree that the business owner should err on the side of assuming non-compliance, so long as you don't reasonably preclude EU visitors.

Can you clarify how your entire response is substantially different in any way from the single word "maybe"?
"maybe" doesn't detail the steps you could take to bring yourself into compliance, doesn't describe the specific decision points that put you at risk, and doesn't describe how the "maybe" ever resolves to a hard "yes or no"

I've given you the benefit of the doubt in answering this honestly but I don't think you read my initial response charitably.

I would say that you could provide a notice specifying that signing the guestbook also constitutes consent to the public display of the person's name.

If you want to take it further, you could ask them to submit a small form confirming their consent.

Worst case, you redact their name -- use a marker! -- and document that process as part of your data review.

Either way, it's complete overkill. It's not about following the letter of the law; it's about the spirit of the law. No one is going to get sued or fined for providing a public guest book.

Two notes here:

First, pedantically, (But in the interest of maintaining my "trying to reiterate the letter of the law as I understand it") I'm pretty sure interactive/implied consent isn't considered sufficient; (Interactive consent being what was allowed for EU cookie compliance) and that one cannot "Sign away" GDPR protection.

Second, while I agree that it's overkill, I'm operating from the "This is the rigorous interpretation that people far more legally versed than myself have established". This may not be the right decision for a smaller corp or business entity, as it is in my case for a notable multinational. While I might agree that I'd have an absolute spit-take if such a small entity were made an example of, I can also understand the paranoia on the other side, especially given the context of US jurisprudence and how it differs from the "tone" of EU-style enforcement.

No argument on either point. We have to be practical, though, and the law is usually forgiving of such practicalities.

You're right, though: strictly speaking, it's not compliant.

>If your guestbook is physical and substantial, this may be limiting without additional systems, but GDPR also is rather vague in the pushback you're allowed to give if you're completing the export with best intentions, so this will likely not be settled until precedent occurs;

And then you are fined 4% of revenue when you are the scapegoat setting a precedent for a vaguely defined law...

sigh..

the 4% is the maximun fine allowed.. its not a minimum..

this FUD is getting idiotic.

>the 4% is the maximun fine allowed.. its not a minimum..

I think it's always safe to assume the worst from bureaucrats. Especially when no sentencing guidelines exist.

>I think it's always safe to assume the worst from bureaucrats.

No it isn't. As a law-abiding web developer, I have had frequent contact with European data protection authorities for many years. Without exception, they have been thoughtful, reasonable and gone out of their way to help me comply with the regulations.

The regulatory authorities exist to ensure compliance, nothing more. They are not a revenue-generating scheme or a Kafkaesque bureaucracy.

The GDPR explicitly states that penalties must be proportionate and sets out no fewer than eleven factors that must be considered before any penalty is issued. It also explicitly establishes a mechanism for ensuring that enforcement is consistent across all member states, by means of the European Data Protection Board. The regulations simply do not allow a member state to "go rogue" and start handing out €20m fines for trivial infractions.

https://gdpr-info.eu/art-83-gdpr/

https://gdpr-info.eu/chapter-7/

> The GDPR explicitly states that penalties must be proportionate

Proportionate to what? The max fine is 4% or revenue or $20 million dollars, whichever is larger.

So is it proportionate to the $20 million dollar fine? If my infraction was small they can just fine me a small proportionate fine of 1% of the maximum.

Why couldn't the EU bureaucrats have stated in clear terms what infractions would receive what fines? Why couldn't they have released a sentencing guideline? And there will be 28 countries applying this law and setting fines in a thousand different ways.

> They are not a revenue-generating scheme or a Kafkaesque bureaucracy.

This law is absolutely kafkaesque and you can't point to any written case law or section of the law that can concretely dispel my doubts since it does not exist. All you and other posters can do is state that I'm spreading FUD and give me feel good assertions about how I can trust in the benevolent EU bureaucracy and that I should have faith in the system. Can you not understand why I can't take that seriously when millions of dollars and my entire way of life are at stake?

> Why couldn't the EU bureaucrats have stated in clear terms what infractions would receive what fines? Why couldn't they have released a sentencing guideline? And there will be 28 countries applying this law and setting fines in a thousand different

"So, using customer email addresses for marketing lists and not infringing any other way is a worth a 0.1% of revenue fine but our analysts project a 0.5% increase in revenue from our marketing list, so let's do it anyway". It's to give authorities scope to punish organisations making calculations like the above, more than "Your local library decided to tell everyone who took out a book last year about their new book club, not realising it's an illegal use of personal data".

And you are allowed to take it to the european court if you think the fine is bullshit. And if you don't already know, european court don't take bullshit very well.

Anyway, all regulatory instances are working together (in a group named G29, imagination is not their strength) to draw guidelines for fines and warnings. They will also discuss together ongoing cases (to avoid multiple prosecutions i guess). If you are not trying to cheat data from your customers and if your security is up to date, you risk nothing.

Actually, the maximum fine is 4% of revenue or €20m, whichever is more. For a small business or organization, the 4% number isn't the scary one.

You can say that in practice this would never happen, but calling it FUD also doesn't seem right since the regulation is super vague and only mentions maximum fines, not likely actual fines.

That will never, ever, ever, ever happen. I guarantee that no inn will ever be fined 4% of revenue over a simple paper guestbook.
You really don't think it's possible that one of the 28 member nations of the EU will pass down an absurdly large fine for some minor infraction? This happens all the time...

The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined and some judge that is in a bad mood or hates the idea of my business can simply fine me 20 million to kill my business and still be abiding by the letter of the law.

> You really don't think it's possible

For signing a guestbook or something similarly trivial? No.

If you truly believe that (if it really escalated) the European Commission, and then the European parliament, and then ultimately the European Court of Justice is going to put up with 20-million-fine-for-a-guestbook shenanigans, I don't know what to tell you, except that I think your definition of "reasonable" is not reasonable.

Maybe I'm not jaded enough, and I can believe in a single bad actor, but all of them? Including an entire institution that has direct public accountability?

As an aside, I think it would be helpful if participants in GDPR discussions would indicate if they approach it from a USA or EU angle (or even a non-EU and non-USA perspective. I've haven't really noticed any specific opinions from outside the USA/EU).

"You really don't think it's possible that one of the 28 member nations of the EU will pass down an absurdly large fine for some minor infraction?"

For the infraction of having a guestbook? Absolutely not.

"The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined"

I don't see that as a problem.

" some judge that is in a bad mood or hates the idea of my business can simply fine me 20 million to kill my business and still be abiding by the letter of the law."

Then you appeal. You're acting like there's no recourse or appeals mechanism for you.

> The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined

The law specifies the maximum fine, so you can't go over that. It also specifies that fines have to be proportionate. If you think the fine is disproportionate you have the right to appeal - that is also built into the law. If you think the appeal erred in law you get further rights of appeal. If your country hasn't made these legal routes available to you then you can take your country to the European courts.

In America in this century they tried to seize an entire inn for renting to the wrong kind of people.
Maybe not today, but who knows how this law will be used in the future. This could be used shut political website by slapping it with fine for non compliance. Vague law means any company can be found non compliant. By the time you appeal you'll be bankrupt.
Stop spreading FUD please. 1: fines are up to (4%? thought it was 2%) depending on the offense (i dont think even Cambridge analytica would qualify to max fine, even if they were a persistant offender).

2: Yes some terms are vague, some part are vague too (what is considered "big scale"...) but if you want to cry about a vague law that enable government to shut down businesses, look at FOSTA-SESTA. This law is also vague to allow european countries to tinker around. Moreover, a vague law is often in favor of the defendant on european courts (if a litigation is ever taken to european court), so this is an advantage for owners.

3. A warning will be issued before any fine, then some time would be given to comply. If complying is difficult, regulatory instances have to help you by giving you ideas/examples/advice.

4. In the case of a physical guestbook, i'm pretty sure the regulatory instances will just laugh at the demand and ignore it anyway.

5. We had a CNIL contact before the GDPR was even drafted (we host health data) and we store non-hashed IP address of our customers (for ip whitelisting), name, surname, email address and phone number. Everything seems good for him as long as our security audits every year are good. I'm pretty sure we hold more client data than almost every small to medium shop whose business is not selling customer data, yet members of regulatory instance say we are okay. This panic is ridiculous.

>Stop spreading FUD please. 1: fines are up to (4%? thought it was 2%) depending on the offense (i dont think even Cambridge analytica would qualify to max fine, even if they were a persistant offender).

I have to laugh since you are telling me to stop spreading FUD and you can't even cite off the top of your head if the fine is 4% or 2%.

The fine is 4% of worldwide revenue or $20million (whichever is larger).

>(i dont think even Cambridge analytica would qualify to max fine, even if they were a persistant offender).

Can you cite the section of the law that makes you so confident in making this assertion?

All the people telling me to stop worrying don't seem to have any ground to stand on. I've read so many feel good assertions about how "this is not how EU law works" and I can't trust any of them since none of the assertions people are stating so confidently are written into the actual law.

All I know is what is possible. If I am violating GDPR in any way I could be fined $20 million dollars and frankly I don't want to be one of the legal pioneers to find out how each of the 28 member states of the EU will interpret how to apply this law.

> The fine is 4% of worldwide revenue or $20million (whichever is larger).

It is incorrect to suggest that a simple error will lead to the maximum fine. Here is the text of the regulation that sets out all the tests.

https://gdpr-info.eu/art-83-gdpr/

---begin---

Art. 83 GDPR General conditions for imposing administrative fines

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

1Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). 2When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

> the intentional or negligent character of the infringement;

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

> any relevant previous infringements by the controller or processor;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the categories of personal data affected by the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

> the obligations of the certification body pursuant to Articles 42 and 43;

> the obligations of the monitoring body pursuant to Article 41(4).

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

> the data subjects’ rights pursuant to Articles 12 to 22;

> the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

    Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines >up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
        the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
Which part of that applies to an address book?

And, again, that's the maximum possible fine for the worst case - taking into account all of this:

> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

> the intentional or negligent character of the infringement;

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

> any relevant previous infringements by the controller or processor;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the categories of personal data affected by the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

Suppose they wanted their data removed from the guestbook. Would simply taking some white-out to where they signed it be enough?
Absolutely not.

At best, you can challenge them to remove the page with your contribution to the guest book.

TipEx would do, and you could preserve the page.
TipEx == White Out for other US residents. (I had to look it up.)
(comment deleted)
As far as I'm aware, GDPR doesn't make any new prohibitons in this regard - however, it's quite plausible that they were already technically forbidden for years by the earlier data privacy laws, but simply most organizations didn't pay much attention to them.
Recital 15 of the GDPR states that it only applies "to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system."

So if you don't file the sign in book, it's out of scope of the GDPR.

> I contact external suppliers who use our data and receive a wall of silence.

> Displaying certain sensitive information, prescriptions for pupils, are now outlawed, this could compromise safety.

Oh no! Protecting pupil's private information. For me, the shocking part is that the suppliers aren't receiving anonymized data already.

I don't think you read the sentence properly before responding. Notice the word "safety" there? I presume he's talking about issues where you need ready access to medical data for students to allow a quick response to medical emergencies in class or elsewhere. Things like allergies and other conditions where normal first aid might cause serious harm.

There seems to be two types of responses to GDPR. On one side people saying "I don't see what the problem is with just doing the right thing!" and on the other people that have thought about it in a real-world scenario to realise what the problems might be.

That's not how I read it, since there's already data protection laws for how to handle kids information. If the data is being used for it's intended purposes ("Parents, give us this information so we can use it in an emergency"), and there's some kind of safe-guard (Only teachers can see it), that should still be fine. What about that under the GDPR is not okay?
> What about that under the GDPR is not okay?

I don't know because I didn't write the original post. However your interpretation seems rather peculiar considering the last part of the sentence explicitly mentioned safety issues. One should surely give the original commentator the benefit of the doubt that he talking about a real issue and not just saying "I don't care about pupil's privacy"

These mesical data were supposed to be private by other laws even before - unless you have consent from parent.
> this basically cannot be anyone who works in the school at present

Why? That isn't a requirement of the law. I could understand how existing staff wouldn't want to take on the role without additional renumeration, but the liability would naturally fall on the head.

Depending on the organization, it can be quite hard to find someone who does not have a conflict of interest while still having the necessary skills to act as a Data Protection Officer. As an example, someone working in IT might have the necessary skill, but is likely to have a conflict of interest because part of their duty as a DPO would be to inspect their own work.
The GDPR is pretty vague on that point -- from https://gdpr-info.eu/art-37-gdpr/, the regulation just says:

> The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

It seems to me a bit of a stretch that working in IT is a conflict of interest with adhering to data processing regulations; ensuring that your infrastructure is compliant is generally one of the remits of the IT function. You could convince me that the head of "analytics and user data extraction" at Facebook might have a conflict of interest with the DPO hat, but I'm skeptical about the broader claim that these conflicts are hard to avoid.

> It seems to me a bit of a stretch that working in IT is a conflict of interest with adhering to data processing regulations; ensuring that your infrastructure is compliant is generally one of the remits of the IT function.

That's a bit like saying auditing/compliance is something that you might as well let the accounting department take care of. It's certainly true that making sure you're compliant with various regulations is a large part of what someone in accounting does, but it seems pretty clear that you can't let the same person be the auditor as well without a conflict of interest, and that's roughly what the role of a data protection officer is all about.

There's some evidence that data protection authorities share this view; a German authority fined a company after they appointed the IT manager as their DPO[1] (sorry, German-only source). It might be too early to say for sure how this will play out, but I wouldn't gamble on data protection authorities accepting just any IT employee unless they're working in some very specific role that prevents any conflict of interest.

[1]: https://www.lda.bayern.de/media/pm2016_08.pdf

That's interesting, thanks for sharing -- but that linked article is from 2016, so not sure it can refer to the GDPR DPO.

What DPO is that case about? Is it under the DPD (which GDPR supersedes)? If so, what does the DPD say about conflicts of interest and DPOs?

If the law that this case was prosecuted under has as loose a definition as the GDPR, then you're right that this implies German regulators could well enact the GDPR under that interpretation too.

Presumably the legal basis would've been the Bundesdatenschutzgesetz, which is Germany's implementation of the DPD. The DPD itself is not very specific, only saying "such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;". The language in the Bundesdatenschutzgesetz itself[1] is quite similar to the DPO language in the GDPR.

[1]: https://www.gesetze-im-internet.de/bdsg_1990/__4f.html

> Depending on the organization

We're talking about a school here.

If a school has to say, "We can't appoint our IT-person, because they're also the one aggregating and profiling the data-profiles of our students for advertisers, so it would be a conflict of interest," that school has bigger problems than GDPR compliance.

This is not about advertising or any kind of misuse of the data. Rather, IT's role is very much one where they they setup and maintain systems and procedures that process data. It's certainly true that GDPR compliance is something an IT person will have to think about, but making the same employee responsible for auditing that things are compliant is quite a bit of a conflict. Auditing versus accounting is a similar concept.
That isn't a conflict, that's a bloody huge incentive to get it right.

They'd be responsible, liable for compliance.

> We are supposed to employ a 'data officer' this basically cannot be anyone who works in the school at present.

Naive question: isn't the data officer basically a single point of contact on data issues (and have some general knowledge on the topic)? Why can it not be someone working at the school?

By default, if they cannot delegate, wouldn't the responsibility go to the director of the school?

I feel like we tend to be overly pedantic in how we interpret some of the GDPR. For example, a small shop might not have a physical security officer. The owner/manager of the shop still has to have some general sense about ensuring the physical security of the shop, dealing with contractors/vendors (alarm system), etc.

With data collection, isn't it the same? Aren't people already doing this? No one would collect data, and not care about its basic security?

I think it's great that GDPR is forcing people to wonder: what data do we have, is it shared, who is responsible, what's the retention, and can it be deleted on request. After that, I don't buy into the fear mongers trying to make a quick buck.

>No one would collect data, and not care about its basic security?

Um...

I think that's exactly what most small organizations do.

A small shop absolutely does not need a DPO. See guidance here: http://gdprandyou.ie/data-protection-officer/

If the small shop happens to be collecting sensitive personal data -- health data, political affiliations or union membership, etc. -- (a) they should probably stop and (b) they would need a DPO.

Highly unlikely in any case !

As to the DPO, it is meant to be an independent person within the organisation, who cannot be unduly influenced by management, etc. Assigning the role to a regular employee who, e.g., reports to the principal and is a teacher by day, would not seem to satisfy the requirement.

Bear in mind that a DPO has to have "expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39".

The link you provided says you need a DPO in an organization

> Where the core activities of the organisation (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale

Small shops contain things that they sell, and they also keep records of selling things for tax purposes, and may even have video cameras to avoid getting robbed. IANAL but isn't that a lot of data processing operations, and isn't there lots of systematic monitoring of individuals?

Or are you saying that because it's not "large scale" (e.g. only 100 people walk in a day) and it doesn't have sensitive data, then it's immune?

The core activities of a small shop do not consist of data processing operations which require monitoring people.

The core activities of a small shop include some data processing operations that don't require monitoring people (e.g. records of what they sell), and an anti-robbery video camera isn't a core activity of their business; I'd even assume that it's not looked at most of the time and is even more likely to be outsourced to some security company (which would have a DPO).

Keeping things for tax purposes requires no consent, same for anything you are legally required to keep record off. Video cameras most certainly fall under legitimate interest (as long as you follow the law about using surveillance in your country).

From what I recall on the info I've seen locally is that you don't need a DPO until you hit 250 employees.

(comment deleted)
A DPO is only mandatory if the core activities of your business include regular and systematic monitoring of individuals on a large scale, or include the processing on a large scale of specially protected information.

A shop only processes personal data as a secondary activity, with their core activity being selling merchandise. The data they do process is not in a specially protected category under the GDPR and pertains only to their business rather than the wider lives of their customers. They do not need a designated DPO.

A social media network, an ad tech company or a credit reference agency does need a DPO. A manufacturer of IoT gadgets that constantly phone home with a stream of usage data almost certainly needs a DPO. If the IoT gadget I sold you tells me what time you get home from work and what time you go to bed, that sounds an awful lot like "regular and systematic monitoring". A manufacturer of IoT gadgets that only phone home occasionally with fully anonymised error logs probably doesn't need a DPO.

This sounds pretty reasonable - I misjudged how bad the DPO requirement was. Thanks for explaining it to me!
>We are supposed to employ a 'data officer' this basically cannot be anyone who works in the school at present.

As a public body, you are required to appoint a data protection officer. That officer may be an existing staff member, provided that they have suitable training. They may fulfil other tasks and duties, as long as these duties do not result in a conflict of interests. The same person can act as the data protection officer for more than one organisation, so you could share a DPO with other schools or the local authority. (GDPR Art. 37-39) If no-one in your organisation is competent to act as a DPO, then you were almost certainly breaching the Data Protection Act.

https://gdpr-info.eu/art-37-gdpr/

>Things like publicly visible visitors books are outlawed (depending on how you read guidance), the alternative are electronic systems - more cost.

They were already illegal under the Data Protection Act. You can use visitor forms or cards instead of a visitor book - the receptionist still has a record of visitors, but their personal information isn't on display.

>Displaying certain sensitive information, prescriptions for pupils, are now outlawed, this could compromise safety.

This was already illegal under the Data Protection Act. If parents want staff to be aware of sensitive medical information relating to their child, you should have taken a written declaration consenting for that information to be shared. That information should not be displayed in a place where pupils, visitors or any other unauthorised person might see it.

A school does not necessarily meet the definition of a public authority [1]; I would say it's not; it depends on individual EU countries to legislate on that definition.

Furthermore, in Ireland, for example, fines cannot be levied against public authorities: https://www.irishtimes.com/news/crime-and-law/public-bodies-...

[1] https://www.lexology.com/library/detail.aspx?g=e71ac55f-566b...

The Data Protection Act 2018 was passed by parliament today. It applies the definitions of "public authority" given in Schedule I of the Freedom of Information Act 2010 (with a few exceptions), so maintained and academy schools are considered public authorities for the purposes of the GDPR. It does grant the Secretary of State the right to alter this definition, so it's possible that schools could be removed from this scope if the impact is deemed to be unreasonably onerous.

http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180...

I bet the folks in Dublin will be happy to know that UK law applies to them again /s
The chap I was replying to mentioned that something would cost him "£300", not "€300". It's a reasonably safe bet that he's in the UK.
Fair enough. I haven't reviewed the UK legislation.
Unfortunately, most organisations need professional guidance on GDPR, and that's not necessarily cheap or accessible to the budget-constrained. A few points on their issues (IANAL):

1. Most organisations do NOT need a Data Protection Officer (DPO). There are a set of criteria for determining if you do. Here is guidance on it from the Irish DPC: http://gdprandyou.ie/data-protection-officer/

If they are processing health data, then technically, yes, you might need one. You can consider outsourcing the DPO role to a privacy consultant; it may be the most sensible option.

2. If your data processors have not put agreements in place, then you are legally obliged to do so yourselves. This can actually be an advantage because you set the terms. Unfortunately, again it's best to seek professional advice, preferably legal advice when it comes to drafting contracts. I would go so far as to ask your solicitor to send a "threatening" letter with the agreement they need to sign.

3. Why does the visitor book need to be publicly visible? Is there a secretary or receptionist who could handle the book? Switching it to an electronic system is not necessarily going to meet the requirement. (GDPR is intentionally technologically neutral by the way -- there is no inherent advantage of one medium over another, so long as you're collecting and using data in a justifiable way, and meeting the other data controller requirements.)

4. Again, regarding display of health data, which is considered sensitive personal data, I would say it depends. GDPR is not a series of absolute dictums. Use of data does have to be explained and documented, and I believe you could seek parental consent for display of that information under certain circumstances. (Presumably to teachers who will be overseeing children?)

5. The vagueness of the legislation is definitely a problem. The GDPR does allow for an official certification[i], which will be a huge improvement (whenever we see it!).

All the scaremongering aside, the reality is that the legislation is still largely untested. We can fully expect to see a series of test cases appear over the coming months, which will provide clarity.

However, it's important to note and realise that no data protection authorities are going to start doling out extreme fines come Friday morning.

Even if an organisation is reported to the authority, there will undoubtedly be opportunities for remediation first and, unless it's a serious data breach, I seriously doubt anyone will receive a significant fine any time soon.

Facebook, on the other hand...

6. When it comes to training and certification, I'd recommend the IAPP: https://iapp.org/

They are one of the thought leaders in the space, and have a solid track record, with affiliations with lots of reputable privacy consultants.

[i] http://www.privacy-regulation.eu/en/article-42-certification...

"Unfortunately, most organisations need professional guidance on GDPR, and that's not necessarily cheap or accessible to the budget-constrained."

Professional guidance is needed for many things, and usually it's not cheap for any of it.

I think the EU just kind of tipped their hand when questioning Zuckerberg, German MEP Manfred Weber asked whether the Facebook CEO could name a single European alternative to his “empire”.

https://www.theverge.com/2018/5/22/17380982/mark-zuckerberg-...

This sure seems like the EU trying to toss up arbitrary laws because they can't compete with American companies.

I don't think the EU is such a monolithic entity as you seem to presume by referring to a single MEP's comment...
(comment deleted)
It's refreshing to see an objective article written about this subject. They presented plenty of facts from both sides of the argument and left the subjectivity up to the reader. Well done.
I already benefit from GDPR - here is a constant spammer of my maiblox from channelwisewq.im and now I wanted to know whos behind.

Ups... https://snag.gy/4nAZOw.jpg

Lots of companies are ready for GDPR, i.e. the ones that handle user information responsibly in the first place, and aren't opaque data hoarders as a central part of their business model.

I'm personally not a fan of the "lets collect it because we can" mentality.

"Data is the new oil" is a great analogy because not only is it valuable, the industry of data gathering is booming with little to no care about the side effects or long term consequences.

Had the right to privacy been enshrined in protective laws much earlier, requiring explicit consent to profile peoples behavior as it pertains to technology, things would obviously be a lot different. Obstacles often represent opportunities for improvement. Hypothesizing:

1. Alternatives to traditional advertising as a method for creating markets for products and services would have a better chance of taking off. A world where we have a relationship with the source of product/service introductions, where we can discriminate and depend on them to discriminate, could prevent a lot of manipulative, misleading and damaging crap from reaching people, and ensure demand goes to the highest quality products/services.

2. The difficulty of gathering would drive the value of peoples personal information higher, likely leading to better protection i.e. more careful handling, fewer data breaches and leaks.

3. A lot of "wasted effort" gathering and storing information as part of this data frenzy that ultimately doesn't provide value to anyone, despite all the moving money, could have been avoided.

> the ones that handle user information responsibly in the first place, and aren't opaque data hoarders as a central part of their business model.

Do you only acknowledge the existence of these two categories? So only "data hoarders" would struggle with becoming GDPR compliant?

I've got clients in the charitable sector having to reconfirm their entire contact list - 99% of whom would be happy to stay in touch - because the provenance isn't up to GDPR standards. We're expecting to lose most of those because people forget to respond to yet another GDPR request.

Expensive audits and code reviews, re-architecting parts of the system that accidentally record fairly innocent personal data (IP addresses in logs and backups, historical shop order data, Test data copied from live data. Staging servers and all the other places that data ends up in when a website has been around for a decade or more)

Yes - this data could potentially be misused and it would have been wonderful to have anticipated when the system was originally built but that was in a more innocent age and nobody could have made a business case for it back then.

I would argue that the cost to organisations (many of whom are non-profit) vs the benefits to users is fairly out of kilter. Protecting user data perfectly is a noble aim but perfection costs.

No, I was a bit hyperbolic perhaps in response to the tone of the article or its headline. Of course there are responsible organizations who are affected and have costs associated with GDPR. Knowing nothing of what your clients do, 99% seems a bit hyperbolic to me, too. The reason email is so "hard" is because in reality not many people want to get the emails being sent. I find it annoying that I have to unsubscribe from a mailing list and sometimes even go out of my way not to get repeat snail mail when I'm being charitable and giving a donation to someone. Aside from all that, costs of doing business happen. I don't think the cost vs benefit is so out of kilter as you say.
I'll put my hands up to 99% being hyperbolic. ;-)

I do worry that a lot of GDPR compliance will amount to "box ticking" rather than a genuine improvement in user privacy.

Legislation is a blunt instrument and it's hard to get sizeable real world benefit from a heady mix of noble sentiment and complex statute.

That is a fair concern.
Only tangentially related but I've found it somewhat ironic that GDPR has resulted in an extreme increase in communications from companies whose email marketing I've unsubscribed from as every company with my email address sends me their updated terms of service, most of which contain marketing surrounding their "transactional" email.
“Companies, especially US companies, are definitely scrambling here in the last month to get themselves ready.”

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

They had two years to prepare for this

I love the "especially US companies" bit. US companies have long assumed any laws are just words on paper that don't apply to them. I really truly hope GDPR hits many of these (and similar companies) really hard.
> After four years of deliberation, the General Data Protection Regulation (GDPR) was officially adopted by the European Union in 2016. The regulation gave companies a two-year runway to get compliant, which is theoretically plenty of time to get shipshape. The reality is messier. Like term papers and tax returns, there are people who get it done early, and then there’s the rest of us.

That gets me the most. It seems like most companies didn't give a single f*ck about the legislation until maybe the beginning of this year - many far later. Of course, they are scrambling now to comply because they didn't start early enough

Come on, that's just the markets being rational.

I, for one, am glad that my procrastination problem is finally validated as rational by market forces!

(I find it very intriguing to find parallels between human, supposedly irrational, behavior, and organizational behavior that results as a consequence of rational - or at least explainable - behavior of many selfish actors.)

I feel really bad for smaller companies/orgs. I've received countless emails from various businesses I've had interactions with over the years. I've seen the full gamut of messaging -- from "changes in our privacy policy" to "please fill out this entire sign-up form again with your details" to "please send us an email if you wish to unsubscribe". It's obvious that it's entirely unclear to businesses what they should be doing here. So they're all just cargo-culting off each-other, hoping that they're sufficiently covered. I feel bad because I know those who don't have the time, money or knowledge to properly deal with this are going to end up losing their only communication avenue with customers. Customers, too, do not understand the gravity of these new opt-in affirmations.

It seems utterly beholden on our regulators to not only regulate, but to regulate clearly so that the 'reasonable person' has a chance in hell of abiding to-the-letter.

European companies don't appear to be having this problem. This seems more like a case of US companies having no experience with being forced to follow other groups laws if they want money. We've gone off of what, 60-70 years of the US forcing other countries time make it easier for our businesses? The only other time I've seen something similar is when China started enforcing their laws heavily, and many companies just pulled out
> European companies don't appear to be having this problem

Did you miss the articles of EU based small projects shutting down operations? Also, do small web based tech companies even exist in Europe? When I look all I see are medium to large 90s era b2b tech companies.

> I feel really bad for smaller companies/orgs.

Just like everywhere else, the (continuous) addition of regulations favors the larger, entrenched actors who can afford to deal with them. That's always the pernicious effect of too much regulatory load that states should be really aware of.

I don't buy this argument. Those smaller orgs had the choice to not hoover up their user data, in which case GDPR would be a snap.
> I feel really bad for smaller companies/orgs.

Why? I've seen most places (big and small) adopt a very simple page with one button on it asking if you want to opt in or out. Takes 5 seconds at most.

Too many 'smaller' and larger companies have gotten my details buy buying data from resellers, and then they have the gall to plead with me to let them keep mailing their crap?

I'm happy to opt-in to companies that I like doing business with.

I understand the point about the data resellers, and I agree. But TBH I'm more concerned about the minority of 'good actors' in this space, who have gotten my information the correct way, but now, due to various constraints or ignorances, are left at a great disadvantage and may end up losing a vast chunk of their diligently acquired subscribers.
> It's obvious that it's entirely unclear to businesses what they should be doing here.

What's obvious is that many of them were ignoring the existing DPA and PECR law, and were slurping as much data as they wanted from a variety of sources, and sending marketing email to those contacts.

And now GDPR is coming in a lot of them have realised that they don't have a lawful basis for holding or processing that data, and certainly not for sending marketing to the contacts, and so they're cleaning their databases.

This is a feature, not a bug.

Companies that only held the data they needed; knew why they were holding it; and had correct permissions (if that was needed) are not having much problem with GDPR.

This quote is bonkers:

> like “an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR,” says Straight.

I have no idea how anyone who deal with user-generated content can possibly comply with that. Even if you had an actual person reading through all your content to try and find data related to "Jason Straight", without personally knowing him there's no way they would know that this is referring to that person.

I see a lot of complaints about 1500 page bills in front of Congress and so on, but this kind of nonsense is exactly why you need 1500 pages of dense, precise language to define these laws.

Talked to my mother the other day. She works at a tiny local (German) home care company. (That means 5 middle-aged women in an office and a bunch of nurses on wheels.) They've been ready for GDPR for a year now, including sending their new data officer to the required seminars and whatnot.
Many grocery stores offer memberships where they offer customers discounts in exchange for the customers using an ID to help the store track their purchases. Such arrangements appear to be voluntary and desirable for both consumers and stores.

Would such an arrangement fly under the GDPR?

It would seem that if consent has to be freely given, and not conditioned on something like a cheaper price, then the GDPR would not allow the grocery stores to give discounts only to people who agreed to the membership and tracking.

Yes, there are a bunch of problems with that business model now.

1. GDPR prohibits "bundling" of consent. Usage of your private data for, say, physically making a membership card should have separate consent than using that same data for tracking you; the fact that you want membership (and consent to it) cannot imply that you must also want tracking.

2. GDPR requests that you must be able to withdraw consent without detriment. That ties in directly to cheaper price.

3. In general, GDPR declares that permission to use your data is not something that can be "traded away" in a contract, that privacy is a core right and thus you can't enter into a voluntary contract saying, for example "I give Bob $5, Bob allows me to use his data" - or, more exactly, you may sign the contract, but the clause that gives permission to use data would automatically be null and void, and Bob could revoke consent without detriment anyway. Exactly as it is with binding arbitration and many other clauses in consumer contracts; in EU there are many aspects that can't really be given away in voluntary contracts - as far as I understand, common law has a bit different approach and tradition regarding contracts in this aspect than civil law in core EU countries, EU law doesn't shy away from regulating what a contract may include (or what can be binding if included) even if both parties agree to it.

That seems unfortunate for businesses like those grocery stores, and for their consumers.
IMHO we'll be seeing a switch to pseudonymous/anonymous purchase tracking instead of all these 'loyalty cards'; it's a bit more tricky and a bit less useful, but it can be powerful anyway and get most of the analysis results you'd want.
The GDPR exists for the EU to help itself to some $billion of the >$1 trillion increase in the value of US tech companies over the last three years. If you live in the real world, and not in the theoretical world of law as written, you don’t have to worry about a thing unless you’ve got a business as profitable as Facebook or as abusive as Unroll.me.