I don't understand how this post could reach HN just a few minutes after I published it... Whoever it did, thanks!
I decided to make a little change in the URL (Europeans instead of EU) and that's why there was a short period of 404 errors before I created the redirect.
I'm a native English speaker and I picked up on your sarcasm. You did great :-)
That said, a constant source of miscommunication from native english to native english that is written, is missing sarcasm. Just a side effect of not having non-verbal communication cues.
It uses its magic crystal ball, while simultaneously consulting a legion of captive demons to determine this and other similarly unknowable information.
I suppose you have to use your TOS for that. (In fact, a banner that tells European users that they aren't allowed to use your site is probably the easiest way to insulate yourself -- if you collect their data because they used your service illegally, I'm not sure you can be blamed.)
Considered this before, but it doesnt work. IIRC, the law applies to euro citizens both living in country and abroad. As such, geoip blocking is not a working strategy. (a french citizen who lives in japan still had GDPR rights) A better one would likely be a clickwrap agreement for all users stating "European citizens are not allowed on this service" which they have to click a "I am not european" tickbox to.
I'm the author of the post, and yes: blocking 500 million geolocated people is crazy. That's not the spirit of the law.
I just wrote the post because if you want to overkill and you are lazy, you can follow our recipe to 'implement' GDPR. I just wanted to be sarcastic and also show how easy to implement Cloudworkers + Apility.io.
You should consider making this a bit clearer in the beginning. There is already a lot confusion about GDPR lately and people could take your post seriously. As pointed out by others already, geo-blocking isn’t a proper way to become GDPR compliant.
You have a responsibility to your users, be they EU or not. The fact you consider "they keep sending it to me" means that you are not considering the whole privacy issue. This data is not yours to do with as you please. Yes they send it to you -- but you are listening, You are the active party here. There is a duty to protect your users data.
The question I was answering was why my company is collecting this data. We have email subscribers from the EU because...they subscribed to our email list. We don't advertise in the EU, we have no EU-specific languages or currency on any of our projects, etc. But EU users still want to subscribe to our content, visit our site, etc. So we're "collecting their info" because they voluntarily send it to us and we're not specifically trying to block them. Perhaps we should.
We're not compliant with the letter of the law of GDPR (and according to some it doesn't apply to us at all due to the above), but we treat all user data seriously, regardless of where they come from. If that's not good enough, then people can stop visiting / subscribing / purchasing, or the EU can try to levy a fine and collect it. I'm not particularly worried about either scenario.
I have a responsibility to treat users in a way that I consider fair, which includes protecting data such that it doesn't get used in a way that I wouldn't want my data used, or that a person who is more sensitive than me wouldn't want their data used.
I do not agree that I have any sort of implicit responsibility to treat my users in a way that an EU bureaucrat deems fair.
On the contrary, if you are running a business where 99% of your customers are outside of the EU, its totally rational versus opening yourself up to massive liability.
You need to purge that 1% customer data though. If you're accepting EU citizens data through any channel - another business, them using a VPN, via smoke signals, you need to comply.
You need to comply with the laws of the jurisdiction you operate in. If you don't operate in the EU (and having a presence on a global communication network does not qualify), EU laws are not applicable.
The onus is on concerned EU citizens to stick to .eu domains with a feel-good GDPR-VERIFIED banner if they are so inclined, not on the rest of the world to bend over.
As a non-EU business, I will pay my GDPR "fines" right after I'm done paying my Iran and North Korea issued fines. Cheers!
Seriously though, I made no comment on the law itself so I'm not sure what your point is. Most reasonable people would agree it's a good law in spirit, and I wish I had some of those protections where I live.
But the notion that it can be enforced on non-EU entities is ludicrous.
So much this. So many people conflate citizenship and residency, and it leads to no end of confusion. GDPR applies to EU residents, accessing services from the EU, and some more edge cases. But not to EU citizens.
(There are countries with up to 30% non-citizens, and there are plenty of multi citizens. The distinction is entirely relevant.)
Not even residents (meaning permanent residents). People who are in the Union's territories (including tourists / visitors). Like most laws it applies wherever EU countries have jurisdiction. It applies to all your users if your business is located in the EU though.
> Considered this before, but it doesnt work. IIRC, the law applies to euro citizens both living in country and abroad.
No. The law applies to people physically in the EU, not blanket to EU citizens. An American in Paris is protected by GDPR laws - a German living in NYC is not.
> IIRC, the law applies to euro citizens both living in country and abroad.
GDPR doesn't mention citizenship, it applies to any Data Subject who is a 'natural person'. The scope is stated as 'whatever their nationality or place of residence' which is universal.
So just blocking EU residents is not enough, one would have to also ensure that no other data is processed (1) within any country implementing GDPR or (2) anywhere in the world if you have a controller in the EU, his role being a sort of GDPR proxy.
Even saying 'within EU' is actually inadequate; the Isle of Man has implemented GDPR but isn't in the EU and there are probably other examples.
You hear wildly different takes on this depending on the source. Troy hunt had a (now seemingly deleted) article where he claimed you have to be targeting EU users specifically, ie offering products in a european currency, EU domain, eu language (other than english).
Dropping a IP block on the EU seems to be a pretty clear indication that you arent targeting EU users.
I think the most important part about the post is at the very end:
> Please don’t take us seriously
> This is an example of all the things you can do with Cloudflare Workes and our API. If you like it, please spread the word! But hey, don’t take us seriously. We just wanted to take the drama out from all the GDPR madness out there.
Anyway: just for academic interest I’m curious how much this increases the overall request latency, as there would be one additional blocking HTTP call at the beginning. Do you have any benchmarks for that API call to check the blacklist?
If you make sure that the response is cacheable, then Cloudflare will cache it at the edge and so only the first check for any particular IP will be slow.
What makes a response cacheable is a little complicated. There's cache headers, but also some heuristics involved. However, you can override all of that from a Worker by passing an explicit cache TTL to fetch():
fetch(url, {cf: {cacheTtl: 86400}})
This will force Cloudflare to cache the response at the edge for one day regardless of anything else. (Note: The documentation currently claims this option is available to enterprise customers only, but as of this week, it actually works for everyone. Docs to be updated soon.)
Yes, you should cache as much as you can to reduce the latency. We have some examples using NGINX and Lua to cache at the very edge and reduce roundtrips to our endpoints.
Probably I will give it a try on Workers another Friday afternoon.
Isn't there a Cloudflare geo-location header that you can trivially activate and map to EU/Non-EU? That would result in no additional latency except for the worker itself.
How does CloudFlare know if someone is a citizen of the EU and traveling abroad? In haproxy, I redirect a few accept-language headers, but even this has its faults.
You're the third person to ask this and I'd like to ask you: is this idea coming from a specific source? The law, like any other EU law, obviously does not apply outside the EU. It applies to companies that do business in the EU (even if they are based outside), but it can't apply to companies that don't do business there. https://ec.europa.eu/info/law/law-topic/data-protection/refo...
It actually isn't clear that it doesn't, as best I can tell. I don't have the text in question in front of me, but one of the questions I've asked and haven't gotten a solid answer on is - who is covered by GDPR? Is it only EU citizens residing in the EU, or EU citizens generally?
If it's the latter, then someone with both US and German citizenship could be covered even if they've never been to the EU.
This is a very dangerous interpretation. Let me tell you why: this opens the door for someone, let's say China, to say that their laws apply to Chinese nationals outside of China. You know, censorship and the rest.
While GDPR is a good idea, its legal impact can only be for business conducted within EU boundaries, or we are going to open up a Pandora's Box like this.
You mean: like giving fines to ANY company doing business with Iran just because some US President decided to cancel its own part of an international treaty...? ;-)
Come on: you're whining but you're doing that kind of extra-territorial stuff for decades!!!
Anyone who is in the EU (citizens and not) at the time of using the service. EU citizens living abroad are not covered (unless they are visiting Europe, of course).
Geoblocking is not enough. A user in Europe that bypasses an EU block with a VPN is still covered (this has been explicitly stated).
GDPR applies to all EU citizens. It doesn't matter if the citizen is accessing the web site from the eu or another country. Blocking people in the EU doesn't block all eu citizens from accessing your product/service.
People keep saying this but its not true. The EU has no jurisdiction outside of the EU. If both the user and site are outside of the EU at the time of the transaction, they can not make claims, regardless of citizenship.
No, it is true, If you don't the EU Army will come and get you. /s
It's a basic idea, and HN prides itself on being smart, but there aren't global laws. No one gets to enforce civil penalties outside of their jurisdictions, without exceptional circumstances. If they fine you and you don't have offices there just ... don't pay? The EU might not exist in 10 years anyway.
The EU has jurisdiction over EU citizens, even those outside of the EU (see US citizens and taxes). But I question how the EU would have jurisdiction on anyone who is outside of the EU and does all their business outside of the EU, even with EU citizens. The EU can prohibit EU citizens from visiting websites that violate the law if they want. They can also block EU residents from visiting those sites.
Recital 23 (referring to Article 3, Territorial Scope)
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
An attempt to prevent EU users from accessing the site at all is about as strong a signal as it gets regarding this. When you're blocking all of Europe by IP, it's pretty fucking obvious you're not envisaging offering services there.
You’re going to get downvoted for that comment, but you do raise a legitimate question of enforceability. Sure the EU can say any company in the world who has EU residents’ data should comply with GDPR. But... or what exactly? The EU doesn’t have the power to fine companies outside of their jurisdiction. I mean, they can try. But as far as I know there is no enforceability to ensure that the company actually pays the fine.
For larger companies with offices in the EU (especially the ones headquartered there for tax purposes), they obviously have no choice to comply. But what about a small startup, with its only domicile and employees in the US?
What exactly could the EU do to punish a startup in that case? Unless they have some enforceability treaty with the US, I don’t see how they have any legal ground to extract fines for arbitrary laws defined in their jurisdiction. The worst they could do is ask EU ISPs and/or payment networks to block the offending sites, right?
It applies to companies that do business in the EU. They could at least seize any assets that you have in the EU, including future profits there. If you don't do any business in the EU to disrupt then this doesn't apply to you anyway.
Corporate counsel, who actually went to many of the lead-up conferences for GDPR, said the data authorities from many member countries didn’t even hesitate before saying they would file civil lawsuits against non-EU companies.
Such a suit could be ignored too, but it would certainly be a PITA for vacationing executives who get locked up in Italy for an outstanding summary judgement.
If they have significant business in the EU then they can be fined regardless of size but the rules indicate that working towards compliance can go a long way to reducing the size or even existence of fines. Plus to get to that stage you have to ignore someone's request to remove their personal data.
I won't DV anyone. I use an addon that hides the down arrows. [0]
I suppose when I asked the question, I am assuming internet businesses for the most part don't isolate themselves to a specific region, so their reply probably makes more sense for the businesses that operate in a small locality. Perhaps they have such a business. I should have considered that prior to asking.
Where this might start to get interesting is if people use infrastructure that is in multiple regions and that infrastructure provider has an agreement to block companies that do not comply. So if AWS for example had such an agreement, then non compliant companies could find their sites broken, even if they are only hosted in the U.S., not that this would ever happen, but it could.
> The law, like any other EU law, obviously does not apply outside the EU.
There are precedents for the opposite. If you have a grandparent born in some EU countries, you have EU citizenship according to the law of that EU country, even if you never set foot on that country and have no contact at all with the EU. There is a (non-EU) country which says that if you're a citizen of that country, you have to pay income taxes to it, even if you never set foot on that country and have no contact at all with it. At least one country says that its law applies to buyers of widgets manufactured in that country, even if they are sold by someone who never set foot on that country and has no contact at all with it, to someone who likewise has no contact with it. And so on.
Also, GDPR applies to more than just citizens of the EU. The language doesn't even say citizens. Data subject could be someone in the EU on vacation for two week. Even me a heathen US citizen! O_o
I'm the author of the post. My most stupid post is in HN! crazy! I just wanted to be sarcastic and make some laughs about people blocking all traffic from Europe, which is crazy!
It's a Friday afternoon blog post to show how cool my product is with Cloudflare Workers and having fun at the same time!
It's no laughing matter for some companies. EU citizens have turned into pests overnight. There are businesses who don't make much money from the EU to justify compliance with the regulations.
Valuable, dear, beloved users for which the business has boundless sympathy, empathy, and compassion are now awkwardly the source of compliance concerns for which the costs outstrip the reasonably expected revenues enabled by compliance. While compassion is unlimited, it is possible the budgets and time may not be.
But I wonder what changed since last week because those compliance concerns were just as valid last week. Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
Is it? It's a lot of bloviating about love and kindness and positivity that dances around the point a lot. It implies, instead of being explicit. It focuses on feelings instead of making a point clearly and concisely.
It's poor communication. For the same reasons, it's great PR material.
> But I wonder what changed since last week because those compliance concerns were just as valid last week.
I imagine that for a lot of really small shops, what's changed is that GDPR is now law when it wasn't for the past couple of years.
> Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
Maybe! Depends on the company, I should think. In some cases, I'm completely certain that you're absolutely right and they've been knowingly breaking the law for years because they can and there were no consequences.
For others, it's possible that the situation may be more subtle. The costs in time and money and opportunity costs to determine how compliant they are or need to be might be daunting or dwarf any reasonable forecast of revenue from EU users.
It's possible that not all scenarios might not be quite as simple as having nothing to fear so long as you are doing nothing wrong.
> That just isn't true, the GDPR has been law for the last two years and before that there was a law with roughly the same (say 80% or so) components.
You're absolutely, completely, 100% correct! Please accept my deepest apologies for being unclear.
Until May 25, GDRP which has been law for years did not take full effect. It's possible that some people made choices based around which laws are in full effect, rather than what is law, for reasons that might at times be other than negligence or malice.
Again, please accept my apologies for being unclear. Please let me know if there's anything else I can clarify!
Please accept my apologies. I was under the impression that we were collectively discussing an issue of substance and import to us, rather than authoring customer-focused communications.
It's my opinion that the writing style appropriate for being maximally nice to customers is inefficient, time-consuming, inexact, and wasteful in other contexts. I'm sorry if I failed you by being insufficiently clear previously. Please accept my heartfelt apologies for this egregious oversight.
> Of course, you should back up your kind words with kind actions too.
You're right! You are without question correct that kind words should be followed with kind actions. Yet, it might be worth mentioning that kind actions can have costs measured in time, funds, resources, and opportunity costs. It's possible that in some incredibly unfortunate scenarios, this might result in actions being considered that some might see or choose to characterize as being perhaps a bit less kind than they could be.
You're still right, of course. Kind actions should follow kind words.
But I wonder what changed since last week because those compliance concerns were just as valid last week. Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
You keep repeating this on various threads, but it's not a good argument.
It's obvious: for companies that are now blocking EU users, they weren't in compliance or blocking before because the law wasn't being enforced. Hence the cost / benefit tradeoff was different. Now that possible enforcement is on the table, the calculation has changed. It's pretty simple.
For companies who were ignoring before and ignoring now, nothing has changed. They are either taking a huge risk or are correct in assuming that there's no enforcement mechanism, so they don't need to worry about it.
> You keep repeating this on various threads, but it's not a good argument.
It's an excellent argument. That you don't agree with it is obvious but whether or not a law is enforced or not does not change the fact that it is the law.
Those companies that have decided to block EU users as a rule have done fuck all in the last two years and now, rather belatedly, have realized that in fact they are subject to the law rather than that they can afford to ignore it.
> They are either taking a huge risk or are correct in assuming that there's no enforcement mechanism, so they don't need to worry about it.
I sincerely hope that they will swap positions after the first few fines have been dealt out.
That you don't agree with it is obvious but whether or not a law is enforced or not does not change the fact that it is the law.
And something being "the law" doesn't actually mean anything. If not enforced, laws are just words.
So these companies who are now blocking did the actually rational thing, which is ignore the law right up until it matters.
No fines are going to hit these companies that have no EU presence. That's just scaremongering. And for the ones that do, I guess we'll see. Blocking the EU market seems pretty damn fair to me. I don't understand why the EU thinks it can force a business outside of the EU to deal with their citizens if it doesn't want to?
> No fines are going to hit these companies that have no EU presence.
Oh they will be fined. The question is whether those fines will ever be collected. But the collection of fines is a different part of the government than the part that sets and applies the fines.
> That's just scaremongering.
No, it's a fact of life: if you ignore the law you will be fined.
> And for the ones that do, I guess we'll see.
Oh ok, so they will be fined. At least we agree on something.
Note that the EU at this point in time couldn't care less about those companies that have no POP in the EU, and if that causes companies to pack up and leave then so be it. But those companies that do have a POP and that knowingly and persistently violate the law, whether they are European in origin, American or Chinese deserve to have the book thrown at them if they ignore the law.
> Blocking the EU market seems pretty damn fair to me.
That's just fine, I take it your business is not affected or you plan to ignore the law because they can't collect. I'm perfectly ok with you doing that, don't get me wrong. It's your right to do this but I do think you should be transparent about this.
> I don't understand why the EU thinks it can force a business outside of the EU to deal with their citizens if it doesn't want to?
The EU can't force that, and that's not the intent of the law.
"for which the costs outstrip the reasonably expected revenues enabled by compliance"
The GDPR is not about revenue but about privacy. It's not meant to be cost neutral. Bank robbers could also quote you to complain about the burden of anti-robbery laws.
You're absolutely right! GDPR is in no way, shape, form, or manner meant to be cost-neutral. Your point about bank robbers is well-taken.
However, is it possible that in a context where companies are weighing the cost of GDPR compliance against the benefits of GDPR compliance (i.e., keeping their EU business) some might come down on the side of jettisoning the EU business? They might even opt to do it by using a tool, like Cloudflare Workers, that they can convince to block everyone in the EU.
You would be absolutely, completely, 100% right to consider this fully in line with the intentions of GDPR. Protect privacy or GTFO, right?
If companies find it too onerous to do business in the EU I am sure others will happily fill that gap, so I am not worried. A lot of polluters probably also went out of business once environmental regulations got tightened.
You're right! I'm also sure others will happily try!
With that said, it's possible that a fragmented market with fewer legal business models may not be as conducive an environment to all possible businesses. It's even possible that as a result, not all gaps will get filled.
Personally I think it's healthier to have a fragmented market. Maybe it's not as efficient but fragmentation makes it more possible for smaller companies to find a niche. Otherwise big companies like Amazon, Facebook and others monopolize business world wide.
Different legal models also provide grounds for experimentation. Who knows what works better in the long run? Wild West or regulation like GDPR? We don't know.
Sometimes a fragmented market just means everyone has the same problem and nobody can solve it profitably at a price that works for most. Then things just suck for everyone.
Which is to say that you could be right! Absolutely and completely! Or you could be really wrong. Time will tell. The economic history of protectionism could be read by some to provide some clues, though.
This strikes me as the typical political response when you are backing a terrible candidate and somebody points out something terrible they do/did. Rather than defend your candidate you respond by attacking theirs. My kids do this all the time when I catch them doing something wrong, "well #{brother} was doing #{badthing}!"
Both seem wrong, can we agree on that? DMCA is a disgusting weapon, as is a lot that the US has done. Does that make weapons created by Europe ok?
You don't need to do anything to implement DMCA on your site - just respond to emails. How is this even comparable with the kafkaesque implementation required by gdpr?
'Free' is a powerful word - there's a lot of incentive for companies to tout 'free' and for users to feel like they're getting a good deal - when in reality there's a whole lot of other stuff happening behind the scenes.
My take is that consumers need to be aware of what 'free' really means for each service that advertises it. What are the real implications - not just something hidden in doublespeak in a ToS or privacy policy.
Everything spelled out in the GDPR is a great thing for users and should have been there from the very beginning - being able to erase all their data, see all their data, export their data, and get notified when data is accessed.
> Everything spelled out in the GDPR is a great thing for users and should have been there from the very beginning - being able to erase all their data, see all their data, export their data, and get notified when data is accessed.
I hate this "empowering users" philosophy of the EU. It's reminiscent of "right to be forgotten" type regulation where EU believes users should be in control of "their" data, when it reality it isn't "theirs" to begin with. Once data is "public" you can't ever "erase" it because it's not "yours". I'm sorry, if you shoplift in my store (online or no), I'm keeping track of you no matter how much you demand that I erase "your" information.
Because it is their data, consider if there was a database of your fingerprints and DNA available online to everyone, would that really be okay to you?
"I want to use your free service and to participate in your monetization model only after you explicitly tell me how you are going to do with my data. If you can't tell me this, and get me to accept the trade off, why should I trust you?" -- EU citizens"
I doubt anyone here cares if you don't trust them and choose not to use their service. But that's not enough for you :)
So it's more like "if you can't do this according to the whims of my government regulators, I'll still be using your service, AND prepare for a large fine."
Is it really too much to ask to clearly spell out how you use my data, clearly get my consent to use it, and provide an email address where I can request it be deleted? Really? You're saying that is too difficult?
Whether it's too much to ask is not the issue, nor whether doing what you list is full compliance (doubtful).
No one is asking.
Rather, the right question is whether the entity demanding (the EU government) has the right to do so on the basis that their jurisdiction extends to anywhere that a citizen of theirs can reach via the Internet. I argue no.
You probably disagree, which is fine, but this ultimately comes down to enforcement. And for now at least, I win on that front.
It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.
I think we’re perfectly fine with telling you we use your data for ML training, internal analytics or showing you relevant ads. That is standard stuff you consent to in a TOS.
>It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.
If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.
The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.
We are not going to go looking through compressed archives and snapshots for your data. We are not going to run routines on immutable logs to filter out all trace of your history. We are not going to check CSV files used for imports. We are not going to track down any third parties who may have shared our data. We are not going to retrain neural networks on a new dataset that excludes your data. We are not going to move heaven and earth for a user who decides it'd be clever to demand all his data be deleted after reading a couple articles on Medium. We don't care how European you are.
What we can do, is set a little deleted flag on your profile to treat you as "deleted".
it is... what does data processing mean? does it include when my databe does a look up on a field which has your name in it or does it mean i do ML on it to serve you adds and profile you? cos it doesn’t say in the regulation... so yes it is very hard to figure out what level is clear... as regulation is not clear.
> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
So not a database query itself, but the thing that drives the database query. It also extends to things like logs - aka don't keep a log full of SQL queries that are full of peoples personal information. Don't ship that log off to some third party, or make it available to random people.
For web apps it's mostly the storage and retrieval aspects that are important. Don't store too much PII. Don't allow anybody to access it at the DB level. Implement appropriate access restrictions at the web-app level.
actually what you quoted might as well apply to query as it is actually processing data... and again the point is the regulation is vague... it can be interpreted in multiple way before we get precedents.
It applies to anything that contains PII, so sure you should ensure your queries are not sent in plaintext over the network and are not logged unnecessarily. There isn't much else that can be done.
It is perhaps a bit too abstract, but that's because it's covering a highly complex topic, but I don't think it's too vague on this: If it contains PII, protect it. Which, of course, you should be doing already.
You are a pest when you use a service and give nothing back in return, stealing resources that are better allocated to users that actually contribute to revenue.
I don't understand... isn't that something that the company decides? How are users stealing something?
For the longest time companies have been able to market something as 'free' when they have been the ones who have been trying to hide the fact that users' data was being sold, etc. So I would argue that if someone is 'stealing', it is actually the companies themselves.
No, GDPR effectively says that you have to get the users to opt in to your targeted ads (aka the business model) but you also cannot deny them the content if you opt out. In effect, the EU wants to get all the content for free while not paying the costs that give them such great content which is targeted advertising.
The "stealing" is because they are trying to get companies to give their content out for free without paying the cost which requires targeted advertising (and no, generic ads pay shit which is why tons of companies are blocking all the EU because they now aren't worth the server costs).
I know this sounds extreme but you could always go with the good old approach of charging users money for provided goods and services, instead of monetizing their data or throwing ads at them.
Well European users (like other users) don't want to pay as well. And why create a specific feature for European users when globally people are just fine clicking on ads.
What makes you think that European users do not want to pay for content they consume? Given that Europeans passed this law we apparently are.
You don't need to create a specific feature for European users if you don't want to, just as European users don't need to do business with you if you don't value their privacy. Economic exchanges are voluntary. If you think ignoring European customers is something that pays off for you, go for it.
Can you point me to any specific study which says that Europeans are more willing pay for content vs. rest of the world? I mean, if that were true, you would see a lot more paywalls in Europe vs. globally.
I don't know of any such study but I'm not sure why I need to given that this law quite clearly reveals the preference of European citizens?
If we would not care about privacy to a greater degree than other regions we would presumably not pass legislation that protects private information and cuts into ad-revenues.
Yes, when you're telling the angry mob why you won't give in to their irrational demands, you should definitely tell them who you are and how to hurt you...for transparency.
Even if you charge EU customers for goods and services, you end up having to collect and store personal information in order to provide evidence to tax authorities that you collected and paid the right amount of VAT for each country.
Nobody's stealing anything. You're giving the product away for free. Sure, the user is still "paying" with their data. But they didn't sign up for that. (And if they did, congrats, you're a step closer to GDPR compliance!)
If you're sick of people using your product and not giving anything in return, Charge. A. Fee.
Sure, the user is still "paying" with their data. But they didn't sign up for that. (And if they did, congrats, you're a step closer to GDPR compliance!)
The GDPR specifically forbids giving users the option of paying with data. (In that you can't deny access if the user doesn't agree to the data usage).
Charge. A. Fee.
It turns out that a whole lot of users don't want microtransactions for everything they do online, and would rather allow providers to monetize their data in exchange for access. You not liking those agreements is not a reasonable justification for forcibly banning them.
Is it onerous because you are doing dodgy things with EU citizens data, because you don't take information security seriously or because you've fallen for some of the FUD around GDPR (having to hire a DPO, being fined 2 trillion dollars, etc etc)?
If it's too hard for you to copy paste a GDPR compliant privacy policy and monitor a GDPR email address then well, maybe you're in the wrong job.
We do take security seriously and we're not doing anything dodgy.
We have business reasons for collecting user data, and users have no real reason to tell us to delete it at will, other than the fact that it makes them feel "creeped out".
The future is probably going to be super creepy. If you want to participate, get over it.
But more times than not it does. Since there's a long history of companies doing bad stuff, you definitely don't deserve the benefit of the doubt on this one.
there is also a long history of people giving up their personal data to get some (overall) irrelevant service and then being surprised when their data is missused...
Yes, but how much of that can be attributed to the service not adequately explaining what they are collecting and how they are using it to the users upfront, in a format that non-lawyers can understand?
It is genuinely fascinating to me how different people can feel about things. I get enraged when my "government" tells me what I can and can't do with my body/money/time. If I want to snort coke all day, what business of theirs is it as long as I'm not infringing on others' rights? Likewise, if I want to give my data to a super sketchy website, why shouldn't I be able to?
Obviously it's "safer" to let others make rules and force us inside the fence to keep us sheep away from the dangerous wolves out there. I do understand that perspective to some extent. However I would never trade my freedom for security. The former is not easy to regain.
Except they're not taking freedom away from users, they're taking freedom away from corporations. Freedom that many corporations have been abusing. This is a key difference in perspective.
Your example where you "want to give your data away to a sketchy website" is not in any way representative of reality when a) the website is as ubiquitous as for instance FB, and thus in no way perceived as sketchy, and b) the user makes no conscious decision to consent (let alone "wants it").
I think you have a decent point there, but the comment I replied to literally said:
> Hoping you've blocked access to the EU so I don't happen across it :)
Being glad that he doesn't have the freedom to use the site, thanks to a government law (whether a side-effect of the law or a direct effect is irrelevant, because the law brought it out just the same).
I suspect it's more in teh sense of a "Don't let the door hit you on the way out..." retort.
That is, if you're offering such a service that exploits users for their data, then I would never want to use it, so it might as well be blocked, for all I care.
Maybe even desirable if it was, so you don't come across it by mistake and sign up without doing proper diligence.
Freedom of choice is nice, but there's an argument that putting rat-poison in food products isn't ok, even if you label it on the package.
Your premise is flawed: if it was true that without government, companies would just carelessly or intentionally poison us all (not a good way to gain repeat customers btw) then I would agree with you. But obviously I disagree with your premise.
And they got the crap sued out of them. The lying is the problem IMHO. People know what they're getting now, but millions still choose to smoke. And why shouldn't they be able to?
Companies are careless and malicious despite government and customers actions.
* XIX century wants it's snake oil back
* Didn't hear about China and melamine milk scandal?
* Would you buy food from Amazon if it was co-mingled in current way?
* VW emission scandal
It is easy to be freetard when you do not get diarrhea every so often due to food that was "optimized" (like in XIX century ;)
The Jungle is a widely misunderstood book. For one, it's fiction [1] [2] [3].
The milk scandal is interesting tho. I don't disagree that there are people/companies out there that are horrible human beings (or run by horrible human beings), but these are exceptions. There is also a market-based recourse for consumers. Lawsuits and liability is a big deterrent for example. It's also illegal to harm someone (as it should be) so jail time for the offenders is quite possible without having enormous and onerous regulations. And haven't you noticed that it's the giant companies that often push regulation? Because it raises barriers to entry for competitors. Big companies have the resources they need. Using the government to hurt your competitors is one of the oldest traditions in countries with governments big enough and powerful enough to do so.
The government also prohibits you from accepting a job offer for less than minimum wage, and the general consensus is that this gives workers more power.
The government isn't the only source of power and coercion; private companies are too. A lot of these regulations are the one countering the other.
So lets unpick this. You think you're not doing anything dodgy with your users personal information. However you feel that their information is your information and users have absolutely 'no real reason to tell us to delete it' (apart from, you know, it being their information). Then you top it off by taking a screeching right turn and saying 'future is going to be creepy ... get over it'.
Riiiight. You sound like the perfect person to be handing my personal information and I would trust you to take full care of it.
There is an epidemic of snark in the overall conversation about GDPR. I'm sure I have my biases and blind spots, but the majority seems to come from the same direction as the comment you are replying to.
It's not "their" information. It's information about them. I collected it and stored in my servers that I'm paying for, and that makes it my information. Your laws may say differently, but practicality wins here.
Under Canadian Law (which you are subject to, according to your profile) and you're liable if you decide to snoop on a specific persons data, or misuse it in a way that they didn't intend. So, it doesn't seem to be completely your information.
> Your laws may say differently
Sure, Canadian laws in this area are very scattered and backwards. I wouldn't put that forward as a good thing though, or use it as a pretense to not bother protecting or managing your users PII.
Do your users know what information you collect, and what for? If they don't, you're being creepy. Here's the same thing taken to a logical extreme:
"I shoot this sex tape myself with my camera, climbed my tree on lawn, zoomed with my long focus lens, stored it in my computer. It's my data. If they don't like it, they should have pulled their curtain."
There must be a threshold somewhere. When does it stops being acceptable, and starts being creepy?
I'm pretty sure in my country (France), only the police may peep through windows with optical instruments. The work of a private investigator you speak of may very well be illegal, assuming the investigator is not an on duty police officer.
Public places are one thing (he entered this building with that woman at this hour). Looking through private property is another.
Here is the thing: my email and personal info is mine. And if you are using my info to provide me your service that is also ok - I will rent that to you. And give you my CC#.
But if I do not use your service, then I want that you delete all my personal data. Why is that so hard?
But is knowledge of your email address yours? Do you expect to control all knowledge? What action do you take when someone accidentally CCs another party when they should’ve BCC’ed, and your address is leaked?
There are pieces of information that are particularly problematic for other parties to know. An email address is not one of those things.
Retaining email addresses doesn’t necessarily suggest deliberate misuse (or even accidental misuse), however. Unless you’re of the opinion that retaining it after, say, account closure/deactivation, is itself misuse.
I’d take a big issue to an organization storing a social security number or something of that nature, because its leak would represent a significant risk, but email addresses are fairly disposable items that we only voluntarily attach to ourselves to.
EU citizens turned into "pests" two years ago. Much like Y2K was a "pest" years before January 1, 2000. But unlike EU regulations, Y2K was like The Terminator: there was no appeal process, and it absolutely would not stop...ever, until you fix your Y2K bugs.
GDPR OTOH, eh, maybe there's some way to wiggle out of it? And two years later, when Compliance Day comes, here we are.
An IP address is not regular PII, its 'linked PII'. It must be collected in conjunction with information that can identify a user to fall under GDPR, an ip on its own is worthless. If an IP address allows you to link information from HTTP logs with a user database that does have PII, then the ip address is part of the PII. If you aren't collecting any actual identifying information, then an ip is fine.
I hate the GDPR hysteria as anyone but you might be approaching this topic a bit too casual. The GDPR doesn't speak of "regular PII" or "linked PII".
Article 4.1 defines an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to for example an online identifier.
IP addresses are specifically mentioned as online identifiers in recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags
Only time will tell how this will be interpreted specifically but we have at least one court decision already [1]:
> What makes a dynamic IP address personal data?
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
> there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
> the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
Isn’t the IP address of a person/data which is subject to GDPR? So this form of blockade means that you need to disclose that you are using service X for checking the black list and that they might track/ store data.
I keep seeing these posts on how to block European users to avoid the GDPR. As a citizen of Europe, seeing these posts consistently making it to the front page is disappointing. It would seem that Silicon Valley perceives the GDPR as more of a hindrance than an opportunity to offer users better privacy. Nothing has been learned.
To a lot of US-ians the GDPR is just some EU bureaucrat stopping them from making more $. Nothing matters apart from being able to do whatever you want and make $.
If there's a successful business that blocks EU access due to GDPR, that's a huge immediate opportunity to enter that market in the EU (unless, of course, the business model is based on resale of personal information).
Consider this case, startup app in a niche market, only available on US app stores, and a one man dev team that needs to focus on app dev not compliance for some regulation that could never apply to their customers. Yet needs to be sure they don’t end up giving the company to the EU because someone over there signs up on a marketing list.
That’s the startup I’m presently working on. We’ll expand beyond the US borders (and implement GDPR) when we advance to a larger revenue stream. But right now, GDPR compliance is a distraction that interferes with gaining enough traction to help us afford the engineering and legal resources to ensure such compliance.
NOTE: we delete all client data when they cancel already. And we don’t do any creepy marketing.
An admirable effort, but all the fans of this law seem to hear is "You're not 100% compliant with the GDPR? You're scummy and shady and don't care about my privacy. I hope you fail immediately because the world is better off without you."
Meanwhile they'll be using VPNs to access your site anyway :)
This is interesting, an EU Activist thinks they can twist Facebook's and Google's arms into providing free service: (again, I'm not a fan of FB/Google invasive data mining driven advertising)
> NOTE: we delete all client data when they cancel already. And we don’t do any creepy marketing.
Do you inform your users what data you're collecting, why you're collecting it, and get their consent? Are you taking proper precautions with the expanded PII data (encrypting at rest for example)? You've basically covered the requirements.
> Yet needs to be sure they don’t end up giving the company to the EU because someone over there signs up on a marketing list.
What kind of FUD are people reading...if someone voluntarily gives you their email to sign up for a list that's fine. You just need to keep that they consented to receive what they agreed to. What you can't do is use that email for crap they didn't sign up to receive. Obviously normal unbsub rules apply, which in this case says forget that someone ever signed up.
It's a reality. Literally, a 4% tithe on our revenue would literally kill us right now. Funny though you seem to know this isn't the case, having never seen our books.
Um, but now you are storing data "they own". And now you have to comply with how each member country wants you to handle that data. So yeah, you can violate the GDPR...
In my limited view, this is pretty much the case. When I was telling our management team about the GDPR and how it relates to our new European-focused project, the first thing the CEO said was "how do we get around this?"
Management decided we're not gonna comply with the GDPR and just hope nobody notices.
Some of us do work for companies who respect and promote GDPR who are not based in EU, and we're hiring. Leave, that's a perfect example of terrible leadership.
Agreed. When the Volskswagen story broke that was my first repsonse: Management Failure. No matter how you slice it in a company that is run in a hierarchical fashion there is no way that an employee at some level decides to break the law in such a blatant manner without being pressured to do so in some way.
Which in the longer term turned out to be right. I'd love to see Winterkorn behind bars for that one.
Well, that was what VW said from the beginning. Although it was presented as "rogue engineer", the person they originally presented was the head of the entire department, and a VP at VW. And VW is suing Winterkorn in a civil case, too.
> Management decided we're not gonna comply with the GDPR and just hope nobody notices.
Although they don't say it that way, that seems to be what most GDPR advocates are implicitly advising. They keep saying not to panic and shut down your web site or block europeans because and the EU is not going to sue you as a first step, etc etc.
I can see why you'd be disappointed - if popular websites started blocking US customers I'd be pretty bummed out as well (even if it was easy to circumvent).
As a dev though, I also understand the frustration. Creating startups is already time-intensive and stressful. A lot of us are on shoestring budgets. Most startups will fail. To a solo developer in the US, the idea of spending time understanding and complying with GDPR is daunting, it's more than just a hindrance to many. Still, I don't want to break European law, so maybe it's easier to block EU users at first and change policies later if profitable.
I think blocking is at least showing you respect the law, compared to just doing nothing and being non compliant.
If a company does not understand GDPR it's fair to say I don't want them handling my personal data. And it's not like this is new, there was a 2 year period to prepare for this.
"Most startups will fail": I do not see that happening. You will first receive a warning. The EU won't really care if you are a tiny startup. Unless you are running a shady business, there's not much to worry about.
Not wanting to use non-GDPR compliant services is completely fair. I think it should be the user's choice.
I think assuming the EU won't care about tiny startups is irrelevant - I want to follow the letter of the law, it's why I'd opt to block EU users instead of just ignoring the existence of the law.
The problem is not with the spirit of GDPR. I am totally with that. The problem is the liability of it - as a small startup it is seriously scary to think that all it takes is one insane customer to pull the fire alarm and we'd have regulators and fines raining down on us even if we believe with all of our hearts we are doing it right.
Hence, the blocking of the EU - its better to block at the beginning and then expand to the EU once we have revenue to support someone handling this as an employee.
> as a small startup it is seriously scary to think that all it takes is one insane customer to pull the fire alarm and we'd have regulators and fines raining down on us even if we believe with all of our hearts we are doing it right.
You know this is not what would happen, right, that you'd be given advice and the opportunity to towards an amicable resolution?
Can you point me to where in the GDPR it talks about being given "advice and the opportunity to towards an amicable resolution"? (I'm not being facetious, I'm genuinely curious to read about it, if it exists)
Article 83 in general and specifically Art. 83 (2) state that "the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement" should be taken into account when determining penalties. We'll have to see what this means in practice though.
The GDPR doesn't use "should"; it states that "[w]hen deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to" that factor. Basically, if you can show that they _didn't_ take that into account, or that you tried to cooperate and were stone-walled, you will have good grounds for having the fine overturned.
My understanding is that the measures taken against GDPR infringements will very much depend on the good will of the relevant national authority.
And as a member of a EU country that for the last year has been constantly bending (when not breaking) the rules to repress and attack legitimate political reivindications, the relativism in the application of GDPR is something that I find very worrying.
That's an optimistic view of dealing with government, that they would actually be reasonable and helpful. Many in the US have a decidedly pessimistic view of dealing with regulations and bureaucracy.
Uber versus Night School is an example of this. Uber: Ignore taxi regulations, get tons of VC, get rich while being awful people. Night School: try to work with government and play by the rules, fail, get used as a cautionary tale.
I think something akin to GDPR is necessary and good, but GDPR as written probably isn't it. I look forward to seeing how it works out in practice, and how it develops/is replaced, and in the meantime feel bad for the developers and customers that suffer through the unintended consequences and misfeatures of it.
After the law gets clarified some, I think you're right that it won't be bad for small players. But I wouldn't want to be one of the test cases.
> That's an optimistic view of dealing with government
Calling the data protection agencies "government" may be correct in some very legalistic sense, but is utterly wrong under any colloquial meaning of the word.
We have 20+ years of dealing with tons of national and regional DPAs following national rules. Now these DPAs play by a single rule book, but other than that, little changes.
How many $300kEUR fines (the maximum in Germany until yesterday) served by a German DPA (we have 17: one federal, one per state) have you heard about in the last 5 years?
The first one was handed out by a court based on criminal law. This is not comparable to administrative fines. He got fined 260 days of his income (which is the basis on which such fines are assessed). He had two previous, very recent convictions. I'd say this is not a very harsh sentence but your opinion might vary.
The second one is a law very much like GDPR (notice the little words "up to"?). Not a single fine has been given based on that, not even a small one.
The challenge is absolutely not technical, so 2 years makes no difference. The challenge is that GDPR is essentially impossible to comply 100% with, and absolutely impossible to comply without incurring extra costs.
GDPR is the PCI of the privacy world, 99% of companies will be non compliant if audited, but 99% of companies wont be audited. The difference is unlike PCI anyone can launch claims against companies, including for malicious reasons like taking out a competitor, and political reasons like a eurocrat taking a disliking to a particular company.
It's not possible for a financial institution to exist without incurring 'extra costs' for SOX and KYC compliance. And yet they all do. That pesky regulation seems to be useful.
Actually this has been a big problem in the cryptocurrency space. It's entirely too onerous to comply with the rather extreme regulations in the finance space so exchanges had to ignore them for the longest time. Some exchanges even have to move countries because it would be nearly impossible to operate "legally". Yet their services are still needed and if they didn't have this freedom and flexibility then the cryptocurrency space might not have had the tools it needed to grow and innovate.
What are these companies doing that makes it so hard to comply?
I've been involved in GDPR efforts at work and all the policies seem fairly straight forward to me. If you're not doing shady shit and you're upfront with your users what you are collecting the data for, how long you keep it and what access policies you have set up.
it’s a problem cos the regulation is vague and what you just said is Your interpretation of it... that doesn’t mean it would stand up in court of law...
It includes liability for any and all data handed off or handled by 3rd parties. In other words, google analytics, facebook ads, salesforce customer data, mailchimp, constant contact, that really useful startup. How can you guarantee they are in compliance? If they aren't, you are now liable.
Enforcement guidelines are ill-defined, and the definition relies on vague terms. For example, is retaining an IP critical to running your business? What if you're getting DDos'd? Now it is up to someone else to make that distinction, and you're dependent on them "being reasonable."
And if IP is the only PII you keep and if you destroy IP logs after let's say 6 month and write something about that in your TOS, you're good. And even if you're not, if hey contact you and are not happy with your way of handling data, they will warn you then offer solution.
You can even self-report if you're not sure you handled the privacy well, and they will point you the stuff you have to work on (and give you month to do that).
I Understand Americans are afraid of fine and lawsuits, but please don't be afraid. Read GDPR statement from regulatory instances, they are here to help business too.
> I Understand Americans are afraid of fine and lawsuits, but please don't be afraid.
I think GDPR is short-sighted from a game theory perspective and will short-change European citizens.
When I sold software online, Europe was < 5% of my sales. Why take on business-ending liability risk for that amount of sales? Sure, maybe I'd do these things anyway, but once you open that pandora's box, you're relying on favorable interpretation and the goodwill of regulators.
Having seen what happened in the US with civil asset forfeiture, well-meaning laws can have their purpose bent, and goodwill can be perverted. Why take on that exposure?
>It includes liability for any and all data handed off or handled by 3rd parties.
Why would you hand of the data of your customers to someone that won't/can't prove to you that they will be in compliance with the current legal requirements?
Honestly that is the entire point of the GDPR, don't misuse customer data and don't hand it over to 3rd. parties unless the customer allows you to.
> It includes liability for any and all data handed off or handled by 3rd parties.
Good. Outsourcing violations, ethical or legal, shouldn't get you off the hook for them.
Besides which, what are you doing handing off stuff that's important to your business without knowing what's being done with it? Not a recipe for success. And if it's not important, then...
The policies required for PCI compliance are all straightforward too. But enforcing large sets of policies across an organization is a challenge, no matter how simple the actual policies are.
It's not 2 years though. European countries have had variations of the law for decades. If you ever bothered to comply with those, you'd have had literally decades and very little cost to comply with GDPR.
As a developer I can understand this point of view, but as a consumer I say it's time to grow up. Internet startups have taken a "move fast and break things" approach that is analogous to early industrial revolution approaches to worker safety, product efficacy and safety, and environmental protection.
You're working in the real world, with real consequences if you end up exposing people's personal data. The party is ending. Either deal with it, or find something else to do.
> You're working in the real world, with real consequences if you end up exposing people's personal data. The party is ending. Either deal with it, or find something else to do.
They are dealing with it... by limiting their liability.
Considering Facebook even actively tracks non-users, where's the "users" choice of not participating in that glorious Silicon Valley invention?
As far as I can tell, the "user" doesn't have a whole lot of choice there and Facebook isn't the only company doing that kind of aggregated data collection.
I'd agree with that if Facebook would be that single outlier nobody wants to emulate.
But Silicon Valley isn't a monolith where everybody is on the same page about everything, I have no doubt there's plenty of people in SC who consider FB a success-model to be followed into a shining future.
They're already on the one big island... they've just decided not to worry about the other big island across the sea yet because the one they're on is big enough for the time being.
I think I'd use the term 'putting it off for later'. Almost like technical debt. I'd probably look more seriously at GDPR compliance at about the same time I start working on internationalization and localization.
These are things I can put off until later, I don't need them to validate my startup concept. If the startup is successful, it might make sense to expand the market.
Yeah but what they actually do is removing themself from market place. If I were looking for a startup, I would check for someone banning EU users, with prospective idea and copy what they have done, but GDPR oriented and voila, I am first on the market, slowly taking over the original site bussiness in EU and later the world. EU is a huge marketplace and you really need to be extremly short minded to avoid it due to some stupi legislation, not to mention that as a US cityzen I would abandon any site not going for GDPR compliancy as they are saying to me, between the lines, "we are bastardising my data". Like seeing a laser pointer on your forehead.
Will that work if noncompliant company is offering its service for FREE* by funding everything selling data and you have to charge/use less valuable static ads? Just having a larger market doesn't automatically make you're product more successful, especially when that larger market needs more mundane localization efforts that the average startup probably won't invest in for a couple years GDPR or not
Plus, blatently ignoring regulation is cheaper in the short term, and if you successfully leverage that advantage into revenue than you can start throwing money at the problem once the regulators finally do get around to prosecuting you.
Only if your audience doesn't give a fuck about originality and community. You can't copy those. Even people in the EU care about who's fake and who's real.
I agree that exposing personal data is serious, and companies should be held responsible if they violate the terms of their privacy policy. I think companies should follow the law of the land.
The thing about GDPR that I disagree with is how it aims to have global jurisdiction. If it was a US law (as a US-based developer), perhaps I'd protest it, but I'd still follow it if I wanted to work in software.
But just because it requires changes affecting companies outside of EU that doesn't make the jurisdiction global. It's the same as with any other product that you are selling - if you want to sell it in EU, it has to satisfy EU's rules, irrespective of where it's being assembled / produced.
So if you "sell" to EU residents, follow EU's rules.
I think that's fair, but I don't think it's necessarily fair to put the responsibility on foreign websites to do the blocking and vetting. If the EU wanted to block websites that aren't compliant, that would make more sense IMO.
> So if you "sell" to EU residents, follow EU's rules.
Surely this will just result in the development of the reseller model?
As long as the reseller doesn't collect data, they're protected and as long as the US company doesn't maintain a presence or ideally market to the EU, they're untouchable due to the lack of any EU-US enforcement agreement for the GDPR.
Part of the length/complexity of the GDPR text is to deal with "cool hacks" like this to avoid having to spend money on IT security or to respect user preferences.
I feel that you're ignoring the situation of small startups with just a few founders. At this stage, it can really kill your business to spend a lot of your resources on making sure you're complying with GDPR. Usually the 'consumer' of those startups are OK to take some risk, heck a lot might even sign up with dummy emails.
The Poland proposal [1] to limit GDPR compliance to only large businesses was trying to address that. But it's flawed, because a small company (Cambridge Analytics) could still make a lot of damage to users' privacy... but the intent of Poland was good.
I feel there should be an opt-out based on the numbers of users and the age of the company/service: If you can easily prove that you're not handling more than X users and your company is less than 2 years old, then GDPR does not apply yet, as long as you warn clearly on your website that you're not-yet-falling-under-GDPR. If you're still in the GDPR-waiver zone but believe to be GDPR compliant, then you can remove the warning and are subject to GDPR like every other company.
That way entrepreneurs won't be scared to try some MVP here and there. I'm especially thinking of those trying to start a startup in countries that are part of the E.U.. The rest of the world entrepreneurs can just focus on their local userbase.
Going along that, it's also like 3D printing house startups no complying with fire safety regulations in the name of "oh no, it's too expensive, let's just not deal with that". Actually, thinking about it, such startups would probably start somewhere where regulations are laxer, make money there, then invest in security, and finally expand to western countries where subject to massive regulations. I don't want unsafe houses, I don't want unsafe cars, and I don't want unsafe websites. Some other countries don't mind about that. To each their own, what's so ridiculous about that ?
For what it's worth, I'd argue the same should be permitted of a small car maker. If I want to go build my own cars, step 1 should be putting a motor on a chassis and being able to drive forward. Step 1 shouldn't be adding airbags and seat belts to a couple axles.
The safest car is one that can't drive, and the most privacy-friendly software will fail to compile. You should be able to build a functional car before you need to worry about making it as safe as possible, and similarly you should be able to build a functional MVP of your software before you need to worry about compliance with a huge international policy.
Like most car analogies this one has a fatal flaw.
Before you are permitted to use your DIY car you need to comply with safety regulations to avoid harming others. You can keep your unsafe car off the street in your garage, though. Same for software that is not compliant; you just don't get to call it a "product" and let it loose on the public.
Well it's funny because Uber, a company that actually does seem to have financial resources, is allowed to run their apparently unsafe cars on the streets of some us states.
to be fair though uber also has thousands and thousands of unsafely driven cars on the road that we have no problem with; humans are bad at controlling heavy rolling fast motorised steel boxes
Uber seems to be worse than humans thusfar. Orders of magnitude fewer miles than average before killing anyone, covering up running red light running, misleading videos. A human driver like Uber would've ideally lost their license and faced legal penalties by now.
I disagree with the analogy. Trying to use the same analogy: If I were a one person entrepreneur trying an MVP, I would be building a bicycle, not a car. And what I suggest is have the right to put a sticker on the bicycle: "Warning, this is not compliant with the car regulations" to make sure people don't have false expectations. (Because I agree that in the real world, only a fool wouldn't be able to differentiate between a car and a bicycle, but for web services, this isn't an easy task)
A one person entrepreneur might not consider him/herself to be "being in the webservice business". Instead he/she would consider being in the business of [whatever problem the MVP is trying to solve]. It just hapens that in the 21st century, most of innovation happens online.
Back to your car analogy, it seems that people on one side argue that all companies "being in the webservice business" are 'car makers'. some people on the other side of the argument might say it's not.
Also, ultimately, it's possible that after spending a lot of time and hours examining the legal requirements of GDPR, a startup realizes it's not technically hard to comply, but the issue here isn't implementing the requirements, it's more about getting all the legal analysis, certification, handling customers requests, etc.
> If you disagree, should the US also stop prosecuting VW for the diesel cheating?
In that case, VW has clearly been in the car business for much more than 2 years, and in my example "X users", a good value for X would be something order of magnitudes less than the number of VW customers around the globe. So no, the US would continue prosecuting VW.
>I feel that you're ignoring the situation of small startups with just a few founders
It's that the equivalent of starting a new car company and arguing that you shouldn't be required to follow the same safety standard as Volkswagen Group, because you're still a small company?
At it's core the GDPR is simply stating that you're accountable for the data you collect and that you're only allowed to use the data for the purpose is originally collect. Building privacy into your product is much easier for someone designing something from scratch, compared to retrofitting it into the business plans of Facebook and Google.
I get the feeling that most of the people arguing against the GDPR are people who are focused solely in collecting user data as a core business. The people I know who are building actual product, where people pay for a service, are doing fine. Even though that they have to build products in a manner I suggested five years ago, where user data is either not collected or delete when processing is completed.
I feel like starting from scratch GDPR really isn't that hard to handle.
If your business is based around exploiting user data however it might be a lot harder, but then that's the point of GDPR, to prevent people exploiting user data.
GDPR exists because it turns out we can't trust companies to handle personal data with the care it deserves, and I don't see why any company should be excused that proper care.
I am a US citizen who, until last week lived in France. I wasn’t protected by HIPAA in Europe. Interestingly, HIPAA is stronger than the protections provided by U.K. law. For example, practitioners in the U.K. actually use Skype for mental health consultations — which would be a huge HIPAA violation in the US.
That isn’t about data protection— it’s actually the opposite, it’s about Euro banks sharing data with US authorities. Furthermore the unintended consequence of FATCA is that many Euro banks stopped allowing accounts from Americans because they didn’t want compliance risk. GDPR is having the same effect: US companies will refuse service to Europeans because of compliance risk.
GDPR has effects way beyond better user privacy. Sorry I've been pasting this in multiple GDPR related threads, but here it goes:
I have a profitable, bootstrapped SaaS business based in US. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.
I've been talking to a very well known giant corporation (also based in US, but has many global offices) for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses, (various ISO certifications and such) in the contract that I, as a small company, cannot comply. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.
The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.
This is the side-effect of GDPR.
I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Of course, blocking European users doesn't do anything for me since I want to do everything I can to protect user privacy.
But anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.
The loudest GDPR advocates don’t care about you. 90 years ago they would have been the ones helping collectivize the farms, unintended consequences be damned.
And this law’s effects are all about the unintended consequences. Anyone thinking government regulators are reasonable and benevolent has never dealt with said regulators beyond any trivial level. To make it more fun each member country handles enforcement, so now you have a risk of 28 different interpretations of the law. It’s madness. Even if you do everything right there is still a compliance risk. It’s like HIPAA in the US — HIPAA is pretty “easy” to comply with, but the consequences are so severe that it necessarily drives up operational costs significantly. Unless Europe is a significant part of your revenue, better to block Europe and decrease your risk to near zero rather than have a potential risk of catastrophic, company-ending fines. Because the fine isn’t against profit, it’s against total, worldwide revenue. So unless your European profit exceeds 5% of your worldwide revenue, no sane person would take that risk. Even without the enforcement risk, you still have to deal with potentially hundreds or thousands of information requests — even if you are doing everything by the book.
That part is spot on, he's showing how history rhymes. It's an example of humans historically making the same mistake of not reasoning about unanticipated consequences.
> The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. (snip) That's their interpretation of GDPR. It doesn't matter whether it's right or wrong. This is the side-effect of GDPR.
I understand it's frustrating on your side, because you have no control over the response of your customers. But understanding what GDPR is (and not falling for FUD) is why the VPs and Directors get paid the big bucks and get the fancy titles. If they can't or won't work with legal to become compliant, they should resign and let someone else do the job properly.
I'm not saying, "oh it's easy" -- it's not easy. But that doesn't make the law wrong either. And it's not OK to blame GDPR as being "bad", when those rules are mostly just putting some real enforcement around stuff all moral and ethical organizations should have already been doing anyway.
It is your opinion that the law is not "bad" because you view the positive intentions of the law as bigger than the negative unintended harmful effects is has.. on people exactly like the OP.
Your points don't "make the law right". In whose view? Right or wrong for whom? In his example he listed all the ways he is handling user data in a respectful way. And yet, he is still harmed by this law.
That the VP and President may be doing their jobs wrong (in your view) is no recourse for OP, he is harmed all the same.
And ... are they doing their jobs wrong? At the end of the day, they are limiting their risk. What threshold of risk of harm to their business and livelihoods would you feel is an acceptable tradeoff to comply?
It doesn't make the law right either. Also, those VP's might be doing their job perfectly and the net effect could be that they cannot share data with any non-EU companies stifling their competitive advantages.
There are many real world effects of GDPR and we are just starting to see the pros/cons of it.
If you judge a law on what its effects should be rather than what they will actually be when applied to imperfect people, plenty of terrible laws will look good.
Wait a minute… You provide a service, and your users are afraid the GDPR could come to them?!?
Please tell me I've read something wrong. Otherwise, this is just panic induced stupidity. I expect they will grow out of it (though maybe not before you go bankrupt, which obviously sucks big time).
It's pure FUD and panic. I think the only item most people have actually read is 4% revenue or 20M fine which ever is greater. It's unfortunate, but was the only way to get the Googles and FBs of the world to pay attention.
Depending on exactly what the service is, this makes total sense under GDPR.
The GDPR regulates both Data Controllers, and Data Processors
Suppose I'm excited to hear about Hats.example, a site that sells hats. I visit, but they don't have any hats for my ostrich. Damn. But, they do have a box where I can leave my email address "to be contacted about future products". Great, maybe they'll introduce Ostrich hats. I fill out the box.
Hats.example uses famous email deliverability company WeSpamPeople.example to ensure their marketing emails have "industry best in class reach". I soon get an email every week featuring different styles of hat, but they're all for people, disappointing.
But then, WeSpamPeople's VC runs thin, and they cut a deal with OutrightFraudAndScams.example, which tricks people into making dubious "investments" and wants a lot of "leads". Now as well as the hats newsletters I asked for but don't really care about, I'm getting stuff inviting me to invest in Venezuelan Bitcoin mining and a project to make "Green cyber-organic goats for the blockchain". Ouch.
Hats.example are a Data Controller. The GDPR says they are responsible for looking after the data that I gave to them, even if "technically" that form I filled out is a Javascript frame injected by WeSpamPeople.example, it's part of the Hats.example business, so it's their responsibility to ensure my email is not abused by a processor like WeSpamPeople.example, for example through contractual terms requiring WeSpamPeople.example to delete my email, never to send it elsewhere, etcetera.
WeSpamPeople.example are a Data Processor because they were given my email address and other details to send me "marketing" information. They have a duty under the GDPR to get reasonable assurance that this was OK with me, for example maybe Hats.example did some paperwork that promised they're legitimate and they got sign-off for these email addresses. Regardless of whether they were given terms requiring them to do so by the Data Controller, the GDPR says they have to take care not to abuse the data, for example they can't sell it to anybody, since they obviously don't have permission to do that.
OutrightFraudAndScams.example are also a Data Processor, and maybe also a Data Controller they know they didn't have permission to touch this data, but presumably they also routinely violate all sorts of other anti-fraud or anti-scam laws. Maybe the GDPR will help add to the fines and charges and put them out of business.
> But then, WeSpamPeople's VC runs thin, and they cut a deal with OutrightFraudAndScams.example, which tricks people into making dubious "investments" and wants a lot of "leads". Now as well as the hats newsletters I asked for but don't really care about, I'm getting stuff inviting me to invest in Venezuelan Bitcoin mining and a project to make "Green cyber-organic goats for the blockchain". Ouch.
Just so it's clear, you're positing that when WeSpamPeople breaks every existing contract they have, that those on the other side of said contracts are now liable?
Of course it could happen, but I don't see the EU fining those on the other side of the contract as long as they moved to another DP and alerted their users when the breach of contract was discovered. Both actions should happen regardless of GDPR.
I agree with you up to a point. Diligence is going to come into this as it does with Bribery where again laws in one place target crime everywhere. How diligent were Hats in picking WSP to deliver email? You don't have to have done a rectal exam of every employee, but if it was obvious to half the world what was going to happen, a prosector might be able to get a jury to conclude Hats should have known too.
Sure, but the original comment alludes that the emailer is a best in class in the industry, and not some Nigerian fly by night company. Obviously there is still some due diligence to do, but I wanted to spell out what was being implied so that the unlikliness was also shown.
TBH, email is a bad example anyway because good providers are already pretty quick to boot bad actors so they don’t end up on blacklists.
> Wait a minute… You provide a service, and your users are afraid the GDPR could come to them?!?
Yes.
It's not unreasonable, because GDPR has components that require vendor assurance (more or less). So the megacorp with a point-of-presence in the EU has to be cautious about what strictly-US SaaS services it uses if there's any potential for data crossing into the SaaS.
This is almost certainly exactly what GDPR is intended to do. It aims, in part, to make sure companies can't shirk their responsibilities by handing everything over to vendors who will ignore GDPR.
Again, makes total sense from the perspective of an American legal department. They're falling back on the tools they know to de-risk vendors, which is formal certifications and accreditations. ISO, SOC, etc. The lawyers are going to be extra twitchy because of how vague and hand-wave-y GDPR is.
An actual compliance audit from an accredited auditor, paid for by the SaaS offering of course, is not going to be cheap or easy.
And the GDPR is the side-effect of people running hog-wild with PII etc. I feel for you but I see your situation as collateral damage of the privacy crisis.
If I were running my own company right now, this is probably the approach I would take. I'm a big privacy advocate, but I'm also anti-authoritarian and don't like being forced into things by overbearing laws.
Blocking Europeans sounds a lot more reasonable than having to hire a lawyer and spend double the time and effort just to be compliant while writing a new JavaScript MVC Todo List app.
Hey, rest of the world, I'm sorry the US is so terrible and that this, currently, with all the bs we're putting you through, is the status quo for online fedoras. Defending censorship under.. the guise of anti-authoritarianism. "Right wing anarchy."
GDPR is happening because for the last several (10s?) of years companies have been playing fast and loose with people's data. They've had their chance and they've blown it fairly comprehensively.
The people (by and large government is run by the people, for the people, at least in some countries) have had enough. I've had enough, and this is us telling companies they've had their chance and not made the grade so we're dictating now. As a person, and father (who has to worry for the rest of my live about my offspring's health and happiness, and linked to that, privacy) I'm very happy with this law. I support it, as seemingly a lot of people do. That's not authoritarian, it's the will of the people.
And no, I'm not some sort of communist beard stroker, I'm pretty central in my political beliefs and I also don't appreciate governments sticking their noses in where it's not welcome, but this, this is welcome.
> It would seem that Silicon Valley perceives the GDPR as more of a hindrance than an opportunity to offer users better privacy.
Why would you think that SV would be interested in offering anything for its own sake? The vast majority of the model is to create new rent-seeking profit opportunities for investors, with internet users as a mere means to that end.
> I would be very wary of a company who claims this legislation is onerous. It is potentially life threatening to companies who do very shady things without your consent. That much is true. That is the entire point.
I somewhat suspect those companies hiding behind the 'oh lets just block Europe' excuse just don't want to admit the extent of what they are doing with the data.
US citizens should take note of this, because it's their data too.
This might be it for like a very small handful of malicious companies. More realistically they are companies who have very little market share in the EU and their attorneys are very risk-averse and tell them a simple opt-out with few billing hours creates the most ROI.
EU citizens should not be pissed off that second-order effects exist in the world. If they are, they need to take ECN 101/102 again and pay closer attention.
I somewhat suspect those companies hiding behind the 'oh lets just block Europe' excuse just don't want to admit the extent of what they are doing with the data.
If the cops showed up at your door asking to search your home, business, and Internet accounts without a warrant, would you let them? Why not? What are you hiding?
If you don't think this legislation is onerous, you're not doing the work of implementing it. Now, in my company's case, a big enough chunk of our customers are in the EU that it was the right choice.
Thing is? We changed almost nothing about the way we processed data. Data subjects are no better off because we've spent tens of thousands of dollars complying. Whether people comply or not, the fact of the matter is that this regulation is onerous. It's onerous even if you love the intent of it, and it's onerous even if you think it's worth it.
If this is anything more than fear of change (I suspect it isn't, once people get a little more accustomed to GDPR and some of the inevitable issues are ironed out), and other device owners start blocking EU citizens, I suspect GDPR may end up being a huge boon for Europeans.
Much like China, which has managed to develop a huge internet industry because it doesn't have to compete with the American competitors, the EU's huge market will provide a lot of space for EU startups if the American competitors refuse to do business in Europe. But unlike China, the GDPR will make those European companies more competitive on the world scene rather than less.
If the choice was between 2 services, one of which complied with GDPR and one which didn't, and explicitly excluded GDPR protected users, I'd assume the vast majority of regular consumers, but definitely businesses, would pick the GDPR compliant one.
American competitors aren't going to refuse to do business in the EU. They're going to comply with GDPR for EU customers, and in some cases across the board. I keep hearing how easy it is to comply. Then that's that, it's easy and there's money to be made, so US competitors will continue to be dominant as before.
It's not about privacy, its about poorly written regulation that leaves too much vagueness because its based on principles rather than hard rules. Good intentions are not enough, there must be clear paths to implementation and verification. Perhaps that should've been fixed instead of wondering why so many companies don't really want to deal with it.
It will also do just about nothing in regards to the major companies that everyone had such a big privacy issue with in the first place, so not only is the regulation vague but it's also ultimately very ineffective.
>because its based on principles rather than hard rules
They tried hard rules, rather than principles with the cookie laws and the companies around the world turned a good idea into a shit-show of popups while continuing to behave like nothing happened.
Honestly the more I read and the more I see how different business react I start to view the GDPR as EU finally showing that will not accept businesses viewing it as a second rate legislator.
The GDPR and reactions to Trumps policies an EU that is finally starting to behave like it's representing the best interest of 500 million people.
95% of my GDPR work has done nothing for actual privacy. If this is how the EU "represents the best interest of 500 million people," then no thank you.
Can you elaborate please ? And what about the other 5% ?
I mean, if companies cared about privacy in the first place, there probably wouldn't be the need for such a regulation. At the very least, GDPR will get the general population be conscious about what the hell is going on under most websites.
Most of the costs of this (so far -- we'll see how it goes with subject rights; I spent several hours already working on a right to erasure request that was so confusing it will take a number of additional hours just to entangle and document) are learning the regulation (not privacy, but the regulation itself -- very different), doing documentation (the largest cost by far), and holding customers' hands. The last 5% wasn't all that meaningful; a few assorted things, like one of our S3 buckets that was storing encrypted backups of non-sensitive data with no expiration, and it got noticed during GDPR prep. It would have been noticed anyway (probably even before now).
We've also lost customers (including a contract that would have been our second-biggest) because our competitor is either lying or doesn't know anything about the GDPR, and has convinced customers they're compliant. Their story sounds easier than ours; "We're in the EU, so we're compliant" as opposed to "Hey, you need to sign this DPA with us to be compliant."
And no, many companies already did care about privacy. Companies are not faceless villains -- they're made up of people like you, assuming you have a job, and even aside from not wanting the bad publicity of breach or misuse most people want to use data correctly.
A lot of "GDPR work" I have witnessed recently has been totally useless and frankly I'm still not sure why I understand the tortuous paths some have chosen to follow.
I think a lot of that is down to decisions taken by US-based management that is simply clueless about how law works outside the US. And probably also only got their information from US-based lawyers that were either as clueless as themselves, or had incentives to make everything look very complicated.
On the other hand, most of the companies around me that have no links with the US were not particularily worried, and either consider that they are already compliant, conducted minimal work to be acting in good faith, or at worst are waiting for the regulatory body (CNIL here) to tell them what they are doing wrong, if that is the case.
However, I don't know any company that does shady things with their users' data, and things might be very different for those.
I think you are mistaken - the amount of effort big companies are putting into this certainly already has improved privacy significantly- and its just the beginning!
And yet, multiple companies that do all kinds of crazy things with your data (https://www.google.com/search?q=gdpr+shutdown) have shut down already as a result of GDPR. You could argue that wasn't the goal but I'm pretty sure it was part of it and seems to be effective in that way at least.
Like what exactly? The vast majority of them don't do anything that crazy other than storing an email or running some ads on the site, which is completely insignificant compared to the detailed profiles that Facebook and Google have and will continue to maintain. And it doesn't even touch the ISPs, credit unions, medical companies or other deep databanks.
Right now there are billions of people around the world clicking "yes" on all the privacy and consent popups while grumbling about the annoying notices and just wanting to get back to what they were doing. Meanwhile there are also plenty of people creating havoc by filing lawsuits against every company they can, adding up to billions demanded on just the first day.
> Meanwhile there are also plenty of people creating havoc by filing lawsuits against every company they can, adding up to billions demanded on just the first day.
No, the EU is not the US, no lawsuits have been filed. Some individuals have reported some companies to their local data protection agencies, just like the GDPR says you should. No money has been "added up to billions", because the DPAs don't sue for damages, the levy fines to ensure compliance.
Huge difference. If you're going to critique the GDPR, please understand how the legal and regulatory systems of Europe work first.
As a French guy, these type of comments make me smile. The GDPR is basically just the implementation of the French law "Informatique et Liberté" into the European Level. (You can read on HN many Germans saying that it's actually the implementation of the Datenschutzgesetzt. The truth is: these two laws are extremely similar.)
This law has been in application since 1978 [1]. And in 2018, we have adtech companies like Criteo. [2] I have one of my best friend who started his adtech startup in France. Everything is good.
There's is a lot of implicit contracts (you filled up our sign up form? Well, then you chose to give us your data. ...) The only things you have to do: know which data you collect and give the ability to people to update/delete their data. That's all.
I don't understand the fear. I don't understand what is "vague" about it. It's so simple and low barrier that Microsoft decided to make it the rule for all of their users. But thanks to the hysteria, they made a PR stunt out of it.
You mean Criteo the company that has lost over 50% of their valuation since last year because of cookie and consent issues? Yea it's going really well for them. https://finance.yahoo.com/quote/CRTO/chart?p=CRTO
The difference is that France is insignificant in the adtech market. The real money is in the US and spread out across Europe, with Asia soon to overtake. The existing rules you point to weren't affecting global operations where Criteo and others made their money.
It's strange that you think the business models are going to fly in Asia. China and many Asian countries are laying out privacy regimes that are even more strict than the GDPR. Take a look at China [1] or Thailand [2]. Pretty soon it will be the case only in America that adtech companies can collect and sell endless personal information without consequence.
What are you talking about? China with it's national real-time citizen tracking using 'social credit' scores, facial recognition, and internet firewalls really cares about your privacy?
Ok, spend all your time going after the ad company and ignore the government which is 1000x worse and will control your life or toss you in a cell. Good luck with that.
He's not ignoring that? He's pointing out the laws are stricter when dealing with private companies. You are talking about two completely orthogonal laws or standards.
In this more specific case, it's very difficult to judge China's policies with an even tilt because private Chinese companies are ad hoc lifted to "public status" when they're convenient for the government to leverage.
But China grants legal exemptions without especially good or consistent oversight over those countries. The net result is an awful lot of folks who get a legal exemption for a specific aspect of their business and then tend to run roughshod in other less scrutinized areas.
>very difficult to judge China's policies with an even tilt because private Chinese companies are ad hoc lifted to "public status" when they're convenient for the government to leverage.
How is this different from any other western government?
Having worked at a high profile government contractor, my observation is that you don't get the same kind of leverage other folks report. Also, the bidding process is cuthroat and subject to public scrutiny here.
Now if you're taking about security contractors, that's different and the same the whole world over I guess.
First of all "insignificant" is far fetched. Small? Yes. But not insignificant.
Second... I don't see how valuation matters. Did they loose money? Went out of business? No. VW lost valuation during the whole diesel gate scandal. Did that make VW a less relevant? No.
And the last thing that I wanted to mention: I said "this is just an implementation of an old French law into the European Level". And I was mentioning the French law itself, not the European Law.
The cookie issue that you're mentioning is related to the ePrivacy directive, which is solely European Law, that was passed one or two years before the whole lost of valuation. My point was just that the GDPR doesn't affect anybody.
> I don't see how valuation matters. Did they loose money?
Do you know that they are a publicly traded company? Losing money is exactly what happens when the stock price falls. When you lose more than half of your value, going out of business is a serious risk.
The stock price usually reflect the "feeling" of the investors. But it does not make a company loose/win money. It's just what the investors think the company will make in the future, but investors (as often) can be wrong.
It only affects the ability to make more money by issuing new shares.
But the "bank account" of the company doesn't get divided by two. Customers don't start paying only half the price for their service.
Giving people the option to delete their data is a bit like allowing someone to get their money back two years after eating a meal at a restaurant.
Given the EU assertion of global jurisdiction, the GDPR seems like a bit of a trade war and it's surprising more commentators aren't treating it as such.
The US should be inspired by this and give online retailers the opportunity to collect and remit sales taxes.
Yes it is. The customer paid for their past use of the service with their data. Wanting to take that data away after having used the service is exactly like wanting a refund for a product you consumed.
Regardless, GDPR requires that you do this. Data's value is massively inflated in the minds of "technologists" and it is time that price came down to reflect the realities that the rest of the world wants.
Sincerely hoping that this marks the end of the data gold rush
> Giving people the option to delete their data is a bit like allowing someone to get their money back two years after eating a meal at a restaurant.
I'm sorry the analogy is totally flawed. On one hand you have something consumable: food, on the other side that can be made eternal: data.
When making an application that collect data, you just have to make a form/button to give the ability to update/delete data. It's no more different that when you make an adult website, you have to make a page "Are you above 18?"
Sometimes, it sounds to me that people on HN don't have a problem with the law X or Y. They rather have a problem with the concept of regulation in general. (See the comments on all the posts about Germany requiring Uber drivers to have a car insurance with a higher liability.)
But if you want to give an analogy to normal business, a more suitable one would be: "Giving people the option to delete their data is a bit like allowing customers to get their money back on their gift card they purchased 2 years ago"
>I'm sorry the analogy is totally flawed. On one hand you have something consumable: food, on the other side that can be made eternal: data.
You're not understanding the analogy. What does a user get out of using Google's services? They get access to a suite of products (search, email, cloud storage, online productivity apps, videos, and so on) that are maintained by a rather expensive group of employees and run on a rather expensive collection of hardware. When you use those services you pay for them by letting Google collect information about your use of those services. The value you get from those services is often intangible (you watched a cat video or looked through a photo gallery of your sister's new kid), though sometimes monetary (you don't have to pay an ISP for an email address if you use gmail.) When you choose to no longer use the services and demand that Google delete all the data they have gathered are you going to return that intangible value and pay them for the money you saved by using their systems? How would you do return the experience of watching a stupid cat video? It's exactly like eating a meal but insisting the restaurant give up the value, i.e. the money, that they got from you.
You're right. I didn't get the analogy. After your explanation, I now get it.
But still, the analogy is flawed then. If I give the restaurant money, the way the use they money afterwards doesn't affect me. They cannot take more money from my bank account or from my pocket. The only thing they can do is invest it and make more money, but it does not affect me.
When I give my data, the way they use my data – after I've "eaten there" – can affect my life. They can send me spam, they can put me into database of "people with suspicious behavior", ...
The law is more about giving a second chance: I could have given information in the past, and you could have sent me commercial emails in the past. But now I've realized I've made a mistake and I don't want you do that anymore.
If you want an analogy to real life: it's more about giving 5 years of jail to a burglar. They committed a mistake, so they have to pay for it, but they should have the right to get out after having paid, and live a normal honest life.
FWIW, this last analogy is probably not going to sound very convincing to an American audience, as convicted felons here have their lives permanently ruined, including after they've paid their debt to society in full. As an expat, people are surprised to hear I'm the only person who can request and provide my (empty) criminal record from my home country.
Google generates money not by collecting data but by showing targeted ads (they need personal information to do good job at targeting).
They actually do provide option to opt out, remove information about you but they make a quite a hassle to opt out and block features that could otherwise work, to encourage you to opt back in. For example you don't agree for Google to your location history? Fine, you don't have location history in Google Maps even for places you searched 5 seconds ago.
Anyway, to turn things around, yes they provide you services for free, and you're paying for using them by have targeted ads, if you decide to not use those services anymore you can't get an offline version of their tools that doesn't phone home, so why should they be allowed to keep your data in perpetuity?
Targeted advertisements is one way that Google uses data about its users to generate cash. Just like users use Google Docs to create invoices, use Google Search to find solutions to problems, and use Gmail to send resumes and receive job offers. The exchange here is the use of the service for the gathering of the data. How it's used post exchange is not relevant. Is a person who decides to cease using gmail going to quit the job that they used gmail to, in part, get?
The fair result of a person choosing to stop using a company's service is that they get to stop paying for that service, i.e. Google doesn't get to collect data about your current and future activities.
The difference is that your data is still valuable whether it is week later or 10 years later. While it is unlikely Google does it, the data also can be sold to multiple parties and that doesn't diminish its value.
People truly underestimate how much information about them is actually worth.
The first part doesn't make sense. This is no different than exporting your data if you stop using a piece of software. Giving data back isn't really an issue of contention, nor is privacy in general.
I looked up information on how to legally comply with GDPR and it's a lot more complicated than you're making it out to be. You have to show regulators the well-defined pipeline for any personal data, and justify to them why that data is being collected.
There are also extra procedures you have to follow that could be really complicated depending on the business. This is even worse for small businesses. I can definitely understand those people who want to just wash their hands of it, especially if they don't get much business from Europe.
As I said other comments, I'm not sure if people on HN have a problem with the GDPR, or just with the concept of regulation itself.
Also, when I read about "complicated rules for small businesses". It reminds me about American republican politicians explaining how taxes on the rich will affect the average joe's taxes.
The reality is that many rules only apply to big businesses. And small businesses are exempt of many rules. My favorite one is the "Data Protection Officer", everybody on the internet™ says that you need one. The reality? Most small business won't. The article 37 explains that the Data Protection Officer is when a business is "collecting data on a large scale" [1] Second of all, people interpret that as "Hiring somebody", you don't. It's just a role, take your CEO, and now he's your "Data Protection Officer", ...
I support GDPR, but to be fair about Data Protection Officer, that position sounds like a liability, no one will want that title unless they are appropriately compensated for it, so most likely this will be a dedicated person who will be paid just to be responsible for things being complaint.
Perhaps in early stage of a startup a founder will take the title to save cost, but he/she will want to lose that responsibility as soon as possible.
> It's just a role, take your CEO, and now he's your "Data Protection Officer"
Congratulations, you're uncompliant. Thanks for playing "GDPR is easy".
> (5) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Expert knowledge just mean that he/she read the entire directive. The same way that most employer in europe have read their country's labor law.
The reason why they say that is because the "Data Protection Officer" is the person liable for GPDR violation. The same way the CEO is liable for many wrong doing a company could do. They require no certification, no degree for a person to be a "Data Protection Officer."
The "GDPR is easy" brigade is very keen on telling people that it's easy to just read the actual text, so let's try that.
Just having read the GDPR doesn't count for "expert knowledge", it's just knowledge. "Expert" is something more. How much more? Funny you should ask, welcome to GDPR limbo.
Also, it doesn't say expert knowledge merely of GDPR, it says expert knowledge of "data protection law", vague and unbounded, certainly not limited to the GDPR. GDPR is probably the most restrictive you have to comply with, but the text literally requires you to have to have expert knowledge of the others, too. Finally, there's the little "and practices". It's not enough to read it, you have to be an expert in how data protection law is used in practice.
Before you have processed even a single byte of data, you're literally uncompliant simply by being blasé about how you name your DPO. It seems unlikely that anyone will get busted simply for this, but low likelihood of enforcement is not the same as compliance, and why would they include this paragraph if they didn't feel it was important? People who actually care about being compliant need to think about this.
The irony here is that American users are so used to being endlessly surveiled without consequence that they are genuinely shocked that the rest of the world refuses to put up with this bullshit. This is completely normal to them.
The GDPR is just another step in a global fight by people all over the world to regain their data sovereignty and protect themselves from endless surveillance. The momentum at the international level is very clearly for data sovereignty. Russia and many Asian countries are following closely behind. And while everybody was freaking out about the GDPR nobody seemed to notice that China passed even stricter online privacy laws [1] earlier this month. Singapore [3] and Malaysia [4] are up to speed and even Thailand [2] will likely soon require minimum standards. (Edited to add more links.)
The end result is like so many other things: American companies will end up blocking everybody but American users who they know they can exploit without consequence. American users will celebrate their exploitation as freedom from Big Government. Everybody else will move on and just shake their heads.
Read the thread again. Nobody has a problem with data protection but the fact that the regulation is not actually clear, hence creating more work while simultaneously being rather ineffective. How is that good for the user?
Also it's hilarious to claim China has better privacy when that government tracks everyone using facial regulation with real-time threat scoring and national social rankings called a "citizen score". A late payment on a single bill gets your face and contact info on a giant billboard so go ahead and try complaining about your data over there and see how far that goes.
How can the regulation already be ineffective? It's literally been in effect for one day. You'll have to refine the standard anti-regulatory tropes in this case.
Get this: not everybody is consumed by paranoid fantasies concerning their government. And while your shallow understanding of China based off a few western-oriented articles here and there may validate your own biases do understand they have no real relation to reality. In reality, there are no extraordinary consequences for missing a single bill. On the other hand if you're sued in court over a debt the judge -- not unlike American judges (!) -- can use public humiliation to try to modify your behavior.
The regulation is ineffective because billions of people have already given consent to Facebook and Google because they just want to get on with their lives and aren't about to stop using their services.
>>> People have already faced various punishments for violating social protocols. The system has been used to already block nine million people with "low scores" from purchasing domestic flights. While still in the preliminary stages the system has been used to ban people and their children from certain schools, prevent low scorers from renting hotels, using credit cards, and black list individuals from being able to procure employment. The system has also been used to rate individuals for their internet habits (too much online gaming reduces ones score for example), personal shopping habits, and a variety of other personal and wholly innocuous acts that have no impact on the wider community.
>>> Authorities vowed to collect the personal information of debtors and publish it in public places such as newspapers, train stations and other high-visibility platforms. The Supreme People’s Court reported in January that by the end of 2017 it had publicly listed the names of nearly 10 million people. They had been blacklisted from various activities, with 9.36 million of them prohibited from buying plane tickets and 3.67 million from buying high-speed rail tickets.
I'd say if you put it on a indoor table, a measly cubic centimetre of sand can make a (small) pile, and a random estimate on the internet states that there are 8000 grains of sand in a cubic centimetre.
"Clear" regulation is a fantasy. Every established boundary of regulation people enjoy in Western civilization was once and unclear, untested boundary that laws and courts had to cope with.
If folks find ambiguity in the GDPR, do NOT get into American Fintech. Here's a great question: what are the technical requirements mandated by the US government to become a bank?
American users are not celebrating anything; the populace here is half-mad, the result of decades of targeted propaganda and marketing honed upon the edge of surveillance by a gruel of barely distinguishable private and public actors. In its last election the US learned that these strings could be plucked by foreign actors by simply buying them, but strayed dangerously close to informing the public that such things were bought, that a misinformed public in a particular localized region could be sold as a packaged product and that misinformation was the product, the apex-goal: to create an identity around a false belief. I attribute much of the US' mental health problems to the disparity between the advertisement and reality.
So many left-wing people are convinced that if it weren't for those meddling russians the status quo would remain. It's mind boggling. Foreign powers have attempted to sway elections before and they will do so in the future.
In a way it very much reminds me of Germanys 'stabbed in the back' conspiracy theories at the end of WWI. Any rationalisation to avoid the cold, hard truth.
I'd bet money on two terms for trump at this point. The left has learned nothing from this.
>There's is a lot of implicit contracts (you filled up our sign up form? Well, then you chose to give us your data. ...) //
AIUI that's one of the main changes, that explicit consent is now needed to retain data and specific details of how it will be secured, who it might be passed to, must be given. Also that if the service being offered doesn't need the data, that the company offering the service can't insist on having it.
It is a big thing for micro-businesses and SMEs in the UK - despite having data protection laws already - it does change the complexion of how one handles PII and the embedded assumptions. We're talking about businesses many of whom have paper bookings diaries - the diary apparently needs to now be secured, whilst it's always sat on the counter before; that's a costly structural/workflow change (unlock the diary for every phone call!).
What you have described is _exactly_ how regulation works. It's still a hundred times better than what most countries in the world produce, since it's designed around the average human and not a megaco.
This isn't about how it works, it's about whether it works or not. That companies need to follow the law isn't exactly confusing, and nobody is saying they shouldn't, but when the law cant even clearly answer basic questions of who it applies to and when, that's a problem.
There are examples of regulation that does work, but GDPR is not really in that category.
...Ok, because you say so? Are you a lawyer? Do you realize that this whole discussion exists precisely because it's unclear?
There are already billions in lawsuits against facebook, google and others so companies are rightfully being careful. And even if you fall under GDPR, there is plenty of vagueness about the data and processes itself. This is not as simple as you make it out to be.
> Do you realize that this whole discussion exists precisely because it's unclear?
I realize that this statement is untrue.
Some people are dredging up all kinds of "but what if" and "I really, truly don't understand how my collecting data could be considered GDPR-triggering".
I find that dishonest. Protest as much as you want.
Oh, and surprisingly, just by some bizarre happenstance, you are "Currently working on Instinctive, a B2B marketing technology company."
I can tell you immediately that whatever you're doing falls under the GDPR.
>> that whatever you're doing falls under the GDPR.
Cool, except we weren't confused about that. Figuring out what data exactly and when, along with the proper processes, documentation, and interaction with all of our clients took lots of lawyer time though.
No I didn't, you should read it again. The original thread was about GDPR in general until the other commenter started talking about me and my company personally. We're not confused on whether it applies to us, although there are plenty of specifics that lack guidance.
HN is full of morally totaly unscrupulous people. The typical Silicon Valley crowd actually celebrates the kind of privacy invasion that the GDPR is design to counteract. So, obviously it's no big surprise that these Silicon Valley bros post silly tips on how to avoid the GDPR by just blocking the pesky Europeans.
They will learn. It's a financial certainty.
On a separate note: I feel totally disgusted with the kind of people who are totally uninterested with the the fate of their users. It's not exactly uncommon in Silicon Valley. Fuck these guys.
I don't know about you, but I have learned a great deal!
I've mostly learned that Eurocrats can't actually write useful regulation. Blah blah blah human rights blah blah reasonable measures. Next chapter. Blah blah envisage blah blah reasonable measures. Blah blah blah inter-government communications protocols blah blah codes of conduct.
What's a reasonable measure? How do I know if I'm compliant? How do I know if a vendor is compliant?
GDPR is a wonderful, incredible, essential document for laying out human rights for the digital world. It's also terrible and incomprehensible regulation.
Can you think of any good technical regulations that do lay out requirements & obligations in a useful manner without being massively outdated, trivially bypassable, or some sort of hugely onerous 'one size swamps all'?
I mostly agree that the lack of concrete measures makes it horrible from a compliance view, but I'm not sure you can have both things, especially in a relatively immature area of law.
Did they ask for explicit permission to use your data? Do they provide the service if you only provide the data they actually need, rather than asking for a swathe of PII so they can sell it on? Do they provide info on how your data is stored, and who has access to it? Do they provide a way for you to view and/or delete all the PII they have on you?
You're right! Those are all critically important questions to ask! It's just possible that they might not be completely exhaustive, though.
Do they take reasonable measures to detect and inform me of a breach? Do they take reasonable measures to ensure it's me requesting data being deleted? Can they provide the same data about all Data Processors they make use of?
It's possible that the answers to this might not be easily and readily answered in every single potential case one might encounter when dealing with specialist vendors.
You're completely right to spell out those questions. It's just possible that there may be more to GDPR compliance - and certainty - than that in some cases.
just blocking them doesn't seem like that bad of an idea, especially with the fines involved.
I think the things that bother me is:
1) A College student working on a side project with no revenue are treated the same as some massive multi-national.
2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.
3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?
No, it's not the same. The lack of proportionality is precisely why the UK/EU is such a hard place to conduct business.
These rules don't stop anything about ads, they just make them less targeted. Not a big deal, but it will increase the costs of serving users and thus decrease the total amount of commercial projects started.
I find it funny to claim that the US could be more proportionate than the EU.
Less targeted ads are exactly what we need. That's what the regulation aims for!
Your argument is like claiming that unfortunately, due to car dafety regulations, we cannot enjoy as many fatal accidents as we once did.
And to make my point of view clear: not all businesses deserve to exist. We as society decide which business models and behaviours are okay. "Decrease the total amount of commercial businesses started" cannot ever be a persuasive argument.
Nobody reasonable is arguing that it's a bad idea to let customers control their data. The actual issue is that the rules are vague and thus create a lot of confusion and waste that affects all companies, while not providing any real protection against the massive conglomerates that abuse data in the first place.
>The #1 complaint about ads is that they are not relevant, so this does nothing but increase that problem.
The #1 complaint about advertising is that in 2018, it has evolved into a shadowy, insecure brokerage of surveillance data that it obtains using all kinds of under-handed tactics. If the GDPR curbs this in the slightest, it will be a net positive for people of Europe.
It will not curb it. Facebook and Google who control 90% of the ad industry will already have consent from billions of people by the end of the day, and the increased regulation will only increase their market share as the safe and reliable avenue for advertisers and further strengthen their monopolies and data activities.
> Sure, one of the most valuable companies on the planet with an army of lawyers doesn't know what it's doing.
This a fallacy, not an argument. [1]
> Or maybe it's because the rules are confusing and messy and you have a different interpretation?
Please point out which rules are confusing and/or messy. Virtualy every single blog post about GDPR points out how it’s well written compared to other juridictions on the same subject. The language is clear and the website provides a Q/A section as well as concrete example for every point.
Yes, a company worth over half a trillion dollars with access to the best legal teams around the world has authority on whether it has done what it can to be compliant or not. And authority is how the legal system works, not everyone can just practice law without going through the proper education and licensing.
> Please point out which rules are confusing and/or messy.
The comment thread you just replied to -- the one where you seem to saying that random HN commenter is more accurate than Facebook's entire legal team on regulation that is supposed to be unequivocal -- is a start.
> Yes, a company worth over half a trillion dollars with access to the best legal teams around the world has authority on whether it is compliant or not.
You've made this personal twice now, signaling a lack of any real argument.
You do not know my history, and sadly you didn't even bother to do some basic research or you would recognize that I'm one of the few in our industry that has called for regulation and data protections for years. [1] Instinctive has been on the forefront of this as well with our most recent push for net neutrality. [2]
And surprisingly you seem to miss that B2B marketing is rather unaffected by GDPR since everything we do has always been contextually targeted, consent-based, and 1st-party relationships anyway. If you want to have a discussion, base it on the ideas and not the person.
As for Facebook breaking laws, I find that incredibly hard to believe given their resources, recent legal , 1st-party data and consumer connections in their walled garden, and the fact that consent is already given by billions of users who just want to use FB products and don't care about the rest. They have nothing to gain from skirting regulations that only serve to strength their relationship.
>Less targeted ads are exactly what we need. That's what the regulation aims for!
I have nothing against targeted ads. I am against targeting ads and collecting/distributing my data without my explicit consent. E.g. mobile companies selling my real time location because there's some obscure sentence in their 90 page terms of service.
>And this is exactly what GDPR does, you then have an option to opt-in.
I mostly like GDPR. Ability to opt-in and being of charge of your data, i.e. removing it from a service if you want to, and the right to export and move it to another service are great and long due.
What I don't like is that it's a principle based regulation and thus it can be applied arbitrarily and selectively.
Please learn from the experience of dealing with side effects of GDPR in EU first, before trying to push it to the US.
The side effects would include:
1) Reduced number of services available to EU customers.
2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
> 1) Reduced number of services available to EU customers.
That’s not a bad thing. If services that don’t want to protect their users’ privacy can’t operate, that’s a good thing.
> 2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
> EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
From what I've read, opt-in is only supposed to be used when there's an actual voluntary choice, and "allow us to share your data with 3rd party trackers or we block you" doesn't count as a real choice.
It should be treated in the same way as opting into marketing emails. Totally optional. Not opting in shouldn't totally break a site.
Because consent must be "freely given". As soon as you start attaching consequences unrelated to the utility itself, you're making a decision less and less freely.
The greater the power imbalance, the less free the choice. Social networks are a great example of this. You can choose not to use a particular one, but what's the alternative if everyone is already on that platform? You can go without, but what if it's LinkedIn, and there can be a real impact on your career?
The rest of what you wrote is silly. Social media websites are not charities. They don't have to provide you with a service if you are not willing to compensate them with your data.
Personal data is not the only form of compensation, and GDPR is a direct response to the situation that attitude has created.
Nobody is suggesting companies provide free services. We're saying that personal data is more than commodity, and we should be looking to more ethical business models. And we won't be sad to lose companies that can't adapt.
edit: And I don't think my point was silly, but I'm also not really libertarian. So I don't think it's acceptable for companies to abuse their dominant position to make things worse for society at large.
You're making a philosophical argument about what is a "real choice", precisely the problem with the "based-on-principle" GDPR. All this will do is create a big mess if/when this gets into real litigation.
Not allowing businesses to fire customers who don't want to share anything sounds like a massive problem for companies who's revenue model depends on user info. Think of all the people who don't want to share anything but still aren't willing to type in CC info for facebook, are they entitled to free facebook use on the companies' dime?
> 1) Reduced number of services available to EU customers.
because everyone knows that it is better to not make no money at all, than just a slightly less than normal because your ads are not targeted.
> 2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
Sure, and it is their absolute right to do so, but other people finally have some control over their data, I especially like the fact that finally user can also remove/change the data about them.
It's not the same. There're companies which intentionally collect and exploit private data. There're companies which are just behaving negligently with users data. There should be different penalty for intentional and negligent violation.
And there's a lot of room for choosing the fine/punishment. There should be some rules, i.e. fines for intentionally violating privacy of millions of people should be very different from fines for unintentional violation of privacy of 10 people.
> It's a foreign requirement that feels like a violation of sovereignty.
Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.
EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.
Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright -, trademark -, and health laws.
What does it mean for a website to "cater" to just my home country? The internet doesn't know political boundaries and most sites cater to all visitors on some marginal level.
The internet doesn't know, but e-commerce/data business pretty darn well knows where their customers/users are situated.
The old web was mostly static websites. We spoke of visitors. The new web is app-ified/interactive, walled off to logged-in agreement-abiding geolocated users, and even a single logged-out "visit" broadcasts this to 100s of trackers who will remember your every move online.
If you aren't collecting and storing PII, you have nothing to fear from the GDPR. Even if you are, you're fine as long as you only collect what you legitimately need to offer your services.
IANAL, but if your company is a targeted marketing company (think Groupon) and users sign up explicitly to get sent offers, then you're probably in the clear. If your company offers some other service, but you also want to sell your users' data for targeted marketing, the GDPR requires you ask for and get real consent.
Even my simple blog with no ads has google analytics on it. I don't feel like I was doing anything wrong or abusive, but I guess there's a case to be made.
I assure you I have been against the DMCA since before it passed, though I don't think it's quite the same nor do two wrongs make a right.
> Tell that to this US law the whole world has to comply to called DMCA.
If a site has no US presence and blocks all users in the US, what negative repercussion can violating the DMCA incur? Maybe their domain can be siezed, but that can be avoided by not having a domain hosted in the US. The US could block all traffic to the site, but that should be moot if the site has no US users.
With the DMCA, if a US judge determines that a foreign company has broken the law, and someone associated with the company ever visits the US, that person is at a high risk of being orange-jump-suited in a barbaric punishment system.
This is outside the scope of my previous comment. If someone visits the US then they have a physical presence in the US.
I'm still failing to see how the original claim, that everyone has to abide by the DMCA, is true. This seems like claiming that everyone has to abide by Thailand's Lese Majeste laws (laws criminalizing insults to the monarchy). Yes people may face repercussion if they have an economic or physical presence in the country. But if they don't, then theres nothing Thailand can do to enforce this law .*
* not without cooperation with other countries at least. Some nearby countries are known to enforce Thailand's Lese Majeste laws abroad and extradite people. But in most countries, this isn't the case.
The "Pirate Bay guys" were persecuted in Sweden, nothing I can find on the coverage of their arrests and trials mention American copyright law. Extradition treaties are voluntarily made by the countries that establish them.
Again, if a country doesn't want to abide by the DMCA then they don't have to. Extradition treaties and the Pirate Bay do not disprove this claim.
IP addresses are not PII unless you also have timestamps and a legal avenue for querying the ISP records to see which account and thus person was behind the IP address at that time.
As a small blog, no ISP is going to give you the time of day, so it's not PII because you have no avenue for converting it to a person. If you transmit that data (say to google analytics) it might /become/ PII because google (or any other person you transmit it to) may combine it with other data they have access to, to turn it into PII.
The reasons large organizations are fretting about IP addresses are thus:
a) They have IP/timestamp records going back years, maybe decades
b) They may have ISPs willing to talk to them about who had the IP address at a specific time
c) They can't confidently allow that data to pass to partners in case their partners have access to ISP records
d) That data is a ticking timebomb, because even if they don't have an agreement with an ISP now, if an ISP offers that service for free to all takers in the future, their trove of IP/timestamp pairs could suddenly become PII overnight through no action from them
So yeah, for businesses operating at a certain scale, IP/timestamp combos are now a toxic asset. That doesn't mean your log files for your blog are suddenly a GDPR violation, unless you share them with people or have an inside track with a local ISP.
DMCA is only one example. In the financial world, the extra-territoriality of US laws is widespread, such that for example even securities sold outside of the US, to non US customers, by non-US institutions, issued by non-US entities have long US laws compliance sections in their documentation. Non US banks outside of the US are reluctant to take US clients because of these laws (not dissimilar to the discussion on blocking EU IPs here).
I even read somewhere a while ago that the US claims jurisdiction on any financial transaction in the world as long as it's done using USD... Talk about overreach.
>Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.
If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?
Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?
>EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.
So what? If the EU wants to stifle competition, why should the US care. They are only hurting themselves.
> If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?
You don't.
If they're not In The Union, and you're not In The Union, then you're not required to comply with the GDPR.
> Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?
It's impossible to give consent for something if you don't fully understand the ramifications of what you're consenting to[1].
I find it odd that people take issue with regulation, perhaps its been ingrained into the cultural consciousness of the west that regulation is always bad, but historical analysis shows that regulation has always had an overwhelmingly net positive effect for the members of a given society. You can link the stage of a country's development to how effective their government is in protecting it's constituents.
Notwithstanding any opinions of the contents of the directive itself, as Canadian citizen, the schadenfreude of the United States getting its comeuppance is not nearly worth another foreign federal government imposing its will on our domestic activities.
> A College student working on a side project with no revenue are treated the same as some massive multi-national.
Am I reading this wrong? If the college student creates just a simple page, he/she is already complaint with GDPR.
If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.
The treatment of privacy is one of issues where it's pretty much impossible for individual protect from, GDPR tilts the scale in favor of individuals.
There is nothing non-compliant about that. You seem to misunderstand essential vs. data hoarding for advertisement purposes. If you were to keep that data forever, sell it to third parties or profile users based on that logging data, not tell them about it, then yeah, you'd be violating the GDPR.
For normal operation system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI etc.
Which is the answer I see all of 50% of the time. Then, I see "Well, actually it is non-compliant because yadda yadda". My company isn't going to hire international compliance experts to review the operations of every public website we run, and we don't have any that need European visitors. So, best to just block them.
Meaning what? Our time is finite. Time we spend trying to comply with European regulations, when we have no European presence and seek no European customers, is time taken away from everything else we need to do—including complying with the actual laws we live under.
Without it documented why I am collecting it, how I use it and how I store and delete it, it is non-compliant that I am collecting it at all. I think that you are assuming that they know it is being collected and that they are supposed to use it for something. They don't. It is not essential at all to the operation of the service if you don't actively monitor it. Saying it could potentially be used for some kind of security function seems like a CYA if you aren't actually doing that.
Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.
If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data, and build a system to get user consent, etc.
I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.
> If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data
No, because that website doesn’t collect personal information.
> and build a system to get user consent, etc.
You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
> No, because that website doesn’t collect personal information.
Yes it does. It a least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitue personal data.
> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
Again, I specified a meme generator site that has at least some user specific personalization.
DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority b) monitoring subjects on large scale c) dealing with criminal conviction data.
> build a system to get user consent
It's called a checkbox. They likely use one to agree to TOS anyway. If you don't have that one, DMCA and COPA is what you should be worried about before GDPR. (If you're based on the US anyway)
Article 37 1.a and 1.b are extremely vauge. Hiring a DPO becomes necessary once your service "requires regular and systematic monitoring of data subjects on a large scale", or processing personal info specified in article 9 "on a large scale".
However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count threshholds or anything like that.
Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.
Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.
I'm not saying every these tasks are hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.
They only apply if it's your core activity though. If dank memes are your core activity, you're not "processing personal data" on a large scale, regardless of how many memes you store.
Again, only if you assume that these memes aren't covered by article 9. You might be able to infer a lot about someone from their authored or favorites memes. Article 9 doesn't just cover the personal data itself, it covers personal data revealing ethnicity, political opinion, etc. If I look at a user's list of authored memes, and it's full of pro gay rights memes have these memes revealed their political opinion? Many would argue yes, and processing memes is definitely the core activity of our hypothetical site.
What about all the comments on those memes? Do those go too? What about the people who hot-linked to those memes? Do you just nuke the images and break all the content people linked to?
You sign up for a website and upload and share a bunch of memes.... honestly... the shit isn't really your data anymore. It is the publics. You shared it and yanking it back is kind of a dick move.
It really isn't as "simple" as a DELETE statement that some people argue it is.
You are just making s*it up. Meme is something you publicly posted it is not your personal info, you possibly agreed to transfer copyright to the site, if you still own it, of course you have right to delete it.
As for personal info, most meme websites don't require any accounts to create them, because it only makes the site less usable, but if the site do have accounts, you do have right to see/update your account, you have right to delete your account and be sure that if your account is deleted the data is actually gone.
> Meme is something you publicly posted it is not your personal info,
Very generous assumption on your part. Article 9 specifically says that anything revealing personal info like ethnicity, political affiliation, etc. is covered by GDPR. If I look at a Adam's list of authored memes and there's a bunch of pro-Democrat memes and I look at Bob's and it's all pro-Republican memes, then it's very easy to see a court ruling that a memes reveal political affiliation.
I can easily see small websites just ignoring GDPR and hoping they fly under the radar.
This is my plan. What are they going to do, extradite me over claims that my access logs includes IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?
I don't get the complaints about how hard GDPR is and having to understand it all. If you're based in the US, have you read the actual DMCA document? CFAA? California S.B. 1386? TWEA? ADA? Or at least any interpretations of them and validated that you comply?
If not, then worrying about GDPR which is mostly not enforceable in the US sounds disingenuous.
Not saying anyone thinks it's a good idea. I'm saying I haven't seen that many comments, annoyed people, and general discussion about other laws, which actually impact US people and can be enforced there.
I'm guessing they also ignore those laws, because of posts like this one. If you're running a business complying with regulations, you likely already know how to block a country. I mean, you keep track of the current embargoes and block relevant countries, right?
> " It's a foreign requirement that feels like a violation of sovereignty."
How about you look at what bs comes out of the US gov't? That is the worst foreign requirement and violation of sovereignty so far, and it keeps on giving.
1. when you open a restaurant nobody cares you're a collage student. You have to have all the checks and permits to serve people food. It's not because somebody hates small businesses, it's because the right not to be poisoned is more important than the right to do business hassle-free. Why should internet be different?
2. Fuck your souvereignty. Seriously. USA has no problem violating secrecy of correspondency worldwide, and argues in length for years whether wiretapping its citizens is OK, because everybody agrees wiretapping others is perfectly fine. USA forces poor half of the world to follow ridiculous copyright law, including software patents and art becoming public domain after a century or more. There's no good will earned there, so don't expect a free pass cause of your feelings. Want to serve customers from other countries - have to obey the law there.
3. they probably could. Still - I'm sure there will be "GDPR as a service" soon. Maybe some libraries, frameworks and standards how to handle personal data will finally be created? This should have been done decades ago.
Equivocating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address. With putting someone in the hospital with food poisoning is beyond a dishonest comparison.
> Equivocating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address. With putting someone in the hospital with food poisoning is beyond a dishonest comparison.
Nobody’s saying both are treated equally under the GDPR. The law stays the same, the way it’s enforced is adapted to the case, like any juridiction. Whatever the situation, you always get a warning before being fined.
So? Projects like that aren't forbidden now that the GDPR is in force. Just put up a paragraph explaining why you need that email address, an unchecked checkbox if you want them to agree to send irrelevant emails, and you're done.
When corporations like Equifax or Cambridge Analytica have engaged in identity theft to the tune of basically half the continent of North America, you want to repeal one of the few laws fighting against it with an argument about kids in dorm rooms? It's basically the tech equivalent of "won't somebody think of the children?"
> Just put up a paragraph explaining why you need that email address, an unchecked checkbox if you want them to agree to send irrelevant emails, and you're done.
Oops, seems you’ve forgotten about the “right to be forgotten”, and several other requirements. Better prepare yourself for those >$20 million fines — how dare you negligently handle personal data, college software engineering student!
I’m all for strengthening privacy protections and punishing bad actors in this domain, but designing strong regulations that don’t have seriously bad unintended consequences, is a really really difficult task. I’m not necessarily saying it shouldn’t be done; just that I don’t envy the jobs of those trying their best to do good for the world via regulations without accidentally destroying some really good things.
It may turn out that GDPR has few unintended negative consequences, or it may turn out the harmful side effects are far more severe than anyone predicted. Only time will tell, I suppose.
Personally, I wish there were a technical solution to privacy concerns — something akin to DRM, but applied to each individual’s personal data to prevent it from being used in unauthorized ways. That’s about the only kind of DRM I think I could really get excited about :)
I agree. My point wasn’t that the right to be forgotten is bad or wrong, but that the parent post ironically said “just add a checkbox and you’re good!” about GDPR compliance, and was not just wrong — but $20 million wrong!
Those kind of fines are simply not compatible with low quality advise like “Just add an opt-in checkbox, and you’re good to go for GDPR! What’s the big deal?”.
Overall, I like GDPR a lot (though as a disclaimer, I should say I haven’t read all ~80 pages yet).
Still, I am not as confident as many here that GDPR will have no serious unintended side effects.
Imagine for example if Google, Microsoft, Facebook, etc. all get hit with huge fines despite genuine best attempts by them to be compliant, after which they decide to cut their losses and exit the EU market entirely. Stock markets could crash globally, a new recession would occur, etc.
I very much doubt anything like that would happen, of course. But until things settle post-GDPR, I don’t think anyone can say for certain how this will economically affect the EU, and the world.
While I agree with your point 2 (remember CAN SPAM and DMCA!), that's called "whataboutism" which is usually seen as a bad argument. I wonder if it's only called a bad argument because people are on the receiving end of it or whether it really is faulty in some way.
You are speaking as if the European Union spit out this legal document and nothing else, when in fact loads of supplementary material have been released, for consumers as well as for enterprises. Of course, the actual act must be written in formal legal language.
> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.
I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.
My understanding (I could be wrong - IANAL and I haven't read the 80 pages) is that GDPR takes a somewhat countervailing view. SSN data breaches would be treated the same way as, say, whether someone likes the Beatles. The problem with GDPR from my perspective is its Draconianism.
This is by the way the same problem with the various restaurant analogies. It makes some sense for the health department to inspect large restaurants. It would make no sense for them to subject neighborhood cookouts to the same degree of scrutiny.
GDPR seems to be based not on actual harm that could occur based on invasive, sketchy or otherwise bad data storage practices; instead, it seems based on a subjective idea that people have "fundamental rights" to various forms of state-mediated protection in relation to technology. Rights are unequivocal and almost entirely uncompromising.
> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.
That's false. The GDPR repeatedly refers to evaluating the risk with regards to various decisions. The ICO even has separate guidance for small businesses and big businesses.
> 2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.
This one I can appreciate, but perhaps look at it from our point of view:
You're violating our laws that protect our citizens.
Why would we possibly have any sympathy for that?
> 3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?
The GDPR is easier to read than many US laws, and you don't have to read it anyway. The ICO has written extremely high-quality guidance for most businesses which will suffice. It should take no more than a few hours to determine how your business would be affected.
And in the situation that it’s no more complicated than a EU citizen visiting a website that doesn’t sell to European businesses, that’s probably fine.
But when you want to trade with Europe, you have to abide by our standards for human rights.
I am European browsing from a non-EU IP. Seems to me a blanket ban on EU IPs is both draconic and ineffective.
As for SV seeing GDPR as more of a hindrance: SV was build on the freemium model of gathering as much data as possible. Companies were funded under the assumption that their user growth would lead to valuable data stores.
GDPR and an increased privacy aware public are existential threats to these companies, as there is little chance to pivot to a non-data-use company. You have to start over.
I hope we will look back at these companies as ugly centralizing dinosaurs, as little by little, the consumers realize the power they gained back (or always had) over their usage and data, does not justify these business models to exist.
(Also, GDPR, even when seen as an opportunity, _is_ a hindrance to implement. Regulation in response to market evils is known to be heavy-handed and clumsy).
But they still process European user data if they do not block my IP. So they are not complying at all with GDPR's main requirement, just a poorly singled-out subclause.
Do EU laws protect you in China? I feel, partially, that going through a proxy means you are more under the discretion of the laws of the country with which the last proxy is operating under. Do you disagree? It's all very confusing
you're saying that blocking eu ip is insufficient. so you can, at leisure, forcibly subject anyone to attack by gdpr, against their will, by circumventing their access controls.
the only way for all businesses around the world to avoid abuse and subjugation to eu regulators, who they cannot influence, is to not exist at all?
No, the blame would be on you then and you would be held responsible for whatever legal action is necessary, not the company trying to block Europeans users like you. Benefit of the doubt is for the company because of their best effort European citizen blocking.
> than an opportunity to offer users better privacy
I have a site that I did this with. I also wish the US would pass a law like this. And I beg to differ. No, I don't believe this is self-contradictory.
The issue is risk. I'm a one-man band - the site in question does make money most of the time, but not much, and it has always been much more of a hobby/labor of love than a business[1]. And when any legal change means I might end up with legal grief or potentially not be visit European relatives again, even if I generally approve of the change, I'm going to knife it because there is no planet on which the site means more to me than the risk.
My plan right now is to let the big boys who can afford it take the initial lawsuits and let them shake out what the vagaries mean, then come back in a year or so and see what my exposure would be if I let ya'll back in.
[1] Oh, and it should already be complaint, at least as I understand 'compliant'; I added notices and rejiggered a few things for selective denial and whatnot. I never have and never will sell/rent/share user data, don't integrate with any surveillance/ad networks, etc. But I have no confidence that someone won't see me as a likely target to use to make some point, and hiring a legal consultant for something this size would take it from slightly profitable to a future break-even measured in many years.
I have a similar, but opposite feeling. Genealogy sites, even free US based ones, are (such as WikiTree) taking GDPR very seriously. Rather than risk being sued out of existence, they are marking any and all content involving living individuals as private unless the individual has an active account on the site.
This makes it difficult, if not impossible, to find links to living individuals. A ton of people have done a ton of work to build a shared public tree, and some 50-100 years of it are getting chopped off the bottom.
I'd love a browser plugin that indicates a site I'm visiting is blocked in the EU. I'm not in the EU, but if I site cares that little about my privacy that they don't want to comply with GDPR then I don't want to use it. I might just start browsing through a VPN terminating in the EU anyway.
The companies that don't want to deal with GDPR are more than free to stop serving the EU. Then alternatives to these companies (services) will spawn within the EU.
It's a bit like a good forest fire. Out of the monocultural ash sprout (life sustaining) varieties.
Dealing with laws is hard. Dealing with laws that aren't even from your country is very hard.
When you're in "move fast and break things" mode, getting stuff working for SOME users is better than having a complete solution for all users that come much later. It's not even just about ignoring Europeans. A lot of these products and software solutions start "only available in California", or hell, only in SF. That's even true for some stuff from big companies like Amazon.
Then as you grow, you can start tackling more barriers and regulations from other countries. I mean, there's plenty of companies that won't ship to my address because they don't do business with the US. Or when I lived in Quebec, I could not participate to a lot of contests because it wasn't worth it for these entities to deal with Quebec's gambling laws. That's ok.
Even if you agree with the general idea of GDPR, even if you want to implement the tightest privacy rules you can't in your software, there's more to it than that. I've watched lawyers duke it out over some of the details. My employer takes GDPR very seriously and we've done everything in our power to comply, not just with the letter, but also with the spirit of the law. But we're big, we have money, and we're actively trying to grow internationally. 10+ years ago when the company was barely afloat? I'm not sure they would have been able to deal with the fine prints even if they wanted to.
There's more to GDPR than sending a silly email and adding a "Delete all the things!" button.
Many people view The EU's recent actions (GDPR, Vestager's crusade, etc) as a blatant attempt to weaken the dominant US tech sector so that Europe can try to compete.
I like the better privacy stuff. What really pisses me off about GDPR is the whole "you cannot deny us your content even if it goes directly against your business model. Instead, you have to have give us all of your shit for free and then provide us an opt-in for your business model to work."
What used to be a full opt-in to the content and business model of a site, the EU wants to only get the content and choose whether or not they want to support a sites business model. You cannot have your cake and eat it too. If you want the sites content, then you should also agree to their business model to actually support it.
Unsurprisingly, now that you cannot tie a sites value with their business model, many companies are choosing to leave the EU as they assume most people don't want to pay for the content they consume (in addition to other things).
I just spent the last few weeks on this and the regulators took a 'tech should conform to my understanding' approach.
It's horrible legislation, time consuming across a still-emerging field (talk about hindering progress..) and I'm not even part of the EU. I am tempted to just shut off my services to the EU until I redeploy everything as dapps and wipe my hands of this nonsense.
Let EU deal with blocking eth because it doesn't conform to the way they think technology should work.
I think EU citizens should take this as a good sign- the law is working. If nobody reacted to it, it would be a sign that the law doesn’t do anything.
And the whole idea here is that I’d businesses don’t feel like complying with the regulation, then the EU doesn’t feel welcome letting them do business. And if we all believe capitalism is as wonderful as we say it is all the time, then businesses will spring up to fill the demand left behind. But if that doesn’t happen... hmm. Maybe it wasn’t such a great idea after all.
My gut tells me Europe will use GDPR to further attack (and fine) large US tech companies (Facebook, Google, Apple, etc.). Everybody is likely breaking these sorts of laws in some small way, but I doubt the EU will bother going after a small startup. If you can't avoid a lawyer, I doubt you're worth being prosecuted.
- This is insufficient for GDPR compliance. Besides the other points mentioned in this thread, you also need to delete any data about EU residents you have already collected.
- CloudFlare sets a geolocation header, you can probably just use that without consulting a third party, without adding any latency!
Id argue the web workers are better (although they are paid for), only because you have full control over what to do with them (like showing them a message that you're not GDPR compliant in their area yet, etc)
I know plenty of people who block all of China, simply to be rid of its many botnes which run rampant and are hosted by network administrators who don't respond to abuse requests. I guess Europeans can now experience how it feels to have parts of the internet made unavailable by whimsical sysadmins.
I simply don't understand how or why a law that has scope in the EU is causing trouble for companies which conduct no business in the EU beyond responding to HTTP requests on a global decentralized telecommunications network. Why would an American internet business which conducts no operations in Europe and has no servers in Europe be subject to regulation that affects the EU? What is going to happen? Is the EU going to target American banks of American businesses and try to extract fines? Is the EU going to extradite owners of these businesses? Are EU courts going to issue default judgements on businesses and individuals?
> Is the EU going to target American banks of American businesses and try to extract fines?
You mean like America? That time when the USA decided to enforce their embargo against Cuba by intercepting a payment from one of the Nordics for a bunch of Cuban cigars? No, that's unlikely.
> Is the EU going to extradite owners of these businesses?
Extremely unlikely, besides that would require the cooperation of the other country. But - and this is interesting - the other countries typically expect the EU to cooperate with extraditions when the law is broken and we do. So who knows.
> Are EU courts going to issue default judgements on businesses and individuals?
Against individuals: Unlikely, but it could happen, against businesses, that's typically how things go when one party doesn't show up.
But note that for that to happen you first have to ignore the regulators for long enough to get them really pissed off, an action I would recommend against.
I hope not. They really need to tell the US to go to hell on that front. Pissing away a deal that is seemingly working because Trump got made fun of by Obama.
> They really need to tell the US to go to hell on that front.
Would be easier if Europe had a coherent voice. You got the former Eastern Bloc countries desperately clinging to the US (because they, rightfully, fear that Putin will screw them over), you got the UK which is trying to not fall apart due to Brexit, France is... France and Merkel is trying to prevent the worst of the shitshow, even though she's miserably failing at that (and under heavy pressure from the AfD nazis and her own sister party which is openly copying the nazis).
In addition, Europe is so damn far behind the US when it comes to military power - jeez, German army is practicing tank shooters with broomsticks as munition, the NH90 marine helicopters are not allowed to fly over water and we all know what a fuckfest the A400M is. No money, no competence, but it wasn't a problem since WW2 as the USA had always covered the EU... now that Trump is, well, being Trump the EU has yet another giant problem to tackle.
I am ideologically more aligned to pacifism, the problem is that it does not work in a world of wannabe highschool bullies (USA, China, Russia, Iran, Saudi-Arabia, Qatar) vying for regional dominance.
Europe is so damn powerless and underfunded that we cannot even ensure that basic human rights are respected in conflict areas. On a bully stage, the tiny kid will always be the one that's bullied. No matter how economically powerful the EU is.
The US has all the leverage. They can just say "you can trade with Iran or you could trade with us," and what is the EU going to do? I'm not happy about the Iran deal being torn up either, but there is nothing European leaders can do about it.
It's not really a bluff; they can cut off any European business that deals with Iran easily. Someone else will play ball. This wouldn't be the first time they did it either.
Jacques - I love the effort you've put into explaining the GDPR to clueless and needlessly exasperated (mostly) americans here on HN.
To be honest I used to think you were just a shameless self-promoter like almost everyone else, but in this case you've risen to the occasion. Bravo. I think you're now rating quite high in most people's "mental books of good people". Or at the very least, in the minds of people who actually have a strong impact.
I don't follow you. My interpretation was that OP said roughly, "I don't understand/approve of GDPR because of this and this." Child then responded by saying roughly, "but America does it too." Seems like the child was trying to imply that OP's claims/concerns are false because they are hypocritical.
The intended effect was to provide some context and to take away a worry. I can see why Americans would be worried because there are many examples of where America has 'exported' its laws all over the globe. The EU is emphatically not doing this, they simply require that if you do business in Europe that you have a European presence so they can enforce their local laws against you.
That "European presence" requirement is, by itself, an attempt to force their laws on the world, and if it's going to have teeth, will require other countries to bow to pressure to enforce it even though they had no input.
If Jamaica passed a law fining any company that hired homosexuals, we'd consider it bullshit even if they tried to abstract it a level up by only passing it as a local law, and then passing another law saying companies that serve Jamaicans have to have local representatives. I'm not sure why you think this is any less bullshitty a tactic, other than the fact that the law they're trying to push seems more reasonable (which I agree with).
So you're saying F. local laws that get in the way of international commerce? You could stop doing business with Jamaica, and hence put pressure on it's elected bodies.
If you don't like foreign markets, don't enter them.
I think that child was saying that since America does that routinelly, Europe is entitled to do it too. Alternatively, may do it for strategical power reasons.
Not a lawyer too, but I'm interested what makes you (and jbfoo) believe that it doesn't apply to individuals. It's a EU regulation it should apply to natural and legal persons.
Ok, it has an exception for the processing of data by natural persons in the course of a purely personal or household activity but that doesn't mean it doesn't apply to individuals in general.
> Ok, it has an exception for the processing of data by natural persons in the course of a purely personal or household activity but that doesn't mean it doesn't apply to individuals in general.
If you set up a service that operates in the same way as a similar service would operate if it were done by a business then I suspect that you being a private individual is not going to be much protection, after all you are effectively roughly in the same situation as a sole proprietor business minus the incorporation.
If you process data for family and friends then that would most likely be enough to trigger the exception.
So the dividing line in the case of a Mastodon server would likely be whether or not you allow total strangers to make use of the service and whether or not you respect their rights.
It's true that the GDPR has exemptions for "personal or household activity". Ideally, this should apply to non-commercial Mastodon instances.
However, some non-commercial Mastodon instances are now supporting thousands of users. An argument could be made that operating such instances is no longer a "personal or household activity".
Whilst I would hope that the local data protection agency would side with the Mastodon instance operator, it does put them in a rather difficult situation.
I think this possibility raises a lot of concern for operators of Mastodon instances and other online services.
The companies that are most guilty of mishandling personal user data are American companies. If it could not apply to them in protection of EU citizens any regulation would be useless.
That makes me wonder: what about wechat? Surely Tencent has many overseas Chinese users in Europe, and I’m sure they play as or more aggressively as the American majors. Is Europe going to sanction Chinese companies for violations along with American ones?
Facebook is most definitely American even if their European subsidiary is based in Ireland. That is all moot under the law anyways, as they consider global revenue of any parent company, not just that of the subsidiary.
Recital 23 [1] of the GDPR excludes most US-based businesses from compliance with GDPR. It essentially says that sites that don’t “envisage” (their word) offering services in the EU are in fact not offering services there for the purposes of the GDPR and are thus are not subject to it. It also explicitly states that the mere accessibility of a foreign-based website from within the EU does not by itself subject the site to GDPR.
So while blocking the EU isn’t required, the other tests they use to determine whether or not you intended to offer services to EU residents are a bit murky. In light of that, what better way is there to make your intention to not serve EU users clear to all than to block EU users? That’s the main reason to do it. This kind of blockade will not prevent all EU users from accessing your site, but it doesn’t matter. You’ll have made your intent to not serve EU users clear, which will preserve your immunity to GDPR.
A point with many sites is that they use ad networks and those ad networks send localized ads to Europeans, thus the site targets (or "envisages") Europeans. Even if the actual content is about quite local things.
In my personal opinion, that would be both a stretch of this recital and an abusive use of the GDPR. You don’t control what ads are shown to anyone because they are served by a third party, and you have a good faith belief that you are not subject to GDPR under Recital 23. My guess is that if you used an ad network that specialized in EU ads, you’d be subject to it. But using code from a US ad network that may have some EU advertisers now or in the future shouldn’t expose you.
But I don’t disagree that some EU countries that intend to abuse the GDPR for the purpose of generating massive amounts of revenue from fines may try to make this kind of claim. One of the problems with GDPR is that when you combine unclear regulation with the lack of moral hazard that government agencies enjoy and the financial incentive of massive fines, you create a monster that will constantly seek to expand who and what is covered under it.
You control to whom you give the space on your site. You contract somebody to do this under the terms you negotiate with them. "This is somebody else, they are just paying me" won't work. (And well, if the ad network is GDPR compliant it is relatively little work for you to add the note, if they are not GDPR compliant they may not target Europeans)
Again, this argument is a stretch for sites that are otherwise immune under Recital 23. It is one that may be tested by the most abusive GDPR enforcers, but I believe that test will ultimately fail.
Regardless, it’s one more reason to block radioactive EU traffic.
Your page is showing European ads and you are earning money of those. For me, as a user, the ad network is an implementation choice of your business.
Probably you can offload some challenges to the ad network, if they don't tell you enough of their business, but that's between you and them. For me I'm accessing your site.
I don't see how you can possibly say that. If I'm serving a german an ad in german, for a german business, then how the hell am I not clearly doing business in germany?
You aren’t serving any ads in the case of an ad network. You contracted with an ad network that is within the US and the site on which you served their code is not otherwise subject to the GDPR. Your intent to not serve the EU market is clear.
Yes, and that sucks. Adding more overly broad extraterritorial laws is going in the wrong direction.
Note that a common response by foreign banks to FATCA is to refuse to do business with Americans, which is very likely the best course of action. So it shouldn't be surprising when companies take similar precautions because of GDPR.
There seems to be a big difference between enforcing a law on all financial institutions and enforcing a law on all websites basically that serve the EU. The latter seems next to impossible to enforce.
Yes, this is the way the law, prosecution and judgement works. If you violate GDPR and the EU prosecutes you and you don't even show up to court and there is judgement against you and you are fined, the EU can try to get paid from your bank. That's how law, prosecution and judgement work in America too. How else would it work? Why would anyone obey any regulation or ever show up to court otherwise?
That being said, the starting point shouldn't be, "there's no need to imagine that I'm violating GDPR. I only serve Americans". The starting point should be, "I had better imagine that I might be violating GDPR even though I only intend to serve Americans. Are there things I haven't considered? Are there resources I should seek out? As a service provider of some kind, hadn't I better spend a day or two imagining the ways I might run into trouble and plan to avoid it?"
Playing Devil's advocate, there are 193 countries in the UN; is it reasonable to ask site owners to keep abreast of the Internet laws passed in each one, and spend a couple of days for each, even if you just serve your compatriots?
I'm biased for the GDPR, since I think every site should follow its principles regardless of legal obligation, but I don't think the rationale you're proposing is scalable.
Laws are made with physical borders in mind. Digital world doesn't have those borders. But it seems that politicians are expecting those borders to work.
I'm not even sure about sane way to map IP address to country. There are some geolocation services, but I doubt that they are 100% precise and probably paid. Also if I'm using geolocation service passing IP of the incoming request, does that mean that I'm already violated someone's privacy? This is weird.
With IPv4 stretched thin, there's a lot of international trade, even of small blocks. Also, multihomed servers can announce IPv4 from one ASN on another ASN, given permission. Anyway, it's nontrivial to really know where an IPv4 is located.
It should be noted that I'm talking about the previous poster's proposal. The GDPR doesn't demand that; it specifically says that simply being available in the EU does not automatically make it fall under the regulation.
Its your favorite dictator, the leader of Crazystan and from 29th of May 2018 I ask that from that date, for every site accessed by citizens of my country I require the hosting company to send one employee to be sacrificed to our mighty gods.
Failure to comply will attract a fine of 50 Gazillion dollars.
As long as you're just "responding to HTTP requests", there's nothing to worry about and the GDPR does not apply.
It's when you start collecting personal data on EU residents, send their personal data to third parties for analytics/targeted advertising, and so on, that things get interesting.
I can't think of any web server that doesn't log ip addresses by default, and I think it's been established that satisfies the GDPR threshold test for personal data. So while what you say is true, I think you're being a little bit deceptive when you say 'As long as you're just "responding to HTTP requests"' because all practical and established means of doing that violate the GDPR by default.
Post process the bloody logfile on a regular basis. You can legitimately capture IPs etc for a while, provided that it is for a good reason - fixing a problem, or gathering aggregate trends but not for direct marketing reasons against individuals who have not given consent. So, your logrotate.d/ might get a few post/pre rotate scripts, if it really bothers you.
I run a small UK based IT firm. So far I've turned down some of the logging on my HA Proxy instances and stopped logging IPs and user agents in general and a few other things. If I need to do some diags then I'll turn them on again. That's on the long term stored logs (due to backups). So far, my backups are smaller 8)
I do keep very detailed logs with IPs (actually full packet capture) in the ES cluster for IDS purposes but those are turned over (deleted) within a few hours. Less detailed logs last a lot longer.
Ip used for technical reasons such as logging access are not concerned by the gdpr per se. The same goes to KYC informations.
The gdpr is actually a well written piece of legislation which should worry you only if you do shady stuff.
The only edge case that I know are not well addressed concerns the status of encrypted data (would be deleting private keys considered to be deleting them? This question is important on blockchain data storage)
If you log for security purposes that is a "legitimate interest" which would allow you to keep doing that, provided:
- You make a note that this data is being logged.
- You state for how long this is logged (6 months is reasonable), and justify that time frame.
- You state who else has access to these logs.
- You state what steps you have taken to try to minimize unauthorized access to these logs.
- In a register (these statements should be delivered on request of a law supervisor) you also provide your personal details, which users are affected by this data processing, and your goal (which should be something along the lines of: "fraud prevention and intrusion mitigation" to have legitimate interest. Expect big companies with law firms to push this "security interest"-angle hard, as they try to justify their data processing).
Pretty reasonable, no? It would be nice if the large web logging softwares provide standard options to automatically limit disclosure of PII web logs.
You already described far more work than I'm willing to do for the small web site I happen to host. If there's a simple geoblocking switch I'd much rather flip the switch and block Europe than continuously worry that I didn't dot every 'i' and cross every 't' to make some obscure European regulator happy.
The fact that the regulation is so vague around it in the first place is the whole problem. There are dozens of conflicting statements (from law firms, no less) about what exactly exposes you to GDPR.
EU will not be able to enforce GDPR law in other countries, unless company has a subsidiary in the EU. Otherwise any country in the world can create their laws and expect that anyone in the world following them.
Unfortunately that horse has already left the barn. Have a look at the USA's FATCA law or any of their sanction laws against countries like Cuba or Iran.
Fun fact: Russia recently approved similar law which requires all personal data of Russian citizens to be stored in a server hosted in Russia. So theoretically many webmasters are already be in trouble :)
It's similar in the sense that government dictates how foreign companies can deal with personal data of its citizens. I agree that purpose seems to be different.
A) The law seems to extend beyond the borders of the EU.
B) It's extremely long and vague, doesn't really offer a lot of actionable advice, and nobody outside of privacy lawyers seems to really understand it fully.
C) The penalties are harsh.
Further muddying the waters, the EU and US already have some existing bilateral agreements with respect to data privacy [1], but does the GDPR supersede or unilaterally invalidate these...? Who knows?
> The law seems to extend beyond the borders of the EU.
Hi guys,
It's Kim from the Best Korea, and we just decided that we are going to allow our people to access the Internet.
There is a tiny little thing though, our internet policy stipulates that for every traffic hit to sites outside our borders, the country of origin either donates 1 nuke or if it doesn't have nukes an item of great value, or a 24 hour TV broadcast featuring me.
A) It covers behaviour towards the citizens (ie passport carrying members) of the EU. It basically says: "please do not be evil" - OK it says a lot more but I think you get the idea.
B) It does cover a lot of ground but it is written in pretty accessible language for such a large and complex subject.
C) The possible maximum penalties are set at a level that will not destroy a serial transgressor but should hopefully deter anyone from becoming such a beast in the first place.
Overall, GDPR is really a manifesto for how people should be treated in the burgeoning data economy. I still find it hard to understand how such a reasonable and farsighted set of regs came to be designed in the first place. As a citizen of the UK, at least I am reasonably certain that the GDPR will stay on the local statute books post Brexit because to contemplate otherwise is economic suicide.
I'm wondering this too actually, I run a small business, we collect only the bare minimum of information from our customers but we do have some European customers. I'm ignoring GDPR completely, is there any downside for me? Will they block customers from using my service? Will they sieze my European cloud servers? Or can I safely do nothing as I currently am because I don't reside or have a registered business in Europe?
If you have a lawful basis for collecting the information, you're only passing it along to others as necessary to provide your service to your customers, the customers have clearly consented, and you employ reasonable protection of that data... it's extremely unlikely that you're in violation.
And if you were, they'd come to you first with a warning (at least based on past behavior). They're not going to seize assets unless you seriously provoke them.
1: ignore GDPR, you'll probably fly under. And if you dont, fine are scaled for business and people affected, as well as privacy infraction. Encrypt your backups, encrypt PII if you can do it effortlessly, and you're good. If you are not using emails except for checking double inscription, encrypt them too, the entropy is low BUT this is better than nothing .
2: If you have some time and money to spend to try to improve your services: self-report. A public agent will point you the weakness of your data processing.
I'm going to call bullshit unless you can provide a source that any overseas government can levy a fine for whatever reason and then "trash my credit".
How? I'm not in their country, their laws don't apply to me or my business in any way, shape or form. They could perhaps argue I do business there, but that still doesn't give them anything to press charges against. Best they could do is block my site as far as I can guess...
There are thousands of laws on the books where nothing happens when you ignore them. Sure it is possible that the EU will pick some obscure small company doing boring business things outside of the EU to make a test case out of, but how likely is this?
Anyone not up to shady activity can afford to wait for the case law and best practices to settle before doing anything.
Why can't I ignore it? I have european customers but they chose to sign up with a business in a foreign jurisdiction where their laws don't apply. If it's a problem, the EU can feel free to block my sites, but I can't see how it's negligent to not comply with laws that don't apply in my country.
I don't comply with laws from many other jurisdictions either. Should I start applying censorship laws for China and Saudi Arabia too? Why should the EU be special?
EU has a history of moralistic bullshit proposals like that stupid cookie law.
Which looked good in the eye of the law-makers (career politicians I should call them) but doesn't really work in the real world.
People get used to accepting the stupid cookie law and it becomes a habit, and in a couple of years the law lost it's meaning (people blindly accept cookie law) and no-one cares about "the great privacy laws of the EU".
This is probably how GDPR will end up, no sane person would have the time to read all the privacy notices and the crappy opt-ins to just order food as fast as possible.
Hey I'm starving I need that food ordered now, here's my location so you can deliver food here, I don't give a rat's ass about your privacy statement and clickady clack are there any more opt-ins to check before I can finally order my food?
Nobody just doing ordinary business things is going to get caught up in the GDPR. The EU are going to go after the local companies first and/or the worst offenders. Just sit back and wait for the case law and best practices to settle down and then decide what to do.
My feeling is it is going to end up like the cookie law, but who knows at this stage.
Not directly related, but see FATCA. Because of a US law, individuals in many countries who don't deal with US securities/markets, have to fill a form saying they don't have any direct investments in US, or that they are not a citizen/resident of US.
Well thats because you dont understand GDPR.
If the company doesnt conduct any business in EU - or more correctly with EU private persones - then GDPR doesnt apply to the company. It also doesnt apply for any Business-2-business relations.
GDPR only applies if you are providing a service to a EU citizen. That also explains what EU will do if a company doesnt comply with GDPR (where it should); they will stop the company from providing those services to the EU citizen.
This is also why blocking EU traffic doesnt make you GDPR compliant (I can use a vpn or visit your site when travelling, and then you are still providing a service to a EU citizen).
If the case really is as you say, with just serving http request, then you have no issue with being GDPR compliant, because you dont store and information about the EU citizen. If however you are not just serving http requests, but track the user or otherwise store information on the site visitor, then you may have GDPR issues. But if you do store data about your users, you really should treat the data correctly.
GDPR is common sense, and if you bother to understand it correctly, its fairly easy to be compliant. Though I’d say, the bigger the company the more complex the implementation.
You're mistaking GDPR's intent with its implementation, an error that lots of people are making.
As Americans we're particularly sensitive about having to follow rules made by people who don't represent us and are not accountable to us. This is a totally fair and justifiable reason to be against GDPR even if you agree with its objectives.
“As Americans we’re particularly sensitive about having to follow rules made by [others]”
That may be one of the most ironic comments I’ve ever heard. I love americans, but as a super power you stick your nose into so many other countries business, directly or indirectly. So, lets just say that argument is not gonna change my view in any way.
I don’t think I am mistaking intent with implementation. The regulation’s written text leavea many details to be answered along the way and the first couple of rulings on GDPR will (hopefully) bring us a lot of insigts into how to interpret and implement GDPR in practice. So I guess no one really knows the implementation yet. Until then we have to go by what is reasonable and the intent. And if you store data on private citizens you better treat it correctly.
Keep in mind, just blocking traffic out of the EU does not serve as GDPR compliance. EU citizens are covered by GDPR, not EU traffic. A EU citizen traveling to the US is still afforded all the protections of GDPR as they do back at home.
I understand why you think this way. After all, GDPR is about human rights!
In practice, GDPR is binding on businesses that operate within the EU. An EU citizen in the US doing business with a US-only company is not afforded any protections under GDPR.
I didn't get past the first paragraph. The site lobbed four interruptions my way:
- Agree to cookie
- Forced "Do you want our newsletter" prompt
- Request to show notifications
- Pop-up icon to subscribe to notifications
... and one non-intrusive top-of-page banner notification, " Awesome! Your IP is not in our blacklists of abuse...". This last item (when dismissed) may have triggered the 4th item above.
The EU or its member countries are free to arrest whoever they want whenever they want on their own soil, and not face any kind of externally enforceable sanctions. Best way to avoid being subject to arrest in a foreign country is to simply not go there.
I received an email from a website I don't remember signing up for, and have no clue what they do. After a few attempts I am able to log in. I go through menu after menu looking for the "permanently delete all my data" button only to find an FAQ that says
"Q: How do I delete my account?"
"A: Please get in touch with our Customer Services team if you have any worries or concerns. If something at {website} has troubled you, we'll be happy to help sort it out."
To their credit, the support chat person was very efficient in complying with my request.
Just curious, but what does the investors think when a company volentarly leaves the EU market because it is easier to simply ignore eu as a market then to comply to GDPR?
It all depends on your investors and who your company's target audience is.
If I run a business putting up American flags on people's houses on patriotic holidays (an actual business in my neighborhood), then ignoring the EU market is an easy decision because I already was.
And if you presented a nice growth graph over American customers with the implication for expansion over other regions such as EU, whats the possibility that some investors considered that potential when they invested?
Like say a software service which I would assume is more common investment target here rather than flags.
Your example is a different audience. As I pointed out, it depends on your target audience. Not every company wants or even needs to do business with the E.U. in order to be successful. I know that sounds strange to someone in Europe, and I've never been able to make my Austrian friends understand it, but it's true. There are millions of businesses from Australia to Alabama and beyond who don't care about the E.U.
For all its noise and bluster about "500 million customers lost!" the European Union is still less than 7% of the world. I think most businesses would be happy to serve the other 93%.
But that bypass the original question. A company might survive fine on 75%, but what will investors think when the potential growth is being artificial cut down to 75%?
I would imagine that the stock market value would take a rather strong dip if a company proclaimed that they revenue would be cut down to 75%. Investments and stock options are not only valued by the companies current ability to survive, but also speculative value.
If you don't have a investor then clearly the question does not apply. Similar if you don't have a company the question does not apply.
"what does the investors think when a company volentarly leaves the EU market?"
This question has 4 predicates.
1) investors. If no investors then there is no investors that can have an opinion.
2) Company. If no company then no investors, and since you have no investors than point 1 applies.
3) leaves. If the company don't leave the market then the investors can't object to a company is leaving, as such point 1 and point 2 applies.
4) EU market. If the company is not leaving the EU market then the question about what investors will think about a company leaving the EU market is not relevant, and thus point 1, point 2 and point 3 applies.
> Assuming every business is suited to a global audience
That was the question. What does investors assume when investing in a software company such as those ycombinate investors usually invest in, for which HN is a forum created by ycombinate.
While I know they are not recommending, recommending this, for everyone who does, this doesn’t get you off the hook at all unless you are a new site who has never had EU visitors. Also of course all the EU citizens in the US, GDPR would presumably still apply.
1,524 comments
[ 3.1 ms ] story [ 423 ms ] threadIt works for me now.
I decided to make a little change in the URL (Europeans instead of EU) and that's why there was a short period of 404 errors before I created the redirect.
I tried to be sarcastic, but I think my English is not good enough :-)
That said, a constant source of miscommunication from native english to native english that is written, is missing sarcasm. Just a side effect of not having non-verbal communication cues.
I just wrote the post because if you want to overkill and you are lazy, you can follow our recipe to 'implement' GDPR. I just wanted to be sarcastic and also show how easy to implement Cloudworkers + Apility.io.
No crazier than thinking you have to comply if you have no connection to the EU.
Just to be clear, I treat all my users fairly and protect their data, and I am not intentionally targeting any EU users with anything I do online.
We're not compliant with the letter of the law of GDPR (and according to some it doesn't apply to us at all due to the above), but we treat all user data seriously, regardless of where they come from. If that's not good enough, then people can stop visiting / subscribing / purchasing, or the EU can try to levy a fine and collect it. I'm not particularly worried about either scenario.
I do not agree that I have any sort of implicit responsibility to treat my users in a way that an EU bureaucrat deems fair.
If the customer joins your Japanese site while in Japan, its governed under Japanese law, not EU law. Your citizenship is irrelevant.
You need to comply with the laws of the jurisdiction you operate in. If you don't operate in the EU (and having a presence on a global communication network does not qualify), EU laws are not applicable.
The onus is on concerned EU citizens to stick to .eu domains with a feel-good GDPR-VERIFIED banner if they are so inclined, not on the rest of the world to bend over.
As a non-EU business, I will pay my GDPR "fines" right after I'm done paying my Iran and North Korea issued fines. Cheers!
Seriously though, I made no comment on the law itself so I'm not sure what your point is. Most reasonable people would agree it's a good law in spirit, and I wish I had some of those protections where I live.
But the notion that it can be enforced on non-EU entities is ludicrous.
(There are countries with up to 30% non-citizens, and there are plenty of multi citizens. The distinction is entirely relevant.)
No. The law applies to people physically in the EU, not blanket to EU citizens. An American in Paris is protected by GDPR laws - a German living in NYC is not.
GDPR doesn't mention citizenship, it applies to any Data Subject who is a 'natural person'. The scope is stated as 'whatever their nationality or place of residence' which is universal.
So just blocking EU residents is not enough, one would have to also ensure that no other data is processed (1) within any country implementing GDPR or (2) anywhere in the world if you have a controller in the EU, his role being a sort of GDPR proxy.
Even saying 'within EU' is actually inadequate; the Isle of Man has implemented GDPR but isn't in the EU and there are probably other examples.
Dropping a IP block on the EU seems to be a pretty clear indication that you arent targeting EU users.
EDIT: Found the article https://www.troyhunt.com/free-course-the-gdpr-attack-plan/
How the hell does the EU claim extraterritorial jurisdiction over the entire world? And people complain about America being “imperialist?”
> Please don’t take us seriously
> This is an example of all the things you can do with Cloudflare Workes and our API. If you like it, please spread the word! But hey, don’t take us seriously. We just wanted to take the drama out from all the GDPR madness out there.
Anyway: just for academic interest I’m curious how much this increases the overall request latency, as there would be one additional blocking HTTP call at the beginning. Do you have any benchmarks for that API call to check the blacklist?
But Cloudflare has servers very close to our endpoints around the world, so I guess < 50ms if you don't use SSL could be a good estimation.
We are working hard to reduce the amount of time to establish the connection. It's about 80% of the time of the request.
What makes a response cacheable is a little complicated. There's cache headers, but also some heuristics involved. However, you can override all of that from a Worker by passing an explicit cache TTL to fetch():
This will force Cloudflare to cache the response at the edge for one day regardless of anything else. (Note: The documentation currently claims this option is available to enterprise customers only, but as of this week, it actually works for everyone. Docs to be updated soon.)Probably I will give it a try on Workers another Friday afternoon.
If it's the latter, then someone with both US and German citizenship could be covered even if they've never been to the EU.
Which is to say your hypothetical dual citizen would have zero rights under GDPR in their dealings with purely US entities.
While GDPR is a good idea, its legal impact can only be for business conducted within EU boundaries, or we are going to open up a Pandora's Box like this.
Come on: you're whining but you're doing that kind of extra-territorial stuff for decades!!!
Geoblocking is not enough. A user in Europe that bypasses an EU block with a VPN is still covered (this has been explicitly stated).
https://gdpr-info.eu/art-3-gdpr/ Art 3 (2b)
People (regardless of EU citizenship status) who are physically in the EU.
This isn't so hard.
An expat living in the EU is protected because they reside in the EU. If you are living in the USA, you must follow American laws.
It's a basic idea, and HN prides itself on being smart, but there aren't global laws. No one gets to enforce civil penalties outside of their jurisdictions, without exceptional circumstances. If they fine you and you don't have offices there just ... don't pay? The EU might not exist in 10 years anyway.
Recital 23 (referring to Article 3, Territorial Scope)
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
An attempt to prevent EU users from accessing the site at all is about as strong a signal as it gets regarding this. When you're blocking all of Europe by IP, it's pretty fucking obvious you're not envisaging offering services there.
For larger companies with offices in the EU (especially the ones headquartered there for tax purposes), they obviously have no choice to comply. But what about a small startup, with its only domicile and employees in the US?
What exactly could the EU do to punish a startup in that case? Unless they have some enforceability treaty with the US, I don’t see how they have any legal ground to extract fines for arbitrary laws defined in their jurisdiction. The worst they could do is ask EU ISPs and/or payment networks to block the offending sites, right?
Such a suit could be ignored too, but it would certainly be a PITA for vacationing executives who get locked up in Italy for an outstanding summary judgement.
It's a good thing there are a lot of beautiful parts of the world other than Italy.
I suppose when I asked the question, I am assuming internet businesses for the most part don't isolate themselves to a specific region, so their reply probably makes more sense for the businesses that operate in a small locality. Perhaps they have such a business. I should have considered that prior to asking.
Where this might start to get interesting is if people use infrastructure that is in multiple regions and that infrastructure provider has an agreement to block companies that do not comply. So if AWS for example had such an agreement, then non compliant companies could find their sites broken, even if they are only hosted in the U.S., not that this would ever happen, but it could.
[0] - https://userstyles.org/styles/9038/hide-down-vote-arrows-and...
There are precedents for the opposite. If you have a grandparent born in some EU countries, you have EU citizenship according to the law of that EU country, even if you never set foot on that country and have no contact at all with the EU. There is a (non-EU) country which says that if you're a citizen of that country, you have to pay income taxes to it, even if you never set foot on that country and have no contact at all with it. At least one country says that its law applies to buyers of widgets manufactured in that country, even if they are sold by someone who never set foot on that country and has no contact at all with it, to someone who likewise has no contact with it. And so on.
It's a Friday afternoon blog post to show how cool my product is with Cloudflare Workers and having fun at the same time!
That's an excellent attitude to take towards your users.
Valuable, dear, beloved users for which the business has boundless sympathy, empathy, and compassion are now awkwardly the source of compliance concerns for which the costs outstrip the reasonably expected revenues enabled by compliance. While compassion is unlimited, it is possible the budgets and time may not be.
Better?
But I wonder what changed since last week because those compliance concerns were just as valid last week. Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
Is it? It's a lot of bloviating about love and kindness and positivity that dances around the point a lot. It implies, instead of being explicit. It focuses on feelings instead of making a point clearly and concisely.
It's poor communication. For the same reasons, it's great PR material.
> But I wonder what changed since last week because those compliance concerns were just as valid last week.
I imagine that for a lot of really small shops, what's changed is that GDPR is now law when it wasn't for the past couple of years.
> Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
Maybe! Depends on the company, I should think. In some cases, I'm completely certain that you're absolutely right and they've been knowingly breaking the law for years because they can and there were no consequences.
For others, it's possible that the situation may be more subtle. The costs in time and money and opportunity costs to determine how compliant they are or need to be might be daunting or dwarf any reasonable forecast of revenue from EU users.
It's possible that not all scenarios might not be quite as simple as having nothing to fear so long as you are doing nothing wrong.
That just isn't true, the GDPR has been law for the last two years and before that there was a law with roughly the same (say 80% or so) components.
That the law got ignored we can agree on.
You're absolutely, completely, 100% correct! Please accept my deepest apologies for being unclear.
Until May 25, GDRP which has been law for years did not take full effect. It's possible that some people made choices based around which laws are in full effect, rather than what is law, for reasons that might at times be other than negligence or malice.
Again, please accept my apologies for being unclear. Please let me know if there's anything else I can clarify!
And your point is? Customers appreciate when you consider their feelings.
Of course, you should back up your kind words with kind actions too.
Please accept my apologies. I was under the impression that we were collectively discussing an issue of substance and import to us, rather than authoring customer-focused communications.
It's my opinion that the writing style appropriate for being maximally nice to customers is inefficient, time-consuming, inexact, and wasteful in other contexts. I'm sorry if I failed you by being insufficiently clear previously. Please accept my heartfelt apologies for this egregious oversight.
> Of course, you should back up your kind words with kind actions too.
You're right! You are without question correct that kind words should be followed with kind actions. Yet, it might be worth mentioning that kind actions can have costs measured in time, funds, resources, and opportunity costs. It's possible that in some incredibly unfortunate scenarios, this might result in actions being considered that some might see or choose to characterize as being perhaps a bit less kind than they could be.
You're still right, of course. Kind actions should follow kind words.
You keep repeating this on various threads, but it's not a good argument.
It's obvious: for companies that are now blocking EU users, they weren't in compliance or blocking before because the law wasn't being enforced. Hence the cost / benefit tradeoff was different. Now that possible enforcement is on the table, the calculation has changed. It's pretty simple.
For companies who were ignoring before and ignoring now, nothing has changed. They are either taking a huge risk or are correct in assuming that there's no enforcement mechanism, so they don't need to worry about it.
It's an excellent argument. That you don't agree with it is obvious but whether or not a law is enforced or not does not change the fact that it is the law.
Those companies that have decided to block EU users as a rule have done fuck all in the last two years and now, rather belatedly, have realized that in fact they are subject to the law rather than that they can afford to ignore it.
> They are either taking a huge risk or are correct in assuming that there's no enforcement mechanism, so they don't need to worry about it.
I sincerely hope that they will swap positions after the first few fines have been dealt out.
And something being "the law" doesn't actually mean anything. If not enforced, laws are just words.
So these companies who are now blocking did the actually rational thing, which is ignore the law right up until it matters.
No fines are going to hit these companies that have no EU presence. That's just scaremongering. And for the ones that do, I guess we'll see. Blocking the EU market seems pretty damn fair to me. I don't understand why the EU thinks it can force a business outside of the EU to deal with their citizens if it doesn't want to?
Oh they will be fined. The question is whether those fines will ever be collected. But the collection of fines is a different part of the government than the part that sets and applies the fines.
> That's just scaremongering.
No, it's a fact of life: if you ignore the law you will be fined.
> And for the ones that do, I guess we'll see.
Oh ok, so they will be fined. At least we agree on something.
Note that the EU at this point in time couldn't care less about those companies that have no POP in the EU, and if that causes companies to pack up and leave then so be it. But those companies that do have a POP and that knowingly and persistently violate the law, whether they are European in origin, American or Chinese deserve to have the book thrown at them if they ignore the law.
> Blocking the EU market seems pretty damn fair to me.
That's just fine, I take it your business is not affected or you plan to ignore the law because they can't collect. I'm perfectly ok with you doing that, don't get me wrong. It's your right to do this but I do think you should be transparent about this.
> I don't understand why the EU thinks it can force a business outside of the EU to deal with their citizens if it doesn't want to?
The EU can't force that, and that's not the intent of the law.
>
> No, it's a fact of life: if you ignore the law you will be fined.
Which law specifically, under the jurisdiction they operate in, are they ignoring?
> I sincerely hope that they will swap positions after the first few fines have been dealt out.
The idea of EU laws being enforceable worldwide is mind-boggling. Do you, seriously, think this is a reasonable notion?
The GDPR is not about revenue but about privacy. It's not meant to be cost neutral. Bank robbers could also quote you to complain about the burden of anti-robbery laws.
However, is it possible that in a context where companies are weighing the cost of GDPR compliance against the benefits of GDPR compliance (i.e., keeping their EU business) some might come down on the side of jettisoning the EU business? They might even opt to do it by using a tool, like Cloudflare Workers, that they can convince to block everyone in the EU.
You would be absolutely, completely, 100% right to consider this fully in line with the intentions of GDPR. Protect privacy or GTFO, right?
With that said, it's possible that a fragmented market with fewer legal business models may not be as conducive an environment to all possible businesses. It's even possible that as a result, not all gaps will get filled.
Different legal models also provide grounds for experimentation. Who knows what works better in the long run? Wild West or regulation like GDPR? We don't know.
Which is to say that you could be right! Absolutely and completely! Or you could be really wrong. Time will tell. The economic history of protectionism could be read by some to provide some clues, though.
More than USA citizens with dubious DMCA takedown requests?
Both seem wrong, can we agree on that? DMCA is a disgusting weapon, as is a lot that the US has done. Does that make weapons created by Europe ok?
https://en.wikipedia.org/wiki/Tu_quoque
Are they really pests for demanding privacy? In today's environment?
"I want to use your free service without participating in your monetization model. K thanks" -- EU citizens
My take is that consumers need to be aware of what 'free' really means for each service that advertises it. What are the real implications - not just something hidden in doublespeak in a ToS or privacy policy.
Everything spelled out in the GDPR is a great thing for users and should have been there from the very beginning - being able to erase all their data, see all their data, export their data, and get notified when data is accessed.
I hate this "empowering users" philosophy of the EU. It's reminiscent of "right to be forgotten" type regulation where EU believes users should be in control of "their" data, when it reality it isn't "theirs" to begin with. Once data is "public" you can't ever "erase" it because it's not "yours". I'm sorry, if you shoplift in my store (online or no), I'm keeping track of you no matter how much you demand that I erase "your" information.
"I want to use your free service and to participate in your monetization model only after you explicitly tell me how you are going to do with my data. If you can't tell me this, and get me to accept the trade off, why should I trust you?" -- EU citizens"
So it's more like "if you can't do this according to the whims of my government regulators, I'll still be using your service, AND prepare for a large fine."
No one is asking.
Rather, the right question is whether the entity demanding (the EU government) has the right to do so on the basis that their jurisdiction extends to anywhere that a citizen of theirs can reach via the Internet. I argue no.
You probably disagree, which is fine, but this ultimately comes down to enforcement. And for now at least, I win on that front.
I think we’re perfectly fine with telling you we use your data for ML training, internal analytics or showing you relevant ads. That is standard stuff you consent to in a TOS.
If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.
The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.
What we can do, is set a little deleted flag on your profile to treat you as "deleted".
> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
So not a database query itself, but the thing that drives the database query. It also extends to things like logs - aka don't keep a log full of SQL queries that are full of peoples personal information. Don't ship that log off to some third party, or make it available to random people.
For web apps it's mostly the storage and retrieval aspects that are important. Don't store too much PII. Don't allow anybody to access it at the DB level. Implement appropriate access restrictions at the web-app level.
It is perhaps a bit too abstract, but that's because it's covering a highly complex topic, but I don't think it's too vague on this: If it contains PII, protect it. Which, of course, you should be doing already.
For the longest time companies have been able to market something as 'free' when they have been the ones who have been trying to hide the fact that users' data was being sold, etc. So I would argue that if someone is 'stealing', it is actually the companies themselves.
The "stealing" is because they are trying to get companies to give their content out for free without paying the cost which requires targeted advertising (and no, generic ads pay shit which is why tons of companies are blocking all the EU because they now aren't worth the server costs).
You don't need to create a specific feature for European users if you don't want to, just as European users don't need to do business with you if you don't value their privacy. Economic exchanges are voluntary. If you think ignoring European customers is something that pays off for you, go for it.
If we would not care about privacy to a greater degree than other regions we would presumably not pass legislation that protects private information and cuts into ad-revenues.
After all, if someone exhibits a certain attitude towards their users' data that is a good indicator that there is more that isn't done properly.
It's funny that you think that it's totally ok to do this.
What's really being affected on the backend side of things is bulk data collection and storage and sharing with 3rd parties without consent.
If you're sick of people using your product and not giving anything in return, Charge. A. Fee.
The GDPR specifically forbids giving users the option of paying with data. (In that you can't deny access if the user doesn't agree to the data usage).
Charge. A. Fee.
It turns out that a whole lot of users don't want microtransactions for everything they do online, and would rather allow providers to monetize their data in exchange for access. You not liking those agreements is not a reasonable justification for forcibly banning them.
If it's too hard for you to copy paste a GDPR compliant privacy policy and monitor a GDPR email address then well, maybe you're in the wrong job.
We have business reasons for collecting user data, and users have no real reason to tell us to delete it at will, other than the fact that it makes them feel "creeped out".
The future is probably going to be super creepy. If you want to participate, get over it.
-Other than the fact that it makes them feel "creeped out".
Pick one.
My mother does not understand where data is kept, what is encryption or anonymisation even if you darw it for her...
and if my father wants tp watch porn he’ll pop his CC where ever just to jerk off...
Obviously it's "safer" to let others make rules and force us inside the fence to keep us sheep away from the dangerous wolves out there. I do understand that perspective to some extent. However I would never trade my freedom for security. The former is not easy to regain.
Your example where you "want to give your data away to a sketchy website" is not in any way representative of reality when a) the website is as ubiquitous as for instance FB, and thus in no way perceived as sketchy, and b) the user makes no conscious decision to consent (let alone "wants it").
> Hoping you've blocked access to the EU so I don't happen across it :)
Being glad that he doesn't have the freedom to use the site, thanks to a government law (whether a side-effect of the law or a direct effect is irrelevant, because the law brought it out just the same).
That is, if you're offering such a service that exploits users for their data, then I would never want to use it, so it might as well be blocked, for all I care.
Maybe even desirable if it was, so you don't come across it by mistake and sign up without doing proper diligence.
Freedom of choice is nice, but there's an argument that putting rat-poison in food products isn't ok, even if you label it on the package.
thinking it’s a good idea to give your personal data to FB is not FBs fault, it’s yours.
So we should stop government from enforcing food safety and accept poisonings as fact of life...
Counterpoint: Cigarette companies poison you, and they found it's an amazing way to gain repeat customers.
like do they MAKE you smoke? cos government MAKES me pay taxes Marlboro does not MAKE me smoke...
* XIX century wants it's snake oil back * Didn't hear about China and melamine milk scandal? * Would you buy food from Amazon if it was co-mingled in current way? * VW emission scandal
It is easy to be freetard when you do not get diarrhea every so often due to food that was "optimized" (like in XIX century ;)
https://en.wikipedia.org/wiki/The_Jungle
Consider how many modern food standards regulations came about, and what abuses they were addressing.
The milk scandal is interesting tho. I don't disagree that there are people/companies out there that are horrible human beings (or run by horrible human beings), but these are exceptions. There is also a market-based recourse for consumers. Lawsuits and liability is a big deterrent for example. It's also illegal to harm someone (as it should be) so jail time for the offenders is quite possible without having enormous and onerous regulations. And haven't you noticed that it's the giant companies that often push regulation? Because it raises barriers to entry for competitors. Big companies have the resources they need. Using the government to hurt your competitors is one of the oldest traditions in countries with governments big enough and powerful enough to do so.
[1] https://www.history.com/news/7-things-you-may-not-know-about...
[2] https://www.libertariannews.org/2012/11/15/meat-packing-lies...
[3] https://www.zeroaggressionproject.org/uncategorized/upton-si...
The government isn't the only source of power and coercion; private companies are too. A lot of these regulations are the one countering the other.
Riiiight. You sound like the perfect person to be handing my personal information and I would trust you to take full care of it.
Not.
EDIT: Not allowed to say what was previously put here.
> Your laws may say differently
Sure, Canadian laws in this area are very scattered and backwards. I wouldn't put that forward as a good thing though, or use it as a pretense to not bother protecting or managing your users PII.
"I shoot this sex tape myself with my camera, climbed my tree on lawn, zoomed with my long focus lens, stored it in my computer. It's my data. If they don't like it, they should have pulled their curtain."
There must be a threshold somewhere. When does it stops being acceptable, and starts being creepy?
Public places are one thing (he entered this building with that woman at this hour). Looking through private property is another.
But if I do not use your service, then I want that you delete all my personal data. Why is that so hard?
There are pieces of information that are particularly problematic for other parties to know. An email address is not one of those things.
I realize that it was a user error, am a bit miffed about it for two minutes, maybe mail them that they should be more careful with mail addresses.
If, OTOH, it's a business misusing my mail address intentionally and for monetary profit, I hope that regulators stomp on them.
I’d take a big issue to an organization storing a social security number or something of that nature, because its leak would represent a significant risk, but email addresses are fairly disposable items that we only voluntarily attach to ourselves to.
EU citizens turned into "pests" two years ago. Much like Y2K was a "pest" years before January 1, 2000. But unlike EU regulations, Y2K was like The Terminator: there was no appeal process, and it absolutely would not stop...ever, until you fix your Y2K bugs.
GDPR OTOH, eh, maybe there's some way to wiggle out of it? And two years later, when Compliance Day comes, here we are.
Article 4.1 defines an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to for example an online identifier.
IP addresses are specifically mentioned as online identifiers in recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags
Only time will tell how this will be interpreted specifically but we have at least one court decision already [1]:
> What makes a dynamic IP address personal data?
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
> there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
> the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
[1] https://www.whitecase.com/publications/alert/court-confirms-...
Don't take it seriously.
To a lot of US-ians the GDPR is just some EU bureaucrat stopping them from making more $. Nothing matters apart from being able to do whatever you want and make $.
It’s just a different mindset.
The example from a previous HN article was the Chicago Tribune blocking EU access.
Are you saying that there's a "huge immediate opportunity" for people in Europe to read local Chicago news?
Not every business is global. In fact, 99%+ aren't.
That’s the startup I’m presently working on. We’ll expand beyond the US borders (and implement GDPR) when we advance to a larger revenue stream. But right now, GDPR compliance is a distraction that interferes with gaining enough traction to help us afford the engineering and legal resources to ensure such compliance.
NOTE: we delete all client data when they cancel already. And we don’t do any creepy marketing.
Meanwhile they'll be using VPNs to access your site anyway :)
http://www.bbc.com/news/technology-44252327
This does sound like you'll have an easy time complying with GDPR! :)
So what's there to worry about? Sounds like you're well on your way to being compliant
If anything, this allows you to be transparent with your users too.
Do you inform your users what data you're collecting, why you're collecting it, and get their consent? Are you taking proper precautions with the expanded PII data (encrypting at rest for example)? You've basically covered the requirements.
> Yet needs to be sure they don’t end up giving the company to the EU because someone over there signs up on a marketing list.
What kind of FUD are people reading...if someone voluntarily gives you their email to sign up for a list that's fine. You just need to keep that they consented to receive what they agreed to. What you can't do is use that email for crap they didn't sign up to receive. Obviously normal unbsub rules apply, which in this case says forget that someone ever signed up.
In my limited view, this is pretty much the case. When I was telling our management team about the GDPR and how it relates to our new European-focused project, the first thing the CEO said was "how do we get around this?"
Management decided we're not gonna comply with the GDPR and just hope nobody notices.
Which in the longer term turned out to be right. I'd love to see Winterkorn behind bars for that one.
Although they don't say it that way, that seems to be what most GDPR advocates are implicitly advising. They keep saying not to panic and shut down your web site or block europeans because and the EU is not going to sue you as a first step, etc etc.
As a dev though, I also understand the frustration. Creating startups is already time-intensive and stressful. A lot of us are on shoestring budgets. Most startups will fail. To a solo developer in the US, the idea of spending time understanding and complying with GDPR is daunting, it's more than just a hindrance to many. Still, I don't want to break European law, so maybe it's easier to block EU users at first and change policies later if profitable.
I think blocking is at least showing you respect the law, compared to just doing nothing and being non compliant.
"Most startups will fail": I do not see that happening. You will first receive a warning. The EU won't really care if you are a tiny startup. Unless you are running a shady business, there's not much to worry about.
I think assuming the EU won't care about tiny startups is irrelevant - I want to follow the letter of the law, it's why I'd opt to block EU users instead of just ignoring the existence of the law.
Hence, the blocking of the EU - its better to block at the beginning and then expand to the EU once we have revenue to support someone handling this as an employee.
You know this is not what would happen, right, that you'd be given advice and the opportunity to towards an amicable resolution?
I know nothing about European legal systems though
And as a member of a EU country that for the last year has been constantly bending (when not breaking) the rules to repress and attack legitimate political reivindications, the relativism in the application of GDPR is something that I find very worrying.
Uber versus Night School is an example of this. Uber: Ignore taxi regulations, get tons of VC, get rich while being awful people. Night School: try to work with government and play by the rules, fail, get used as a cautionary tale.
Source: https://psmag.com/economics/night-school-failed-because-it-f...
I think something akin to GDPR is necessary and good, but GDPR as written probably isn't it. I look forward to seeing how it works out in practice, and how it develops/is replaced, and in the meantime feel bad for the developers and customers that suffer through the unintended consequences and misfeatures of it.
After the law gets clarified some, I think you're right that it won't be bad for small players. But I wouldn't want to be one of the test cases.
Calling the data protection agencies "government" may be correct in some very legalistic sense, but is utterly wrong under any colloquial meaning of the word.
You don't know this.
How many $300kEUR fines (the maximum in Germany until yesterday) served by a German DPA (we have 17: one federal, one per state) have you heard about in the last 5 years?
From April 2015 to March 2017 there were 124 proceedings, with 47 leading to fines.
The aggregate sum of all those 47 fines was... 174.226 Euros.
[1] http://www.dw.com/en/germany-fines-man-208000-for-stealing-c... [2] https://www.thelocal.de/20170405/germany-to-fine-social-medi...
The second one is a law very much like GDPR (notice the little words "up to"?). Not a single fine has been given based on that, not even a small one.
GDPR is the PCI of the privacy world, 99% of companies will be non compliant if audited, but 99% of companies wont be audited. The difference is unlike PCI anyone can launch claims against companies, including for malicious reasons like taking out a competitor, and political reasons like a eurocrat taking a disliking to a particular company.
Most large banks and insurance companies are listed.
We had two major expenses: liability insurance for meetings and SOX insurance for the officers. Everything else was in the noise.
I've been involved in GDPR efforts at work and all the policies seem fairly straight forward to me. If you're not doing shady shit and you're upfront with your users what you are collecting the data for, how long you keep it and what access policies you have set up.
Not a problem if you ask me.
Enforcement guidelines are ill-defined, and the definition relies on vague terms. For example, is retaining an IP critical to running your business? What if you're getting DDos'd? Now it is up to someone else to make that distinction, and you're dependent on them "being reasonable."
You can even self-report if you're not sure you handled the privacy well, and they will point you the stuff you have to work on (and give you month to do that).
I Understand Americans are afraid of fine and lawsuits, but please don't be afraid. Read GDPR statement from regulatory instances, they are here to help business too.
I think GDPR is short-sighted from a game theory perspective and will short-change European citizens.
When I sold software online, Europe was < 5% of my sales. Why take on business-ending liability risk for that amount of sales? Sure, maybe I'd do these things anyway, but once you open that pandora's box, you're relying on favorable interpretation and the goodwill of regulators.
Having seen what happened in the US with civil asset forfeiture, well-meaning laws can have their purpose bent, and goodwill can be perverted. Why take on that exposure?
Why would you hand of the data of your customers to someone that won't/can't prove to you that they will be in compliance with the current legal requirements?
Honestly that is the entire point of the GDPR, don't misuse customer data and don't hand it over to 3rd. parties unless the customer allows you to.
Good. Outsourcing violations, ethical or legal, shouldn't get you off the hook for them.
Besides which, what are you doing handing off stuff that's important to your business without knowing what's being done with it? Not a recipe for success. And if it's not important, then...
Are you just making this stuff up, or has this actually happened?
You didn't (as hundreds of others), so now the EU forces you to. So now you have an opportunity to become a better company: https://medium.com/tsengineering/the-gdpr-blog-post-9a571b13...
You're working in the real world, with real consequences if you end up exposing people's personal data. The party is ending. Either deal with it, or find something else to do.
They are dealing with it... by limiting their liability.
As far as I can tell, the "user" doesn't have a whole lot of choice there and Facebook isn't the only company doing that kind of aggregated data collection.
I see them as a very poor example of good things coming out of Silicon Valley...
But Silicon Valley isn't a monolith where everybody is on the same page about everything, I have no doubt there's plenty of people in SC who consider FB a success-model to be followed into a shining future.
If “fighting over coconuts” is not on their list of things they wish to do, it’s not a completely absurd choice.
These are things I can put off until later, I don't need them to validate my startup concept. If the startup is successful, it might make sense to expand the market.
Plus, blatently ignoring regulation is cheaper in the short term, and if you successfully leverage that advantage into revenue than you can start throwing money at the problem once the regulators finally do get around to prosecuting you.
Worked for Uber.
I do agree with your overall point though.
The thing about GDPR that I disagree with is how it aims to have global jurisdiction. If it was a US law (as a US-based developer), perhaps I'd protest it, but I'd still follow it if I wanted to work in software.
So if you "sell" to EU residents, follow EU's rules.
Surely this will just result in the development of the reseller model?
As long as the reseller doesn't collect data, they're protected and as long as the US company doesn't maintain a presence or ideally market to the EU, they're untouchable due to the lack of any EU-US enforcement agreement for the GDPR.
The Poland proposal [1] to limit GDPR compliance to only large businesses was trying to address that. But it's flawed, because a small company (Cambridge Analytics) could still make a lot of damage to users' privacy... but the intent of Poland was good.
I feel there should be an opt-out based on the numbers of users and the age of the company/service: If you can easily prove that you're not handling more than X users and your company is less than 2 years old, then GDPR does not apply yet, as long as you warn clearly on your website that you're not-yet-falling-under-GDPR. If you're still in the GDPR-waiver zone but believe to be GDPR compliant, then you can remove the warning and are subject to GDPR like every other company.
That way entrepreneurs won't be scared to try some MVP here and there. I'm especially thinking of those trying to start a startup in countries that are part of the E.U.. The rest of the world entrepreneurs can just focus on their local userbase.
[1] https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spa...
"We are a startup on a shoestring budget, we can't put safety belts in our cars!!!"
The cost of being in the car business is to build safe cars. The cost of being in the webservice business is to protect userdata.
If you can't, you are not good enough to be allowed on the market.
If you disagree, should the US also stop prosecuting VW for the diesel cheating?
Great point about VW btw, I forgot about that !
The safest car is one that can't drive, and the most privacy-friendly software will fail to compile. You should be able to build a functional car before you need to worry about making it as safe as possible, and similarly you should be able to build a functional MVP of your software before you need to worry about compliance with a huge international policy.
Before you are permitted to use your DIY car you need to comply with safety regulations to avoid harming others. You can keep your unsafe car off the street in your garage, though. Same for software that is not compliant; you just don't get to call it a "product" and let it loose on the public.
you can drive your unsafe car on the track, and your negligent mvp on your customers own hardware as in-house software.
A one person entrepreneur might not consider him/herself to be "being in the webservice business". Instead he/she would consider being in the business of [whatever problem the MVP is trying to solve]. It just hapens that in the 21st century, most of innovation happens online.
Back to your car analogy, it seems that people on one side argue that all companies "being in the webservice business" are 'car makers'. some people on the other side of the argument might say it's not.
Also, ultimately, it's possible that after spending a lot of time and hours examining the legal requirements of GDPR, a startup realizes it's not technically hard to comply, but the issue here isn't implementing the requirements, it's more about getting all the legal analysis, certification, handling customers requests, etc.
> If you disagree, should the US also stop prosecuting VW for the diesel cheating?
In that case, VW has clearly been in the car business for much more than 2 years, and in my example "X users", a good value for X would be something order of magnitudes less than the number of VW customers around the globe. So no, the US would continue prosecuting VW.
It's that the equivalent of starting a new car company and arguing that you shouldn't be required to follow the same safety standard as Volkswagen Group, because you're still a small company?
At it's core the GDPR is simply stating that you're accountable for the data you collect and that you're only allowed to use the data for the purpose is originally collect. Building privacy into your product is much easier for someone designing something from scratch, compared to retrofitting it into the business plans of Facebook and Google.
I get the feeling that most of the people arguing against the GDPR are people who are focused solely in collecting user data as a core business. The people I know who are building actual product, where people pay for a service, are doing fine. Even though that they have to build products in a manner I suggested five years ago, where user data is either not collected or delete when processing is completed.
If your business is based around exploiting user data however it might be a lot harder, but then that's the point of GDPR, to prevent people exploiting user data.
GDPR exists because it turns out we can't trust companies to handle personal data with the care it deserves, and I don't see why any company should be excused that proper care.
I have a profitable, bootstrapped SaaS business based in US. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.
I've been talking to a very well known giant corporation (also based in US, but has many global offices) for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses, (various ISO certifications and such) in the contract that I, as a small company, cannot comply. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.
The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.
This is the side-effect of GDPR.
I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Of course, blocking European users doesn't do anything for me since I want to do everything I can to protect user privacy.
But anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.
And this law’s effects are all about the unintended consequences. Anyone thinking government regulators are reasonable and benevolent has never dealt with said regulators beyond any trivial level. To make it more fun each member country handles enforcement, so now you have a risk of 28 different interpretations of the law. It’s madness. Even if you do everything right there is still a compliance risk. It’s like HIPAA in the US — HIPAA is pretty “easy” to comply with, but the consequences are so severe that it necessarily drives up operational costs significantly. Unless Europe is a significant part of your revenue, better to block Europe and decrease your risk to near zero rather than have a potential risk of catastrophic, company-ending fines. Because the fine isn’t against profit, it’s against total, worldwide revenue. So unless your European profit exceeds 5% of your worldwide revenue, no sane person would take that risk. Even without the enforcement risk, you still have to deal with potentially hundreds or thousands of information requests — even if you are doing everything by the book.
This is possibly the strangest comment I've seen about this whole ordeal.
I understand it's frustrating on your side, because you have no control over the response of your customers. But understanding what GDPR is (and not falling for FUD) is why the VPs and Directors get paid the big bucks and get the fancy titles. If they can't or won't work with legal to become compliant, they should resign and let someone else do the job properly.
I'm not saying, "oh it's easy" -- it's not easy. But that doesn't make the law wrong either. And it's not OK to blame GDPR as being "bad", when those rules are mostly just putting some real enforcement around stuff all moral and ethical organizations should have already been doing anyway.
Your points don't "make the law right". In whose view? Right or wrong for whom? In his example he listed all the ways he is handling user data in a respectful way. And yet, he is still harmed by this law.
That the VP and President may be doing their jobs wrong (in your view) is no recourse for OP, he is harmed all the same.
And ... are they doing their jobs wrong? At the end of the day, they are limiting their risk. What threshold of risk of harm to their business and livelihoods would you feel is an acceptable tradeoff to comply?
There are many real world effects of GDPR and we are just starting to see the pros/cons of it.
Please tell me I've read something wrong. Otherwise, this is just panic induced stupidity. I expect they will grow out of it (though maybe not before you go bankrupt, which obviously sucks big time).
The GDPR regulates both Data Controllers, and Data Processors
Suppose I'm excited to hear about Hats.example, a site that sells hats. I visit, but they don't have any hats for my ostrich. Damn. But, they do have a box where I can leave my email address "to be contacted about future products". Great, maybe they'll introduce Ostrich hats. I fill out the box.
Hats.example uses famous email deliverability company WeSpamPeople.example to ensure their marketing emails have "industry best in class reach". I soon get an email every week featuring different styles of hat, but they're all for people, disappointing.
But then, WeSpamPeople's VC runs thin, and they cut a deal with OutrightFraudAndScams.example, which tricks people into making dubious "investments" and wants a lot of "leads". Now as well as the hats newsletters I asked for but don't really care about, I'm getting stuff inviting me to invest in Venezuelan Bitcoin mining and a project to make "Green cyber-organic goats for the blockchain". Ouch.
Hats.example are a Data Controller. The GDPR says they are responsible for looking after the data that I gave to them, even if "technically" that form I filled out is a Javascript frame injected by WeSpamPeople.example, it's part of the Hats.example business, so it's their responsibility to ensure my email is not abused by a processor like WeSpamPeople.example, for example through contractual terms requiring WeSpamPeople.example to delete my email, never to send it elsewhere, etcetera.
WeSpamPeople.example are a Data Processor because they were given my email address and other details to send me "marketing" information. They have a duty under the GDPR to get reasonable assurance that this was OK with me, for example maybe Hats.example did some paperwork that promised they're legitimate and they got sign-off for these email addresses. Regardless of whether they were given terms requiring them to do so by the Data Controller, the GDPR says they have to take care not to abuse the data, for example they can't sell it to anybody, since they obviously don't have permission to do that.
OutrightFraudAndScams.example are also a Data Processor, and maybe also a Data Controller they know they didn't have permission to touch this data, but presumably they also routinely violate all sorts of other anti-fraud or anti-scam laws. Maybe the GDPR will help add to the fines and charges and put them out of business.
[Edited: minor typos / fixes]
Just so it's clear, you're positing that when WeSpamPeople breaks every existing contract they have, that those on the other side of said contracts are now liable?
Of course it could happen, but I don't see the EU fining those on the other side of the contract as long as they moved to another DP and alerted their users when the breach of contract was discovered. Both actions should happen regardless of GDPR.
TBH, email is a bad example anyway because good providers are already pretty quick to boot bad actors so they don’t end up on blacklists.
Yes.
It's not unreasonable, because GDPR has components that require vendor assurance (more or less). So the megacorp with a point-of-presence in the EU has to be cautious about what strictly-US SaaS services it uses if there's any potential for data crossing into the SaaS.
This is almost certainly exactly what GDPR is intended to do. It aims, in part, to make sure companies can't shirk their responsibilities by handing everything over to vendors who will ignore GDPR.
An actual compliance audit from an accredited auditor, paid for by the SaaS offering of course, is not going to be cheap or easy.
And the GDPR is the side-effect of people running hog-wild with PII etc. I feel for you but I see your situation as collateral damage of the privacy crisis.
Blocking Europeans sounds a lot more reasonable than having to hire a lawyer and spend double the time and effort just to be compliant while writing a new JavaScript MVC Todo List app.
The people (by and large government is run by the people, for the people, at least in some countries) have had enough. I've had enough, and this is us telling companies they've had their chance and not made the grade so we're dictating now. As a person, and father (who has to worry for the rest of my live about my offspring's health and happiness, and linked to that, privacy) I'm very happy with this law. I support it, as seemingly a lot of people do. That's not authoritarian, it's the will of the people.
And no, I'm not some sort of communist beard stroker, I'm pretty central in my political beliefs and I also don't appreciate governments sticking their noses in where it's not welcome, but this, this is welcome.
Why would you think that SV would be interested in offering anything for its own sake? The vast majority of the model is to create new rent-seeking profit opportunities for investors, with internet users as a mere means to that end.
Yet. Give it some time.
> I would be very wary of a company who claims this legislation is onerous. It is potentially life threatening to companies who do very shady things without your consent. That much is true. That is the entire point.
I somewhat suspect those companies hiding behind the 'oh lets just block Europe' excuse just don't want to admit the extent of what they are doing with the data.
US citizens should take note of this, because it's their data too.
[1] https://medium.com/tsengineering/the-gdpr-blog-post-9a571b13...
EU citizens should not be pissed off that second-order effects exist in the world. If they are, they need to take ECN 101/102 again and pay closer attention.
If the cops showed up at your door asking to search your home, business, and Internet accounts without a warrant, would you let them? Why not? What are you hiding?
Thing is? We changed almost nothing about the way we processed data. Data subjects are no better off because we've spent tens of thousands of dollars complying. Whether people comply or not, the fact of the matter is that this regulation is onerous. It's onerous even if you love the intent of it, and it's onerous even if you think it's worth it.
Much like China, which has managed to develop a huge internet industry because it doesn't have to compete with the American competitors, the EU's huge market will provide a lot of space for EU startups if the American competitors refuse to do business in Europe. But unlike China, the GDPR will make those European companies more competitive on the world scene rather than less.
If the choice was between 2 services, one of which complied with GDPR and one which didn't, and explicitly excluded GDPR protected users, I'd assume the vast majority of regular consumers, but definitely businesses, would pick the GDPR compliant one.
It will also do just about nothing in regards to the major companies that everyone had such a big privacy issue with in the first place, so not only is the regulation vague but it's also ultimately very ineffective.
They tried hard rules, rather than principles with the cookie laws and the companies around the world turned a good idea into a shit-show of popups while continuing to behave like nothing happened.
Honestly the more I read and the more I see how different business react I start to view the GDPR as EU finally showing that will not accept businesses viewing it as a second rate legislator.
The GDPR and reactions to Trumps policies an EU that is finally starting to behave like it's representing the best interest of 500 million people.
I mean, if companies cared about privacy in the first place, there probably wouldn't be the need for such a regulation. At the very least, GDPR will get the general population be conscious about what the hell is going on under most websites.
We've also lost customers (including a contract that would have been our second-biggest) because our competitor is either lying or doesn't know anything about the GDPR, and has convinced customers they're compliant. Their story sounds easier than ours; "We're in the EU, so we're compliant" as opposed to "Hey, you need to sign this DPA with us to be compliant."
And no, many companies already did care about privacy. Companies are not faceless villains -- they're made up of people like you, assuming you have a job, and even aside from not wanting the bad publicity of breach or misuse most people want to use data correctly.
I think a lot of that is down to decisions taken by US-based management that is simply clueless about how law works outside the US. And probably also only got their information from US-based lawyers that were either as clueless as themselves, or had incentives to make everything look very complicated.
On the other hand, most of the companies around me that have no links with the US were not particularily worried, and either consider that they are already compliant, conducted minimal work to be acting in good faith, or at worst are waiting for the regulatory body (CNIL here) to tell them what they are doing wrong, if that is the case.
However, I don't know any company that does shady things with their users' data, and things might be very different for those.
Right now there are billions of people around the world clicking "yes" on all the privacy and consent popups while grumbling about the annoying notices and just wanting to get back to what they were doing. Meanwhile there are also plenty of people creating havoc by filing lawsuits against every company they can, adding up to billions demanded on just the first day.
No, the EU is not the US, no lawsuits have been filed. Some individuals have reported some companies to their local data protection agencies, just like the GDPR says you should. No money has been "added up to billions", because the DPAs don't sue for damages, the levy fines to ensure compliance.
Huge difference. If you're going to critique the GDPR, please understand how the legal and regulatory systems of Europe work first.
This law has been in application since 1978 [1]. And in 2018, we have adtech companies like Criteo. [2] I have one of my best friend who started his adtech startup in France. Everything is good.
There's is a lot of implicit contracts (you filled up our sign up form? Well, then you chose to give us your data. ...) The only things you have to do: know which data you collect and give the ability to people to update/delete their data. That's all.
I don't understand the fear. I don't understand what is "vague" about it. It's so simple and low barrier that Microsoft decided to make it the rule for all of their users. But thanks to the hysteria, they made a PR stunt out of it.
--
[1] https://en.wikipedia.org/w/index.php?title=Data_ownership&ol...
[2] https://en.wikipedia.org/wiki/Criteo
The difference is that France is insignificant in the adtech market. The real money is in the US and spread out across Europe, with Asia soon to overtake. The existing rules you point to weren't affecting global operations where Criteo and others made their money.
It's strange that you think the business models are going to fly in Asia. China and many Asian countries are laying out privacy regimes that are even more strict than the GDPR. Take a look at China [1] or Thailand [2]. Pretty soon it will be the case only in America that adtech companies can collect and sell endless personal information without consequence.
[2] https://www.bangkokpost.com/business/news/1455534/new-data-l...
Ok, spend all your time going after the ad company and ignore the government which is 1000x worse and will control your life or toss you in a cell. Good luck with that.
The laws are not stricter (they arent even laws yet), and they are meaningless in those areas because the government itself already defies them.
That doesn't make laws meaningless.
But China grants legal exemptions without especially good or consistent oversight over those countries. The net result is an awful lot of folks who get a legal exemption for a specific aspect of their business and then tend to run roughshod in other less scrutinized areas.
How is this different from any other western government?
Now if you're taking about security contractors, that's different and the same the whole world over I guess.
Second... I don't see how valuation matters. Did they loose money? Went out of business? No. VW lost valuation during the whole diesel gate scandal. Did that make VW a less relevant? No.
And the last thing that I wanted to mention: I said "this is just an implementation of an old French law into the European Level". And I was mentioning the French law itself, not the European Law.
The cookie issue that you're mentioning is related to the ePrivacy directive, which is solely European Law, that was passed one or two years before the whole lost of valuation. My point was just that the GDPR doesn't affect anybody.
Do you know that they are a publicly traded company? Losing money is exactly what happens when the stock price falls. When you lose more than half of your value, going out of business is a serious risk.
It only affects the ability to make more money by issuing new shares.
But the "bank account" of the company doesn't get divided by two. Customers don't start paying only half the price for their service.
Given the EU assertion of global jurisdiction, the GDPR seems like a bit of a trade war and it's surprising more commentators aren't treating it as such.
The US should be inspired by this and give online retailers the opportunity to collect and remit sales taxes.
Sincerely hoping that this marks the end of the data gold rush
I'm sorry the analogy is totally flawed. On one hand you have something consumable: food, on the other side that can be made eternal: data.
When making an application that collect data, you just have to make a form/button to give the ability to update/delete data. It's no more different that when you make an adult website, you have to make a page "Are you above 18?"
Sometimes, it sounds to me that people on HN don't have a problem with the law X or Y. They rather have a problem with the concept of regulation in general. (See the comments on all the posts about Germany requiring Uber drivers to have a car insurance with a higher liability.)
But if you want to give an analogy to normal business, a more suitable one would be: "Giving people the option to delete their data is a bit like allowing customers to get their money back on their gift card they purchased 2 years ago"
How is that unfair?
You're not understanding the analogy. What does a user get out of using Google's services? They get access to a suite of products (search, email, cloud storage, online productivity apps, videos, and so on) that are maintained by a rather expensive group of employees and run on a rather expensive collection of hardware. When you use those services you pay for them by letting Google collect information about your use of those services. The value you get from those services is often intangible (you watched a cat video or looked through a photo gallery of your sister's new kid), though sometimes monetary (you don't have to pay an ISP for an email address if you use gmail.) When you choose to no longer use the services and demand that Google delete all the data they have gathered are you going to return that intangible value and pay them for the money you saved by using their systems? How would you do return the experience of watching a stupid cat video? It's exactly like eating a meal but insisting the restaurant give up the value, i.e. the money, that they got from you.
But still, the analogy is flawed then. If I give the restaurant money, the way the use they money afterwards doesn't affect me. They cannot take more money from my bank account or from my pocket. The only thing they can do is invest it and make more money, but it does not affect me.
When I give my data, the way they use my data – after I've "eaten there" – can affect my life. They can send me spam, they can put me into database of "people with suspicious behavior", ...
The law is more about giving a second chance: I could have given information in the past, and you could have sent me commercial emails in the past. But now I've realized I've made a mistake and I don't want you do that anymore.
If you want an analogy to real life: it's more about giving 5 years of jail to a burglar. They committed a mistake, so they have to pay for it, but they should have the right to get out after having paid, and live a normal honest life.
How is that unfair?
Google generates money not by collecting data but by showing targeted ads (they need personal information to do good job at targeting).
They actually do provide option to opt out, remove information about you but they make a quite a hassle to opt out and block features that could otherwise work, to encourage you to opt back in. For example you don't agree for Google to your location history? Fine, you don't have location history in Google Maps even for places you searched 5 seconds ago.
Anyway, to turn things around, yes they provide you services for free, and you're paying for using them by have targeted ads, if you decide to not use those services anymore you can't get an offline version of their tools that doesn't phone home, so why should they be allowed to keep your data in perpetuity?
The fair result of a person choosing to stop using a company's service is that they get to stop paying for that service, i.e. Google doesn't get to collect data about your current and future activities.
People truly underestimate how much information about them is actually worth.
There are also extra procedures you have to follow that could be really complicated depending on the business. This is even worse for small businesses. I can definitely understand those people who want to just wash their hands of it, especially if they don't get much business from Europe.
As I said other comments, I'm not sure if people on HN have a problem with the GDPR, or just with the concept of regulation itself.
Also, when I read about "complicated rules for small businesses". It reminds me about American republican politicians explaining how taxes on the rich will affect the average joe's taxes.
The reality is that many rules only apply to big businesses. And small businesses are exempt of many rules. My favorite one is the "Data Protection Officer", everybody on the internet™ says that you need one. The reality? Most small business won't. The article 37 explains that the Data Protection Officer is when a business is "collecting data on a large scale" [1] Second of all, people interpret that as "Hiring somebody", you don't. It's just a role, take your CEO, and now he's your "Data Protection Officer", ...
--
[1] https://gdpr-info.eu/art-37-gdpr/
Perhaps in early stage of a startup a founder will take the title to save cost, but he/she will want to lose that responsibility as soon as possible.
Congratulations, you're uncompliant. Thanks for playing "GDPR is easy".
> (5) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Expert knowledge just mean that he/she read the entire directive. The same way that most employer in europe have read their country's labor law.
The reason why they say that is because the "Data Protection Officer" is the person liable for GPDR violation. The same way the CEO is liable for many wrong doing a company could do. They require no certification, no degree for a person to be a "Data Protection Officer."
Just having read the GDPR doesn't count for "expert knowledge", it's just knowledge. "Expert" is something more. How much more? Funny you should ask, welcome to GDPR limbo.
Also, it doesn't say expert knowledge merely of GDPR, it says expert knowledge of "data protection law", vague and unbounded, certainly not limited to the GDPR. GDPR is probably the most restrictive you have to comply with, but the text literally requires you to have to have expert knowledge of the others, too. Finally, there's the little "and practices". It's not enough to read it, you have to be an expert in how data protection law is used in practice.
Before you have processed even a single byte of data, you're literally uncompliant simply by being blasé about how you name your DPO. It seems unlikely that anyone will get busted simply for this, but low likelihood of enforcement is not the same as compliance, and why would they include this paragraph if they didn't feel it was important? People who actually care about being compliant need to think about this.
The irony here is that American users are so used to being endlessly surveiled without consequence that they are genuinely shocked that the rest of the world refuses to put up with this bullshit. This is completely normal to them.
The GDPR is just another step in a global fight by people all over the world to regain their data sovereignty and protect themselves from endless surveillance. The momentum at the international level is very clearly for data sovereignty. Russia and many Asian countries are following closely behind. And while everybody was freaking out about the GDPR nobody seemed to notice that China passed even stricter online privacy laws [1] earlier this month. Singapore [3] and Malaysia [4] are up to speed and even Thailand [2] will likely soon require minimum standards. (Edited to add more links.)
The end result is like so many other things: American companies will end up blocking everybody but American users who they know they can exploit without consequence. American users will celebrate their exploitation as freedom from Big Government. Everybody else will move on and just shake their heads.
[1] https://www.csis.org/analysis/new-china-data-privacy-standar...
[2] https://www.bangkokpost.com/business/news/1455534/new-data-l...
[3] https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-...
[4] https://www.hg.org/article.asp?id=33273
Also it's hilarious to claim China has better privacy when that government tracks everyone using facial regulation with real-time threat scoring and national social rankings called a "citizen score". A late payment on a single bill gets your face and contact info on a giant billboard so go ahead and try complaining about your data over there and see how far that goes.
Get this: not everybody is consumed by paranoid fantasies concerning their government. And while your shallow understanding of China based off a few western-oriented articles here and there may validate your own biases do understand they have no real relation to reality. In reality, there are no extraordinary consequences for missing a single bill. On the other hand if you're sued in court over a debt the judge -- not unlike American judges (!) -- can use public humiliation to try to modify your behavior.
And sure, China has nothing to worry about other than this: https://en.wikipedia.org/wiki/Social_Credit_System
>>> People have already faced various punishments for violating social protocols. The system has been used to already block nine million people with "low scores" from purchasing domestic flights. While still in the preliminary stages the system has been used to ban people and their children from certain schools, prevent low scorers from renting hotels, using credit cards, and black list individuals from being able to procure employment. The system has also been used to rate individuals for their internet habits (too much online gaming reduces ones score for example), personal shopping habits, and a variety of other personal and wholly innocuous acts that have no impact on the wider community.
Also tell these people it was just a big joke: http://www.scmp.com/news/china/society/article/2144690/chine...
>>> Authorities vowed to collect the personal information of debtors and publish it in public places such as newspapers, train stations and other high-visibility platforms. The Supreme People’s Court reported in January that by the end of 2017 it had publicly listed the names of nearly 10 million people. They had been blacklisted from various activities, with 9.36 million of them prohibited from buying plane tickets and 3.67 million from buying high-speed rail tickets.
I see this "not clear" repeated here. Can you cite a section that you find not clear, so we understand what you mean?
So n = 8000 makes a sand pile.
If folks find ambiguity in the GDPR, do NOT get into American Fintech. Here's a great question: what are the technical requirements mandated by the US government to become a bank?
In a way it very much reminds me of Germanys 'stabbed in the back' conspiracy theories at the end of WWI. Any rationalisation to avoid the cold, hard truth.
I'd bet money on two terms for trump at this point. The left has learned nothing from this.
It is a blocker that slows down your efforts to work on the next feature. It is not hacker friendly. It is a huge pain in the ass.
Edit: btw, I don’t really blame the EU. Google and Facebook got us into this mess.
AIUI that's one of the main changes, that explicit consent is now needed to retain data and specific details of how it will be secured, who it might be passed to, must be given. Also that if the service being offered doesn't need the data, that the company offering the service can't insist on having it.
It is a big thing for micro-businesses and SMEs in the UK - despite having data protection laws already - it does change the complexion of how one handles PII and the embedded assumptions. We're talking about businesses many of whom have paper bookings diaries - the diary apparently needs to now be secured, whilst it's always sat on the counter before; that's a costly structural/workflow change (unlock the diary for every phone call!).
What is poorly written about it?
> there must be clear paths to implementation and verification.
There are.
>Perhaps that should've been fixed instead of wondering why so many companies don't really want to deal with it.
There's nothing to fix, and I'm going to assume you can't even name 3 things since your post is just an extremely vague talking point.
There are examples of regulation that does work, but GDPR is not really in that category.
I haven't seen many grey areas or difficult corner cases in the discussions here, so far.
Only people claiming that everything is unclear, because they don't want to accept the truth: that they clearly fall under the GDPR.
...Ok, because you say so? Are you a lawyer? Do you realize that this whole discussion exists precisely because it's unclear?
There are already billions in lawsuits against facebook, google and others so companies are rightfully being careful. And even if you fall under GDPR, there is plenty of vagueness about the data and processes itself. This is not as simple as you make it out to be.
I realize that this statement is untrue.
Some people are dredging up all kinds of "but what if" and "I really, truly don't understand how my collecting data could be considered GDPR-triggering".
I find that dishonest. Protest as much as you want.
Oh, and surprisingly, just by some bizarre happenstance, you are "Currently working on Instinctive, a B2B marketing technology company."
I can tell you immediately that whatever you're doing falls under the GDPR.
Cool, except we weren't confused about that. Figuring out what data exactly and when, along with the proper processes, documentation, and interaction with all of our clients took lots of lawyer time though.
They will learn. It's a financial certainty.
On a separate note: I feel totally disgusted with the kind of people who are totally uninterested with the the fate of their users. It's not exactly uncommon in Silicon Valley. Fuck these guys.
I don't know about you, but I have learned a great deal!
I've mostly learned that Eurocrats can't actually write useful regulation. Blah blah blah human rights blah blah reasonable measures. Next chapter. Blah blah envisage blah blah reasonable measures. Blah blah blah inter-government communications protocols blah blah codes of conduct.
What's a reasonable measure? How do I know if I'm compliant? How do I know if a vendor is compliant?
GDPR is a wonderful, incredible, essential document for laying out human rights for the digital world. It's also terrible and incomprehensible regulation.
I mostly agree that the lack of concrete measures makes it horrible from a compliance view, but I'm not sure you can have both things, especially in a relatively immature area of law.
I would have been happier if they'd done something around setting up an administrative body that authors and updated regs.
Did they ask for explicit permission to use your data? Do they provide the service if you only provide the data they actually need, rather than asking for a swathe of PII so they can sell it on? Do they provide info on how your data is stored, and who has access to it? Do they provide a way for you to view and/or delete all the PII they have on you?
Do they take reasonable measures to detect and inform me of a breach? Do they take reasonable measures to ensure it's me requesting data being deleted? Can they provide the same data about all Data Processors they make use of?
It's possible that the answers to this might not be easily and readily answered in every single potential case one might encounter when dealing with specialist vendors.
You're completely right to spell out those questions. It's just possible that there may be more to GDPR compliance - and certainty - than that in some cases.
I would say this is also applicable in reference to the unintended consequences of regulations
just blocking them doesn't seem like that bad of an idea, especially with the fines involved.
I think the things that bother me is:
1) A College student working on a side project with no revenue are treated the same as some massive multi-national.
2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.
3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?
And why not? The result/harm is the same.
It doesn't matter a bit whether a company's web site is handing its visitors' data over to Facebook or a "private site" does.
The side project or the private site always have the option of not participating in the adtech frenzy.
But of course they want to participate (free money!), even if they find out much later that almost no money is coming their way.
These rules don't stop anything about ads, they just make them less targeted. Not a big deal, but it will increase the costs of serving users and thus decrease the total amount of commercial projects started.
Less targeted ads are exactly what we need. That's what the regulation aims for!
Your argument is like claiming that unfortunately, due to car dafety regulations, we cannot enjoy as many fatal accidents as we once did.
And to make my point of view clear: not all businesses deserve to exist. We as society decide which business models and behaviours are okay. "Decrease the total amount of commercial businesses started" cannot ever be a persuasive argument.
Nobody reasonable is arguing that it's a bad idea to let customers control their data. The actual issue is that the rules are vague and thus create a lot of confusion and waste that affects all companies, while not providing any real protection against the massive conglomerates that abuse data in the first place.
The #1 complaint about advertising is that in 2018, it has evolved into a shadowy, insecure brokerage of surveillance data that it obtains using all kinds of under-handed tactics. If the GDPR curbs this in the slightest, it will be a net positive for people of Europe.
They are playing games, and don't respect the requirements that the GDPR puts on "consent": focussed, freely given (non-punitive), fully informed.
Or maybe it's because the rules are confusing and messy and you have a different interpretation?
This a fallacy, not an argument. [1]
> Or maybe it's because the rules are confusing and messy and you have a different interpretation?
Please point out which rules are confusing and/or messy. Virtualy every single blog post about GDPR points out how it’s well written compared to other juridictions on the same subject. The language is clear and the website provides a Q/A section as well as concrete example for every point.
[1]: https://en.wikipedia.org/wiki/Argument_from_authority
> Please point out which rules are confusing and/or messy.
The comment thread you just replied to -- the one where you seem to saying that random HN commenter is more accurate than Facebook's entire legal team on regulation that is supposed to be unequivocal -- is a start.
No, it does not.
Maybe your playacting is simply because you‘re „Currently working on Instinctive, a B2B marketing technology company.“?
You do not know my history, and sadly you didn't even bother to do some basic research or you would recognize that I'm one of the few in our industry that has called for regulation and data protections for years. [1] Instinctive has been on the forefront of this as well with our most recent push for net neutrality. [2]
And surprisingly you seem to miss that B2B marketing is rather unaffected by GDPR since everything we do has always been contextually targeted, consent-based, and 1st-party relationships anyway. If you want to have a discussion, base it on the ideas and not the person.
1. https://twitter.com/search?f=tweets&q=manigandham%20regulati...
2. https://www.newamerica.org/oti/press-releases/companies-urge...
--
As for Facebook breaking laws, I find that incredibly hard to believe given their resources, recent legal , 1st-party data and consumer connections in their walled garden, and the fact that consent is already given by billions of users who just want to use FB products and don't care about the rest. They have nothing to gain from skirting regulations that only serve to strength their relationship.
I have nothing against targeted ads. I am against targeting ads and collecting/distributing my data without my explicit consent. E.g. mobile companies selling my real time location because there's some obscure sentence in their 90 page terms of service.
I wish regulation like GDPR would also be implemented in US, but really unlikely.
I mostly like GDPR. Ability to opt-in and being of charge of your data, i.e. removing it from a service if you want to, and the right to export and move it to another service are great and long due.
What I don't like is that it's a principle based regulation and thus it can be applied arbitrarily and selectively.
The side effects would include:
1) Reduced number of services available to EU customers.
2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
That’s not a bad thing. If services that don’t want to protect their users’ privacy can’t operate, that’s a good thing.
> 2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
How does this have anything to do with GDPR?
Some value it until they hit XXXXXXXXX amount of extra cost. Some only value it until they hit XXXX amount of extra cost.
Most probably only value it as much as they're forced to.
From what I've read, opt-in is only supposed to be used when there's an actual voluntary choice, and "allow us to share your data with 3rd party trackers or we block you" doesn't count as a real choice.
It should be treated in the same way as opting into marketing emails. Totally optional. Not opting in shouldn't totally break a site.
Why not?
The greater the power imbalance, the less free the choice. Social networks are a great example of this. You can choose not to use a particular one, but what's the alternative if everyone is already on that platform? You can go without, but what if it's LinkedIn, and there can be a real impact on your career?
But you do have a choice. Don't use the site if you don't consent to its rules. Pretty straightforward choice.
It is, if you don't think the rest of what I wrote is worth any consideration.
Nobody is suggesting companies provide free services. We're saying that personal data is more than commodity, and we should be looking to more ethical business models. And we won't be sad to lose companies that can't adapt.
edit: And I don't think my point was silly, but I'm also not really libertarian. So I don't think it's acceptable for companies to abuse their dominant position to make things worse for society at large.
because everyone knows that it is better to not make no money at all, than just a slightly less than normal because your ads are not targeted.
> 2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.
Sure, and it is their absolute right to do so, but other people finally have some control over their data, I especially like the fact that finally user can also remove/change the data about them.
Which is exactly what GDPR is designed to stop. You're welcome - the rest of the world.
is it though? According to https://en.wikipedia.org/wiki/Ease_of_doing_business_index#R...
USA is 3 positions behind Denmark which is in EU, and just one ahead of UK.
Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.
EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.
Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright -, trademark -, and health laws.
The old web was mostly static websites. We spoke of visitors. The new web is app-ified/interactive, walled off to logged-in agreement-abiding geolocated users, and even a single logged-out "visit" broadcasts this to 100s of trackers who will remember your every move online.
> The internet doesn't know political boundaries
Tell that to this US law the whole world has to comply with to called DMCA.
I assure you I have been against the DMCA since before it passed, though I don't think it's quite the same nor do two wrongs make a right.
I would suggest that you remove google analytics then. It only causes harm.
If a site has no US presence and blocks all users in the US, what negative repercussion can violating the DMCA incur? Maybe their domain can be siezed, but that can be avoided by not having a domain hosted in the US. The US could block all traffic to the site, but that should be moot if the site has no US users.
It's been this way for nearly 20 years.
I'm still failing to see how the original claim, that everyone has to abide by the DMCA, is true. This seems like claiming that everyone has to abide by Thailand's Lese Majeste laws (laws criminalizing insults to the monarchy). Yes people may face repercussion if they have an economic or physical presence in the country. But if they don't, then theres nothing Thailand can do to enforce this law .*
* not without cooperation with other countries at least. Some nearby countries are known to enforce Thailand's Lese Majeste laws abroad and extradite people. But in most countries, this isn't the case.
Again, if a country doesn't want to abide by the DMCA then they don't have to. Extradition treaties and the Pirate Bay do not disprove this claim.
But extraordinary retention is just the fancy word for CIA abduction. So no treaties are in place here.
As a small blog, no ISP is going to give you the time of day, so it's not PII because you have no avenue for converting it to a person. If you transmit that data (say to google analytics) it might /become/ PII because google (or any other person you transmit it to) may combine it with other data they have access to, to turn it into PII.
The reasons large organizations are fretting about IP addresses are thus:
a) They have IP/timestamp records going back years, maybe decades
b) They may have ISPs willing to talk to them about who had the IP address at a specific time
c) They can't confidently allow that data to pass to partners in case their partners have access to ISP records
d) That data is a ticking timebomb, because even if they don't have an agreement with an ISP now, if an ISP offers that service for free to all takers in the future, their trove of IP/timestamp pairs could suddenly become PII overnight through no action from them
So yeah, for businesses operating at a certain scale, IP/timestamp combos are now a toxic asset. That doesn't mean your log files for your blog are suddenly a GDPR violation, unless you share them with people or have an inside track with a local ISP.
You can read more here: https://www.whitecase.com/publications/alert/court-confirms-...
It doesn't have to.
If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?
Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?
>EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.
So what? If the EU wants to stifle competition, why should the US care. They are only hurting themselves.
You don't.
If they're not In The Union, and you're not In The Union, then you're not required to comply with the GDPR.
> Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?
It's impossible to give consent for something if you don't fully understand the ramifications of what you're consenting to[1].
[1]: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...
It must feel horrible, now that the US is on the receiving end of this for a change... ;)
Am I reading this wrong? If the college student creates just a simple page, he/she is already complaint with GDPR.
If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.
The treatment of privacy is one of issues where it's pretty much impossible for individual protect from, GDPR tilts the scale in favor of individuals.
For normal operation system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI etc.
Do you disagree with this TLDR of the regulation?
https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-d...
Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.
It's called software cause it can be changed easily.
I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.
No, because that website doesn’t collect personal information.
> and build a system to get user consent, etc.
You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
Yes it does. It a least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitue personal data.
> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
Again, I specified a meme generator site that has at least some user specific personalization.
DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority b) monitoring subjects on large scale c) dealing with criminal conviction data.
> build a system to get user consent
It's called a checkbox. They likely use one to agree to TOS anyway. If you don't have that one, DMCA and COPA is what you should be worried about before GDPR. (If you're based on the US anyway)
However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count threshholds or anything like that.
Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.
Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.
I'm not saying every these tasks are hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.
Themselves
> build a system to purge user data
SELECT * from users, memes, usermemes where userid = #####
You sign up for a website and upload and share a bunch of memes.... honestly... the shit isn't really your data anymore. It is the publics. You shared it and yanking it back is kind of a dick move.
It really isn't as "simple" as a DELETE statement that some people argue it is.
As for personal info, most meme websites don't require any accounts to create them, because it only makes the site less usable, but if the site do have accounts, you do have right to see/update your account, you have right to delete your account and be sure that if your account is deleted the data is actually gone.
Very generous assumption on your part. Article 9 specifically says that anything revealing personal info like ethnicity, political affiliation, etc. is covered by GDPR. If I look at a Adam's list of authored memes and there's a bunch of pro-Democrat memes and I look at Bob's and it's all pro-Republican memes, then it's very easy to see a court ruling that a memes reveal political affiliation.
This is my plan. What are they going to do, extradite me over claims that my access logs includes IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?
If not, then worrying about GDPR which is mostly not enforceable in the US sounds disingenuous.
I'm guessing they also ignore those laws, because of posts like this one. If you're running a business complying with regulations, you likely already know how to block a country. I mean, you keep track of the current embargoes and block relevant countries, right?
How about you look at what bs comes out of the US gov't? That is the worst foreign requirement and violation of sovereignty so far, and it keeps on giving.
2. Fuck your souvereignty. Seriously. USA has no problem violating secrecy of correspondency worldwide, and argues in length for years whether wiretapping its citizens is OK, because everybody agrees wiretapping others is perfectly fine. USA forces poor half of the world to follow ridiculous copyright law, including software patents and art becoming public domain after a century or more. There's no good will earned there, so don't expect a free pass cause of your feelings. Want to serve customers from other countries - have to obey the law there.
3. they probably could. Still - I'm sure there will be "GDPR as a service" soon. Maybe some libraries, frameworks and standards how to handle personal data will finally be created? This should have been done decades ago.
The law is designed to cover pessimistic case. You can get sick because of food poisoning, you can be robbed because your identity was stolen.
I don't think my comparison was dishonest.
Nobody’s saying both are treated equally under the GDPR. The law stays the same, the way it’s enforced is adapted to the case, like any juridiction. Whatever the situation, you always get a warning before being fined.
When corporations like Equifax or Cambridge Analytica have engaged in identity theft to the tune of basically half the continent of North America, you want to repeal one of the few laws fighting against it with an argument about kids in dorm rooms? It's basically the tech equivalent of "won't somebody think of the children?"
Oops, seems you’ve forgotten about the “right to be forgotten”, and several other requirements. Better prepare yourself for those >$20 million fines — how dare you negligently handle personal data, college software engineering student!
I’m all for strengthening privacy protections and punishing bad actors in this domain, but designing strong regulations that don’t have seriously bad unintended consequences, is a really really difficult task. I’m not necessarily saying it shouldn’t be done; just that I don’t envy the jobs of those trying their best to do good for the world via regulations without accidentally destroying some really good things.
It may turn out that GDPR has few unintended negative consequences, or it may turn out the harmful side effects are far more severe than anyone predicted. Only time will tell, I suppose.
Personally, I wish there were a technical solution to privacy concerns — something akin to DRM, but applied to each individual’s personal data to prevent it from being used in unauthorized ways. That’s about the only kind of DRM I think I could really get excited about :)
Those kind of fines are simply not compatible with low quality advise like “Just add an opt-in checkbox, and you’re good to go for GDPR! What’s the big deal?”.
Overall, I like GDPR a lot (though as a disclaimer, I should say I haven’t read all ~80 pages yet).
Still, I am not as confident as many here that GDPR will have no serious unintended side effects.
Imagine for example if Google, Microsoft, Facebook, etc. all get hit with huge fines despite genuine best attempts by them to be compliant, after which they decide to cut their losses and exit the EU market entirely. Stock markets could crash globally, a new recession would occur, etc.
I very much doubt anything like that would happen, of course. But until things settle post-GDPR, I don’t think anyone can say for certain how this will economically affect the EU, and the world.
If the side project uses personal user data, then there is no reason to treat them differently.
EDIT: Example: https://ec.europa.eu/justice/smedataprotect/index_en.htm
I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.
This is by the way the same problem with the various restaurant analogies. It makes some sense for the health department to inspect large restaurants. It would make no sense for them to subject neighborhood cookouts to the same degree of scrutiny.
GDPR seems to be based not on actual harm that could occur based on invasive, sketchy or otherwise bad data storage practices; instead, it seems based on a subjective idea that people have "fundamental rights" to various forms of state-mediated protection in relation to technology. Rights are unequivocal and almost entirely uncompromising.
>
> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.
That's false. The GDPR repeatedly refers to evaluating the risk with regards to various decisions. The ICO even has separate guidance for small businesses and big businesses.
> 2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.
This one I can appreciate, but perhaps look at it from our point of view:
You're violating our laws that protect our citizens.
Why would we possibly have any sympathy for that?
> 3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?
The GDPR is easier to read than many US laws, and you don't have to read it anyway. The ICO has written extremely high-quality guidance for most businesses which will suffice. It should take no more than a few hours to determine how your business would be affected.
https://ico.org.uk/for-organisations/business/
No one forced your citizens to come to my website.
But when you want to trade with Europe, you have to abide by our standards for human rights.
I guess they can afford it.
As for SV seeing GDPR as more of a hindrance: SV was build on the freemium model of gathering as much data as possible. Companies were funded under the assumption that their user growth would lead to valuable data stores.
GDPR and an increased privacy aware public are existential threats to these companies, as there is little chance to pivot to a non-data-use company. You have to start over.
I hope we will look back at these companies as ugly centralizing dinosaurs, as little by little, the consumers realize the power they gained back (or always had) over their usage and data, does not justify these business models to exist.
(Also, GDPR, even when seen as an opportunity, _is_ a hindrance to implement. Regulation in response to market evils is known to be heavy-handed and clumsy).
It doesn't matter it's ineffective. The block means they're complying with GDPR's requirement that they not target Europeans.
the only way for all businesses around the world to avoid abuse and subjugation to eu regulators, who they cannot influence, is to not exist at all?
This means that you should be criminally prosecuted by the US. The government sees this the same as hacking.
XD XD XD
I have a site that I did this with. I also wish the US would pass a law like this. And I beg to differ. No, I don't believe this is self-contradictory.
The issue is risk. I'm a one-man band - the site in question does make money most of the time, but not much, and it has always been much more of a hobby/labor of love than a business[1]. And when any legal change means I might end up with legal grief or potentially not be visit European relatives again, even if I generally approve of the change, I'm going to knife it because there is no planet on which the site means more to me than the risk.
My plan right now is to let the big boys who can afford it take the initial lawsuits and let them shake out what the vagaries mean, then come back in a year or so and see what my exposure would be if I let ya'll back in.
[1] Oh, and it should already be complaint, at least as I understand 'compliant'; I added notices and rejiggered a few things for selective denial and whatnot. I never have and never will sell/rent/share user data, don't integrate with any surveillance/ad networks, etc. But I have no confidence that someone won't see me as a likely target to use to make some point, and hiring a legal consultant for something this size would take it from slightly profitable to a future break-even measured in many years.
This makes it difficult, if not impossible, to find links to living individuals. A ton of people have done a ton of work to build a shared public tree, and some 50-100 years of it are getting chopped off the bottom.
The GDPR is even an issue for people running simple blogs and forums. Many public software for these don't even have the features for GDPR compliance.
It's a bit like a good forest fire. Out of the monocultural ash sprout (life sustaining) varieties.
When you're in "move fast and break things" mode, getting stuff working for SOME users is better than having a complete solution for all users that come much later. It's not even just about ignoring Europeans. A lot of these products and software solutions start "only available in California", or hell, only in SF. That's even true for some stuff from big companies like Amazon.
Then as you grow, you can start tackling more barriers and regulations from other countries. I mean, there's plenty of companies that won't ship to my address because they don't do business with the US. Or when I lived in Quebec, I could not participate to a lot of contests because it wasn't worth it for these entities to deal with Quebec's gambling laws. That's ok.
Even if you agree with the general idea of GDPR, even if you want to implement the tightest privacy rules you can't in your software, there's more to it than that. I've watched lawyers duke it out over some of the details. My employer takes GDPR very seriously and we've done everything in our power to comply, not just with the letter, but also with the spirit of the law. But we're big, we have money, and we're actively trying to grow internationally. 10+ years ago when the company was barely afloat? I'm not sure they would have been able to deal with the fine prints even if they wanted to.
There's more to GDPR than sending a silly email and adding a "Delete all the things!" button.
What used to be a full opt-in to the content and business model of a site, the EU wants to only get the content and choose whether or not they want to support a sites business model. You cannot have your cake and eat it too. If you want the sites content, then you should also agree to their business model to actually support it.
Unsurprisingly, now that you cannot tie a sites value with their business model, many companies are choosing to leave the EU as they assume most people don't want to pay for the content they consume (in addition to other things).
And the whole idea here is that I’d businesses don’t feel like complying with the regulation, then the EU doesn’t feel welcome letting them do business. And if we all believe capitalism is as wonderful as we say it is all the time, then businesses will spring up to fill the demand left behind. But if that doesn’t happen... hmm. Maybe it wasn’t such a great idea after all.
"This Regulation applies to the processing of personal data of data subjects who are in the Union"
- This is insufficient for GDPR compliance. Besides the other points mentioned in this thread, you also need to delete any data about EU residents you have already collected.
- CloudFlare sets a geolocation header, you can probably just use that without consulting a third party, without adding any latency!
This is a very weak and lame attempt at just getting people to use your service when it's already built in...
You mean like America? That time when the USA decided to enforce their embargo against Cuba by intercepting a payment from one of the Nordics for a bunch of Cuban cigars? No, that's unlikely.
> Is the EU going to extradite owners of these businesses?
Extremely unlikely, besides that would require the cooperation of the other country. But - and this is interesting - the other countries typically expect the EU to cooperate with extraditions when the law is broken and we do. So who knows.
> Are EU courts going to issue default judgements on businesses and individuals?
Against individuals: Unlikely, but it could happen, against businesses, that's typically how things go when one party doesn't show up.
But note that for that to happen you first have to ignore the regulators for long enough to get them really pissed off, an action I would recommend against.
Would be easier if Europe had a coherent voice. You got the former Eastern Bloc countries desperately clinging to the US (because they, rightfully, fear that Putin will screw them over), you got the UK which is trying to not fall apart due to Brexit, France is... France and Merkel is trying to prevent the worst of the shitshow, even though she's miserably failing at that (and under heavy pressure from the AfD nazis and her own sister party which is openly copying the nazis).
In addition, Europe is so damn far behind the US when it comes to military power - jeez, German army is practicing tank shooters with broomsticks as munition, the NH90 marine helicopters are not allowed to fly over water and we all know what a fuckfest the A400M is. No money, no competence, but it wasn't a problem since WW2 as the USA had always covered the EU... now that Trump is, well, being Trump the EU has yet another giant problem to tackle.
As a European, I consider this a good thing.
Would like more spending to make sure soldiers don't die due to shitty equipment, but still largely fine.
I am ideologically more aligned to pacifism, the problem is that it does not work in a world of wannabe highschool bullies (USA, China, Russia, Iran, Saudi-Arabia, Qatar) vying for regional dominance.
Europe is so damn powerless and underfunded that we cannot even ensure that basic human rights are respected in conflict areas. On a bully stage, the tiny kid will always be the one that's bullied. No matter how economically powerful the EU is.
They have a pretty easy to defend position.
To be honest I used to think you were just a shameless self-promoter like almost everyone else, but in this case you've risen to the occasion. Bravo. I think you're now rating quite high in most people's "mental books of good people". Or at the very least, in the minds of people who actually have a strong impact.
I'd love to see the dataset you have access to backing up any of that statement. It must be fascinating.
That would make you a sub-processor.
Yes, like America. This may shock you, but America isn't always right.
That was exactly your parent's point?
Disappointing to see so many EU apologists defaulting to whataboutism.
Ahh yes, one of my favorite logical fallacies: https://en.wikipedia.org/wiki/Tu_quoque
If Jamaica passed a law fining any company that hired homosexuals, we'd consider it bullshit even if they tried to abstract it a level up by only passing it as a local law, and then passing another law saying companies that serve Jamaicans have to have local representatives. I'm not sure why you think this is any less bullshitty a tactic, other than the fact that the law they're trying to push seems more reasonable (which I agree with).
If you don't like foreign markets, don't enter them.
> Against individuals: Unlikely, but it could happen
AFAIK IANAL: GDPR doesn't apply to individuals that e.g. host mastodon instance.
>> Agreed
Not a lawyer too, but I'm interested what makes you (and jbfoo) believe that it doesn't apply to individuals. It's a EU regulation it should apply to natural and legal persons.
Ok, it has an exception for the processing of data by natural persons in the course of a purely personal or household activity but that doesn't mean it doesn't apply to individuals in general.
If you set up a service that operates in the same way as a similar service would operate if it were done by a business then I suspect that you being a private individual is not going to be much protection, after all you are effectively roughly in the same situation as a sole proprietor business minus the incorporation.
If you process data for family and friends then that would most likely be enough to trigger the exception.
So the dividing line in the case of a Mastodon server would likely be whether or not you allow total strangers to make use of the service and whether or not you respect their rights.
However, some non-commercial Mastodon instances are now supporting thousands of users. An argument could be made that operating such instances is no longer a "personal or household activity".
Whilst I would hope that the local data protection agency would side with the Mastodon instance operator, it does put them in a rather difficult situation.
I think this possibility raises a lot of concern for operators of Mastodon instances and other online services.
I get the impression that a big part of the motivation for GDPR is this type of resentment against America.
If Facebook was german there's no way that GDPR would of passed.
So while blocking the EU isn’t required, the other tests they use to determine whether or not you intended to offer services to EU residents are a bit murky. In light of that, what better way is there to make your intention to not serve EU users clear to all than to block EU users? That’s the main reason to do it. This kind of blockade will not prevent all EU users from accessing your site, but it doesn’t matter. You’ll have made your intent to not serve EU users clear, which will preserve your immunity to GDPR.
[1] http://www.privacy-regulation.eu/en/recital-23-GDPR.htm
But I don’t disagree that some EU countries that intend to abuse the GDPR for the purpose of generating massive amounts of revenue from fines may try to make this kind of claim. One of the problems with GDPR is that when you combine unclear regulation with the lack of moral hazard that government agencies enjoy and the financial incentive of massive fines, you create a monster that will constantly seek to expand who and what is covered under it.
Regardless, it’s one more reason to block radioactive EU traffic.
Probably you can offload some challenges to the ad network, if they don't tell you enough of their business, but that's between you and them. For me I'm accessing your site.
You aren’t serving any ads in the case of an ad network. You contracted with an ad network that is within the US and the site on which you served their code is not otherwise subject to the GDPR. Your intent to not serve the EU market is clear.
Note that a common response by foreign banks to FATCA is to refuse to do business with Americans, which is very likely the best course of action. So it shouldn't be surprising when companies take similar precautions because of GDPR.
That being said, the starting point shouldn't be, "there's no need to imagine that I'm violating GDPR. I only serve Americans". The starting point should be, "I had better imagine that I might be violating GDPR even though I only intend to serve Americans. Are there things I haven't considered? Are there resources I should seek out? As a service provider of some kind, hadn't I better spend a day or two imagining the ways I might run into trouble and plan to avoid it?"
I'm biased for the GDPR, since I think every site should follow its principles regardless of legal obligation, but I don't think the rationale you're proposing is scalable.
I'm not even sure about sane way to map IP address to country. There are some geolocation services, but I doubt that they are 100% precise and probably paid. Also if I'm using geolocation service passing IP of the incoming request, does that mean that I'm already violated someone's privacy? This is weird.
Its your favorite dictator, the leader of Crazystan and from 29th of May 2018 I ask that from that date, for every site accessed by citizens of my country I require the hosting company to send one employee to be sacrificed to our mighty gods.
Failure to comply will attract a fine of 50 Gazillion dollars.
It's when you start collecting personal data on EU residents, send their personal data to third parties for analytics/targeted advertising, and so on, that things get interesting.
I run a small UK based IT firm. So far I've turned down some of the logging on my HA Proxy instances and stopped logging IPs and user agents in general and a few other things. If I need to do some diags then I'll turn them on again. That's on the long term stored logs (due to backups). So far, my backups are smaller 8)
I do keep very detailed logs with IPs (actually full packet capture) in the ES cluster for IDS purposes but those are turned over (deleted) within a few hours. Less detailed logs last a lot longer.
Or, maybe, just block all of the EU.... probably a lot easier for a small site.
- You make a note that this data is being logged.
- You state for how long this is logged (6 months is reasonable), and justify that time frame.
- You state who else has access to these logs.
- You state what steps you have taken to try to minimize unauthorized access to these logs.
- In a register (these statements should be delivered on request of a law supervisor) you also provide your personal details, which users are affected by this data processing, and your goal (which should be something along the lines of: "fraud prevention and intrusion mitigation" to have legitimate interest. Expect big companies with law firms to push this "security interest"-angle hard, as they try to justify their data processing).
Pretty reasonable, no? It would be nice if the large web logging softwares provide standard options to automatically limit disclosure of PII web logs.
I wouldn't call that a similar law at all, because the spirit of it is so that the government can have access to that data…
A) The law seems to extend beyond the borders of the EU.
B) It's extremely long and vague, doesn't really offer a lot of actionable advice, and nobody outside of privacy lawyers seems to really understand it fully.
C) The penalties are harsh.
Further muddying the waters, the EU and US already have some existing bilateral agreements with respect to data privacy [1], but does the GDPR supersede or unilaterally invalidate these...? Who knows?
[1] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield
Hi guys,
It's Kim from the Best Korea, and we just decided that we are going to allow our people to access the Internet.
There is a tiny little thing though, our internet policy stipulates that for every traffic hit to sites outside our borders, the country of origin either donates 1 nuke or if it doesn't have nukes an item of great value, or a 24 hour TV broadcast featuring me.
A) It covers behaviour towards the citizens (ie passport carrying members) of the EU. It basically says: "please do not be evil" - OK it says a lot more but I think you get the idea.
B) It does cover a lot of ground but it is written in pretty accessible language for such a large and complex subject.
C) The possible maximum penalties are set at a level that will not destroy a serial transgressor but should hopefully deter anyone from becoming such a beast in the first place.
Overall, GDPR is really a manifesto for how people should be treated in the burgeoning data economy. I still find it hard to understand how such a reasonable and farsighted set of regs came to be designed in the first place. As a citizen of the UK, at least I am reasonably certain that the GDPR will stay on the local statute books post Brexit because to contemplate otherwise is economic suicide.
If you have a lawful basis for collecting the information, you're only passing it along to others as necessary to provide your service to your customers, the customers have clearly consented, and you employ reasonable protection of that data... it's extremely unlikely that you're in violation.
And if you were, they'd come to you first with a warning (at least based on past behavior). They're not going to seize assets unless you seriously provoke them.
1: ignore GDPR, you'll probably fly under. And if you dont, fine are scaled for business and people affected, as well as privacy infraction. Encrypt your backups, encrypt PII if you can do it effortlessly, and you're good. If you are not using emails except for checking double inscription, encrypt them too, the entropy is low BUT this is better than nothing .
2: If you have some time and money to spend to try to improve your services: self-report. A public agent will point you the weakness of your data processing.
The entire point is, NO you can't just ignore GDPR. Your lack of action toward compliance is negligent.
Anyone not up to shady activity can afford to wait for the case law and best practices to settle before doing anything.
I don't comply with laws from many other jurisdictions either. Should I start applying censorship laws for China and Saudi Arabia too? Why should the EU be special?
People get used to accepting the stupid cookie law and it becomes a habit, and in a couple of years the law lost it's meaning (people blindly accept cookie law) and no-one cares about "the great privacy laws of the EU".
This is probably how GDPR will end up, no sane person would have the time to read all the privacy notices and the crappy opt-ins to just order food as fast as possible.
Hey I'm starving I need that food ordered now, here's my location so you can deliver food here, I don't give a rat's ass about your privacy statement and clickady clack are there any more opt-ins to check before I can finally order my food?
My feeling is it is going to end up like the cookie law, but who knows at this stage.
GDPR only applies if you are providing a service to a EU citizen. That also explains what EU will do if a company doesnt comply with GDPR (where it should); they will stop the company from providing those services to the EU citizen.
This is also why blocking EU traffic doesnt make you GDPR compliant (I can use a vpn or visit your site when travelling, and then you are still providing a service to a EU citizen).
If the case really is as you say, with just serving http request, then you have no issue with being GDPR compliant, because you dont store and information about the EU citizen. If however you are not just serving http requests, but track the user or otherwise store information on the site visitor, then you may have GDPR issues. But if you do store data about your users, you really should treat the data correctly.
GDPR is common sense, and if you bother to understand it correctly, its fairly easy to be compliant. Though I’d say, the bigger the company the more complex the implementation.
As Americans we're particularly sensitive about having to follow rules made by people who don't represent us and are not accountable to us. This is a totally fair and justifiable reason to be against GDPR even if you agree with its objectives.
That may be one of the most ironic comments I’ve ever heard. I love americans, but as a super power you stick your nose into so many other countries business, directly or indirectly. So, lets just say that argument is not gonna change my view in any way.
I don’t think I am mistaking intent with implementation. The regulation’s written text leavea many details to be answered along the way and the first couple of rulings on GDPR will (hopefully) bring us a lot of insigts into how to interpret and implement GDPR in practice. So I guess no one really knows the implementation yet. Until then we have to go by what is reasonable and the intent. And if you store data on private citizens you better treat it correctly.
I experienced this myself. EU is absolutely powerless outside their borders.
In practice, GDPR is binding on businesses that operate within the EU. An EU citizen in the US doing business with a US-only company is not afforded any protections under GDPR.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Edit: fix list formatting
Just use Content-Security-Policies to block your pages from loading anything but safe assets/services.
You will need to politely ask those not using browsers that support CSPs to switch/upgrade.
There is no possible way they can enforce any law, fine or penalty outside their borders. They won't even try.
I asked a data protection specialist, a real expert on the legislation, but they couldn't answer that question for me.
Two years ago (14 April 2016) the regulation was adopted, and a 2 year notice period was put in place so businesses could prepare
That notice period ended today
"Q: How do I delete my account?"
"A: Please get in touch with our Customer Services team if you have any worries or concerns. If something at {website} has troubled you, we'll be happy to help sort it out."
To their credit, the support chat person was very efficient in complying with my request.
If I run a business putting up American flags on people's houses on patriotic holidays (an actual business in my neighborhood), then ignoring the EU market is an easy decision because I already was.
Like say a software service which I would assume is more common investment target here rather than flags.
For all its noise and bluster about "500 million customers lost!" the European Union is still less than 7% of the world. I think most businesses would be happy to serve the other 93%.
I would imagine that the stock market value would take a rather strong dip if a company proclaimed that they revenue would be cut down to 75%. Investments and stock options are not only valued by the companies current ability to survive, but also speculative value.
You make two mistakes:
1 - Assuming every business has investors. The majority do not.
2 - Assuming every business is suited to a global audience. The vast majority are not.
"what does the investors think when a company volentarly leaves the EU market?"
This question has 4 predicates.
1) investors. If no investors then there is no investors that can have an opinion.
2) Company. If no company then no investors, and since you have no investors than point 1 applies.
3) leaves. If the company don't leave the market then the investors can't object to a company is leaving, as such point 1 and point 2 applies.
4) EU market. If the company is not leaving the EU market then the question about what investors will think about a company leaving the EU market is not relevant, and thus point 1, point 2 and point 3 applies.
> Assuming every business is suited to a global audience
That was the question. What does investors assume when investing in a software company such as those ycombinate investors usually invest in, for which HN is a forum created by ycombinate.
The GDPR applies to any residents of the EU, not EU citizens regardless of location.