If someone's business is no longer profitable after complying with GDPR, this is a reasonable step to make. I know that to many that means you have a bad/scummy business model, but in any case if you are in this category it definitely makes sense to block EU visitors. I think there are probably a lot of sites in this category as targeted ads are ubiquitous and the source of income of lots of sites. We may see some that are complying now give up if enough people start opting out.
It's more the level of risk. I help run a small nonprofit that uses no advertising and sells no data. If we fail to comply with the GDPR, we're subject to a €20M fine. If it was 4% of global revenue I'd just pay the $80, but no, it's the greater amount. It's a reasonable choice for someone not doing anything scummy to avoid the chance of an impossible debt.
1. Be upfront about what user-data you collect and how you use it.
2. Or try to find ways to not seem like a scummy, unprofessional or unreliable business partner while randomly blocking customers from your site, because you cant account for their data.
You’d think the choice be pretty fucking obvious, no?
I can't afford the legal costs to prove my innocence against a foreign government anymore than I could afford a $20 million fine. (there's no limit to how many times they can attempt to fine you, even if you are innocent every time)
You only have to prove "innocence" if your users doubt your statements about PII handling, are so annoyed about your doing that they inform the supervisory authority and that authority has sufficient doubt that they open an investigation. It must be a tricky/dirty/spammy business you're in if you really fear that your users will call the authorities in droves about your procedures.
Even for user requests the law states that the user must show that he has a valid reason to act, repeated requests just for the fun of it don't need to be honored and the user can charged for thus a behaviour.
And to be honest: Blocking access casts more doubt than being open and ask for consent.
You are utterly and completely wrong. All it takes is court papers and a lawsuit for _any_ reason at all, and you are done.
You seem to be claiming the GDPR dictates who is allowed to sue and what evidence they must provide, and it simply does not. Go look it up, it's a "guilty until proven innocent" system, which guarantees loss to the accused, guilty or not.
You obviously don't know how the EU works. If a Data Protection Agency comes to know your wrongdoings, they'll first try to resolve peacefully the matter, by telling you what you're doing wrong. Only if you persist multiple times you'll be in danger of being brought to court.
Source? From what I know, the German DPAs (they are organized on state level) hand out like 2 fines per month each, generally way below the maxima (under old German law, the max was 300000 €), and concluding the majority of cases without a fine.
in the years 2015-2016 they had 173 proceedings that could involved potential fines. 52 of those resulted in fines. 34 of those fines were <1k€, 13 were <10k€.
No, they aren't. There have been user complaints about them. These complaints can ultimately result in a investigation and finally a court case. That is still far off, however
>"The suit against Google alleges that users of the company's Android software are forced to turn over personal data to use an Android-powered mobile device.
The lawsuit alleges this "forced consent" amounts to a violation of GDPR, which guarantees individuals the right to consent when companies want to collect and process their personal data."
this just shows how lacking cnns quality is nowadays.
It most likely will become a lawsuit in the next days/weeks, yes. But just because an investigation got started doesnt necessarily mean that it'll end in an lawsuit. This is exactly was the original post was talking about. The investigator will contact the company, look at how the company processes the data and finally - if they're willfully ignoring gdpr - open an actual case.
more likely however is that the company already tried to comply and will just get a few reports of things they have to change/improve.
as google probably doesn't have interest in actually upholding gdpr, the investigators will probably soon-ish open an actual suit.
You are missing the entire point of this thread, my first comment:
>I can't afford the legal costs to prove my innocence against a foreign government anymore than I could afford a $20 million fine. (there's no limit to how many times they can attempt to fine you, even if you are innocent every time)
This is just _one_ person/entity suing these companies (not even the government). Unless they want a default judgement against them, they have to pay lawyers to defend these suits.
They are being sued under the GDPR, the complaints linked on noyb.eu are not "misleading" they are legal documents that have been submitted to the courts. That's what a lawsuit is. It doesn't matter who initiated it or why.
Having dealt with 2 DPAs (UK and DE) it is guilty until proven innocent I think you may be thinking of the rights of seeking damages under the GDPR which is utterly irrelevant to the core enforcement of it.
I think have way too of a rosy outlook on how laws are enforced in the EU much of the enforcement is contradictory to the ideals you hold in such high regard.
Charities are one of the most common targets of data protection enforcement in the EU even before the GDPR, in the UK they are collectively the sector that gets hit the most by the ICO and the picture isn’t much different on the continent and one of the main reasons for that is that they are easy targets (this does not mean they didnt do anything wrong but they are easy targets nonetheless).
Neither of those points address the issues I raised, which is risk of fines. "Just comply" isn't an amazing option when I can't even comprehend the applicable law from every supervisory authority in the Union.
Right now, GDPR is like a bet, where if you win you make a small amount of money, and if you lose you lose €20 million, and no one knows what the odds are. In a year's time, you will probably see people drift back into the European market, as we'll have a better idea what the enforcement regime will actually look like.
So, how many cases do you know where fines are collected from small non-EU businesses? None? Okay.
Why do you insist in a sum of €20 million, even if the law states that the fines (if applicable) should be reasonable and take into consideration if the non-compliance was intentional, repeated and massive?
But it _is_ intentional if you block EU users you had in the past, continue to store/process/sell their collected PII without their consent and deny them a way to get information about the scope of your doing or a way to request deletion.
Tell your users what PII you collect about them and why, ask for consent and give an option to opt-out.
There is not "legal threat" if you are open about your business model, keep the collected PII reasonable and safe and don't sell the data without consent. Honoring requests for information or deletion is still a problem for you if you served EU users in the past if you don't delete/anonymize that data - even if you block access. If you're not open about your data processing and handling and don't ask for consent, don't blame the GDPR for a business model that can't be honest to your users.
You are confirming that all it takes is a little slip up, and your entire life is ruined by legal fees. Or even just the "whiff" of potential slip up, not even a real one, but only a perceived slip up, and your life is over.
I have been in court before, if you have not, perhaps that is why you are ignorant of the horrendous dangers this law puts on everyone.
No. After one small slip up nothing would happen, unless someone notices it and reports it to the regulator. At that point they'd write you a letter and explain where they think you're going wrong, and point to best practice, and ask you to confirm what you're actually doing.
If you have no presence in the EU, why should you care about the GDPR? My website contains jokes that will get me imprisoned in some countries, but I don't block access to those countries since their legislation does not apply.
Because those countries have not announced to the world that will sue you in court if one of their citizens reads your jokes. The GDPR has done this.
I "believe" this law was intended to be a big hammer on the data brokers of the world, but the little fish often get the focus after the big fish are all caught. Even if they aren't the original target.
If you haven't looked up the law, you should do so. It states emphatically and clearly, you having a business presence in the EU is irrelevant to this law.
First off, I've never heard of one that claims if I interact with their citizen that I am liable under their law.
And more importantly, this is a total fiasco. I have dozens of emails from all kinds of providers telling me about updates to their privacy policies or otherwise. And there's been talk and warning for month from Wordpress plugin devs and blogs.
Can you name a single other foreign law in the past 20 years that has had this effect on US businesses?
The net response EU media companies seem to agree on is that "do you accept cookies or refuse to read our site ?" has now become an EULA-sized agreement for reading their site.
Everything else stayed the same. Technically you can say no, if you don't mind clicking on the no button every single screenfull.
If they were GDPR compliant they wouldn't block EU visitors. Blocking EU visitors does make GDPR not apply to you. There is no way if you are making a serious effort not to serve EU residents that they could enforce it on you
To block EU visitors, one probably uses IP geolocalisation. IP address is considered a personnal data (in the EU at least). The fun part is, forbidding access to a website according to IP geolocalisation might probably fall under GDPR law for automatic decision processing.
So, either you block access to your website using non-personnal data, or you probably actually are non-compliant with GDPR.
I am not compliant with Chinese, British or German anti-free speech laws either. Why should anyone feel threatened by a foreign government's internal laws? The US is a sovereign nation (as are almost all others) and EU laws do not apply here.
The GDPR _explicitly_ states that it's irrelevant if you want to do business there or not. It claims global authority over all nations and businesses that interact with it's "citizens", NOT "do business in the EU".
This is an unprecedented legal overreach. Just because we want the hammer brought down on the FB/Google beast, doesn't mean we should chop off our own hands to accomplish it.
> This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This one doesn't apply, because the controller or processor is outside the union.
> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
This one does apply, and look, it mentions services, but also...
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
...this applies too. You're monitoring the behaviour of EU citizens; those people have protections.
Let's compare this idea. I should be able to sell verboten art in Germany because I am an American citizen, and it's legal to do so here (but not there), so I "have protections" by my laws in the US?
Or am I misunderstanding how you are justifying the GDPR?
And Germany is free to stop that merchandise at the border, and then burns it. They only very, very rarely do so, but when they do, they will go after the customer that bought it.
Same thing when it became clear 2 years ago that sending large amounts of opiates through the mail into Germany is not actually a problem.
So theoretically, you are allowed to sell that art, because those laws don't apply to you. In theory it should be stopped at the border, and your customer may get arrested for buying it.
In practice, you are allowed to sell that art, and nothing is stopping you.
Needless to say, Germany is crying foul ! We make rules, and don't enforce them, and others don't automatically enforce them for us ! Evil capitalist data-selling election-stealing swine !
How do you recommend any company that makes less than a million a year to live under the threat of accidental destruction at the whim of a foreign nation?
Do you think we should comply with every countries laws? What happens when they conflict? (like US free speech laws vs China, or even Britain?)
I think this was meant as a hammer on Facebook/Google cartel. I doubt even MS, Amazon, or other large companies will be as adversely affected.
The GDPR targets the very business models of companies that collect data and sell it. For this I applaud it's effects, but it's a big nasty dragnet, and innocents are likely to get hurt.
I've seen this argument/fallacy said over and over again and it's time to speak up. This is called the "black and white" or "false dilemma" fallacy (https://yourlogicalfallacyis.com/black-or-white).
The premise is "Either you support the GDPR" or "you're running a shady PII sales scheme". The problem is that there is another option, you're not trying to abuse anyone's data but you don't have the time or interest to protect yourself against a vague legal document with Draconian fines and no track-record to know how it will be enforced.
And some of the requirements sound good on paper but less good in front of a screen. Take the request to see my data or download it. I either need to build in a process to automate it or do it manually, both of which take effort. Deleting data is another sounds-simpler-than-it-is problem. What about deleting PII like username from log files?
There are lots of people that are making this out like it's not that big of a deal - but it's not something I was expected to do until now and that most of the countries in the world require me to do. I'm not selling people's data or misuse it or them - why should I have to jump through these hoops if I don't need the EU audience or their threat of serious fines.
Although I dislike this solution for 99% of websites out there, there are valid short term reasons to use this solution.
Imagine e.g. a user survey on a US University which saves data not in a GDPR compliant format. Why should this very local small group website be GDPR compliant when it's almost 100% sure it's only used from the US?
OK, but now I ask myself what happens if a Europe exchange student also participates...
> Why should this very local small group website be GDPR compliant when it's almost 100% sure it's only used from the US
Because it’s the least one should do regarding privacy. When not mandated by law, doesn’t mean you don’t have to do the right thing.
Many companies that sell your data are complaining at the moment because they have to come clean about their malpractice. Don’t let them distract you from the compnies that always did the right thing and were gdpr complient before the laws were written.
In Croatia you get fines for not having a valid fire extinguisher even though there is one in the corner right there. Why? Because "they went out of their office and cannot return empty handed, so let's write this small fine at least".
Also, public companies (those owned partially by the state) are exempt from GDPR...
That is why GDPR sucks, it is just another tool in almost despotic government.
Re: messe - the massive overreaction seems to be from Americans in this thread insisting that since their perception of government regulators is as inefficient, a drag on business, and intent on vindictively fining people contrary to the provisions of their enabling legislation. (To me) seems like hand-wavy alarmism about the threat of international law and supranationalism to perceived individual freedom.
60 comments
[ 3.1 ms ] story [ 113 ms ] thread1. Be upfront about what user-data you collect and how you use it.
2. Or try to find ways to not seem like a scummy, unprofessional or unreliable business partner while randomly blocking customers from your site, because you cant account for their data.
You’d think the choice be pretty fucking obvious, no?
Even for user requests the law states that the user must show that he has a valid reason to act, repeated requests just for the fun of it don't need to be honored and the user can charged for thus a behaviour.
And to be honest: Blocking access casts more doubt than being open and ask for consent.
You seem to be claiming the GDPR dictates who is allowed to sue and what evidence they must provide, and it simply does not. Go look it up, it's a "guilty until proven innocent" system, which guarantees loss to the accused, guilty or not.
E.g. from the Bavarian DPA (german doc: https://www.lda.bayern.de/media/baylda_report_07.pdf, page 151):
in the years 2015-2016 they had 173 proceedings that could involved potential fines. 52 of those resulted in fines. 34 of those fines were <1k€, 13 were <10k€.
http://money.cnn.com/2018/05/25/technology/gdpr-compliance-f...
>"The suit against Google alleges that users of the company's Android software are forced to turn over personal data to use an Android-powered mobile device.
The lawsuit alleges this "forced consent" amounts to a violation of GDPR, which guarantees individuals the right to consent when companies want to collect and process their personal data."
It most likely will become a lawsuit in the next days/weeks, yes. But just because an investigation got started doesnt necessarily mean that it'll end in an lawsuit. This is exactly was the original post was talking about. The investigator will contact the company, look at how the company processes the data and finally - if they're willfully ignoring gdpr - open an actual case.
more likely however is that the company already tried to comply and will just get a few reports of things they have to change/improve.
as google probably doesn't have interest in actually upholding gdpr, the investigators will probably soon-ish open an actual suit.
Do I _really_ need to link to all the other news companies saying the same thing? There are lawsuits started already.
The source of the news are always the four complaints by noyb.eu, just as hadrien01 pointed out earlier.
Most non-sensationalist news pointed out that the nonprofit noyb.eu was probably created in the spirit of patent trolls.
>I can't afford the legal costs to prove my innocence against a foreign government anymore than I could afford a $20 million fine. (there's no limit to how many times they can attempt to fine you, even if you are innocent every time)
This is just _one_ person/entity suing these companies (not even the government). Unless they want a default judgement against them, they have to pay lawyers to defend these suits.
They are being sued under the GDPR, the complaints linked on noyb.eu are not "misleading" they are legal documents that have been submitted to the courts. That's what a lawsuit is. It doesn't matter who initiated it or why.
I'm not a lawyer though, so I might've misunderstood the wording.
Yes, it literally does do this. Please can you point to the bit that allows anyone to sue?
> Go look it up, it's a "guilty until proven innocent" system, which guarantees loss to the accused, guilty or not.
Completely untrue. That would be incompatible with human rights and European law.
You're scared about stuff that isn't in GDPR or that cannot happen under EU law.
I think have way too of a rosy outlook on how laws are enforced in the EU much of the enforcement is contradictory to the ideals you hold in such high regard.
Charities are one of the most common targets of data protection enforcement in the EU even before the GDPR, in the UK they are collectively the sector that gets hit the most by the ICO and the picture isn’t much different on the continent and one of the main reasons for that is that they are easy targets (this does not mean they didnt do anything wrong but they are easy targets nonetheless).
Right now, GDPR is like a bet, where if you win you make a small amount of money, and if you lose you lose €20 million, and no one knows what the odds are. In a year's time, you will probably see people drift back into the European market, as we'll have a better idea what the enforcement regime will actually look like.
As a small actor, chances of getting fined in an initial grace-period where things are sorted out is literally zero.
Why do you insist in a sum of €20 million, even if the law states that the fines (if applicable) should be reasonable and take into consideration if the non-compliance was intentional, repeated and massive?
But it _is_ intentional if you block EU users you had in the past, continue to store/process/sell their collected PII without their consent and deny them a way to get information about the scope of your doing or a way to request deletion.
It's not hysteria if it's a legitimate legal threat that could destroy your ability to feed your family.
There is not "legal threat" if you are open about your business model, keep the collected PII reasonable and safe and don't sell the data without consent. Honoring requests for information or deletion is still a problem for you if you served EU users in the past if you don't delete/anonymize that data - even if you block access. If you're not open about your data processing and handling and don't ask for consent, don't blame the GDPR for a business model that can't be honest to your users.
I have been in court before, if you have not, perhaps that is why you are ignorant of the horrendous dangers this law puts on everyone.
http://money.cnn.com/2018/05/25/technology/gdpr-compliance-f...
I "believe" this law was intended to be a big hammer on the data brokers of the world, but the little fish often get the focus after the big fish are all caught. Even if they aren't the original target.
If you haven't looked up the law, you should do so. It states emphatically and clearly, you having a business presence in the EU is irrelevant to this law.
"Any woman driving anywhere in the world can be stoned to death", I'm sure there's quite a few islamic clerics dreaming of the day it happens.
The thing to see is that this law, enforced internationally, has about the same level of realism that those clerics have.
And more importantly, this is a total fiasco. I have dozens of emails from all kinds of providers telling me about updates to their privacy policies or otherwise. And there's been talk and warning for month from Wordpress plugin devs and blogs.
Can you name a single other foreign law in the past 20 years that has had this effect on US businesses?
Everything else stayed the same. Technically you can say no, if you don't mind clicking on the no button every single screenfull.
So, either you block access to your website using non-personnal data, or you probably actually are non-compliant with GDPR.
The GDPR _explicitly_ states that it's irrelevant if you want to do business there or not. It claims global authority over all nations and businesses that interact with it's "citizens", NOT "do business in the EU".
This is an unprecedented legal overreach. Just because we want the hammer brought down on the FB/Google beast, doesn't mean we should chop off our own hands to accomplish it.
This one doesn't apply, because the controller or processor is outside the union.
> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
This one does apply, and look, it mentions services, but also...
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
...this applies too. You're monitoring the behaviour of EU citizens; those people have protections.
Or am I misunderstanding how you are justifying the GDPR?
Same thing when it became clear 2 years ago that sending large amounts of opiates through the mail into Germany is not actually a problem.
So theoretically, you are allowed to sell that art, because those laws don't apply to you. In theory it should be stopped at the border, and your customer may get arrested for buying it.
In practice, you are allowed to sell that art, and nothing is stopping you.
Needless to say, Germany is crying foul ! We make rules, and don't enforce them, and others don't automatically enforce them for us ! Evil capitalist data-selling election-stealing swine !
(note, I fully support the spirit of this law, and am happy they are shutting down the data cartels abuses)
Do you think we should comply with every countries laws? What happens when they conflict? (like US free speech laws vs China, or even Britain?)
Meanwhile other businesses which takes the GDPR seriously gets a massive boost in trust and reputation.
Guess which ones are going to get meaningful new business and which ones will be deemed unreliable and untrustworthy?
The GDPR targets the very business models of companies that collect data and sell it. For this I applaud it's effects, but it's a big nasty dragnet, and innocents are likely to get hurt.
The premise is "Either you support the GDPR" or "you're running a shady PII sales scheme". The problem is that there is another option, you're not trying to abuse anyone's data but you don't have the time or interest to protect yourself against a vague legal document with Draconian fines and no track-record to know how it will be enforced.
And some of the requirements sound good on paper but less good in front of a screen. Take the request to see my data or download it. I either need to build in a process to automate it or do it manually, both of which take effort. Deleting data is another sounds-simpler-than-it-is problem. What about deleting PII like username from log files?
There are lots of people that are making this out like it's not that big of a deal - but it's not something I was expected to do until now and that most of the countries in the world require me to do. I'm not selling people's data or misuse it or them - why should I have to jump through these hoops if I don't need the EU audience or their threat of serious fines.
Imagine e.g. a user survey on a US University which saves data not in a GDPR compliant format. Why should this very local small group website be GDPR compliant when it's almost 100% sure it's only used from the US?
OK, but now I ask myself what happens if a Europe exchange student also participates...
Because it’s the least one should do regarding privacy. When not mandated by law, doesn’t mean you don’t have to do the right thing.
Many companies that sell your data are complaining at the moment because they have to come clean about their malpractice. Don’t let them distract you from the compnies that always did the right thing and were gdpr complient before the laws were written.
Also, public companies (those owned partially by the state) are exempt from GDPR...
That is why GDPR sucks, it is just another tool in almost despotic government.