I think the GDPR is well intentioned and has provoked some important and useful conversations about how we make use of users’ data.
But reading stuff like this makes me that much more inclined to use that Cloudflare option of IP blocking the whole continent. This feels like a very slippery and dangerous can of worms that’s not worth opening.
There's already a tonne of laws every company has to comply with. The GDPR isn't any more onerous than any of those, it's just new. Even the "nightmare letter" doesn't have anything unreasonable in it and the only reason why it might be difficult for a company to comply with would be that their internal systems and processes were already horrifying - something which we have now collectively deemed that permitting is causing more harm than good.
What other laws do I have to comply with right now that are so vaguely defined and carry such horrifyingly punitive fees? I guess we'll have to wait and see how it's actually enforced but no other legal obligations I've had to consider so far when building products feel this threatening to smaller online businesses.
It's bad enough we have to deal with patent trolls. I'm not inclined to add this to my risk profile.
I feel like I have a pretty clear idea of the rules in the cases you describe. For GDPR I have no such confidence.
It seems like the smart thing for US startups to do right now is ignore EU customers until they’ve validated the business idea enough to justify the engineering and legal expenses of taking this on.
> The alternative is to not collect personal information from your customers
If that worked I'd embrace GDPR. Problem with "any consumer can make a complaint which requires expensive follow-up" regimes is one doesn't have to do anything wrong to incur costs. Someone can mis-interpret something and make a complaint. Now you have to interface with a regulator, which tends to be risky, expensive and time consuming.
If you're not collecting any information "interfacing with the regulator" means replying to their email by saying "we're not collecting any information". (Assuming they even got that far, given that they'd likely take a look at your website and notice you aren't collecting any information.)
I'm not sure what's risky, expensive or time consuming about that.
Consumer says “I think you’re lying” and forwards to their national data regulator. (This is as simple as writing an e-mail.)
Data regulator now asks you questions. You must respond. Hopefully they agree with you. But maybe not! Twenty-eight regulators appointed by different political groups are a complex system. You will need to gain expertise on them or hire someone with it.
All I’m saying is that time and money might be better used elsewhere. Particularly by someone just making side projects.
> Twenty-eight regulators appointed by different political groups are a complex system. You will need to gain expertise on them or hire someone with it. All I’m saying is that time and money might be better used elsewhere. Particularly by someone just making side projects.
If you're not collecting data, then all of this is irrelevant. You just say "I'm not collecting data". There's no nuance here.
This is your interpretation. Many prominent lawyers disagree.
In any case, convincing a regulator that you are not, in fact, collecting data could be harrowing, distracting and expensive. The risk of incurring those costs probably isn’t a smart one to take for a hacker or very early-stage start-up.
So in this hypothetical scenario, for some reason the regulator looks at your website, which presumably has no personal information inputs, no tracking analytics etc. and which you have asserted collects no personal information, and they decide that you're still somehow collecting information, and for some reason hounding your low traffic website is the best use of their limited resources.
Taking that risk (of a regulator mis-interpreting something and needing clarifications, again and again, or worse, mis-interpreting something and getting hostile) across the EU’s twenty-eight members is a good one for Facebook. Probably not for a hobbyist.
Even if we assume a completely bizarre and pathologically incompetent regulator that somehow ends up zeroing in on some tiny website which exhibits no evidence of violation, the hobbyist might have to... delete their website?
> If you're not collecting data, then all of this is irrelevant. You just say "I'm not collecting data". There's no nuance here.
How do you prove you are not collecting data?
If your use default configs of Apache, or Nginx, your access.log is probably infringing GDPR. It’s impossible to prove you’re not collecting this without an extensive audit.
> Isn't this true for literally all regulations and laws on the planet?
No, it’s not. Comparable statutes in the U.S. are HIPAA or the Securities Act is 1933. Most laws require, to kick off an expensive process, someone to (a) pony up to start a lawsuit or (b) convince a public prosecutor to take on the case. Dedicated regulators are established where (a) and (b) aren’t working.
Most dedicated regulators consider consumer complaints. But the response rates are reasonably low and not mandated by law. (The best complain-and-investigate regulatory regimes avoid their incumbency-promoting effects by limiting oversight of new entrants. This incumbency bias was not taken into account in the GDPR’s drafting.)
If GDPR looks identical to other laws, in the EU or U.S., to you, you may want to speak with your lawyer about it.
> Most laws require, to kick off an expensive process, someone to (a) pony up to start a lawsuit or (b) convince a public prosecutor to take on the case.
Seems like a lot of red-tape just to enforce some laws. Why wouldn't you want to lower friction for law enforcement?
> If GDPR looks identical to other laws, in the EU or U.S., to you, you may want to speak with your lawyer about it.
Don't worry about my lawyer, mind your own business.
Don't care about that sphere of activity, never going to do any of theses.
> If you're taking money, you have to make sure you know your customer (KYC).
Can you be more precise? What are the laws about that and should'nt it be Paypal job to support that? Never wanted to compete with Paypal either..
Data is literally everywhere... that means GDPR apply to almost everything. Which is why you may see some people complains about being able to sell guns online but you will see much more people complains about GDPR.
> Don't care about that sphere of activity, never going to do any of theses.
> Can you be more precise? What are the laws about that and should'nt it be Paypal job to support that? Never wanted to compete with Paypal either..
So what you're saying is you couldn't care less unless it affects you. Got it.
This is part of my point though. You're a perfect example of what I'm talking about. Who the hell doesn't know about KYC? You just woke up to the world and realized "oh shit, regulations exist! Unacceptable!". Yes, regulations exist, and this is just another one.
> Data is literally everywhere... that means GDPR apply to almost everything.
This isn't about data, it's about PII. And PII isn't everywhere, unless you're collecting it.
> Which is why you may see some people complains about being able to sell guns online but you will see much more people complains about GDPR.
No, that's not why. The reason why is that one has been around for a long time and people got used to it.
Other laws you had to comply with where the ones the GDPR is replacing. Several EU country had very similar law. Idon't know about the fines about such laws though, since they were not enforced.
Enforcement is what's going to matter, I'm pretty sure you could dig up other laws that are vague and have high fines, that are just not enforced and thus don't seem as threatening as the widely publicized GDPR.
Of course, I'm not a lawyer, and I may very well be wrong on my assumptions.
On the other hand, patent trolls are not part of the risk profile for our industry in the EU, since software is not patentable there.
But anyway, it makes perfect business sense for a US startup to just block the EU (or at least state somewhere that they are not complying and thus EU users shouldn't sign up) and focus on their home market until they are big enough to comply with the terms (or are willing to take the risk).
If you don't use copyrighted works then DMCA is going to be a much easier problem to deal with. We have plenty of precedents to look at to assess how the DMCA works as well.
> The GDPR isn't any more onerous than any of those, it's just new
It’s different. “Complain and investigate” regulatory regimes are expensive to comply with. That is irrespective of whether one is doing anything wrong.
These regimes aren’t inherently faulty. They’re quite good in the American securities business. But they create a palpable incumbency bias, as well as one towards those who can afford lawyers and make a useful phone call.
Such a regime would have been ideal if constrained to large companies. Rolling it out for everyone means anyone mis-interpreting something could trigger a regulatory investigation. Even if found innocent at the end, that process is harrowing, expensive and distracting.
Every jurisdiction has its costs and benefits. Europe is still a huge market. But if one doesn’t see enough revenues to justify a dedicated compliance person, it’s a market which may now make sense to delay going into.
The problem is that there is a lower floor of a $20m fine. Big corps can risk a 4% hit, but for anyone struggling to get a small startup off the ground the fine is too onerous.
As far as I'm concerned the process should be like this:
1. EU issues warning and cuts off traffic to the domain after 30 days.
2. Startup fixes GDPR compliance.
3. EU unblocks startup.
Only after the company breaks GDPR after getting unblocked should they be hit with this massive fine. For those of us that don't give a shit about Europe it's so frustrating having to worry about how we have to comply.
And before someone says something about "it's only for companies targeting the EU" that isn't as clear as people make it out to be. An errant ad, or a single conference talk, or even engagement on social media can be construed into requiring GDPR compliance.
But of course the reason the EU didn't want to block corporations flouting the GDPR technically is because they saw the arms race happening in China and decided that they didn't want a second firewall. So instead they went the lazy route and they pushed the whole mess on small startups that aren't the problem in the first place. Large corporations are the problem. The fundamental design of the internet and web is the problem.
There is nothing stopping them from doing so though. Maybe they're having a bad day or simply don't like you very much. Some of the data protection authorities have like one to two dozen people working at it total.
In the long list of factors to consider when determining the fine, which the DPA will be found to not have given the legally required consideration on appeal of the fine, if you assume a DPA is going to be stupid enough to try.
The same law that fined me $1,800 because a posted notice fell off my door in a blizzard? The same law that allowed the judge to uphold the fine by saying "I don't believe you". Bureaucracy sucks, and the second it gets its tentacles on you, no amount of cheek clenching is gonna delay the inevitable.
It's not a 20m / 4% floor, the fines will be discretionary and most importantly are likely to be incremental.
EU regulatory authorities do not usually operate in a "shut your service off for non-compliance" mode: assuming they receive a tip-off about your business not being compliant with GDPR
1) they send you a notice and ask for proof of compliance. If you produce evidence, the case is likely closed.
2) assuming you can't produce that evidence, they will give you a warning and a deadline by which to become compliant. A small fine may be levied at this time
3) if the deadline passes without you having done anything, they will eventually get round to giving you a new date, issue a sterner warning and increase the fine for non compliance.
To get a $20m fine you'd have to be a massive corporation and be caught repeatedly flaunting the regulation in an outrageous and damaging way (for the consumer); any idea of closing off your small service / website / whatever to EU users because of the perceived risk of a fine is a massive overreaction.
People play games with language and try to pretend that just because judges have discretion that this isn't somehow ridiculous.
It is not mandatory that the EU issue a warning. What the EU should have done if they didn't want small startup owners to freak out is they should have made the process clearer and if the $20m level is only aimed at massive corporations then why make it $20m at all? Why not just make it 10% of revenue? I'm not from the EU, I have no idea how the EU court system works. They did not make this easy for small startups.
Let's read the actual document then shall we? It's written in plain enough language for anyone to understand: http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889
20m is one of the two ceilings (the other being 10m) for fines, and in several paragraphs in the document I linked the principles of discretionality, effectiveness and proportionality are stated.
If a regulator tried to levy a $20m fine against a startup for a first offence, there would be a strong case to appeal the ruling at an EU court
>Even the "nightmare letter" doesn't have anything unreasonable in it and the only reason why it might be difficult
How about another reason: it simply increases administrative costs. If you have enough users firing these letters off then you could end up spending a significant amount of time simply responding to these letters. Something has to pay for all of that, and it's not like this cost is going to go away at some point, so the entire business model has to be set up in a way where it can just eat this cost.
Note, I think, you also need to be GDPR compliant for EU users when they are not in the EU. So I don't think IP blocking actually works for 100% of cases.
I would suggest not getting too hung up on this, it is showing you the worst outcome and assuming you have made a good effort to be compliant I should think things would be fine even then. No doubt you have Ts and Cs, that document is full of clauses put in place because of things like this, and any of them could probably result in a worse letter from a customer wanting to sue you over something. But I image also that hasn't happened to you yet either?
Geoblocking EU users makes it fairly clear you don't intend to serve[0] them, at least in my opinion. If the only reason you could be in scope is offering your service in the Union, and you do your best to avoid that, you should probably be out of scope.
We'll see what the regulators think.
[0] From Recital 23: "[When deciding whether processing is in scope under Article 3(2)], it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union."
I'd agree with that. Someone somewhere is probably going to complain about an instance where it failed, but I honestly would be surprised if regulators made a big deal out of it.
Yes. Besides for the administration costs incurred (which is probably the real killer), the list of death points are:
1. Adding a dialog as the first step in an onboarding funnel that's already difficult to get users through
2. Handling non-consent. WTF! So if the user doesn't give consent to something that 99% of the population doesn't understand, I'm not allowed to prevent them from using the app. And so my engineering team needs to waste critical hours figuring out things like how to deal with crashes, or maybe how in the fuck we're supposed to fallback to not using services that we're built on (e.g. Firebase)!
3. Dealing with the fallout of #1 in the form of bad reviews that are the kiss of death to startups
Handling non-consent. WTF! So if the user doesn't give consent to something that 99% of the population doesn't understand, I'm not allowed to prevent them from using the app.
This is like a living, breathing example of why GDPR had to be written the way it was, so that arrogant techbros couldn’t rationalize their way around to screwing everyone over for a quick dollar. It’s also a perfect example of why you get zero sympathy. “But maaaa, it’s hurting my funnel!” Good.
Did you read any further? If I can't prevent them from using the app, then I have to solve an impossible problem. Namely providing a fallback for core services that the app is built on.
You do not need any consent for essential services. But you do need to make sure that those services do not sell your users personal information to third parties, and make sure you can comply with other GDPR requirements (right to be forgotten etc) by getting a data processor agreement with that core service. You are responsible for what your suppliers do.
If you would have built your whole app on "free" services for which your users pay with their personal information, that would be problematic under GDPR. And rightfully so.
So now the EU is in charge of how I decide to build my app, and is trying to dictate what suppliers I can use?
What if I decide that crash reporting is an essential service (it is), and the EU's lawyers decide that it's not? Who is going to pay my legal fees, and potential fine? I should be on the hook because some schmuck uses a service that I provide for free (which essentially means I'm paying for it with my time), and is upset that I may not be handling his data in the way that the EU says I should be? The sane solution would be to allow me to tell this individual that he cannot use the app if he doesn't consent. But here comes the EU telling me that I must allow him to use the app.
> So now the EU is in charge of how I decide to build my app, and is trying to dictate what suppliers I can use?
No, the EU only stipulates that you are not allowed to sell, leak or otherwise slander personal data from EU residents without their freely given consent, and makes you liable for that.
IANAL, but I think there is no reason to fear too much, though I would stay on the safe side regarding interpretation. And remember that anybody can report you for anything to the authorities, or sue you already; if you are prosecuted you'll have to pay your legal fees and fines whether it's about GDPR or not.
imagine a random person with a game since 10 years, perhaps not maintained anymore, suddenly need to comply with eu regulation, which is aimed at something completely different (data harvesters).
this is likely a big and unnecessary burden to most startups.
i believe in less regulation in general so my opinion could be biased.
I imagine you could apply this same logic is applied to taxes, employee rights, not discriminating while hiring or firing, and hundreds of other similar laws under which your company must operate? What makes the GDPR so much worse?
That argument could just as well be reversed:
New startups can build their business from the ground up in such a way that it conforms with GDPR to give them a competitive edge.
While bigger businesses, with very established monetization models that don't comply with GDPR, are now in a pretty unfavorable place and have to scramble looking for alternative monetization models, forcing much bigger changes.
this is totally illogical and false with a basic understanding of economics. by definition the new startup is DOA without capital for compliance/proof of compliance/mandated features whereas the bigger business has capital.
"GDPR, the European Union’s new privacy law, is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation."
I'd love to hear by what mechanism you think eliminating foreign competition will cause unemployment, low innovation, and low growth in European countries.
So the rest of the world should get annoyed with the opening dialog, so that the EU doesn't have to get blocked? Sounds like this could be solved by a proper solution, which the GDPR is not.
I feel like I'm missing something - the site/article/page hasn't loaded for me for the last 40 minutes or so, and yet people are upvoting it.
Am I missing something? Is it just me? "Is It Up"[0] says it's up ...
Maybe I'll try via a different IP address.
Edit: The number of upvotes (twelve and counting) shows it's not just me. I've now changed my IP address and it loaded almost instantly.
Jacques - FWIW the IP address that's not working is 92.18.56.74 - it's been failing to load your site for at least the past hour, I have no data from before that.
Many/most people have dynamic IP addresses, and I wonder if Jacques' provider has aggressively blocked addresses that have been abused in the recent past.
There is a chance that they have some automatic DDOS protection mechanism kick in, I know they have some pretty aggressive counter measures in place to protect their links.
Anyway, the server is definitely 'open to all takers', nothing there that could cause this. Also, last Saturday ABN-AMRO (one of the bigger Dutch commercial banks) went offline for many hours due to a huge DDOS, this may be related but I never thought my lonely blog would be in the line of fire.
> I assume that means he is blocking certain parts of the US, if not the US in its entirety.
On what basis do you make that assumption?
It is still the internet, routing issues can and do occur. There is absolutely nothing in the configuration of my server(s) that would block anybody from any nation.
I'll alert my hosting provider to make sure they know about it just in case it's a novel thing and their monitoring didn't pick it up yet but it could easily be further upstream.
If he intends it to be working and accessible, and if he doesn't know that it's not working, then simply using a proxy is good for me, but bad for him.
I like to provide value to people who write articles worth reading. Jacques is definitely one of them.
I like how the article starts with "the nightmare letter is clearly a troll attempt we need to deal with"
and closes with "actually, those are are all valid and reasonable questions that you should have answers to if you were not breaking the law in the last five years. Answering them automatically should be easy
If you, no matter what company size, are not dependent on illegally and immorally profiting from personal data, then GDPR may even be good for you."
The letter is clearly a troll attempt because it is engineered to inflict maximum damage even if the claimant has no use for a lot of the information they are requesting.
Even so, in isolation and moderation the questions make good sense and answering them properly using an automated system and an updated privacy policy should not be a huge burden.
I've been involved in the GDPR-proofing of the company that employs me in the UK, and find that the questions are the same that our consultants put to us when identifying where we stood.
Based on my experience (medium sized manufacturing company) I think that the letter really becomes a nightmare when the company receiving it has not looked into it at all, or when their business model relies on being able to ignore consent from users for their processing; in other cases, and especially for any company that sells to businesses rather than individuals, GDPR compliance is really not that bad IMO.
I don't agree that this is trolling, even if it is a fishing expedition. The primary purpose appears to be to probe for GDPR compliance, which is a valid expectation of customers and prospective customers (Europeans at least).
You can probe for GDPR compliance without inflicting a large amount of work on the counterparty, assuming that you are on friendly terms.
For instance, if you wish to know if they are GDPR compliant you could ask them something along the lines of "Hello there dear valued business relationship, I would like to know if you are aware of the changes in legislation re. privacy and if so whether or not you are at present compliant with that law and if not if you have a time-table when you will be'.
To ask for the maximum under threat of reporting a party to the regulator is not aligned with 'probing for GDPR compliance'.
No, that request should get you some fairly precise answers. If the answers are unsatisfactory then you always have the option to escalate, and it will actually help you if you do in the end decide to lodge a complaint with the regulators.
As it stands it's clearly an attempt at causing the wheels to grind to a halt, the title of the request and the context in which it has been presented are evidence of that as is the faux concern laced through the letter. This is not a request made in good faith.
In some cases, like having received email communication from a business I’ve never used, never provided my email to, and never consented to receive promotional emails from, the situation starts out unfriendly from the very beginning.
It that case, I want to know about all the data that company has regarding me, and how they got it. Most likely I also want them to delete it too.
Given that their first communication with me is totally unsolicited email marketing, it seems reasonable that if I can reach for a legalese template for a GDPR request, and that raises the chances they’ll take me seriously, then it would be a good thing, almost the precise opposite of trolling (which is more or less what the company was doing by attempting to get data about me in the first place). And I truly don’t have sympathy for companies like this if they find that answering GDPR requests takes up a lot of their time and they lose money as a result. That is literally the only way they will care about data privacy.
I agree that this template could be used for trolling, but there are so many valid, positive outcomes that could be made easier by such a template that I think it’s unimportant to focus on possible trolling until it becomes a material problem.
In fact, this just gives companies a way to disingenuously whine about GDPR to legislators. “Look how many troll requests are clogging our system!” When really, many templated requests aren’t troll requests.
> In some cases, like having received email communication from a business I’ve never used, never provided my email to, and never consented to receive promotional emails from, the situation starts out unfriendly from the very beginning.
Agreed, but that's not the letter writers goal.
> It that case, I want to know about all the data that company has regarding me, and how they got it.
Agreed.
> Most likely I also want them to delete it too.
No, you absolutely want them to delete it, and besides that to tell you if they passed it on.
> Given that their first communication with me is totally unsolicited email marketing, it seems reasonable that if I can reach for a legalese template for a GDPR request, and that raises the chances they’ll take me seriously, then it would be a good thing, almost the precise opposite of trolling (which is more or less what the company was doing by attempting to get data about me in the first place).
Yes, but the letter writer is by their own admission not in that situation, they're a customer of the company, so a direct relationship between them and the company exists, which most likely was initiated by the letter writer.
> And I truly don’t have sympathy for companies like this if they find that answering GDPR requests takes up a lot of their time and they lose money as a result. That is literally the only way they will care about data privacy.
Agreed, but again, that is not the context.
> I agree that this template could be used for trolling, but there are so many valid, positive outcomes that could be made easier by such a template that I think it’s unimportant to focus on possible trolling until it becomes a material problem.
No, it will be used for trolling, in fact it already is being used for trolling. And that's a net negative, which if enough idiots do it will cause the GDPR to be devalued to the point where it is no longer very useful.
> In fact, this just gives companies a way to disingenuously whine about GDPR to legislators. “Look how many troll requests are clogging our system!” When really, many templated requests aren’t troll requests.
That's the whole problem isn't it? Check the context in which the original letter (see link in article) is presented. It's a clear example of trolling.
I think you’re focusing way too much on the fact that the template is written from the perspective of an existing customer.
On reading the template, it seems super obvious that it doesn’t assume a goal of only being applied to situations when you’re already a highly engaged customer.
Things might be on a spectrum. I might have signed up for a newsletter years ago, then later come to regard that company as a big data risk, then accidentally forget about my old newsletter account.
It would be fine to call myself “an existing customer” in that case, even though my connection to the company is not like a vigorous customer relationship with a company whose services I use all the time.
That’s just a common idiom, very clearly not intended to mean the template is intended for spamming around to every big box company you’ve ever engaged with or something.
You can write, “I’m your customer,” while still feeling that you don’t trust that company and what your request for a comprehensive overview of how they use your data to be taken seriously (hence the template’s value).
> I might have signed up for a newsletter years ago, then later come to regard that company as a big data risk, then accidentally forget about my old newsletter account.
In that case it looks like the burden lies with you, not with the company and to send a letter like this in that context would be total overkill. I'd start off with a simple request to remove my data.
But I would be worried about what data they collected, and who they might have sold it to, even if they had never yet done anything suspicious or wrong directly towards me.
Another way to put it is: I’m generally deeply mistrusting of corporate entities collecting my data at all — even very upstanding corporate entities — and believe basic prudence requires me to treat them all with skepticism about my data.
I agree that the letter could be written in a less threatening manner, but the specific questions are required, in my opinion.
If you ask someone whether they are complying with the law, you're likely to just get an inconsiderate "yes", with no indication they even understand the law (there is certainly plenty of misunderstanding that I have seen already, from companies large and small). Making specific questions about their business practises, such that they will have to plainly lie in order maintain a false claim of compliance is more rigorous.
I would use that strategy only in a situation where the relationship is already adversarial or where some distrust is warranted.
But different strokes for different folks, of course everybody is free to do what they want. But then you should be aware that a torrent of these requests are not going to help make matters better, they will just cause people to tune out and regulators to stop taking the complaints serious.
It saddens me to confirm that your viewpoint is backed up by my day to day experience looking at companies from the other side. But, and this is important, not every company sucks at this, I'd say it's about 70/30 at the moment (substantially improved from 3 years ago) when it comes to doing things right. That 30% is of course way too low but it was so much worse that that's already quite a step. This too depends very much on the company activity.
Even the companies that don't suck at it are still putting me at risk just by possessing my information. In the risk analysis, it's not that the chances of something happening are necessarily high, it's that the potential damage is high.
That's spot on. You can really see the difference between one company and another by asking a single question: do they treat the data they possess as a liability or as an asset?
For a basic probe, I'd just ask for general information, e.g. the documentation of what user data they process with what justification. Compliant orgs can likely just respond with a PDF they've prepared, you can review that and if something seems odd or interesting or not matching what you see ask detailed questions later, or request specific information about your account. (Also easier for you, since the initial response doesn't require verifying your identity)
If they can't give a convincing answer, then bigger guns are appropriate.
> even if the claimant has no use for a lot of the information they are requesting.
It's not about wether the information is useful or not, it's about seeing what a company has.
If I get some unsolicited comms from a company then I'm going to want to get information about all the data they hold on me, preferably including where they got it from and where they sent it to.
Then you ask that without resorting to threats of reporting someone to the regulators unless that is your whole goal.
Keep in mind that the writer of the letter claims he/she is a 'customer of the company', so a friendly relationship, not a hostile one like the one that you are describing. Those are totally different situations and different strategies apply.
The only thing that could be called a "threat" that I saw (and I may have missed some instances) was:
> I would like you to be aware at the outset, that I anticipate reply to my request
within one month as required under Article 12, failing which I will be forwarding
my inquiry with a letter of complaint to the <appropriate data protection authority>.
and I don't really see that as a threat, more of a "directing of the proceedings". I mean, it's fact. If some company doesn't respond in the way I think they should to then that's exactly what I will be doing. This isn't a love letter, I don't see any harm in stating fact about this. I can totally see how it could be taken either way though.
I also agree the letter is going after everything, and everything is going to be painful for companies, but for me personally the pain is going to be a byproduct of wanting to know everything.
To be clear, companies that have made efforts to comply with GDPR that I've directly engaged with I'm not interested in and am going to leave alone, but the next unsolicited email from a recruiter I get will start a cascade of access then deletion requests up to the point where my information entered the system, painful or not.
If you have a relationship with a company that is otherwise in good standing this is a fishing expedition based on false concern, and clearly a trolling attempt. If you have an actual reason based on some evidence that something is not ok then yes, by all means go for it. But if that's not the case all this letter does is to try to get the company to waste time and resources on it, effectively devaluating the GDPR.
In fact, this is how I feel generally about most or all engagements I have with large companies. Privacy policies, opt-in for any protections which have aggressively anti-consumer defaults, blosted irrelevant Javascript executing on their webpages, unfriendly customer service, bureaucracy any time I need help.
Since this is all standard, I would generally believe a serious-toned legalese template letter that referenced real possible consequences for non-compliance would be a no-brainer first place to start.
If you're allowed to use the smartest engineers and the cleverest algorithms to process as much data about me as possible to create perfect ads, and if that's not trolling... then neither is it trolling to ask what you've been up to.
That depends on what your motivations are. If you are just interested then that's all fine and good, if you have a legitimate issue with a company then too you are in the clear.
But if all you want to do is cause work 'just because you can' then you're on a fishing expedition without an actual cause. The claimant in the letter is clearly aware of that and how it would make them look in the eyes of the regulators if they were to forward a complaint hence the 'set up' at the beginning of the letter indicating some kind of faux concern in spite of being a 'customer'.
The dissonance there is pretty strong, if I'm a customer of a company in good standing this is not how I would address them.
But they all told me they only hire the smartest engineers, and that’s why I had to derive 256-ary Judy tree implementations on the whiteboard. Someone is lying!
But it feels to me that if I'm processing personal data about my users, then it's reasonable for them to ask what it is and where it is.
There are overheads that come with doing business.
GDPR is going to shake out some of the companies that are competent at using personal data but incompetent at telling people what it is and where it's stored.
I saw this letter quite a while ago (maybe a month ago) in the context of "When you are preparing for GDPR, you should be able to answer these questions". In other words, it was a self test to help you determine whether or not you were fooling yourself about being ready for GDPR. If people are actually using them as data requests, it's very unfortunate.
Look, we all know that you think the GDPR is a great idea, but a law which can't be used to its full extent is IMHO not a great law. I agree with the goals of the GDPR: they're laudable. But its details & its implementation are, quite simply, wrong.
You don't install a self-destruct mechanism which can be triggered by just pushing a single un-guarded button. Likewise, you don't pass a law which can inflict grave economic harm just by sending a letter.
The law was engineered to inflict maximum damage for abuse of personal data.
This letter is designed to inflict maximum administrative paperwork without first establishing whether abuse has taken place.
Also, "grave economic harm" cannot be dealt with such a simple letter. The maximum fine cannot be levied by individuals, only regulators, and they will not do so for individual cases.
Given the involved scale, corporate lobbying and stated goals, this was the best that could be done.
It's probably not even possible to create a great law. The industry that can't even agree on something as simple as coding guidelines is suddenly screaming that the law isn't good (enough).
What's the worst that can happen if you reply to this letter with incomplete information?
I imagine the client will then send you another letter, to which you reply that you've already sent the information. And so on.
In the end, the client may sue you. But in that situation, you make the effort of deleting the information you said you didn't have, and you win the case.
The claimant could report you to the authorities but a partial answer is better than no answer and you could always accompany the partial answer by an estimate when you think you will have the remainder of the information requested.
Is there amy regulation about how the data has to be formatted? Say I send a json string like "this is LITERALLY the data we use", but the avergae Joe is left irritated and annoyed, am I in trouble?
This makes me wonder: what if you encrypt using a proprietary tool, and sell a decryption tool through another company? You could actually make money from GDPR requests.
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.
However, providing remote access should not adversely affect the rights and freedoms of others – including trade secrets or intellectual property.
I have to confess, it's a guilty pleasure of mine to respond with a variant of the Nightmare GDPR letter to SOME companies who sent me the classic "we're sure that you want to access all the amazing benefits of our data processing so if you REALLY want to opt-out you'll need to click on this link and manually remove consent from a couple hundred 3rd party providers" email.
I'd never do that to any company (big or small) with whom I have legitimately interacted, but a lot of this drivel has come from random recruitment companies that must have scraped my details from my CV or Linkedin or wherever.
If you're not legitimately concerned then you are actually devaluing the GDPR by abusing it. If you have a legitimate concern with a particular company I'd send them a custom letter rather than a form letter and I'd try to work with them in order to achieve the desired effect (for instance: for them to delete my data once and for all) rather than to get a bunch of information that I have no further use for.
Alright, let me rephrase: I am interested in such companies that somehow have my details on record despite me never contacting them, and who show no understanding of the principles of GDPR; in particular I want to know what they hold about me and what the source of their data is, which is why I send the letter (which I have modified to remove the stuff I am not concerned about).
Some of them have since replied with "we've gone ahead and deleted all your data", which could be interpreted in many ways I guess
Anywhere that has made my acceptance an "opt in" I have then sent a polite email asking for my details to be removed. I'm happy to continue to use any services that follow GDPR and use them with the minimum of fuss; but anywhere that feels like they're trying to worm their way around the law feels like the kind of organisation the GDPR is designed to protect us against.
Thankfully the responses I've had thus far have been equally amicable.
The most friction so far that I've seen are some news organizations that seem to do what they can do mis-interpret the law. I have no idea what made them think that's the right response but it is almost as if they are doing it willfully.
For the rest of it hardly any interaction to date other than that the spam volume seems to have dropped 50% or even more overnight.
Any company I didn't give my data to directly and have never heard of is a concern. Many companies sending out GDPR emails need to learn that processing data is a liability they should avoid if possible.
Yes, that would be a concern. But this is not that situation, the letter writer states clearly they are a customer of the company and they use examples from other companies to create a situation of faux concern about the addressee. That's not a request made in good faith and that street runs both ways.
That’s a fair point, but seems to be overly focused on how the template states things about being a customer.
The template clearly is intended for a broad set of situations, and easily modifiable fir businesses where you did not realize they had data about you.
I would still see this letter as appropriate, with minor tweaks, to a company “in good standing.”
(More broadly, I’m not sure I know of even a single company I would consider to be in good standing on this topic without first making them prove it. Certainly not any medium-sized or large company, however good-natured they might seem.)
We may wish for spherical users in a vacuum, but there are a lot of people out there looking to fuck their enemies over and who care little about the collateral damage to the commons.
Because people then use that letter to increase the burden on companies 'just for kicks', it creates an asymmetry that the law did not intend. It forces attention away from the positive effects of the law and gives companies reasons to say 'see, this is what you get'. It's irresponsible.
This kind of thing is inevitable though. Within a month there will be online services that auto send an even more annoying version of this letter to every company on your contact list.
The same happens unfortunately with FOI requests. I've seen a case of someone explicitly stating they're sending FOI requests to a municipality just to spite them, which led to that municipality having to hire four (!) people to process them and find the documents. This in turn led to a restriction of that law, which is a real shame.
Yes, we have the same here. The laws have been amended to take care of the 'volume letter writers'. The best part: I'm aware of one such a person and they're unemployed, so they use their state supported life to harass the state to cause damage.
There was absolutely nothing wrong with the cookie law. What was wrong is that companies then went out of their way to FUD it and to mis-interpret it to the point where the law lost much of its value.
The GDPR is a response to that lawyering, but that's no reason why the public at large should now push the pendulum the other way. This law doesn't 'actually suck', but it can be made to 'actually suck' and then we all lose something of value.
> and you're basically asking people to not talk about its problems.
On the contrary. I'd love to talk about those problems, but this isn't one of them. Data Subjects should have the right to make Data Subject Access Requests. But the context matters.
If you want to really talk about the GDPR's problems then I think it would be better to focus on the Designated Representative bit, which is prohibitively expensive for small companies.
Why do you keep putting words in my mouth, that's the second time in a row.
You have a very US centric view of laws and legality, this is not a US law so please try to shift your viewpoint to the EU way of doing this and then re-interpret.
>There was absolutely nothing wrong with the cookie law.
Really? The cookie law, however well-intentioned, could never have been useful. The simplest reason for this is that you can never know if a site is not complying with the cookie law or simply doesn't set cookies. The only way to be certain of this was to use the already existing browser mechanisms for dealing with cookies. In other words, the cookie law would never have done anything even if companies handled it exactly as intended.
Implementing the cookie law costs money and time. It costs developer money and time, and it costs the time of consumers, because some developers are always going to get it wrong simply by virtue of not knowing everything about the law or how to handle it. They will hear about it from third parties and not know how to handle it and simply follow the first steps that tells them how to handle it.
The way the cookie law went should have been expected. It shouldn't have been a surprise to anyone that it didn't do anything and it simply wasted people's time and money.
>This law doesn't 'actually suck', but it can be made to 'actually suck' and then we all lose something of value.
Then we're pretty much guaranteed to all lose something of value. In IT you should expect things to go wrong and for people to abuse the system. Because inevitably that's going to happen.
I know I’ve posted this before but the law does not intend anything. The law is written, and then stuff happens. People intend and make broad laws that then more precisely get to intent after legal battles / precedent.
This is allowed under the law! If you don’t like it, change the law!
The reason people have been complaining about GDPR this whole time is exactly this. Things take on a whole new meaning when complied with at scale when all you need to send is an email. This seems worse than FOIA (the US Freedom of Information Act) and Europe placed it on their entire private sector.
A law allows what it allows. 'Let's pass a law that sets a maximum penalty of death, but promise just to impose $10 fines for the first decade' is a recipe for disaster.
A law which purports to protect privacy but instead demands that any visitor be permitted to rewrite your year-old web server logs is beyond Orwellian.
I admit that my view is somewhat US-centric but also has roots in Europe. I would challenge / I am asking: what is the real difference in the EU, that you could fall back on if sued because of these letters? You have to prepare for that if you want to be responsible, right?
Is it because this is not law, but rather, regulation which is only selectively enforced and suits cannot be brought by individuals but rather by central regulators that will never keep up with the avalanche?
Does the EU never enforce law by the letter, so the letters are unreliable and really more like a guideline? (If so, why bother with law?
Lack of EU sovereignty over member states means it won't get enforced if it's really an inconvenience anyway?
> what is the real difference in the EU, that you could fall back on if sued because of these letters?
This is the first part where your view of how things would likely play out and reality diverge. Under the GDPR a Data Subject whose request is not answered satisfactorily or timely could sue but that will likely go nowhere because they should direct their complaints towards the regulators, not towards the courts.
> You have to prepare for that if you want to be responsible, right?
No, to prepare you have to be 'in compliance', which is a different thing. Essentially you should read the law, decide which part of your operation is 'in scope' and adapt your business to reflect your understanding of the law.
In case of a complaint to a regulator they may (but not necessarily) investigate and if they find transgressions they will issue some guidance on how you should achieve compliance. If upon re-testing it appears that you have not followed the guidance you will most likely be hit with a fine. If the original investigation was because of a data breach or other serious issue they may decide to fine you immediately as well.
> Does the EU never enforce law by the letter, so the letters are unreliable and really more like a guideline? (If so, why bother with law?
The EU tries to achieve a certain effect with the law: to make it harder for companies to wipe breaches under the carpet, to give Data Subjects more control over their data and to stop the worst excesses in the world of data brokering.
So if you cross any of those you can expect enforcement.
> Lack of EU sovereignty over member states means it won't get enforced if it's really an inconvenience anyway?
All member states have automatically adopted the law when it went in force (April 2016).
Thank you for the thoughtful responses! As someone with experience in regulation in the United States it makes sense to me that it is at the regulator's discretion to enforce these rules so there will (necessarily) be enforcement of intent, at least for the current regime. (might change in the next one)
All that said, it likely can and will be mis-used, and citizens will likely sue and cite the regulation if the regulator refuses to enforce the regulation so if I were Europe, I would try my best to prepare for such an eventuality as part of the law to reduce burden. I don't think it's alarmist to suggest this.
I also don't think it is alarmist to suggest that regulators will not always be rational actors, and there are politics at play. It will be interesting to see if any blatant cases of prosecution result from crossing an EU government or leader. Fingers crossed that never happens.
The author of the nightmare letter didn't even claim that his nightmare letter was aimed at data subjects (AKA users), but specifically to companies that are trying to be compliant. Like, "if you can answer this letter, you're compliant".
The author of this piece just twisted the meaning of the letter completely.
We already received one of these for Riot.im; kinda depressing that despite all the GDPR work we’ve done for Matrix (https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix... etc) folks think it’s worth burning yet more of our time in proving it to them (but just to them). So much for writing software and actually making Matrix better...
Then automate the process or hire an administrator to deal with stuff like this. It's not the requester's fault that you can't handle compliance with a law efficiently.
the inability of gdpr advocates to assess or even acknowledge the true cost and negative consequences of this law is extremely unsettling. everything from "its completely easy to implement [even-though i'm not even referring to any particular business model]" to "it requires development of non-product related features but won't hurt startups" to "proving compliance isn't a burdensome cost to completely innocent companies" to "if you can't do it, you shouldn't exist anyways [even-though no one is forcing anyone to use anything]" to "it is vague to give our benevolent regulators ability to enforce it selectively [and somehow always perfectly]"
ironically, this very blogger made all the same arguments here:
his response to his current concern is: "then automate it" as if this is trivial. and "my blog is compliant" as if this means anything for even the most basic business model.
> the true cost and negative consequences of this law is extremely unsettling
I think the cost of not having this law is much higher.
Also, lots companies had few problems automating the dissemination of users personal information to dozens of interested parties, building completely automated markets for this information with derivatives trading etc, all without users (and regulators) knowing or understanding anything about these practices. It is long overdue to put a stop to the excesses, and as a EU citizen I am extremely happy with GDPR.
There will be new opportunities for startups, hopefully GDPR can help make sure these opportunities are less detrimental to society than before.
> I think the cost of not having this law is much higher.
There is no way you could know this and every indication to the contrary. Many EU countries are struggling with jobs and claiming to want a tech sector. This just made it much less likely.
> There will be new opportunities for startups,
The barrier to entry was raised. That means that startups which cannot afford proof of compliance will not exist - whether or not they meet your subjective definition of "detrimental to society."
This is what you get by leaving the invisible hand of the free market to "regulate" itself. Companies have enough rope to hang themselves dozens of times over with the way they collect and handle personal information (startups included), so it's no surprise that strong user-focused data protection is now law.
The internet has seen an absolute explosion of innovation over the last 20 years, which has massively added value to our lives. Compare it to heavily regulated sectors like medical services, pharmaceuticals, education and banking/finance. You're totally ungrateful for what the 'invisible hand' has provided. You take all of the advances and services that emerged on the web over the last 20 years for granted.
In other words, your assumptions don't factor in the link between the myriad of web services now available, and the freedom people have had to provide services on the web.
The government has a constructive role to play in the market, in provisioning tools and information to empower people to maintain their privacy, which market players are not economically incentivized to provide in sufficient quantities.
That would take the form of public funding for development of anonymity technologies, public directories comparing services and their abidance to voluntary data protection standards, and possibly public service announcements educating people about what data they disclose while browsing non-anonymously, or browsing particular types of websites, and how that data can be shared and used by private data collectors.
What the government should not be doing is imposing Big Brother laws that violate the privacy rights of companies in relation to the data they store, which properly understood, belongs to them, regardless of who that information is pertaining to, and violate private property rights by regimenting how web service companies will operate.
Centrally planning the web economy in the manner of imposing regulations like the GDPR is so ridiculously misguided. It is going to destroy innovation, and particularly, business creation.
I think not: incumbents will have more changes to make than startups, who can think it through and get it right from the start (for everyone, ideally). Also the data-portability rule directly lowers the barrier to entry and creates huge opportunities for competition.
Ad-tech startups who built their tech in the previous years may feel screwed by GDPR, but I won't shed any tears for them. They may carry on in the US, if that makes you happy.
>>I think the cost of not having this law is much higher.
The solution severely confines the space of operation, by straightjacketing web service provisioning to a narrowly defined set of procedures, and thus I think it's unlikely to be less costly than the problem it seeks to solve.
Creativity does not flow from this kind of central planning. I believe the blind spot that GDPR advocates have is that they don't fully grasp the scope of what they don't know and what has not yet been discovered, and thus they don't fully account for the cost of laws that inhibit the innovative processes that lead to discovering new ways of providing goods/services.
The responsible way of addressing privacy concerns, that would have been far less likely to undermine liberty and have other negative unintended consequences, would have been to develop user friendly anonymous browsing technology, like Tor-enabled browsers.
> The responsible way of addressing privacy concerns [...] would have been to develop user friendly anonymous browsing technology, like Tor-enabled browsers.
After you reach anonymously a service (e.g. Facebook) and login you won't get any help from Tor or similar technologies. You need a law to tell the other party to not mess with your privacy
A browser that doesn't store cookies and anonymizes your IP will prevent things like a Facebook tracking you across the web.
The rest is an issue of contract law. No one is forcing you to use Facebook, thus it is not violating your privacy when you choose to give it your data. Perhaps public education, on how the personal data you disclose to web services can be used, and information on anonymous alternatives, would help in this situation.
Whatever the solution, it should not impose arbitrary restrictions on how websites can use the data others disclose to them, or obligate a web provider to respond to letters they receive. These are Big Brother laws that will limit the availability of services by severely constraining the space of operation.
I want to be able to use the web without other people's overbearing laws severely limiting the range of websites and services available.
> "if you can't do it, you shouldn't exist anyways [even-though no one is forcing anyone to use anything]"
I'm in this camp, and to respond to your counterargument:
No one is forcing anyone to use anything... except healthcare, health insurance, car insurance, etc. And in many cases, while you may not be forced to use a tool, not using it puts you at an extreme competitive disadvantage. People shouldn't have to choose between being able to compete and valuing their privacy.
I'm fully on board with acknowledging that complying with GDPR has a pretty high cost, but the flipside of that is that if companies had done the right thing to begin with, a) the cost wouldn't be so high, and b) we wouldn't need this law.
Yes, I find his previous 'the GDPR can't impose anything painful on you if you do things correctly' posts to be quite amusing in light of his most recent 'these folks are making things painful, even if you are doing what until yesterday I said was correct' posts.
Moving targets are no fun at all when running a business.
It's a pretty consistent position: If you have your house in order this letter is a non-issue. If you don't have your house in order you could take up to 3 months to answer the request, still a non-issue, but it might take you some work.
Answering a request - even one engineered to be annoying - like this should not be a huge burden for any company that is not doing anything shady and that has been preparing for just such an event.
I wonder if there would have been a better middle ground by allowing to charge a fee for such requests, like some freedom of information law does. We wouldn't want to make it a strong deterrent against sending such requests to large companies, though, that should have automated the process anyway.
You're right. Why should I have to spend my money to make sure I'm not polluting the environment? Make my products conform to safety regulations? Provide safe working conditions? Pay my taxes? It's all the governments fault for passing regulations that help consumers. Those fuckers.
many people disagree with preemptive, guilty until proven innocent regulation. many people also disagree with taxation in-so-far as they are not proportionate usage fees. And yes, certain regulations are definitely harmful. "But other regulations exist" isn't a valid excuse for any and all ever-increasing regulation.
Are you saying that there is no reason for GDPR to exist? None at all? It has nothing to do with all the data leaks that have happened, Facebook and Cambridge Analytica collecting information, invasive targeted ads?
I didn't read their comment to be that black and white, but rather to say that the law is overly vague and hard to comply with. Surely not the first such complaint you've heard.
If GDPR was an environment law, it would say, "Hurting the environment means you can be subject to a $20,000,000 fine." Which sounds great! Except the biggest thing most people can do to hurt the environment, by far, is international flights. And everyone is wondering if the law meant to cover flights. And lots of people are saying, "You shouldn't be flying far anyway." And one expert is saying, obviously flights are excluded, and another is saying, fines are very likely. Etc etc.
Up to 4% or 20Mill. A small startup won't get slapped with that size of a fine. If you are worried about those numbers, you should be able to hire a lawyer and ensure you are in compliance.
Enforcement of which regulations? Do you mean all commercial enforcement in the EU's history, or enforcement of internet related technologies specifically? I'm not trying to be dense, I suspect you know more about this than me, so I'm honestly curious what makes you confident about restraint in enforcement of regulations affecting small businesses on the internet.
If you base all of your business decisions on the worst possible scenario, then you simply aren't going to run a business at all. That is true both before and after GDPR. Some level of risk is inherent in all business activities.
No. The law lists the maxium possible fine under the worst situation.
The absolute maximum available is 4% or €20m, whichever is higher, but the actual fine imposed is always going to be less than this. We know this because after 20 years of existing data protection law the maximum fines have never been imposed.
As I cited in another GDPR thread: the data protection authority of Saxony, for example, handed out less than 50 fines in two years, with an average of less than 3000 Euros.
There may be a great deal of uncertainty now, but things will eventually be settled.
If you are worried about being subject to a twenty million dollar fine, then you can probably afford to hire a lawyer to respond to the multiple warnings you will get before any fine is levied.
Are you saying large laws result from abuse of power by corporation or that large laws are typically abused by the government? Either way, I think I agree.
Why should I spend money to make sure I keep and delete all your information you gave me correctly? This is affecting a single person, the one that gave the information. He is fully responsible for his information, yet he gave it. It's like saying, well we should protect Tesla owner from using the ludicrous mode toward a wall. Maybe he should just not do it?
The environment affect EVERYONE, it's important to protect it because of that. It's a single entity that affect everyone. It's funny because it's exactly the opposite of GPDR, which is a single entity (the one that gave the information to the company) that affect everyone (every potential customer of a company).
GDPR just shift the blame over corporation instead of the one that gave the information in the first place. It shift the fear toward them instead of the one actually responsible for sharing it in the first place.
I'm happy that GDPR will push company to keep less information, there so many website I avoided because they asked for information I didn't want to give, but that's an issue that many website already solved (because that friction was making less user too). What it did bad is add confusion.
I think it's too early to come to any conclusions about GDPR. It's going to take some time and some litigation before we really know the shape and location of the edges of the regulations.
Companies need to apply the same judgment as they do for basically anything else related to running a business. How much do I need to do to comply with this regulation? How do I respond to that?
I mean, it's not like businesses worry too much about people's livelihoods when they lay them off. It's just a business decision and the laid off person needs to deal with the realities of the situation. Now, business owners need to do the same when it comes to the GDPR decision.
If all they do is hope, then they might be screwed.
If you tally the score today, I think it's a win. A few companies may have folded, but a billion or two users have gained a little more insight and control over how data about them is used. But like I said, it's too early to be very confident about this.
Should be fine... if their business model included farming out PII for profit, those same people can be gainfully employed in shutting those systems down and implementing processes to ensure it doesn't happen again. Net employment change zero.
I only want to help users and creators. They should not be afraid of the GDPR. There is a lot of FUD around this topic and I guess that most of the people didn't even read the law.
But I'm gonna take your advice anyways. There is plenty of information already for anyone concerned.
You’re spreading patently false information. After being corrected in one thread, you repeat it in another. I’ve read the law, myself and with a lawyer. This is complicated stuff. Ignoring letters is a bad idea.
The letters aren't even smart FUD. This sort of stuff gets made up by dumb people to validate the fears of other dumb people. It's a kind of self-propaganda. The idea that rando customers can ask for arbitrary information like backup policies and safe-guards or the location of your servers is just silly. The SARs have clear, well-defined limits [1] and the response can and should be automated (once identity has been verified).
In a legitimate - not trolling - exchange I could see a situation where asking about back-up policies is valid. For instance, a company could have had a breach where backups were involved. But the letter has been carefully worded as a DSAR, a Data Subject Access Request and throws in some cover in terms of concerns the user might legitimately have. So you can't just ignore this letter.
The safe guards question would be valid in that context as well but not right of the bat in a first exchange, but if a previous answer left something specific unsaid.
The location of the servers is a valid request depending on the context, for instance when the data is sufficiently critical to be legally mandated that it stays within the EU (yes, there is such data).
Agreed on the automated response, that's the best way to handle this.
Again, this is a troll letter, but even so it still requires a response otherwise you give the claimant grounds for forwarding their complaint to the regulators (who likely will ignore it but I'd play it safe).
Would you kindly elaborate on which part of that link is relevant to this kind of letter? The PDF there only relates to what a citizen can do when you don't answer the letter.
How does that make the letter irrelevant? Responding to the letter rather seems to be the first countermeasure against the authorities' involvement...
Woke up to my second one today from a user who literally only had their name and email address in one entry in our system.
And now, they still have their name and email in one entry in our system, but it's the record that we deleted the first entry at their request. Thanks for wasting half an hour of my day checking our systems, jerk.
You had two years to sort out a quick procedure for doing this process, and it still took an hour and a half. Didn't you have a script to do that semi-automatically?
Half an hour*. And I got hired when my US company figured out the GDPR was important about seven months ago. We're in a bunch of verticals with a lot of different systems that can't all be made to talk to one another. Some of it is semi-automatic, some can't be, and some could be but would require a ton of developer time.
Oh, only seven months to look at it? What were the lawyers doing all that time before then? IT techs here have been training for GDPR for the four years since the law was first designed.
> What were the lawyers doing all that time before then? IT techs here have been training for GDPR for the four years since the law was first designed.
wow, and people claim this won't just destroy totally innocent startups.
Any business trading internationally has to have a care over the regulatory environment of the target country. Why is internet trading any different?
What I meant by the 'four years' comment was not that it takes that long to train, but that GDPR has been included in the training for that long. A four year run-up is plenty long enough for even start-ups to get themselves up to speed and design their systems for privacy by design.
spoken like someone who's never started a company.
> "What were the lawyers doing all that time before then?"
what lawyers? do you realize that compliance, proving compliance, and implementing mandated features are completely separate tasks with cumulative costs? even if you aren't doing anything with the data?
> Any business trading internationally has to have a care over the regulatory environment of the target country. Why is internet trading any different?
bad, stifling, preemptive regulation is bad regulation in any industry. why is internet trading any different?
I was in discussion with a poster who was working for a company structured "in a bunch of verticals with a lot of different systems that can't all be made to talk to one another".
Don't you think that size of company would have a lawyer somewhere?
Why don't you just delete all their data and not record it? Then you can legitimately respond that you don't have any of their personally identifiable information.
Also, you're going to either need to suck up the admin time, script it, or block the EU. Take your pick, there's not much point slinging names around. Chances are it's going to happen again and you may as well be ready.
Wait, I think I'm starting to see what happened, correct me if I'm wrong.
1. Someone requested you delete their data from your system.
2. You did this and logged their request.
That seems legit and pretty much un-jerk like. How did the user know what data you held on them? If they didn't know then the fact that you only held an email address then asking you to delete seems reasonable.
Also, did you really only have their name and email? Unless you have a table called "names_and_emails" that isn't linked anywhere else I assume that you've got the user linked to some sort of subscription or something? That's information too.
The other possible meaning of what you wrote (and my first understanding) was that the same user sent two deletion requests.
That does seem excessive, but then if you complied with the first then the second just becomes a formality at that point surely?
> Does doing that preclude criticizing the clumsy legislation that caused this?
Wether you think this law is clumsy or not (I don't, I think it's a hell of an improvement on the status quo) it stands a good chance of protecting people's privacy, and as a father that is especially important to me with kids growing up even more intertwined in digital age than I was.
As someone who runs a few sites it means some more work for me, but it's worth it. I'm still a person in the world with the need for privacy.
It’s the most self-inflicted wound in history, as an industry. Abusive practices, constant leaks, intrusive marketing, have all been building to a hefty backlash. It’s a shame that you’ve been caught up in the riptide, through no particular fault of your own, but this was inevitable. A whole industry can’t dick over the world’s population without blowback. The time for reasonable negotiations and slow change was probably a decade ago, not twenty years of abuse in. At this point nobody outside of the industry cares if people in the industry are hurting, they just want some privacy back.
Really? Most of what I've seen from outside the industry is akin to "GET THIS ING DIALOG OFF MY SCREEN I HATE IT WHEN THE FIRST THING AN APP DOES IS SHOW A ING POINTLESS DIALOG WHEN I JUST WANT TO USE THE APP"
I have a general question about this. If you have a privacy policy which discusses (amongst other things) the answers to these questions, would it be sufficient to just reply directing the customer to that privacy policy? i.e. let him dig out the answers he "needs" from there.
In part this form letter seems to assume that all the burden is on the company, whereas if the company has already answered these questions in a public medium you could (1) take that as a signal that the claimant is a troll (otherwise they would have read your privacy policy) and (2) that they probably don't care about the answer, they're just looking for a reason to stir the pot, so any deficient answer will be used to contact the regulator.
The best way to deal with that is to answer the request in detail (which makes it very unlikely that a regulator would follow up if there was a complaint) and to refer to public resources such as your privacy policy because that's something that indicates that the claimant didn't do their homework, which is something a regulator will use to weigh whether or not to follow up on the complaint.
> The best way to deal with that is to answer the request in detail
I keep hearing this but I think in reality the volume of troll requests will dictate whether that is practical or not for any given company. Small startups might have problems if that volume is not proportionately small.
The problem would be in answering just one of these, then the amount of effort would be disproportionately large. But to answer a whole bunch of them is a 'mere matter of programming' unless you've really made a mess of things.
Jacques, thanks a million for your work on this topic. It makes me feel much more confident about being able to efficiently handle such a nightmare letter if it one day comes.
The vagueness of the meaning of "processing" PII is one of my handful of problems with GDPR. Is the mere act of having a unique index on an email address column a form of processing? I'd argue it is. It's can be construed really far.
> 2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Article 2(1) limits the whole GDPR to personal data "processed" in the context of a filing system, whether electronic or physical.
In other words (in my non-lawyer reading): If I have your business card in my pocket, or I leave it on the table, or throw it away, I'm not "processing" your data in a covered way—even though I have it. If I put it in my stack of business cards or add you to my CRM, I am.
These three words can mean everything and nothing. It will take years to see how each of the EU's twenty-eight members' regulators take to interpreting them.
Exactly. The term could have been "storing", but that would have been potentially too narrow, as it could be argued that proxies are excluded. As such, "processing" is like a more complete term for "storing or handling".
Having an index though is additional processing. If you could simply note 'in a database' and not have to note processing the database is doing, you could do all your processing with stored procedure.
2. For what purposes? Why do you need it at all? (You might do many different instances or types of processing for one purpose.)
3. What's your lawful basis for processing their email address for each purpose?
So "in the database" would not be what they're looking for. But if it's in the database because you need to a) log them in, and b) send transactional/account-related emails, then that's what you say. I wouldn't bother them with how specifically or technically you make that happen, unless it involves third parties or something like that, because that isn't really what they asked for.
So:
1. Yes, I have it.
2. To identify you to the service, let you sign in, and send account-related messages like password reset codes.
3. Performance of a contract under Article 6(1)(b), providing the service they signed up for.
I updated my web service (solo dev, side project) with a GDPR compliant terms and privacy policy, got this form letter already from a few of my users. I have to tell, it's seriously depressing and I was contemplating shutting the whole side project down over the weekend.
I have a tiny project in closed beta right now I've been working on in my spare time for 7 years I'm considering closing to the EU. The idea is even entirely privacy minded with all data save email address being client side encrypted so we never see it unencrypted.
I never intended to make real money off it except maybe covering server costs if I'm lucky, but the time it would take dealing with requests like this it enough to scare anyone off.
Broadly speaking, and noting that IANAL, etc, etc, ...
I'm not sure what the problem is.
Your obligation is to keep the data secure, and only keep data that you need. Then you need to respond to requests to (a) tell a person what data you hold on them, (b) tell them what you do with the data, and (c) delete it if asked, unless you have a legitimate reason to keep it.
So if someone has given you data for the purpose of you providing a service then all you need to do is treat that data with care, don't do anything your customer doesn't expect you to do, and be able to provide and/or delete it.
Fair do, someone disagrees and has down-voted me. Please, having read the actual regulations[0] several times, including the recitals[1], I'd be pleased to see what's missing from that outline, so I can improve my understanding.
Treehouse is an odd yet apt choice as the laws vary highly by municipality. None of the treehouses I played in as a child were inspected or up to code. I think the argument to be made here anyway is the level of danger. You could die falling out of a treehouse, whereas the actual damages from mishandling a single users data is several magnitudes less.
> You could die falling out of a treehouse, whereas the actual damages from mishandling a single users data is several magnitudes less.
That's a very dangerous sentiment to have. Identity theft is a very real thing. You can do pretty horrible things impersonating other people, things that will lead to people ending up in jail, things that can ruin whole families and drive people into poverty, desperation, and suicide.
It opens people up to blackmail, manipulation and a whole list of other, rather nasty, tactics.
On the extreme end, there's also the fact that not everybody lives in a "free country". In many places saying the wrong things, even online, can have very final consequences. In such cases, you not taking proper care of your user's data, sharing or leaking it all over the place, can result in people vanishing in some torture dungeon never to be seen again.
My entire, multi-year record of personal and financial information has been leaked and stolen at least 3 times, most recently from Equifax. In addition, certain of my passwords and financial and personal details were leaked at least a dozen times that I know about by various stores, restaurants, apps, and online forums.
The consequences to me, personally? Not much. I haven't been blackmailed, I haven't been impersonated, jailed, or driven to suicide.
And in this, I am not unique, not unusual. Probably at least half of the adult US population has had all their information leaked just like mine was. The overwhelming majority of them suffered few to no consequences.
My argument is that freeflight's apocalyptic image of the dangers of PII leakage and identity theft don't seem to match the actual experience of living in a country where PII leakage and identity theft are a norm.
The examples given were hardly "apocalyptic". And since there are accounts of all of them happening, it does seem to match the experience for some. Which leads me back to my initial interpretation of your comment.
Big lurker, just created this to throw in my anecdote. I know of a person that was targeted with identity theft. They are current fighting it in court. It is weird how they have to prove to the system that it wasn't them who registered some vehicle somewhere and were involved in a hit-and-run(while they were even outside of the country through that period of time). That person owns a transportation company and could possibly get their license suspended. They were paid a visit by the sheriff because the debt collectors were not seeing their money (thankfully the sheriff was understanding enough, because it did look like they were going to be arrested until the court date). The name was not even written correctly! But since it is a SIMILAR name and at your address, it is you!
Sorry for the rant, I just don't think the people that are going through this have the time or will to sit and describe their crappy situation. Is everyone who got their identity stolen supposed to run to the press? Run to Equifax's office asking for their reimbursement? If so, I wish they can spell it out more clearly to those who do end up affected. I think we will hear more about these stories eventually, after everyone who got burned clears their names of whatever they were burned for and have the patience to sit and explain how crap hit the fan, because they took out a loan somewhere and didn't understand the consequences.
Even if GDPR isn't perfect right now, it is a step in the right direction. It sounds to me like the whole industry has been mishandling data until this point, that it makes it okay for people to complain that new players wont be able to come in and continue the same ways. Sorry if this is not the proper reply format, I hope it is ok to reply to anecdotes with anecdotes.
Why shouldn't they have that option? You chose to visit that website and input your data. You are completely free to not go there.
Adding legal costs like this de-incentivizes website owners which is now causing websites to shutdown EU access which I don't like.
I don't get why the EU thinks there are entitled to get content from the web while not abiding by the business model for targeted advertising companies.
Even if you're running a small side-project, you really should (a) not do things people don't expect, (b) be able to provide people with a copy of their data that you hold, and (c) delete their data if you're asked to (and you have no legitimate reason to keep it).
That all seems completely reasonable to me. It's certainly reasonable that a new start-up or side-project should use these considerations as part of their design, and I should think that an existing start-up or side-project that does not comply should look hard at why not.
If you think these demands are unreasonable, I'd genuinely be interested in knowing which, and why.
Does it seem reasonable to you? Let me propose a scenario to you. Let's suppose that you commenting on Hacker News would mean that you must adequately respond to certain messages sent to you. If you don't do that then you can be fined. Does this sound like an environment that would encourage you to share your thoughts on Hacker News? Or does it sound more like an environment, where you would just not say anything and perhaps go elsewhere?
It's unreasonable, because it imposes an administrative cost on anyone that tries to do things on the side regardless whether they have good data handling practices or whether they have any intention of abusing the data. I would bet money on the fact, that JUST the fact that they must respond to a letter is enough to make some people go do something else. And who knows, maybe the side project could've been the next google.
not to mention that, historically and intrinsically, visiting a site or using someones application is a voluntary activity. no one is forcing the user to do anything and the user shouldn't be able to force the developers to do anything.
My understanding is that if someone is not a customer, and I hold no data on them, then I can safely ignore any requests. At worst I can automate a response saying "I hold no data on you".
For customers, how many requests would you expect? One in 100? One in 1000? If I store the data securely, and I only use it for the purpose it was intended, I can automate a response that (a) Sends them a copy of their data, (b) points them at the privacy policy saying I don't do anything unexpected with their data, and (c) offer a link to delete their data.
Once set up, these should not place a significant burden on the provider of a service.
I suspect we are arguing about how much work will be required. I'm saying that once set up, the administrative overhead is negligible, you are saying it isn't. Certainly the services I run have seen no increase in administrative load, I'd be interested to know who has seen a significant increase (once already set up) and why.
> Once set up, these should not place a significant burden on the provider of a service
You're counting on an automated response mollifying users and being seen as reasonable by each of the EU's twenty-eight regulators. Perhaps that is true.
If so, a reasonable regulatory regime was produced. If it is not, or it is for a while and then one country decides to go ape shit, this was a bad law. Until we have more data there is regulatory uncertainty. Within that uncertainty is risk. That risk is unreasonable for non- or low-revenue generating projects.
Moreover, there is more precedent for such regulatory regimes becoming more, not less, onerous over time. That leads to incumbency bias, since Facebook and Google no doubt already have lobbyists for each of the national data regulators.
> you need to respond to requests to (a) tell a person what data you hold on them, (b) tell them what you do with the data, and (c) delete it if asked, unless you have a legitimate reason to keep it
Over the course of a few years, doing these things might take up as much time as it would to learn a new language. For a side project, I’m not sure that’s a smart trade-off.
You could have an automated report generator/emailer to deal with a), point the user to your privacy policy for answer to b), and finally again have an automated process for c) as well. This doesn't seem to be in the "learn a new language" effort ballpark to me.
If you're handling user data for a side project, then you'd better be serious enough about protecting your users' privacy; if not, either remove the need to store any more data than is required to provide whatever service it is you're providing, or rethink your approach to starting a project in the first place.
> might take up as much time as it would to learn a new language
How so? Just build yourself a tiny tool that takes an email address or username and sends them their database entries along with the standard explanations about why you need that data.
For my side projects that will be around two hours per project and then 2 minutes for every request.
> Just build yourself a tiny tool that takes an email address or username and sends them their database entries along with the standard explanations about why you need that data
You're assuming automated responses will satisfy requestors and, for the unsatisfied, be seen favorably by each of the twenty-eight national regulators, today and into perpetuity.
In any case, I got curious about your 2 hours / project + 2 minutes / request metric. One can achieve "basic fluency" in a number of languages within 480 hours [1]. We thus find a trade-off hyperbola [2]. For 1 project, after 14,340 requests you could have learned a new language. For 5: 2,820 per project. For 10: 1,380. At one request per day, that's under 4 years. TL; DR, even with optimistic figures, a significant toll is extracted purely for administration.
TBH I suspect most of them have never run anything. I did an info session for a team of consultants, and was careful to include a lot of information on the positive intentions of the law, and every single one realized quickly that most of the costs of compliance for the vast majority of businesses had nothing to do with improving the state of privacy, and that for many business models that aren't abusing data this law is still going to be incredibly expensive.
There's just a huge gap between people who viscerally understand making high-level business decisions and people who don't, and the vast majority of the writers and supporters of this law appear to be in the "don't" group.
I think you're missing some categories. I've run websites. I consider myself pro-GDPR-spirit. But I also believe it should have explicitly phased down its effects on small organizations. If it gets tweaked back based on the observed effects, I'll consider that a win. If it is written in stone and remains as is for long enough to dampen entrepreneurship in favor of big deep pocketed organizations, it will be a huge loss. Right now it feels more like it will be the latter, but who knows.
And then they spend their entire free-time playing administrator on a service that doesn't make them any money. Time they could've spent on improving the service. The alternative is that if they're outside the EU they just block the EU and if they're inside the EU then they abandon the project.
> And then they spend their entire free-time playing administrator on a service that doesn't make them any money.
Do you really think this is going to be a constant, relentless attack on your time? Do you really think that users of a service will constantly be sending DSARs?
I run a few closed services as side-projects totalling a few thousand users. I've received exactly three DSARs, and those are from people who wanted to see if I had processes in place. I'm very surprised that people think the administrative load will be significant.
But these are the underlying assumptions that can, and perhaps should, be explored. Broadly speaking, how many users will send in DSARs? One in ten? One in 100? One in 1000?
We are talking about side projects. You do that as an hobby. Any minute spend on ANYTHING else than what you like to do is a minute lost for no meaningful reason.
If the service gets enough users? Perhaps it will. If I annoy the wrong person on Twitter, then I'm fairly certain I will be handling those requests for a while.
Just out of curiosity, how long did it take you to respond to those requests?
>But these are the underlying assumptions that can, and perhaps should, be explored. Broadly speaking, how many users will send in DSARs? One in ten? One in 100? One in 1000?
>How long will it take to respond to a request?
I don't know, but I do know that there are plenty of developers out there that would probably have a lot of trouble adequately responding to these kinds of requests. Particularly the people who might have some trouble with English, especially the type of English in these requests. I have no idea how those people are going to handle these situations.
> If the service gets enough users? Perhaps it will. If I annoy the wrong person on Twitter, then I'm fairly certain I will be handling those requests for a while.
Anyone to whom you are not providing a service should not have any data released to them, so they can get a simple "I'm sorry, you're not a customer, and I hold no data on you." response.
Anyone who is a customer and is sending vexatious requests - I'd refund them if appropriate and terminate their service. Especially for side-projects, you don't need the aggravation.
In my case people were genuinely asking about actual data, and I took the time for the first to respond "by hand" - it took about ten minutes. The second time I documented what had been done the first, and parametrised it. Total time was about 15 minutes.
The third time I ran the script by hand and checked the output. Total time was under three minutes. I'm pretty sure that after another two or three I can just let it run automatically. Time taken for subsequent queries? Probably none.
And I agree that for some people, especially those for whom English is not their first language, would have trouble responding in English. It's not clear that they have to.
But speaking about time taken, I'm now going to bow out. I've made my position and understanding as clear as I can. GDPR is here, and everyone can make their choice about what they do to be seen to comply. I wish you all good luck.
> (c) delete it if asked, unless you have a legitimate reason to keep it.
Deleting it if asked might be neither cheap nor possible, depending. What if he has an audit log in his system recording that foo@bar.example attempted registered, baz@quux.example wrote a record &c.? If the audit log is a secure audit log, it's not possible to mutate a record after it's written — but that's exactly what the GDPR requires!
So now he has to either allow his audit logs to be mutable (and thus no longer secure), or he has to e.g. use an opaque identifier for his users, which means he needs another database, his audit-log–viewing system has to perform joins between the logs & that database (which means that it will no longer be straightforward to view with tail(1) & friends), that join has to handle deleted users in some useful way, &c. &c. &c.
That's thought he has to spend on something he didn't have to previously. There's obviously no problem with that in the case of something that's essential (and several provisions of the GDPR are essential). The problem is when the GDPR is mandating something inessential, or — in the case of its mandate that users be permitted to rewrite history — outright wrong. He's being forced by the law to implement a misfeature.
It's somewhat similar to a law mandating key escrow: it imposes engineering cost to achieve a wrong end.
> If the audit log is a secure audit log, it's not possible to mutate a record after it's written — but that's exactly what the GDPR requires!
My reading, and the advice I've seen in multiple locations, is that in the case of immutable audit logs (and backups, for example), being immutable logs (or backups) would count as a legitimate reason to retain the information. It would be required to store the logs and backups securely, but that should be done anyway.
The requirement would then be to delete what's possible (which is what the GDPR says) and then not process whatever remains. In other words, it's mandating what is already good practice.
Can you not just have a checkbox that says "I agree not to use this service from within the EU." or something like that? Like, I don't even track IP addresses for my dumb side projects. I wouldn't know where to start with this.
This is actually something I've mocked up, but I'm not sure if it flies. I also wonder if blocking by IP actually counts as processing PII... Lol. So many questions.
The information obligations begin with citizenship:
> One requires transparency in gathering and using data in order to allow EU citizens to exercise their rights to personal data. Therefore, the General Data Protection Regulation sets forth a variety of information obligations.
American citizens don't may or may not have rights under GDPR, or may have rights only where the processing is done within European borders, but European citizens have rights under GDPR regardless of where they are.
Ah true, in the past I have hashed emails with no salt to try and provide some privacy. For password reset I just asked the user for their email when requesting the reset and tested against the hash to make sure its legit.
Please don't! GDPR letters are FUD. The only authority that can enforce GDPR is the DPA of your country or your user's country. And then after thoroughly investigation the DPA can implement different measures and the fines are just for the stronger actors and breaks.
Please be more specific in your refutation. In following the link you've provided I see nothing to support your assertions, and it appears to support jacquesm.
Are you suggesting that countries outside of the US care about US copyright law? The Russian video streaming site I use sure doesn't.
What about the pharma companies in India that copy American drugs (to the great benefit of humans worldwide)? US law does not rule in other sovereign nations.
Please folks, GDPR investigations are only undertaken by the EU. No single actor can try to 'sue' you for infringment. The maximum they can do is to complain to the GDPR office in your country. And then, maybe, the office is gonna undertake an investigation. This whole is process can be a matter of years.
Don't be afraid, if you receive one of those letters just ignore it.
Emotional distress isn’t a thing in the EU in general, and definitely not out of proportion to actual damages. If someone incurred costs as a result of your failure to comply with the GDPR, those would be damages. If, for some reason, they wound up in therapy as a result of your failure to comply and had to pay money/take holidays from work/etc for that, that’d be the closest thing to emotional distress we have.
Sure, and in fact that’s meant to be the primary enforcement mechanism. But fines aren’t what I’m talking about there - civil lawsuits without a regulator involved are possible under the GDPR, although their potential damage is limited to actual damages and the cost of hiring a lawyer.
The first enforcement mechanism is going to be a letter detailing the complaint and asking for information about how you deal with user's data. If they think you are not handling it properly, you are asked to change it, that's it.
> Don't be afraid, if you receive one of those letters just ignore it.
You probably should not be making such blanket statements. Keep in mind that the companies that receive such requests may have substantial assets in the EU (or may even be based entirely in the EU).
This is akin to telling people to break copyright law because the courts are too busy to go after everybody and it could take years before it is your turn.
Disclaimer: We are a GDPR model company in Ireland. This means that we are implementing the mechanisms that the country is going to take as default for every other company. We had EU folks over here for months.
I'm assuming everybody responding to you did just that so this is a null statement.
> Disclaimer: We are a GDPR model company in Ireland. This means that we are implementing the mechanisms that the country is going to take as default for every other company. We had EU folks over here for months.
I'll happily bet that I spent more time reading the GDPR than you did (such as: for the last year as a part of my day job) and you are spreading some pretty dangerous information in this thread up to and including telling people to ignore legitimate requests under the law.
If you give out that kind of advise and in such an unqualified manner you should not then follow up by saying that 'this is not legal counsel'.
A DSAR is a legitimate request under the law if you feel that this particular letter is not a legitimate request then you should address that with specifics.
The user made no request to access backup data, I don't know where you got that but it was not in the letter.
The user requested to know if there were backups and if so how they are handled, which is a perfectly legitimate question, if only because quite a few breaches start with 'we've lost a backup and it wasn't encrypted'.
This could - but does not necessarily - fall under 'other supplementary information' but would require more context.
Now, some of the requests in the letter are over the top but there is no harm in answering them. Not answering the whole letter is extremely dumb because you can't ignore a legitimate request because it asks for one thing that is not legitimate. Then you should just answer the remainder and lay out your reasons for not wanting to answer the questions you feel are not within the scope of such a request.
Well, for the full enforcement process: if your answer is not satisfactory, I will forward my letter (together with the notice of non-answer, or the notice of unsatisfactory answer) to my national data protection agency. Believe it or not, it's just an email. From there on, you have bureaucrats (who are paid for this & motivated to write fines) that will take up the legal process. The whole setup is similar to the consumer protection agency - and I hardly ever have to do anything after notifying that agency, I just receive a later with the resolution after a few months.
Depends on what you mean but "not gonna work". I presume that all my questions will have satisfactory answers, either directly by the company or via the DPA. Either way, it's just an email for me. I'm pretty sure it's more than "just an email" for someone who does business in the EU but chooses to ignore my original request.
> The maximum they can do is to complain to the GDPR office in your country. And then, maybe, the office is gonna undertake an investigation. This whole is process can be a matter of years.
Years of regulatory investigation sounds expensive. Furthermore, willfully ignoring regulators is a good way to piss them off. The only winning strategies here are (a) lawyer and lobbyist up and (b) block users in countries where you don't have (a).
First you should receive an enquiry about yor DPA asking for the information they need and your processes, if they deem it necessary they will do an in-depth investigation. After that, they can reach a conclusion. Then if you are still not GDPR complaint, you will be fined.
Each of the EU's twenty-eight members will have their own interpretation of the process.
In any case, the fines aren't the problem. It's the cost and distraction of going through this process. That cost is imposed irrespective of whether one is doing everything correctly. Responding to DPA requests, investigations, et cetera is a reasonable burden for a company like Facebook. For many start-ups, it may make sense to partition and/or delay their European roll-outs.
> In any case, the fines aren't the problem. It's the cost and distraction of going through this process.
>> fines are an exception. There are other machanisms to protect the users
Fines aren’t the problem. It’s the cost and distraction of going through this process. Those “other mechanisms” are still costly and distracting, even if you did nothing wrong.
I think that the primary target for GDPR investigations is going to be the big actors like Facebook, Google and Advertising networks who's single business model is profiting from user data.
Big online marketing companies are looking at a variety of technologies to turn their user's into buying customers of their advertising customers both online and in-store.
Look at Facebook as an example with their dreadful user interface attempt to trick EU customers into opting-in to facial recognition technology.
But there's a good reason for this. The ability for stores to know who their customer is, what they buy and re-market to them is powerful, and incredibly creepy.
GDPR is a good reminder to all companies that the individual user owns their data, not the company. I personally like this shift, which will over time make companies think about the business models they implement, encouraging us to have customers rather than users.
No, there appear to be some connectivity issues of the non-obvious kind (apparently BGP related), the hosting provider is working on it and there are several work-arounds posted in this thread.
It seems like a lot of the comments are about one issue:
- do you believe generally, even for an “upstanding” company you’ve done business with for a while, that commercial entities can be trusted with your data?
If yes, you’ll see the template as overbearing and needlessly aggressive outside the context of some specific incident when a company proved to be untrustworthy. Especially if you operate a side project or business of your own, and believe you personally would not abuse consumer data collection, you’ll see it as rude in the best case, trollish resource wasting in the worst case.
If you’re a consumer with a general mistrust of all commercial entities, even “upstanding” ones, when it comes to data practices, or if you just happen to believe that the potential risks for data abuse or harm are too high to be offset by anyone’s good intentions or past good behavior, then you’ll see this as a reasonable template, perhaps needing a few modifications for differing contexts, and that jumping straight away to legalese boilerplate just has to be assumed necessary when dealing with self-interested commercial entities.
Sending boilerplate almost guarantees that a regulator will put your request at the bottom of the pile if you decide to take it to the next level unless the company responds in a way that shows their contempt for the law.
I think that will depend on how seriously GDPR non-compliance is treated.
I’m hopeful some big corps will be heavily fined to set precedent and to ease concerns that GDPR is a mild form of regulatory capture intended to be misused (regardless of its wording) to asymmetrically inhibit new entrants and small firms.
But that’s what the big corps want. They’d gladly each cough up a billion for a permanent state where market entry is harder. Especially the easy to disrupt consumer services like Facebook and Snapchat.
Boilerplate says that you don't care to even bother write a specific letter with your specific questions. Going on the assumption that the regulators will receive a large volume of complaints they will do what every overwhelmed institution does:
Triage.
- which requests can we get rid of immediately?
- which requests are definitely legitimate?
- which requests are borderline? but will need work?
The boilerplate letters will - unless the boilerplate contains major errors - fall in the third category. It is my expectation that most enforcement in the first period will come from the second category, and in those cases where enough people each individually expended some effort on their complaint to the regulator.
That might be true, or you might feel that your request is entirely general in nature -- you are generally concerned about how your data is used, collected, or sold by a given company, even though, at this moment, you have no specific complaint. Maybe you heard about how a similar company in the same industry did something bad, and you just want to be cautious and check.
Yes, you might modify the tone of the template for the context of that situation. But you might still use a template because you believe it gives you the best way to be sure that the request uses adequate language to constitute a properly formatted and comprehensive request (short of taking your draft request to your personal attorney and paying them for advice).
Your point is not wrong, but there still might be cases when someone satisfies both
(a) not basing their GDPR inquiry on a specific incident or mistreatment that they know of, only on general skepticism or due diligence to get a comprehensive understanding of how the data is used.
(b) still wants to use a template to have reasonable confidence it is a well-formed and comprehensive request without needing to pay an attorney to draft it or advise them on their own draft.
Can someone tell me is it legal (or even viable) to just automatically completely remove all the information on the person sending those letters? Certainly beats banning whole EU by IP.
I just want to note how non-obvious compliance with GDPR is. Two experts on GDPR and privacy in this thread (Jacquesm and Ainiriand) have been disagreeing throughout the thread on just the basis of whether one should reply to GDPR complaints like this. Imagine how much up for interpretation the more gritty parts of the law will be.
And Jacquesm is saying don't be alarmed in some comments while in other comments he admits there could be problems with people trolling with this letter. So I'm even more skeptical of allowing any EU users.
I think it would be best if people like you would just go ahead and block all EU users. There's so much "well I might just block them then!" going around these days, when you should just do it if you think it's the best approach.
It's a very consistent position: no need to be alarmed, yes you will have to answer a letter like this, even if it is trolling. But if a letter like this alarms you then you probably have bigger problems.
They did consider it, there is a pretty extensive part written on what can go into a DSAR and from what I can see this letter skirts the edge and in some places goes over it but on the whole it is not an unreasonable burden to deal with it as it is.
Take into account the lengths to which companies will go to collect data, it stands to reason that in that context there is some balance to be found if a Data Subject makes a request about that collected data. If you don't collect data the request can be answered immediately and without further work.
There are no experts on the law, even lawyers arent. The only one who can authoritatively produce interpretations of the law is the european Court of Justice. For that to happen a country's Supreme court must refer a case to them for consultation which is then binding throughout the EU. In the meanwhile, 28 different privacy regulatots can independently try to interpret it. Most of the regulators are not staffed yet and not up to the task.
I've said it many times, GDPR is such a waste of time and resources for startups unless your market is really EU.
GDPR is super expensive to remain compliant, simply because of the broadness of the terms used, leading to undefined scope of liability.
The cheapest way to stay compliant with GDPR is to completely block access to EU customers. In fact, this is what I did with my business. I redirect to a generic text file (not even a HTML that could trigger a GDPR clause by itself) explaining my stance.
"Sorry, this site is for non-EU users only" something to that effect. A HTML can execute scripts (ie., collect data) while a text file does not, atleast that's my understanding.
It would probably be a problem if Google or MS did this, because lots of other companies and institutions (foolishly) depend on them instead of using OSS. I would be disappointed if Apple did it, but I have the feeling this law is an advantage for them. :)
The rest of the companies threatening to block the EU are seriously overestimating their importance.
What worries me most is how little is being said about private-operated sites. I am little Joe running internet forum about space battles with maybe 5 active users right now and no more than 100 active members historically. Should I sign data processing agreement with Google because I am using Gmail to send E-mails? Should I hire DPO? Am I risking my house being taken from me to cover multimilion fine because user posted their photo or e-mail 5 years ago and I’ve missed it because I don’t delete user-posted content together with their account?
> What worries me most is how little is being said about private-operated sites.
If you want I can research the matter in more detail, someone else came up with federated sites like Mastodon nodes and that's another pretty gray area.
> I am little Joe running internet forum about space battles with maybe 5 active users right now and no more than 100 active members historically.
Ok.
> Should I sign data processing agreement with Google because I am using Gmail to send E-mails?
No. You could try to stretch the law to include that particular example but from my reading of it this is perfectly acceptable.
> Should I hire DPO?
No, but you are the de-facto DPO, so if you receive a DSAR then you probably should answer it, though with your user counts I think the chances of that are very small.
> Am I risking my house being taken from me to cover multimilion fine because user posted their photo or e-mail 5 years ago and I’ve missed it because I don’t delete user-posted content together with their account?
No.
But if a regulator should tell you that you should remove a users data (because you refused to for some reason or other) you probably should. The EU does not 'fine first and ask questions later', they will investigate first, warn and then when ignored they will fine. And for a small entity like yours which is more of a hobby than anything else I highly doubt regulators would even bother but you can't rule it out completely. Better increase you comet insurance as well if that's your main worry :)
>No, but you are the de-facto DPO, so if you receive a DSAR then you probably should answer it, though with your user counts I think the chances of that are very small.
I think that we might have this view about it right now, but I could easily see a scenario, where somebody targets you for "harassment" through something like this. Maybe you say something somebody else doesn't like on Twitter and they do that to you.
I'll deal with that when it happens. If I'm going to run my business based on everything that could happen with 0.001% probability then I would not get anything done at all.
> You could try to stretch the law to include that particular example but from my reading of it this is perfectly acceptable.
But I should still note about the fact in my privacy policy, shouldn't I?
Couple other things I've noted when working on GDPR compliance for my forum:
- It may be good idea to write in your forum rules that you don't allow users to embed their data outside of forum profile.
- Forums accumulate tons of lurker accounts (users that register account but don't post or browse anything) that could be automatically deleted
- Forums like to log IP's used by users when they, say, post messages. Those could be overwritten to 0.0.0.0 for items older than X days.
I've also been working on privacy policy template for people in my position that I have on GitHub and would love to have any feedback:
> But I should still note about the fact in my privacy policy, shouldn't I?
Yes, I would disclose any third party that sees all or part of the data, and I would also disclose what reason there is for me to make use of that service.
> I've also been working on privacy policy template for people in my position that I have on GitHub and would love to have any feedback:
I will do that, but not right now, wildly busy today, but if you drop me a line (jacques@mattheij.com) I promise I will do that within the next couple of days.
Yes, you can be if the business is small. Obviously there is a conflict of interest there but it is better to have a conflicted DPO than none at all. Even in a larger company the DPO would report to the CEO and then you'd be back where you started. The only way to really have a DPO independent of the organization is to have the DPO report to the board, and this is in fact done in places where that is warranted.
Your literal reading of the law is right but your practical implementation will still have to fit the available maneuvering room and no DPA - one would hope - would insist on bankrupting half the SME's in their country.
514 comments
[ 2.3 ms ] story [ 322 ms ] threadBut reading stuff like this makes me that much more inclined to use that Cloudflare option of IP blocking the whole continent. This feels like a very slippery and dangerous can of worms that’s not worth opening.
It's bad enough we have to deal with patent trolls. I'm not inclined to add this to my risk profile.
You can't sell guns and drugs online.
If you're taking money, you have to make sure you know your customer (KYC).
I would also like to hear other examples.
It seems like the smart thing for US startups to do right now is ignore EU customers until they’ve validated the business idea enough to justify the engineering and legal expenses of taking this on.
I seems reasonable, but I would argue it's due to the law being new, not to some intrinsic property of it, no?
If that worked I'd embrace GDPR. Problem with "any consumer can make a complaint which requires expensive follow-up" regimes is one doesn't have to do anything wrong to incur costs. Someone can mis-interpret something and make a complaint. Now you have to interface with a regulator, which tends to be risky, expensive and time consuming.
I'm not sure what's risky, expensive or time consuming about that.
Data regulator now asks you questions. You must respond. Hopefully they agree with you. But maybe not! Twenty-eight regulators appointed by different political groups are a complex system. You will need to gain expertise on them or hire someone with it.
All I’m saying is that time and money might be better used elsewhere. Particularly by someone just making side projects.
If you're not collecting data, then all of this is irrelevant. You just say "I'm not collecting data". There's no nuance here.
This is your interpretation. Many prominent lawyers disagree.
In any case, convincing a regulator that you are not, in fact, collecting data could be harrowing, distracting and expensive. The risk of incurring those costs probably isn’t a smart one to take for a hacker or very early-stage start-up.
Even if we assume a completely bizarre and pathologically incompetent regulator that somehow ends up zeroing in on some tiny website which exhibits no evidence of violation, the hobbyist might have to... delete their website?
Have you ever responded to a regulatory enquiry?
I'd like to point out that it's in the interest of a proeminent lawyer to tell you that their services are needed...
How do you prove you are not collecting data?
If your use default configs of Apache, or Nginx, your access.log is probably infringing GDPR. It’s impossible to prove you’re not collecting this without an extensive audit.
If you're accused and you're unlucky enough that the regulators/police follow up on the accusation, you're going to have to answer to them.
Exercise some critical thinking please.
No, it’s not. Comparable statutes in the U.S. are HIPAA or the Securities Act is 1933. Most laws require, to kick off an expensive process, someone to (a) pony up to start a lawsuit or (b) convince a public prosecutor to take on the case. Dedicated regulators are established where (a) and (b) aren’t working.
Most dedicated regulators consider consumer complaints. But the response rates are reasonably low and not mandated by law. (The best complain-and-investigate regulatory regimes avoid their incumbency-promoting effects by limiting oversight of new entrants. This incumbency bias was not taken into account in the GDPR’s drafting.)
If GDPR looks identical to other laws, in the EU or U.S., to you, you may want to speak with your lawyer about it.
Seems like a lot of red-tape just to enforce some laws. Why wouldn't you want to lower friction for law enforcement?
> If GDPR looks identical to other laws, in the EU or U.S., to you, you may want to speak with your lawyer about it.
Don't worry about my lawyer, mind your own business.
That breaks the site guidelines by crossing into incivility. Could you please not do that?
https://news.ycombinator.com/newsguidelines.html
"replying to their email"
https://jacquesmattheij.com/so-your-start-up-receive-the-nig...
Don't care about that sphere of activity, never going to do any of theses.
> If you're taking money, you have to make sure you know your customer (KYC).
Can you be more precise? What are the laws about that and should'nt it be Paypal job to support that? Never wanted to compete with Paypal either..
Data is literally everywhere... that means GDPR apply to almost everything. Which is why you may see some people complains about being able to sell guns online but you will see much more people complains about GDPR.
> Can you be more precise? What are the laws about that and should'nt it be Paypal job to support that? Never wanted to compete with Paypal either..
So what you're saying is you couldn't care less unless it affects you. Got it.
This is part of my point though. You're a perfect example of what I'm talking about. Who the hell doesn't know about KYC? You just woke up to the world and realized "oh shit, regulations exist! Unacceptable!". Yes, regulations exist, and this is just another one.
> Data is literally everywhere... that means GDPR apply to almost everything.
This isn't about data, it's about PII. And PII isn't everywhere, unless you're collecting it.
> Which is why you may see some people complains about being able to sell guns online but you will see much more people complains about GDPR.
No, that's not why. The reason why is that one has been around for a long time and people got used to it.
Enforcement is what's going to matter, I'm pretty sure you could dig up other laws that are vague and have high fines, that are just not enforced and thus don't seem as threatening as the widely publicized GDPR.
Of course, I'm not a lawyer, and I may very well be wrong on my assumptions.
On the other hand, patent trolls are not part of the risk profile for our industry in the EU, since software is not patentable there.
But anyway, it makes perfect business sense for a US startup to just block the EU (or at least state somewhere that they are not complying and thus EU users shouldn't sign up) and focus on their home market until they are big enough to comply with the terms (or are willing to take the risk).
Did these precedents take place before or after the DMCA was enacted?
It’s different. “Complain and investigate” regulatory regimes are expensive to comply with. That is irrespective of whether one is doing anything wrong.
These regimes aren’t inherently faulty. They’re quite good in the American securities business. But they create a palpable incumbency bias, as well as one towards those who can afford lawyers and make a useful phone call.
Such a regime would have been ideal if constrained to large companies. Rolling it out for everyone means anyone mis-interpreting something could trigger a regulatory investigation. Even if found innocent at the end, that process is harrowing, expensive and distracting.
Every jurisdiction has its costs and benefits. Europe is still a huge market. But if one doesn’t see enough revenues to justify a dedicated compliance person, it’s a market which may now make sense to delay going into.
As far as I'm concerned the process should be like this:
1. EU issues warning and cuts off traffic to the domain after 30 days.
2. Startup fixes GDPR compliance.
3. EU unblocks startup.
Only after the company breaks GDPR after getting unblocked should they be hit with this massive fine. For those of us that don't give a shit about Europe it's so frustrating having to worry about how we have to comply.
And before someone says something about "it's only for companies targeting the EU" that isn't as clear as people make it out to be. An errant ad, or a single conference talk, or even engagement on social media can be construed into requiring GDPR compliance.
But of course the reason the EU didn't want to block corporations flouting the GDPR technically is because they saw the arms race happening in China and decided that they didn't want a second firewall. So instead they went the lazy route and they pushed the whole mess on small startups that aren't the problem in the first place. Large corporations are the problem. The fundamental design of the internet and web is the problem.
I don‘t believe that you truly believe that, after it has been refuted a dozen times in every single GDPR discussion.
There is no lower floor. There is not even an obligation to hand out fines.
But that is irrelevant in this thread.
There is no lower floor. That was a lie!
The authorities can easily fine someone a thousand Euros or a million Euros.
Again, you're derailing. I was replying to the claim that no fine lower than 20 million Euros could possibly be imposed.
The same law that fined me $1,800 because a posted notice fell off my door in a blizzard? The same law that allowed the judge to uphold the fine by saying "I don't believe you". Bureaucracy sucks, and the second it gets its tentacles on you, no amount of cheek clenching is gonna delay the inevitable.
People play games with language and try to pretend that just because judges have discretion that this isn't somehow ridiculous.
It is not mandatory that the EU issue a warning. What the EU should have done if they didn't want small startup owners to freak out is they should have made the process clearer and if the $20m level is only aimed at massive corporations then why make it $20m at all? Why not just make it 10% of revenue? I'm not from the EU, I have no idea how the EU court system works. They did not make this easy for small startups.
How about another reason: it simply increases administrative costs. If you have enough users firing these letters off then you could end up spending a significant amount of time simply responding to these letters. Something has to pay for all of that, and it's not like this cost is going to go away at some point, so the entire business model has to be set up in a way where it can just eat this cost.
I would suggest not getting too hung up on this, it is showing you the worst outcome and assuming you have made a good effort to be compliant I should think things would be fine even then. No doubt you have Ts and Cs, that document is full of clauses put in place because of things like this, and any of them could probably result in a worse letter from a customer wanting to sue you over something. But I image also that hasn't happened to you yet either?
What you think does not align with my understanding of the GDPR, what makes you say this?
No, location is what matters. Of course one could argue if IP is a reliable indicator of location, given VPNs, potentially faulty GeoIP databases, ...
We'll see what the regulators think.
[0] From Recital 23: "[When deciding whether processing is in scope under Article 3(2)], it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union."
established companies have no issues with fees, or legal requests.
gdpr is to protect the established companies from competition.
it is basically a reverse china ban. because china-style banning of competition is still considered bad in the eu.
1. Adding a dialog as the first step in an onboarding funnel that's already difficult to get users through
2. Handling non-consent. WTF! So if the user doesn't give consent to something that 99% of the population doesn't understand, I'm not allowed to prevent them from using the app. And so my engineering team needs to waste critical hours figuring out things like how to deal with crashes, or maybe how in the fuck we're supposed to fallback to not using services that we're built on (e.g. Firebase)!
3. Dealing with the fallout of #1 in the form of bad reviews that are the kiss of death to startups
This is like a living, breathing example of why GDPR had to be written the way it was, so that arrogant techbros couldn’t rationalize their way around to screwing everyone over for a quick dollar. It’s also a perfect example of why you get zero sympathy. “But maaaa, it’s hurting my funnel!” Good.
If you would have built your whole app on "free" services for which your users pay with their personal information, that would be problematic under GDPR. And rightfully so.
What if I decide that crash reporting is an essential service (it is), and the EU's lawyers decide that it's not? Who is going to pay my legal fees, and potential fine? I should be on the hook because some schmuck uses a service that I provide for free (which essentially means I'm paying for it with my time), and is upset that I may not be handling his data in the way that the EU says I should be? The sane solution would be to allow me to tell this individual that he cannot use the app if he doesn't consent. But here comes the EU telling me that I must allow him to use the app.
No, the EU only stipulates that you are not allowed to sell, leak or otherwise slander personal data from EU residents without their freely given consent, and makes you liable for that.
IANAL, but I think there is no reason to fear too much, though I would stay on the safe side regarding interpretation. And remember that anybody can report you for anything to the authorities, or sue you already; if you are prosecuted you'll have to pay your legal fees and fines whether it's about GDPR or not.
this is likely a big and unnecessary burden to most startups.
i believe in less regulation in general so my opinion could be biased.
While bigger businesses, with very established monetization models that don't comply with GDPR, are now in a pretty unfavorable place and have to scramble looking for alternative monetization models, forcing much bigger changes.
"GDPR, the European Union’s new privacy law, is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation."
Excellent. Then maybe some competitors will arise with products that are built with privacy in mind from the ground up.
Nope. Surely you can think of a technical solution to this problem.
Am I missing something? Is it just me? "Is It Up"[0] says it's up ...
Maybe I'll try via a different IP address.
Edit: The number of upvotes (twelve and counting) shows it's not just me. I've now changed my IP address and it loaded almost instantly.
Jacques - FWIW the IP address that's not working is 92.18.56.74 - it's been failing to load your site for at least the past hour, I have no data from before that.
[0] https://isitup.org/jacquesmattheij.com
Or couldn't. I changed IP address and can now.
Many/most people have dynamic IP addresses, and I wonder if Jacques' provider has aggressively blocked addresses that have been abused in the recent past.
Anyway, the server is definitely 'open to all takers', nothing there that could cause this. Also, last Saturday ABN-AMRO (one of the bigger Dutch commercial banks) went offline for many hours due to a huge DDOS, this may be related but I never thought my lonely blog would be in the line of fire.
On what basis do you make that assumption?
It is still the internet, routing issues can and do occur. There is absolutely nothing in the configuration of my server(s) that would block anybody from any nation.
I'll alert my hosting provider to make sure they know about it just in case it's a novel thing and their monitoring didn't pick it up yet but it could easily be further upstream.
https://webcache.googleusercontent.com/search?q=cache:QSStS_...
https://us.hideproxy.me/go.php?u=xRv6FweyJ5wXueEdkahRiAzzGVM...
I like to provide value to people who write articles worth reading. Jacques is definitely one of them.
I've mirrored it here in case it may help: http://blogs.intellique.com/so-your-start-up-receive-the-nig...
Receive => Received
and closes with "actually, those are are all valid and reasonable questions that you should have answers to if you were not breaking the law in the last five years. Answering them automatically should be easy
If you, no matter what company size, are not dependent on illegally and immorally profiting from personal data, then GDPR may even be good for you."
hehehehehehehe
Even so, in isolation and moderation the questions make good sense and answering them properly using an automated system and an updated privacy policy should not be a huge burden.
For instance, if you wish to know if they are GDPR compliant you could ask them something along the lines of "Hello there dear valued business relationship, I would like to know if you are aware of the changes in legislation re. privacy and if so whether or not you are at present compliant with that law and if not if you have a time-table when you will be'.
To ask for the maximum under threat of reporting a party to the regulator is not aligned with 'probing for GDPR compliance'.
Asking for the maximum shows you exactly how compliant an entity is.
As it stands it's clearly an attempt at causing the wheels to grind to a halt, the title of the request and the context in which it has been presented are evidence of that as is the faux concern laced through the letter. This is not a request made in good faith.
It that case, I want to know about all the data that company has regarding me, and how they got it. Most likely I also want them to delete it too.
Given that their first communication with me is totally unsolicited email marketing, it seems reasonable that if I can reach for a legalese template for a GDPR request, and that raises the chances they’ll take me seriously, then it would be a good thing, almost the precise opposite of trolling (which is more or less what the company was doing by attempting to get data about me in the first place). And I truly don’t have sympathy for companies like this if they find that answering GDPR requests takes up a lot of their time and they lose money as a result. That is literally the only way they will care about data privacy.
I agree that this template could be used for trolling, but there are so many valid, positive outcomes that could be made easier by such a template that I think it’s unimportant to focus on possible trolling until it becomes a material problem.
In fact, this just gives companies a way to disingenuously whine about GDPR to legislators. “Look how many troll requests are clogging our system!” When really, many templated requests aren’t troll requests.
Agreed, but that's not the letter writers goal.
> It that case, I want to know about all the data that company has regarding me, and how they got it.
Agreed.
> Most likely I also want them to delete it too.
No, you absolutely want them to delete it, and besides that to tell you if they passed it on.
> Given that their first communication with me is totally unsolicited email marketing, it seems reasonable that if I can reach for a legalese template for a GDPR request, and that raises the chances they’ll take me seriously, then it would be a good thing, almost the precise opposite of trolling (which is more or less what the company was doing by attempting to get data about me in the first place).
Yes, but the letter writer is by their own admission not in that situation, they're a customer of the company, so a direct relationship between them and the company exists, which most likely was initiated by the letter writer.
> And I truly don’t have sympathy for companies like this if they find that answering GDPR requests takes up a lot of their time and they lose money as a result. That is literally the only way they will care about data privacy.
Agreed, but again, that is not the context.
> I agree that this template could be used for trolling, but there are so many valid, positive outcomes that could be made easier by such a template that I think it’s unimportant to focus on possible trolling until it becomes a material problem.
No, it will be used for trolling, in fact it already is being used for trolling. And that's a net negative, which if enough idiots do it will cause the GDPR to be devalued to the point where it is no longer very useful.
> In fact, this just gives companies a way to disingenuously whine about GDPR to legislators. “Look how many troll requests are clogging our system!” When really, many templated requests aren’t troll requests.
That's the whole problem isn't it? Check the context in which the original letter (see link in article) is presented. It's a clear example of trolling.
On reading the template, it seems super obvious that it doesn’t assume a goal of only being applied to situations when you’re already a highly engaged customer.
Things might be on a spectrum. I might have signed up for a newsletter years ago, then later come to regard that company as a big data risk, then accidentally forget about my old newsletter account.
It would be fine to call myself “an existing customer” in that case, even though my connection to the company is not like a vigorous customer relationship with a company whose services I use all the time.
That’s just a common idiom, very clearly not intended to mean the template is intended for spamming around to every big box company you’ve ever engaged with or something.
You can write, “I’m your customer,” while still feeling that you don’t trust that company and what your request for a comprehensive overview of how they use your data to be taken seriously (hence the template’s value).
In that case it looks like the burden lies with you, not with the company and to send a letter like this in that context would be total overkill. I'd start off with a simple request to remove my data.
Another way to put it is: I’m generally deeply mistrusting of corporate entities collecting my data at all — even very upstanding corporate entities — and believe basic prudence requires me to treat them all with skepticism about my data.
If you ask someone whether they are complying with the law, you're likely to just get an inconsiderate "yes", with no indication they even understand the law (there is certainly plenty of misunderstanding that I have seen already, from companies large and small). Making specific questions about their business practises, such that they will have to plainly lie in order maintain a false claim of compliance is more rigorous.
But different strokes for different folks, of course everybody is free to do what they want. But then you should be aware that a torrent of these requests are not going to help make matters better, they will just cause people to tune out and regulators to stop taking the complaints serious.
It's like bringing a chainsaw to a surgery.
There have been enough data breaches that distrust is always warranted when a company has my data.
If they can't give a convincing answer, then bigger guns are appropriate.
It's not about wether the information is useful or not, it's about seeing what a company has.
If I get some unsolicited comms from a company then I'm going to want to get information about all the data they hold on me, preferably including where they got it from and where they sent it to.
Keep in mind that the writer of the letter claims he/she is a 'customer of the company', so a friendly relationship, not a hostile one like the one that you are describing. Those are totally different situations and different strategies apply.
> I would like you to be aware at the outset, that I anticipate reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the <appropriate data protection authority>.
and I don't really see that as a threat, more of a "directing of the proceedings". I mean, it's fact. If some company doesn't respond in the way I think they should to then that's exactly what I will be doing. This isn't a love letter, I don't see any harm in stating fact about this. I can totally see how it could be taken either way though.
I also agree the letter is going after everything, and everything is going to be painful for companies, but for me personally the pain is going to be a byproduct of wanting to know everything.
To be clear, companies that have made efforts to comply with GDPR that I've directly engaged with I'm not interested in and am going to leave alone, but the next unsolicited email from a recruiter I get will start a cascade of access then deletion requests up to the point where my information entered the system, painful or not.
Since this is all standard, I would generally believe a serious-toned legalese template letter that referenced real possible consequences for non-compliance would be a no-brainer first place to start.
But if all you want to do is cause work 'just because you can' then you're on a fishing expedition without an actual cause. The claimant in the letter is clearly aware of that and how it would make them look in the eyes of the regulators if they were to forward a complaint hence the 'set up' at the beginning of the letter indicating some kind of faux concern in spite of being a 'customer'.
The dissonance there is pretty strong, if I'm a customer of a company in good standing this is not how I would address them.
But it feels to me that if I'm processing personal data about my users, then it's reasonable for them to ask what it is and where it is.
There are overheads that come with doing business.
GDPR is going to shake out some of the companies that are competent at using personal data but incompetent at telling people what it is and where it's stored.
https://news.ycombinator.com/item?id=16606629
Look, we all know that you think the GDPR is a great idea, but a law which can't be used to its full extent is IMHO not a great law. I agree with the goals of the GDPR: they're laudable. But its details & its implementation are, quite simply, wrong.
You don't install a self-destruct mechanism which can be triggered by just pushing a single un-guarded button. Likewise, you don't pass a law which can inflict grave economic harm just by sending a letter.
This letter is designed to inflict maximum administrative paperwork without first establishing whether abuse has taken place.
Also, "grave economic harm" cannot be dealt with such a simple letter. The maximum fine cannot be levied by individuals, only regulators, and they will not do so for individual cases.
It's probably not even possible to create a great law. The industry that can't even agree on something as simple as coding guidelines is suddenly screaming that the law isn't good (enough).
I imagine the client will then send you another letter, to which you reply that you've already sent the information. And so on.
In the end, the client may sue you. But in that situation, you make the effort of deleting the information you said you didn't have, and you win the case.
Had the company had the information at a time in the past doesn't mean they would do now.
Going out of your way to make the response useless is probably not a good idea.
* Ironically, people are using Google Drive to do this.
This makes me wonder: what if you encrypt using a proprietary tool, and sell a decryption tool through another company? You could actually make money from GDPR requests.
How should we provide the data to individuals?
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.
However, providing remote access should not adversely affect the rights and freedoms of others – including trade secrets or intellectual property.
Ref: https://ico.org.uk/for-organisations/guide-to-the-general-da...
Thankfully the responses I've had thus far have been equally amicable.
For the rest of it hardly any interaction to date other than that the spam volume seems to have dropped 50% or even more overnight.
The template clearly is intended for a broad set of situations, and easily modifiable fir businesses where you did not realize they had data about you.
But as a customer of a company in good standing this letter is over the top and in some places dishonest.
(More broadly, I’m not sure I know of even a single company I would consider to be in good standing on this topic without first making them prove it. Certainly not any medium-sized or large company, however good-natured they might seem.)
The GDPR is a response to that lawyering, but that's no reason why the public at large should now push the pendulum the other way. This law doesn't 'actually suck', but it can be made to 'actually suck' and then we all lose something of value.
Of course GDPR is a well intentioned law. It's implementation is debatable though, and you're basically asking people to not talk about its problems.
On the contrary. I'd love to talk about those problems, but this isn't one of them. Data Subjects should have the right to make Data Subject Access Requests. But the context matters.
If you want to really talk about the GDPR's problems then I think it would be better to focus on the Designated Representative bit, which is prohibitively expensive for small companies.
So you realize that this is a problem, but you'd rather not talk about it?
Context matters, but the law should codify the context, and not leave it up for interpretation.
You have a very US centric view of laws and legality, this is not a US law so please try to shift your viewpoint to the EU way of doing this and then re-interpret.
You should also look at the whole thing from a US perspective before calling people with a US centric view "dumb".
Where did I do that?
Really? The cookie law, however well-intentioned, could never have been useful. The simplest reason for this is that you can never know if a site is not complying with the cookie law or simply doesn't set cookies. The only way to be certain of this was to use the already existing browser mechanisms for dealing with cookies. In other words, the cookie law would never have done anything even if companies handled it exactly as intended.
Implementing the cookie law costs money and time. It costs developer money and time, and it costs the time of consumers, because some developers are always going to get it wrong simply by virtue of not knowing everything about the law or how to handle it. They will hear about it from third parties and not know how to handle it and simply follow the first steps that tells them how to handle it.
The way the cookie law went should have been expected. It shouldn't have been a surprise to anyone that it didn't do anything and it simply wasted people's time and money.
>This law doesn't 'actually suck', but it can be made to 'actually suck' and then we all lose something of value.
Then we're pretty much guaranteed to all lose something of value. In IT you should expect things to go wrong and for people to abuse the system. Because inevitably that's going to happen.
This is allowed under the law! If you don’t like it, change the law!
The reason people have been complaining about GDPR this whole time is exactly this. Things take on a whole new meaning when complied with at scale when all you need to send is an email. This seems worse than FOIA (the US Freedom of Information Act) and Europe placed it on their entire private sector.
EDIT: clarity.
A law allows what it allows. 'Let's pass a law that sets a maximum penalty of death, but promise just to impose $10 fines for the first decade' is a recipe for disaster.
A law which purports to protect privacy but instead demands that any visitor be permitted to rewrite your year-old web server logs is beyond Orwellian.
Is it because this is not law, but rather, regulation which is only selectively enforced and suits cannot be brought by individuals but rather by central regulators that will never keep up with the avalanche?
Does the EU never enforce law by the letter, so the letters are unreliable and really more like a guideline? (If so, why bother with law?
Lack of EU sovereignty over member states means it won't get enforced if it's really an inconvenience anyway?
Something else?
This is the first part where your view of how things would likely play out and reality diverge. Under the GDPR a Data Subject whose request is not answered satisfactorily or timely could sue but that will likely go nowhere because they should direct their complaints towards the regulators, not towards the courts.
> You have to prepare for that if you want to be responsible, right?
No, to prepare you have to be 'in compliance', which is a different thing. Essentially you should read the law, decide which part of your operation is 'in scope' and adapt your business to reflect your understanding of the law.
In case of a complaint to a regulator they may (but not necessarily) investigate and if they find transgressions they will issue some guidance on how you should achieve compliance. If upon re-testing it appears that you have not followed the guidance you will most likely be hit with a fine. If the original investigation was because of a data breach or other serious issue they may decide to fine you immediately as well.
> Does the EU never enforce law by the letter, so the letters are unreliable and really more like a guideline? (If so, why bother with law?
The EU tries to achieve a certain effect with the law: to make it harder for companies to wipe breaches under the carpet, to give Data Subjects more control over their data and to stop the worst excesses in the world of data brokering.
So if you cross any of those you can expect enforcement.
> Lack of EU sovereignty over member states means it won't get enforced if it's really an inconvenience anyway?
All member states have automatically adopted the law when it went in force (April 2016).
> Something else?
That's up to you :)
All that said, it likely can and will be mis-used, and citizens will likely sue and cite the regulation if the regulator refuses to enforce the regulation so if I were Europe, I would try my best to prepare for such an eventuality as part of the law to reduce burden. I don't think it's alarmist to suggest this.
I also don't think it is alarmist to suggest that regulators will not always be rational actors, and there are politics at play. It will be interesting to see if any blatant cases of prosecution result from crossing an EU government or leader. Fingers crossed that never happens.
The author of this piece just twisted the meaning of the letter completely.
The blog post is a response to this Ask HN:
https://news.ycombinator.com/item?id=17161718
ironically, this very blogger made all the same arguments here:
https://jacquesmattheij.com/gdpr-hysteria
his response to his current concern is: "then automate it" as if this is trivial. and "my blog is compliant" as if this means anything for even the most basic business model.
I think the cost of not having this law is much higher.
Also, lots companies had few problems automating the dissemination of users personal information to dozens of interested parties, building completely automated markets for this information with derivatives trading etc, all without users (and regulators) knowing or understanding anything about these practices. It is long overdue to put a stop to the excesses, and as a EU citizen I am extremely happy with GDPR.
There will be new opportunities for startups, hopefully GDPR can help make sure these opportunities are less detrimental to society than before.
There is no way you could know this and every indication to the contrary. Many EU countries are struggling with jobs and claiming to want a tech sector. This just made it much less likely.
> There will be new opportunities for startups,
The barrier to entry was raised. That means that startups which cannot afford proof of compliance will not exist - whether or not they meet your subjective definition of "detrimental to society."
> Why are we down-voting this post?
Responding to that will certainly not lead to new insights or good discussion. I did respond to the other point.
In other words, your assumptions don't factor in the link between the myriad of web services now available, and the freedom people have had to provide services on the web.
The government has a constructive role to play in the market, in provisioning tools and information to empower people to maintain their privacy, which market players are not economically incentivized to provide in sufficient quantities.
That would take the form of public funding for development of anonymity technologies, public directories comparing services and their abidance to voluntary data protection standards, and possibly public service announcements educating people about what data they disclose while browsing non-anonymously, or browsing particular types of websites, and how that data can be shared and used by private data collectors.
What the government should not be doing is imposing Big Brother laws that violate the privacy rights of companies in relation to the data they store, which properly understood, belongs to them, regardless of who that information is pertaining to, and violate private property rights by regimenting how web service companies will operate.
Centrally planning the web economy in the manner of imposing regulations like the GDPR is so ridiculously misguided. It is going to destroy innovation, and particularly, business creation.
I think not: incumbents will have more changes to make than startups, who can think it through and get it right from the start (for everyone, ideally). Also the data-portability rule directly lowers the barrier to entry and creates huge opportunities for competition.
Ad-tech startups who built their tech in the previous years may feel screwed by GDPR, but I won't shed any tears for them. They may carry on in the US, if that makes you happy.
The solution severely confines the space of operation, by straightjacketing web service provisioning to a narrowly defined set of procedures, and thus I think it's unlikely to be less costly than the problem it seeks to solve.
Creativity does not flow from this kind of central planning. I believe the blind spot that GDPR advocates have is that they don't fully grasp the scope of what they don't know and what has not yet been discovered, and thus they don't fully account for the cost of laws that inhibit the innovative processes that lead to discovering new ways of providing goods/services.
The responsible way of addressing privacy concerns, that would have been far less likely to undermine liberty and have other negative unintended consequences, would have been to develop user friendly anonymous browsing technology, like Tor-enabled browsers.
After you reach anonymously a service (e.g. Facebook) and login you won't get any help from Tor or similar technologies. You need a law to tell the other party to not mess with your privacy
The rest is an issue of contract law. No one is forcing you to use Facebook, thus it is not violating your privacy when you choose to give it your data. Perhaps public education, on how the personal data you disclose to web services can be used, and information on anonymous alternatives, would help in this situation.
Whatever the solution, it should not impose arbitrary restrictions on how websites can use the data others disclose to them, or obligate a web provider to respond to letters they receive. These are Big Brother laws that will limit the availability of services by severely constraining the space of operation.
I want to be able to use the web without other people's overbearing laws severely limiting the range of websites and services available.
I'm in this camp, and to respond to your counterargument:
No one is forcing anyone to use anything... except healthcare, health insurance, car insurance, etc. And in many cases, while you may not be forced to use a tool, not using it puts you at an extreme competitive disadvantage. People shouldn't have to choose between being able to compete and valuing their privacy.
I'm fully on board with acknowledging that complying with GDPR has a pretty high cost, but the flipside of that is that if companies had done the right thing to begin with, a) the cost wouldn't be so high, and b) we wouldn't need this law.
Moving targets are no fun at all when running a business.
Answering a request - even one engineered to be annoying - like this should not be a huge burden for any company that is not doing anything shady and that has been preparing for just such an event.
In some cases you can, but most GDPR DSARs are going to be free of charge.
No, it's not: it's the government's fault for passing an over-large law.
Up to 4% or 20Mill. A small startup won't get slapped with that size of a fine. If you are worried about those numbers, you should be able to hire a lawyer and ensure you are in compliance.
https://www.gdpreu.org/compliance/fines-and-penalties/
So the fine is in range(0 ... max(4% gt, 20M))
Ok?
The absolute maximum available is 4% or €20m, whichever is higher, but the actual fine imposed is always going to be less than this. We know this because after 20 years of existing data protection law the maximum fines have never been imposed.
If you are worried about being subject to a twenty million dollar fine, then you can probably afford to hire a lawyer to respond to the multiple warnings you will get before any fine is levied.
The environment affect EVERYONE, it's important to protect it because of that. It's a single entity that affect everyone. It's funny because it's exactly the opposite of GPDR, which is a single entity (the one that gave the information to the company) that affect everyone (every potential customer of a company).
GDPR just shift the blame over corporation instead of the one that gave the information in the first place. It shift the fear toward them instead of the one actually responsible for sharing it in the first place.
I'm happy that GDPR will push company to keep less information, there so many website I avoided because they asked for information I didn't want to give, but that's an issue that many website already solved (because that friction was making less user too). What it did bad is add confusion.
I mean, it's not like businesses worry too much about people's livelihoods when they lay them off. It's just a business decision and the laid off person needs to deal with the realities of the situation. Now, business owners need to do the same when it comes to the GDPR decision.
If you tally the score today, I think it's a win. A few companies may have folded, but a billion or two users have gained a little more insight and control over how data about them is used. But like I said, it's too early to be very confident about this.
You're right, it's the EU's.
https://ec.europa.eu/commission/sites/beta-political/files/d...
https://news.ycombinator.com/item?id=17178562
But I'm gonna take your advice anyways. There is plenty of information already for anyone concerned.
[1] https://ico.org.uk/media/for-organisations/documents/2014223....
Why is this silly? Does the law explicitly forbid people from asking stuff like this?
No. The expectation is each of the EU’s twenty-eight national data regulators will be nice and reasonable into perpetuity.
The safe guards question would be valid in that context as well but not right of the bat in a first exchange, but if a previous answer left something specific unsaid.
The location of the servers is a valid request depending on the context, for instance when the data is sufficiently critical to be legally mandated that it stays within the EU (yes, there is such data).
Agreed on the automated response, that's the best way to handle this.
Again, this is a troll letter, but even so it still requires a response otherwise you give the claimant grounds for forwarding their complaint to the regulators (who likely will ignore it but I'd play it safe).
How does that make the letter irrelevant? Responding to the letter rather seems to be the first countermeasure against the authorities' involvement...
And now, they still have their name and email in one entry in our system, but it's the record that we deleted the first entry at their request. Thanks for wasting half an hour of my day checking our systems, jerk.
wow, and people claim this won't just destroy totally innocent startups.
What I meant by the 'four years' comment was not that it takes that long to train, but that GDPR has been included in the training for that long. A four year run-up is plenty long enough for even start-ups to get themselves up to speed and design their systems for privacy by design.
> "What were the lawyers doing all that time before then?"
what lawyers? do you realize that compliance, proving compliance, and implementing mandated features are completely separate tasks with cumulative costs? even if you aren't doing anything with the data?
> Any business trading internationally has to have a care over the regulatory environment of the target country. Why is internet trading any different?
bad, stifling, preemptive regulation is bad regulation in any industry. why is internet trading any different?
Don't you think that size of company would have a lawyer somewhere?
Also, you're going to either need to suck up the admin time, script it, or block the EU. Take your pick, there's not much point slinging names around. Chances are it's going to happen again and you may as well be ready.
Because then we have no record of complying with their request, which is something we need to show records of if we're ever audited.
> Also, you're going to either need to suck up the admin time, script it, or block the EU.
Yes? Does doing that preclude criticizing the clumsy legislation that caused this?
1. Someone requested you delete their data from your system.
2. You did this and logged their request.
That seems legit and pretty much un-jerk like. How did the user know what data you held on them? If they didn't know then the fact that you only held an email address then asking you to delete seems reasonable.
Also, did you really only have their name and email? Unless you have a table called "names_and_emails" that isn't linked anywhere else I assume that you've got the user linked to some sort of subscription or something? That's information too.
The other possible meaning of what you wrote (and my first understanding) was that the same user sent two deletion requests.
That does seem excessive, but then if you complied with the first then the second just becomes a formality at that point surely?
> Does doing that preclude criticizing the clumsy legislation that caused this?
Wether you think this law is clumsy or not (I don't, I think it's a hell of an improvement on the status quo) it stands a good chance of protecting people's privacy, and as a father that is especially important to me with kids growing up even more intertwined in digital age than I was.
As someone who runs a few sites it means some more work for me, but it's worth it. I'm still a person in the world with the need for privacy.
The best way to deal with that is to answer the request in detail (which makes it very unlikely that a regulator would follow up if there was a complaint) and to refer to public resources such as your privacy policy because that's something that indicates that the claimant didn't do their homework, which is something a regulator will use to weigh whether or not to follow up on the complaint.
I keep hearing this but I think in reality the volume of troll requests will dictate whether that is practical or not for any given company. Small startups might have problems if that volume is not proportionately small.
> 2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
https://gdpr-info.eu/art-4-gdpr/
- BUT -
Article 2(1) limits the whole GDPR to personal data "processed" in the context of a filing system, whether electronic or physical.
In other words (in my non-lawyer reading): If I have your business card in my pocket, or I leave it on the table, or throw it away, I'm not "processing" your data in a covered way—even though I have it. If I put it in my stack of business cards or add you to my CRM, I am.
https://gdpr-info.eu/art-2-gdpr/
These three words can mean everything and nothing. It will take years to see how each of the EU's twenty-eight members' regulators take to interpreting them.
If the data takes part in a process you have, you're processing that data.
So having a database index would almost certainly be covered.
1. Are you processing their email address?
2. For what purposes? Why do you need it at all? (You might do many different instances or types of processing for one purpose.)
3. What's your lawful basis for processing their email address for each purpose?
So "in the database" would not be what they're looking for. But if it's in the database because you need to a) log them in, and b) send transactional/account-related emails, then that's what you say. I wouldn't bother them with how specifically or technically you make that happen, unless it involves third parties or something like that, because that isn't really what they asked for.
So:
1. Yes, I have it.
2. To identify you to the service, let you sign in, and send account-related messages like password reset codes.
3. Performance of a contract under Article 6(1)(b), providing the service they signed up for.
But again, I'm not a lawyer.
Article 15, on access requests: https://gdpr-info.eu/art-15-gdpr/
How to interpret Article 15: https://gdpr-info.eu/recitals/no-63/
I never intended to make real money off it except maybe covering server costs if I'm lucky, but the time it would take dealing with requests like this it enough to scare anyone off.
I'm not sure what the problem is.
Your obligation is to keep the data secure, and only keep data that you need. Then you need to respond to requests to (a) tell a person what data you hold on them, (b) tell them what you do with the data, and (c) delete it if asked, unless you have a legitimate reason to keep it.
So if someone has given you data for the purpose of you providing a service then all you need to do is treat that data with care, don't do anything your customer doesn't expect you to do, and be able to provide and/or delete it.
Fair do, someone disagrees and has down-voted me. Please, having read the actual regulations[0] several times, including the recitals[1], I'd be pleased to see what's missing from that outline, so I can improve my understanding.
[0] https://gdpr-info.eu/
[1] https://gdpr-info.eu/recitals/
I frankyl don't understand why web site owners are entitled to a wild west, now-law zone?
That's a very dangerous sentiment to have. Identity theft is a very real thing. You can do pretty horrible things impersonating other people, things that will lead to people ending up in jail, things that can ruin whole families and drive people into poverty, desperation, and suicide.
It opens people up to blackmail, manipulation and a whole list of other, rather nasty, tactics.
On the extreme end, there's also the fact that not everybody lives in a "free country". In many places saying the wrong things, even online, can have very final consequences. In such cases, you not taking proper care of your user's data, sharing or leaking it all over the place, can result in people vanishing in some torture dungeon never to be seen again.
The consequences to me, personally? Not much. I haven't been blackmailed, I haven't been impersonated, jailed, or driven to suicide.
And in this, I am not unique, not unusual. Probably at least half of the adult US population has had all their information leaked just like mine was. The overwhelming majority of them suffered few to no consequences.
Adding legal costs like this de-incentivizes website owners which is now causing websites to shutdown EU access which I don't like.
I don't get why the EU thinks there are entitled to get content from the web while not abiding by the business model for targeted advertising companies.
That all seems completely reasonable to me. It's certainly reasonable that a new start-up or side-project should use these considerations as part of their design, and I should think that an existing start-up or side-project that does not comply should look hard at why not.
If you think these demands are unreasonable, I'd genuinely be interested in knowing which, and why.
It's unreasonable, because it imposes an administrative cost on anyone that tries to do things on the side regardless whether they have good data handling practices or whether they have any intention of abusing the data. I would bet money on the fact, that JUST the fact that they must respond to a letter is enough to make some people go do something else. And who knows, maybe the side project could've been the next google.
For customers, how many requests would you expect? One in 100? One in 1000? If I store the data securely, and I only use it for the purpose it was intended, I can automate a response that (a) Sends them a copy of their data, (b) points them at the privacy policy saying I don't do anything unexpected with their data, and (c) offer a link to delete their data.
Once set up, these should not place a significant burden on the provider of a service.
I suspect we are arguing about how much work will be required. I'm saying that once set up, the administrative overhead is negligible, you are saying it isn't. Certainly the services I run have seen no increase in administrative load, I'd be interested to know who has seen a significant increase (once already set up) and why.
You're counting on an automated response mollifying users and being seen as reasonable by each of the EU's twenty-eight regulators. Perhaps that is true.
If so, a reasonable regulatory regime was produced. If it is not, or it is for a while and then one country decides to go ape shit, this was a bad law. Until we have more data there is regulatory uncertainty. Within that uncertainty is risk. That risk is unreasonable for non- or low-revenue generating projects.
Moreover, there is more precedent for such regulatory regimes becoming more, not less, onerous over time. That leads to incumbency bias, since Facebook and Google no doubt already have lobbyists for each of the national data regulators.
Over the course of a few years, doing these things might take up as much time as it would to learn a new language. For a side project, I’m not sure that’s a smart trade-off.
How so? Just build yourself a tiny tool that takes an email address or username and sends them their database entries along with the standard explanations about why you need that data.
For my side projects that will be around two hours per project and then 2 minutes for every request.
Or am I missing something?
You're assuming automated responses will satisfy requestors and, for the unsatisfied, be seen favorably by each of the twenty-eight national regulators, today and into perpetuity.
In any case, I got curious about your 2 hours / project + 2 minutes / request metric. One can achieve "basic fluency" in a number of languages within 480 hours [1]. We thus find a trade-off hyperbola [2]. For 1 project, after 14,340 requests you could have learned a new language. For 5: 2,820 per project. For 10: 1,380. At one request per day, that's under 4 years. TL; DR, even with optimistic figures, a significant toll is extracted purely for administration.
[1] https://blog.thelinguist.com/how-long-should-it-take-to-lear...
[2] 2 * Projects + (1 / 30) * Projects * Requests = 480
There's just a huge gap between people who viscerally understand making high-level business decisions and people who don't, and the vast majority of the writers and supporters of this law appear to be in the "don't" group.
There is where our expectations diverge. Do you really expect one request per day for a small side-project? Or even for a moderate start-up?
I find that astonishing. I admit I only have a few thousand users, but I've had a total of three requests.
Do you really think this is going to be a constant, relentless attack on your time? Do you really think that users of a service will constantly be sending DSARs?
I run a few closed services as side-projects totalling a few thousand users. I've received exactly three DSARs, and those are from people who wanted to see if I had processes in place. I'm very surprised that people think the administrative load will be significant.
But these are the underlying assumptions that can, and perhaps should, be explored. Broadly speaking, how many users will send in DSARs? One in ten? One in 100? One in 1000?
How long will it take to respond to a request?
We are talking about side projects. You do that as an hobby. Any minute spend on ANYTHING else than what you like to do is a minute lost for no meaningful reason.
(2) hobbies already cost time, money and effort, this adds a bit more to the time and effort factor, need not cost any money
(3) if you decide you can't operate your hobby and be legal then you always have the option to shut down
or
(4) you can shut off your service for Europe after removing all data on EU citizens that you have collected.
This is no different than any other regulation.
Just out of curiosity, how long did it take you to respond to those requests?
>But these are the underlying assumptions that can, and perhaps should, be explored. Broadly speaking, how many users will send in DSARs? One in ten? One in 100? One in 1000?
>How long will it take to respond to a request?
I don't know, but I do know that there are plenty of developers out there that would probably have a lot of trouble adequately responding to these kinds of requests. Particularly the people who might have some trouble with English, especially the type of English in these requests. I have no idea how those people are going to handle these situations.
Anyone to whom you are not providing a service should not have any data released to them, so they can get a simple "I'm sorry, you're not a customer, and I hold no data on you." response.
Anyone who is a customer and is sending vexatious requests - I'd refund them if appropriate and terminate their service. Especially for side-projects, you don't need the aggravation.
In my case people were genuinely asking about actual data, and I took the time for the first to respond "by hand" - it took about ten minutes. The second time I documented what had been done the first, and parametrised it. Total time was about 15 minutes.
The third time I ran the script by hand and checked the output. Total time was under three minutes. I'm pretty sure that after another two or three I can just let it run automatically. Time taken for subsequent queries? Probably none.
And I agree that for some people, especially those for whom English is not their first language, would have trouble responding in English. It's not clear that they have to.
But speaking about time taken, I'm now going to bow out. I've made my position and understanding as clear as I can. GDPR is here, and everyone can make their choice about what they do to be seen to comply. I wish you all good luck.
http://www.paulgraham.com/schlep.html
Deleting it if asked might be neither cheap nor possible, depending. What if he has an audit log in his system recording that foo@bar.example attempted registered, baz@quux.example wrote a record &c.? If the audit log is a secure audit log, it's not possible to mutate a record after it's written — but that's exactly what the GDPR requires!
So now he has to either allow his audit logs to be mutable (and thus no longer secure), or he has to e.g. use an opaque identifier for his users, which means he needs another database, his audit-log–viewing system has to perform joins between the logs & that database (which means that it will no longer be straightforward to view with tail(1) & friends), that join has to handle deleted users in some useful way, &c. &c. &c.
That's thought he has to spend on something he didn't have to previously. There's obviously no problem with that in the case of something that's essential (and several provisions of the GDPR are essential). The problem is when the GDPR is mandating something inessential, or — in the case of its mandate that users be permitted to rewrite history — outright wrong. He's being forced by the law to implement a misfeature.
It's somewhat similar to a law mandating key escrow: it imposes engineering cost to achieve a wrong end.
My reading, and the advice I've seen in multiple locations, is that in the case of immutable audit logs (and backups, for example), being immutable logs (or backups) would count as a legitimate reason to retain the information. It would be required to store the logs and backups securely, but that should be done anyway.
The requirement would then be to delete what's possible (which is what the GDPR says) and then not process whatever remains. In other words, it's mandating what is already good practice.
Can you not just have a checkbox that says "I agree not to use this service from within the EU." or something like that? Like, I don't even track IP addresses for my dumb side projects. I wouldn't know where to start with this.
> One requires transparency in gathering and using data in order to allow EU citizens to exercise their rights to personal data. Therefore, the General Data Protection Regulation sets forth a variety of information obligations.
American citizens don't may or may not have rights under GDPR, or may have rights only where the processing is done within European borders, but European citizens have rights under GDPR regardless of where they are.
If its client side encrypted its not Personaly identifiable information.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
Is a good starting point. Yes, you can refuse a request if it does not qualify but in this case there is more than enough meat to take it serious.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Step 2: Ignore letters about GDPR.
Alternatively, set up a form response to autosend whenever you get an email with some of those keywords.
There's an ethical and moral aspect here you're ignoring.
What about the pharma companies in India that copy American drugs (to the great benefit of humans worldwide)? US law does not rule in other sovereign nations.
You probably should not be making such blanket statements. Keep in mind that the companies that receive such requests may have substantial assets in the EU (or may even be based entirely in the EU).
This is akin to telling people to break copyright law because the courts are too busy to go after everybody and it could take years before it is your turn.
Disclaimer: We are a GDPR model company in Ireland. This means that we are implementing the mechanisms that the country is going to take as default for every other company. We had EU folks over here for months.
I'm assuming everybody responding to you did just that so this is a null statement.
> Disclaimer: We are a GDPR model company in Ireland. This means that we are implementing the mechanisms that the country is going to take as default for every other company. We had EU folks over here for months.
So it's do as I say, not as I do.
Please take a look at the full enforcement process:
https://ec.europa.eu/commission/sites/beta-political/files/d...
You don't have to take my word for it, this is not legal counsel, it is just reading the law before jumping to extreme conclusions.
If you give out that kind of advise and in such an unqualified manner you should not then follow up by saying that 'this is not legal counsel'.
A DSAR is a legitimate request under the law if you feel that this particular letter is not a legitimate request then you should address that with specifics.
The user requested to know if there were backups and if so how they are handled, which is a perfectly legitimate question, if only because quite a few breaches start with 'we've lost a backup and it wasn't encrypted'.
This could - but does not necessarily - fall under 'other supplementary information' but would require more context.
see:
https://ico.org.uk/for-organisations/guide-to-the-general-da...
Now, some of the requests in the letter are over the top but there is no harm in answering them. Not answering the whole letter is extremely dumb because you can't ignore a legitimate request because it asks for one thing that is not legitimate. Then you should just answer the remainder and lay out your reasons for not wanting to answer the questions you feel are not within the scope of such a request.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
As you can see, the letter clearly extralimitates the user's rights. So you can forward as many letters as you want but that's not gonna work.
Years of regulatory investigation sounds expensive. Furthermore, willfully ignoring regulators is a good way to piss them off. The only winning strategies here are (a) lawyer and lobbyist up and (b) block users in countries where you don't have (a).
https://ec.europa.eu/commission/sites/beta-political/files/d...
First you should receive an enquiry about yor DPA asking for the information they need and your processes, if they deem it necessary they will do an in-depth investigation. After that, they can reach a conclusion. Then if you are still not GDPR complaint, you will be fined.
In any case, the fines aren't the problem. It's the cost and distraction of going through this process. That cost is imposed irrespective of whether one is doing everything correctly. Responding to DPA requests, investigations, et cetera is a reasonable burden for a company like Facebook. For many start-ups, it may make sense to partition and/or delay their European roll-outs.
>> fines are an exception. There are other machanisms to protect the users
Fines aren’t the problem. It’s the cost and distraction of going through this process. Those “other mechanisms” are still costly and distracting, even if you did nothing wrong.
Big online marketing companies are looking at a variety of technologies to turn their user's into buying customers of their advertising customers both online and in-store.
Look at Facebook as an example with their dreadful user interface attempt to trick EU customers into opting-in to facial recognition technology.
https://venturebeat.com/2018/04/18/facebook-engages-in-priva...
But there's a good reason for this. The ability for stores to know who their customer is, what they buy and re-market to them is powerful, and incredibly creepy.
https://www.pymnts.com/facebook/2017/facebook-patent-facial-...
http://www.thedrum.com/news/2017/12/01/facebook-reportedly-d...
I now turn my phone into flight mode before I enter a high street store.
https://www.kaspersky.com/blog/offline-tracking-ads/16510/
GDPR is a good reminder to all companies that the individual user owns their data, not the company. I personally like this shift, which will over time make companies think about the business models they implement, encouraging us to have customers rather than users.
Edit: apparently not blocked, but still can't connect apart from via VPN.
https://webcache.googleusercontent.com/search?q=cache:QSStS_...
- do you believe generally, even for an “upstanding” company you’ve done business with for a while, that commercial entities can be trusted with your data?
If yes, you’ll see the template as overbearing and needlessly aggressive outside the context of some specific incident when a company proved to be untrustworthy. Especially if you operate a side project or business of your own, and believe you personally would not abuse consumer data collection, you’ll see it as rude in the best case, trollish resource wasting in the worst case.
If you’re a consumer with a general mistrust of all commercial entities, even “upstanding” ones, when it comes to data practices, or if you just happen to believe that the potential risks for data abuse or harm are too high to be offset by anyone’s good intentions or past good behavior, then you’ll see this as a reasonable template, perhaps needing a few modifications for differing contexts, and that jumping straight away to legalese boilerplate just has to be assumed necessary when dealing with self-interested commercial entities.
I’m hopeful some big corps will be heavily fined to set precedent and to ease concerns that GDPR is a mild form of regulatory capture intended to be misused (regardless of its wording) to asymmetrically inhibit new entrants and small firms.
Triage.
- which requests can we get rid of immediately?
- which requests are definitely legitimate?
- which requests are borderline? but will need work?
The boilerplate letters will - unless the boilerplate contains major errors - fall in the third category. It is my expectation that most enforcement in the first period will come from the second category, and in those cases where enough people each individually expended some effort on their complaint to the regulator.
Yes, you might modify the tone of the template for the context of that situation. But you might still use a template because you believe it gives you the best way to be sure that the request uses adequate language to constitute a properly formatted and comprehensive request (short of taking your draft request to your personal attorney and paying them for advice).
Your point is not wrong, but there still might be cases when someone satisfies both
(a) not basing their GDPR inquiry on a specific incident or mistreatment that they know of, only on general skepticism or due diligence to get a comprehensive understanding of how the data is used.
(b) still wants to use a template to have reasonable confidence it is a well-formed and comprehensive request without needing to pay an attorney to draft it or advise them on their own draft.
Perhaps proponents of GDPR should have considered this very obvious weaponization of the law...
Take into account the lengths to which companies will go to collect data, it stands to reason that in that context there is some balance to be found if a Data Subject makes a request about that collected data. If you don't collect data the request can be answered immediately and without further work.
At the monent the law is unenforceable
GDPR is super expensive to remain compliant, simply because of the broadness of the terms used, leading to undefined scope of liability.
The cheapest way to stay compliant with GDPR is to completely block access to EU customers. In fact, this is what I did with my business. I redirect to a generic text file (not even a HTML that could trigger a GDPR clause by itself) explaining my stance.
The rest of the companies threatening to block the EU are seriously overestimating their importance.
If you want I can research the matter in more detail, someone else came up with federated sites like Mastodon nodes and that's another pretty gray area.
> I am little Joe running internet forum about space battles with maybe 5 active users right now and no more than 100 active members historically.
Ok.
> Should I sign data processing agreement with Google because I am using Gmail to send E-mails?
No. You could try to stretch the law to include that particular example but from my reading of it this is perfectly acceptable.
> Should I hire DPO?
No, but you are the de-facto DPO, so if you receive a DSAR then you probably should answer it, though with your user counts I think the chances of that are very small.
> Am I risking my house being taken from me to cover multimilion fine because user posted their photo or e-mail 5 years ago and I’ve missed it because I don’t delete user-posted content together with their account?
No.
But if a regulator should tell you that you should remove a users data (because you refused to for some reason or other) you probably should. The EU does not 'fine first and ask questions later', they will investigate first, warn and then when ignored they will fine. And for a small entity like yours which is more of a hobby than anything else I highly doubt regulators would even bother but you can't rule it out completely. Better increase you comet insurance as well if that's your main worry :)
I think that we might have this view about it right now, but I could easily see a scenario, where somebody targets you for "harassment" through something like this. Maybe you say something somebody else doesn't like on Twitter and they do that to you.
> You could try to stretch the law to include that particular example but from my reading of it this is perfectly acceptable.
But I should still note about the fact in my privacy policy, shouldn't I?
Couple other things I've noted when working on GDPR compliance for my forum:
- It may be good idea to write in your forum rules that you don't allow users to embed their data outside of forum profile. - Forums accumulate tons of lurker accounts (users that register account but don't post or browse anything) that could be automatically deleted - Forums like to log IP's used by users when they, say, post messages. Those could be overwritten to 0.0.0.0 for items older than X days.
I've also been working on privacy policy template for people in my position that I have on GitHub and would love to have any feedback:
https://github.com/rafalp/misago-privacy-policy-examples/blo...
Yes, I would disclose any third party that sees all or part of the data, and I would also disclose what reason there is for me to make use of that service.
> I've also been working on privacy policy template for people in my position that I have on GitHub and would love to have any feedback:
I will do that, but not right now, wildly busy today, but if you drop me a line (jacques@mattheij.com) I promise I will do that within the next couple of days.
The GDPR requires that the DPO must be independent from the organisation, so you can't be 'your own DPO'.
On the other hand the DPO is only required when sensitive or large quantities of data are concerned.
Your literal reading of the law is right but your practical implementation will still have to fit the available maneuvering room and no DPA - one would hope - would insist on bankrupting half the SME's in their country.