533 comments

[ 2.8 ms ] story [ 358 ms ] thread
Overbearing legislation applied by unelected representatives is being abused. If only there were technical solutions provided with an assumption of goodwill instead of 88 pages of mandates without such an assumption.
Assumption of good will is a trap that naive people fall into. If someone can take advantage of something, it will happen.
> If someone can take advantage of something, it will happen.

As demonstrated by the troll in this very situation, right now (assuming the filer is actually a troll).

Completely agree in general. It's a probability thing, given enough traffic all possible events happen. That said I do not understand how these mandates protect anyone.

The bad actors are still going to be bad and lie about it, the honest actors just got burdened with some of the worst legislation in recent history without it even coming from our elected officials.

It's dangerous and I don't care for having to backtrack through years worth of projects in use and figure out how they can each be GDPR compliant. It's a tax on creators time and is imo one of the worst possible things legislators can do to an emerging space (as all software is).

> If someone can take advantage of something, it will happen.

Who do you think can take advantage here?

Legislation is usually applied by unellected people. Judicial independence is usually seen as a good thing. Perhaps you mean that the law was enacted by unellected people, which is also incorrect of course? So now I don't see your point at all?
I'm not in the EU but must comply to their regulation.

The internet at it's base abstraction is a borderless medium without regard to locality. Imposing legislation by user region is a dangerous precedent as each region can now impose fee-seeking legislation on internet companies.

So what do you propose no laws at all for the internet? Or each jurisdiction makes orts own law? In which case would the US mind getting the hell back inside it's borders and stop trying to extradite British teenagers who alledgedly broke some 'hacking' law?

Sounds like Team America again.

The government's of the world are struggling with internet jurisdiction issues, currently the US is taking the stance that any act against their companies is a US matter, whereas the EU is looking at abuse of its citizens is an EU matter. Weaker states have no recourse at all. I find it hard to judge that the US stance is ethically better than the EU's

Any solutions should come from first level engineering principles not lawyers and politicians. I don't care if it's US prosecuting a kid for hacking, companies storing and losing information on people or a space shuttle exploding. The problem lies in the failure of software and the solution should be in software.
The law has been proposed by the European Commission who is just nominated not elected.
The European Commission's members are sent there by the national governments. Elect another parliament/government if you don't like who yours did sent.
That’s like saying if you don’t like a police officer then elect a different city council. Parliament members don’t campaign on who they’ll nominate to the EU commission. Brexit can’t come fast enough.
Thank God for the Queen and the Lords eh?
It's easier to vote "yes" in an quit the EU referendum than what you suggest. Which is what the Brits actually did. The former works while the latter doesn't.

We don't elect governments over here, just Parliament and President.

Proposed by the European Commission, yes, but it also had to be passed by the directly-elected European Parliament.
Proposed yes. Just like in the UK un-elected civil servants propose all kinds of laws and regulation. Just like with the EU commission you only get to propose laws. The council of ministers (heads of states for EU countries) and the directly elected EU parliament actually get to enact regulation.

Being able tho propose a law is not ther same as enacting a law, and is not the same as applying a law which is what the parent comment said.

(comment deleted)
Hurr durr who cares about privacy anymore.
How are the representatives "unelected"? The European Parliament is elected every five years by the citizens of all EU member states and voted on the GDPR in 2016 after long talks. Some even say that the GDPR is not hard enough.
The GDPR was passed by the European Comission, not the EP. Members of the EC are appointed, just like ministers in governments. But governments can only pass time limited decrees which then have to be signed into laws and voted for in Parliament. The EC which can pass binding regulations that apply indefinitely.
I think you mean "proposed" instead of "passed" - "passed" is usually used to mean "passed a law"

The commission proposes legislation, the council & parliament pass it

(comment deleted)
You are wrong.

The GDPR was formally proposed by the European Commission, but it then went to the European Parliament (where it was amended). If the European Parliament had voted against it then it would have never become law.

You do realise that the European Parliament is directly-elected, right?
Not by me and I do not consent. My consent does not matter, unfortunately, I must abide. Governments are good at that.
I'm a little confused. Who is sending compliance requests? If it's not the ico, there's rely no problem. If it is the ico, ask what needs to change. No lawyers required.
> No lawyers required.

Phrases like this just sound weird to me. If there's a risk that someone could sue you over something, from a business perspective I have always been taught that you avoid it, period, until you get a lawyer.

I wonder if this is a cultural difference between the US and EU? Might explain some of the different reactions people have had to the legislation.

>If there's a risk that someone could sue you over something, from a business perspective I have always been taught that you avoid it, period, until you get a lawyer.

Bad news: If you have a business, people can attempt to sue your business for whatever they want, and you might have to defend against it. There is nothing on the books that says lawsuits have to be reasonable before they can be filed, only that people who abuse the legal system get punished AFTER a court decides they're a moron.

Not just businesses. Anyone can get sued for any reason. If your blanket policy really is “I won’t do anything if I risk getting sued” you literally can’t even leave your house.
Eh... this is way overstated. You don't have to be a lawyer to file a pretty solid 12(b)(6) motion, which gets you through the obviously idiotic suits. I'd rather file one of those than do GDPR compliance documentation.
Despite all the bluster to the contrary, in the US we avoid accepting responsibility for our actions at all costs. To the point that business schools now effectively teach that the correct strategy is to put your fingers in your ears, and yell "la la la" until somebody actually smacks you.
The legal climate here is different. If you accept responsibility, you will be sued, by victims for possible monetary losses and/or by prosecutors for possible criminal liability. If you stonewall, you might get sued for (see previous) but you might not if it's too expensive.

I don't know if it's a social thing or a legal thing or some combination or what, but apparently it's harder to sue in other parts of the world.

It's not harder, just less profitable.
Which business schools are those?
Harvard Business School and its wannabes.
Give me a break. HBS does not teach students anything remotely close to ignoring problems and never taking responsibility for your actions.
>If there's a risk that someone could sue you over something

That seems like a pretty broad policy... someone could all the time for any reason no matter how good a reason.

Sure, it's not black and white - it's a scale. We don't lawyer up for literally everything. But we do lawyer up for a lot of things.

It's sort of like the "never roll your own security" advice that gets brought out when people ask questions about crypto. To a certain extent, yeah, we do have to roll our own security. Of course developers need to roll their own stuff, at least at the integration level.

But as soon as it gets even slightly dangerous, I'm not going to be doing, say, my own XSS filtering. I need a vetted library at that point.

I've been taught to think of the law the same way - you don't roll your own legal advice.

In Europe you don't get big fines for no good reason. And if you've attempted to comply you'll most likely get a warning first.

So why not roll your own?

> If there's a risk that someone could sue you over something,

Which bit of GDPR introduces that risk?

Maybe sue isn't the correct term, but you are talking about potentially a 20 million dollar fine.

I'm being told that the EU would never pursue that with a small business and they'd just tell you what you need to fix.

That also sounds weird to me as an American. I'm not saying it isn't true, just that it's not the way I'm used to thinking about laws.

European law tends to talk about the maximum available penalty under the worst possible situation. It then gives a list of factors to be taken into account. I'm not sure why that's a bad thing.

Look at the US COPPA, with potentially $41,000 per violation. Why isn't this more scary for American website operators? https://www.ftc.gov/tips-advice/business-center/guidance/com...

> A court can hold operators who violate the Rule liable for civil penalties of up to $41,484 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. Information about the FTC’s COPPA enforcement actions, including the amounts of civil penalties obtained, can be found by clicking on the Case Highlights link in the FTC’s Business Center.

I mean, any US website that's compliant with COPPA should find GDPR to be a doddle.

https://corporate.findlaw.com/law-library/ftc-imposes-larges...

COPPA is frightening to web operators, at least in the abstract. The majority of web services online at least make a cursory effort to either ban users under the age of 13 from accessing the site or force them to give parental consent. Technically speaking, if you're under 13 you're not really supposed to be on sites like Twitter.

The equivalent reaction for GDPR would be if everyone either started making half-hearted efforts to block European users (which isn't what EU wants), or if everyone forced all of their users to agree to the same data collection before they signed up (which as far as I can tell is not legal).

From the law:

> However, an operator of a general audience site or service that chooses to screen its users for age in a neutral fashion may rely on the age information its users enter, even if that age information is not accurate.

This line is basically the entire reason why COPPA is generally not seen as a problem for US businesses.

> ..started making half-hearted efforts to block European users (which isn't what EU wants..

Are we sure about that? GDPR seems like a gift to European startups who don’t like American competition. BlaBlah car in France got huge, incidentally right around the time the anti-Uber hysteria in France reaches a peak. The sale of Daily Motion to Yahoo was blocked by the French government under ridiculous national economic interest grounds. Europe loves tariffs and trade barriers and they have a history of “protecting” the public from competition. Try shipping spare parts for a child’s stroller to France — I was taxed at 50% — the tax even applying to the shipping fee, not just the parts. My dad made the mistake of sending kids clothes to my kids with the tags still on them — $100 worth of clothes cost me €65 in duties. When I ship small amounts of stuff to the US, I literally have never had to pay a tax. The EU loves protectionism. Farmers literally set fires and throw rocks when Spanish wine crosses into France and the authorities don’t prosecute a single person. Now that EU countries have a bunch of lotteries tickets with American tech companies, the governments are likely foaming at the mouth with excitement over fining American companies. And, sadly, many people in Europe actually think this is about privacy.

Blablacar has a different business model than Uber and Dailymotion is now useless because of government intervention.

American startups have less to worry about than european ones, they have their non-GDPR market to address and grow, and we'll see in the future if extra european companies get fined (AND effectively pay) because of GDPR

BlaBlaCar is about carpooling, it is not a Uber ripoff, but you'd know that if you had travelled once to Europe. It is about different values - solidarity, ecology, social relationships - than just underpaying the guy-next-door to do anything you're willing to pay for with your smartphone.

Otherwise the only person that seems to be "foaming a the mouth" is you, in this ridiculous Murica rant.

Do I need to remind you that your country is just starting an economic war on the rest of the world with illegal customs taxes ? Also, enjoy getting scammed by your own ISPs now that net neutrality effectively got cancelled on you.

You don't realize how little Europeans care about your precious American tech companies, and more about values such as not being the data points of international megacorps with shady business practices, or low-end programmers ready to milk people of all their data just to install a phone game.

I have to point out that blablacar is not about solidarity, ecology or social relationships, to the contrary actually, it's about being a vampire draining money from solidarity and ecology and market domination.

I mean carpooling was about solidarity and ecology, then blablacar seized the market and turned it into "no mobile phone, no credit card, no access to carpooling", "give us money first". I used to carpool before blablacar and many times I did not ask that much money or even no money at all, sometimes I got barter out of carpooling. Or the other way around, people enjoyed my company and refused my money. Now this social link is over because everybody is using blablacar and blablacar requires expensive upfront payment.

I hate how blablacar turned something that was about helping each other and bringing people together into a capitalist profit making venture aiming for world market domination.

> I have to point out that blablacar is not about solidarity, ecology or social relationships, to the contrary actually, it's about being a vampire draining money from solidarity and ecology and market domination.

So you just hate it because it's a company and it's making money. Right ?

> I mean carpooling was about solidarity and ecology, then blablacar seized the market and turned it into "no mobile phone, no credit card, no access to carpooling", "give us money first".

BlaBlaCar single-handedly created the huge carpooling market that now does exist in France for example. They didn't seize the market, people gave it to them. There are still other carpooling websites which you can use, and carpooling panels in events are still a common thing.

Up-front payment, not directly giving out people's phone number : you pretend this is bad practice, but this is exactly the security that was needed to bring the masses to carpooling, and as a matter of fact it did.

You seem to dislike that people would be ok in a win-win situation, where they both get paid for their expenses, and are happy to chat with other people while doing a small move for the planet. This is what's happening.

> I hate how blablacar turned something that was about helping each other and bringing people together into a capitalist profit making venture aiming for world market domination.

This is truly misguided. The opposite equivalent to my parent, but now with an anti-capitalist idealistic view of the world. Do you not see that? People are not into this ideological warfare of yours. The "world market domination" ... of carpooling? Do you realize how ridiculous that sounds?

Please find a mindset where you are able to leave BlaBlaCar be. Seriously, these are people too, and they are providing a great service. And I'm worried people, just like you do, are too prone to ranting on companies for all the bad reasons. The very reason you're using the excessive word hate, to me, seems to prove you're personalizing the entity and are a bit out of the rational realm in your claims.

I have no problem whatsoever with a company making money. But here we're talking about a single company in a close to monopoly situation and who uses its position to dictate its rules.

I think you are misremembering here, when blablacar started and was called covoiturage.fr there were a variety of other carpooling websites, some having been around for several years notably covoiturage.com. At the time carpooling through websites was on the rise and many competitors existed (123envoiture.com, easycovoiturage.com, vadrouille-covoiturage.com, and more), all were free to use. I remember because I was an active user of pretty much all of those sites. covoiturage was one website among others and not the most popular, then came Frédéric Mazzella who bought covoiturage.fr and create a company Comuto to operate it with the intent of aggressively capturing the carpooling market.

first step was to offer the service for free and build a community around it while buying the competitors, next step was to push the remaining competitors out of business with the network effect and use the fear card to position blablacar as a unavoidable middleman (so people could not communicate directly and strike a deal outside the website as was the usage until that point), then pivot from free to paid for. Last step is domination of the market and increasing prices to very expensive as there is no competition as Mazella explained in an interview:

"Pour l'instant, seul les services Français et Espagnol sont payant, pourquoi ne pas toujours commencer avec le modèle économique ?", Kevin Deniau.

"Tout est un problème de masse critique et d'absence d'offre de covoiturage", Frédéric Mazella.

F.Mazella n'a pas souhaité dire que le passage en mode gratuit de Blablacar est uniquement pour capter l'attention des utilisateurs et qu'une fois le marché écrasé et dominé sous couvert de gratuité, le système payant se mettait en place. Ce fut le cas en France de manière progressive pour faire passer la pilule et c'est la même chose en Espagne, où la fronde s'organise petit à petit. https://blogs.mediapart.fr/evenstrood/blog/110714/covoiturag...

I'm not saying anything about bad practice (good or bad is a relative notion), I'm saying that blablacar destroyed the social component of carpooling to turn it into an economic one. That blablacar put artificial barrier preventing people who need carpooling the most (people who cannot afford a smartphone or a credit card) from having access to it.

I've been doing carpooling for years and had no issues with cash payment or direct contact with other users, but suddenly blablacar marketed these as undesireable and risky and pretended there was a need to move to less freedom for more security by making them the unavoidable middleman and upfront payment, obviously the need was actually on their side and was about putting them in position to maximize profit.

And I'm not alone to have noticed this, this is quite common knowledge [1][2][3][4][5]. It's around that time that I notice a change in carpoolers, before all were people going from one place to another, now appeared people with no need to go from A to B with large vehicles taking as much passengers as possible to make as much money as possible.

You may think this is win-win situation, but it's really not[7] (also the testimony at the end of [2]), it's a business as usual situation where capitalist parasitic company turning something desireable into an economic commodity/convenience [8][9]

we'll have to agree to disagree on me despising blablacar for what they did as being misguided. Frédéric Mazella knows well what he did and he dit it on purpose with intent. I do realize how realistic and sad it is that a capital...

I had read [1] to [4] (maybe [5]-[6] too, but I don't remember) when they were posted, and I did think at the time that BlaBlaCar was a bad thing. But these are only blog rants, and I shortly changed my mind after that. I perfectly remember the (IMO) shitty UIs all carpooling websites had at the time, and I do remember people being doubtful about it in general. I was too. Now, there's nothing less common than carpooling, and you have to admit it serves ecology well. This is one of the things those blog posts couldn't or didn't see, four years ago.

[7] is a collection of problems people encountered. I had read a few of these long time ago, and re-read them now : these seem to be situations any service linking people together would encounter, and I don't see how any other website could avoid those entirely.

[8] I can't read; [9] is quite general.

> I've been doing carpooling for years and had no issues with cash payment or direct contact with other users, but suddenly blablacar marketed these as undesireable and risky and pretended there was a need to move to less freedom for more security by making them the unavoidable middleman and upfront payment, obviously the need was actually on their side and was about putting them in position to maximize profit.

You are personnalizing BlaBlaCar as a sneaky fox whispering into people's ears, playing on their fears and need for security. BlaBlaCar's position was the result of people's acceptance of their services in free will. You cannot change that. Also, it is very clear in some of your links that BlaBlaCar targeted the conductors (this "critical" mass) with economical incentives in order to bring the market to the next level, which, again, succeeded like nothing had before. I'm not sure destroyed is really what would describe their rise if you take a broader point of view.

> I'm not saying anything about bad practice (good or bad is a relative notion), I'm saying that blablacar destroyed the social component of carpooling to turn it into an economic one.

You are appealing to relativism, and then clearly implying that social and economic components are mutually exclusive, and I'd go as far as to say you also implied which one is evil and which one isn't. I just wanted you to notice that.

Also, it's not because something isn't free that you have to be an ass about it and that it's not social; and the inverse is also true. That's not something very common in France, but you can actually charge people and, at the same time, give them a good social experience.

> That blablacar put artificial barrier preventing people who need carpooling the most (people who cannot afford a smartphone or a credit card) from having access to it.

There are no people who need carpooling the most. Everyone needs to travel around for cheap money. It kinda feels like virtue signaling from your part to imply that you think about the poorest users, as if the person talking to you wasn't.

Also, this is quite untrue. On Leboncoin you will find older or used smarpthones from 10 euros, to 100 if you want fancy ones, while the cheapest phone plans, including internet, start at 2 or 3 euros a month. This extends worldwide with 3 billion smarpthone users in the world [1]. The magic of capitalism...

Technically speaking, to counter BlaBlaCar's existing monopoly on carpooling users, you'd have to create an open-sourced meta-platform for carpooling where people can register, and choose to use either BlaBlaCar as a middleman (that's what they do best), or not, or any other company or system that has been built to do just that. Over time, you would acquire an open database of carpooling users, which would serve for the greater good. This, and only this, improves free choice and resources efficiency, without the abuse that might come from a centralized platform such as BlaBlaCar. In my opinion, destroying or hating the business that built this carpooling community (I&...

Let's look at the timeline to check your claim about blablacar vs Uber:

blablacar exists since 2004, it was first covoiturage.fr and had became the market leader in France in 2008, in 2009 the began opening services in foreign countries, in 2011 the bought main competitor which started in 1997 and are confident that their market domination allow them to pivot from free to taking a 20% commission.

january 2012, Uber launches in France.

in 2013 they change their name to blablacar so it's the same name in the 10 coutries they operate, uber grows to operate in two cities in France.

2014: uber grows to 6 cities in France, blablacar adds ukraine, russia, brazil and gets 100 millions funding to tackle world market and now transports 1 million people per month.

2015: france his 2nd biggest market for uber in Europe with over 500k users per year, blablacar buy German competitor Carpooling, Hungarian competitor AutoHop and Mexican sart-up Rides now totalling 20 millions users in 19 countries and rises 200 millions to speed up world market deployment. UberPop is forced to suspend operation due to operating illegally by evading legal obligations.

2017: uber still operates illegally without a licence and European Court confirms the UberPop suspension while also confirming that Uber is a transportation company and has to follow laws and regulations.

As we can see here, by the time Uber arrived in France, blablacar had already seized the french market for quite some time, blablacar operates lawfully while uber evades legal obligations and kept at it despite repeated warnings which is probably the reason why it got into trouble.

And this is coming from someone who strongly dislike blablacar.

Then again if US tech companies paid their taxes instead of engaging in heavy tax evasion (hello apple, facebook, amazon, google, ...), and respected local laws maybe they would not get so much flak.

Surely US law also has fines proportionate to what has happened. E.g. EPA has hit large companies with multi-million fines for systematically polluting water over a long time, but if your small company makes a small mistake that's not the same. GDPR explicitly has a list of criteria to assess when determining the fine, and there's no reason to believe courts won't hold regulators to that.

For past experience with German privacy regulators (as an example, since our old law was fairly strict too), I'll quote a recent comment of mine:

From what I know, the German DPAs (they are organized on state level) hand out like 2 fines per month each, generally way below the maxima (under old German law, the max was 300000 €), and concluding the majority of cases without a fine. E.g. from the Bavarian DPA (german doc: https://www.lda.bayern.de/media/baylda_report_07.pdf, page 151):

in the years 2015-2016 they had 173 proceedings that involved potential fines. 52 of those resulted in fines. 34 of those fines were <1k€, 13 were <10k€.

(comment deleted)
Well, I'll operate under the assumption that EU posters know EU governments better than I do :)

If that's the case then I suspect you'll see fewer companies panicking over time. It may just take an adjustment period for companies to realize, "Oh, this legislation isn't actually filled with hidden land mines."

I posted this above, but the old maximum fine from the ICO was £500k which was never used. The same people worried about being put out of business by the $20M max I guess were okay with close to the ~$750k max? For a lone website operator the new maximum is effectively no different than before.

https://government.diginomica.com/2017/08/10/ico-maximum-fin...

Even in the worst case scenario you have the option of going out of business and filing for bankrupcy if you are incorporated in the EU and do get hit by a 20M fine. The EU can certainly try to take that amount from the company, but if it's a Ltd. or Gmbh. or equivalent its liability is limited by its shares.

Or you can incorporate outside of the EU (Guernsey or soon enough the UK perhaps?) and ignore the GDPR. At which point we'll just wait and see if the EU has any teeth outside its jurisdiction and how it will enforce this law.

The only way to get hit by a 20M fine is to do something really wrong on a very large scale and ignoring warnings and refusing to fix it.
Only regulators will have the standing to give fines. Don't think anyone can sue.

It's like you're driving too fast on the highway, but if it's just you mom complaining and not a police officer you won't get fined :)

- that said, we should all respect the speed limit, they are there for a reason.

in the EU you cannot get huge amount of money out of nothing, fines are limited to the extent of the damage. So basically much less legal action in the EU and needs for lawyers.

Bigger companies do have legal teams, but smaller one can operate without ever needing a lawyer.

> > No lawyers required.

> Phrases like this just sound weird to me.

Are you from the USA? Because my best guess is that that's why it sounds weird to you. I almost sued a company (they paid just in time) and even then wouldn't have looked for representation, let alone for issues like these. Just read a blog post or two about GDPR. No lawyers required.

The owner of the forum received the "Nightmare letter" [1] which he is legally obligated to respond to, which as an open source project does not have the resources to be able to respond to them.

[1]: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...

To answer that letter takes maybe 5 minutes for a simple forum operator.
I host a standard FluxBB forum on a stock Debian apache server. Can you please spent 5 minutes to answer that letter for me?
I don't want to. It's your forum. Your responsibility.
Open source is totally unrelated to the matter at hands here. Any small operator is having limited resources and GDPR has been thought to allow everyone to answer requests.

It gave 2 year to get conformity to something which has been effective since 1995 through a European directive. The forum owner decided to ignore this a do nothing, now he's confronted with the consequences of his choices.

But again his reaction is akin to a knee jerk reaction as he is probably in capacity to answer the request while outsourcing to a third party does remove his responsibility and obligation to answer GDPR requests just now it's gonna get a bit more complicated as he has a third party into the loop which is probably not complying either.

The forum owner wasn't getting "compliance requests" he was receiving "subject data access requests".

Those requests can be:

- Please give me all my data

- Please delete all my data

- Please stop doing things (processing) my data

Or some mix of all the above. A site owner (controller) has 30 days from receiving such a request to respond or the person making the request can report them to their Supervisory Authority (ICO is the UK Supervisory Authority, each country in the EU has their own).

So it looks like having a script to delete all user's data can get you out of trouble with any of these letters.
But it's important to remember the GDPR doesn't give users a right to have all data deleted on request. Processors only have to delete data in certain situations.

For example, if you told the user why you collected the data, and you're still using it for that purpose, and you have a legitimate need to continue to do so then you don't need to delete the data. And there's an extra exemption for "exercising the right of freedom of expression and information".

https://gdpr-info.eu/art-17-gdpr/

- Please tell me all the data you have on me

* furiously delete all user's data *

This is probably gonna get you in much more trouble than you could have been initially. For example France has law telling ISP they have to collect and retain customer data and activities for a year to able to retroactively identify who did what online at what time, failing this is not a matter of a report that could lead to warning and then to a fine but years of jail time instead.

The GDPR specifically says you don't have to delete the data if you are legally required to keep it for other reasons. Most often this is financial data, but there are plenty of other examples.
Have you ever ran a business that, uh, intended to scale beyond one employee and a hobby website? I've never seen a company be threatened with some form of legal attack and not get lawyers involved. Especially with such a new law like the GDPR that has no judicial precedences upon which to build business processes. I've been in companies as small as 4 people, and we still had lawyers on retainer for stuff like this (copyright violations in user hosted content was a big one before GDPR).

If you can completely distill a binder of a legal framework down to an "if this then that else this" sentence, you don't understand it, and your hubris is going to kill your company. If you think the correct response is "don't respond, wait until it escalates", you don't understand it and your hubris is going to kill your company. If you're doing anything worthwhile you're going to be bumping up against some law or another, and you can't just ignore it and you can't afford to not understand it. That's why you pay lawyers.

GDPR is not new law, it's a mean to enforce a European Directive from 1995. Also there are several privacy precedents in the EU, for example max schrems.
Is it legal to publish the name of the requestor? Name and shame?
Under the banner of "transparency"!
> The sad thing is that one email came from the co-founder of a Startup out of Germany.

They should definitely name and shame them.

Yeah, let's not start giving people bad ideas here, m'kay? If you want to do some internet idiocy, do it yourself.
Having lived in Germany, "Co-founder of a Startup out of Germany" conjures up the image of one of the many economics-degree-holding bros who strut around and "network", bullshitting everyone (themselves included) that they're going to be the next Zuckerberg.

Then again, my remote impression is that Silicon Valley isn't that much different nowadays.

I'm not a lawyer, but I do think he should have totally posted the letter, without redaction. We don't have enough context here.
If you post it, you'll get your own letters from him demanding you forget him or be in violation of GDPR.
Well, if the owner of the forum is receiving request e.g. to delete accounts or to disclose what data is recorded about someone, why not just comply with the request? What's the big deal?
If I ran a forum for a number of years, and a person decided to close their account, that'd be fine. But if they then said that I need to remove _all of their posts_, that's really shitty.

It would destroy the usefulness of a forum.

How does GDPR affect people in other countries with no interest in doing business in Europe? If I host a forum in the US and you ask me to remove your posts and I tell you where to stick it, what legal consequences might I face?

Erm, asking for a friend.

As much as I dislike Donald Trump, I am willing to hold my nose here and suggest encouraging the Trump Administration to go full MAGA and direct Congress to pass laws explicitly stating that no foreign judgements or fines may be enforced on US citizens.
I think we understand where you're coming from, but as written this is incredibly ignorant. You're essentially rejecting all international law (copyright, patent, tax, etc).
boom.

1000% increase in foreigners moving/ starting technology companies in the US.

seriously tho. great idea.

Yes, and then they just wait until you show up on their soil (say, on vacation) and arrest you then.

Remember Assange? He's fine as long as he stays in the embassy, but step into the back alley for a smoke and he's off to the hoosegow.

(comment deleted)
Maybe you do business with someone that does have a footprint in the EU? They can put the screws to them I guess.

I imagine visiting an EU member would be unwise as well.

If you aren't in the Union, it applies to you if either [1]:

(a) you are processing data of data subjects who are in the union related to the offering of goods or services to such data subjects, or

(b) you are processing data of data subjects who are in the union related to monitoring of their behavior as far as their behavior takes place within the Union.

If you can avoid both of these, then I believe you can pretty much ignore GDPR.

If you have "no interest in doing business in Europe", it should be easy to avoid falling under (a). Recital 23 [2] discusses what it means to be "related to the offering of goods or services" to data subjects in the Union.

It means that you have to envisage offering services to such people. The mere accessibility of your website to EU people, or having an email or other contact details in the EU, is insufficient to show such intent. If you offer your website in EU languages that are not generally used in your non-EU country, accept EU currencies, mention your EU customers on your site, and things like that, will strongly suggest you are offering them goods and services.

What monitoring of their behavior means is discussed in Recital 24 [3]. It basically means tracking a person for profiling or analyzing or predicting their personal preferences, behaviors and attitudes.

Most sites selling things to end users probably don't need to do any such behavioral monitoring. If you do, just do a geoip check and exclude EU IPs. If you aren't trying to do business in Europe you probably want to do that anyway, because EU visitors are just noise in your data.

[1] https://gdpr-info.eu/art-3-gdpr/

[2] https://gdpr-info.eu/recitals/no-23/

[3] https://gdpr-info.eu/recitals/no-24/

geoip based blocking is wrong. An American customer can be travelling in Europe and be blocked while any EU citizen can use a proxy or VPN to workaround your geoip block.

If you can live with infuriating a small portion of your customers while have a protection that can be circumvented in a matter of seconds then geoip block is what you want, otherwise ...

It's an efficient way to protect yourself from the regulation. You don't need to prevent Europeans from using your site, you just need to be able to say reasonably that you don't intend to operate in the EU.
As wan23 already noted, the purpose of the geoip block is to help establish that you are not offering goods or services to data subjects in the Union, in order to not fall under GDPR territorial jurisdiction (see Article 3).

Yes, that will also catch some of your existing US customers when they travel to Europe. However, you may actually want that, because the GDPR does not talk about EU citizens. It talks about data subjects "in the Union".

I haven't seen anything about what makes someone who is physically present in the EU count as being "in the Union" for GDPR purposes. One who wants to be cautious might want to count anyone physically in the EU as being "in the Union" for GDPR purposes until there is definitive guidance otherwise.

Yeah that's an interesting question about the line for GDPR and the right to be forgotten. If a user themself posts text onto a forum, I wouldn't consider that private information. If it's not private info, I wouldn't think they should be able to legally request it be deleted. That would be almost like an editor of a wikipedia article asking that it be removed. I wonder how GDPR applies.
Gdpr doesn’t have a clause for voluntary, required or accidental sharing.

If a user publishes on your forum he has disabilities, congratulations, under gdpr you just leaked user personal data of the worst kind.

> If a user publishes on your forum he has disabilities, congratulations, under gdpr you just leaked user personal data of the worst kind.

I'm really not sure what people think they're gaining from posting these wildly inaccurate GDPR comments.

I agree, the amount of FUD and fearmongering related to GDPR is quite impressive, even here on HN. It seems people who don't like GDPR are trying their best to make it look diabolical as if this would make it go away.
No, you do what's necessary to fullfill the service you provide to the user: they wanted to publish a forum post, you store and publish the submitted data as is necessary to offer this. That's neither a leak nor forbidden.
Actually text posts can be used to personally identify users, given you have access to enough written words from this person to build a profile of their writing style.

It's been used to track and identify people. IIRC it's also been used in attempts to impersonate people.

So one can argue that text posts are personal data that can be used to identify them, but I suppose this is the kind of thing that is up to the court to decide.

I guess posts are considered 'User Generated Content' which I think falls under the directive.

Does that also mean then that quoted content counts? What if another user merely copies/pastes text someone said into their own reply (like you have to do on HN)?

> But if they then said that I need to remove _all of their posts_, that's really shitty.

Why do you think GDPR forces forum owners to delete posts? Which bit of GDPR do you think introduces this requirement?

In order to reply to your questions, the mark would have to study the GDPR one way or the other to answer them.

That by itself is way too much hassle.

Well, yes, if someone has no idea what's in GDPR they're probably going to be more fearful of all the bullshit being spread about it.
It would certainly be interesting to quantify how much money has been spent just trying to understand it
Well the burden of proof lies on the person who makes the claim. otherwise it's an unsubtantiated claim that can be discarded without evidence.
In that sense, is hn not GDPR compliant?
From what I've seen of the policies in other forums: If they posted actual personal information, admins will edit it out on request, but in general they don't consider posts that don't contain anything identifying personal information and will keep them.
> If I ran a forum for a number of years, and a person decided to close their account, that'd be fine. But if they then said that I need to remove _all of their posts_, that's really shitty.

> It would destroy the usefulness of a forum.

Couldn't you just anonymize their posts, for instance by updating their username to something like "Deleted User"? Wouldn't you be fine as long as there wasn't anything left to link them to their real identity?

What if some used quoted another user without the quote function? Or took a snippet from a user as forum signature?

Those are easily handled but still if you are a hobbist it’s just too much hassle.

I asked something similar in the Instapaper story:

A general question for the GDPR experts: If user A does a request of their data and user B added a page their Instapaper account that had user A listed, does that page have to be included in the response to user A?

I didn't get an answer there. It is basically the same scenario of one user referencing another.

Are their posts personal data though ?
From one of his responses in the link "I do appreciate the links. The gdpr documentation is quite long and I lack the domain expertise to read and comprehend the document in full. Perhaps this is cultural, since the United States is a very litigious society, but I would not feel comfortable accepting liability for gdpr compliance without consulting an attorney. It is also unclear how I am expected to respond to DPA execution requests (what the hell is a DPA request?), which I have already received, and what penalties I could face if I fail to provide a sufficient response. Overall, it just seems like outsourcing to StackOverflow or Google Groups makes more sense. This way I can focus my time on making Drone better, as opposed to becoming a legal expert"
I think you are right about one thing, the misreading of European law that comes from living in a litigious society. Just act in good faith and GDPR will not bite.

  Just act in good faith and GDPR will not bite.
Do you have $20million to make that gamble?
Nobody will fine an open-source project that amount of money. The goal of GDPR is not to bankrupt anybody but to nudge them into compliance. If you aren't maliciously handling user data, you are not a target of high fines.
Then why does the law not have this an an exemption?
Have what as an exemption? Not applying GDPR to small-time open source projects? Being open source doesn't suddenly make it fine to mishandle users' information.
GDPR has exemptions built in but being open source project is not one.
20 million is the max penalty for repeat offenders. See article 83 about fines being proportinate to the offense: https://gdpr-info.eu/art-83-gdpr/

This is a european thing, if any law says $x is the max fine or alike, then for a first time offense you usually get much less.

"usually" is the problem.
how is interpretation of the law not a problem with any law that was in effect before GDPR. It didn't stop anybody from starting businesses before and will not after.
It's punishment amounts. Laws should strive for minimal maximums and reasonable ranges to apply that interpretation in. We don't say every crime is punishable up to a life sentence for a reason. The more leeway the law provides, the more room for abuse (for either side). It would not have been hard to define multiple reasonable ranges, but sadly they think these values are what gives the law "teeth" (instead of actual enforcement which is what should provide it).
The EU had competition law before that mentions 10% of global turnover as a maximum fee, along with very detailed notes of how to set them: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:...

The Sherman Act also mentions a ceiling of 10 million, 3 years of prison for private persons. And from history we know antitrust authorities broke up companies like AT&T or Standard Oil, which seems to me a much bigger punishment.

Both laws only mention the maximum fine.

Yet you don't see small companies sweating over competition law.

> Yet you don't see small companies sweating over competition law.

They would if it applied to them and they had to do work to comply. This is very simple. If a law applies to a company, companies will worry about it and the perceived risks. If a law doesn't apply to a company, they won't worry. Ideally, both the laws and their punishments are as narrowly scoped as possible to prevent abuse at the whims of enforcer subjectivity. It goes without saying that a business not affected by a law won't sweat it like they might if affected by a law. Couple that with ambiguities in the legislation and effort to comply and it's clear why small businesses sweat one and not the other. It's a very poor comparison.

your argument applies exactly the same to GDPR, entities that do not engage in collecting or processing personal data have no reason to sweat. Those who are following the law that had been introduced in the EU in 1995 either.

Had you read the GDPR you'd knew that punishment is proportional to the offense, had you read the regulation in charge of receiving complaints you'd know that they said they will first give a chance to comply to the law before resorting to punishment. The only ambiguity is in the broad term "legitimate interest" offering exemption to GDPR.

Sorry but I don't understand how defining multiple ranges would have been simpler than only having one. I also fail to see how 4% of global annual revenue is unreasonable considering facebook and google have both been fined the previous maximum amount of 150 000€ with no consequences for them and they went about their day keeping at doing what they were doing that caused them to be fined.
I would still be bankrupted by "much less" than $20 million.
Good for you.

now understand that fines are proportionate to the offense. Are you engaging in doing very bad thing to personal data on a very large scale and having a business based on this ?

no ? then what are you afraid of ? that failing to answert to one guy asking for what data you have on him will cause you to be fined to bankruptcy level ? I pity the fool as said that one guy.

Your fundamental argument seems to be "this will only affect bad actors" but I don't think the history of law in any part of the world justifies such optimism.

Or how about: I'm sure the advocates for civil asset forfeiture made similar arguments.

If you want to argue that prosecutors on your side of the pond are impervious to corruption, well, consider that you're including Spain, Italy, and Greece in that body politic (at least for now).

Let's not talk theory. I am making that gamble. Business is about risk judgement, and I have judged the risk to be miniscule.
Or 4% of your world revenue whichever is largest.

Then again you can stop brandishing this FUD as this kind of fine is not gonna happen to small actors. If you act in good faith and are found doing something wrong you'll receive a notification asking you to fix the issue.

Why do people think EU is dumb and will start distributing 20M fines right and left at the first offense ? Just look at how it's done up until now and what CNIL said about how GDPR will be applied.

There are litigious people even here, though. Someone who has an axe to grind for whatever reason can keep annoying the DPA until they do go after you.
No, that simply doesnt happen. Ive annoyed the ico in the uk many times and they refuse to do anything for one complaint. I recently got a 500gbp out of court settlement in a spam lawsuit that the ico did fuck all about.
> that the ico did fuck all about.

I think this is the really important bit that Americans are missing.

We've had decades of regulation from ICO, and we've seen them do fuck all about a lot of stuff. GDPR isn't going to change their approach.

We've seen a number of lawsuits posted here on HN with EU companies, either going after other EU companies, or US companies, or other EU <-> US <-> AU lawsuits. Sure a lot of it involves the bigger shops like Microsoft/Google/Facebook, etc .. but don't go saying it's not a litigious society.

Lawsuits are used in a lost of western and eastern countries to try and right wrongs. Many of them use lawsuits to troll and money grab as well. It's not unique to the US.

FYI, there are no lawsuits with GDPR: You file a complaint with the relevant data protection agency and they then decide whether to pursue this. Should they do that, the company can dispute the claim and only then elgal proceedings would follow (agency v company, no potential award for person filing complaint)
IANAL but my understanding is that contrary to US, several EU countries have limitations to what on can claim in court. Claim can not exceed damage. If you burn yourself with a hot coffee in a mc donalds your medical expense will covered and you might get a couple hundreds or a thousand while in the US you can be awarded millions in punitive damage by a jury.

This limitations means there's less frivolous litigation in the EU, unless it's a rich person or entity trying to silence someone, then they will waste money on frivolous litigation until the other party is unable to take it anymore (SLAPPs) a well known example of this is what happened to journalist Denis Robert who went through 10 years of multiple litigations in several countries for daring to expose the money laundering scheme happening in the European banking system in Luxembourg.

> The gdpr documentation is quite long and I lack the domain expertise to read and comprehend the document in full.

As if he read all laws of his own country that apply to him. Raise your hand if you actually read and comprehend all laws that apply to you. I'm willing to bet there's not a single person on this planet who really reads and comprehends all laws completely.

Usually you just go with common sense and reading a blog post or two when it seems relevant: that usually makes compliant and in the worst case it will get you a warning from the regulator (they give warnings for unintentional first-time violations, so they'll tell you if you're doing wrong and it bothers them enough (usually you're too small anyway), and you get a chance to improve).

>As if he read all laws of his own country that apply to him.

Drone.ci is treating GDPR like any other law by steering well clear of the territory it regulates. The US also has stringent rules about online gambling, payment processing, pornography, copyrighted material, etc. Normal website operators don't become familiar with these rules or how to thread a business through them. They simply don't engage in regulated activity at all, unless making a deliberate and well-capitalized entrance with the help of lawyers and compliance professionals. (Obviously there are some high-profile counterexamples, but those are, well, high-profile).

If the GDPR were a law about data brokerage or advertising, then forum operators would be similarly far away from it. But it's a law about the handling and storage of data related to people, which you definitely do if you're running a forum. Ordinary websites have never been that close to the boundaries of legality before, so people are scared.

He received the "nightmare letter"[1][2] asking for everything possible under GDPR and then some.

1: https://www.linkedin.com/pulse/nightmare-letter-subject-acce... 2: https://jacquesmattheij.com/so-your-start-up-receive-the-nig...

The nightmare letter is bogus scaremongering bullshit. THe forum owner should just i) post a link to the privacy policy (which surely explains things like legitimate needs) and ii) supplies a copy of the data being held.
This is so incredibly tonedeaf: do you honestly think that small hobby-scale websites have a privacy policy?
Do you believe that hobbyists must not follow laws & regulations when they interact with the public?
Do you believe that anyone who has a hobby website with a forum needs an official privacy document, presumably vetted by a lawyer.
What if a forum owner receives a DMCA letter, or a letter from NSA? You do not really need to consult a lawyer to remove copyrighted material or something else that is illegal.
A single DMCA notice is relatively easy to deal with. Even though a startup owner probably "should" consult with a lawyer, you don't need to if the take-down request is clear and the material is either clearly infringing or not. There are gray areas, but they are rare.

A letter from the NSA is a completely different story. You definitely need to hire a lawyer, probably an expensive one. One NSA letter could easily shut down a small startup.

Why do you think the document needs to be vetted by a lawyer?

The regulation makes repeated reference to proportionality.

> Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. 2Those measures shall be reviewed and updated where necessary.

For a simple forum this is a simple privacy policy.

And forums should already have something like this if they're complying with EG US COPPA or similar.

Private and general aviation have a different set of regulations. Small and large aircraft have a different set if regulations.

I’ll let you figure out the rest.

GDPR is not applicaple to personal or household activities

https://gdpr-info.eu/recitals/no-18/

> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

What? So just because you're small scale you can ignore people's privacy?
There’s a big difference between ignoring somebody’s privacy and having an official lawyered document that spells them out.

I’m sorry that this is a distinction you weren’t able to make.

It doesn't have to be lawyered.
Excuse me? How in the world am I supposed to know if it is sufficient for GDPR without a lawyer?
The context is a small forum that doesn't gather much user data and doesn't do weird things with it.

The forum owner should create a simple privacy policy that details what information is gathered; why it's gathered; how long it's kept; and how to correct mistakes.

If someone does report the forum to the regulator all that'll happen is that a letter will be written asking the forum to come back into compliance, and giving advice about doing so.

GDPR makes many references to proportionality. It also mentions standard practice.

EG here: https://gdpr-info.eu/art-24-gdpr/

> Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. 2Those measures shall be reviewed and updated where necessary.

> Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

> Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

How are they complying with eg US COPPA, which carries a penalty of $40,000 per infringement?
Yes. because it's a legal requirement when you collect personal data.
As someone who ran a forum centered around one of my passions, I was happy to help users out with small adminstrative tasks. Like you said, no big deal.

Now if I was legally required to act on every request in 30 days or face potential litigation, that's a totally different story. I'm doing something that's a fun hobby of mine for free that will benefit others with similar interests. The line is drawn when it can have real world consequences and take up a substantial amount of personal time in order to comply with frivolous requests. That's when it stops being fun and definitely not worth risking legal headaches.

> act on every request in 30 days or face potential litigation

That's not what happens though. You get a request, you have 30 days to respond to it (and for the vast majority the privacy policy is ok as a response) and if the requester isn't happy they report it to the regulator who writes for more information. In that situation you again send off your privacy policy, maybe with a bit more detail.

The regulator either tells you that you're wrong, and explains why, and gives you advice to come back into compliance, or agrees with you and tells the requestor that they've misunderstood the law.

And all of this has provisions for proportionality. The regulators will recognise that small forums run for small projects will not have resources to respond to many requests.

If its a hobby and you otherwise have a full time job, 30 days is even too short. Not to mention that's when it stops becoming fun as the person mentioned.
This misrepresentation of the situation is well addressed in the other reply, but I'd like to point out that unless your hobby is collecting and processing personal data, you simply have to not collect any personal data as no personal data is required to run a forum, add a page explaining so and direct requests to this page.
What constitutes personal data hasn't been made clear. People think IP addresses and usernames will count, and really anything in someone's posts might too. Post timestamps are no doubt correlated with users timezones, that sounds like personal data to me too.

You could credibly argue that the sole purpose of a forum is to collect and share personal data.

I've been sending all kinds of companies a request of my data. Everyone that keeps sending me mails without me knowing why, I just sent them a nice request to give me a copy of my data.

After that, I request them to delete it all :)

You're the reason we can't have nice things. I hope you are proud of yourself. GDPR is great but will be ruined by people like you.
Why? It's their data and their right to have it deleted.
Isn't that the point of GDPR?
Honestly, laws like this give rise to the phrase "the road to hell is paved with good intentions."

I am not anti-gdpr. I am quite concerned about the side effects on the small guys. Its obvious that this law was targeted at larger companies. But its also obvious that it massively increases risk profiles for innocuous behavior.

This is a problem. And hey, as a person in the US, I have no representation to help address my concerns over the validity/applicability of the law.

I am not a fan of that.

Then again, I also don't like it when we do this to others. FATCA is an example of this, where US citizens seeking banking services were denied services due to the implied risk to the bank from non-compliance. They generally don't have much recourse either.

Extra territorial impacts are the result of bad laws. I like that GDPR gives control back to the users. I dislike that it opens up such a massive legal attack surface as to make things like running a forum dangerous.

(comment deleted)
We've had thousands of companies for years and years using every trick in the book to get people on their mailing lists and collect data about them, but now that users have the right to do something about it, that makes them the assholes?
I'm glad you are feeling such rightous indignation. I won't lie and tell you that I am not being entertained by watching the EU internet implode on itself.
So everyone can spam us without repercussions? Fuck them all. If GDPR makes their life miserable then it achieved its goal.
You think GDPR is great but you are angry at an EU citizen using the law as intended?
Why are you against fighting spam?
Well that sucks, I wonder if this means other discourse instances might be hit with the same GDPR letters? There'll probably be someone who has (or will have) forked discourse to make these changes.
How does Discourse factor into this? From my read of this, it doesn't seem to be specific to the fact that he's using Discourse.
I thought he was using Discourse for his forum? Its not like I'm taking a shot at Discourse, I was just saying that it might be worthwhile to tack on an export function that is user facing to mitigate the onslaught of requests.

[edit]: @jcastro, I totally didn't realize that was already there, my bad.

Not sure what version this was added to but Discourse has an export button that individual users can use from their profile page.
It does not appear Discourse has any admin tools in place to deal with a GDPR request. A self-service user panel would be even better.

There is an open question whether posts would need to be deleted are just anonymized from the user account. Safer to delete of course.

People asking to exercise their rights on their own private information are not trolls.
(comment deleted)
In this case, you are making work for a person that doesn't monetize the platform you're using. It was service that was offered in good faith, and is now, because of this useless request, not going to be available.

Instead they are being forwarded to a service that does monetize their service.

>now, because of this useless request

No, it is because of an overreaction to a request. If they are acting in good faith then just reply

How many hours should this person put in to respond to the request?
And to all the others.
About 3 minutes.

"Here's the privacy policy. Here's the data export page."

Haha data export page, what even is that? Let me just go to my SQL DB, redis, glacier backups, and Kafka logs and just click the data export button. It will only take 3 minutes.
Maybe you could create some sort or reusable digital tool that could be used to aggregate all the data for any given user? Perhaps it be could be called a "script" or "program"?
Perhaps this person could spend time learning programming in his free time, implement the 'scripts or programs', read 500 pages of law, go back and time and write down every time any amount of data is used, etc etc etc.

While you are at it, you could take the bar exam to become a lawyer in your free time to avoid legal fees, to continue to run the forum as a volunteer.

And all because europe can't pay software devs so all the talent leaves so they need selective enforcement to make local companies competitive! Trump would approve of such trade barriers.

"Can I have all my data that you hold?" isn't something that has been introduced with GDPR. It was introduced with DPA over 20 years ago. That was backed by £500,000 fines.

THe sky didn't fall.

There's a button to download the user's data on their profile page. You can direct them to that. There's also a function to anonimise a user, which scrubs records of IP addresses and usernames.
Are you talking about Disqus specific features? Because that is really beside the point and the fact that you are bringing it up shows how clueless you GDPR zealots actually are.
What's Disqus got to do with it? The fact you are bringing it up does you've no interest in the facts of this case. This is about a forum, which uses Discourse, which has these features. This is totally relevant.
Discourse, disqus good job nit picking.
Maybe the request is an overreaction?
Closing down a forum because of a single request is a ridiculous over reaction.

OP could have waited for the regulator's letter before doing anything.

> exercise their rights

These aren't their natural right. Some laws are just bad independent of whether most people support or agreed to them. This is most obvious in dictatorships, but dysfunction strikes all systems.

I agree. The "rights" outlined in GDPR are hysterical frivolities concocted by madmen with a backwards understanding of freedom and justice. In the future of the EU I predict a "right to have everyone else in public pretend you aren't there and not look directly at you for more than 500 milliseconds in a 5 minute window" and "right to have free peanutbutter on wednesdays."
Does he have any proof that the person is a troll ? From what I read he just assumes it.
I didn't read the whole thing, but the part where the troll says he believes the site is in violation and makes threats but doesn't have any actual proof that there is a violation sounds like a good indication.
He's still obliged to respond to that letter. Can't hide like this.

(guys, I'm being sarcastic)

According to his GitHub, he's in San Francisco. He's a US citizen living in the US. The EU can't touch him.
Does that continue to be true if the US citizen goes to visit an EU country? It'd really suck to get arrested on your vacation because you ignored some troll's GDPR-based harassment. I don't know how this works.
If youve ever dealt with the uk ico youll know its true. They refuse to do anything about individual complaints. The gdpr also states that samctions will be determinedby the gravity of the violation and number of users affected, among other factors.

Nothing to worry about for people like the open source project in question. This is way overblown paranoia, but unferstandable given the current hype.

It’s not ‘nothing to worry about’ until the various enforcement bodies across the EU all establish predictable patterns of behavior and sanctions. Until then, nobody wants to be the first wrist slapped just to see how much it hurts.
The ICO has had 20 years to establish their pattern, and it seems to be pretty well set by now. They basically do fuck all about individual complaints, unless perhaps it's something incredibly serious. I recently had to take a data bureau to court for selling my details without permission (and won an out of court settlement for 500GBP) for spam, because the ICO did fuck all. I have another case pending against the very large UK company that used 2 separate data bureaus to spam me without permission.

So if the ICO won't sanction a very large company for clearly violating PECR, I really wouldn't worry. They only take action if they get thousands of complaints. I very much doubt that GDPR is going to change this behaviour, but I would love to be proven wrong.

So what you're saying is that all the small businesses feverishly seeking to comply with GDPR are wasting their time, because actually the law doesn't apply to them?
If they are not in the EU and not doing anything out of the ordinary then yes.

Life is full of risk and the GDPR is right down towards the bottom of things to worry about at this point if you are outside the EU. I suspect this is also the case if you are inside the EU too, but we will soon know.

Do you think if the complaint went to a government official in the EU they would throw down the hammer on a site that was up for all of a couple days in GDPR time?

I have my doubts.

I've got a handful of sites (ultimately for portfolio / coding practice type stuff) out there. Honestly it wouldn't take me too much to respond to someone's letter considering the simplicity of the site(s), not that anyone uses them.

I also really wouldn't expect any EU official to throw down the hammer on me. Personally I wouldn't panic, and I'd at least wait for the EU official to weigh in before panicking.

No. They're unlikely to do anything. If they did do anything it would be to post a link to current best practice advice.
No, but it is more than enough to scare people. Doing a project that makes you zero or very small amounts of money does not justify any risk-taking, and certainly nobody wants to go into the trouble of sending emails to various DPA people in Europe if the need arises. This kind of treatment should be reserved for large companies or specific uses of private data. In addition, the approach of the law "guilty until proven innocent" is hugely off-putting.
Then I dare you to post one of those website la here.
I don't really see this as a GDPR troll. This guy is saying he can't manage formal GDPR requests. He's running an internet forum for christs sake. We had forums before we ever had tracking, and anonymous internet handles were practically invented on forums. What's he doing exactly that he can't answer GDPR requests with a simple "we don't collect personal information"?

Of course, he probably is collecting PII, because he's using discourse. But since he says he doesn't have time to answer GDPR requests you can be pretty sure he doesn't take the time to ensure his infrastructure hasn't been owned. I'd wager he doesn't even know what PII the system he runs is collecting, so how can he be securing it on his users behalf?

It's totally reasonable for his users to ask how he's protecting their personal data. If he wants to flip tables and storm out when they ask, that's up to him. From my perspective, the system works. He wasn't making the effort his users deserve to securely store their PII, and so now he isn't storing it at all. No one had to sue anyone, no one had to go to court, and he made the sensible decision to get out of the PII game he had no business being in. Success if ever I heard it.

I don't know why all these websites are shutting down due to GDPR when all you have to do is hire a competent law firm with GDPR compliance expertise to review your software and help you determine if any parts need to change to become compliant and also help you address any GDPR requests.

</sarcasm>

True. You can also just make a budget for the fines, block days per month for compliance, and remove all contents that displease EU residents. Easy. /s
Everyone was saying that you don't need to worry about GDPR unless you are a scumbag that is selling user information. This open source project owner must have been doing something unethical if they are shutting down their forum due to GDPR. </s>
Well, he is most likely a dirty hippie communist. Unlike true champions of privacy - Facebook, Google, NSA and Mossad.
In its majestic equality, the law forbids rich and poor alike to sleep under bridges, beg in the streets and steal loaves of bread or violate the GDPR.

-- Anatole France (I might have edited that quote slightly)

OMG this is perfect! I'm so stealing this quote. It applies to so much it's scary.
But in this context it really doesn't work well as an analogy.

Few rich people have any inclination to sleep rough, whereas many wealthy tech companies have been happily selling their users' data as the law allowed it.

(comment deleted)
The idea is large companies can afford the compliance costs.
The idea is large companies can steal many loaves of bread and get away with it on a technicality because they have the resources to comply with the letter of the law while pissing on its spirit.

Only little people would steal a crust of bread for their supper. The rich generally commit bigger crimes.

You could change "I might have edited this quote slightly" to "DoreenMichele might have edited this quote slightly." Then it is totally not stealing because it cites your source. Bonus: When people get too up in arms, you have someone else to blame.

;)

I have seen many people complain about how it is unfair that small companies also have to do due diligence with people's data, not just he big ones. It seems really mind-boggling to me.

Is it also unfair that both small and large companies aren't allowed to pour acid into rivers? Should they get an exception?

Should only large restaurants be forbidden from serving rotten food? Should small car makers have exceptions to car safety and emission standards?

Is it also unfair that both small and large companies aren't allowed to pour acid into rivers? Should they get an exception?

Funny you should say that because I'm an environmental studies major and we do, in essence, let small shops do exactly that. Most toxic chemicals are disposed of in residential and commercial trash because they are being disposed of in small quantities. You basically do have to exceed a certain threshold before certain regulations apply to your toxic waste, such as household batteries.

We encourage consumers to recycle tech. We sometimes tack on some kind of environmental related tax or surcharge to try to cover the cost, but it is paid up front, it is a small amount and we know the fee at the time of purchase. But we don't set bear traps that can ruin your life because you put an old computer in the trash can instead of disposing of it properly, for example.

But this is not about people recycling something wrong on accident, it's about companies not doing so on purpose because it saves them money.

GDPR was never about normal people, it was about companies. Trying to reframe it like it's about people is disingenuous. It is supposed to protect people, yes, but from people like you company owners and executives and others who think "screw everything, I'm looking at my bottom line".

You ignored the example with food, so I'm sure you already know this.

They're shutting down because they're privacy-ignorant and that doesn't fly in the EU any more.

People apparently have a hard enough time understanding invisible things such as privacy, but this goes double for those whose income depends on violating the privacy of everyone.

Can you provide examples of websites shutting down due to GDPR ?
I only know about some US newspaper closing EU access and this guy's forum.

I'm sure we'll get a separate thread for each site that's closing, to emphasize how the (advertising) world is ending, one just needs to wait.

There's no advertising on the forum under discussion.
This is at least the 5th instance I've seen of a website announcing their closure due to GDPR on Hacker News. Most websites probably wouldn't announce it and given that a post about simply blocking all EU users got upvoted to the front page less than a week ago I doubt the idea of blocking all EU users isn't more prevalent.

https://www.polygon.com/2018/4/28/17295498/super-monday-nigh...

https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying...

http://money.cnn.com/2018/05/25/media/gdpr-news-websites-la-...

https://www.theguardian.com/technology/2018/may/24/sites-blo...

Try doing some basic research before asking leading questions that you don't expect responses to.

Even before GDPR, one could receive a DMCA request, an US court order, a letter from FBI, a letter from NSA. It didn't prevent people from creating websites though. GDPR requests are definitely less scary than a letter from NSA or an US court order: nobody will put you into jail for non-compliance, kidnap you or send a drone to you.
> Even before GDPR, one could receive a DMCA request, an US court order, a letter from FBI, a letter from NSA.

And a data access request. This has always existed, but it was a directive which was implemented in each local law, and local legislators could give (more mild) fines but almost never did.

GDPR is not new. And I'm not talking about 2016, I'm talking about the previous law from 1995 which is 95% the same for 99% of the companies.

None of those laws were extraterritorial.
Again, nothing changed on that front. There are two answers to your comment:

- Yes they were. If you violated the law, even if your servers are outside, the country would claim the violation happened in their territory because the subject was in their country so the law was violated there, and they can sue you.

- Neither is GDPR. If you are outside the EU, they can't force you to pay a fine like your own government can. Without enforcement, the law doesn't really apply. (See GDPR from 2016 until now.)

Which one applies depends on a bunch of things, such as whether there's an extradition treaty and whether you have offices in the EU, etc. I've never gotten a straight answer on which law rules in such cases, but that's probably because there is no single ruling case. Both are sovereign states, who supercedes is not codified in any law because there is no higher instance to appeal to.

I mean, if a small island state makes a law that if one of their citizens visits another country, that country should pay tribute for the honor of being visited by one of theirs, how in the world is that going to be enforced? Same with GDPR: the EU claims it applies worldwide, but the only reason that holds any truth is because you probably want to do business with EU citizens. Banning your company is the only thing they can truly do to you, and that has always been the case.

> nobody will put you into jail for non-compliance

ha

> kidnap you or send a drone to you

thank you for making it obvious you are arguing in bad faith. Hint: you are more likely to be fined 20 million Euros for violating GDPR than having a drone sent after you for ignoring a DMCA request.

If you actually believe you will have a drone sent after you for violating DMCA or ignoring a letter from the NSA go see a psychiatrist.

It's really hard to know what exactly was asked of him by the letter and by whom. I get the nightmare letter scenario but is that the exact request he got?

Can he not extract all that user's data and delete if that is what is being requested?

This was linked to in the post: https://jacquesmattheij.com/so-your-start-up-receive-the-nig...

It is a request for a lot of information.

Yeah i'm familiar with that. I was wondering if that was the exact request. It's not clear to me that the dude got that exact request.

It's also not clear to me that anyone getting that letter must do what that letter says to the letter else face consequences. We haven't seen that situation tested yet (although I can get why someone might not want to test it them self) all we've seen are letters being sent from individuals to individuals. Now how any enforcement would actual play out IRL.

Who wants to be a guinea pig for lawyers? what fun!
It wouldn't be lawyers unless it got a lot further down the line and went to tribunal. It would be the ICO (or equivalent), which is the regulator.
> It's really hard to know what exactly was asked of him by the letter and by whom

It says this right in the posting. >>

> In case anyone is interested, this basically described what has been happening to me: https://jacquesmattheij.com/so-your-start-up-receive-the-nig... 1.2k

> The sad thing is that one email came from the co-founder of a Startup out of Germany.

I"m not really a fan of the GDPR. I don't think it really protects privacy. I think it just uses the power of the EU, a fairly big and strong organization, to intimidate the rest of the world to comply with laws that it really shouldn't have legal jurisdiction to enforce globally. I think this is a scary precedent to set that the biggest bully on the block can de facto enforce such standards because the rest of the world is terrified of the consequences of standing up to them.

Isn't this the sort of thing people accuse the US of? The rest of the world makes ugly jokes about "Be careful what you say about the US or they might come liberate you too." The EU is now in the protection racket. When the mob says you should give us a few bucks because it would be a shame if something happened to your business, people recognize that is not nice behavior. But the EU can do the same on the web and some people laud it is a good thing for individuals in the name of personal privacy.

If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

(Yes, I am guilty of having this opinion without having actually read it. I blogged previously about my opinion this would do bad things to forums. I am shocked to see negative fallout happening so very soon.)

>If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

Facebook and other data aggregators build profiles of you even if you don't participate directly in those services. The web is different now than it was in 1996.

And GDPR doesnt help with that. I cannot send Facebook a request for my shadow profile, nor demand they delete all such data, as I have no way to ‘identify myself’ to them unless I have a Facebook account.
Yeah I don’t think the data protection authority will agree with that. You should file a complaint at your data protection authority.
They seem to have no problem identifying you without an account and then linking your shadow profile to your real profile, should you create one.

I suggest using the identifier you received at birth to make the request plus your e-mail.

Yes there is. If your email address is in the contact list harvested by facebook when people register on the website, it is linked to your shadow profile and can be used to show the lack of explicit consent and existence of your shadow profile.

It's the path currently explored in a class action against facebook for forced consent and we'll see what happens.

Does Facebook have EU offices? If they do, this law will simply make it close them. If they don't, what is the class action even being based on?
>Does Facebook have EU offices?

Yes, they are based in Ireland.

This isn't true, you don't need to have offices in Europe for the GDPR to apply to your company. It's just if you're serving/having European customers. Which, if you compare it to shipping things across borders, makes sense (you can't just say "but it's legal in the US, where I'm sending the package from").

So closing the offices wouldn't help.

They aren’t attempting to enforce legislation globally. If a company operates in the EU, it has to comply. For companies that don’t operate in the EU and have no EU customers or traffic, they don’t. Simple
Even if said foreign companies have EU customers, what can the EU do about it? If I were a foreign company, I would completely ignore GDPR requests. Like > /dev/null, not even bother reading them.

This law will only make things (even) more expensive and cumbersome for EU companies wrt. the rest of the world. This is going to be the asinine Cookie Warning all over again, times a hundred.

> Even if said foreign companies have EU customers, what can the EU do about it? If I were a foreign company, I would completely ignore GDPR requests. Like > /dev/null, not even bother reading them.

EU regulators could domesticate their judgments in the jurisdictions where these companies are based. It's entirely possible to do this in most states in the US, for example.

Failing that, they could target assets held in the EU or take action whenever corporate officers travel to the EU.

I read the other day that it applies to EU citizens that are not in the EU at the time.
There are multiple professions where not participating online is quite disadvantage.
(comment deleted)
What you are saying is: don't use the internet.

Google, Facebook, Twitter, etc. got websites to implement their like buttons everywhere. The information gathered by them is collected and everybody is being tracked wherever they go.

If a few mega corporations like google, fb, and twitter are The Problem, why are we making a law that generally applies to everyone and will disproportionately impact smaller organizations instead of dealing with these mega corporations per se?

If we aren't as a world terrified of what is being done by small groups like the open source organization announcing it is shutting down in the very post under discussion, why are you defending the GDPR on the idea that it somehow reins in the abuses of FB, Google, etc? Do you have evidence that it is, in fact, reining them in? Or are they just getting with their lawyers, finding cute ways around the problem and carrying on while entire organizations smaller than them suddenly shut down and die because the EU wrote words somewhere that these mega corps likely care relatively little about?

If you make special laws for a few companies, you are fighting the hydra. There will come something after you fined Google or Facebook long enough for being too big. Defining a size for "mega corporations" is also quite arbitrary and I'd quite worse because it doesn't fight the underlying problem: every human should have the right of privacy.

> Do you have evidence that it is, in fact, reining them in?

We will see what happens. The first complaints against Facebook and Google have already been filed.

I said dealing with these mega corporations per se. This in no way suggests making special laws for a few companies.

If the entire world currently agrees that a handful of companies are The Problem, then there should be some means to go after said handful of companies and get them to stop being The Problem without creating blanket laws negatively impacting the entire world, especially smaller organizations.

Dealing directly with a problem company usually involves charging them under existing laws (anti-monopoly laws?) and things like that. It usually does not mean making unenforceable laws that name them by name or define things in a Jim Crow style that clearly targets them in specific and that is unlikely to stand up in court.

The problem is, it's not a handful of companies, it's a few hundreds or even thousands, which makes rigorous laws sensible.

Google, Facebook, Twitter have a roster of the web pages you have viewed, whether you interacted with them or not.

Verizon, AT&T, T-Mobile and every other phone company has a complete log of your location history (for mobiles), message & call history, and unencrypted browsing history. They have no need for it to provide service (beyond the month or two in which these actions occured), but they do sell it to third parties, the list of which you have never seen.

Your credit card company does the same with your credit transactions.

This is already 30 companies or so, just in the US, and it is just the tip of the iceberg.

GDPR says "a person's data is their own property", which is easy to understand and enforce. You may not like it, but it's along the line of copyrights and trademarks, except the beneficiary is mostly the common man.

I can't comment on the effectiveness of GDPR on the large data farmers such as Facebook and Google. However, I think that the alternative that you are proposing for lawmakers to go specifically after the current infringers of privacy would set a scary precedent. We shouldn't have specific corporations operating under a different set of laws than the rest of society, as that would undermine the rule of law.
We should handle companies that have >1M data records differently from smaller companies.

Most countries handle private persons with larger income differently, e.g. they need to pay more income tax.

Most countries handle startups differently, e.g. they don't need to pay taxes in the first years.

Most countries handle farms differently than other corps, e.g. they give subsidies to them.

Most countries handle people with no income differently, e.g. they get social security payments.

Most countries handle banks differently, e.g. they are regulated.

Most countries handle health companies differenty, e.g. they are regulated.

> We should handle companies that have >1M data records differently from smaller companies.

What makes you think we don’t already do that? GDPR is about privacy 101; there’s nothing in it that shouldn’t apply to small companies.

Do we allow small restaurants to poison their clients because they’re just starting and you-know-it’s-hard-to-build-a-restaurant-so-let’s-wait-a-bit-before-applying-regulation? Of course no.

"GDPR is about privacy 101;"

It looks like our experience on implementing GDPR is different.

Essentially GDPR is like being PCI and SOX compliant from the first day - and looking at what companies go into to not be under PCI compliance, like use Stripe forms, this looks like significant overhead. After implementing GDPR, SOX and PCI in several companies, from an IT perspective they are comparable, with PCI the easiest to implement, especially on the process side, GDPR a little bit more than SOX on the documentation side but no monitoring of code changes and traceability.

Paying 10.000+ EUR for a missing word in your data protection declaration is no problem for a multi billion dollar company, but can and will kill startups.

If your GDPR is not on the same level as a SOX implementation, there will be a rude awakening if you get a review and are fined.

Paying for a data protection officer is hindering small companies and startups.

Updating your deletion infrastructure with every feature you implement is overhead. If you do not automate this and keep it updated and respond to information request by hand, plan for significant manual work.

Having a process documentation of 100+ pages which needs to be updated with everything you do and every new feature that captures or transfers personal data or stores data is a huge overhead for iterating on your product.

Do a risk analysis and data protection sign off for every test feature decreases your speed a lot.

You need to document every process (what data, where stored, when deleted, what cloud/saas/systems involved, who has access, how it is protected, ...) - like sending marketing mails or cold calling or going to a conference collecting business cards or giving stuff away to winners on Facebook - if it touches personal data.

Encryption in the database of personal data and encryption on the storage medium is a lot of operation stuff - this will lead to converging every startup to only use PG instead of being polystorage.

Implementing access controls to your office (if you use Excel with personal data) as if you were a data center is a lot of overhead - no more starting at home or in the garage. Probably best to go to WeWork who have proper office access control, if you have the money.

Investing into training days, planning and updating training material and managing training and with your staff is a lot of overhead for startups. Together with staying up to date with court decisions on GDPR will cost startups 1 FTE (see above). From now on instead of hiring that second developer I'd consult startups to hire a security officer first.

Having a data processing contract for every prototype feature you test is a lot of overhead to being agile and lean.

Marketing signing up with a credit card to try out some automation in a startup - these days are gone.

I'd say it is significantly more difficult to follow the lean startup methodology than before.

From working in some large companies and some startups, implenting GDRP, SOX and PCI, GDPR will help large companies who already have a large legal team, large compliance teams and who are SOX compliant against disruptive startups. Google and Facebook are the main beneficiaries from the GDPR.

An open source CI project shutting down its forum because it can't ensure the proper handling of the personal data of its members is neither terrifying, nor a tragedy, it's the law working as intended.

People clueless about privacy and privacy abusers are no longer welcome to the data of EU citizens.

Because that's how laws work, they apply to everyone.

Then again what you say is a misrepresentation and biased idea, what proof do you have that GDPR will disproportionately impact small organizations ?

Have you read the actual annoucement posted here ? asking because it does not say that it is shutting down but that it is moving its community discussion from a self hosted discourse forum to a third party hosted subreddit because discourse lacks the ability to properly address GDPR request and lack of time to do so.

Of course GDPR also applies to FB, Google, etc. Have you followed the discussions 5 years ago when GDPR was in the making and witnessed the intense lobbying from silicon valley against strong protection ? Probably not.

Are you aware of the noyb.eu[1] initiative, Max Schrems again, currently targeting google, facebook, whatsapp and instagram for their "forced consent" (more to come) ? La Quadrature du Net a french internet rights organization is currently working on 12 class actions targeting google, facebook, amazon, apple and microsoft, etc.

[1]: https://noyb.eu/ [2]: https://gafam.laquadrature.net/

You can neuter the like button, thanks to tools like Privacy Badger.
It's more scalable to neuter the button server-side than client-side, though. That button is clearly so 'wrong' from the consumer's point - I hope this is the beginning of the end.
It is more scalable client-side. There are fewer browsers than Internet edges. The Internet is designed to circumvent any attempt to control the edges.

You can hammer one app Facebook but you can’t hammer all apps.

Just consider revery Chrome extension that is malware. You can though hammer Chrome to block functionality that enables malware.

I feel like when people talk about right to privacy they're often using a catch-all for several different concepts. There's a big difference between a right to anonymity and a right to be forgotten.

If you have a very strong right to anonymity, a right to be forgotten is less important because it's easier to separate yourself from your online identity. In fact, forgetting information is pretty harmful because anonymous systems need better tools for building and validating reputation.

If you have a strong right to be forgotten, anonymity is less important because you can just delete information you regret sharing. And similarly, anonymity is kind of harmful because you now need ways to validate who owns information and ways to control how it's spread.

EU seems to be less concerned with anonymity, and more concerned with managing and regulating information after it's already been created and shared. This also kind of rubs the anonymity crowd the wrong way because they've advocated for a while that information isn't necessarily something that you can own like property, and that the Internet should actually be far more immutable than it already is.

> There's a big difference between a right to anonymity and a right to be forgotten.

Exactly. Privacy also doesnt mean being invisble when interacting with people or machines. It's not a well-defined right, and the limits can often be fuzzy (e.g. a problem that kids often have with parents). Pseudonymity / anonymity can also be subject to gradation.

> If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

sensible regulation that defines workable limits of what personal information can be collected, combined with requirements for anonymization when needed is a better solution.

Some of the early results we are seeing from GDPR make one question how ‘sensible’ it really is.
This is exactly what happens when you look to lawyers to solve social problems.
Let's not forget that GDPR has been introduced to enforce a law that already existed but worked on voluntary self-regulation basis and as such was fully ignored but pretty much every actor.

GDPR is also quite weak in this regard as it has few new additions: explicit consent (thanks to snowden exposing prism and despite the largest lobbying campaign against it orchestrated by silicon valley[1]), max possible fine increased so actor like google and facebook would stop paying 150,000€ fines right and left while laughing in the face of European laws, and class actions.

Again it's only thanks to snowden revelations that the GDPR weakening personal data protection was overturned.

The real change that matters is that now the law can and will apply.

[1]: https://lobbyplag.eu/influence

Site operators who shut down their site preemptively because they don't have time to even consider their GDPR stance are not really a strong signal on how sensible the law is.

In this case the operator's usage of the word troll to describe what happened is telling. Anyone can send any kind of threatening letter they want, and they are free to report you for non-compliance, but that doesn't mean any action will be taken against you, let alone actual fines.

IANAL, but IMHO the chances of any solo forum operator being sanctioned by EU regulators is effectively nil—the purpose of the law is specifically to address usage of personal data, not old-school off-the-shelf forums and other one-off websites where the scope of the data is essentially the core of the service itself.

You can argue the only thing that matters is the end result, but I'm not sure there's any way to write meaningful privacy regulation that will not generate a huge wave of FUD, especially with the traditional SV stance that we ought by default to have carte blanche to monetize user data in any way that's effective.

Site operators who shut down their site preemptively because they don't have time to even consider their GDPR stance are not really a strong signal on how sensible the law is.

No, but it is a strong signal of my critique: That the EU is a 900 pound gorilla and that is a large part of the problem here. Small operators will, in fact, be impacted by this because they don't have the resources -- including time -- to cope with this and this will cause substantial fallout. Suggesting that "The details of the law are sensible" is not a rebuttal of the cincerns I am expressing.

To change the practices of Facebook and the ad-tech world, you need a 900 pound gorilla or else nothing will change. All of this sky-is-falling punditry holding up small operators as examples is premature. Yes there is uncertainty, the landscape is changing, but it's not going to crush the little guy, mark my words.
Can you post to any of those results from the actual regulators?

So far there have been a few people just giving up before the regulators get involved, which seems like a massive over reaction.

That's basic survival for instinct for small shops. They may not be able to do X, but their entire life won't be crushed under the boot of Darth GDPR either.
> but their entire life won't be crushed under the boot of Darth GDPR

What a fucking stupid thing to say.

GDPR requires a few things: don't collect too much data; be honest about why you're collecting it; allow corrections; in some situations allow deletion.

This isn't a a boot crushing people.

What a fucking stupid thing to say.

It's perhaps more poetic than is the norm here. That doesn't make it a fucking stupid thing to say.

The reality is that since we don't yet know how this will play out, those who are risk averse, whether by personality or positioning (because some people just can't afford to take risks), will tend to flee from what could be a crushing burden. Furthermore, if someone is essentially in survival mode and can't spare the time and energy to read the GDPR and become confident they know how to deal with it, then just needing to read it and adapt can be a de facto crushing burden without any fines being levied.

> If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

There are tons of companies processing my personal data that are not web companies. GDPR isn't about "data being on the web", it's about all handling of personal data.

If you walk into a store and buy something, does the owner not have a right to record relevant personal information as it pertains to the sale, such as when buying a car? This idea that those vendors ought to be required to delete records seems backwards — you aren’t required to interact with entities that do things you don’t like — unless it’s the government, no escaping that.

Public records are potentially more harmful than anything Facebook has. For example, I just shipped a 20 foot container of household goods to the US from France — that manifest, including my personal information is public record — I have to explicitly send a letter and request privacy for that shipment — and then remember to renew that request each year or else details of my entire shipment, including my address and contact information are available publicly. Thanks government. I can’t simply use another shipping company — it’s a government rule. When GDPR applies to governments, then I might become a fan, but as it is now, I am being “protected” from my Facebook likes or web history but what protections do I have from governments who traffic in my information. There is zero reason my shipment manifest needs to be known beyond Customs or the shipping company moving the goods, yet, here we are. Facebook never committed mass murder — but governments certainly have. Google Analytics data doesn’t have a realistic chance of causing harm — but someone with my address and a manifest of a shipment of expensive stuff results in a potential for real harm — that stuff is literally public record with absolutely no controls over who can buy that information.

The owner of the store does have the right to record the sales transaction data. But that was never under dispute even with GDPR. GDPR specifically says that you do not have the right to be forgotten in the information is important for legal compliance (e.g. tax records), free speech, and a couple of other things.

https://ico.org.uk/for-organisations/guide-to-the-general-da... See “when does [it] not apply?”

GDPR already applies to governments. What makes you think it is not?

https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-in-...

> Starting May 25th 2018, all organisations, including those in the public sector, need to comply with the GDPR.

Government agencies have been working their asses off to become GDPR compliant. If you have a problem with the way your shipping info is handled, file a complaint against that government agency at the French data protection authority.

Please stop the FUD. The right to be forgotten has never been absolute and applies to both companies and government.

> GDPR already applies to governments. What makes you think it is not?

This, for example:

> Germany's spy agency can monitor major internet hubs if Berlin deems it necessary for strategic security interests, a federal court has ruled.

> In a ruling late on Wednesday, the Federal Administrative Court threw out a challenge by the world's largest internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service.

> The operator had argued the agency was breaking the law by capturing German domestic communications along with international data.

> However, the court in the eastern city of Leipzig ruled that internet hubs "can be required by the federal interior ministry to assist with strategic communications surveillance by the BND".

https://www.yahoo.com/news/german-spy-agency-keep-tabs-inter...

GDPR has national security exemptions dude...
I know that. So it doesn't necessarily apply to governments.
Since when Germany's spy agency has been a government ?

Also see the much controversed "legitimate interests" exemption to GDPR that has been carried over from the 1995 EU directive.

If it's not part of the German government, they have a larger problem.

My point is that Europeans overall are more comfortable with government snooping, and less comfortable with snooping by private interests, than Americans are. In practice, of course, American government agencies snoop far more than European ones do, but the American ones must be more covert about it.

> GDPR already applies to governments. What makes you think it is not?

It doesnt apply to security-related services, and the governements are allowed to override it for most purposes as outlined in article https://gdpr-info.eu/art-23-gdpr/

There are three related reasons for this:

1. Each EU member state has a different legal framework and so a Regulation (which has direct effect, meaning it applies as-is and does not have to be "transposed" into national law) would not be appropriate when dealing with criminal investigations;

2. The EU can only act in areas where it has been given "competence" to do so under the Treaty on the European Union and Treaty on the Functioning of the European Union. Member states are reluctant to give the EU broad competence to establish criminal offences or to regulate the investigation and prosecution of offences;

3. The treaties explicitly exclude almost all activities related to national security because that is a fundamental feature of being sovereign, which EU member states are and the EU is not.

Due to points 1 and 2, the EU passed the Law Enforcement Directive (2016/680/EC) which regulates processing of personal data in a law enforcement context. Being a Directive (and not a Regulation) means that each member state has latitude to adapt it to their respective legal frameworks when transposing it into national law.

Incidentally, point 3 will cause huge problems for the UK when we eventually leave the EU. The Court of Justice of the European Union - the EU's highest court - cannot take in to account laws of a member state relating to national security (insofar as they _only_ relate to national security) due to their exclusion by the treaties, but they can take in to account laws of a third country.

I read the ICO article and discovered the GDPR applies unless it doesn’t and I can refuse to act unless I can’t and I can charge fees unless they don’t want me to.

I still have no idea what to do exactly. I don’t really think it is my responsibility but I live in a country and operate in another country where laws this vague are unenforceable.

What you say is a gross misrepresentation of what GPDR is.

First it allows to record and keep the relevant data for sales and legal requirements. Second it applies to government.

Comparing facebook vs government is really a dumb fallacy, why would government be unable to use facebook for whatever ? and facebook to cooperate to that ? it is already happening, look at what happened in the Philippines with Rodrigo Duterte[1].

That you are unhappy with the US legal requirement to be able to ship cargo to their country[2] is unrelated to GDPR, maybe take your complaint to the relevant governement or regulation body.

[1]: https://www.bloomberg.com/news/features/2017-12-07/how-rodri...

[2]: excerpt from world shipping council to US customs

II. Cargo Manifests: General Today a cargo manifest is the document that states what a carrier has loaded aboard a vessel for delivery to the United States. The creation, submission, and retention on board of the manifest are tasks that are the responsibility of the vessel carrier and are regulated by law and regulations. Proper manifesting is a requirement for allowing the entry of inbound vessels and for the issuance of a permit to unlade.

We recognize that the cargo manifest has become a document that is used by the government to prescreen cargo for national security reasons. It was not designed for this purpose and has some limitations in this regard.

> This idea that those vendors ought to be required to delete records seems backwards

GDPR doesn't introduce a requirement to delete data upon request.

(comment deleted)
You want a scary precedent ? look at DMCA and it's been used to intimidate and bully all over the world and outside US jurisdiction (the pirate bay case showed that US government outreach went to threat of economic sanctions to a foreign government).

The GDPR is probably not what you think is, because it barely introduces new stuff, it only enforces what already existed but was ignored because it was based on self-regulation.

There are a number a publications about RGPD explaining that there really nothing to panic about (unless you're a giant conglomerate), it's not going to kill your business unless your business is based on violating privacy and things you should not be doing in the first place because it's been illegal for a while and you had 2 years since the announcement to respect the law.

> If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

Does not work that way, actually thanks to RGPD it's now: if you don't want to deal with RGPD requests don't collect or process personal data.

by comparison, you literally don't need to do anything to implement DMCA, except perhaps respond to emails.

(I wonder why this is contestable? DMCA is an afterthought, GDPR requires a lot of actual work to implement even if you process minimal data like IPs)

And if you respond to those emails you’re not still in danger of a business-closing fine.
Same for GDPR, you just respond to the users with "I don't collect anything on my website".

Now if you collect and track you may want to inform the users and let them opt-out.

GDPR is similar in a way with the Don't spam me laws, I assume you had to write code to respect this law and I did not see people complaining that they need to write code to respect that law. Or you can not do business with EU citizens.

You haven't read it, i presume. The implementation requires a lot more than that.
No, because I am not a business owner so I am not interested in all the details, my interest is an internet user, I am fine with popups that allow me to opt out, I am also fine with websites that will block me(like the newspapers one) because I will find an alternative that does not track me.

I understand that you may have some small websites and you put on them who knows how many trackers/analytics and now is time consuming to go to those websites and implement something, but we needed this law the same as we needed the don't spam me law, it will take effort to fix existing sites but is for the best.

I realize that I am sort of the pot calling the kettle black here because I also have not read it, but I am making meta commentary on observable and inferable unintended consequences disproportionately impacting smaller organizations while you are arguing the details of how to comply without really knowing anything about it. The kind of observations I am making are not actually dependent on me understanding the details of the law. The kind of rebuttals you are making that hand wave off the concerns of businesses and other organizations do hinge on knowing those details. Your rebuttals really have no basis.
The thing is I don't know how this law could be "nicer" for small sites but continue to be fair.

I feel a bit bad for small creators that need to fix their sites but at the same time I dislike the people that are trying to find possible loopholes around the law, fixing all this loopholes and workarounds is the reason the laws have long texts.

Do you have a website or something that is affected? I only have a simple site that I used some time ago as CV and for testing, I never had tracking scripts,analytics, referrals. I am also the opinion if you don't want to respect my privacy then tell me that and block my access.

The implementation really doesn't require any more than that. The poster said "I don't collect anything on my website".

Of course, if you do, like in this forum example, you will have to do something, but that doesn't apply to all the information/blog/brochure sites using unnecessary tracking, etc. They can simply not do so.

Can’t square this comment with the long front page discussion just a couple days ago about whether ref’ing a Google font could violate GDPR.

Since everything your site does basically is defined as “collecting” or “tracking” it’s absurd to claim you can just simply “not do so”.

The problem there is that you can't just say "no tracking", you have to be able to argue that there really is no tracking. If you put in content from a third party and have no legal promise by them that they don't track, you can't know if your users are tracked or not.
Then just put that in your privacy policy and you are off the hook.

If Google tracks something, whether it is via their fonts, by putting some cookie on your site or whatever, it is their problem (and they actually said so, in that Github post referring to the font issue). They are the ones collecting and processing the data, not you, so they will have to deal with the GDPR compliance.

That's their interpretation, and they don't face consequences if it's wrong. Since I've gotten advice to the contrary from lawyers looking into GDPR, I won't trust it until there's clear feedback from regulators or courts about it. Fonts are easy enough to self-host.
> Fonts are easy enough to self-host

But what’s special about fonts? If I can’t reference an asset outside my own domain because the network request could allow the 3rd party to log an IP address, How is that not antithetical to the foundation of the WWW?

Besides the fact that this goes against the last decade of advice on how to speed up your site...

Nothing says you can't link to those resources, but if the page automatically loads them (hotlinked images, scripts, remote fonts, etc.) then there's an issue.

Is it really that unreasonable that loading a page to x.com should only load resources from x.com and 3rd-party resources compatible with X's privacy policy?

> Nothing says you can't link to those resources, but if the page automatically loads them (hotlinked images, scripts, remote fonts, etc.) then there's an issue.

Seems like a contradiction, and exactly my point. Trying to collect privacy policies and compliance statements from any place you might load an <img> or <script> from is extraordinarily burdensome and pointless besides. Totally absurd over-reach IMO.

And what about the 25 hops in between you and them which also collect your IP and the domain being contacted?

How they "don't face consequences" if it is wrong?! Google (along with Facebook) are very much going to be the first in the line for auditing - and I believe the first complaints against them have been filled on the first day GDPR was in force already. The entire raison d'etre of GDPR is very much Google and Facebook, who were thumbing their noses at EU's privacy regulations so far.

If someone is going to have top-notch legal team on this it is going to be Google. So if Google's legal says that it is alright because they are the data processor/controller as defined by GDPR you can pretty much take them for the word there.

I wonder whether people spreading this sort of panicked disinformation about the fonts and what not have actually read the GDPR text. It is pretty clear about who is considered to be a "data processor" or "controller" - someone who merely uses a resource like fonts is certainly not one if you aren't collecting any information yourself or having someone else do it on your behalf. That Google may be doing it is irrelevant as long as they aren't providing the data to you (which would make you a "data controller").

And if you are neither a data controller nor data processor you aren't concerned by GDPR at all.

It is well explained here: https://www.gdpreu.org/the-regulation/key-concepts/data-cont...

Nope. You contracted Google not the end user. You have to go track down all this information and all the providers and then handle the GDPR downstream.
I think there is a lot of FUD around GDPR, for the fonts issue you can use fallback fonts for EU citizens, and if you insist to have those fonts ask for permission. I think the situation will clear out in a few weeks and in the end most people will know what is permuted and what not, is like with software licenses with a bit of research you know how to use GPL, LGPL,MIT etc no need to pay some law fird to research it for you.
> Can’t square this comment with the long front page discussion just a couple days ago about whether ref’ing a Google font could violate GDPR.

This is a very good point, and to be fair you're absolutely right. The definition of user-tracking extends far beyond Google analytics, and if you're not fully informed about what 3rd-party services you're using on your own website, and the ramifications of those, this could present problems.

When I said "they can simply not do so", that assumes they are aware of what tracking they're doing, which may not be the case. If you're using some WordPress.com blog theme with CDN calls built in, you might have no idea. There may even be an argument for this falling to WordPress.com (in this example) as the provider of the themes.

Realistically, I don't predict CDN calls to turn out to be in violation of GDPR in practice, even though there's a very reasonable argument for them being that in theory.

I kind of half-hope they are though, as a user. I've never been a fan of their use, and use the uBlock and Decentraleyes add-ons personally to avoid them. I wouldn't be devastated if we returned to a norm of locally linked resources (especially with HTTP2 adoption), though that's probably just wishful thinking.

>If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

I can visit site A and B, not put any of my data intentionally on them but still my data get be funneled to 25 third parties that know what I visited.

So your point is don't use internet or turn of javascript and open each link in private windows and maybe use some proxyes or Tor

As a side note, using Brave browser with all protections turned on by default, including Javascript disabled, and re-enabling Javascript (2 clicks) only on the websites you care and trust enough to, has made my Web browsing experience incredibly better, especially on mobile.

Now everything loads in an instant, no more shenanigans that jump around the screen as I scroll, no Facebook/Twitter/Google buttons (that nobody even uses), no pop-up/in/out/over adverts, and even those asinine cookie warnings are gone by default!

I cannot recommend it well enough.

I do the same on Firefox with Privacy Badger and Noscript extensions, supplemented with a PiHole on the network to disappear all those intrusive ads. On my phone, I use Naked Browser Pro, which lets you allow Javascript per site, along with Adaway.
> 25 third parties that know what you visited

Ever try running traceroute?

How is that relevant here? You mean that when I connect to A there will be some intermediate points, that is true but those points are not setup there to track me, some points will differ, there are protocols to work around tracking at that level(using proxies and VPNs). But if I don't block the tracking scripts and cookies and I have 2 tabs with 2 different sites and both have FB code in it, FB will know I am the same person, they will search in the shadow profiles, find me, add this extra data to the profile. Then 24 more trackers will do the same,
You forgot to mention how this law hits your income quite hard, as you mentioned yourself a while ago: you're using internet advertising as supplemental income.

And you're very likely using the services of one of the big players, like Google, the very ones you're suggesting should be explicitly targeted in another message below.

Like I said before, including to you: the EU does not owe companies a business model, especially when the costs of that business are externalized to citizens of the EU and of the world.

Your so-called alternative at the end is just more of the arrogant snubbing typical of the advertising industry.

The costs are externalized yes but in many of these cases the person losing some privacy also benefits.
Smoking might cure anxiety but that doesn’t mean it doesn’t give you lung cancer...
So people shouldn't be allowed to smoke if they want to?
If they want that’s fine but it’s damaging behaviour for society so it will be taxed and/or regulated.
The reason it is taxed is because they can get away with it.
I assume you live in a country without free medical care? I don’t.
I live in a country with tax funded healthcare.
That's another way of saying the same thing. Taxing bad behaviour pays for their healthcare then.
> If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.

If you don't want to get robbed, don't leave your home.

The GDPR exists because everyone has been a dick because they know they can get away with it. By default the mentality is take take take. Now the business models built on that are being trashed. If someone keeps burgling your house they need to go to prison. Simple as. Time is up for this way of thinking.

It is not difficult to be compliant. Most people don’t bother because they are drama queens or hiding what their business is really based on and the latter is usually not ethical by any manor and deserve to be shoved off a cliff.

People will have to do some real innovation instead of selling off data and working out how to attract people into a product that exists only to do that really.

Saying that people need to be shoved off a cliff is not elevating your position. In fact, these kind of statements are exactly what make me concerned about regulations and laws. One has already made your mind up about a group of people and now it's time to execute.
Such is the result of tech industry overreach. Had they adopted a more moderate stance, people would not be calling for them to be pushed off the proverbial cliff.
Yes the data gathering side of the tech industry is sounding like they’re selling menthol cigarettes to sick people at this point.
It’s a metaphor. You’re already teetering. All it takes is a little push and you’re hurtling to your demise.
If it is a metaphor, presumably you mean more like "your business is hurtling to its demise."
GDPR exists as a proxy censorship tool to close sites using fines without looking like a socialist censor. GDPR is written so that every site can be found non complaint.
Please go and read the regulations and compliance. A monkey could work it out.
I read it five times at least. They are vague and arbitrary. Every site can be found non complaint.
If that's the case, surely you have examples of similar EU regulations being used for censorship before this? The GDPR is hardly the first regulation businesses have to follow.
I'm not really sure why you think this. So, the EU should just let companies steal and sell their citizen's information? I mean, IIRC companies can have separate privacy policies for non-EU users. Also, you have a very narrow view of how information is "given" and collected. Literally using the internet is "giving away" your data. Should I go live in a cabin in a remote location surrounded by a Faraday Cage/Lead walls/magic invisible shield?
I think this is a scary precedent to set that the biggest bully on the block can de facto enforce such standards because the rest of the world is terrified of the consequences of standing up to them

Precedent? It's hardly the first time one powerful body politic has enforced its own standards on others. A very, very, very long way from the first time.

> I think it just uses the power of the EU, a fairly big and strong organization, to intimidate the rest of the world to comply with laws that it really shouldn't have legal jurisdiction to enforce globally.

They do have jurisdiction, because the laws apply to companies that want to reach Europeans.

It's up to companies whether they think it's worth the effort to reach this market.

Companies do some crazy stuff on the other end of the spectrum to have a presence in China, right..?

delete
That sounds like an excellent source of corruption and conflict of interest.
Do you have any sources please?
Wow, look how easy it is to put the small Internet business out of business now. Well played 9.9%.
Could/should probably ignore GPDR requests if your business operations are entirely US based, whether or not anyone from the EU uses your site. US national sovereignty doesn't disappear because the EU says jump. We are not bound by the laws of governments other than our own.

You can probably ignore them anyway if you aren't a big company. With millions of these troll letters going around (and probably getting ignored), odds of any corrective action against you seem very low.

In any case, the corrective demands of the EU give you time to comply after they declare that you've violated something? Could probably wait for that point even if you're in the EU.

If you make money from EU users and are US based you need to be GDPR compliant or they will target you through payment processors and ad networks.

If you don't make money from EU users and don't want to be GDPR compliant you should probably just shut them off if you ever want to operate in the EU in the future

The OP initially says if you’re small time they likely won’t target you. Are you really saying if you’re super small time, the EU is going to go after your payment processing? Of course anything is possible. It seems highly unlikely though.

Then his/her last point is that they’ll give you a chance to correct things.

Your post doesn’t seem to cover that either.

They will go after you the moment you become bigger and if you are person running a business one of your hopes is that you won't remain small time forever
The way it's been done in the past, it usually starts by notifying you and giving you reasonable time (a month) to fix things then move up to sanctions.

But this is not a given every time and not everyone goes the nice route, some go directly to court. So when you are a small fish, you are better off doing your best to follow the GDPR in the first place than scrambling to avoid sanction in a limited time later. it is not that complicated to not collect data you don't need, ask before collecting it and informing about what you do with it.

> it is not that complicated to not collect data you don't need, ask before collecting it and informing about what you do with it.

This is not all the GDPR requires. You’re just describing traditional Privacy Policy.

> they will target you through payment processors and ad networks

How will they do that, and on what legal basis?

Garnishment.

If the regulatory agency decides to fine you, and you don't successfully defend yourself against that in court, then you'll have to pay that fine. If you fail to pay the fine on time, any entities within the juristiction that owe you can be ordered to pay the fine instead (i.e., your payment processor will be ordered to redirect funds arriving for you to the state, which also, as far as their juristiction is concerned, fulfills their debt towards you--as far as their legal system is concerned, the payment processor has paid you and you have paid the fine).

Sounds like a good reason to start only accepting crypto
Except that won't help you? Usually, payment processors are ordered to redirect funds as that is usually the easiest way, but if that is not an option, your customers will be ordered directly to redirect payments. As long as you have customers within the jurisdiction, they will find a way to make you not earn any money from them until your fine is paid.
So you admit that GDPR is really just a trade barrier.
GDPR - the core of it - is about privacy, it's an increment on prior laws in EU countries. It's also in part a response to the data hungry US tech companies, without question.

The 4% of worldwide revenue fine potential is exclusively targeted at the US tech giants. By my last count, the US has roughly 100 tech companies worth over $10 billion each (with trillions of dollars in worldwide revenue). Nobody taxes revenue, that's about the most moronic thing you can possibly do - unless you're doing it to try to harm / punish companies. Very few EU tech companies have meaningful worldwide revenue to tax.

(comment deleted)
Of course they're trying to harm companies when they fine them. That's implicit in the term "fine".

They target revenue because otherwise companies will just use Hollywood accounting to declare they make 0% profit, they just pay huge licensing fees to some cayman island company.

How can it be a trade barrier when EU companies are more affected by it? (They have to provide these protections for everyone, whereas non-EU companies only have to provide them for people in the EU).
You just answered your own question. The cost of compliance is largely a fixed cost. So if only 50% of my users come from the EU, then my per-user costs are 2x what an EU-centric company's would be. So it skews the economics in favor of blocking the EU if your business is not EU-centric. This in turn means users are pushed to EU companies that have no choice but to comply.
But the cost is the same for both companies inside and outside of EU, so US companies "not being forced" just mean they have the luxury to decide whether EU customers/visitors are a concern to them - EU companies HAVE to do it, even if 95% of their userbase is in the US (but I think those US users will appreciate it still).

Imagine a law that forced all companies in the EU to be polite to their customers no matter what or face fines. In that case you could also say that users would be pushed towards EU companies because they were "forced" to be polite, but I think that would be deserved and US companies could just do the same. Similarly to GDPR, if one side is forced to treat my data with respect and actively have me consent, then I would chose them, law or no law.

No it applies to any organization offering data services/web sites to EU residents, including authorities.

GDPR is only a regulation stating more explicitly what you're required (and were always required) to do for compliance with EU privacy laws. It obviously was needed since privacy violation has become so blatant. The GDPR legislation has been a long time in the making. It might be the case that privacy in Europe is being valued more than elsewhere in the world, I don't really know, but it's nothing new at all. For example, in Switzerland (not in EU but certainly with humanist and very old democratic and civil rights traditions) privacy in the form of banking secrecy is held in even higher esteem.

Yes, as a collateral effect, some business models might not work in EU any longer, or not to the extent they used to (though ads and affiliation links had been on a race to the bottom anyway). But I'd say that's a win, or can be turned into a net benefit. Think about what the Web has become in the last 10-15 years. We still don't have reasonable micropayments, and nobody wants paywalls anyway, etc. The result has been the rise of "platforms" and monopolies where the user's data and attention is the product, with publishers of quality, nuanced content struggling or going out of business. While you of course don't owe dead-tree publishers anything, an economic model for content creation working for more people than it is now is still very much desired.

If you're perceiving GDPR as trading barrier (even though it's just a privacy law), please also consider the US's total and utter failure to get their antitrust regulations in gear: Facebook buying WhatsApp, Google buying DoubleClick and YouTube, etc. At a certain point, others will have to react to that kind of government-sanctioned monopolization to protect their markets.

> please also consider the US's total and utter failure to get their antitrust regulations in gear: Facebook buying WhatsApp, Google buying DoubleClick and YouTube, etc. At a certain point, others will have to react to that kind of government-sanctioned monopolization to protect their markets.

The European Union also green lit those acquisitions. Hence the fines against Facebook for essentially lying to the European Commission about the merger.

It will be interesting to watch this unrolling, and I'd think criminal investigation is also on the table (vs Fb employees and EU officials).
YANAL and this advice looks like it's calling for bad things to happen.
Exactly. It is more likely that your office will burn down or you will get injured on the way to work than you will be targeted under the GPDR if you are outside the EU doing boring standard web things. Worrying about the GPDR as a non-EU company is like worrying about being struck by a meteor.
Honestly, that sounds like the most sensible advice. If I run a small US-based business and I receive one of these letters, I'm almost certainly just going to ignore it--as I'm sure many are already doing. It's not like I'm ignoring an official government notice. It's just an email from someone random making an assertion/request.

Maybe I put a notice up and geofence EU IP addresses but it seems that would just raise my visibility and suggest that I think I'm doing something wrong (whether or not I am).

At the least I'd wait for some indication that a random US ecommerce site (or whatever) actually has something to worry about.

Note that I am not a lawyer and this isn't legal advice, if that wasn't extremely obvious from my language. Not that the EU can get me!
The GDPR seems to me to be just another example of nontechnical authorities trying to regulate what they don't understand.

Why don't more technical people become politicians, or at least form lobbying groups or think tanks?

The response to the GDPR seems to me to be a bunch of people who fundamentally misunderstand how law works, especially in Europe, and who have a pathological relationship to regulators because their own legal system is fucked beyond all recognition.

GDPR requires you to only gather the data you need; only keep it for as long as you need it; tell people what you're doing with it; and allow them to correct it if it's wrong. How is that too hard?

Read the nightmare letter.

How hard is it to reply to just “a few” questions like that?

You point people to the privacy policy. The Nightmare letter is mostly bullshit scaremongering.
... and document every instance of processing, as well as the legal basis for processing for each use of each piece of data, and how you decided that legal basis (and if you used "legitimate interest," you need to do a LIA -- the template I use is several pages before you enter the information). Then you have to negotiate different DPA terms with a dozen clients whose privacy lawyers told them they each need a different term because we privacy professionals still have no idea what parts of this law mean. Oh, and then you have to handhold customers who think they know more about privacy law than you do because they read a 500-word rundown of the GDPR, because if you don't nicely convince them they're wrong, they'll make a complaint.

There's plenty more, but you get the idea. Anyone who says implementing this law is simple isn't implementing this law in a business of normal size and complication.

> and document every instance of processing, as well as the legal basis for processing for each use of each piece of data, and how you decided that legal basis

But only if that's proportionate.

https://gdpr-info.eu/art-24-gdpr/

> Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. 2Those measures shall be reviewed and updated where necessary.

> Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

The bar for that is very, very low given the guidance we've received from the supervisory authorities, so that doesn't really minimize my point. An incredibly small number of businesses would be able to argue that this doesn't apply to them.
>> Why don't more technical people become politicians, or at least form lobbying groups or think tanks?

Technical fields pay a lot more and you control most of your destiny.

Politics pays nothing and you deal with bureaucracy.

Hmm.

> The GDPR seems to me to be just another example of nontechnical authorities trying to regulate what they don't understand.

Either you are against any laws at all and believe that corporations could provide physical security and wage wars, or you are misinformed.

If you gossip about me behind my back, is it wrong of me to ask what you told others about me? If you are a company sharing my data with other companies, should I not be allowed to demand to know with whom you're sharing my data?

If you process personal data of millions of people, wouldn't it make sense that you have to have someone in charge of watching out for their data?

If you want to track people to create profiles of them, should you not ask them whether they're actually okay with that, rather than doing it secretly?

If you accidentally lose my data and hackers could be stealing my identity or using my password, should I not be told?

These are the things covered by GDPR, or previously, the data protection directive, cookie law and the data leak reporting laws. For example, the previous cookie law was also deemed a stupid idea by a tech-illiterate government, because lots of websites started popping up cookie walls and everyone got annoyed. But the truth is, the websites with cookie walls are the ones who want to do extensive profiling beyond any normal visitor count trackers or login systems or whatever. Of course they should inform you about that.

GDPR is not much more than common sense should already tell you to do. But since corporations are not people and do not have a collective conscience, it has to be codified in laws.

From the prototype letter:

"I am a customer of yours."

Not until you pay me, you're not. Yes, Mr. Well Actually, I know that the law says otherwise, and that's exactly why the law is FUBAR.

Are you implying that free services like Facebook should be exempt from privacy laws like GDPR?
Well if you know that Facebook is bad, why did people even register in the first place? Or put their whole life onto it?

It's ok if the privacy law only gone against stuff like analytics or horrible facebook buttons that even collected stuffs from people who clearly weren't users. i.e. tracking especially tracking outside their "domain"

however GDPR goes against all and anything. I mean if I go to a supermarkt I can't just tell the supermarkt owner to shut down all his cameras until I leave the store, he would basically just kick me off his market (which actually is his right in the EU). However the EU somehow made a solution that actually even goes against their own market principles just to have extreme amount of Privacy in the internet (only in the internet, their own institutions can still collect data, i.e. in germany the ard has tons of data about everybody) and this is my problem with the GDPR, it's a law from people who actually just want to hurt the big us internet companies. The law also was made by a lot of people without any clear technical background (there were some, but they were a minority)

I never registered on facebook because I knew. People who don't know or don't care is different, then there are other psychology explanation and network effect.

Your example is deeply misrepresenting the GDPR, seems like FUD to me. GDPR applies outside the internet, GDPR is very limited in scope as it kept the "legitimate interests" exemption from the 1995 directive.

Can you substantiate your claim that GDPR was made by people who do not understand what they do ?

> in germany the ard has tons of data about everybody

Your name, address, move-in date, and whether you paid them. Additionally – if you don't to pay twice – who you live with. Am I missing anything? In any case, they are still bound by the same GDPR as we all are.

(A small nitpick: The ARD does not hold any data but their members do.)

GDPR isn't limited to the Internet. It includes most automated processing.

https://gdpr-info.eu/art-2-gdpr/

> This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Not at all. If you don't pay me, you're a guest, not a customer. Should guests have rights too? Of course! But guest rights are very different than customer rights. Hosts should be held to a certain standard, and if they fail to meet that standard then they should expect to hear from regulators. What makes GDPR noxious is that it turns every individual interaction with the host into its own little mini-lawsuit, creating a potentially infinite burden and liability. It's actually an approach I usually think of as typically American, usually coming from the "don't need regulators because everything can be a tort" libertarians. For it to come from Europe is almost ironic.

In any case it's the wrong way to address the problem, and its ill effects are seen in cases like this. It's actually easier for "free services like Facebook" to comply because they can hire full-time compliance staff. The worst effects fall on smaller sites and individuals, making them less able to compete - individually or collectively - with the entrenched big sites. Some have even painted it as a form of regulatory capture, though I think that's a bit of a stretch.

> What makes GDPR noxious is that it turns every individual interaction with the host into its own little mini-lawsuit,

No, it really doesn't.

In Europe action for civil torts is limited to what you've actually lost. There are no punitive civil claims. Courts are a method to get back to how you were, they're not a route to betterment.

And GDPR is not enforced by each victim of a breach taking civil action through the courts, but by victims reporting to the regulator and allowing the regulator to take action.

The reason people in Europe seem so blasé about this is because we've had decades of experience with regulation, and we know that they don't have many teeth, and tend not to use the teeth they do have.

GDPR isn't changing this.

No, it doesn't create a new tort, but that's why I said mini lawsuit. The mandatory response and per-instance fines create the same sort of burden, even if they're administered through a body other than the courts. In some ways it would almost be better if it were through the courts, because at least there are established rules about evidence, nuisance suits, appeals, etc., but that wouldn't solve the fundamental problem.
You don't have to be a customer for GDPR to apply to you, they just have to collect PII from you to be considered the data subject and now the organization need to follow GDPR.

If you collect data from me when I visit your website, even without me buying anything, you have now collected data and you need to comply.

The use of the word "customer" in this context is incorrect.

Even if you pay someone, nothing except GDPR stops them from reselling your data for extra profit.
Can't wait for future nightmare letters coming from Saudi Arabia when they find moral indecency on my web site or China finding imperialist propaganda that needs addressing. This will be used as a precedent for every other control freak pushing their values onto us. What happened to free and open internet?
This already happens. Russia sent notices to GitHub about certain documents that were hosted there. China and Saudi Arabia just straight up block things they don’t like.
It would be much better for the EU to just block these sites that they think are violating EU citizen privacy rights.

But they’d never do that, because their citizens still want to use the sites, so it’d be unpopular. And ineffective since people would just work around it. Apparently these pesky humans don’t care about their privacy like they should!

Plus then the EU can’t levy billions in fines.

Goes to show that when an industry does not self-regulate, it gets over-regulated, which often disproportionately benefits incumbents, which incentivizes future lack of self regulation.
Not exactly. GDPR only applies to the EU. China isn't going to rewrite its laws to make the EU happy and mirror GDPR, neither is the US.

It's more accurate to say that when an industry doesn't self-regulate, the EU over-regulates and shoots themselves in the face. The US and China will race even further out ahead accordingly.

In the US I can easily unleash a large user data hungry AI at will, experimenting all day long with anything and everything I can come up with. I can screw with people's data in countless ways, without their permission. While this haven exists, I can rapidly learn and come up with technology and services that tech companies in the EU can't risk attempting and won't bother to contemplate.

To the point: you can still push every edge of the AI revolution in the US and China, to see what's there. That revolution is heavily built on user data. In the EU, you're in a straight-jacket at the very beginning of the revolution (one that is guaranteed to only get tighter), many years before we've even seriously begun experimenting with the fertile soil. They're fucked, the world will be dominated by AI that comes out of either the US or China, or both.

GDPR does not restrict EU companies' activities in less regulated markets. They are still just as free to abuse the privacy of users in USA as are their competitors overseas.

Your anxiety appears to be about American AI companies' competiveness in the face of even worse abuse of users' privacy in China than in USA.

In a race to the bottom do you really want to be the winner, no matter what?

https://gdpr-info.eu/art-3-gdpr/

> This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

I just sent a GDPR letter to a company in the UK, which is still part of the EU. I have one of their Android phones, and it came with a non-removable app. It appeared to just be a bookmark. One day that app woke up and sent me a notification asking me to visit a web site, which led to a SurveyMonkey form.

So I sent the company a letter asking what data they have on me. It's going to be interesting to see what happens.

    It's going to be interesting to see what happens.
My bet: Nothing.
From the several requests I've made already, that seems unlikely.
Can you give an example, whom you sent a request and what you got in return?
I second the sister comment's question: how did you go about sending them (like what phrasing did you use, for example?)

Want to write a short post on it?

Guy shuts down forum, goes through the nightmare letter dissecting each part as "good question" or "you should have this already" or "easy one". So what was his issue anyway?
Forum guy =/= nightmare letter guy
He points out that he's dealing with several of these requests. Even if you're doing everything correctly in terms of privacy etc., responding to these requests can still be time consuming.
How is "read the privacy policy, then click this link to get all your data" time consuming?
Guys moves from discourse forum to subreddit for community discussion because he got a GDPR letter from a start up head or something.

links to what he thinks has been used to craft the letter he received.

Underlying issue is that guy does not have time to deal with GDPR and discourse does not offer the proper tools, so he went the easy route of outsourcing, but he overlooked that he's still probably still liable under GDPR.

How is reddit different than discourse here? Is discourse hosted?
How can it be hard for a forum to comply to GDPR? What kind of private information does it really need to save?
I'm a European that supports the GDPR but here's my take on the issue in the post.

I don't think it would be hard for the person in the post to comply, it would just be time consuming. Say for example that a user requests a data transcript. Well he will have to collect all the post etc from that user and send it somehow. Now this is probably just a simple SQL query but it takes a bit of time, time that many people don't have.

Another issue seems to be that he is afraid of repercussions and is conditioned in the US system where everyone seems to be suing everyone all the time.

On HN I can go to my user profile and see all comments/posts I've made. And I can delete them all.

I strongly suspect this sufficient. Maybe it would be ideal to offer a "delete account" and "download account" button.

But there is no reason you should be processing letters from people.

I'm not even sure you need to offer removal of public information. But allowing deletions of accounts is hardly controversial.

Also it would be a good idea not to keep IP addresses forever. Two weeks retention is enough to detect mass registration.
> And I can delete them all.

How? I can only delete for a small amount of time after posting. I cannot delete any of my past comments. If there is an option to remove old(er) comments I would sure like to know about it, seems to be hidden pretty well.

Cannot he irreversibly delete user's data instead and send an empty file?
I'd be surprised if the forum software he uses doesn't already support self-service for that
It's not clear that a forum administrator would need to do anything under the GDPR except respond to emails with the standard template: "The forum does not collect or process any personal data."

Technically, I suspect, this would be true. The GDPR and the right to be forgotten are subtle on this. If a user chooses, unprompted, to share PII it's not clear that collection has taken place. Imagine a user, out of the blue, uploads her bank account information to a forum and others take the credentials and steal or her money. Would anybody seriously believe that the business should be liable for failing to secure the PII data? The other question is whether such data can be said to be processed. Clearly the forum is not processing the PII data as PII data. It's likely the case that the business doesn't know that any given forum contains PII data.

The GDPR also gives businesses a lot of lee way here. Erasure requests can be rejected under "freedom of information", if they cause undue burden a fee can be demanded, or if they're just frivolous they can be outright refused [1].

Admittedly this is speculation. European regulation is rules-based and a lot of leeway is given to regulators. The right to be forgotten is probably the least concrete aspect of the law. It's not clear how it intersects with user-generated content because it's not clear that PII is even being collected here. In the end, I suspect the regulators and the courts would probably be open to good faith efforts towards compliance. This might take the form of removing account data (username, emails, profile pictures) but leaving the forum posts up. If a specific forum post is believed to contain PII the business might ask the user to explain how the data in the post could be used to personally identify them as a data subject.

[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...

Usernames can be identifying, as could other profile information. IP addresses in server logs. Those are easily under your control, and you should mention those as things you process, but also are easy to justify assuming you don't do anything weird with them.
(comment deleted)
>Would anybody seriously believe that the business should be liable for failing to secure the PII data?

Yes: look at the reaction to Facebook "leaking" personal data through a well-documented public API.

The forum uses discourse, an open source forum software. I'm sure someone will soon add the functionality for users to download their data from discourse. And then you only need to have a standard email reply pointing GDRP requesters to that functionality.

Why are US companies/citizens overreacting so much? I haven't seen any company or sideproject from a different country react this way. (please let me know if I'm wrong)

It seems mainly to be just the american reaction to any letter related to a new law, the examples of data he lists are just things the forum needs for purely technical reasons, like a mail for password resets and login.
Things like names, emails, IP addresses.
>private information

GDPR is about personal information, not private information. Personal information is anything relating to an identified or identifiable person. Your forum account username, password, posts, private messages, votes, etc. are all in GDPR scope. If it's possible to use the same username, password, and writing style, etc. across the internet then at least some forum users are "identifiable" whether or not they have provided a real name, phone number, or anything like that.

So basically drone.io is saying that discourse is not RGPD compliant and reddit is better equipped to deal with RGPD requests so he's moving his community discussion from a self hosted discourse to reddit.

Looks like a knee jerk reaction and missing the point that you can evade RGPD by outsourcing to a third party, one can still send RGPD requests to drone.io and owner is still responsible for answering those but now has to deal with getting the relevant data from reddit.

The thing I have to wonder is who did this and more importantly, why?

If you're a startup competing against an open-source project, then this is potentially a great (not good) way to get a leg up. You get the benefit of access to the code until you don't need it anymore, then get the project shut down and reap the benefit of being the last man standing.

Sure, you might eventually run up against the license on the software you just lifted, but open-source projects can't afford the same protections that a well-funded startup has.

And if you somehow get sued for license violations, the penalties are usually more a slap on the wrist than an effective notice to knock that shit off.

I really hate the way my mind works some days.

> If you're a startup competing against an open-source project

Doesn't have to be a startup. I expect many small businesses will use it to damage competitors. It's not like it's unheard of .

Overreaction as usual!
How is it an overreaction?

If he doesn't want to waste his time because of EU snowflakes it is his prerogative to shut down his forum. Why do you believe you have a right to his service?