> Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
This, combined with the <250 employees = lower obligations, seems to indicate one should worry about the GDPR but in proportion to the size of your company (outside the EU).
The bigger you are, the more seriously you should take it, I guess?
I don't understand how that meshes with the previous paragraph
> The Internet makes goods and services in far-flung places accessible anywhere in the world. A teenager in Cyprus could easily order a pizza online from a local pizza shop in Miami and have it delivered to a friend’s house there. But the GDPR does not apply to occasional instances. Rather, regulators look for other clues to determine whether the organization set out to offer goods and services to people in the EU.
If it applies or not us irrelevant, what only matters is to what degree is it able to be enforced (and in practice) against companies that have no assets under EU jurisdiction. From what I gather, it's very little, so most smaller companies simply don't care.
Pretty sure that both instances you're talking about (Huawei/Megaupload) are perfect examples of parent's point --- the US is capable of enforcing laws outside of its territory, the EU is not.
Unless you think the US is going to go to war with its allies, its military power has little importance in this context. The US is a large, wealthy market for imports and a supplier of many products and services that it exports. It's a huge financial centre. Despite the unfortunate state of its government and public services by the standards of a modern democracy, it's still broadly aligned with other modern democratic nations in terms of values and culture, which means it's still a much safer partner to trade and cooperate with than you'd find in some other large parts of the world.
This makes playing nice with the US a diplomatically and economically sensible policy, up to a point. I suspect the US will find it encounters that point increasingly often, partly because the rest of the world is also changing and partly because Trump did so much damage to international relations and the US may never fully recover. The ongoing negotiations about global corporate taxation are a good if rather dull example.
Once the discussion on whether the EU can enforce laws over its territory is over, one can think about the content of GDPR and how its guidelines are good practices that your users will appreciate, even if GDPR doesn't apply to you.
> what only matters is to what degree is it able to be enforced (and in practice) against companies that have no assets under EU jurisdiction
This is exactly true. Now sure the nervous nellies will be all over what outlier things can happen as is typical. In a practical sense the EU does not have the resources to go after (other than perhaps a few test cases for publicity) anything but the juicy or most flagrant cases.
A lot of the blocks are down to "Small Regional News Site" really being "small regional front for a large news organisation running a single platform" that seems to have just made a blanket assessment. I don't think many genuinely small independent regional sites have bothered.
E.g. Lee Enterprises is one of the publishers who still blocks European users, and they own 75+ newspapers.
If you're in the EU and get "451: Unavailable due to legal reasons", it's a good chance it's a Lee Enterprises paper.
I think the pragmatic answer to this question is another question: do you have any operations that fall under EU jurisdiction?
If yes, then they have the ability to punish you and you need to follow the GDPR. If no, then the GDPR is just as irrelevant as any other EU regulation and can safely be ignored.
The website has no relation with the law, and is not an authoritative source of information. It's not even a particularly good one. It's just a website run by some guys.
Cookies per se have nothing to do with the GDPR. In fact, if your cookie is not tied to a natural person, the GDPR does not even apply. Also, cookies are under your control. You can alter and delete them whenever you want.
As an example: If your site allows different styles or languages and you want to store the setting in a cookie, you do not have to care about the GDPR. Only when you track your user's behavior with a cookie, the cookie banner thing becomes relevant.
"This is not an official EU Commission or Government resource"
Which explains idiocy like
> We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
This is a violation of the regulator guidance for the ePrivacy Directive. So I wouldn't trust anything on this site when they themselves aren't compliant with EU directives and regulations.
Not true. You don't have to consent to set a cookie. It depends on what the cookie does. Gdpr actually doesn't care about technicalities like cookies, but about privacy. So if you achieve the same tracking using other techniques (like Etag) that needs consent as well.
This is a little unorthodox. But, a first party cookie that stores consenting data used for reasonably expected purposes, doesn't need to ask you explicitly for consent. [As Hacker News ostensibly doesn't need cookie consent for you to log in with a cookie.]
https://gdpr.eu/privacy-policy/ suggests they share data with third-party Google Analytics, which seems to breach guidelines - except that they respect Do Not Track in this case.
Sensitive topic, so I feel the need to state that I am not trying to troll by saying this:
I do not see this argument as idiocy.
Many stores have signs out front stating, "If you enter this building, you accept that you are being filmed". Many are recording you before you even enter. They do not require explicit consent from people willfully choosing to enter.
Should we really assume that the client has not taken any responsibility when they willfully type in https://www.somewebsite.com/ and hit enter?
Since users can block cookies/javascript, or simply not visit websites they don't trust, I genuinely do not understand at which threshold of manual intervention we can finally conclude that a user has accepted responsibility - if their voluntary decision to visit does not count.
I get that companies sharing data and doing nefarious things with your personal information is not great, but I don't see how this does anything to help with that.
There is a massive difference. A proper analog is stating that "web requests you make will be logged". If you don't want to be recorded as having walked in, don't walk in.
To make this a fair comparison, the sign would say:
If you enter this building, you accept that you are being:
- filmed
- probed for all wifi and electrical emissions
- weighed
- measured
- secretively (as much as can be managed) pinned with tracking beacons
- lured into unknowingly entering other buildings w/o realizing it
- fingerprinted by any surfaces you touch
- associated with the means of transportation to arrive/depart
- and on and on and on
Since people can just wear masks, electro-blocking hazmat suits, high heels, a fresh change of cloths for every outing and come equipped with high-resolution GPS and building blueprints... it's a perfectly reasonable assumption.
You forgot gait analysis [0] so remember to put a stone in your shoe.
What amazes me is how many people were worried about the distopian future of minority report [1] 20 years ago, yet (especially on HN) now it's here they welcome it. I guess Upton Sinclair was right: It is difficult to get a man to understand something when his salary depends upon his not understanding it.
Although it does depend a bit on what the cookies they are storing here are used for you cannot use implied consent to workaround the law.
Taking your example of signs in stores: if a store had a sign saying "if you try to steal from this store you will be shot on sight" it does not suddenly make that legal because a customer saw the sign and still decided to enter.
Additionally with a website you do not see the message until you have already entered and they have already placed the cookie so again, there can't be implied consent. It's just notification of what they have already done.
The EU cookie laws are basically, for non-essential cookies (e.g. mostly tracking/ad stuff) users must be given the option to reject them before they are enabled. Seems pretty simple + pretty fair to me. The problem is that most websites fail to implement it correctly. When they do implement it correctly it's really useful in my opinion.
I think you missed my point. I not asking about what the law says. I'm asking why a person willfully choosing to visit a site is not considered a form of consent, since it requires an intentional action from a user. If intentionally visiting the site isn't consent, how is it that clicking an "Accept" button magically is? Both are intentional actions by the user.
Feels like walking into a store and saying, "I don't consent to be here". That's fine, but you chose to be here, so now here you are. Feel free to leave and not come back. You have that choice.
Answered by another user: It depends on what the cookie is used for, and I understand this perspective to a degree.
Session cookies are required for a lot of basic functionality and have been around forever - people are used to them. But cross-site tracking and other telemetry tracking for targeted advertisement is a bit of an overreach, and very invasive. I get that people don't like it, but you can block a lot of that, and opt out of visiting the site entirely. I don't understand how adding an "Accept" does much. Feels like a superficial change.
> I didn't type in anything or click enter to get to that site.
Are you being pedantic...? If you clicked the link, you engaged in an intentional action - which is my point.
This and the fact that uBlock detects 9 trackers on the site is quite puzzling given that its basically an ad/pr stunt by protonmail which itself generally doesn't have any trackers/cookie pop-ups
You can do a block for GDPR countries and avoid the issue entirely. We did that and its worked out fine.
This also helps avoid the cookie notice hell that you get if you design for the EU market - if you go to an EU page you can get a full page of cookie notices.
Cloudfront has a geo restrictions option that works well for this.
You don't know what you do and don't need to do. Literally the page linked here has lots of comments that they are doing cookie notices wrong / should be in jail etc.
Some people don't have time for all this lawyering just to post a few things online.
Don’t be evil is only the first step. You also have to hire specialists and delay launches to continually prove to many bureaucrats’ satisfaction that you are still not evil. Opting out is much cheaper, and maybe safer since the “doesn’t target serving individuals in the EU” language is relatively clear.
Exactly. the EU is constantly changing the rules here. And penalties can be monumental. Users can also send you various data requests (and hackers can pretend to be users and do the same resulting in data breaches). Just not worth it.
Because users can control how their cookies are set, cleared etc etc?
Because it's not evil to not want to risk jail when giving away some stuff for free if you set a cookie by accident that is not approved?
Because most users don't care about these endless navel-gazing exercises?
Because there are much MUCH worse things online, from scam tech support folks who rip you off to ransomeware to endless other scams and hassles?
Because the cookie notice farce has done nothing about my ISP selling my browsing history, my TV reporting my viewing habits and showing me unwanted ads and seems to be designed to get self important folks who are technically clueless to jump around and pat themselves on the back.
Because while I never minded making stuff available to EU it's not worth jumping through a bunch of hoops to do so.
A lot of justifications. Would it really be to much to ask to just play nice instead of first coming up with a scheme to exploit users. Then trying to figure out how to stay within the law. And then finally, go out of your way on the internet to justify your behavior?
I deal with the question all of the time. My general, non legal view, is the following:
- If your economics operate outside of the EU (e.g. you accept money from non EU, have offices outside of EU, etc.) then you don't need to comply, however the process to comply isn't entirely all that hard to do (see point #2).
- GDPR is easy to comply with because you're either (1) at a scale where you have global operations so you're already or (2) you're at a scale where you don't really matter to the regulation, even if you have EU citizens in your DB.
- If you get acquired by another biz that has operations in EU (but you don't), then the overall entity likely becomes susceptible to GDPR
This is based on not a legal review, but rather a logistical one. In other words, if you don't have operations in the EU how on earth is the EU going to penalize you. Are EU cops (which don't exist?) going to show up at your door to collect money?
Anyone know anything about that Horizon 2020 project REP-791727-1?
I can't find anything about it anywhere. There is a Horizon 2020 project with the ID 791727. But it is marked as closed, and is about funding of ProtonSuite and not disseminating information about GDPR.
Suppose that there was a crypto-currency exchange with no assets or presence in the EU. Moreover, their TOS says "no EU residents" AND they IP-block EU IP addresses.
Some/many EU residents rent servers from AWS to do crypto-trading on this exchange. These servers are physically located outside the EU. These same residents also access the exchange's website using a VPN that says that that they're outside the EU.
[1] Is this exchange subject to the GPDR wrt said EU residents?
[2] Does this exchange subject to tax-reporting requirements of the various EU countries?
64 comments
[ 3.2 ms ] story [ 122 ms ] threadBetter explained here: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...
http://webcache.googleusercontent.com/search?q=cache:AerXIhX...
> Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
This, combined with the <250 employees = lower obligations, seems to indicate one should worry about the GDPR but in proportion to the size of your company (outside the EU).
The bigger you are, the more seriously you should take it, I guess?
> The Internet makes goods and services in far-flung places accessible anywhere in the world. A teenager in Cyprus could easily order a pizza online from a local pizza shop in Miami and have it delivered to a friend’s house there. But the GDPR does not apply to occasional instances. Rather, regulators look for other clues to determine whether the organization set out to offer goods and services to people in the EU.
The answer is the same as what extends US law to the entire world. 11 aircraft carriers.
This makes playing nice with the US a diplomatically and economically sensible policy, up to a point. I suspect the US will find it encounters that point increasingly often, partly because the rest of the world is also changing and partly because Trump did so much damage to international relations and the US may never fully recover. The ongoing negotiations about global corporate taxation are a good if rather dull example.
This is exactly true. Now sure the nervous nellies will be all over what outlier things can happen as is typical. In a practical sense the EU does not have the resources to go after (other than perhaps a few test cases for publicity) anything but the juicy or most flagrant cases.
While it's good they try to respect it, the fact that's there's an fundamental "local" nature to them, makes it very unlikely. Very very unlikely.
E.g. Lee Enterprises is one of the publishers who still blocks European users, and they own 75+ newspapers.
If you're in the EU and get "451: Unavailable due to legal reasons", it's a good chance it's a Lee Enterprises paper.
If yes, then they have the ability to punish you and you need to follow the GDPR. If no, then the GDPR is just as irrelevant as any other EU regulation and can safely be ignored.
As an example: If your site allows different styles or languages and you want to store the setting in a cookie, you do not have to care about the GDPR. Only when you track your user's behavior with a cookie, the cookie banner thing becomes relevant.
"This is not an official EU Commission or Government resource"
Which explains idiocy like
> We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
Is simply not on. You can't assume acceptance.
Law experts don't code webpages. But this is embarrassing nevertheless.
https://gdpr.eu/privacy-policy/ suggests they share data with third-party Google Analytics, which seems to breach guidelines - except that they respect Do Not Track in this case.
I do not see this argument as idiocy.
Many stores have signs out front stating, "If you enter this building, you accept that you are being filmed". Many are recording you before you even enter. They do not require explicit consent from people willfully choosing to enter.
Should we really assume that the client has not taken any responsibility when they willfully type in https://www.somewebsite.com/ and hit enter?
Since users can block cookies/javascript, or simply not visit websites they don't trust, I genuinely do not understand at which threshold of manual intervention we can finally conclude that a user has accepted responsibility - if their voluntary decision to visit does not count.
I get that companies sharing data and doing nefarious things with your personal information is not great, but I don't see how this does anything to help with that.
To make this a fair comparison, the sign would say:
Since people can just wear masks, electro-blocking hazmat suits, high heels, a fresh change of cloths for every outing and come equipped with high-resolution GPS and building blueprints... it's a perfectly reasonable assumption.What amazes me is how many people were worried about the distopian future of minority report [1] 20 years ago, yet (especially on HN) now it's here they welcome it. I guess Upton Sinclair was right: It is difficult to get a man to understand something when his salary depends upon his not understanding it.
[0] https://blog.ansi.org/2018/05/gait-analysis-walk-biometric-i...
[1] https://medium.com/context/personalized-advertising-is-an-ox...
Taking your example of signs in stores: if a store had a sign saying "if you try to steal from this store you will be shot on sight" it does not suddenly make that legal because a customer saw the sign and still decided to enter.
Additionally with a website you do not see the message until you have already entered and they have already placed the cookie so again, there can't be implied consent. It's just notification of what they have already done.
The EU cookie laws are basically, for non-essential cookies (e.g. mostly tracking/ad stuff) users must be given the option to reject them before they are enabled. Seems pretty simple + pretty fair to me. The problem is that most websites fail to implement it correctly. When they do implement it correctly it's really useful in my opinion.
The GDPR however does require explicit consent.
>Should we really assume that the client has not taken any responsibility when they willfully type in https://www.somewebsite.com/ and hit enter?
I didn't type in anything or click enter to get to that site.
>Since users can block cookies/javascript,
Except when that breaks stuff.
I think you missed my point. I not asking about what the law says. I'm asking why a person willfully choosing to visit a site is not considered a form of consent, since it requires an intentional action from a user. If intentionally visiting the site isn't consent, how is it that clicking an "Accept" button magically is? Both are intentional actions by the user.
Feels like walking into a store and saying, "I don't consent to be here". That's fine, but you chose to be here, so now here you are. Feel free to leave and not come back. You have that choice.
Answered by another user: It depends on what the cookie is used for, and I understand this perspective to a degree.
Session cookies are required for a lot of basic functionality and have been around forever - people are used to them. But cross-site tracking and other telemetry tracking for targeted advertisement is a bit of an overreach, and very invasive. I get that people don't like it, but you can block a lot of that, and opt out of visiting the site entirely. I don't understand how adding an "Accept" does much. Feels like a superficial change.
> I didn't type in anything or click enter to get to that site.
Are you being pedantic...? If you clicked the link, you engaged in an intentional action - which is my point.
> Except when that breaks stuff.
Then don't visit?
This also helps avoid the cookie notice hell that you get if you design for the EU market - if you go to an EU page you can get a full page of cookie notices.
Cloudfront has a geo restrictions option that works well for this.
Some people don't have time for all this lawyering just to post a few things online.
Because it's not evil to not want to risk jail when giving away some stuff for free if you set a cookie by accident that is not approved?
Because most users don't care about these endless navel-gazing exercises?
Because there are much MUCH worse things online, from scam tech support folks who rip you off to ransomeware to endless other scams and hassles?
Because the cookie notice farce has done nothing about my ISP selling my browsing history, my TV reporting my viewing habits and showing me unwanted ads and seems to be designed to get self important folks who are technically clueless to jump around and pat themselves on the back.
Because while I never minded making stuff available to EU it's not worth jumping through a bunch of hoops to do so.
I deal with the question all of the time. My general, non legal view, is the following:
- If your economics operate outside of the EU (e.g. you accept money from non EU, have offices outside of EU, etc.) then you don't need to comply, however the process to comply isn't entirely all that hard to do (see point #2).
- GDPR is easy to comply with because you're either (1) at a scale where you have global operations so you're already or (2) you're at a scale where you don't really matter to the regulation, even if you have EU citizens in your DB.
- If you get acquired by another biz that has operations in EU (but you don't), then the overall entity likely becomes susceptible to GDPR
This is based on not a legal review, but rather a logistical one. In other words, if you don't have operations in the EU how on earth is the EU going to penalize you. Are EU cops (which don't exist?) going to show up at your door to collect money?
Which is why their sample data processing agreement is literally the ProntonMail one - https://gdpr.eu/data-processing-agreement/
I can't find anything about it anywhere. There is a Horizon 2020 project with the ID 791727. But it is marked as closed, and is about funding of ProtonSuite and not disseminating information about GDPR.
https://cordis.europa.eu/project/id/791727
Some/many EU residents rent servers from AWS to do crypto-trading on this exchange. These servers are physically located outside the EU. These same residents also access the exchange's website using a VPN that says that that they're outside the EU.
[1] Is this exchange subject to the GPDR wrt said EU residents? [2] Does this exchange subject to tax-reporting requirements of the various EU countries?
> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...