
> Again, this applies to US companies even if it's a single record of EU personal data.

This is part of why I think GDPR is a disaster for startups. It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.

Typical EU regulatory overreach.




What aspects of the law are disastrous for startups? What startups might see as a "massive regulatory burden", I see as, at long last, a means of finally holding irresponsible companies to account.

The spirit of the law is really quite simple; my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me. If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.


The scope of personal data is disastrously large and the guidance is fuzzy at best.

Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics.

No part of my "business model" is attempting to profit from personal data yet I have to jump through a bunch of new hoops.

My likely solution for projects is to simply block EU traffic going forward.


IP addresses aren't PII. If you're capturing IP + real name, or similar (email + real name) then AIUI you'll need to tell people on request who you sell that info to and allow removal.

Assuming it's a personal blog then just don't capture any PII. Don't sell it, be prepared to delete a user's comments on request. Don't capture PII without informed consent.

Easy, no?


> IP addresses aren't PII.

I personally think so, but everything I've read about GDPR says they usually now are considered in scope.

Deleting comments is non-trivial. How do I verify that the person requesting deletion is the original commenter? How do I then wipe out every mention of their IP address from all my logs?

These are easily solvable questions for large companies, but overhead for small startups and personal projects.


> be prepared to delete a user's comments on request.

Or, just block users from EU from commenting. I can see the win for the Internet here.


IP by itself is not considered private. It's only when you attach it to other identifying data. Anonymous comments are not covered by GDPR.


> Anonymous comments

Wordpress asks for your name and e-mail to post a comment, doesn't it?

I guess the tuple (ip,name,email,comment_text) is PII?


Name is, email is, IP combined with either (or both) is.


However, is it not thought that because the ISP keeps a log of dynamic IP addresses, these could (in theory) be matched to the IP address of anonymous comments, thus de-anonymise them?


No, because you need to take into account the effort needed to de-anonymise the IP address.

> > (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.


This article makes a compelling argument that it could be: http://privacylawblog.fieldfisher.com/2016/can-a-dynamic-ip-...

IANAL, but I'd be wary of saying that you'll be fine storing dynamic IP addresses. You'll probably need to have a rationale as to why you don't consider it.


> Anonymous comments are not covered with GDPR.

There is no guarantee that comments stay anonymous. Commenters can, and do, enter their real name as their display name.


For Apache can't you just change LogFormat to exclude IPs and delete the old logs?


Yet, you're still collecting it, and it doesn't seem like you're taking steps to protect it.


Because I fundamentally don't think a random foreign entity should dictate how I manage logs on my personal blog. It's challenging enough to debug issues without having IP issues.

I don't even consider a random IP to be PII.


> my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me.

In the U.S., freedom of speech usually trumps privacy rights. It will be very damaging if the Supreme Court rules that any EU citizen can limit US speech based on their laws.


I am not sure I follow you here:

When I store your personal data, I should be allowed to do so under the 1st amendment that is about speech?


Yes. Like I can’t retroactively ask you to remove what I said from your blog post.


> Yes. Like I can’t retroactively ask you to remove what I said from your blog post.

No. But I can ask you to remove my name and personal information from it.


That's precisely the problem and is a clear example of how Europeans value privacy differently.

Personally, I think it is a fundamentally important right that I be able to post a blog about how "the_mitsuhiko wronged me" in some way and have that information publicly accessible. European courts think you should be able to suppress such information—even if it is true.


That's.. that's not at all true. If it's a news story, then the GDPR isn't applicable.


Isn't it like more that the state itself can't ask/force you to remove something, but I as a natural person can?


> If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.

The EU is not a single entity. It's dozens of nations, more than 300M individuals.


> What aspects of the law are disastrous for startups?

Any law that gives power to users instead of companies harms companies.

To me, it's an acceptable trade off


"perhaps you're not the kind of company the EU wants to be doing business with"

Europeans want Facebook and Google and the rest, the EU doesn't. The EU != the europeans.

So international startups must now care more about what the EU wants than what european customers want. That's wrong.

In the meantime, european governments take measures that jeopardise private life, like putting black boxes at ISPs in France to watch everyone (aka. fight terror...).

GDPR is ideology. Not private life protection.


People living in the EU absolutely want control of the gathering of their PII.

The only complaints I've seen about it are concerning people responsible for administrating data in companies.

GDPR represents an ideology of not giving corporations free rein to make profits at any human/social cost, but to rein them in and give people a chance to consent rather than be data-raped.

Could you expand on how you think it's (solely?) ideology? What's bad about informed consent wrt PII?


"The only complaints I've seen about it are concerning people responsible for administrating data in companies": now that we're sure some people are annoyed... how many truly benefit from it? I do understand you think it's a good thing. How many in your FB friends share your point of view? How many even know? How many will benefit?

"GDPR represents an ideology": one point we agree on.... "at any human/social cost": what cost? Can't I sue Facebook in a civil court if I suffer any prejudice just like I can sue any company?

Is there any "data-rape": if your data is processed only to choose which ad you will see, does it count as a "data-rape" for you? The ad you're seeing is the only thing of value on Facebook: your data has no value except to show you this ad.

Can you tell me where I can buy data from Facebook? I'd love to buy the friend-list of influencers who have set their privacy settings so that data doesn't leak. What? I can't? Doesn't FB sell people's data? ;-) What about famous artists private pictures then?

That's what people think of when they hear "Facebook is selling your data". They don't hear "Facebook is using your data to show you better ads which pay for the whole service".

Informed consent isn't bad. Have you read FB Terms&Conditions? Have you read the paragraph that says you're OK that FB has the right to use and reproduce the content you're posting on FB? You have already given your informed consent. Now you're trying to take it back.


> What's bad about informed consent wrt PII?

The cookie pop-up is an example of EU overreach. Doesn't help privacy, doesn't help UI, and now everyone is just dismissing them.


One of the reasons GDPR was enacted is because the cookie law wasn't taken seriously. Companies used technical means (removing any meaningful opt out) to render the law moot in practice; as the industry failed to self regulate, the EU took the nuclear option.


I truly believe GDPR will have a similar impact as cookie pop-ups: extravagant annoyance for 0 benefit.


> People living in the EU absolutely want control of the gathering of their PII.

I know everyone here wishes this to be true, but what data are you basing this claim on?


Thank you. I for one don't care, I'm french and I live in Spain.

People SHARE their life on FB. They don't expect it to be private.

When journalists tell them Facebook is "selling" their data, they believe it because many want to believe they're victims of capitalism (that's even more true in Europe because the economy is mostly in a bad shape). Instead, they fall victim of politicians who want control (EU politicians now have POWER over american companies! how exciting), and of journalists who don't like competition (journalists work for TV stations or newspapers who sell... ads).

The only thing that has value on your Facebook page is the ad. Not your photos. Not your comments. Not your sexual or political preference. Only the ad.

We've all been fooled.


It's pretty crazy to me that people can feel this way after things like the Equifax breach. Equifax was sitting on all that data that people didn't even know they were included in, and probably didn't even WANT Equifax to possess.

But that's just business as usual, businesses are allowed to do things we consider morally wrong because that's just how things work.

And the second a law springs up that helps out the little guy, it's a massive governmental overreach. How dare government actually try to help people, think of all the businesses they are hurting!


You're using a non sequitur. Equifax is of course a massive data processor which should be regulated. Choosing to instead regulate every single person who even accidentally has an IP address in their logs somewhere is the overreach.

This helps massive corporations (who can afford to comply) and hurts small businesses which cannot.


> Choosing to instead regulate every single person who even accidentally has an IP address in their logs somewhere is the overreach.

It doesn't help your argument when you misrepresent the truth like this.

There's absolutely no requirement for every individual who accidentally has an IP address in their logs to comply with GDPR.


I never really felt the need to store IPs actually


You might not, but your webserver did. Or did you change the logging configuration of your webserver to not store or obfuscate IPs in the past?


This law suggests a shift to assuming no consent for gathering of PII, only gathering data when you have informed consent and a justifiable business need.

In the case of web servers I can't see a problem with not recording IP if you're also gathering PII; or asking for permission in the PII submission; or say dropping the last digits from a dotted-quad as a default.


Consent is only one possible justification for processing, you do not need it for everything. It's more a shift to "processing PII is forbidden unless for one of the following reasons", consent being one of them, and requiring assigning purposes to collected data. You can't just have webserver logs piling up somewhere without reason, but you probably can have a policy like "We keep IP addresses for 48 hours for security purposes", if you have an appropriate security process needing that data.
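The Apache log handling this subthread keeps coming back to (changing LogFormat so IPs are not kept, dropping the last digits of the dotted quad, keeping addresses only for a short security window, and wiping one commenter's IP from the logs on request) as an added example that is not code from anyone in the thread: a Python script that post-processes lines in Apache's default "combined" format. The sample log lines, the 48-hour window and the fixed "now" clock are constructed for the example; the /24 and /48 truncation widths are a common choice, not a GDPR requirement.

```python
"""Added example, not from the thread: post-process Apache "combined" access
log lines so they hold less personal data.

  truncate_ip()    - keep only the network part of an IP (IPv4 /24, IPv6 /48)
  expire_entries() - keep only entries younger than a retention window
  erase_ip()       - drop every line recorded for one IP (an erasure request)
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Field layout of Apache's default "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"     # e.g. 10/May/2018:08:15:02 +0000

# Constructed sample input (documentation-range addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.57 - - [10/May/2018:08:15:02 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.57 - - [10/May/2018:08:15:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.org/blog/" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/May/2018:20:03:44 +0000] "GET /feed/ HTTP/1.1" 200 812 "-" "curl/7.58.0"
198.51.100.9 - - [12/May/2018:21:30:00 +0000] "GET /about HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""
NOW = datetime(2018, 5, 13, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo
RETENTION = timedelta(hours=48)                            # assumed policy window


def parse_line(line):
    """Return the log fields as a dict (time as an aware datetime), or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def format_line(rec):
    """Inverse of parse_line(): rebuild a combined-format line."""
    fields = dict(rec, time=rec["time"].strftime(TIME_FMT))
    return ('{host} {ident} {user} [{time}] "{request}" {status} {size} '
            '"{referer}" "{agent}"').format(**fields)


def truncate_ip(host):
    """Zero the host bits: IPv4 keeps its /24, IPv6 its /48. Non-IP values pass through."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host                     # "-" or a resolved hostname
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize(lines):
    """Rewrite each parsable line with a truncated client address.
    Unparsable lines are dropped rather than passed through unmodified."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec["host"] = truncate_ip(rec["host"])
            out.append(format_line(rec))
    return out


def expire_entries(lines, now=NOW, retention=RETENTION):
    """Keep only entries newer than now - retention (the 48h security window)."""
    cutoff = now - retention
    return [l for l in lines
            if (rec := parse_line(l)) is not None and rec["time"] >= cutoff]


def erase_ip(lines, ip):
    """Drop every entry for one address. Addresses are compared parsed, so
    textual variants (IPv6 zero compression, leading zeros) still match."""
    target = ipaddress.ip_address(ip)
    kept = []
    for line in lines:
        rec = parse_line(line)
        try:
            if rec is not None and ipaddress.ip_address(rec["host"]) == target:
                continue
        except ValueError:
            pass                        # not an IP literal, cannot be the target
        kept.append(line)
    return kept


def demo():
    """Run all three operations over the constructed sample log."""
    lines = SAMPLE_LOG.splitlines()
    return {
        "anonymized": anonymize(lines),
        "within_retention": expire_entries(lines),
        "after_erasure": erase_ip(lines, "203.0.113.57"),
    }
```

Run `demo()` to see the three views of the sample log. Truncation and expiry are the cheap defaults for a personal site; erasure still leaves the question of verifying that the requester is the original commenter, which no log tooling answers for you.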


You don't want to log access requests to your web servers based on IP? I disagree with you at pretty much the lowest, most fundamental level.


If you do, then ask the user.


Explain how you ask the user whether you can get their IP address when any such request requires receiving their IP address.

This is draconian legislation which unnecessarily causes many more problems than it solves.


In light of recent revelations about the way social media companies treat their users’ data and privacy, strong regulation is not “overreach” but “overdue”.


The law could have easily been tailored to target large social media companies. Instead it applies to everyone, including tiny businesses who accidentally have one European visitor.

I'm strongly considering simply taking down all my old blogs/sites because it's far too much work to deal with GDPR for anything less than a medium-sized business.


And then huge media company just creates small subsidiary (tiny business) to "accidentally" collect personal information. Got caught? No problem, close that one, open another...


There are plenty of laws and legal instruments / concepts (controlling stake, anti-avoidance laws, etc) that stop large companies from doing this.


And that is just as "possible" under the current structure of GDPR.


Not really. For example, if Facebook Inc. establishes a "Totally not FB LLC" for the purpose of skirting GDPR, Facebook Inc. is still the data controller according to the law, as it is directing the data collection and purpose, even if "Totally not FB LLC" does all of the handling as a data processor. Except now the fine is levied on the total turnover of both companies, not just one.


Right, I meant it's just as "possible" in the sense of it not really being practically possible.


What PII are you gathering? Can't you just remove those fields, add a consent field, drop old PII from your DBs?

I imagine most CMS will have the option to do that at update?


It would be a shame to take down your old blogs as I'm sure people get value from them.

My approach is one very much based on risk - how likely am I to receive requests from data subjects requesting deletion of their data? How likely am I to be subject to a targeted attack where people try to remove information from my server? How likely am I to be the subject to enforcement action if my server is hacked and data is leaked?

On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event. If you're outside the EU, GDPR will only apply if you are actually offering goods/services to those in the Union, or are monitoring them. I take the point about analytics in the second place, but in the absence of analytics, I don't see that making available a blog constitutes the offering of goods/services?


> My approach is one very much based on risk

Mine too. The risk is massive fines, while I currently derive virtually no benefit from my online presence.

> On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event.

I also own a business and previously several of my clients have come through my blog postings.


Just to be clear, there is little to no risk of someone running a simple blog getting fined by a data protection regulator.

In the UK for example the ICO who regulate data protection matters concluded 17,300 cases, in which only 16 of them resulted in fines.

I’m just intrigued as to how you have developed this perception of GDPR and data protection law looking to regulate small one man blogs out of existence?

/edit oh and my other point still remains - even if you’ve got some customers through a blog, you don’t appear to be within scope of GDPR on the assumption you’re not directly looking to do business with EU based customers (for example through offering payment options in European currencies).


> I’m just intrigued as to how you have developed this perception of GDPR and data protection law looking to regulate small one man blogs out of existence?

There are huge industries with vested interests against privacy and consumer data protection and they have deep pockets. That person, if not instrumental in spreading misinformation, must then be a victim of it.


Do you habitually post personally identifiable information of other people in your blog without their consent?


I don't know why people were downvoting this.

GDPR outside of the EU (for purely non-EU entities) is a non sequitur; there are zero internal processes to make it work.

Let's take the most basic example: the GDPR does not apply in a vacuum. It's enforced and supported by Data Protection Agencies (DPAs) in each member state, which are responsible for ensuring that companies in those member states comply with EU regulation like the GDPR within the context of local laws and regulations.

The DPA is responsible for the application of the GDPR within its member state (its power is limited to that member state only, but the GDPR does have a few venues for applying a local DPA directive across member state lines). It's also responsible for handling complaints in that state, and it provides directives and advice to both lawmakers and the industry.

If I'm a UK company and need to deal with the GDPR (till Brexit do us part) I work with the ICO, which is the UK Data Protection Agency. While other DPAs might affect me, the ICO is my primary source of both advice and enforcement, and any issues that might originate in another DPA would still pass through the ICO.

Now I am a company in, I don't know where, let's take Argentina. I want to sell to EU customers: which DPA do I answer to? Which DPA do I ask for advice? How do I arbitrate complaints filed against me, and to which DPA do I prove I handled data disclosure requests in a manner compliant with the GDPR? Which DPA would know my local laws to ensure my application of the GDPR was compliant with local data retention and lawful access laws? In fact, other than going through my own state/trade department and organizations, what venue do I have as a non-EU resident and a non-EU entity to any EU services and resources?

The answer to all of this is none: as a non-EU company there is fuck all you can do even if you want to comply with the GDPR.


You use the legislation to guide your internal processes, systems and employee/user education. You ask your legal counsel for advice. Other than what you'd normally do anyway, you'd provide evidence of disclosure only to the DPA that asks. The DPA doesn't care about your local laws - seek local legal counsel instead.

To a developer used to systems thinking this should not be rocket science. Most of it is just good practice. Kim Cameron came up with the laws of identity many years ago, which the GDPR is surprisingly similar to.


DPAs care about local laws; the GDPR does not trump local EU legislation.

What court do you use to appeal a complaint or a fine?

There are no processes at all for a non-EU entity to function within the GDPR and saying it’s not rocket science isn’t going to change that.


If the ICO (UK) issued a fine, you wouldn't appeal in Spain, would you? Because of course you respond to the DPA that issued the fine or complaint. Am I not understanding your question?


We’re not talking about EU companies or entities but non-EU ones.

In the case of the EU you have your own local DPA, other DPAs, local courts and high courts to appeal to and/or work with.

As a non-EU entity you get nothing.


The only entities that can enforce GDPR are the DPAs in various EU countries. So if some action is taken against a non-EU company, it's anyway done by one of the DPAs - e.g. if there's a complaint against some USA company by a German citizen, it would be the German DPA handling that.

Any decisions of German DPA can be contested just as any other administrative decisions in German courts, the German DPA is fully under their authority. Yes, you won't have your local courts, but it doesn't mean that you can't appeal - you simply have to file this appeal where the contested decision was made.


You get the courts that the person you're servicing uses. Like when you sell to someone in a particular country and have to abide by their sales and tax laws.


That’s not true on either account. EU courts have no jurisdiction over non-EU entities, and there is no process on how to arbitrate a lawful retention requirement which trumps GDPR between EU and non-EU entities.

As for the taxation part of your comment, that is again an incorrect statement; in fact it’s categorically false.

If I as, say, a Brazilian company want to sell goods to an EU resident, I do not perform any tax collection other than the local taxes in my country.

In fact it likely means that I can forgo some local taxes like VAT or sales tax due to export.

You as the customer are obliged to pay all taxation related to this purchase which is usually paid when the item clears customs as the customs duty.

The only cases when one would collect tax on behalf of another country is when there is an explicit tax agreement to do so and process to support it. This is extremely rare and usually only happens within shared customs unions.

As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.


What, like US courts have no jurisdiction in the EU? I can pirate US movies, and as an EU bank, not report on US citizens in the EU to the US?

Those weird things aside, this isn't about collecting VAT. It's about remaining within the confines of the law of the country you're conducting your affairs in.

It's like if I, as a Russian, wanted to sell a car to someone in the US, I'd have to ensure that my car meets whatever requirements/standards the US sets out for vehicles. If my vehicle doesn't meet those standards, which court do you think I'd have to appeal in, as a Russian selling a car to an American?


Those copyright laws are enforced through local copyright holders and/or existing trade agreements, which again is something that is understood and established in international law, including WTO regulations.

The GDPR has no mandate under existing international law.

The level of strawmanning is getting ridiculous. When 2 countries sign a trade agreement you have 2 electorates which have a say in what is going to happen.

The GDPR's extra-territorial application isn't just extra-territorial, it's extra-judicial, in which you have a law forced on you that you have had no say in how it was passed and you have no say in how it would be interpreted and/or enforced.

This is tyrannical and I'm an EU citizen.


> As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.

That’s not how this works. You are required to collect VAT and use the MOSS system to pay it quarterly.


That's not correct: as a non-EU entity I'm under no obligation to register for MOSS or to collect VAT unless under TBES (which is nothing new, since it's an extension of the old VOES scheme), which applies to a limited number of services only: https://ec.europa.eu/taxation_customs/business/vat/telecommu...

Even if by some chance you are a small business that for an inexplicable reason does fall under this, you can get out of this scheme fairly easily (VAT exemption rules apply) and, more importantly, VAT can be handled by a proxy, e.g. a payment processor.

For businesses there is no VAT collection at all, and all businesses must pay reverse VAT when purchasing (or providing) services from (and to) outside of the EU, regardless of whether they fall under TBES or not.


If you sell non-physical goods you are required to collect VAT when you cross a per-country threshold.


Again, only if the goods fall under the criteria set by TBES and you are above the limit in a specific country, which in the UK for example is £85,000, and it's more or less similar across the EU.

This means that for most businesses it's not an issue, since you can have a turnover of a few 100,000 EUR spread across the EU without being required to register.

This is also solved via your payment processors, and what do you know, the EU also offers you the infrastructure to register. Where is the one-stop shop for GDPR?


Double check the thresholds in the various EU member states. They differ considerably, and the UK is an outlier in that it is so high.


34,000 EUR on average 31,000 without the UK, and 37,000 without the Nordic countries.

You also must provide a service that is qualified for VAT since it doesn't cover all non-tangible goods e.g. anything that is actually produced by a human but is delivered digitally like professional services.


You should use more punctuation, your writing is very hard to read and understand (as a non native speaker)


Yeah sorry, writing on an iPhone makes it a bit hard.


> UK company and need to deal with the GDPR (till Brexit do us part)

Brexit will make little or no difference unless you refuse to deal with EU citizens in any way that involves you having access to their PII or storing any information about them (including traces of their activity in your product/app/site).

GDPR will be carried over post-Brexit, and even if it is later revoked by act of parliament and not replaced by something equivalent you'll still need to deal with it if you want to trade with EU citizens. If the UK refused to play ball and somehow blocked us from the punishments for non-compliance, we would face inconvenient sanction by other means.

GDPR isn't perfect (is any regulation?) and there are certainly significant questions to be answered from the PoV of people operating outside the EU, and even some issues that may still require more clarity for those entirely operating here, but I wholeheartedly welcome it (UK citizen here, FWIW) despite being a data specialist and therefore having a bad nervous-twitch reaction to any idea of a non-soft delete operation!


That was a joke; the ICO will continue post-Brexit, I have no problems from the UK.

The GDPR isn't perfect, it's just not workable for companies that are not in the EU.


I'm not a lawyer, but I would think your Argentina company can be in one of 2 states:

1. You have a subsidiary in the EU, in which case that is who will get fined or will have to deal with the DPA where it is registered
2. You don't, in which case the EU can not fine you?


Well the GDPR doesn’t define that it applies to anyone who touches PII belonging to EU residents.

Logic dictates that it won’t apply to companies that simply don't have any legal presence in the EU.

But that is not defined because again there are no exceptions.

However PayPal might enforce it on you, in fear of the EU going after PayPal, because it’s expected that all EU companies would require GDPR compliance from their business partners overseas that perform any data processing for them or are exposed to EU PII.

However, how this compliance is to be achieved, validated and arbitrated isn’t defined either.


Article 3 is clear about the scope of the regulation when an entity is outside the EU. It states that it will apply where that entity is offering goods/services or is monitoring data subjects in the EU. Enforcement is a separate matter but the underlying law is clear. Art 2 then contains general exceptions to the application of the regulation also.


It’s not clear at all. By this definition, if I sell guitar picks on my personal store and I’m located in, say, Zimbabwe, I’m either forbidden from selling to the EU or will have to comply with the GDPR, which can be prohibitive to me due to local laws.

The GDPR isn’t clear on anything; it rewrites agreeable concepts of localization which have much more severe applications than simply the GDPR.

It also provides zero channels and infrastructure for non-EU entities to comply with the GDPR in the manner offered to local EU companies.

If the GDPR defines its scope as "if I can buy from you, you must comply", what stops the EU from mandating I must collect VAT on their behalf?


Laws are not always crystal clear in each case because to do so risks making them capable of being worked around (and of course in some cases they are just badly drafted - but I don't see this so much with GDPR). Laws are then subject to interpretation by the courts and by lawyers. If you're having issues with understanding laws, then you may need an expert to guide you, as in many areas of life.

Recital 23 of GDPR will give you insight into how your Zimbabwean guitar pick seller would be treated. If they are consciously offering picks to data subjects in the EU, either through specifically referencing EU data subjects, or through offering picks in EU currencies or tailoring the site for different European languages, then they are likely in scope.

Conflict of laws provisions are a separate point, however in various areas, the GDPR expressly states that legal obligations override GDPR obligations in various areas.

Whenever any company considers that a law may apply to them (whether as a result of operating in the country or because of the extra-territorial implications of certain laws, like GDPR) they generally take advice from local lawyers as to the implications or do independent research.

The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.

If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.


Yes, laws are not crystal clear, but you don't understand the problem: when laws are unclear in your country/union there is a clear channel to debate it, which is the regulator and the courts; these channels are not available to extra-territorial parties.

Add to that the fact that you now have laws enforced on you that you have no control over how they were written or are enforced, because you are not part of the electorate that passed them.

International law is applied when 2 countries agree on a common set of rules in which case you have 2 representative electorates which are mediating an agreement.

The GDPR has no legal basis of application it's not part of any trade agreement or any other international agreement between the EU and other countries.

The claim that it is somehow applicable is essentially tyrannical. Despite the intent of the law, the means through which it is applied, and the fact that people support its universal application, are terrifying.

What is even more terrifying is the likely means of enforcement which will be through the multinationals.

>The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.

What are you even trying to say here? If I don't live in the EU and have no legal presence in the EU, I have no means through which I must comply with the GDPR.

Mandating that I would create a local legal entity to serve as a proxy in a member state is a violation of existing trade agreements and WTO rules.

Enforcement of extra-territorial laws must be done through a process which is agreeable and understood by all parties.

>If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.

This entire debate is about the extra-territorial application of the GDPR; bringing in international tax treatment is super relevant because it's an established framework and it already establishes things like localization, which are critical for the extra-territorial application that the GDPR must follow.

People really need to wake up and understand that the GDPR isn't about Facebook or eBay, Amazon or the like; it applies to them equally as it applies to your local dry cleaner or hairdresser, which collect and process Personal Information as defined under the GDPR and are subject to the full extent of its regulatory requirements.

What is more frightening is that through commerce of either tangible goods or services this regulation can be applied to non-EU entities not only in an extra-territorial fashion but also in an extra-judicial one.

The reality is that many small businesses, or businesses of any size for which the volume of trade they have with the EU is less than the cost of compliance, would likely be forced to stop offering services to EU consumers or switch to a proxy like, well, eBay or Amazon.

The scope of regulation like FATCA or SOX which were mentioned here as examples applies to institutions that can afford it and can handle it.

The GDPR applies to everyone equally. Actually, that isn't true: if it applies to non-EU entities it doesn't apply equally, it's much costlier to them. If nothing else, then just take your ridiculous example, "consult a lawyer": a GDPR lawyer in Belgium or the UK would be fairly cheap since it's an established local law; to get the same level of advice and to get arbitration with a DPA in, say, Bolivia you can't go to an ambulance chaser, you'll be limited to an international law firm. Not to mention that legal advice for such services can be obtained for free in the EU through the local DPA and/or various organizations like Citizens Advice which provide legal assistance.


> What are you even trying to say here? If I don't live in the EU, have no legal presence in the EU I have no means through which I must comply with the GDPR.

I was responding to your point that there were zero channels to help non-EU companies to comply.

I’m really not sure what resources you think are available to EU companies that are not available to non-EU companies? You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with. To the extent a local regulator would provide guidance to an EU company, I am certain they would also provide it to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply is not the case!

We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.

Also your point about hairdressers is nonsense. A non-EU based hairdresser is very much out of scope of GDPR!


Local DPA, local courts, local MPs, industry unions, EU MPs, EU high courts.

And please tell me how, say, I as a small merchant in any country outside of the EU can get in touch with them and get services from any of them.

Better yet please tell me how a lawyer in Mexico or the Philippines would be able to advise me on GDPR unless they are part of a top tier international law firm which operates in the EU and has experience with GDPR.

Please let me know which non-EU bar associations were provided with materials and guidance by a DPA or any other EU regulatory agency, and have conducted workshops and seminars, in order to ensure that they would be able to provide legal advice on this matter.

>You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with.

Wanna bet? The Citizens Information Board (CA in Ireland) already offers such a service (so does Citizens Advice Edinburgh); in the UK the ACF provides GDPR related legal counsel to foundations, and a lot of other industry organizations offer similar services.

> I am certain they would also provide to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply

They will not provide any service or information to you; in fact they are forbidden from doing so. Try contacting an MP who isn't yours or an agency outside of your member state.

>We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.

There isn't anything to disagree about. This isn't about extra-territorial law, this is about extra-judicial application of it, which is tyranny since you are applying laws and regulation outside of the scope of international law and frameworks. The fact that you accept this as something good makes me think that the brexiters might have had a point.

>Also your point about hairdressers is nonsense. A non-EU based hairdresser is very muh out of scope of GDPR!

I think you should practice your reading comprehension. I'm in the EU; on the 25th of May I am submitting a data access request letter to my dry cleaner (I like my hairdresser), Pristine Dry Cleaners, just for the lolz and to show just how ridiculous it can be.

I know for a fact that they have my name, address and phone number since it was required during registration and I also know that their branch in East Finchley shares the same database as the one in Lancaster Gate since I've used both despite being different franchises so I really want to know who they shared those with.


Ok, my apologies for not picking up on the fact you are in the EU. Is it the cost that is stopping you from making a subject access request today under existing laws?

Apologies also - I took Citizens' Advice in the narrow sense of the Citizens Advice Bureau (I used to work there so it's in my subconscious) who generally deal with benefits, employment and housing law queries. I took a look at the citizensinformation.ie and did a search for GDPR - I can't see much in the way of materials unfortunately. ACF makes materials available which can be read by anyone regardless of location. Sure, they might make advice available to local entities, but this would be a small benefit to EU orgs vs non-EU orgs.

However I still don't really follow your point about how organisations will approach GDPR compliance in general and the idea that there is a massive gap between what is available to EU entities versus non-EU entities.

For lots of organisations, GDPR will not be on their radar, and life will go on as normal post May 25th.

For organisations aware of GDPR, their route to compliance will be through reading the source materials and supporting materials available on the Art 29 Working Party website. That is the case regardless of whether the organisation is in or out the EU. They can consult materials from third parties like ACF but the core materials are as above.

I don't really think contacting your MP or actually contacting a regulator is something which many entities have actually done because actually the base regulation and the interpretation notes are sufficient to understand what an organisation has to do to comply (again available to anyone who cares to read). In terms of court access

In terms of access to legal advice, then I don't quite think it's as bad as you paint it out here! I've instructed local counsel in multiple countries directly and it's a straightforward process, and those firms were not part of a top tier international law firm network. Often smaller local firms have firms of similar sizes in other countries that they can refer work to. If other peoples' implementations of GDPR are anything like my company's then the extent of legal advice sought will have been limited.

I think overall I take your point that resources on offer to non-EU companies may be more limited, but overall the core resources are the same. Lots of non-EU entities have been working very hard on looking to comply with GDPR using the above resources and taking local legal advice where relevant. I agree that for smaller organisations this is more problematic, but this is the case regardless of location to an extent.

I do take your point about the extra-judicial nature though. We will have to see how things work out. My instinct is that for lots of companies it will be business as usual and the local regulators will have bigger targets that they want to go after.


The company I work for has been working on GDPR compliance for the better part of 3 years.

We also maintain compliance in the financial sector and we have both very good in house and external counsel which works with both the ICO and political institutions to ensure we meet our compliance.

The fact is that as an EU citizen you have a say about how the GDPR is applied and you have a say in how it will be enforced and interpreted.

As a non-EU entity you have no voice.

You also cannot ask for assistance from any EU or member state body.

You also don’t have access to DPA run events for example: https://ico.org.uk/about-the-ico/news-and-events/speaking-en...

Now if you want a good comparison, as you have worked for a legal aid organization before you can likely estimate the hourly billable of a lawyer in the UK to provide you counsel on UK or EU law vs say FATCA or SOX.

My bet is that it would likely be at least 3 zeros in difference.

The fear isn’t that a DPA would go after you, but rather that they’ll force service providers to compel you to comply.

Under the GDPR for PayPal to remain compliant it needs to ensure that all merchants that use it to receive payments from EU residents are also compliant because you share your Personal Information with PayPal who then shares it with the merchant (name, email, address, phone number etc.).

This is going to be the likely channel of enforcement not them dragging you to court.


I don't think any of this is entirely clear, but from my understanding it seems like the EU wants to apply GDPR even if you don't have an EU presence.

In practice, I doubt that they'd get the US to enforce judgements. But it might mean that I can never risk going to Europe again lest I risk having a default judgement enforced against me for one of my businesses.


If your store front is accessible to EU based citizens then you have an EU presence.


The threshold for determining establishment is a low threshold; however there will still be various factors taken into account in determining whether that establishment is there (for Art 3(1)), and indeed whether goods and services are being offered to data subjects in the EU (for Art 3(2)).

The mere availability of a website is not sufficient however to satisfy the above. Recital 23 below gives more details about those factors:

  *Whereas the mere accessibility of the controller's, 
  processor's or an intermediary's website in the Union, of 
  an email address or of other contact details, or the use 
  of a language generally used in the third country where 
  the controller is established, is insufficient to 
  ascertain such intention, factors such as the use of a 
  language or a currency generally used in one or more 
  Member States with the possibility of ordering goods and 
  services in that other language, or the mentioning of 
  customers or users who are in the Union, may make it 
  apparent that the controller envisages offering goods or 
  services to data subjects in the Union.*


Yes, I should have better specified "accessible". If you ship to those customers, and make that publicly known, that appears to satisfy the intent to provide service to that country?

Add on language and currency, basics of accessibility, and you're meeting the definition AFAICT.


No, if you aren’t a legal entity in the EU you have no presence in the EU.

If you would push for this the only thing that would happen is that companies would stop accepting orders from the EU.

If this is going to be the definition, expect a lot of store fronts to be closed to EU residents following May 25th, or more likely the first time this precedent is set in court.


It seems a direct parallel of being tried for copyright infringement in USA when you have an offshore website - like O'Dwyer who had to bribe himself out of being extradited from UK to face charges of copyright infringement in USA. He'd never been there, didn't have servers there, and was acting legally in his jurisdiction of residence.

Similar things happened with USA's actions on Silk Road, KAT, with Kim Dotcom, and I'm sure many other legal situations I'm not aware of.

EU is seemingly extending logical contact to be equivalent to entry to a jurisdiction as USA appear to have established is desirable as a facet of inter-national application of law in the internet age.

I much prefer the extension of jurisdiction in protection of member states citizens rights than in the service of media conglomerates.


Copyright is enforced via local copyright holders / representatives, trade agreements and WTO rules AKA local or international law.

In no way, shape or form does US law have a direct mandate outside of the US.

All the examples you've given were those of actions performed through established legal channels in which all parties had and have a say.

Extra-territorial application of the GDPR under existing frameworks (or the lack thereof) is tyrannical because you apply it to people that have had no say in the establishment of the regulation and have no control over the interpretation and/or the enforcement of it.


So, given that there's no DPA in the US (as far as I'm aware, there are also none in China, India, Australia, etc), how would the GDPR be enforced against an entity with no physical presence in the EU?


On paper it can’t. In practice, since the EU expects EU entities to essentially mandate GDPR compliance from their non-EU partners in order to be compliant, it is pretty simple, at least for ecommerce.

PayPal could tell you that you must comply to accept payments from the EU, and likely in the same manner they handle everything, which means no guidance, benchmarks or clear directions, and it would be up to you to figure it out.

By PayPal I don’t mean just PayPal but any other payment processor or service provider which you are dependent on.


Yup. It's crazy to me that this law is going into effect without even such basic questions being answered.


I work for a startup in the EU and will be affected by GDPR. It's a nuisance but not a disaster. In fact, any small company that really can't employ good enough processes to comply is probably doing something very, very wrong.


It is nice that you think that, but actually startups have the least amount of problems regarding GDPR. You can start coding with GDPR in mind (privacy by design) and you will hardly have a lot of problems. Big companies have huge codebases and databases and they will have to integrate privacy into them, which is FAR more complicated than any startup can even imagine. On the other side, if you are doing a startup where you want to use privacy breaching as a business model, then you shouldn't exist in the first place, so no damage done.


This is why I don't think it is. For far, far, far too long, startups have treated user data, privacy, and security as an afterthought. Now, they are going to be required to give consideration to those things. This can be nothing but a good thing. The age of "move fast and don't care about user data" is coming to a close, and all should be happy.


You suggest an exemption for startups? Wait until a Facebook decides to buy all their 'analytics' from a small startup they funded, basically circumventing the whole GDPR.


Laws are not code. You could have the exemption be based on the number of individuals whose data is processed, for example: Facebook can use as many shells as they want, but they'd still need to comply if they want to look at their massive user base, but my small business with a few dozen customers wouldn't need to worry.


If it is so typical, multiple examples please.


Without trying to be harsh to the EU, they do have a bad record. Two examples: the Cookie Law, and EU VAT (by common admission it is a system that is impossible to implement correctly).


> It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.

Where's the burden? Only collect the data you need; tell people what you're collecting and why; only keep it for as long as you need; keep it safe.

These are not burdens.


They have provided a real-world example elsewhere in the thread. It really seems to support their point:

"Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics."


Well, he is not a company. So he doesn't need to do anything. If it's a personal website GDPR does not apply.

If it is a company, yes, it will require more work. That is the nature of regulation, but the demands placed on companies are not unreasonable in any way. I would place it on the same level as stores being required to provide receipts, or restaurants being required to clean the kitchen. It certainly was easier when they didn't need to do that, but don't we agree it's a reasonable burden to place on businesses to guarantee an acceptable level of service?


My personal blog is registered to my company.

Restaurants being subject to local laws around hygiene makes sense. It would be far stranger for restaurants to be subject to health codes from across the world just because tourists occasionally visit.

I had no say in GDPR but am forced to comply, despite the overhead it entails without any actual benefit to user privacy (in my case).


So why is it registered to your company if it is your personal blog? To deduct taxes? If you are, you must derive business benefit from it. So it is in fact not a personal blog.

Also, you can keep logs (with IPs) if the purpose of the log is to prevent abuse. If you are only keeping the log on because it was the default, that is a bad reason to keep them, and is not in compliance with GDPR.

If you are keeping the log because you are selling the data to Facebook for data analysis, and are sad because you have to turn them off for EU citizens. I’m not sorry that you are forced to comply.


> So why is it registered to your company if it is your personal blog? To deduct taxes? If you are, you must derive business benefit from it. So it is in face not a personal blog.

It's not strictly personal, in the sense that I post technical content which sometimes leads to me being hired for consulting engagements.

> If you are keeping the log because you are selling the data to Facebook for data analysis, and are sad because you have to turn them off for EU citizens. I’m not sorry that you are forced to comply.

I honestly cannot tell if you are trolling or not.

Do you truly think Facebook has a program where I can sell them my Apache logs of a few daily visitors?


He can also just choose to not log ip addresses.


Not logging IPs makes debugging and abuse detection much more challenging. Moreover, it is also the current default in most software which touches HTTP requests.
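An added example for the point above (and the earlier remark that logs may be kept to prevent abuse), not code from any commenter: a small Python filter that pseudonymises the client IP in Apache combined-log lines by truncating IPv4 addresses to /24 and IPv6 to /48 before they are written, and a per-network counter showing that brute-force detection still works on the truncated values. The log lines are constructed and the truncation widths are an assumption, not a GDPR rule.

```python
"""Truncate client IPs in Apache combined-log lines while keeping them usable
for abuse detection.  Added example for this thread, not anyone's production
code.  Sample lines are constructed; /24 and /48 are an assumed choice."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Combined format starts with the client address, then everything else.
_LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")
# Status code is the 3-digit token right after the quoted request line.
_STATUS_RE = re.compile(r'" (\d{3}) ')


def truncate_ip(raw: str, v4_bits: int = 24, v6_bits: int = 48) -> str:
    """Zero the host bits of an address; a non-IP token becomes '-'.
    Idempotent, so already-truncated logs can be re-processed safely."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return "-"
    bits = v4_bits if addr.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def pseudonymise_line(line: str) -> str:
    """Replace the leading client address with its truncated network."""
    m = _LOG_RE.match(line)
    if not m:
        return line
    return f"{truncate_ip(m.group('ip'))} {m.group('rest')}"


def pseudonymise(lines: Iterable[str]) -> List[str]:
    return [pseudonymise_line(line) for line in lines]


def requests_per_network(lines: Iterable[str], status: Optional[str] = None) -> Counter:
    """Count requests per truncated network, optionally only a given status."""
    counts: Counter = Counter()
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        if status is not None:
            sm = _STATUS_RE.search(line)
            if not sm or sm.group(1) != status:
                continue
        counts[truncate_ip(m.group("ip"))] += 1
    return counts


def noisy_networks(lines: Iterable[str], threshold: int, status: Optional[str] = None) -> Dict[str, int]:
    """Networks at or above `threshold` requests (e.g. repeated 401s on a login page)."""
    return {net: n for net, n in requests_per_network(lines, status).items() if n >= threshold}


# Constructed sample: two hosts in one /24 hammering a login page, two benign visitors.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 401 12 "-" "curl/7.58"',
    '203.0.113.7 - - [10/May/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 12 "-" "curl/7.58"',
    '203.0.113.9 - - [10/May/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 12 "-" "curl/7.58"',
    '198.51.100.23 - - [10/May/2018:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:1::42 - - [10/May/2018:10:00:05 +0000] "GET /post/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in pseudonymise(SAMPLE_LOG):
        print(line)
    # Detection runs on the truncated log, so the raw addresses never need to be stored.
    print(noisy_networks(pseudonymise(SAMPLE_LOG), threshold=3, status="401"))
```

In practice the filter would sit in front of the log writer (for example as a piped log program) so that the full address never reaches disk.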


We could make it easier for states to find and prosecute criminals by not requiring warrants and making encryption illegal, but we don't (and we shouldn't) because the peoples' rights are inalienable, whereas the rights of states, corporations and other entities to interfere with that privacy are not.

Yes, it would be more challenging, and inconvenient, and probably a massive pain in the ass not to log IPs by default, but if the end result is a weakening of the power of modern social media companies (and political and law enforcement agencies) to exploit people's data for nefarious ends without consequence, then society as a whole, and the web, benefit.

Mind you, I don't necessarily believe GDPR is the solution, or that logging IPs is unreasonable, but I do welcome the conversation people seem to be having about who owns their identity.


You missed the part about the blog comments. He would also need to implement a mechanism which allows users to delete their old comments.


The mechanism is they send you an email, you verify it as you wish (have them post a comment using their credentials), you overwrite all comments from that uid in the db with a simple query?

If you're using a CMS then it's going to be type the username and hit "delete all comments"; maybe WordPress et al. do this already.

With a small blog the administration of that is going to be facile, surely.


Sure it is facile. But it is a burden and an exposure to risk, which won't be worthwhile for most non-profit blogs.

And by the way, most blog comment systems don't require you to create an account before commenting. So this "have them post a comment using their credentials" won't work anyway.


I don't have a login system for my blog.


Not to stretch out this comment any more, but are we seriously arguing that adding a delete button is hard? I mean, most people on here would agree that it's not something they would worry about. It sounds more like people are upset they are forced to do it, and have no say in it.


How would you add a delete button without adding a complete login system? Or do you want to allow everybody to delete every comment? And of course this is also doable, but the question is, is it worth it for a non-profit (non-tracking) blog? Probably not. Is it worth it for Facebook and Google? Sure.


Exactly. I'm not arguing it's impossible, but that it imposes a meaningful additional burden on small operators without any real benefit to privacy.

Personally, I don't even think people should have the right to go back and delete a comment from years ago, which might have started a whole interesting discussion. But the EU requires that I think through such a system, including finding a way to identify them as the commenter and purge their PII from all logs/backups/caches as well.


We argue why putting people in jail for not implementing a delete button is regulatory overreach.


> (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work

If the blog is purely personal the GDPR does not apply.

https://ico.org.uk/media/for-organisations/data-protection-r...

> The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

And if GDPR does apply you only have to do the extra work if the IP addresses can be used to identify a natural person. Note here "can be", not "is".

> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

> (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

And article 4

1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


"purely for personal/household activities."

IANAL but for me this doesn't sound like a blog, open to the public, maybe even with a public commenting system, would be freed from the burden of the GDPR.

IPs "can be", not "is" personal data

It doesn't help you that IPs are not always personal data, as soon as they can be, you have a problem if you store them.
