This is a ridiculous over-reaction based on an extremely shallow interpretation of the GDPR.
If you are running a small business and you feel that you won't be able to operate your business because of the GDPR consider all those other laws that you have to be in compliance with as well. If that's your attitude towards legal compliance then you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go away.
Legal compliance is a requirement for any business, and privacy law is just one more thing to take into account and for a small business that does not process super sensitive data (such as medical information or financial information) the costs of compliance are negligible. They're not '0', but then again it is a business and costs of doing business are the norm.
It is impossible to sell raw-milk cheese in the United States. Are French cheese makers overreacting by simply choosing not to do business here rather than change their centuries-old production techniques? It is illegal to sell kinder eggs in the US, because of some law that involves children accidentally swallowing toys. Is Kinder overreacting by refusing to sell those candies here? You cannot buy Bovril in the US, because of a panic about mad cow disease from 20 years ago. Are the manufacturers of bovril overreacting by refusing to create a separate production facility that uses only beef sourced from outside the UK? Compliance with laws outside your primary market has a cost, and potentially a benefit. Every business, large or small, is going to do that cost-benefit analysis, and make their own decisions. As an american I can hardly blame the Kinder people for failing to provide me with convenient access to chocolate eggs containing plastic toys. It's my government, and the laws they've put in place that have had that effect.
Thank you for making a coherent argument. You are missing one point I think: if not for those regulations those companies would love to do business. They are forbidden from doing business, this guy sees the law and runs off without even trying to become compliant. That's a different thing. There is no way that Kinder could be compliant with US law in such a way that they would not be exposed to what - to EU sensibilities - amount to exorbitant damage claims.
Similar arguments apply to the other examples you use, I see your point and there are valid reasons to not enter a certain market because of the legal climate there but the point I am trying to make is that the OP has not raise any valid point at all other than 'I don't want to comply'. And that's fine by me but then don't bother dressing it up in a bunch of made up requirements.
>this guy sees the law and runs off without even trying to become compliant
This guy quite clearly states that he doesn't have resources to become compliant, while it is too risky to make a mistake here.
There are fans of GDPR on this website, who prefer to ignore the fact that the compliance has its cost, and added to that still unknown risks of practical interpretation of legislation which also have their cost. But these are real life things.
I respect his right to do whatever he would like with his own hobby, but we should be clear that the guy is stating he doesn’t have the resources, based on a series of misunderstandings.
So, for example, he says he is required to appoint a DPO.
The U.K. Information Commissioner has this to say:
>Do we need to appoint a Data Protection Officer?
A> Under the GDPR, you must appoint a DPO if:
> you are a public authority (except for courts acting in their judicial capacity);
> your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);
> * or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
You are correct as to a DPO, but if he is, say in the US, and subject to GDPR, he must have an EU Representative, who by all indications would be liable for his violations. That's a significant burden if not a practical impossibility for most in his position. Also, if he's transferring personal data from the EU to the US directly from individuals, his only practical way of making that transfer compliant is likely to be privacy shield certified which is not cost free (although he could maybe rely on consent as a derogation, but relying on that has risk). I can think of many things like this that have, if not a hard cost, then a definite cost in time and resources to comply including keeping up with compliance. Could easily be not worth the effort for a single individual.
If you tick all those other boxes, but are concerned that your processing may be teetering on the boundary of 'large scale', I would be cautious and assume your liable.
These are excellent questions that you will have to have shown you've considered if you get audited. If there's disagreement with the regulator, you'll come together to resolve it, and then may need to appoint one.
Well, so it's undefined, at least until practice of legal application establishes. Undefined means risk, and stopping serving EU is a meaningful mitigation, if your profits don't compensate you for all the hassle. Where's "overreaction“ then?
A UK privacy attorney I know considered 20k records (individuals) to be large scale. I haven't seen much helpful guidance. The WP29 guidance I've read only gives examples at the very extremes of large and small so not too helpful. Practical guidelines will evolve over time.
"There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any."
Specifically they recommend against also being the data controller. I.e. you shouldn't be responsible both for handling personal data and verifying compliance of said handling.
I'm not seeing any interpretation being done here, but judge for yourself. Here is what the GDPR actually says (Art. 37 Designation of the data protection officer):
> (1) The controller and the processor shall designate a data protection officer in any case where:
> a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
> b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
> c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
That's the UK's straight-forward unequivocal explanation of the rules. Where there is room for interpretation or uncertainty, the ICO is very good at pointing this out. It doesn't here.
As poisan42 points out - it echoes the words in the actual article, directly.
The GDPR replaces the 1995 Data Protection Directive.[4] Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.[5]
Only for the sake of correctness/completeness: GDPR does allow member states to adjust certain details to bring them in line with local regulations (see Chapter 9). These are explicit opening clauses though that must not basically weaken or augment GDPR.
It's an EU Regulation, which under EU law the local courts have a duty to enforce. Local courts and laws will be dealing with all the details unless a case is appealed to ECJ.
To say that local courts and laws will have no influence is complete rubbish.
GDPR compliance takes resources. I would say for a small business it takes about 1 or 2 days. Not hard work but tedious. In the end you will have around 5 documents that will show your processes, what you do to keep data save, a plan how you deal with questions from customers and regulators, that you trained your employees and that you choose your subs carefully.
Essentially that's it.
I am no lawyer but I am a CPO.
Pro tip: Speak with the regulators they are on your side.
Yes - I guess having an EU contact is something not easy to come by on the other hand there might soon be a service for it.
I guess an XMPP Server could be considered a communication service an could be subject not to the GDPR but to regulations concerning ISPs and Phone companies.
Well many of us find it completely normal to spend days on having a good security, setting up HTTPS, encrypting content to protect privacy. I wonder why GDPR seems so different, it's just more of the same, just less technical.
I guess I am a fan of GDPR, certainly compliance to anything has a cost. I personally don't find the costs of GDPR compliance onerous unless you have already built up lots of non compliant systems that now need to be fixed, in which case the free ride is over. Anyway, this guy is pulling out of the EU but if he allows anyone from the EU to use his service from a non-EU location anyway he would be risking non-compliance.
They did that in a rather smart way, too, by diverging it enough from the original that they could sell it elsewhere as a new thing.
I mean, it never really took off here, very few people prefer it over the original, but better than not being able to sell it outside of the US at all.
Yes. Rather a step back from the original offering isn't it? If I'm being honest, I couldn't give a damn about the kinder eggs prohibition, as I am not a child, and I do not have children. The Bovril issue is by far my biggest personal concern, although I'd really like to be able to buy raw milk cheese.
There are states in the US where you can buy raw milk cheese legally. You just can't do it through interstate commerce, but for example it can be done in person at farmer's markets with cash. New York is one such state, I dunno about the other major tech hub states.
Bovril could easily comply. They would simply have to open a manufacturing facility that did not use UK beef. The French cheese makers could sort of comply, by pasteurizing their milk. Kinder, I admit, has a more difficult problem, and has, in fact attempted to comply, by creating a completely different product with the same name.
"The French cheese makers could sort of comply, by pasteurizing their milk"
And why should the French cripple a delicious and traditional product, which is gladly gobbled up by millions of happy consumers to sell their product in the US?
Because otherwise they can’t sell it there. Their country, their rules. A French cheese maker doesn’t get to dictate the rules abroad. Take it or leave it.
It seems to me that French and other European cheese makers are much more interested in protecting the integrity of their product than opening up the US market for it.
You mean, exactly what we are doing right now, causing all kind of outrage in France ? Funny you should bring that up, because it's a very hot topic currently :-D
Except EU has always (well, Sweden since 1973) had regulation, if you would gave followed that, you would not have to change much in most cases. Just write some documents and smaller changes.
But in this case this is not even a business. It is a zero-revenue open-source project. It seems to me that only very well-funded charities are allowed to run web services now.
P.S. I sincerely hope my country gets out of this ASAP.
Kinder is a great example actually on how a company adjusted their product. Now I believe in all markets (even beyond USA) the product is safer and less dangerous for kids to get injured.
It takes some special talent, even as an adult, to take such a big bite off of a classic Kinder egg that you'd have any chance of accidentally swallowing the plastic capsule or somehow else hurting yourself on it.
And with the new egg, I'd be concerned that my kids swallowed that plastic spoon. Like, that's something they actively have to put into their mouth and it's not as interesting as the toy for them to be motivated to not swallow it.
It's also small enough for them to realistically pull this off.
They marketed it as a new thing beside the original here in Germany.
Most people seem to prefer the original, though. They lost a lot of charm by going from toy+edible+tinfoil to plastic+toy+plastic+edible+plastic spoon+plastic.
They're not forbidden to so business, they're forbidden to so business unless they adapt their product or practices. I'd say that is pretty much the same as this case?
> It is impossible to sell raw-milk cheese in the United States.
I've bought plenty of raw mil cheeses (domestic and imported) in the US.
http://www.realrawmilkfacts.com/raw-milk-regulations says:
"In 1987, the FDA mandated pasteurization of all milk and milk products for human consumption, effectively banning the shipment of raw milk in interstate commerce with the exception of cheese made from raw milk, provided the cheese has been aged a minimum of 60 days and is clearly labeled as unpasteurized."
As many cheeses are aged more than 60 days, the ban on "raw-milk cheeses" is basically an urban myth.
Oh it's real enough, since there are also plenty of cheeses which are aged under 60 days and not traditionally pasteurized. It's also relevant for making yogurt and butter in traditional ways, though one can start with pasteurized and get an okay enough result.
But as I said in another reply to the parent poster, there are states which allow raw milk products in intrastate (but not interstate) commerce.
[Edit: Wow my text got mangled by autocorrect. Fixed so that it makes sense now!]
Indeed. And the prohibition on raw milk does not ban cheese. Many cheeses from France are still available, because they do not involve raw milk. The EU has passed a law, perhaps it is a worthwhile law. This is one of the consequences. The ban on raw milk in cheese making exists thanks to (presumably) the best intentions, and the end result is that there are many cheeses I would like to buy, that I cannot. An American (unlike me) who supports such a ban rejoices in the fact that we are protected from these dangerous french cheeses. Perhaps you rejoice that you are protected from the dangerous GDPR non-compliant Monal.
> the prohibition on raw milk does not ban cheese.
It bans "raw-milk cheese", which is a distinct kind of product, not one way of many to make a particular product ("cheese"). If you ban raw milk, you ban certain types of product entirely, and there is no workaround.
It would be like saying a prohibition on planes does not ban automobiles, and after all, both are a kind of vehicle. True, but not really relevant.
Back to the GDPR case, it's closer to a producer of pasteurized-milk-cheese saying they are going to get out of the cheese business altogether because of the ban on raw-milk-cheese, and labeling their cheese as such and documenting however briefly that the cheese is made out of pasteurized milk is just too much effort, and they are afraid of being sued by people claiming it is raw-milk-cheese.
No analogy is perfect. In this case, there are questions that legitimately have no definitive answer (like what is "large scale"), so it is more like the cheese maker genuinely doesn't know whether their milk would be audited as raw-milk or not, and even if they consult with a lawyer they still don't have confidence that they would know.
It's you. The original comment says 'The author of Monal misunderstands/misrepresents the regulation and is throwing a silly tizzy'. To which you say 'some laws ban some things. also, cheese is made of milk'. These things are true but not related to the GDRP or messengers.
There are literally no costs for complying if you sell or give away a messenger app, unless you're leaving everything unencrypted or collect tons of unrelated private data, too.
If they sell private information gathered from that messenger app to undisclosed third parties, then there may be additional costs of compliance.
Maybe this developer is complaining because he's running a nefarious business model? In that case it might indeed be easiest for him to shut down his business in the EU.
The original comment is about the proportionality of the response, the choice the author is making and what the commenter thinks about it. When something is banned outright, there is no choice and no proportionality. So, no, it's not particularly responsive nor analogous.
Same as the ban on the cheese wasn't a ban on "cheese" it was a ban on "cheese made with this manner" the regulations being shown here aren't a ban on "collecting/using personal information" it's a ban on "collecting/using personal information this manner"
Again cost / benefit is always a valid choice to operate somewhere.
The conversation was about whether the response was proportionate to (what the commenter felt was) a small imposition. You can't just change the degree of imposition from a small one to a really severe one and then claim it's 'the same'. It's only the same if you possess the enviable mental quickness to find not-the-same things the same. You're right that I don't.
If you cancel an appointment because you stubbed your toe, many people will consider that response unreasonable. If you did it because a pterodactyl flew in and bit off your head, lightning thought process and all, fewer people would.
If you read the article, you would find out that this is the essence basically.
"As GDPR approaches, I get the impression that it is an end of an era for the internet. The days of someone making something, putting it on the internet and offering it to the world seem to be over. "
And this particular thing GDPR ruins pretty goddamn well.
Bullshit. That era existed before everything was analyzed and monetized and PII was packaged and sold as a commodity. GDPR ruins invasion of privacy for profit.
I have good news for you about kinder eggs: they're no longer banned.[1] There's a store in Harvard Square that has about twenty different kinds. Sadly, they appear to be all licensed stuff now.
> It is impossible to sell raw-milk cheese in the United States
No, it's not, but it is legally imposible to import them, and trade them in interstate commerce (many—I think still a majority—of states allow raw milk and raw milk products, though the FDA prohibits most directly and sets standards which effectively prohibit the rest in interstate commerce, including foreign imports.)
Not that that really changes the point you are illustrating.
He is a 1 person team. Given him a break vs. being so aggressive in your comment. There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc. All these things don't drop from the sky.
And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
> Given him a break vs. trying to me so aggressive in your comment.
The article is spreading FUD and inciting others to spread it even further in the comments.
> There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc.
The GDPR is online, and has been for a long time, you don't need a lawyer but if you feel that gives you more comfort then fine, you don't need to hire anybody, that is just plain nonsense, and changing the UI to give users an opt out: that should have been done two years ago.
> All these things don't drop from the sky.
Indeed, this did not drop out of the sky. It has been in the works for years.
> And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
That's fine with me, the way in which it is presented is not fine with me.
Well - you haven't refuted any of his core points wrt DPO, Push & XMPP. All your comments have been stated in an aggressive tone which generally is a negative signal. At this point, I feel you need to provide more context to your core points vs. just saying read the GDPR and comply with it (or that you should have already done 2 yrs back). Even companies like Google and FB are complying with it in the past month.
This is the furthest thing from true, like almost every single question about this terrible law. Vague law + faceless bureaucracies + universal application + crippling penalties...sounds like a brilliant combo to destroy people’s lives.
as usual, the rebuttal is: there have been this kind of laws in Europe for a decade.
For example, if you're operating in Italy and don't provide 2 separate checkboxes for managing personal data directly and indirectly at sign up time you're in breach of the law.
Do you remember many people's lifes crippled by this?
Wait. So, I've had a site where there was only a single checkbox to create an account.
Now, if there was someone from Italy (I don't know, the site's gone for years now, highly unlikely but theoretically possible) does this means I'm a possible law offender and should avoid visiting Italy?
Oh, it also had no cookie banners, too...
Could be, the reason no one was hurt is that those laws weren't actually enforced any much? If so, I believe GDPR's promised to be different.
It's certainly true that even before the GDPR, almost any nontrivial business could reasonably be argued to be violating some mostly-unenforced law. I don't see that as a reason to shrug, and make the problem one step worse.
Selective enforcement of commercial law is a routine tool of unfree states--look at something like the tax charges against The Cambodia Daily. To trust in regulatory discretion is to trust that no government in the EU--a continent that within living memory hosted Francisco Franco, Giorgios Papadopoulos, and much worse--will ever be run by people you disagree with. In the extreme, a dictator can always ignore or rewrite the law; but somewhere in the slide from our present democracy to that, I don't think it's unimaginable that the GDPR could be abused.
I support privacy regulation. I don't see why it requires us to abandon the rule of law.
ETA: Downvote if you trust Viktor Orban, I guess? I'm presuming a strong case of "it can't happen here"....
My wording was awkward, but I think the meaning is clear. "...in the EU--the union of countries primarily located in a continent that..." ?
And what am I missing? They were dictators of Spain and Greece respectively. There are millions of people who can remember their rule alive in those EU countries today. What changed in the last fifty years to make a recurrence impossible? Turkey narrowly missed joining, and it's basically there now. Hungary seems well on its way.
The threat of being suspended from the EU and the (potential) economic damage from that? You can’t be a dictatorship and keep the same rights in the union, as per the Copenhagen criteria and Article 7.
Spain just crushed a political movement trying to organise a referendum through force. It arrested the leaders and the rest of the EU is helping them catch the ones that fled. They call it a rebellion and state that Catalonia can never be independent.
Not an Article 7 violation, apparently. According to the EU it's merely an internal matter.
Hungary elects a government by a wide margin, it's a popular government, and the government reflects its people's disagreement with EU policies that aren't in any treaties and weren't in anything Hungary previously agreed to. This is apparently a violation of "rule of law" and "not democracy".
The EU's definition of democracy is anything that helps the EU, simple as that.
And Russia considers itself to be a democracy. There's a big gray zone between good government and a self-admitted dictatorship. Smart modern authoritarians know that they need to maintain the pretense of democracy (for reasons like the one you note), and they do a passable job--look at something like Cambodia. That's what makes tools to exert personal power while still complying with the law as written so important.
Why do you think the GDPR needs to give the government that much power? For a simple example: Why is 20M EUR the right statutory maximum? If the regulators would never enforce it, then why does it need to be so high?
Because otherwise some companies might conclude that it is cheaper to continue to violate the law and simply to pay the fine. See Volkswagen, which got fined billions for violating the law (and rightly so), and they're still in business and have not withdrawn from the markets where they were fined. But it looks as if they did learn their lesson (for the next 30 years or so, this wasn't the first time they got caught with something like that).
Volkswagen-sized companies would be subject to the 4% of revenue limit, since that's >20M EUR. That 4% seems high to me, but not insane.
The 20M seems insane to me. If the standard for smaller companies were e.g. 100% of the last five years of revenue plus 50k EUR, then can you imagine a case where it would be cheaper to violate the law and keep paying the fine? That would be a lot less menacing to small, non-commercial or semi-commercial projects.
I'm pretty sure the regulatory bodies are thoroughly and wholly excited to take on Google and Facebook with some hefty fines and clarify the GDPR and how it applies. I can't wait either.
Google and Facebook have financial impacts in complying due to the very nature of their business.
They comply later than everyone else not because they didn’t see it coming or didn’t prepare for it, just that it wasn’t in their interest to do it earlier
Indeed, this did not drop out of the sky. It has been in the works for years.
I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017. My country's data protection agency made no attempt at raising awareness despite having my email address on file :-D It's only been frequently hitting non-EU industry news and places like HN since late 2017 so I can appreciate how non-EU folks might feel blindsided by it.
I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017.
Likewise. This idea that the GDPR has been in the works for years so it's somehow implausible that very small businesses have only just heard of it doesn't stand up to scrutiny. No owner-run microbusiness is spending the time necessary to keep up with the vagaries of EU debates.
Similarly, the idea that the GDPR is plainly readable and so that shouldn't be a burden and no-one needs to consult experts makes no sense. The document is many pages long, there are many more pages of guidance and interpretation produced by both the EU itself and the various national regulators, and it's still fundamentally ambiguous on many significant practical points.
It is entirely reasonable for a small business that does relatively little trade with the EU not to want anything to do with this, and it has little if anything to do with how good or bad their practical data protection measures and respect for privacy are. If small businesses are overreacting then that is on the EU for failing to pass better law and provide sufficiently clear, concise and timely publicity and guidance on what it really means.
My business interests are in the UK, so we're stuck with this one. However, if we'd realised ahead of time how much trouble the new EU VAT rules would cause a few years back, we would gladly have sacrificed the modest part of our revenue that comes from other EU member states in order to avoid that mess, and it wouldn't have been a close decision. So I find it very hard to criticise anyone running a small business outside the EU for wanting to avoid the latest round of heavyweight EU regulations if they have a way to put themselves outside of their scope.
Thank you for perfectly describing the frustrations I have experienced with GDPR. As the owner of a small SaaS business in the US I don't have the time to follow various EU regulations that closely.
I only found out about GDPR earlier this year from a random HN comment. I can't understand the attitude from some HN commenters that everyone should have known about this for years. Where/how should every small business that could be impacted by this regulation be notified?
As you noted, the regulation is readable, but verbose and frustratingly vague. I ended up reading most of it along with countless articles from various third parties debating what it means and how to comply - and I'm still not 100% certain if the steps I've taken mean I'm actually "GDPR compliant."
I too got stuck having to comply since around 30% of my customers are in the EU. However, I gladly would have foregone all of that revenue and focused on non-EU customers only if I had known what was coming back then...
Nobody actually knows what "GDPR compliant" means. As it's up to you to demonstrate, and it's up to your regulator to decide a policy enforcement guideline, basically nobody knows. It's really, really, really burdensome, especially if you have to retrofit it to existing systems.
You know what? i'm pretty sure you can just talk to one of the european regulator in advance and ask him questions about points you don't understand. They are pretty slow but they do respond.
I'm probably a bit more in touch with this stuff than most because of the nature of my business but in the last year or so I've seen more and more companies that made real work of their GDPR impact studies (companies with vast amounts of data and/or sensitive data were further along). For all but the largest the impact has been very low, the longer ago they started the lower the amount of work they had to do.
That's the price of sitting in your office with your head down though, you can't ignore changes such as these.
This is one of the oldest HN mentions about the GDPR I could find:
> Indeed, this did not drop out of the sky. It has been in the works for years.
VOGON CAPTAIN:
[On Speakers] People of Earth your attention please. This is Prostectic Vogon Jeltz of the Galactic Hyperspace Planet Council. As you no doubt will be aware, the plans for the development of the outlying regions of the western spiral arm of the galaxy require the building of a hyperspace express route through your star system and, regrettably, your planet is one of those scheduled for demolition. The process will take slightly less than two of your Earth minutes thank you very much.
MANKIND:
[Yells of protest]
VOGON CAPTAIN:
There’s no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years so you’ve had plenty of time to lodge any formal complaints and its far too late to start making a fuss about it now.
From "Hitchhiker's Guide to the Galaxy" by Douglas Adams
* The GDPR text, national regulators' comments, industry opinion, sample docs and a plethora of free resources have been readily accessible on the Internet for about the same length of time.
Having worked on the GDPR docs for a medium-sized business that builds learning management systems for corporate customers (about 100 live systems + dev and testing platforms where we are a processor of their personal data), it took about 3 weeks-worth of time to re-audit our platforms, complete a more detailed risk/impact assessment and write this all up together with some procedures for handling enquiries.
Yes it took time, and we went the extra mile with diagrams and tables because the docs are customer-facing, but handled in a timely fashion, GDPR compliance is not a brick wall to business continuity.
If a business already has in place a baseline level of good information security practice, GDPR compliance is not that hard.
Also, needing to have a DPO is not difficult since he already has one employee, himself. It's not ISO2700x, you don't need to fiddle around with rights in small businesses to make sure it fits the narrow perspective of a standardization and exclusiveness.
I can't speak for you, but I only heard about GDPR 6 months or so ago, like most people outside of Hacker News. Most small businesses only heard about it in the last 6 weeks.
Sure, the regulation was there, but nobody talked about it, and it's unreasonable to expect people to magically learn about EU regulations, especially if they don't live in the EU.
I saw that one coming a mile away, thank you for the quote though :)
And no, this is not about demolishing our way of life, the town we live in or the planet, it's about respecting the privacy of your users, which - for a change - is actually a positive thing. Unless of course you weren't going to do that in the first place you should welcome the development, I imagine that in a just world the Vogons would be on the receiving end of it.
Oh, and in this case the plans were not on display in the locked filing cabinet in a basement of a building where the lights had gone off and where the stairs were missing.
A handy URL has been provided for a long long time and all the debates have been recorded in public as well.
Im already respecting my users privacy. I should’t have to spend time and money to prove it any more than i should have to prove I didn’t rob your house.
Sure make it illegal to mistreat user data then punish those who fail. Don’t punish everyone up front
I smirked a bit, the EU certainly didn't advertise it in the last two years but it was definitely around. But just like in HGttG there isn't much use in yelling in protest now, grab a towel and grab something safe. (I should sent out my towel reminders to some of my users since I updated a few pages)
Similar laws have been on the books in most if not all EU countries for literally decades. How Americans can be blind sighted by the way things have been for years is absolutely beyond me.
Except in this case the Vogons already visited you 15 years ago to tell you about the e-privacy directive and 20 years ago to tell you about the data protection directives.
The decision to exclude a portion of your user community should be explained.
Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.
Presumably the developer wants to continue to offer this app and service. His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.
> His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.
Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.
This particular law is 88 pages full of duplicated terms, vague definitions and sometimes contradicting points. A very quick proof of that is the number of misunderstandings on so many points of it just in the comments of this topic - e.g. "do you need a DPO?", "do you need two separate people to avoid CoI?", "does the DPO need to be EU resident?". There are hardly two people with the same interpretation. And if people on HN have a horrible grasp of GDPR, how would an Average Joe be able to understand it idependently?
The only thing certain are the insane crippling fines.
It is extremely naive to believe you don't need a lawyer for that. You do - the same way as in some of EU's less market-oriented countries, after a VAT reg you need a registered accountant.
Well, the difference is that theft is a natural law. We are born with an instinct it is wrong.
Having a data processing officer in the EU for some definition of significant business is not a natural law and requires careful parsing of the legal text.
Businesses hate regulation and uncertainty because it just adds to their costs. Large companies just eat the cost. For small businesses it’s practically impossible to be in compliance for all laws. But if the risk of not being compliant is too high and the reward is too low then they will choose this.
Having spent this week doing compliance for my small business customers, the cost is not zero but it's really not much at all - I've done full compliance for six companies and it cost less than £250 each (one of those clients is a large NGO).
This guy doesn't like regulation and is playing to the crowd for sympathy.
The secret is bald faced lying. The quoted price may barely cover an updated privacy policy from a lawyer. And nothing else. Not one line of code changed.
Let alone full review of every system and legal review of the DPAs you have to sign and or create with every single co and processor.
Not the OP, but it's pretty straight forward for most people (including the author of TFA). You need to identify what private information you collect. You need to decide what lawful basis you are using to collect that data. If you have no lawful basis, you have to stop collecting that data. When you collect the data you need to notify the user under what lawful bases you are collecting the data. If you are using consent lawful basis, you need to get consent in an opt-in manner. You need to record what statement you have shown to the user and any consent that you receive.
If you are using only contract basis for the data it's really easy. You tell them that you are using their data for purposes of fulfilling the contract. The great thing about contract basis is they can't object. The only thing you need to do is to inform the customer of any 3rd parties you send their information to in order to fulfil the contract.
It only gets complicated if you want to use the data for other things. For legitimate interest (which is essentially exactly the same as the laws that are currently on the books) you need to be able to exclude processing the data if someone objects. You also need to make sure that you don't delete their data if they exercise their right of removal (which is completely bass-ackwards, but whatever). Consent is similar actually, but you have to get the consent up front. The other lawful bases are very unlikely to show up in most organisations.
I think the main problem with most organisations (and it's the case with the company I work for at the moment) is that control of private information is very loose. For example, we use several SaaS systems for our marketing. Some of them are clearly unnecessary and so we either have to remove that functionality or get consent. So there's lots of discussions about whether it is worth a huge wad of text thrown at the user in order to have cat emoji's or some stupid thing like that.
The other main problem is that if you want to use something other than contract basis, you need to build something that allows the user to exercise their rights. It can be a manual process, but if you have a lot of users it might threaten the margin.
Anyway, long story short: If you are only gathering the information that you need to do the work you are doing, there is likely very little (or in a lot of cases I bet nothing) to do. If you are gathering the information to use for your own purposes, then there may be a lot that you need to do.
Not to put too fine a point on that, personally I highly approve of this. I really could care less if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job. Even in the company I work for, where we don't actually use the data for nefarious purposes (AFAICT ;-) ), we're finally having some long overdue conversations about what stupid SaaS crap we're using under the hood. Not to be unkind, but I utterly fail to understand how marketing people fall for the same lies that they spew out themselves... "If only we send our customer's data to this service, they will find a way to drive more business our way! And we don't even have to pay them!" Yeah... right...
I don't do any real business in the EU, but I'm a fairly succesful online marketer. Being able to flexibly use SaaS businesses is so, so valuable for testing and iterating on marketing plans. I would fight pretty hard against a company policy that limited it, since today's marketing test is tomorrow's major revenue driver.
I think you misunderstand what I was saying. We collect data in our system. We use that data for marketing under legitimate interest. Sometimes marketing would like more analysis done on the data than we have time to implement. They hear about some SaaS business that will take the data and give them a marketing plan (Yay! No work to do!). They ask us to ship over all the data to the SaaS business. Sometimes it's a good idea because the SaaS business is legitimately providing an analysis service. Almost all of the time the SaaS business is providing nothing beneficial and instead just scooping up personal data that they sell. It's difficult for us technical people to explain why we can't just arbitrarily ship data over to some random SaaS. With GDPR it will be much, much, much better. Essentially I think it will shut down the fly by night operations that are just sucking data and offering nothing in return. But on the flip side it will mean that these analysis operations will have to charge a reasonable fee for their services (instead of selling the data they collect). This, in turn, will prompt the marketing people to have to do due diligence because they actually have to spend money out of their budget. No more "It's free, so why not?"
Similarly we sometimes get asked to incorporate silly things into our service because the marketing people think that it will create engagement. Again, these are free SaaS businesses that are scooping up data and selling it. Although I made up the cat emoji thing, it's not that far off what we sometimes get asked to incorporate. With GDPR, those businesses are going to have to charge for their services and that's going to have to come out of our budget. We don't have to argue "We're not shipping our whole customer database over to a SaaS just so we can have cat emojis on the the system". Similarly, it makes our systems simpler because if they really want cat emojis, we can implement them -- it's just not "free" (it never was, but it's hard to have that conversation sometimes).
I probably should have left the SaaS thing out of my explanation because it's confusing and only slightly related to what I was talking about :-). Like I said, we use some great services for marketing and will continue to do so under GDPR.
Do a lot of SaaS businesses sell personal data as their business model? When I think of SaaS I think of paid subscription access to a piece of hosted software.
For example, my business model might be to ask you for your login and password information for your bank so that I can help myself to the contents of your bank account. In return I'll send you a newsletter on how to get rich quick :-)
I doubt you are asking seriously, but in case you are, the distinction is: if I need the information to complete the contract, then it is under contract basis and I'm allowed to use it for that purpose. If it's not needed for completing the contract, but I have a legitimate reason for using the data anyway (kind of vague, but includes marketing -- basically all the stuff that was legal before GDPR) I can do so, but I need to tell you I'm doing it. You can object and then I have to stop. If I have no legitimate reason for using the data, but I want to anyway, I can still do it. I need to ask for your consent (which has to be opt in). My service can't depend on you opting in (because I have no legitimate reason for needing the data). I can't deny service just because you opt out. You can also withdraw your consent at any time.
So in my silly example at the top, I could literally ask for consent to use your login details for you bank. If you agreed, I could use them. However, since I have no legitimate interest in your bank login details (other than I wanna look at your bank balance), I can't make my service depend on that.
If your business model is based on making money from data that you have no legitimate interest in and you have no consent for... well, I really, truly have no sympathy at all. I understand that some people may have a different opinion, but I don't think mine is really that unreasonable.
This seems as good a place as any to challenge some of the simplifications that are often given in defence of the GDPR.
Not the OP, but it's pretty straight forward for most people (including the author of TFA). You need to identify what private information you collect.
Fair enough.
You need to decide what lawful basis you are using to collect that data. If you have no lawful basis, you have to stop collecting that data.
Right, but probably the most practically relevant basis for anything non-trivial will be legitimate interests, which of course involves balancing tests. Even today, just a week before this all comes into effect, there is little guidance about where regulators will find that balance.
If you are using consent lawful basis, you need to get consent in an opt-in manner. You need to record what statement you have shown to the user and any consent that you receive.
But this is retrospective and stronger than the previous requirement. Even if you have always been transparent about your intentions and acquired genuine opt-in from willing users, you are now likely to be on the wrong side of the GDPR if you can't produce the exact wording that was on your web site or double opt-in email a decade ago. The most visible effect of the GDPR so far seems to be an endless stream of emails begging people to opt in to continue receiving things, even where people had almost certainly genuinely opted in already before.
For legitimate interest (which is essentially exactly the same as the laws that are currently on the books) you need to be able to exclude processing the data if someone objects.
Not quite. There also appear to be a balancing aspects here, though with some additional complications involving direct marketing, kids, and various other specific circumstances.
Take a common example of analytics for a web site. These may include personal data because of things like IP addresses or being tied to a specific account. Typically these have relatively low risk of harm for data subjects, but if for example a site deals with sensitive subject matter then that won't necessarily be the case either.
A business might have a demonstrable interest in retaining that data for a considerable period in order to protect itself against fraud, violation of its terms, or other obviously serious risks. Maybe the regulators will consider that those interests outweigh the risk to an individual's privacy if their IP address is retained for several years, at least in some cases. Maybe they will find differently if it's the web site for a drug treatment clinic than if it's an online gaming site.
Even if the subject matter isn't sensitive, where does the line get drawn? A business that offers a lot of free material on its site to attract interest from visitors might itself have a legitimate interest in seeing who is visiting the site and tracking conversion flows that could involve several channels over a period of months. This is arguably less important than protecting against something like fraud, but nevertheless the whole model that provides the free material may only be viable if the conversions are good enough. But equally, maybe it's not strictly necessary for the operation of the site and whatever services it offers for real money, so should the visitor's interest in not having their IP address floating around in someone's analytics database outweigh the site that is offering free content in exchange for little else in return?
That's just one simple, everyday example of the ambiguity involved here, and as far as I'm aware the regulator in my country has yet to offer any guidance in this area. Would any of the GDPR's defenders here like to give a black and white statement about this example and when the processing will or won't be legal under the new regulations?
The other lawful bases are very unlikely to show up in most organisations.
I would think the basis that you have to comply with some other law is also likely to be quite common. It will immediately cover various personal data about identifying customers and recording their transactions for accounting purposes, for example. But again, since that will include the proof of location requirements for VAT purposes in some cases, how much evidence is a merchant required to keep to cover themselves on that front, and when does it cross into keeping too much under GDPR?
The other main problem is that if you want to use something other than contract basis, you need to build something that allows the user to exercise their rights.
And once again, those rights are significantly stronger under the GDPR, particularly around erasure or objecting to processing. Setting up new systems that comply may not be too difficult, but what about legacy systems that were not unreasonable at the time but don't allow for isolated deletion of personal data? To my knowledge, there is still a lot of ambiguity around how far "erasure" actually goes, particularly regarding unstructured data such as emails or personal notes kept by staff while dealing with some issue, or potentially long-lived data in archives that are available but no longer in routine use. And then you get all the data that is built incrementally, from source control systems to blockchain, where by construction it may be difficult or impossible to selectively erase partial data in the middle.
Not to put too fine a point on that, personally I highly approve of this. I really could care less if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job.
But what if an online service's business model relies on processing profile data for purposes such as targeting ads to be viable, and regulators decide that a subject's right to object to that processing outweighs its necessity to the financial model?
It's easy to say a lot of people might not like being tracked, but on the other hand, if services like Google and Facebook all disappeared in the EU as a result of the GDPR, I'm not sure how popular it would be. There are two legitimate sides to this debate, and neither extreme is obviously correct.
Thank you! This post starts to show some of the huge complexities that GDPR has for business and their understanding of what the terms of the law mean.
A point is that often statements of a law are defined not by the language but by the ruling of lawsuits that occur around those statements and that is what most companies and lawyers are waiting for, what do courts rule when these lawsuits happen.
The biggest issue that I have heard of (Im no expert) is what does the right to be forgotten actually mean ? Does that mean all your backups are now illegal as you are retaining the customers information after they asked you to remove their records?
I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.
I think the parent's reply is a good one. We could probably debate some of the finer points, but I think when we get some time to see how it all shakes out in the end we'll have a better vantage point.
I can't find it right now (and I have to get back to work), but there is a reasonableness requirement for requests. So things like backups might be covered by that. I wish there was some direction on that because it's a problem for me at work as well.
My opinion is that the directive's view is that all personal data retention should be temporary. There should be a defined point where the personal data is deleted. Either that's when it's no longer necessary for the contract, or when you no longer have a legitimate interest in it, or when the user asks for the removal.
Up to this point, most of us have been building databases with the intent of retaining the information indefinitely. So we never thought about this. Although I'm a fan of this law, I admit that it's going to be troublesome transitioning from where we were to where we need to go.
And as the parent briefly stated, immutable databases are going to be a serious problem.
I think the UK agency had some text on erasure and backups, and it basically boiled down to this:
If a data subject requests their data to be erased, you should remove their data from active systems so that it is no longer being processed, but you don't have to remove it from backups or other passive systems. You should however store some sort of marker so that if you need to restore data from backups, the data subject's data will be re-erased or otherwise stopped from entering active systems again.
And if a data subject asks, you have to tell them how long you store your backups of their personal data.
I think that's perfectly reasonable. And if your backup retention policy is "forever", now might be a good time to re-evaluate that policy.
Neither the UK nor the EU previously had any general provision for a right to erasure. At EU level, considerable waves were made when the "right to be forgotten" ruling was issued, but that came from a court that was considering a specific case.
I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.
That concern really is unfounded, though. The primary means of enforcement of the GDPR will be action by national data protection regulators. It isn't some carte blanche for trigger-happy lawyers to start suing every business that gets a little detail wrong or anything like that.
The general concern that the picture is unclear until something happens to clarify it is, unfortunately, much better founded.
> But what if an online service's business model relies on processing profile data for purposes such as targeting ads to be viable, and regulators decide that a subject's right to object to that processing outweighs its necessity to the financial model?
forgive my frank language, but too fucking bad.
edit: my right always outweigh your profits. Sorry.
The only problem I see here is needing data based on contract obligations, I have seen lots of sites packing the data collection into privacy policy or some shady contract, thinking that this is legitimate interest. But legitimate interest is actually the hardest part of GDPR, even if most people think it is a workaround. If you can provide the service without some personal data (not due to financial claims) you can't pack those under "better user expirience" as legitimate interest. I presume, that after 25th, google will stop tracing searches for EU users for example. Legitimate interest has a long recital behind it and is a real problem to do it right unless legalislation requires the data. I would stick to consent for everything else. Just mentioning.
There is only two ways of legitimate interest that I considered for my service; "security" and "better user experience".
The data collected under the former is simply the IP and a timestamp in webserver and app logs, usually purged within 7 days and then any user data included in backups, purged after 3 months.
"better user experience" is not really personal data but I included it anyways; browser type (mozilla/edge/etc.), viewport resolution, pageload time, OS. And not stored in a way that allows correlating them.
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Let me put it this way: if I found out this guy was using my IP address and machine config to do analytics and perform "security" checks, I'd report him to my regulator. Dead serious.
"Analytics" is not what his company is for, ergo, using my Personal Data to do analytics isn't okay. He sure as hell isn't doing it for my benefit. I'm also not hiring him for security, so the same reasoning applies: he doesn't get to store my IP address in his logs without asking.
And when I say "no" to his opt-in modal, he'll still have to provide me non-degraded service. The fact that he can do so is yet another indicator that the data collection is not a legitimate interest.
The security of their network is a legitimate interest. The regulator would see that alone as sufficient reason to gather data, especially if that data is mostly discarded 7 days later.
No. They could start looking at IPs once they actually had a security problem, but there's no way in hell they "need" to write my IP address hither and yon to protect their network.
Look, you can definitely discover and monitor for problems by simply hashing IPs and storing the hash instead. Once you've detected a potential problem (say, a lot of requests from the same hash), only then do you have a "legitimate business need" to record the actual IP addresses and do some short-term analysis of the situation.
The spirit of the law is simple: if you don't absolutely need to store personal data, DON'T. Just don't. Store something else. Or just drop the data into /dev/null. Saying that you'll delete soon the personal-data-you-don't-need isn't sufficient.
And really, if this is the way GDPR compliance is going to go, "muh security" is quickly going to gain the reputation as the bullshit reason shady people trot out who want to disobey the law. People who actually care about security should push back on that strongly.
I don't think that it relates to you, but maybe just for others: "better user expirience" is not something without it your website could work. If this means handling PI (for analytics (GA way, not local) for instance), you cant just flush it down the legitimate interest.
Over the thumb: you can use it for things were you need PI for your service to work, it is normal, that you request address if you operate the online shop, you can't deliver the goods without it, while analytics is something users don't need and is not required for your service to operate.
I was just writting complaint letter to my phone/isp company where they showelled marketing, questionars, threat assesment (not IT security, customer assessment) analytics and few other fishy things into legitimate interest, without even providing information about which data they use and why exactly. Legitimate interest is a really nasty thing and it is hard to get it right, it is not free "get out of jail" card.
They struggle with it for the same reason people on the political left always struggle to understand why some people oppose new regulations: the question of whether and how to regulate commercial activities is always a proxy for deeper underlying differences in how people view the world. GDPR is just a proxy fight between the left and the right and is showing all the same characteristics.
Consider adventured's sibling post - it quite astutely points out that GDPR discussions are much more vitriolic than you'd expect for discussions of the minutiae of data handling. People who say that GDPR compliance is hard are being attacked on a personal level. He explains it as 'emotional investment' in GDPR but I don't think that's a good explanation; the people arguing most strongly for it are also those saying it's not much work, so that seems backwards. You'd expect people who put in the most effort to be most emotionally invested in it.
There's a much better explanation available: your view on GDPR is a direct consequence of your assumptions about human nature. If you believe in the existence of benign and enlightened technocrats then GDPR seems like excellent progress towards building a better world - it's extreme vagueness and severe penalties are exactly what's needed to foster obedience to technocratic elites. People who complain about this are just being unnecessarily awkward ... just be reasonable after all, and you'll be fine! The EU are reasonable so if you're reasonable too, you have nothing to fear! From this perspective, anyone who objects to GDPR or actually decides compliance is impossible must - almost by definition - be being unreasonable. What are they hiding? Why can't they just get on board; the only answer available is that they have flawed characters and any points they make about gray-area debatable things like cost:benefit ratios must be some sort of obfuscation.
If on the other hand you believe the whole idea of wise and beneficent bureaucrats is naive, then GDPR looks like a hell of a lot like a power grab by the very sort of people who shouldn't be able to grab power. Vagueness is of deep concern because it's in the shadows of vagueness that abuse can be found, and when a law is nothing but vagueness, it even makes sense to question to motives of those who created it - that's a problem because lots of self-styled Europeans have bought into the EU's utopian rhetoric and can't separate criticism of the EU from criticism of themselves and their desired future.
There's no real scientific way to prove whose assumptions about human nature are right. The USSR was a rare example of a real-life experiment in who was right and for a long time it proved the American style, conservative, small weak government is better mentality to have superior results. But that was decades ago and many have forgotten or weren't alive back then, so now rule by technocratic dictatorship seems attractive again.
As a consequence GDPR discussions will always have the same flavour as Clinton v Trump debates, or Brexit debates, or whether to restrict spending on political campaigning. They are ultimately about the same issues.
You're bringing your US-American assumptions about politics and left vs right into the context of European politics where they are a poor fit. The world is not Democrats vs Republicans.
There is no GDPR debate or fight: it's done, it was done six years ago, and the only people pushing back are American companies who are unhappy that Europeans don't want their data hoovered up by corporations they have no control or oversight of, for who-knows-what purpose.
Sorry, but do you want to say that EU has no left and right in politics (parent post did not mention Democrats or Republicans)? Or that everyone in the EU is unanimously happy with GDPR? Seriously, if a law's getting applied only after a long while it's passed - it's not unheard of to have a debate as people start to actually care.
Maybe I'm wrong, but I think that parent example is not US-specific at all and is applicable to just about any country where there are people that learn toward different beliefs (that "direct consequence of your assumptions about human nature" part of the post)
The assumptions may be wrong, but that was generally constructive.
First of all, come on, obviously I'm not saying there are left and right in EU politics (and in the national politics of EU countries), but what those left and rights are concerned with don't match 1:1 with the issues under debate in American politics.
Partly because there is a much broader political spectrum -- Democrats in the US roughly line up with, for example, the Conservatives in the UK or the CDU in Germany -- but also because it's just a different set of issues and preoccupations.
I do think it's fair to say that within the EU there is a general consensus about the importance of data privacy, and I also don't detect any resistance to the GDPR in general, or any question that it should be repealed. (That was partly sealed by the revelation of US spying on Europeans a few years ago, which hasn't been forgotten.)
Second, if I'm honest, I find the whole "assumptions about human nature" is a bunch of hokum and quite the opposite of constructive. Nothing about GDPR has to do with "obedience to technocratic elites", and is in fact about rejecting the ability of institutions which are not democratically accountable to gather personal data and monitor people, or make decisions that affect their daily lives, without their informed knowledge and consent.
GDPR is not a "power grab" (hah!), it's about distributing the power that comes from control of information more evenly. The EU has a lot of flaws, but this is one of the most democratic and equalizing bits of regulation that they've produced, and frankly the concessions it makes to large companies are huge.
I don't accept the argument that to be in favor of this I must be in favor of USSR-style totalitarianism. If anything, the inefficient planned economy of VC-funded startups, with their cults of personality around founders, that want to collect data and influence populations with impunity are the petty dictators of the 21st century. Personal rights should trump the rights of corporations, and I am deeply suspicious of people who would equate the two.
But that's all making a mountain out of a molehill: most of what GDPR does is harmonize existing regulation across the EU to make it easier for companies within and outside of Europe to do business here, adds enforcement teeth to the regulatory agencies and harmonizes the penalties, and sets out in actually rather specific detail what is required to be compliant, while giving everyone years to implement this regulation.
If people don't want to comply with GDPR and just block all EU users, then that will make the internet a nicer place for us, so by all means go ahead!
You probably haven't looked then. Despite assumptions elsewhere, I'm from Europe and still live there for example. The idea that everyone loves GDPR is naive. Only today I was working next to someone who was trying to figure out how it applied to her (tiny) business, and getting annoyed by the process. She's just copy/pasting the contents of an email she received into her own mail copy to avoid having to do extra work.
Nothing about GDPR has to do with "obedience to technocratic elites"
No? I think you missed by points then.
The GDPR was created, is enforced by and serves the interests of regulators. It specifies so little it is essentially a direct grant of power to those people - they can do whatever they want within its framework and that framework allows nearly anything.
As for 'technocratic elites', did you see political parties campaigning on this issue? I sure as heck did not. Right now the hot topics in European politics are immigration, terrorism and economic growth. Not data protection.
is in fact about rejecting the ability of institutions which are not democratically accountable to gather personal data and monitor people
Of course companies are democratically accountable - outside of monoplies (rare), you can just not trade with them if you don't like their data handling practices.
Interestingly enough, GDPR gets the most support from the center-right parties within the EU, in my experience because it's a law that protects individual's rights to their data. You'll find that it's not that popular among the left-wing member parties.
It's a deflection tactic by people who are emotionally invested into GDPR. Note the extreme emotionalism that GDPR draws out of its supporters. That makes it difficult for some of the supporters to have a rational discussion when it comes to the flaws of GDPR. They don't have a legitimate response to the context in question, so the easy approach is to attack the credibility of the person stating that they've struggled with compliance, rather than engaging in substantive discussion about the problems that GDPR generates for small businesses. The fear for the supporters is that if they admit to there being any flaws in GDPR, that will then act as a threat to GDPR (which they view as a monumental victory for privacy). They don't want to give an inch of ground, no matter the issue, because they're afraid of having GDPR diluted, taken away, and or not spread to the rest of the planet.
This is also why in all cases you'll see the GDPR supporters go after the character of the site/service owner (including always questioning their motives to muddy the waters). It's an attempt to short-circuit any reasoned debate, to destroy the credibility of the opponent. This has happened numerous times on HN in the last month or two.
You still have data hygiene policies to enact which are confusingly legislated. Also legitimate interest is a loophole created to appease some lobbyists but the legislators declined to make clear anywhere because they don’t give a shit about commercial needs.
What exactly did that less than £250 get your customers in return?
Even if you had a business that was whiter than white in terms of compliance with previous data protection laws and had perfect documentation of all its data collection and processing activities, it would surely cost far more than that just for the time to write some basic notes on the extra things you now have to tell data subjects and/or your regulator, get them reviewed by a lawyer, incorporate them into the relevant policies, and send notifications to anyone affected about your updated privacy policy.
Is that £250 each just for GDPR compliance? That's one law in one region. Now multiply it by the number of legislative bodies worldwide and the number of relevant laws passed by each - how much does that cost?
If a business doesn't want to be compliant with the laws of all ~200 sovereign states in the world, they're most welcome to just select a single one and do business there (not the US though, as laws often change for each state so that's right out the door). I'm sure the competitors in the space will love having one fewer competitor.
Complying with the laws of 200 countries is negligible for a big business like Google, a significant burden for a small startup, and a prohibitive expense for a new open source project.
Are you compliant with the copyright laws in your company? Are you sure you have licenses for all the software you use? Have you audited the software you write to ensure that none of the programmers have included code without an appropriate license? How about patents? Are you sure that the software you write does not infringe on patents somewhere? There are people who will happily audit your company in exchange for a truckload of money... For some reason, most people don't think this is necessary.
Your risk in GDPR is similar to your risk in IP law. If you don't comply with the law and someone calls you on it, you might have legal proceedings against you. In most cases it's pretty obvious if you are compliant with the law (Well, to be fair, it's completely unobvious if you are going to get randomly sued for patent infringement, but I digress...) If you are have a very complex situation, then maybe it is worth some legal advice, but it's pretty freaking obvious if you need the data you have collected in order to fulfil the contract or not.
An audit without certification will never give you anything that you could not have come up with yourself. So feel free to buy a GDPR audit but realize that you are just buying an opinion.
In the USA, the word "audit" is used to describe any process by which a company tries to determine if it's in compliance with some set of rules. Sometimes that process has special legal consequences, but it usually doesn't. The final deliverable is often literally called an opinion.
No lawyer or accountant has ever given me anything that I couldn't have come up with myself, with sufficient study. I still paid them, because the law is very complex and I have other things to do with my time. That's how any country with a nontrivial legal system works.
You seem to have great confidence that you understand how the GDPR will be enforced. I'd suggest that:
1. Not everyone knows as much about EU law as you do. This is especially true for people who don't live in the EU.
2. You might be wrong. Maybe GDPR compliance really is dead simple, and the lawyers who keep answering "it depends" are just cheating their clients; but from my experience in complying with similarly complex regulations, I wouldn't bet 20M EUR that's the case.
> For small businesses it’s practically impossible to be in compliance for all laws.
I've been in continuous operation with my businesses since 1986 and I guarantee you that I've been compliant with the laws as much as I'm aware of them. The major transgressions involving business assets were parking tickets, speeding tickets (< 10 km/h excess by an employee of the company in a company vehicle). Other than that not so much as a copied piece of software. Oh, and we were once late with a tax filing because the bookkeeper messed up, they absorbed the fine.
Running a small business in a way that is compliant with the law is stupidly easy: know the law.
Now, there is one thing that I did that I know full well was against the law and that came about as a result of me getting very angry about some stuff that happened to a friend of mine. In that particular case I saw my actions as akin to civil disobedience. In the end it got superseded by others doing the same thing much better and at a much larger scale but I would have fully accepted the consequence of breaking the law in that case. But it would have been a conscious decision to break the law.
Incidentally: not knowing you are breaking a law is no excuse for breaking the law, ignorance is not a valid defense.
> [Complying] with the law is stupidly easy: know the law.
You're out of touch.
Compliance just isn't as simple as you think it is no matter how much you double down in these comments. Laws aren't black and white. Do you not use an accountant, either?
Incredibly out of touch. I can virtually guarantee that a regulator or prosecutor who wanted to make an example of him could tear his business apart finding violations over 30+ years.
That's not exactly a new insight, Richelieu beat you to that one a couple of centuries ago.
But that's just trying to stretch what we are discussing here: that it is possible to comply with the law in principle. That some overzealous prosecutor with a grudge could nail you might happen - in Russia, maybe even the USA. But frankly where I live I have not yet seen a case like that. We probably have them but not frequently enough to make the news and in general the legal system here works quite well.
Have you been running a socially controversial business? That's where the specifics of the law start to really matter. The butcher, baker and candlestick maker have little to fear from the most badly drafted of laws; it's the person running a skate park or gay bar in a small town who tends to be on the sharp end.
> it's the person running a skate park or gay bar in a small town who tends to be on the sharp end
Or for that matter, someone running a social platform that allows socially "undesirable" speech, speech that is openly critical of government policy, or speech that exposes the wrongdoing of powerful people.
Not the point. You’re making the case that you’re always fully compliant with all laws and have been for 30 years, because it’s just so damn effortless. It’s almost more work to NOT be compliant!!
And I’m saying that’s bullshit. You’re breaking laws left and right, but you just don’t get caught because enforcement of those laws is so inconsistent. And the GDPR is so much worse; I’m sure you’re not compliant with GDPR given how vague and over-reaching the law is, but you’re probably mostly compliant and you’re too small for anyone to care.
> You’re breaking laws left and right, but you just don’t get caught because enforcement of those laws is so inconsistent.
Well, you know my business better than I do I guess.
> And the GDPR is so much worse; I’m sure you’re not compliant with GDPR given how vague and over-reaching the law is, but you’re probably mostly compliant and you’re too small for anyone to care.
And my business is about 100x the size of the one of the person writing the article. And I'm not worried. So I see the article writer as someone who uses the opportunity to make a whole bunch of fuss over something that (1) most likely would never impact him and (2) has indicated clearly that despite his opening sentence he probably doesn't give a damn about his users privacy.
So as far as I can see the law is working as intended.
That is the OPs exact point. Did you read the article? He mentioned that "The days of someone making something, putting it on the internet and offering it to the world seem to be over". And here you are talking about knowing the laws while the OP sits in a different country trying to run his business.
You might be from Europe and to you it may just seem sensible but 1-5 person companies often have to make tradeoffs like this. It is not right to say just comply with the law - it is so easy! The company, here, has decided that the cost is too high and that they are out.
> And here you are talking about knowing the laws while the OP sits in a different country trying to run his business.
I also have to be compliant with US laws if I deal with US citizens. What's the difference?
> You might be from Europe and to you it may just seem sensible but 1-5 person companies often have to make tradeoffs like this.
Not the ones that want to stay in business.
> It is not right to say just comply with the law - it is so easy!
But it is easy, he's just making it seem as though it isn't. There is so much factually wrong in that blog post that if that's the level of thinking that goes into the decision making then there most likely are other issues.
> The company, here, has decided that the cost is too high and that they are out.
Probably good riddance. But for all the wrong reasons.
I know you are frustrated. But your tone and rebuttals sounded repetitive to me as well. Learn to be self critical too. You were overwhelmingly shot down in your comments yesterday and there is a reason for it.
> Legitimate interests is not defined. So good luck with that.
Are you expecting GDPR (or any law for that matter) to define an exhaustive list of every definition, that holds true now as well as for the future? Have a rethink about that statement...
> I guarantee you that I've been compliant with the laws as much as I'm aware of them.
All the laws, worldwide?
Are you in compliance with anti-blasphemy laws? Laws that forbid insulting the monarch? The tax regime of every country in the world?
The creator of Monal has decided the easiest way to be compliant with another country's laws is simply not to do business there, and I think you're underestimating the difficulty of the alternative (trying to comply with every country's laws).
Any laws that have the potential to reach me I am compliant with. If there are countries with laws that strike me as idiotic - such as anti-blasphemy laws - then I will do my level best to be informed of that beforehand and I will not break that law even if I feel that it is idiotic.
And as for the 'don't insult the monarch' law, we have that law here in NL and I purposefully broke it as a private individual to make a point.
The tax regime of every country in the world has no impact on me, I reside in NL, my businesses are here as well. But when I had several businesses in Canada and one in the USA I complied with the tax laws there too.
> The creator of Monal has decided the easiest way to be compliant with another country's laws is simply not to do business there, and I think you're underestimating the difficulty of the alternative (trying to comply with every country's laws).
He's taking the easy way out because there never was a real business behind this. This is my conclusion because he feels that his holidays are more important than the rights of his users.
>Why should the creator of free software spend their own money to support users in a region that imposes extra regulations?
If I create free software that concretely and demonstrably aids in worldwide human trafficking and has negligible utility elsewhere, would you still consider my refusal to comply with regulation reasonable because my software was free?
How free the software is not a determining factor, either morally or legally, in determining whether or not the GDPR is or should be applicable.
Because even free software has to comply with the law. Funny how that works, but not making a profit on something does not absolve you from legal liability.
Funny how that works, but not making a profit on something does not absolve you from legal liability.
But why would someone who is literally giving something away accept that liability, or even any perceived risk of liability, if they have an easier option?
Running a small business in a way that is compliant with the law is stupidly easy: know the law.
There are professionals who spend their entire careers just "knowing" very specific parts of the law, and who are still frequently found to have misinterpreted it when tested in court.
Is doing your company's annual financial returns also stupidly easy, because you just have to know accountancy?
What about security? Just write all the software you use yourself based on your expert knowledge of cracking and cryptography?
Incidentally: not knowing you are breaking a law is no excuse for breaking the law, ignorance is not a valid defense.
This is possibly the greatest conceit in the history of legal systems. No human being in any Western nation could even read every word of law that applies to them in an entire lifetime, never mind fully understand the implications and the motivations behind those words that might be relevant to interpretation. Ignorance may not be a legal defence, but not being magically aware of the sum of all human knowledge about every legal system that you interact with is certainly a reasonable excuse for doing something illegal but otherwise apparently ethical and sensible.
> For small businesses it’s practically impossible to be in compliance for all laws.
This is just ridiculous, patently false and making an excuse for reckless behaviour. Only specific laws apply to your business domain and if you aren't complying with them then you are wilfully breaking the law and putting your customers and the general public at risk.
Own a cafe ? You should be cooking in a safe manner. Sell a car ? It shouldn't kill people. Run a website ? Make sure your user's privacy is respected.
> Own a cafe ? You should be cooking in a safe manner.
Almost no restaurants score a perfect 100% during food inspections.
Many regulations understand that real life works on a gradient. That is why cars have varying safety standards that they have to meet based on their size and class, and why consumers can pay more for cars with a higher safety rating.
I have started to think that parts of GDPR should have been restricted to large companies - e.g. anyone with more than 100k active users, data describing 100k individuals, or an organization employing more than 100 employees. That would seem like a fair way to protect privacy while keeping barriers low for tech ventures / experiments.
If you do that then facebook and the other privacy terrorists will happily create 20000 little companies that they outsource their scum to. Also, a very small company with tens of thousands of datasets can still do terrible damage to people.
Perhaps, when it comes down to it, he doesn't want to be subject to a law that he had no ability to influence given that he's not an EU citizen. In blocking EU users he is fully compliant with the GDPR as he has zero of their personal data to begin with?
If that was the case, no one outside the US could use VISA/MasterCard either (they enforce US laws on all international customers), or could make any business with any US company (even HN has to enforce the Iran embargo on all its international users).
If you want to criticize local laws applied internationally, abolish the US.
Sure, he's entitled to take his ball and go home if he really wants to. That doesn't put him in the right, and it doesn't make his move anything more than whining.
You can be respective of privacy without complying with GDPR. It requires a lot more than simply being privacy-conscious. (E.g. I don't think Hacker News is doing anything unethical even though they blatantly violate GDPR)
> Legal compliance is a requirement for any business
You are required to comply with the laws of your country, not those of other countries.
> You are required to comply with the laws of your country, not those of other countries.
No, you are required to comply with the laws of any country you do business with. This applies to any type of business, and I don't see why "it's on the internet" appears to be the main counter-argument.
If I buy something from you (via snail-mail or on the internet) and it doesn't follow the requirements of the consumer law in my country, I can ask you to comply with the laws of my country. If you refuse, I can report you and you will be fined (if you don't pay, then you can have your right to do business in my country revoked). In practice most cases won't escalate that far, but the principle is the same.
> Because by default any web site has, in the past, been open to people from any country that doesn't censor the web.
This has never been true since the internet was international. You have always had to comply with laws of countries you interact with, it's just that most people who ran internet businesses decided to ignore the law (just try hosting some copyright or patent infringing content on the internet and see how long it takes to have legal action applied, even if you aren't a resident in that country). And, despite the ethical questions about censorship, censorship is usually done through the laws of a country (for instance in Germany). So complying with censorship requests (or having your entire site blocked) is actually an example of complying with laws of other countries.
The world is made up of sovereign nations, and businesses that wish to interact with other sovereign nations must obey the restrictions that the both nations place on that interaction. If you don't like it, then don't do business with that nation. I cannot think of another industry where this concept is seen as foreign -- it's a very fundamental part of how the world has been structured for thousands of years. Just because it's much easier to conduct businesses overseas than it was 200 years ago doesn't change the fundamental properties of what you're doing.
The fundamental properties of doing business overseas have changed. What used to be a prohibitively expensive enterprise is now within the reach of everyone.
And the cost of regulation, which used to be negligible compared to the cost of the enterprise itself, has now become a significant barrier for small businesses.
The costs of compliance are not a fundamental property of doing international business (after all, governments can change the cost of compliance or make it cost nothing). The fundamental properties I was referring to are that you are transacting with another nation state's people, and you have no fundamental right to do business with them unless that other nation grants you permission. Just because it is easier to do such business without permission or oversight doesn't change that you are doing the same type of business.
You might not think the costs are fair (and in practice that should be taken into account by regulators, to avoid removing all international trade and thus losing the benefits), but that is not really justification for arguing that this is a departure from how things have always been. Nor is it justification for arguing that you shouldn't care about the laws of other countries you do business with because you don't live there (which is what GGGGP was insinuating).
It is a departure from the way things have always been online.
The EU can certainly demand that web creators jump through hoops, but then they can hardly complain if creators outside the EU decide that interacting with the EU isn't worth the trouble.
Nobody is forcing people to do business with the EU. If you don't like the laws in the EU, then you don't have to do business with the EU. Simple as that.
(My whole point is that a lot of people arguing about GDPR want it both ways, and don't see that it's not strange that countries have rules for doing business with their residents.)
That is not true. You do not need to comply with any country’s laws except the one you reside in, except for treaties by your home country that say otherwise or your desire to travel abroad.
Just think of what China would do to the Internet if it could.
> You do not need to comply with any country’s laws except the one you reside in.
Unless you want to business with another country, in which case you need to follow the laws of that country when you conduct that business. Which is what I've been saying the whole time.
> Just think of what China would do to the Internet if it could.
If you want to provide a service to China you need to follow Chinese laws or they will block you using their firewall. China is a (not very nice) example of how a country has the right to decide who it does business with -- if you won't help them conduct surveillance of their citizens then they won't do business with you and will block you from doing business with their people. You might not agree with their laws or how they act, but it is their right as a sovereign nation to create their own laws.
I never said you need to follow the laws of every country in the world, and I really don't understand how so many people are reading that out of what I said (and keep saying). If you want to do business with a country you will have to obey the laws of that country. That's the way international trade has always worked.
When the business is being conducted outside the EU but the EU is enforcing GDPR, it is a problem. The GDPR is specifically written for extrajurisdictional enforcement which is a big change in the world of laws.
I am just saying that the EU will not be the only jurisdiction following this model. Be prepared.
If you feel it’s important to comply with the laws of any country you accept HTTP connections from, why would you be upset with this outcome? Restricting your services to familiar jurisdictions until
you can afford the legal advice to safely enter new countries is the only reasonable course of action in a world following that philosophy. One should not assume they’re familiar with the laws of 176 countries merely because they know how to start nginx.
Collecting personal information and running a business based on that personal information is very different to knowing how to configure nginx. You're putting up a bit of a strawman.
You can be fined if there is international or bilateral law or if somehow else the fine can be domesticated. There is no international regulation (not even consensus) on privacy so the law is not directly enforced here. However you are also not required to apply another country's law to all your customers, and if you don't want to you should (but are not really enforced to) block the EU.
Considering that most online businesses are (effectively) a form of international trade, I wonder whether GDPR fines could be seen as a form of customs fine (which definitely is something that foreign companies can be forced to pay, as you've said).
"you are required to comply with the laws of any country you do business with."
Prove that.
Because that's not how "the law" works. I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.
No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees. And to my knowledge, Canada has not signed a treaty with the EU regarding enforcement of the GDPR.
> I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.
If you decide to sell a couch to someone in America, you have to comply with American tax laws, American import and customs laws, American consumer laws, American patent laws, American copyright laws, American trademark laws, and any other laws involved with doing a financial transaction with someone in America. The same logic applies for Australia, the United Kingdom, Germany, Belgium, South Korea, Japan, etc. Pretending otherwise is naive, and if you don't believe me then try to sell something patented in America to an American.
The key question is what happens if you break those laws. In most cases you will be given a fine, and if you don't pay then you will no longer be allowed to sell goods to consumers in that country. If you continue to break the law then you are probably breaking an international treaty on border control or customs, which means that you could be extradited or tried in your own country. Some of the laws I mentioned above are mediated through international agreements, but the fundamental point is that if you break their laws they can place sanctions against you to stop you from doing business with them.
Of course, for a couch business things would probably never reach that level. And for an internet business you probably would just be IP blocked or something similar.
> No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees.
But it only affects you if you make the positive decision to do business with a country that has those laws. If you don't decide to do that, then you don't have to follow those laws (obviously). You can't have it both ways though (the benefit of having access to a market without having to follow the laws of that market).
In the case of enforcement you're right that they wouldn't have the right to compel to you to pay a fine, but they can in theory place sanctions against you. So if you continue to do business with sanctions in place then there is a process for extradition through international treaties.
> The key question is what happens if you break those laws. In most cases you will be given a fine, and if you don't pay then you will no longer be allowed to sell goods to consumers in that country. If you continue to break the law then you are probably breaking an international treaty on border control or customs, which means that you could be extradited or tried in your own country. Some of the laws I mentioned above are mediated through international agreements, but the fundamental point is that if you break their laws they can place sanctions against you to stop you from doing business with them.
A foreign country could arbitrarily decide I owed them a certain fine, or was no longer allowed into their country, or that they didn't want to allow my products into their country, at any time, whether or not I followed their laws.
In my daily life I've done, and continue to do, things that are illegal under e.g. Iranian law. That's fine and normal - I have no obligation to comply with Iranian law. Iran can make its own decisions about whether e.g. I'm allowed to enter their country, but that would always be the case.
If you make a profit in America you'd better believe that the US government wants a share of it (there are exceptions if you sign a W8BEN and ask for a tax exemption based on existing international treaties) but the default position is that you pay tax on profits made in foreign countries -- and this applies for any country in the world that has something resembling a capital gains tax.
If you sell electronics that are a fire hazard, you can be punished for breaking consumer laws. I mean, for an extreme example, if you sell an illegal substance in America from overseas you can be punished for breaking those laws too.
I think you're seriously mistaken as to how one-off (and maybe all) import into the US works.
If I buy something mail-order from Canada, I'm considered the importer and would have to pay duty on it, just as if I had driven a truck over the border, bought the couch over there and driven it back.
If it's something as big as a couch, chances are it's going to be held at a customs warehouse for me to pick up (after I've paid the duty).
If I need to do this on a regular basis, I'm going to hire an import/export broker or possibly go through an actual furniture importer. That's the company that's doing business in the US that owes US incomes taxes, has to comply with US consumer protection laws and any of those other regulations.
In all of these scenarios, at no time did the Canadian couch store do any business in the US, even though I, the customer doing the "buying" may have been initiating the transaction over the Internet (or phone or with a paper mail-order form) physically in the US and/or with a US credit card.
If that Canadian couch is a fire hazard, the US's recourse is to stop it at the border and not let it in (or punish the US company, only in the case of the furniture reseller), and possibly punish me, the importer, since I'm the one legally attempting to bring it into the country. AFAIK, they have no recourse against the Canadian company.
you seem to suggest that you can (for example) sell/distribute canadian alcohol in saudi arabia, even though it's illegal there. do you really think that's accurate?
every country has the right to enforce it's own laws within it's own borders. you don't get a pass to do whatever you please in another country without their permission.
edit: i noticed "my business exists only in Canada"
if you mean to say you aren't doing business in another country than what you've written isn't speaking to the point of "you are required to comply with the laws of any country you do business with"
Yes. You can sell alcohol to Saudi Arabians from Canada. You cannot ship to Saudi Arabia. The buyer may pick up in another location where alcohol is legal including in person in Canada. What they do with the alcohol once in their possession is their business.
In which case you are doing business with (say) France, which has its own alcohol customs laws that you have to follow.
I never said that you have to follow the laws of the country of nationality of your clients. That'd be a ridiculous thing to say, and I'm not sure why you're arguing against that particular strawman (the GDPR only talks about EU residents and doesn't mention EU citizenship at all).
The word choice of citizen vs resident is a red herring. The issue is the extrajurisdictional reach of the law.
An EU resident visiting" your business which is hosted and operated in the United States, is the same as a Saudi Arabian coming to the United States to buy alcohol.
This is the reason why the GDPR requests an EU designated representative, so there is someone to charge locally.
> An EU resident "visiting" your business which is hosted and operated in the United States
Except the EU resident isn't "visiting" your business, you're providing a service to them across the US-EU border (and just like any cross-border service there are rules). I really don't get why this case is any more complicated than any other kind of consumer law (you can't sell electronics that blatantly catch fire to Australian customers, even if you're based in a country where consumer laws don't exist).
You aren’t providing the service across the border. The service is in your own country. The buyer is using telecommunications to make an order across the border.
The buyer is the one responsible for knowing their own local laws and should be responsible for managing them.
If a Saudi Arabian couple ordered a gay wedding cake from a baker in Montreal, over the phone from Saudi Arabia, in preparation for flying to Canada to get married, which laws apply? To whom?
Selling to Saudi Arabians and selling to Saudi Arabia are two entirely different things. In one you're doing conducting business in the Saudi Arabian market, and therefore under the umbrella of their government and in the other you're conducting business in whatever market the person you're selling your alcohol is located at, and under the umbrella of that market's laws.
When an EU business buys a service from an American operating in America from their website hosted in America how is this materially different than when a Saudi Arabian citizen visits New York and buys alcohol?
Because the EU business is not located in New York. It's located in the EU. By providing a service to an EU resident you are interacting across the US<->EU border and thus EU laws restrict what services you can provide across that border. I would recommend thinking about it like shipping products overseas.
No. It is quite definitely not true that you must comply with the laws of countries you are not in.
The EU is primarily leveraging the fact that most everyone wants to travel to the EU eventually.
While you in your home country you have no need to comply with the GDPR unless a treaty between your home country and the EU exists to mandate it.
The EU is also leveraging their trade agreements.
What they don’t understand is that China is next and they have totally diametrically opposed views on consumer privacy. But when has the EU ever been farsighted?
The U.S. has been doing this for decades, applying U.S. laws to global citizens who happen to travel to the U.S, and I'm not even talking about kidnapping foreign citizens and taking them to Cuba.
And a US citizen who chooses to break EU law has very little to worry about unless they travel to an EU country, where that country's law will be applied.
> No. It is quite definitely not true that you must comply with the laws of countries you are not in.
Unless you wish to do business with that country, in which case you need permission from that country in order to do business with its residents. If you break their laws they can place sanctions against you, and if you find a way to break those you can theoretically be punished legally through extradition.
If you don't do business with those countries then you're off the hook. Obviously.
Just look at the recent Project Gutenberg copyright lawsuit for an example of how breaking the law of a country you are not in can cause you legal troubles.
If you are not doing anything shady, if you have your house in order security wise and if you do not collect data that you have no use for you are 95% there. The remainder will maybe require consultation with a lawyer for an hour or two if you want to play it safe but you could also simply wait for a few months to see how it all plays out.
If you are respectful of other people's privacy then there is very little chance that you will be found afoul of the law and even if you should be then you will be warned to become compliant long before you will be fined.
This whole discussion is beyond ridiculous.
Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.
> then you will be warned to become compliant long before you will be fined
citation needed
> if you do not collect data that you have no use for you are 95% there.
I have always been respectful and even never required emails on signups. I am not 95% there because there is a ton more to do. In fact i am at 5% because i have a lot of small scale past projects. Not everyone is a VC-funded startup.
That's the kind of emotional reaction that everyone has to GDPR. Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.
> I have always been respectful and even never required emails on signups.
Good.
> I am not 95% there because there is a ton more to do.
Such as?
> In fact i am at 5% because i have a lot of small scale past projects.
You've had two full years to get this done. The law came into effect the 14th of April 2016. It is now May 2018.
> Not everyone is a VC-funded startup.
If you can build it you can also build it in a way that is compliant with the law and if you built it in a way that requires a lot of work to be compliant with the GDPR then you likely were already riding a very fine line with respect to the DPD which has been in effect for much longer.
> That's the kind of emotional reaction that everyone has to GDPR.
Emotions are a bad guide when it comes to legal stuff.
> Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.
Everything. Even if you process just an IP you need to document your procedures, change privacy policies. If at any point you ask for anything you need to implement opt ins, a way for (unauthenticated) users to request their data (even if it's just 1 IP) etc. My point is that having negligible private data is not less of a compliance burden than having a lot of private data.
> You've had two full years
You mean i ve had 2 years to attempt to interpret a vaguely written law. Actionable information is just now coming out, and even that is contradictory (cue this topic). Even the EU parliament's website does not comply yet.
> you likely were already riding a very fine line with respect to the DPD
First, that is a directive, not a law and compliance can vary widely. Second, gdpr requires new procedures which means it requires amendments anyway
> Even if you hold just an IP you need to document your procedures, change privacy policies.
So don't hold IPs if you can't be bothered to know where the might end up and if you don't want to update your privacy policy. Why would you?
> My point is that having negligible private data is no less compliance burden than having a lot of private data.
And no data means no compliance burden.
Note that holding data already has costs associated with it no matter what you do: you need to secure that data, you need to back it up, you need to process it and eventually you will need to get rid of it. All of those cost money and effort.
> You mean i ve had 2 years to attempt to interpret a vaguely written law.
As laws come the GDPR is surprisingly clear. I was quite skeptical until I actually got a copy of the draft and I was positively surprised. They actually got it mostly right, there are some minor things that I would have liked to see different but on the whole I am not complaining.
> Actionable information is just now coming out, and even that is contradictory (cue this topic).
The hysteria is ridiculous. Anybody that has spent even so much as a couple of hours on this subject - and from a somewhat serious point of view rather than the ridiculous fear mongering - knows enough to not have written a silly blog post like the one on display here.
> Even the EU parliament's website does not comply yet.
That article was not exactly enlightened to put it mildly.
> First, that is a directive, not a law and compliance can vary widely.
Yes, but if you did take it serious then you are well underway.
> Second, gdpr requires new procedures which means it requires amendments anyway
Yes, there is some overhead. But this is mostly to ensure that the law will not be ignored like what happened with the DPD. As you say 'it was a directive' which many companies interpreted as 'can be ignored'. What they failed to realize is that if you don't self regulate after a directive is issued that there will be a version of the directive with teeth that has the strength of law. Congratulations, we are there.
No. This is the myth that "consent is always required". There are several justifications for processing personal data, and consent is just one of them. There are others.
First, notice how things like legitimate interests are not narrowly defined and left up to the DPA to judge. Which makes it hard to know whether you even need consent or not. Second, this is ICO, the British regulator. There are 28 of them one in each country and they won't always agree, so the application of GDPR policies can vary.
Legitimate interest definition is almost exactly the same as the existing laws on handling private information. If you want to complain about it, don't complain about the GDPR. If you've been handling private information for EU customers and have been complying with the law, then there is practically nothing for you to do.
But, again, if you're not compliant they'll just write a letter telling you this and asking you to come into compliance.
At that point you can check your understanding of the law and what you're doing and write back letting them know why you think you're in compliance; or you can change your process; or you can take it to court.
What happens when that is not possible though? E.g. in the case there is a breach and it is found out because of it that you were not compliant. Do they still write you a letter? Also , is this procedure common for all DPAs or just for the UK?
> Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.
That would have been a wonderful thing to see. The DMCA has had a chilling effect on speech worldwide, and has created difficult barriers for small businesses to deal with if they want to host user-created content.
I think you unintentionally made your opponent's point!
If I run a soup kitchen and new regulations make it too costly for me to continue, I'm in the right to shut it down if I want. If anyone is against this decision, then they should open their own soup kitchen that meets the new regulations.
I never said the regulations were bad. I just said that the guy closing his service is just one guy. If one person ran a soup kitchen by themselves and -- because of new regulation -- decided it was too onerous, I would say "Thank you for running the soup kitchen as long as you have. Have a well deserved break." I feel the attitude in this thread is "You ran a service by yourself for X years, and now you're finding it too onerous. You must continue running the service, because i said so". This seems like a weak argument.
These situations are incomparable. The author of the article is being criticized for choosing not to do something that may be illegal. If the author continued to run his service in an illegal way, then he should be treated the same as marijuana growers. But he has chosen not to run his service. The equivalent situation in the United States would be a bar that decided to close after Prohibition and restart their business in Canada. This is a perfectly reasonable reaction to new regulation.
Perhaps it's not obvious to the author of that software, but publishing products (even free ones) involves liability. You cannot simply say, "Well I didn't charge you!" A free product can still be the subject of a fraud lawsuit, or a negligence lawsuit, etc.
And I think this is as it should be. I'm not sure why people think software meant for use by a broad audience, however cheap, should not be subject to basic safety, security and privacy regulations.
What's more, it's pretty clear the author doesn't actually have a lot of GDPR obligation. They need to maintain a contact point which Apple is actually doing for them. They need to forward RTE requests to crashlytics. If they're doing ANYTHING else with personal data, that's shady as hell and I'm glad they're not doing it to EU citizens anymore.
In the United States and under English common law, those giving away something for free are only liable for 'gross' negligence, which is a significantly lower bar than the implied warranties of merchantibility that will arise if you start charging. All these warranties can simply be disclaimed, by licensing the software correctly.
> I'm not sure why people think software meant for use by a broad audience, however cheap, should not be subject to basic safety, security and privacy regulations.
There is a major difference between cheap and free. There is an especially major difference between cheap and open-source, because most open-source licenses include specific text to disclaim any implied warranty. Without contractual consideration, the author's words don't form any kind of contract with those who choose to use his software.
This is not a difficult concept to grasp. If the author made any money off his project, then yes, a very strong warranty is implied, but without that, the warranty is rather weak. Under common law, those giving things away for free can only be held liable for 'gross negligence', which is different from the automatic warranties that arise when you sell things, regardless of price.
Even in America, if a user can argue that their consent is uninformed you can still end up with a lawsuit. What's more, various states have different rules regarding that liability as well.
You're not wrong in this guy's case, especially since his software is on the App store. However, for most open-source projects, the installation process is sufficiently obtuse that you would be hard pressed to claim you were 'tricked' into installing it
It's not clear that open source projects that are published public domain actually have GDPR obligations. Specific INSTANCES of them running as a service might.
Right... which is why this guy has decided this is no longer going to be his hobby in the EU. While the EU has every right to say 'those who do X for a hobby must do Y to comply' they cannot say 'everybody must have X for a hobby' or 'Bob must continue doing X for a hobby' .
The high-tech laws and regulations of the EU are a bit more sophisticated than in the US so it may take some time for the rest of the world to catch on.
Well, if anything, Europe has a history of labeling authoritarians as progressives. Whether that's something to be proud of is something history will decide.
Authoritarianism is the only way to protect the people from runaway capitalism. Juncker is a good leader - I never understood why Americans/Anglos think that "Authoritarianism = BAD".
How is that hypocritical? It's really obvious that the author puchased an "im" domain because it looks like the acronym for "Instant Messaging", not because he wants to be associated with a European country or European law. He also purchased his domain name before the GDPR came out.
I also don't understand this reaction, because the guy is the developer of a chat program. It seems that if you encrypt communications and user data and do not sell personal data to third parties, then you comply with the GDPR. I don't see where those bureaucratic hoops come into play this developer is bemoaning.
If he's already handling the data securely and only keeping the data necessary for the service (which I doubt but we'll never know) all he has to do is:
- Appoint a data protection officer (himself)
- Write down the processes of how he stores data (we keep it on this database, hosted at x provider; that provider is called the data processor) and how he deletes data whenever the subject of the data requires it.
I agree with you, but in this particular case, it seems to be a free chatting app, not a revenue-making business. From the looks of it, I think the author's motivation for writing and maintaining this are ideological, to provide privacy to users. "This app has no ads, no user behavior tracking and all messages are exchanged directly with the XMPP chat server". Doesn't look like a business to me.
Operating a network service is now illegal by default. Yes, the exceptions are large enough to accommodate most legitimate businesses. Yes, the likelihood of enforcement action against a small player is low. But the normal course of websites has so far been miles and miles away from the nearest illegal act. Now they are right up against the letter of the law merely for calling listen(). The only other law to come that close to the normal operation pure-internet entities is copyright, and it’s drawn similar ire. While it’s true that websites have always been prohibited from committing murder, the possibility of committing murder with a website is so remote as to be absurd.
Please elaborate. I was unable to perceive the legal depth of interpretation.
> you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go away
Businesses limit liability and legal exposure all the time.
> I frequent Europe and do not want to get into legal trouble on vacation.
There is no precedent for violators of EU law regarding privacy to cause people to be harassed on their vacation (yes, there are examples of this on the US side but that's not what we are discussing here).
Worst case you would be warned to become compliant, then if you persist in not being compliant you might be fined, then if all that fails there might be a request for extradition but I highly doubt it would even get that far. Time will tell. What will definitely not happen is that out of the blue you will be yanked from your bed in Paris or Barcelona because you decided to refuse a request for deletion.
> The days of someone making something, putting it on the internet and offering it to the world seem to be over.
No, the days of harvesting data and building profiles without consent are over. You can make something just like you did last week and you can offer it to the world just fine. Do take care of your users data, be a good steward and try to do your best not to get hacked.
> do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
The GDPR does not have this requirement for the kind of business the article writer has. No need to hire anybody. Pure nonsense.
> Tracking crashes with Crashlytics introduces new issues because it is posted to Fabric from a user’s device, IP addresses are in the logs this is personally identifiable information (PII). Crashlytics is GDPR compliant but the burden is on me to show regulators that I am compliant points back to the need for DPO.
Having a DPA in place with Crashlytics takes care of this, that's all the burden there is, in fact, Crashlytics most likely has a standard form for this because they will be entering into DPA's with a lot of companies in the next couple of weeks/months.
> Even though no message traffic passes through Monal’s sever, registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance.
Everything you do requires GDPR compliance but not everything is impacted by the GDPR. In this case logging the IP is fine, and then when you're done with the data you can get rid of it. No need to keep it indefinitely. And that simple trick: remove data that you no longer need is going to go a long way towards establishing GDPR compliance.
> APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person. However,the fact that it can be combined to identify a person makes it PII.
So do not keep it longer than you need it.
> I believe in privacy but I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.
But he does have the time to write blog posts complaining about having to meet the letter of the law. That time would have been better spent actually reading the law and figuring out the impact.
> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.
Of course it is.
> EU user data is sent out of Europe constantly.
Indeed. And that won't stop because of the GDPR.
> GDPR is written such that a user cannot agree to a user agreement that gives up GDPR requirements it’s not a matter of saying you agree to X by using this service.
Yes, that's the whole point. You can't blackmail your users to opt-out of the law by virtue of withholding your product, which is a very very nasty way of trying to deal with a legal issue, rather than to face it head on and simply attempting to try to comply.
> GDPR compliance is something the XSF is talking about right now.
Good to see not everybody has the same attitude.
The way I read it this person is not trying to limit their liability, they're simply trying to pretend the law doesn't exist, have come to the conclusion that that won't fly and now blame the law for their laziness and negative attitude towards the privacy of their users in general.
If he really cared about the users privacy then he'd at least make a serious attempt. This blog post does not indicate a serious attempt was made, it reads like someone looking for excuses.
i think you are being a bit naive and dismissive. the law could easily be interpreted as his endeavor requiring a Data Protection Officer. the guidelines (http://ec.europa.eu/newsroom/document.cfm?doc_id=44100) for the DPO require that processing "special categories of data" needs a DPO. those categories include tings as benign as "trade union membership."
so if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.
Bigger than the DPO issue for processing Article 9 special data is the fact that processing Article 9 special data is generally prohibited outside of enumerated exceptions.
> so if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.
This is a ridiculous argument. No, someone in the EU chatting about trade union membership does not magically require him to hire a DPO.
There's two kinds of "free service" on the internet. There's the Facebook / Google kind of free, where the herd of non-paying users is being aggressively monetised in other ways by a very profitable business. It's perfectly reasonable to expect this kind of free service to jump through the GDPR hoops as just another cost of doing business.
This is the other kind of free, where it genuinely is being done out of interests sake as a public service, like guerilla gardeners. In this case, it's perfectly reasonable to say that you got into this because you're interested in solving the technical challenges, not because you enjoy wading through bureaucratic rules, and decide to stop offering that free service in the EU because the fun has gone out of it.
Probably you're completely right about how easy complying would actually be, and in that case you could certainly take this code and run your own push server that serves EU clients.
It's a reasonable action based on shifting tides and uncertainty, particularly for a project with no revenue to speak of. If the EU wants to do arbitrary things, that's on them.
Thanks for clearing that up - I can't stand people who think they are above the law. Here in France and Germany, this law is creating a lot of jobs too. I hope more laws like that in the future so that even more jobs can be created. I love the EU :-)
For jobs to be created (presumably in startups) , there must be startups first. Startups won't be started if you need to hire 1 full time accountant (for the VAT mess), 1 privacy person and 1 lawyer before you even lay down your idea. I get it that GDPR is creating some nice jobs these months, but it won't last long. I wonder if this guy would even make the app if he was in the EU today.
I am all for fair taxation and privacy, but the EU should start creating the mechanisms that make it easy and automatic for startups to comply with stringent requirements instead of leaving the burden upon them.
You don't need a 'full time accountant' for the VAT mess, I've been doing this for years (decades) and it took about 2500 euros / year / company for the full administrative burden, including payroll for up to 25 employees.
You don't need a privacy person either (I suspect you mean DPO), but you do need to know what you are doing.
> I am all for fair taxation and privacy, but the EU should start creating the mechanisms that make it easy and automatic for startups to comply with stringent requirements instead of leaving the burden upon them.
That I agree with, it can still be better. But VAT/MOSS took the sting out of the VAT reporting and the privacy law is entering a shake out period now and will also end up to be manageable.
the parent specificly refered to jobs being created for privacy officers or sth. i m replying to that. Also, the too many different VAT regimes can create a huge accounting mess if you are selling in many different EU countries, hence the existence of payment processors and relevant startups.
This is such a terrible argument. You’re essentially arguing that any business of any kind should never complain or choose not to do business in a jurisdiction if the reason is regulatory burden, no matter how onerous, expensive, ambiguous, and offensive that regulation is.
That’s illogical and not the way that any business evaluates what activities to pursue or forgo.
You’re casting aspersions on this one guy and implying that he must be up to something shady, all because he’s chosen to not serve a market that has decided to pass some horrible regulation that you happen to like. Unbelievable.
You can’t have your cake and eat it too. The EU can pass whatever laws they want, but the rest of us are still free to tell you to pound sand.
> if the reason is regulatory burden, no matter how onerous,
No, what we're saying is OP can't complain about the burden of this onerous regulation when the fact is that almost none of it is relevant to OP and he'll have to make only minor changes to be compliant.
Several of the claims OP made are flat wrong and it's trivial to show they're wrong by simple web searches.
There is so much misconception about GDPR. It is cleary directed at large data-tracking corps, not single person IM apps. Even if someone tries to "sue" you (which he can't, only report you to authorities), it first needs to go through many iterations where you can make your case.
The op seems to be motivated more by politics than the reality of this as I understand it. The "reasonable" qualifier in most of it, while it will need to be litigated, does a lot to assuage my concerns about overreach from it.
Could you be sued to the poor house from it? Maybe. But that's the risk of operating a business in the US every single day.
Do I misunderstand this section: "Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation." That sounds like you can be sued by any subject on their whim?
That is not how the EU works, in the US i would be very afraid reading that, in the EU nothing will happen if you do not violate in a spectacular way, and that, after many warnings. They are after companies tracking you across real estate and selling relevant data from their vast silos to companies that can market stuff to you. They tried many ways already to prevent this kind of practice in some countries but loopholes were found so this is the hammer. As a small company, if you answer and act on actual user complaints, you have no worries no matter what the language. It is not in their interest to go for small offences. And if your story is reasonable, like OP, they will just let it go.
What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.
Edit; note as well that every country has a compliance office; if they know you are in complaince as in you are ‘good people’ (best effort, no giant holes etc; just best practice in our field which you should do anyway) they will not bother you with every (or any) user complaint after that. I have good experiences with this with far grave (and potentially criminally punishable) matters in a few EU countries.
It is reasonable to assume overreach by governing bodies will occur; this is no less true for the EU than for any national government. The EU is no less likely to misuse that hammer, intentionally or not.
"It is reasonable to assume overreach by governing bodies will occur"
No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.
Even then you probably won't. If it's an incident that happened despite of having taken the necessary precautions, you would probably get only a small fine or a warning.
These laws have been in place since 2016, they are going to start enforcing them starting the 25th. If you actually read anything about it from the source, it's clear it's setup against data abusers. It's not aimed at small businesses. If you don't do anything with user data, you don't even have to do anything. Like in the case of the OP. Aside from that, the EU doesn't have a history of overreaching/abusing power such as this. If this was US legislation your worries would be justified.
So we've gone from you can't, to you won't, to you almost certainly won't. I completely agree, I'm just saying the 1% possibility is something you have to live with.
Where in the law does it say they only do this when ignored? Surely if this were the case, they'd put it in the law like they did punishment limits. Or are you banking on subjective enforcement?
"The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests."
That seems like a request from a data subject. I was responding to a comment that said you will only be sued by a regulator if you ignored them. There are multiple blog posts and articles that regulators have posted about what they will and wont do that is not codified.
thats not it. From my understanding people say that because that is how the UK regulator has dealt with cases in the past. But there is a different regulator in every EU country
Regulators. "Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation".
So, 28 countries, each with 1+ organizations. So you could find yourself having to deal with multiple parties in different languages.
From my German perspective this whole GDPR panic is so interesting. The GDPR is basically a carbon copy of the data protections laws that have evolved in Germany since 1977. Yet we still have many thousands of small companies dealing with data, individuals running web forums etc.
It's especially funny when small to medium German companies suddenly panic because of the GDPR and when you look at their situation all you can say is "yeah, you should have implemented that 15 years ago, it's already been German law that long".
In Germany not much will change, but at least companies like Facebook can no longer just move to another country with worse privacy laws (like Ireland) and call it a day. For us the GDPR means that protecting user data will no longer be a competitve disadvantage. But if you're a small company and handling data reasonably, the GDPR won't hurt you anyway.
It literally translates to "federal data protection law" and has been German law since 1978. In certain conditions it has also mandated a DPO (https://de.wikipedia.org/wiki/Datenschutzbeauftragter) since then, but in fact the first DPO position in Germany was created in 1971.
The right to a data export is mandated by article 34 BDSG (https://www.gesetze-im-internet.de/bdsg_1990/__34.html). It has always been common use this law to get a free copy of the data which our credit reporting agencies have about you, I've done that multiple times.
Thank you for those detailed links. They are kind of eye opening, and I am German. However, it is hard to understand how stuff like GEZ, Schufa and article 35 can exist concurrently in the same country.
Schufa (the biggest consumer credit reporting agency in Germany) and article 35 can certainly co-exist. In fact you can write to Schufa and request that they delete all your data.
However, if you do that, good luck ever getting a mortgage, credit card or other post-paid services ever again if all credit report requests come back with the reponse "no data available". So I wouldn't recommend that.
> However, if you do that, good luck ever getting a mortgage, credit card or other post-paid services ever again if all credit report requests come back with the reponse "no data available". So I wouldn't recommend that.
How does that work for people who never had a Schufa history? If for instance I decided to move today from Brazil to Germany, would I be unable to do all these things there, since they would have "no data available" on me?
There are thosuands of horror stories how the Schufa isn't able or willing to correct wrong data. And no data protection agency in Germany did ever brought such a case to a court.
What do you imagine that fixed cost to be? Delete your logs and don't, you know, make an entire business out of misrepresenting your revenue model and you're most of the way there.
Any business that is shut down by GDPR is, to me, a good business to shut down.
issue isn't the business model, is the size. For a large company, handling GDPR is trivial. For a startup or small company, the cost is prohibitively high.
I'm not arguing for or against it, just pointing that the resulting unintended consequence is protecting large companies. Exactly the opposite of the original intent.
> For a startup or small company, the cost is prohibitively high.
Nonsense. I look at another high tech data driven start-up every week and not a single one has stated that the GDPR costs are 'prohibitively high'. Sure, there are some that need to do more work than others (medical, ad tech). But on the whole companies that were already doing their best to not fuck up with their customers data have very little to do in order to get to where they should be and the remainder has a bit more work but will mostly likely be more-or-less compliant by the 25th and what work remains will be done long before the eye of Sauron will turn their way by virtue of their size.
The cost is strongly related to the size of the organization and the amount of sensitive data you hold as well as whether or not you were a bad steward of the data in the past.
I'd go as far as saying that if you responsibly handled data before GDPR, what you have to do to be GDPR compliant is document the process and make it possible to delete data upon request.
I actually think it's entirely the other way round.
A small business or a startup should have a relatively limited amount of data capture, and that data should be stored in a relatively limited number of places. In most cases, it should be straightforward to make sure that this is documented and appropriate controls are in place.
On the other hand, large companies have vast quantities of uncontrolled data gathering that nobody is responsible for.
Spot on. The biggest problem cases are hospitals, banks, insurance companies, airlines and - funny enough - governments. They all hold mountains of data and the systems are old and in many cases no longer maintained by anybody that was there when the system was first created.
Suit yourself. But as mentioned elsewhere, the equivalent of GDPR has been law in Germany for over a decade, and small businesses have had no problem complying.
> If I want to put an open source app in the App Store, that’s not a business model for me. It’s more just personal expression.
Try convincing a regulator of that.
But it doesn't matter, you're still logging PII. GDPR doesn't make any distinction of profit vs. non-profit vs. personal ownership. You're as liable as an individual as an organization.
Your personal expression is writing the open source software and putting it on GitHub. However, once you make it available as a service, you should be responsible for it.
No - you cannot ignore it when you are a small company that's true. But you can (probably, we'll see) ignore it if you don't do shady shit with your customer data. You are allowed to process data, if it's used to fulfill the service you provide. That's reasonable, and probably applies to most of what OP is doing.
So when I get reported, I'll say I didn't worry because some guy on Hacker News said I'd be OK? That's not how it works. You can be as confident as you want without affecting the reasonable worries actual businesses have about this regulation.
I have an actual business, thank you. And I did my homework by talking to a lawyer about it. What I got from this talk is, that most of the stuff that is going around is pure panic mode.
Please, don't take my words as granted but talk to an actual lawyer. You'll probably even find a free session for startups somewhere in your city, at least in Europe.
Ask the regulators. The ICO provide comprehensive guidance documents, a wide range of tools to facilitate compliance and a dedicated helpline for small organisations. They're extremely busy at the moment, but they'll be more than happy to explain your obligations under the GDPR and the best way of achieving compliance.
False. If you do any sort of logging of network traffic - think server logs - or even backup your database and a single person comes asking for all their data to be removed from all your backups sitting in cold storage, you're in for a world of hurt.
The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.
"The GDPR is open to interpretation, so we asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (indicate the retention time in your communication with the data subject). Backups should only be used for restoring a technical environment, and data subject personal data should not be processed again after restore (and deleted again)."
That agrees exactly with what CNIL said. Obviously you have to keep an index of requested deletes for the same length of time you keep backups in order to re-delete the relevant data in the event of restoring the backups.
Article 63 of the GDPR specifically covers consistency of enforcement across the regulatory agencies.
I don't see the problem here (for small companies). If you have a database with user data, and a user deletes his account, you delete the data from production. At this moment, you have a live system without this users data, and some backups with the data. The moment you make a new backup, you have a dataset to restore from that does not include the user data.
You keep daily backups for 1 week, and after one week the users data is gone from all backups.
The only possible window for restoring deleted user data is the time window from deletion to backup. To "solve" this you need to make more backups, ideally live backup and replication with really frequent snapshotting. And this is something you would want even without the new law, because you don't want to lose user data in case of a server failure. Why would you restore from an old backup? (And if you really need to restore from an old backup you most likely want to merge this backup with the newest one to reduce data loss. In this case you can reapply all deletes.)
The new laws don't change anything. For me at least. Also my lawyer is totally fine with "only" minimizing the problematic time window. We both know that it will never be zero.
You have a very narrow view about what backups are used for. Which is fine for your business, but for many others, the backups are important business records. What if an employee is stealing from the company, and does it for longer than the time that your business keeps backups? You might say "oh but I keep logs", in which case you have the same problem with keeping the logs that you think you dodged by not keeping the backups.
Yes and no... the GDPR is all about purpose, and if you keep a log for the purpose of logging unauthorized access to data this is fine if you state this fact in the contract with the employee and only store and access the logs for this purpose.
You just can not keep backups of everything for the purpose of everything.
My example can not include all cases and was written in the spirit of "we are a bunch of devs with a small project". As is monal.im .
You can still log accesses and aggregate them into statistics, just don't keep the IP addresses. You can still log IP addresses to detect DOS attacks or whatever, just delete the log when you don't need it anymore, after a day or so. There's no need to get backups from glacier, because you know there is no personal data in them.
There are other laws which require you to keep data for up to 10 years. This will require you to split up your backups and clean the ones for the longer storage from all unnecessary PII. That is already costly and challenging. Problem is nobody really knows what data you have to strip of and what do you have to retain for other laws.
You are talking about a very narrow set of legal reasons that need 10 years of archiving. This has nothing to do with the GDPR and these archives should really not be created from normal daily/... backups. If you fall into that category you need a lawyer even without the GDPR and this lawyer will tell you exactly what and how to archive. "Nobody really knows" does not apply here because your lawyer knows.
> very narrow set of legal reasons that need 10 years of archiving
Invoices for VAT MOSS have to be archived for ten years. And until today nobody really knows (it is another EU law disaster) which information you have to keep to prove the origin of your customer.
Why do you need to keep more information than the invoice itself? All invoices should include the invoice recipients name and address, and thus the country of origin. In many countries invoices below a certain amount can omit the recipient, but you don't need to omit it.
Do you invoice for a different country than the recipients country? Why?
> the information used to determine the place where the customer is established or has their permanent address or usually resides.
Sadly this regulation doesn't specify which kind of information this could be.
Your customer could try to get a better price by pretending to be from a country without VAT. Therefore the address given by the customer is more or less worthless in this regards. One more realistic information is the IP address. But as this also is pretty easy to spoof it might be reasonable to also keep information about the country were the cc card was issued, if possible.
My only still active side project to which this applies isn't open for public registration yet, and I fully intend to completely block the EU before going live.
That's only the case if you store personally identifiable information in your logs. IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP. Plus, if you rotate out your logs and clean them up regularly, you don't really need to worry about it. (That's what the EU lawyers at my work told us.)
Database backups are only a problem if you save them forever, though it sounds like you are. GDPR generally requires that you regularly archive, rotate out, and clean up old data.
> Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, ... or a computer IP address.
Emphasis mine.
I said:
> IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP.
I'm actually saying that both are a requirement for logging IPs in the circumstances being discussed here, but I certainly don't mean to suggest that either would grant you "carte blanche" to collect and log IPs.
I suspect that logging IP only for security purposes is fine, but the idea that it is a bulletproof defense is just wrong, we have no idea. Current indicators are that regulators think IP is personal & that legitimate interest defenses are suspect.
I can't see any way in which this interpretation can be valid. You'll always be able to "directly or indirectly" identify people from IP addresses. Just because I don't store IP and identity together, doesn't mean there's not many other ways to identify somebody based on an IP address.
I think the concern of the regulatory agencies (valid or not) is that there are db for sale that allow extremely precise locality information based on IP. Close enough to identify a household, which combined with other data can limit the data to a single person.
You might be thinking of this pseudonymization stuff. My advice is not to play with it. Just delete your logs after a month unless you have a demonstrable and immediate security need for them.
Wrong about what? I wasn't referring to pseudonymization; we thought that wasn't worth trying after the legal teams laid out what it involved. Log rotation is important, like I mentioned.
I spent near to $10,000 in 6 lawyers 2 in usa 4 in different european countries and all wrote detailed report for me negating what you just said. IP is one of the most PII identifiable elements of an internet user. Exception is when you can prove such IP is a merely a proxy. please get some other lawyers opinion!!
Note that I didn't say IPs aren't PII; I said they don't count as long as you are collecting them for the specific purpose of security and don't have any way to identify the person using that IP. Pretty much by definition that is not PII.
That came from the legal departments from our German, UK, and French entities.
You contradict yourself, either its PII or not. Common understanding in the industry is that it is. Purpose of security doesn't change if its PII or not. Although security/auditing might allow to hold on for longer because you need the PII as a feature (which you should be transparent about). For pure telemetry you don't need it, I'd claim.
If you're too worried about this, remove the last octet from the IP or and/or it with a mask. And especially don't associate the IP with the user (by default you can't find out who's the user only by IP).
Probably because that's a dumb exemption. Number of employees is pretty fucking irrelevant when it comes to data. By this standard, Cambridge Analytica would have had lessened burden on regarding objections to processing, demands for data deletion and so on.
And it's good that it wasn't allowed. Otherwise we'd just have medium sized companies worrying about GDPR while large companies spawn one-man shell companies that "specialise in data processing".
That is resolved today by subsidiary clauses in laws.
If owned or controlled by big-co in an non arms length manner, then it wont be considered a 'small company' in terms of the GDPR.
Edit: These corporate control laws have teeth, otherwise every small & large business owner would do something similar by making all of their corps 'offshore' in some zero tax jurisdiction and pay 0 tax locally except for business done actually in the territory itself.
Oh, but they're completely "independent", I don't understand what's the problem, Mr regulator ;-) This already exists in many ways for financial aspects. Sure, it's not super legal/moral, but...
Or the could be completely legitimate small businesses doing this device for anyone.
> would do something similar by making all of their corps 'offshore' in some zero tax jurisdiction and pay 0 tax locally except for business done actually in the territory itself
If there is a complaint against my small software company, are there limits on how much I'm required to spend on defense? Do I have to travel to Europe to defend my company or will investigators from Europe travel to my location at their own expense? Will I be reimbursed for reasonable expenses if the complaint is groundless? Are there parts of the regulation that act like strong anti-SLAPP laws in some states?
Can my small company be trivially bankrupted by any sociopathic gamer skid with an EU address and a grudge when DDOS attacks fail?
"You can beat the rap but you can't beat the ride."
> Can my small company be trivially bankrupted by any sociopathic gamer skid with an EU address and a grudge when DDOS attacks fail?
Your dude with a grudge can only lodge a complaint with the relevant regulatory entity, they're the ones who will verify whether you complied or not with his GDRP requests and if they deem that you are in violation fine you after negotiation fails.
This isn't the US: you can't be sued by random people for anything.
(1)A random person complain to his regulator that you are not complying with GDPR. If he asked for his personal data, jump to (3)
(2) His regulator contact you, tells you that wht you're doing is bad: you have some stuff in opt-out, not clicking "opt-in" cause a degradation of service, or you are sending him 3rd party cookies he did not accept.
(3) Depending on the complexity and your ressources, you have X months to comply.
So it's a law that's arbitrarily enforced?
Kinda like giving limitless power to discriminate to someone?
There is no misconception on GDPR: the idea is good, the implementation is horrible and retarded and it is lead by people who do not understand a single thing about technology.
Having an app that is non compliant out there induces anxiety. Having 10-20 old or fire-and-forget projects out there, it's anxiety multiplied. There is a non negligible chance that One disgruntled or trolling user or competitor will report you to their country's DPA . There are 28 DPAs and they are not all as good and fair as Germany's or the UK's , they may fine you even if there is no good reason. Example: in my country the DPA fined a company last week (3000 euros) because they searched a company's computer while the employee was not present, even though they found that the computer did not contain any personal information.
By law it is enforceable and directed at any entity that tracks European data. There is no clause the limits GDPR to large companies, just like there is no clause that limits or restricts fines outside of the 4%/20M number.
It would be entirely possible for someone to not be compliant with a side project and get fined 20M because there is nothing that explicitly forbids this it is entirely up to interpretation.
Given that US companies have already been targeted in the EU, unfairly [1], I find that law terrifying because I have to trust regulators that don’t have my best interests in mind with possible penalties that are very high.
Citation needed. I have seen absolutely zilch about the implementation of GDPR in countries like Hungary, Romania or Bulgaria. And they are members of the EU as well, you know.
It's in the text of the legislation. Chapter 7 sets out the requirements for the European Data Protection Board to ensure consistent application of the regulations across all member states.
Article 83 states that any penalties must be proportionate to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken to prevent or mitigate an infringement and the degree of cooperation with the supervisory authority.
However there is a grand plan to do the absolute opposite, which is to adopt the entirety of EU law into UK law. The so called "Great Repeal Bill" or whatever they are calling it this week.
Sure, feel free to "leave", really, no offense. We talked to a lawyer in Germany regarding this (we are a small software company with 5 people). His response was: If you don't do shady shit with customer data, you'll probably don't have to worry. Also, if you are in a "contractual agreement" (e.g. EULA), you can apparently justify most data collection without any change at all.
Even though that's a personal risk you're willing to take, it might not be one everyone else is willing to. One might question a law that asks everyone to take risks (or pay/pray for peace of mind).
There are many other laws where you‘re taking risks. Maybe you‘re violating some US securities statute? Maybe you‘re violating some German accounting rule?
Why haven‘t all those doomsayers closed down their businesses long before the GDPR?
I mean, technically I'm taking a risk when I step out of my house every day. So why ever walk?
There are varying degrees to which people see laws as affecting them. Small business tech owners, when a law says they have work to do, are going to feel affected. If there was a securities or accounting law that felt similarly overreaching one could expect a similar reaction. This is especially true if there is an alternative (locking out markets) that is easier. It's not helpful to try and compare the situations. It's also not fair to consider people weighing the costs of these laws as doomsayers. They aren't closing down their business, they're just restricting it to more business-friendly environments in their view.
You've made many concrete, general statements in this discussion which turn out to be relevant to your personal situation and your personal appetite for risk. Maybe that's not an effective way of holding a conversation about the general issues around the GDPR?
I'm not sure what else I should reply to something like your comment before tbh. Neither can I predict the future, nor am I a lawyer. I'm just posting about my opinion, which I got by gathering information online and from consulting with a lawyer. I've stated the conclusion I've come to, based on this information and yes, I believe that to be correct (or as correct as one can be about a law with no reference cases in court yet).
I was just pointing out, that when a lawyer says "probably", he usually has a good reason to do so. And it's my strong belief that the reference cases in court will not be fought by small companies, because they rarely are.. There is just not enough money to make fit the effort you need to put in winning the first case. Before there is not one single case, I don't think it's necessary to panic and shut everyone out.
You don't need to believe me or agree with me, but reducing this to "my personal appetite for risk" is really weird.
You stated your extremely general conclusions, and only later mentioned that they were relevant to your personal business. And in this particular sub-thread, you made a very general statement about risk, again without qualifying it at all. And you only mentioned the lawyer after you were challenged about a general statement.
Maybe you have huge assumptions that people reading what you say will add all kinds of limitations to what you say? I don't. It leads to terrible discussions, like this one.
I'm sorry for making too generic statements, I'm not trying to have a bad discussion, really.
Regarding the personal risk comment, I could've been more clear: From what I got, no lawyer can give you a guarantee at the moment, that what he says is actually what will happen. So in the end you'll have to take action based on recommendations, and take a risk - or, as the op, shut out all European users completely. My personal risk is continuing to do business in the EU, even with this uncertainty. You couldn't have guessed all that from my earlier comment, so I agree it was bad..
Regarding that, i wonder how DPAs will handle cases. I can totally think of small businesses or professionals like doctors reporting each other to the DPA. Can DPAs easily dismiss complaints?
Risk is a part of life. Even before GDPR there was a risk that you were violating some privacy law in countries that your customers were connecting from. By putting your product out there, you've taken on most of this risk already.
There was a previous 1995 directive for instance. It didn't have the teeth of GDPR, but was actually rather similar. It would be hard to be compliant with That and in breach of GDPR.
That rather makes the anti GDPR arguement sound like "yes I know that is the law, but I was breaking it over the internet so that doesn't count"
Because European courts and regulatory authorities are not run by gibbering morons. The Data Protection Directive was materially similar to the GDPR and was enforced by the same supervisory authorities. The DPD gave member states total discretion as to the level of fines, with no upper limit. I have found no evidence whatsoever of irrationally large or unreasonable fines under the DPD.
You could be breaking the law in any number of countries. What steps are you taking to comply with the laws of Saudi Arabia or North Korea?
Well usually they aren't any kind of social or economic hubs, so I don't really worry if I can't enter or do business with north korea in my day to day life.
The EU on the other hand...
Also almost all laws stay in one jurisdiction, they don't go beyond their own country.
What if you don't want to deal with any of that. You can no longer just create some useful, free service and make it public.Heck, I don't even like having to be familiar with software licensing just to add something in Github.
If you don't want to follow the law you're welcome not to and will have to deal with the courts when they come knocking. This has always been true for all laws, not just GDPR. Try violating fiscal laws in the US just because "you don't want to deal with any of that" and let us know how well that works out for you.
> It is cleary directed at large data-tracking corps,
Then the law should say that. For instance when India implemented uniform goods and services tax processes, it explicitly excluded businesses below a certain revenue threshold and gave them a simple % of gross alternative to all the processes. GDPR doesn't make any such distinction, so such decisions to drop EU support are to be expected.
Well, it's wrong in the sense that profiling activities require a "lawful basis", consent is one of the possible lawful basis available.
So you can profile without consent IFF you can convincingly justify said profiling via one of the other lawful bases. But those won't really let you do blanket profiling willy-nilly either and come with other strings attached.
When it's a one man show, you can't afford these kinds of unknowns. And by afford, I don't just mean monetary, I also mean mental costs, like your mind spinning at night wondering of the ways you might be harmed, or the ways you might develop a solution to the problem, etc.
> When it's a one man show, you can't afford these kinds of unknowns.
One really can. It took me all of a few seconds to shrug of the GDPR when I first heard of it. Then, with all the scare mongering (webserver logs will be illegal!), I spent a few minutes reading up on it. It's all more than reasonable: if you're not doing anything shady, or are being negligent bordering on incompetent, you can just shrug it off and sleep soundly.
No. Compliance with GDPR for a small company is relatively straightforward if you aren't doing anything shady with private data. It's not even an unknown.
Corporate veil piercings happen a lot more when your a small or one man shop, and officers can often be directly liable for the actions of the company. It's not as bulletproof as you think.
But the usual requirement for piercing the corporate veil is that the owner/operator of the business is using the business with the sole reason of insulation from having their private assets in the line of fire. If the business is otherwise legit and a fine were levied against the business there would be a fairly strong barrier before the assets of the shareholder become part of the story. A good precaution against this is to have more than one shareholder (preferably more than a token percentage for the second shareholder).
IANAL, but that is not the requirement I've heard. It is perfectly valid to insulate one's other assets from corporate creditors. One must voluntarily commingle those assets with corporate assets in order to justify a piercing. It's not always obvious to the careless what will constitute commingling, but this is kind of the point of corporations.
Frankly this post has prompted me to reevaluate your other legal advice in this thread.
My exposure to this is limited to cases in Europe and ones that I was a direct witness to and in all those cases it was pretty clear that the company was created with the express purpose to commit bankruptcy fraud and the result was the owner of those companies lost his shirt. All other attempts to pierce the corporate veil that I've seen failed.
Presumably that fraud involved assets that belonged to the corporation (or were represented to creditors as such) being transferred outside the corporation to other entities controlled by the owner? That will pierce. Imagine instead someone who builds a store in a location with insufficient commercial traffic and whose corporation fails for that reason alone: her creditors can't take away her house, her retirement account, or some unrelated business.
Long story short: guy figured out a way to make money: create an LLC, rent some warehouse space, order hardware, sell hardware, pay invoices, order some more hardware, sell hardware, pay invoices. This cycle repeats a couple of times with higher and higher order values and then finally when the orders are really large (millions) holds a clearance sale, pockets the money and defaults on the invoice. Boom, company bankrupt.
He did this several times before the corporate veil was pierced and they took him for all he had.
The other case was one that is probably best described as mismanagement ('onbehoorlijk bestuur') where the CEO/sole shareholder of a company started using the corporate account as though it was his personal account. When the company was unable to meet payroll taxes the taxman seized his private assets after piercing the veil.
Both of these episodes are clear cases of commingling. "Pockets the money" and "as though it was his personal account" are key phrases that would command any forensic accountant's full attention. Without these or something like them there would be no justification for piercing.
Excellent, thank you for pointing out the exact reasons why that happened. It made good sense from my perspective but to know the exact bits that would flag it is useful information.
While Monal is privacy focused, it is also free, open source and run by a single person — me. I simply do not have the resources or the time to jump through the regulatory hoops required by the EU.
As a new and small construction company we simply don't have the resources to comply with all the building codes and the related paperwork. I just can't afford to meet all food safety requirements, I just want to provide free meals for homeless people in my spare time. I just built this car from scratch for myself and now they tell me I can not drive it on public roads just because I don't have the time and money to meet the required standards?
I made this software program that listens on a port on my computer, located in Springfield, IL, USA. I allow other people to connect to this program over the internet, which terminates at a connection I pay Comcast to provide me. I log their IP addresses (on my server that I own which resides in the United States) because I'm curious where my users are coming from. Someone from Europe is claiming that I owe them some of "their" data (which they seem to think is stored on my storage that they never bothered renting from me) or I might have to pay 20 million euros. I tell those users and their government, neither of whom I owe anything, to kindly piss off and then ban all ip addresses from the EU.
To put it another way, I go to Central Park and start to juggle. I don't charge people, I just juggle because I like to juggle. Some people watch; others simply ignore me. I write observations about a couple of the people who watched me perform in my journal. One of those guys was from France. He later looks me up in a phone book and calls me to demand I give him any observations I wrote in my journal. I tell this fellow to piss off. A few months later I get a letter saying I need to pay 20 million euros because I wouldn't give away my personal observations stemming from something I did publicly and for free.
Everyone seems to have latched on to this 20mm € fine part, but missed the surrounding paragraphs that require that fines are proportionate to the offending, and only to be used after, on in conjunction with other methods of enforcement.
It's most certainly not a blanket "Everybody who is not in compliance with the GDPR will get a 20 million Euro fine".
GDPR is not about annoying small businesses at all. First, to file a complaint one has to go through several steps, and the fine will be proportional to the offence. No small business owner will have to pay 20M€ for logging an IP (plus keeping IP logs are actually mandatory). Offenders will first be issued a reminder, then be fined if they don't comply after that. If you're a small business owner and you don't comply, then you can't complain.
Secondly and most importantly, GDPR is not about preventing people to get information, but rather about preventing people to track customer. If I use your example, GDPR would prevent you from following someone after they watched you juggling. It would prevent you from following them home, noting where they work, who are their acquaintances, what kind of food they eat and so on: it's technically legal but incredibly creepy. If someone were doing this to you you would be the one to tell them to piss off. You can perfectly write what are the observations of the passer-bys who watched you, as long as the log is anonymized. Which is easy to do and not harming for your business. You didn't want to track them anyway, did you?
>I wouldn't give away my personal observations stemming from something I did publicly and for free.
No, you'll just sell it to the highest bidder. And enough people do this in such an underhanded way that the EU decides to regulate the shit out of you. So maybe you should have asked permission before recording identifiable people's behavior or otherwise earned their trust. Instead of being shady and myopic about it.
You have to respect the privacy of people in the same way you have to respect their lives. You can not harm or kill random people, you can not do arbitrary things with information about them.
It’s alarming that you don’t realize how insane this argument is. Now murder and keeping notes about someone you see in public are the same? You’re headed towards thought-crime with this; it’s basically murder to continue to hold an opinion of someone that they disapprove of, because “privacy”. Ridiculous.
Of course they are not the same but they share a common principle, i.e. you can not do arbitrary things involving other people. And nobody is talking about your opinions, you are free to think whatever you want, just as you are free to harm yourself or even commit suicide. But if your »thinking« involves information about other people, there are limits just as there are limits if you go from killing you to killing others. If something is ridiculous, then the way you twisted what I said.
Wow. There you go again! So if my thinking involves someone else’s information, they have some right to make me change my thinking or punish me if I don’t??
First, you switched from respecting peoples' privacy to taking notes, thinking, and having opinions. I even responded to your comment before you added the notebook in the park example. You probably also noticed that I put »thinking« in quotes.
Anyway, it is not the act of having the information about other people that is problematic, it is the act of collecting, using, or sharing it. Do you think I should be able to follow you around and write down every step you make? Should I be able to use that information in every way I want? Do you want me to tell your significant other what you actually did on that »business« trip, tell your coworkers what you got from the sex shop? Should your doctor be able to tell everyone about your health status, your bank about your financial status?
It is just naive to pretend that handling information is inherently without any concerns and therefore no rules should apply at all. And it is just silly to pretend that writing down an observation you made in the park in a notebook is the same and should be treated in the same way as systematically collecting information about every website visitor.
I didn’t write the original comment about the notebook in the park, just FYI.
And your examples are not all the same. If you’re in public, you have no reasonable expectation of privacy. So yeah, take all the notes about me you want. That’s entirely different from my doctor sharing my health info.
Sorry, my fault with that first comment. Then why is your doctor not allowed to share your health information but a website where you search for and read about medical conditions can collect and share what you looked up as they please?
And while you personally may not have any expectations of privacy in the public, that is certainly not true in general for everyone and in every country. Here in Germany the constitutional court ruled just this week that having a dash cam in a car violates the privacy rights of the people you capture.
You are also generally not allowed to take photos of people in the public without their consent. It is not a problem if they randomly appear in a picture you took of a building or whatever, but you are not allowed to take photos were people are the main motive.
Your first two examples are cute, but your third has the unfortunate side effect of undercutting your argument. A car you built yourself (or more often a motorcycle) actually _can_ be driven on roads in the US, as long as it has the appropriate indicators (brake lights, turn indicators, headlights). There's a crazy subculture around building bikes that would never in a million years pass muster as production vehicles. (let's drop a chevy small block into a harley).
The indicators are a tiny subset of the actual requirements involved in a production vehicle. In fact, there are examples of European production cars that can't be street legal in the US, and the companies involved chose to simply not sell them here. Smart cars were impacted by this for awhile (no crumple zones), they eventually dealt with the problem though, and as I recall there was a production ferrari that couldn't be driven here because ferrari chose to simply not sell in the US rather than conduct two crash tests or something like that. Can't recall the details.
"While most Porsches can import quite easily from Europe to the USA, the 959 had complications abound, making it impossible for US citizens to get their hands on one of these supercars. One of the citizens was Gates, who ordered a 959 from Porsche, only to have it impounded at customs. The reasoning provided to justify the impounding was that the 959 had not yet cleared crash-testing requirements and did not meet EPA standards. Gates’ German supercar sat idly by for over a decade."
> A car you built yourself (or more often a motorcycle) actually _can_ be driven on roads in the US
Such a car cannot be driven on the road within The Netherlands without it being validated as safe (plus some other inspections).
For US, same seems to apply. Per https://www.dmv.org/car-registration.php it mentions: "Pass a vehicle safety inspection.". So again you need to deal with paperwork and read what those safety regulations are.
Some rules are decided by state. For example, Idaho has no vehicle inspection process, just registration (i.e., paying a fee and getting a license plate and license plate sticker).
Dmv.org is not associated with any government body. Its advice should be taken with a grain of salt as such matters are not uniform across the US. Moreover their state specific info is often a paraphrased summary that only represents best practices and not the full scope of the applicable law.
Yeah, for "specially constructed vehicles" that safety inspection is extremely minimal. For a production vehicle, the requirements are much more extreme, and cost millions to comply with.
> A car you built yourself (or more often a motorcycle) actually _can_ be driven on roads in the US, as long as it has the appropriate indicators (brake lights, turn indicators, headlights).
They don't do safety inspections in the US?
Doesn't the vehicle need to have brakes, a means to change direction, emission checks and so on?
TIL in some states they do emissions checks (although in a lot of states motorcycles are totally exempt from those anyway). And no, they don't do safety inspections of "specially constructed vehicles". And based on the ones I've seen, I can't imagine a world in which they'd pass. [1]
However, at least some states (probably most) require a minimum level of insurance from a carrier licensed in the state. There's nothing that requires those carriers to provide insurance to vehicles that don't meet their minimum requirements.
They vary wildly. Some states (washington used to be this way when I lived there) don't require insurance for motorcycles at all. But yeah, private companies can often make their own rules.
You could build and drive a car you built yourself with no regards for your personal safety - it's your car after all, and it's your business if you get injured. But could you sell such a car?
You could build and use a service with no regards for your personal privacy - it's your service after all, and it's your business if your data gets leaked. But could you offer such a service?
Yep. You could totally sell it, and in fact that's exactly what Boss Hoss motorcycles does. I believe each vehicle has to be unique, or something. Not sure where the line is between these custom vehicles and "production" cars, but it involves the scale of the production. Exactly the kind of exemption people are suggesting for the GDPR.
And has made his business that much less viable, and opened himself up to competition from a company with a comparable product that does comply with the law.
And maybe one day the USA will pass some privacy legislation...
The fact that it is open source does not mean it isn't a business.
And yes, he has saved himself the time and the effort of dealing with the GDPR, has also managed to position himself as someone who pays lipservice to privacy but who does not care to actually be compliant with privacy legislation when it matters. I wouldn't want my data in his hands after that anyway (not that that would ever happen because I don't have a smartphone in the first place).
That's ridiculous, and the same non-logic as "anyone who declines to let the police search their home without a warrant is trying to hide something illegal". In both cases there is no upside and a chance of a large downside, even when you're completely innocent.
Your point is clear, but this is internet software all having to comply with the same regulations regardless of actual industry. I'm having to close my small construction company because the FDA passed harsher food safety requirements.
No, you don't have to close at all. You just need to comply with the law, just like everybody else. You also need to file your taxes, keep the books in order, ensure that you do not pollute the environment, in some cases you need to be licensed in order to be able to practice your trade and so on.
Why would this particular regulation suddenly cause you to close your business unless you were doing something really shady?
Perhaps it costs money to do so, and the company does not have enough working capital + lines of credit to make the payments necessary?
I feel like your statement here is basically "you are a business, therefore it is impossible for you to run out of money", which -- superficially -- seems very naive.
Obviously it might cost money (or time, which might mean money). Argument is still the same, it's not out of the ordinary to comply with regulations and laws.
It seems more like a cultural difference, whereby some one-man shops from US find privacy not important.
No there's no cultural difference (or perhaps there is, but it's not on display here). It's not out of the ordinary to comply with regulations and laws -- businesses often change to do so. However, it's also not out of the ordinary for businesses to go out of business due to legal situations. Both are signs of a functioning regulatory environment.
At that level it doesn't have to cost anything other than your time. And if it's not a business it is a hobby and those cost time (and usually also money).
The GDPR is not going to cause any but the weakest businesses to close shop, in fact if the GDPR causes a business to close (which I highly doubt other than people voluntarily throwing in the towel because they can't be bothered) then I am not sure if I'm going to shed tears over that because it likely means that that business was so weak already that other things besides GDPR compliance were suffering as well (such as security).
The comment I responded to cited environmental regulation. These are oftentimes costly to implement. All regulation costs money to implement. Even if each regulation by itself is cheap, these things add up -- it's death by a thousand cuts.
Yes, but then again: if you don't implement them society as a whole will end up holding the bag. Polluter pays is a very good principle.
> All regulation costs money to implement.
Yes. But that's called the cost of doing business. And most software based businesses have insane margins anyway because of their ability to scale.
> Even if each regulation by itself is cheap, these things add up -- it's death by a thousand cuts.
That's one way of looking at it. Another way of looking at it is that it levels the playing field between those that ride roughshot over their users rights and those that try to be nice.
I'm not sure what it is you are arguing about. I am in 100% agreement that regulation is necessary for a functioning society. However, the natural result of introducing new regulation is that some businesses will choose to leave the market. This is the cost of doing business. If a society can bear the loss of the business from the market, then things are good. That's about all there is to it.
> Another way of looking at it is that it levels the playing field between those that ride roughshot over their users rights and those that try to be nice.
Neither of those viewpoints are in opposition. You can both believe that more regulation kills some businesses through a 'death by a thousand cuts' and that these regulations level the playing field.
I'm sure such businesses exist. But this isn't one of them, the article writer is leaving his EU users for reasons all his own, as in: he made them up.
People are allowed to make up their own opinions, even ones not based in fact, and take actions on things they own regarding them. That is a fundamental human right, last time I checked.
If you abstract away the industry specific details of my examples, you are not supposed to physically endanger, harm or kill people regardless of the actual industry. So I would say it is exactly the same but instead of physical harm we are talking about harming peoples' privacy.
Maybe one could argue that there is something to be gained by differentiating the rules based on the industry but, at least to me, it is not obvious that the result would be better and not just more complex. Also there are already rules and laws for specific industries and how they have to handle personal information, think for example medical or financial data.
I built a small shed in my backyard. I didn't follow any building codes. I cooked a meal at home, I didn't follow any food safety standards. I build a gokart from scratch and ride it around my own property.
Should any of these be banned? Now if I tell my friend, 'Hey, you can store stuff in my shed/grab a plate of food/take the gokart for a spin', should any of it be banned?
I think you'll find recording a video of your neighbors from your home without their permission will be seen as quite different from your other examples by most people.
the laws you refer to preexisted. Did they tear down all the houses that don't comply with contemporary building standards? I dont think so. GDPR is enforced retroactively on everything since the beginning of the internet.
> Did they tear down all the houses that don't comply with contemporary building standards?
No, they fined everyone that owns homes commercially that did not upgrade the homes to comply. And then fined them again. And again, until they complied.
Where did that happen? There were earthquakes recently in Italy that tore down super-dangerous but not illegal houses.
In fact the construction sector is a very bad example here, because old buildings are usually covered by separate regulations , thats not true for software.
Some are pointless or even harmful to society. HN complains constantly about insufficiently dense housing....a situation caused by none other than building codes.
When possible, build in places with good codes, not bad ones.
If you see nothing wrong with moving websites into the category of buildings, aircraft, medical devices, etc... what are you doing on HN? The entire ethos of this community is free and casual, sometimes entrepreneurial experimentation with networked software. It may be necessary to end that for the greater good, but that’s not something to take lightly.
US law has surprising respect for the hacker ethos, so that even in highly regulated activities, there is a much less rigorous licensing regime for small-scale practitioners. . Experimental aircraft certificates, private pilot licensing, amateur radio licensing, etc. You can build yourself a car, cook food for a party, etc. without being subject to the laws about those activities under corporate mass manufacture.
No need to be snarky - you do have a good point that can stand on its own. However the issue is not black and white. And just because you think the GDPR is a step forward, some people disagree. Even the Monal guy might agree with you - he just doesn't think it is worth it. And why wouldn't we expect strictly enforced food safety regulations to prevent meals being shared? It might be worth it, but it doesn't mean there won't be collateral damage.
My comment is not intended to be snarky. I am aware that it sounds otherwise and I thought about adding a few more sentences to counter that, but there is just not much I have to add, it would just make the comment longer. So I decided to keep it short even if it might sound a bit snarky hoping that everybody is able to infer that I wanted to say that this is not some unique burden thrown at software developers but that we were some kind of exception not having to deal with that much regulation as other industries.
Why not give the user control and have things such as crash reporting be opt-in?
We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.
Suggesting that XMPP federation isn't compatible with GDPR seems like an over-reaction, isn't that like saying that SMTP isn't compatible?
Indeed and TBH when the part about Crashlytics made me glad about GDPR (although the rest of the message does indeed sound like an overreaction). I do not like when applications i use try and do things that are irrelevant to what the application is all about, especially when these "things" involve communicating through the internet and even more so when i am not informed about it.
I think it's a weak argument to suggest that crash reports are not "what the application is about" it contributes to the ongoing development and stability of an application which you use.
That said I do think there should be an expectation that your participation in crash reporting would be voluntary and explicit.
For example, IP addresses are considered personal information but what that means is you just can't blindly collect them. If the service you use relies on IP addresses as a basic point of operation then its fine.
> that means is you just can't blindly collect them
Genuinely curious, what about all of the web servers that log every request which usually by default includes the client IP? Not doing anything special with the IP, they are just there in log files and archives.
Personally, I'll activate anonymization of ip addresses in my logs coming next week. There are various solutions for that available.
I think you can also log the ip, you just have to get your user's explicit consent.
I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.
It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.
So much as I dislike the new privacy laws, at least the made me reconsider my AdSense settings.
It's fine to collect this information in your logs as it's part of the normal operation. I log them for security reasons and the logs do not persist for more than a week or two, which is less than the month I'd have to comply within. Provided you're not logging IP addresses for non-legitimate reasons and you're not keeping the data for longer than you reasonably need to, you have nothing to worry about.
Also the section of the GDPR that talks about pseudonymization using a token how should my user DB table be GDPR compliant? Contains ID (primary key), username, password hash, email, etc and the ID is also in other DB tables for obvious reasons (such as user posts/actions).
I think it can simply be GDPR compliant if you inform your users that you are saving that data in your database, and they give you the explicit OK to do to. Explicit consent meaning they tick a checkbox saying "I understand that page x is saving the data y in a database and I am OK with it".
If you have a site where users can make posts, I'd say they pretty much give you consent by signing up. IANAL, though.
The consent has to be explicit. Of course, you can always just require consent in order to sign up. Just as long as it's clear what's going on and you can remove/anonymise the data if the user decides to revoke their consent and leave the service.
OK, but explicit in what sense? Does it have to refer to the GDPR, as in "I agree my dta will be stored according to GDPR"? I must admit I have trouble understanding it - how could anybody sign up anywhere without data being stored?
>We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls
We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least). Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.
The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it.
> We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least)
So someone having a copy of my data that I wish be removed is trampling on a webmaster's rights? That makes no sense whatsoever.
> Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers
This isn't even true. They have _a tiny bit more_ control of what you can do _with their_ data. That's it.
Buckle up because this type of regulation is only going to happen more frequently and in large part because of your attitude that it is "your" data versus the user's data.
But it's not "their" data. It's the webmaster's data. It rightfully belongs to the webmaster. It just happens to pertain to the user. There is no justification for that information still belonging to the user after the user surrenders it to the website.
> But it's not "their" data. It's the webmaster's data.
No
> It rightfully belongs to the webmaster.
No, you are completely wrong here. The basic point of the legislation (and other privacy legislation in the EU that came before GDPR) is that a users personal data absolutely does not belong to the someone else once collected.
Your personal info, username, account settings, marketing anayltics, etc. are definitley you're data and you should be free to have them deleted.
The two year old IPs in a server log sitting in backup, or a chance occurrence of your username in a random call stack for some web exception is not your data, and you shouldn't force a business to have to dig through that mound of digital noise to satisfy your deletion needs
I obviously wasn't talking in a legal sense, I was talking in a "what's actually right and good" sense. The law doesn't make something right. Rightfully, the information belongs to the webmaster. Under GDPR, users get to put a leash and muzzle on webmasters.
Well, I'd say it's also not at all rightful in a "what's actually right and good" sense.
And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell user's e-mail addresses to some spammer or whatever.
"users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do"
I'll let that excerpt speak for itself.
And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary.
> And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary
Views like this are exactly why we need the GDPR.
I find it utterly ridiculous - disgusting even - that you really believe you have the right to do whatever you want with someone else's personal information. When you provide an email address, physical address, name or other PI, it's with the expectation of it being used for a specific purpose - you should absolutely not give you the right to sell that information to the highest bidder.
The Equifax breach was already illegal - I assume you mean you think that websites shouldn't keep user information to prevent future data breaches.
This is a bad solution to that problem. So many people's data was stolen that preventing future data from being stolen isn't the most important thing we should be doing. Last I heard it was 150 million people - that's enough that it no longer really matters to the average person if their data is leaked in the future because there's such a high change it already has.
The real solution is to change our systems so that data leaks aren't a big deal. If people didn't ask for a 9 digit number to identify me, as if that's a reasonable thing to keep secret, then it wouldn't matter if everyone in the world knew it. That's the problem with data breaches like this. That's what we should be fixing in response to it.
Holy shit man, did you come right out of "Atlas Shrugged"?
This isnt even users feelings, this is data that can a:have monetary value and b:can be plain wrong and damage a user.
Do you think that merely by observing data you have right to it? Do you not believe in any IP law? If you agree with any type of IP law then you are just being hypocritical by insisting that webmasters get to take and use whatever data they come across
>Do you think that merely by observing data you have right to it?
Yes, with some exceptions for actual copyright and the like.
>Do you not believe in any IP law?
IP law, yes, but I don't feel a user's entries into a website automatically qualify as IP owned by the user. The terms of many websites actually say that whatever you upload to them is owned by the website, unless a prior IP applied to it. I've only ever heard the claim that your name et al. are your inherent IP from "Sovereign Citizens" before.
IP law is not a natural right. It's been encoded into existence by laws. The GDPR is encoding new rights into law in regard with personal data.
I don't see a way to declare one bad and not the other unless you're just saying that new things are bad.
Additionally the terms of websites can say whatever they want but it doesn't mean they are legally defensible. I could put into my terms "by finishing this sentence you agree to be enslaved by Lovich LLC" but that doesn't make it happen
A bunch of 3rd party trackers collecting every move you make with your cursor probably won't fit most people's definition of 'voluntarily entered into a website'.
As a webmaster, I have an absolute right to carve '192.0.2.7 requested /foo.html from me' into stone and store it for posterity.
The GDPR prohibits me from doing that, and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.
Some people, on hearing this, say, 'well, that's fine, you can just store 192.0.2 or 192.0 instead.' That seems pretty silly to me, since the whole point of logs is that they contain full information.
The GDPR tries to do the right thing, but it's broken. Immutable logs are a fundamental right.
I also would prefer more clarity in the area of logging IP addresses, and would like to have a clearer consensus on what is allowed here. I think we will get a clearer picture after a bit of time.
It appears to me that as long as you don't use the logs for nefarious purposes you'd at least have legitimate interest in processing them (including the IP addresses), and so could keep them. This is the stance I am taking with respect to my personal webserver (together with a time limit after which logs are deleted); if a regulatory body informs me to change my approach, I'll gladly adapt.
Note also that IP addresses can be personal data, but do not have to be. Most claims here seem to relate to a ruling, where the IP address was deemed personal data in the hands of an ISP, who would be able to resolve it to a real person [1]. If you hold an IP address, but can't connect it to a real person (e.g. by having legal means to convince the ISP to give you that name based on the address), then it seems the IP address would not even be personal data in the first place. In the particularly ruling, the operator of the webserver was the German government, which presumably has more legal power to make an ISP turn over identifying data on a customer than a random website would have.
In any case, I hope some more clarity about this will emerge soon. But what you are talking about here would at best be a borderline infraction (and probably just be covered under legitimate interest). OTOH, what the person starting this thread had in mind seems to be that all the data he might collect on his users is fair game to do with as he pleases.
I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.
I'm sure the person you're replying to is also talking in the 'rightful' sense. While the data collected technically belongs to you, it can still be a privacy violation. This is extremely important on the web where it's very easy to share that data, make it public or accidentally leak it.
It can be a privacy violation but the idea of a fundamental right to privacy is not universally supported like free speech.
If it is a fundamental right, how far does it go? Should I be able to sue you for watching me walk in a public place? Photographing me? Video taping me? What about a privately owned but still public place?
There are a lot of questions here that I think people tend to skip over about users owning information about them and being able to control it.
There are lots of laws against following someone and observing/recording every move they make.
Making some observations out your window of cars passing by is something no one ever had a problem with. Taking down every single identifier you could and coordinating with others to track that person, for a profit, is something that would not be kosher in meat space.
Why this different just because it's on a computer?
The laws you talk about are, I think, laws about stalking. I'm not aware of any laws that apply to that kind of thing if it happens on a massive scale. Singling someone out is an important part of stalking.
Keeping detailed information about everyone that enters your store isn't illegal, as far as I know. Especially not information that is gained from observation (what color shirt they're wearing, their IP address) and information that is submitted willingly (their name given for a reservation at a restaurant, their username).
I wasn't trying to say it was - I was simply saying that when you base an argument on free speech, you don't have to explain why free speech is a good thing because it's generally accepted by everyone to be a good thing.
In this case, a lot of people base their argument on a fundamental right to privacy which is not generally accepted by everyone and therefore it has to be explained because it's an important part of the discussion.
> Rightfully, the information belongs to the webmaster.
What? Because you just decided that it does?
It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?
If I get nude picutures of you, or your mother, daughter etc. is it then "my data"?
Am I therefore allowed to do with that data as I wish?
I think most people agree that unless those pictures are gathered with very specific consent, subject to many restrictions, they are not "my data". This is obviously an extreme example, but the reasoning extends to more data that is considered sensitive. The point being that "data ownership" is a complicated issue.
The credit card example was already illegal by other, more targeted legislation.
Nobody likes getting a lot of junk mail, but it's not the end of the world. I actually got my first credit card from a pre-approved offer found in junk mail.
> [...] Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.
You are saying that's a bad thing?
Services that require you to sign up, should provide the possibility for users to look at, modify and delete their user data - that's all. Where's the problem?
Yes, I'm saying that's a bad thing. Someone shouldn't have a right to come into my house and tear up a piece of paper in my drawer if I happened to write something about them on it.
The problem is that there's no justification for having the right to coerce other people just because they have information you gave them. If users enter names into your website, you're not allowed to run a statistical analysis of what names are most common on your website without asking. If people named Jane are more likely to eat ice cream, you can't target ice cream ads at them and help keep your site free, without asking them. Worse than just this kind of coercion of what you're not allowed to do, users can coerce you into taking time out of your day to expunge records about them. It's all entirely backwards.
The point of GDPR is to switch collecting users’ personal data from being a benefit to being a liability. That will absolutely cause short term pain to some companies that hadn’t expected this, but it ends up as a long term benefit to society, the same as most legislation.
Do you have a source for most legislation being a long term benefit to society?
If forcing low-earning EU citizens off the internet because every website requires a subscription is a social good to you, then sure, it's a long term benefit.
Is the internet even a net benefit with this current trend towards turning everything into clickbait or some other psychological experiment to get traffic and harvest data off of it? How useful is the average website now compared to what the internet was like in the 2000's?
Even if it would all be a net benefit, why is it ok for all of these companies to be so misleading about it. No one out a simple EULA, for what is happening with the data. Hell half the agreements just say that the companies can do whatever with the data, but an average person does not have the ability to parse the output of the legal teams of every company they interact with every day. The only way this could get even close to an equal footing between users and companies is if every single person was a lawyer
The rate of high-quality content being added to the internet has surely been on the increase as the adoption of the web increased, even if the likes of clickbait and spam grew faster, shifting the "average" quality down.
I don't agree with that at all. In the 2000s I frequently could find new and useful websites for learning on every Google search. Now I have to wade through hundreds of sites that only host clickbait or repackage other sites content so they can deliver ads that end up containing malware. The internet has given me a commodity in the form of constant good data that is unequivocally an improvement, but the signal to noise ratio on the web has gotten worse every year
I'm not seeing exactly where you disagree there. There's more bad information now, and a higher ratio of bad to good, but I'm saying despite that, there's still more good than there used to be, and probably a higher rate of good being added.
For example, with small numbers for the argument's sake, say in 2000 there were 5 good webpages and 4 bad webpages added to the internet every day. Now there are 10 good webpages and 50 bad webpages added every day. That would mean we're getting more good information per day than before, but the signal to noise ratio has gotten worse, as you said.
I'd agree that the total amount of good information has increased but if bad infi is being added at an accelerating rate compared to good info then I wouldn't say the rate of good information is increasing in anything but the most technical sense.
For all intents and purposes the information doesn't exist if you can't find it, you can only find information as a certain rate, and a larger and larger chunk of that information bandwidth every day is bad information. The practical result is that the rate of good information someone has access to has decreased even if the total system has a nominally higher rate
>Oh no, that's a real pity. Oh no, poor webmasters.
Why are the rights of people who own websites less important to you than the rights of other people?
Regardless, you might not still be saying this once half the websites smaller than Google become subscription-based in the EU or just block the EU altogether.
I didn't really realise it until the GDPR got into full swing but I'd much rather pay with money than with data.
What you're describing is a good thing. If you're going to treat my data like an almost stale slice of pie selling it off cheap to anyone who will buy it - Please do block my access!
> Someone shouldn't have a right to come into my house and tear up a piece of paper in my drawer if I happened to write something about them on it
They don't have that right. GDPR only applies to business. If you mean you wrote it in your house for some business reason then yeah they have the right to know you've done so and why and the right to ask you to remove it if you don't need to have that information.
In no situation do they have the right to come into your house. That's a touch too far into the absurd.
As it seems that we are making society-wide sweeping statements here, I'll add mine:
In a society where the webmasters have shown that they can't uphold their duty to secure PII (or any kind of data really), as evidenced by ~monthly high-profile data leaks, they deserve to be restricted in their "rights to the fruits of their labor".
I find your view very interesting. You have a very capitalist and US law based perspective on it. For one, not everything in a society needs to allow to "collect the fruits" of individual work (which is essentially capitalism). Europe has much more socialism mixed into their understanding of their societies than the US.
Further, the US law is based on risks of heavy punishments but few regulations, while the law in many parts of Europe is based on strict regulations but less high fines. It looks like the EU has too many rules, but that is a subject of perspective.
Problem here: The internet gives a shit about borders and society.
Please don't just say this is a US perspective. This is a sociopaths perspective that the current US legal system promotes due to the machinations of the same group of sociopaths.
Every business owner here who would complain about how the GPDR is taking their rights to their personally earned data away would be the same people who launch a lawsuit because one of their competitior's products had a typeface that was vaguely similar to theirs
There are regular people here, they just don't go starting businesses that have abusing their customers as a business model because they couldn't sleep at night if they did that
Targeted ads hardly qualify as abuse to me. Getting to use a website for free in exchange for your browsing data being analyzed is a great deal and a win/win for everybody.
Surely anyone who disagrees with your feelings on this matter must be a sociopath, though.
It's not just targeted ads. We see a new data breaches every week that leaks customer data and is used in identity theft that causes actual, quantifiable damages to users. The entire internet, and increasingly physical goods in our homes, has become the equivalent of a ghetto where every single person has to have bars on their doors and look over their shoulders constantly to avoid having shit stolen from them or their privacy violated.
The GDPR didn't arise out of some feeling that companies we're making too much money. It arose out of the fact that the industry refused to self regulate. They were given years to do this and the standard operating procedure for security around data right now is to lol because who cares if you have a breach, that's a problem for the people you harvested data from, not you.
The bad side effects from this data harvesting are called negative externalities. A similar set of negative externalities is pollution.
Do you think it's immoral for regulations to make certain business model that rely on dumping poison into the water or air unprofitable, just because those companies could have made some money if only they could do what they liked regardless of the harm to others?
You're not allowed to "degrade the service" or allow access contingent on consent to targeted ads/tracking, so the practice isn't going to be sustainable for websites when only a tiny percentage of users give consent, seeing how they get to use the site one way or the other - have their cake and eat it too.
Implying that the majority of user's wouldn't just instantly click the largest button that says "make this annoying wall of legal text go away" whether that is agreeing to tracking or not?
While the inability to target ads based on data about you and your search history searches removes some amount of advertising income. Websites would still be allowed to show ads, and I would imagine that those ads can be specific to the article currently being viewed.
This is exactly how conventional TV advertising works, just because you don't know the gender, race, political views and entire life story of a website user, doesn't mean you can't get almost the same effect. You can target ads in general at specific content and hit most of the correct users anyway rather than targeting specific users and the content they have viewed in the past.
"The study, which looked at ads run on member networks during 2009, showed that among users who clicked on a behaviorally targeted ad, 6.8% converted. That compared with only 2.8% of those who clicked on a run-of-network ad."
No one's arguing that the targeted ads don't make more money. We are arguing that the extra value from the ads is not worth violating everyone's privacy.
A quote I heard recently is "Some of you may die, but it's a sacrifice I'm willing to make." That's what the tone towards small businesses/websites in relation to GDPR sounds like to me. I can't understand valuing this right to the "privacy" of not having your (often anonymized) identity tied to a marketing profile so much that you'd rather some free small websites no longer exist and others move to subscriptions.
I am sorry if I formalized it too general. Like you say, it is purely focused on the law system and unrestricted capitalism, which as an individual you either use or not.
Sociopath is a tough word, but in the original non insulting meaning of deviation from the common society, I think the word is right.
"We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation"
We still do. Nothing has changed on that front.
"Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time."
As it should have been from the beginning. Having the standard being that the company hoovers up all your data all the time without telling you what they're doing with it or why they need it was a terrible, terrible thing.
"The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it."
> We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.
Government intelligence organizations like the NSA and foreign equivalents will now have a monopoly on unsolicited data collection. Which, combined with selective enforcement to prevent disruption of gov cartels, is one of the few reasons it went through.
>I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
>1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
I thought this guy was a single person who put something on Github. How is he required to appoint a DPO? What kind of large-scale processing of personal information is he doing?
That seems insane, and I'm definitely not a lawyer, so maybe there's an out, but I think maybe he's right. Article 37 is pretty clear that if your core business involves processing data that's subject to the GDPR, you need to appoint a DPO, and it can't just be you, because they also require that the DPO can't have a conflict of interest. Man, that's unfortunate.
you are a public authority (except for courts acting in their judicial capacity);
your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
In Germany the law has been that you only need a DPO if a) you are a public authority, b) at least 10 people in your organization/company handle or have access to personal data or c) you handle sensitive data (e.g. health records).
As far as I know the GDPR doesn't change these requirements here. So even if you're a company of 5 people and just handling some email addresses or similar data you certainly don't need a DPO.
First of all, you're saying "core business". Is this even a business?
And I copy-pasted direct text from the regulation. Note how it says "large scale". Twice. If he is actually processing personal data on a large scale, then maybe it is not unreasonable to have a DPO.
At a certain point, even if you are a single person, if you are processing and tracking enough data then you still shouldn't be allowed to do what you want. Company's could just outsource all liability to single person consultancies then like they outsource a lot of none core jobs to consultancies to get around employment law now
It really comes down to the definition of "systematically monitoring". On our service we capture behavior (say in FullStory) and Google Analytics at a "large scale". How the DPO clause gets interpreted is going to be a key finding in the next few months. This is imho the most confusing and potentially difficult part of GDPR
Not that's irrelevant in this case. The question is whether you're processing sentive PII on a large scale. DPO is only necessary when processing sensitive PII. Sensitive is very clearly defined in the law as race, religion, medical records or biometric data. And IP addresses certainly do not qualify as sensitive PII (they are PII though) so I don't understand the entire discussion here. Seems to be just a political kneejerk
That's fair in this case, at my company we track "pregnancy status" and "due date". It's unclear at this point whether that's considered sensitive PII.
XMPP does have presence functionality so I'd consider that to be systematic monitoring. I don't know if his service is doing that, but it's one of the most useful aspects and definitely seems to fit the definition to me.
No. That article says you only need a DPO if you're a public authority or if you're processing certain data or you're processing very large amounts of data.
I'm struggling to understand why that's unclear. Is it the use of "public authority or body"?
Monal is an XMPP chat system. User's messages are user data, and everything it does is processing that data, in the form of broadcasting it. I suppose as long as the data doesn't count as "very large", that'd be fine, but what does very large mean?
> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.
For some reason, I can't reply to Max_aaa's question directly.
> How do you guaranty that nothing in the messages being handled by the server is "sensitive personal data".
You guarantee it by reading the rest of GDPR. It defines sensitive personal data separately than personal data. Sensitive personal data is defined by GDPR to be things that can be used to discriminate against the individual, such as race, ethnicity, religion, health information, credit information, age, etc.
EDIT: And what I mean to say is that if the messages aren't passing through the server or being stored on the servers, then the only info being handled by the server is the meta-data including IP address, which is not included in GDPR's definition of _sensitive_ personal data.
Example: Parts of our software run on customer servers and as such they are processing data in their control and not ours, hence can for example used to filter out personal data before they are then sent to our servers, without causing any GDPR related triggering of sending personal information to a third party (our company).
It's not “processing user data on a large scale” that requires a DPO, but “processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
AFAICT, it's not a public authority or body (37(1)(a)), it's not "regular and systematic monitoring of data subjects on a large scale" (37(1)(b)) (it seems to be merely crash reports and minimal information required for the service, not systematic monitoring), nor is it one of the special classes of data (37(1)(c)). I'm not sure how you could could conclude a DPO is necessary.
I suspect it's going to be a bit like IR35 in the UK. Menacing on first glance, but so broad in it's definition that any court is going to struggle to draw the hard conclusions for anything that isn't what the law was explicitly created to prevent.
Having to rely so much on the discretion of the courts is not a good thing. Generally, it is better if all people who agree on what happened agree about the legality of that.
When instead it is up for interpretation, that comes with issues. The first is selective enforcement, there is also the chilling effect on both sides. Those who ought to be protected worry about the slack given to their potential predators. Meanwhile those who are 'potential predators' need to worry about the slightest move that is illegal under some interpretation.
The end result of this chilling effect is fewer willing customers, fever willing companies, and less mutual trust. Notably, this lack of trust persists even if you presume everyone still follows the law. At that point it seems to me a law has failed.
I don’t agree. All laws are up for interpretation. That’s why we have the judiciary. Law makers draft laws, courts decide where those laws fit into the wider body of law.
The kind of law making you’re implicitly advocating is tantamount to despotism. Drafting a law that outlaws islam might well be clear in it’s wording, but it needs to be tested against the law that allows freedom of religion, freedom from persecution, and a ton of other laws no doubt. The claritiy of language with which a ban on islam is articulated is all for nought if it’s contradicted by, and incompatible with other laws.
Although, GDPR has been explained very clearly. And we’ve been given a loooong time to digest, understand, implement, and question it. I don’t think any reasoable person can make a compelling case against GDPR. But unreasonable people can, and as we’re seeing, they will.
Companies with less than 250 workers have fewer requirements, but the obligation of a DPO follows a different set of rules https://gdpr-info.eu/art-37-gdpr/
Edit: Art 30 "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
This was in one of the earlier drafts of the GDPR but was removed, so you can be required to appoint a DPO if you are a small startup as well, but only if one of the conditions mentioned in article 37 applies to you (which I think doesn't to the OP).
Recording IP addresses in a web server log does not qualify as "regular and systematic monitoring of data subjects on a large scale" by any stretch of any definition.
And that's besides the fact that they don't have any presence in the EU. GDPR's scope only includes companies with at least some presence in the EU. That's not just because it'd be unenforceable - the laws make no attempt to include a wider scope than that.
I don't think he can. The DPO may not be assigned any tasks that would result in a conflict of interest between their role as a DPO and their other responsibilities. I suspect that means that the sole proprietor can't be the DPO. But, you know, not a lawyer, not even European, could be wrong. See article 38, paragraph 6, 2nd sentence.
Yup, I read that and I don't see how it would be in the conflict of interest for probably the vast majority of cases. But, yeah, I'm not a lawyer too.
Edit: DPO Network says this which I think is a pretty good summary (though it's not part of the explicit legal policy, it's someone's opinion)
> CAN WE ASSIGN ONE OF OUR EMPLOYEES AS OUR DPO?
> Yes. However, you must ensure that other professional duties of this employee must be compatible with his/her new duties as DPO and do not result in a conflict of interests.
I imagine when running a business one faces many stupid bureaucrats, this could be another one (or they could be competent and understand and accept the technical explanation of how my imaginary company complies with GDPR).
But yeah, why quit because of the n + 1th bureaucrat, when you've dealt with n of them while starting and running of your business?
> Being the sole owner and manager and being the DPO is clearly a conflict of interest.
Could you clarify why you think this is so? As an owner, my interests would align with the DPO's interests so it's hard to me to find where the conflict of interest would reside in the case of being the sole employee _and_ DPO.
Now if it's a large company where they make money per GDPR policy workaround then I could see it being required another person than the owner, but it could still certainly be an employee.
I would say there is a definite conflict of interest for the sole owner to be the DPO - you are responsible for the entire direction of the company, thus have considerations beyond data protection (rather than an individual who ONLY has to consider the data protection outcomes in the exercise of his duties). Even if you make data protection a paramount concern, and intend to be fully compliant, there is the possibility that you could e.g. make more money or provide a better service by making a different choice, therefore there is a conflict of interest.
That's a big assumption. In an executive/owner role where, say, you are the CTO, surely data protection (and therefore the risks and penalties involved in controlling this data) are a core concern? Owning or being in an executive position seems to me to be an investment of interest, not a conflict.
And even if such a conflict does arise, as it surely will somewhere, the text linked states that the controller and processor shall ensure that such a conflict does not exist. It does not say that "You can't do this because 'conflict of interest'", it just says those two roles will ensure there will be no conflict of interest. If you read all the guidance, you will see that the DPO is the most protected role. It has the least liability. The data controller and processor have their own responsibilities, from a liability pov.
Unless you are the business owner/executive, DPO, data controller and data processor...I can't see this being a conflict of interest. Ever.
I don't think it's a big assumption as the law as well as the guidelines clearly state that point (from "Guidelines on Data Protection Officers" [1] by WP29, pages 16 ff.):
> The absence of conflict of interests is closely linked to the requirement to act in an independent
manner. Although DPOs are allowed to have other functions, they can only be entrusted with other
tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular
that the DPO cannot hold a position within the organisation that leads him or her to determine the
purposes and the means of the processing of personal data. Due to the specific organisational structure
in each organisation, this has to be considered case by case.
> As a rule of thumb, conflicting positions within the organisation may include senior management
positions (such as chief executive, chief operating, chief financial, chief medical officer, head of
marketing department, head of Human Resources or head of IT departments) but also other roles lower
down in the organisational structure if such positions or roles lead to the determination of purposes
and means of processing. In addition, a conflict of interests may also arise for example if an external
DPO is asked to represent the controller or processor before the Courts in cases involving data
protection issues.
In summary, if you have power to decide how or for what purposes the processing of the data is to be carried out you're probably not allowed to serve as DPO. Of course in the end it's the company's decision who to give that role to, but not following the guidelines increases the chance of non-compliance.
Younneed a DPO if you 10 employees or more. Fornhiavcase, he most likely just needs to update his privacy policy and have a form to collect users requests (like TypeForm) and make sure that he handles them (event if it's manually deletion in database).
A designated DPO is a ROLE not a person, that's a huge difference. Just like a security officer in a small company is a role assigned to someone who most likely has other duties too in a large company it will be a dedicated person (and in a really large company there might even be more people working in a team under a CISO or something to that effect). So 'designated' means that the role has to be assigned to a person, it does not say 'dedicated' where you'd have to have a person whose exclusive job is DPO.
So, DPO is not necessarily a person with no other duties. In most smaller organizations that deal with sensitive data the DPO role will be shared with the CCO (Chief Compliance Officer), only at a certain scale of processing and with certain data would you need to budget for a dedicated DPO from day one, but presumably your business plan will also foresee in other things such as office space, computers and so on. Certain businesses come with implied costs.
I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
All of our infrastucture has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
I don't have any knowledge about monal.im (don't know what it is - some kind of im client?), but this person is making some claims:
- he needs a data-protection officer: no, only larger orgs handling lots of personal data need this. If he's making an im-client and not servers that store data he certainly doesn't, but I don't know what his setup is.
- crash analytics: This can be handled by telling the users clearly that you'll be gathering the data (and defaulting to not gathering if they don't actively approve). As long as you have a proper PURPOSE for gathering and storing the data and don't use it for anything else you're golden. You do have to document this, in case of a review (hyper-unlikely).
- Push: he's getting a message and storing the device/ip combination. This seems to be central to the service he's providing. Therefore he can and should put that in the description/terms of his service (as he cannot deliver the service without this). As long as it is clearly explained to the end-user this is fine, and he can keep doing it. If he stores it and does anything with this data other than the central purpose that he informed the end-user of he's in violation. I'd suggest putting it in clear text in front of the end-user and deleting the data as soon as it's no longer needed. Don't do any non-approved analysis on it. If you want to analyse - ask for permission.
XMPP federation may be a problem, I agree with that. The problemer here (as I see it) is that each service getting the personal data must only process it for the purposes explicitly agreed to by the end-user and honour any subsequent notifications of rectification and deletion. This is a hard nut to crack indeed.
> I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
> All of our infrastucture has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
What if I didn't want you to visit my website. Sure, by the letter of the law I am collecting PII (your IP address) but I think I can reasonably argue that it's quite a technical feat for a private layperson to go from "sudo apt-get install apache2" to "removing IP addresses from log files".
Sure, this is tongue in cheek - but most of that panicking I read was people concerned about their personal websites, especially with the "might be taken as professional work stuff just because of ads or you're blogging about tech as a tech freelancer.." - didn't really hear anyone with a company panic.
If you didn't want visitors to your site you shouldn't have put it on the web. If you want visitors to your site without any strings attached you should serve the content without grabbing and storing anything about the clients.
This is called the "technician's responsibility" where I come from. To only track/store/process what is absolutlely necessary, in order to not be liable for the consequences when someone you cannot feasibly stop wants to do something untoward with the date (i.e. unconcented analysis, government extraction of data, breaches)
I know the "logging by default" comes from a different age of the internet, and I'm absolutely for minimizing data collected - but I'm sticking to my opinion that as long as the default of every internet-facing package is logging IP addresses by default, it's not good that private owners have to face problems or a lot of work because of that.
I am assuming the answer is no, but would a startup be able to build a SMTP or NNPT like system today? It would be a shame for the GDPR to be yet another force moving the Internet from its historical decentralization reinforcing the current centralization trend.
I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
That person doesn't own those bits on that hard drive.
They don't own the bits. They own the data those bits represent. The person/company who does own the bits has to comply with the rights of the owner of the data.
How you decide to store it makes little difference as long as it's digital.
Fun aside: if you store it on paper you're not beholden to GDPR. Crazy.
Think about. A person doesn't own the random bits (data) about them that goes through and is stored on various systems they interact with. Under the GDPR in the EU, they might have a right to know what is stored about them on various systems, but they don't "own" that data.
> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. 4In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. 5The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC¹.
Article 1 (c): the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or ....
What makes you believe that the "large scale" refers to the size of the organisation and not on the amount of processed data.
>... I frequent Europe and do not want to get into legal trouble on vacation.
Does the author seriously believe this could happen? Enforcement of GDPR is similar to antitrust law. A regular police officer isn't going to fine you for that.
The author's anxiety makes as much sense as not traveling to the United States because you're worried that your one-person pottery business might be considered a monopoly under the Sherman Act.
BetOnSports, an AIM listed UK company took sports bets over the internet, including from US customers:
> In July 2006, their then-CEO, David Carruthers, was arrested while changing planes in Texas on the way to Costa Rica from the U.K. In April 2009 he pleaded guilty to federal racketeering charges, and in January 2010 was sentenced to 33 months in prison.
> BetonSports plc is a British online gambling company founded by Gary Kaplan in 1995. The company was one of the biggest players in the United States online gaming market, drawing in several billion US dollars in wagers in the early 2000s.[1] In June 2006 US authorities indicted the company and a number of its executives on RICO, mail fraud, and tax evasion charges arising from its supplying online betting to customers in the United States (the alleged crimes took place before the adoption of the Unlawful Internet Gambling Enforcement Act of 2006).
This is about federal crimes committed by executives of a billion-dollar company.
OP seems to be a solo open-source project, and violating the GDPR is not a criminal offense. This isn't even close to being comparable.
While I agree that violating the GDPR is much less likely to result in being pulled off a plane than running a company that allows people to gasp gamble on the internet, your characterisation of the problem as 'federal crimes' seems to suggest that there was something much more nefarious going on than simply allowing people in another jurisdiction to do something over the internet that is completely legal in the jurisdiction you are based in. I could be wrong, but according to my understanding, that's not the case.
The 'federal crimes', were precisely enabling US customers to gamble over their phone lines. That was enough to get a publicly traded company in a friendly nation categorised as 'organised crime'.
The other thing you mention about how it's not a criminal offense is something important a lot of people seem to be missing. If you're violating the GDPR and someone notices, the first thing that happens is that they work with you to try to correct the problem, not that they hit you with huge fines and laugh while twirling their mustaches.
Maybe we just misunderstood each other a bit: My point about the 'federal crime' is not to judge gambling as more nefarious, but to simply point out that the violated law in this case is a completely different type of law (criminal).
As you correctly note, the GDPR is an EU regulation that will be enforced by national regulatory bodies through warning letters and fines. Unlike for criminal offenses, there simply is no way for it to be enforced by a police force or through arrests.
Reading through the indictment, it appears that BetOnSports was actively (and repeatedly) advertising within the US. I feel there's a rather clear line between operating in one jurisdiction and merely accepting customers from overseas , vs. actively seeking out customers and doing business in a jurisdiction where your activities are illegal -- I'm not sure I would categorise it as "completely legal in the jurisdiction you are based in" when you are deliberately doing business, and spending money, in another jurisdiction.
Well in the UK the only criminal offenses under gdpr are around falsifying records to fool the regulator or attempting to deanonymise data. Both of which are punishable by a fine, not prison. And since you can't go to prison for a civil offense I think your comment is misguided.
Now if the state has got to the levels of your tasteless gas-chamber example, i don't think you need worry about data protection law
I'm both surprised that people react so strongly and... mostly ok with it. Majority of GDPR is pretty reasonable - know what data you have and make sure your users know it as well. Allow removing it, make sure you don't share with parties who don't need it. For normal services it doesn't appear to be a tough retirement.
You certainly don't need to hire extra people like author suggests and federation should be just fine. (it's essential to what the service does)
We're talking about chat.. you shouldn't be logging the contents, at most a bit of metadata to prevent abuse (eg. a connection log to identify and block spammers).
If you don't store that metadata longer than needed (a couple of weeks? storing it for years would be hard to defend) you have legitimate reasons to keep it, and don't need to worry about deletion requests
That's why I mentioned I'm ok with projects reacting strongly and removing themselves. Removing my info (and many other GDPR points) is in my interest. If they can't do this, I'm glad I won't be their immortal user.
I was going to say the same thing. If you're an individual running an OSS service, or a small business, requests for information or deleting information really are going to be really rare.
This project is completely out of scope for GDPR, not having any presence whatsoever in the EU. You aren't going to be arrested when going on holiday. You wouldn't be breaking the law at all, even if it was possible to enforce anything.
Even if it was in the EU, it wouldn't require a DPO, and your use of IP addresses is very reasonable and within the standard allowances which don't require user consent.
Maybe bother reading _anything_ from an official source before coming to this conclusion? This reads to me more as something you want to have a rant about because you don't like it - rather than as any kind of pragmatic decision.
Disclaimer: I work on GDPR stuff for a company it certainly applies to, this is my opinion not my companies
We’ve spent tons of money & interacted with lots of official sources trying to get opinions about what GDPR means and it just isn’t available.
Everything is a risk mitigation technique right now with no real answers in sight. If I had any personal projects serving traffic in the EU right now that weren’t profitable I’d likely shut them down.
I think it’s likely that the regulatory agencies will act with restraint and this will all be hysteria without merit, but I’ve seen enough legal opinions to know that’s not the worst case scenario.
What are you talking about? There's a ton of information about what GDPR means, both from the EU and the national regulators (particularly the ICO). The best sign that the regulators aren't going to go crazy with this, is that they already have quite significant powers and they're not throwing their weight around now.
This lawsuit doesn't seem to stem from the GDPR, despite the article (mistakenly[1]) mentioning it. I don't even know if the regulatory bodies are enforcing the GDPR yet, much less in February this year, or even worse, 2015.
Here's a statement from the CPP, connected to the 2015 lawsuit. They mention Facebook being in breach of Belgian privacy laws from 1992.
[1] - none of the other reporting I found on the subject(Guardian, Bloomberg, etc) mentions the GDPR. They also don't show the court order, which is frustrating.
Honestly, most small USA businesses take one look at "Up to €20 million, or 4% annual global turnover – whichever is higher." and just run. There's no point in even trying to salvage the situation.
> For the 3.7 million small businesses with 1 to 4 employees, the Census Bureau figures show average annual sales in 2007 were $387,200.
Given that, who wants to risk a 20M fine? All this advice in this thread to do this, run it through a lawyer (lawyers are expensive especially international ones), makes no sense to the majority of the businesses in the USA: there are less than 8M employers in the USA and a very small percentage has a yearly turnover of even a mil not to mention the ~600M USD where the fine changes from a constant to a percentage.
To give you another idea of how much money this is, about a quarter of public companies have less than 25M USD market cap.
As a dual Canadian-EU citizen I am stupefied by this law.
Please actually read the law before you try to argue with “as a...“. The fine scales with the violation and it does -surprise- not mean that arbitrary Github projects will have to pay 20m€...
Similar laws already exist and have existed for a long time. There’s no evidence of disproportionately and illogically large fines having been handed out in the past, and nothing to suggest regulators will start now.
Show me a law where you need to make half a billion euros before the potential fine becomes proportional of your turnover.
It only takes one opportunistic apparatchik to make your life hell and this GDPR thing is now law in such places like Hungary where I haul from and if they can get away with it, trust me, they will go overboard. Maybe not 20M overboard but still.
The overreaction to GDPR from US tech startups in particular surprised me at first. But my partner is a lawyer working on GDPR compliance for a variety of tech firms, and he explained that there's almost a historical cultural difference in terms of attitudes to ownership of personal data.
European regulation typically treats personal data as being the property of the person being identified; US tradition considers data generated by a company to the be the property of that company, not of the person.
This made the whole massive unnecessary panic by primarily US-based small companies much more understandable to me.
It's not really 'unnecessary' if you didn't account for the objectives of the GDPR in your initial design. Assign any moral attributes you like to it, if GDPR requires substantial tinkering with your product then it's reasonable to be concerned.
While this developer may be overreacting (he probably doesn't need a DPO), i understand why it might just be easier to block it , at least until there are precedents about how to comply and more info on how the regulation will be enforced.
GDPR can be scary for developers, because nobody actually knows how a website or app is supposed to work (I have yet to see a single example), and it requires a series of steps that are not trivial on the administrative side. The Right to be forgotten is the easy part. Having to document everything you do and introduce data-dumping mechanisms that are both anonymous and secure is administrative burden. Having to do that for every little project that you release, even if it has 10 users, is a bit too much. Many developers cast a wide net, releasing products often, and this is practically unnecessary work unless you have a significant amount of users.
Introducing opt-in forms everywhere is also not great. It didn't work for Windows Vista so why do we expect this to work on the web? Opt-ins for things like cookies should be implemented on the browser. What's the point of warning a person before sharing their email? What's the point of warning them even you 'll install a cookie? IP addresses and cookies etc are integral parts of the HTTP protocol and the browser so why not introduce anti-tracking regulation that targets browser vendors and telcos instead of introducing regulation that targets every developer on the planet? It doesn't seem like an optimal plan imho. The example of the cookie law (for which it's hard to argue that it has not utterly failed) should act as a bad precedent, not a good one.
It's easy for US developers to be positive of GDPR because they can avoid the overreaching parts, but for us in the EU its something we have to abide by 100% of the time. I 'd like to hear what other people think about those, because otherwise i hear a lot of emotional praise for GDPR which is blind to how problematic it is at day 0.
> The example of the cookie law (for which it's hard to argue that it has not utterly failed) should act as a bad precedent, not a good one.
It is an utter failure but mostly because services try hard to turn it into a travesty and simultaneously manage to deceive their users by attributing blame for the annoying cookie warnings to regulators.
"We are required by law to show you this stupid warning because our site uses advanced features that need cookies to work. Without them, you couldn't even login! (OK)"
Which, of course, is utter bullshit. If you can stop this deception, things might actually work out as intended.
Sites may rethink their need for personal data gathering if cookie warnings would have to look more like the following.
"We'd like to analyze your site usage for ad targeting and other things that make us some more money.
Do you agree we use cookies for that? (yes/no)
NOTE: Even if you disagree, standard site functionality like logins will continue to work unharmed."
I don't think you need to get explicit agreement when using cookies to implement expected site functionality, as long as you don't use re-purpose them for profiling/targeting purposes. IANAL, though.
If a law can be so easily circumvented, does not provide an alternate solution and fails to effect any change at all, then it's a failed law and a bad law, regardless of good intentions.
Please be nice to the developer. I didn't post it to shame him. I'm just very sad about the post because I was hoping to establish XMPP as the group chat in my family, of which half are iPhone users.
The developer has decided to spread misleading information and FUD about legislation protecting people. We shouldn't be "nice" to people deliberately spreading lies.
Unfortunately every single one of these stories has turned into a long form ad-hominem attack against the site owner and their supposed alterior motives.
Just curious (to you or anyone else affected), would you be willing to give up your rights under the GDPR, with regards to this company specifically, to regain access? Do you believe you should have a right to trade these rights of yours or is it in the general good that companies cannot offer an easy GDPR opt out?
If the result of the GDPR is that only big companies, employing as much lawyers as developers, will be able in the future to provide the tools I need, then yes I would be willing to give up my rights under the GDPR. Because what is the alternative, if all small messenger provider have to give up everybody will be using FB? Is that better for privacy then the current state?
Wouldn't a better alternative be to design a messenger that complies with GDPR? Simple user accounts that can be deleted at the request of the user, peer-to-peer encryption (and where possible, communication), a "storage cabinet" for each user where encrypted data end in when the user is offline (with an encryption/decryption key that is generated client-side and transmitted while both users communicate) and can easily be deleted and i think this covers most uses.
This is just an idea that i came up with right now, but if you start your design with the goal to store as little data as possible and anything you store needs to be both encrypted and easy to delete, then i believe you can come up with several ideas for most issues.
It also helps to see this as respecting the users' privacy and giving them control, as opposed to a development burden :-P.
I don't think you actually answered his point. Sure you could build an IM client that is GDPR compliant, but at what point do the costs become so high that everyone just defaults to using Facebook because (1) they can afford to be compliant and (2) they are trained well enough to not fuck up their encryption.
In other words, are we moving towards a world where unless you are VC backed (Signal, Telegram, Whatsapp, etc) don't bother building an IM client? Also note, I don't think there might be anything wrong with that - if we expect all our communications to be E2E encrypted, maybe Joe Shmoe shouldn't be writing an IM client.
There is an assumption that there is some additional "natural" cost involved because of GDPR, but where does that assumption come from? The cost might currently exist if you are not compliant and you need to convert (or you need to skirt the edge between what is allowed and what not), but if you start with being firmly compliant from the design phase, where does the cost come from?
I think everyone already knows that more regulations hurt businesses. We don't have to wait for the result to find that out. The question is whether the help done to consumers outweighs that. There are many ways to tackle the privacy issue beyond a large, sweeping law.
> I think everyone already knows that more regulations hurt businesses.
That's not a given. Further, it's more important to look at what's better for society as a whole. Further, less regulation within banking caused some big profits.. but also some hefty problems.
The company would still be subject to the GDPR which they may consider an unacceptable risk. I'm specifically asking whether users would like to be able to give permission to ignore the GDPR altogether or if they see that ability as harmful for society in general.
You don't need a DPO. I work with healthcare businesses and some of them don't even need a DPO.
You only need a DPO if you are a public authority, if you do large scale processing or large scale processing of sensitive data (ambiguous in the GDPR).
If you collect some data, all you need is a privacy policy outlining such, stating what you collect in general and that your legal basis for doing so is to provide the user a service and to monitor for app crashes / bugs - both within your legitimate interests.
Many people have interpreted GDPR to be stricter than it is. In fact, those who have to do the most work are those that cause incredible damage to individuals when they lose data - especially those that have had recent, massive data breaches e.g Equifax.
It's not defined. It was left intentionally ambiguous in the GDPR so member states have some flexibility in definition.
I've got a call with a lawyer on Monday to clarify some bits of the GDPR. Number one Q for me is "how far can you take legitimate interests?".
Some lawyers are advising that marketing data and usage falls under legitimate interest, in a way that these higes drives for consent seem unnecessary.
If anyone else has any questions, I can ask and feedback. I'm sure I'll have those questions too.
Possibly but they are not "sensitive data" (aka "special categories of personal data"). Article 9 of the GDPR outlines what these special categories are:
"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation"
Oddly, GDPR gives 3 reasons why you would need a DPO:
1. you're a public authority (NHS practices are an example)
2. Large scale processing
3. Large scale processing of sensitive data
They don't specify what large scale means. They also haven't specified how sensitive data qualifies the third statement. One can assume the threshold is lower but the GDPR doesn't specify any thresholds with regards to this.
It really should be defined by company size or revenue. If I my site goes viral and a small web app suddenly has 2M lines of logs, but my revenue is small/non-existent, then there's no reason to comply. If that pushes my revenue over 1M euros a year, you now get pushed into a zone where you should be compliant, and you have enough revenue to afford it as well.
Another comment in this thread indicated that "large scale" was any business in which 5 employees or more had access to the data in the course of normal business operations.
Not exactly an ironclad source, but better than nothing, hopefully.
I'm convinced this is the start where EU citizens become second class Internet users. Many businesses just don't want to go through the troubles of GDPR regulatory hoops. For most businesses, there's enough customers to sustain their business in the US, Canada, rest of the world that they can ignore all EU customers.
If a business blocks EU citizens what will happens is that either another one who cares about GDPR will pop up and be able to work with both EU and non-EU citizens, or the business in question wont be that important in the first place. In either case, nothing will change for most people.
Maybe, but imagine if Google, Microsoft, Facebook, Amazon, etc. had decided to pull out of the EU. Not that any of them aren't replaceable, but providing the suite of functionality that any one of them does to their customers would not be a simple feat.
"Second class citizens" might not be the right term, but would "segregation" be an appropriate term?
Except that Google, Microsoft, Facebook and Amazon have been at the table when GDPR was written and will be compliant with it. So it's a completely bogus argument.
What would most likely happen is that companies that act as "middle men" would pop up that provide the functionality those sites do. But TBH i doubt that would ever happen in the first place, even with much stricter rules. There are way too big of an audience to be lost.
It's "viral". If you ignore privacy while processing data, you are not only excluding EU customers. You are also excluding US/Canada/rest-of-world companies that want to operate in the EU market.
> I'm convinced this is the start where EU citizens become second class Internet users.
This is free market with 550 mil potential users/citizens, void will be filled pretty quickly by other companies/developers that actually spent some time reading about what GDPR is.
> Europe doesn’t have a stellar record when it comes to high tech startups. For many reasons.
For many reasons indeed, this is broad topic and GDPR doesn't change anything if we are talking about big US players and their domination. None of them is getting out of EU.
> And I am afraid GDPR has just added another one.
I disagree, it's the other way around. Small single person companies/developers that will get out from EU market will could only strengthen local market. Any other US/EU/outside EU startup/developer can fill that void.
> Europe doesn’t have a stellar record when it comes to high tech startups
Which automatically implies that you were talking about non-EU tech companies leaving EU because of GDPR and EU startups filling their space. And now you fail to see how this will make more likely succeed EU companies? What?
I think you fail to understand what the point of my argument was. It doesn't matter if this will be EU founder or US founder or XX founder, if there is a void it will be filled, doesn't matter who will fill it. This is an axiom describing the free market.
> onerous regulation
I am conducting online business in EU handling personal data and I don't find it onerous at all. Adding to that as EU citizen I am happy that this regulation was introduced in EU law system.
How is knowing and writing down what your actually do with user data (and employee data, btw) and who is responsible an onerous regulation?
In a world where lots of small shitty businesses (and some bigger ones) don't care what happens to your personal data it's long overdue for this being finally regulated.
Yes, the void will be filled by megacorps like Google who were practically GDPR compliant 5 years ago because they have armies of developers and lawyers dedicated to data management and legal compliance.
Are you preparing to start such a company? I know zero funders excited about regulation. About technology and platforms, sure. But never about regulation. Only lawyers get excited about that.
Maybe, but GDPR is not the only business-hostile regulation EU has. Together they make an environment in which even 550m users may not be worth it for the small startup. They will simply pivot to the more competitive, but freer, US market.
In that case where there is a proven market demand for idea B you can either compete with company A (which presumably has more resources than you), or enter into a market that company A has willingly forfeited.
I think the second option will have plenty of takers if it turns out that US companies are that scared of GDPR.
Many of the comments here are rebutting - saying that a DPO isn't needed or that this guy gave up unnecessarily. But the fact that he had to spend who knows how much of his time to even discover whether he needs to do anything (or what sort of trouble he could get into) is too much of a barrier for many people and their hobby side projects. This is unfortunate and not surprising collateral damage of the GDPR.
I'm a small businesses owner. When I first found out about the GDPR, this was exactly my view, and I even posted on HN to that effect.
Then I actually spent a little time to find out more and, as someone who cares about privacy, quickly realised the positive intent behind it, and how simple it is to comply with in principle: let users know what data you collect and what you do with it, and give them the possibility to request it or request it's deleted.
TBH, if someone requested any of this, I'd do it without the GDPR.
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
A DPO is most certainly not required by all organisations[0], and I would be suprised if it applied to this project. I know lots of blogs are saying it is, but it is simply untrue. I'm not saying that this totally relieves the burden however.
A lot of people are claiming that a DPO is required. GP is saying that a DPO is most certainly not required and that the claim [that a DPO is required] is simply untrue.
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
Lots of people are responding to the DPO side of this sentence, saying that it's not as onerous as the author of this article is making it sound, but as someone who's also not based in the EU it's the "EU Representative" part that I'm more worried about myself.
Article 27 says:
> (1) Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
Article 3(2) is the bit that says the GDPR applies to processing outside the EU of EU citizens' data etc.
> (2) The obligation laid down in paragraph 1 of this Article shall not apply to:
> a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
> b) a public authority or body.
It's clear here that not everyone outside the EU needs to have an EU representative, but 2a is wordy and confusing enough that it's real hard for a non-EU non-lawyer to figure out with certainty whether or not they need one. The ambiguous combination of 'and's and 'or's don't help, but 'unlikely to result in a risk to the rights and freedoms of natural persons' sounds like something that's ambiguous enough on its own that you might need an EU lawyer to actually interpret it.
Reading the FAQ, the only way to really safely ignore the DPO provision would be to hire a law firm with GDPR expertise to parse the vague language in the law and to give written guidance as to whether the law applies to each specific web site, which you can then present to EU authorities in the future to show you performed due diligence to try to meet the requirements of the law.
I can only think you are not familiar with European principle based law vs US rule based law. Where you see 'vague', I see 'flexible' and 'able to move with the times'
Have you considered that a law being "flexible" and "able to move with the times" is exactly why someone wouldn't like it being vague? A law that is "flexible" means that it's a law that can be arbitrarily applied. A law that can "move with the times" means that what might be fine now won't be fine later and just maybe you will be the first to find out.
It doesn't matter if European law has a history of being "principle based", if it can fuck you then someday it just might. Europeans might be fine with this, but I think most Americans would not be. If I was in OP's position I would do the same thing, by simply blocking an IP range all possibility of being made an example of by some people from another continent is flushed down the drain. I'm absolutely baffled why people think this is absurd, if you're not even making any income off of it, why would you ever open yourself up to such expensive potential liability?
The FAQ is referencing the legal concepts in the law's text. For example "sensitive data":
"(...) including for the processing of special categories of personal data (‘sensitive data’)", special categories are mentioned on Article 9. "(...) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation"
Do you store or transfer or process any of that data on a large scale? Is it personally identifiable? "Processing" is defined on Article 4.
I believe the original legal text, though not the easiest to read, gives you a fairly clear idea on where your organization or project should stand with respect to GDPR.
(1) What data do you process?
(2) How is it connected to your economic activity?
(3) How do users consent this use of the data?
(4) Is your data "sensitive data"?
If you're some random guy online doing large scale processing of "sensitive data" you better hire a law firm with GDPR expertise to understand and comply with the law, I mean, that's the whole point.
(1) The controller and the processor shall designate a data protection officer in any case where:
...
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or ....
Article 9 describes personal data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, ...
I would say that messages send via IM are personal data like described in Article 9. I also would check the "large scale" checkbox. So in my interpretation he will need a DPO.
I don't think he has access to the messages, it's an IM client. If he did have access to the messages then I fail to see how having to hire a DPO in that case would be outrageous. If anything, that's the reasonable thing to do.
> Your evaluation of the impact of the law on your project is lazy
That seems a very pejorative way to describe it. You can say the same thing in terms of "you could probably keep operating if you put a lot of effort into understanding the details of the law" which kind of proves the author's point: this creates work for people and why should someone do that work for no return? Where does the presumption that people owe EU citizens these services at a higher standard than the rest of the world is content (legally) to accept?
Youtube, disqus, twitter are designed to collect as much info about persons as possible, so yes, it might be difficult to prevent them from doing that.
The fault lies entirely with those companies, which did the wrong thing with impunity until it was literally outlawed.
This is going to sound crazy, but I spun up an instance of a simple open-source comments system[1] for a blog that I write, and I chickened out of deploying it because I wasn't sure if it complied with GDPR. I distrust Disqus over their ad-driven model and deep tracking of users, so for now I’m just doing without comments.
Is it possible to self-host something that handles user data (name, comment, IP address) and comply with this regulation? What if there's more data, federated data? Can one just spin up an instance of Friendica, for example, or are there additional steps required for compliance? I'm honestly not sure anymore.
If you do it for hobby it is not a problem. For IP address if you don't store it indefinitely, like you can anonymise IP after a month. I think you store IP for spam protection, solving user issues, which is lawful basis so you can protect your good interest. Most important you are not passing it to some third party. Second you can always make consent checkbox.
DPO is required only if you really store race, religion, credit card data, health records. If you keep name and IP you do not need a DPO.
There is so much FUD about GDPR, it will pass after a year. Now compliance vendors are having part, a lot of champagne will be opened on May 25th.
In the end if you know, what data you have, why do you have it and who you share it with, it should be good enough.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
> Is it possible to self-host something that handles user data (name, comment, IP address) and comply with this regulation?
Yes. There's something called GDPR legitimate interest (a subcategory in the "Lawful basis" someone else mentioned here), which lets you store e.g. IP addresses for security reasons, without asking for permission.
I think Talkyard ( = open source comments, no ads, no tracking) is GDPR compliant. For example, people can download their personal data and delete their accounts. (I'm developing it).
1. Isn't this person allowed to be the Data Protection Officer themselves?
2. Is APNS inherently not compliant or if there something unique about this use-case?
What's kind of great about this new regulation is that we get a clear view on businesses that can't adequately protect user's privacy. It's painful for businesses such as these, but ultimately it seems that consumers would come ahead of it.
If the weak link in this case may not have been the developer themselves, but external factors but it's still a pretty interesting data point.
This makes little sense. There is nothing in the GDPR that you shouldn't already have done. Besides, even if you don't operate in the EU, it makes sense to have a basic privacy setup anyway, and GDPR compliance is just that...
On top of that, this isn't american lawyering. If you make a mistake or are simply trying but not having a good time at it, you're not automatically destroyed, put in jail, fined for billions of euros etc.
The GDPR is beneficial to everyone, except people with bad intentions or bad practises (like having big budgets for PR, Ads and the CEO but not for tech).
The GDPR for basic FOSS and other single-person software boils down to:
- Don't capture data and not ask first
- Don't capture data and not tell
- Don't capture data and now show
- Don't capture data and not say where it is
- Don't capture data and not say who can access it
- Generally, users should be able to CRUD their data
- Delete data on request
- Export data on request
Most of that is common sense and in most non-commercial services this is available anyway.
You can make it even simpler:
- Only CRUD when a user CRUDS and tell them that is what they are doing while they are doing it
- Make sure the delete/opt-out/close account button actually works
- Have a line somewhere saying "i'm hosting this on platform XYZ in country ABC"
Since you are likely going to build CRUD + delete account anyway, that's a solved problem. Unsubscribe/Delete account usually already exists, no problems there either. That leaves writing a few lines telling users where you are storing stuff and how to contact for issues.
Don't forget: laws comparable to the GDPR were already in effect long before the EU came up with a EU-wide version. In the UK for example, you could ask a business to send an export of all the data they have on you via mail, and they were bound by law to comply. In the netherlands, if you store PII of people who are not your clients and send them mail/spam/offers, you get fined. Hell, they even had a more universal version where you aren't allowed to put mail in someone's mailbox unless it was addressed specifically to them, and there was one where you weren't allowed to put any ads in if the mailbox was marked for that. And you have a system where cold-calling was not allowed, same for fax-ads.
I don't really get it. So what's the burden for the developer here - he argues that the IP is PII (personally identifiable information), which is true, but I don't think it means you can't log IPs in general anymore?
So is now every standard apache2 installation a non-compliant (illegal?) service, as it logs GETs?
I don't think that's the case.
//edit: It seems to be the case that you are ok if you do log-rotation and delete old ones - which makes sense, so you can still use them for debugging.
The burden is if the EU does investigate him, for whatever reason whatsoever, even if he is 100% compliant he needs to spend money to prove he is compliant and deal with the EU.
Why would you think that? If he wanted to be compliant he only needs two things:
1. Some procedure that allows him to answer users privacy requests ("what information about me do you have?", "Please delete my personal data from your servers.")
2. A so called "directory of procedures" which states what data you collect and who's responsible for it.
If your fail to comply with 1. the user can call upon their local data protection agency who will contact you and request the contents of 2..
At no point would he need a lawyer or spend money, even if he were based in the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do handle lots of user data.
Most of this stuff has been law in Germany for years, I've dealt with the German data protection agencies many times (from both sides of the aisle).
- They helped me force my university remove personal information about me from the public uni website (by constructively explaining to them why it's a bad idea to have this information about student online in the first place).
- When someone trolled me by registering me to a dating platform which refused to delete the fake profile and spammed me for a year, one mail to the agency was enough to stop these idiots.
- When I worked with social workers, the data protection agency (after a client accused us of mishandling their data) helped us go through our communication procedures and identified some point where client privacy could easily be improved.
As a US company, if you don't want to deal with this, just don't. If you do handle user data you should, though.
I think the majority of users on HN are from the US. And going by the GDPR related comments over the past few months, it seems the litigious US stereotype really is true - a lot of people seem to be prepared to "lawyer up" at the drop of a hat!
Pretty sure that is exactly the case. GDPR went all out on user privacy that is simply a burden for small businesses to deal with EU citizens, it's financially more sensible to just block the entire EU from their services.
That makes a valid point: You should open a bug with Apache to remove IP address and User-Agent from the default log formats, as they should not be logged by default or else GDPR issues arise.
You can log IP addresses if there is a legitimate use for them. You just need to ensure that they are protected and that you do not keep them for any longer than is necessary (= use logrotate).
Logging them by default is a silent opt-in to a scenario where you are legally obligated to protect data you may not even know exists.
Anyone whose software logs IPs by default should stop, so that the admins who choose to log IPs must voluntarily choose to log protected information and handle it appropriately.
A "society" is all about building up information about the people around you and knowing about them. Complete anonymity often leads to the breaking down of people filters and behaviours, they think they can do whatever they want without consequences.
Many countries outlaw face coverings as they imply correlation with lawlessness.
The direct linking of IP address as PII flies in the face of that. If I am logging IP addresses for security and to monitor against abuse, and I in fact determine that an IP address is abusive, it behooves me to have any/all data that ip address used in my system to try to identify them.
The right to be forgotten .. why just online? Why just digital?
What if a shop owner or waiter in small town notes which customer like what, or what client tips well. Which local has annoying kids that she lets wander an vandalize the store.
If that owner/waiter writes that down in a log, and shares with co-worker on next shift ... is that in violation. What if they don't write it down and just have a really good memory ... what if they just 'organically' get a reputation and word gets around.
Is old wives gossip illegal under GDPR , or the "sterotypical" Italians mothers who keep an eye out on all the kids in street and report to each other who is doing what.
Plenty of stores and bars will have a list "don't take personal checks from these people" ... are those types of lists not allowed anymore?
If the GDPR was JUST limited to "customers" or people who have explicitly created accounts that might be one thing, but over reaching to say ANY apache webserver that automatically logs IP addresses had to be GDPR compliant is absurd.
If I post a tech blog with how-tos , personal ramblings, or even example code projects I release as open source that you are completely free to use or not use ... why do I have now have some obligation to you? You chose to walk up to my storefront and look inside ... I'm free to remember whatever I want about you while you looked around.
The US passed pretty broad overreaching Computer Fraud and Abuse Act [https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act] that many have argued is so broad that a violation of TOS could be considered abuse/hacking. If you view my site without agreeing to my TOS, should I be able to have you prosecuted?
I'm pretty sure lawyers and "consultants" are the only ones super happy about GDPR. Companies will still harvest user data with updated T&Cs and more buttons for the user to click, because all services will be useless without accepting. Governments will also continue gathering users' data for "the common good".
I'm pretty sure that many ordinary European (and US!) citizen are pretty happy about the GDPR as well. If clicking an extra button is really all it takes.
But despite the assurances of many here that it's not hard to comply, I'd probably have shut down the servers of my own hobby non-profitable location data gathering website as well, simply because even reading the GDPR document would be too much effort.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
Is there any actual requirement within the GDPR that this needs to be a dedicated person, or does being a DPO just need to be someone's responsibility, e.g. in the case of a one-man open source project the guy who runs the project?
> The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
I guess you could say that it is literally impossible for the DPO to not have conflicts of interest if the DPO is also the owner and manager of the company.
Well, if you're owner and manager, I think you've got the independence, adequately resourced and reporting about right.
If you're a sole proprietor and managing data at volume and sensitivity levels that a DPO is required, I hope you're an expert at protecting that data..
No there is no requirement for most bodies at all. Please see my other comments on this discussion. A person at my company is called the DPO, but that is far from their main role in the business
Also, my understanding is Germany allows for whistle-blowers to take a cut of fines. Language in the GDPR calls for over-estimating damages for loss of PII when compensating individuals as well.
Generally, I appreciate the GDPR. That said, it's a huge burden trying to go through many dozens of workflows, technical or otherwise, where (typically minimal) PII is recorded, catalog them, limit (and purge) intake of data to bare minimums, create documentation supporting said workflows to be able to provide the SA's, create a plan for being able to search ALL those workflows/databases/spreadsheets/apps that have PII to supply that data upon request, and then be able to delete all cases of such data upon request.
Turns out that's actually a mountain of work. It will probably force us to significantly improve workflows and combine data repositories moving forward but it's a large burden up front. Likely many hundreds, if not thousands, of hours for our fairly small enterprise.
I read that enforcement report. I think it was fully warranted that the 1,000 pound fine was levied against that company. (1) they did not immediately report the fact that they disclosed that customers private information and (2) they did not have appropriate technical measures in place to avoid such problems, specifically: they were tasking their cs reps to cut-and-paste information between screens that could display the information of two unrelated customers, a super stupid and error-prone set up.
The fine, 1000 pounds is proportionate given the size of the entity it is levied against, the resources at their disposal and the turnover of the company, if the company had been much smaller one would hope for leniency but the fine would have not been levied at all or it would have been 1000 pounds, no middle ground there.
The GDPR is by most accounts and interpretations aimed at "the big players" ... but it is not SPECIFICALLY written to be limited to them.
Two view points to this:
1) If make to specific, big players will find a way to slip through the exceptions and game/lawyer the system
2) So vague , that only the "big players" will have the infrastructure/legal approval to actually guarantee 100% compliance. Smaller fish that the reward just doesn't justify the risk/uncertainty will certainly pull out of the market.
If the law is about "supercookies" and targeting an individual throughout the entire internet ... it should say that.
If its about the transfer/monetization of the aggregation of data ... PII being sold for money or some other in-kind transaction ... say that.
If a single entity uses a cookie and retains data for one single domain and that is ok ... say that.
If retaining logs that contain an IP Address and the logged in credentials are ok to keep for security auditing. .... say that ... if its only ok to store them for a year(??), 6 months(??) , 1 month(??) ... say fucking that!
If a company/site is aggregating PII of over a million unique users is troubling and should be specifically bound by these restrictions and need a DPO ... say that.
If a site only has a few 1,000 - 10,000 Unique PII records/users of note , and is not the focus of these regulations .... say that.
Give concrete examples, lawyer the shit out of it ... leave open for amendments so when abused can be modified.
It's just a shitty law trying to fix an already shitty situation.
Long story short: Monal developer doesn't understand GDPR, makes a bunch of incorrect claims about it, doesn't want to understand it, and so removes his software from the EU.
That's his right, go him.
He didn't have to write a ton of incorrect nonsense about the GDPR though. He could have just skipped to the last step.
GDPR compliance is not actually that hard - I'm in the middle of doing it for a very large company - as long as you're not storing information about users it's almost trivial tbh, but there are a lot of unfortunate vague terms in the law (the intent is rather clear however).
The reaction to this law in the US is rather funny because the rest of the world has been dealing with strange US laws for decades on the web... finally something bites the other direction and people freak out.
> The reaction to this law in the US is rather funny because the rest of the world has been dealing with strange US laws for decades on the web... finally something bites the other direction and people freak out.
i'm quite positive that i've seen people call for europeans to not do business with american businesses on account of said us laws (in other HN threads).
> registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance. APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person.
Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for a legitimate interests of the user (or operator) as long as it do not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seems to fit that description quite well.
Agreed, I don't see how this possibly cannot be a legitimate interest - the user knows they need to be contacted for a push request to work, even if they don't understand or care about the underlying vagaries of IP addresses.
it covers it ... except when it doesn't. Which is open to 'interpretation'
Where is the scale balanced on this ... will it be the same in each of the different countries implemeting it?
>as long as it do not conflict with the interest of the data subject in regard to their need for data protection
Article 6.1.f
>processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
So ... I can retain IP records in my logs , as long as they aren't a child?
In regard to children I view it as part of two different interpretations. One is that data in regard to children need to be considered with extra care and in those cases that the process is written down or is more formal then that consideration need to addressed.
The other way to see it is a bridge to the US regulation COPPA, where operators in the US and EU now have to follow the same rules in regard to children. In this case Monal would have to move out of both EU and US in order to avoid the regulations in regard to children.
You don’t need a DPO if you’re a one man company, or your revenue is under a certain amount of which I can’t remember, because it hasn’t been relevant at our 10.000 employee municipality.
You’re allowed to track ips in your log, if there is a reason for it and you only keep them for a reasonable amount of time.
You do need to gather consent for push messages. But you can do so by simply asking your users, and frankly, you should always ask your users before you spam them, but it’s obviously going to be a little work to implement.
This is an overreaction, especially because no one knows how the GDPR plays out until it’s been tested in the courts.
> Obviously, this is needed for a notification to be delivered to the right person.
This seems pretty clearly a case of 'Legitimate Interest'. Filling in a couple of page word document (a LIA) and keeping it somewhere on the off-chance that someone queries you, is likely sufficient from my understanding. (This is not legal advice).
"APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server."
I didn't think monal ran their own XMPP servers? If they don't then is there really a danger of someone combining the data from the two services?
> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.
I have no idea, but if the monal developer isn't running any XMPP servers then is this even an issue?
This all seems like someone who doesn't like GDPR having a bit of a tantrum and interpreting the laws in a way that makes it seem like they are in a worse position than they actually are.
How can I be non-compliant with GDPR? If I could care less about it, is it enough for me to do nothing? Should I expect that European users should find out themselves that they my website is not GDPR-compliant? Or I must actively ban EU IPs?
I think the part about rather big enforcement penalties made it easy for various consultants to scare companies and sadly also some individual developers.
I already had to fend off implementing some ridiculous features. I've pushed against misconceptions and use of non-existent terminology that's not even in the law. People are taking info from all kinds of sources, some of them sketchier than others, despite the existence of official EU guides, and the law itself.
But I bet it will be easy to comply for most non-adtech/tracking businesses. And as an internet user, I'm looking forward to better data exports, data removal and more transparency.
My understanding of GDPR, if the logs remain anonymized... i.e. the IP addresses are not correlated with user records, then the solution is compliant. The IP addresses are not considered PII.
When I worked with GDPR compliance we tried and tried but still ended up with the opnion that IP adresses are considered personal information.
Article 4 point 1 in the GDPR indicates this (unless you can somehow prove that the IP is not related to the person, which I think we all know it effectively is in most cases)
One thing I see missing from these discussions is budget - specifically the budgets for the regulatory agencies responsible for enforcing GDPR. Lack of enforcement budget will, I think, make GDPR a non-issue for the vast majority of organizations. And as the EU ramps up its infighting over the new budget, there will be LESS budget allocated for something like this that has no vested constituents who will be helped or harmed by such allocation.
Every time something like this comes up, we see similar objections. They normally take one of three forms:
1) You are overreacting. The EU isn't going to come after some small fry operation, or some non-business entity.
This is an easy thing to say when you're not personally exposed to the risk. Would advocates of this position be willing to personally indemnify open source projects / side projects against GDPR enforcement? I suspect not, but perhaps there's a business opportunity in giving them the opportunity to do so. Sort of a GoFundMe for peer-to-peer insurance.
2) The GDPR is all about not being a jerk with your users' data. As long as you don't do that, and do relatively minor things X, Y and Z, you're totally fine.
This flavor of argument might actually be true, but if I'm assuming the risk I'm probably going to want to hear it from someone with skin in the game, like a lawyer, who I can point to if it turns out to be false. Even if I had the desire to read through the law (I don't) and understand the specific implications for my project (I wouldn't), the very act of doing this represents a cost that I could more simply avoid by excluding EU residents from my service. I'd choose the latter path every time, and put "support EU residents, check into the legal implications of GDPR" on the roadmap, for "someday".
3) You're exposed to millions of risks anytime you do anything. This is just one more and you're making a big deal of it.
Often this accusation comes with a subtext that you're trying to prove some political point, suggesting that you're making a decision in bad faith to "punish" the EU. Well, I personally think something like the GDPR is needed, and have no particular axe to grind, but I also have no idea if the legal exposure is serious, and no particular desire to put in the work to find out.
Yes, business, or really any activity, involves legal risk. In this case though, the risk is pretty serious, first of all because the penalties (20M Euros max) are serious, and secondly because it will be very difficult to claim that you've never heard of the GDPR. If Tonga creates some law impacting side hustles on the internet, at a minimum I can credibly claim to be unaware of that law. The GDPR on the other hand has been all over the news for weeks. I've clearly heard of it (especially now that I've commented on a discussion of it on HN).
My feeling is there's a real risk that this law will lead to a general practice of non-EU individuals, and non-EU startups launching MVPs to at least temporarily block the EU to avoid unnecessary risk. That's not the intended purpose of the law, but laws have unintended consequences all the time. If the EU wants to avoid this unintended consequence they should provide a clear, objective, and cheap (in terms of both time and money), set of instructions that will allow projects like monal to continue operating there. If such a set of instructions exists, I haven't seen it.
> This is an easy thing to say when you're not personally exposed to the risk.
No, it's an easy thing to say because we have over 20 years experiences of regulation around data protection. The regulators send a letter asking you to come back into compliance unless you've been really bad. They only move to fines if you ignore them.
Here's a company that was handling sensitive personal data (medical data). They have a legal obligation to register with ICO. They didn't do so. Imagine what would happen under HIPAA. Now read what happened in EU.
People freak the fuck out about the big fines, but they don't realise they're conditioned by the pathologicaly dreadful US system which aims to over-charge and over-sentence at every opportunity.
Here's some examples: The UK Criminal Prosecution Service sent some unencrypted DVDs through the postal mail. Those DVDs got lost. They got a fine.
Some time later they did it again - this time the DVDs contained interviews with children who were the victims of sexual abuse.
Think about this for a bit: no encryption, no secure mode of delivery, a repeat offence, incredibly sensitive personal data.
In fairness, this story is consistent with my own (limited) experience dealing with EU law. A few years ago, I was trying to determine if an EU based company I was advising really needed to offer the now-ubiquitous cookie advisories. I met with some very high profile (and very expensive) lawyers, who told me that although I technically needed to include the various popups and advisories, I was not in any real danger, because of selective enforcement. Eventually, they changed their mind and we added the sliders anyway, but for a time, the law was stricter than the actual enforcement.
But I was an american being advised by a top tier british law firm. How is a random guy releasing free (or cheap) services on the internet supposed to deal with a situation like that? The arbitrary nature of the enforcement is exactly what makes this a problem. If there were strong penalties, but clear ways to remain in compliance, this developer might have made a different call.
If I know I'm technically out of compliance, and I don't have a high powered lawyer telling me it's not a big deal, then I'm not sleeping well. And if I can solve the problem once and for all by taking the unfortunate step of simply cutting EU residents off of the service, then I'm going to at least consider that option, and probably take it in the short term.
If the EU wants to reassure people that "The regulators send a letter asking you to come back into compliance unless you've been really bad. They only move to fines if you ignore them." then they would be well advised to make that very clear. If they don't, you're going to see more of this, and really, if it's true, why wouldn't they?
So, imagine you're running a free service as a side project. And the state of Idaho introduces a law, that has federal teeth, such that if a resident of Idaho might use your service, you must register with the state of Idaho. Would you be happy about that? Is there any possibility that you might decide to simply block Idaho rather than deal with the hassle?
A better solution would be a webpage, hosted by the state of Idaho saying "Here's what we're after, don't do these things, and you're in no danger." Followed, hopefully, by a list of things that you weren't planning on doing anyway because you're not a jerk, and that are crystal clear so you don't have to speculate about how selective the attorney general of the state of Idaho is in prosecuting these sorts of crimes.
This is a manual by one particular consulting firm, and the text of the law. While reading the law may be good, it is really not feasible to understand all the repercussions without consulting a lawyer. While this consulting firm may have a good interpretation of key provisions, they are not actually your attorney, and their incentives cannot be known to really align with yours.
I mean, this isn't rocket science. More regulation is always going to lead to businesses leaving the market. This is not a bad thing, if your country is willing to put up with it. My guess is that the EU will not care about monal exiting the IM market, and their legislature has decided that they want to prioritize this regulation over the efficiency of the IM market. That's fine -- that's the EU's choice to make.
You have pointed me to the entire content of the GDPR. It's 11 chapters, with 99 articles. I'm unashamed to admit that I don't consider even skimming such a document "easy". I was imagining something more along the lines of a one pager with 4-8 bullet points, each of which was easy to address.
HACCP has nice 7 points, are you comfortable with implementing it on your own? Each country has its own regulator making rules. Restaurants are fined on violations all the time. (20M fine for GDPR violation is upper bound, if you have 10K/month revenue, you are not going to be fined with millions)
Should add to that that the law (which is generally abstract) will be interpreted by 28 different legal systems. EU legal system is not homogeneous and there are definitely different sensitivities between countries (e.g. Germans seem very happy about GDPR - the Poles less so). That's an extra risk factor imho.
> I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.
Harsh words but I feel they're warranted: If you don't want to treat my private data with the due diligence you should, then we're better off not using your service.
Just pointing out that some people may want to choose how they want their data treated case-by-case, instead of having no option to use the website because its blocked
It has a maximum, not a minimum: The higher of 4% turnover OR €20m. That means even with 0 revenue, your fine can be up to €20m (It won't, because if you're not making money your small fry to them, but still, the fine can be greater than 0)
20m euro or 4% of revenue, whichever is higher, is the max fine. Up to the individual to say how truly likely it is a small revenueless project could possibly get fined, even with large amounts of malfeasance.
If a similar law to GDPR was introduced in other countries such as the US, complying now would probably cost considerably less than dumping business in every country that does it and complying with all the laws only once you can't operate sustainably as a business anymore.
You CANNOT, by any means, consider an IP address to be "personal data". You cannot say "I don't want my IP to lay around in a database somewhere" because ... IT IS NOT YOUR IP. An IP address is used to uniquely identify a device on a network, not a person. This device can be (and usually is) a router, a proxy, a server of some kind, a corporate computer, a public computer and so on. Not to mention the fact that a device can also have multiple IP addresses at the same time. So, an IP address CANNOT be used to uniquely identify a person and it really shouldn't be considered in the context of GDPR. Ah, an IP address + some other identification data, that's another discussion. Depending on the combination, it might be considered personal data.
> [A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
I think the principle is that since an IP address could be used to identify you, it is considered personal data.
Even under current rules the common household IP-Address appears to be (in combination with any other relevant data (a timestamp for example)) personal data.
> Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person. [ECLI:EU:C:2016:779]
If you sell hardware, you have to deal with CE/FCC/RoHS and -worst of all- WEEE compliance, to name just a few. In comparison, GPDR is a piece of cake. Just sayin.
this is the natural reaction to a business model such as Facebook. they are making billions from everyones private data and the result is an overreaction that hurts mostly small companies
Guessing: even if you don't have assets in EU, you have a Google (or Facebook, or Amazon) account, and Google has assets in EU. EU could ask Google to ban you, or else.
That seems like a bit of a stretch, unless you were actively using Google's services as a tool of your wrongdoing. The EU would be forcing an unrelated private company to act as an arm of law enforcement. It would be like the local police punishing you for speeding by leaning on Applebee's to refuse you service.
Maybe there's a legal precedent for that sort of thing, but I'm not aware of it.
Comments here only show how terrible this law is, as nobody has a clue how to interpret the requirements. EU direction is simple - cripple the internet so that only handful of companies could afford to navigate regulational hurdles and that way it will be easier for bureaucrats to control it. Any small initiative kill with fines. In few years internet will be under full control of socialist regime and people are sleep walking into new reality with the help of do-gooders.
If you are running a small business and you feel that you won't be able to operate your business because of the GDPR consider all those other laws that you have to be in compliance with as well. If that's your attitude towards legal compliance then you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go away.
Legal compliance is a requirement for any business, and privacy law is just one more thing to take into account and for a small business that does not process super sensitive data (such as medical information or financial information) the costs of compliance are negligible. They're not '0', but then again it is a business and costs of doing business are the norm.