You can be respectful of privacy without complying with GDPR. It requires a lot more than simply being privacy-conscious. (E.g. I don't think Hacker News is doing anything unethical even though they blatantly violate GDPR.)
> Legal compliance is a requirement for any business
You are required to comply with the laws of your country, not those of other countries.
> You are required to comply with the laws of your country, not those of other countries.
No, you are required to comply with the laws of any country you do business with. This applies to any type of business, and I don't see why "it's on the internet" appears to be the main counter-argument.
If I buy something from you (via snail-mail or on the internet) and it doesn't follow the requirements of the consumer law in my country, I can ask you to comply with the laws of my country. If you refuse, I can report you and you will be fined (if you don't pay, then you can have your right to do business in my country revoked). In practice most cases won't escalate that far, but the principle is the same.
> Because by default any web site has, in the past, been open to people from any country that doesn't censor the web.
This has never been true since the internet was international. You have always had to comply with laws of countries you interact with, it's just that most people who ran internet businesses decided to ignore the law (just try hosting some copyright or patent infringing content on the internet and see how long it takes to have legal action applied, even if you aren't a resident in that country). And, despite the ethical questions about censorship, censorship is usually done through the laws of a country (for instance in Germany). So complying with censorship requests (or having your entire site blocked) is actually an example of complying with laws of other countries.
The world is made up of sovereign nations, and businesses that wish to interact with other sovereign nations must obey the restrictions that both nations place on that interaction. If you don't like it, then don't do business with that nation. I cannot think of another industry where this concept is seen as foreign -- it's a very fundamental part of how the world has been structured for thousands of years. Just because it's much easier to conduct business overseas than it was 200 years ago doesn't change the fundamental properties of what you're doing.
The fundamental properties of doing business overseas have changed. What used to be a prohibitively expensive enterprise is now within the reach of everyone.
And the cost of regulation, which used to be negligible compared to the cost of the enterprise itself, has now become a significant barrier for small businesses.
The costs of compliance are not a fundamental property of doing international business (after all, governments can change the cost of compliance or make it cost nothing). The fundamental properties I was referring to are that you are transacting with another nation state's people, and you have no fundamental right to do business with them unless that other nation grants you permission. Just because it is easier to do such business without permission or oversight doesn't change that you are doing the same type of business.
You might not think the costs are fair (and in practice that should be taken into account by regulators, to avoid removing all international trade and thus losing the benefits), but that is not really justification for arguing that this is a departure from how things have always been. Nor is it justification for arguing that you shouldn't care about the laws of other countries you do business with because you don't live there (which is what GGGGP was insinuating).
It is a departure from the way things have always been online.
The EU can certainly demand that web creators jump through hoops, but then they can hardly complain if creators outside the EU decide that interacting with the EU isn't worth the trouble.
Nobody is forcing people to do business with the EU. If you don't like the laws in the EU, then you don't have to do business with the EU. Simple as that.
(My whole point is that a lot of people arguing about GDPR want it both ways, and don't see that it's not strange that countries have rules for doing business with their residents.)
That is not true. You do not need to comply with any country’s laws except the one you reside in, except for treaties by your home country that say otherwise or your desire to travel abroad.
Just think of what China would do to the Internet if it could.
> You do not need to comply with any country’s laws except the one you reside in.
Unless you want to do business with another country, in which case you need to follow the laws of that country when you conduct that business. Which is what I've been saying the whole time.
> Just think of what China would do to the Internet if it could.
If you want to provide a service to China you need to follow Chinese laws or they will block you using their firewall. China is a (not very nice) example of how a country has the right to decide who it does business with -- if you won't help them conduct surveillance of their citizens then they won't do business with you and will block you from doing business with their people. You might not agree with their laws or how they act, but it is their right as a sovereign nation to create their own laws.
I never said you need to follow the laws of every country in the world, and I really don't understand how so many people are reading that out of what I said (and keep saying). If you want to do business with a country you will have to obey the laws of that country. That's the way international trade has always worked.
When the business is being conducted outside the EU but the EU is enforcing GDPR, it is a problem. The GDPR is specifically written for extrajurisdictional enforcement which is a big change in the world of laws.
I am just saying that the EU will not be the only jurisdiction following this model. Be prepared.
If you feel it’s important to comply with the laws of any country you accept HTTP connections from, why would you be upset with this outcome? Restricting your services to familiar jurisdictions until you can afford the legal advice to safely enter new countries is the only reasonable course of action in a world following that philosophy. One should not assume they’re familiar with the laws of 176 countries merely because they know how to start nginx.
Collecting personal information and running a business based on that personal information is very different to knowing how to configure nginx. You're putting up a bit of a strawman.
You can be fined if there is international or bilateral law or if somehow else the fine can be domesticated. There is no international regulation (not even consensus) on privacy so the law is not directly enforced here. However you are also not required to apply another country's law to all your customers, and if you don't want to you should (but are not really forced to) block the EU.
Considering that most online businesses are (effectively) a form of international trade, I wonder whether GDPR fines could be seen as a form of customs fine (which definitely is something that foreign companies can be forced to pay, as you've said).
"you are required to comply with the laws of any country you do business with."
Prove that.
Because that's not how "the law" works. I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.
No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees. And to my knowledge, Canada has not signed a treaty with the EU regarding enforcement of the GDPR.
> I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.
If you decide to sell a couch to someone in America, you have to comply with American tax laws, American import and customs laws, American consumer laws, American patent laws, American copyright laws, American trademark laws, and any other laws involved with doing a financial transaction with someone in America. The same logic applies for Australia, the United Kingdom, Germany, Belgium, South Korea, Japan, etc. Pretending otherwise is naive, and if you don't believe me then try to sell something patented in America to an American.
The key question is what happens if you break those laws. In most cases you will be given a fine, and if you don't pay then you will no longer be allowed to sell goods to consumers in that country. If you continue to break the law then you are probably breaking an international treaty on border control or customs, which means that you could be extradited or tried in your own country. Some of the laws I mentioned above are mediated through international agreements, but the fundamental point is that if you break their laws they can place sanctions against you to stop you from doing business with them.
Of course, for a couch business things would probably never reach that level. And for an internet business you probably would just be IP blocked or something similar.
> No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees.
But it only affects you if you make the positive decision to do business with a country that has those laws. If you don't decide to do that, then you don't have to follow those laws (obviously). You can't have it both ways though (the benefit of having access to a market without having to follow the laws of that market).
In the case of enforcement you're right that they wouldn't have the right to compel you to pay a fine, but they can in theory place sanctions against you. So if you continue to do business with sanctions in place then there is a process for extradition through international treaties.
> The key question is what happens if you break those laws. In most cases you will be given a fine, and if you don't pay then you will no longer be allowed to sell goods to consumers in that country. If you continue to break the law then you are probably breaking an international treaty on border control or customs, which means that you could be extradited or tried in your own country. Some of the laws I mentioned above are mediated through international agreements, but the fundamental point is that if you break their laws they can place sanctions against you to stop you from doing business with them.
A foreign country could arbitrarily decide I owed them a certain fine, or was no longer allowed into their country, or that they didn't want to allow my products into their country, at any time, whether or not I followed their laws.
In my daily life I've done, and continue to do, things that are illegal under e.g. Iranian law. That's fine and normal - I have no obligation to comply with Iranian law. Iran can make its own decisions about whether e.g. I'm allowed to enter their country, but that would always be the case.
If you make a profit in America you'd better believe that the US government wants a share of it (there are exceptions if you sign a W8BEN and ask for a tax exemption based on existing international treaties) but the default position is that you pay tax on profits made in foreign countries -- and this applies for any country in the world that has something resembling a capital gains tax.
If you sell electronics that are a fire hazard, you can be punished for breaking consumer laws. I mean, for an extreme example, if you sell an illegal substance in America from overseas you can be punished for breaking those laws too.
I think you're seriously mistaken as to how one-off (and maybe all) import into the US works.
If I buy something mail-order from Canada, I'm considered the importer and would have to pay duty on it, just as if I had driven a truck over the border, bought the couch over there and driven it back.
If it's something as big as a couch, chances are it's going to be held at a customs warehouse for me to pick up (after I've paid the duty).
If I need to do this on a regular basis, I'm going to hire an import/export broker or possibly go through an actual furniture importer. That's the company that's doing business in the US that owes US incomes taxes, has to comply with US consumer protection laws and any of those other regulations.
In all of these scenarios, at no time did the Canadian couch store do any business in the US, even though I, the customer doing the "buying" may have been initiating the transaction over the Internet (or phone or with a paper mail-order form) physically in the US and/or with a US credit card.
If that Canadian couch is a fire hazard, the US's recourse is to stop it at the border and not let it in (or punish the US company, only in the case of the furniture reseller), and possibly punish me, the importer, since I'm the one legally attempting to bring it into the country. AFAIK, they have no recourse against the Canadian company.
You seem to suggest that you can (for example) sell/distribute Canadian alcohol in Saudi Arabia, even though it's illegal there. Do you really think that's accurate?
Every country has the right to enforce its own laws within its own borders. You don't get a pass to do whatever you please in another country without their permission.
Edit: I noticed "my business exists only in Canada".
If you mean to say you aren't doing business in another country, then what you've written isn't speaking to the point of "you are required to comply with the laws of any country you do business with".
Yes. You can sell alcohol to Saudi Arabians from Canada. You cannot ship to Saudi Arabia. The buyer may pick up in another location where alcohol is legal including in person in Canada. What they do with the alcohol once in their possession is their business.
In which case you are doing business with (say) France, which has its own alcohol customs laws that you have to follow.
I never said that you have to follow the laws of the country of nationality of your clients. That'd be a ridiculous thing to say, and I'm not sure why you're arguing against that particular strawman (the GDPR only talks about EU residents and doesn't mention EU citizenship at all).
The word choice of citizen vs resident is a red herring. The issue is the extrajurisdictional reach of the law.
An EU resident "visiting" your business which is hosted and operated in the United States is the same as a Saudi Arabian coming to the United States to buy alcohol.
This is the reason why the GDPR requests an EU designated representative, so there is someone to charge locally.
> An EU resident "visiting" your business which is hosted and operated in the United States
Except the EU resident isn't "visiting" your business, you're providing a service to them across the US-EU border (and just like any cross-border service there are rules). I really don't get why this case is any more complicated than any other kind of consumer law (you can't sell electronics that blatantly catch fire to Australian customers, even if you're based in a country where consumer laws don't exist).
You aren’t providing the service across the border. The service is in your own country. The buyer is using telecommunications to make an order across the border.
The buyer is the one responsible for knowing their own local laws and should be responsible for managing them.
If a Saudi Arabian couple ordered a gay wedding cake from a baker in Montreal, over the phone from Saudi Arabia, in preparation for flying to Canada to get married, which laws apply? To whom?
Selling to Saudi Arabians and selling to Saudi Arabia are two entirely different things. In one you're conducting business in the Saudi Arabian market, and therefore under the umbrella of their government, and in the other you're conducting business in whatever market the person you're selling your alcohol to is located in, and under the umbrella of that market's laws.
When an EU business buys a service from an American operating in America from their website hosted in America how is this materially different than when a Saudi Arabian citizen visits New York and buys alcohol?
Because the EU business is not located in New York. It's located in the EU. By providing a service to an EU resident you are interacting across the US<->EU border and thus EU laws restrict what services you can provide across that border. I would recommend thinking about it like shipping products overseas.
No. It is quite definitely not true that you must comply with the laws of countries you are not in.
The EU is primarily leveraging the fact that most everyone wants to travel to the EU eventually.
While you are in your home country you have no need to comply with the GDPR unless a treaty between your home country and the EU exists to mandate it.
The EU is also leveraging their trade agreements.
What they don’t understand is that China is next and they have totally diametrically opposed views on consumer privacy. But when has the EU ever been farsighted?
The U.S. has been doing this for decades, applying U.S. laws to global citizens who happen to travel to the U.S., and I'm not even talking about kidnapping foreign citizens and taking them to Cuba.
And a US citizen who chooses to break EU law has very little to worry about unless they travel to an EU country, where that country's law will be applied.
> No. It is quite definitely not true that you must comply with the laws of countries you are not in.
Unless you wish to do business with that country, in which case you need permission from that country in order to do business with its residents. If you break their laws they can place sanctions against you, and if you find a way to break those you can theoretically be punished legally through extradition.
If you don't do business with those countries then you're off the hook. Obviously.
Just look at the recent Project Gutenberg copyright lawsuit for an example of how breaking the law of a country you are not in can cause you legal troubles.
If you are not doing anything shady, if you have your house in order security-wise, and if you do not collect data that you have no use for, you are 95% there. The remainder will maybe require consultation with a lawyer for an hour or two if you want to play it safe, but you could also simply wait for a few months to see how it all plays out.
If you are respectful of other people's privacy then there is very little chance that you will be found afoul of the law and even if you should be then you will be warned to become compliant long before you will be fined.
This whole discussion is beyond ridiculous.
Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.
> then you will be warned to become compliant long before you will be fined
citation needed
> if you do not collect data that you have no use for you are 95% there.
I have always been respectful and even never required emails on signups. I am not 95% there because there is a ton more to do. In fact I am at 5% because I have a lot of small scale past projects. Not everyone is a VC-funded startup.
That's the kind of emotional reaction that everyone has to GDPR. Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.
> I have always been respectful and even never required emails on signups.
Good.
> I am not 95% there because there is a ton more to do.
Such as?
> In fact I am at 5% because I have a lot of small scale past projects.
You've had two full years to get this done. The law came into effect the 14th of April 2016. It is now May 2018.
> Not everyone is a VC-funded startup.
If you can build it you can also build it in a way that is compliant with the law and if you built it in a way that requires a lot of work to be compliant with the GDPR then you likely were already riding a very fine line with respect to the DPD which has been in effect for much longer.
> That's the kind of emotional reaction that everyone has to GDPR.
Emotions are a bad guide when it comes to legal stuff.
> Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.
Everything. Even if you process just an IP you need to document your procedures, change privacy policies. If at any point you ask for anything you need to implement opt ins, a way for (unauthenticated) users to request their data (even if it's just 1 IP) etc. My point is that having negligible private data is not less of a compliance burden than having a lot of private data.
> You've had two full years
You mean I've had 2 years to attempt to interpret a vaguely written law. Actionable information is just now coming out, and even that is contradictory (cue this topic). Even the EU parliament's website does not comply yet.
> you likely were already riding a very fine line with respect to the DPD
First, that is a directive, not a law, and compliance can vary widely. Second, GDPR requires new procedures, which means it requires amendments anyway.
> Even if you hold just an IP you need to document your procedures, change privacy policies.
So don't hold IPs if you can't be bothered to know where they might end up and if you don't want to update your privacy policy. Why would you?
> My point is that having negligible private data is no less compliance burden than having a lot of private data.
And no data means no compliance burden.
Note that holding data already has costs associated with it no matter what you do: you need to secure that data, you need to back it up, you need to process it and eventually you will need to get rid of it. All of those cost money and effort.
> You mean I've had 2 years to attempt to interpret a vaguely written law.
As laws come the GDPR is surprisingly clear. I was quite skeptical until I actually got a copy of the draft and I was positively surprised. They actually got it mostly right, there are some minor things that I would have liked to see different but on the whole I am not complaining.
> Actionable information is just now coming out, and even that is contradictory (cue this topic).
The hysteria is ridiculous. Anybody that has spent even so much as a couple of hours on this subject - and from a somewhat serious point of view rather than the ridiculous fear mongering - knows enough to not have written a silly blog post like the one on display here.
> Even the EU parliament's website does not comply yet.
That article was not exactly enlightened to put it mildly.
> First, that is a directive, not a law and compliance can vary widely.
Yes, but if you did take it seriously then you are well underway.
> Second, GDPR requires new procedures which means it requires amendments anyway
Yes, there is some overhead. But this is mostly to ensure that the law will not be ignored like what happened with the DPD. As you say, 'it was a directive', which many companies interpreted as 'can be ignored'. What they failed to realize is that if you don't self-regulate after a directive is issued, there will be a version of the directive with teeth that has the strength of law. Congratulations, we are there.
No. This is the myth that "consent is always required". There are several justifications for processing personal data, and consent is just one of them. There are others.
First, notice how things like legitimate interests are not narrowly defined and are left up to the DPA to judge. Which makes it hard to know whether you even need consent or not. Second, this is the ICO, the British regulator. There are 28 of them, one in each country, and they won't always agree, so the application of GDPR policies can vary.
The legitimate interest definition is almost exactly the same as the existing laws on handling private information. If you want to complain about it, don't complain about the GDPR. If you've been handling private information for EU customers and have been complying with the law, then there is practically nothing for you to do.
But, again, if you're not compliant they'll just write a letter telling you this and asking you to come into compliance.
At that point you can check your understanding of the law and what you're doing and write back letting them know why you think you're in compliance; or you can change your process; or you can take it to court.
What happens when that is not possible though? E.g. in the case there is a breach and it is found out because of it that you were not compliant. Do they still write you a letter? Also, is this procedure common for all DPAs or just for the UK?
> Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.
That would have been a wonderful thing to see. The DMCA has had a chilling effect on speech worldwide, and has created difficult barriers for small businesses to deal with if they want to host user-created content.
I think you unintentionally made your opponent's point!