In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
There is nothing - and I do mean nothing - written into the GDPR that requires any warnings of any kind, or places any limits on fines, except for $10/$20 million or 4% of revenue, whichever is greater. Period. A multimillion-dollar fine without warning for a first, minor violation is perfectly lawful under GDPR. The idea that "yes it says that but we can trust EU regulators to not assess large fines against foreign companies, even though they would benefit handsomely from them" rings hollow to me.
I think you and everyone making similar points in this thread are getting tripped up by the difference between rules-based regulation and principles-based regulation. This is unsurprising, given that the US is so heavily rules-based, but the EU (certainly the UK) has a long history of principles-based regulation.
In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some latitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).
An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).
A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)
You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.
What you dub principles-based regulation others call trust-based regulation, or randomly-enforced regulation, or we-know-it-when-we-see-it-based regulation. Some don't appreciate this type of regulation.
I think the unfortunate thing is that, when the previous/existing incarnations of these protection laws were/remain unenforced, many assumed it was because of lack of "teeth". But those of us familiar with how these principles-based regulatory bodies work know that it's more about confusion and regulator apathy. Nobody here is watching the watchers. Instead, there's a bunch of people foaming at the mouth with pitchforks asking for more laws and dismissing alternative concerns as hysteria or not understanding how laws work. We should be discussing how to solve the problem, yet we continually devolve to discussing the government-led solution presumably because we feel helpless and can't consider better options.
Going on a bit of a tangent here, I am becoming concerned with how we discuss these things. You're completely either for or against it. And if you're against one way you are automatically for the other. If you think one thing is bad, obviously you need to be corrected that the other thing is bad too. And then you'll get extreme examples showing it. Call it whataboutism, appeal to emotion, whatever.
Every time these GDPR discussions come up, someone is always quick to say the US is worse, US is getting a taste of its own medicine, that dissenters must want surreptitious data collection, and on and on. Oddly enough, bringing it full circle, the tendencies for humans to argue in these directions instead of staying focused on the issue at hand make me glad to have more strict boundaries that are less subject to the whims of idle thought. Obviously this can't be absolute, so we should craft our rules to limit their scope at least from the outset. It's not about one country/continent vs another, it's about the goals and how they are achieved. Some believe and/or have experienced difficulties conforming to all sorts of government rules; it is a human thing, not a location one. IMO, we need to stop deflecting and we need to stop being so absolute. People that are feeling the pain of impending laws are not hysterical, and laws are not magically OK because other forms/interpretations have downsides.
I think this is a situation where it's easy to see the mote in someone else's eye. I tried to provide a summary using the standard terms for both approaches (in practice, making it clear I preferred a principles-based approach); you jumped up to rebut (in practice, by trying to find the most derogatory synonym for "principles-based regulation" and accusing opponents of "frothing at the mouth"). And then both of us are astonished by the level of partisanship in this argument ;)
It's true, I do think that a more principles-based approach is usually preferable. (And I will happily marshal anecdata to that end!)
But it's naive to think that any approach comes without a cost. Even the PayPal example I mentioned above could be coloured the other way: A company makes a major investment in a foreign market, only to find the rules changed underneath them by a capricious government agency! (Someone brought up IR35 down-thread, and that's an excellent example too.) Is that an acceptable cost for the outcome? I'd look at the overall state of (eg) consumer financial protections in the US vs the UK and say "yes"; but I'm open to evidence-based disagreement.
Meh, I'm less concerned with disagreement (or the words used) than I am with deflection. To be clear, and brief, I am not saying one approach to law is better than another (though I too have my preferences and of course corruption anecdata abound). In this case, I think neither legal approach is preferable with such a large statute. But if we are resigned to this option, one could argue that the size/scope of the legislation can only happen with vagueness and trust. In general I think we could arrive at a GDPR-level statute (at a global level no less) after working up to it. And I don't believe the regulatory bodies' failures themselves justify doubling down on those same failure-causers. I could talk about my suggestions for days, but in general a good set of first steps would be simple transparency requirements for specific uses and tangible enforcement.
Thank you for bringing this up. I never knew PB law was a thing. I thought it was just poorly written. Being a yank, I just assumed they forgot the corner cases. I am anti-authoritarian by nature so I tend to view authorities as Djinn that must be tightly constrained by wording lest they find a way to misbehave. I would have thought PB would have a higher risk of regulatory capture and corruption of regulators than RB. What is a small business owner's recourse if a regulation is being selectively enforced to favor a competitor? Do they need to find funds to retain legal representation? What if the competitor is much larger?
Edit: I realized this might sound passive aggressive. I like the idea of human judgement in regulation, but I really want to know what checks are commonly used to account for all actors involved potentially being malicious.
I think your tangent is merited and unfortunately there seems to be a lot of polarizing comments (I might have done a couple, but there are some that really go over the top in either direction, like "hiring a lawyer to be your DPO is trivial" or people spreading FUD and saying how they will have to shut access from the EU to their personal site, etc.)
But in essence people are missing the bigger context.
Principles-based regulation means you're still committing the same number of crimes per day if you somehow anger the wrong people. If the local police don't like you, then principles-based laws can be used to single you out and target only you.
This is it. Thank you, I commented about my local experiences with government in Europe and US/Canada but did not know the correct terms and you're right, I think this is the big difference and a driver of fear outside of the EU. In Canada I found the police, by-law enforcers, and almost any official are essentially rules based robots, very much different to my experience in the UK. Thank you for teaching me about rules-based and principles-based regulation. This is one of the big reasons I enjoy living in Europe tbh, a bit of discretion and old 'common sense' is actually quite an awesome thing.
The EU’s digital commissioner said in 2015 that the EU should use regulation to "replace today’s Web search engines, operating systems and social networks" with EU companies.[1]
And they've passed or proposed ridiculous laws like cookie warnings and link taxes. We have reason to be suspicious of their intentions.
You have to keep in mind that the EU is not as integrated as the US on a political level. You need diplomatic leeway to get everyone to agree to do anything: instead of saying "this is what we'll do", it's "this is more or less what we do, everyone gets to fill in the details on their own". Without that level of flexibility and autonomy for individual countries, they would block the legal process even more than they are now.
As for the link tax: I would blame the publishers pushing for it, not the EU.
> An advocate of rules-based regulation would say this can make regulators unpredictable and capricious.
Unfortunately, so might students of history. Ask anyone in the UK who was working in the freelance or contract world when IR35 was introduced.
In that case, too, the principle was reasonable enough: there was a loophole in tax law where you could decide you're a contractor instead of an employee and pay less money despite for all other practical purposes still being an employee, and this was being actively exploited by some people.
In that case, too, the reality was that most people working in the sector probably wouldn't be challenged by the authorities, not least because the enforcers had limited resources.
But in that case, too, a given individual's status was often unclear. While some of those who were deterred or subsequently received penalties really were engaging in obvious tax avoidance, other reports described crippling penalties for people whose arrangements appeared to have been quite reasonable but to have fallen foul of someone in government's dubious interpretation.
This led to substantial amounts of time and money being collectively spent by the freelance and contractor community incorporating new legalese into contracts and paying for advice and taking out insurance policies. An entire trade body was formed primarily to deal with this threat. Even today, those of us who take on any sort of individual contract or freelance work from time to time have to be careful not to say or do certain otherwise reasonable things, or to allow others to do so, for fear of tipping the balance or giving any appearance that might be subject to challenge.
And the irony is that while the law arguably had some effect initially in getting contractors to go back to being permies if they were just using it as a tax dodge, overall it appears that IR35 has raised very little extra tax revenue for the government. It turns out that the vast majority of contractors and freelancers were operating in that fashion legitimately and continue to do so, and most enforcement actions appear to fail to the extent that the government even tries any more. Nevertheless, the rules still hang like a sword of Damocles above the whole sector.
Are you claiming that most companies are not storing data in compliance with current law today? There's a meme about how all businesses are trying to exploit personal data mercilessly at any cost, yet among the small businesses around here and the people I know who work there, none of us is in that line of work, nor I suspect would any of us want to be.
I do not believe that the vast majority of companies which are significantly impacted by the GDPR were storing data in a reasonable manner, no.
Having to spend some effort to make sure you are in compliance with a huge new piece of regulation is expected and I understand that people complain about having to do it. However, after the initial bring-up pains any business which continues to have a problem with the GDPR most likely has a business model directly in conflict with the spirit of the law.
> I do not believe that the vast majority of companies which are significantly impacted by the GDPR were storing data in a reasonable manner, no.
If that's your personal belief then obviously you're entitled to your opinion, but have you seen any actual evidence that that is the case?
> However, after the initial bring-up pains any business which continues to have a problem with the GDPR most likely has a business model directly in conflict with the spirit of the law.
Perhaps, but as you say, what we know now is that there are some initial compliance costs for everyone. If nothing else, we all have to understand the new regulations and our obligations under them, and we will now have to allow for additional subject rights and stronger and more specific documentation and notification obligations, which generally apply retrospectively as well.
I admit that part of my concern here is not specific to the GDPR, but rather to the general practice of creating ever more rules governing businesses. Every time some new regulation comes along, the costs of running a business go up. Not only does that impose some level of overhead on established businesses, it also has a chilling effect on new businesses starting up, and on paths to growth like starting a side business that can expand to something full time and later to take on additional employees. If a new regulation is necessary to achieve some positive effect, then those overheads might be justified as well, but I remain to be convinced that this is the case for most of the new rules and regulations that have come in over the decade or so that I've been doing this now. The GDPR is just the latest example of something perhaps well-intentioned but poorly implemented.
> If that's your personal belief then obviously you're entitled to your opinion, but have you seen any actual evidence that that is the case?
I can't speak for that other person but I've seen lots of evidence to that effect. I look at ~40 companies / year at the moment and a large percentage of those have issues. Usually not because of malice, mostly because of lack of resources or unfamiliarity with regulations.
Say I use a DDoS prevention service (like cloudflare). They get my user data, and also have to be under scope of GDPR as well. And since IP isn't indicative of EU citizenship status, a company had better apply GDPR to everything rather than just a subset.
In the end, this law makes a "We respect the privacy of your data" subset of providers, and provides a great way for us users to identify bad actors (Google, FB, Amazon, etc).
I'm absolutely glad to hear that (about CloudFlare).
The GDPR is becoming a "I'm doing the right thing" checkbox. At least with the European rule, we data-drained Americans can rely that these services might cost more, but we retain our rights.
Lack of will have to be scrutinized. Smaller places may make the determination based upon reasonable answers, or be malicious. Facebook/Google/Etc wouldn't exist in their current forms if there were strong privacy rules in place.
> This is unsurprising, given that the US is so heavily rules-based, but the EU (certainly the UK) has a long history of principles-based regulation.
This is a good point, but many people seem to forget that most misdemeanor criminal offenses in the US are punishable by fine and/or up to 30+ days in jail. People do not often get the jail time so most don't even think about it, but it is available as an option to the judge for things like repeat offenders.
Unfortunately in the US, any conviction leads to essentially a work "blacklist," whereby employers do background checks and deny employment for anything they find within 7 years.
Not for non-violent misdemeanors. Unless you're a flagrant offender you will normally be slapped on the wrist and given a stern lecture in the form of a class. Source: was in a fraternity in the US where literally nothing bad happened to anyone I knew with a misdemeanor outside of a fine and class.
A lot of companies won't hire you if you have a criminal record of any kind. Some won't even hire you if you have any record of arrest, regardless of conviction.
> If the court seals the record it's nearly impossible for anyone but government agencies to discover
No, it is not, because background check and other third-party intelligence firms aren't purely reactive now, they have and use tools to proactively vacuum up public records and maintain their own DBs. After-the-fact sealing of arrest records or expunging of convictions has no effect on data that is already in third-party hands.
Never knew this, so is it that just no employer cares enough about minor misdemeanors or the cost of doing so makes it not worthwhile? I've never heard of anyone getting a job offer taken back because of a minor misdemeanor.
Now if the government interpretation of GDPR differs from a website owner's they'll be able to shut it down with a fine. Since this law can be interpreted in so many ways they can virtually fine any site they don't like, because depending on interpretation every site can be found non-compliant. This is huge and dangerous.
> In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set.
Given that description, after a couple decades working in some and dealing daily with the acts of other agencies which issue and apply regulations in the US, let me assure you that the regulatory system in the US is nothing at all like “rule-based” as you have described it.
I have also been extensively involved in compliance issues at US companies in the financial space and this comment is dead-on. The idea of rule-based regulations is a complete straw man as far as I can tell.
Or you can just disengage with Europe altogether, which is an obvious choice for many small to medium sized companies, given the risks and costs involved.
We ran the numbers on how much it would cost to establish compliance, and with that alone it was barely worth it based on the current EU customer base we have.
We also considered all the additional liability we’d be taking on, and with that alone it was barely worth it based on the current EU customer base we have.
We’d also be very happy if one of our competitors started investing in the EU market. It’s worth about 10 times less than the US market in our industry, so having them chasing peanuts in Europe (and investing in compliance with European - absolutely not international - regulations) would be a truly fantastic outcome for us.
Where did I advertise misuse of our customers' data? Compliance and privacy are not the same thing, just like compliance and security are not the same thing. We have a great privacy policy and we don’t misuse our customers' data in any way.
For us, it didn’t make sense to invest the amount of money we’d have to to establish compliance with the GDPR, or to invest in maintaining that compliance, and the liability that GDPR would introduce for us most certainly didn’t make sense.
Europe is worth almost nothing to us, we don’t market ourselves there because it’s a waste of money. The EU customers we have all sought us out, not the other way around. For us, the cost and liability is simply not worth it. I think you’ll start to see more businesses make this decision, based on facts and numbers. You can’t just cry that they’re all being hysterical or want to abuse their customers' data and privacy. When you introduce expensive new regulations, that have very strong punitive elements, this is exactly what you’d expect to happen. Small to medium sized businesses will wear most of the cost (while posing the least of the risk). Luckily for us, EU is worth close to nothing for us.
You are advertising that your handling of personal data is so haphazard that GDPR compliance would be expensive.
You are admitting that you aren't good enough for the EU, and therefore that you aren't very good in general at whatever you do.
I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.
I’m sorry, but this is simply the naive opinion of somebody that has clearly never had to deal with compliance before on a meaningful level.
My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.
This is not in any way a signal that we’re “not good enough” to handle our customers' data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.
We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.
You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and you're even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisations that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.
I'm arguing from the point of view of a customer, not "slandering".
Customers are going to have a choice between GDPR-compliant companies and USA-only ones and (if they care) they are going to assume the worst about why the GDPR can make a company retreat from the EU market.
As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received.
Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.
You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.
Right now we are going through a federal audit. We sell only to US orgs, but also have a social media platform.
Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents on how we use metrics and user data.
(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)
If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.
And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".
Edit:
> "My customers are all happy with my privacy policy,"
Do they have a choice, aside from never using your stuff? Do you force acceptance of the 'privacy policy' on usage of your service? If so, that is in direct violation of the GDPR.
Hope you never want to consider European citizens as customers. Building in this respect is cheap, but it is expensive if you ignore it now.
Think of this as "California Emissions". Eventually the US will adopt it, even if only de facto. Might as well be on the right side of the fence.
So because you don’t have many in-scope systems, you believe that the cost of compliance is going to be the same for every company in the world? And what did I say that gave the impression that I don’t respect my users or their data?
Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.
In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPR's limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.
As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.
I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.
Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.
Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.
I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's also broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.
Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.
I think you've hit the nail on the head regarding the bias of this particular forum. As a group, it seems obvious that HN would be less risk-sensitive than the average.
For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.
Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.
> For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type
I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.
Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislation of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?
If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.
> Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.
I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others' opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).
Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.
I think the underlying idea here, is that data is "radioactive". Quite a lot of data can be fed into classifier systems to accurately identify people (not just computers), their trends, their shopping habits, and other much more private things.
In Europe, because of the classification systems surrounding IBM and the Nazis, they have chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.
The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and sent pregnancy, maternity, and baby ads. The father was angry at Target for sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to stop this from ever happening again.
Your response seems to completely ignore what I said, which had nothing to do with data. It's as if you're just making an appeal to emotion.
I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.
Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.
I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.
> I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.
It certainly doesn't appear to be a false dichotomy to me. If your company has a European presence, you will be required to follow the GDPR. But for my purposes, companies that say they will support the GDPR globally will absolutely get my business before those that do not.
And there are plenty of areas where my data is used against me. Look no further than the recent cell phone location leaks, or Facebook, or Google. The time for their siphoning every last shred of data is done.
> I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.
And I, a customer, can make a very easy choice of "If you assert that you follow the GDPR globally, I will buy from you." I think of it like California Emissions, or other 'Better than average certifying bodies'.
> It certainly doesn't appear to be a false dichotomy to me.
That's the problem. What you seem to be espousing is exactly "my way or the highway" (where "my way" is the GDPR) or "you're either for it or against it", the very epitome of false dichotomy.
Why not actually address the middle ground that has now been clearly explained multiple times? In what way does that non-compliance equate to nefarious conduct?
> And there are plenty of areas where my data is used against me
And here, again, is the appeal to emotion. Where's the data in this case, not those other cases?
That, and the fact that a good chunk of present day Europe was under the Soviet boot for 40 odd years and the people there got to see up close how dangerous data is in the wrong hands (in that case: the government).
Hungary and Poland were under the Soviet boot, but a generation later they are going back to undemocratic and authoritarian governments. Eastern Germany was under the Soviet boot and they have far more neo-nazism than Western Germany, which wasn't. So the 40 years seem to have made some long lasting damage instead of fostering a strong "never again" attitude.
On the other hand, 12 years of nazi government have left a much more permanent "never again" against big brother in Western Germany. To my knowledge it's the only country on the planet where citizens' resistance made Google stop deploying Streetview (where it might well be debatable whether Streetview is the worst big brother thing. But sometimes relatively minor issues raise big fears and hit big resistance, as it seems to be with GDPR for small US businesses).
Countries are made up of individuals and not all individuals have the same mental make-up. Yes, there are quite a few worrisome developments but there still (maybe not much longer) is an institutional memory of these things that is for the moment exerting a positive influence in this particular domain.
I'm not sure what you mean by this. No magic is required, only sufficient desire by those in power.
That wasn't my point, though. It was that now only governments are allowed to gather and keep this data. Granted, the breadth of what's available to them may not be as great if they're mainly recording traffic with no access to corporate servers, but even that access can be periodically arranged given sufficient desire.
I remember the time we had very good privacy policies but getting that project to be compliant with COPPA was still a significant effort, so I think I get where you're coming from.
Once we became compliant, quite frankly, I felt a lot safer and more confident in affirming that our privacy policies were very good. Maybe it was some kind of sunk cost syndrome, but I was glad we did (were forced to do) it.
Thanks, you’ve pointed out a great signal that now exists. Don’t do business with companies that choose to pull out of the EU market rather than comply with GDPR. These are companies that have made an explicit decision that user data privacy is a burden not to be cared about.
My company, OTOH, is choosing to apply GDPR principles globally.
Compliance and cost of doing so does not equate to privacy. Remember when all of the auto manufacturers in Europe "complied" with new regulation by spending a fortune on testing?
And in your mind there is absolutely no possibility that a reasonable explanation would exist why a company would pull out because of it?
How about cost of compliance? For example, just the fact that you need to figure out whether you are compliant or not costs money. If you ask for user consent, then you must be able to later show that you got said consent from the user to work that data. You also have to take into account the risk of fines if something somewhere goes wrong. We, as software developers, should be intimately aware of how things can go wrong despite everyone trying their best.
All of these things cost money. If the cost is greater than what the business from the EU brings in, then it's not worth it. The fact that there are people who immediately and only jump to the thought they don't care about privacy is very worrying.
There is a difference between complying with GDPR and caring about privacy.
I completely and utterly care about privacy, but things like not tracking IP addresses and allowing people to request removing them are a bridge too far. I can’t comply with that. I treat my customers’ important PII (names, addresses, etc) very delicately. But the cost of complying with GDPR is too much.
> allowing people to request removing them are a bridge too far.
Are dissonant. You will have to pick the one or the other but you can't both care about privacy and not allow people to request removal of their data. That should be fairly obvious.
GDPR does allow you to record IP addresses in access logs and whatnot. And I'm not so sure people can actually ask you to remove their IP addresses; they'd have to demonstrate use of that IP over the relevant time interval, which is beyond most people. So I think while GDPR requires you to have a good reason to collect IP addresses, it doesn't meaningfully impose an obligation to be able to expunge them in removal requests.
And what will you do when Canada follows in the EU's footsteps? Or the rest of the world? When they finally put pressure on the US to do the right thing? Because this is the right thing to do.
An option that I see a lot of companies taking, we considered it, but decided it wasn’t worth it. I personally know of a few companies that have decided to blatantly ignore it until they see how offshore enforcement works out. If it ends up being favourable, it’s a strategy we may adopt.
The GDPR regulation directly applies in all member states, and does not need individual states to do anything at all to enact it. If national courts decline to enforce it then it can escalate to the EU courts.
It is also international in that it applies to EU citizens' data no matter which country it is held or processed in.
It is true — you need to read the actual GDPR rather than online summaries.
The GDPR creates some new criminal offences that can be prosecuted through courts without the regulatory authorities being involved in Clauses 162 & 163.
Article 82 allows individuals to sue in court for compensation if breaches of GDPR rules cause harm.
I read the article, and I found it more than slightly dismissive of this option, particularly because the article (and other commenters, it seems), in effect, makes the inference that the main goal of avoiding compliance is a continuation of some nefarious behavior.
A bunch of companies are going to do this and then regret it when they notice that their competitors really didn't have to do much work to become compliant.
Then they'll try to come back... after their EU user-base was kicked out and forced to find alternatives.
> If the original business couldn’t, its unlikely the competitor could.
Considering the amount of FUD spread about fines, even here, with a fairly educated readership, I don't think you can really trust other people's cost / benefit analysis, even when they happen to have the same variables with the same values.
People are often wrong even in much clearer cases . . .
We’d be quite happy if that happened. Seeing our competitors investing in Europe would simply mean less competition in markets with much greater growth.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
By blocking EU IPs the service is very clearly, unambiguously, not targeting EU residents.
Not sure why the downvotes. If you block EU IPs, an EU resident accessing a website on holiday outside the EU will not know that the website is not meant to offer services to EU residents. Solely blocking EU IPs is not sufficient. What would probably do is to have a banner on the website, where the user is informed that the website doesn't allow EU resident visitors, with a "Leave" button.
Now the problem is if the EU resident confirms that he/she is not an EU resident. Then controller or processor is still processing protected data, but unknowingly.
If you block EU IPs but your business is not targeting Europeans who are on holiday you don't need to comply with GDPR.
If you block EU IPs but your business is targeting Europeans who are on holiday - well, you probably still don't need to comply with GDPR because you've demonstrated attempts to actively avoid European residents.
The test in GDPR is not "does any European ever use the service?" but "are you targeting them?"
I was really wondering that as well. Can we be held accountable?
It would be nice if the GDPR had a piece about “if a company refuses sales, even if they accidentally happen, the company isn’t liable” and/or “blocking EU IPs or redirecting to a no sale page is sufficient to avoid compliance”.
Probably they will not be - but there are cases of extradition of EU citizens to the US for various crimes like hacking. Who knows, maybe it will happen the other way around or some people will have to take holidays in the EU off the list.
Same here. The EU makes up such a small amount of our customer base, and EU customers spend far less money with us. Which is generally true in most industries: US consumers spend far more than consumers anywhere else in the world.
If we ever choose to enter the EU again, it will be a careful and deliberate choice, and will likely only ever happen if our growth slows in other regions.
We’ve got a great privacy policy, and don’t abuse our customers data in any way. However compliance would be very expensive for us, largely due to some of our early architecture decisions. The liability is also insane, and we don’t want anything to do with it. When we looked at how little our EU customers were worth to us, it was a very easy decision to simply abandon them.
So you say. If you don’t have strong processes to make sure that is true, it isn’t true. GDPR is mostly about ensuring you have such processes. If you can’t do things such as tell the user what data you have, and delete it, you do not have a great policy.
Methinks you need some advice from better counsel. I bet that you are closer to compliant than you think.
Do you actually think the only way to respect users privacy is to comply with GDPR? That is an absurd and narrow minded opinion. Do you also actually believe that the entire regulation is reflected in your two line comment?
Listen, you’ve said higher up the thread that you plan to spread FUD about all companies that don’t comply with GDPR as a marketing strategy for your own product. I don’t see how anybody here could possibly take you seriously. GDPR is going to have a lot of unintended consequences, and people aren’t going to be happy with all of them. One of them is that small to medium sized companies will reconsider doing business in the EU; another is that the scope of the legislation is especially anti-competitive for small EU based businesses. There’s been a lot of FUD going around HN recently that the only reasons a company would plan to pull out of the EU are hysteria and malevolence. That’s not true, and for many companies this is just a simple business decision.
> That’s not true, and for many companies this is just a simple business decision.
But likely based on incorrect advice.
You haven't said why you think your company isn't compliant with GDPR, and it's possible your company is compliant with GDPR, or would require only minor tweaks to privacy policies to make it compliant.
If you ask US-trained lawyers (especially those with exposure to the tech or financial sectors) to perform an impact assessment of a European regulation, don't be surprised to receive a full-on Chicken Little response.
The reality is that the law is not a programming language and compliance is about alignment with principles, not blindly following a set of rules.
Sounds like he analyzed it very closely, so probably not based on incorrect advice.
And I’m guessing he can’t share too much about why, since he has said it's based on architectural decisions, which might reveal business secrets.
The biggest reason I don’t like complying with GDPR is the IP address situation: I’m going to continue to track them and I’m not going to delete them because somebody requested.
> I’m not going to delete them because somebody requested.
Why do you think you need to delete them when requested to do so? Can you point me to the bit of the regulation that makes you think that's a requirement?
When I read it, I see that the "The data subject shall have the right to ... erasure of personal data ... where one of the following grounds applies: ... the data subject withdraws consent...."
I imagine that HTTP logs associating URLs and IPs are personal data because they associate users with activity, so they would have to be removed.
It's pretty hard to destroy individual log lines (they're often aggregated in zipped files, for instance), and logs show up in lots of places: your load balancer may log, your web server may log, your application may log, those logs may be backed up to tape, you might have debug logs captured for analysis from any of these systems, and those debug logs might be present on developer machines, not on servers or long-term storage.
That basically means that if any user asks to have their data erased, you have to figure out whether they owned that IP address at that time (so they can't ask for others' information to be removed), then delete all those logs, potentially rewriting your whole tape archive(!), potentially having developers destroy the debugging info they were using to track down a memory leak or whatever (on laptops, or in the ticketing system, or in heap dumps, or wherever it might be).
It's pretty easy to say "don't keep logs of IP addresses", but that's one of the major ways people detect malicious traffic, e.g. spam, denial-of-service attacks, and break-in attempts. It's hard to live without that.
Am I reading something wrong? Is there something I missed in that section that makes it easier?
Is "so we can look for malicious traffic" enough of a legal ground for processing to keep personal information around indefinitely even if the user asked for it to be removed? I can't imagine that's so, as that would be a pretty big loophole.
> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
There are several justifications for processing user data. One of them is consent. But there are others. One is "legitimate need". You're not using user consent to process this log data, you're using a legitimate need justification.
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Legitimate interest doesn't let you gather everything and keep it forever, but standard practice log rotation seems like it's compliant.
The proper way to deal with this is to rotate out the logs after a finite amount of time (you are doing that anyway, right?) and then to delete the logs after yet another period of time, once they have outlived their useful life. That's good practice anyway so I really don't see the problem.
Looking for malicious traffic is not a loophole that allows you to keep data indefinitely - even if nobody asks you to remove it - you don't need to keep it indefinitely.
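The two-stage retention the comment above describes (rotate the live log after a fixed window, then delete the rotated copies once they have outlived their usefulness) is what logrotate is for. The stanza below is an added example and not from the original thread or the commenter; the nginx log path, the daily rotation and the 30-day deletion window are assumptions, and the window you choose should be the one you can justify as the legitimate interest.

```conf
# Added example (not from the original thread). Two-stage retention for a web
# access log that contains client IP addresses: rotate daily, keep the rotated
# files for a bounded period, then delete them. Path and windows are assumed.
/var/log/nginx/access.log {
    # stage 1: the live log is rotated out every day
    daily
    # stage 2: keep at most 30 rotated files; the oldest is deleted on the next
    # rotation, and maxage also removes any rotated file older than 30 days
    rotate 30
    maxage 30
    # compress older files, but leave the most recent rotated file plain so
    # it can still be grepped during an incident without unpacking it
    compress
    delaycompress
    # date-stamped names (access.log-20180525.gz) make the retention window
    # auditable from a directory listing alone
    dateext
    missingok
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        # ask nginx to reopen its log files after the rename
        [ -f /run/nginx.pid ] && kill -USR1 "$(cat /run/nginx.pid)"
    endscript
}
```

Two caveats a practitioner would want: this only bounds what sits in /var/log, so any backup or tape archive that copies that directory has to apply the same window or the deletion is only nominal; and each place in the pipeline that writes its own copy of the access log (load balancer, application, debug captures) needs its own equivalent policy, since logrotate only knows about the files it is pointed at.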
I'm not the person you're asking this of, but any regulation tends to require extra work to be done. Just the fact that you need to know that you're compliant requires work. Then you have requirements such as being able to prove that users gave you this consent, being able to prove that you did delete all the user data in all the possible places (including backups, VMs, crash dumps on developer machines etc) when requested, etc.
You also have to take into account the risk of the fines. The fines are enormous and there are no guarantees that the regulators will not slap you with the highest fines "to make an example of you" or because you just rubbed them the wrong way. Even if you try your hardest to comply and think you have all the bases covered, it could very well be that you are not compliant because something was overlooked or there's a bug somewhere or something else entirely. You can never be certain about this.
Now you add up all of these costs and compare it to how much the EU market offers you. If the costs to comply exceed the income, and there's no near-future opportunities for large growth, then it would make a lot of sense to just pull out of the market.
If you are already compliant with your great privacy policy, what are some specific things that you find too expensive to be worth it? All I read from GDPR detractors are vague hand wavey claims of “compliance stuff” being expensive. I’m obv not a professional compliance expert so ELI5.
This argument makes about as much sense as "if you have nothing to hide, you have nothing to fear" in support of surveillance laws. Presumption of guilt is a terrible rule to live by.
Actually your argument makes no sense because it amounts to : I am honest therefore there is no need for laws. Thousands of years of human history suggests you are wrong.
GDPR and “not spying on your users” are not even remotely related. GDPR is a massive regulation requiring significant resources that most small businesses simply don’t have.
Surely you already had "cyber" coverage on your general liability policy, right, since you are handling users' data? I haven't been notified of any changes in premium for our policy related to the new regulations, fwiw.
>I haven't been notified of any changes in premium for our policy related to the new regulations, fwiw.
I don't see how you can legitimately believe that there is not going to be an increase in costs. Either the insurance company was overcharging you before, they're lowering their margins or the price goes up. Anything else would require that the risk would be basically non-existent. The price might not increase right now, but it might increase next year or the year after that or the service might get worse.
>Massive legal fees for what, exactly?
To deal with situations that you didn't expect to happen, but did happen anyway. Even if you try your best, mistakes can happen.
The GDP, the consumer spending market and the consumer spending per household are all higher in the US than the EU. You can cherry pick out a few industries where other countries spend more than the US, but it's still the most valuable market by far in most industries.
There is a difference between what GDPR says is okay with user data and what is actually okay with user data.
We may be reasonable with user data, but either disagree with a portion of GDPR (like IP addresses) or do not have the time or money to verify we comply.
Still don't understand the issue. IP addresses are being kept private like with all the other user details right? You still can have web logs with ip addresses without needing consent.
And also (as stated in numerous places) you won't get hit with fines. If you aren't compliant (and it would take a big violation to get their notice) you are given ample time to comply. Or, in your case, if you really are violating it flagrantly, you could just block access from the EU. But you would have to be a big violator.
So if you look at a prisoner's dilemma outline you've got:
- you are violating / you block the EU: outcome is no market access to the EU
- you are violating / you don't block the EU: you have access to the market, and if you are caught violating you get ample time to change, or you can just block the EU and you're in the same boat as before
- you aren't violating / you block the EU: you just blocked access for no reason and are losing out on a market
- you aren't violating / you don't block the EU: you have access to the market
So if you don't know whether you're violating, or you wonder about the IP address and web logs issue, which is minor, then the prisoner's dilemma shows that it's best to go with continuing as normal. There is no case where you would be hit with big fines.
To be honest I know nothing about law enforcement in the EU, but the one thing I have heard about in recent memory is that guy who made a video of his girlfriend's dog saluting hitler, and was subsequently tried for a hate crime, convicted, and was charged with a pretty hefty 800 GBP fine after being found in violation of the Communications Act of 2003[1]. Seems like a pretty poor example of principles-based regulation. Maybe it's just an outlier though, idk.
Oh okay, I actually misremembered what I had seen, I thought it was just the saluting thing. I just checked the original again[1], and that being said I still don't see how this isn't a ruling that is overblown; he's saying "wanna gas the jews" in a playful way to his dog over and over, and the dog responds when this is said.
The ruling was that this was a hate crime, because it was "menacing, anti-Semitic and racist". I have trouble seeing how a Nazi pug that responds to "gas the jews" is anything other than a silly bit of absurd comedy. I can't realistically see this video actually advancing any legitimate hatred, or having any negative consequences other than some people laughing at how silly it is, and some people just thinking it's kind of stupid.
I know several people who fit that criterion. I didn't say it wasn't rude, crass, impolite, or ignorant. I said that I don't think it counts as a hate crime, and that it doesn't fit the criterion for "menacing" society. How many people do you think fear for their personal safety because of that pug?
For what it's worth, I grew up in a town that was roughly half Jewish, reflected in my circle of friends. When I was younger, extremely crass jokes that made light of historical tragedies were made at everyone's expense, including ones that historically affected my family. It was clear that the intent of these was not to instill terror or provoke hatred. It was more of a pissing contest, to see who could say the most absurdly offensive thing.
Were these the types of situations where we should have had more sensitivity to the real weight of these tragedies? Sure.
Were these hate crimes? Absolutely not. When someone commits a hate crime against you, you probably wouldn't regularly invite them over to your house for the next several years...
> I said that I don't think it counts as a hate crime
That's curious given your background. I know a couple of people that still have the tattoos on their arms and one guy who literally has no family at all and it pains me to see that people think that this is just a matter of bad taste. "Gas the Jews" is not a joke, my sense of humor is pretty broad but it does not stretch that far.
To be clear, I'm not arguing that it wasn't a horrible atrocity that completely destroyed many people's lives, and I'm not arguing that the genocide itself was in any way funny. The joke isn't that the event itself is funny, it's the absurdity of the context in which the statement is being made that's funny.
I can't even count the number of Comedy Central stand-up specials I've seen that casually make jokes about absolutely horrific things that destroy lives. Jokes that play on children dying, slavery, the holocaust, rape, murder, pedophilia, torture, etc. I guarantee you that both you and I know someone (or are one person removed, at most) that has had their life destroyed by one of these things, or something of a similar caliber. Does that mean that none of these jokes can be funny, in any context? If so, I'd say you'd be hard pressed to find a single comedy special that counts as funny; virtually every comedy special I've seen makes light of one of these horrific things in some way.
I'm a big fan of George Carlin, so I can see where you're coming from ('Elmer Fudd', if it rings a bell) and yet I can't cross that particular bridge. Sorry. But thank you for the conversation.
I have family that suffered at the hands of communists. Many were deported and exiled, some were sent to gulags. Some of them made it back, some died there, because the conditions in Siberia were horrible. Do you think it would be reasonable to start fining or jailing people who make jokes about "being sent to the gulag"?
I think you're simply appealing to emotion here to justify an unjust ruling and an unjust law.
I think the person you're replying to has a point in saying that some laws in Europe are pretty ridiculous. However, the difference is that that's a local law in the UK and not one that affects the entirety of Europe. Nor is it a widespread law in other European countries.
Who is talking about jailing, the guy just got a fine. It was pretty big (still less than one paycheck, no?), but if that is the worst case you can find, I think you can make fun of anything.
And fwiw I do think Europe is oversensitive about Nazis-related stuff. But for good reasons.
I don't know, EU members seem perfectly willing to toe literal rules for perverse outcomes in some areas. Open market gamesmanship, for one, such as the proliferation of national standards as a way to exclude 'single' market products.
Maybe they are trying a kind of best of both worlds approach?
Great explanation. I didn’t know the difference between US and U.K. law was so fundamentally different. Thank you for educating me on the correct terms.
This sort of explanation has been very popular by people who are trying to reduce the overall concern level of the community. You're not wrong. You very well could be right and this could be how it will work. Let me give a view as to why it doesn't matter.
The problem with this approach is if you run a large or small company or are a sole proprietorship or simply have a hobby site, you can't write off legitimate fears of heavy handed enforcement. No one wants to be the example.
In the former cases, if your company is how people are feeding and clothing their children, do you want to be the person who says "Oh well, we tanked the company this year because we weren't worried. Someone on the internet told us they'd be gentle! How could we have known they'd be serious about levying the maximum penalty!?"
If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask nor a trivial one. People are being impacted in large ways.
I'm on my company's GDPR compliance team and it is serious business. Our European footprint is small but not insignificant. If we were an unreasonable bunch, we'd just shut the whole thing down and move on. The very expensive, very well versed German legal counsel we're paying to help us do this right completely disagrees with what many are saying here. We have no reason not to believe them, as they have a lot of experience with the German laws the GDPR is based on. We're paying them far more than the fines we'd see because we believe in doing the right thing. Ergo, we must take the "hard" regulator view rather than your "kid glove" view. Our lawyer's underlying point in every discussion is that this is really, really serious business and that they're not fooling around. Adding to that, a GDPR-like law is likely to be implemented in Canada and other jurisdictions in the future. We must be ready for that as well.
I think GDPR is great for consumers. I think we'd actually be in a better/easier place if it were a requirement in the US, since everyone would have to follow the same rules. The problem is that implementing it takes time and effort to do well at scale, without losing your competitive edge against other large competitors that do not serve the EU and can operate under only US law. These are real concerns that have nothing to do with the regulators and whatever their whims are.
So even if you're right, these are the real costs. You're going to be held accountable to the people you let down if you put your company in peril. You're going to be held accountable if you lose market share because you got this wrong and an unencumbered competitor outmaneuvers you. And most of all, you simply cannot assume the best case, kid glove, approach is what is going to happen. THIS is what people are frustrated with.
I do hope that the EU is fair and equitable (which is my belief) but it would be irresponsible for me to act as if that is the only possibility.
That's a fair assessment, and in line with the proportionality of the costs associated with becoming compliant with the GDPR: it sounds as if the company you are working for is smack in the middle of the range where the turnover to compliance cost ratio is at its worst. This is unfortunate, but I don't see any way in which that could have been avoided. For trivial companies the cost is negligible because the costs are small or nil, for large companies the cost is negligible because their turnover is huge (unless they are misbehaving on purpose, then the cost might be very large), for companies in the middle it hurts the most, but it is still worth doing it and doing it right for all the reasons you listed.
As for this part of your comment:
> If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
It's no big deal if you already had a user centric approach to privacy, if that's novel then you will probably have to change lots of procedures and some software too in order to get things right, even so I've seen far worse from a compliance point of view, look into fintech or healthcare compliance for examples.
Wow I wish we had principle-based regulation in the US. It seems like rules are made specifically so that only wealthy, entrenched institutions can follow them without significant burden. When those institutions fail, the fines don't seem relative to profit or size of the company or anything.
I suspect it wouldn’t work in the US. Principles based regulation requires some level of consensus on principles. We don’t have that in the US. Polarization breeds rules worship because you don’t trust the other people to use their discretion.
Consider, for example, how every major social issue devolves into a Constitutional litigation. Whereas in Europe people just vote on stuff.
And as to regulatory approaches I think you’d be surprised. European regulation is often quite conservative.
Oh totally agree. Just think about the DMV. The people who work there cite the law word with zero discretion. Most US companies are like that as well. It's quite dystopian.
Well, let's say it wouldn't work with the current ruling-class mindset where everyone they employ is stupid and unable to think critically.
It depends on where you are. In places like Oregon, the DMV is a friendly place full of smiles where expiration dates can slip a few days and you don't have to change your hairstyle for your ID photo.
> A multimillion-dollar fine without warning for a first, minor violation is perfectly lawful under GDPR
Come on, this is just scaremongering. Newsflash: If you run a business, you are already responsible for adhering to hundreds of other laws in which the fines could reach millions. But you don't see people running around screaming that the world is ending, because they know that the laws will generally be applied fairly, given that a large economy (like that of the EU) relies on just application of laws to maintain stability.
Running a business, like anything else in life, requires the ability to make reasoned choices from somewhat ambiguous data. And the data here is somewhat ambiguous for good reason - it's to prevent businesses from exploiting loopholes and rendering the law ineffective. If you are going to crank the anxiety to 10 every time a situation like this occurs, you probably shouldn't be running a business or handling others' data in the first place.
I have a feeling there are a significant number of people who are young enough to have only worked in digital media, and who aren't used to the idea that businesses are regulated. It's been such a free-for-all until now that they're not used to the idea that there might be externally-imposed limitations on what they can do. I don't mean that in a dismissive way - nobody willingly reads complex legislation in industries that they're not involved in - but it would explain some of the more naive complaints.
> you are already responsible for adhering to hundreds of other laws in which the fines could reach millions.
Source please?
> If you are going to crank the anxiety to 10 every time a situation like this occurs, you probably shouldn't be running a business or handling others' data in the first place.
I'm not running one right now. It's not the situation that gives me anxiety; it's just that it no longer seems interesting to support European customers for a potential business if that implies that I risk that much over their information. They just removed a big bunch of potential customers for a potential company. I would already try my best to limit the amount of PII, but there are many times you just can't.
I'm from Quebec. Here we have laws over lotteries. You know what it implies? If you make a lottery here in Quebec, you need to follow some simple regulations (I personally know people that did it essentially for fun (not for profit), so they are pretty easy to follow) and pay the taxes for the winner. You know what I had to endure each time I went on an online contest? A broad exclusion, because it was just not worth it to follow these regulations. It's crazy the number of contests where you could literally do CTRL+F "Quebec" in the rules and find our little province (nowadays I see more of "where law forbids it" or stuff like that, but I haven't tried to participate in a contest for a long time either).
Did these companies have too much anxiety over our regulation? None at all; they were some multi-billion companies that did this. It was just not worth it.
Canadian here. You are making assumptions about decisions you don't know about, like "Did these companies have too much anxiety over our regulation? None at all; they were some multi-billion companies that did this. It was just not worth it."
That is a sweeping generalization and if you dilute and guess what the most probable reason for excluding Quebec was,- it's probably for the best. It was a shady contest to begin with.
The Canadian sweepstakes law and corresponding province laws are not that hard and costly to comply with either. Look at the countless valid and non-scam contests present and available to our citizens. You, I and the rest of us should be glad that rules like these exist, since there are people and companies out there willing to part you from your hard-earned money.
As an example, you just need to store my skill-testing answer and, if I get awarded a prize, reset a flag that I need to fill out a new answer. In Quebec, you need to give monetary guarantees to make sure you pay out and give the contest rules to the bureau ahead of time. That is not a tall task. It's for the better if those shady contests did not want to participate.
That's what you think. But it's still a risk, because it's different. It's still easier and cheaper, short term and long term, just to skip the oddballs.
It's why you see so many online contests in the US that only apply here. Not because they want to avoid it, but because it's easier and cheaper not to comply with other laws.
Which other violation could cost me a 20 million dollar fine?
Sure, they probably won't give such fines, but they could. What if I run a small business that interferes with the activity of some other business run by, for example, someone that is a friend of, or can corrupt, the people in charge of issuing the fines? They will fine me for 20 million dollars. Sure, I can appeal, but a normal trial in my country lasts at least 5 years; in this time I will probably go out of business...
The fact that they could is a big problem. They should have specified a proportion between the size of your company and the maximum allowed fine.
In order to prevent the law from becoming feckless, there had to be an element of discretion on the part of the enforcers. It's there to cut the bullshit of companies who use blatant trickery/loopholes to make themselves seem like a smaller company in order to reduce their potential fines.
But as I already said, the stability of the EU's economy depends on fair application of the law. If the EU levies a 20 million Euro fine on a company with 20 million/year in revenue, the chilling effects of that action would cause much more than 20 million in damage to the EU economy. That should be blatantly obvious. Despite propaganda to the contrary, the EU has a very good record of behaving as a reasonable government entity, more so than most. They've championed quite a few consumer-friendly pieces of legislation that have managed to not destroy the applicable sectors.
If you think this is a valid concern, I can only assume you’re just as worried about other outcomes that have insane, struck-by-lightning levels of unlikelihood, in which case you are not going to have the spare cycles to be able to successfully run a business anyway.
> Which other violation could cost me a 20 million dollar fine?
Tax code violations, for sure. Environmental regulations may also carry huge maximal fines. Some misdeeds can even lead to criminal prosecution and land you in jail (but generally, they won't, except for the worst of transgressions).
Note that the GDPR requires fines to be proportional to the offence. If you really worry about some regulator fining you for 20M euros just because they're having a bad day, you do have legal recourse available.
This law may be not a big deal and not heavily regulated and not impact US small businesses at all - but many don't want to be the first to find out. After the dust has settled for a few years, then I'll make a conclusion if it has been applied fairly.
In principle I might agree with you, however the EU has a long history of striking a fair balance between consumer rights and commercial interests. There is no point, in history, of the EU doing anything remotely like you've described. Which actually gives me more faith in the GDPR than legislation in a corrupt ecosystem as corrupt individuals will find a way to warp legislation in their favor anyway.
So yes, I do trust the EU and their history has proven that the aforementioned idea isn't a hollow one.
Related to this, there is a difference in culture that may have added to the fear for people running SMEs outside of Europe. I am talking about a difference in the culture of fines, at least at the local level of government, based on my personal experience. When I lived in Canada (and the US briefly) it was common for me to get fined for various trivial offences. I used to joke I should have a fine budget, or at least a fine schedule for attending court. The local authorities set speed traps, fine for crossing the road at the wrong place, not shoveling snow quickly etc. My parents-in-law and everyone on their whole street got fined by a by-law officer for parking their cars on the street instead of their driveways, when the houses were new builds still getting constructed and the new driveways were clearly in the process of being constructed and could not be entered. There was someone in the news who got arrested for not mowing their lawn. I'm not making this up, just do a search; in fact it seems dozens of people have been sent to jail for not paying fines for not keeping up with landscaping in the US. Now, since being back in the UK for six years, I've not received a single fine, nor had any interaction with the police or courts. There is a big difference in how fines are applied in Europe and I agree with your comment that I do trust the EU more in this regard, based on the way they operate historically.
> Now, since being back in the UK for six years, I've not received a single fine, nor had any interaction with the police or courts.
I'm 26, have always been Canadian and I've never seen what you talk about there. It's disturbing that you had this experience.
The only fines I ever heard of someone getting were related to the road, and were mostly parking and speeding tickets. Even then, I also don't know anyone that doesn't drive 120 kph on a 100 kph road, and about the parking, the signs are pretty self-explanatory (though they can become pretty complicated where there's more than one).
If you follow what the signs say, that means you shouldn't get any of these fines. These fines are also defined, and you know what you risk if you don't follow the signs.
Now say the same about GDPR... much harder, I would say.
People drive at 120 on a 100 road and that's alright even though cars kill thousands each year, much more than keeping your shipping information in a database, yet you risk a much bigger fine for keeping that information without following the "signs".
This is true, I have never received a fine -- and furthermore, I personally don't even know anyone who has received a fine! Could of course be that some did and kept it to themselves.
I think UK is a special case here. In other EU countries it is not uncommon for corrupt civil servants to drown companies in fines to the point of bankruptcy.
Considering Europe's history of bloody nationalism, and the recent resurgence in that nationalism, as a non-European I don't trust Europe to refrain from using GDPR to persecute non-European companies.
In England and Wales, you could be fined £10^99 for having a crumb of cannabis in your pocket. There is nothing - and I do mean nothing - written in the Misuse of Drugs Act that requires any warnings of any kind, or places any limits on fines. The maximum sentence for possession of a Class B controlled substance is five years imprisonment and an unlimited fine. Period. A fine larger than the number of atoms in the universe is perfectly lawful under the Misuse of Drugs Act. The idea that we can trust judges and sentencing guidelines rings hollow to me.
> In England and Wales, you could be fined £10^99 for having a crumb of cannabis in your pocket. There is nothing - and I do mean nothing - written in the Misuse of Drugs Act
> The fourth, fifth and sixth columns show respectively the punishments which may be imposed on a person convicted of the offence in the way specified in relation thereto in the third column (that is to say, summarily or on indictment) according to whether the controlled drug in relation to which the offence was committed was a Class A drug, a Class B drug or a Class C drug; and
You've misread the legislation. The maximum sentences you're referring to are for summary convictions at a magistrates' court. Possession of a controlled substance is an either-way offence which can be tried at either a magistrates' or crown court. There is a higher maximum sentence if your offence is tried at a crown court, which is listed in schedule 4, namely "5 years or a fine, or both".
But that law has to be read in conjunction with others, which set out when trial is at magistrates or crown court; and what the sentencing guidance is.
The courts must follow the sentencing council guidelines unless it's in the public interest not to do so.
Judges don't have to adhere to guidelines as these are only guidelines. I have seen a couple of cases where people were punished severely for something rather minor. The only thing you can do is to complain about the judging.
> The primary role of the Council is to issue guidelines on sentencing which the courts must follow unless it is in the interests of justice not to do so.
> The Sentencing Council is an independent, non-departmental public body of the Ministry of Justice and replaced the Sentencing Guidelines Council and the Sentencing Advisory Panel in April 2010.
Yes, but the point I'm trying to get across to people is that there's a general legal requirement that the legal and administrative systems be proportionate, even if it's not incorporated by explicit reference in every piece of legislative text.
(I can't lay hands on it at the moment but there are clear guidelines to UK judges on what constitutes reasonable fines for offences, such that it should be feasible for the person to actually pay the fine)
UK judges don't have to follow the guidelines - these are just guidelines, but a judge can use his/her own discretion within the law. In the case of drugs, some judges display almost psychotic hatred towards drug users and can deal out punishment outside of the guidelines.
Yes and there's nothing saying I won't be arrested and thrown into a cell for the rest of my life if I say something incorrect by mistake when entering the US.
There's nothing that says IRS won't prosecute you if someone buys you a soda and you don't declare it as income.
Or that you won't be prosecuted by someone in the US if your blog has a copyrighted image and you don't receive a DMCA request that was sent to you.
See how ridiculous that sounds?
All fines can be administratively and judicially appealed.
> I won't be arrested and thrown into a cell for the rest of my life if I say something incorrect by mistake when entering the US
For the rest of your life? Source please?
You can be put temporarily into a cell for plenty of stuff but that's temporary. A fine is pretty permanent and when it can be millions, well that's probably the end of your business too.
> There's nothing that says IRS won't prosecute you if someone buys you a soda and you don't declare it as income.
Isn't it simply paying back what you should have + interest? (with some threshold)
Paying taxes is already part of the cost of running a business too (and that's a pretty low cost for a startup, versus having an actual trained DPO).
> Or that you won't be prosecuted by someone in the US if your blog has a copyrighted image and you don't receive a DMCA request that was sent to you.
Which is exactly why you try not to put copyrighted images on your website. Most of the time, PII isn't something you can just avoid for a business.
> All fines can be administratively and judicially appealed.
Any appeal represents a cost. A cost that you can't always support until the end.
At the end, it's all about the cost of the risk... that's it. GDPR seems a pretty high cost.
The IRS is probably the best US example of "proportionate punishments" and why people should not be overly afraid of GDPR.
The tax laws are vastly more complex than GDPR. The maximum penalties for tax fraud seem to be $250,000 + cost of prosecution + 5 years in jail.
If you make a small mistake on your taxes, and the IRS notices, you will probably receive a warning and have to repay it with interest. If you make a negligent mistake, you may be in addition be fined a small percentage, like 10-20%, of the amount you failed to declare. You have to conduct very large scale and intentional tax evasion for the maximum penalties to apply.
The IRS could argue for and try to apply the maximum penalties for a lemonade stand, but they don't. And people go on with their lives, put in their best effort to comply, and can be confident that they will be treated fairly.
I think you've got it backwards. GDPR is bringing civility back. I think it's great legislation that favors peoples privacy over business profits made by invading that privacy. As a business owner myself, I'm glad something like GDPR came along. I think it better reflects the society I want to live in.
That’s one guy in one case (that was eventually dismissed). There are probably a few handfuls of other examples you can post here. It doesn't hold a candle to the millions of people and businesses liable under the GDPR who face a nasty framework of foreign laws with no limits on fines other than $10/20 million.
Many countries believe their law applies extraterritorially. The US Foreign Corrupt Practices Act applies to any company that does any business in the US. A German director of a Canadian company that pays a bribe to an Ethiopian government official can be prosecuted under the FCPA if they set foot in the US. Sweden will prosecute citizens, and I presume residents, who purchase the services of a sex worker abroad. I don’t believe Kim Dotcom ever set foot in the US before the New Zealand government arrested him on foot of a US extradition warrant.
It's not as if US laws didn't have any extraterritoriality.
This is a disingenuous argument. The US has never passed a law that is this easy to violate outside of its own borders, is this ripe for abuse, and carries such enormous penalties and burdens for essentially everyone in the world that wants to operate a website. In fact, no country has ever done this before.
> The US has never passed a law that is this easy to violate outside of its own borders, is this ripe for abuse, and carries such enormous penalties and burdens for essentially everyone in the world that wants to operate a website.
The US has clearly passed many laws that meet all those criteria but the last (and with much harsher, often criminal rather than merely financial, penalties), so unless you believe that operating a website is somehow a unique class of activity deserving special protection from extraterritorial application of laws, this is a pointless comparison.
And there's actually a number of US laws affecting website operators that arguably meet all three criteria, as other comments point out.
> The US has never passed a law that is this easy to violate outside of its own borders
The US has a law requiring US citizens living and working outside of the US to file taxes in the US. Not doing that is a crime. You'll probably argue that this is different, since it concerns American citizens, but it isn't different, because it's a US law that is very easy to violate outside of its borders.
Lol, the US has FATCA which makes it very difficult for fintech startups to work with Americans. I'm an e-resident of Estonia, and almost all financial services state they cannot serve US clients.
Except that FATCA's sole purpose was to raise money, and the US isn't even compliant itself. FATCA is a whole different ball game to GDPR, and I don't recall the complaints from Americans when EU institutions were forced to implement it. In addition, the costs for implementation of FATCA were huge. Most people are halfway there with GDPR compliance already, unless they're doing something they really shouldn't have been doing.
GDPR is not a money making mechanism but a way of forcing compliance. I think that's the difference that many US people don't seem to understand.
Also I was responding to the comment that the US has never done anything like this, which is completely false, US people tend to forget what it's like for the rest of the world.
But that is in the eye of the beholder. With a maximum fine of $20 million, a country like Germany might say, for example, "Ok, small American company, yours was a minor violation. We'll only assess a $2 million fine - that's only 10% of the maximum! See how lenient and proportional we are? Danke und tschüss!"
You can litigate disproportionate fines, and there's a general requirement for proportionality in both EU law and under the ECHR.
Again, people are assuming that this is the first and only directive that has fines associated with it. It isn't. You don't hear a lot of people talking about the three month prison sentences possible for CE marking, for example - because very few of them have been handed out and only for egregious violations such as unsafe machinery that has caused injury.
Who's to say that 10% of the maximum for a minor violation isn't proportionate? Also, most small businesses do not have the resources to hire competent counsel on the other side of the planet to litigate these things.
> Who's to say that 10% of the maximum for a minor violation isn't proportionate?
A large body of case law, well-defined guidelines for evaluating harms and mapping them to fines, and the EU's general fear of stymieing economically productive activity (the motivation behind GDPR is to enable more data trading, not less, but within better-defined legal boundaries).
We have had laws with "open ended" sentencing guidelines since the very beginning of organised society. This is a solved problem.
There's a lot of American libertarians that believe government is intrinsically bad, for some reason. And also a monolith; they don't see any difference between bits of government, different branches, different types of enforcement, and so on. They're very loath to admit that it takes a certain minimum amount of structure to keep the roads open and the lights on.
I do agree with the power of government to break the prisoner's dilemma regarding public works, but not that they have that much control over people's behavior.
The tendency of people to follow laws has shown little relation to blunt enforcement. It has to do with people's tendency to follow norms.
I want to stress that this is a major point of political polarization in Europe at the moment. Even if this claim is true, it warrants a clear and articulated defense.
Also any Americans reading “we can trust X” will likely get a good laugh out of this.
It is irresponsible not to assume that if the law is written a certain way then at some point, the law can (and likely will) be enforced that way when it suits the government.
> It is irresponsible not to assume that if the law is written a certain way then at some point, the law can (and likely will) be enforced that way when it suits the government.
With the caveat that "the law" in this case isn't just the GDPR, it's the entirety of EU case law. GDPR exists in a particular legal context.
I get the impression I am misunderstanding EU law (not necessarily a surprise) when folks say things like "Civil law vs. Common Law" or "legal context."
If a law is on the books, it can be enforced in the EU, right? I understand there is precedent but precedent is not law, it's merely the common understanding of that law in that particular context. Precedent is overturned all the time (not to mention ignored when convenient), as it should be.
Is there a critical difference here that I am not understanding? Perhaps it has to do with the fact that the EU is not a state, but a high level guiding body for a number of states?
That is a fine analysis but I'm not sure what your question is. All laws exist in a legal context and analyzing them while being ignorant of that context is futile. That's all I was saying. I think almost all the people armchair-analyzing the GDPR in a hyperbolic manner would be equally useless at analyzing their own laws, in their own countries, for what it's worth. (someone in another comment said something contrasting the EU with places where laws are "not open to interpretation." Dear lord...)
That doesn't mean Jacques' analysis is not worthwhile, by the way. He is not ignorant of the legal context. Judging by the reaction to the article, this is going to be one of those situations where you can lead a horse to water but you can't make him drink.
I thought the article was well written, rational, and measured, and with the right leaning toward not capturing data to avoid worrying about the GDPR.
That said, I would've liked to see a bit more healthy skepticism about the ability of any sort of government or organization to avoid mis-using laws with a wide breadth when it suits them, especially if things slide toward tech-protectionism.
I mean some of those are bad examples, like the UK's government isn't great w.r.t. privacy (Investigatory Powers Act). Shocker that they might disagree with EU regulators.
But fair enough, nobody should be trusted blindly. This is why we have appeals and legal avenues to create checks and balances. So in the context of this discussion, it's pointless. We don't have to trust them. If a fine looks disproportional, there are legal remedies. Up to the ECHR, which is generally quite careful in its decisions.
If you don't trust the EU's legal system, that's a different problem. One that rings a bit hollow, and doesn't really further the GDPR discussion.
That is absurd and wrong. The law says the fine needs to be proportionate:
GDPR 83.1: Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Proportionate is in the eye of the beholder. As I stated in another response, an example might be that a low-level offense receives a fine of only 10% of the maximum - just $2 million. And apparently I don't need to worry, because I can just spend six figures hiring an attorney in a country I've never been to, who possibly speaks a language I don't, who will fight the case for me if the fine is out of line.
The mandate of the regulator is to create compliance. Of course any institution can randomly decide to act outside of its mandate. If they would start to do so, the courts would rein them in. Same as anything. Doing business in the US, with its notion of punitive damages that are completely unconstrained by law, is a much larger risk.
On that token, have you actually at all looked into how "proportionate" is interpreted legally? After all this isn't new and there are a vast number of regulations using the same legal language. Yet somehow business in Europe has not stopped. So prima facie your concerns are absurd, you have not brought evidence that there is an issue (or anything at all unprecedented really) and I have to wonder what motivates you.
As others have said, if you have no interest in complying with laws that protect my privacy, then it's appropriate for you to not do business here.
I'm assuming you speak English. Do you really think there's any lawyer in the EU, competent to litigate EU law, who doesn't speak near-fluent English?
(Actually, if the lawyer is from continental Europe, and you only speak English, they do speak at least one language you don't, but I'm guessing that's not what you meant.)
It doesn't need to be written there. It has been written elsewhere, long ago.
All state action is subject to judicial review, where proportionality is a big factor.
It's an aspect of due process that is being reviewed and enforced by every court, up to the constitutional courts.
Example: the German criminal code threatens „up to five years“ in prison for theft.
That does not mean that a first-time theft of a not-too-valuable object could get you five years. Impossible. But not written in the statute itself. But even if a court was mad enough to hand out such a sentence, the revision stage would be swift and without any uncertainty.
Actually, it's hard to conceive of a first-time theft offender going to prison, instead of paying a fine or at least having the prison sentence suspended.
> If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
> I don't really see what's special about this law
The key change is the fairly explicit punishments and apparent intent to hand them out for non-compliance. A lot of older regulations get considered by companies but the issues relegated, officially or otherwise, to "yeah, we'll apologise and fix that when someone notices" which might not be a good way to manage the risk management after next Friday.
> ... might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
Exactly. A lot of the unhelpful hysteria is being drummed up by consulting companies trying to sell their services to help others assess and/or manage their GDPR compliance: they are stoking the fears to improve sales.
The rest is coming from people who don't want to lose control of some of what they consider to be _their_ data. From a business perspective this is usually "I've collected it or paid for it, I should be able to keep it / sell it / use it, this is unfair, wa waa waaaaaa" and from a technical perspective many of us data people have flinch reactions to any idea of hard-delete or un-rollback-able update operations (they are not really impossible to roll back of course, anyone sensible is building considerations for backup retention policies into their procedures, but rolling back is less likely to be simple and can only be done during that retention window).
The consulting companies use exactly the same MO that Y2K consultants used. Cherry picking case studies and data sets to make executives think the sky is falling when in reality it's not all that hard to be compliant with GDPR and it really is comprehensible by an average person spending a day or 2 reading up on it.
Exactly that. Working as a data analyst for my agency's clients, I had more work in making sure my clients do not panic after having other consultants claiming that the world will end and what not.
It is possible to comply with GDPR in most cases with not too much of an effort (I know some processual stuff is just boring and ugly, but doable).
It is possible to not have a cookie wall of horror, if you "just" want to do tracking (analytics) or first party onsite marketing.
It will get more complicated with personalized recommendations, profiling and stuff. I have to admit this - especially with third party vendors and such - will be a little bit more fun/challenging.
The amount of discretion and lack of clarity in the penalties is part of the problem. It opens you up to risk based on the whims of politics and the regulators and increases uncertainty. Laws should be clear, limited, and understandable - this is not.
I really don't know why people think that the authorities will (or even could) automatically punish each minor infraction with 4 % of global revenue or 20 million €. GDPR article 87 specifies in great detail when fines should be imposed and how their value should be calculated, and the Article 29 WP also has a guideline on that:
It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.
I'm starting to wonder if there's an active disinformation campaign about this somewhere. Are people getting their fears from Facebook again?
Edit: If there is such a thing I bet it's Cambridge Analytica/"SCL group" involved, since they made their money from large scale nonconsensual abuse of political personal data, and have an arm dedicated to swinging elections with misleading Facebook adverts.
I mean part of the issue is that I literally cannot answer the question "are we GDPR compliant?". The amount of time we've spent figuring out whether we need to sanitize apache logs has been ridiculous.
If you search for GDPR IP address you'll get 100 different opinions on what you need to do. That in my opinion is what makes this law ridiculous. How can companies be expected to comply with something this unclear? I'm sure I would have had your opinion before I was the person who is ultimately responsible if my answer to GDPR compliance is wrong.
Everyone having issues with this is somewhere in the line of fire for a wrong answer to any of these questions. Our concern over the fuzziness of this law is very valid, I don't like uncertainty personally.
When all else fails, just make something up.
In the unlikely event anyone asks, just tell them you have no logs with their IP address. What are they going to do, check themselves?
Because those people tend to come from a country which doesn't have laws open to interpretation and thus marks people who drunkenly pee on a fence with the same sex offender tag as child molesters. If your country functions in a way where laws can't be interpreted according to context it's hard to think of a different system.
But they are different systems. For example contracts in the EU tend to be way shorter, as long as you get the gist. Contracts in the US are painfully long, listing things out explicitly, etc.
This is exactly what rules-based regulation (US) and principles-based (EU) regulation means, and why the GDPR is written the way it is.
Because they don't know anything about EU authorities and have no reason to trust that they have the interests of US small businesses at heart? To them, this could potentially be a money grab with no pain to their constituents. It's already playing out to some extent with their new tech taxes.
In an ideal world, yes. But that leads you down a Kafkaesque hole of bureaucracy - at some point you have to stop adding detail and leave things open to interpretation. There are plenty of laws out there with fines "up to €X" and, from my limited experience, I don't think the GDPR is especially ambiguous compared to others.
Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.
I think this is a common misinterpretation though because of the language - that the maximum fine is actually the minimum, because the figures that are talked about are "€20m or 4% of global turnover, whichever is the greatest." It's the emphasis on "the greatest" that has an undercurrent of "we're going to fine you the maximum of these two numbers."
I'm not sure what you mean by "actually the minimum". They will fine you the maximum of those two numbers, at most, if you flagrantly disregard the law.
Yeah, this is the confusion - it's difficult to write it out in a way that isn't ambiguous! I think the fact that there are two numbers, the higher of which is the maximum fine, may imply to some people that the lower figure is the minimum - i.e. if 4% of your global turnover is €100m then €20m is the minimum - but of course there in fact isn't a minimum. It might have helped comprehension if there had been an arbitrary minimum figure - say €100 - to anchor the discussions.
>Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.
Nothing in the GDPR states this. It's obviously the intent, but ultimately it's left up to the bon vouloir of EU regulators.
It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.
Neither Article 83 nor 29 imposes any actual limits. They say that those imposing fines should take some things into consideration. After which they can impose a multimillion-dollar fine.
It takes time, and real money, to be compliant, and getting slow on this quite plausibly can make one a repeat offender. You can, of course, say "don't be slow then", however, when for an out-of-EU entity (be it biz, or NGO) simple math doesn't show it is worth the effort, then it makes perfect sense to stop offering services to the EU. Which is a side effect of the legislation. OP apparently understands it puts GDPR in a bad light, so he talks about "overreaction" in every related topic, and this post likely comes as the response to the latest one.
But merely being a repeat offender isn't enough to trigger the maximum fine.
You'd have to be a consistent repeat offender, with no effort made at remediation, with no cooperation with the regulator, and probably handling sensitive or financial data.
Here's a list of recent actions taken. I think the current maximum fine is £500,000. Have a look through a few of these hopefully it's somewhat reassuring.
> It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender.
When I read things like this I realize how many companies are not treating user data as they should. Protecting user data should already be built into the company software and process.
Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.
As a user I suppose they should do whatever satisfies me, and I don't always need a bunch of populists from the EU parliament, who can't write a clear text, running to save me, making the field even more favorable for big corpos at the expense of SMEs and small non-profits in the course of action.
>Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.
That would be good news for the EU, of course. Even before GDPR, entrepreneurs were routinely advised to incorporate in the US instead, and the legislation likely added incentives for that.
Yes. We've had PECR for years. If companies are surprised by GDPR they're probably already violating PECR.
But, despite this widespread non-compliance and fierce fines available to the regulators, the sky hasn't fallen. Why do people think GDPR is suddenly going to make things so much worse?
The OP reacts to news of businesses stopping serving EU, and those businesses are from outside of the Union. So PECR is not so relevant.
>despite this widespread non-compliance and fierce fines available to the regulators the sky hasn't fallen
Don't you really see how absolutely wrong this is? When a law is composed in a way which makes it in practice only selectively applicable, it leads to erosion of justice and invites corruption.
General law applies as well. There's lots of case law on the size of fines.
Which means in practice that if x other people have been fined around y for an offense similar to yours, your fine has to be in the vicinity of y. Ditto if x people have been fined more for larger offenses or less for smaller. This kind of assessment is routine. General. It's not something that needs to be written into each and every law.
The law says that the fines should be "effective, proportionate and dissuasive". That gives companies ample room to challenge a fine that is way out of proportion to the damages caused to their users.
If you are fined 10k-100k you have the typical problem of whether it is worth fighting.
But you are supporting the argument that you could be illegally (according to article 83) fined 4 million euros as a first offence because a regulator wants to be disproportionate and set an example with your small company and then have costs of 10-100k to throw out an obvious case, but it wouldn't be worth it?
I don't think there's a need to cut the transatlantic cables, but if a company doesn't want to take proper care of user data then it's perfectly reasonable that they stay away from that market and let other companies have that business.
Maybe you should list all of the possible cases that could be initiated against you as a business owner in the US and which ones you can and can't guard against before you worry about that cable.
If the penalties were exact and written into the law then companies could simply make more from your privacy data than the fine they would have to pay. That would have the opposite effect of the law. Adding a clause that the fine is discretionary gives the enforcer the ability to adapt to this sort of behavior.
> based on the whims of politics and the regulators
Political whims? Maybe in the USA judges and prosecutors and police chiefs are elected every few years and these things are political and can change, but this isn't the case in many EU countries.
That Varonis link gets posted quite a bit, but it drastically over simplifies things and even tries to poke fun at some aspects of the legislation. The ICO site is a much better read for this.
Fair point - my intent was to point out that some sources which are less intimidating than others. If all you read was the Varonis link you'd be in trouble, but if someone's the kind of person who thinks that they can read one blog post and understand the GDPR I'm not sure they're the kind of person that can be helped anyway...
I would even go as far as saying that that article is straight up wrong/misinterpreting at least some of the articles.
I randomly checked Article 14, as I am wondering how I am expected to communicate to users that I don't collect any PII([0]), and it turns out Article 14 is not about
"You need to tell people what you’re doing even if you’re not collecting personal data."
but about
"Information to be provided where personal data have not been obtained from the data subject" = "You have collected personal data about the data subject, just not directly from them, but via some other source"
[0]: Even though I'm not sure if that's even easily possible for any company that has a website, now that IPs can fall under PII.
I am concerned that the effect of this legislation on the private individual is the opposite of the stated intention.
People are being forced to sign agreements which jeopardise the natural rights to their data which they would otherwise have.
One example: a friend who has a very pretty daughter was asked by her school to give them the right to film her and to use any and all such recordings as they see fit for 50 years even after she leaves the school.
This feels very wrong on just about all the conceivable levels.
I am not sure where you are, but this is usually standard. You can’t film someone at a place where there’s some expected form of privacy and use that footage publicly.
Talking about GDPR, the fact they had to ask is proof it works. It’s an opt in. Your friend now has the option to say yes if they want to share it, but the default is no.
There are also provisions for withdrawing consent after giving it. The agreement can’t go above that law.
What? It's the opposite, it allows you to access and delete the data, even if you gave consent one time.
And your image concerns a lot of other old laws, even if you sell it you can get it back later.
I have difficulty in understanding your language and in following your logic. Surely, signing away the rights to your records for over 50 years can not be better for you than not signing them?
GDPR states that even if you give consent now you can withdraw this consent anytime. So even if OP consents now and in one year decides he/she doesn't want the daughter's videos being used anymore, he/she can do this and the school needs to honor that (or else: big fines).
So GDPR helps you in maintaining control over your data as you see fit.
This law has nothing to do with signing away the rights of your image to be used for publicity, though. GDPR does not come into play at all in the scenario with your friend’s daughter; the school is likely abusing laws in their request and should be investigated, but those laws aren’t related to GDPR and the existence of GDPR does not somehow cause the daughter’s position to be weaker here.
Consent could be withdrawn before or after GDPR. My guess is that the school have realised they're at risk of having to reprint all their promotional materials if consent is withdrawn.
So they need a contract, a model release. They needed that before GDPR. If you don't like the terms, don't sign it.
English may not be my mother tongue but I can logically follow an argument.
Your friend's daughter was not obligated to sign such a contract and GDPR reinforces previous laws protecting her image ;)
The only thing which would make that outrageous would be an element of force (which would make it not consent anyway, but I digress). Instead, you're giving an example that explicitly allows for a denial. That's exactly as it always should have been, so I really don't understand what the point is that you're trying to make here.
The point is simply that the school is now at risk of huge fines, so in turn it puts pressure on parents to sign as strong as possible waivers. Not many people here seem to understand it but that is what is happening.
The force is of purely psychological nature, of course: "surely, you don't want to cause problems to your school?"
What richmarr said. If a contract is in place, then the terms of contract would take precedence over GDPR as "legitimate interest". In other words, zero change before or after GDPR. If the school is trying to get free modelling out of the kids with tick boxes, they risk the consequences, GDPR or otherwise.
Under the GDPR, consent must be revokable, at any time, and as easy to withdraw consent as to give it. So you could sign that. Then 5 minutes later withdraw consent.
Additionally consent must be "freely given". If you would be punished (e.g. expelled from school) then you haven't given consent, so they can't use it.
"freely given" is not a very clear concept in these circumstances. Parents do not want to antagonise the school and/or put their child at some kind of disadvantage, so they sign. Is that still "freely given"? It looks like GDPR is being used (as an excuse?) to make parents sign things which otherwise they might not. I hear you say that that is not the problem of GDPR and you can withdraw your consent later but how many will know that or remember to do so?
From the above "school might have to reprint all its publicity materials if consent is withdrawn" it is clear that this would be viewed as being antagonistic towards the school and its interests.
> Parents do not want to antagonise the school and/or put their child at some kind of disadvantage, so they sign. Is that still "freely given"?
That's a good point, and there might be a court case about that. I agree that the parent probably doesn't have enough free choice. If the law was to say "That isn't freely given", then the school doesn't have consent, so they can't use the images! That's the beauty of it. It's a different legal viewpoint than "signed contract über alles". The DPA should look at whether you had real consent.
> it is clear that this would be viewed as being antagonistic towards the school and its interests.
Good? The whole point of the GDPR & EU data protection law is to push the pendulum the other way, because it's gone too far. If someone can come up and force them to reprint everything, and then someone else force them to reprint everything, well maybe they should collect less personal data? If they didn't collect personal data, they wouldn't have this risk. EU law is trying to discourage massive data collection.
That's a US-ism. Somewhere between many and most countries have a "natural rights" concept that considers certain creator/subject rights to be inalienable and neither belonging to recorders or permanently assignable to them.
Well, I don't know. I am asking. She is a minor under orders of the school, so she is in no position to refuse being filmed, anywhere in the school, showers, toilets, anything.
Suppose she in later life becomes a Hollywood star and her school starts selling these recordings of her on the internet because, after all, her father has given them a permission to do this for fifty years ahead?
> I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data
We are still waiting for the first court battles that will help determine how GDPR is actually enforced in practice. Until then being in compliance with GDPR is gonna be like herding invisible cats, and it's likely well-intentioned people will get burned and OP ends up with major egg on his face within a year's time. I want to drink the EU koolaid as much as the next person, but that's just naive.
> We are still waiting for the first court battles that will help determine how GDPR is actually enforced in practice.
I'm wondering if this is yet another point where cultural differences are muddling the discussion. In particular, the difference between common law systems (like the USA) and civil law systems (like nearly all of the EU).
In civil law systems, the judge's interpretation matters much less than in common law systems. Mainly because everything is already codified into law.
Reminder: you have to legally comply with every letter of the GDPR, not just the TLDR version. Saying "but we implemented the TLDR version" is not a legal defence.
This concern applies to all laws though. Not murdering people doesn't require you to spend ages examining the exact text of a statutory definition of murder. The tl;dr version is enough for me to grasp that kicking somebody in the head until they stop breathing isn't allowed.
I remember back in the day there was no such concept on the internet. Your identity didn't translate to anything in the real world. At some point people started to treat it as 'real world but on the computer' instead of thinking about it in a totally, radically new way about 'self'/'identity' etc. People thought of their internet profiles as their own self.
The Internet age was killed even before it started. The endless promise of the internet to free human beings was thwarted by paranoia, censorship, laws etc.
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individual's privacy perspective, it's fantastic.
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for GDPR IP address, you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?
At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".
And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".
So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise rather than thinking about it and do the correct, ethical thing in good faith?
Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is ineffective.
Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.
> So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise rather than thinking about it and do the correct, ethical thing in good faith?
When doing the ethical, moral, right, correct thing might still be considered falling short of "reasonable measures" by some bureaucrat? It might be kinda nice to have had more detailed guidance.
> NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures"
Yes, so a law or rule or EO says "you must be compliant with this framework" - the GDPR just left off the part where they have controls/a framework.
It's not rigid box ticking, a control defines what you need to do. How you do that is up to you and should be updated often as things evolve. For example, in the GDPR I would say you must catalog data collected and perform a personal data assessment with justification for whether "piece of data" is personal data or not. I can comply with that, I have lots of supporting documentation that an IP address does not personally identify a person.
Then if a regulator releases a clarification that an IP address is personal data or the consensus of the security community changes or whatever happens, I just update my security plan and make sure the IP address is handled the same as all of the other personal data in our systems and I was never out of compliance.
It basically works the same in practice, you must make a good faith effort to comply -- but proving you made a good faith effort and documenting what you did and why is also part of the compliance framework. The GDPR doesn't have that, you're at the whims of the EU because there is nothing except internet opinions on how to comply.
Fair enough. As an implementer at a company, I can understand that sentiment. But the GDPR isn't for companies, it's for users.
Laws and regulations tend to stick around for longer than expected, and they're static. Technology and "cyber criminals" are dynamic. For better or worse, the GDPR acknowledges this. I think that's a testament to the Article 29 Working Party, in a world where most politicians are clueless about technology.
> Fair enough. As an implementer at a company, I can understand that sentiment. But the GDPR isn't for companies, it's for users.
You're absolutely right! GDPR is wonderful for users as a ringing and clear statement of human rights.
Unfortunately, it also needs to be for companies because it affects companies just as much as users. I would go so far as to say GDPR rests almost entirely on companies to turn this stirring declaration of human rights into rights said humans can actually make use of. In this regard, it's a collection of opportunities for improvement of awe-inspiring proportions.
You're right. Technologies and threat landscapes change. Regulation needs to acknowledge this or be worse than useless. Yet, perhaps there are ways to deal with this that don't rest largely on handwaving away critical questions of what compliance actually might look like with weasel-words like "reasonable".
It is one of the most basic tenets of any legislative system that penal provisions be as precise as possible so as to avoid any abuse from the legislator or the executive body tasked with enforcing said statute.
If the legislation is principle based or overly broad so as to cater to the notion that it will be enforced in an ethical and moral manner the purpose shall be defeated.
As such, there shall be no manner in which the individuals who are regulated will have any sense of how to comply with the legislation and ultimately this undermines the rule of law as well as the respect of the public for such legislation.
Such legislation that sets out fines and penalties, especially the absolutely ridiculously high penalties provided for by GDPR, must be as precise as possible so as to ensure the public knows exactly what is prohibited and what is not. This is notwithstanding the fact that this marvelous bit of administrative madness has the ability to bankrupt any organisation up to and including developing countries.
To trust that the executive body will apply regulations in an ethical and fair manner is a rather paradoxical view especially when such regulations also include mechanisms for judicial review and public control. Thus, legislation which claims to be fair and ethical is also, by the same token, providing measures in case the system is abused, which is again rather paradoxical.
These are not apples and oranges, this is a massive administrative monster that contains penal sanctions and as such must be rule-based, based on basic legal principles that apply in pretty much every jurisdiction, European or otherwise.
> So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise rather than thinking about it and do the correct, ethical thing in good faith?
What if my opinion of what is ethical differs from what regulators decide? Opinions are notoriously inconsistent, subject to bias, and easily used to discriminate.
> So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise rather than thinking about it and do the correct, ethical thing in good faith?
Yes, because if I’m supposed to comply with something, I want to know exactly what I’m complying with.
Right now I think I'm already doing everything in good faith, but the enforcers of the GDPR may think differently.
This is why we have laws - so we can be held accountable exactly.
GDPR fundamentally cannot tell whether storing of IP addresses is OK - because it's the processing of personal data for a specific purpose that can be lawful or not, and there's an infinite number of possible processing purposes.
For example, if you're a CDN business, and naturally need to fight DDOS attacks, then storing exact IP addresses for all requests for a few weeks easily falls under "legitimate interest" (GDPR 6.1.f). On the other hand, if you're a political news site, then storing IP addresses and URLs for the purpose of determining political preferences of people without their consent is very clearly illegal, taking into account that an IP address can often be static and so identify a specific person.
Yes, it means that you have some decisions to make yourself, and the regulator might disagree with your decisions, but that's true about pretty much every new law, no?
I think it gets "hate" from people who don't have much data but they still have to implement all the requirements, which go beyond their own data storage. Ad-supported websites are probably the most common case here, even if the sites don't store any data themselves.
And that is a good thing. This >23 different trackers and adservers just to read crappy news content BS is so nice to be shaken.
I really love the GDPR for just making the life for such business models way harder.
Implementing data, analytics, tracking and stuff in a way that is compliant with GDPR (or its local equivalents) is doable and from an architectural point of view even interesting imho.
I love building GDPR conforming data architectures with my clients right now.
I suggest you remove the 3 trackers from your blog, or at least let me see it without them. I'm not trying to be snarky, just pointing out that removing everything is often very hard.
Well. I know that I have GTM, GA with DC integration (currently) still active on my blog. DC integration will be dropped and the privacy page will be updated to describe what I am tracking and how long data is being stored. As needed to comply with GDPR/DSGVO.
As I am still having 7 days to go and that is just a personal blog, I plan on using my free time to do that (would just take 3 - 5 minutes to disable everything if I wanted to by removing GTM and redeploying).
So removing everything is quite easy. It is way more difficult to selectively remove singular features - in this case the DoubleClick integration. As I am not doing that exact step all day (even being a data analyst with a focus on web data), I would have to look where to configure that exactly. That would take longer.
So be snarky - I don't care, as I am already preparing for GDPR compliance and will have my house in order come May 25th.
[Edit]
Took 12 minutes in the end. Will take some time until caching catches up. Using an incognito instance all good to go regarding the trackers. "Only" the update for the privacy page remains for the weekend to do.
> the privacy page will be updated to describe, what I am tracking and how long data is being stored. As needed to comply with GDPR/DSGVO.
I thought the GDPR required users to opt-in to tracking (if consent is used as the lawful basis for processing), and if they choose not to opt-in, you must disable the tracking while still providing the service. Are you sure just updating your privacy page is enough?
Then there are the requirements to allow users to download or delete their data.
No. That is just plainly wrong. GDPR allows for tracking without opt in. It just needs to enable you to opt out of being tracked with for example a link to opt out in the privacy policy page. Something I still plan to make more visible (in the footer or something like that), but is already there [0].
These so called cookie layers are not necessary for tracking. They are not even necessary for first party on site advertising. For that you also do not need consent if you read the GDPR/DSGVO (German version).
In the DSGVO it is §6.1f [1] you would want to read about. There is even an elaborate explanation from the German legislation [2] what "Berechtigtes Interesse" (legitimate interest) exactly means.
So to make this short: direct marketing as well as tracking is totally fine even without consent. Give an option to opt out, explain why you need the data, what you do with it and how long you store it as well as a point of contact (for people wishing for their data to be deleted) and you are fine.
As long as you do not do profiling or stuff like that. A personal blog/website is then totally fine with GDPR. Btw. you would need to add all of this to your privacy page even if you had no web tracking installed, as your webserver probably would have logging activated. Having an IP address in there makes this data fall under the GDPR (at least in Germany). So you would need to explain all that stuff because of the log files nonetheless.
First of all I did not mean to make you change your blog site - I was just pointing out that the law applies to everything no matter how small.
Second, are you sure about this? My understanding is that if you use third-party tags such as analytics you need to get consent from users and not to use them if they don't consent.
One other thing that is not clear to me is if we need cookie prompts, and how can we implement cookie opt-ins/outs without being able to set cookies.
I am sure. At least in Germany the respective privacy protection agencies (federal system so multiple agencies have their say) already stated that "pure" analytics and "pure" advertising is ok without opt-in, only an opt-out needs to be provided.
If you do linking of such stuff (like Google Analytics with DoubleClick) you need an opt-in. Only then is the opt-in cookie banner really necessary.
Or perhaps these people/businesses have much more data about you and don't want to share how they monetize their "free" services by selling/renting/aggregating/analyzing your data?
Think of all the free apps: I was in a conference with startup founders bragging about the business they make selling the location data of app users by incorporating some third party libraries in their apps without the users knowing. Of course, everything is anonymized, is it?
Ad-supported websites on the other hand have only to document what is going on and get the consent of the user. That's a simple notification bar with a button, like the cookie notice, plus a page detailing the privacy policy. The GDPR even mentions legitimate reasons for collecting, storing and transmitting personally identifiable data like technical or business needs. And in addition, almost all ad networks are going to anonymize IP addresses by stripping some bits and have opt-out features for being profiled.
I'd wager for the vast majority of websites (>90%) it's just the ads, IPs and email addresses. Most websites have no monetizable use of your private info other than ads.
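The bit-stripping mentioned in the comment above, as an added example that is not part of the original thread: a small Python routine that truncates IPv4 addresses to their first 24 bits and IPv6 addresses to their first 48 bits before they are written anywhere, plus a scrubber for Common Log Format lines. The prefix lengths and the sample log lines are assumptions chosen for illustration, not values any particular ad network publishes.

```python
import ipaddress

# Added example, not code from the thread. Prefix lengths are assumptions:
# keep the first 24 bits of an IPv4 address and the first 48 bits of an IPv6
# address, zeroing the rest before the value ever reaches a log or database.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def truncate_ip(ip_text: str) -> str:
    """Return ip_text with its host bits zeroed. Raises ValueError on junk."""
    ip = ipaddress.ip_address(ip_text)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    mask = ((1 << keep) - 1) << (ip.max_prefixlen - keep)
    # Rebuild with the same address class so a small IPv6 integer is not
    # misread as an IPv4 address.
    return str(type(ip)(int(ip) & mask))


def scrub_log_line(line: str) -> str:
    """Truncate the client address in a Common Log Format line.

    Lines whose first field is not an IP address are returned unchanged,
    so a malformed line is never silently dropped from the log.
    """
    client, sep, rest = line.partition(" ")
    try:
        return truncate_ip(client) + sep + rest
    except ValueError:
        return line


def bucket_sizes(addresses):
    """Map each truncated prefix to the number of raw addresses it absorbed.

    A bucket of size 1 shows that truncation alone did not hide that
    visitor; an IP+timestamp pair remains a very selective key.
    """
    sizes = {}
    for raw in addresses:
        key = truncate_ip(raw)
        sizes[key] = sizes.get(key, 0) + 1
    return sizes


if __name__ == "__main__":
    # Constructed sample input, not real traffic.
    sample = [
        '203.0.113.57 - - [21/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
        '203.0.113.58 - - [21/May/2018:10:00:01 +0000] "GET /a HTTP/1.1" 200 17',
        '2001:db8:abcd:1234::9 - - [21/May/2018:10:00:02 +0000] "GET /b HTTP/1.1" 404 0',
        'garbage line with no address',
    ]
    for entry in sample:
        print(scrub_log_line(entry))
    print(bucket_sizes(["203.0.113.57", "203.0.113.58", "2001:db8:abcd:1234::9"]))
```

Truncation is pseudonymisation at best: a /24 that only one visitor ever hits from is still that visitor, and the timestamp next to it narrows things further, which is why the retention period matters as much as the stripping.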
> Ad-supported websites are probably the most common case here, even if the sites don't store any data themselves.
Internet advertising is a viper pit of privacy invasion. They didn't get their house in order, and let it turn into the horrible mess it is today, so they shouldn't be surprised that the regulators stepped in.
I rather think it gets a lot of hate because it leaves a lot to the discretion of the regulators. Overall, the SMEs I talk to don't have a problem with regulating data (most think it will pop the gangrenous ad-tech bubble). It's the lack of predictability that bothers them.
It is the converse of the second that worries people. Look at an ironically US example of Slingbox forwarding TV antennas to other locations in a 1:1 fashion specifically to not count as rebroadcasting. That took a Supreme Court case and much legal maneuvering to sink something that was legal because they didn't like it.
People are rightfully worried about "you followed the law completely but we don't like it so massive fines!".
> People are rightfully worried about "you followed the law completely but we don't like it so massive fines!"
That seems largely independent of how precise/vague the laws are, if you're expecting the enforcing party to find a way to get you regardless.
The 'defence' here seems to be that you can make a decent argument that you've taken appropriate measures to conform with your [reasonable] interpretation of the rules.
The regulator can object (and possibly penalise you) if they think you're not acting in good faith, or you have a grossly unreasonable interpretation of those rules. You can object to an unfair interpretation of the rules by the regulator as well.
Either way, if The Powers That Be want you nailed to a wall, they'll find a way, this particular regulation or not.
You make reference to a legal system that precisely defines what is or isn't legal, and then give an example of a company who were legal, but who got prosecuted / sued anyway, and who lost.
Law is not just the acts and statutes, it's case law too. We have strong guiding principles in GDPR, and we have mostly clear direction for what is or isn't acceptable. And now we wait for regulation to happen.
> so massive fines!".
No. "We don't like it, so here's a letter telling you what we don't like, with suggestions for current best practice". At that point you either change to come into compliance, or you write back and explain why you think you are in compliance. European regulators (at least the ones in the UK) try to avoid fines. The UK's ICO has never used their maximum fine, and there have been some serious data breaches in the UK.
Hate? Try to think of it from a business in the US perspective that wants to know why they have to (for lack of a better way to put it) bogu to an entity that does not represent them in any way. And the fact that you might sell something or service customers in Europe does not mean you should have to answer to any rules that they setup either. Should the town that I live in and operate a web site out of be able to have rules in place and then go after citizens in the EU for not abiding by them?
And actually it's one step further since many of the procedures and rules are being taken broadly and universally even against entities (businesses and us persons) that aren't even covered by the GDPR.
And no it's not like 'oh if you want to sell a car in Europe you need to certify this and that' that is not the same thing. Why? Well for one thing the golden rule. If you want that car allowed through the port you need to do what they tell you to do or they have a right to not allow it on their land. In this case their citizens are utilizing US websites and therefore it's on them to determine if they feel the service or product they are getting is fit.
I am referring to US businesses that don't have an office or physical presence in Europe. To those that do the 'golden rule' applies.
Here in UK I have been receiving about 5-10 emails a day from various companies - most of whom I don't remember - telling me I need to sign up again so they can keep my details and keep spamming me.
Same here, finally recruitment agencies will unsubscribe me from job offers that I'm totally not interested in. I used to get a few emails per week asking me if I'm interested in relocation and work in [insert programming language I have no experience in]. I asked them many times to stop emailing me this crap, they never did until this week :)
Indeed. I was reading a tragic article about the energy cost of bitcoin and I started to wonder how much energy, bandwidth, HD space is totally wasted on sending everybody spam, junk, messages every day that they will never read. And keeping info for the same. I wonder if it is a reasonably large chunk of the total energy and infrastructure of the whole web?
Maybe we could power a big Chinese city just by getting ourselves deleted from gym mailing lists (weirdly a gym in Cardiff sends me spam mail -- I have never been to Cardiff???).
I bought something on Ebay and the Ebay seller has been spamming me with offers ever since. I didn't sign up to any newsletter. I was not aware that such thing would even be possible with Ebay.
Now they sent me a message telling me that I should sign up again on their website to continue getting their messages. No thanks.
I'm sure there are plenty of bad actors who will keep spamming regardless. Thankfully those ones seldom get through my spam filter - so barely trouble my consciousness.
Yes same for me, and I think it's a great thing because my information leakage risk will shrink significantly in the next weeks due to companies deleting data they have from me that they should've deleted long ago in many cases.
I got a mail from a sports club I'm pretty sure I've never visited asking me to please reply to remain subscribed. That was weird, wonder if I visited their stadium once for a concert or if someone just mistyped their mail.
I have a lot of companies emailing me saying I can opt-out, I thought that was the opposite of what the law is saying?
Eg. If you continue using our service after 23rd of May you automatically agree to the new terms. Huh?
The GDPR requires affirmative consent for each specific use of your data. If the company had previously asked you "Please tick this box if you would like to receive marketing messages from us in the future", they don't need to ask for your consent again but they do need to offer an opt-out. If the opt-in was pre-ticked, vaguely worded or mandatory to submit the form, then that consent is no longer valid and they'll need to ask you to opt-in. If you didn't specifically opt-in but were getting marketing messages because you had done business with them, they need an opt-in to keep sending those messages.
I'm also deluged with them. And have to go looking for half of them in the Spam folder. Deep joy.
The reason being that in the past I've picked up some really nice contracts from recruitment agencies phoning or emailing me out of the blue, so I want to remain contactable.
So, yeah. Great. Thanks for the massive proxy unsubscribe request.
Constantly trying to whitewash over the fact that GDPR is a huge pain in the ass and will involve a lot of work for a lot of companies is what I don't understand, but Mr. Mattheij has been doing it for months, so that's evidently very important to him for some reason.
It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products to interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.
If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.
One might argue that your company doing the "custodial" data work over the past few weeks and building in the mechanisms in order to handle that data in a more nuanced way is something that should have been done beforehand, and that the fact that you had to take time out to look at it means the law is doing exactly what its drafters wanted it to do.
Of course there are 1001 things YOU deem more important. All that says to me is that your interests and priorities are not aligned with how people in the EU want their data handled.
The WHOLE POINT of GDPR is that many companies have continually pushed PII data handling down their list of priorities. As a result, the EU has decided to step in and use a law to bring it back up the list.
I don't think he whitewashes that it's a burden. But he does try to address some of the panic and hysteria.
I care about privacy. Perhaps Mattheij does as well, and that's why this is important to him. If you agree with the spirit of the legislation, then I think you should also consider this a great opportunity to do the right thing, instead of a hassle.
Oh man, the rest of us are so sorry that you are now required to responsibly handle personal information.
To quote the author:
> Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.
I am happy the author is fighting the power. However since most of us live in society we generally would prefer less chaos.
The difference between investment to collect data and investment to protect data is there is no ROI for compliance (in any compliance domain) so the capital is not easily available.
Instead of punishing companies for existing in the universe and subject to the laws of thermodynamics, the most effective compliance regimes help transition companies proactively to lower the pain which will lower the cost to GDP and thereby angst from human beings.
The GDPR body won’t even answer basic questions like whether IP addresses need to be retained or not because of the competing requirement of the EU security directive.
They have had 23 years too to prepare for this change. And they own the privacy directives. You’d expect them to be better prepared themselves. But they are being kind of arrogant and unhelpful. I suspect because they know they did not make a perfect law and they will figure it out in case law later. This capriciousness is also super annoying.
> The difference between investment to collect data and investment to protect data is there is no ROI for compliance (in any compliance domain) so the capital is not easily available.
And now GDPR can bundle both together, so that the ROI for collecting data pays for the cost of handling it reasonably, because otherwise you can't collect it.
It levels the playing field and fixes the broken incentive structure around data collection.
There's certainly no need to panic. The article doesn't address that apart from mindless hysteria there are some very real issues with GDPR. It doesn't have to of course because as the title suggests it's more about dispelling panic than about giving concrete advice.
However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:
- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically we might very well see GDPR actually benefiting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.
- How exactly does a privacy policy have to be worded so I don't get sued on day 1?
- In which way will I still be able to store address data for contacting my existing customers?
- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.
- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?
Run your small company website without gathering personal data?
No one can sue you now who couldn't before. I'm baffled that so many people believe this. I could complain about you to my country's regulation body. Then they could decide to audit you, and for a first offense issue a warning.
If you need the address data for marketing only, and you didn't get an explicit (opt-in) yes to receive marketing, then sorry. Get that explicit opt-in yes in the next week, or delete the data.
If you need the address data for other reasons, for example fulfilling your contract with the customer, or tax records, then keep it. But _only use it for those real reasons_. No free marketing lists. Sorry.
Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.
Google seems to think you can still use Fonts. They also seem to think they will be the data controller, and not data processor, for any user data they scoop up [1]. This seems a bit weird to me. This is the only one of your questions that I'm really not sure about. If it was me, I would just host the font locally so I was sure.
I liked the article, but have a lot of issues with it. This is one of my main ones: IP addresses and information security. Quoting you:
> Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.
How long is necessary? What does limited mean? Does a regulator now get to determine what sort of algorithms I can use to protect my assets? Advanced persistent threats (https://en.m.wikipedia.org/wiki/Advanced_persistent_threat) can exist over a very extended--and arbitrary time period! I'm in the security software industry, and we and our customers need to detect and react to these threats. That requires data which you simply cannot obtain an opt-in for. Sure, you put that in a posted privacy policy, but if you can only keep the data for 30 days, this means actual evidence of a crime might need to be thrown out.
As long as is needed for the stated purpose. If you're doing IP-based rate limiting with a 1 hour window, it probably doesn't need to still be in your systems >12 hours from now. If you're doing longer term IP reputation or something, keeping it around longer can probably be justified.
> What does limited mean?
The same. Long enough to serve its purpose, and no longer (without justifiable exception, such as being evidence of an actual crime, etc)
> Does a regulator now get to determine what sort of algorithms I can use
Not really, any more than they already do.
"Not guilty, Your Honour; you see, we do store people's HIV status against their real names on the public blockchain, but don't worry, it's ROT-13 encrypted! Twice!"
Also, remember that it's not really the IP that you care about (from a privacy perspective). An IP+timestamp is a very discerning selector, if you have any other data at all.
Nobody knows that '192.168.1.1' is actually me. And even if they did, does it really matter?
But maybe they know that only $IP hit /orders/confirm within 5 minutes of some other system recording that $ME placed an order with other details.
From a privacy standpoint, it's your ability to cross-correlate that IP and whatever else you know about it that could allow identifying and tracking/profiling the actual person using it.
Suppose your marketing dept asked you to scan the last few weeks of security logs to see if you'd had any hits from ranges belonging to $BIGCORP who you're in tense negotiations with? Is that Ok? Or would you refuse because the security logs are collected exclusively for certain purposes of which that isn't?
what value do you get from keeping them for years? Are you actively analysing and re-analysing them for any particular purpose, or is it more of a 'well, you never know...' sort of deal?
"they change often" is arguably a good reason for not keeping them. What advantage do you get from knowing that 10 years ago $IP was sending you spam if it's been though 20 different re-allocations and tens of thousands of 'actual owners' since then?
Imagine if google or cloudflare were logging every single query to their public DNS and correlating it with other access logs or google analytics or whatever. They'd be able to relatively trivially deanonymise huge numbers of actual people's identities and browsing history (beyond what they can obtain already).
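Retention bounded by purpose, as an added example that is not part of the thread: the "1 hour window" rate limiter from the reply above, written so that each IP-keyed timestamp is discarded the moment it falls outside the window and a purge step forgets addresses that have gone quiet, rather than holding them "just in case". The one-hour window, the hit limit and the sample address are assumptions chosen for illustration; the point is that the retention period is a parameter of the stated purpose, not a separate policy bolted on afterwards.

```python
from collections import defaultdict, deque

# Added example, not code from the thread. Window and limit are assumptions.
WINDOW_SECONDS = 3600.0   # the "1 hour window" from the reply above
MAX_HITS = 100            # requests allowed per address per window


class IpRateLimiter:
    """Sliding-window limiter that keeps an address only while it is useful.

    `now` is passed explicitly (seconds, monotonic) so the behaviour is
    deterministic and testable; a real caller would pass time.monotonic().
    """

    def __init__(self, window=WINDOW_SECONDS, max_hits=MAX_HITS):
        self.window = window
        self.max_hits = max_hits
        self._hits = defaultdict(deque)   # ip -> timestamps inside the window

    def _trim(self, queue, now):
        # Drop everything older than the window: those timestamps serve no
        # purpose any more, so there is no reason to keep them.
        cutoff = now - self.window
        while queue and queue[0] <= cutoff:
            queue.popleft()

    def allow(self, ip, now):
        """Record a hit and return True if it is within the limit."""
        queue = self._hits[ip]
        self._trim(queue, now)
        allowed = len(queue) < self.max_hits
        queue.append(now)         # blocked attempts still count against the limit
        return allowed

    def purge(self, now):
        """Forget addresses with no hits in the window. Returns how many."""
        forgotten = 0
        for ip in list(self._hits):
            self._trim(self._hits[ip], now)
            if not self._hits[ip]:
                del self._hits[ip]
                forgotten += 1
        return forgotten

    def tracked(self):
        """Addresses currently held in memory (the set a regulator would ask about)."""
        return set(self._hits)


if __name__ == "__main__":
    limiter = IpRateLimiter()
    client = "203.0.113.57"            # constructed sample address
    decisions = [limiter.allow(client, float(t)) for t in range(MAX_HITS + 1)]
    print("allowed:", decisions.count(True), "blocked:", decisions.count(False))
    print("purged after 10 min:", limiter.purge(600.0), "tracked:", limiter.tracked())
    print("purged after 12 h:", limiter.purge(12 * 3600.0), "tracked:", limiter.tracked())
```

Run purge() from a timer; a limiter that only trims on the next request from the same address would otherwise hold a one-off visitor's address indefinitely, which is exactly the "well, you never know" retention the thread argues against. Longer-lived IP reputation data is a different purpose and would carry its own, separately justified window.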
That is not true, GDPR is a law, and in the past most EU countries did not have such stringent requirements. You couldn't be sued (Edit: i mean by the DPA).
My point is that you won't be sued for the GDPR. What might happen is that a complaint is raised with the regulatory body. This is not the same thing as being sued.
1) Respond to requests about removal of personal data, do not sell data, inform about data leaks and handle them, if outsourcing, check compliance.
2) Any item that is not legal there will be just void in court. You cannot be sued about an invalid legal policy, but only after breaking the law. The policies do not subsume law.
About the only thing you need to publish is which data is collected, how it is processed (and by whom if outsourced), for how long (if applicable) and how to remove it.
3) Uh, as usual complying to the law for PII handling?
4) Yes, if they are GDPR compliant. Make sure to put them in you privacy policy.
1.) That "if outsourcing, check compliance" part isn't trivial, though. Some suppliers still don't provide data processing agreements. For example, as of now it seems like I won't be able to use DocuSign for digitally signing contracts anymore because they seem to not understand what the new law implies for them and consequently don't provide a DPA. The last time I checked competitors didn't do so either. It's good that companies have to check their processes for privacy compliance but if that disrupts a company's operations with no real remedy other than falling back to paper-based processes that's definitely a problem (admittedly in this case not one that could be solved by legislative bodies)
3.) No, unfortunately it isn't that easy. Some people - lawyers even - argue that merely someone contacting you via email or handing you a business card doesn't necessarily constitute legitimate interest on your part to process their contact data for the purpose of contacting them in the future. I disagree with that opinion but that people are even arguing about this shows that this isn't just business as usual.
5.) You could argue that this has the potential for breaking how the web has worked until now. If you now have to check for legal compliance first each time before merely linking to an external resource (because that might reveal the user's IP address) that simply doesn't scale. Linking to and drawing upon external resources arguably is what makes the web the web.
I think this lack of implementation clarity is definitely a problem, as it is with CE marking; the legislation sets out "principles", but there's a lot of interpretation that has to be done between those and specific real details.
>How will I be able to operate my small company website in the future in a legally compliant manner?
Maybe you shouldn't operate your company if you can't comply, then. The entire point of the GDPR is elevating privacy as a priority. If that means companies that can't or won't comply can't operate, so be it. People always claim to be pro-privacy, and that means putting privacy above commerce, in the same way that a restaurant that can't or won't meet safety and sanitation regulations shouldn't operate.
If safety and sanitation regulations were as heavy-handed as GDPR there probably wouldn't be too many restaurants.
The point of GDPR indeed is elevating privacy as a priority. Good intent however doesn't automatically entail that the implementation has been equally good.
The EU Justice Commissioner only recently has been quoted that she herself could implement the rules required by GDPR. At the same time the European Commission's very own website isn't even remotely GDPR-compliant. That's just arrogant and condescending.
This doesn't consider some factors that dictate how strong any company will experience their firehose of GDPR requests to be:
- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging in to interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
You can do this already with the existing Data Protection Act. Businesses have not drowned in subject access requests. People seem to forget that data protection isn't new, it's just being beefed up a bit.
See "Europe vs Facebook" for another pre-GDPR example where people were obtaining data Facebook stored on them via existing data protection laws: http://www.europe-v-facebook.org/EN/en.html
> and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging in to interview notes etc.
If your company can not show the candidates why they were not hired, you are doing a very bad job.
Are you discriminating against protected classes?
Are you rude or offensive in your comments?
Then, stop doing it. That will be a very good side-effect of this situation. Public scrutiny works. If a company needs to make its interview notes public, those notes are going to improve in quality and abide by the law.
> how strong any company will experience their firehose of GDPR requests to be
If you are big enough to have a big influx of GDPR, you need to automate it.
> how easy it is for them to make requests
It needs to be easy. The goal is not to let your company shield behind "sorry it is too complicated to give you the information". You need to give people easy access to their own data.
> wildcard factors
How is this different from a denial of service attack on the technical side? On the legal side, there are lawsuits that are going to be more effective than GDPR, which starts with recommendations for improvement.
> The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it.
You only get the data about YOUR own interview. You can not hoard data this way. It works the other way around. The data protection is protecting you from the company monetizing this information without your consent. Companies are the ones hoarding YOUR personal data and creating a business around it without YOUR consent.
Your concerns are the main reason GDPR was created.
> If your company can not show the candidates why they were not hired, you are doing a very bad job.
You sound like you've never had to deal with telling a candidate they weren't chosen for a position. There's a reason rejection letters are usually canned responses - it's not that HR teams are unanimously evil people, it's because any bit of information could open up the potential for a law suit, even if in good spirit. Someone gets a rejection letter saying "they aren't a good fit"...oh well it must be because I have different colored skin, right? It's a slippery slope from there.
That is the usual stated justification, and may actually be the motivation where it's become accepted as conventional wisdom, but it's implausible on its face as a real justified concern, because it's just as easy for a rejected subject to infer ill intent from a refusal to explain as from an innocuous explanation.
The real reasons for such policies tend to be a combination of:
(1) Regardless of organizational policies, hiring managers will still sometimes use directly prohibited criteria, and some of them will clumsily reveal this (perhaps in ignorance of the prohibition) if they provide explanations. A clear blanket corporate no-explanation policy doesn't prevent the bad acts, but prevents the bad acts that slip through other corporate policies from being announced to victims, and
(2) Hiring criteria that aren't directly prohibited may be prohibited indirectly due to disparate impact. Providing honest explanations for negative decisions makes it possible for people who gain access to the explanations given to multiple candidates to discover disparate impacts, and take action against them, and
(3) People attempting to give honest explanations will sometimes explain things poorly in a way which indicates a prohibited (directly or indirectly) criterion was used, either positively (which might be evidence in other cases) or negatively.
> because it's just as easy for a rejected subject to infer ill intent from a refusal to explain as from an innocuous explanation.
Sure, you can infer all you want, but I'm talking about whether there are grounds for legal proceedings. There is a higher probability that a defense lawyer would take a case where the rejection letter says "you weren't a good culture fit" vs "you didn't get the job". Companies simply do not want to even open themselves up to litigation, even if they've done nothing wrong. Further, there is no commercial incentive to tell the candidate anything other than "you didn't get the job", so why bother?
> People attempting to give honest explanations will sometimes explain things poorly in a way which indicates a prohibited
That's precisely my point. It's very difficult to explain to someone that they've been rejected for a position even in the most sincere and nicest way possible.
Ok, why you aren't hired has nothing to do with internet privacy. It is also good practice not to tell people why because some will and do sue whether or not the potential employer did anything wrong.
I agree, and there seems to be a lack of conversation around this! Next week could be ground-zero for all sorts of unintended consequences. Especially, a flashmob of GDPR requests could sink a company.
It is highly unlikely that a lot of requests will "sink" your company. As per the GDPR, you have a month to respond to requests and you can extend this period by two more months by telling the user that you need more time to process their request. (See article 12 for reference)
You mean request to be forgotten? Are you seriously lacking an automated removal process if you have more than a thousand users and also can't keep it in a three month deadline?
Or is it collecting so much data that you cannot just send it all to the requestee?
If it would take a decade, then it is a broken business that should cease to exist as it is doing something illegal with the collected data.
What kind of business is it?
If this is such a serious concern, you should automate this process as much as possible. You don't necessarily need to respond manually to these requests if you put in place the required features on your website which will allow your EU data subjects to benefit from their rights.
Realistically, how hard is it to automatically grab some data from a database and export it as JSON, as well as remove data from your database pertaining to a user? With a relational database, this would be a cinch. I mention the right to access the erasure right, as I estimate these will be the most frequently called upon.
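The export and erasure the comment above calls a cinch, as an added example that is not part of the thread: a Python script against an in-memory SQLite database with a small hypothetical schema (users, orders, support_notes). Export gathers everything keyed to one subject into a JSON-serialisable dict while leaving out the staff author of each support note (the "other people's PII" problem that comes up in the thread); erasure deletes the profile and notes but unlinks rather than deletes the orders, on the assumption that they must be kept for tax records. The schema, the sample rows and that retention rule are all constructed for illustration.

```python
import json
import sqlite3

# Added example, not code from the thread. Schema and rows are constructed.
SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    name  TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    user_id     INTEGER REFERENCES users(id),   -- NULL once the subject is erased
    placed_on   TEXT NOT NULL,
    total_cents INTEGER NOT NULL
);
CREATE TABLE support_notes (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    author  TEXT NOT NULL,                      -- staff member: someone else's PII
    body    TEXT NOT NULL
);
"""

SAMPLE_USERS = [(1, "alice@example.com", "Alice Example"),
                (2, "bob@example.com", "Bob Example")]
SAMPLE_ORDERS = [(1, 1, "2018-05-01", 1999), (2, 1, "2018-05-10", 500),
                 (3, 2, "2018-05-11", 750)]
SAMPLE_NOTES = [(1, 1, "Carol Staff", "Asked for a copy of invoice 1"),
                (2, 2, "Carol Staff", "Refund requested")]


def open_demo_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.executemany("INSERT INTO support_notes VALUES (?, ?, ?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def export_subject_data(conn, email):
    """Everything held about one subject, or None if there is no such user."""
    user = conn.execute("SELECT id, email, name FROM users WHERE email = ?",
                        (email,)).fetchone()
    if user is None:
        return None
    uid = user[0]
    orders = conn.execute(
        "SELECT id, placed_on, total_cents FROM orders WHERE user_id = ? ORDER BY id",
        (uid,))
    # Deliberately not selecting `author`: the note is about the subject, but
    # the staff member's name is not the subject's data to receive.
    notes = conn.execute(
        "SELECT id, body FROM support_notes WHERE user_id = ? ORDER BY id", (uid,))
    return {
        "profile": {"email": user[1], "name": user[2]},
        "orders": [{"id": i, "placed_on": d, "total_cents": t} for i, d, t in orders],
        "support_notes": [{"id": i, "body": b} for i, b in notes],
    }


def export_subject_json(conn, email):
    return json.dumps(export_subject_data(conn, email), indent=2)


def erase_subject(conn, email):
    """Remove the subject; keep order records only as unlinked accounting data."""
    with conn:   # one transaction: either every step applies or none does
        user = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
        if user is None:
            return None
        uid = user[0]
        notes = conn.execute("DELETE FROM support_notes WHERE user_id = ?", (uid,)).rowcount
        # Orders stay for the (assumed) tax-retention purpose but lose the link
        # to the person, so they cannot be reused for anything else.
        orders = conn.execute("UPDATE orders SET user_id = NULL WHERE user_id = ?",
                              (uid,)).rowcount
        users = conn.execute("DELETE FROM users WHERE id = ?", (uid,)).rowcount
    return {"notes_deleted": notes, "orders_unlinked": orders, "users_deleted": users}


if __name__ == "__main__":
    db = open_demo_db()
    print(export_subject_json(db, "alice@example.com"))
    print(erase_subject(db, "alice@example.com"))
    print(export_subject_json(db, "alice@example.com"))   # null: nothing left
```

The part that is not a cinch is deciding, table by table, which columns belong to the requester, which belong to someone else, and which rows a conflicting retention duty says must survive; once that is written down, the code is the easy half.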
Depends on your system. We have an automated process that produces a PDF, which a human will then go through and redact so we're not leaking the non-relevant PII of other people if one of our users isn't using the system quite properly.
If you have a lot of “members” you obviously provide the services by the automated process. Obviously the request processing could also be mostly automatic.
"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: "
The quoted bit is about one person, not multiple so not directly applicable. I assume if someone organizes a coordinated flood of requests from multiple persons you can still argue that it is excessive.
I agree that the amount of requests is very uncertain. Within my company I'm planning to make one request (data regarding me as an employee). This to see if they're prepared.
I was thinking a solid new business plan is to register gdpr.me (or whatever) and offer a service. $40, fill out a form, and I will send a GDPR request to every company in the world on your behalf. The data coming back is then offered back to you with the ability to create further requests (deletion for example) selectively or in full.
(1) the service is not explicitly allowed for because data subjects (and not data processors acting on their behalf) would be the ones to file such requests.
(2) you would be filing a lot of requests to companies that have no data in the first place and which you could reasonably have known about had you queried the data subject.
I see such a service as acting in bad faith and would file a complaint against you and your service if such a frivolous request would land in my inbox. Better hold on to the $40, you might need to spend them on a lawyer.
But kudos for trying to see the GDPR as an opportunity, now try to do so in a more constructive way. And - funny - you would be mailing yourself since you would be sure to hold PII on the party making the request in order to be able to authenticate the request as being a genuine one, which in turn would make you required to be in compliance.
I would argue there are several sections in the GDPR that appear to allow for a 3rd party to request data on behalf of the data subject. For example:
A20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
A12(3): ... Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Even in the case it didn't work out to directly query, as another has suggested, just making it easy to fill out as many forms as possible in an automated fashion has value. Use their email to send from.
Also, how does the data subject or gdpr.me know that your company hasn't hoovered up some PII of the data subject?
I've read it several times and unless more clarity comes down on questions like this I'm quite afraid of abuse. I've read 8% of UK citizens intend to (ab)use GDPR for spiteful reasons.
EDIT:
Ok - I believe this absolutely supports my point, straight from the horse's mouth... This is from WP29-2017-4-data-portability-guidance:
"Data subjects should be enabled to make use of a personal data store, personal information management system (PIMS) or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required."
This is immediately after saying businesses should create APIs to allow data portability and GDPR requests.
I don't buy that that allows you to send random requests to parties that you have no way of knowing the requester has a relationship with. That is an unreasonable burden to place on the recipient of such a request. Essentially you will be sending them on a wild goose chase which is against the intent of the law, which is to give people control over their data, not for people to harass random companies, even more so to do this in an automated way.
You can of course go and approach this from a legalistic point of view but that's usually not how things work in the EU, if you are going to split legal hairs to see how you might be able to get away with something then you will be in for a surprise.
But don't take my word for it, feel free to build and launch the service and we'll see if it flies. For $40 I'll pass :)
You could maybe provide your users with a pre-filled request form for various companies they indicate they're a customer of, and have them send them directly.
IIRC there are services along those lines for various 'contact your $REPRESENTATIVE' political and activism lines. I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form letters, due apparently to this sort of abuse.
Can't remember what the exact context was that I saw it, but it might have been FOI or something data-related.
> I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.
Exactly, and it is abuse. There are so-called 'mass letter writers' here in NL that keep on sending FOI requests and other letters to local government, effectively DDoSing the services, and they too can be - and have been - slapped down.
There is an exemption for vexatious or disproportionately costly requests, so once everything has settled down and it is clear how the regulators deal with complaints, then it should work out ok.
This sounds like the arguments that organisations make against freedom of information laws. There is that risk, but what is the alternative? There doesn't seem to be a middle ground to me - either people can make subject access requests or they can't.
Not an alternative - but the only obvious defence is to do the right thing, and delete data as soon as you have completed processing. e.g. delete those interview notes the second you have declined the candidate.
That's ridiculous. Has anyone in this thread actually ever run a recruiting operation?
I have. There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations). But you also need the ability to review what your interviewers are doing to ensure consistency and quality of assessment. We also go back and re-read interview notes if someone doesn't make it through probation or gets fired, to see if we could have picked up on the issue earlier.
But hey GDPR defenders, here's a question to ponder. I have argued above that I legitimately need interview notes for the operation of my business. If you disagree, what makes you so sure your interpretation is correct and not mine? Don't you think it'd be good if we could resolve this disagreement in some clear way, like if the law itself spelled it out?
The only change you need to make is to be able to delete information about criminal offences when those convictions become spent. Arguably that's not a new requirement, but GDPR does make it clearer.
> I have argued above that I legitimately need interview notes for the operation of my business.
That's the point. You're keeping data to comply with a law (Equality laws) or for legitimate reasons, and so you don't need permission and you don't need to delete it when asked.
> Processing shall be lawful only if and to the extent that at least one of the following applies:
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
> I have argued above that I legitimately need interview notes for the operation of my business.
I agree that you do legitimately need interview notes, but I don't understand why this conflicts with GDPR. In other words, why am I not allowed to see my interview notes?
We were talking above about deleting them, not publishing them.
But interview notes tend to contain personal evaluations of people, often critical. If interviewers believe they are effectively having to criticise people to their face (which is what this change would do), then they won't be willing to be as honest. No interviewer wants an angry job candidate tracking them down via LinkedIn or whatever and then getting mad because you wrote that they sucked in their notes.
This is an interpretation of the GDPR that I don't think makes any sense or aligns with the original intentions at all, but moreover, if it was interpreted and enforced that way it simply means firms would switch to discussing candidates in person and not write down evaluation notes at all.
> There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations).
The fun of red tape. You will be violating one or the other regulation, that’s the beauty of it.
And yes, civil servants did use those arguments to try and stop FOI. They lost because ultimately they pay themselves out of tax revenues, and when you force people to buy something the bar for denying them information about how that money is used is a lot higher.
This doesn't apply in the case of companies and especially not job candidates.
I have actually seen government agencies complain about being deluged by FOI requests, the cost of dealing with them etc. They mostly get ignored because on inspection the "deluge" of FOI requests tends to be from journalists digging for stories, and that's sort of what we want them to do. Also because the high cost of FOI responses tends to reflect messy and disorganised internal information systems rather than anything fundamental.
That said, I don't think it's really comparable to the GDPR. For one FOI compliance is a joke, organisations get out of it all the time on the thinnest of pretexts. There's no real incentive for a government to police itself in this regard. But GDPR enforcement is incentivised by large sums of money, for an organisation that is technically bankrupt.
> But GDPR enforcement is incentivised by large sums of money, for an organisation that is technically bankrupt.
What do you mean here? It seems to be about suggesting that GDPR is about getting the fine money? Elsewhere the law is quoted where it states the fine should be appropriate to be effective. So even if you don't trust this there's legal ground to back it up. Secondly, why is the EU technically bankrupt? Or is this a theoretical organization?
Appreciate some clarification because currently the sentence I quoted is too open to interpretation.
What does "appropriate" and "effective" mean in the context of law? Put it like this - do you really believe the first targets won't be Google, Facebook, Apple, etc? Very rich companies in industries the EU has failed to compete in and which handle data all day? It's free money for the EU.
> Secondly, why is the EU technically bankrupt? Or is this a theoretical organization?
Because its liabilities are greater than its assets, or put another way, it spends more than it receives and does so structurally.
EU budget commitments exceed payments by about €10 billion a year, leading to an ever-rising volume of outstanding commitments, known as reste à liquider (RAL). RAL is expected to exceed €250 billion by 2020.
The EU is not a company, it's effectively a government, and so it simply doesn't allow itself to go bankrupt in a legal sense. It can violate contracts at will because it ultimately controls the courts. So when it doesn't have enough money to make payments it has committed to, it simply delays those payments. This results in an ever growing backlog of delayed payments that can't be made because the EU doesn't have sufficient funds.
Note that this behaviour is illegal under the treaties. The EU is not allowed to spend more than it receives. It does so anyway because it correctly believes the member states are too weak to enforce the rules. Also, the EU controls the ECB and ultimately the ECB is keeping many member states afloat via massive bond purchases. Whilst the EU Commission cannot legally just print money to fund its own operations, in practice that's what it's doing - the ECB prints money and uses them to buy the bonds of insolvent member states, which then turn around and hand some of that money back to the EU as part of its budget.
> For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request into the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.
Huh. So, you're saying a side effect of GDPR is a radical increase in recruitment/hiring transparency. As if that was a bad thing (clearly, it would be a shift in the capital/labor power asymmetry in favor of labor, but I'm not seeing how that's bad.)
> The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc.
Interview notes would not have to be turned over to the candidate. They are personal opinion of the interviewer even if they mention the candidate. GDPR protects that data: you may not disclose it because it would violate the rights of the interviewer.
This level of detail relating to interview notes isn't in there, and all references to "opinion" refer to the decision-making by the regulatory body.
Most people seem to interpret the directive to say that, because the interview notes constitute "any information relating to an identified or identifiable natural person", they are personal data of the person being interviewed?
Talent pool as a SaaS and the company needs to manage GDPR - you still have access to your data. Still open how you monitor the company as required by GDPR, but at least you can redirect angry candidates.
* You need to have a data processing agreement with the SaaS company X.
* You need to tell candidates in your privacy information that you send data to X
* You need to make sure X is properly implementing the data processing agreement
(currently not clear how you do this except using e.g. PwC to review X)
If you have the data, you need to tell the candidate what you do to protect it, back it up, restrict access to it etc.
(also if e.g. the talentpool feature is provided by LinkedIn based on LinkedIn data you're not responsible under the GDPR, only if you sent data to X or X collects data on your behalf e.g. in a web form)
The GDPR is not completely new, though; it's a reformulation and extension of the existing Data Protection Directive, which was implemented back in 1995.
For people and businesses in the EEA, the GDPR is much less of a change, because we already had to comply with data protection law. The rest of the world may be less prepared.
Stop spamming every single comment on this thread. Your question is irrelevant and misdirected - I've literally started my argument by saying that "there's currently no case law surrounding GDPR".
Your argument is that there is no case law so you get to claim whatever imaginary consequence you want. That’s fine but then other people may debate your conclusions.
You're also claiming people are rightfully concerned. Where is that right coming from? From past experience? Or are they just baseless concerns?
> "Your argument is that there is no case law so you get to claim whatever imaginary consequence you want."
No, that's not my argument at all. That's just your personal interpretation of my words.
> "You’re also claiming people are rightfully concerned."
I'm not "also claiming". That was the sole claim from the very start.
> "Where is that right coming from? From past experience? Or are they just baseless concerns?"
It's literally in the comment:
(1) Some elements of the GDPR are up for interpretation.
(2) There's currently no case law surrounding GDPR.
If you take both of these facts into account - it is perfectly plausible for people to be concerned, as there's no telling how things will play out in a court of law.
On what experience about GDPR case law is the linked article basing its statement?
All those claims about warning shots and leniency and goodwill of the regulator are completely unfounded. The linked article makes the claim, so the linked article should substantiate the claims, and we maintain a healthy right to remain skeptical of those claims until some meat is added to them.
The DPA (Datatilsynet) in Denmark operates in the exact way stated in the article. I'm fairly sure it's the same in Sweden, Germany, UK, and most of the EU. It is in stark contrast to the US.
I'm not going to link cases, because they're in Danish. They are available from their webpage, and the most recent ones are linked on the front page. In the last few cases large companies were not in compliance and they didn't get a fine, but they are expected to address the issues, and if they don't then they will get a fine.
That's supernice for you in supernice Denmark. Now what about all the other EU countries? What about in 5 years time if things become less supernice. 10 years time?
They, and other DPAs, have multiple decades of history of doing it this way. I trust that more than random people on the internet deciding that GDPR is bad because the DPAs theoretically could do it.
We have plenty of cases serving as prior judgements, and if a DPA suddenly acts with a disproportional reaction, there are multiple levels of courts that can and will reverse the decision - nationally and at EU level as well.
I know it's kind of hard to imagine coming from a US perspective, but it's "supernice" as you say for pretty much everyone in pretty much every EU country. Based on decades of precedent behaviour.
Here are two recent decisions from the UK. The ICO has a maximum £500,000 fine available.
In one a company was handling sensitive personal data (medical data). They're required to register with the ICO. They did not do so. The sceptics would claim they got huge fines. They didn't. They got a letter asking them to register, with no further action taken. ICO released a statement.
In another the Crown Prosecution Service lost data in the same way they had previously lost data: they sent unencrypted DVDs through the mail and those DVDs got lost. The DVDs contained victim interviews from children who had been sexually abused. It's hard to think of worse: very sensitive data, transmitted in a stupid easily fixed manner, and a repeat offence. Even this didn't attract the biggest fine. They got a £350,000 fine.
The national regulators have been operating the previous regime for twenty years, so there IS plenty of experience and history to look at. The UK's ICO has made quite clear that the style will not change, as have bodies in other countries.
I was hoping for a nice respite to the anti-GDPR stuff we've seen recently, but this is just naked propaganda. In particular, the sentence:
"the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers ..."
The author seems to have the idea that bureaucratic EU systems are inherently "good" and that even if things look bad on paper, it will be fine because they are "good" people. This is not how the legal system or legal compliance works.
Do you have any experience with an EU country internet regulatory service?
I have experience with the CNIL (the French one), and they were helpful and yes, good-natured. Part of our application to be able to host data from hospitals was drafted with their help, when they had no legal obligation to help us.
A friend who works in a legal/tech startup also had good experience with them, and I don't know anybody who ever had a bad run with them.
So if you have contradictory experience, please share it. Until then, I'll still take all these "GDPR will kill tech companies" articles from people who only experienced the US legal system as jokes.
You seem to have misunderstood my comment. I was saying that from a legal compliance perspective, the notion that the regulatory body is "good-natured" is meaningless. You have to comply with every letter of the GDPR, you can't just do most of it, or interpret it loosely, and say "oh but they are good-natured people, they will understand." Legal compliance doesn't work like that AT ALL!
What people mean when they say the agency is "good-natured" is not that they're going to ignore non-compliance, but that the way they enforce it is not being completely hostile and pulling out a massive lawsuit the second they see any issues.
Their goal is not to destroy companies, it's to make them compliant, and it's much easier for them to do that with communication than expensive legal action.
> I was saying that from a legal compliance perspective, the notion that the regulatory body is "good-natured" is meaningless.
It's not, because as the article explains, experience with the existing regime shows that the good-natured regulator will send you a helpful and explanatory warning letter that tells you what you need to do to become compliant before jumping into fines.
An un-good-natured regulator would behave rather differently.
No, but legal compliance in most of the EU doesn't work by slapping huge fines on people either - first you are told there is a problem and you'll be given a chance and maybe assistance to become compliant.
I think this is a very distinct difference between the EU with the scaremongering removed, and e.g. the US: My experience of the EU has been that they've consistently looked out for my interests. Even in the face of the local government (I live in the UK) that have kept fighting for positions I find abhorrent (e.g. UK governments keep complaining about having to abide by EU human rights regulations for example).
Yes, we shouldn't aim to give governments power to push things to an extreme, but on the other hand we should also ensure that they have the ability to actually react to serious abuses.
In particular in the area of data protection, I don't know of a single example where the rules have been pushed to the extreme. If anything, as a private citizen I'm disappointed there's not been stricter enforcement. As someone who has had to deal with it on the corporate side as well, it's not been hard to comply with.
Enforcement here is generally always strongly predicated on not jumping straight to the strictest possible outcome, but in carefully considering how serious a transgression is. It's not that EU systems are inherently good, but that history and practice have shown that when they give flexibility, it takes serious abuses and ill intent to end up with the strictest reactions allowed, and there'd also be little reason to assume that anyone rushing to the strictest interpretations possible wouldn't get shut down hard by the courts.
Not sure I'd 100% agree, and they are at the mercy of individual governments who have in some cases gone against the spirit of some of the EU regs, for example Spain's implementation of TUPE.
You are transposing your like of certain EU institutions (human rights regulations) and grafting them onto this legislation. This isn't how it works, not least because there has been no case law yet, so we have no idea how it will be interpreted. Therefore a legal compliance unit has no choice but to follow GDPR to the letter, which is hugely difficult and bureaucratic. The notion that they are "good-natured" is meaningless in a legal sense.
It seems many commentators here are confusing criticism of the GDPR with criticism of the EU itself. Surely people are sophisticated enough to understand that they are 2 hugely different things, and that a robust criticism of regulations and laws is part of a healthy democratic society.
As mentioned elsewhere, these regulators have been operating for a very long time. Even when dealing with the whole Facebook / Cambridge Analytica they're moving quite slowly. There have been various legal changes regarding privacy in the past. E.g. for The Netherlands it is not allowed to have a checkbox on by default to sign up to a mailing list. There's a fine if you don't abide and this fine can be very hefty. In case of problems the regulator first reaches out, a fine is the very last resort.
There has been ample history on how these regulators have been working over the past 20-40 years.
The substance of this line of criticism is that yes, it's probably going to be fine. But if it's not, they can fine you at 4% of global turnover. They probably won't, but they literally can. "I read on a blog that they'd be nice and send me a warning first" gets you exactly nowhere in court ("very well, but what did your lawyer tell you?"). The article praises the GDPR for having teeth -- being timid can be something you are because that's your nature, or it can be something your are because you don't have teeth.
This is what risk is. Absolutely, don't panic. But responsibly managing risk means considering the 100% real and existing option of regulators abandoning their previous caution and trying out their new teeth. Perhaps they get reined in, but perhaps that takes 10 years, or perhaps it turns out to be politically convenient not to rein them in at all. There are 28 EU countries, so 28 regulators; only one ambitious rising star at one of them needs to "break bad".
Yes, I agree that this is probably a very small risk. But having a calm and correct view of the fact that there is a risk is 100% the right move here. Something like every other lawyer in Europe is worried about this right now, and do think it's a bit of a big deal. Don't panic, but take the advice of a non-lawyer's blog over your actual lawyer's at your own extreme peril.
> "I read on a blog that they'd be nice and send me a warning first"
That's not what happened. Various people pointed out various cases where it's shown over the course of 20 years what happened. Ample history.
> Don't panic, but take the advice of a non-lawyer's blog over your actual lawyer's at your own extreme peril.
Are you from the US or EU? Immediately going to a lawyer seems strange and unique to me. Within a big company, yeah, lawyer. Anything else unless you're doing something specific I don't see why.
> Various people pointed out various cases where it's shown over the course of 20 years what happened
Yes, and various other people are pointing out that now there's a new law that changes a lot of things, so perhaps what happened in the last 20 years isn't a perfect guide for what's going to happen in the future.
> Immediately going to a lawyer seems strange and unique to me
I'm from the EU, and I go to lawyers for things much smaller than those that can get me fined 4% of turnover. And so should you, if you're serious about managing your risk. If your things are in order, it's not terribly expensive, and you get to lean on your lawyer's professional liability insurance if things get weird regardless.
My chief concern is that this will end up being an instrument wielded by big business (through political connections) at the expense of smaller companies, especially smaller overseas competitors but also domestically. If EU-US relations continue to sour, it could also become a weapon in a hypothetical trade war, which I guess is probably one of the "benefits" from an EU government perspective.
Codifying privacy protection is important, but GDPR favors big companies and governments too strongly over already risk-burdened entrepreneurs.
I don't know about them, but I agree with questioning your original comment, based on 17 years of dealing with data protection issues in the UK and other EU countries.
I'm an attorney who's spent the last year or so working on GDPR compliance for a US SaaS provider some of whose clients have EU employees. My understanding is that it's true that EU enforcement is more in the spirit of "how can we get you compliant?" before doling out fines (vs. the US where it can be more "let's make an example of this company by hitting them with a big fine" and scaring others into compliance). I also agree that the authorities aren't going to be handing out 7 figure fines like candy, both because it's not their historical approach and because they don't have the resources to fight too many of those battles. I want to say I read that the Irish authority's annual budget is around $9M. Theirs is higher than most and Ireland is where most of the US tech giants are established due to tax laws. That said, I think to say that GDPR compliance is simple because its text is fairly readable, or that EU data protection law is simply a matter of transparently respecting people's personal data and not being a bad actor as to privacy, is an overstatement. For example, the ePrivacy Directive, most known for prompting all those cookie consent banners, can be incredibly complex to comply with. Each member state has implemented that Directive in different ways. Look at this example https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-... where Honda sent out emails to its 350k database simply trying to confirm continued interest in being on their list and got a 13k euro fine for their troubles. I don't know all the facts, but from the document, it doesn't appear that Honda got the fine because they were recalcitrant or being terrible actors. And if the fine is proportionate to the offense (not to the size of the violator), then 13k euro might be levied against a small company for whom it is a significant penalty (not to mention costs, legal fees, etc. in dealing with it).
The Honda case actually seems pretty reasonable to fine - Honda had an issue where consent from dealer events and other sources wasn't correctly recorded. So they have a large list of emails, where consent falls into three categories:
* Person did not consent, they left the form blank
* Person consented, but it was not recorded
* Person actively denied consent ( wrote "no")
Honda then sent commercial email to this set of users, to "confirm" their preferences. In my view, that's not reasonable - if I leave a "would you like to receive email" item in a form blank, that is not permission to send me email.
Agreed that the fine for a company like Honda appears very reasonable. My only point is that their behavior was more sloppy than malicious or 'terrible' - and sloppy in a way that many, many companies are sloppy. And this size fine for a small company would be very painful - maybe fatal.
It's like if a new law were introduced requiring a license in order to ride a bike, to make sure people don't hit pedestrians or bike dangerously in the road. The license is free, it just takes a weekend to go take a written test and demonstrate that you can safely ride a bike. Some people who would pass but can't be bothered to give up a weekend would instead choose to just stop biking. It's an unavoidable consequence of introducing a friction where there wasn't one, and there's no way to carefully target or wordsmith the requirement so that this doesn't happen.
I think people miss that there is a very large qualitative difference between "no law" and "law". Even a very carefully targeted law will still have the effect, on the margin, of preventing or stopping compliant activities. But in the case of something like privacy, or control of data about you, maybe that's worth it in order to stop the noncompliant activities.
On a non-hypothetical topic: does anyone have a good resource on the requirements with regard to backups? That's one of the larger technical sticking points for me - do we have to delete from our backups as well on such a request?
Because the reverse also holds: if we remove the need for driver's licenses for cars, more people will be able to drive.
The fallacy is IMO that many people always consider the status quo ante as the perfect balance. Because we have gotten used to driver's licenses.
So the argument that new regulation stifles some non-harmful behaviour is a truism, but doesn't really contribute anything unless it comes with numbers.
It's not like that at all; some of us are small business owners who don't have to take any action, because we already were not mishandling PII and already had a PII-handling section in our data-handling policy.
Clearly an emotional topic. The fact remains, GDPR is a well-meaning but fuzzy law, with implications that cannot be foreseen at this point in time.
To remove some of the uncertainty and automate some of the compliance steps, we built a data discovery AI tech that scans corporate data to answer:
* "Do we even store personal information?"
* "Where do we keep it?"
* "How do we make sure PII is consistently stored only in the designated places?"
This may seem trivial to a micro-business that runs on a handful of database tables, which I think is where the author is coming from. But for larger companies, even understanding what's where and why (backups? emails? cloud storages?) is a highly non-trivial—if ultimately rewarding—endeavour.
The regulators have been running for two decades, and this is EXACTLY how they operate. Scepticism in this case is unreasonable, given the massive evidence base.
I do have some direct experience of working with EU data protection regulators. My experience has been that they vary wildly in "reasonableness". UK ICO is pretty OK, they want companies to succeed. France's CNIL is a joke. Petty, spiteful and utterly inconsistent. I watched as a company worked closely with them to get their sign-off on a change to their terms of service and privacy policy. CNIL were happy to be involved and taken so seriously, they were satisfied with the changes and even praised them in private. After the company announced the change, some journalists saw an opportunity to make some noise and did so. CNIL then immediately changed their mind and dished out a fine, despite having previously agreed to it. What a farce.
That's at the national level. I can give many examples of cases where the EU has been anything but reasonable.
The entire argument Jacques presents here boils down to his belief that everyone working in GDPR enforcement in the EU will not only be totally predictable and reasonable today but also going forward into the indefinite future.
As pointed out in the other thread, this belief is itself unreasonable, because the nature of the GDPR means that even in the unlikely event it's true today, if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal. The GDPR says virtually nothing about anything so they'd certainly argue such a thing was merely a "clarification" and not a retroactive change to the law.
There are plenty of examples of governments doing this sort of thing over time, including the EU, like with Apple's tax situation. Mr Mattheij appears to just write this possibility off entirely.
"his belief that everyone working in GDPR enforcement in the EU will not only be totally predictable and reasonable today but also going forward into the indefinite future."
EXACTLY! There seems to be an almost cultish devotion to the benevolent institution that it can do no wrong, neither now nor henceforth.
I understand WHY people have this belief. The EU is under constant attack at the moment from many sides, and people feel they need to defend it at all costs, even if they are wrong.
> The EU is under constant attack at the moment from many sides, and people feel they need to defend it at all costs, even if they are wrong.
As you mention that "they are wrong" in reference to saying that the regulators aren't to be trusted, could you explain how the Dutch regulator behaved badly?
I'm Dutch and have followed what they've been doing over at least 10+ years. I don't think I'm wrong in my assertion, but feel free to point out the details. Also, I'd like to know how often you've followed what the Dutch regulator has been doing. I get the feeling you're not aware of their name.
> EXACTLY! There seems to be an almost cultish devotion to the benevolent institution that it can do no wrong, neither now nor henceforth.
You have to trust someone. Either the vast expanse of companies clearly mishandling your data, or the "benevolent" body which so far at least has a fairly good track record. It's not perfect. It's dangerous to give them too much power because you don't know how they will change in the future. But at the end of the day, I'd rather trust a governmental body which is at least supposed to look out for my interests, rather than a company whose main motivation is to exploit me for every penny I have.
A fairly good track record in which its own member states are constantly threatening to leave and one has already successfully left. As an American looking in from across an ocean, it does not look like a stable region that I would put trust in.
The EU is a funny place at the moment. Most politicians who seek prestige don't bother with the EU, they do national politics. Most national media does not cover EU material, but focuses on national issues. This leads people more focused on the bigger picture to seek out working at the higher level. On the other hand low performers are also sent to Brussels because "In Brussels no one can hear you scream".
Anti-EU sentiment is generally driven by national politicians who somehow always seem to cast blame on the EU when things go bad and take credit themselves when things go well. Even going so far as taking credit for implementing laws they were actually forced to implement by the union.
As a fellow American, that sounds like you need to reconsider your news sources. Brexit was driven by propaganda, not some principled opposition to intractable problems. The “EUrocrats gone wild” stories are popular in certain circles but there’s an entire cottage industry debunking them:
Again, that's taking a talking point as a given. Some people cited that or hypothetical cost savings as a justification but the claims tended to be based on urban legends or outright wishful thinking rather than actual analysis.
This seems like a very dishonest assessment. Are all the people who see this differently from you just brainwashed EU cultist who just feel the need to defend wrong things?
> if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal
A new commission can always change their mind and propose new laws that get voted in, as can any government. There are few things an elected body can't do, and even when there are safeguards, those can be removed given enough effort.
And this is not exclusive to them. Common law and, to a degree, civil law are changeable in this way, where a court can retroactively decide that things previously allowed were actually illegal by providing a mere "clarification".
In the EU this means several layers that can modify what a law actually means: the government, the national courts, the EU parliament, and the EU court. In the US you've got federal law, state law, city law?, and courts all the way to the Supreme Court, each of which can in 10 years make a decision that retroactively decides that things previously allowed were actually illegal. It seems like a risk that is inherently part of the legal system everywhere.
I don’t really see what the alternative is. It’s painfully obvious that a regulation like this is needed. Like any regulation, there will be a period of bedding in while we work out the actual bounds and procedures required.
I’m curious then what your alternative proposal for implementing this regulation would be, assuming you think it’s something that needs to be regulated at all.
Furthermore, it imposes unbelievable costs on companies that in the end must be passed on to consumers. This is completely unnecessary legislation that will probably have no measurable positive effect at all. Bureaucracy and politics at its best.
Hah, no. I guess you haven't dealt much with regulators in the past.
Regulators can never be held to anything they say. When you ask questions, if they answer at all, it always comes with a disclaimer that it's merely "guidance" and not binding. If they later change their mind, it's always a "clarification" and not a change.
The sort of people who think vague regulations are a good idea are the sort of people who think regulators are staffed by people who are inherently good, so they're usually written to give regulators maximum power and minimum accountability. GDPR is a case in point. If you read the EU's documents on the matter closely, and I have, then you find that the EU refuses to even respond to questions at all. That's delegated to national regulators, but the EU is clear that those regulators don't have the power to issue binding declarations, only guidance. In other words, you can ask a regulator or a lawyer. Their opinion has no more or less weight than my own posts do. The only time binding decisions are made is during enforcement actions.
The EU HASN'T delegated everything to local regulators. Have you not come across the Article 29 Working Party, which is dedicated to standardising GDPR interpretations across the EU?
The successor of the working party is a new body called the "European Data Protection Board" (or sometimes supervisor). It will issue binding decisions but only on the matter of cross-border transfer disputes, not any other aspect of the new rules:
> The European Data Protection Board will not only issue guidelines on how to interpret core concepts of the Regulation but will also be called on to issue binding decisions on disputes regarding cross-border processing.
So the EU will issue "guidance", but so will local regulators, however, it's ultimately the EU itself via the ECJ that decides what the law actually means in the end:
> It is important to recall that, where questions regarding the interpretation and application of the Regulation arise, it will be for courts at national and EU level to provide the final interpretation of the Regulation
That is, if the EDPB or a local regulator states that something is legal, that doesn't stop them later taking you to court over it and winning because ultimately their own advice is not legally binding (except, perhaps, in the cross-border case which is a special exception for some reason).
> The data protection authorities are the natural interlocutors and first point of contact for the general public, businesses and public administrations for questions regarding the Regulation. The data protection authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.
In other words local regulators are now essentially advocacy organisations that will be the first point of contact, but have no special powers to actually specify what is or is not allowed.
>if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal.
If 1) A new European Commission arrives and proposes a change in the law that is retroactive; AND
2) The European Parliament agrees with the change; AND
3) The Council of the European Union (ministers from every EU member state); AND
4) the Court of Justice of the European Union doesn't strike the legislation down
This is the main issue with this regulation in my opinion. Some of the recent statements by EU officials on that matter verge on absolutist notions of law: "Don't worry. Authorities will be lenient and benevolent." This is how absolutist kings argued why there shouldn't be a constitution or a state under the rule of law.
Law is by its nature open to interpretation and based on precedent. Otherwise there wouldn't be courts of appeal and supreme courts. What's so special about GDPR that makes you think it will be abused more than other laws?
Yes, common law and civil law systems have been converging to some extent. In common law systems you have increasing reliance on statutory law while civil law systems increasingly make use of precedents. Still, the basic principles remain.
- Scope outside of Europe – e.g. a completely foreign entity that offers a Spanish or French translation of its service could potentially be covered by GDPR, even if they're not marketing to EU markets specifically. Too bad for Quebec I guess. Or what if you fly to speak at a conference in Europe – is that "marketing" to residents of the EU? Depends on your slides? Or not? Who knows.
- Consent – does X fall under "legitimate interest"? Is it essential to providing the service? These are not easy to definitively answer for any non-trivial application. And it's not like you can just err on the side of caution – you are not allowed to ask for more consent than you need IIRC. And if the regulator (one of them) disagrees with you after you've spent a few years building a business relying on a certain interpretation, tough luck I guess, try again?
- How to deal with backups that contain personal information
> If a completely foreign entity that offers a Spanish or French translation of its service could potentially be covered by GDPR, even if they're not marketing to EU markets specifically.
No, the GDPR is clear that it is applicable if you are offering goods or services to Europeans. The fact you are speaking French in Quebec isn't relevant.
> Or what if you fly to speak at a conference in Europe – is that "marketing" to residents of EU? Depends on your slides? Or not? Who knows.
So, if you fly to the European conference and talk to a European audience, you're not going to be covered by the GDPR until you actually supply goods or services within the EU.
> the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union
> factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union
> So you can't just run your business from Canada with no special emphasis on EU and call it a day.
You really can, it says that it may make it apparent.
Does your use of English make it apparent that you are intent on selling to the UK? No. Italian, might I suppose. French wouldn't if you were based in Canada.
> The GDPR will require me to hire people and my entity is too small to be able to afford this
Q: Does my business need to appoint a Data Protection Officer (DPO)?
A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
GDPR requires those organisations to appoint a DPO, not to hire anyone new. It's like when you designate Ben to answer the phone after 5PM, Lisa to water the plants and the last guy to leave the office to turn off the light and close the windows (and for many companies there will be a lot less work involved with being a DPO, than with switching off the lights).
Exactly. Most businesses will already be required to have several "responsible person" roles for e.g. health and safety and fire evacuations. It's just that in a 1-person business they're all the same person.
Most small companies (below 10 employees) will refrain from appointing a DPO claiming that they don't do large scale systematic monitoring (not clearly defined).
The issue however is that for a DPO you need to avoid conflict of interest, as the DPO should be as independent as possible, even though the DPO could be an employee of the company.
Shareholders, C-level execs, employees that establish means and purposes of processing or handle the actual processing cannot be reasonably expected to place the interests of the data subject(s) above those of the company.
There is a legitimate question here, where does "large scale" begin? There are a lot of similar questions that nobody can personally guarantee they know the answers for.
> The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Basically a small firm that is just holding the minimum amount of customer/user information and data and where the business model is not centered around profiling and processing user data.
The piece of text you're quoting is referring to obligations of keeping "Records of processing activities", and is not the definition of large scale, which is undefined in the GDPR.
GDPR is referring to Article 2 of the Annex to Commission Recommendation 2003/361/EC. That's where the number 250 originates from.
>Staff headcount and financial ceilings determining enterprise categories
> 1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.
> • The GDPR will enable anybody to be able to sue me, even from abroad
> The GDPR does not have this effect, but you may be interested to know that anybody can sue you or your business for whatever reason strikes their fancy. This is a direct consequence of doing business and has nothing to do with a particular law. What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests.
That's not exactly correct. Art. 79 of the GDPR allows people to sue directly for violations of GDPR although it's very non-specific.
People in Europe are not extremely litigious by nature and will likely resort to calling upon their supervisory authority instead of suing directly.
What is however very interesting is article 80, which will allow a data subject to mandate a not-for-profit body to seek judicial or non-judicial remedy on his/her behalf.
This will give quite a bit of power to non-profit organisations built for this purpose and will likely add quite a bit of pressure to large companies that don't comply with the law.
This article actually points out my philosophical problem with GDPR. In one point he says you have to be compliant if you want to do business in the EU. In another he observed that it is difficult (maybe impossible) to block EU folks from coming to a web presence. It’s the expansive reach that bugs me.
I’ll note that for real businesses this is just a thought exercise, but it’s one I keep coming back to. What if some less reasonable entity attempted to regulate in this way?
> This article actually points out my philosophical problem with GDPR. In one point he says you have to be compliant if you want to do business in the EU. In another he observed that it is difficult (maybe impossible) to block EU folks from coming to a web presence. It’s the expansive reach that bugs me.
Other countries have already had to deal with the US on this front. If you are a US national you may find it extremely hard to get a bank account in a non-US country, for example; non-US gambling services also have to be very careful about US users (PokerStars et al) https://en.wikipedia.org/wiki/United_States_v._Scheinberg
There are also things like the Magnitsky Act and various other bits of human rights law that allow extremely serious crime and crimes against humanity to be pursued internationally.
The one we'll have to watch out for are Chinese censorship laws going global. There's already some weird side effects of "One China".
GDPR lacks clear and unambiguous limiting principles and attempts to impose costs (a tax, if you will) on what you know. From a U.S. private person perspective, that looks like a significant overreach. Yes, GDPR reins in a data industry run amok. Great. But GDPR does not clearly stop there, and for the rest of us GDPR seems to hint ominously that if you know anything about anyone, that may be a problem. So overtly cut ties with Europe or forget what you know. Are we to become know-nothings? New-age luddites? Whatever happened to liberty, representation, and the freedom to learn about the world? The commentary largely focuses on online data, IPs and such, but GDPR is not limited to such things. This has the flavor of regulation written by foreign bureaucrats in consultation with big business, having little concern for the significant risk of mystifying and annoying literally anyone else in the world. It's a negative development for interconnectivity and international comity.
For 20+ years the US - as the dominant controlling agent regarding the Internet - ensured the modern (post early 1990s) Internet remained extremely non-regulated and non-interfered with by ~195 nations (when it came to the global Internet system). It worked globally out of the gate and required no special adherence to US laws. The Chinese did not have to adopt US freedom of speech approaches to use the Internet. The Iranians or Saudis did not have to adopt US freedom of religion approaches to use the Internet. The EU did not have to adopt US legal approaches or laws to use the Internet. Any other scenario than the one the US pursued would have resulted in a fractured, mostly useless global Internet. The US was about as good of a shepherd as any nation could have ever been: thus we got several billion users onto the Internet from wildly diverse background jurisdictions. The way the US built the Internet made it possible for the EU to say: hey, we're going to do GDPR, because that works for us (and yet the Internet still works); and for other jurisdictions to say: hey, we're going to do this, that or something else because that works for us.
> The whole internet dances to the US tune, legally.
You've got that almost exactly backwards. The US approach has required almost no dancing at all to the US tune. That's precisely why ~4 billion people can use the Internet from 195 nations, all with dramatically varying laws. They're not adopting US law to use the Internet. That's why the Chinese have been able to implement their unique approach and still use the Internet (restricted to fit their tolerances at a government level).
You very specifically do not have to dance to US legal tunes to use the Internet. Even when it comes to IP laws, you do not have to dance to the US tune (Europe has varied widely from the US on such, eg as it relates to piracy, and yet the Internet keeps on regardless).
While I agree the US was generally benevolent, it did it because it knew it had the tech superiority. It's the same thing with the Opium Wars and China or Perry's gunboat and Japan: we'll force you to trade with us because we know our goods are superior and you'll buy them.
Same thing with the internet: the US was the biggest developed country, it had a large, stable, rich internal market, it had big universities churning out graduates (many of them coming from other countries!), it was the inventor of many tech things that make up the internet. So of course a less regulated internet would benefit it since its companies were best positioned to take advantage.
My question for the next 30-40 years: unless China screws up badly, it will overtake the US. It's simple math: a moderately rich Chinese population will overtake the US one, as it outnumbers it 4 to 1 or so. Will the US be as benevolent and open when it's the underdog?
Based on some reactions I've seen here, regarding the EU and the GDPR and also on reading a ton of comments about China, I'm not so convinced.
TL;DR: The US is reasonable, for a super power, but it didn't do it out of the goodness of its heart.
> Will the US be as benevolent and open when it's the underdog?
US benevolence will increase in direct proportion to the extent that it isn't the sole global superpower (realistically it has been the sole superpower since WW2; the USSR's power projection was mostly a facade, as it always had a terrible economy). Its perceived role as global policeman has put it into an endless number of ridiculous positions (both politically and militarily). The less the US believes it has to be the prime actor in that regard, and the more the US has to inter-operate with everyone else in a normal fashion, the less obnoxious it will be about a lot of things. It will be able to semi-normalize back to closer to how other major nations behave.
Obviously the US will remain an outsized global superpower. Its economy and military scale alone will ensure that. However the coming future in which China is a real rival that can stand toe to toe will force a number of fascinating adjustments to all politics around the globe (and I mean not just US politics, all politics for all countries).
The real question to ask is, will China be benevolent with its future power? Look at what they're doing to their people right now for the answer (vast Muslim torture camps like the Mao days, where people are being forced with violence and psychological torture to give up their Islamic beliefs; literally torturing homosexual people to convert them away from homosexuality; restricting "homosexual speech" because it's anti-Socialism; wiping out what limited speech the people of China had acquired; using its military to annex the South China Sea away from its neighbors, which is 4x the size of France or Texas; etc). Now consider for a moment that that is China just getting warmed up as a global power, and consider what other horrific things they may choose to do under dictator Xi (dictatorships have a near universal record of getting worse, rather than better, as it pertains to human rights).
Consider that China has begun an aggressive expansion of its military outside of its borders (laying down plans to build numerous foreign military bases to give it global projection capability). Now one might fairly criticize the US for its global military expanse; however the US hasn't used its might to annex nations or territory globally, it hasn't actually acted as a traditional empire (ie Ramstein military base in Germany is no threat such that the US might suddenly attempt to annex Germany). Meanwhile China routinely threatens to invade Taiwan and annex it, they get upset if you so much as recognize Taiwan as an independent nation or talk to its leader directly. Maybe next week China will decide that Mongolia too is a proper part of the greater China strategy.
So with that growing power, is China suddenly going to become a soft benevolent giant? Or will they get worse? I think the answer is obvious and the planet should be terrified about what's coming. The entire Chinese approach is incompatible with democratic values across the board, and they are without question going to throw their weight around as it pertains to censorship (they already are). They're currently busy buying up Eastern Europe and using their investments to get countries like Greece to block actions against them as it pertains to eg the South China Sea. Imagine a world under the reign of Xi, forced by threat (direct or implied) to comply with how the CPC operates China today. If people thought the US superpower behavior was bad (a democratic nation with vast human rights protections), that's going to be 10x worse.
1. Invitation to treat: that is offering services for consumption
2. Offer to contract: fulfilling the invitation by making a contract of terms
If you drop a potential customer at step 1, e.g. having your web-server decline the connection based on GeoIP, would that not constitute reasonable effort? We don't have case law regarding GDPR yet but I would certainly argue that it shows efforts being taken to exclude EU residents.
I think it probably would but there are 2 major issues there (under some interpretations):
- the IP, under GDPR, is personal data. You need consent or a legitimate interest to process it.
- it is very murky regarding EU persons abroad. So if I operate with a German citizen originating in Hong Kong, I may be subject to the law.
Personally, I think that you'll be fine blocking EU IPs as long as you aren't doing anything more with them, but that doesn't change the philosophical problem.
Someone else, through proactive work on their part, came to my site (say hosted outside of the EU), even though I did not want them to and I am on the hook for a law I had no agency in creating.
Again, largely a thought exercise and not a real problem for real businesses, but it does beg the question...are websites liable for every law in the world? Do we just fall back on the 'well they can't enforce it' model of evaluating website legislation?
> I was actually surprised by how easy it is to read it
there's a whole two hundred post debate around here whether IPs are or aren't PII on their own, with the vast majority holding the wrong position.
there's a whole branch of GDPR that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?
there's a whole bunch of implications on how liable you are about holding unwanted personal information, including unwanted medical personal information, i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and require that a ramp be present to access your gazebo, is that so?"
there is a huge surface area for uncertainty, up to and including 'best practices' that are a constantly shifting target.
edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
>there's a whole two hundred post debate around here whether ip are or aren't pii on their own.
Largely pointless. EU courts have in the past ruled that IPs are personal data because they can be tracked back to a person. End of story.
>there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar).
was largely already covered by the previous EU privacy law and the german privacy law. Courts largely agree that calendars for appointments are fine as long as you keep them reasonably secure and don't throw them around in public.
>you also need a privacy policy if you are receiving phone calls. did you know that?
Yes I did. I informed myself when I registered as a small business.
I know. I'm on that side. Can link you to dozens of threads where the comments stating IPs are PII are downvoted to hell asunder and false myths spread like wildfire.
> Courts largely agree that calendars for appointments are fine
yes, but for online calendars the provider is a processor and needs to be listed as such. and when a customer exercises the right to be forgotten, you'll need to go back and delete the meetings. all new stuff I'm quite sure the majority forgot to consider.
> Yes I did. I informed myself
good for you, doesn't mean there aren't a lot of businesses that didn't, and considering the false myths spread around here, this board needs to hear as much as possible about these things.
> you also need a privacy policy if you are receiving phone calls. did you know that?
You mean your website needs to have a note next to your phone number saying something like "we will not record your phone calls", and if there isn't, you're liable to be fined?
No, people were correctly answering the specific question: is an IP address on its own personal data? (No, it can't be used to identify a natural person).
The problem is that it's a stupid question. No-one has just IP addresses, they have a mix of data. If you can combine the IP address with anything else to identify a natural person it becomes personal data.
Without conditions. Even hashing them doesn't make them 'irreversibly anonymized' because the IP space is too small for hashing to be irreversible. A rainbow table can be built with all IPs and used to deanonymize the IP.
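To make the point above concrete, here is an added example (my code, not any commenter's) that enumerates a /16 and reverses plain SHA-256 digests of IPv4 addresses, then shows that an HMAC under a secret key only changes who can do the reversal: the key holder still can, so it is pseudonymisation rather than anonymisation. The function names and the addresses from the 203.0.113.0/24 documentation range are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
)

// Constructed sample addresses from the 203.0.113.0/24 documentation range
// (not real client data).
var sampleIPs = []string{"203.0.113.7", "203.0.113.42", "203.0.113.200"}

// naiveHash is what many sites call "anonymising" an IP: a plain SHA-256
// over the address with no secret involved.
func naiveHash(ip string) string {
	sum := sha256.Sum256([]byte(ip))
	return hex.EncodeToString(sum[:])
}

// keyedPseudonym replaces the plain hash with an HMAC under a secret key.
func keyedPseudonym(ip string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ip))
	return hex.EncodeToString(mac.Sum(nil))
}

// buildTable precomputes digest -> address for every IPv4 address in cidr:
// the "rainbow table" the comment describes. A /16 is 65,536 digests and the
// whole IPv4 space is only 65,536 times that, well within reach of one machine.
func buildTable(cidr string, hashFn func(string) string) (map[string]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	v4 := ipnet.IP.To4()
	if v4 == nil {
		return nil, fmt.Errorf("%s is not an IPv4 network", cidr)
	}
	start := uint64(binary.BigEndian.Uint32(v4))
	ones, bits := ipnet.Mask.Size()
	count := uint64(1) << uint(bits-ones)
	table := make(map[string]string, int(count))
	for i := uint64(0); i < count; i++ {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], uint32(start+i))
		addr := net.IP(b[:]).String()
		table[hashFn(addr)] = addr
	}
	return table, nil
}

// reverse looks each digest up in a table; "" means the address was not recovered.
func reverse(digests []string, table map[string]string) []string {
	out := make([]string, len(digests))
	for i, d := range digests {
		out[i] = table[d]
	}
	return out
}

// Outcome records what an enumerating party recovers in three situations.
type Outcome struct {
	Naive           []string // unkeyed digests, enumerated with plain SHA-256
	KeyedWithoutKey []string // HMAC digests, enumerated with plain SHA-256 (no key)
	KeyedWithKey    []string // HMAC digests, enumerated by whoever holds the key
}

func runDemo(cidr string) (Outcome, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Outcome{}, err
	}
	naive := make([]string, len(sampleIPs))
	keyed := make([]string, len(sampleIPs))
	for i, ip := range sampleIPs {
		naive[i] = naiveHash(ip)
		keyed[i] = keyedPseudonym(ip, key)
	}
	plainTable, err := buildTable(cidr, naiveHash)
	if err != nil {
		return Outcome{}, err
	}
	keyTable, err := buildTable(cidr, func(ip string) string { return keyedPseudonym(ip, key) })
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Naive:           reverse(naive, plainTable),
		KeyedWithoutKey: reverse(keyed, plainTable),
		KeyedWithKey:    reverse(keyed, keyTable),
	}, nil
}

func main() {
	out, err := runDemo("203.0.0.0/16")
	if err != nil {
		panic(err)
	}
	fmt.Printf("unkeyed hash reversed: %v\n", out.Naive)
	fmt.Printf("HMAC, no key:          %v\n", out.KeyedWithoutKey)
	fmt.Printf("HMAC, key holder:      %v\n", out.KeyedWithKey)
}
```

The practical consequence is that a keyed pseudonym is only as "anonymous" as the custody of the key, which is why the key must be held apart from the pseudonymised records and deleted when the data is to be erased.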
The document you link to has this interesting statement:
> The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
That raises an amusing question. Suppose you have a one person business with a small number of customers (a few dozen or so) that you deal with in person. With proper mnemonic techniques it would be possible to do all the storage and processing of their personal data in your head.
Does GDPR apply?
The only thing I see in the quoted paragraph that might suggest it does not is "provided the data is organised in accordance with pre-defined criteria (for example alphabetical order)". Do brains use pre-defined criteria to organize data?
This too raises an interesting question:
> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
If data is used to train a neural net and then discarded, but you keep the trained neural net, in some sense the data is still there in the weights of the connections in the neural net. Has it been sufficiently rendered anonymous to no longer be considered personal data?
I assume you mean you use only IPv6? Unfortunately I'm away from the real computer but I guess you could run a simulation like that (try to build rainbow table and see how fast it goes).
I agree an IP can address multiple persons. What is common sense matters little. IPs were enshrined in law as personal information and that's that. It's stupid, but it's not something you can just argue away with reason and logic, you have to argue it with lawyers in courts, and given precedents you're gonna lose, and that's what matters.
Haha, the response to your comment here is a perfect example of how ambiguous this law is: you yourself are disagreeing with official interpretations of this law. And the blog post that we’re commenting on here says that personal projects have to comply, while you have posted multiple times saying they don’t?
It’d be really nice for the “fucking idiots” that you referred to earlier if those of you who clearly know what the law says and what it means could get your stories straight.
Bottom line, DON'T store/sell/mangle the personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:
- make login as it is on Hacker News, you don't need email
- once the user has selected and paid for the goods, request a shipping address and contact (phone/email/whatever)
- ship it, print the request / store it in cold storage (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from the server
The described process will pass the GDPR Nightmare Letter in 10 minutes (to write a general reply) that you sent to everyone requesting.
This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.
For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.
I really dont understand all the fuss about the GDPR, if you explain (and prove) this to ICO, I would really like to see who will punish you for that.
This is actually a great boilerplate for a response. Somebody should create a product that collects this information inside your company and formats it for sending it to any and every GDPR requester. End of story.
My (EU) clients fall into two camps. Those who haven't had to do a single thing to be GDPR compliant because they were already following the various data protection and privacy laws, and the ones panicking.
The latter group say things like "this is ridiculous, they're making us change so much" but never have an answer to the fact that they're already violating PECR or the Data Protection Act.
Whatever one thinks about the subject matter, the writing in this piece is awful. You can get the substance of what the writer is saying by skipping 90% of the content. Moreover, the tone is talking down at the audience - unless that audience is already excited about gdpr. This comes across as not being interested in convincing anyone but in cheerleading their position.
It ain't hysteria if you're in Germany, and a private individual or a nonprofit (e.V.). Due to specialities of German law third parties can serve you legal writs for hundreds or thousands of euros.
Which is why I'm shutting down these 20 domains running HTTP/SMTP services I'm hosting in less than a week, and wait until the smoke clears.
Can you point me to a more detailed source on this issue? I have heard Germans concerned about getting sued by third parties for minor website legalese issues.
I'm not fluent in German so I wasn't able to fully understand the situation.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
As a solo business owner based in the US, I’ve been spending the last couple weeks learning about GDPR and getting compliant. While it has not been a fun process, I do think in general the regulation is quite reasonable and overall good for the world in general. So far, GDPR compliance has not cost me any money, only time.
There are three problems however that I have with GDPR and I’d love to hear how other small non-EU businesses are dealing with this.
First is the requirement to have EU representation (Art. 27). Since I don't have any physical presence in the EU, GDPR requires the appointment of a representative. It would appear that a new industry has been created selling non-EU businesses GDPR representation in the EU which in my brief Google searching can cost $1000 per year or more. Are other small business owners out there paying for this? Or how else to deal with this requirement? Not a lawyer but this is the only part of GDPR I am tempted to ignore.
Second is the common practice of using lead magnets to collect emails for marketing. My email signup forms are very clear about marketing use, and are double opt in, and subscribers can opt out with a single click. But my research suggests that this is still not GDPR compliant unless there is an explicit consent, which I believe will reduce email signup rates. Also, while Mailchimp has a GDPR form, it is quite large and doesn't work embedded in web page headers, sidebars or popups. I've only seen one of these Mailchimp GDPR signups in the wild and they opened a new browser tab to present the hosted Mailchimp GDPR form which to me isn't ideal. How are others handling email marketing signups? Disclosure and checkbox for consent seems a reasonable compromise but I haven't seen this very often in the wild, at least not yet, that may change come May 25. Not a lawyer but I'm tempted to keep my current forms until I see more websites make changes.
Third, I have a medium sized mailing list (less than 10,000) mostly US based emails which is important for my business. Are people running consent campaigns (as suggested by Mailchimp?) I’m concerned that I will lose a substantial part of my list due to non-response. Again, the list is double opt in and I am very reasonable with my marketing emails. (Not a lawyer) but my thought is to segment my list into EU and non-EU customers and run a consent campaign only on EU emails. Has anyone run a consent campaign and how did it work out for you?
Any thoughts or suggestions from other small and solo business owners would be much appreciated.
No, I definitely value my time. I actually (and maybe strangely) have appreciated the opportunity to review my data processes, privacy policies and security. I think my business is better for it. Also, getting compliant is mostly a one-time effort with little maintenance, whereas paying $1000+ every year for an EU representation service that will in reality probably do absolutely nothing is very irritating to me.
That said, your point is still fair. I sometimes spend my time less-than-optimally because it feels "free."
I suspect you’re going to get the predictable response here that you should do the most conservative things possible, and if that tanks your optin rates and email list and ultimately your business, then obviously you’re a filthy scammer and your business deserved to die.
The lead magnet thing is such a good example. It’s a clear and voluntary trade-off: you can have this free resource if you join my list, from which you can unsubscribe at any point. It can obviously be done in a scammy way, but you’re clearly not doing that. But some people think you should have to provide that resource without any restriction.
Or that forcing people who already opted in to do so again is fair, because if they don’t reconfirm, then they must not have wanted to be on the list. This is like a SaaS company calling every customer periodically to ask them if they might want to cancel.
It makes no sense, but the pro-GDPR crowd on HN in particular is very hostile to marketing in general and email marketing in particular.
No one here who likes the GDPR gives a shit about your business. They’ll be happy to give you bad advice based on how they wish the world was, and if it costs you dearly, that’s not their problem and you probably deserved it anyway.
I’m doing some of the same activities as you, and I personally will be changing basically nothing for GDPR. I’ve always treated customers fairly and I’ll continue to do so. Governments that have no jurisdiction or enforcement mechanisms against my company can pound sand.
Thanks for your feedback. I have heard from some of my friends who also run small businesses that they also plan to do nothing. I think from a purely practical perspective, it's extremely unlikely that EU regulators will go after small software, app or web businesses in the US – I'm sure they have bigger fish to fry. That is, unless the small business does abuse their customers' data and privacy resulting in a large number of complaints to EU regulators. Still, I think almost all of GDPR is pretty reasonable and not very costly (time or money) to implement (at least to me).
> My email signup forms are very clear about marketing use, and are double opt in, and subscribers can opt out with a single click. But my research suggests that this is still not GDPR compliant unless there is an explicit consent, which I believe will reduce email signup rates.
But if it required user activity to register for those lists AND you explicitly identified them as for marketing purposes, that seems like you already HAVE consent? I mean, what do you imagine consent to mean other than "an active affirmation from the user that they're ok with this". If it's indeed double opt-in AND clearly communicated, it seems you clear that bar by a mile?
I'm not a lawyer, but my interpretation of GDPR and the research I've done suggests that my current lead magnet approach (which is at least in the US very common) gives me consent to use the email for delivering the lead magnet, but not for marketing unless there is an explicit opt in for subsequent marketing emails. I think (and I have read) that not getting the user to explicitly check a box for marketing emails is implicit consent and is not allowed under GDPR. Also, saying something like "you cannot sign up for getting this lead magnet unless you consent to marketing emails" is also not allowed. That said, I agree with you that I'm very clear. So maybe I and others are interpreting GDPR too strictly. Here is one article that takes GDPR very strictly: https://kerstinmartin.com/blog/gdpr-lead-magnets
I just found another article however with another solution which may be better. The article suggests instead of saying "Get this free ebook! And p.s. we will send you information and marketing emails about our product." you should say "Sign up for our newsletter to receive information and marketing emails about our product. Also we will send you a free e-book as a gift." It's not as good of a call-to-action, but changing the order does turn into explicit consent for marketing. Source: https://blog.mailrelay.com/en/2017/12/28/new-gdpr#_What_abou...
First off, IANAL; I'm a European citizen within IT that has to deal with GDPR in my professional role.
I believe there is a lot of hysteria and FUD around GDPR.
Anyway, this is how I would handle your problems.
1. In the same article[1] that you reference, the following paragraph might apply to your business:
>27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
>processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)
I would ignore it for now. If any supervising authorities would contact you regarding compliance issues, talk to an expert.
2. This is if you use Consent as the legal basis for collecting the data. I have seen a few businesses use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues like the weighing test of interests not being tested in court, yet. The Article 29 Data Protection Working Party have released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country-by-country basis.
If you select the consent route, a double opt in with the possibility to opt out at any time should be sufficient as long as you document the text for the opt-ins and record it together with the date & time of the opt-in.
Oh, and you don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent[4] for extended reading.
It sounds like your current process is enough or requires very little tweaking, I would keep it as is.
3. I have not run a consent campaign. I have run information campaigns about our users rights with links to required documentation and they have been appreciated.
I would not run a consent campaign as I believe your consent should be good enough based on the process mentioned above.
Re #1: To be exempt you must fit all 3 criteria:
1. processing is occasional
2. does not include, on a large scale, processing of special categories of data (e.g. religious, political, criminal backgrounds, sexual orientation, etc.)
AND
3. unlikely to result in a risk to the rights and freedoms of natural persons
I collect a number of emails on my website and apps every day, so I don't think my processing is "occasional". If I collected emails once a year or even once a month, sure I could argue that processing is occasional. But collecting 10-20 email signups per day doesn't seem occasional to me.
2. Thanks for your opinion on this. I think I agree with your assessment.
3. Again, I think I agree with you - thanks for your opinion.
This is no hysteria.
Depending on where your company is located the suing risk is really high. E.g. in countries like Germany there is a whole industry which lives from suing companies and people and I can imagine that GDPR will open a whole new suing market there.
In other countries like Austria you get warned first and then sued on big GDPR violations, which is a much better solution.
From a German perspective not much has changed: the core concepts "as minimal data collection as possible" & opt-in for more, the right to ask which data a company has about you and the right to make them delete it have been established law in Germany since at least 2009 if not 1983.
Not as per the law. The law explicitly states that option for judicial remedy exists. The article is the opinion of a lawyer based on current practice, but this is not what the law actually says.
There's no hysteria. There's just FUD disinformation campaign - businesses who make a lot of money thanks to privacy violations are very unhappy with this and they have a lot of voices.
I'm unhappy with this because now I have to do a lot of extra work verifying that I'm not breaking some law, then implement changes in both code and license agreements, then get all the users to agree.
I've had zero profit from user data so far - to the contrary. If everyone could be billed just with some cryptocurrency, totally anonymous, that would be great.
The only thing I can do as a customer is be mildly amused at the fact that you're complaining it's inconvenient for you to respect my privacy now that a law is coming into effect forcing you to do so.
From the other end of the spectrum, I know you're wildly exaggerating the difficulty of compliance.
It's not inconvenient, it's costing me money. I don't want your data, I need to collect it and store it to comply with other laws, now I need to verify that the particular way I collect and store that data isn't violating some other new law.
You are not my customer, but even if you were, keep in mind that for every piece of regulation (and there's tons of it!) I need to fulfill, I have to pay, which means you need to pay. I need to set prices to keep my bottom line. If I can't keep my bottom line, I'll eventually stop providing the service, because I'm not providing it for fun. That's for paid services.
Now, some companies don't even charge you, they provide (aggregate) data about you to advertisers, who are then willing to pay more for their ads. It only makes sense, how much would you pay for an ad for a piece of specialized software that gets shown to the wrong audience 99.99% of the time? What's going to happen if that kind of data usage becomes infeasible? Those companies need to start charging, or go out of business. There will be less free services. I suppose that helps companies who do charge, but it hurts people who can't pay and don't care about data collection.
I'm not providing such a service, but if I was, you would be paying me with your "privacy". If "respecting your privacy" means you don't want to pay, you can get lost, because you're only costing money. The definition of "customer" is that you compensate the other side.
Your comment led me to wonder if any businesses are considering raising prices for EU customers as a result of this law. I'm not so much wondering about the "we lost revenue because we can't sell your data anymore", but more along the lines of "complying with the regulatory environment in this region is expensive, and we pass the cost of compliance along to customers in the region".
I recently learned about the AU warranty rules, which are very consumer-friendly — and which a commenter pointed out might be the reason that Apple and others charge significantly more when selling products in AU.
Note: I'm not saying anyone should raise prices as a result of GDPR, just wondering if anyone has done so.
Do you think companies will/should make explicit the cause of higher/differential pricing? On the one hand, it could anger consumers. On the other hand, it would provide transparency so that consumers would understand where the price increase came from.
> I need to collect it and store it to comply with other laws, now I need to verify that the particular way I collect and store that data isn't violating some other new law.
Have you seen this? It seems to say that GDPR allows you to do what you're doing.
I fully expect it to allow it, but you can't just pick one line out of the whole text and be done. For instance, what's the definition of processing? How does it cross-reference with the whole body of other EU regulations? Etc.
Did you actually look into the GDPR before jumping to these conclusions about the effects on your business? For example, if you have a legitimate need for user data (e.g. "I need to collect it and store it to comply with other laws") then the GDPR does not apply. This is very plainly laid out for those that care to actually inform themselves.
> Did you actually look into the GDPR before jumping to these conclusions about the effects on your business?
The fact that I have to look into the GDPR already proves my conclusion to be true. I fully expect there to be few if any issues, but I still need to verify against the regulation, which is thousands of lines of text.
I can't just refer to "salvar on hackernews" saying it's "legitimate" if it's for legal compliance.
Yes, you need to look into regulations to make sure you're complying with them. I really hope that this is not news to you if you are running a business or service.
I can tell you that GDPR is going to cause issues with block based backups. Many hosting providers don't separate customers on different block devices. When you back up a block device you have snapshots that have many different organizations data on them.
Part of making good backups is knowing that the backup can't change. The only solution now is to add paths to go back and modify those backups to remove customer data when asked to.
Reading https://ec.europa.eu/info/law/law-topic/data-protection/refo... I would agree, of course if that identifier is not in some other database, that maps it to a person. If you have just ids in a backup and you remove the person-ID mapping this should be fine.
I've seen a lot of people talk about having a separate table for ids that should be removed when you restore a backup. It seems like a pretty viable solution, at least from what I've seen.
The conventional solution to that problem I’ve heard for the last couple decades is to use encryption so the backup doesn’t need to be altered ahead of your normal rotation schedule as long as you can probably drop a customer’s key on demand.
The backups are encrypted, but there is no way for the backup software to know one client's data from the other. It's block based, so all it sees is a volume.
Most hosting providers, or anybody really, don't create new volumes for each customer. They would simply have a directory per client. Once you start needing to know more about the file system then you sort of waste all the benefits block based backups provide.
By block based I mean volume based, where we simply copy the allocated blocks of the file system that changed between each backup.
I think the parent means encrypt customer data with key specific to that customer. When you erase that customer key their data becomes irreversibly damaged.
I get that, but the problem is the way data is stored today it is stored on a single volume. That is many customers are stored on a single volume. When backed up there is normally one key per volume.
I guess the real issue is who will be responsible for ensuring backups are stored in a way that different clients are isolated.
As somebody who makes backup software I know the burden will at some point be on my plate.
That being said, if people stored data differently, and did actually have a key per customer, then the backup software won't matter, because like the parent and you said, just delete the key. But nothing really works like that today, and it will require a massive amount of software to be rewritten to handle this sort of stuff. So until then either you can't back up your data, or you make the backup provider figure it out.
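The key-per-customer scheme the last few comments describe (erasure without ever rewriting an immutable snapshot), as an added example that is my code and not from any commenter: each customer's record is sealed with AES-GCM under that customer's own key, the keys live outside the backup rotation, and answering an erasure request is deleting the key. The Backup, KeyStore, Seal, Restore and Shred names are hypothetical, and the customer records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup is one immutable snapshot of a shared volume: every customer's
// records sit side by side, each sealed under that customer's own key.
// Values are nonce || AES-GCM ciphertext.
type Backup map[string][]byte

// KeyStore is kept outside the backup rotation; deleting an entry is the erasure.
type KeyStore map[string][]byte

var ErrKeyShredded = errors.New("customer key deleted: data is unrecoverable")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// keyFor returns the customer's key, generating a fresh 256-bit one on first use.
func (ks KeyStore) keyFor(customer string) ([]byte, error) {
	if key, ok := ks[customer]; ok {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ks[customer] = key
	return key, nil
}

// Seal encrypts one customer's record for the backup. The customer id is bound
// as associated data, so a blob cannot later be passed off under another id.
func Seal(ks KeyStore, customer string, record []byte) ([]byte, error) {
	key, err := ks.keyFor(customer)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, record, []byte(customer))...), nil
}

// Restore opens one customer's record from an untouched backup. Once the key
// has been shredded the bytes are still there but cannot be recovered.
func Restore(ks KeyStore, b Backup, customer string) ([]byte, error) {
	blob, ok := b[customer]
	if !ok {
		return nil, errors.New("customer not present in backup")
	}
	key, ok := ks[customer]
	if !ok {
		return nil, ErrKeyShredded
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("truncated blob")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(customer))
}

// Shred answers an erasure request without touching any backup: only the key goes.
func Shred(ks KeyStore, customer string) {
	delete(ks, customer)
}

func main() {
	ks, snapshot := KeyStore{}, Backup{}
	// Constructed sample records (not real customer data).
	for id, rec := range map[string]string{"cust-1": "alice@example.test", "cust-2": "bob@example.test"} {
		blob, err := Seal(ks, id, []byte(rec))
		if err != nil {
			panic(err)
		}
		snapshot[id] = blob
	}
	Shred(ks, "cust-1") // cust-1 asks to be forgotten; the snapshot is left as it was
	_, err := Restore(ks, snapshot, "cust-1")
	fmt.Println("cust-1 after shred:", err)
	rec, _ := Restore(ks, snapshot, "cust-2")
	fmt.Println("cust-2 still restores:", string(rec))
}
```

The remaining operational problem is exactly the one raised above: this only works if the application (or the volume layout) already separates customers at write time, since a block-level backup of a shared volume has no per-customer boundary to attach a key to.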
I chuckled at that sentence as well. It's not that the tech sector is rational, it's that a lot of the people working in it are desperate to maintain a self-image of being a rational, scientific-minded person. Then, if some evidence collides with that self-image, we just blame it on management. Problem solved!
One question that I have thought about is how are foreigners supposed to learn about the GDPR's existence? If it wasn't for the fact that I spend more time on HN than I should I would never have heard of it. I doubt there are many businesses here in Australia that know about it.
Is the system of warnings and increasing fines described in the post a part of the law, or does one need to rely on the "spirit of the good natured enforcers" if they are unable (or unwilling) to immediately comply fully?
It is, but in a vague way, see article 83[0], where to choose what fine to apply you must consider, amongst other things:
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
If an authority did not go this way any fine could be voided by an appeal.
I don't think it's really that simple, especially the deletion requirements. There are just so many IT systems that really don't support deletion. An absolute worst case I can imagine is GitHub being asked to delete an account which had commits in multiple large projects. Are they going to alter those projects' source code?
I'm not talking about copyrighted or otherwise shady stuff pushed to GitHub. My concern is what's supposed to happen when a GitHub user requests GitHub to delete their entire account and all the personally identifying information they have on them. Clearly GDPR calls for this to be possible, yet that would mean that GitHub would have to delete this user's commits (which usually contain full names and mail addresses). Clearly they can't reasonably do that though.
> If you’re posting users information to a public repo
Like their name and email address in every commit they submit?
I've already seen a notice from GitLab requiring me to consent to waive my rights to have that info deleted if, e.g. I were to contribute to the GitLab open source project. But I'm not sure that that's even enough for GDPR.
The waiver is only one aspect of it. Waiver only applies when consent is required. Article 6 of GDPR also allows for the use of personal information when "processing is necessary for the performance of a contract to which the data subject is party..." Consent is not required when it is a necessary part of performance under a contract. GitLab's updated terms state that as part of the agreement to voluntarily contribute to GitLab projects, contributors acknowledge and agree that their personal information will become part of the repository as part of the Git functionality. Therefore, their personal information will not be deleted and will remain in the repository so as not to impact the code base. This only applies to those who contribute to GitLab projects. This does not apply to general use of the software. There is still much that is unclear regarding GDPR but we are doing our best to comply and protect individuals' privacy. An important function of this waiver and acknowledgement is to provide transparency to our contributors. If an individual does not want their information to be maintained, they have the option not to contribute.
I'm not sure about the point regarding the DPD. EU Directives themselves don't have teeth, but they're supposed to be transposed into national laws - e.g. the DPA in the UK - and would be enforced nationally. A regulation comes into law across the EU, but is still often transposed, and the enforcement mechanism (to begin with) is still basically the same.
He's right that the DPD was not well-adhered to, though.
The problem with the laws stemming from the DPD was that there were different laws in each EU country, and the enforcement options were too weak for slippery international corporations.
One critical change in the GDPR is the mandatory reporting of significant breaches. Before, it was entirely optional, so reports could come out years after the event once the material surfaced online.
Sure, it wasn't consistent, but the argument about lack of enforcement really comes down to the national regulators not taking their jobs seriously enough or being given sufficient resources. The ICO in the UK has only ever issued pretty small beer fines.
The problem with self-regulation in this area is that there is significant competitive advantage to be gained by not being particularly careful. In that sense, I think GDPR evens the playing field.
I've been doing a bit of consulting work on the GDPR and for the most part small sites aren't going to have a lot of headache dealing with the GDPR requirements.
Typical, simplified, workflow (varies):
1) Review what data you collect and why
2) Document these in an updated privacy policy along with third parties you share data with and why
3) Update all forms on your site collecting personal information
4) Update your cookie policy and the way you handle cookies, for some of these you might need consent, for some there might be exemptions
5) If you expect this to be an issue, set up automated means of handling requests pertaining to data subject rights, otherwise process them as they come via email
While some smaller sites are getting around the need for an EU rep by claiming that they are only processing data occasionally and not on a large scale (whatever that means, as it's not defined by the GDPR), there is a big problem with getting an EU rep, because as opposed to a DPO, which doesn't have liability, your EU representative "should be subject to enforcement proceedings in the event of non-compliance by the controller or processor", making that natural or legal person liable, so you won't be able to easily outsource this.
If you have set up shop in the EU, then it's pretty easy to handle the aspect of an EU rep. Also, if you're transferring data between your EU and US offices/datacenters, you can self-certify under the privacy shield, starting from ~$250 per year, to not have to deal with binding corporate rules or standard contractual clauses, so that you can effectively make these transfers "safe" under the GDPR, along with various technical safeguards, of course.
Privacy Shield starts at $500 per year for the smallest company, and that’s before you contract with a mediator (lowest cost there is $50/year if you use the EU options). Unless I’m missing the option for $250/year on their website?
I was referring to https://www.privacyshield.gov/Program-Overview where, under the single framework (EU-U.S.), for companies with between $0-$5 million the yearly fee is $250. If you want to add the Swiss-U.S. privacy shield as well, then it's $375 per year for both.
Thanks - I have no idea where I got the $500 number in my head. Maybe I was thinking of one of the private mediators I was researching? Sorry for questioning your initial number...
I think much of this probably comes down to cultural and ideological differences between the US and the EU. It certainly seems that almost all of the rabidly pro-GDPR crowd is from the EU.
Interesting: I have a number of anti-GDPR comments here and on last night’s GDPR thread that got upvotes last night US-time, heavily downvoted throughout the night, and are now going back up :)
Yes, because being against a law that is both reasonable and the right thing to do doesn't make any sense when you're a real live human being. The hysteria about businesses imploding under legislation is classic internet outrage at a phenomenon not very well understood. If you actually took the time to read the source material, you could very well see that it's reasonable and made to protect you. At the same time, you would see that there will not be any world-ending fines handed out for literally no reason (on a slight tangent, I don't understand why it is so impossible to grasp that this isn't something that happens in the EU).
This is a law with good intent that was very poorly written and is very ambiguous. Most of the people with your view posting here aren’t experts in this regulation or the law in general, but just armchair lawyers who scanned this regulation and like the intent so they argue that it’s simple.
Ironically, if you asked 10 different people with that position about basic facts about this law, you’d all have different answers. Maybe if it’s so simple you could all take a few mins to get your story straight on how it works?
The author claims that local law compliance has always been the case. That is in fact incorrect and is a glaring mistake in the article. For the first 20 years of the Web's popular usage globally, you in fact mostly did not have to comply with local laws when it came to commerce online - there were few laws, and most jurisdictions had yet to flesh out how they were going to regulate and apply their laws or not. You simply opened up shop and sold to anyone from anywhere that wanted to buy from you, and you did not need to give a second thought to anything else.
Coming next is a global compliance nightmare. If you want to sell globally, you'll have to comply with dozens of unique local approaches. Small businesses won't stand a chance of being able to deal with that. An army of fee charging middle-men will spring up offering solutions, extracting fees accordingly.
This is just an author wishlist and not the reality. I especially find the "clearing house" fantasy amusing. How does he think this house of bureaucrats will be able to judge that John Doe's complaint has any merit?
I recognized your user name from the other thread (https://news.ycombinator.com/item?id=17095217), it looks like you've made up your mind (to the point where your comments were ridiculous enough to be deleted) and no amount of argument will even get you to consider any other options.
I am only trying to understand why people feel so easy about it. I read hundreds of articles on the topic and nobody really has a clue what is going to happen. That my comments were deemed ridiculous and deleted is a symptom of how crazy this whole thing is.
> How does he think this house of bureaucrats will be able to judge that John Doe's complaint has any merit?
The same way judges can throw out a case without going to trial. Checking if the complaint makes sense, if it represents an actual violation as described, etc. Anyone dealing with the public knows that a huge chunk of the complaints don't even pass that bar.
John Doe says company has personal information on him and doesn't want to delete it. Shows email exchange with the company and company is stating they don't have his personal data, so there is nothing to delete.
How do they judge the case has merit?
Let's say a group forms on an xchan type of site and floods the company and "clearing house" with such claims.
Unless Doe can provide any actual reason for believing they have his data, and as long as the data handling process of the company is sound, the regulator will just close the issue. At least that's my experience.
Remember that the Data Protection Directive, which already allows citizens to ask companies if they have data on them and to correct incorrect data, has been around since 1995, yet there haven't been any mobs ruining companies.
What reason could anyone provide? (even that a company like fb still has your data) Or that a company sold it illegally? Or that random targeted ads you are seeing are the result of data from any particular company?
Today I've been asked by a library of "Junta de Andalucía - Spain" to accept its terms and conditions to use the wifi internet connection provided for its users, and it's a clear violation of the GDPR by a government body; basically they're asking for a blank check to do whatever they want without bothering to ask/inform the user.
Translation by translate.google:
====
The Telecommunications Corporate Network of the Junta de Andalucía reserves the right to monitor and collect information while the user is connected to the Service. This information can be used at the discretion of the Telecommunications Corporate Network of the Junta de Andalucía and can even be shared with the State Security Bodies, their associates or suppliers.
Likewise, the Telecommunications Corporate Network of the Junta de Andalucía reserves the right to revise this agreement at any time.
The user must accept the General Conditions of Access each time they use the service and, it is your responsibility to review it each time the Service is accessed in case there has been any change.
The Telecommunications Corporate Network of the Junta de Andalucía reserves the right to withdraw the Service, modify the specifications or forms of use thereof, as well as change access codes, users, passwords and other security elements necessary to access the Service. IF YOU DO NOT AGREE TO THESE TERMS, INCLUDING ANY MODIFICATIONS, DO NOT ACCESS OR USE THIS SERVICE.
As someone more on the hysterical side, good post, thanks. Can you clarify one part for me? Take this bullet:
> The GDPR is going to expose me to fines of up to 20 million Euros for even the slightest transgression
> No, the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers at the various data protection agencies in Europe they will first warn you with a notice that you are not in compliance with the law, give you some period of time to become compliant and will - if you ignore them - fine you. That fine will be proportional to the transgression. You can of course ignore the fine and then ‘all bets are off’ but if you pay the fine and become compliant you can consider the matter closed.
What if you get warned and decide at that point to just shut the site/app/business/project down?
Or is it the case that once you begin operating under the GDPR era, you'll have to handle those "good natured" enforcement warnings, delete data, etc?
I get that I'm probably compliant, and probably wouldn't have any complaints against me. I just don't know if it's worth waiting it out to see if there's an issue, or if now is my only chance to easily not deal with it by just blocking EU users.
I am afraid it is not so simple. There is a thing with data collector and data controller in GDPR I don't fully understand yet. It's not like you're not responsible for data collected by services that you hook up to your application.
You are the data controller because you decided that people who visit your site would also load GA scripts. You decide what is done with their PII. GA is just a data processor.
> Note that the 20 million Euros or 4% of global turnover is the maximum fine, the specific language is ‘a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater’, so that’s the maximum of the fine that’s being set by the 20 million or the 4%, and this bit is there to ensure that even the likes of Facebook and Google will not simply ignore the law and pay the fine to be able to continue as they have so far. This in no way should be read as you, the small business operator will face a fine of 20 million for each and every infraction that could be found.
Saying that this is intended to be aimed at the Facebooks and Googles is all well and good, but that's covered by the "4%" criterion. The €20 million figure is aimed at companies that have a global turnover of less than €500M, not the Googles and Facebooks. That's why it's scary.
Does anybody know if it's required to remove CDN links (such for Google fonts, cdnjs, etc.) and host all assets locally instead unless consent is given? Assets from CDNs are required for a site to function; what's not required is to send `Referer:` so maybe it's sufficient to set a referrer-policy.
I wonder the same. Would I need the web visitor's consent for loading a reCaptcha to verify they're indeed human?
Google fonts is just one of the many font libraries. For example, most web font licenses at myfonts.com don't permit webmasters to self host them. Bypassing the HTTP referer download protection, downloading them and then self hosting the font files could lead to significant legal problems.
> Well, this website is fully compliant with the law, so at least in this particular case it seems to work. Why? Because I don’t store any information about you. That’s a conscious choice on my part which I made long before the GDPR was even talked about in public. But if your situation is more complex then you too can be compliant, or at least - and this is key - you could try to be compliant. For instance, one oft heard argument is that no webserver (or even any internet service) is going to be able to be compliant because all web servers log IP addresses, and IP addresses are PII. But that argument does not hold water. There are several reasons for that, the major ones being: webservers only log IP addresses if you configure them to do so. Almost all webservers have a formatting option that determines what exactly is logged and you could configure your webserver to not log the whole address but just the network portion. You also have the option to log the address and to disclose that you do so in your privacy policy, but then you will have to allow for the removal of that data on request, which you may find burdensome (or not, that depends on the volume of such requests). Finally, you may have a legitimate reason to log the IP address, provided you delete it after you are done with whatever use you collected it for in the first place. There is enough room in the GDPR to hold on to the address for 30 days with a possible extension of another 60 days after which an automated reply to the user can tell them their IP address was purged and you’d be in compliance. That’s one of the reasons why I think the GDPR is a surprisingly good law, most of the times when legislation is written that impacts technology the end result is absolutely unworkable, in this case most scenarios seem to work well for all parties involved.
Ok but we have to trust this person that they don't store IP information. There is no way of knowing for sure. And there is no obvious way to detect a lie on this.
That's thoroughly good advice. Panic reduces efficiency and the capability to react rationally.
>Becoming compliant with this law will cause my business to go under
>If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company
Hmm, I would nitpick on that, Google Adsense has been ass about getting GDPR compliant, they don't offer any method of serving ads without storing consent including their tracking-free ads. This is not something that affects me personally but I know people running larger websites that rely entirely on ad revenue (premium model is hard since they drive visitors with UGC, most people don't have an account, they don't want to paywall anything or ask money from the people that drive traffic). The site itself is already fully compliant and with exception of very minor changes (minimum age 13 -> 16, adding a "download everything" button) was compliant in the past.
I blame Adsense on that one, not GDPR though. The ad industry has to adapt, pushing the work on the website operators won't help and is not appropriate. IMO Adsense should either offer a fully consent-free ad experience in compliance with the GDPR or operate the consent dialog for the website owner in a non-intrusive manner.
Maybe this means there will be an opening for a GDPR-compliant adnetwork in Europe
You cannot store a user's personal data like IP or cookie id unless you have consent from the user.
I expect that nobody will comply with this.
Smaller companies seem to think GDPR is something they can fix by changing the legalese in their impressum and privacy policy. "Yet another trip to the impressum generator".
Bigger companies seem to pretend they misunderstand the GDPR. I got emails and popups from Facebook, Twitter, Instagram etc informing me about all kinds of nonsense about how they changed their policies and asking me all kinds of unrelated questions about what kind of ads I want to see.
Not a single company asked me for permission to store my personal data.
But: "However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies."
So: you can store IP addresses as part of your information security needs, but not turn round and use them for direct marketing. (I'm not sure if web advertising counts as "direct marketing" here)
How can I be non-compliant with GDPR? If I couldn't care less about it, is it enough for me to do nothing? Should I expect that European users should find out themselves that my website is not GDPR-compliant? Or must I actively ban EU IPs?
If you actively choose not to pursue compliance, you should make it clear in your own privacy policy that the site is not for use by EU/EEA citizens and also use IP geolocation to block their requests.
You should require users to positively certify that they are not EU/EEA citizens, and refuse service if they are. Blocking by IP is a good idea but not sufficient.
> This in no way should be read as you, the small business operator will face a fine of 20 million for each and every infraction that could be found.
Thank you, random stranger on the Internet! However, that is not the law. And even if you are right? As I posted yesterday, half of the employers in the USA have 1-4 employees and make $387,200 on average yearly. Even if they get fined 1% of the maximum, they are completely wiped out. So no, it's not hysteria, it's plain business sense for them to slap an IP ban on it and move on.
What I think is a big problem is this stuff about requiring consent. This is a big issue at the moment for website owners and app developers who have online advertising from vendors such as Google (Admob/Adsense) and use e.g. Google Analytics for development support. These guys do not record individual user details and have no interest in doing so.
Specifically for such people there is an issue where personalised advertising (according to Google and others) needs an opt-in; fine, but for app developers and web site owners they don't have any user details other than maybe an IP address, so if they put up a pop-up and record consent, how do they know who the user is if they don’t have any other user info?
This is leading to absurd discussions re for example Google Analytics used by millions of websites and apps. There is something called client id which GA uses to identify unique "users” or website visitors. Now apparently as it is unique this is personal data so should require consent according to some experts I have read. But as it is anonymous how can it be identified who it “is”? If a user demands to know what data a website/app has and mentions the client id info, well, who knows for sure what any client id represents in the real world?
More to the point, what is the likely legal/financial consequence if a user claims that the website did not ask for consent for this client id to be recorded (how would they be able to prove which one it was that was theirs anyway)?
Would they be able to sue? I presume not. So is the IC going to be interested in this apparent breach? And if the developer/website owner had a data breach where their GA account was compromised, would they have to inform all the Client ID individuals? Again obviously not, but you see how these discussions are going!
What stops competitors from doing that now?
No business is 100% compliant with any law. If they want, they can just for the sake of it bury you in legal work already.
I spent two hours today at our campsite working on my web sites to make them reasonably compliant. One problem area is that I serve my blog on Google Blogger. With pained reluctance I turned off comments and stopped showing my followers. I also linked to Google’s own GDPR info page. I used to use Jekyll and maybe I should go back to doing that.
Not sure what "it will ensure that the public will not be able to use the GDPR to harass businesses" as GDPR explicitly empowers individuals to seek compensation. https://gdpr-info.eu/art-82-gdpr/
GDPR puts into jeopardy the business model that almost every consumer internet business has run on, post internet bubble: advertising.
That's what is at jeopardy here and nobody is willing to just say it.
Don't agree with the concept of tracking users to serve them ads? Great, make the case that GDPR ends the scourge of advertising subsidized applications as services.
Let's not ignore it though. The reality is, a lot of internet companies that consumers use and like, rely on either selling advertisers access to their market or sell user contact data outright, because there is no other way to make money.
If the argument is that this is an unethical and harmful way to keep services alive then we need to agree that the bulk of the last 20 years of startups business models are broken and what the implications for future internet business models are.
> we need to agree that the bulk of the last 20 years of startups business models are broken
I agree.
If a startup is built on selling my data, I am more willing to pay a fee than to have them sell my data.
If we could go back to WhatsApp having a fee instead of Facebook using and selling my (meta)data, I would switch anytime. If Telegram starts raising a fee for using their messenger without anybody reading my messages/location/... I am all in.
> ... it may not be possible for you to lock Europeans out reliably enough...
Here's a fun little example of this: If one of your parents was a British citizen, then you're a British citizen 'by descent'—not merely eligible to become a British citizen after you fill out a form, you're an automatic British citizen by default unless you renounce your citizenship. (This has caught out at least one member of the Australian parliament, where dual citizens aren't allowed to serve.) This means that you can have someone who's an EU citizen (for the time being, at least), who doesn't live in the EU, has never set foot on EU soil, and maybe isn't even aware that they're an EU citizen themselves.
Your example is interesting but the fact that it is such a remote edge case means that if such a person were to raise an issue with their local DPA they will find that no such institution exists so you are safe to ignore that situation for all intents and purposes. Even so it would be common courtesy to honor a removal, update or insight request from that individual as well as from all other individuals that your service caters to.
This is what pisses me off the most about all the hysteria and whining:
"The law has been in effect for over two years at this point, and the DPD, the European Data Protection Directive has been in effect for over two decades. So no, this law was not sprung on anybody, though it is very well possible that you only became aware of it a few weeks or months (or days?) ago. If that’s the case do not panic, you too will most likely be fine."
Nevermind the fact that the underlying privacy laws are much older, and so many practices were already essentially illegal but went unchallenged so far.
> in the spirit of the good natured enforcers at the various data protection agencies in Europe
Is this serious? Why would we assume enforcers to be good natured if they benefit from fines. Or to assume they would stay good natured, even if you have the most perfect humans there now.
It's far more likely that the EU is creating tools to prevent disruption and manipulate markets. The template will likely be followed elsewhere, effectively elevating the state's data collection abilities over all other organizations.
Note, Bitcoin does not seem compatible with their laws.
What really annoys me about GDPR is that, given all the confusion surrounding the law, a lot of GDPR professionals are popping up everywhere.
There are a lot of people making money by providing GDPR-compliant solutions. To avoid this, all that had to be done was to write a clear text with everything everyone had to do to be compliant, instead of piling up some big and dubious words that no one really knows what they mean.
Concerning the law itself, it's a lot of fireworks. Give it a few months and no one will care about it again.
I think many (most?) companies will implement these privacy policies across all of their users as it can be hard to determine whether a user is in the EU or not... so indirectly, this law might mean that everybody will finally have strong privacy guarantees (at least when it comes to companies of a meaningful size).
And as so often the EU will be the initiator of a world wide adoption of (semi) unified rules, as it was for USB charging, among other things.
It will naturally get a lot of flack and a few people/companies will make it their scapegoat as to deflect from them as usual, but that's - sadly - almost normal now.
Is it all good: no!
Is it a good start: yes!
Is it IMPOSSIBLE to comply: heck no, I'm working at a small Austrian company and we had to change almost nothing, as lo and behold, we have no desire to be a data kraken and always tried to keep the privacy of our customers and users at a reasonable level. As we'd wish that others do with our data and use of service...
A few years from now I predict people will deny that the EU had anything to do with instigating this, the way people often insist the manufacturers just suddenly decided USB charging was the way to go and ignore that it first happened after the EU threatened them.
I'm curious as to how much time you've taken in researching and implementing specific privacy laws of non-EU countries, since you don't seem to find it burdensome to comply with such regulations. Do you know for a fact you're in compliance with South African, Sri Lankan, or Australian privacy laws?
> I think many (most?) companies will implement these privacy policies across all of their users
In terms of percentages, exceptionally few businesses outside of the EU will implement GDPR. The rest of the world will overwhelmingly entirely ignore it.
There are 20 million businesses in the US. 500,000 new businesses are created each year. 0.1% or less will comply with GDPR. Why? Because very few US businesses ever do business with the EU.
A small clothing retail shop from Texas or Florida or Michigan is not going to concern itself with complying with GDPR just because they took three orders from the EU. They're going to ignore GDPR and continue doing business as they always have. And the EU is going to find it entirely impossible to enforce compliance for those types of small instances due to the scale & tracking required to do so. If by chance they develop a larger EU business, then they'll comply.
Further, how do you force compliance on a US clothing shop from Florida, that sells 27 items per year into the EU, and violates GDPR (while having zero presence in the EU)? They can't, unless the EU develops a Chinese firewall.
The vast majority of small businesses in India and China also do not do business with the EU. They will not be worried about GDPR. That's true about nearly all the rest of the businesses around the globe.
Geolocation, IP Lookup etc. You generally shouldn't care whether they're a resident in the EU, but just whether they are in EU or not. Remember GDPR doesn't cover any citizens from EU who aren't in EU.
I read that GDPR applies to EU residents. That means someone who is an EU resident might not necessarily be browsing from the EU. For example when on holiday.
But this is only your assumption and not a fact. A person on holiday is still an EU resident and enjoys the protection of GDPR.
Do you have a source that says that GDPR doesn't apply to IP outside of EU?
> GDPR only applies to EU residents, yes, but not if they're on ex. holiday outside of EU.
While this is an interesting way to interpret it, it's likely that the law may be clarified in the future to state that if at the time of collecting their data the user is in the EU, the protections shall apply to said data regardless of where the user is now.
That is true, which is why it's really difficult to special case a lot of things related to this, because the behavior could change to match the special cases.
I'm an EU citizen and proud of the EU actually, something I don't feel very often btw, for being at the forefront in law-making that protects the privacy of individuals.
My vocabulary has been enriched with a new word: PII. I like it. It simplifies when thinking about GDPR. I expect one or two years from now I'll know the important parts of GDPR like the back of my hand.
But right now every person in the world running a multinational company needs to understand a new piece of legislature that threatens 4% of their annual revenue. You have better things to do and so I understand everyone's anger.
But is it wrong to force business-runners to learn about GDPR, stuff that's pretty close to human rights, like "don't track any of my PII without telling me exactly what you plan to do with it"? Is it wrong to now have to learn this, as a web/app developer?
I'm sooooo sick of being tracked. It has definitely made me exit the social media world all together, six months ago. Even though it is detrimental to my career I even asked Linkedin to erase my data. I truly hope my career isn't screwed just because I refused to give Microsoft a detailed description of 30% of my person, my whole work life that they can connect to an email address (some people even give them their phone number), IP, tracking cookie, thus a Facebook profile, real or shadow, thus to the most detailed graph of PII there is, probably in the whole universe. Hopefully in the whole universe otherwise civilizations on other planets took a wrong step somewhere.
I hope GDPR leads to PII being treated as gold by the market because it's so rare. Because isn't it better to skip all this tracking business than having to deal with stuff like GDPR?
No cookies for me please. And I'm also sick of having to run javascript.
Remember guys, while you are stressing over how to work with GDPR, Facebook literally listed all their existing data collection items and forced everyone to consent. Total increase in privacy: 0
> The GDPR is going to expose me to fines of up to 20 million Euros for even the slightest transgression
> No, the GDPR has the potential to escalate to those levels but in spirit
You missed a key question here. As a business owner, what on earth do I need to do next?? Do I need to email all my users giving them an opt-out option?!
Working on that, there will be a second installment on Monday and - possibly, if I can find the time - a third with a number of case studies.
This whole sequence was sparked through a discussion about the GDPR on HN a few weeks ago and I've been working on it off-and-on hoping to get it done before the law becomes enforceable.
> If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company.
Exactly. People try to explain to me how it is impossible to comply and usually it turns out that it would be easy. I think the problem most of the time is that people misunderstand the requirements or don't read the GDPR (not even TLDR versions).
It is easy if they believe a particular person's interpretation. But that doesn't mean they are right. People have huge problems with interpreting the written word if it is not written without room for interpretation, and if you add to the mix bureaucrats that have targets to meet you'll see it will not be easy at all.
Am in EU, am involved in some compliance stuff and have talked to plenty of others at other companies, and it really does seem to be a nothing-to-see-here for all companies except the sleazy ones.
In all of my research, talking to lawyers, and seminars on GDPR, it is about:
1. Ask permission for collecting data
2. Keep sensitive data safe
3. Restrict access to said data
4. Keep a log of what happens with the data
5. Delete it upon request
6. Have all of the above documented and adhere to the protocol.
It's such a non-issue unless you're relying on the very thing GDPR is designed to combat. If you're not collecting and selling people's data, and you don't do the above already, see this as a good opportunity to do what you should have been doing all along. There is such an awareness now that it's the easiest it has ever been to know how to handle sensitive data properly.
Completely agree with everything you list, and would add that 6. you can't force a user to give up privacy in order to get some other benefit, e.g. you can't offer to unlock some feature in return for more tracking
Example:
How do you ask a user for permission to keep access logs (which contain IP addresses) on the server, so that you can detect spam, DDoS and other attacks? How do you store that consent information and what do you do if the user doesn't consent?
What do you do if a user connecting from a given IP address wants you to send him the data you have collected about him? If people share IP addresses, how do you know which log data is about which person?
Some entity runs a webserver. This entity has a legitimate business purpose in retaining access logs for e.g. 3 months for e.g. spam and security reasons. This entity just has to document that.
This entity can allow a 3rd party service to access these logs so that 3rd party can do whatever needs to be done if it is within the reasons the entity gave for having the data.
What neither can do is go use that data for anything other than the said purposes.
And if the given reasons are gratuitous and somehow the regulators notice, expect to get a nastygram and have to comply or face fines.
Basically what you can't do is collect data for longer than you have a legitimate need for, or cash in and sell data you've collected. Basically, all said and done, just don't be sleazy and you'll be ok.
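As an added example (not code from the article or from any commenter), here is a small Python access-log minimiser that implements the two approaches raised in the quoted article passage further up and in the retention discussion just above: keep only the network portion of the client address, and purge entries once a documented retention window has passed. The /24 and /48 mask widths, the 30-day window and the sample log lines are constructed assumptions for illustration, not values the GDPR prescribes.

```python
"""Access-log minimisation and time-bounded retention (added illustration).

Assumptions (constructed for this example):
  * logs are in the common "combined" format: client, ident, user, [timestamp], ...
  * IPv4 addresses are truncated to a /24, IPv6 addresses to a /48
  * entries are purged once they are older than a 30-day retention window
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

IPV4_PREFIX = 24   # assumed mask width: keep only the network portion
IPV6_PREFIX = 48   # assumed mask width for IPv6
RETENTION_DAYS = 30  # assumed documented retention period

# client, then "ident user", then the bracketed timestamp, then the rest of the line
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.77 - - [01/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.58"',
    '2001:db8:abcd:1234::9 - alice [20/May/2018:12:30:00 +0000] "GET /x HTTP/1.1" 200 99 "-" "Mozilla"',
    'garbage line that does not parse',
]


def mask_ip(addr: str) -> str:
    """Zero the host bits so the stored value identifies a network, not a device."""
    ip = ipaddress.ip_address(addr)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def minimise_line(line: str) -> str:
    """Rewrite one log line with the client address truncated.

    Unparseable lines pass through unchanged; a client field that is not a
    valid address is replaced with '-' rather than being kept verbatim.
    """
    m = LOG_RE.match(line)
    if not m:
        return line
    try:
        client = mask_ip(m.group("ip"))
    except ValueError:
        client = "-"
    return f"{client} {m.group('ident')} [{m.group('ts')}] {m.group('rest')}"


def purge_expired(lines, now: datetime, retention_days: int = RETENTION_DAYS):
    """Drop entries older than the retention window.

    Returns (kept_lines, purged_count). Lines without a parseable timestamp
    are kept, since their age cannot be established.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            kept.append(line)
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if ts >= cutoff:
            kept.append(line)
        else:
            purged += 1
    return kept, purged


def demo():
    """Run both steps over the constructed sample with a fixed clock."""
    now = datetime(2018, 6, 10, tzinfo=timezone.utc)   # constructed "today"
    minimised = [minimise_line(line) for line in SAMPLE_LOG]
    kept, purged = purge_expired(minimised, now)
    return minimised, kept, purged


if __name__ == "__main__":
    minimised, kept, purged = demo()
    print("minimised:", *minimised, sep="\n  ")
    print(f"kept {len(kept)} line(s), purged {purged}")
```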
Who defines what is a legitimate business purpose?
Let's say I comply with all that, but someone makes a complaint and a particularly bitter civil servant judges that the collection is not legitimate, because he doesn't like the content of the website?
That’s like arguing that we shouldn’t have laws in case a cop is having a bad day and follows you around writing tickets. This is a legal process like anything else: your standard should be what you’re comfortable defending in court. Being able to show a good faith decision process, compliance with common industry practice, etc. are going to help the case that any lapse was unintentional.
If your angry ex is hired by a regulator you’d appeal it but there’s no reason to think that’s a common problem.
But an appeal might take forever and by the time it is resolved you file for bankruptcy because the fine ruined the cash flow. I've seen it many times in the EU, for example in Poland. Civil servants are immune from taking responsibility and if you manage to get any compensation you'll find yourself spending years in courts.
> Processing shall be lawful only if and to the extent that at least one of the following applies:
Consent is one:
> the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Here are all the others (see especially the last one):
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
And even (1) isn't always needed. There are several justifications for processing personal data, and permission is only one of them. (Although for compliance it is the easiest.)
Is there even a single thing forbidden under GDPR that wasn't already forbidden before in at least half a dozen member states? In that case, it makes everything easier except for ignoring requirements.
I'm not certain about the other member states, but to my knowledge the privacy law hasn't changed that much. There is a good increase in the amount of audit logging required for any privacy-sensitive stuff you do, and of course the various "Right to be *" variants, but those are largely non-issues.
German courts already considered a EULA or "check box to consent and get thing" a non-binding consent (to some extent).
Largely, if you are running afoul of the GDPR in Germany there are basically two options: A) you rely on AdSense a lot, and B) you ran afoul of the previous laws already.
So, overall, I would say that yeah, most of the stuff forbidden by the GDPR was already forbidden. The GDPR grants you new rights and requires corporations to ensure compliance however, that's new.
Plus the teeth in form of pretty hefty fine limits. Which is good IMO.
The only person whose opinion you should worry about is your internal legal counsel's. The nerds who try to carry on like this is a technical problem with a technical solution are so far off. It's about being able to argue and justify your interpretation, not how much you have gold-plated your tech stack.
That doesn't have to be in money raised, that would be rather unlikely in this case.
It could be percentage of problems "fixed" whether that be by sharply worded letter or by court proceedings (the former is far easier and cheaper for the authority), or by the time it takes the authority to investigate a problem.
You don't know that; it depends on how mad the person in charge is. Take into account that it might be good for a couple of years, but the power it gives might be tempting to use to shut down sites that are against the EU agenda.
There is no "TLDR" of the GDPR. It has to all be read, understood and complied with. This is basic legal compliance, and is not at all easy for a small business.
And if you are a small/medium business, don't comply and somehow are reported, you will receive an email from the regulatory body of the country the person who reported you comes from. They will tell you what is wrong and point you to some articles that can give you advice on how to comply. If you have difficulty doing so, you can contact them and ask for specific advice; they will respond (probably a bit late), and as long as you comply with the RGPD within a month after that, you're good.
An audit can take some time and have a real impact on your business though, so I'm not saying everything is perfect. But to me, an audit is the only thing you have to be really afraid of, not fines.
Yes, and it is not that hard a read. The only problems people seem to be having are in trying to finesse the rules to avoid looking after data with due diligence. If you really want to look after data, then you just need to do that, and you will be compliant.
I can't help but love the turmoil GDPR is causing in the adtech "industry". Like wasps buzzing around the exterminator who's about to destroy their nest.
People keeping their jobs is not the most important thing one should strive for with no regards to anything else. Especially not in tech, where it's more than likely that it won't really hurt them.
1. Many people (even "rational hacker-types" ha-ha!) do not take the time to research, analyze or understand the regulations and laws that affect them.
2. Many people, even though they don't understand said regulations, will have an extreme negative reaction to the new regulation, especially when they see big scary numbers like "$20M Euro". This is true even of regulations like the GDPR, which most anybody should be able to read and understand in a couple of hours.
3. Many people don't understand where regulations come from or how they work. They have no understanding of scope, process, judgement criteria or enforcement vectors. This leads to terrifying visions of "EU cops" waiting at airports to arrest people the moment they get off the plane.
Frankly, the whole situation speaks to the profound ignorance and fear that lies at the heart of the modern nation state. Citizens do not understand the government, they have no understanding of how or why it does what it does; all they really understand is that the government can and will completely ruin them should they violate one of the tens of thousands of laws and rules and regulations and decrees that modern governments impose on their domains.
This ignorance has real consequences and costs. You can see this now particularly in Britain where many people are now learning how their country actually works after voting to tear down their current regulatory and economic framework. But you can also see it in all the fear and the moaning and the teeth gnashing every time some new regulation is proposed. (The funny thing here is that even the most hardcore libertarian economists are coming to understand that regulation does not impede economic growth [1]. Indeed there's ample evidence that regulation, by imposing best practices on firms and increasing trust within the market, is a significant driver of economic growth.)
The reason I point this out on HN is because I think, at the end of the day, being an entrepreneur or an investor is all about learning how the world really works and then changing the world to work for you. And while most people can perhaps afford to plod along with all sorts of misguided notions about how the world works because their jobs do not require them to have any real understanding of the big picture, entrepreneurs and investors absolutely cannot. Buffett says it best: "Risk is not knowing what you're doing." The sites shutting down in the face of the GDPR out of fear and ignorance are making the most basic mistake: they literally do not know what they're doing.
I'm not sure about that paper. It's based on the research of someone who works at the Census Bureau and a university professor. Their interest is also in making their employer look good.
Also the paper ends in "we also may be mis-measuring dynamism."
I personally am not hysterical about any of this, I just am concerned for the citizens of the EU while living under this law. My main issue with the GDPR is that articles and supporters are constantly thinking in terms of "business" and not in terms of other services, and also not thinking in terms of long term impact.
For instance, I run a small community website (~30 people). I receive no income, and I know everyone involved. Everyone is in the United States. Is it open to the world? Yes, technically. What happens when an EU resident signs up? Well, I'll continue to do exactly the way things are currently set up.
How does this situation play out long term? First, I'll tell whomever contacts me that I am in compliance with US law, and I'm a US citizen. I do not have to follow their laws because it's not within my jurisdiction. Second, they will order me to block EU citizens from my site, which I will not do because it's a mandate of work on me for no reason by a foreign country.
So what happens in this situation? The only recourse for the EU is the internet version of "sanctions", to block my website from the EU.
Now they've set a really interesting precedent. How do they now enforce these blocks? Technical issues aside, are they going to do a whitelist or a blacklist? Regardless, they are setting up the equivalent of the Great Firewall for the purposes of maintaining the GDPR.
So why does this matter? It's only an isolated incident that will likely never occur, right?
Wrong. One community website like mine with one EU citizen that decides to file a GDPR complaint means that somehow this situation occurs. It can even be an intentional, "sign up, file complaint" immediately to trigger this legal situation. Think there aren't any foreign governments that wouldn't flood a system like this to censor the EU citizens in various mild ways? Think some random anarchist activist will not decide to monkey with the system by finding and reporting all the small violators?
The end product is a curation of the internet for EU citizens by EU government. Hopefully your leaders are benevolent, and nothing crazy happens in the democratic process. I remember being told during the Bush and Obama administrations that my views against government surveillance due to potential for abuse were unjustified because we could never have a horrible president and that our presidents will always be benevolent, so the policy would never change toward the worse. How did that play out? How do people think democracy functions, honestly?
Again, I really don't care too much. They can self censor if they want, but it really seems like GDPR is a win for Russian and Chinese meddling.
> For instance, I run a small community website (~30 people). I receive no income, and I know everyone involved
You may be able to ignore GDPR compliance in your situation, as per article 2:
> This Regulation does not apply to the processing of personal data: [...] by a natural person in the course of a purely personal or household activity; [...]
There is some more information in recital 18, that says
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.
So if you're not making money, and you're not established as a business you should be okay.
If you have any doubts or concerns, become compliant or ban all EU/EEA users.
That's an interesting statute. The problem is it can be interpreted in many ways. Your interpretation is how some may see it, however there are others as well.
For instance:
> by a natural person in the course of a purely personal or household activity
First off, this isn't purely personal nor household activity. I serve others, not myself.
> and thus with no connection to a professional or commercial activity.
If the goal of the community is to help people develop professional skills (writing, for instance), couldn't that have a connection to professional activity? Also, I use this website as an example on my resume to bolster my own professional competence as a coder. That could qualify.
As always, laws are words that generally end up with the best-paid lawyers' interpretations winning in court. It's a roll of the dice; that statute is not clear at all.
We're still debating the meaning of nearly all statutes in the US constitution 242 years later. Some in the legal community have declared "consensus" by case law, but even those end up getting changed and overturned all the time.
> So if you're not making money, and you're not established as a business you should be okay.
I've got a shared hosting service where I run WordPress for a blog. As such I have no direct control over the web server, nor over what information my hosting provider might decide to record, nor do I have time to audit what WordPress changes with each update.
Since I'm a programmer by trade, and my blog deals with programming, it's reasonable to assume someone might consider my blog "professional or commercial activity". Maybe I'm saved by some hard criteria defining "professional or commercial activity", but to be frank, it's not worth my time going through the entire GDPR to find that out.
As such I'm not going to take the risk of being in violation and will be shutting down my blog. Instead I'll likely be reverting to posting on Google+ or Facebook, if I bother posting more at all.
Another thing I fear for the EU is that they will begin to lag behind. If technology forums/other interest group sites are being blocked, how will they stay current?
The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...