It's no laughing matter for some companies. EU citizens have turned into pests overnight. There are businesses who don't make enough money from the EU to justify compliance with the regulations.
Is it onerous because you are doing dodgy things with EU citizens data, because you don't take information security seriously or because you've fallen for some of the FUD around GDPR (having to hire a DPO, being fined 2 trillion dollars, etc etc)?
If it's too hard for you to copy paste a GDPR compliant privacy policy and monitor a GDPR email address then well, maybe you're in the wrong job.
We do take security seriously and we're not doing anything dodgy.
We have business reasons for collecting user data, and users have no real reason to tell us to delete it at will, other than the fact that it makes them feel "creeped out".
The future is probably going to be super creepy. If you want to participate, get over it.
So let's unpick this. You think you're not doing anything dodgy with your users' personal information. However you feel that their information is your information and users have absolutely 'no real reason to tell us to delete it' (apart from, you know, it being their information). Then you top it off by taking a screeching right turn and saying 'future is going to be creepy ... get over it'.
Riiiight. You sound like the perfect person to be handling my personal information and I would trust you to take full care of it.
There is an epidemic of snark in the overall conversation about GDPR. I'm sure I have my biases and blind spots, but the majority seems to come from the same direction as the comment you are replying to.
It's not "their" information. It's information about them. I collected it and stored it on my servers that I'm paying for, and that makes it my information. Your laws may say differently, but practicality wins here.
Do your users know what information you collect, and what for? If they don't, you're being creepy. Here's the same thing taken to a logical extreme:
"I shot this sex tape myself with my camera, climbed my tree on the lawn, zoomed with my long focus lens, stored it on my computer. It's my data. If they don't like it, they should have pulled their curtain."
There must be a threshold somewhere. When does it stop being acceptable, and start being creepy?
I'm pretty sure in my country (France), only the police may peep through windows with optical instruments. The work of a private investigator you speak of may very well be illegal, assuming the investigator is not an on duty police officer.
Public places are one thing (he entered this building with that woman at this hour). Looking through private property is another.
Under Canadian law (which you are subject to, according to your profile) you're liable if you decide to snoop on a specific person's data, or misuse it in a way that they didn't intend. So, it doesn't seem to be completely your information.
> Your laws may say differently
Sure, Canadian laws in this area are very scattered and backwards. I wouldn't put that forward as a good thing though, or use it as a pretense to not bother protecting or managing your users' PII.
Here is the thing: my email and personal info are mine. And if you are using my info to provide me your service that is also ok - I will rent that to you. And give you my CC#.
But if I do not use your service, then I want you to delete all my personal data. Why is that so hard?
But is knowledge of your email address yours? Do you expect to control all knowledge? What action do you take when someone accidentally CCs another party when they should’ve BCC’ed, and your address is leaked?
There are pieces of information that are particularly problematic for other parties to know. An email address is not one of those things.
Retaining email addresses doesn’t necessarily suggest deliberate misuse (or even accidental misuse), however. Unless you’re of the opinion that retaining it after, say, account closure/deactivation, is itself misuse.
I’d take big issue with an organization storing a social security number or something of that nature, because its leak would represent a significant risk, but email addresses are fairly disposable items that we only voluntarily attach to ourselves.
But more times than not it does. Since there's a long history of companies doing bad stuff, you definitely don't deserve the benefit of the doubt on this one.
There is also a long history of people giving up their personal data to get some (overall) irrelevant service and then being surprised when their data is misused...
Yes, but how much of that can be attributed to the service not adequately explaining what they are collecting and how they are using it to the users upfront, in a format that non-lawyers can understand?
It is genuinely fascinating to me how different people can feel about things. I get enraged when my "government" tells me what I can and can't do with my body/money/time. If I want to snort coke all day, what business of theirs is it as long as I'm not infringing on others' rights? Likewise, if I want to give my data to a super sketchy website, why shouldn't I be able to?
Obviously it's "safer" to let others make rules and force us inside the fence to keep us sheep away from the dangerous wolves out there. I do understand that perspective to some extent. However I would never trade my freedom for security. The former is not easy to regain.
Except they're not taking freedom away from users, they're taking freedom away from corporations. Freedom that many corporations have been abusing. This is a key difference in perspective.
Your example where you "want to give your data away to a sketchy website" is not in any way representative of reality when a) the website is as ubiquitous as for instance FB, and thus in no way perceived as sketchy, and b) the user makes no conscious decision to consent (let alone "wants it").
I think you have a decent point there, but the comment I replied to literally said:
> Hoping you've blocked access to the EU so I don't happen across it :)
Being glad that he doesn't have the freedom to use the site, thanks to a government law (whether a side-effect of the law or a direct effect is irrelevant, because the law brought it out just the same).
I suspect it's more in the sense of a "Don't let the door hit you on the way out..." retort.
That is, if you're offering such a service that exploits users for their data, then I would never want to use it, so it might as well be blocked, for all I care.
Maybe even desirable if it was, so you don't come across it by mistake and sign up without doing proper diligence.
Freedom of choice is nice, but there's an argument that putting rat-poison in food products isn't ok, even if you label it on the package.
The government also prohibits you from accepting a job offer for less than minimum wage, and the general consensus is that this gives workers more power.
The government isn't the only source of power and coercion; private companies are too. A lot of these regulations are the one countering the other.
Your premise is flawed: if it was true that without government, companies would just carelessly or intentionally poison us all (not a good way to gain repeat customers btw) then I would agree with you. But obviously I disagree with your premise.
The Jungle is a widely misunderstood book. For one, it's fiction [1] [2] [3].
The milk scandal is interesting though. I don't disagree that there are people/companies out there that are horrible human beings (or run by horrible human beings), but these are exceptions. There is also a market-based recourse for consumers. Lawsuits and liability are a big deterrent for example. It's also illegal to harm someone (as it should be) so jail time for the offenders is quite possible without having enormous and onerous regulations. And haven't you noticed that it's the giant companies that often push regulation? Because it raises barriers to entry for competitors. Big companies have the resources they need. Using the government to hurt your competitors is one of the oldest traditions in countries with governments big enough and powerful enough to do so.
And they got the crap sued out of them. The lying is the problem IMHO. People know what they're getting now, but millions still choose to smoke. And why shouldn't they be able to?
Companies are careless and malicious despite government and customers actions.
* XIX century wants its snake oil back
* Didn't hear about China and melamine milk scandal?
* Would you buy food from Amazon if it was co-mingled in current way?
* VW emission scandal
It is easy to be freetard when you do not get diarrhea every so often due to food that was "optimized" (like in XIX century ;)
EU citizens turned into "pests" two years ago. Much like Y2K was a "pest" years before January 1, 2000. But unlike EU regulations, Y2K was like The Terminator: there was no appeal process, and it absolutely would not stop...ever, until you fix your Y2K bugs.
GDPR OTOH, eh, maybe there's some way to wiggle out of it? And two years later, when Compliance Day comes, here we are.
You are a pest when you use a service and give nothing back in return, stealing resources that are better allocated to users that actually contribute to revenue.
I don't understand... isn't that something that the company decides? How are users stealing something?
For the longest time companies have been able to market something as 'free' when they have been the ones who have been trying to hide the fact that users' data was being sold, etc. So I would argue that if someone is 'stealing', it is actually the companies themselves.
No, GDPR effectively says that you have to get the users to opt in to your targeted ads (aka the business model) but you also cannot deny them the content if they opt out. In effect, the EU wants to get all the content for free while not paying the costs that give them such great content which is targeted advertising.
The "stealing" is because they are trying to get companies to give their content out for free without paying the cost which requires targeted advertising (and no, generic ads pay shit which is why tons of companies are blocking all the EU because they now aren't worth the server costs).
Nobody's stealing anything. You're giving the product away for free. Sure, the user is still "paying" with their data. But they didn't sign up for that. (And if they did, congrats, you're a step closer to GDPR compliance!)
If you're sick of people using your product and not giving anything in return, Charge. A. Fee.
> Sure, the user is still "paying" with their data. But they didn't sign up for that. (And if they did, congrats, you're a step closer to GDPR compliance!)
The GDPR specifically forbids giving users the option of paying with data. (In that you can't deny access if the user doesn't agree to the data usage).
> Charge. A. Fee.
It turns out that a whole lot of users don't want microtransactions for everything they do online, and would rather allow providers to monetize their data in exchange for access. You not liking those agreements is not a reasonable justification for forcibly banning them.
I know this sounds extreme but you could always go with the good old approach of charging users money for provided goods and services, instead of monetizing their data or throwing ads at them.
Yes, when you're telling the angry mob why you won't give in to their irrational demands, you should definitely tell them who you are and how to hurt you...for transparency.
Well European users (like other users) don't want to pay as well. And why create a specific feature for European users when globally people are just fine clicking on ads.
What makes you think that European users do not want to pay for content they consume? Given that Europeans passed this law we apparently are.
You don't need to create a specific feature for European users if you don't want to, just as European users don't need to do business with you if you don't value their privacy. Economic exchanges are voluntary. If you think ignoring European customers is something that pays off for you, go for it.
Can you point me to any specific study which says that Europeans are more willing to pay for content vs. rest of the world? I mean, if that were true, you would see a lot more paywalls in Europe vs. globally.
I don't know of any such study but I'm not sure why I need to given that this law quite clearly reveals the preference of European citizens?
If we would not care about privacy to a greater degree than other regions we would presumably not pass legislation that protects private information and cuts into ad-revenues.
Even if you charge EU customers for goods and services, you end up having to collect and store personal information in order to provide evidence to tax authorities that you collected and paid the right amount of VAT for each country.
"I want to use your free service and to participate in your monetization model only after you explicitly tell me what you are going to do with my data. If you can't tell me this, and get me to accept the trade off, why should I trust you?" -- EU citizens
I doubt anyone here cares if you don't trust them and choose not to use their service. But that's not enough for you :)
So it's more like "if you can't do this according to the whims of my government regulators, I'll still be using your service, AND prepare for a large fine."
Is it really too much to ask to clearly spell out how you use my data, clearly get my consent to use it, and provide an email address where I can request it be deleted? Really? You're saying that is too difficult?
It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.
I think we’re perfectly fine with telling you we use your data for ML training, internal analytics or showing you relevant ads. That is standard stuff you consent to in a TOS.
>It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.
If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.
The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.
We are not going to go looking through compressed archives and snapshots for your data. We are not going to run routines on immutable logs to filter out all trace of your history. We are not going to check CSV files used for imports. We are not going to track down any third parties who may have shared our data. We are not going to retrain neural networks on a new dataset that excludes your data. We are not going to move heaven and earth for a user who decides it'd be clever to demand all his data be deleted after reading a couple articles on Medium. We don't care how European you are.
What we can do is set a little deleted flag on your profile to treat you as "deleted".
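The concern above about data that lives on in archives, snapshots and immutable logs has a standard engineering answer, crypto-shredding: encrypt each user's records under a per-user key, and honour an erasure request by destroying that key, so the bytes in the backups stay put but can never be read again. This is an added example, not code from anyone in the thread; it uses an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in cipher so that it runs on the Python standard library alone, where a production system would use AES-GCM from a vetted library and keep the key vault in a KMS or HSM.

```python
"""Crypto-shredding: erase a user's records from immutable logs and archives
by destroying the per-user key instead of rewriting the storage.

Added example. The cipher is an HMAC-SHA256 keystream (stand-in so the
example needs only the standard library); the erasure property shown does
not depend on which cipher is used, but use AES-GCM in production.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed key vault: user_id -> per-user key. In practice this lives in a
# KMS/HSM; it is the *only* store in the design that ever needs rewriting.
_key_vault: Dict[str, bytes] = {}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Simple domain separation: one key for encryption, one for the MAC."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt_for_user(user_id: str, plaintext: bytes) -> bytes:
    """Encrypt a record under the user's key; creates the key on first use.
    Output layout: nonce(16) || ciphertext || tag(32) (encrypt-then-MAC)."""
    key = _key_vault.setdefault(user_id, secrets.token_bytes(32))
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_for_user(user_id: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the user's key has been shredded
    or the blob fails authentication."""
    key = _key_vault.get(user_id)
    if key is None:
        return None  # key destroyed: archived ciphertext is now unrecoverable
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def shred_user(user_id: str) -> bool:
    """Honour an erasure request: delete the key. Backups, snapshots and
    append-only logs keep their bytes, but those bytes no longer decrypt."""
    return _key_vault.pop(user_id, None) is not None


# Constructed walk-through: an append-only audit log that is never rewritten.
IMMUTABLE_LOG: List[Tuple[str, bytes]] = []


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    IMMUTABLE_LOG.append(("alice", encrypt_for_user("alice", b"alice@example.test logged in")))
    IMMUTABLE_LOG.append(("bob", encrypt_for_user("bob", b"bob@example.test changed address")))
    before = decrypt_for_user("alice", IMMUTABLE_LOG[0][1])
    shred_user("alice")  # erasure request for alice: only the key is touched
    after_alice = decrypt_for_user("alice", IMMUTABLE_LOG[0][1])
    after_bob = decrypt_for_user("bob", IMMUTABLE_LOG[1][1])  # other users unaffected
    return before, after_alice, after_bob


if __name__ == "__main__":
    print(demo())
```

Note the design's one hard requirement: the log entry must be encrypted before it reaches the immutable store, and keys must never be backed up alongside the data they protect.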
It is... what does data processing mean? Does it include when my database does a look up on a field which has your name in it or does it mean I do ML on it to serve you ads and profile you? Because it doesn't say in the regulation... so yes it is very hard to figure out what level is clear... as regulation is not clear.
> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
So not a database query itself, but the thing that drives the database query. It also extends to things like logs - aka don't keep a log full of SQL queries that are full of people's personal information. Don't ship that log off to some third party, or make it available to random people.
For web apps it's mostly the storage and retrieval aspects that are important. Don't store too much PII. Don't allow anybody to access it at the DB level. Implement appropriate access restrictions at the web-app level.
Actually what you quoted might as well apply to a query as it is actually processing data... and again the point is the regulation is vague... it can be interpreted in multiple ways before we get precedents.
It applies to anything that contains PII, so sure you should ensure your queries are not sent in plaintext over the network and are not logged unnecessarily. There isn't much else that can be done.
It is perhaps a bit too abstract, but that's because it's covering a highly complex topic, but I don't think it's too vague on this: If it contains PII, protect it. Which, of course, you should be doing already.
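One concrete way to act on "don't keep a log full of SQL queries full of personal information" and "not logged unnecessarily", as an added example that is not code from the thread: a `logging.Filter` that redacts e-mail addresses, quoted SQL literals and long digit runs before any handler writes the record or ships it to a third party. The sample statement-log lines are constructed; the patterns are deliberately conservative, since over-redacting a log is cheaper than leaking an address to a log aggregator.

```python
"""Keep PII out of query logs: a logging.Filter that redacts personal data
before a record reaches any handler (file, syslog or a SaaS log shipper).

Added example; the log lines below are constructed.
"""
import logging
import re
from typing import List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Quoted SQL string literals ('' is an escaped quote): almost always user-supplied values.
SQL_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")
# Long digit runs: phone numbers, card numbers, national ID numbers.
DIGITS_RE = re.compile(r"(?<!\w)\d{7,}(?!\w)")


def redact(text: str) -> str:
    """Replace PII-shaped fragments with fixed placeholders."""
    text = EMAIL_RE.sub("<email>", text)
    text = SQL_LITERAL_RE.sub("'<redacted>'", text)
    text = DIGITS_RE.sub("<number>", text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Rewrites the message and its %-args in place, so every handler
    downstream only ever sees redacted text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Stand-in for a file/syslog handler so the output can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "sql") -> Tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addFilter(PIIRedactingFilter())  # filter on the logger: runs before all handlers
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, handler


def demo() -> List[str]:
    logger, handler = build_logger()
    # Constructed lines, typical of an ORM statement log with values inlined.
    logger.debug("SELECT * FROM users WHERE email = 'jane.doe@example.test'")
    logger.info("UPDATE users SET phone = '+44 7700 900123' WHERE id = 42")
    logger.warning("slow query (%s ms): %s", 812, "SELECT id FROM orders WHERE ssn = '078051120'")
    # Preferred pattern: log the parameterised statement, never the bound values.
    logger.debug("executing: SELECT * FROM users WHERE email = ?")
    return handler.lines


if __name__ == "__main__":
    print("\n".join(demo()))
```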
Whether it's too much to ask is not the issue, nor whether doing what you list is full compliance (doubtful).
No one is asking.
Rather, the right question is whether the entity demanding (the EU government) has the right to do so on the basis that their jurisdiction extends to anywhere that a citizen of theirs can reach via the Internet. I argue no.
You probably disagree, which is fine, but this ultimately comes down to enforcement. And for now at least, I win on that front.
'Free' is a powerful word - there's a lot of incentive for companies to tout 'free' and for users to feel like they're getting a good deal - when in reality there's a whole lot of other stuff happening behind the scenes.
My take is that consumers need to be aware of what 'free' really means for each service that advertises it. What are the real implications - not just something hidden in doublespeak in a ToS or privacy policy.
Everything spelled out in the GDPR is a great thing for users and should have been there from the very beginning - being able to erase all their data, see all their data, export their data, and get notified when data is accessed.
> Everything spelled out in the GDPR is a great thing for users and should have been there from the very beginning - being able to erase all their data, see all their data, export their data, and get notified when data is accessed.
I hate this "empowering users" philosophy of the EU. It's reminiscent of "right to be forgotten" type regulation where EU believes users should be in control of "their" data, when in reality it isn't "theirs" to begin with. Once data is "public" you can't ever "erase" it because it's not "yours". I'm sorry, if you shoplift in my store (online or no), I'm keeping track of you no matter how much you demand that I erase "your" information.
Because it is their data, consider if there was a database of your fingerprints and DNA available online to everyone, would that really be okay to you?
This strikes me as the typical political response when you are backing a terrible candidate and somebody points out something terrible they do/did. Rather than defend your candidate you respond by attacking theirs. My kids do this all the time when I catch them doing something wrong, "well #{brother} was doing #{badthing}!"
Both seem wrong, can we agree on that? DMCA is a disgusting weapon, as is a lot that the US has done. Does that make weapons created by Europe ok?
You don't need to do anything to implement DMCA on your site - just respond to emails. How is this even comparable with the kafkaesque implementation required by gdpr?
Valuable, dear, beloved users for which the business has boundless sympathy, empathy, and compassion are now awkwardly the source of compliance concerns for which the costs outstrip the reasonably expected revenues enabled by compliance. While compassion is unlimited, it is possible the budgets and time may not be.
"for which the costs outstrip the reasonably expected revenues enabled by compliance"
The GDPR is not about revenue but about privacy. It's not meant to be cost neutral. Bank robbers could also quote you to complain about the burden of anti-robbery laws.
You're absolutely right! GDPR is in no way, shape, form, or manner meant to be cost-neutral. Your point about bank robbers is well-taken.
However, is it possible that in a context where companies are weighing the cost of GDPR compliance against the benefits of GDPR compliance (i.e., keeping their EU business) some might come down on the side of jettisoning the EU business? They might even opt to do it by using a tool, like Cloudflare Workers, that they can convince to block everyone in the EU.
You would be absolutely, completely, 100% right to consider this fully in line with the intentions of GDPR. Protect privacy or GTFO, right?
If companies find it too onerous to do business in the EU I am sure others will happily fill that gap, so I am not worried. A lot of polluters probably also went out of business once environmental regulations got tightened.
You're right! I'm also sure others will happily try!
With that said, it's possible that a fragmented market with fewer legal business models may not be as conducive an environment to all possible businesses. It's even possible that as a result, not all gaps will get filled.
Personally I think it's healthier to have a fragmented market. Maybe it's not as efficient but fragmentation makes it more possible for smaller companies to find a niche. Otherwise big companies like Amazon, Facebook and others monopolize business worldwide.
Different legal models also provide grounds for experimentation. Who knows what works better in the long run? Wild West or regulation like GDPR? We don't know.
Sometimes a fragmented market just means everyone has the same problem and nobody can solve it profitably at a price that works for most. Then things just suck for everyone.
Which is to say that you could be right! Absolutely and completely! Or you could be really wrong. Time will tell. The economic history of protectionism could be read by some to provide some clues, though.
Is it? It's a lot of bloviating about love and kindness and positivity that dances around the point a lot. It implies, instead of being explicit. It focuses on feelings instead of making a point clearly and concisely.
It's poor communication. For the same reasons, it's great PR material.
> But I wonder what changed since last week because those compliance concerns were just as valid last week.
I imagine that for a lot of really small shops, what's changed is that GDPR is now law when it wasn't for the past couple of years.
> Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
Maybe! Depends on the company, I should think. In some cases, I'm completely certain that you're absolutely right and they've been knowingly breaking the law for years because they can and there were no consequences.
For others, it's possible that the situation may be more subtle. The costs in time and money and opportunity costs to determine how compliant they are or need to be might be daunting or dwarf any reasonable forecast of revenue from EU users.
It's possible that not all scenarios are quite as simple as having nothing to fear so long as you are doing nothing wrong.
> That just isn't true, the GDPR has been law for the last two years and before that there was a law with roughly the same (say 80% or so) components.
You're absolutely, completely, 100% correct! Please accept my deepest apologies for being unclear.
Until May 25, GDPR, which has been law for years, did not take full effect. It's possible that some people made choices based around which laws are in full effect, rather than what is law, for reasons that might at times be other than negligence or malice.
Again, please accept my apologies for being unclear. Please let me know if there's anything else I can clarify!
But I wonder what changed since last week because those compliance concerns were just as valid last week. Or do you mean to imply the company knowingly broke the law for a couple of years just because they could?
You keep repeating this on various threads, but it's not a good argument.
It's obvious: for companies that are now blocking EU users, they weren't in compliance or blocking before because the law wasn't being enforced. Hence the cost / benefit tradeoff was different. Now that possible enforcement is on the table, the calculation has changed. It's pretty simple.
For companies who were ignoring before and ignoring now, nothing has changed. They are either taking a huge risk or are correct in assuming that there's no enforcement mechanism, so they don't need to worry about it.
> You keep repeating this on various threads, but it's not a good argument.
It's an excellent argument. That you don't agree with it is obvious but whether or not a law is enforced or not does not change the fact that it is the law.
Those companies that have decided to block EU users as a rule have done fuck all in the last two years and now, rather belatedly, have realized that in fact they are subject to the law rather than that they can afford to ignore it.
> They are either taking a huge risk or are correct in assuming that there's no enforcement mechanism, so they don't need to worry about it.
I sincerely hope that they will swap positions after the first few fines have been dealt out.
> That you don't agree with it is obvious but whether or not a law is enforced or not does not change the fact that it is the law.
And something being "the law" doesn't actually mean anything. If not enforced, laws are just words.
So these companies who are now blocking did the actually rational thing, which is ignore the law right up until it matters.
No fines are going to hit these companies that have no EU presence. That's just scaremongering. And for the ones that do, I guess we'll see. Blocking the EU market seems pretty damn fair to me. I don't understand why the EU thinks it can force a business outside of the EU to deal with their citizens if it doesn't want to?
> No fines are going to hit these companies that have no EU presence.
Oh they will be fined. The question is whether those fines will ever be collected. But the collection of fines is a different part of the government than the part that sets and applies the fines.
> That's just scaremongering.
No, it's a fact of life: if you ignore the law you will be fined.
> And for the ones that do, I guess we'll see.
Oh ok, so they will be fined. At least we agree on something.
Note that the EU at this point in time couldn't care less about those companies that have no POP in the EU, and if that causes companies to pack up and leave then so be it. But those companies that do have a POP and that knowingly and persistently violate the law, whether they are European in origin, American or Chinese deserve to have the book thrown at them if they ignore the law.
> Blocking the EU market seems pretty damn fair to me.
That's just fine, I take it your business is not affected or you plan to ignore the law because they can't collect. I'm perfectly ok with you doing that, don't get me wrong. It's your right to do this but I do think you should be transparent about this.
> I don't understand why the EU thinks it can force a business outside of the EU to deal with their citizens if it doesn't want to?
The EU can't force that, and that's not the intent of the law.