If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data, and build a system to get user consent, etc.
I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.
DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority b) monitoring subjects on large scale c) dealing with criminal conviction data.
> build a system to get user consent
It's called a checkbox. They likely use one to agree to TOS anyway. If you don't have that one, DMCA and COPA are what you should be worried about before GDPR. (If you're based in the US anyway)
Article 37 1.a and 1.b are extremely vague. Hiring a DPO becomes necessary once your service "requires regular and systematic monitoring of data subjects on a large scale", or processing personal info specified in article 9 "on a large scale".
However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count thresholds or anything like that.
Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.
Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.
I'm not saying all these tasks are hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.
They only apply if it's your core activity though. If dank memes are your core activity, you're not "processing personal data" on a large scale, regardless of how many memes you store.
Again, only if you assume that these memes aren't covered by article 9. You might be able to infer a lot about someone from their authored or favorite memes. Article 9 doesn't just cover the personal data itself, it covers personal data revealing ethnicity, political opinion, etc. If I look at a user's list of authored memes, and it's full of pro gay rights memes, have these memes revealed their political opinion? Many would argue yes, and processing memes is definitely the core activity of our hypothetical site.
> If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data
No, because that website doesn’t collect personal information.
> and build a system to get user consent, etc.
You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
> No, because that website doesn’t collect personal information.
Yes it does. It at least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitute personal data.
> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
Again, I specified a meme generator site that has at least some user specific personalization.
What about all the comments on those memes? Do those go too? What about the people who hot-linked to those memes? Do you just nuke the images and break all the content people linked to?
You sign up for a website and upload and share a bunch of memes... honestly... the shit isn't really your data anymore. It is the public's. You shared it and yanking it back is kind of a dick move.
It really isn't as "simple" as a DELETE statement that some people argue it is.
You are just making s*it up. A meme is something you publicly posted, it is not your personal info; you possibly agreed to transfer copyright to the site, and if you still own it, of course you have the right to delete it.
As for personal info, most meme websites don't require any accounts to create them, because it only makes the site less usable, but if the site does have accounts, you do have the right to see/update your account, you have the right to delete your account and be sure that if your account is deleted the data is actually gone.
> Meme is something you publicly posted it is not your personal info,
Very generous assumption on your part. Article 9 specifically says that anything revealing personal info like ethnicity, political affiliation, etc. is covered by GDPR. If I look at Adam's list of authored memes and there's a bunch of pro-Democrat memes and I look at Bob's and it's all pro-Republican memes, then it's very easy to see a court ruling that memes reveal political affiliation.
> I can easily see small websites just ignoring GDPR and hoping they fly under the radar.
This is my plan. What are they going to do, extradite me over claims that my access logs includes IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?
> I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.