Hacker News | pwtweet's comments

"It is harder for small and new companies to comply and crowds them out"

Show us some proof the GDPR is harder for small and new businesses to comply.


The headline is just a wee bit sensational..

Story from the BBC: http://www.bbc.com/news/uk-43893420


"Our Marketing team is excited to share moments that spotlight the magic of your events. In order to accommodate the specific needs of every user, you have the option to opt out of Section 7 by sending written notice of your decision to opt-out to legal@eventbrite.com." Source: https://twitter.com/I00I00I/status/987540833384546304

So Eventbrite asks for a 'written notification' after you've set up instead of using an opt-in setting during setup, dirty fuckers.


I'm pretty certain that tweet is not an official EventBrite account. Ignore it.

Not that I'm saying you should ignore this story - this is clearly a terrible move on EventBrite's part and the clause should be scrapped.


No it's bloody not.


Article 2d "This Regulation does not apply to the processing of personal data: [...] by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." exempts data collection by gov't for security purposes.

Article 6.1c "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] c) processing is necessary for compliance with a legal obligation to which the controller is subject;" exempts data collection by private parties if ordered by gov't, e.g. if they require communications operators to track subscriber identities or something else, then GDPR consent requirements don't apply.

So I'd say that it's materially true that "Data collection for security and intelligence purposes by governments is exempt from GDPR rules", as long as governments are doing this data collection according to whatever other laws they have passed and not in violation of them (which sometimes has been the case, though, with executive branch doing what legislative branch has forbidden them).


It’s tricky: Law enforcement data collection has its own, separate directive, the LEDP (https://edri.org/data-protection-directive-law-enforcement-l...), which will come into force at the same time.

Member states have argued that intelligence services aren’t covered by EU law (their management is reserved to the member states), but since the basic principle of data protection is embedded in the European Charter of Human Rights, you can argue that EU residents (indeed, everybody) should be protected. It’s just that, unless individual countries write it into their law or a court successfully asserts its jurisdiction, there is nobody to enforce it against the intelligence services.


More bollox. Just stop fucking lying, you're just showing yourself to be an ignorant ass.


Personal attacks will get you banned here, so please don't post like this.

You've unfortunately posted other uncivil comments in the past, too; could you please (re-)read the site rules at https://news.ycombinator.com/newsguidelines.html and use HN as intended from now on?


"piece of legislation intended to cripple US corporations and supplement EU budgets with US corporate profits".

The most ignorant fucking statement I have read on HN in a long time. The 2016 GDPR is an update to the 2002 EU Data Protection Regulation. It has nothing to do with taxes, profits or crippling any company. It is an enforcement of the EU Charter of Fundamental Rights.


Budget supplements come from potential fines which are set at an exuberant rate.

"An update" as in adding new laws and regulations all of which are unneeded and all of which are targeting US companies.


Fines without teeth won't produce the desired effect. Privacy matters more than profit.


>... all of which are targeting US companies.

Clearly not true, but exquisite in the context of the FB factory dodging tax via the Irish loopholes, and now moving away from Ireland as a base.


[flagged]


The new tax code provides Facebook a 0.6% tax rate? Because that's what they're currently paying in Ireland.


> And on that note what's with all the commies on HN?!

I very much value the good faith exhibited on this forum. This comment is the antithesis of that. It is nothing more than bigotry.


That's weird. I don't see similar responses whenever someone calls those who lean right of center "Trumpkins" or other witty epithets.


Trump isn't right of center, Trump is right of right.


His opinion "I wonder why the EU is an afterthought when you need to spend millions on compliance for every new feature" is not backed up by any facts. If he had said that meeting the legal requirements in 28 different independent and sovereign countries adds too much cost then he would be correct.

Remember the EU Single Market and Custom Union does not cover every aspect of commerce and industry across all 28 member states.

Having said that, the Payment Services Directive 2 (PSD2) which applies to Stripe, will remove any remaining barriers and costs that still exist between member states when applied to the provision of electronic payments. If one was to add in the eIDAS directive then meeting compliance for identity, fraud, etc will soon be irrelevant.


Sure but the EU does levy rather large fines.


1) GDPR applies to EU citizens only 2) Nothing to do with EEA.


> 2) Nothing to do with EEA.

This is not true either. GDPR will apply to all of the EEA, like most EU regulations: https://planit.legal/blog/en/the-applicability-of-the-gdpr-w...


GDPR applies to all EU residents, not just citizens.


> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.

It's not even resident, the bar is far lower. A US resident on holidays to Europe is covered.

See https://cybercounsel.co.uk/data-subjects/ (linked in a sibling comment)


How is this enforced? For Facebook, let's say, is all I have to do change my country from a non-European country to a European country, and I'm good? Because that is a fairly easy line to cross.


To be a resident you have to provide proof that you actually live in a country.

The US commonly accepts utility bills in your name. The EU most likely requires you to have a residence permit.

Edit: that said, GDPR may still cover you while you are within the EU borders: https://news.ycombinator.com/item?id=16751963


You can't generalize residency like that. It depends.

In the EU, laws on residency are different for each member state.

You become a US tax resident based on the significant presence test without presenting any proof.

You become a legal permanent resident in the US when you get a green card.

Proof of residency is only required in US states that follow the REAL ID Act, which California only started conforming to this year.


Is it? I ask as an EU citizen residing in the US. I thought it was based on IP and possibly verifying your residence?


I've asked about this before in another thread but didn't get anything useful for me. How can I get the benefit of being an EU resident, with respect to GDPR, while not physically being in the EU? What I'm asking for may probably sound like a fraudulent thing, but I value my privacy a lot, and if there are any steps I can consider to make myself come under GDPR (without moving to the EU), I'd like to know.


Using a VPN to connect to a location in Europe might work, if the company uses IP address to check whether a user is in the EU.

Of course, Facebook has other options (many users just tell them where they live, you can even fill out an address) so you could try claiming to live in the EU there, too.


> many users just tell them where they live, you can even fill out an address

That won't be sufficient. If you're living in Antarctica and are on summer holidays on an Austrian glacier, you're covered by the GDPR.


Which is particularly interesting for me the next couple of election cycles, as I am a US citizen registered to vote back in the last place in the US I resided - and live in Germany, which was notable for its data protection laws even before GDPR.

I might have a moral obligation to use Facebook again.


>1) GDPR applies to EU citizens only

This is not true. https://cybercounsel.co.uk/data-subjects/


How does that work for folks like myself who have multiple nationalities? I live in the United States but am also a French citizen.


> How does that work for folks like myself who have multiple nationalities? I live in the United States but am also a French citizen.

Being a French citizen living in the United States is not having multiple nationalities, only one (French).


I'm also a US citizen, but didn't specify since it didn't seem relevant.


The statement is incorrect. GDPR applies to collecting data about people in the EU. Citizenship is not a factor.


Oh? Do you have a source that's unambiguous about this? Thanks.


What the fuck are you smoking. Five fucking years this legislation has been open for public discussion, thousands of hours of open hearings. Every arsehole has had their five minutes. Every fucking detail and possible consequence discussed and argued over. Nearly two fucking years since it became law across the EU, a month from going into force and fucking ignorant clowns like you pop up with the dumbest fucking takes.


Personal attacks aren't allowed on HN, regardless of how wrong someone else may be. We ban accounts that post like this, so please don't do it again.

https://news.ycombinator.com/newsguidelines.html


