What many posters here miss is that there is a big group of tech people that have no interest in dealing with legal matters more than the bare minimum, and overall deem them risky. I am one of them. People like me are well-aware of the fact that if we are not experts then we're absolutely gonna lose because a dedicated lawyer can and will dig up material you couldn't prepare yourself to defend from.
Thus, complying with something somewhat ambiguous like the GDPR is still an expense -- of time, money and risk -- that many small website owners won't be willing to spare.
Look, it's not hard to encrypt all personally identifiable information; there are ready-made frameworks that let you choose which DB columns you encrypt and how. You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that.
The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).
Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.
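The per-user-key scheme the comment above mentions (each account gets its own key at creation, its PII columns are encrypted under it, and erasure is done by deleting the key) as an added, stand-alone example; this is not code from the commenter or from any product named in the thread. The in-memory `UserKeyStore` stands in for a key-management service, the dict `table` stands in for a database table, and the cipher is an HMAC-SHA256 counter-mode construction with encrypt-then-MAC so that the block runs with the Python standard library only (a deployment would use AES-GCM from a real crypto library).

```python
import hashlib
import hmac
import secrets


class UserKeyStore:
    """One random data-encryption key per user (constructed in-memory stand-in
    for a KMS or a separate keys table). Deleting the key is the erasure:
    every column encrypted under it becomes unrecoverable (crypto-shredding)."""

    def __init__(self):
        self._keys = {}

    def create_user(self, user_id):
        # Fresh 256-bit key generated at account creation.
        self._keys[user_id] = secrets.token_bytes(32)

    def key_for(self, user_id):
        return self._keys.get(user_id)  # None once the key has been shredded

    def shred(self, user_id):
        self._keys.pop(user_id, None)


def _keystream(key, nonce, length):
    # Counter-mode keystream using HMAC-SHA256 as the PRF (stdlib only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(user_key):
    # Separate encryption and authentication keys derived from the user key.
    enc = hmac.new(user_key, b"column-encrypt", hashlib.sha256).digest()
    mac = hmac.new(user_key, b"column-auth", hashlib.sha256).digest()
    return enc, mac


def encrypt_column(user_key, plaintext):
    """Encrypt-then-MAC one column value; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(user_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_column(user_key, blob):
    """Verify the tag before decrypting; raises ValueError if the blob was altered."""
    enc, mac = _subkeys(user_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("column authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def store_record(keystore, table, user_id, fields):
    """Write a row whose PII columns are encrypted under the user's own key."""
    key = keystore.key_for(user_id)
    if key is None:
        raise KeyError("no key for user: account not created or already erased")
    table[user_id] = {col: encrypt_column(key, val.encode()) for col, val in fields.items()}


def read_record(keystore, table, user_id):
    """Return the decrypted row, or None once the user's key has been shredded."""
    key = keystore.key_for(user_id)
    if key is None or user_id not in table:
        return None
    return {col: decrypt_column(key, blob).decode() for col, blob in table[user_id].items()}


def erase_user(keystore, user_id):
    """Erasure request: drop the key. Ciphertext rows (and backups) may remain
    on disk, but nothing can decrypt them any more."""
    keystore.shred(user_id)


def tamper_detected(user_key, blob):
    """True if flipping one stored byte is caught by the tag check."""
    corrupted = bytearray(blob)
    corrupted[16] ^= 0x01
    try:
        decrypt_column(user_key, bytes(corrupted))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ks, users = UserKeyStore(), {}
    ks.create_user("u1")
    store_record(ks, users, "u1", {"email": "alice@example.com"})  # constructed sample
    print(read_record(ks, users, "u1"))
    erase_user(ks, "u1")
    print(read_record(ks, users, "u1"))  # None: row still present, key gone
```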
From the description Streetlend didn’t violate the GDPR in concept though. Addresses are public record, available in public databases, and there is nothing stopping you from doing lending eBay. All it needed to do was clear its records every 6 months and let people delete their accounts.
Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.
The really ironic thing about this is that Streetlend imagined itself “ethical” when its entire business model was selling your data...
The GDPR isn’t really that hostile to small business and it doesn’t require an understanding of law. You can hire a data protection officer at a legal firm for almost nothing, and as long as you follow their advice on how to pass audits, you’re really not in trouble.
That being said, the GDPR is really hostile toward startups trying to make money the same way Facebook and Google does. You need to have a massive legal department to do that, and Streetlend obviously did not. But is that really so terrible?
It may call for a new business model for the internet, and that may seem impossible right now. But do you remember when the EU outlawed environmentally shitty lightbulbs and everyone said we were going dark because it was impossible to do anything else? Today 95% of lightbulbs are LEDs because of that.
Startups will find a way to make money that isn’t selling your data.
> Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.
If you mean he just slapped some Amazon ads on his site to support his side project, then accusing that guy of "selling your privacy data" requires quite a bit of mental gymnastics and is a pretty dishonest description of the facts.
The blame here is wholly with the users for putting their data online in the first place (really, you can go a very long way with my.fake.name@gmail.com!) and especially Facebook for providing the framework that enables this all.
You're completely ignoring the point of GDPR. The point is that users should be in control of their data, and when they give it to someone they have the right to know what it is used for and to be able to retract consent for its usage.
Blaming users for providing their personal data is strange -- if the implication is that nobody should provide their personal data because it can be abused then is it not obvious that the use of personal data should be regulated?
If the majority of banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?
As for the Amazon bit, I think you're underselling it. Amazon tracks users in arguably unethical ways (due to the lack of consent, and the scope, and the inability to opt out) and displaying their ads is inflicting that on your users. If you care about your users' privacy (which is what GDPR is trying to enforce) then you would know that "just slapp[ing] some Amazon ads on [your] site" is not the correct approach to handling users' personal data. I do agree it's not trivial to handle GDPR if you don't have a lawyer (though you can get a data officer from a legal firm), but complying with laws is part of doing business.
> The point is that users should be in control of their data, and when they give it to someone they have the right to know what it is used for and to be able to retract consent for its usage.
See, I disagree with this very premise. Why is it true? It's _not_ my data; it's data about me. Even things like pictures, once shared, are no longer under my control. I actually feel it's fundamentally dangerous to make users think they actually control data they don't.
> If you care about your users privacy (which is what GDPR is trying to enforce)
I also disagree with this. The GDPR doesn't do anything to make companies handle my data more carefully or responsibly.
Data about me is my data, and if the government gives me the right to control it, I have that right.
If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely. The rest of my data is no different. I own my data and the data about me, not them.
GDPR gives users the controls and governance over their data that should have always existed, but that tech companies gaslighted users into believing doesn’t exist.
If you send me that photo via email, should you subsequently be able to revoke my access to that photo? If so, by what means?
If you used a closed messaging system (say Facebook's messaging system, or Apple's Messages), should you be able to revoke access?
If you follow the argument a hop, skip and a jump away, what happens if I submit a photo to a publication and they run it on their website? Can I revoke access? What if that publication has published that photo in a physical form?
I.e., where is the line where a reasonable person should expect that the data they have willingly shared/published has slipped beyond their control?
If you give someone a license to reproduce a digital asset, you lose the ability to revoke access to it.
All other rights are reserved. Would it change the dynamic to be able to revoke access to assets in a private messaging system? For sure. But copyright law (at least in the US) supports this right of the copyright owner. The inability to revoke access is a failing of the tool or the product, not the law.
Isn't it pretty standard for website T&Cs to say something along the lines of "by uploading content to this website you are providing [website owner] with a license to reproduce the content"? Sometimes those T&Cs will be quite broad - non-revocable, across all media (including forms not yet imagined).
> The inability to revoke access is a failing of the tool or the product, not the law.
Does the law need to change? Or (in the case of email) is it fine as is because the reasonable person realizes that once you hit 'send', the content is out of your control?
> If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely.
I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.
> The rest of my data is no different.
Exactly, you have no control over it.
> I own my data and the data about me, not them.
No, you don't _own_ your data.
> GDPR gives users the controls and governance over their data that should have always existed
No, on all accounts. There is no reason at all that you need to delete accounts or force anyone to delete any information about you. That's all just silly.
> but that tech companies gaslighted users into believing doesn’t exist
That's also silly. If you don't control something, you don't control it. Full stop. I don't understand why you don't understand that.
Neither of you are really using supporting evidence in this discussion, you're both just two sides of a value argument increasing in volume.
On the one hand, the other guy is legally correct - gdpr's purpose is to legally give individuals control over data about them (pictures they upload, addresses they input, whatever). That control is responsible on a site to site basis - if a person's naked picture is leaked online, every single IP address that hosts it must take it down if requested, or violate gdpr.
You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.
You can both disagree about the morality of this but simply restating both of your points with more "full stops" is pointless. If you're both really having trouble understanding each other's positions, step back and try to defend the opponent's decision.
> You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.
Which is my point. You no longer retain any control over it. A law saying you have control over it is silly, because it's worse than worthless: it makes me think I have control over something I don't have control over.
Laws cannot magically manufacture things which cannot ever be created.
Moreover, the gdpr doesn't prevent any of the problems that have caused data breaches in the past. The Target and Equifax breaches (both of which could easily claim the data they had was essential to their business: Target with credit cards and Equifax being used by banks to coordinate information) are both equally likely under the gdpr and both equally unpunishable.
As for Facebook and Cambridge Analytica, how would this have been prevented? Facebook can just ask you to opt in to their usage of your info to use their service. Facebook can share information with other entities that claim to be gdpr compliant. Other entity then shares information with other people outside of Facebook's control.
I just don't see how the gdpr changes a fundamental fact: you no longer control something someone else has. Laws cannot change that. Laws can give you recourse, but they cannot change it. I actually believe that it's dangerous to believe that I have control over things I don't: it's a false sense of security.
So what's the point of your argument? Should we scrap GDPR because it isn't 100% effective in curbing personal data misuse? You could argue along similar lines that almost any law gives you a false sense of security - why do copyright laws exist, do they give the music industry for example a false sense of security that their audio files can't possibly be copied or shared? No, but they do provide legal recourse and they do set up a framework for acceptable use. If Facebook shared your information with another entity without your consent, that would be a violation of GDPR and you would again have legal recourse.
And now we're back to the argument that we shouldn't protect the public against systemic unethical behaviour, and rather we should protect the bad actors while blaming the public for not being educated enough. Wanting better education is a fine goal (and one I agree with), but the reason why we have seat-belts (as well as driving lessons) is that sometimes you also need other protections for the public. The same logic applies for consumer laws. We don't blame the public for not doing enough research to know that their new phone charger blows up after 3 months -- we blame the manufacturer.
Also there's the fact that companies can end up sharing data to other parties, or a company can be acquired and change their mind about what the data will be used for (which is allowed because of the originally nebulous scope of their T&C which was specifically designed to allow for expansion without asking for user consent explicitly when usage changes). GDPR provides methods for users to be protected in both of those cases -- while just enforcing education does not.
Not to mention that if education was mandatory, then the same companies complaining about GDPR today would be complaining about educating users how their services abuse their dignity. Cutting Google/Amazon/Facebook/etc slack for making hundreds of billions from users' personal data and creating "Big Brother"-esque profiling systems for their billions of users doesn't really seem rational to me.
What if we make companies behave responsibly instead? There are fewer companies than people, and it is easier to go after them.
If I owned a site I would not have a problem deleting someone's personal data.
Also, your suggestion is that if you want to keep your data protected then you should not be using anything on the Internet or make any deals, because once you have ordered something on Amazon it can sell your data to everyone else? Or when you rent an apartment, a realty agency should be allowed to share your name, SSN, bank card number and address with everyone? No, I don't think it should be this way.
You are correct that GDPR means "you cannot functionally control something someone else has," but you are missing the aspect of "force."
If I find the person that owns the server hosting my data, and I put a gun to his head, and I say, "remove my data," do I now control that data?
What if I instead pay someone else to go around putting guns to the heads of server owners? If I build an army?
What if instead of that I communitize my resources into a legal system that doesn't put guns to people's heads, but will take their money away and put them in jail if they don't follow the laws?
Don't get me wrong, I'm with you in the hacker-culture sense: fuck the system, man, if Google wanted to it could probably blackmail individual US government officials to the point that it took the country over. I get that. I guess we can get deep into a political science debate about governments and social contracts.
Put it this way: Is your sense that you can walk to work without getting mugged a false sense of security? If not, the only alternative is homesteads with militias (not walking to work anymore), or, arming entire populations (putting the burden of self-defense on the people). In the past, this has been tried, and led to gang rule.
If we "give up" on legal systems, we have ample evidence for what happens. When you apply those lessons to the digital space, maybe it's not 1:1, I guess some countries will be learning that for us, while others will try things like GDPR.
It's all a journey for human civilization. People like you that promote self-defense are great because we get amazing government-agnostic tools out of the deal. People that support GDPR are also great because we can test out "social contract" methods.
What's wrong with dancing around both sides of the aisle?
It's not about giving up on the legal system, it's about taking responsibility and not sharing data with people you don't trust, or don't trust to keep secret.
The gdpr makes people think that they don't need to think about what they share and with whom. Do you really think companies are going to significantly change just because of this? I highly doubt it. Sure there will be some things, but in the end many of the same patterns and uses will emerge.
It's not about giving up on the legal system, it's about taking responsibility and not sharing data with people you don't trust, or don't trust to keep secret.
You keep writing as if everyone has a meaningful choice about who gets data about them, but clearly that is not always the case. Someone may obtain data about someone else from a third party, and you can't avoid sharing a certain amount of data and still function as a normal member of society.
The idea of absolute, black-and-white privacy, where either you share personal information or you keep something completely to yourself, isn't very useful in the modern world. Our conventions must be more nuanced than that, and in practice that means what really matters is who gets access to data about you and what they're using it for.
That means basically don't share them with anyone, don't sign any contracts, don't work, and live in the street. Because even your employer or real estate agent can sell them to anyone else in your model.
Aside from the "nuh uh; uh huh" nature of this exchange, I really don't understand what your position is.
> I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.
I'm not sure what your definition of "control" is, but based upon the arguments you've made about "control" above, I assume you mean it in some absolute sense.
Ownership definitely implies control. He can use DMCA to compel a third party to stop publishing his photo, for example. How is that not "control"?
Your definition of control seems to be somehow about capability or power, rather than normative ethics or legal right. Which is a rather absurd way of talking about this issue.
In that sense of control, I don't even control my own body. Someone who is stronger than me can hurt me; can rape me; can even kill me. I have no control.
Of course, for normative reasons, we make laws against other people controlling me in certain ways even though they have the power to do so.
Data privacy is no different. The discussion is not about what degree of control a party is physically capable of exerting. The discussion is about what degree of control the government should grant to each party.
The fact that someone somewhere is capable of hoarding my data, does not imply that this outcome is just or optimal. Your position is a textbook example of the naturalistic fallacy.
I don’t “understand” it because it’s not true (controls need not be technical; they can be regulatory, policy, or other methods). Save your apologies, regulation is coming to fix the deficiencies in data rights and protection. Looking forward to more of it in the same fashion.
> I don’t “understand” it because it’s not true (controls need not be technical; they can be regulatory, policy, or other methods).
No, control is only one thing: the ability to constrain the actions of another. You can _never_ prevent your ex from sharing nudes of you; you can only recover damages.
> Save your apologies
I'm not apologizing for anyone.
> regulation is coming to fix the deficiencies in data rights and protection
No, regulations are coming to give users a false sense of empowerment at the cost of everyone else.
I agree with you in principle but your argument has veered into unsound territory. Do you not believe it's possible for the threat of damages to end up preventing an ex from sharing nudes of you that they otherwise might have? Sure, there's a level of determination that will surpass that barrier, but at least there's a barrier.
Following this logic to its conclusion, there is no such thing as control and all laws are pointless. You can't force people not to kill each other, but you can enforce punishments that dissuade people from doing it (and in some countries create regulations to make it harder to acquire tools to do said killing). Same thing goes for stealing, perjury, fraud, assault, breach of contract, defamation, etc.
I actually cannot think of a single instance where someone has "control" over something and the law exists purely as a way of exercising that control, and I can think of hundreds of examples where laws exist to stop people from doing things they may be physically capable of doing but would produce a negative effect on society if permitted. Maybe there is such an example, but it'd be an outlier.
Sure you can. You can lock up anyone who isn't willing to obey the law and continues to cause harm to your ex by sharing the photos, for example. In fact, since revenge porn is now a criminal offence in many civilised countries, that is very likely what will happen.
If anything, the anomaly here is that inappropriately using or sharing personal data about someone is in most cases still only a regulatory or at most civil matter and not a criminal offence. Obviously such an act can potentially cause far more harm to that individual than many physical acts of violence that do carry jail time.
>Sure you can. You can lock up anyone who isn't willing to obey the law and continues to cause harm to your ex by sharing the photos, for example.
Actually, this isn't true, for the purposes of this analogy.
You can only lock up people who are in your country and under the control of your legal system. If your ex flees to Russia and sends out these photos from there, good luck prosecuting them and putting them in jail.
This is the internet we're talking about. An EU law doesn't apply outside the EU, in places like Russia, the US, China, and many other locales. What's the EU going to do when sites in those other countries refuse to take down pictures based on this EU law?
Threatening someone with consequences if they perform some action may not prevent them from doing what they are determined to do, but it will dissuade many. The entire basis of modern society and law is built on the idea of threatening people if they break the law, rather than completely preventing them from doing anything illegal. This is not control in, say, the unix permissions sense, but it's control in common parlance.
It's not their data explicitly but that doesn't mean you can do what you want with it or that companies have no obligation to them just because it's your note. They may not be able to request access to view that note or take advantage of the many GDPR provisions, but if the note contains personally identifiable information about them and said note is leaked to the public then companies will still need to remove that information at their request despite it being your note.
This is similar to some other laws, you can be as slanderous as you want to someone in private but if that slander makes publication then you open yourself up to a lawsuit. You may own copyrights to the image you take of someone in public, but you cannot use their image in your merchandise despite owning the copyright to that image. If someone is doxed in an email, and the email hosting provider used is compromised and has their emails linked to the public, the person who was doxed has just as much right to request that the publicly available emails be removed from search engines, etc.
It absolutely does not. That is still entirely legal. All the GDPR does is make sure that the entity you're trading with is up front about what data they are collecting, and what it will be used for, giving you the ability to make an informed decision.
That's not all it does. Among the other things it does:
It requires the entity to give you the ability to delete your personal data, which means a contract where you grant a service a permanent and irrevocable right to data about you in exchange for a service is illegal.
It also requires the entity to provide an equivalent service to any site visitor that chooses to not grant their data to the entity, thus making the business model of trading even revocable access to one's data for a service unviable in the long run.
It makes it illegal to offer a service in exchange for data that is stored without end-user retrievability. Therefore, it makes a contract where you grant a service irretrievable data about you in exchange for a service is illegal.
All of these reduce the range of possible voluntary interactions. It's anti consent.
No, they do not. Not a single one of those reduces the range of voluntary interactions. If anything, they increase the range, because now it actually is voluntary.
And it is bonkers to imply that something that requires you to actually get affirmative consent from the user is "anti consent". You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.
I just gave you examples of voluntary interactions that are now illegal under the GDPR programme, and you respond that none of the examples reduce the range of voluntary interactions. It's bizarre.
>>You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.
I agree that it is anti-consent. I don't have a problem with laws requiring more legible consent forms.
My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored.
"I just gave you examples of voluntary interactions that are now illegal under the GDPR programme, and you respond that none of the examples reduce the range of voluntary interactions. It's bizarre."
No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.
"My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored."
No, you didn't. All you did was post a list of "transactions" where the company has all the say, and the user really has no input whatsoever. No one is going to miss those transactions.
If you truly, honestly are concerned with "consent", then you should be applauding this law, as it does require actual, informed, affirmative consent. Not the "Here's a great wall of text, agree to give us every little bit of data with no recourse whatsoever for you or don't get any access to the service at all" form of "consent".
I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".
>>No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.
I have difficulty responding to such an immature mischaracterization of what I listed.
I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.
You're infantilizing people when you claim they're not capable of consenting to the sale of their personal data. In fact, no court of law would ever agree with you that these contracts are non-consensual ipso facto what the user offers, which is why the only way these kinds of contracts could be categorically disqualified is to circumvent the courts' purview of establishing consent, by resorting to statutory interventions like GDPR.
And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.
What you're doing is absolutely reckless.
>>I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".
Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.
Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.
>I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.
And in that set, you predicated that the user could not revoke consent. That means that it is not a free contract.
>And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.
A contract in which one can not revoke consent is a contract in which one can never truly give consent. If I am unable to revoke my consent, then it can never be in the interest of the user, because my interest may change in the future.
>What you're doing is absolutely reckless.
No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.
>Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.
Which is what you're pushing for. You don't want me to be able to withdraw consent later, thus my selling of data WILL affect my future self.
>Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.
It still affects your future self.
Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent! You should be ecstatic that you will now be able to exercise greater freedom than you could before. You will have that most basic of freedom to evaluate whether or not something is still in your interest, and if it's not, withdraw, without the other party still benefiting off of your information.
>>And in that set, you predicated that the user could not revoke consent.
No I didn't. I said that these contracts enable the user to sell their personal data. If a personal data sales contract includes a clause allowing you to 'revoke consent' AFTER 'selling' your data, then you are renting your data, not selling it.
By making contracts without such clauses illegal, you are reducing the space of contractual interaction, in making it impossible to sell one's personal data.
>>That means that it is not a free contract.
Again, I have difficulty responding to such immature mischaracterizations of reality.
Selling your personal data is a 100% "free contract".
>>No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.
You obviously don't care to debate this issue based on rational arguments and facts. You're debating in bad faith. You've already made up your mind and are more than willing to mischaracterize the situation, and people's position, to push your views.
>>It still affects your future self.
Everything you do affects your future self, but this particular type of sale does not cover data generated by your future self. It only covers what you have already generated.
It's absurd and totally dishonest to compare it to selling oneself into slavery. It's nothing more than hysterical fearmongering about the free market, in support of government limiting people's contractual rights.
>>Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent!
You're once again mischaracterizing the ability to revoke a sale, after the fact, as "withdraw consent".
When you sell something to someone, you no longer have a claim to that something, and thus the other party no longer needs your consent to maintain ownership of it.
That I really need to explain the semantics of ownership to you, and explain how allowing retroactive and unilateral reversals of sales makes it impossible to sell something, shows just how completely delusional and dishonest you're being.
Terms that you accept by clicking an "I accept" button can be a proper, considered contract. From what I understand, GDPR requires more legible terms of service, in place of the undecipherable legalese one finds now, which could potentially help with the issue of users not understanding what they're accepting.
I don't see why the new rules couldn't have been limited to those of this sort, which ensure that users are providing considered agreement.
Not stolen, but quite probably violated several laws in connection with privacy and personality rights. And this is already the case in many EU countries, no GDPR needed for that.
I actually hadn't considered it before, but I imagine that being a PI in e.g. Germany must be a veritable legal minefield.
See, I disagree with this very premise. Why is it true? It's _not_ my data; it's data about me.
Why do we protect any rights by law? Usually it's because some harm is likely if the right is not protected and the potential victim cannot effectively protect themselves due to some imbalance of power.
Reasonable people can debate how far privacy rights should be protected and where the balance lies between protecting the data subject and allowing data processors to do useful things. Maybe the GDPR doesn't strike the ideal balance here and favours one side too much at the expense of the other.
However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession. Many social conventions have proven to be useful, and we codify them in laws so that everyone can see what is considered acceptable behaviour and so that people who try to undermine those norms for their own benefit at the expense of others can be dealt with.
> However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession.
No, it's more like making it a crime to break or lose something lent to you. At most it's a civil matter handling damages, not an extension of control over the item lent (barring any contractual agreement).
I don't see why the criminal vs. civil distinction matters here. The point is that you can have legal control over something without necessarily having physical control over it.
Put another way, how is protection of privacy by restricting what someone may lawfully do with personal data any different to protection of physical property by restricting when someone may lawfully use or remove it? Typically you can't physically stop someone from sending your email address to someone else once they have that information, but then typically you also can't physically stop someone from stealing your TV while you're out once they have a big sledgehammer and access to your front window.
I think most of us would still say that we have legal control over our possessions, and most of us would still say that theft is unacceptable behaviour and should be punished. In Europe, where perhaps we tend to have stronger feelings about privacy than in some parts of the world, a lot of people similarly feel that they should have the ability to restrict how data about them is being used and shared, and that some things that some organisations have been doing until now are unacceptable behaviour and should be punished if they continue to do them.
The purpose of the law is one thing, the means through which the law is enforced is another. One can agree with the purpose of the law (people should have control over X) but not with the means (civil damages or criminal penalties).
"To have legal control over your PII" and "To have legal control over your possessions" are similar in nature. The fact that such purposes are implemented in different ways, for mostly technical reasons, does not diminish the argument.
The main technical reason is that, right now, loss of control over PII is widespread, and individually processing each claim would likely overload the judicial system of EU countries, which usually don't have class action lawsuits. GDPR simulates a class action lawsuit using regulatory bodies, to be triggered by refusal to comply with a significant number of GDPR requests.
Let's talk again in 1-2 years. My prediction is that your premise will be wrong by this time in the EU, i.e., users there will have control over their data.
(not perfect control, but that is the same in every area where law is broken, e.g., there are burglars, but I think you would still consider yourself in control of your personal belongings, and nobody would argue that we should stop prosecuting burglary because many burglars will always get away with it)
I'm always willing to change my opinion based upon data. I'm looking forward to that discussion in a few years. Regardless of who ends up being "right", it will be interesting.
>>The point is that users should be in control of their data
Intentions and effects do not always align. The effect of GDPR is to make any business model where a user trades their personal data for a service illegal.
Business models involving voluntary exchange should not be prohibited.
The fact is, the free market already gives users control over their data. They are not obligated to use any service that requires private information from them.
GDPR doesn't make illegal the trading of personal data for services. It requires consent for each piece of data (in detail, not a catch-all), and requires an option to remove your data, or opt out of specific uses of said data.
If a party must provide a service for users that refuse to provide their personal data, as long as it provides that service for users that agree to provide their personal data, then there can be no business model based on trading personal data for a service.
And by mandating an option to remove your data, it makes a contract where a user gives a permanent grant of their data to a service provider, in exchange for a service, illegal.
>if the implication is that nobody should provide their personal data because it can be abused then is it not obvious that the use of personal data should be regulated?
I honestly thought this kind of reasoning was a right-wing caricature. No, it is not obvious that choices with risks attached should always be regulated away.
Disclosing information in proportion to trust is a basic life skill. I understand that many in the tech community are frustrated to see the general public failing to exercise this discipline, and maybe regulation is the best way to protect them from themselves, but that's not obvious.
>If the majority banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?
False dichotomy. You want a spectrum of financial products that depositors can choose from according to their risk tolerance. It's essential that we have stable, regulated, insured checking accounts. It's also essential that we have self-directed brokerage accounts.
>"just slapp[ing] some Amazon adds on [your] site" is not the correct approach to handling users' personal data.
A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?
> No, it is not obvious that choices with risks attached should always be regulated away.
The assumption is that all users are actively making a choice. Many are not aware of the choices they are making, and I think it's wrong to punish them for it -- when companies profit off this lack of literacy and people rush to their defense whenever people start talking about regulation.
I don't want companies like Google and Amazon to be able to hoard massive amounts of personal information about a large portion of the world's population, and not have to respect the rights of the people whose information they have acquired.
> You want a spectrum of financial products that depositors can choose from according to their risk tolerance.
If effectively everyone of importance just uses Amazon (or Google) ads then you don't get a "spectrum" and there's no choice involved. You have an option to either use or not use a majority of the internet. Yes, you can use ad-blockers but that's not a long-term solution.
> A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?
Most users are not aware of how these things work. I agree that if everyone knew how to block those ads and what the actual problems are with them, then things like GDPR might be less necessary (though the right to retract consent is something that should be enforced).
But even then, ad-blockers are a defense against an industry that is over-stepping ethical boundaries every day. At which point do you say that companies which inflict systemic violations of ethics on billions of people should be held accountable? Or is it always the fault of the people because they didn't care enough about their personal information?
It’s not advertising itself that is problematic. I’d be fine with an image loaded from the origin server. It’s the attached pervasive tracking and monitoring, coupled with the real security risks that come with the current incarnation of advertising technologies.
The irony is that if, instead of passing legislation to try and "protect users/citizens from their own lack of understanding", a government would instead invest heavily in educating their users/citizens on privacy matters in order to minimize the unknowing populace, i.e. the "fodder" for shady data selling companies (like Facebook/Google), then you would have companies arguing undue interference with their businesses (I don't know the correct term). And my guess is that's the way big companies prefer it, since they can lobby easier when it's not laws but instead "education initiatives" and other fuzzy programs. And they could also counter-invest heavily in another set of "public education programs" where they could try to inform the users/citizens about how valuable they are when they don't understand/care about how their data is monetized. And with the advertising power/know-how these companies wield, that match would be easily won against some random government propaganda.
I could imagine a major ad campaign where this question is posted all over the city:
"What ethical boundaries do you think are being overstepped through advertising?
Think for yourselves, don't let the government tell you what to think!
Sincerely, your friends the advertising business"
That's a hard fucking question for me to answer concisely, so I won't do that. Sry.
Once upon a time, someone similarly pointed out that, if "they" wanted to improve vehicle safety, rather than mandating seat belts, air bags, and antilock brakes, they should just put an 8" long, razor sharp spike in the middle of the steering wheel---to make the dangers obvious.
The current state of data privacy doesn't even include the spike.
As you point out, education is a fine idea, but it isn't going to work if there is a major industry based on it not working.
And that provides a profiling oracle that can be used to determine data about individuals. Once they interact, you know. It's not even difficult to pull off.
Yes, just like your Safeway loyalty card or your credit card uses the data you give. Or your voting and comments on this website are used to determine how to treat you here. Or the analytical data you have on your website. Or Amazon.
Are you going to stop using all these services that track you some way or another?
Most digital companies wouldn't exist if they weren't allowed to use the data.
So instead of just blanket calling it something it isn't, and something that certainly isn't unique to FB or Google, why not actually discuss the fundamentals rather than scapegoating someone just because they are some of the most successful?
> Most digital companies wouldn't exist if they weren't allowed to use the data
This is a statement you're not possibly able to prove, and you've even left "the data" open, so you can quibble about the definition in future replies (despite the GDPR clearly giving one).
Terminating replies here due to the gross intellectual dishonesty; have a great night.
GDPR doesn't scapegoat anyone, it applies to anyone interacting with the EU or operating in the EU. The reason why Google/Facebook/Amazon are being mentioned is because they are the most obvious (and prolific) violators of user privacy. If we spent all our time mentioning all of the companies which violate user privacy on a systemic basis, we would never be able to get to the argument.
> Most digital companies wouldn't exist if they weren't allowed to use the data.
GDPR does not deny you the right to use user data, it regulates usage. This is such a ridiculous strawman that it doesn't even classify as a fallacy, it's just simply a lie.
> Are you going to stop using all these services that track you some way or another?
(I have stopped using many of the services you mentioned, but you're actually touching on the reason why regulation is necessary.) It is unreasonable to tell the general public they should stop using the internet if they want to maintain their privacy and dignity. And that's why there need to be regulations to provide protections for the general public when using a technology that is so central to the modern world.
Violations as defined in statute by the GDPR, which applies to anyone who collects PII on people within the EU. The ISP thing? I'd expect EU VPNs to start selling pretty well.
> Seems to come down to having to protect users from their own lack of understanding.
I had the impression that this is rather clearly regulated by the GDPR. A user has to consent to each use of her data. And you have to explain the use in an understandable way, no legalese. Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked). I don’t see how this could hurt any ethical business model.
If it's anything like the cookie consent, it will just be an annoyance and nobody will be anything wiser. The amount of "no clue what this is" among non technical people I know is 100%. But the EU pats itself on the back cause they're tackling privacy issues. It's a joke.
>>If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.
This arbitrarily limits the range of businesses that can exist. For the sake of people who value their privacy having nothing denied to them, it reduces the services available to everyone.
The rules involve "degradation of service", which is related to existing customers not new ones. So if you have a newspaper subscription and you request that they no longer use your data for a purpose, they cannot cancel your subscription or degrade your service (unless it is impossible to provide a service without said data).
But the GDPR itself is written in legalese. There are many interpretations like yours, but then, without a lawyer, it's a dangerous game to play. The cost of the lawyer may be prohibitive to some small businesses, let alone side-projects.
I'm actually pro-GDPR but this needs to be kept in mind.
This is a misunderstanding. Consent is only one acceptable legal basis for processing personal data under the GDPR. Almost everyone is going to use it as little as possible in future because of all the extra red tape involved. Ironically, that probably means a lot of organisations will now be straining to justify processing on some other basis and to minimise use of data subjects' explicit consent and exposure to the associated subject rights.
> Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked).
It's not that simple, because for example organisations may have legal obligations or legitimate interests in processing data about someone even though it may not be in that person's interest. Consider these:
[ ] I agree that my bank may keep records of the money I owe them.
[ ] I agree that the car rental firm may keep a record of me borrowing their vehicle.
[ ] I agree that the school where I'm applying for a job may do a background check before trusting me to look after kids.
Obviously there are many issues like this where consent for the data processing can't be voluntary and independent of everything else that is going on.
"I honestly thought this kind of reasoning was a right-wing caricature. No, it is not obvious that choices with risks attached should always be regulated away."
Speaking of false dichotomies...
I think you'll find that self-directed brokerage accounts have more regulations than checking accounts because they provide more opportunity to commit fraud.
You're completely ignoring the point of GDPR. The point is that users should be in control of their data, and when they give it to someone they have the right to know what it is used for and to be able to retract consent for its usage.
That might be the theory, but there may be unintended consequences in practice.
As others have said, introducing regulation always has a cost. In this case, the cost appears to be that a small side business that has been providing a useful service to the local community for several years will no longer be available.
It doesn't matter whether the business was actually violating the GDPR. It doesn't matter if the person running it misunderstood the new regulations and formed an exaggerated view about the potential risks. The end result is still that his service isn't there any more.
If there's demand for said service, then there will be some new enterprising individual who will try to provide it at a profit.
It apparently wasn't running at a profit even before these new overheads. It was essentially being provided as a gift to the community by the person running it, and that person is not prepared to accept what he perceives to be a lot of extra risk just for doing people a favour. Why then is it reasonable to assume that someone else will step in and be willing to provide the same benefit to others despite the additional overheads?
The level of risk and profit is going to adjust to the correct balance over time.
Again, why should we make such a strong assumption in general? Previous ill-judged regulation of tech industries by the EU hasn't gotten any better with time. They still haven't fixed the "cookie law", which must be on the short list for most useless and widely ridiculed law in history! More seriously, they still haven't fixed the VAT mess, which finished too many microbusinesses and caused significant damage to many more slightly larger ones.
If Amazon and FB make unethical tracking tools and you put them on the website, you are most definitely an accomplice to their acts.
"But it's such a small site/the person's side project" is all the more reason to stay away from this. Having a code of ethics where you end up using the most profitable option anyway is not a real code of ethics.
The point of ethical judgement is that it's _not_ the best choice by other factors.
How do you go from Amazon ads for ladders to unethical tracking tool?
He's not making a profit. Meaning he's actually paying out of pocket to allow neighbours to lend stuff to each other. Yet he's abandoned his code of ethics?
Sorry, I wasn't reading closely enough. I did not realize that the site might have been just affiliate links. I think affiliate links are not much of an issue, personally, mainly because they don't rely on tracking.
But many ads are those that track you across pages and use much of the same stuff as Facebook to show you products. So if you're uncomfortable with that, it's important to put pressure on that.
If he were just throwing up Google AdWords/FB ads or whatever, he would be participating in an ecosystem that is unethical for many. It's helping to support a good cause, but wouldn't it be nice to get good things without contributing to an unethical system in the process?
>>If he were just throwing up Google AdWords/FB ads or whatever he would be participating in an ecosystem that is unethical for many.
But likely in complete compliance with GDPR... As AdWords and FB Ads would be in compliance.
That is the entire point of laws like GDPR: it has nothing to do with user privacy and everything to do with ensuring there can be no competition to AdWords or FB in the future.
It's mind-boggling that people are trying to cast some Amazon affiliate links into a nefarious invasion of privacy. On the advertising scale, from 1 to late-90s, I'm-probably-going-to-catch-a-virus-from-a-shady-ActiveX-component, this is maybe a two.
> The GDPR isn’t really that hostile to small business and it doesn’t require an understanding of law. You can hire a data protection officer at a legal firm for almost nothing, and as long as you follow their advice on how to pass audits, you’re really not in trouble.
This. GDPR is a huge burden for small companies. The extra work for implementing the new GDPR requirements can completely halt any new development if you only have a small team of developers. For big companies the workload is relatively much smaller.
If your business model is based on something that will violate the GDPR, like Streetlend selling user data to advertisers, then should you really be opening that business in the first place?
The parent comment's point has been missed, or understood but not used. The point is that small companies which are valid must jump through significant hurdles to satisfy GDPR. Contracting an expensive DPO (are they going to be doing you a service in pricing or making out well) to set this up may be more than some small businesses can handle.
In the UK the ICO is the governing body, and they say I don't need one. From their guidance linked below
>The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.
I am neither a public authority nor do I carry out those certain types of activity.
> If your business model is based on something that will violate the GDPR,
That is COMPLETELY IRRELEVANT to what people are saying. If someone complains about me, am I obliged to defend myself? If I don't, am I subject to ruinous penalties? If I do and am victorious is the complainer required to compensate me for all of my costs?
I'm afraid I disagree entirely. If your business is aggregating data in order to sell more effective advertising then you are walking a line and need a lawyer. If your business is selling widgets and you collect personal details in order to complete orders then you are just going to have to write some documentation.
I can tell you as someone who is working in an old school retailer/wholesaler we are not, and neither is anyone we are talking to through various trade bodies, employing lawyers to do GDPR.
Actually, you can keep order data as it has to do with VAT law, but you have to keep it in line with GDPR... So it's not just writing some documentation, but rather making sure your data is secured using up-to-date technology, taking into account the state of the art, etc...
Lawyers can't help you with ambiguous laws very much as it takes precedents to make sure what the words mean.
Other way around. This business was opened half a decade ago, with users being perfectly fine with it (or it wouldn't have stuck around). The GDPR on the other hand has flown under the radar and only suddenly became a thing that service providers (generic "service", not "internet service providers") were made aware of in a legal context. So if we're raising eyebrows, it's at the EU and the GDPR. Not at sites that have operated to users' satisfaction for five+ years.
That's what they said about the EU VAT changes as well. "How are small businesses surprised by this new rule that comes into effect in under a month? We've been discussing it in committees they've never heard of somewhere in another country for years!"
The reality is that almost all businesses are small businesses, and most businesses are microbusinesses. These sorts of organisations don't have full time resources watching out for potential legal hurdles coming down the line in a few years. Many of them don't have full time resources at all.
It's ironic that a law where one of the main effects is to dramatically increase notification requirements has resulted in barely any media coverage and no notification from any official sources to any of my businesses yet. What media coverage there has been mostly seems to have been prompted by people being surprised by the sudden wave of privacy-related emails. So, how is this not going to be a surprise move for millions of small businesses if no-one did anything to tell them about it?
Please, I work for a "small" business and the management have been going on about it for months.
If you run a business and were not aware of GDPR then you are incompetent or employ people who are feeding you bad information.
Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.
> If you run a business and were not aware of GDPR then you are incompetent or employ people who are feeding you bad information.
Why? Most businesses are very small and don't have any sort of in-house legal team, and won't go actively looking for expensive external legal advice if they aren't aware that they have a need to.
> Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.
That is an entirely unfounded assumption. There is literally no relationship between being technically competent in protecting personal data, having a positive attitude towards respecting privacy, and being aware of new laws coming out of the EU.
Yes, and talks first started in 1996, and yet here we are today with massive problems because small businesses, and especially self-employed startups etc., don't have an on-call lawyer that knows everything about EU regulation. Or anyone. They won't have heard of this from anyone until it hit the news, only a few months ago. Is a few months enough to understand and become fully GDPR compliant? Probably not. Do you know all the EU laws currently in the works that are going to affect your website 5 years from now? Probably also not.
What about small companies that don’t sell data as a business model?
GDPR punishes the vast majority of businesses that do not have business models reliant on selling user data in favor of trying to catch the ones that do.
Unfortunately, I fear this regulation will do absolutely nothing to stop the bad actors from selling data as they do now.
That sort of depends if you were complying with the UK Data Protection Act (1998), or any of the other European acts stemming from the 1995 directive, already. GDPR is only an incremental step from there. It would appear that lots of people considered the DPA as optional, so yes, GDPR is quite a bit of work for them.
Google's and Facebook's manoeuvring to adapt to the GDPR gives a clear road map of the legal requirements. Bluntly, they're not that bad, and they're better for a new startup who can adapt to them from the ground up than an established venture who has to find new ways to make money.
The reporting requirements of the GDPR can be large, but for most companies most of the time you're dealing with a relatively unchallenging piece of legislation. Most of the requirements are just to be able to explain what happens with user data and handle sporadic deletion requests. Loosely connected, separately stored, IDs are the solution to this (pseudonymization). It's a different style of development, but far from tricky. That's systems development, not legal.
This is a legitimate threat to startups reselling user data and overly friendly web-tracking solutions, yeah. To them I say "boo-hoo". For the rest of us? IT regulation with legal teeth is a promising indicator for IT companies. There are more of "them" than there are of "us", and if our legal issues are getting play that means our salesmen will also get play.
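The "loosely connected, separately stored IDs" design mentioned above, as an added illustration that is not code from the thread: personal details live in one table keyed by a random pseudonym, operational records reference only that pseudonym, and an erasure request removes the identity row so the remaining records are no longer linkable to a person. All names here (`PseudonymizedStore`, the sample user) are constructed for the example.

```python
"""Pseudonymization sketch for handling GDPR deletion/export requests.

Layout (constructed for this example):
  identities: pseudonym -> identifying details (the ONLY place PII is stored)
  index:      email -> pseudonym (lookup without scanning the PII table)
  records:    pseudonym -> operational rows that must contain no PII
"""
import secrets
from dataclasses import dataclass, field

# Fields that count as directly identifying; records may never carry them.
PII_KEYS = {"email", "name", "postcode", "phone", "address"}


@dataclass
class PseudonymizedStore:
    identities: dict = field(default_factory=dict)
    index: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)

    def register(self, email: str, name: str, postcode: str) -> str:
        """Create a user and return the pseudonym used by all other tables."""
        if email in self.index:
            raise ValueError("already registered")
        # Random token: not derived from PII, so it cannot be reversed or
        # recomputed from the email once the identity row is gone.
        pseudonym = secrets.token_hex(16)
        self.identities[pseudonym] = {
            "email": email, "name": name, "postcode": postcode,
        }
        self.index[email] = pseudonym
        self.records[pseudonym] = []
        return pseudonym

    def add_record(self, pseudonym: str, **row) -> None:
        """Store an operational row (e.g. a lending event) keyed by pseudonym."""
        leaked = PII_KEYS & set(row)
        if leaked:
            # Guard the separation: PII belongs in identities only, otherwise
            # the records stay personal data after an erasure.
            raise ValueError(f"PII not allowed in records: {sorted(leaked)}")
        self.records.setdefault(pseudonym, []).append(dict(row))

    def export(self, email: str) -> dict:
        """Subject access request: join identity and records for one person."""
        pseudonym = self.index[email]
        return {
            "identity": dict(self.identities[pseudonym]),
            "records": list(self.records.get(pseudonym, [])),
        }

    def erase(self, email: str, keep_records: bool = True) -> str:
        """Erasure request: drop the identity row and the email index entry.

        keep_records=True leaves the now-unlinkable operational rows in place
        (e.g. where another law requires retaining transaction history);
        keep_records=False removes them as well.
        """
        pseudonym = self.index.pop(email)
        del self.identities[pseudonym]
        if not keep_records:
            self.records.pop(pseudonym, None)
        return pseudonym

    def is_linkable(self, pseudonym: str) -> bool:
        """True while the pseudonym can still be tied back to a person."""
        return pseudonym in self.identities


def demo() -> dict:
    """Register a constructed user, record an event, export, then erase."""
    store = PseudonymizedStore()
    p = store.register("alice@example.com", "Alice", "SW1A")
    store.add_record(p, item="ladder", action="lend")
    before = store.export("alice@example.com")
    store.erase("alice@example.com")
    return {
        "export_records": before["records"],
        "linkable_after_erase": store.is_linkable(p),
        "records_kept": store.records[p],
    }


if __name__ == "__main__":
    print(demo())
```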
I know you didn't intend to, but you've nailed the problem: the ambiguity and doubt. Most (<100%) * most (<100%) is a fraction times a fraction, never a good equation if the upside is low.
I doubt the StreetLend dude made much cash out of this project, so why bother? It was likely just a convenient excuse to kill a side project that had little value that sucked a lot of time, but still, the ambiguity no doubt helped push him towards this outcome.
The penalties for noncompliance are supposed to be “effective, proportionate and dissuasive”, and can start off with warnings. The law only has the headline figures as upper limits (plus damages, IIUC).
This doesn’t feel particularly onerous, especially as any good business plan will include getting public liability insurance for inevitable occasional serious mistakes.
In my business's case, EU revenue was <1% of gross.
Even though we never resell, mine, or monetize data, the increased risk of legal action was not acceptable to us.
Have you ever filed a claim on an insurance policy? Your premium will certainly go up next time that policy is up for renewal.
It’s unfortunate for our users. They’re quite upset that we’ve decided to drop all EU customers. But, we’re not willing to take on any additional risk for such a small revenue source.
Your call. IIUC, it covers EU citizens not just residents. I only mention this because the way you phrased that sounds like you’re dropping the region, not just the nationalities.
1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.
2. If the Data Subject moves out of the EU border and, say, becomes an expat, or goes on holiday, then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.
Luckily, my organization is not “established” in the EU.
Doesn't seem true on the ground. There aren't even many consultancy opportunities getting companies GDPR-ready. 99.99% of companies are managing just fine getting someone to skim the rules and make some guidelines to put with all the other guidelines and internal docs they already have in a big binder.
It's only the end-user-is-product companies that have to have armies of lawyers, and that is no bad thing surely?
> It's only the end-user-is-product companies that have to have armies of lawyers, and that is no bad thing surely?
Note that you're on a site pretty much dedicated to the ongoing viability of end-user-is-product companies, hence the backlash here. My experience, same as yours, is that anyone who provides a service for money isn't having any difficulty at all complying with the GDPR.
On the contrary I think that without any regulation, Google and Facebook are able to completely entrench themselves and take advantage of us all in the process.
The issue is that after Google and Facebook has abused users' data for so long and made so many tens of billions of dollars from that abuse, they're now allowed to keep that money, so they have a huge head-start on anyone else who can't abuse users' data anymore.
The law is needed, otherwise everyone would continue to abuse users' data more and more. So that's clearly not the solution. The ideal solution is fining both Google and Facebook for all the money they've made from that abuse from at least the past 5 years, to level the playing field.
People say that capitalism is the "worst economic system, except for all the others", and that's true. But one of the main issues with capitalism and why it gets to be so broken in the end, is that when companies abuse their powers, the punishment almost never fits the crime. If it did, I think capitalism would be a much more optimal economic system. I think this is by far the biggest issue.
As an example, Intel made tens of billions from anti-competitive moves against AMD, and it was only fined $1.4 billion, a fine that's still under dispute even a decade later (Intel has yet to pay it).
Samsung, and other memory makers have been caught at least once in the past, and now again, doing price fixing. But the fine was and likely will be again much smaller than the profits they made.
Then we have the big banks, which also made a ton of money from screwing people over, and again they were fined at "record levels" but still much less than they made in profits.
This is how the incumbents keep getting ahead of the others, even when stronger regulations pass - they never have to truly pay for the crime they did in the past, and they get to keep 95% of their profits from that crime. That isn't how things should work - the governments should take all of the profits they made from the crime and the fine should be added on top of that. If a company grows 10x in size in a decade from abusing some law and consumers, then the governments should absolutely take back 90% of its size when it's punished later. That's the deterrent.
Now in regards to privacy, the laws weren't that strong before, and I don't really believe in punishing people or companies for laws that didn't exist, which is why governments need to be much more vigilant from the birth of new industries, and not wait until they are mature and most damage has already been done.
Maybe my solutions are a little too extreme, but I do believe more needs to be done compared to what governments are doing now. We can't just let companies get away with almost all the profits they made from abusing consumers.
Also, there need to be stronger anti-merger laws. That's for sure. We almost never need to let companies merge, and if they do merge, that almost always ends up not being in the consumers' favor. If some companies can't compete on their own anymore, then so be it - let them go bankrupt. The rest will either become stronger, or new entrants will appear. I think that's still preferable over allowing them to "survive" under a bigger company. Let the creative destruction flourish in the market, as it's supposed to.
>The ideal solution is fining both Google and Facebook for all the money they've made from that abuse from at least the past 5 years, to level the playing field.
Probably not far enough. You need to outright shut them down, put them in a prison of sorts, fine them, and then let them continue operating after their term is up. Do not let them sell, do not let them split. But people will lose jobs, ads will be taken out to fight it, and it will be held up in court for far too long. Google and such have ingrained themselves in a way that to properly punish them for their actions is not politically tenable, because the only fitting punishment would destroy these companies and cause significant economic harm.
All of the data was taken without consent. The user might have clicked some 'I agree' checkbox, but they were not in a position to give consent. We could, to compare it to other similar issues involving lack of consent, call it statutory data theft.
No, it wasn't taken. You give over the use of that data to FB when you use their service. Just like you do when you get a loyalty card in Safeway or pay with your credit card.
Calling that stolen is mixing your personal opinions with facts.
If what it says on the blog is correct then he is using affiliate links for amazon for similar products to what you search.
At its core it is the most ethical way a free service can make money (aside from donations).
He isn't selling the data or showing personally targeted ads. (Of course it could be using some amazon plugin that does it anyway for convenience or from ignorance, but he can do it without it through amazon apis)
> Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.
Founder here. Streetlend never passed personal data to Amazon. It used the search term eg “ladder” and showed ladders on sale from Amazon. No personal data was passed.
Then what's the problem? I have to be honest here, this smells far more of FUD than anything based in reality. Nothing in the linked post is talking about anything which the GDPR makes harder.
Unless you're doing something shady with user data (and you _know_ if you are) the GDPR essentially comprises having _some way_ of giving a user all the data you store on them, and _some way_ of deleting that data.
In this case both of those appear trivial to automate, and even more trivial to just do if somebody actually wants those things. Shit, dropping email login and only accepting federated auth would get you there in one step, unless you're doing things you're not saying.
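The two things the comment above calls trivial to automate, an export of everything held on a user and a deletion, as an added example that is not Streetlend's code or anything else from the thread. The design assumption is mine: a per-user secret is generated at signup, and request records kept for spam and DDoS mitigation are stored only as HMACs under that secret, so that erasing the secret leaves the retained rows unlinkable to anyone instead of forcing a choice between deleting the abuse log and keeping personal data. All names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


class UserStore:
    """In-memory stand-in for a small site's user table (constructed for this example)."""

    def __init__(self) -> None:
        self.profiles: dict[str, dict] = {}   # user_id -> name/email/address
        self.keys: dict[str, bytes] = {}      # user_id -> per-user HMAC secret (assumed design)
        self.activity: list[dict] = []        # request log retained for spam/DDoS mitigation

    def create_user(self, user_id: str, name: str, email: str, address: str) -> None:
        self.keys[user_id] = secrets.token_bytes(32)
        self.profiles[user_id] = {"name": name, "email": email, "address": address}

    def _pseudonym(self, user_id: str, value: str) -> str:
        # Keyed hash: without the per-user secret the digest can neither be
        # recomputed nor brute-forced back to the user id or IP address.
        return hmac.new(self.keys[user_id], value.encode(), hashlib.sha256).hexdigest()

    def record_request(self, user_id: str, client_ip: str) -> None:
        # Only pseudonyms are stored. Rate limiting still works while the user
        # exists, because equal inputs give equal digests.
        self.activity.append({
            "subject": self._pseudonym(user_id, user_id),
            "source": self._pseudonym(user_id, client_ip),
        })

    def linked_activity(self, user_id: str) -> list[dict]:
        """Activity rows that can still be attributed to this user."""
        if user_id not in self.keys:
            return []
        tag = self._pseudonym(user_id, user_id)
        return [row for row in self.activity if hmac.compare_digest(row["subject"], tag)]

    def export(self, user_id: str) -> Optional[str]:
        """Subject-access export: everything still attributable to the user, as JSON."""
        if user_id not in self.profiles:
            return None
        return json.dumps({"profile": self.profiles[user_id],
                           "activity": self.linked_activity(user_id)}, indent=2)

    def erase(self, user_id: str) -> int:
        """Delete the profile and the per-user secret. Activity rows stay for
        abuse mitigation but can no longer be tied to anyone; returns how many
        rows became unlinkable."""
        unlinked = len(self.linked_activity(user_id))
        self.profiles.pop(user_id, None)
        self.keys.pop(user_id, None)
        return unlinked


if __name__ == "__main__":
    store = UserStore()
    store.create_user("u1", "Alice Example", "alice@example.org", "1 Example Street")
    store.record_request("u1", "203.0.113.7")
    store.record_request("u1", "203.0.113.7")
    print(store.export("u1"))
    print("rows made unlinkable:", store.erase("u1"))
    print("export after erasure:", store.export("u1"))
    print("rows retained:", len(store.activity))
```

The check a practitioner should run after writing the erasure path is the one at the end: the raw IP never appears in the store, and after `erase` the rows are still there for rate limiting but `linked_activity` and `export` return nothing for that user. Copies handed to third parties (analytics, affiliate networks, backups) are outside this store and need their own deletion path.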
You're acting like you know exactly how to comply with GDPR, while using the term "essentially" to admit that you don't know 100%. Meanwhile you're faulting someone who runs a non-profitable community project for expressing realistic fears over what the law could do to him, because he isn't sure what risk it lays on him.
I've been running websites and doing IT for a long time. I've spent at least 10 hours on my employer's dime reading about GDPR and trying to figure it out. There's a lot of ambiguity. We're in the US, we don't do a lot in Europe, so we're at less risk, and my conclusion was that we're small enough (while MUCH bigger than Streetlend) that we're not going to be a target while some of the ambiguities get worked out in courts. This poor guy has no protections.
The place I work does actually store personal data for a variety of reasons, and we also work for a bunch of other companies that do, and the path to GDPR compliance hasn't been painful. The biggest issue is, as you say, research, but if the sum of your data storage is an email address, a name, and a physical address, then you're hardly falling into any of the nuanced cases.
I'm not faulting the person, I'm just saying the response doesn't seem founded in firm reasoning, but in (self-admitted, by the link!) "I need to look into this but I haven't, so we're shutting down". This isn't a newsworthy event or "proof the GDPR ruins businesses".
Because looking into it takes time and effort? Even if he looks into it and finds ambiguity then, if he cares enough, he'd need to talk to lawyer, which may cost money.
> This isn't a newsworthy event or "proof the GDPR ruins businesses".
It is an anecdote that complying with a far-reaching and ambiguous law has real consequences.
> that we're not going to be a target while some of the ambiguities get worked out in courts.
I posited this to our counsel when discussing what to do about GDPR. He cautioned that he’s seen investigations start due to a nosey bureaucrat.
I don’t know if your product is public facing, but if it is, all it takes is a single sufficiently powerful government employee to get curious about your business and start asking questions.
Even if you’re not doing anything wrong, having to engage counsel to respond to the government could get pricey.
Clearly you have no understanding of how any legal system in the world works if you believe only people that are guilty of violating the law are sued and ruined by the law.
Indeed it is. We engaged our legal counsel (top 5 global firm in the tech space) to help us understand its impact on us. Even the firm’s “expert” on GDPR still had unanswered questions saying that many nuances will have to be fought out in the courts. That’s not an acceptable risk to my small business.
Laws like GDPR are written in such a way that makes them open to "legal trolls". In the US we have several of these laws that are routinely used to extort settlements out of small business. These laws are generally viewed as good laws with good intentions but because of their poor wording are open to massive interpretation and thus abuse.
Patent, Copyright and Disability Access laws in the US are two examples of laws commonly abused for this type of behavior.
The problem is that the legal system in most nations is set up in a way that gives the guilty and the wealthy an advantage over the innocent with limited resources.
Laws and Legal Systems should be
1. Very Specific and not open to interpretation
2. Have options for "settlement" as this rewards the guilty, and harms the innocent
3. Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses as a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access
4. All Civil Cases must have to show Actual Damages not Theoretical Damages
> Laws like GDPR are written in such away that make them open to "legal trolls"
Except with GDPR all you could do is report them to the member states governing body. So no trolling.
> Very Specific and not open to interpretation
Except this makes them inflexible and leads to them having to be constantly redrafted. So no use to the world of the HN.
> Have options for "settlement" as this rewards the guilty, and harms the innocent
GDPR is between you and the regulator, they already do this work and the whole aim of the process is to stop you doing bad things. A fine is a late step in the process for organisations who won't listen.
> Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses as a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access
Is off topic when it comes to GDPR, see my previous answers
> All Civil Cases must have to show Actual Damages not Theoretical Damages
Again off topic with GDPR, but in the UK that is how damages works already, isn't it?
>> You can hire a data protection officer at a legal firm for almost nothing
What? Define almost nothing. For small businesses it is wishful thinking that they can hire anybody from a legal firm. They probably don't even have a lawyer or a legal department as they can't afford such luxury.
> But do you remember when the EU outlawed environmentally shitty lightbulbs and everyone said we were going dark because it was impossible to do anything else? Today 95% of lightbulbs are LEDs because of that.
And now we are finding out LED lights are bad for our eyes and our sleep, so we may go blind sooner and die sooner.
Ok that might be a bit extreme, and besides there is an efficient incandescent tech that will probably come back and save us (and you can argue the EU helped that too)... but my point is the EU has good intents but their creations seem polarised into either extremely preemptive or extremely reflexive and are often premature and poorly thought out, fighting for something for the people but often without thought for how they will directly hurt the people.
For tech the EU isn't exactly unique in this respect though, the UK for instance recently tried to enact some pretty ridiculous laws that undermine basic technologies that make the internet work.
"From the description Streetlend didn’t violate the GDPR in concept though. Addresses are public record, available in public databases, and there is nothing stopping you from doing lending eBay. All it needed to do was clear its records every 6 months and let people delete their accounts."
> But the comment you commented on said:
"The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous)."
The issue seems to be that the resources required to resolve a delta - from Streetlend's pov - are perceived as excessive. Too much risk; not enough reward.
Look at what happened with Thiel and Gawker. Right or wrong is irrelevant if the opposition has deeper pockets and can bleed you to death (in legal fees).
> Startups will find a way to make money that isn’t selling your data.
Perhaps, that could be true. But plenty will not want to be caught in the crossfire in the meantime. And that too is a biz decision.
Unfortunately there is no more site to prove it, but I would imagine something like this. GDPR on its own shouldn't be a problem for Streetlend, there was something more, users' data related and how to make money off them.
You have to identify your data class which takes a lawyer. You have to assure that no data is held longer than 48 hours even telemetry without providing an export and delete function. You have to support level 4 data requests which will take a lawyer.
Just like all regulation it's very doable but it's way more cost effective for the big players.
Could you share the name of a legal firm charging ‘almost nothing’ for a data protection officer? Because the ones I’m finding definitely cost more than ‘almost nothing.’
Ugh, sorry but no, the EU can't claim any credit for the success of LED lightbulbs.
They can take some credit for the dim and dimmer mercury containing CFLs, and the ludicrously expensive and somewhat unreliable early LEDs, if they like.
Here in the US you mostly see fluorescent energy saving bulbs, even though incandescent bulbs are widely available in the pharmacies and in the supermarkets. And that is because they are cheaper to operate: the market decided that, rather than a regulator.
>Startups will find a way to make money that isn’t selling your data.
It's hard to argue with statements like that. What if they don't? There are plenty of startups providing extremely valuable or fun services (like flightradar24 for example) that are supported by ads. After GM, Ford and Chrysler there were basically no successful auto startups in the US for 70 years.
This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.
> And that is because they are cheaper to operate: the market decided that, rather than a regulator.
This is not true. The US has parallel regulation that encourages the phase out of incandescent bulbs [1]. True to form it's a lot weaker than the EU regulation but it sends the same message.
> This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.
This is not true. In fact the GDPR makes it clear that for small businesses (<250 employees) most of the control burden is relieved.
Both the US and EU regulations were widely flouted; it was easy to get incandescent bulbs in practice. There's actually one in the room I'm in now for the simple reason that getting any other kind of bulb to work with dimmers was a nightmare; until a year or so ago, nearly all the dimmers sold in the UK were designed for incandescent bulbs only. The EU had, and still has, no interest in actually fixing this. Instead of making LED bulbs more practical to use they plan to crack down even more strictly on the alternatives, including new efficiency restrictions that effectively ban most stage lighting used by theatres and concerts.
I got some LED bulbs recently that are all glass, so they look exactly like incandescents, they have the same color temperature as "warm white" incandescents (i.e. 2700K), they are as bright or brighter than the incandescents they replace (800 lumens) and they are $1 apiece in quantities of 2. This may be an aberration, but it has certainly made me certain that I should always search for good and cheap LEDs in the future, and not waste time with any other type.
I also found some LED bulbs that have simulated filaments inside clear bulbs for an old-fashioned look, and again the incandescent color temperature.
I've even found cheap LED replacement bulbs for the various interior lights in my car that look just like incandescents.
So I think it's kind of passé to be debating LEDs at this point.
Have you found an LED replacement for the light in your oven?
As far as I'm aware, those are all still incandescent, simply due to the temperatures involved.
I'm not sure you grasp how poor the LED situation is over here in the UK. Some of the other light fixtures here have similar glass LED bulbs (non-dimmable, naturally) and they're pretty decent replacements for incandescents so long as you can live with the limitations - they're also discontinued and cost several times that price when they were available. The only place I can find selling something similar is charging £5.50 (about $7.50) per bulb for something off-brand, though I guess at least that claims to be dimmable: https://www.toolstation.com/shop/p95506 The last off-brand LED bulb I got from there died after about a month mind you.
1. This regulation is specifically (deliberately?) anti small business. If your revenue is less than €20m their fine is up to €20m, i.e. can be 100% of your revenue, meaning bankruptcy. If your revenue is greater than €500m, your fine is capped at only 4% of your revenue, i.e. an acceptable fluctuation. It's worse than a regressive tax.
2. China also has many regulations. Instead of trying to extend their jurisdiction to foreign sites, they simply block them. I thought about this and I actually prefer the Chinese non-expansionist model: I would rather outsource due diligence to the Chinese government than hire expensive EU lawyers and then implement EU specific blocks.
FYI we do not collect any data other than for spam and DDoS attack mitigation, but apparently if you have any third party code in your site like ads you have to subject all of that to this expensive audit.
Well meaning regulation like this written by people who have never created anything practical in their lives other than regulations illustrates why entrepreneurship in modern Europe is nearly impossible.
> If your revenue is less than €20m their fine is flat €20m
Rubbish, this is just spreading FUD.
From the UK ICO: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."
Look at the track record of the UK ICO - how many small businesses and side gigs have been fined £500k? How many businesses of any type have been fined the current maximum of £500k?
So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?
It's scaremongering to assume that a country would enforce the letter of the law? I am not a lawyer, how can I tell when a judge will or will not enforce a ridiculous law? After all, England almost jailed someone for training their dog to give the Hitler salute or for posting something mean on Facebook.
Is it scaremongering to assume the maximum fine? Of course - years of legal precedent for current DPA clearly demonstrates this. If the track record showed hundreds of small business people rendered destitute thanks to half million fines it wouldn't be, but it doesn't. It's a maximum not a fixed penalty as one would typically get for a parking offence. If they're not fining anyone £500k why are they going to suddenly fine everyone £17m?
Even TalkTalk were only fined £400k for the most ridiculous incompetence leading to 4 breaches in 18 months and failing SQL injection 101. They make profit in the tens of millions yet still didn't hit the maximum (They should have in my opinion). I think at the time that was the largest penalty yet issued.
Same goes for other data protection bodies across the EU - there will be few instances of maximum penalty under current data protection. I'm sure some countries have never imposed the current maximum.
nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.
>> nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.
That's the most interesting thing about the GDPR. While some developers are picking up their ball and huffing off home, others are actually 100% behind the regulation.
It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
> It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
Or the competitors' software.
Consider some business that was doing what GDPR requires already: users could delete their data, they could request a complete copy of it as well as an explanation what it is used for, and it was only used for defined purposes that the user signed off prior anyway.
Sadly, that reduces flexibility somewhat, but they're doing it because they consider it the right thing.
For them, GDPR levels the playing field and makes sure that they never have to stray from this conduct just to remain competitive with companies that aren't so nice to their users.
> It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data. I also don't believe that data about me is data I own. To me, the gdpr feels ineffective at the real issues causing me harm (leaked info) and also a giant burden on companies that fundamentally changes how the industry has worked, but in a way that quite frankly, doesn't make any sense to me. The data about my order isn't my data to control.
>Nothing about the gdpr solves the problems of companies having insecure systems
It doesn't directly prevent insecure systems, but discouraging companies from storing information they don't need and transferring it on to third parties for whatever reason they feel like massively reduces most people's exposure to this risk.
>The data about my order isn't my data to control.
If you believe people have a right to privacy, then you believe they have a right to decide who gets to know what information about them.
"Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data."
Requiring disclosure of a breach within 3 days of it happening, as opposed to the several months that is commonplace now, is a big help.
"I also don't believe that data about me is data I own."
Everyone disagrees on this point. Right now, Europe says the opposite.
"also a giant burden on companies that fundamentally changes how the industry has worked"
Good. Currently the industry is geared to suck up every last bit of user data like a vacuum, regardless of whether it's actually needed, so they can sell it. This has gone on for far too long, and I'm glad to see the industry hopefully move away from it.
Probably in part because it's exactly those developers that see how easy it is to leak data to third parties that won't respect it at all and will track the everliving shit out of it.
I'm fully behind the GDPR. It might not be perfect, but I've read the law and it's surprisingly straightforward and sane.
I started writing a lengthy reply, but instead let me ask you this: why would a service be privileged to do anything with your data that they did not ask you for permission to do?
Interesting part for me is the hilarious FUD where we got none when DPA came in. A good part of GDPR is already here with EU Data Protection Acts and what constitutes personal data is much the same. Many of the Kafkaesque and corruption scenarios should be possible under DPA and other laws yet haven't been happening.
GDPR increases maximum penalty to be high enough that it could be a penalty to a Google or Facebook for a serious, wilful, breach of regs, in an environment where the tiniest fraction of reported cases get any fine at all (16 of 17,300 reports for 2017 in the UK) let alone the maximum. Internet now certain that one man software companies and hobbyists with non-commercial regex sites will receive £17m fines, every time and it will be used as a stick to beat one's political enemies with or, most comically of all, pay for local infrastructure improvements.
I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data. Just a reasonable effort to enhance DPA taking into account new techniques and misuses of data. Deletion for everyone, not just a minority - thanks to FB et al feeling it's fine to never delete, and run shadow profiles on all. The highest penalty will be saved for the most offensive cases involving multi-nationals. It will be interesting in a few years to see how many maximum fines have been levied. My bet is none at all, once or twice if there's an especially egregious breach from an Amazon or Google.
I've little doubt that just as I feel more should have attracted fines under DPA I'll feel more should have got GDPR fines.
>> I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data.
My intuition is that the people who complain are that fraction of developers who actually care about their profits more than their users' privacy.
I'm sure that's a big part of it when every app wants to do a data grab. I'm also left thinking US law doesn't really do proportionate after a few of these discussions! :)
For us in Europe 20 years of DPA must help - I doubt there's many here would want to go back to pre-data protection.
So you did the research and found out that England probably won't endorse a law to the fullest extent. My point is that a simple tech guy building a company won't know that statistic and how it relates to their specific case.
If I tell you that the maximum sentence in the UK for possession of marijuana is 5 years in prison or an unlimited fine, are you going to tell me that everybody who's ever been caught with marijuana has been thrown in prison for half a decade or bankrupted?
No, in fact, most people get served with nothing more than a formal caution or a £90 fine. This is normal - this is how the law works in this country. Anyone who doesn't understand this hasn't even been paying attention to the lowest-common-denominator newspapers, which are constantly screeching about how people usually don't get anything close to maximum sentencing.
Well then your “side project website” is unsustainable.
It’s not complex - we don’t let people get away with flouting regulation because it’s burdensome. “It would make me unprofitable” is not a valid reason to ignore health and safety laws, or hygiene laws.
“I just want to run a food truck as a side project but not care about making people sick or not” is obviously ludicrous. Why is personal data somehow fair game?
Just because you are not making revenue doesn’t mean that you don’t have to abide by regulation. The GDPR is intended to solve a very real and present issue; if you run a side project that deals with personal data, then the fact that it makes no money doesn’t mean that your mistreatment of personal data isn’t harmful!
You can. You just need to think about it and have the correct controls in place.
If you choose to block all EU IPs instead of implementing the most basic data security and retention policies, then it’s for the best that EU users are not able to use your compromised service.
You cannot force peers of any decentralized distributed system to forget data. They can pretend to and appear as compliant peers and yet retain the data.
That is also PII being used for the purpose it was collected for (identifying a contributor) and I believe falls under Art.6(1)(f) of the GDPR. You would likely have a hard time convincing anybody that you can apply the right to be forgotten to a git repo - especially as that particular processing can be argued to not be requiring consent once you have submitted your commits.
The author details are not necessary for the core function of git; the change itself does not need the PII. Moreover, my concern is general for when PII is in such a distributed system; git is just one example of many.
I've always felt that git is poorly designed for that reason. At the very least, there should be an "identity block" that commits etc point into, rather than embedding names, emails, and other identity information into immutable commits. Under GDPR, that's how it would've been designed in the first place. Of course, this'll never happen without a complete fork of git.
Once you've got that sorted and you can change/remove identity information, the likes of GitHub have no issue so long as they have GDPR-compliant contracts with any business partners who can access git repos. Obviously, anyone using GitHub who decides to store all identity data forever is, generally speaking, not GitHub's problem, same as someone who noted down the names of all their friends on Facebook isn't Facebook's problem.
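The immutability point made in the last few comments, worked through as an added example that is neither git's own code nor anything posted in the thread. The object encoding in `git_object_id` and `git_commit` is git's real format (a sha1 over `"<kind> <len>\0"` plus the body), which is why the author string cannot be removed from a commit without changing its id and the id of every descendant. The `author-ref` variant at the end is the hypothetical "identity block" design from the comment above, not an existing git feature; the tree id is git's well-known empty tree, and the names, e-mails and timestamp are constructed.

```python
import hashlib
from typing import Optional

# Constructed, fixed inputs so the ids are repeatable.
TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"   # git's empty tree id
WHEN = "1526500000 +0000"


def git_object_id(kind: bytes, body: bytes) -> str:
    """Object id exactly as git computes it: sha1(b"<kind> <len>\\0" + body)."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def git_commit(parent: Optional[str], author_line: str, message: str) -> str:
    """Serialise a commit in git's text format and return its id.
    The author/committer lines are part of the hashed body."""
    lines = [f"tree {TREE}"]
    if parent:
        lines.append(f"parent {parent}")
    lines.append(f"author {author_line} {WHEN}")
    lines.append(f"committer {author_line} {WHEN}")
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id(b"commit", body)


def build_chain(commits: list) -> list:
    """commits: [(author_line, message), ...] oldest first. Returns commit ids.
    Each commit embeds its parent's id, so an id depends on all earlier commits."""
    ids, parent = [], None
    for author_line, message in commits:
        parent = git_commit(parent, author_line, message)
        ids.append(parent)
    return ids


def ids_changed_by_rewrite(commits: list, index: int, new_author: str) -> list:
    """Rewrite the author of commits[index] and report, per commit, whether its
    id changed. Every descendant changes too: 'forgetting' an author in a repo
    that has been cloned means every peer must rewrite history as well."""
    before = build_chain(commits)
    rewritten = list(commits)
    rewritten[index] = (new_author, commits[index][1])
    after = build_chain(rewritten)
    return [old != new for old, new in zip(before, after)]


# Hypothetical identity-indirection variant (not git): the commit carries only an
# opaque reference, and name/e-mail live in a separate, mutable table.
def indirect_commit(parent: Optional[str], author_ref: str, message: str) -> str:
    lines = [f"tree {TREE}"]
    if parent:
        lines.append(f"parent {parent}")
    lines.append(f"author-ref {author_ref} {WHEN}")
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id(b"commit", body)


def erase_identity(identities: dict, author_ref: str) -> None:
    """Erasure touches only the mapping; every commit id stays valid."""
    identities.pop(author_ref, None)


if __name__ == "__main__":
    alice = "Alice Example <alice@example.org>"   # constructed identities
    bob = "Bob Example <bob@example.org>"
    history = [(alice, "init"), (bob, "add README"), (alice, "fix typo")]
    print(ids_changed_by_rewrite(history, 1, "Anon <anon@invalid>"))

    identities = {"id-1": alice}
    first = indirect_commit(None, "id-1", "init")
    erase_identity(identities, "id-1")
    print(first == indirect_commit(None, "id-1", "init"), identities.get("id-1"))
```

Rewriting the middle commit's author leaves the first id alone and changes the second and third; rewriting the first changes all three. With the indirection the commit id is unaffected by erasing the mapping, which is the property the comment argues git would have needed from the start. The trade-off is that anyone holding a copy of the mapping table keeps the identity anyway, so the indirection only helps if the table is held by fewer parties than the repository.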
> I've always felt that git is poorly designed for that reason. At the very least, there should be an "identity block" that commits etc point into, rather than embedding names, emails, and other identity information into immutable commits.
So the GDPR is entirely irrelevant because we could just give fake details to companies? And giving correct details to anyone, ever, is in fact “misuse”? That’s not how the law works, nor is it how it should work.
Laws that are stupid and not widely enforced because they are stupid are damaging to the entire concept of law. Particularly if they can hang over like a sword of Damocles if you piss off the wrong people.
The law will be enforced, just as current data protection is.
The law can be enforced without every case attracting the maximum penalty. That's why nearly every law has a range of penalties.
Accidental and minor breaches can attract a minor penalty or a letter asking you try harder. Wilful and repeated breaches affecting many customers will attract harsher penalties.
Same goes for speeding offences - go 40 in a 30 limit, get a fixed penalty ticket. Go 140 with the GoPro race footage of you and your buddy posted to Twitter, expect a much larger fine and a driving ban.
In neither instance is it not enforced, or damaging to the concept of law.
I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
What @megaman22 is saying fully matches my experience as an Eastern European -- piss off the wrong people and the law will fall on you with its full might. Some people would really love to make an example out of you if you give them the chance. And I don't think that only applies to E.E. but have no data either way, it's just an observation from news and hearsay from affected people around here.
I fully support the GDPR and I'll do my utmost to comply with it even for hobby projects.
That was never something I disputed in my root comment that spawned this big sub-thread.
What I said and will continue saying is -- laws like these open even more doors for legal trolls, big players and nasty competitors to exhaust you out of business. The fact that it doesn't happen on a massive scale in my eyes means nothing; or rather, it means that agents used as an example to scare off others isn't something that's done often because usually just a few lawsuits and their aftermath are plenty enough for those many others to get the message.
So IMO using statistics here is not a strong enough argument. I am not trying to alter your thinking. We actually agree on most points but I simply can't agree that past statistics are a good proof that the new law won't be used in a more heavy-handed manner than originally intended.
To me, that remains to be seen yet and none of us can claim with certainty that what seems likely to them will materialize.
Almost missed this thanks to the incorrectly flagged message up thread.
> I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
You may be right in our chances of agreement!
I see a judiciary separate from state which is more than happy to put politicians back in their box when they introduce bad or overreaching law. Governments of all colours complain about the judiciary and Lords here in the UK - which I see as proof that the separation basically still works. I see data protection bodies that are separate from government and politics. I see occasional stories of record fines or breaches from mainly Western Europe and talk to friends and conclude small business and solo developers are not being fined or trolled into oblivion in nearby countries either. Yet EU DPA is most of what GDPR is with smaller maximum fines. Why isn't the disaster scenario you foresee already happening with current DPA and other laws? Why are so few fined for breaches and only the most extreme cases getting fines?
I'm less aware of justice systems further east and yes it's obvious that former Soviet bloc are going to be rightly more sensitive to and concerned about corruption. I'm also not aware how successfully that's been left behind from adopting EU laws and years of membership. That said, reading the pieces that turn up on HN it seems that the US is the one with problems of corruption in the justice system currently. No doubt that's also unrepresentative thanks to what's being shared about a vast nation.
So, the legal trolls - it's going to be registrars and data protection bodies bringing cases or seeking sanctions. Just like happens with current DPA. This does not appear to be akin, or anywhere near, the US DMCA where large media companies massively abuse takedowns via automated software and triggering numerous trivial errors. I don't see the scope to exhaust someone out of business - yet it's clearly easy with DMCA. There's nothing a Sony can abuse to pick on a little guy with GDPR - they can report me to the registrar.
You're right that it remains to be seen, but I sincerely doubt our data protection bodies are suddenly going to break out thumb screws and bring orders of magnitude more cases when they've kept fines for the final, extreme, and rare sanction til now.
I honestly expect that just as I feel more should have attracted fines and sanctions under DPA I'll find that GDPR is also being too lightly applied. We'll see. I've been wrong on the internet before. :)
The speed limit analogy is terrible. Or maybe perfect, for my point.
Because speed limits are not enforced, everyone goes somewhere between 5 and 15 mph over, all the time. But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily. Yeah, the jackhole that burns tire at 110 past a school-zone is most likely to get pinched, but almost everyone on the road could.
The GDPR gives authorities various ways to deal with corporations that are breaking the regulations.
When a corporation is compliant and only has minor infractions, they will (most likely) write a sternly worded letter.
But if you're constantly and repeatedly or willfully ignoring or breaking the regulation they definitely won't leave it at a simple tap on the fingers.
Plus, I don't think any regulatory body is looking to bankrupt a corporation. They will obviously size the fine according to how much the corporation has in turnover or profit.
So we are just supposed to hope that they will be nice to us when inevitable violations occur under one of the 28 unique interpretations that this law will be subject to?
I don't think I've heard of many EU regulatory bodies that will immediately go for the maximum punishment the moment anyone does a minor infraction. First you get a letter, then a sternly worded letter, then a tap on the finger, a hard tap on the fingers and if you still refuse to learn the lesson then they break your knees.
If you have minor infractions caused accidentally and you cooperate I have doubts that any regulatory body for the GDPR will go beyond sending a simple letter asking you to fix a problem.
Perhaps it's a cultural difference but here in the US we interpret all laws literally, fully expecting maximum penalties. And yet they are trying to apply this law to American startups who can barely afford a lawyer here, let alone a EU counsel.
Laws are interpreted literally in Europe too, or they wouldn't be laws.
But most laws have a range of penalties, and often account for intent and attitude.
E.g. in US law you have "manslaughter" (voluntary or not) and "murder", for example. And you have different penalties for first offense and repeated offence.
I am not one to say "trust the EU government, it is good".
But the intent of the legislator is obviously not to kill businesses willy nilly, it is to punish certain behaviours, they have no reason to willingly cause a business to shut down, which is why the GDPR explicitly accounts for collaboration.
In the end, it is up to you to decide not to abide by the law. There have been local regulations forever, this won't change much.
Note that, in parallel to the EU regulation, the statutory maximums can be enacted (ever since Booker judges can use their discretion again), but in reality most judges rule within the sentencing guidelines.
> I don't think I've heard of many EU regulatory bodies that will immediately go for the maximum punishment the moment anyone does a minor infraction
Yet. Wait until the company is another political organization that is identified as an enemy or competition. Then these laws become tools for shutting down dissenters with selectively applied fines, even to companies outside of the EU.
That’s not what the law says they have to do. All reasonable businesses have to assume the worst case, not the best case. These governments have a built-in financial incentive to not be lenient in any way, shape, or form.
That's the US, yes. EU regulatory bodies are generally rather lenient when you attempt to follow the regulation.
And contrary to what you say, the law does say the regulatory body for the GDPR has to consider the business needs of smaller businesses and adjust their fines accordingly, if they even hand them out.
There is a good flowchart in this thread too; I recommend studying it.
But they have never had the extraterritorial reach that they are claiming under the GDPR either. This could easily be used to suck money out of foreign countries. I don’t think they’ll play nearly as nice with people that don’t vote in their own countries.
I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced. Either way, the net result will be that EU residents will have access to a far smaller universe of content and services. Most businesses just won’t take the risk.
Back then, I was not convinced that you had a clear idea of how such a money-grabbing scheme could be implemented. I would kindly ask whether you have a clearer understanding of the relevant procedures now.
It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.
The people saying how easy it is don’t know what they are talking about.
>> It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.
By "28 different interpretations" I assume you mean those of different member states. It would actually be 27 now that the UK is leaving, but even so, the GDPR is a regulation (General Data Protection Regulation) and not a directive, partly in order to eliminate inconsistencies in national laws. To clarify, as a regulation, the GDPR does not need to be passed into national law.
Additionally, this reduces the burden on companies that would previously have to deal with multiple local authorities, in the context of the Data Protection Directive.
Further, there are provisions for the consistent application of the GDPR across all member states, particularly a European Data Protection Board.
This is from an article I quoted earlier:
Coordination and Consistency
Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.
One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.
Generally, I have no idea why you say that the GDPR will be nearly impossible or actually impossible to comply with. Different member states have different regulations for drug use, for instance, but that is never used as an excuse to violate drug laws "because they are impossible to comply with" due to different national interpretations.
> I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced.
What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).
That and privacy shield (or equivalent). The EU courts could simply go to the US courts and tell them that under privacy shield, the company violated the EU law. Then the US court could decide that, yes, the company did indeed violate EU privacy law and enforce the fine on their side.
If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working since Google doesn't want the EU courts on their butts for making business with someone who violates the EU law and other measures)
> While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.
So how does that affect companies that don't elect to join Privacy Shield?
Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...
Without privacy shield, I guess the EU might still try to go through the US court system to have a foreign claim enforced in the US.
I guess we'll have to wait and see what happens in that case, if the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages)
Apparently, existing treaties that the US has allow for the domestication of EU civil judgments in US courts. The prevailing logic right now is that nothing new would need to be passed to allow for that to include judgments issued under the GDPR. Here is one article, there are many more:
> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."
That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...
> After all, England almost jailed someone for training their dog to give the Hitler salute or for posting something mean on Facebook.
He wasn't 'almost jailed' - he was fined £800. And the video involved him saying 'Gas the Jews' over and over again to his dog, to which the dog reacted.
The real crime here is that it wasn't funny at all. But imposing fines for telling bad jokes and spending tens of thousands of GBP of tax payers' money is just wrong, wrong, wrong.
Typically the law in this country has been to impose relatively small fines for malicious communications, and even these are sometimes dropped on appeal, as with the Twitter Joke Trial. The WaPo has it wrong in this instance - Britain isn't Thailand.
So if you're a startup owner who happens to not be well connected, or have a bad lawyer, you get hit with the full $20M fine, while a huge corporation that is politically well connected gets fined proportionally much less?
There's no good way to frame this for a small business. Are you seriously suggesting that the mere benevolent feelings of a judge or board and how their mood is that day is the only thing standing between a startup and bankruptcy? If you're saying a small business should never be fined that much, why isn't that the letter of the law? Why does the court even have the option to completely destroy a startup like that?
> So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?
Where are you getting this ludicrous assumption that the law won't apply the maximum fine? If you don't think they should be able to, why isn't the law simply sensible, and should apply a lesser fine?
I don't know how the legal system works in the US (I'm starting to think not very well), but that's not how it works. The process in the UK is something along the lines of the court will assess means to pay, then a fine will be levied. I wouldn't expect any business to go bust as a result. They might go bust from the bad press causing a mass exodus of customers, they might get to look extremely stupid, they might find themselves tight for the forthcoming year.
> Where are you getting this ludicrous assumption that the law won't apply the maximum fine
They have never yet applied the maximum in 20 years of the current DPA, why presume they're itching to start next month? This makes no sense to me.
Under the DPA 1998 the largest fine was issued in 2016, to a multi million pound company. £400k, so still only 80% of the maximum. Look to precedent across the entire EU.
> Why does the court even have the option to completely destroy a startup like that?
Supposing 100% of the startup's revenue comes from GDPR violations and they've been doing so for, say, 5 years, then the fine should really be 500% of annual revenue. Or even multiply that by 2 or 3 for punitive purposes. It may or may not destroy the startup, depending on how well funded they are. They could be breaching privacy for reasons other than revenue.
While not “automatically applied,” what part of what you linked to says they won’t use their discretion to assess the maximum penalty in most situations? What stops them?
There are no rules in what you linked to that would prevent or even deter maximum fines in every single case. The only limits imposed are $10 million for lower level fines and $20 million for upper level (or percentages of revenue, whichever is higher - the static amount will always be higher for smaller businesses).
Edit: to those downvoting this (and all of my other comments) - this comment contains only facts. So please show me where it says that there are circumstances under which they must fine you less than the maximum. Otherwise there is nothing to downvote.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
I think this highlights the EU vs US perspective on Government nicely
In the EU you tend to trust your bureaucrats to make a "Fair and Just" application of the law
In the US we tend to expect our bureaucrats to be vindictive, corrupt, petty, and generally impose fines and penalties not based on the law but based on their personal feelings about the target of their "legal action"
Thus such open ended wording like you posted being classified as a "rule" scares the shit out of most Americans
> I think this highlights the EU vs US perspective on Government nicely
And the differences in the legal systems specifically. I think this is why a lot of HN commentators are finding the GDPR vague. In the US rule based regulations are the norm. For better or worse this tends to allow those with clever lawyers to search for loopholes. UK law is much more principle-based, which means trying to abuse the exact wording is not going to save you from a fine, and equally a technical-breach of wording is not going to get you prosecuted. It's not just the civil servants that we trust with this, it is the judges too.
In the US we have learned that trusting government normally does not work out well for the citizens of that nation.. you end up putting people in jail for Tweets, and Jokes ;)
Explicit criteria existing deter maximum fines, since it opens up the authorities to counter-claims that they did not take criteria in your favor into account.
To most small businesses, whether the fine is $5 million or $20 million doesn’t matter - they still can’t pay it. So if some of these factors are considered and “only” $5 or $7 million is assessed, that’s still a company killer.
Under what circumstances are you expecting to receive a $5m dollar fine? To me (who is assessing this risk at a UK SME) the idea of an SME receiving this kind of fine is absurd. As the poster above said, the law asks for proportionate fines.
The big number max fines in GDPR are there to deal with companies like Google and Facebook who can write of $5m as a rounding error.
People who have been fined at all under the existing DPA, being enforced by the very same people as GDPR, have been negligent, repeat offenders. I don't believe anyone has ever received the maximum fine under the existing regulations. That just isn't how UK law works.
They need tax revenue, jobs for their citizens, and goods and services that their citizens want?? It doesnt even make sense for them to run around, shutting down every business they can. It would hurt them.
Some people just accept it when someone says they won’t do something that they totally can.
I know, it doesn’t really make sense. If someone tells me “well it says that we can do that if you go by what’s on paper, but we wouldn’t actually do that”, then change it so that it says on paper that you won’t, or I’m inclined to think that you totally will, because you totally can.
The penalty isn't meant to be something you afford. It's a penalty. (It's a feature, not a bug.) I'm having a really hard time not being sarcastic right now but compliance with the law might also end up being an economical option worth looking into. Cheaper than lawyering-up for being sued by shysters for non-compliance, and cheaper than being penalized for non-compliance.
Mind you, taking whatever-it-is off the internet is fine too. I totally understand. What I don't like is all the whiny sanctimony and martyrdom. "Yes I'm taking my thing off the internet, but first I'm going to make a big deal about what a tragedy it is for the world." Um no. The fact that your thing is a "small business" means few people care about it. (Sad to say. More people care about Facebook than about you. That's why they're the big incumbent.) And it emphatically doesn't mean for example, that you're some hallowed, heroic underdog who deserves protection, especially when you won't even afford the same to your own users and their data.
I'm a hobby developer. I once made a tool mostly for myself, but decided to put it online. A couple thousand people use it, and it runs at a loss, but I keep it up mostly because it's useful to some people out there. My tiny website isn't hurting anyone or breaking the internet the way Facebook or Google may be. To claim that having to spend my hobby time implementing a bunch of extra features is just "complying with the law" is bullshit, I'm sorry. In terms of scale, it's basically as if I forced you to do a full safety test on a toy car you made for your kid, just because GM cars had safety issues.
And I'm not special. There are plenty of other small devs like me with thousands of small niche web tools out there, most of which are run purely as a hobby, out of our own pocket. I may not make a blog post and get it to the top of HN, but devs like us have 0 incentive to keep our sites online.
HN loves to complain about things like AMP killing the web, but to me this is orders of magnitude worse.
You don't have to implement any new features to comply with the GDPR. You just need to be clear with users about what data you are collecting and what you do with it.
I really think some people are just completely blowing this up into something it's not, probably because the only thing they've read about it is others scaremongering.
As a business owner that cares about privacy, I was basically compliant already - all I had to do was reword my privacy policy a bit to make it more human-readable.
>You don't have to implement any new features to comply with the GDPR.
How do you deal with user requests? You need to at least somehow be able to gather the data, pack it into a user-understandable format, and delete database entries, also from your backups.
If you're a small business, you are likely to receive a very small number of such requests, if indeed you receive any at all. For most small businesses, someone would simply do a manual extract/delete of the data if it was ever requested.
Regarding backups, realistically you are not going to be required to delete from them as it's completely impractical to delete a single user's data from backup. You just need to be straight with your users - tell them that their data will be removed from your live system immediately, but that some data will remain in archive, securely encrypted, until the end of your defined retention period.
/export?userId=x (make sure to validate they are logged in)
gather data: select * from every table that has userId
pack it into understandable format: every language i have used makes json, xml, csv pretty darn easy
delete: delete from....
backups: i am surprised your hobby project takes backups. perhaps have a table with userIds that were deleted, and when you make your new backup, remove all their data?
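The recipe above carried through, as an added example that is not code from the thread: against a constructed SQLite schema it discovers every table keyed on user_id, exports the rows as JSON for an access request, deletes them on an erasure request while keeping the tables you have a legitimate reason to retain (here `orders`, for bookkeeping, which is an assumption), and records a tombstone so a restored backup can be scrubbed of users erased after that backup was taken. The table names, columns and retained set are illustrative assumptions.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed schema for a small web tool (hypothetical; not from the thread).
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT);
CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT, seen_at TEXT);
CREATE TABLE uploads  (id INTEGER PRIMARY KEY, user_id INTEGER, filename TEXT);
CREATE TABLE orders   (id INTEGER PRIMARY KEY, user_id INTEGER, total_cents INTEGER, shipped_at TEXT);
CREATE TABLE erased_users (user_id INTEGER PRIMARY KEY, erased_at TEXT);
"""
USER_KEY = "user_id"
TOMBSTONES = "erased_users"
# Assumption: order records must be kept for bookkeeping, so they survive erasure.
RETAINED_TABLES = {"orders"}


def open_sample_db():
    """In-memory database with constructed sample rows for two users."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "bob@example.org", "Bob"), (2, "eve@example.org", "Eve")])
    conn.executemany("INSERT INTO sessions (user_id, ip, seen_at) VALUES (?, ?, ?)",
                     [(1, "203.0.113.7", "2018-05-01"), (2, "198.51.100.9", "2018-05-02")])
    conn.executemany("INSERT INTO uploads (user_id, filename) VALUES (?, ?)",
                     [(1, "drill.jpg")])
    conn.executemany("INSERT INTO orders (user_id, total_cents, shipped_at) VALUES (?, ?, ?)",
                     [(1, 1999, "2018-04-30")])
    conn.commit()
    return conn


def tables_keyed_on_user(conn):
    """Map each table holding per-user rows to the column identifying the user.

    Discovered from the schema, so a new table with a user_id column is picked up
    automatically instead of being forgotten by a hand-written export."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    keyed = {}
    for name in names:
        if name == TOMBSTONES:
            continue
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{name}")')]
        if name == "users":
            keyed[name] = "id"
        elif USER_KEY in cols:
            keyed[name] = USER_KEY
    return keyed


def export_user(conn, user_id):
    """Subject access request: every row about the user, grouped by table."""
    out = {}
    for table, key in tables_keyed_on_user(conn).items():
        # Identifiers come from sqlite_master, not from the request, so quoting them is safe.
        rows = conn.execute(f'SELECT * FROM "{table}" WHERE "{key}" = ?', (user_id,))
        out[table] = [dict(r) for r in rows]
    return out


def export_user_json(conn, user_id):
    """The same export as the human-readable file you would hand to the user."""
    return json.dumps(export_user(conn, user_id), indent=2, sort_keys=True)


def erase_user(conn, user_id, erased_at=None):
    """Erasure request: delete the user's rows from every table except the retained
    ones, and record a tombstone so backups taken before now can be scrubbed later.
    Returns the number of rows deleted per table."""
    erased_at = erased_at or datetime.now(timezone.utc).isoformat()
    deleted = {}
    for table, key in tables_keyed_on_user(conn).items():
        if table in RETAINED_TABLES:
            continue
        cur = conn.execute(f'DELETE FROM "{table}" WHERE "{key}" = ?', (user_id,))
        deleted[table] = cur.rowcount
    conn.execute(f'INSERT OR REPLACE INTO "{TOMBSTONES}" VALUES (?, ?)', (user_id, erased_at))
    conn.commit()
    return deleted


def scrub_restored_backup(backup_conn, tombstones):
    """Re-apply earlier erasures to a freshly restored backup, so a restore never
    brings back data the user asked you to delete."""
    for user_id, erased_at in tombstones:
        erase_user(backup_conn, user_id, erased_at)


def rows_about(conn, user_id):
    """Per-table count of rows still referring to the user (for checking the result)."""
    return {table: conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{key}" = ?',
                                (user_id,)).fetchone()[0]
            for table, key in tables_keyed_on_user(conn).items()}


if __name__ == "__main__":
    db = open_sample_db()
    print(export_user_json(db, 1))
    print(erase_user(db, 1))
    print(rows_about(db, 1))
```

The tombstone table is what makes the backup question tractable: you do not rewrite old backup files, you keep the list of erased users next to them and replay it on restore, which is the "remove their data when you make your new backup" idea above applied at restore time instead.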
Ah yes, and then all of my data has holes in it that I need to deal with. "Hmm, we only have 5 orders for this, but we're missing 6". "hmmm, we charged this credit card, but there's no order for it and I'm not sure if we ever shipped anything?" "hmmm, how do I delete this tracking number from the postal systems' records?"
Etsy https://www.etsy.com/ is full of shops of people who create things as a hobby, but do try to sell things. There are many hobbyist creators who make a few things and try to sell some of them, at least to recoup costs and maybe even earn a little money. In many cases I suspect they earn about $0.001/hour. As a business, it's terrible; as a hobby, many enjoy it. I think "earning a competitive wage" is a reasonable cutoff for at least being on the road to a "real" business.
Then you have a legitimate reason for keeping some of the data (book keeping, shipping) and not for others. Delete the data you can, keep what you must.
> Then you have a legitimate reason for keeping some of the data (book keeping, shipping) and not for others. Delete the data you can, keep what you must.
Just like StreetLend, most likely nothing, and it's just a fear, but again you need to realize that this is a site run purely as a hobby. I'm sorry but reading through legalese and combing my website's code to make sure it's compliant isn't part of my hobby. I'm not a company, I don't have millions of users, I just run a small tool that a few people use. Yet apparently I run the risk of being fined $20m...
If you think a hobby app runs a risk of being fined $20m then you clearly haven't looked into this at all. Why don't you do that first before getting worried about it?
There are lots of guides out there designed for humans.
Essentially, all you have to do is tell your users what data you are collecting and how you will use it.
Also, if a user asks for their data, you give it to them, and if a user asks for their data to be deleted, you delete it. I imagine if either of these things were to happen today, you would do as they wished GDPR or not.
You already had to comply with many other complex laws, like copyrights, trademarks and so on. I don’t see why a privacy law is anything different or special.
It takes 30 seconds to find out whether your identifier violates a trademark. Your content is trivially not a copyright violation if you created it yourself. Hobby projects are not debating the finer points of fair use and whether the conflicting name is for a sufficiently different kind of business to avoid confusion. But every HTTP server handles personal data, and a web-based tool with a database backend especially so, so all the subtlety of GDPR is in play.
Most server/frameworks log IP addresses, but do not tie them to an account. If the account is deleted and the IP addresses are not, then that seems like a potential violation as long as IP addresses are considered personal information. As a result the most common configuration is potentially in violation.
How about asking for and recording a person's birthday when really all you need to know is if they are the age of majority? A birthday is more information than needed, which seems like a violation of GDPR when interpreted strictly with my cursory knowledge. Seems unlikely that any regulator would enforce such a distinction though.
IP addresses are only PII if you are able to actually use them identify an individual.
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. [1]
So once the account info is deleted, that link is broken. This is another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).
> So once the account info is deleted, that link is broken. This is another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).
Makes sense.
Given the above still seems like a potential issue to not delete the ip logs.
1) Bob signs up for a service and is logged
2) Bob then asks for his account to be deleted. Account details are deleted, but the ip logs are retained.
3) Bob signs back up for a new account allowing the data processor to make the link from his new account to his ip old logs with the first account.
Whether the data processor can relink the two records with reasonable probability in step 3 depends on the particulars of the circumstance.
I assume cases like the above will be judged, at least in part, based on the data processor following best practices and operating in good faith (not actively trying to unmask individuals, and actively trying to prevent unmasking).
Currently I would not let the GDPR stop me from going forward with any web services plans, however my casual reading of GDPR articles on HN and beyond have not made it obvious how cases like the above will be handled.
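Bob's three-step case above is exactly the one a pseudonymised access log is meant to close. As an added example (my own, not code from the thread; the design and names are assumptions), here is keyed-hash IP pseudonymisation with a fresh random key per day: tokens are stable within a day, so counting requests per client for rate limiting or abuse detection still works, but once a day's key is discarded (at the end of your retention period, or when the account is deleted) the operator cannot reproduce the tokens, so old lines cannot be tied to an address or to Bob's later sign-up. The caveat a practitioner wants: while the key is still held, the operator can brute-force the small IPv4 space and relink, so the guarantee comes from actually discarding keys, not from hashing by itself.

```python
import hashlib
import hmac
import os
import re
from collections import Counter


class RotatingIpPseudonymizer:
    """Replace client IPs in access logs with a keyed hash under a per-day random key.

    Within a day the same IP yields the same token, so rate limiting and abuse
    counting still work. The key is random, never derived from anything
    long-lived, so once a day's key is discarded nobody, the operator included,
    can map the tokens in old logs back to an address or to a later sign-up.
    Assumed design for illustration, not the thread's code. Days are 'YYYY-MM-DD'."""

    TOKEN_HEX = 16  # 64 bits keeps tokens distinct within a day's log

    def __init__(self):
        self._keys = {}

    def _key_for(self, day):
        if day not in self._keys:
            self._keys[day] = os.urandom(32)
        return self._keys[day]

    def token(self, ip, day):
        """Keyed hash of the IP; an unkeyed hash could be brute-forced over all IPv4."""
        mac = hmac.new(self._key_for(day), ip.encode("ascii"), hashlib.sha256)
        return mac.hexdigest()[:self.TOKEN_HEX]

    def log_line(self, day, ip, request):
        """What is actually written to disk: the raw IP never appears."""
        return f"{day} ip={self.token(ip, day)} {request}"

    def forget_day(self, day):
        """Retire a day's key. Lines logged under it stay usable as counts but can
        no longer be linked to any IP, or to tokens from any other day."""
        self._keys.pop(day, None)

    def has_key(self, day):
        return day in self._keys


LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) ip=(?P<token>[0-9a-f]+) (?P<request>.*)$")


def requests_per_token(lines):
    """Abuse/rate analysis that works on the pseudonymised lines alone."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("token")] += 1
    return counts


def can_relink(pseudonymizer, line, ip):
    """Could the operator tie this old log line to `ip` (e.g. a re-registering user)?
    Only if the key for that day still exists and reproduces the token."""
    m = LINE_RE.match(line)
    if not m:
        return False
    day = m.group("day")
    if not pseudonymizer.has_key(day):
        return False
    return hmac.compare_digest(pseudonymizer.token(ip, day), m.group("token"))


if __name__ == "__main__":
    p = RotatingIpPseudonymizer()
    old = p.log_line("2018-05-01", "203.0.113.7", "POST /signup")   # constructed line
    print(old, can_relink(p, old, "203.0.113.7"))   # linkable while the key is kept
    p.forget_day("2018-05-01")                       # account deleted / retention over
    print(can_relink(p, old, "203.0.113.7"))         # no longer linkable
```

Note what this does not do: it does not stop the operator linking Bob's second account to his first by any other retained identifier (email, cookies, content), so it only addresses the IP-log leg of the scenario above.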
> To claim that having to spend my hobby time implementing a bunch of extra features is just "complying with the law" is bullshit, I'm sorry
100% agree. And your situation applies to millions of hobbyists, personal websites, projects, startups, and small businesses around the world.
GDPR appears to be intentionally burdensome, a classic regulation strategy aimed at protecting large incumbents while stifling small business, innovation, and newcomers, or even side projects like your own.
It is by far the best GDPR presentation and explanation of lots of misconceptions. Please report back what you think about GDPR when you finish; I am curious if you will still feel threatened.
Congratulations (btw, I really like the guy explaining it)! Now you should probably understand the need for it and why multiple clones are going to start to pop out around the world, not to mention that you know more about GDPR than 99% of people being negative about it.
Guilty... is really not something special, IRS anyone? ;) Did you catch something else? Something useful maybe? About borrowing a car for instance? :)
The GDPR is actually late. I have a few IoT devices and I verify them by isolating them on the network and sniffing out communication (mitm on wifi, and an old school 10 port hub (yeah, the one screaming everything to all ports) for wired). It is a sad sight: even if they have absolutely no need to contact outside servers (I would never have a device like Siri in my home) they still do; another case would be Broadcom drivers on Android calling home. Someone has to stop this madness.
I know a lot of people are pissed off due to GDPR, but I will gladly ask them again in 10 years. I think they will change their mind.
There is zero risk running hobby projects for developers. GDPR only applies to the relationship between a business and a consumer. If you have personal hobby-projects, they are 100% outside of the scope of GDPR. You can continue to collect any information you want etc.. What is defined as a hobby project differs with regulation in different countries, but usually it's something like revenue < 5000 €.
You can continue running all hobby tools you want.
Compliance depends on how well your understanding of a bunch of fuzzy terms like "legitimate interest," "level of security appropriate to the risk," "necessary in relation to the purposes for which they are processed," "no longer than necessary," etc. aligns with 28 different regulators and judiciaries. That's as far from "trivial" as it gets. Bozho.net is not a lawyer, not your lawyer, and even if he were your top-tier lawyer specialized in data privacy he wouldn't have a clue what courts were going to take these things to mean in the context of GDPR, because there aren't any judgements yet. Security and minimization standards are also about "taking into account the state of the art" - do you know what the state of the art is, and is your organization capable of implementing it? An entirely plausible outcome here is that only the most advanced engineering organizations have technology that meets these standards.
> the most advanced engineering organizations have technology that meets these standards.
Horseshit. There is nothing advanced about storing only the data you need. However, if you've been hoarding like crazy and are weighed down with technical debt, and haven't used the last two years, then yeah, it might be hard.
Yes, it's a new law, yes, in practice it will be defined by judgments. How is this different from any other new law, other than this one impacts IT harder?
And let me guess what the alternative is: do nothing.
Consider also that European law is different to US law. We draft laws and contracts in a conceptual/abstract way, whereas in the US everything has to be exhaustive, explicit, and over-worked, just in case anybody dares sue.
GDPR recognises one-size-fits-all won't work. Yes, that means it has some vague terms. Yes, you might have to show you thought about the implementation, and that you erred on the side of privacy.
It's funny how everybody always talks about the maximum fines, not the other sanctions that the GDPR can impose. Guess that's just more sensational.
> Compliance is trivial and involves steps that are already best-practices anyway.
Isn't that beside the point?
You can be 100% compliant and still be sued by somebody. And you'd have to pay some lawyer a lot of money to make it go away.
That risk already existed before the GDPR (anybody can sue anyone for whatever reason they can come up with), but GDPR is high profile enough to make people scared.
About a decade ago, I ran a website that made heavy use of user uploaded GPS data. I didn't sell any data. The only ad income was Adsense.
If I had bothered to restore the server from backups after a HD crash, I'd probably take it down now. Just not worth the potential trouble.
> You can be 100% compliant and still be sued by somebody. And you'd have to pay some lawyer a lot of money to make it go away.
I fail to see how GDPR makes that new. You can be sued for any reasons already, being in the right or not.
E.g. 99% of useful websites violate some patents (that shouldn't ever have been issued), actual predatory suing about this issue happens, yet no one closes his website because "the patent situation makes it too uncertain".
Indeed it is: the first 100 pages of the text detailing what compliance means are a manual for how to read the remaining 5000 pages, and a warning that there will be per-country variants of the law, which I'm sure will all be very clear, made easily available and not at all weird or objectionable, or require being well-versed in the legal intricacies of said member state at all !
You make this assertion elsewhere in the thread. It is incorrect. The entirety of the legislation is 88 pages long and it is really quite straightforward (full link preserved) [1].
Here is a set of (easily available) interactive tools, explainers and guidelines from the ICO in the UK which explicitly outline what compliance looks like and what steps you can take to achieve and demonstrate it [2]. It’s available as a 162 page PDF, if you insist on counting pages, but much of it relates to the processing of sensitive data or data relating to children, which the majority of orgs can skip.
Mind you, taking whatever-it-is off the internet is fine too
We won’t take our services off the Internet. We’ll simply block you and your overbearing friends in the EU from accessing them. You might not miss one of us, but you’ll likely miss hundreds of thousands of us. Enjoy Facebook. That may be the only site you still have access to when the dust settles.
Compliance is trivial
Since you are saying that, I can guarantee that you haven’t actually read the law or been in charge of trying to make a website compliant. That is an absurdly incorrect statement. Billions are being spent around the world on attempts to comply with it.
> China also has many regulations. Instead of trying to extend their jurisdiction to foreign sites, they simply block them. I thought about this and I actually prefer the Chinese non-expansionist model: I would rather outsource due diligence to the Chinese government
Hell of a way to defend the most absurd and overreaching displays of censorship we see on the modern web.
He's saying that it's safer for him for China just to block him out of their territory than for the EU to allow him and open him up to GDPR-related lawsuits. Even if the lawsuit is scurrilous or the fines a misunderstanding and can be reversed, that can be tremendous effort and anguish for a person. Often requiring years in court.
> outsource due diligence to the Chinese government
That is easily one of the more absurd statements I've seen this month.
> Well meaning regulation like this written by people who have never created anything practical in their lives
And websites whose customers are advertising agencies, and whose product is people, create something? Attempting to track and then monetize everything everyone does online is _creating_ something now?
> And websites whose customers are advertising agencies, and whose product is people, create something? Attempting to track and then monetize everything everyone does online is _creating_ something now.
This is snarky, and intentionally simplifies things down to a dumb level. Here's a list of things that "create something" while relying on an advertisement model for revenue:
- Gmail
- Facebook
- YouTube
- StackOverflow
- Reddit (to some extent)
- Yahoo
- Miniclip
- Neopets
I can find a hundred other examples that are ad-revenue supported but create immense value.
It's a difficult balance to strike, and while not perfect, this model has allowed us access to so many good services that would otherwise not exist. Saying that none of them "create something" is just wrong.
How about storing data for spam or DDoS mitigation? You need that data for those filters. But it's in the scope of GDPR. Do you give the spammers that data under SAR requirements, so they can improve? Or do you keep lawyers to justify denials of each request (some of them bogus)? We have done a lot of due diligence on GDPR and we don't "track or monetize" everything. Have you?
> 1. This regulation is specifically (deliberately?) anti small business. If your revenue is less than €20m their fine is up to €20m, i.e. can be 100% of your revenue, meaning bankruptcy. If your revenue is greater than €500m, your fine is capped at only 4% of your revenue, i.e. an acceptable fluctuation. It's worse than a regressive tax.
With the amount of creativity observable for inventing tax-avoiding business structures, I'm sure if the minimum clause weren't there, big players would quickly find a way to spread their revenue over dozens of small entities, each looking like a "small business" on paper.
So I'm not sure it would be even possible to make a regulation "with teeth" that explicitly exempts small players.
" This regulation is specifically (deliberately?) anti small business"
No, it is not.
"Well meaning regulation like this written by people who have never created anything practical in their lives other than regulations illustrates why entrepreneurship in modern Europe is nearly impossible."
No, it doesn't. It demonstrates that far too many "entrepreneurs" are people who want to play fast and loose with regulations, and not be held accountable for anything.
Don't think of regulation as a binary - on or off. Instead, think of it as an adjustable knob.
The higher you turn the knob, the harder it becomes to (compliantly) do things. Also (if the regulations are working as they should), the less the things that people do produce bad side effects. But the "harder to do things" part mean that fewer things get done - fewer new products and services get created. As the knob goes higher, not all of the things that don't get done are things that the regulations are designed to prevent. Some are perfectly fine things, but the burden of proving it is too much for the single person tinkering in their apartment to ever try to turn their idea into releasable reality.
Sure, I agree with the knob analogy. I just don't think this puts that knob anywhere near too high. Quite frankly, if this industry was guided by ethics, most of these things would be things that companies are already doing.
I don't believe the entire load is anywhere near there, then. Also, for a lot of these things, once you have the procedures in place, maintaining compliance does not take much effort.
I highly doubt it is deliberately anti small business. However, governments don't actually know what the outcome of their laws will be until they are out in the open and if governments claim to know what the outcome will be, they are likely lying.
China policy is pro small business and EU is anti small business.
I am pro small business, and I am against censorship.
I see however historically opposite trends over the last 20 years: China is getting more free speech and is getting more pro small business, and Europe is the opposite. And it's not a coincidence. I think eventually the censorship curves of China and EU will cross. Small business friendliness curves crossed perhaps 15 years ago.
That's just not true. The West hoped that would be the case when Xi took charge, but it's gone in the opposite direction since then. How many chat apps can you use where the CCP isn't listening in on your conversation? They practice wide scale censorship on their own social media, Western social media sites are blocked, and important sources of information like Wikipedia and the New York Times are blocked too.
> China’s authoritarian regime has become increasingly repressive in recent years. The ruling Chinese Communist Party (CCP) is tightening its control over the media, online speech, religious groups, and civil society associations while undermining already modest rule-of-law reforms.
It is misleading to say that "China is getting more free speech," as this phrase conjures notions in the west of unregulated political speech: by anyone, to anyone, for any purpose. In fact, the policy line that has been set forth in China is quite clear, and it does not lead in such a direction.
China's policy is pro China only, and to suggest that their regulations wouldn't change if Alibaba was 20 times the size of Amazon, or any other reversal of size between US and Chinese companies, is ridiculous.
The GDPR might end up being bad regulation, but we were already getting bad results for the average citizen. If the industry wasn't going to regulate itself, and it's hurting citizens, are governments supposed to just stand back and hope it works out for the best? Maybe in a libertarian paradise, but no national government is currently running on that paradigm.
Edit: also free speech != No regulations. Companies aren't people and they shouldn't be getting the same rights as people. You can't just do whatever you want to make a dollar and then try and claim free speech protections
Companies absolutely should have free speech rights. A company is a group of PEOPLE who have joined together to sell or promote a product, service, or policy.
Should a union be denied freedom of speech? Because a union is a corporation as well. What about the Sierra Club? Should they be silenced? They too are a corporation. Should a teachers union be allowed to speak, but Khan Academy denied the same right? Should organizations advocating free WiFi be allowed speech, but Comcast be denied the same right?
The “companies are not people” tripe being parroted since Citizens United is a naïve and dangerous road down which people are attempting to travel. At the core of the issue is the right of free association. Free association is fundamental to free speech and a free society. Profit motive is irrelevant because profit is just as valid of a goal as “better schools” or “better public policy” or whatever the cause might be.
People are composed of cells that work together for a common purpose. Is a person a cell, to be treated the same way we treat actual cells?
Governments are people who have joined together for the common purpose of governing. Does that make a government indistinguishable from an individual person, which is basically just a cell?
Is there a difference between one kid running across your lawn and 10,000 kids organized for the purpose of running across your lawn?
People are granted free speech because they are considered valuable, unique, irreplaceable, self-conscious entities.
A corporation is a piece of paper registered for $100 that can be destroyed without penalty. It is a tool for achieving an objective, just like a computer. Many people join together to make Wikipedia, but we don't grant that website free speech...
We're in a thread where people are claiming that China's approach to regulation is objectively better than the EU's because it lets them do whatever they want as a company. I was always going to upset some people who are of the pro-corporate ideology by claiming that companies aren't people, and HN has been turning more and more into Reddit as it's gotten more popular.
Yes. This I think is a downside of the law. Some small owners are going to have a more difficult time.
But this is true for any regulation like food safety regulations, construction regulations, etc. They hurt more a small restaurant than a big chain. But in the end, these regulations are there to protect the customers. Small restaurants have closed and will continue closing for not following food safety regulations. But what is the alternative? Is business creation the final goal of our society? Or there are things more important?
In summary, small businesses are going to have to extend their insurances to also cover risks related to GDPR. But it's the price to pay for having safer data.
TBH most food & construction safety laws are way more small business friendly than the GDPR. Food safety has a well defined relatively easy to follow rule set and food inspectors come in and give you a food safety rating, which you can work on and improve. It won't destroy a small mom & pop restaurant with a $million fine.
For construction, you build your building to 'code', an inspector comes in and stamps the building and then you're done. If you're not code compliant, then you can correct it without much penalty at all, not get a $million penalty, and you don't have to go to court or get lawyers. Making your own shack in your backyard isn't an arduous process as far as code compliance goes.
Since most software is constantly modified and edited, I don't think the construction model really works. More the food safety one or a data fiduciary one.
Is the 20M EUR maximum reduced by law, or just by regulatory discretion? The USA is currently demonstrating (with DACA, marijuana enforcement, etc.) the fragility of the latter.
The law explicitly lists factors the regulators have to take into account for determining the fine. If they give a large fine for a small infringement, they're going to have a hard time to claim they took all factors in your favor in account properly.
From what I've seen, it's partially like in the US - each EU member has its own data protection authority which imposes those fines, but they are closer linked than the US states' laws. I can definitely see some EU countries slacking off on enforcing, or being less/more harsh than the others.
But 20 million is possible right? Even for a small offence? Where in the actual text of the law does it say that they will never impose the maximum fine for a trivial or minor offence?
It actually doesn’t say that. This law has the effect of small business essentially needing a 20 million insurance policy to protect against the possible whims of an overzealous regulator? It’s either insure yourself for 20 million or risk losing your entire business over potentially a trivial matter.
When people in the UK have been jailed 8 months over traffic cameras or prosecuted and jailed for speech, I wouldn’t give a European government the benefit of any doubt. Willingly inviting an unelected regulator, accountable to nothing but the letter of a badly written law created by another unelected government body — that’s just foolish.
It’s probably not possible. I wouldn’t map the (EU) GDPR onto how a US-like legal system works. E.g. it’s very unlikely that the regulator seeks maximum penalties in the EU, and in the worst case you could go to court arguing that a penalty is non-proportional compared to other cases (and win).
Don't use people's personal data and don't allow others to spy on your users (ads, analytics, ...) and you won't need to do anything.
Work in best interest of your users and you will be compliant. I don't think that this is harder than food safety regulations.
By the way, the technology is changing fast and a strictly defined law with "do"s and "don't"s would be downplayed in weeks. That's why GDPR is conceptual (and that's why everyone is pissed off, as they can't downplay it - how many sites have you seen that are giving you a fair cookie choice?)
And in food or construction if you willfully break the law then that can be criminal and you will face severe fines and/or jail. It's all about your intent.
It absolutely is; see as an example Art. 83, "General conditions for imposing administrative fines", which has at point b "the intentional or negligent character of the infringement".
To me, asking a small developer with a site that gets a few thousand users to implement GDPR is like asking a dad to do a full safety test on a toy car he built for his kid, just because a big company like GM had safety issues. The problem the EU is trying to solve here is large companies like Facebook making monopolies and siphoning data. So why the hell do they have to impose rules on small hobby websites that run at a loss?
There's a huge chunk of the web that is filled with niche web tools, mostly made as a hobby, running for free. I myself own 2-3 such sites. Now, I'm forced to spend my hobby time adding a bunch of new features on a site that already loses money? I'm sorry but the couple thousand people that depend on this tool will have to find someplace else I guess.
HN sure loves to worry about AMP killing the internet, well to me this is far more dangerous. Can't wait for larger troll companies bullying small devs with lawsuits and killing all their competition using GDPR.
Dealing with missing user records. Deleting all records pertaining to a user, which may break a well-normalized database. Keeping track of any analysis you did and why (e.g. scanning server logs to see country of origin to see if you may want to seek out a translation of your UI?)
In practice, 'it depends'. It may be that it's simple enough to delete everything, or it may be that you anonymise rather than actually delete. E.g. if you have a `users` table with:
`id, name, email_address`
You could simply blank out everything apart from `id`.
Regarding logs, it might be worth thinking about whether you actually need them to contain personally identifying information (e.g. IP addresses, usernames) - if not, just don't log them.
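The anonymise-rather-than-delete approach from the post above, as an added example (not code from the poster): it assumes a SQLite `users` table with the three columns named, plus a constructed `loans` table whose foreign key is what makes a plain DELETE fail, and a constructed access-log line for the IP/username scrubbing.

```python
import re
import sqlite3

# Constructed sample schema: the `users` table from the post, plus a dependent
# `loans` table so there is a foreign key pointing at users(id).
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    name          TEXT,
    email_address TEXT
);
CREATE TABLE loans (
    id        INTEGER PRIMARY KEY,
    lender_id INTEGER NOT NULL REFERENCES users(id),
    item      TEXT
);
"""

# Constructed sample rows (not real people).
USERS = [(1, "Alice Example", "alice@example.org"),
         (2, "Bob Example", "bob@example.org")]
LOANS = [(10, 1, "power drill"), (11, 2, "ladder")]


def make_db():
    """Build an in-memory SQLite database with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO loans VALUES (?, ?, ?)", LOANS)
    conn.commit()
    return conn


def hard_delete_user(conn, user_id):
    """Naive erasure: DELETE the row. Returns False if a foreign key blocks it."""
    try:
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        # A loans row still points at this user, so SQLite rejected the delete.
        conn.rollback()
        return False


def anonymise_user(conn, user_id):
    """Erasure by anonymisation: blank every column except `id`.

    The row survives, so loans.lender_id still resolves, but nothing
    personally identifying remains. Returns True if a row was updated.
    """
    cur = conn.execute(
        "UPDATE users SET name = NULL, email_address = NULL WHERE id = ?",
        (user_id,),
    )
    conn.commit()
    return cur.rowcount == 1


def user_row(conn, user_id):
    """Return (name, email_address) for a user, or None if the row is gone."""
    return conn.execute(
        "SELECT name, email_address FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def loan_count(conn):
    """How many loans rows survive (should be unchanged after anonymisation)."""
    return conn.execute("SELECT COUNT(*) FROM loans").fetchone()[0]


# Log scrubbing: remove the identifying fields before a line is written.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_FIELD = re.compile(r"\buser=\S+")


def scrub_log_line(line):
    """Replace IPv4 addresses and `user=` fields in an access-log line."""
    line = IPV4.sub("[ip-removed]", line)
    return USER_FIELD.sub("user=[removed]", line)


if __name__ == "__main__":
    db = make_db()
    print("hard delete of user 1:", hard_delete_user(db, 1))  # False
    print("anonymise user 1:", anonymise_user(db, 1))          # True
    print("user 1 now:", user_row(db, 1), "loans kept:", loan_count(db))
    # Constructed sample log line, not captured from any real server.
    print(scrub_log_line('203.0.113.7 - user=alice [10/May/2018:12:00:00 +0000] '
                         '"GET /tools HTTP/1.1" 200'))
```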
Presumably you have laws that require street vehicles to have a valid license before they can go on the road.
Do you remember the police arresting someone because of a toy car they built?
If not, then why do you expect the EU to go after the equivalent site with a few thousand users?
Logically, it's very unlikely. Realistically, seeing the risk of a $20m fine, I sure as hell won't take the chance and will take down my site until the dust settles and the kinks get ironed out.
Status quo? Baby steps? Enforcement of existing statutes? Consumer education? Promotion/support of preferred alternatives? Codified small business leniency? Objective enforcement clarity?
GDPR violations aren't something a troll can sue you over. All a troll would be able to do would be to raise a complaint with their national entity responsible for it, who analyzes the complaint and then takes action themselves if deemed appropriate.
GDPR is for the most part making explicit things that were implicit in the pre-existing EU legislation, many of which have been subject to EU court rulings. There is a ton of precedent.
Yes, but the argument is that one hit from the GDPR can kill you, and maybe even most likely will, even if you're in reasonable health, whereas with most other legislation you can survive a few hits if you're not already critical.
No. The first hit from GDPR violation will be from the regulator, asking if you actually are in violation, and giving you advice about how to come back into regulation.
I didn't say the argument was correct, but people probably also don't want to deal with the regulator for their little side gigs even if it's only the regulator asking questions.
Agreed. GDPR simply made me aware of that once again. I still feel the trolls should have minimal amount of attack vectors to small businesses, though.
>>But what is the alternative? Is business creation the final goal of our society? Or there are things more important?
The alternative is to let consumers fend for themselves, and if government is going to help, limit that help to investigating and punishing fraud, enforcing contract law, and providing free information resources to help consumers make better informed decisions.
Yes business creation should be the highest goal of society. New businesses are what counteract income inequality and drive innovation.
We need innovation to solve the already existing problems in society, that claim tens of millions of lives every year. There is no zero risk path open to society.
I'm not sure what GDPR is protecting me against that wasn't already covered by PCI-DSS and existing cybersecurity standards. Not being financially defrauded is the only thing I care about. For everything else it's easy to avoid sharing personally identifiable data if it's really a concern.
One of the key things to me is the increased fines that are available. I've likely had my data and my family's data lost through a variety of terribly insecure services having breaches.
TalkTalk lost 150k people's information (including bank account numbers, sort codes, dates of birth, etc - people who later then received scam phone calls from people who knew their details) due to extremely basic security failings. They were fined £400k (a record fine). They then did it again and paid £100k.
Properly securing the site and the data over many years could easily cost more than that, added to the chance you'll not get hacked or fined and it is perhaps even a financially sensible position to not put the effort in.
I think being responsible for negligence in security practices and GDPR are not the same. GDPR is overreach. There is a saner middle ground, for example in Australia new laws coming in mean executives can go to prison for the negligence in your example. That makes more sense as it doesn't invalidate 90% of standard tools processes in technical marketing for example.
I'm not talking about the fine/prison. The overreach is that they dictate how you have to handle data. In Australia you are only obliged not to get hacked and are trusted to figure it out for yourself. In Europe they have all this right-to-be-forgotten BS and reams of compulsory opt-ins etc etc.
I don't really have a problem with requiring consent to work with personal data. Right to be forgotten is restricted and I can't think of obvious cases within the restrictions here: https://ico.org.uk/for-organisations/guide-to-the-general-da... that I disagree with.
Stronger restrictions on what data you can hold without good reason or consent means that inevitable breaches become less important.
Do you prosecute your friends and acquaintances for uploading pictures of you to Instagram/FB etc? Block all tracking scripts/pixels on the Web? Avoid using the phone in order to not generate metadata?
I'm not sure how it's "easy to avoid sharing identifiable data"?
For the most part no (I block ads because I'm not interested in them, not for privacy concerns), but I'm also not irrationally paranoid about such things. I've lived in a world where I'm photographed hundreds of times a day by CCTV etc for most of my life. I'm not really sure what difference a few photos on social media will make.
The difference is the size of the aggregated dataset on you and those you are associated with, and how it might be sold, augmented etc. Granted, some places it might be legal to sell CCTV footage too - but it will also fall under the GDPR (not the GDPR alone, there are surveillance bills and "anti-terror" provisions... But there's one remedy for government overreach (throw the government, through elections or protest) and another for private overreach: government regulation/laws).
I understand the risk of aggregate data etc and do think we need to hold companies accountable however I disagree with the fundamentals of how GDPR tries to achieve this. It’s the wrong abstraction. I also value what free services, indie apps, small scrappy startups and general maker world productions provide society and life in general way more than I value absolute privacy.
PCI-DSS is essentially about credit/debit card data. GDPR is about personal information in general, such that you need to let your users know what you are collecting, what you will do with it, and how long you will hold it.
Are people dying from data being collected for website analytics?
It’s a false dichotomy to compare the risk of DEATH from bad food safety to the annoyance of getting a targeted ad whilst enjoying an online newspaper article for which you didn’t have to pay.
Elevating data obtained while surfing the internet to the level of food safety or building codes is ridiculous.
The attitude you have here is exactly the reason why GDPR is required.
Companies worldwide have consistently failed to safely store and process personal data. There are new data breaches every day. Irresponsible processing of data has a direct negative effect, and that’s not related to the idea that it’s misused for advert targeting.
Minimising the incompetence we’ve seen worldwide by treating it as “just some data collected while surfing” is baffling to me.
I have a little birth control pill reminder iOS app I made like 7 years ago that I still maintain in the app store. I don't make really any money off of it but I keep up with it because it has a good amount of users. I don't THINK any of the GDPR stuff falls under anything the app does, but I sure as hell aren't taking any chances. I just removed it from any country that fell under "Europe" in the app store. I guess my point is I agree with what you're saying, and here's an example of a little hobby app that GDPR killed for EU countries. It's not worth my time, money, or risk to bother with it.
> I just removed it from any country that fell under "Europe" in the app store.
I'm afraid that in your overreacting rush, you might have removed your app from European countries that are not within the European Union.
Though if you are collecting more data on your users than you need (why would you need personal data at all for this app?), you might have been doing them a favour anyway.
Don't worry, there are plenty other of similar apps.
The Berlin-based Clue comes to mind; they were offering period tracking, estimation and other features. One day you get a full-screen pop-up saying that they changed their privacy policy and they share your intimate data with so and so, and there is no way to access the app and your data any more without accepting.
Most apps nowadays aren't tools, they're sophisticated scams designed to steal people's information.
I'm not storing any data other than a day of the year and whether a pill was taken. It has Google Analytics and a crash reporting tool in it, and I'm not sure how those play into the whole thing.
Edit: I re-read it and it looks like it only applies if you are a business with physical presence in EU or if the user is accessing from EU
GDPR applies to you if an EU citizen signs up from somewhere outside the EU as well, but since you don't have any physical or online presence in the EU I don't think they will do anything.
Just to clarify your point: it applies to users physically located in the EU. Fines assessed under it apply to businesses that serve them anywhere in the world, which is what makes it so damned scary. The EU government has essentially declared itself the Emperor of the Internet.
Money doesn't have to change hands to create a GDPR obligation. And if you mean "HTTP transactions," it's a fundamental shift in the nature of the internet to block countries by default and enable them only after studying and complying with local regulations. Maybe it's an inevitable or even healthy shift, but it's certainly not a "usual" dynamic today.
It's certainly not a recent development to require compliance with law even for products or services that are free.
Transactions do not have to involve money and in fact, the very topic of this entry on HN is about a website that was free, with transactions that did not involve money.
Really? If it's a currently established practice, what are some prior examples of countries punishing foreigners on foreign soil over websites with no payments component?
Maybe each jurisdiction should be in the business of regulating locally-accessible websites, not just locally-hosted ones, but that's a fundamental shift in the nature of the internet. "Not available in your country" is currently an anachronism. In that world, a prudent web publisher would start out local and enable specific countries for cross-border traffic only as its legal team expands. Internet communities like this one would splinter as people get tired of clicking links they can't follow.
The countries currently regulating available web content do so with network blocks, not extraterritorial enforcement actions against publishers.
The end of the sentence was "not a recent development to require compliance with law even for products or services that are free".
Free doesn't mean you are exempt from complying with law, that is all I'm saying. I did not comment on how this one applies to EU citizens even for foreign services.
In this regard though, it is similar to US law requiring foreign banks to go through special steps when they are dealing with US citizens so that's not anything new either. Money being involved or not in my opinion is not really significant (I actually think that private data is more important and needs more protection than money) but that was not the point of my comment.
I was just clarifying that the Internet’s new Dear Leader will be trying to reach outside its borders to enforce this law. It doesn’t just apply to companies in the EU.
All websites provide services to users in all countries unless they take positive steps not to. Framing this as a conditional, or a counterpoint to parent's claim about enforcement outside EU borders, is bizarre.
People that say this have not actually read the law, talked to “experts” about how to comply, or attempted to comply themselves. I have, and you’re just flat wrong.
I have read the law, read the guidance, been through the GDPR compliance process for a data-heavy product, have talked to lawyers about the same, and my partner has drafted GDPR policies for several large tech firms. I don’t know everything, but I’m reasonably well-informed.
I’m confident that compliance is:
- Straightforward for any non-tech firm;
- More complex but not that hard for most tech firms that handle data;
- Far more complex for large organisations than small ones;
- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.
I’m not sure what your motivations are in making it seem disproportionately burdensome to comply with, but I don’t think they’re good.
I won’t continue arguing with you, other than to say that what you’re saying flies in the face of everything we have been told after spending thousands of dollars on experts and independently researching the issue for hundreds of hours. If you do a simple Google search, you’ll find that we are not alone in this view, and in fact you may find yourself alone in your view that compliance is easy and costs next to nothing. Chances are quite good that if you thought it was “easy,” you’re not fully in compliance.
One thing is completely curious to me. All around the thread there are some people saying that they will block EU users.
I wonder how people from other parts of the world are understanding this and how they look at a site like that? I mean, this legislation that is designed to protect people and their data is making them such a problem that they would rather block roughly 500 million people. I personally would have a huge trust issue, but this is not about me; what do non-EU guys who don't run any site (conflict of interest) think?
I would for instance rather put a huge mark on all pages "GDPR compliant, protecting data even for non EU visitors" or something like that and try to get some money out of that. But that is just me.
@matthewmacleod GDPR in spirit is good for users as it tries to ensure that companies are following good practices wrt user data and users have control over data. But implementing it completely is not easy for small projects and startups.
I completely disagree. Implementing GDPR compliance should be straightforward for most startups and small businesses. Much easier, in my experience, than doing so at a large company.
As a small business owner, I disagree - I was essentially compliant already, with the policy changes required taking an evening to implement. (OK, there was some time spent reading before then, but still).
Ok, I will take a stab here to see how you ended up doing it in one evening.
- What did you do about logs? Things like request logs will at least contain IP addresses, which are PII. Now logs can be cleared after a fixed interval, but the time for honoring a data deletion request is a month, I guess. If you want to keep logs for a period longer than that, what do you do? If you anonymize IPs, it makes other analysis on top of those logs useless.
- What did you do about data backups?
- What did you do about external error reporting services?
- What did you do about analytics services?
The only reason we log IP addresses is for security purposes (e.g. to block IPs that hammer the service, for forensic investigations, fraud prevention) - in GDPR terms, that is a "legitimate interest".
Regarding backups, realistically you are not going to have to delete data from them, as it's completely impractical to delete only data for a particular user from archive. If a user requests their data to be deleted, delete it from the live site and be open with them that some data will remain in archive - securely encrypted and untouched - for your defined retention period.
Regarding analytics, we use Google Analytics, which uses IP addresses to guess location, but doesn't make them available in the admin site - so GA doesn't actually give us any PII. As such, we simply reworded the privacy policy to be more easily readable, so it's completely clear what data we collect and why. The forthcoming Privacy and Electronic Communications Regulation (aka ePrivacy Regulation) should provide some clarity if anything else is required, but it seems likely that simply having cookies enabled in your browser will count as consent.
The EU citizen living abroad doesn't get the benefit of this EU regulation, just like an American living in London can't assert US laws against the British pub he's drinking in.
We (people who operate online services) are exposed to legal action already, but we aren’t worried about it because realistically there’s such little risk of being targeted. The same is true of the GDPR, the organisations responsible for ensuring GDPR compliance are going to have their hands full for years and years to come, by the time the little guys have anything to worry about the situation will be much better defined. I cannot see a scenario in which I’m going to be pursued because of accidental non-compliance with my revenueless service when there are so many large companies that can afford million dollar fines who can’t even store passwords properly.
if you’re so risk averse that any minuscule chance of GDPR noncompliance precludes you from running an online service... aren’t you already not running anything because of existing legal risk?
GDPR simply reminds me of the other possible legal venues small owners can be sued over. So you might be right on your final point.
Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though? You are claiming they will be safe for years but what if bigger players want to make an example out of 5-10 smaller players and just report / sue them to hell and back?
I know I am reaching but this possibility can't be dismissed just like that. Historically, bigger players have exhausted smaller competition with legal fees and effectively drove them out of market. We cannot in good conscience claim GDPR won't ever be used like that.
I'll be happy to be proven wrong in several years time from now, but right now I am simply not sure if GDPR is gonna be used for or against the free market (competition). Not claiming either way, just saying the risk wouldn't be worth it for me for now.
Not biggest players, but your competitors to make your life a hell. I already have competitors that are butthurt and spread shit about me since their clients come to me and they lose business.
That's what I'm afraid of, not getting randomly picked by the regulators.
But would another company even have standing to sue? The GDPR is about personal data of natural persons. Such data subjects can sue under Art. 79 if their rights are violated. The most another company could do would be to “incentivize” a natural person to get their rights violated by you and then sue.
> Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though?
The language of the GDPR makes frequent references to the scope of the processing activity and to its frequency. The law purposefully applies less to smaller controllers. The authorities have made their job harder for going after smaller controllers.
Moreover, the GDPR is done in the scope of the EU, which is not very litigious. Bigger players are unable to bring legal claims against smaller players in any way. The only way for them to game this system would be to fraudulently lodge complaints at the data protection authorities who would have to not notice what is going on and actually bring action against the smaller players.
I'm a small business owner and this is my concern as well. What stops a competitor from just paying a lawyer to sue you or report you to GDPR authorities? Even if you are 100% compliant (which I doubt), you'll still have lots of issues, stress and wasted time with the audit.
Exactly. Even if you win, you won't win anything of much value -- most (if not all) of the money will likely go to your lawyer. And you have a lot to lose, mostly wasted nerves and time you could have spent improving your business -- or simply living your life stress-free.
Defending even from bogus lawsuits is a huge expense of human energy for the non-experts (I'd wager that's 99% of the world's population).
We're a medium-sized software company, and we had to create a dedicated GDPR position so someone can look into everything and decide whether we're GDPR-compliant, and if not, how we can fix it. GDPR really complicates everything, even though most of us (devs) are actually in favor of it (because we don't really like the idea of companies tracking us forever).
Sue you for what? What "suing ammunition" exactly does the GDPR provide your competitors with?
The authorities are not idiots, and have limited resources - they are only going to be chasing the true bad apples that are willfully infringing the GDPR.
> Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.
Even if they could fight, why would they want to? There are lots of us with tiny things on the internet where the burden of maintenance is only slightly below the enjoyment we get making it available. Increase that burden and the costs are negative and things get shuttered.
Question, if I have a small thing and don't want to preemptively concern myself with GDPR, as a non-EU site operator can I tell an information requester "no"? Might I harm my ability as a person to travel to the EU? Ignoring the standard "if you do nothing wrong you have nothing to worry about" and "the GDPR is really easy to understand" arguments, and assuming I'm not wanting to do any real work, would it be wise for me to just add known EU subnets to my firewall?
In the spirit of my original comment I'd answer "yes" to your last question. If I wanted a legal career I'd pursue that -- but I don't. So I'll cut my losses. That doesn't mean I am a shady operator; it means I don't want to risk being sued for money I don't have and likely end up in jail; in the EU you can't just declare bankruptcy and run free afterwards.
Hobby or goodwill projects (==not turning a profit) just aren't worth that risk.
It cares about the location where you're targeting your goods or services, the location where the data processor or controller is established, or the location where the data is processed. Not anyone's citizenship. Much reporting has been sloppy about this, but the more precise info is consistent.
Ok, that does seem to be the consensus and a good reading of the law.
However, IP blocks are still useless for the reverse reason: someone "in the Union" could be VPNed through another country. (For example, I'm on vacation somewhere in the EU and VPN through my home computer to purchase something and have it delivered to my house in the US. By virtue of being in the EU at the time, at the least that specific information collected during my stay would be subject to the GDPR. How would said company ever know?)
If you're making a purchase for delivery to the US and using a VPN to hide your EU location, that wouldn't bring the website under the scope of the GDPR regardless of your physical location: the EU guidance talks about signs of targeting the EU for the offering of goods or services.
Examples they list: use of EU languages or currencies not used in the host country, use of EU domain names, specific wording addressing an EU audience.
This kind of nuance is where it's good that humans are the ones enforcing the GDPR, instead of needing a programmable rule.
> 2. Article 3(2): "This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b. The monitoring of their behavior as far as their behavior takes place within the Union."
This doesn't seem to discuss intent at all? I mean, we could mince words about what offering a service means, but that doesn't seem productive and unless there is some other part of the law redefining this, won't make me comfortable.
The official EU guidance (not in the text of the GDPR) clarifies what offering means - it requires some evidence of intent to target the EU, rather than merely not blocking the EU.
While that point of guidance won't have region-wide binding force of law unless the European Court of Justice rules that way, I'd be extremely surprised if any national supervising authority or court system would contradict such a document, since the official guidance's reading is clearly among the possibilities consistent with the text (admittedly not the only one) and predictability of this kind of law is key to achieving its goals. Even if they do, they wouldn't likely penalize people with more than a warning if they haven't announced their weird interpretation in advance.
This is an excellent example of the problems people are worried about though.
Q: is it possible to be in violation of the gdpr in a situation where you could never know you needed to be compliant and have taken steps to avoid serving EU countries?
A, official: Yes.
A, unofficial: Most likely not if no one's having a bad day or has a bone to pick or is just being uppity.
The official answer isn't necessarily yes, though. The official answer is more ambiguous than that - "offering" can mean what you think it means, but it can also mean what the official guidance says.
Also, both answers are official and from the EU institutions. One is the law, and the other is meant to help interpret and apply the law. I'm not talking about third party compliance guides (except for the link I shared), of which there are many.
With all of that said... If you have both taken steps to avoid serving EU countries AND have also done things which they view as targeting EU countries, the answer would be murkier. For example, if you block European IP addresses but also use .de and .fr IP addresses and accept Euros, they might consider it to apply despite the IP block.
I'm also not sure what would happen if you took no explicit steps to target, but saw 80% of your customers coming from Europe on a sustained basis and did nothing to stop that.
Overall, the law will be interpreted with its own intent in mind: it should apply if you're engaging with Europe, but not automatically globally.
I understand if you want more certainty, but that's how computer programs operate, not laws.
It's the other way around: it applies to people within the EU, regardless of citizenship, so for example a non-EU national that resides within the EU would be covered, but data provided by an EU national while living in the US wouldn't be covered.
Yes, I realize that now, but since I can't wait to say I've been told so, I'll keep getting downvotes :)
The recitals do sound as if it applies to citizens, however the actual definition of a data subject for a company outside the EU is someone "in the Union".
I understand that Germany may impose criminal penalties for certain violations of the GDPR, maybe other countries too. In that case yes, you could get arrested changing planes in Frankfurt, and spend time in German prison. The probability of that of course seems very low.
An EU government could try to convince your own government to enforce their fine / injunction / extradition / whatever. I don't think the USA has any treaty or other law that would compel them to. I'd guess that Trump's administration would treat the request as something between a joke and an attack on American sovereignty, so I doubt that's a major risk here. Other countries may vary.
The easiest path for the EU to enforce is probably through your customers and vendors, probably starting with payment processors--like, require everyone who processes payments in the EU to transact only with people who transact only with GDPR-compliant companies. My personal guess is that everyone with a business model that depends on breaking the GDPR will move offshore, and the EU will play the same game of merchant account whack-a-mole that the USA does for online poker and such. I'd guess that the effort to enforce offshore will be big enough that only the most egregious violators will be worth the attention.
Pretty sure there is an extradition treaty [0], which the US makes use of to e.g. try and get British hackers extradited [1]. Such requests can be blocked (also [1]).
Yeah, but extradition treaties generally require "dual criminality", that the offense be a crime in both countries. If your offense wasn't a crime in the USA, then you probably won't get extradited; and if it was, then the USA probably has jurisdiction too (assuming you were physically here when you did it), so the USA can prosecute you itself.
Fair, and my reply was unclear. I mean that if the act is a crime in both countries, then it's a crime in the USA, so you'd be committing a crime with or without the GDPR.
Or, to put it another way: a big group of tech people who have no interest in protecting the data of their customers, preferring to be able to cut corners and do as they please with information that is not theirs.
There is nothing in the GDPR that allows for a person or lawyer to sue a company for GDPR non-compliance. All they can do is complain to the regulatory authority in their EU country, which has the sole power to issue fines. And if you're not taking care of my data, then I have no problem at all with you being fined.
Is deliberately missing the point giving you pleasure?
I stated exactly what I had in mind, the rest is your projection and fantasy.
You say there is nothing in the GDPR that allows a person / lawyer to sue a company. I have no reason to doubt that. Okay. But laws aren't that clear-cut; there are overriding laws, parent laws, derivative laws... the spaghetti black hole is huge and everybody who isn't a hardcore specialist lawyer can't possibly hope to be 100% informed and protected.
That was my original point and still is. How did you transition to the hint that I am (1) farming personal info, (2) not taking care of it, and (3) I deserve a fine.. guess that's one of the Universe's mysteries.
After more than a decade of privacy abuses from almost all companies, I am perfectly ok with the collateral damage to start-ups, apps and personal projects that this law will cause, as long as it stops the abuse.
Society doesn't owe entrepreneurs a business model, but it does owe people a dignified life and some control over information that can be used to harm them.
I fully agree and that's why yesterday I deleted 7 hobby projects -- all their databases and hosted apps, cancelled VPS subscriptions and never made any backups.
Never put ads, never put trackers, never sold anything to anyone. Hell, I just checked their VPS dashboard once a month, that was all.
Since I don't want to deal with the legal baggage I am doing my part in NOT contributing to the rampaging privacy abuses and simply destroyed anything goodwill that I created in the past that might have collected any shred of personal data.
Thus I am perfectly okay with my personal project being a collateral damage of the GDPR. I believe in the GDPR and want to see responsible private data usage.
I paraphrase: what most posters here seem to miss is that most chemists cannot be bothered to read up on environmental rules. It should be my right to dump toxic waste wherever I want, because I am a chemist.
Sorry, but society doesn't work like that. You are always responsible for your actions no matter if you earn a profit or not. And not bothering to read up is also not an excuse.
Companies take risks. This is just another one, that has to be managed like all other.
Good thing I am looking for your pardon then. Let's try that again:
(1) I have a few hobby and free projects hosted on the net where people sign up and might fill up full names. Never made a penny out of them, never had any trackers or ads -- just a bunch of acquaintances used them, and maybe 50-100 strangers.
(2) I don't want to deal with the GDPR.
(3) I delete the entire database without backing it up.
(4) I delete my hosted app and don't renew my VPS subscription.
Zero damage done now and in the past because I never sold any data to anyone.
What part of that gives you the hint I am irresponsible? Society might "not work like that" as you say and since I don't want to deal with extra legal baggage, I am simply doing my best not to contribute to the abusing privacy problem. I delete any and all traces of personal data my hobby apps gathered.
Really, what's so unclear or tempting in my original comment that makes you people attack me?
First of all, I wasn't attacking you, but your statement, that to me sounded like "who cares about the law, I am a programmer".
If that wasn't what you meant, then I am sorry to have misunderstood you.
Fact is, we have a giant tragedy of the commons due to loose and fast play with people's personal data. This is similar to what happens in third world countries where people play fast with workplace safety or environmental laws.
My point was, any data you collect has a risk of doing harm and we have historically grabbed everything in sight, just in case - as if there were no potential downsides to it.
What happens when somebody's side project (which hasn't been updated for 18 months due to lack of interest) gets hacked and a gay person's sexual preference and home address is leaked and that person is killed by haters? (extreme example I know)
I have no problem with you doing the above 4 steps, but I do think that we, programmers, have a collective responsibility to safeguard people against non-obvious (to the layman) dangers, the same way as any other industry.
And the tone in this thread is hysterical from the "ooh the GDPR is the devil incarnate" group.
Fact is that the "new" regulation aligns with what most Europeans would have believed had been the law all along (and actually was, just mostly non-enforced).
I also acknowledge that the US has vastly different ethical standards and that everyone is free to be exploited as much as they want.
Click-through EULAs are also not binding in Europe, for example. I am interested to see what happens when a DPA takes an American company to court due to having given themselves unlimited consent on page 2712 of their EULA.
If those companies withdraw from Europe, I welcome the collateral damages of some innocent but lazy projects..
Do you really think that a thought about what data you really need (and why), the need to actively safeguard the data (especially the sensitive) and a need to formalize those thoughts on paper is an unbearable burden?
All the American scare-mongering about the fines comes from people that don't understand European law practice.
And the whole affair of Facebook moving non-EU people away from the Irish jurisdiction to have them not under the GDPR shows that it will probably work as intended. (Some people call it Lex Facebook already)
> First of all, I wasn't attacking you, but your statement, that to me sounded like "who cares about the law, I am a programmer". If that wasn't what you meant, then I am sorry to have misunderstood you.
You did misunderstand me. I take partial responsibility but really, give us programmers at large a bit of credit. A good amount of us have a lot of culture in other areas and aren't that immature. (Sadly however, a lot are, so I can understand your negative assumption.)
> Fact is, we have a giant tragedy of the commons due to loose and fast play with people's personal data. This is similar to what happens in third world countries where people play fast with workplace safety or environmental laws.
100% agreed with this and your next several paragraphs. I never thought that was okay. Never. But I had a rather cynical view on it: no laws about it? Sure, let's abuse as much as we can! That's how corporations are and that's how they will always be -- it takes a certain mindset to grow into a corporation and I am afraid that being rather scummy is practically a job description for the people who make the corporations come into being, and grow. I also always thought that when the inevitable regulation comes, that's NOT gonna change like anything.
Imagine if FB made you click "I Accept" on a dialog box that deliberately obscures the fact that they want to gather and use your data. What can you do? Report them? By the time a judge calls on them, they might have a switch to make the popup look 100% legit but who cares -- by that time FB or any other corp. might have the "informed consent" of millions of people, again.
It's a huge game of cat and mouse and IMO the regulation we see now is just the first step. I anticipate tens of other steps so things aren't gonna get better anytime soon.
So there you have it. An opinion from an Eastern European dev. ;)
> And the tone in this thread is hysterical from the "ooh the GDPR is the devil incarnate" group.
IMO only if you feel you are on a mission to calm down hysterics. Our perceptions are warped by our preconceptions, we all know it. Example: in my eyes yes, there are alarmists, but many more people who are outraged by the inevitable fact that all of us have to become a little bit of lawyers in order to not get chased by the EU (and not only in terms of the GDPR, of course; there are many other venues through which we can be attacked). I understand the idea of GDPR and I support it fully but that doesn't stop me from disliking legalese.
I don't want to ever abuse people's privacy but I also like to remain a programmer, not become a half-lawyer. Okay? That was my message all along.
> I also acknowledge that the US has vastly different ethical standards and that everyone is free to be exploited as much as they want.
As a European, yes, that has been my observation for a LONG time. The USA tech sector has a huge ethics problem and the VC-enabled tech bro culture in SV is only making things worse with time. Somebody should definitely do something because the world is taking notice. VCs operate on reputation as well and sooner or later more and more of them are gonna start refusing to fund startups.
> Do you really think that a thought about what data you really need (and why), the need to actively safeguard the data (especially the sensitive) and a need to formalize those thoughts on paper is an unbearable burden?
OF COURSE NOT. But again, that's my point. It's an expense you absolutely have to spend when you make a profit. But I didn't; like the OP, I had hobby websites. It's a simple cost calculation. I don't want to become a GDPR expert for things that don't make me money. Thus I shut down my personal projects. If and when I become a guy running a service for profit, I will go the extra mile and shoulder the burden of protecting personally identifiable information.
> All the American scare-mongering about the fines comes from people that don't understand European law practice.
Not sure it's only that. You can call me a scaremonger in this instance as well. It's just that I am no expert lawyer -- and for me this fact leads to the conclusion that I can be brought down if an expert lawyer wants to get their hands dirty with me. Nothing more, nothing less. Our so-called "justice system" favors the side with the better-paid / more-experienced lawyer and that's pretty much historically proven, especially in Eastern Europe. Maybe it's less visible in most of EU and USA but from what I've read through the years it seems to happen quite a bit there as well.
Maybe the people disagreeing with me believe in the system much more than I do. Perhaps my cynicism is seen as non-constructive. But it's well-founded in the reality I live in.
This is why regulation favors incumbents. The rules don’t help any individual company, so they won’t self-regulate, but the cost becomes a barrier to competition and innovation.
There were "legal matters" on the Internet before the GDPR. These scary rogue legal firms can already target you if they want, without the GDPR. Yet plenty of law abiding small Internet businesses existed yesterday and will continue to exist tomorrow.
I don't currently run a business online, but if I were, honestly I'd be more worried about the usual headaches like accepting payments legally, dealing with spam/fraud/abuse, finding product/market fit, etc. GDPR would be somewhere around 500th on my list of "start-up things that give me crippling anxiety."
This is why I don't get all the hysteria and all the "block all EU IPs!" comments of people in this thread. For years, there have been 28 different data protection laws in the EU that you could be sued with. Now there will be a harmonized one.
So from getting sued 28 times with 28 different laws you have reduced your risk to being sued with just 1. Now, in order to have an online business in the EU you just need to comply with 1 data protection law instead of with 28. How is this bad?
What I suspect is that many people were just not aware of the 28 previous data protection laws that they needed to comply with, at all, and are now realizing that these laws exist.
I don't see how your points and mine conflict. They don't, IMO.
GDPR simply made me aware that I am not willing to go the extra mile for hobby projects so I shut them down and never sold any info to anyone, nor have I served ads/trackers.
Many commenters in my sub-thread here are making me look like a hysteric and that's seriously annoying. It's all about deciding if a cost is worth it and I figured in my case it wasn't. Why make it more complex than that?
... well, you set up a LTD precisely to limit liabilities in that catastrophic case scenario but you'd probably find that people "coming after you" will be proportionate to how much you have to come after ... I.e. if you're a guy with a side project that makes no money; you're unlikely to attract "parasitic lawyers".
Further, in my opinion the GDPR is wholesome. You ought to implement it even if it didn't exist. If your business relies on playing fast and loose with user data then IMO it's not an honest business ...
Further still, the worst punishment is 4%/20M; it's not the default intervention or anywhere near the only way that the GDPR will be enforced.
Regarding your first statement, GDPR does not apply to personal projects. Only to business to consumer interaction. You are at less risk (in fact, zero), if you don't have an LTD as you are outside the scope of the law.
The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).
They don't even need to dig up any possible violations - just the legal process alone is enough to kill any side project.
Or, "You can beat the rap, but you can't beat the ride." For a small company or individual, even winning a GDPR case will be a Pyrrhic victory.
Guess they believe in the system more than I do. My country -- and the EU -- has been known to have cases where a big player makes a grisly example out of a small player, in basically every business area.
> The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).
> Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.
Isn't this the same with the other laws, like copyright, trademark, patents, software licenses?
I could say the same about one of these other laws: you may have a video of you doing something cool and a bit of copyrighted music could be heard in the background, then you could get sued by a big bad law firm. The difference is that in this case the regular citizens are protected and not the budget of big music publishers.
For my hobby projects I'm more worried about getting expensive letters from greedy lawyers telling me about some non compliance issue (Abmahnung) not about government authorities. Especially since you often have to sign agreements which include high fines for a second violation (Strafbewehrte Unterlassungserklärung). Considering the complexity of the regulation, reliably avoiding violations and regressions sounds difficult.
I am resisting a push into converting from an on-premise, installed product to a SAAS model for precisely these reasons. I don't want to be responsible for that liability, and I'm just the engineer doing the work. It's a minefield, compared to the way things were.
That seems backwards; with a data agreement between you and the saas - the saas takes on much of the liability for the day to day (eg: making sure data is actually deleted - from backups as well).
> The problem is what happens if a legal firm or an agency targets you.
Nothing. GDPR enforcement is carried out by each country's regulatory authority; they're the only ones who can sue, target or take action against you for non-conformity.
A lot of people here: please CHILL. You make me look like a hysteric. Not what I had in mind.
- I don't want to become a semi-lawyer or hire a lawyer until absolutely necessary.
- I had 7 hobby projects where people could fill out full names if they wanted to.
- I deleted all of them -- apps and database -- without backing them up. Never served ads or trackers, never had a 3rd party JS on any of them. Unless somebody had unfettered access to the VPSes without me knowing it, I never leaked personal info.
It's a very simple cost calculation: I don't even want to invest 2 hours in reading the GDPR in detail, nor do I want to rework the hobby projects to encrypt the personal data in the DBs, hence I refuse to be a part of the privacy abuse problem and delete anything that might have gathered any personal data. I believe in the GDPR and this was my way to at least not contribute to the problem.
Seriously, what's so unclear? You can repeat to me that "knowing laws and protecting from bogus lawsuits is a fact of life" but it doesn't have to be before I have a business -- which I don't. So I still respectfully disagree that I have to learn legalese today.
So seriously, don't get so worked up over a comment that expresses a sentiment that I want to become more law-aware only when absolutely necessary and not a minute before that.
Fair point, but I personally wouldn't ever do that. There are well-known solutions to the problem: the user's cookie after authentication is not persisted on the server and only an ID is used (the key is derived from the password, otherwise this wouldn't ever work). Then another part of the cookie serves as an ephemeral key that the backend uses to decrypt and serve the personal data back (through HTTPS). Again, that second part of the cookie is never persisted on the server.
I am not asking anybody to take my word for it, just saying how my ethics and tech education tell me I should be doing things.
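The scheme in the comment above, written out as an added example rather than code from the thread: the server persists only a salt and AES-GCM ciphertext per user, the data key is derived from the password (PBKDF2 here, an assumption) and travels only in the session cookie, and each request decrypts with the key taken from that cookie. The cookie layout `userID:hexkey`, the in-memory store and the sample data in the comments are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

const kdfIterations = 100000 // PBKDF2 work factor; an assumption, tune per hardware

// Record is all the server persists per user: the KDF salt and the AES-GCM
// ciphertext with its nonce prepended. Server keys records by user ID.
type Record struct{ Salt, Ciphertext []byte }
type Server struct{ records map[string]*Record }

func NewServer() *Server { return &Server{records: map[string]*Record{}} }

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key (one block),
// written out here because Go's standard library lacked PBKDF2 before 1.24.
func deriveKey(password string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Register encrypts the personal data under the password-derived key and
// stores only salt + ciphertext; the key is gone once this returns.
func (s *Server) Register(userID, password string, personal []byte) error {
	rnd := make([]byte, 16+12) // 16-byte salt followed by the 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return err
	}
	salt, nonce := rnd[:16], rnd[16:]
	gcm, err := newGCM(deriveKey(password, salt))
	if err != nil {
		return err
	}
	s.records[userID] = &Record{Salt: salt, Ciphertext: gcm.Seal(nonce, nonce, personal, nil)}
	return nil
}

// decrypt opens a record with a candidate key; a wrong key fails the GCM tag.
func decrypt(rec *Record, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize() // records come from Register, so len >= n holds
	return gcm.Open(nil, rec.Ciphertext[:n], rec.Ciphertext[n:], nil)
}

// Login re-derives the key from the submitted password, proves it by decrypting
// the record, and returns it in the cookie "userID:hexkey"; the server keeps no copy.
func (s *Server) Login(userID, password string) (string, error) {
	rec, ok := s.records[userID]
	if !ok {
		return "", errors.New("unknown user")
	}
	key := deriveKey(password, rec.Salt)
	if _, err := decrypt(rec, key); err != nil {
		return "", errors.New("bad password")
	}
	return userID + ":" + hex.EncodeToString(key), nil
}

// Serve is the per-request path: the ephemeral key arrives in the cookie,
// decrypts the record for this one response, and is discarded afterwards.
func (s *Server) Serve(cookie string) ([]byte, error) {
	userID, keyHex, found := strings.Cut(cookie, ":")
	key, err := hex.DecodeString(keyHex)
	rec, ok := s.records[userID]
	if !found || err != nil || !ok {
		return nil, errors.New("invalid cookie")
	}
	return decrypt(rec, key) // a wrong or wrong-length key fails here
}
```

A forged or wrong key fails the GCM authentication tag, and the same property means a lost password is a lost record, since the server holds nothing that can decrypt it.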
Are many US-based businesses considering limiting access to EU consumers to avoid GDPR? Reselling user data seems to be part of many business models, and I don't know if the EU is such a huge market internationally, especially without the UK. I support the goal of improving data privacy, and in general GDPR is seen positively by those I've talked to, but the EU's last attempt resulted in useless, intrusive cookie warnings all over the place.
> [...] there is a big group of tech people that have no interest in dealing with legal matters more than the bare minimum, and overall deem them risky.
Then maybe those people shouldn't be opening side businesses? Running a business implies having to deal with business matters which include legal.
For example in Switzerland if I want to open a small cafe in the corner selling home made cheesecake, I'll have to first figure out what the exact regulations in my state are, obtain a permit for opening one, create a "Hazard Analysis and Critical Control Points" concept and send it to the authorities, make somewhat sure I get accounting right, maybe getting a permit for infrastructure changes, etc.
I'm not talking about GDPR especially because I don't know enough about it yet. And in general I am sceptical of laws and regulations that don't seem absolutely necessary.
What I don't get is why anyone should care that some tech people running a business don't want to deal with legal like everyone else? What makes us so special?
I don't run a side business and I don't collect personal data.
I had 7 hobby projects that very few people used. After I read on the GDPR yesterday, I simply deleted all their databases and apps (without backing anything up) and didn't look back.
I believe in the GDPR and I don't want to become a part of the problem. The lowest friction solution was to just delete stuff I don't deem at all important.
If I am to open a business, I'll cross 100 rivers to be GDPR compliant. And you are correct -- we techies aren't special, of course.
I only asserted that for hobby projects or projects that are not turning a profit the extra effort is simply not worth it. Nothing more.
> You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that.
This is still debatable, because what if in near future your encryption turns out to be weak and all the personal data become readable again? Things like this... This law was really not thought through.
>> The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).
As I understand it, you will be able to appeal or somehow else address the European Data Protection Board, that will be tasked with ensuring the consistent application of the regulation:
Coordination and Consistency
Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.
One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.
I admit that I'd do that. Lowest friction solution. I don't want law enforcement agencies knocking on my door because I host a hobby project on a free / $5 tier VPS for years.
My intent isn't malicious. I simply don't want to invest in more maintenance. Hence I'd block EU, yes.
Do you also block all US IPs to avoid patent infringement claims? What makes you think the GDPR is broader in scope than the patents the USPTO hands out? In the patents' case, there is even a direct financial incentive for companies to sue you, whereas in the GDPR the interest of the regulatory body is primarily compliance.
That won't completely protect you, it would only greatly reduce your surface of exposure; the EU user could still reach you via a VPN or simply sign up while visiting the US.
I haven't read the papers but only a few online summaries, but each mentions very strongly that the GDPR directives are not limited to you running a business or website in the EU zone. You need to implement GDPR if someone in Australia is using a European IP. You also should assume that a signup IS EUROPEAN if you haven't given them the chance to say otherwise on your registration form. For example a European citizen can visit your US-based website when he/she visits the USA, sign up, then go home. Since she/he is an EU citizen, you need full compliance on your end. Or face a €20 mil fine (I assume your startup is not making more than that off of 4% revenue).
I don't imagine a European country arresting an American for something that was done in America that is legal to do in America would go over real well with the US government.
Your link does not work, because it ends in a period. HN takes the period as being the end of the sentence rather than as being part of the link. Here are working links (mobile, non-mobile):
Also question how would they know who owns the company? I don't think US Gov would easily give out info on US company to foreign country or Union for such no-crime related abuse.
The risk is an EU court telling Google to stop dealing with you because you're in violation, or even worse: a payment processor like Visa. Not to mention that you and your employees are now unable to safely fly anywhere within the EU or anywhere with an extradition treaty with them.
You don't necessarily need a screenshot, a copy of the webpage the user saw would IMO be sufficient.
You need to be able to show the user agreed and what they agreed to exactly. A screenshot might do that but might also not be sufficient (if there is more text elsewhere on the signup process related to privacy)
A screen capture is the easiest way to achieve compliance but the regulation leaves open other methods as long as you can show that someone gave consent and to what exactly. (IMO you could also store the HTML of the webpage they viewed at the time)
The law says you have to be able to prove the user ticked the box and provide an audit trail for it, IIRC some recitals mentioning that you should be able to reproduce the exact agreements the user made (ie, either in text or as a screenshot) so that you can later show the user and any regulatory body that asks what they agreed on.
No, those recitals are exactly what make my point. Numbers 23 and 24 of the accompanying recitals on that page state that, even if you are not established in the EU, if you profile people "within the EU", the regulation claims to apply.
"Within" is a physical location, so arguing that IP block associated with request is a perfect proxy is at best a legal grey area. For example, an EU citizen could use a VPN to access your services and then send you a data request. See here for discussion: https://www.gdpr360.com/gdpr-ip-addresses-and-classification...
If this seems like a low risk incident, consider that there are litigious people inside the EU (as everywhere) that may actively explore the boundaries of the law.
Careful. You were talking about capturing data in the comment I responded to. Now you are talking about profiling. These are distinct things under GDPR, with different rules.
Profiling data subjects in the EU is covered, regardless of where the processor/controller is located.
If you are processing personal data but not profiling and you are not established in the union it only applies if the processing is related to the offering of goods and services to data subjects in the Union.
For those who are not profiling, blocking EU IP addresses should help establish that they were not envisaging offering goods and services in the Union.
I was loose in introducing the word "capture", which blurred the distinction you're making. But the OC seems to be suggesting that IP blocking is likely to be a one stop solution for someone trying to avoid GDPR details, and your replies leave open that impression.
In fact, there are many ways someone might be profiling without knowing it. For example, precedent about when logging IP addresses constitutes PII is still evolving and seems to apply in cases that would be unintuitive to many US businesses: https://www.whitecase.com/people/tim-hickman. And there have been arguments that geolocating based on IP might itself be data enrichment that contributes to an argument that you are profiling!
Similarly, I haven't seen a clean interpretation of what constitutes offering (or clearly not offering) services to EU users, which determines application to a data processor. For example, if I offer a Portuguese translation of my site for Brazilian users, have I offered service to continental Portuguese?
IANAL but nobody knows exactly where GDPR will apply yet. I think the better takeaway for someone who is trying to respond with minimum effort is: IP blocking might help you build a defense, but it might matter how you implement it and it might not be sufficient.
Note that the regulation talks about where the requester is, not where they report to be.
Some legitimate experts have concluded that this wording allows someone in the EU using a VPN that reports them as coming from outside the EU to be covered.
That seems like a low risk incident to me, but I’m not a lawyer & I can see where that interpretation comes from.
Can anyone give an example of a company that has been targeted by a legal firm or an agency? All I know about is patent trolls. So how would these legal firms make any money from the GDPR!?
Apart from selling services related to the GDPR, such as helping companies with compliance or helping individuals report problems, they won't. It seems a lot of people haven't even read the cliff notes version but are happy to proclaim the sky is falling. The GDPR will be enforced only via the appropriate agencies in each country where it is law.
Form a limited company and run the site from that. If you're prepared to shut the site down anyway, then that remains the worst thing that can happen for non-compliance.
There's no need to shut the thing down just in case someone sues you when that hasn't happened yet.
On the other hand, there's a good reason to shutter your site because you don't have time to make it respectful of people's privacy. By all means, shut down your site because the GDPR makes you realise that! But that's not what OP is saying.
>Look, it's not hard to encrypt all personally identifiable information; there are ready-made frameworks that let you choose which DB columns you encrypt and how. You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that. The problem is what happens if a legal firm or an agency targets you.
The problem is also not botching the encryption process -- and relying blindly on some "ready-made frameworks" is a sure-fire way to do that.
I'll immediately agree to that but in the spirit of the GDPR which allows you some screwups, isn't that still better than keeping non-encrypted personal data on a small VPS you have no idea if other people have no unlimited access to?
I shut down my hobby projects because I didn't want to rework them. Deleted everything, never sold info to anyone, never served ads and had exactly zero external JS snippets on them.
If I am to open a business, I'll however work a lot to be GDPR-compliant. I believe it was about damn time for something like that to emerge.
Yeah, that's what I was talking about couple of weeks ago here. I was afraid that GDPR will stifle innovation and it's just a beginning.
GDPR is a highly vague, omnipresent regulation with huge, strict fines. It's like the infamous cookie law times a million.
They could make it into a good law, my opinion on what should have been done:
Keep good parts, such as:
- Appoint an official 'security' representative who is responsible for breach disclosures, promoting security practices etc. That person can be personally held responsible for shifty company behavior (though nothing draconian) like not disclosing a breach, so they would be motivated to be on the user's side in the company.
- Give users the ability to download their own data
- Give users a clear way to tell the company that they want to stop using their account (and related data gathering)
- Mandate more open disclosure of what is done with data gathered from users
And also:
- Mandate easier ways to review EULA and changes to EULA (like each change should be available separately, describe what changed and why)
- Create system of centralized disclosure of security vulnerabilities by third parties, with record showing request and response publicly after some time. Maybe also create some system of grants for third party penetration testing for larger players in the internet.
- Split available data into categories, like 'non-sensitive data', 'sensitive data', 'highly sensitive data'. Medical records, financial records etc is highly sensitive and higher standards are applied. Email and name is non-sensitive data (so you could run a simple forum, or any other simple free service, where you only want email from a user, without being afraid).
- Split companies into tiers, under 50 employees or 100000 users nothing applies; 51-1000 employees higher standard applies; over 1000 - full power applies. This also should be tied with previous point - for example, smallest tier company should still be responsible for some rules if they deal with highly sensitive data, and if it's largest tier company they should be following some rules even if they only deal with non-sensitive data.
- More sensible fines. For example 1% or $100k, whichever is smaller for the first time, 2% or $1m second time etc. Designated security officer can also be held responsible in the same manner (like, % of salary and later being forbidden to work as a security officer). It can also be tied to tiers of companies.
- Start applying the law gradually, beginning with applying it only to European countries.
I believe that would keep benefits for users and won't create giant problems for the industry as a whole.
With one minor exception, you have just described GDPR.
The exception being: there is no minimum for fines. So a small company could be fined absolutely nothing for an infringement if it was representative of the harm caused or they fixed the issue.
Also, security representatives--actually called data protection officers--are only necessary at large scale or highly sensitive operations.
The law is being applied gradually. It is already in effect and has been for two years. The approaching deadline is when the penalty clauses will come into effect. How it will be applied remains to be seen, but has no bearing on the validity of the legislation itself.
Not exactly, I specifically left out the 'right to be forgotten' part. Also, I didn't see anything specific about tiers for companies and data (I didn't read the whole law, only its explanations) - where you clearly know what applies to you. With the GDPR, as you said, a small company could be fined nothing, but it also could be fined a lot - that's the problem, you don't know for sure and that's a risk which streetlend.com was afraid of. If they could just look at the GDPR and say "ok, we're a small company and we don't hold any highly sensitive data, so according to the law we just need to provide users with clear ways to stop using our service; ok, keep going" it would be much easier. One of the main problems of the GDPR is the uncertainty around it. Also with gradually I meant geography - only within the EU for its companies, because frankly I don't like the idea of countries deciding to apply their rules on the internet worldwide - it can get messy pretty quickly.
In my mind, the right to be forgotten is implied by your bullet point "Let users clear way to tell company that they want to stop using their account (and related data gathering)" By the definition of data processing, streetlend has to delete all my data to stop processing it.
It is pretty clear what streetlend needs to do to be GDPR compliant: if the user data is actually being sent to the third parties (the ad networks) then users need to explicitly be told this. If the data is not being sent to third parties then users already consent to their data being stored by entering the data (the data is necessary for the performance of the service operated).
Next to that: allow users to delete their data when they close their account (this should be as easy as setting cascade on foreign key constraints).
As for the geography: if your interaction with European citizens is incidental and not purposeful, you cannot be charged under the GDPR. It is only if you are actively trying to target your goods or services to the European market that they will enforce against you. This is obviously the case since they will have no power to enforce the law otherwise, but it is also covered by the three paragraphs of Article 3.
I wasn't talking about data processing, but data gathering. What I meant about stopping using an account is that they won't send you any new notifications, won't show you as a possible friend to other registering people etc. By data gathering I meant that they won't track you anymore, like if you exit Facebook, they shouldn't still be adding info about you through all the like buttons etc.
> Next to that: allow users to delete their data when they close their account (this should be as easy as setting cascade on foreign key constraints).
That is definitely not easy and doesn't work like that. That's why it's common practice in any serious system to have 'deleted' flag instead of actual deleting.
> It is only if you are actively trying to target your goods or services to the European market that they will enforce against you.
Yes, and if you target whole world like most sites in the internet do, you're targeting Europe?
Spite. I've seen big players (controlled by pissed off influential person) chase down small businesses in my country relentlessly, to the point that the father of a family had to serve in jail for 2 years because he couldn't afford the fines. The lawsuit lasted 3-4 years and the poor guy was called to court basically every month... It was awful to watch.
Eventually some good souls gathered the fine money and bailed the poor man. And then the suers got pissed and tried to raise the fine, eventually had to pay for... I don't know the legalese for that, but basically they took it too far and the judge called them out on it and forced them to cover ALL legal expenses.
My point however is that for ordinary people even the nerves and time lost in a lawsuit are too big a price to pay. We aren't machines, these things get to us.
The law is not even in effect yet. The persecution you're talking about is imaginary. Those of us having trouble being so imaginative probably tend to prefer waiting for evidence.
You're right. On that note, it's best to never leave your house. It's just not worth the risk. How can you be sure that debris won't fall out of the sky? Do you have a crystal ball?
I'm aware of the risks involved in going outside and I plan accordingly, that's why I have life insurance. I wasn't the one who said that was a "scenario that never happens".
Because there are ~25 existing sets of laws on the same topic [based on GDPR's predecessor framework, but evolved in different ways] that GDPR normalized into a single, common modern framework. Nothing horrible happened with those old laws.
Ok, then don't comply and shut down, but I don't see what's ambiguous about the GDPR in this context. Also, the goal of the EU is not to fine the hell out of small businesses; it's compliance. Companies found to be out of compliance will be worked with, and an attempt to conform to the spirit of the law shows good faith.
This article sounds a lot like sour grapes and shows no real attempt to actually figure out what compliance would look like.
> The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).
And in that case the regulator would write you a letter asking you to fix it. At that point you have the choice to fix it, or to write back and explain why you can't fix it now. Or you can ignore the regulator, which may lead to a small fine.
You aren't willing, so you exit the market. Someone else will come along, who is willing, and fills the need while respecting people's privacy. Everyone wins.
Considering one can be sued for just about anything, or accused of patent infringement for just about anything in tech, the fear of litigation isn't a compelling argument.
The GDPR is about 68 to 90 pages depending on which language you're reading it in. It is trying to be futureproof by leaving measures defined in terms of 'current state of technology', 'reasonable security considering the risk' and other such ambiguous terms.
I run a small business and I like this. Just about anybody can read it and understand what rights and requirements are being set out in it.
The GDPR specifically refers to the concept of "micro, small and medium-sized enterprises" [GDPR 40p1 and 42p1 use this text; they direct member states about the spirit of the law, referring that the needs of such businesses need to be taken into account].
GDPR 58p2 sets out that regulatory bodies in a member state have the power to issue warnings. As in, if you mess up, unless the mess-up is malicious or excessively negligent, you get a written warning and reasonable time to fix the problem. My government (The Netherlands) has taken the effort, as have a significant number of third parties, of creating a legal document of 3 to 10 pages covering some details, and they generally set out more explicitly that you grant yourself a week or so to fix problems without penalty. Whilst the GDPR is intentionally ambiguous in order to try to be somewhat futureproof and remain short enough to read back to back in an afternoon, it's fairly clear this is perfectly fine.
The most strenuous sections of the GDPR involve requests from those whose data you store. If they ask you to supply what data you have of them, and whom you've shared it with, you have to comply. Within reasonable timeframes, and you cannot lie about it. If they ask that you delete this data, you must be capable of doing so, and you must do so within a reasonable timeframe. However, the GDPR is nice enough to grant you exceptions for reasonable measures which nevertheless make it hard to comply. Things like a backup tape are specifically called out. It's okay if data that's been requested to be removed stays on those. You would have to show that this data is pseudonymised (GDPR-ese for encrypted, pretty much).
Any service which has a hard time supporting requests to explain what data you store and where you've stored it, or which cannot delete it from the main service on demand... should indeed just call it a day and shut down. I don't think a service like streetlend would have a hard time supporting such requests, however.
> The GDPR is about 68 to 90 pages depending on which language you're reading it in [...] I run a small business and I like this. Just about anybody can read it and understand what rights and requirements are being set out in it.
I don't run a small business, I make small things on the internet. This is not why I got into tech; I don't want to read 68 pages of yuk. If I made a small site that saves some user data I'd just pull it down too. I don't want the burden of worrying about being sued for some small thing I created, you just won't have it anymore.
FB fucked it up for everyone; ultimately people gotta learn that when you give data to someone you implicitly entrust them with it. FB had to go and be evil and now the EU is overreaching, demanding everyone spend their time bubble wrapping everything... everyone backing them up are the village people taking to the streets with torches and burning shopkeepers after the king was found doing witchcraft. Go burn the king.
> this is not why I got into tech, I don't want to read 68 pages of yuk
One of the goals of this law and similar efforts is to make it clear that you need to consider the social, ethical, and legal ramifications of the things you create. You are not creating neutral things in a vacuum; there is no neutral ground in a burning world[1]. That "small thing on the internet" might be reuniting families that were separated by work or politics, or it might be undermining the support structures of an entire industry or community. Maybe you are creating a social space*, which includes a duty to manage that space so it doesn't become a tool of abuse[2]. Maybe your small site stays small. Obviously you cannot be expected to foresee every potential consequence of your creation, but you at least need to make the effort and catch the low-hanging fruit (e.g. the basic privacy features enforced by the GDPR).
> One of the goals of this law and similar efforts is to make it clear that you need to consider the social, ethical, and legal ramifications of the things you create.
One often wonders whether lawmakers heed their own advice here with what they create.
In the US, I've always found it humorous that there is no legal penalty for lawmakers continually and knowingly violating the constitution. The worst that happens is they get their bill struck down in court, then their state's legislature can vote in the next law.
Well, as a German, where this happens often enough: if a law gets struck down by the Federal Constitutional Court ("Bundesverfassungsgericht") as being in violation of the constitution, this can universally be seen as bad job performance by the lawmakers.
They know the law was in violation of the constitution, still they agreed upon it. It's their fucking job to make sure laws are not in violation of the constitution.
This clearly justifies a strike.
Is that really true? I'd expect there to be a cost associated with shitty law. Uncertainty and frequent changes shouldn't be in the interest of anyone but those wishing for extremes. Thus I'd hope for companies to support politicians whose legislative achievements will last. I'd hope, but am of course not sure this can overcome those seeking short term benefits and political tribal blood sport thanks to the shitty US two-party voting system.
Research shows people's support for basic different options, like more generous or stricter welfare programs, changes based just on which party they were told supported which option (chosen randomly by the researchers). In the face of that it's hard to believe that people particularly care about deeper things like that.
> [...] You are not creating neutral things in a vacuum; there is no neutral ground in a burning world[1]. That "small thing on the internet" might be reuniting families that were separated by work or politics, or it might be undermining the support structures of an entire industry or community [...]
Your points are well argued - especially regarding the ethical and social implications of what we create, and I agree with them, however we have differing definitions of "small" in this context.
Your arguments apply to things that are maturing and are reasonably big already, but big things have small beginnings... and the internet/web is a fantastic place for nurturing those very very small ideas for basically free, this law appears to threaten those small ideas.
It’s safe to say people create hobby projects that fit within their ethical framework. This is about forcing a very slanted set of ethics on pretty much every creator.
I personally find regulation like this abhorrent and against my morals. Sadly I don’t have the money to fight the EU so my creations will be blocked to its citizens going forward.
The end result of this is that EU citizens will be the ones that suffer from lack of access to technology and the smart ones will end up VPNing into non-EU networks to stay on the cutting edge.
> The end result of this is that EU citizens will be the ones that suffer from lack of access to technology and the smart ones will end up VPNing into non-EU networks to stay on the cutting edge.
Right, because everyone who lives in Europe is too incapable of coming up with technology and businesses themselves (that have the added benefit of being GDPR compliant) and without access to American firms they will surely fall into a technological dark dark age.
Instead of viewing GDPR as some nightmarish spectre coming to ruin everything, why not think of it as a potential opportunity? You're familiar with making money in a borderline no-holds-barred approach, now try and come up with some innovative business ideas that _don't_ rely on scraping and selling as much data as mechanically possible to prop up a business. This is great for the disruption hackernews loves so much.
> Right, because everyone who lives in Europe is too incapable of coming up with technology and businesses themselves (that have the added benefit of being GDPR compliant) and without access to American firms they will surely fall into a technological dark dark age.
Cite one EU startup that you’ll miss if the issue was reversed.
> Instead of viewing GDPR as some nightmarish spectre coming to ruin everything, why not think of it as a potential opportunity?
That's the best way to think about it. When the EU started imposing VAT taxes on non-EU companies on internet sales to EU customers, a bunch of businesses sprouted to handle all of that accounting for you. (So instead of me selling my software online directly, technically all of my EU customers now buy from a US company called FastSpring instead. Fastspring remits VAT on EU sales for me so I don't have to deal with EU tax law, just my own Australian tax law.)
There's probably similar opportunity for a GDPR service that stores customer data via API service, that shields small / micro businesses from all the GDPR compliance. (Eg all your personal Wordpress blog comments are actually stored, hosted and served by a service that handles GDPR modal-consent forms and deletion requests on your behalf.)
>... now try and come up with some innovative business ideas that _don't_ rely on scraping and selling as much data as mechanically possible...
The problem is a lot of us who would never scrape or sell data and have no interest in exploiting our customers, are still worried about not being GDPR compliant, and the EU choosing to pursue us as an example for something that none of our customers actually care about.
> The problem is a lot of us who would never scrape or sell data and have no interest in exploiting our customers, are still worried about not being GDPR compliant, and the EU choosing to pursue us as an example for something that none of our customers actually care about.
Why would you be worried about being pursued as an example? Is there any data that supports this as a reasonable fear? Isn't this exactly the "GDPR is a nightmarish spectre that can destroy anyone at any time" mentality?
This is a relatively simple regulation that basically requires anybody processing user data to do so responsibly. How does one have an ethical objection to that?
Far better details? It gives vague info on what might be considered personal data... I would not call it very detailed. In most cases just says personally identifiable information.
Arguing the EU is overreaching in demanding basic protections for its citizens' data, and that the only people who support it are... rioters (?) is a pretty vacuous and idiotic argument to make.
If you're making something that stores personally identifiable information outside of what you need, and don't care enough to secure it or offer ways for a user to manage that data then yes, take it down. Good riddance.
Or, just don't store that data in the first place. If you're storing usernames, passwords and the like then you have nothing to worry about.
>If you're storing usernames, passwords and the like then you have nothing to worry about.
Absolutely false. Anything pertaining to a person in any way is personal data. All default web server installations are GDPR violations, unless nginx grew an "edit the access.log entries pertaining to you" endpoint recently. (Although you can maybe argue "legitimate interest" for web access logging if you invest the time, and implement the right to erasure).
Webserver logs are totally fine since you need them for information security (ie, finding out who has been spamming your webserver with requests), just use the default NGINX settings, in most distros that means deleting old logs automatically.
You are incorrect. Even an IP address that dynamically changes with your ISP is considered personal data and is under strict guidelines. You absolutely have a lot to worry about if you want to be in compliance.
Something as simple as running Google Analytics without a processing agreement in place is a liability.
I was thinking about GA (Google Analytics) the other day, and how I can follow the GDPR guidelines. The articles I read, both from Google and other sources, said to not use user IDs to identify users without consent, to anonymize IP addresses, and to not send PII to Google, such as in URLs. Ok, that sounds simple enough, but then... I started thinking about it more.
1. User profiles can't be sent to GA. For example, hacker news has /user?id=JohnDoe for profiles, and that contains a username, which is personal data that should not be shared with GA. Ok, so I could rewrite my profile URLs before sending them to GA without the usernames.
2. I haven't heard a single source mention referrals. If I'm on a user profile on my site and click a link, that's going to send /user?id=JohnDoe to GA as the referral. I would need to overwrite the referrals before sending them to GA as well.
3. What about 404 pages that I make up? What if I visit https://www.example.com/JohnDoe? That's sending my personal name to GA again. Hmm, ok, the site could exclude GA from 404 pages.
4. What about search boxes? What if I use the search field on a blog? https://www.example.com/posts?search=JohnDoe. Hmm, that's my personal data being sent again. Ok, we need to make sure any data from search boxes is now stripped and not sent to GA.
5. What if I manually add a query parameter or modify one? A homepage might have https://www.example.com/?page=2, but what if I change it to https://www.example.com/?page=JohnDoe. Hmm, yes, that's personal data being sent again. I guess I need to validate the page parameter to ensure it's an integer before sending the URL to GA. What if I then type in a personal phone number as the page number?
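The five cases in the comment above reduce to one rule: never hand an analytics tool a raw URL, scrub it first. This is an added example, not code from the original thread or from Google; the route names (`/user`, `/posts`), the allowed parameters and their validators are assumptions standing in for a real site's route table.

```javascript
// Added example: scrub a page URL (and its referrer) before it is passed to an
// analytics pageview call. All route names, parameter names and the allow-list
// are constructed assumptions, not a real site's configuration.

// Paths the site actually serves. Anything else (typed-in 404 paths such as
// /JohnDoe, case 3) is collapsed to a placeholder instead of being reported.
const KNOWN_PATHS = new Set(['/', '/posts', '/user', '/about']);

// Query parameters allowed through, each with a validator. A parameter that is
// not listed, or that fails its validator, is dropped. This covers:
//   case 1: /user?id=JohnDoe   ('id' is not listed, so it is removed)
//   case 4: /posts?search=...  ('search' is free text, so it is removed)
//   case 5: /?page=JohnDoe or /?page=5551234567 (fails the integer check)
const ALLOWED_PARAMS = {
  page: (v) => /^[1-9][0-9]{0,3}$/.test(v), // small positive integer only
  sort: (v) => ['new', 'top'].includes(v),   // fixed vocabulary
};

function sanitizePath(pathname) {
  return KNOWN_PATHS.has(pathname) ? pathname : '/_unknown';
}

// Returns the scrubbed absolute URL, or null if the input is not a URL at all.
function sanitizeUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  const path = sanitizePath(url.pathname);
  const out = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const validator = ALLOWED_PARAMS[key];
    if (validator && validator(value)) out.append(key, value);
  }
  const qs = out.toString();
  return url.origin + path + (qs ? '?' + qs : '');
}

// Case 2: the referrer is just another URL, so it goes through the same
// scrubber before being attached to the pageview payload.
function buildPageview(currentUrl, referrerUrl) {
  return {
    page: sanitizeUrl(currentUrl),
    referrer: referrerUrl ? sanitizeUrl(referrerUrl) : null,
  };
}
```

The payload returned by `buildPageview` is what would be passed to the analytics call; the raw `location.href` and `document.referrer` never leave the page.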
No. This is a fundamental misunderstanding of the law. IP addresses are considered PII if and only if they can actually be legally used to identify an individual. And even where they can be, what on earth are you doing with them that you imagine is non-compliance?
Or every independent software developer who isn’t doing anything nefarious with your data but doesn’t have the resources to implement a bunch of new, EU mandated features.
How hard is it to just not collect data that isn't directly related to the running of your business?
Do you find yourself accidentally including data sales SDKs? Do you finish your website or app and realise you've accidentally set it up to fingerprint the user, scrape everything you can from them and sell it?
If your business is just a tool supported by wanton data scraping are you actually doing anything innovative and worthwhile or are you just making an MVP to pack full of advertising and jump on that bandwagon?
If you aren't doing that, then it's just a matter of checking what data you are harvesting and thinking about why you have it and if you really need it. Because if it's actually critical to the running of your business then GDPR does allow you to keep it. If it's not, why waste space, effort and now risk in bothering to harvest and keep it in the first place.
Let me play devil's advocate, and say that some personal data may not be immediately useful, but if continued to get collected, may become useful (for commercial exploitation) later.
For example, an online shop might collect customer addresses, even if the sale is purely digital. If the shop ever decides to expand to physical goods, those addresses will be very useful to find an optimal location.
However, GDPR prevents the shop from collecting it (or more accurately, raises the cost of doing so), since the use, and value, of said data only becomes apparent in the future. So the shop makes the best choice now to remove the collection, and then suffers the future disadvantage.
Save the data, tell them about it in your privacy policy (i.e. that you remember that data and how you have in mind to use it), and add a "delete account" button that deletes that data.
Maybe show a notice just below the address input fields that "we remember your address for a while, this is why" and link to the relevant section in the privacy policy.
Proper encryption, limited data collection and exposure, and deletion are not fancy features. If this is onerous, it is hard to imagine you are shipping much.
I'm more likely to hand over sensitive (or even obvious data) if I'm confident it's being handled responsibly. So it could be an opportunity for the markets for your products to increase.
> (83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
also:
> Section 2, art. 32, Security of processing:
> Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: [..]
> [...] If I made a small site that saves some user data i'd just pull it down too, I don't want the burden of worrying about being sued for some small thing I created, you just wont have it anymore.
Not all laws, nor all legal systems, are equally vague. It would be really helpful if the regulations had been accompanied with a large set of 'example applications' demonstrating how EU members should be expected (or required) to implement the law in specific scenarios.
> The GDPR is about 68 to 90 pages depending on which language you're reading it in. It is trying to be futureproof by leaving measures defined in terms of 'current state of technology', 'reasonable security considering the risk' and other such ambiguous terms.
1 page or 1,000 pages, most people are not in a position to accurately interpret it and understand what does or does not comply.
They would be if they read it. Every complaint I've seen about how the law is obviously going to be misapplied is called out specifically in the text in a way that makes it a non-issue.
I've read it. It's a wonderfully written document on basic human rights and inter-government interaction. As regulation I can code to, it's a goddamn clusterfuck. It's like someone tried to invent TCP/IP but in the middle there's a paragraph that says something like "appropriate networking stuff happens here and data is reliably moved around!".
As far as I understand, to make this site GDPR compliant you would have to:
1. Get consent when someone creates an account, saying what you do with the data including how you make automatic decision (e.g. which amazon pages you recommend).
2. Allow people to unconsent/delete accounts
3. Have a page that allows a user to download their data.
4. Have a way for them to fix mistakes in that information
That doesn't seem that burdensome. In fact some flavor of that is pretty much what you get with a standard create account/view account/change account/delete account workflow.
You know, until someone opportunistically sues you using a legal firm that costs the plaintiff nothing, and then you're out the cost of getting a lawyer and trying to defend that all of your actions and interpretations of the GDPR are correct. And if your business is already small/not making money, you're adding to the hole you're already in.
Which, you know, the guy directly cites as the reason he's shutting down if you actually read the site.
There's plenty of ambiguity in the GDPR, especially around logging, backups, and third parties (e.g. login through Facebook/Twitter/Google, you know, that thing that five years ago everyone was trying to sell as the way to do user authentication). This guy just decided it's not worth the potential of being sued while we wait for the dust to settle on how those ambiguities shake out (because, honestly, the only way we're going to get those cleared up is if someone is sued and they're made clear by case law).
Unless I'm mistaken, you can't actually sue over your interpretation of the GDPR. You can report companies to the appropriate authority, who can then investigate, and with whom you can communicate. Just like the many other authorities of the kind[1].
Yeah but in the EU/UK I'm not sure people sue for this kind of thing. The US is different. In the UK we don't really have class actions, you can only sue for the damage caused to you, which in the case of a website like this isn't going to be much, and legal fees are expensive, making the whole thing not worthwhile.
Any UK examples? I haven't heard of it though it's not really my field. If you are worried you can always set up a ltd company which is quite cheap and quick in the UK (like £40, same day - company bank account longer).
I am an architect for a company that does ABM, B2B ads, so I am well versed in the subject. We had to move all of our PI data in the raw form to a different AWS account, and only certain individuals with "legal" clearance can access it. This forced us to re-architect almost our entire stack, and rethink our main API.
The whole thing was a massive endeavor that took a whole engineering team two quarters. If this was three years ago, when we were less than a dozen engineers, we would have most likely thrown in the towel and forgone cookies and business in the EU altogether.
No-win-no-fee lawyers don't just take any case that walks through the door.
The expected value of the case to the lawyers is the probability of winning, multiplied by the minimum of the expected award and the resources the defendant has available to pay, multiplied by the fee percentage that the lawyers are charging, minus the costs involved in litigating the case.
In the cases we're considering here, the probability of winning is low, the expected award is low, and the resources available to the defendant are low. They're simply not going to take them on.
I’ve been in this situation before, I was sued for copyright infringement for something I shared on my blog by someone who had obviously gone through lawyers until she found someone to take her case.
She alleged I colluded with and stole manuscripts from her publisher (I published my content before she did). I knew I was in the right, and had proof to back it up. Then I found out it would cost tens of thousands to take the case to court and then if I won, I could claim the lawsuit was frivolous and sue for legal fees.
People can use the legal system to rope you into an expensive game that you don’t want to play. Even if you win, that victory might come at a huge cost financially and emotionally. Irrational and vindictive people can hire lawyers too.
Presumably that was in the US. In the UK, which is where StreetLend.com seems to be located, costs are generally awarded to the prevailing party in the judgement.
Yes, it was in the US. I’m not American but unbeknownst to me I moved to the same US state she lived in shortly before she decided to sue me.
Even in the case where fees are awarded, there is absolutely zero upside in being sued. The best possible outcome is to tie up tens of thousands of your own money in legal fees, and invest huge amounts of time and energy in a court battle. And of course there is always a risk you could lose the case.
For a passion project that is a big investment. I cut my losses, and I’m glad I did.
Sue you for what? Gdpr grants no new right to sue. The only thing that's changed is that if someone emails you saying "delete the stuff on me please" you have to do so unless you have a good excuse. And if you refuse, it goes to arbitration and if you refuse unlawfully, you get a fine.
All you have to do to be Gdpr compliant is delete user data when asked. There is no "trap card" provision.
You're right, there is also (gasp!) the right for users to request all of the data you hold about them, and also (shriek!) to be told how you use their data!
I just do not get what there is to complain about here - the GDPR is a good thing for consumers, and as a business owner that gives a damn about privacy, it is not onerous to comply with.
For having an unfair competitive advantage over competitors who properly follow the law. This is a well-known tactic to get rid of competitors or just companies you don’t like.
Incorrect. That "someone" cannot sue you over a GDPR claim; only the national entity responsible for that can take complaints, which they analyze and emit a fine if deemed appropriate.
Start by reading the actual regulation, provided here in an easy online format without the extraneous formatting: https://gdpr-info.eu/
If you want a shortcut, you can try the EnterpriseReady site which has a great overview specific to SaaS companies: https://www.enterpriseready.io/gdpr/
As always though, your best resource is to talk to a lawyer. Do not trust any internet comments about legal decisions for your business.
I get the impression the GDPR expects you to not keep data around forever, as a general best practice.
When you collect data, you have to tell your users at collection what your retention policy is (this is part of Right to Transparency). So, right there, you should probably have a retention policy, and "forever, always" isn't really a well-thought-out policy.
The Right to Erasure is not as far-reaching as some people seem to think it is. If the Legal Basis of the data collection is Consent, then that consent is revocable and processing (including storage) pretty much has to end as soon as consent is revoked. But if the Legal Basis of collecting the data is something else, and I really feel like 90% of the time in practice it's going to be Legitimate Interest, then the Data Controller gets to balance their own needs against the rights of the Data Subject when handling a Right to Erasure or Right to Object request. And you can probably make a good argument that you don't need to modify back-ups. Your argument is stronger if a) your restore-from-back-up procedure can ignore or delete the user's data during/after restore b) your data retention policy eventually deletes the back-up.
Is it truly a WORM store that cannot delete any data ever never? If so, you'll need to encrypt the data in a way that allows you to make records inaccessible.
If the WORM store rotates out old data (webserver logs, tape backups with retention and rotation, etc.) then you simply inform the user of that and that's it.
> If the WORM store rotates out old data (webserver logs, tape backups with retention and rotation, etc.) then you simply inform the user of that and that's it.
Can you point me to where that's allowed? What if retention is reasonably long (a year)? or not (10 years)?
> Is it truly a WORM store that cannot delete any data ever never? If so, you'll need to encrypt the data in a way that allows you to make records inaccessible.
So now I can't perform impromptu analysis of my own data in any computationally easy way? Security analysis? Analyzing shipping information to optimize in the future?
Acronis, a German corporation, is implementing the GDPR too [0] and they recommend that if possible, you split backups per customer, if that is not practical at least do your best to protect the data and don't keep it for unnecessary time frames. You should have a retention policy and encrypt your backups.
>So now I can't perform impromptu analysis of my own data in any computationally easy way? Security analysis? Analyzing shipping information to optimize in the future?
Any analysis will have to be done in a way to make sure you're not exceeding the bounds of network security or you're outside legitimate interest.
Analyzing shipping information is the same, as long as you do everything to make sure the data is pseudonymized or not otherwise at risk of leaking personal data, it's fine, or alternatively you ask customers about it.
>What if retention is reasonably long (a year)? or not (10 years)?
Use your own judgement of what is reasonable, worst case you get a letter from the EU asking you to reduce the retention timeframe as long as you made an actual effort to implement the regulation.
My question wasn't so much about doing the analysis, but about being unable to do it without fetching keys and decrypting on a per-log-entry basis. Not only would this be insufferably slow, I've not seen a feature like this in any COTS software and quite frankly seems incredibly difficult to write properly and securely, specifically the key management portion.
Why do you think that's a given? It seems like an implementation detail with a couple of easy solutions such as caching or batching, and it should encourage better system design in many cases where the analysis doesn't require PII and thus it's better from a security perspective not to have access to it there to begin with.
There have been a ton of breaches over the years where reporting or test systems had data which they didn't even need but which had been loaded anyway since it was less work than subsetting the data.
> analysis doesn't require PII and thus it's better from a security perspective not to have access to it there to begin with.
Unless I'm pulling from a raw dump of shipping I've bought, which would contain the address so that it can be cross-checked if there is an issue and I didn't know ahead of time that I wanted to perform this analysis.
Handling delivery problems is normal and expected usage. As long as your lawyer is remotely competent, your ToS will cover that and no government on earth is going to disagree.
If you’re trying to do analytics, you don’t need PII - anonymized locations, sizes, bucketed prices, etc. will cover that and usually makes the process faster, too.
Look at it from a different perspective: does ignorance of food handling procedures or electrical wiring codes remove your obligation to follow safety regulations? This is the same thing for data: yes, it requires you to act as if you care about users’ privacy but that’s another way of saying that you’re no longer being subsidized by being allowed to fob the cost of negligence onto the users rather than being responsible. Everything which people have been talking about in this thread is already covered by accepted security best practices.
If you want this analysis you should plan for it. Mozilla does this for example. Any kind of profiling or monitoring goes through several layers to ensure the minimum amount of data necessary is collected.
If you want shipping analytics you'll have to decide that ahead of time. That way you reduce the risk for your customer in case you don't want to do this and if you do want it you still make an effort to reduce the data necessary.
You should keep in mind that the basic premise of the GDPR is that the shipping address isn't yours to begin with. It's personal data of your customer and ultimately belongs to them.
If they don't allow you to use it for analytics, tough luck.
> If you want this analysis you should plan for it.
Yes, I should be omniscient. Thanks for clearing that up.
> Any kind of profiling or monitoring goes through several layers to ensure the minimum amount of data necessary is collected.
Yes, because they need to collect it. It's not about looking at what they have.
> If you want shipping analytics you'll have to decide that ahead of time.
Again, I'm not omniscient. I can't figure out what my company will be doing in a year, and waiting another year to collect the data I already have could see me hemorrhaging money.
> You should keep in mind that the basic premise of the GDPR is that the shipping address isn't yours to begin with. It's personal data of your customer and ultimately belongs to them.
Which is an absolutely silly notion. It is the company's data, not the users.
> If they don't allow you to use it for analytics, tough luck.
Which is silly. It's the company's data; they should be able to use it to improve their business.
>Yes, I should be omniscient. Thanks for clearing that up.
Not omniscient but being able to plan ahead does help a lot, yes.
> It's not about looking at what they have.
Yes, because they only collect what's necessary and if they don't have that they ask if it's necessary and collect it.
>I can't figure out what my company will be doing in a year, and waiting another year to collect the data I already have could see me hemorrhaging money.
Then simply ask your customers to hand over data with consent to use it for analytics, problem solved, no?
>Which is an absolutely silly notion. It is the company's data, not the users.
No. Under GDPR this is no longer the case. The data belongs to the user now because corporations have shown time and time again that owning the user data is too much responsibility for them.
You do not own the customer data anymore, the customers own it. And they can decide what you're allowed to do with it.
It's perfectly in line with existing German Data Regulations (although they get a minor update too with the DSGVO coming along with the GDPR). Data retention laws in Germany supersede the GDPR. The GDPR itself also mentions that any regulation and law in your jurisdiction may supersede anything in it.
Even that data isn't owned by you. You are merely responsible for keeping it safe while you have to store it. Ultimately it's the customers data. End of story.
Another point, what about "personal data" that isn't really? A webserver log, for instance, contains an IP, which is covered under the law as personal information I believe. This could be part of carrier grade NAT serving thousands (or even just regular NAT of 2 or 3 people), must I delete everyone? Whose key would these be encrypted with in your solution?
Webserver logs should for most intents be covered under legitimate interest as part of securing your network. As long as you rotate your server logs, which is default for any distro installation (AFAIK), you don't have to delete those when a user requests them.
Most companies collect and centralize logs, making logrotate irrelevant. What prevents a company from having decade long rotations? Also, who decides what is a legitimate interest?
Even centralized logs can have rotation and retention.
The company will have to decide for themselves, primarily, if some interest is legitimate.
This means you weigh the data you collect by the single user against the continued function of the company, the greater good and all other users. The company should then be able to demonstrate this process to the regulatory body.
There is no nailed process but keeping logs for a short amount of time to ensure network security and keeping some logs longer for legal compliance will most certainly pass as legitimate interest.
Network security benefits the user themself, the company and all other users by ensuring their data is secured against breaches. It goes beyond simple self-interest of the company and protects the users too.
Similarly having an email address to contact a user can be legitimate interest. If you only send them informative mail, i.e. "Someone changed your password" and "We had a data breach" or even "Someone tried to log in from Uganda using your password, check if that's alright please", it serves primarily to protect you, the customer and the relationship you build up.
IMO that means it's legitimate.
On the other hand, of course an adcorp could claim their personal tracking data is legitimate. The data collected does not benefit the user other than showing them ads and selling it to others. Of the three groups, only one benefits.
Or keeping a webserver log for 20 years including usernames and emails.
IMO that would mean it's not legitimate.
If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.
If you think they are wrong about that, the best option is to write them back and explain why you think it's legitimate. You can work out a solution with them that satisfies both sides.
> Even centralized logs can have rotation and retention.
That was a response to the comment about the default installs in most distros, not the ability of centralized services to rotate logs. It was pedantic and I regret derailing the discussion with it.
> The company will have to decide for themselves, primarily, if some interest is legitimate.
Until a regulator comes and makes a separate decision, and you have to plead with them that you're not wrong even when they think you are.
> If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.
From a regulatory body that has no real authority over me, except it might?
I think my biggest issue is that I don't deem data a company has on me _my_ data or that they have to explain everything they do with _their_ data about me. I was never under the impression that it was my data, and in fact, I assume anything I put on a computer I don't control or have a paid, contractual agreement around is public. I fundamentally don't agree with or understand the premise that the situation is otherwise.
(The biggest exception being that I do expect companies to honor their contractual obligations under their credit card processing agreements, but that's not really about _me_ or data about me.)
You can most certainly do that... Unless you've been incompetent with your data organisation and scattered PII where it really has no business being. In which case, how about sorting out your poor data practices before worrying about how you can optimise your shipping costs?
Not pii, but personal data, which is more broadly defined in the gdpr than pii is.
Second, I think you're missing the context here. If I need to encrypt each log entry that pertains to a user, even if it doesn't contain PII, then ad hoc analysis is nearly impossible to do.
You're assuming that I knew I wanted to do said analysis, or that I would never want to go back to an order's record for more information. (What was ordered, or perhaps the US county someone is in that I need to figure out from the shipping address.)
It's not that the analysis can't be done anonymously, but to do so requires foreknowledge of everything you would like to analyze.
A reasonable approach that we're following is to have a documented backup retention policy and a procedure to re-delete data for any users who have asked to be deleted when those backups are restored. That retention policy can be longer than 30 days as it's impossible or infeasible to delete individual user data from all the backups.
One easy way to do this is with an expiration policy on s3 objects. You need to have an independent backup of those deletion requests though.
If you have a years-old tape archive you probably have a massive legal team who is much better equipped to answer this question.
You decide on a timeframe for deletion of backups (i.e. X days). You keep a record of deletion requests you receive for X days. If you need to restore to a backup, you delete data again for the users that requested it.
Then you delete the backups and records of deletion (or the tables in it that contain personally-identified information) after X days.
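The "keep a ledger of erasure requests for X days and re-apply it after a restore" procedure above, and the earlier comment's point that the ledger must live outside the backups it protects, as an added example written for this thread (not code from any poster or product). The record shape, the 30-day window and the sample rows are constructed; the one real constraint it encodes is that a ledger entry must outlive every backup taken before the request.

```javascript
// Added example: a deletion ledger that survives backup restores.
// Record shapes, retention window and sample data are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// Kept independently of the backups (as the comment above notes): if the
// ledger were inside the backup, restoring would roll the ledger back too.
class DeletionLedger {
  constructor(retentionDays) {
    this.retentionMs = retentionDays * DAY_MS;
    this.entries = new Map(); // userId -> timestamp of the erasure request
  }

  // Record an erasure request. The live database is purged by the caller
  // right away; the ledger exists only to catch data that comes back later.
  record(userId, when) {
    this.entries.set(userId, when);
  }

  // A request may be forgotten once every backup that could still hold the
  // user has itself aged out: backups containing the user were all taken
  // before the request, so they expire no later than request + retention.
  // Returns the number of entries dropped.
  expire(now) {
    let dropped = 0;
    for (const [userId, when] of this.entries) {
      if (now - when >= this.retentionMs) {
        this.entries.delete(userId); // safe: Map iteration tolerates deletion
        dropped++;
      }
    }
    return dropped;
  }

  // Re-apply the ledger to a restored snapshot before it goes live: every row
  // of a user with an outstanding erasure request is removed again.
  applyToRestore(snapshot) {
    const kept = [];
    const removedUserIds = new Set();
    for (const row of snapshot.rows) {
      if (this.entries.has(row.userId)) removedUserIds.add(row.userId);
      else kept.push(row);
    }
    return { rows: kept, removedUserIds: [...removedUserIds] };
  }
}

// Backups older than the window must be discarded on the same schedule,
// otherwise a request could age off the ledger while a snapshot still holds
// the data. Returns the ids of backups due for deletion.
function prunableBackups(backups, now, retentionDays) {
  return backups
    .filter((b) => now - b.takenAt >= retentionDays * DAY_MS)
    .map((b) => b.id);
}

// Constructed walk-through: 30-day policy, one erasure request, one restore.
function demo() {
  const T0 = Date.UTC(2018, 4, 1); // 2018-05-01, day 0
  const ledger = new DeletionLedger(30);
  ledger.record('u42', T0 + 3 * DAY_MS); // erasure requested on day 3

  // Snapshot taken on day 0, before the request, so it still holds u42.
  const snapshot = {
    takenAt: T0,
    rows: [
      { userId: 'u42', email: 'alice@example.test' },
      { userId: 'u7', email: 'bob@example.test' },
    ],
  };
  const restored = ledger.applyToRestore(snapshot); // u42 purged again
  const dropped = ledger.expire(T0 + 34 * DAY_MS); // day 34: entry aged out
  return { restored, dropped };
}
```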
> You decide on a timeframe for deletion of backups (ie. X days). You keep a record of deletion requests you receive for X days. If you need to restore to a backup, you delete data again for the users that requested it.
All of which requires a good deal of development work.
I would guess there is no requirement data is wiped.
Your file system doesn't wipe data, it just marks it as deleted. At some point it's a technicality, the important part is that you stop using the data.
> You know, until someone opportunistically sues you using a legal firm that costs the plaintiff nothing, and then you're out the cost of getting a lawyer and trying to defend
And that is exactly how it works in all EU jurisdictions (and indeed most of the world besides the US)[1]. This is a big reason the US is a far more litigious place than similarly developed countries.
Absolutely. As currently outlined, (big or legal) companies with any legal resources can harass regular people all day long. They can bring a million dollar suit and if you don't defend it, they get a default judgment, meaning they win by default. Defending it can cost a lot. It costs nearly nothing to file a lawsuit too. An example of this in action is the NRAA and patent trolls.
No, EU is not USA, it doesn't work this way here. You can't sue companies for violating GDPR directly as a person, you can only write a complaint to authorities that will decide how to proceed (issue a warning, start an investigation, issue a fine etc.)
Want to host the data on AWS? You need a documented data processor agreement with them. Same thing with Cloudflare and any other service you might want to use.
Want to use Google Analytics or some other JavaScript? Those cookies aren't required so you need a way to let users opt-in to using those cookies. And opt-out and delete any third party cookies. I'm still not clear on how the regulations expect you to delete third party cookies.
Amazon affiliate links also aren't necessary to use the service, and that sets cookies. Have to get consent before users can click on those links.
Don't forget that IP addresses are considered personal data.
And all of this might have to be written down and documented per Article 30 as well. The organization is smaller than 250 people, so that might be an out, but people are using the site daily so one could argue the processing is not occasional.
> Amazon affiliate links also aren't necessary to use the service, and that sets cookies. Have to get consent before users can click on those links.
Assuming that these cookies are only set after clicking the link, and that there is no personal information in the links, then what is the problem? In any case, Amazon setting cookies is not your problem, it is Amazon's.
Affiliate links could be between the user and Amazon. I’m not super familiar with affiliate marketing, but you’re right it probably depends on if the cookie is set when the page loads or when the user clicks on the link.
Be careful about interpreting the law if you aren’t a lawyer:
1) IP addresses aren’t a personal identifier since more than one person can use the same IP
2) Google Analytics is a processor of data and the general consent you get from your users can grant you the ability to use Google Analytics since its use helps you enhance the site and make a better user experience
3) You need a data processor agreement to provide access to data that the processor has collected on your user’s behalf. Given you run your AWS services, that should be straightforward to provide access.
If IPs aren’t personal because more than one person can have them, how is the name John Smith a piece of personal information? Anyone can have that name and a lot of people do have that name.
John Smith is personal information, but not a personal identifier, so you couldn’t let the user access their data based on IP address or their John Smith name.
Saying that some data that you enter will be shared with Amazon doesn't seem all that far from reasonable expectations and shouldn't need to be codified in law anyway. So number 1 should be there already.
Number 2 could be an "email me if you want your account removed". This will trigger like two emails a year, and you just run a DELETE FROM command. If it becomes more, you make a page.
For numbers 3 and 4, see number 2. I expect that this won't be much either.
The page doesn't mention a single thing that would be a good reason to quit over GDPR. I think the author was looking for a reasonable-sounding exit, especially since he was operating at a loss (and apparently cared about it, since he was cooperating with Amazon to begin with).
What were the previous data protection laws in the UK anyway? In the Netherlands, none of the 4 points above are new. Our data protection law from 2001 also required all of this.
It's just some guy's side project. He probably doesn't make any money on it, doesn't care about the tech stack (which is from 2013), doesn't want to pay a lawyer for advice, and couldn't be bothered working out how to package all the data for release to users.
If you administer a free service that takes an hour a month to keep running, and suddenly you're faced with an immediate upfront time cost plus the likelihood of spending many more hours every few months responding to user requests, shutting your service down might be a rational decision when you would otherwise have kept it running.
This is a bit off-topic and I apologise in advance for that.
However, I felt the need to comment on the assumption that an application that is only 5 years old would imply that it uses a tech stack that no one would care about.
How is it that after a quarter of a century of web development, the state of the software used is so bad that people still assume that something a few years old is useless?
I might have been a bit unclear there, sorry: if he built it as a side project five years ago, he either knows that stack pretty well by now, or has decided that it wasn't very good, and either way wouldn't care to work with it solely for the tech.
Five years ago I was messing around with Fortran 2008. Having done so, it's not as interesting anymore. That's not a function of Fortran, which was created when my grandparents were 20-somethings, but of the time spent with it.
Poster indicated they weren't making money on it. If you're already operating at a loss and have been for years, the GDPR can be an easy way out .. and if you're literally not making anything and working a full time gig, any changes (even these seemingly trivial ones) do increase the burden to where it's probably not worth it.
So the owner might be making an excuse, yes, but I don't blame them as it seems like a legit way out if they wanted to close up.
Are you going to purge all your logs of IP addresses, since those are considered personal information too? Also if your website is ad supported in any way, are you sure they are in compliance, or will you get nailed because your ad provider wasn't completely compliant?
"All of these logs contain personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49. The logs can also contain usernames if your web service uses them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).
If you don’t have a legitimate need to store these logs you should disable logging in your web server. You’re not even allowed to store this type of information without having obtained direct consent for the purposes you intend to store the information"
Are you going to either 1) completely disable logging on your webserver or 2) ask for consent just to use a default Apache/Nginx logging configuration? The law makes no technical sense.
> Are you going to either 1) completely disable logging on your webserver or 2) ask for consent just to use a default Apache/Nginx logging configuration? The law makes no technical sense.
3) Change your webserver not to store IPs or to delete them relatively quickly?
The default Apache/Nginx configurations aren't suitable for production in many other ways but most distributions ship them with log rotation enabled which would prevent this from being a problem in the default install.
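Option 3 above in code, as an added example that is not from any poster or from any distribution's shipped config: a filter that rewrites the client address of each "combined"-format access-log line before it is stored. It assumes an IPv4 /24 and IPv6 /48 truncation policy and runs over constructed sample lines.

```python
"""Strip client IPs from access-log lines before they are written to disk.

Added example; not from any poster or distribution's config. Assumes the
nginx/Apache "combined" format (remote address is the first field) and the
constructed sample lines in demo(). It keeps the network part (IPv4 /24,
IPv6 /48) so coarse traffic analysis still works; use '-' to drop it entirely.
"""
import ipaddress
import re
from typing import Iterable, Iterator, List, Optional

IPV4_KEEP_BITS = 24   # assumed policy: keep the /24, zero the host octet
IPV6_KEEP_BITS = 48   # assumed policy: keep the /48

# Combined format: <remote_addr> <ident> <user> [<time>] "<request>" ...
_LINE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def truncate_ip(raw: str) -> str:
    """Zero the host part of an address; anything unparseable becomes '-'."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return "-"
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> Optional[str]:
    """Rewrite one log line; None means the line did not parse and is dropped
    rather than stored with an unknown first field."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return f"{truncate_ip(m.group('ip'))} {m.group('rest')}"


def anonymize(lines: Iterable[str]) -> Iterator[str]:
    """Filter suitable for piping access_log through before it hits disk.
    Note: the request path and referer fields are kept verbatim; as the
    thread notes they can still carry usernames or sensitive referers."""
    for line in lines:
        out = anonymize_line(line)
        if out is not None:
            yield out


def demo() -> List[str]:
    """Run the filter over constructed sample lines (not real traffic)."""
    sample = [
        '203.0.113.77 - - [25/May/2018:10:00:00 +0000] "GET /lend/drill HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '2001:db8:abcd:1234::5 - - [25/May/2018:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58"',
        'garbage-without-address',
    ]
    return list(anonymize(sample))


if __name__ == "__main__":
    for rewritten in demo():
        print(rewritten)
```

Log rotation, as mentioned above, still bounds how long the truncated lines themselves are kept.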
That's a solid 50 hours of engineering and QA. At a $75/hr contracting rate, that is $3,750 (50 * $75/hr).
And that's just the engineering work. The website owner cannot know whether or not the engineering work and website meets the requirements of GDPR by himself. He does not have the ability to interpret the GDPR policies. The website owner would need to consult with a compliance lawyer or expert to assess the website for compliance. I would guess it would take a lawyer 10 hours at minimum (assuming the lawyer is a GDPR expert and already knows GDPR in and out) to assess a website for GDPR compliance, billed at a low $250/hr is $2500.
This is an incredibly unfair conclusion. Beyond the time it would take to make the actual technical changes, he's right in saying that GDPR is written in a very ambiguous way that is going to open up the possibility of litigation that smaller shops will not be equipped to absorb. He's made a calculated decision that for him personally it is not worth the additional legal/financial risk to continue operating the business. GDPR is complicated and we don't know what the enforcement side is going to look like yet.
It's really funny because the blog post is far more ambiguous than the GDPR. He cites no specific provision of the GDPR, he doesn't quote the law, all he does is offer up the big scary $20m number.
It's pure FUD.
But since we're throwing out wild speculations it's more than possible this guy was doing something really shady. (He admits to affiliate links which are perfectly fine under GDPR). There would definitely be a market for user data even about who's borrowing what, where. Certainly the vast majority of these "the GDPR killed our free business" are precisely these shady businesses who knew they were dead anyways if they had to actually ask their users for consent in plain language.
The guy apart from crying without ever having read those 80 pages (English language text), doesn't see the big picture. The fact that I can force Facebook, Google, etc. to tell me what they are doing with my data (which I btw had given consent to treat like yesterday's newspaper), and subsequently asking the various Cambridge Analyticas the same question, gives the people a power they never had.
Now they do.
He wants to leave the game? Feel free! He wants people to be completely powerless? Well.. the kitchen has a door. Feel free to open and leave if it gets too hot.
This is the classic unintended effect of this kind of regulation. It is harder for small and new companies to comply and crowds them out, further entrenching the power and control of Facebook and Google.
Yes, regulation changes. Companies that infringe consumer privacy cannot continue business as usual and will be hurt. It's a good thing.
McDonald's has it easier to comply with food safety regulations than the cozy mom and pop cafe down the street. Would you be willing to shit your guts out because the ambiance is better there?
> McDonald's has it easier to comply with food safety regulations than the cozy mom and pop cafe down the street. Would you be willing to shit your guts out because the ambiance is better there?
People cooking for themselves at home aren't required to comply with (the same) food safety regulations. Obviously, you never eat at home or at the home of a friend or relative either, right?
Similarly to how food safety regulations don't apply to people's homes, neither does GDPR. It does not apply to processing personal data for personal usage.
People collecting phone numbers in their personal phonebooks aren't required to comply with data security and privacy regulations.
Actually, it's easier for small and especially new companies to comply. Now, maybe they don't want to, but I don't feel any kind of sympathy for cost cutting on my privacy.
What you say is an unintended side effect, I think is very much intended. That's why the GDPR (if it doesn't fail for other reasons) is a very welcome regulation.
That's true, but frankly I'd rather that the large companies I already deal with be forced to interact on better terms than encourage competition by well-meaning startups.
Once upon a time Facebook was the fresh new competition. Once upon a time Google took pains to maintain their "Don't be evil" motto. Everyone starts out starry-eyed, keen to destroy the oppressive incumbent. Very few stay that way.
So the answer is a blanket law that affects all startups big and small. Think Google & Facebook are going to go out of business because of this? No. Think it’s going to be more difficult and risky for startups?
You clearly don’t run a startup that is affected by these rules. Use cookie? Use Google analytics? Have emails and passwords? Send email to your userlist? Now figure out all the legal consent language, and write your own privacy policy that doesn’t get you a $20m fine for running a blog...
How does knowing what data Facebook has on you change anything? You already know the data they have by virtue of the fact that you give it to them. I just don’t get what damage this protects you from?
What about the data they have on people without accounts on their service, but who they track across sites and through friends? I can keep myself from having an account, but I can’t stop my family and friends, and I can only do my best to block their trackers. I’d like to know what shadow profiles they have on me, despite the fact that I gave them nothing.
To be clear before I answer, you’re acknowledging that this isn’t actually just about data willingly given, right?
What does it change? Not much just by knowing, but it can allow for change, including exercising a right to delete that data under GDPR. That is a positive change in my opinion.
Having data on someone doesn’t constitute any kind of damage. So I don’t understand how I benefit from this at all. If my data is hacked, I’m not compensated. If my data is misused, I’m not compensated. Nothing has really changed to protect me from actual damages resulting from personal data collection. But apparently lots of small businesses and startups are now hurt, and Facebook is in a stronger position to collect PII.
How many times I have seen comments comparing civil engineers and software engineers and the liabilities each have.
Civil engineer failing to comply with regulations ending up in jail vs. software engineer well, doing nothing if his software does something wrong.
So welcome to the future where software engineers will be held responsible for what they create. I think it's the right direction. And don't start with 'hackers playing for fun with side projects will no longer be able to do this'. It's the same for an engineer building a shed in his backyard. No one will have problems if he has not done load calculations and is using that shed by himself. The only difference is that if you put it on the internet it's like building that shed in a public park. And then you have problems if you don't think about what you are doing.
Really depends on the mess up. You mess up and leak confidential info to an ex-boyfriend? Well, here you are contributing to the stats of women killed by their partners.
If software didn't have strong real-world implications the entire software market would have been just a subset of the gaming market.
I'm not a regulations fan but for me, it feels simply like something obvious materializing.
I think it's important to look at how many programs fall to risks like that. Where is the cutoff where we regulate the whole industry due to a very very small possibility of issue?
Food safety, for instance, can affect everyone because bacteria can be anywhere and a lapse in safety practices has a high chance of public sickness.
I do think some software should be regulated more than it is. Is GDPR the answer? I don't feel so.
Not all software is regulated, no one cares about your program you make at home, run or distribute as long as it doesn't do some specific stuff.
Make a calculator App and GDPR doesn't care. Make a calculator App that collects financial info and personal info and sends that info somewhere, then GDPR cares.
Also their marginal cost of delivery approaches zero. High fixed costs in creating the software and almost negligible marginal costs. The return on capital can be astronomical.
Online services have “real consequences.” But not of the type as goods in the physical world. PCI and HIPAA have tried to mitigate against some of the most egregious crossovers of failed software. GDPR scares me. Not in the “I don’t like the consequences” but in the “I don’t know what this does and how screwed I might be.” I’m very happy to be on the other side of the pond where I can safely observe the fallout. Feels like buying a first generation Apple device: I’ll wait a few years and let the early adopters go through the pain for me...
Of course software has consequences. Not the same as infrastructure of countries though.
Companies are valued at billions not because of life and death risks but usually because it enables other companies to make money. On the other hand, basically everything done in civil engineering could be seen as having real danger implications. Bridges and tunnels of course, but even roads which can wash out and cause harm.
> Only difference is that if you put it on the internet it's like building that shed in a public park
The difference here is that code published online has no assurances of being correct or adequate to the task.
Someone building a shed in a public park is, as far as I'm aware, generally not a regular occurrence and certainly you'd agree that a building on public property could be reasonably assumed to have been built to some sort of safety standards by a public body. There's a tacit agreement that, if I enter such a structure, I can reasonably assume it won't collapse on me due to poor design.
Code, on the other hand, is published online by hundreds of thousands of developers everyday. No reasonable individual can expect that any selection of that code is likely to contain anything that can be considered production-grade. Why are we taking the liability from the irresponsible corporation whose service gets pwned because they didn't review my shitty experimental crypto before using it?
Even popular and well used libraries and software shouldn't be held to this standard. You're expecting people who are building something in their free time to bear legal responsibility for the mistakes of an organization who is paying nothing to use their software. That's beyond not fair -- that would absolutely kill open source software and completely ruin the current ecosystem where a single developer and huge enterprises are on a similar level from an access-to-technology standpoint.
Do understand, that my comment here was about software handling personal information. And not software itself but companies using/writing that software.
"Perversely, this new EU law hurts small and ethical startups, but helps reinforce the dominance of Facebook, Google and Twitter, who are able to prepare and defend themselves using established legal teams and cash reserves, and who now face less competition from startups."
This bit is true. If the startup I work for had not turned profitable in the years leading up to GDPR, we would not be able to compete in this space anymore.
If your business is on such shaky ground that straightforward changes required by GDPR are going to cause your business to collapse then you have bigger problems. Because one employee suing you or your rent increasing will also cause you to collapse.
>because one employee suing you or your rent increasing will also cause you to collapse.
Yes, these are well-known causes of company collapse, so well-known that we have entire industries mitigating the risk (multi-year leases at fixed rate, shell corporations renting (see: wework), and temporary contractor/agency staffing). We don't have that for GDPR yet.
It seems like more research into GDPR could have prevented this.
Firstly, there's nothing this site does that is so unusual. If the user gives explicit and informed consent for their data to be used in this way, then you are likely to be covered.
Secondly, it's looking unlikely that the rules will be enforced that strictly in the near term, especially against a small, hobby website. IANAL but you likely have a couple of years until you have any chance of being on the ICO's radar (ICO is the UK's enforcer). And even then, you can reasonably expect the fine to be << €4M.
Thirdly, if you run this site from a limited company (about £100/year to maintain), then the very worst case would be that you are investigated under the GDPR in the future, and you can fold the site then at which point your liability ends. No need to do it now, in fear of something that may never happen.
I hope it's not too late to change your mind about shutting down!
I am currently working in one of these multi-$bn companies. They run/are preparing GDPR.
So far I haven't found ANY person who has read the full 80 pages. Everyone is asking everyone else, they download whatever presentations they find on the internet, but NOT ONE has bothered reading the damn thing.
It will be a massacre for many companies, only because very few do their homework.
Having engineers read and interpret regulation personally is not a remotely sane legal risk management strategy. Read the thing on your own time if you're curious, but the engineering work should start with specialized outside counsel/consultants and percolate down to engineers as company policy via the CTO.
You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
> You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
Is that a bad thing? The vast majority of regulations exist because someone's "critical thinking" went too far in the name of profit.
Your mistake is assuming that the idea being sold internally under the heading "compliance" is required by, or even tangentially related to, an actual regulation.
I have a theory about this. It's a kind of intentional incompetence. You won't get praised in an organisation for implementing GDPR because it is seen as a cost. In some cases it is even restricting revenue (or at least making it more difficult). By only having a surface understanding of the issue, you can intentionally misunderstand it while later having a plausible excuse. When/if you have a big lawsuit directed at you, you can blame the summary websites, consultants, etc for being insufficient. Indeed, you can blame the GDPR for be "too complicated". "Even the experts got it wrong".
But if you read the law, claim to understand it and don't implement it properly, you are screwed. It's just another case where savvy managers are avoiding personal risk at the expense of corporate risk.
The damn thing is more abstract than poetry. It's indicative that all these months, I have not seen a single article / presentation that provides a concrete example of how to shield a website.
The law is completely readable by non-lawyers, IMHO. It's one of the better written laws I've seen. But here's a website by the UK government that explains what all the terms mean and exactly what you have to do: https://ico.org.uk/for-organisations/guide-to-the-general-da...
There are 28 member states. Under some circumstances, a company headquartered in the EU can have the headquarters country's authority act as its "one stop shop." But it would be a mistake for a foreign website to rely on the opinions of 1/28th of the agencies that might prosecute it.
There is a misunderstanding on your part. The law is not what’s written but what the courts make out of it. Lawyers may have the experience to foretell that.
On the other hand I bet you have a better life with your belief until - if ever- you learn the difference the hard way.
Take the simple question: can you look at personal data on your monitor? What about Van Eck phreaking? Basically you are broadcasting the data. Do you need to protect against that?
The GDPR says that at the current state of technology it would take an undue effort to infringe someone's privacy in such a way, so the risk is unreasonable.
It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.
It's worth noting, as well, that this part of the law hasn't changed at all. The changes to GDPR are about notification and a variety of rights. Protection for leaking data to unknown 3rd parties is exactly the same as it was.
I would estimate the frequency of the attack similar to lightning killing people. I’m quite sure it happens but only on a very small scale because you have to get so close to the victim.
If the customer is choosing to display his data on his screen while under risk of Van Eck phreaking, it's on him.
If you choose to display customer data on your screen while raising funds for launching a new cryptocurrency in the Sultanate of Kinakuta from sketchy Chinese generals, it's on you.
If you're a big multinational, these uncertainties are a cost of doing business. You have a dedicated team of in-house attorneys and many other high priced lawyers on retainer. If the worst happens, you start private negotiations on settlements. When I worked for a firm owned by a very large multinational, our parent company basically had an IRS auditor with a dedicated office inside of the parent's headquarters. But you can absorb that cost across multiple entities.
Within society "in general" there are usually other forms for quantifying, and spreading, the cost of uncertainty among larger groups. We usually call those markets "insurance." Car insurance, life insurance, health insurance, disability insurance, homeowners insurance, landlord insurance... all of it exists to "cope" with uncertainty.
If you're running a small operation that's hovering at or below breakeven, it's reasonable to look at the existing uncertainty surrounding GDPR and find that the only winning move is to not play.
I'm not a FUD guy; I'm a numbers guy. Uncertainty is real and entire markets exist to deal with them. Where there are _not_ markets that allow you to quantify uncertainty, it is reasonable to look at the potential downside and say, "that's not worth the risk."
I'd be very hard pressed to run a business that catered to the EU at this point until the first N lawsuits happen. There's a reason why in the US people prefer to incorporate in Delaware: it's not because it's the most business friendly state, it's because there is so little uncertainty in case law.
I am making no claims as to whether GDPR is a good thing or a bad thing. Simply that it's an unknown thing. And unless you have the pockets to play in uncharted legal territory, it is perfectly reasonable to shake one's head and walk away.
Unfortunately for you, the ICO was directly asked about this and responded that they do not envision a grace period
> Steve Wood, ICO Deputy Commissioner: Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy.
Except the lazy morons running the privacy orgs couldn't be arsed to give us final guidance until, well, mid April.
And that definitely includes the ICO. I mean, I understand it's a lot to expect to have final guidance on running a balancing test more than a month before the deadline, but I guess grace periods are just for the regulators.
Sure, but isn't that a huge chunk of the web. Full of small games, services and tools that are only used by a handful of people, but those people enjoyed that thing. Just because it's niche doesn't mean it's useless. Just because Facebook has 10 orders of magnitude more users doesn't mean it's 10 orders of magnitude more useful.
There are plenty of devs out there who were running things probably at a loss, but for the sake of their community and users. Sure a few bug fixes here and there were a pain, but it was so small that it was worth it to make a couple people happy. Now they have one big reason to not keep it up.
A house seems like a good analogy... if the owner isn't willing to do maintenance, he'll probably fence it off to avoid fines and liability. A local group might lose their meeting spot, but we still usually consider it worth it.
Our dependency on services that will go away is a problem, but I'd prefer we'd search for different ways to preserve software once unmaintained. Government requires authors to send a few copies of books&newspapers to libraries... maybe something like that with source code?
If your contact with EU customers is only accidental/incidental then I don't believe you're under the GDPR cover. [ https://gdpr-info.eu/recitals/no-23/ ]
The actual law is here and it applies when you offer services or goods to people in the EU or if you monitor their behavior in the EU.
The recitals are a pretty good commentary to clear up the law, the same recitals will be used by regulatory bodies and judges later on, as a guideline.
> The recitals are a pretty good commentary to clear up the law, the same recitals will be used by regulatory bodies and judges later on, as a guideline.
But they are not law. The law says anyone "in the Union".
That law says if you offer service or goods to anyone or monitor them while they are in the EU. It does not say "anyone in the EU" as people you aren't offering services or goods to and you aren't monitoring are not included.
Afaict from summaries on court cases in Germany, "offering goods or services" definitely means you have to have more than accidental contact with EU customers. Monitoring is hopefully obvious.
That doesn't feel wholesome to me. I'm a software engineer in the US. I don't know German case law or if German case law can/will be used in, say, Spain.
The law says anyone in the EU (or is it EEA?) that you're interacting with.
Article 3:
> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(This also seems to mean a forum with no monetary value at all, but that's another issue.)
A forum with a few european users obviously goes beyond incidental contact.
The thing is, if you want to do business in the EU, you better know the legal system there. The US forces people in the EU to adhere to their legal system all the time.
> It's possible I've targeted no one by location or nationality.
It's not about targeting but about offering services to people in the EU. A silly forum that has a few EU users is beyond incidental/accidental contact and will have to adhere to the EU laws.
A silly forum may not be a business but at least under German law it can be classified as business-like or otherwise commercial even if you don't make any money on it.
This is the problem. We've gone from one guy's "It's a non-commercial entity that has incidental EU users" to your "It's a business-like entity that has beyond incidental contact" with the same facts. They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!
Business-like and non-commercial are not mutually exclusive.
At least under German law, you are business-like if you offer a website beyond personal interest (ie, a webpage about you, your family or your hobby). A forum is certainly business-like.
The same forum can still be non-commercial, you don't have to make any money to fall under business-like.
In total, a non-commercial entity, which is business-like, and has more than incidental EU users will fall under GDPR.
>They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!
I'm sorry, the US made extraterritorial laws that require US cultural context to interpret correctly. You don't get any special treatment here.
EU people can buy my courses. And maybe once per year someone does. Does that mean I should shut off access to EU billing addresses or even EU visitors?
No, if all the data you keep around from EU visitors is strictly for the conduct of business or a legal requirement (taxes for example) then you don't need to do anything (maybe add a note that you do save these things for business purposes). Once the data is no longer needed you should delete it within a certain timeframe (a month or so).
If you save data beyond what is strictly necessary to conduct business, like doing analytics, then you will need to ask your EU users if they are OK with that. If you don't want to do that you can simply exclude EU users from any analytics.
So, in practice this probably means that Google Analytics, WooCommerce, etc. will come up with some compliance box and I should enable it for the EU region, I'm guessing.
Or exclude them from Google Analytics. Wouldn't be a giant effect.
You should anyway implement some basic stuff related to GDPR as that is good for other users as well. But it would make sense for you to cut off the access to EU citizens as full compliance is definitely a big pain and probably not worth it for just a few users.
Not really. The GDPR covers "personal data," which is much broader than the category of "personally identifiable information" that other legislation covers. A user identifier, even if opaque and not related to any personal information, counts as personal data.
Yeah, and the crazy thing is if you talk with a lawyer they would label anything and everything as personal data just because of how abstract some of the things are in the regulation.
For example, an IP address is PII, and if you derive city, region or country from that it becomes personal data. Now if you are a small project or startup there is a high chance that you are using some of the external analytics tools like GA or Mixpanel (as building a good analytics tool is an effort on its own). Now you have to take care of data like country there as well and be very careful that you delete data like this as well.
> if you derive city, region or country from that it becomes personal data
I don't think the city itself is personal data. You could use the user's IP address to get the city and then discard it; this way you know the user's city but don't have to keep their IP address.
Google Analytics can be a problem; Google or someone else should make analytics that don't store IP addresses.
And I think ISPs should randomly rotate IP addresses of their customers so they cannot be used for identification.
Any identifier can be "personal data" only if it allows linking it to some real person. If you don't store IP address, email, real name, ID card number, SSN, bank card number or phone number, then a user id is just a number.
Quote [1]:
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
So at best this is going to be a dumb boilerplate consent message, like the cookie consent popup that's annoying and always trains users to click yes immediately anyway?
Yes, except if you're found to be in violation of how you store or use the data they consented you to use, you're liable. Also they can at any point remove the consent and you need to deal with that.
The best would be to encrypt IP addresses with a key that is regenerated every week. This way you can identify unique visitors over a week but cannot restore their IP address. I hope it will be the default option for popular web server software.
You don't have to keep IP addresses in the log. You could encrypt them with a key that is regenerated every week for example. This way you can identify requests from the same visitor over a week but you cannot restore their IP address.
I think that soon there will be extensions for popular servers that implement something like this. I wish it were the default configuration.
Also I think if ISPs rotated IP addresses among their customers daily it would not be a problem at all.
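The weekly-key scheme described in the comment above, written out as an added example (not code from any poster here): each address is replaced by an HMAC under a random key that is regenerated at the start of every ISO week and held only in memory, so requests from one visitor can still be correlated within a week while the original address cannot be recovered once the week's key is gone. The combined-log format and the sample log lines are constructed for the example.

```python
import hmac
import hashlib
import re
import secrets
from datetime import date, datetime, timedelta


def week_start(day):
    """Monday of the ISO week containing `day` (accepts a date or ISO string)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    return day - timedelta(days=day.weekday())


class WeeklyIpPseudonymizer:
    """Replace IP addresses with week-scoped pseudonyms.

    Only the current week's key is kept. Note that while a key exists, the
    operator could still recover an IPv4 address by hashing all ~4 billion
    candidates with that key; discarding the key at rotation is what makes
    old pseudonyms irreversible.
    """

    def __init__(self):
        self._week = None
        self._key = None

    def _key_for(self, day):
        wk = week_start(day)
        if wk != self._week:
            # New week: generate a fresh random key and forget the old one.
            self._week, self._key = wk, secrets.token_bytes(32)
        return self._key

    def pseudonymize(self, ip, day):
        """Return '<week-start>:<hmac tag>' for `ip` on `day`."""
        tag = hmac.new(self._key_for(day), ip.encode(), hashlib.sha256).hexdigest()[:16]
        return f"{week_start(day).isoformat()}:{tag}"


# Apache/nginx "combined" access-log shape: client IP, ident, user, [timestamp], request ...
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$")


def pseudonymize_log_line(line, pz):
    """Rewrite one access-log line so the client IP is replaced by its pseudonym."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
    return f"{pz.pseudonymize(m.group('ip'), when)} {m.group('rest')}"


def unique_visitors_per_week(lines, pz=None):
    """Count distinct pseudonyms per ISO week; lines must be in chronological order."""
    pz = pz or WeeklyIpPseudonymizer()
    seen = {}
    for line in lines:
        token = pseudonymize_log_line(line, pz).split(" ", 1)[0]
        week = token.split(":", 1)[0]
        seen.setdefault(week, set()).add(token)
    return {week: len(tokens) for week, tokens in seen.items()}


# Constructed sample log (documentation-range addresses); 7 May 2018 is a Monday.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/May/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2018:12:30:00 +0000] "GET /about HTTP/1.1" 200 1024',
    '198.51.100.23 - - [10/May/2018:08:15:00 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/May/2018:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/May/2018:18:45:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    pz = WeeklyIpPseudonymizer()
    for line in SAMPLE_LOG:
        print(pseudonymize_log_line(line, pz))
    print(unique_visitors_per_week(SAMPLE_LOG))
```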
I admit to being baffled as to why they shut down. If a user of the service has given permission for their location to be shared on the 'nearby' map, then they still comply with all the legislation because they have tacit permission from the user that their location will be shared with others.
If the user then decides NOT to share their location or wants their data deleted entirely, then as long as the site stops sharing their location or removes their data completely (within 30 days), they are still GDPR compliant, AFAIK.
EDIT: Sounds to me like a side project started getting a little unwieldy or had too much technical debt for the developer to manage, and he decided to shut it down using GDPR as a vague justification?
They explained why. Obviously you may still disagree; however, their opinion of acceptable risk is subjective (i.e. it's silly to tell someone what their tolerance for risk should be).
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.
> Perversely, this new EU law hurts small and ethical startups, but helps reinforce the dominance of Facebook, Google and Twitter, who are able to prepare and defend themselves using established legal teams and cash reserves, and who now face less competition from startups. The EU Cookie Law, EU VAT regulation and now the EU GDPR are all examples of poorly-implemented laws that add complexity and unintended side-effects for businesses within the EU.
You're just citing the article, which your parent comment seems to have read. How is this a justification? Like, I can face huge consequences if I kill someone, so I just don't do it. Similarly, just mention that you're sharing data with third parties, and act on emails that ask you to remove data of an account... it's not rocket science.
And it's not as if you'll get fined €20 million if one email ended up in a spam box and you didn't remove someone's account in time... it's really blowing things out of proportion to mention that without further qualification. The big money is to threaten companies like Microsoft, not small businesses that don't even make a profit.
Your premise doesn't make sense. You're arguing against someone's subjective regard for risk. That's like telling someone that their love of skydiving is stupid because it's too risky. If the operator has a very low tolerance for risk - assume it's extraordinarily low for these illustrative purposes, as we're discussing a principle that applies regardless of scale - then that's down to their preferences. It does no good to argue against subjective preferences.
You are right in that I don't agree. I don't think this is a question of tolerance of risk, but that he doesn't seem to want to study all the implications.
I will be the first to admit that GDPR is full of holes and ambiguities and has never been tested in a court of law yet, but rather than (as the two quotes you pulled from his site) assume that GDPR has been set up to give the 'big boys' free rein and punish small operators, I'd like to think that GDPR actually puts a LOT more accountability on the larger players and actually will put smaller players on a semi-equal footing.
I really don't think that the EU will be spending the money and time (and open themselves to the PR disaster) of suing websites that might make $1000/mo for the full EUR20Million, do you?
In the US copyright trolls, for example, go after small sites first. They are not able to provide the huge amount of money needed to fund a solid legal defense. The trolls can use the precedent to attack larger more well funded targets. It is not unheard of for US law enforcement to do the same thing. That is why groups like the ACLU and EFF are so important here.
But trolls can't go after any sites. The only entity with the power to issue fines is the national regulatory entity. Trolls would only be able to present a complaint to them and let them do the assessing and investigation. Also, precedent doesn't work the same way in EU jurisdictions as in the US (although it's irrelevant in this case).
> of suing websites that might make $1000/mo for the full EUR20Million, do you?
I expect some early chilling cases that will scare the shit out of small operators. That's almost guaranteed to happen. I don't expect the EU to need to be aggressive in pursuing small operators (spending lots of money & time on it), a few demonstrative examples will do the job. They'll need to do that to make sure they're all in line. It's too great of a task to force compliance on millions of small businesses otherwise, they will have to make an example of some small businesses. If they don't, compliance by those millions of small businesses will erode over time.
> he decided to shut it down using GDPR as a vague justification?
That's my theory as well.
It's just too bad that he drags GDPR through the mud with this as well, since there are indeed a bunch of people (just like anyone can, apparently, be against net neutrality) who would prefer things to remain lawless. They'll point to this article as justification, after which the other party will have to go and read it thoroughly and attack its points, and win that sub-argument, before they're even back to square one with the original discussion.
> Unfortunately the European Union's new GDPR (General Data Protection Regulation), introduced on 25th May 2018, creates uncertainty and risk that I can't justify taking.
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.
> Perversely, this new EU law hurts small and ethical startups, but helps reinforce the dominance of Facebook, Google and Twitter, who are able to prepare and defend themselves using established legal teams and cash reserves, and who now face less competition from startups. The EU Cookie Law, EU VAT regulation and now the EU GDPR are all examples of poorly-implemented laws that add complexity and unintended side-effects for businesses within the EU.
Can anyone in the EU actually comment on the content here? This seems completely out of proportion with everything I have heard about the GDPR.
Given the author's stance on data privacy and accessibility, I am somewhat glad that he is shutting the site down.
I'm working on GDPR compliance at the moment, as are many of my friends here in the UK. Even people in non-IT jobs have been involved or had training, so awareness is high.
The figures cited above are correct, but the consensus from people I've spoken to is that the maximum fines would only be for the most serious breach. It's hard to imagine a small non-profit being fined €20 million. That said, people are taking it seriously.
I can't help wondering if the owner of Streetlend has just decided it's not worth maintaining at a loss anymore and decided to take a swipe at GDPR. I can't know that of course. However what seems fairly inevitable is that technical, commercial and legal changes will come along now and then and it takes real work to adapt. I don't know of any company/organisation that is motivated to keep running but didn't try to comply with GDPR.
I'm unsure of all the negativity regarding the GDPR here.
GDPR compliance is catching up with your project's "ethical debt" in much the same way as a project sometimes has to deal with a "technical debt". If it's unimportant, it's of no concern. If you kept up with good practice, it's of no concern. It's only if it's important and you let the debt accumulate that it could potentially be a problem.
> GDPR compliance is catching up with your project's "ethical debt" in much the same way as a project sometimes has to deal with a "technical debt".
This is needlessly polarizing. I don't have any ethical issues with a service not letting me delete my account or download all my data. Sure, it's nice, but it's not an ethical issue if they don't. I also don't have issues with services processing and analyzing _their_ data (it's not my or our data) any way they choose without notifying me.
I don't get the hand wringing. If you have an image sharing service you will have to contend with child pornography. If you have any content sharing service you have to deal with copyright infringement. You need a lawyer to create a company. If you do open source you will often put a license file in your GitHub repo.
Tech has already and will continue to interact with laws/lawyers. At some point open source libraries will appear to streamline compliance. For now it sucks but ya gotta muddle through or call it a day.
In the first two cases, we generally don't. Or didn't, until recently. DMCA is very push-oriented: You get a takedown notice specifying certain URLs, you take down that content. Compliance solved!
GDPR requires restructuring of applications to keep data on a temporary basis with the consent of the users, to remove data after the fact, to selectively restore, and to allow users access to their own data. These are proactive steps required, and while applications written in the next six months will be built with those requirements in mind, it's still a fairly large burden for business-as-usual applications.
Totally, but there are unlikely to be many ways to structure the law to give users consent over their data and not burden business as usual. Even responding to DMCA requests is burdensome. You can automate it like Google has tried, but it fails sometimes and has become a major technical and personnel challenge.
I don't want to trivialize compliance. Even ostensibly simple requirements are never quite that, and every second spent on them is time not spent on your product.
> GDPR requires restructuring of applications to keep data on a temporary basis with the consent of the users
The GDPR requires mostly that you document what data is stored and how, and that you have a legitimate reason for doing it this way. Consent is not necessarily required.
> to selectively restore, and to allow users access to their own data.
So, you get a takedown/access notice, and then you take down/show that data. Compliance solved.
Is there any kind of blanket CYA waiver that we can put on sign-up pages like "if you're an EU citizen, sorry you can't use this site because GDPR. Definitely don't click 'sign up' below anyway"? What is the opt-out criterion for a site?
No, waivers don't make EU personal data disappear. Just like you can't put a waiver in front of a restaurant and start poisoning people with unhygienic food, you also can't just waiver yourself away from being responsible with users' data.
That is a false choice. According to that, you A) love this law or B) exist only to profit off tracking pixels and JavaScript beacons mwa he ha
Or it could be that the people running 100-user-or-less sites are trying to see if they can just leave their sites up and ignore the "oh yeah, well your web server has IP addresses in your LOGS doesn't it!? Well guess what, OUR logs show an EU IP address, so you know what the letter of the law lets us do? €20 million fine, you data slurping fiend!!" frivolous lawsuits, in hopes of keeping their little side project, which, while (maybe) technically noncompliant, isn't actually using the data for those nefarious purposes, only for DDoS and spam mitigation.
Here's an even dumber question. If you don't live in the EU and your site is not hosted there, do they have any legal power to get to you? What is the worst case scenario if you don't respond and don't pay any fines? Will they block your site from the EU or get your provider to take it down? What kind of power do they have to come at you?
>GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.
I get the point about legal trolls, but how are the hoops ambiguously defined?
- don't store data you don't need for your business' stated purpose
- get active consent before you do so
- be ready to delete data on command
- store the data with best principles (i.e., instead of having ID and other stuff connected, centralize identifying information and protect it; use pseudonyms otherwise)
He said the site does not make money. So why would he spend more of his time to make the changes needed to be compliant?
That said, I think the fear of no win, no fee legal firms is a little overblown. You can't get blood out of a turnip and if he's not making money there's no reason any law firm would be interested in suing him.
> He said the site does not make money. So why would he spend more of his time to make the changes needed to be compliant?
I'm honestly wondering what the law previously said regarding data protection. The Dutch WBP from 2001 already covers everything that he would have to do under GDPR given this website, so unless the UK has some very weird laws (or unless we're weird), nothing would change. Perhaps an extra tickbox on signing up that says "yeah yeah I'm really very aware that my data is shared with third parties".
Most likely, this is a good excuse to go "I refuse to read the long legalese [even if it's 95% the same as before] and I'm just going to quit this loss-turning website without the community turning sour on me because I have a good excuse".
The main difference is that you have to tell people ahead of time what you are going to do with the data and what lawful basis you are going to use to justify that usage. Later you can't change your mind. Additionally, you have to record what you have previously told people (so you can say, "On this date we informed you that we would use the data in this way, and we are doing so"). One other potential difference is that you need to be able to inform the user specifically with which 3rd parties you have shared the information.
Generally speaking, I think most sites will require some additional development work to update their UI and to store the data. If you have been compliant with the previous laws then it should be no problem. One wrinkle is that in the previous laws there was no way for your customer to find out if you were following the law or not (without suing you). With GDPR they have a right to both be notified what you plan to do and the right to request evidence that you are following that plan. There will be many companies that will have to alter their processes significantly to account for this.
> I'm honestly wondering what the law previously said regarding data protection.
In the businesses I'm working with, I'm finding the biggest problems with GDPR aren't with GDPR - they're because the business wasn't compliant with the UK's Data Protection Act (1998). So the pain is the scramble to catch up.
I just mentioned the Dutch variant because I know of it and since both countries are in the EU, laws are typically very similar. I'm wondering if he was compliant with whatever the current (pre-GDPR) UK law is.
>He said the site does not make money. So why would he spend more of his time to make the changes needed to be compliant?
I think you could ask that question about all the other formalities you have to engage in as well if you run a business. Managing his taxes probably takes more time than making that kind of business GDPR compliant.
I haven't seen his tax return of course, but perhaps he's not running it as a "business" at all. From the sounds of things it was a side project and could easily be classified as a hobby even if it were generating a little income.
Well, just in this thread, two people providing 4-point lists of _simple_ things that can be done to abide by the GDPR provide two different lists that are themselves ambiguously defined.
So, perhaps it's not as _simple_ as you make it out to be.
I've noticed most people are not sure of what exactly they need to do to comply (me included). With the ambiguity, it seems the best way to cover yourself is to just be able to say you consulted a legal team in the past and did what they told you to comply. This has obvious costs associated with it.
>- don't store data you don't need for your business' stated purpose
>- get active consent before you do so
These are mutually exclusive. The GDPR specifically warns against soliciting consent for collection and processing activities that are actually needed, as consent is not considered meaningful when the alternative is to avoid doing business. Consent is only valid if you can "degrade gracefully" in its absence. (I'm not a lawyer).
It makes more sense to ask for literally everything, and provide no feedback on whether the user should join or not until the next page. Literally everything. Even things they can't avoid sharing. Don't check it until the end - preferably several pages later. Then, if they didn't consent to a required thing instead of an optional thing (which should look identical), their entire setup process should be voided, with a great banner blaming European Regulation.
If you didn't check a required item, you're uncomfortable with a fundamental feature of the service, and shouldn't be using it at all. It seems like a feature, not a bug, that it's hard for you to override your values about privacy and use the service anyway. (But anyone designing for user engagement will be aware of this).
Deletion of data from all external services that you use and internal services. If you have some processed data from internal data pipelines you will have to clear that as well. What about error reporting services? Internal logs? I think for data backups you can have it encrypted and that works as a good alternative but if you have to delete data from there it is not at all feasible.
> - store the data with best principles (i.e., instead of having ID and other stuff connected, centralize identifying information and protect it; use pseudonyms otherwise)
Even if in the main data stores you store them in a well normalized way, it becomes a pain to do the same in data pipelines, sinks etc. If you are having a reporting DB it would make sense to denormalize data there.
I read the farewell post as "My start-up failed, and I am shutting it down because I am sick of it", but instead of owning up, I blame the GDPR...
As a Brit, he would most likely already have to comply with most of the stuff. And he should know that most government bodies use dialogue instead of fines initially.
I find it hilarious that so many think 'it's ok to force a 70-page read for every developer because look what Facebook did'. But at the same time, if anyone read the EULA of Facebook when you signed up, then you would have known precisely the risks of sharing your data with Facebook. They hid absolutely nothing from view. Chew on that for a bit.
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops.
Disregarding the "hoops" -- shouldn't this 4% go entirely to the affected users? I thought this was meant to protect the users. Seems like a cash-grab by the government. Can someone make a good argument as to why the fines should be paid to a third party (the state) when this issue is between the service provider and the customers?
The only thing I can think of is that the state is the only entity which can enforce the new rights, meaning they get paid for violations of the rights. Still, if someone threatens the integrity and privacy of your data, shouldn't the damages be paid to you?
Much like class action lawsuits, the end user doesn't make much. The lawyers or the state, which go to great expense, may recover their expenses, or they may not. The large punitive fine is to prevent the suits from ever happening in the first place.
> [...] Can someone make a good argument as to why the fines should be paid to a third party (the state) when this issue is between the service provider and the customers? [...]
The same reason you pay speeding tickets to the state instead of personally to each person living on the street you sped on, or who could otherwise have been directly affected by that specific occurrence of speeding. Or the same reason health inspection fines for restaurants in the US are paid to the city or state, not everyone who's ever visited the restaurant.
There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated, where are you getting that idea from?
> pay speeding tickets to the state instead of personally to each person living on the street you sped on
Roads are usually state-owned property, whereas your personal information is your property, right? If Alice mishandles Bob's property, why is Charlie getting paid for it?
> There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated
Why not? The site-customer relationship is the only relevant one here. What prevents a profitable, large-scale data mining company from simply accepting the Max(4%,$20m) = 4% tax for mishandling data?
A $20m dollar fine would surely deter smaller actors, but the 4% fine doesn't seem like a deterrent for large-scale data-mining operations, which can be incredibly lucrative. For example, if Facebook had the choice between not using the data and making $60b per year, versus using the data and making $90b - .04 x $30b, wouldn't they accept the tax and continue using the data? If this is the case, I don't see GDPR making a big difference if the highest-market-share companies can "get away" with paying the fee.
This would increase the gap of viable profit models between smaller and larger companies, at the sole benefit of the state, with little, if any, benefit for the victims (the users). Of course, I am assuming that there is no criminal penalty for noncompliance. The government might think: why impose a criminal penalty if the state can simply tax large corporations for the mountains of profit they are making off of insights from personal data?
I think your questions come down to general European vs. US jurisprudence.
> If Alice mishandles Bob's property, why is Charlie getting paid for it?
If Alice and Bob both join Fight Club and have a consensual fight and one of them dies, even in the US the survivor will be charged by the state for that.
The reason is that certain violations aren't simply seen as person-to-person violations, but disturbances of the general order that have ripple effects on the rest of society.
European countries in general are more prone to seeing something like the violation of business law as being a crime against the state, not just a violation of the specific people who were victims in that specific instance.
It has upsides and downsides, but I think in general it's better than the US system. American companies tend to have to worry about compliance with regulators and the possibility of huge payouts from court cases filed by individuals. If you have a small company and screw something up (but not much more than other companies in general) you can go bankrupt mainly due to bad luck.
In Europe companies tend to mostly have to worry about just the regulators and the state, except in cases of gross negligence, which makes it easier to predict when you need to be compliant etc.
There's also the practical matter that the state has a lot more leverage against the likes of Facebook and can exercise collective bargaining. You can see how well this "your personal information is your property" idea is going in the US with the likes of Equifax, Facebook etc. In practice the little guy just has to eat the TOS of these services and doesn't have anything like a property right over his information.
As to your question of whether some companies will simply eat the 4% fine: we'll see, but that's a topic unrelated to who the fine is being paid to.
If some company like Facebook were to publicly flout the GDPR you can bet they'll find something else to charge them with. The GDPR isn't the only privacy regulation in effect; there are also various national regulations that could be brought to bear. The threat of the 4% fine is mainly intended as a big stick to bring companies into compliance.
I am about to launch a startup. As an American citizen GDPR scares the shit out of me. My app doesn't do anything I consider rude to my users, but that doesn't mean European courts can't find something wrong with the way I do business.
I consider myself lucky that I'm in a state that doesn't make me collect tax in states I don't have nexus.
Europeans are required to use something like chargebee to deal with VAT in different countries. I don't mean to be rude, but if a service like chargebee didn't exist, you Europeans would be fucked.
I'm sure VAT is just the visible part of the iceberg. It's an awful situation for entrepreneurs.
‘Europeans would be fucked’... as if there aren’t any successful or innovative European companies?
Bear in mind that you probably use some sort of service to handle every type of payment, even if it’s a local sale (e.g. Stripe, VISA Pay/V PAY etc.). Additionally, selling goods in the US is just as complicated for an external business as it is into the EU - state, county and city sales taxes, as well as exemptions from US taxes laid out in international treaties, have to be accounted for. The general advice if you want to sell internationally is ‘get an accountant’, because it’s actually quite a complicated subject (unsurprisingly).
VAT is actually pretty easy to deal with as a non-European business. The combined work to handle VAT for all of the EU is less than the work to handle sales tax for a single US state.
WTF... The GDPR is only the continuation of the current regulation. If they can't follow it now, it's probably because they were already not respecting it before.
And all in all, it really looks like a way to get out without having to admit some other failure.
Yeah I struggle to see how all these businesses which are panicking over GDPR could ever have been compliant with, for example, the UK DPR which has been in effect for a very long time and has many of the same requirements.
The biggest change going to GDPR is clearer definitions of what a data controller is and data processors and new restrictions on "automated decision making".
The ability to view, delete and demand data be accurate has long been a requirement of meeting UK data protection laws and I'm sure many other countries too.
It seems that businesses just ignored the law until it came with fines worth worrying about. A bit like the VATMOSS changes where US businesses were worrying they would have to start dealing with EU VAT even though that was the case previously.
As far as I'm aware, you cannot be privately sued for breach of GDPR. You can only send complaints to the regulatory agency, who then take action. The fines levied then go to the government.
There is no incentive for lawyers to troll around trying to sue for breach of GDPR, because there's no money to be made by them.
Article 79, "Right to an effective judicial remedy against a controller or processor," seems to say that individuals can sue controllers or processors. This may be limited to cases where the regulatory agency does not find in the data subject's favor? https://gdpr-info.eu/art-79-gdpr/
Article 82, "Right to compensation and liability," begins with the text "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." https://gdpr-info.eu/art-82-gdpr/
What would be great is an 'open source' legal movement.
Non-profit legal orgs which read the details of laws, cases and then put up detailed 'views' of the laws from the perspective of an individual, company, buyer, seller, landlord, tenant etc.
Instead of having a list of laws, have an experience based checklist for each type of agent.
Also, requiring the government to not just frame laws but provide this kind of information. The ico website[1] seems to be doing it for this particular law.
This might be less useful in boundary cases, where firms with legal resources play at the edge, but it can at least serve as a safe upper bound for a lot of regular activity.
Lot of this information already exists in books, legal reviews, but this is important enough to be made conveniently available on an public website.
GDPR is having a massive chilling effect at my job as well. I think some brand new web frameworks need to be born that focus on compliance. It feels like a solid opening to me to get some new ideas out.
Does anyone expect the GCHQ to get investigated based on its collection and use of private data?
I won't hold my breath that this will ever happen. For that reason (and many others) I expect that GDPR enforcement will be capricious and biased and used as a weapon against unpopular groups.
Can we go back and see what HN users views about the EU Cookie Law was, before the law was put into implementation? Perhaps we will also see hearty support for it, as we now see with the GDPR - when the EU cookie law is just regarded as a nuisance now.
It's counter productive in that disabling or regularly clearing cookies to improve privacy can result in annoying popup messages every. single. time. a website is visited.
I am truly grateful to the developer of the Firefox addon 'I don't care about cookies'...
I would think any small software shop outside of Europe is better off blocking all EU IPs rather than risk having to lawyer up when they wind up being targeted and potentially face a $20m fine. It would be financially irresponsible to do otherwise unless they have some kind of GDPR insurance policy (if such a thing exists.)
> GDPR discussions: Americans trying to interpret European Law and European way of enforcing laws
Should they just pretend they don't exist? The Europeans haven't interpreted this law or provided a clear history of enforcement either. That's the point of these discussions – they're uncertain about the consequences of the law!
Of course they shouldn't pretend it doesn't exist.
But the interpretation should be seen in light of enforcement of current data protection regulations (as per ICO in the UK, and corresponding BDSGs in Germany, for example).
GDPR is not "starting from zero" but it's based on current legislation.
The current regulation has been widely ignored and of no consequence to Americans. GDPR looks like it's going to matter, unlike previous privacy laws.
How about, I won't even try interpreting it and watch a few unfortunate fools get fined so I can learn from their mistakes. Until then, none of my websites will be available in the EU until I can afford a legal team.
I went to a conference recently and attempted to have a discussion about GDPR. Two other people showed up, neither of whom had done any research into the issue at all.
My fear is that patent-lawyer-style firms will start aggressively blackmailing companies for "settlements" or they will begin tons of GDPR-based violations aimed at your business.
> Did it turn a profit? No, sadly not, but running at a loss was fine as my day job covered the bills.
It seems the root of the issue would be financing the changes.
In a way, looking further into the regulations to clear how to deal with ambiguous parts or even straight hire a lawyer to look at the details would be a simple move if the expense could be justified.
Could it be summed up as “unexpected but mandatory changes kill unprofitable business” ?
It's not like he ever intended to turn it into the next Facebook, though, is it? It's like your grandmother's unprofitable home-made scone business shutting down because she doesn't have a certified kitchen.
If her scone business started accepting payments by card then I think it should be held to the similar standards as larger businesses when it comes to securing card details.
Which is kind of what GDPR wants to do for personal data: if you want to collect it from me, there are a minimum set of standards that you need to adhere to because it’s my data.
"few". Handling customers individually in terms of logs and database backups, for instance, is not a small undertaking. Deleting all traces of a customer is nigh impossible; I bet even "compliant" places don't do it right.
The PCI DSS has nothing in it like the GDPR; I'm not even sure why you would compare them, and it makes me think you know nothing about either.
It depends how you do it.
For me dealing with PCI DSS compliance was mainly to get rid of unwanted traces in the logs and anything permanent (backed up), and separating services dealing with sensitive information.
While doing these changes, there will usually be a rethinking of how user data is handled at its core. For instance I worked in the past on dissociating the user account from its profile and private info, so we could get rid of personal info and only keep behaviors.
With GDPR you get similar leeway for keeping most of your data as long as you get rid of identifying info in a reasonable manner. If I’m not mistaken backups are also safe up to a point, but I don’t have the details at hand.
My main point was that if someone had the occasion to think thoroughly about user data policy and cleaning unwanted traces at least once in the past, GDPR was a lot easier than one might think at first.
Yes. Starting a business is already a huge mental effort, I've done it once when I was 19 and never since, even though it's pretty much expected of me (programmer after 40). Adding "you might have to pay 20 million euros" to the list of risks is... indescribable.
Can someone explain what ramifications this has for companies operating in the US that may have "personal" data on EU people? I am curious to know if there will be a new wave of lawyers coming after me for running Twicsy. (FYI, I get requests for removals every day, and I comply with all)
GDPR is not difficult to comply with and based on the decades of experience with the Data Protection Act on which it is based, the chances of being sued (or threatened with litigation) seem tiny indeed.
Also, I think the reason why this site cannot cope with GDPR runs deeper than being willing to add a 'delete account' and 'download my data' functionality to a loss making site.
On the screenshots, it shows a prominent section on the home page: “StreetLend with Facebook friends (and their friends, and people they endorse)”
This suggests they are using the Facebook login to harvest from the Facebook social graph.
Head down that particular road and you are in a privacy shit show - and after Cambridge Analytica and GDPR my guess is that Facebook is cutting off this supply of data - or setting hurdles that streetlend cannot hit.
A few people were sued by the ICO for non compliance with the DPA - but it didn't open the floodgates of civil litigation. To my mind (and I am in the process of updating two small businesses to be compliant) it just sets good ethical standards and Google / FB etc are missing a trick in not just declaring this is the standard they will follow worldwide.
Government is not on your side. Remember that, for all countries, for all times, for all peoples. Government protects itself first, at your expense, by helping those who can help it accomplish that said goal. If you can't help it to that end, you're nothing, literally. It truly couldn't care less about you, your liberties, or even your very life. Government can and does completely destroy people's lives, regularly, for having committed no moral offense of any kind, having caused no harm whatsoever to anyone anywhere in any way, but instead for having violated nothing more than a statute granting random behavioral power over you to some overfunded, distant, and uninterested regulatory agency.
This explanation might aid those who're confused about why a community strengthening, environmentally positive, socially worthwhile website like Streetlend would shut down in response to this huge collection of laws that was sold to us as actually helping us.
> a community strengthening, environmentally positive, socially worthwhile website like Streetlend
If Streetlend were even remotely as you described, they would have easily made enough money to defend itself against the government - all in glorious free market fashion. All hail supply side Jesus! Oh wait, it's a tiny operation making a pittance in revenue. Whoopsie!
Thankfully, this is the 21st century and Western society has long ago decided that it'd rather have "the government" destroy individuals with a system of courts to appeal to rather than let anyone do whatever they wanted. Thanks Obama.
Many large and profitable enterprises struggled as marginally profitable businesses for an extended period of time before finding a formula that worked.
The ability to run a failing business is also valuable in and of itself. Look at the businesses run by the McDonalds brothers before they opened McDonald's restaurant for example, which helped them gain the experience necessary to eventually create a successful business.
>>Thankfully, this is the 21st century and Western society has long ago decided that it'd rather have "the government" destroy individuals with a system of courts to appeal to rather than let anyone do whatever they wanted.
Ah yes the 21st century, where a growing proportion of young adults live at home, have given up on starting a family, and have a shrinking pool of industries in which they can afford to start a business or career, as a result of an increasing number of well-intentioned regulations.
Regulations like GDPR are hopelessly misguided attempts to centrally plan greed and abuse out of society. The complex bureaucratic rules attempt to anticipate every permutation of commercial interaction, and predetermine the correct parameters of action for each permutation.
It's absurdly reductionist and unworkable, and only results in more rent-seeking and less efficiency.
In what way isn't Hacker News compliant today? There's a "Legal" link at the bottom of the page where they detail what information they collect, who it's shared with and what it's used for. It includes instructions for how to contact them with requests to access or correct that information. It describes the legitimate interest basis for information they collect without explicit consent (e.g. moderation, preventing fraud). Sounds to me like they have a lawyer that knows GPDR over there.
Can you close your account on Hacker News and have all your data deleted? No, according to this:
"Please note that we have no obligation to delete any of stories, favorites or comments listed in your profile or otherwise remove their association with your profile or username."
"The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted and organisations do have an obligation to do so..."
True, they are not. The opt-out analytics is not allowed and they are sending the data to 3rd party (google) without user consent. I could also argue about some minor things, but allowing google to track users without consent is a major breach (but they can also simply fix it by using for instance piwik).
There are expensive lawyers that disagree on that, and think that the EU DPAs would consider basic website analytics a legitimate interest (one of the alternative justifications to consent for processing), and the current draft of the upcoming ePrivacy regulation explicitly excludes the use of first- and third-party cookies for those analytics from the requirement to obtain express consent. You can review the privacy policies of some very large companies with huge legal teams that have already made their updates for GDPR (like LinkedIn/Microsoft for example) that use Google Analytics and many other third party cookies on their site without asking for consent...but describe the legitimate interest reasons for doing so.
Legitimate interest is one of the hardest parts to actually go for (I wouldn't use it for anything that is not seen by naked eye from the Moon) and you can argue that analytics improves the "user experience" while on the other side the user will argue, that it is not necessary for the site functionality to work. And it isn't. And this is the fundamental condition for legitimate interest. So the "expensive" lawyers are wrong but I think they are just trying to push the limits to see how far they will be able to go.
Let me just point to one sentence:
"Processing conducted due to "faulty" balance test (your interest vs. person fundamental human rights) may expose the controller (you) to highest level of fines".
I wouldn't gamble here and go for local analytics (again piwik is simple to install and use) or require consent from the user.
ePrivacy is not here yet, GDPR is and I doubt the analytics will be excluded as it is tracking in its purest form and you can set up your own software, no need for 3rd party processor here. It would literally destroy the GDPR principles which I doubt ICOs will allow.
From my (user) perspective: I don't have problems giving consent to a particular site if they don't give the data to any 3rd party processor, from google, fb, amazon to various ad networks. Bottom line, the problem is not for various sites to have my PII, but I have huge problem with aggregating those data by single entity and I will never give consent for that (read as: google analytics).
What makes you think the compliance burden is any different for self-hosted analytics vs third-party analytics? You're the data controller in both cases, your obligations for consent/interest, disclosure, access requests, etc are all the same. Google Analytics has a DPA where they guarantee they meet their GDPR obligations relating to your data, and Google is a member of the US-EU Privacy Shield, which takes care of your obligations with respect to transferring data outside of the EU. If anything, hosting your own Piwik instance greatly increases your compliance burden and risk of a costly breach, as you'll be collecting and storing much more personal data than Google does, in a less secure environment -- Google Analytics is mostly aggregate/sampled data, and supports IP anonymization at the edge before any processing/storage is done.
Just for the sake of not relying on google to do their work and not having to rely on someone who has huge conflict of interest with anything regarding user privacy. But regardless of that I would offer a consent pop up, for this site it is trivial, you are surprisingly clean :) Excuse me, I will refrain from further commenting about GDPR, I am sick of downvoting and quite frankly, people will figure it out on their own.
My understanding for Google Analytics is that as long as you're not using the User ID feature (I can't imagine Hacker News would be), and you enable anonymisation of IP addresses, you don't need to get user consent as users' privacy is sufficiently protected.
I'm not sure "needless" is the right word here. Even if you think this law is bad, there is clearly a need for data privacy and protection laws.
People's reaction to their data being scooped up by Cambridge Analytica just because a facebook friend did a survey proves the need. What CA did was probably legal, but in most people's minds should not have been legal.
> People's reaction to their data being scooped up by Cambridge Analytica just because a facebook friend did a survey proves the need. What CA did was probably legal, but in most people's minds should not have been legal.
It's not _their_ data. This is the part that drives me nuts. When you give something to facebook, it's no longer yours and you lose control of it. It's like this for _everything_. That nude you send your SO? It's out of your control. That nude your SO took of you? It's even less in your control.
If you don't have a service agreement with someone, it's not your data. It will never be your data. Stop pretending.
It's dangerous to let people think they control data they hand to other people. They don't. They never will. Why perpetuate the illusion?
And yet we have “revenge porn” laws that say there are things your SO can and cannot do with that photo.
If I put my money in the bank, that does not actually make it the bank’s money. They have the right to do things with it - invest it, loan it, but there is an agreement that it has not been permanently given. That agreement is backed by consumer protection, insurance, etc. and the bank, no matter how much they would like to, can’t make me sign a EULA that makes my deposits theirs.
> And yet we have “revenge porn” laws that say there are things your SO can and cannot do with that photo.
Which are mainly extensions of harassment law (again, not something you control, but a penalty after action).
> If I put my money in the bank, that does not actually make it the bank’s money.
You also have an agreement with the bank as such. If I just gave it to some guy on the corner (or PayPal) then, you know, whatever is just as possible.
> not something you control, but a penalty after action
I’m fine with punishing companies after they violate data protection/privacy laws.
> You also have an agreement with the bank as such
I’ve not read many bank agreements but I don’t believe they say anything like “the bank can’t take my money to the casino and put it all on black”. Yet if they do that they’ve broken the law.
I wonder if I take data from facebook, download video from youtube, or rip a movie from some streaming service, would you also say that the content is mine now?
> there is clearly a need for data privacy and protection laws
Is there? What if people just accepted responsibility for carelessly handing out information to third parties? Certainly there is much more individuals can do to protect themselves before the government steps in and slaughters small business like the EU did.
> but in most people's minds should not have been legal
Do people think a company selling user data to another company should be illegal? Or are most people more concerned with the relation said company has with Russia, and their potential involvement in influencing the US election? I think it's the latter. And certainly there should be laws about data transactions involving the state's democratic security.
if your business isn’t viable without respecting some basic privacy rules, you should not be in business - big or small.
> What if people just accepted responsibility for carelessly handing out information to third parties?
Without being legally compelled to, few companies have been forthcoming about providing users with information about what they are disclosing and when. Consent is being given, but not informed consent.
This isn't Sarbanes–Oxley, this is literally don't be stupid with customer data.
> "but We Tried and then We Kept Trying"
Will literally get you 100% of the way there if done in good faith. Crypto-shred anything you acquire from an end user and you are good. Collect the bare minimum to offer the service you claim to be offering, and you are good. Alert the customer on how their data will be stored, used and fused and you are good.
Of all people, programmers should stop whining about how hard and oppressed their lives are. The EU is telling you to stop being a clueless *sshole. If you even attempt to stop being one, you are fine.
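The two comments above about separating identifying data from behavioural data and getting rid of traces in backups, and the "crypto-shred" advice just above, describe the same technique: give each user their own key, encrypt every identifying field under it, and treat deletion of the key as the erasure. The following is an added example, not code from the original thread or from any commenter. It assumes an in-memory key store standing in for a KMS/HSM, a constructed sample record, and AES-256-GCM from the Go standard library; the user ID and column name are bound in as associated data so a ciphertext cannot be moved to another row or column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a user's key has been deleted: the
// ciphertext may still sit in the live table, a log archive or a backup,
// but it is now indistinguishable from random bytes.
var ErrKeyShredded = errors.New("key shredded: data unrecoverable")

// KeyStore holds one 256-bit AES key per user. In production this lives in
// a KMS/HSM rather than process memory; the map is a stand-in (assumption).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Create generates a fresh random key at account creation time.
func (ks *KeyStore) Create(userID string) error {
	if _, ok := ks.keys[userID]; ok {
		return fmt.Errorf("key for %q already exists", userID)
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[userID] = k
	return nil
}

// Shred is the erasure step: zeroise and drop the key. No table, log or
// backup has to be rewritten afterwards; every copy becomes unreadable.
func (ks *KeyStore) Shred(userID string) {
	if k, ok := ks.keys[userID]; ok {
		for i := range k {
			k[i] = 0 // best-effort zeroisation of the in-memory copy
		}
		delete(ks.keys, userID)
	}
}

// aead builds an AES-256-GCM instance for the user, or fails if no key exists.
func (ks *KeyStore) aead(userID string) (cipher.AEAD, error) {
	k, ok := ks.keys[userID]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one field of a user's record. Output is nonce || ciphertext.
func (ks *KeyStore) Encrypt(userID, column string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(userID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := []byte(userID + "\x00" + column) // binds the blob to this row and column
	return append(nonce, g.Seal(nil, nonce, plaintext, ad)...), nil
}

// Decrypt reverses Encrypt; it fails with ErrKeyShredded after Shred.
func (ks *KeyStore) Decrypt(userID, column string, blob []byte) ([]byte, error) {
	g, err := ks.aead(userID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	ad := []byte(userID + "\x00" + column)
	return g.Open(nil, blob[:ns], blob[ns:], ad)
}

func main() {
	ks := NewKeyStore()
	_ = ks.Create("user-42")
	// Constructed sample field; in a real schema only the identifying
	// columns are encrypted and the behavioural data stays in the clear.
	ct, _ := ks.Encrypt("user-42", "email", []byte("alice@example.com"))
	backup := append([]byte(nil), ct...) // a backup taken before the erasure request
	pt, _ := ks.Decrypt("user-42", "email", ct)
	fmt.Printf("before shred: %s\n", pt)
	ks.Shred("user-42")
	_, err := ks.Decrypt("user-42", "email", backup)
	fmt.Printf("after shred, from backup: %v\n", err)
}
```

The design point is that the erasure request touches exactly one thing, the key, which is the only object you have to track across environments; a backup restored six months later still carries the ciphertext but nothing that can open it. Keys must not themselves be included in the backups you are relying on this for, and the key store needs its own access log, since whoever can read a key can read every copy of that user's data.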
Er... is that meant to be funny? That website is asking for my email without saying what it's used for :) Also, I can't refuse to provide it and still get access to the functionality.
Literally the only thing the landing page says is the purpose and what your email is used for: "Join the Slack workspace Aptible Gridiron GDPR Slack", and "Verify your email"
European developers have to deal with American software patents all the time to ensure global distribution of their software. And software patents are way less reasonable than GDPR. With GDPR, one can at least be sure that it is up to the site operator to ensure compliance. With software patents, there's always a risk that some random patent troll shows up with some obscure patent registered 10 years ago.
That's actually a great idea in my opinion, not sure why you were down voted. It seems that the incumbent large internet companies will easily be able to afford this burdensome regulation but new startups all the way through medium sized small businesses may struggle or even be suffocated by it. It would seem reasonable to have a tiered system where the penalties only kick in when the business has scaled.
Yes, I think you are missing something. You can't be sued for GDPR.
You get reported to an authority that will handle the process. The Americans think you can just sue people all the time. It's not what it is like in Europe. The point of this legislation is to help users, not to penalise businesses.
I mean how many companies were prosecuted for the cookie law?
Unlikely. What's more likely is the regulator will send you a letter asking if you are in compliance or not, and then send you information about current best practice to bring you back into regulation.
If your breaches are deliberate and flagrant you may end up with a fine. But regulation in Europe really is light touch.
No you don't. You get the opportunity to sort things out first. This is not about prosecuting business. It is about protecting users. Completely different.
If I own a small business, what about I just sell online without collecting any data at all? Credit-card and Paypal etc are third-party APIs that I do not have a copy for my own, shipping can be out-sourced to USPS/UPS/Fedex and I don't keep any of them either. Am I now safe for GDPR? It's like a grocery store, you buy stuff and leave the door, I have nothing on record other than you paid me via credit card or nameless cash before you walk out of the door.
Don't know how to do RMA though, maybe for each purchase my site and the buyer both should have a receipt that just records the transaction but nothing else private, still not sure how to implement that though.
It doesn't matter what you do, since you can still get a GDPR inspection / lawsuit that ends up with you non-guilty and losing a lot of money and time.
> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher)
This is only for the worst, flagrant willing and knowing breaches. Small websites who made an effort to comply wouldn't ever get hit with this kind of fine.
I think this a political statement protesting regulation. It expresses a real ignorance of the legal process, culture and mindset in Europe that looks to actually protect the public from abuses of power, position and exploitation.
Wouldn't it be better for most small businesses if EU required a kind of "GDPR certification" that comes with its own audits? That might contain potential predatory law suits?
On the practical front,how would a product like google docs that offers collaborative editing deal with "forget me"? If I edited someone else's document, would Google (or whoever) be obliged to contact the co-authors to request that edits be removed? ... or should they do that automatically? What's expected to happen to the version history of these documents?
It's the EU, not the USA. There will be no lawsuits. Compliance agency will check, they will report to the business, the business gets time to fix it. Unless very negligent, there will be fines.
EU bashing aside, we've seen this play out before. Search for old HN comments on the cookie law: It was supposed to reduce traffic by 90%, but nowadays it's worse than useless. GDPR will fail too, because it does not address the crux of the issue: that most people do not care about willfully handing over their data, and in fact many of them take pleasure at being public. Most people will not care to delete their data from the service they used for 1 day. They will not ask their local bakery to hand them over reports etc. Most people spend most of their time on facebook, and most of them have already opted-in to the kind of processing that facebook does. Google, amazon, netflix, spotify etc are in line, because people are not going to give up on the most useful tech services.
Some of the worst private offenders in europe are actually public services like tax authorities who dug up tons of stolen data from banks, financial services, or who use google maps and facebook to find out who is flaunting their wealth. While not NSA-level, police authorities are catching up. Registries of all kinds with very private info have very lax access rules in EU countries outside the rich north.
Sure, some techies may feed their entitlement by going after some glaring cases of violations for a few months, but the case remains that, if privacy is a big issue, people are going to have to pay for it (i.e. they have to pay a premium). Cryptography/decentralization remains another option.
Chris Beach accuses the GDPR of being ambiguous and an example of a poorly-implemented law. Combined with the guidance from something like the UK ICO, it seems to me to be remarkably clear and not onerous if your business isn't based on extracting value from user personal data in the first place.
Could we have some examples of the ambiguity and poor implementation?
The main area of ambiguity in my opinion is around "legitimate interests". Many companies who would otherwise breach GDPR regulations are using this as a get out of jail free card, particularly sites/applications which collect personal data without consent.
Personally, I think there will be a number of court cases post-GDPR to clarify what precisely is "legitimate interest" and what is a breach of the regulations.
Tentatively scheduled for a May 2019 departure, but still sticking to EU rules until end of 2020. And finally the UK will probably always adhere to the GDPR, member of EU or not, otherwise it will be at a massive disadvantage for tech companies dealing with Europe.
> And finally the UK will probably always adhere to the GDPR, member of EU or not, otherwise it will be at a massive disadvantage for tech companies dealing with Europe.
I really don't see how this is the case. A small website will be going after product market fit, then they can scale and do compliance. Not adhering to GDPR means your websites can always become compliant later.
To put it another way, Facebook and Google started in the US. Any founder in the EU might consider moving to the US first, getting product market fit before worrying about GDPR compliance, then get compliance once you know your product is good and you aren't just throwing that work away.
GDPR applies to all data controllers anywhere on the earth, if you hold private data of EU citizens or residents and don't follow the GDPR then any EU country's data protection authority can choose to prosecute.
The only way to avoid the GDPR is to not hold personal identifying information on any EU citizens or EU residents.
I take it as applying to expats too living in non EU countries and their natural or adopted children, depending on how they inherit citizenship and maybe their grandchildren.
That is our understanding of it too. It doesn't matter where your company is incorporated, or where your hosting provider stores the data - as long as an EU resident uses your service, you have to comply. I could be wrong, but we are erring on the side of caution with our SaaS app and treating this as the case.
edit: I understand this is an unpopular fact. However it is a fact that the EU does not have global jurisdiction to overrule foreign national sovereignty and dictate legislation. US businesses do not need to comply with GDPR if they are doing no business in the EU, period.
No, you do not have to comply if you're outside of the EU's jurisdiction. They can only hit you if you've got business in the EU that they can directly touch. Facebook, Google, etc. are aggressively complying because they want to continue making money in the EU.
They'll have to overrule eg US or Chinese jurisdiction to force outside companies to comply with GDPR.
How exactly do they intend to force compliance upon the two global superpowers with $34 trillion in economic output? It's laughable. US Federal courts will bury any attempts by the EU to legislate US laws/regulations on these matters.
If I'm a US service/site, I do no business in the EU, and I store information from EU residents on my servers in the US, the EU can't force me to comply with GDPR. They have no means to force that compliance, and to overrule or dictate US domestic laws. The EU doesn't govern the world's laws, if they didn't already realize that they're about to discover it.
Does that still apply if we are a 'data processor' according to their definition? We are an Australian company, with servers based in the US, and we have EU companies actually using our SaaS to manage their employees' information (also based in the EU). We haven't had formal legal advice on this, but upon discussions with other service providers, it seems we still have to be compliant because our paying customers who actually own the data are based in the EU.
If you're doing business with the EU, my opinion is that you should comply to GDPR. Your EU business customers will very likely demand / require it, if not today then sooner than later. Those EU businesses will be assessing the services they utilize and trying to make sure there are no holes in their own GDPR compliance as a consequence.
As a counter example. A US-based service I'm building now, will have zero business dealings with the EU, although it may store EU resident data (people that sign up that are from the EU). I have no concern about complying any time soon. I may choose to never comply, as I doubt I'll be drawing revenue from the EU. It's about the last thing on my list of things to worry about (GDPR, not user privacy in general).
If you're doing business with companies doing business with the EU, you should probably comply. GDPR compliance requires certain affiliated businesses that are involved with the data you collect to also be compliant. The US-based company I work for is in the process of switching to Stripe for ACH invoicing because bill.com isn't going to be GDPR compliant.
EU law says that it's only legal to transfer personal data to companies that have adequate level of protection for personal data. Certain countries are considered to meet the adequacy requirement, but Australia is not one of them[1], so you probably need to meet the requirement using a contract[2]. You should probably consult a lawyer.
> The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
Yes, EU companies are going to want legal guarantees that you'll fulfill your duties as a data processor under EU law. Common term for such a thing is "data processing agreement", quite a few services offer them in a more-or-less self-service fashion.
This is actually true. While in theory the EU says the GDPR applies abroad, it simply doesn't, because it's not the law of the land. It can only be enforced indirectly, e.g. a US-based payment processor would want to comply because otherwise EU businesses would not be able to use it.
To me there's still a minuscule risk that goes something like: "Hey, we think your company is violating GDPR. Come to court." US company ignores. EU court finds in favor of whoever is launching these lawsuits. They can't collect any fines, but maybe they could prevent the company owners / other employees from entering the EU even as a tourist until they pay up. Though that goes against the whole philosophy of the LLC, EU perspectives on business generally seem kinda screwy...
I agree; unless you have business in the EU it's not really worth worrying about... And even with business in the EU, depending on how much of a hassle it would be to overhaul everything, an under-considered option in all the panicked headless running about is just to have code branches that don't collect any data if the context is the EU. Overhaul only what's needed for business, but no need to run around fixing all the other data vacuuming / data laziness going on just yet.
Kinda weird that the whole post is an advertisement for the website, which is shutting down anyway, but contains no explanation of WHY the regulations aren't feasible to implement.
Have you actually looked at GDPR? It's virtually infeasible for any small company to adhere to, based on the decades worth of software that we've built the world's economy around. Logs, databases, backup systems, analytics, metrics, sign in systems, e-commerce systems, fundamental algorithms were all built without any concept of users being able to legally claw back their data. Actually implementing this stuff in the real world is a fucking nightmare. It means rebuilding your entire stack if you actually intend to comply with the laws to their fullest extent. And even then, someone can hire a lawyer and sue you, which then burdens you as you struggle to prove your compliance, wasting valuable time and resources for someone who didn't have the forethought to decide ahead of time if they wanted you to have access to their data or not.
Cool, looking forward to the magical solutions people come up with for performing full text search on encrypted PII, lest you get sued for $10M for keeping someone's name in your database that they willingly handed over to you.
Damn, I wanted to do this for Australia (or at least NSW) for gadgets/electronics/computer parts etc. I wonder if I put geoblocking in place if I'd be covered.
Couldn't he keep operating until he gets caught, then lose the case, go bankrupt (the company, not himself), and shutdown at that point instead of now?
Here's the thing: if you already cared about your users' privacy and security, and had some level of common decency in your approach to users, none of this is a big deal or indeed different to what you'd already be doing.
The GDPR is ill-specified for starters. The commentary conflicts with the law itself, and the law makes it nearly impossible to know if you're dealing with a GDPR data subject.
I firmly believe that companies need to protect their data better as the consequences of loss aren't shouldered by them, which the GDPR says nothing about.
I also firmly believe that it's their data. When I send data to another machine, I was never under the impression that said information was mine. I was never under the impression that anything I have on Facebook was ever or will ever be private. I consider order information vital information _of the company_. When I choose to load the Google Analytics tracker, I have no notion that I own that tracking information.
Splitting basic infrastructure like backups and logs by customer or introducing a whole system of flimsy cryptography to support that is nowhere near reasonable and well beyond common decency.
Explaining all uses of data and why decisions are made isn't common decency. Again, I sent you my data, it is now the server's/company's. I expect them to do what they will with it.
The GDPR is well intentioned, but ultimately nothing more than toxic smoke and carnival mirrors. It is an underspecified mess and a burden, creating the notion that you can renege on data you send someone else.
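The per-user-key scheme the thread keeps arguing about (one key per user so that "splitting backups and logs by customer" is done by key rather than by storage, and a way to still search an encrypted column) is easier to judge with code in front of you. The following is an added example, not code from the original post or from Streetlend. Everything in it is an assumption made for the demo: the record cipher is HMAC-SHA256 run as a PRF in counter mode with an encrypt-then-MAC tag (chosen only so the file runs with the standard library; real deployments use AES-GCM from a proper crypto library), the `KeyVault`, `UserStore` and `demo` names are invented, the "backup" is an in-memory copy of the table, and the index key is a server-side secret. The blind index answers the earlier objection only partly: it gives exact-match lookup on the encrypted e-mail column, not full-text search.

```python
"""Crypto-shredding with per-user keys, plus a blind index for exact-match lookup.

Added example, not from the thread. Stdlib only: the record cipher is HMAC-SHA256
used as a PRF in counter mode with an encrypt-then-MAC tag. That construction is
an assumption so the file runs without third-party packages; a production system
would use AES-GCM from a real crypto library instead.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Distinct keystream and tag keys, so the two HMAC uses never collide.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the tag fails (wrong key, shredded key, or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def blind_index(index_key: bytes, email: str) -> str:
    """Keyed hash of the normalised e-mail. Equal inputs give equal tokens, so the
    column supports exact-match lookup without decrypting anything; it is not
    full-text search, and the token means nothing to anyone without index_key."""
    return hmac.new(index_key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

class KeyVault:
    # One random key per user, kept apart from the data. Destroying the key makes
    # every ciphertext written under it (live rows, backups, log copies) unreadable.
    def __init__(self):
        self._keys = {}

    def create(self, user_id: str) -> bytes:
        self._keys[user_id] = secrets.token_bytes(32)
        return self._keys[user_id]

    def get(self, user_id: str):
        return self._keys.get(user_id)

    def shred(self, user_id: str) -> None:
        self._keys.pop(user_id, None)

class UserStore:
    def __init__(self, vault: KeyVault, index_key: bytes):
        self.vault, self.index_key = vault, index_key
        self.rows = {}  # user_id -> {"email_ct": bytes, "email_idx": str}

    def create(self, user_id: str, email: str) -> None:
        key = self.vault.create(user_id)
        self.rows[user_id] = {"email_ct": encrypt(key, email.encode()),
                              "email_idx": blind_index(self.index_key, email)}

    def find_by_email(self, email: str) -> list:
        token = blind_index(self.index_key, email)
        return [uid for uid, row in self.rows.items() if row["email_idx"] == token]

    def read_email(self, rows: dict, user_id: str):
        """Decrypt from any copy of the table (live or backup); None once shredded."""
        key, row = self.vault.get(user_id), rows.get(user_id)
        if key is None or row is None:
            return None
        pt = decrypt(key, row["email_ct"])
        return None if pt is None else pt.decode()

    def erase(self, user_id: str) -> None:
        """Erasure request: drop the live row and shred the key. The backup still
        holds the row, but it is now random-looking bytes plus a keyed token."""
        self.rows.pop(user_id, None)
        self.vault.shred(user_id)

def demo() -> dict:
    store = UserStore(KeyVault(), index_key=secrets.token_bytes(32))  # server secret (assumed)
    store.create("u1", "Alice@Example.com")
    backup = {uid: dict(row) for uid, row in store.rows.items()}  # nightly snapshot (constructed)
    found = store.find_by_email(" alice@example.com ")
    before = store.read_email(backup, "u1")
    store.erase("u1")
    return {"found": found, "before": before, "after": store.read_email(backup, "u1")}
```

Two caveats a practitioner would check before relying on this. First, the backup row still carries the blind-index token after erasure; anyone holding the index key can still tell whether a given e-mail was ever present, so the index key has to be treated as sensitive as the data keys. Second, the scheme only covers what was actually encrypted under the user's key: if the same e-mail also landed in plaintext in a web-server log or an analytics export, shredding the key does nothing for those copies.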
Regulation always has unintended consequences. This is an example of it. Although they mean well, regulation never accomplishes its goal and restricts the freedom of many.
> Although they mean well regulation never accomplishes its goal
Yeah man, that's why we have the safest cars and airplanes in history, because of the free market, not because of regulations. I'm sure that United Airlines, who literally dragged a passenger from their airplane, would have invested a ton in passenger safety if not forced by regulators.
Sarcasm aside, laws do work. There's a reason the most developed countries in the world have a very strong legal system. You give up a bit of freedom (which is a bit of an obsession for Americans) in exchange for a lot of protection from various nasty things people do to each other. As a result you sleep better and you get the side benefit of a special brand of freedom: freedom from fear from your fellow human beings, from their arbitrary whims (to a reasonable degree). Unregulated societies look like Somalia. Trust me, you wouldn't like that brand of freedom ;)
Unless the owner is doing something shady (or just doesn't understand the GDPR), the issue is pretty clear.
He's running an unprofitable business (by his own admission), and likely is running it as some sort of sole proprietorship and doesn't want to take the risk on himself.
The solution is to create a company so that the company can shoulder most of the risk, so the company goes bankrupt in the event he finds himself unwilling to comply with regulatory requests.
I'm guessing he just doesn't want to dump any more money into a failing project, which is his decision to make.
Is this a failure of the GDPR though, or a success?
Personally I think fly-by-night websites should be the last people responsible for handling personal data. If they're unwilling to attempt to comply with regulations, then perhaps the internet is a better place without these sites.
>If they're unwilling to attempt to comply with regulations
This is an obtuse, bordering on malicious misreading of the post. They're not unwilling to implement the necessary features. They're unwilling to shoulder the risk.
> Personally I think fly-by-night websites should be the last people responsible for handling personal data. If they're unwilling to attempt to comply with regulations, then perhaps the internet is a better place without these sites.
This isn't a data broker, a credit reporting agency, someone with a giant sensor fleet, etc. It's extremely straightforward to not share data with a "fly-by-night" website like this.
Yes, they're unwilling to shoulder the risk.. so why should they get to keep people's data? Because it's a small operation? Because the owner doesn't have time to secure it?
Yeah, it's extremely easy to not share your data with them.. if you know they don't care about protecting it.. But what about all of the other people on the internet that don't know this guy doesn't care about your privacy?
Convincing businesses to take your personal data seriously is the whole point, and you shouldn't get a free pass just because you only handle people's personal data in your spare time.
> But what about all of the other people on the internet that don't know this guy doesn't care about your privacy?
Governments confront problems with this general shape all the time... the result is usually labeling requirements. Sure, this guy should not be allowed to claim he has a crack team of elite cybersecurity engineers when he doesn't. Regardless, no one is asking him to keep secrets for them. It's a niche Craigslist.
>Because it's a small operation?
You're actively campaigning to degrade privacy (and also user freedom, competition, and choice) to a much greater degree by displacing these activities onto large, centralized platforms. Especially those which are monetizing your data to a high enough degree that it's worthwhile to staff a compliance team for the privilege of continuing to do so.
Voluntary or not, there are some rights that you cannot give up to someone else. In Europe, one of those rights is control over your own personal information.
There's also the issue of information symmetry. Just because I voluntarily bought your product doesn't mean that you should be 100% free from any liability that it may cause.
I don't control the money I hand over to my bank, but short of complete societal collapse, Mad Max style, it will be used, and accessible in ways that are very clearly defined. It's not just going to disappear to the Bahamas one day.
Yes, and as banks are repositories of money (sort of like Dropbox and iCloud are repositories of personal data) that makes sense. But banks are not the only institutions authorized to possess money.
Even at a bank, if you open a joint account (enable sharing) and the other person absconds with the contents, you’re out of luck.
And if the bank decides to break that agreement and run off with the cash (Or just lose it), there exists a regulatory framework that will resolve 99% of these sorts of issues.
This is also where GDPR is at. Without it, in theory, you have a shrinkwrap tl;dr agreement with the service, but in practice, they can do whatever they want with your data, with no repercussions.
See: Facebook and CA. Facebook misused my data (Because my friends opted in to sharing it), CA misused my data (Because they weren't even supposed to be given access to it), and the outcome? Nothing of consequence.
GDPR does three things:
1. It makes those repercussions have teeth.
2. It makes sure that you give informed consent to use of your data. (Unsurprisingly, similar laws exist for banks!)
3. It clarifies what has to happen when you stop being a user of a service. (Prior to it, de-facto, your data would be opted into whatever changes of the data usage policy the service made - regardless of whether or not you still had an active account, whether you agreed with the ToS, etc. If you deleted your Facebook account, you had zero leverage of how your data would be used.)
>In Europe, one of those rights is control over your own personal information.
If that were true, you would not be able to post this comment (the most highly sensitive category of personal data, political views) in a public forum.
If you do not see the differences between collecting PII, and communicating your opinion in public, I'm not sure that a good faith discussion is possible.
But if it's all the same, would you mind sharing your credit card numbers, SSN, and date of birth? I won't leak it, pinky swear.
GDPR is a sham. It's a ham-fisted attempt to protect citizens data (which is mostly unimportant even if leaked) due to the transgressions of a few corporate behemoths. In the end it only serves to solidify the market position of said behemoths as it adds another barrier to entry for small innovative startups that are already difficult enough to start without this bs. My main worry related to GDPR is that once implemented it will be near impossible to reverse once we see what a total clusterfuck it actually is.
They said, as their primary point "make a C-corp (or equivalent) so you don't have to pay if you are wrong". That solves the risk problem, unless you think they have positive equity.
Will a court pierce the corporate veil of a single-member company for a GDPR fine? Doesn't seem outside the realm of possibility, but what single-member company has the resources to pay a lawyer to find out?
> This is an obtuse, bordering on malicious misreading of the post. They're not unwilling to implement the necessary features. They're unwilling to shoulder the risk.
I think your reading of the comment you're replying to is itself obtuse, bordering on malicious. They clearly understood that the core issue with GDPR for the OP is risk, and suggested a reasonable solution to address it:
> The solution is to create a company so that the company can shoulder most of the risk
Further:
> It's extremely straightforward to not share data with a "fly-by-night" website like this.
Not if you're using the site. The €20 million fine OP is worried about is only triggered in case of an actual leak of personal data. If you're seriously worried that you might end up leaking personal data, maybe you shouldn't be storing it to start with?
The fines are imposed by the government; in the UK that means the ICO. They cannot be levied as the result of a lawsuit brought by private parties. The ICO also has discretion when levying fines, and they've stressed repeatedly they will not be reaching for maximum penalties.
GDPR offers the prospect of big fines if you screw up badly enough. It also is likely to lead to a lot of lawsuits. But these are totally separate issues, and cannot be conflated as you are doing.
OP might get sued. And he might get fined for €20 million (although realistically...no, of course not). But he won't get sued for €20 million.
> The fine is the bait that draws the true threat.
That's simply incorrect. You're looking at a normal civil case, with normal damages.
We started out talking about the risk of an opportunistic civil suit filed by a law firm working on a contingency basis seeking a €2m payout; now that we've established that isn't possible, we're talking about the risk of an actual fine for breaking an actual law levied by an actual regulator (who is on record as saying that large fines would be a weapon of last resort in the most extreme cases).
So other than the risk being much lower, the likely penalties much lower, the chance of an unfair outcome being much lower, and the incentives and mechanisms being completely different...
"Failing" seems a bit harsh. Lots of people run websites that don't make money, and lots of users get value from such sites. Sometimes the operator still hopes to gain from the site (in publicity or whatever), or sometimes it's just a gift.
The GDPR just made that gift more expensive. If he's not doing anything deliberately shady, then the probability that he'll get fined is small; but a small probability times 20M EUR is still a big number.
Maybe I don't understand the GDPR well enough, but the statutory fines seem insane to me. Why do you think 20M EUR is the right number here? Or am I missing details of the law (the law, not how you expect it will be enforced) that mean his actual maximum liability is smaller? Do you just have extraordinary confidence in the regulators to "do the right thing", and thus no qualms about giving them the legal authority to ruin his life?
Perhaps it was unintended to increase the potential burden of monetary cost to running services that were created and provided as hobbies or otherwise as a goodwill gesture to others. Or maybe the regulators didn't care to consider the impact on such services. Or maybe ...
Regardless, thanks to regulators and data/service silos, the web we once knew or dreamed of is fading from reality. With just the silos to contend with, such services could hitherto continue to exist with little concern for the actions of the behemoths; but now such an existence is threatened by regulatory concerns which blanket all regardless of their role and activity.
Pretty much any start up starts out as a "fly-by-night website". Maybe this guy's just an idiot, but regulations like this harm small businesses and innovation. You can debate the merit of them, but this is what they cost.
You're being downvoted unfairly. It is what they cost. Those costs can be mitigated though; there's a lot of businesses that make it their goal to solve regulations for small startups.
The question is more on the side of, is the cost worth it? A good and much longer-running example of this is in the medical industry. There are massive regulations around development of new drugs and treatments. Massive regulations around experimentation on humans. This stifles innovation and prevents potentially life-changing drugs from making it to the market faster, or sometimes ever. It also prevents a lot of other things, such as crackpots from entering the mass market and selling poison as an anti-aging drug.
Is it worth it? There's still debate about this today, especially when promising cancer treatments are taking years/decades to reach the market (=> how many lives are lost during that time? What's the tradeoff for someone who is terminally ill anyway? etc). I'm not nearly informed enough to pick a side in that debate, but it goes to show it's not necessarily a bad thing for "fly by night websites" to be heavily impacted by regulations like these.
I get what you’re saying, but I’m not sure it’s fair to compare PII management to the medical industry. Personally I think the new regulations are rather ham fisted, with so many edge cases that it looks more like a denial of reality than an attempt to regulate it.
I also think it’s going to be pretty harmful to startups, and that we’ll see more businesses just trying to avoid Europe at all costs. Regulation like this can either be easy to comply with, or they can be effective, you can’t really have both at the same time. Even then it just boils down to the old tension between security and compliance. I work with a lot of PCI orgs, all of them have AoCs, very few of them are actually what I would view as compliant. They all managed to satisfy the box checkers, but the DSS doesn’t do much to protect the consumers in most situations. The reality is that the DSS is just a mechanism of shifting accountability around, which is what I see the GDPR as. A bunch of politicians using poorly written regulations to shift accountability on to the market.
The medical industry is a decent analogy though. Highly regulated, high barrier to entry. Which is bad. Overall though, probably better than a free-for-all (e.g. Theranos), as we've learned from several millennia of humans being awful or incompetent.
God forbid we try and apply some of those ethics to IT. (Europe is big on privacy, again a somewhat hard-learned lesson.)
Except that approach ignores the nature of risk. The impact of getting a drug wrong is catastrophic, the impact of disclosing some PII is far less. This impact also decreases proportional to the size of the organisation, unlike the regulatory burden.
To compare PII to medicine is trying to invoke an emotional reaction, not a reasoned one. I don’t think this regulation is well designed at all, I don’t even think it’s going to achieve half of what it’s trying to do. But it will increase compliance costs for pretty much every company, costs that will put startups at a serious disadvantage to established companies. Europe thinks they’ll have some protection by claiming every company in the world must comply, but only time will tell how that will work out for them.
First, European law works differently, and the way we write laws is different. You can't interpret them in the context of the US law system, where everything must be ultra-explicit and overworked. Also, only regulators can levy the fines/sanctions, they don't result from law suits from individuals.
Second, Europeans take privacy seriously, and it's a right for us, similar to free speech in America. Also, while not as bad as some medical risks, identity theft is not fun. But, yeah, the risks are different, and the GDPR is pretty mild compared to medical laws, no? I mean in Europe, you can't advertise prescription drugs.
Third, Europe is not claiming every company in the world must comply.
But if you're mad at governments overreaching, maybe you could sort out the requirements FATCA/US tax law puts on foreign banks, or the US attempting to extradite "cyber criminals" before you get to the GDPR?
I am not personally the federal government of the US, so I’m not sure why you’re directing that whataboutism at me. However, comparing identity theft to death or permanent disability is not equivalent no matter which way you look at it.
In any case, none of that responds to any of the points I made. The EU does think this regulation applies to every company in the world (unless you can somehow prove you don’t handle any EU data subjects' data - which almost no company could do). One of the reasons being that they don’t want to only hamstring European companies with it, as that would be a very poor strategic move for their markets. How enforceable this ends up being is entirely unknown at this point, and you can bet there’ll be a lot of legal challenges ahead regarding this.
I'm making the point government "overreach" or whatever you feel it is happens daily, and IMO, GDPR is the least inappropriate of those.
I would imagine it's incredibly easy for many US companies, like e.g. a restaurant or a tire-repair shop to prove they don't explicitly go after EU subjects.
Since I was elaborating on how the EU and EU nationals feel like the GDPR is appropriate in addressing the risk of privacy violations - which part of that did you feel like didn't address your comment of "Except that approach ignores the nature of risk"?
I think you’ve misunderstood how GDPR works. If you handle the PII of a single EU data subject, then you are in scope for it, regardless of whether you intentionally solicit EU customers or not. Even a small restaurant or auto shop is likely to have a mailing list, or a CRM, or other records containing PII. It would be almost impossible to prove they don’t have a single piece of EU PII.
This does completely ignore the nature of risk, because it does not consider impact at all, which traditionally accounts for 50% of total magnitude. A SaaS company with 50 customers has to comply with exactly the same set of regulations as Google does, and faces €20,000,000 fines, regardless of the fact that the small company poses a quantifiably smaller risk to PII. There’s also an argument to be made that the small company is less likely to become the target of a sophisticated attack, as an adversary is much less likely to invest huge amounts of effort into breaching a small set of PII.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
So it's simply not true that "you are in scope for it, regardless of whether you intentionally solicit EU customers or not." I could continue, but I suggest you actually read it if you're going to argue about it.
So spare me with all this "risk" bollocks. You're just another person willfully misunderstanding our laws, and spreading FUD to try and impose your culture and your rules on our society.
The difference here is that the GDPR is widely believed to be aimed at Facebook, Google, and friends, and those companies are a threat to privacy partly because of the enormous scale of their data collection in addition to the intrinsically private nature of the data itself.
The question, then, is whether a small "business" that's closer to a charity or a resume padder needs to be regulated in the same way as Facebook when it doesn't collect data on the same scale. I don't think this applies to medical startups, where human lives are at the same risk regardless of how many customers are using the tech.
Have there been any exemptions for smaller businesses? If not, it seems pretty clear the GDPR is targeted at them too.
The online ad-tech industry is pretty fragmented [1] and widespread data-sharing would certainly be a problem even without the larger companies. It's not like Google or Facebook invented it; this goes back to nearly the beginning of the web. And the offline component goes back even further.
You're spot on with your observation in the medical industry. I've been researching stem cell treatment for a condition I have, and the impact regulations (which I fully support btw) have had is that now there are a bunch of hucksters and a bunch of legit businesses offering stem cell treatments and it is practically impossible to separate the two. Despite being well versed in reading scientific papers and internet research in general it is impossible for me to separate fact from fiction. Added to that there is also a significant number of people spreading FUD which adds unwanted noise not only on the marketing side but also on the flip side, making it all the more difficult to decipher the landscape.
Related to the GDPR, I can definitely see a similar situation developing where large entrenched players leverage it to gain an unfair competitive advantage against startups who could threaten them in their market, using the same FUD tactics. This is a silent killer which will wipe out grass-roots innovation in Europe.
> Those costs can be mitigated though; there's a lot of businesses that make it their goal to solve regulations for small startups.
Part of my concern is that in order for those regulation-solving businesses to have a working business model, they can't just support every stack under the Sun. Instead, you'll get something like GDPR for Azure™ — which means that it'll be that much more expensive for a startup using an outside-the-box stack to get started.
That's the point of a lot of regulation, really: to insulate firms which already exist from disruption.
I think there's stigma around GDPR among some entrepreneurs because of a complete refusal from some people to see personal data as something they need to treat carefully.
Let's look at an alternate universe for a moment, where online shopping developed with very barebones regulations, PCI-DSS isn't a thing and fraud is far more rampant. Now the EU introduces new regulations much like PCI-DSS with heavy fines attached to it.
Suddenly you would have every small business coming out of the woodwork, claiming PCI compliance is a huge hassle, the fines are unreasonable, etc. Yeah, PCI compliance is a hassle (which is why we have companies such as Stripe taking care of it for you). But to protect and empower the users, it's needed. This isn't about your business, it's about your users and how they can, today thanks to PCI-DSS, generally trust that their credit card is safe to enter online (which is a net good for any industry that needs online payments).
But that universe is crazy because, who wouldn't treat credit card numbers as extremely sensitive data? Well, many companies who today aren't actually PCI-DSS compliant. Sometimes devs just don't know why, when or even how to encrypt the data and nobody audits that until there's a breach.
So my opinion is this is a success of GDPR. Clearly nobody in this comment section thinks the person in question would really have had a hard time complying with it, and probably wanted to shut down anyway. Either its users are better off because the service is a data vampire that doesn't care about compliance, or it's a no-op because it would have shut down either way. Make room for competition that does care, I'm all for that.
> PCI-DSS isn't a thing and fraud is far more rampant. Now the EU introduces new regulations much like PCI-DSS with heavy fines attached to it.
That would be amazing! Then we'd actually have to adopt a push-based or one-time-use transaction model, rather than living under the fantasy (disproven on a daily basis) that merchants should be in the business of keeping secrets, or are even capable of it. It's hard for me to take anything someone says seriously after they express admiration for the credit card number security model.
The point of your post was that companies should treat all data like credit card numbers. The point of my post is that the need for a large number of parties to keep secrets is indicative of a fundamental design issue, not a call for stricter secret-keeping standards.
I've not expressed any particular admiration towards PCI-DSS (and if you perceived any, I didn't mean to give that impression). Furthermore, the point of my post was certainly not to treat PII/Pseudo-PII like credit card numbers.
Payment card data is secret information, that's a given of the industry. If you disagree with that, I welcome you to share your credit cards in a reply here. Is it a design flaw? Yeah, you could say that; there's much better models and PSD2 will fix many things (not all) at the core of your complaints.
In the mean time, having to treat credit card numbers as highly sensitive is a fact of life, and when you're trying to protect users, you have to be pragmatic, you can't live in an ideal world with theoretical technology; you have to regulate what's there.
The GDPR's definition of PII is broad and contains many things which aren't secrets. I can tell you my full name, it's easy to figure it out from my profile, that's not a secret but it's still PII and GDPR asks that you treat it as such. Same for usernames, which are most often publicly visible on websites.
GDPR, more than dictating what you should encrypt, gives the users a set of rights over a class of data they share with companies in order to give (european) users more trust and comfort when choosing whether to share data with those companies. Things like "I should be able to know what a company has on me, and I should be able to download it and delete it".
I can't tell you the number of websites I've seen that don't let you delete accounts properly. That don't let you edit your real name (even if you get married or you legally change it!). That don't allow you any insight into where your email address ends up after you sign up with it. This is the problem that GDPR is trying to solve.
>In the mean time, having to treat credit card numbers as highly sensitive is a fact of life
It's a fact of life because the payment card industry found a legal way to externalize the risk of its idiotic architecture onto others. The networks are as motivated as can be to continue having transactions to intermediate, and had the technology for what I describe 20+ years ago. Smart cards are a 1990s technology. (Magstripes are a 1960s technology). They continue to drag their feet on the migration because we've made it cheaper to implement "security" through the legal system. Fraud losses are low enough for the industry to prefer the status quo, but high enough that credit card fraud is still a fact of life, because we have allowed it to create liability around data security.
> I can't tell you the number of websites I've seen that don't let you delete accounts properly.
So? Why should you be able to delete an account?
> That don't let you edit your real name (even if you get married or you legally change it!).
This seems like an issue for the company and one they should fix for their own good, not yours.
> That don't allow you any insight into where your email address ends up after you sign up with it.
I also don't have control over who my friends give my email or phone number out to, or if they sign up for Facebook and Facebook slurps that data (even if Facebook becomes 100% truly GDPR compliant, which I doubt they will even if they claim it). Why should I be able to control what other people do with something I gave them? If they breach my trust, maybe I should look elsewhere.
In the US, as a sort of general non-lawyerly rule of thumb, incorporation shields owners from contract liability, but not from tort liability, which is what they'd face from GDPR screwups.
Depends on the screwup. If he were directly involved in doing something malicious or extremely negligent towards his customers he could be liable. If he can't trust himself not to be in this category though, I would argue that shutting down is still the desired result.
The owner is just focusing on their startup, as they should be. It's up to the owner to decide their tolerance of risk against regulations which hold them to account.
A defensive piece you've made completely misunderstands how a business works in terms of the decisions made regarding risk, especially to an individual who lacks bandwidth/resources.
According to your post, you only expect well endowed individuals/large businesses to be compliant, which is precisely the problem.
Sounds like you are willing to eliminate hobby websites and nights-and-weekends startups, forcing every new idea to incorporate first. That's the sort of thing that the internet was supposed to route around.
When I was reading about the GDPR today, I read that email address and IP are considered private data as well. This means any website with an email login or subscription or that even logs hits with the request IP must take action.
I fully support protection against physical locations and personal information (name, address, etc), but to include email and IP address seems a little excessive.
I get and somewhat agree with your point, but on the flipside, excluding certain types of data means that companies will focus on abusing them to skirt regulations. I can see why they just went all-in on the types of data that are considered PII, because in different contexts, different data are possibly PII.
It's not a perfect solution, but I'm not sure there is one.
Friend works in data law and says that it's ambiguous. One of the problems is that people use personal information in their email. Also, you have no idea if it's actually personal information or just a nickname they've given themselves. For these reasons it looks unlikely that emails will be considered personally identifiable information.
That's unlikely to be true. And people are stupid, and will use their email address - just look at e.g. the Ashley Madison hack. So for most people, it's personal information, and the law will probably treat it as such.
While creating a company does shield you from some level of personal liability, you're (a) still exposed to directors' duties and similar obligations that attach to a director personally, and (b) still at risk of having your name attached to a company that has gone into liquidation.
My question is, if the choice is between shutting down or just completely firewalling out all citizens of the EU, why not limp along without the EU market instead of dying out completely?
If a site makes it very clear EU citizens are not welcome on the service and will be banned on site, can they really be held liable for any EU citizens who get in anyway through proxies?
Our company has stated it has no plans to comply with GDPR and if faced with litigation it will simply be ignored unless the United States government gets involved. Complying is simply something we can’t afford to do right now, especially for a market that makes us a lot less revenue.
Who lost his business because of GDPR? I see a man who decided not to bother with informing himself about how to treat user data properly, and instead shut down his app.
GDPR explicitly lets organizations keep data if they need to. Do you think it just turned into a magical get-out-of-your-past switch that means "my employer will have to delete records of firing me!"?
Your example "my employer will have to delete records of firing me!" is exactly how the GDPR works.
There are exceptions, e.g. if the firing is now leading to a court case, but they are fewer than you think.
In an ironic twist, after deleting the data subject's personal information, you must be left with nothing that identifies them, so you don't even know that they have requested this in the past - only that someone exercised their right to erasure (not who).
Yes, I have read it, although I am not a lawyer. Have you? Because the exceptions include "necessary in relation to the purposes for which they are collected or otherwise processed", and avoiding re-hire of a bad employee seems pretty related to the purpose of identifying employees in the first place. If you have professional legal advice to the contrary I would definitely be interested in knowing more.
I'm not a lawyer but I've read it fairly thoroughly. From the ICO, the exceptions to the right to erasure are below (none of them cover your example):
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;
or for the establishment, exercise or defence of legal claims.
Article 17.1
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
https://gdpr-info.eu/art-17-gdpr/
If you read further down the page, you come to the section you are quoting, 17.3, which says that the above right from 17.1 does not apply even if one of the conditions in 17.1 is met. However the scenario we are talking about is one where none of those conditions were met in the first place, so we never had to look at 17.3.
You can argue that 17.1.b/c would require an employer to remove any demographic/political data it had stored on you, but absolutely not that it requires the employer to remove the record of your existence at the company.
Again, IANAL, but according to 17.1.b, the data subject ... shall have the right to obtain from the controller the erasure of personal data concerning him or her ... where one of the following grounds applies:
(17.1.b) the data subject withdraws consent on which the processing is based
17.1.b appears to be the trump card held by the data subject. They can withdraw consent at any time and request erasure.
Once they do, the data controller can then use any of the exceptions in 17.3 to deny them. However none of these is "because I want to keep records of all firings".
My further understanding is that you certainly could keep a record that someone was fired, just not a record that included any personal information that could identify who that was.
No, I addressed that. 17.1.b doesn't cover identifying data, it covers data about their characteristics. That's what my last sentence was about - you can demand that they remove the information that you are black, but not that they remove the information that you were there.
(edit - and I think you could keep the information about their race/etc if it was properly pseudonymized, but I haven't tried working that out so I'm not sure).
That's not quite correct: "The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."
meaning you can be doing business with EU residents as a US only company.
I'm not quite sure how they intend to enforce the GDPR on foreign companies, but they are making that claim.
Well, the EU basically says that if you store data on people who fall under EU law, you're doing business in the EU.
This doesn't sound crazy to me.
If I'm in Europe and I sell to an American, I have to adhere to certain US laws just the same. I have to fill in a W-8BEN form or whatnot.
I can elect not to, but next time I'm in the US, things might get awkward at customs. Also, my customers might be fined or more or less 'ordered' not to do business with me. That's within the US's right.
That's just how it works. Everywhere. For all countries.
GDPR (EU Law) requires companies to delete private data upon request.
SOX (US law) requires that companies not delete private data, in case the government wants to investigate those companies later on.
SOX has existed since 2002. Did the EU lawmakers even consider this when crafting GDPR? I'm betting not, considering the damage they've done to the WHOIS system as well.
This kind of fallout is the result of poor planning and pushing incomplete legislation for political purposes and I think all of us realize that, so let's not pretend otherwise.
GDPR is pretty clear that a user's "right to be forgotten" isn't absolute and that businesses should be weighing up (and documenting) a user's right to privacy against their other legal obligations.
Well, European countries usually didn't shy away from bureaucracy. Now that there is the EU, there is another big layer of bureaucracy, and it doesn't help at all. Even worse is the fact that these bureaucrats are really distant from the people, both physically and with their hearts.
We are still going on because we're wasting the capital we accumulated over hundreds of years; otherwise we would have succumbed a long time ago.
Of course, this is a summary of my political analysis, I don't pretend to know the truth or really anything. Don't want to offend people with my opinion.
GDPR is a great example of the kinds of disasters that happen when nations try to force the entire planet to follow their unilateral actions.
(Shrug) It's a public response to abuses by private actors. It's a great example of the kinds of disasters that happen when the user is the product and not the customer.
> (Shrug) It's a public response to abuses by private actors.
I disagree, I think it's a political move and won't have the kind of positive impact that we want it to.
GDPR, as it is written, should put Facebook and Google out of business. Invading people's privacy is a huge part of their revenue stream. I'm all in favor of protecting privacy of individuals but I'm cynical that we'll see any real progress as a result of this and the negative consequences are real, and possibly more significant than any positive effects. Time will tell.
I can shut down my site at any given moment, citing an attack from Mars. And? I think that GDPR was just an excuse; if this were a booming business, he wouldn't have a problem adjusting to GDPR.
(not OP) I scrolled down and didn't find an answer. The section labeled "why shut down" mentions (paragraph by paragraph):
- "[GDPR] creates uncertainty and risk" -- which?
- "fines of 4% of turnover or €20 million (whichever is higher)" -- as if a small infraction is going to get the maximum punishment. He can't be serious here.
- "ambiguously-defined hoops" -- which requirements are ambiguous?
- "parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting" -- if you ever needed one of those companies (I did unfortunately), you'd know that someone always ends up paying the lawyers. Either the sued company or the client. It's definitely not risk-free for the client.
- "this new EU law hurts small and ethical startups" -- what clause of GDPR would ethical startups run afoul of anyway? It's aimed at unethical ones. And as for "small", then you can't get a big fine anyway right? At least, unless you intentionally cause big damages, I don't see how a small firm like this could unintentionally cause such big damages that large fines are in order.
So it's not answered. And I am still wondering what part of GDPR he doesn't already comply with in the website's current form, as the Dutch "WBP" from 2001 required 95% the same things. I assume the UK generally has somewhat similar laws.
Some people are under the impression that IP addresses fall under "personal information". So if the user account is deleted and the associated IP logs are not deleted, this would be a GDPR violation.
Another potential violation would be asking a user's age (like asking their birthday), but not needing their age for the operation of the service.
It is currently unclear how rigorously GDPR will be enforced. In the extreme case of rigorous enforcement nearly all current server/frameworks would cause violations by default and would need to be overhauled.
There are a bunch of other examples in the comments that are likely violations for the site as well. It is unclear how many of these apply since it is unclear how the GDPR will be enforced.
> Another potential violation would be asking a user's age (like asking their birthday), but not needing their age for the operation of the service.
In theory, in the US this could be driven by COPPA, but I haven't seen a birthday asked for that reason in a long time. It also wouldn't be a reason to store it, only to ask and process ephemerally. I believe it's also common in the US for alcohol-related websites to ask age; although that could be misguided, it is common. Again, not a reason to store, but to ask.
Yeah, I was not clear. My intent was to talk about storing a birthday vs. storing a boolean indicating whether the user was the age of majority, or a boolean for whether they were 13+ for COPPA.
Storing the value, rather than ephemerally processing it, is a matter of convenience so you do not have to ask your authenticated user to re-input their age/birthday/<are you an adult> all of the time.
That said it seems unlikely that a regulator would come down hard on a data processor that stored a date vs storing a boolean value.
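The data-minimization pattern discussed in the last few comments (derive the yes/no facts from the birthday at signup and keep only those), together with the earlier point that deleting an account should also delete its IP log entries and leave behind nothing that identifies who asked for erasure, as a small worked example. This is added illustration code, not code from any poster or from the site under discussion; the `Store` class, the 13 and 18 thresholds (the age of majority varies by jurisdiction), and the "refuse under-13 signups" policy are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

COPPA_MIN_AGE = 13   # threshold mentioned in the thread for COPPA
MAJORITY_AGE = 18    # assumption for the example; varies by jurisdiction


def years_between(birthday: date, today: date) -> int:
    """Whole years elapsed, not counting a birthday later in the current year."""
    years = today.year - birthday.year
    if (today.month, today.day) < (birthday.month, birthday.day):
        years -= 1
    return years


def age_flags(birthday: date, today: date) -> Dict[str, bool]:
    """Reduce the birthday to the two facts the service actually needs.

    The birthday is processed ephemerally: only the booleans are returned,
    and the caller never writes the date itself to storage.
    """
    age = years_between(birthday, today)
    return {"over_13": age >= COPPA_MIN_AGE, "adult": age >= MAJORITY_AGE}


@dataclass
class Account:
    # Deliberately no birthday field: the record cannot leak a date it never held.
    username: str
    email: str
    over_13: bool
    adult: bool


@dataclass
class Store:
    """Toy in-memory store (constructed for the example) with cascading erasure."""
    accounts: Dict[int, Account] = field(default_factory=dict)
    ip_log: List[Tuple[int, str, str]] = field(default_factory=list)  # (account_id, ip, timestamp)
    erasures: int = 0  # a bare counter: after erasure nothing identifies who asked
    next_id: int = 1

    def signup(self, username: str, email: str, birthday: date, today: date) -> Optional[int]:
        flags = age_flags(birthday, today)
        if not flags["over_13"]:
            return None  # example policy: refuse, and store nothing about the attempt
        acct_id = self.next_id
        self.next_id += 1
        self.accounts[acct_id] = Account(username, email, **flags)
        return acct_id

    def log_request(self, acct_id: int, ip: str, timestamp: str) -> None:
        self.ip_log.append((acct_id, ip, timestamp))

    def erase(self, acct_id: int) -> bool:
        """Delete the account and every IP log row tied to it; keep only a count."""
        if acct_id not in self.accounts:
            return False
        del self.accounts[acct_id]
        self.ip_log = [row for row in self.ip_log if row[0] != acct_id]
        self.erasures += 1
        return True
```

The point of the split between `age_flags` and `Account` is that the birthday cannot end up in storage by accident: the record type has no field for it, so a later "just log the whole form" change would fail rather than silently retain the date. The erasure routine filters the IP log by account id rather than by IP, so other users' rows sharing an address (NAT, proxies) are untouched.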
I didn't really understand the implications of GDPR until I read this. Now I understand the paranoia.
Basically, in good faith, everyone is happy: website owners take measures to protect their users' data, and ask for consent. But 1 unsatisfied user, or heck a slimy competitor, can bring you down (I assume €20 million fine is business-killing for most startups).
The key is "targeted". If you're targeted, since it's ambiguous, your chance of losing is higher.
On the brighter side: Some people make extra income! /snark
What bothers me about GDPR is that you can't make consent a precondition for service. Maybe user data is my business model. Or maybe I'm a US company and I don't want to have to deal with issues of Europeans accessing my site. Why should the GDPR be my problem if I'm not in the EU? Don't like it, don't use it. There's too much overreach here.
Then block anyone from the EU from accessing your website. If you don't want to deal with EU laws then don't do business with the EU -- it's that simple. If you operated a legal online narcotics or pornography business you would have to do the same thing to not do business with countries where your wares would be illegal to sell.
You can't have it both ways. Either you want to have EU residents as customers, or you don't want to deal with EU laws.
Typical.. Equifax gets off with a slap on the wrist. Facebook talks to Congress for a bit before returning to business as usual. Nothing happens to Cambridge Analytica.
But damn if they don't destroy a few small businesses to show that the government is on the case.
Equifax is US. Congress is US. Cambridge Analytica got raided by the ICO, the UK's data protection agency; the investigation is ongoing (although one of the witnesses is a bit... shaky). Troll somewhere else.