Just to clarify your point: it applies to users physically located in the EU. Fines assessed under it apply to businesses that serve them anywhere in the world, which is what makes it so damned scary. The EU government has essentially declared itself the Emperor of the Internet.
Money doesn't have to change hands to create a GDPR obligation. And if you mean "HTTP transactions," it's a fundamental shift in the nature of the internet to block countries by default and enable them only after studying and complying with local regulations. Maybe it's an inevitable or even healthy shift, but it's certainly not a "usual" dynamic today.
It's certainly not a recent development to require compliance with law even for products or services that are free.
Transactions do not have to involve money and in fact, the very topic of this entry on HN is about a website that was free, with transactions that did not involve money.
Really? If it's a currently established practice, what are some prior examples of countries punishing foreigners on foreign soil over websites with no payments component?
Maybe each jurisdiction should be in the business of regulating locally-accessible websites, not just locally-hosted ones, but that's a fundamental shift in the nature of the internet. "Not available in your country" is currently an anachronism. In that world, a prudent web publisher would start out local and enable specific countries for cross-border traffic only as its legal team expands. Internet communities like this one would splinter as people get tired of clicking links they can't follow.
The countries currently regulating available web content do so with network blocks, not extraterritorial enforcement actions against publishers.
The end of the sentence was "not a recent development to require compliance with law even for products or services that are free".
Free doesn't mean you are exempt from complying with law, that is all I'm saying. I did not comment on how this one applies to EU citizens even for foreign services.
In this regard though, it is similar to US law requiring foreign banks to go through special steps when they are dealing with US citizens so that's not anything new either. Money being involved or not in my opinion is not really significant (I actually think that private data is more important and needs more protection than money) but that was not the point of my comment.
I was just clarifying that the Internet’s new Dear Leader will be trying to reach outside its borders to enforce this law. It doesn’t just apply to companies in the EU.
All websites provide services to users in all countries unless they take positive steps not to. Framing this as a conditional, or a counterpoint to parent's claim about enforcement outside EU borders, is bizarre.
People that say this have not actually read the law, talked to “experts” about how to comply, or attempted to comply themselves. I have, and you’re just flat wrong.
I have read the law, read the guidance, been through the GDPR compliance process for a data-heavy product, have talked to lawyers about the same, and my partner has drafted GDPR policies for several large tech firms. I don’t know everything, but I’m reasonably well-informed.
I’m confident that compliance is:
- Straightforward for any non-tech firm;
- More complex but not that hard for most tech firms that handle data;
- Far more complex for large organisations than small ones;
- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.
I’m not sure what your motivations are in making it seem disproportionately burdensome to comply with, but I don’t think they’re good.
I won’t continue arguing with you, other than to say that what you’re saying flies in the face of everything we have been told after spending thousands of dollars on experts and independently researching the issue for hundreds of hours. If you do a simple Google search, you’ll find that we are not alone in this view, and in fact you may find yourself alone in your view that compliance is easy and costs next to nothing. Chances are quite good that if you thought it was “easy,” you’re not fully in compliance.
One thing is completely curious to me. All around the thread there are some people saying that they will block EU users.
I wonder how people from other parts of the world are understanding this and how they look at a site like that? I mean, this legislation that is designed to protect people and their data is such a problem for them that they would rather block roughly 500 million people. I personally would have a huge trust issue, but this is not about me; what do non-EU guys who don't run any site (conflict of interest) think?
I would for instance rather put a huge mark on all pages "GDPR compliant, protecting data even for non EU visitors" or something like that and try to get some money out of that. But that is just me.
@matthewmacleod GDPR in spirit is good for users as it tries to ensure that companies are following good practices wrt user data and users have control over data. But implementing it completely is not easy for small projects and startups.
I completely disagree. Implementing GDPR compliance should be straightforward for most startups and small businesses. Much easier, in my experience, than doing so at a large company.
As a small business owner, I disagree - I was essentially compliant already, with the policy changes required taking an evening to implement. (OK, there was some time spent reading before then, but still.)
Ok, I will take a stab here to see how you ended up doing it in one evening.
- What did you do about logs? Things like request logs will at least contain the IP address, which is PII. Now logs can be cleared after a fixed interval, but the time for honoring a data delete request is a month, I guess. If you want to keep logs for a period longer than that, what do you do? If you anonymize the IP, it makes other analysis on top of those logs useless.
- What did you do about data backups?
- What did you do about external error reporting services?
- What did you do about analytics services?
The only reason we log IP addresses is for security purposes (e.g. to block IPs that hammer the service, for forensic investigations, fraud prevention) - in GDPR terms, that is a "legitimate interest".
Regarding backups, realistically you are not going to have to delete data from them, as it's completely impractical to delete only data for a particular user from archive. If a user requests their data to be deleted, delete it from the live site and be open with them that some data will remain in archive - securely encrypted and untouched - for your defined retention period.
Regarding analytics, we use Google Analytics, which uses IP addresses to guess location, but doesn't make them available in the admin site - so GA doesn't actually give us any PII. As such, we simply reworded the privacy policy to be more easily readable, so it's completely clear what data we collect and why. The forthcoming Privacy and Electronic Communications Regulation (aka ePrivacy Regulation) should provide some clarity if anything else is required, but it seems likely that simply having cookies enabled in your browser will count as consent.
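The two comments above disagree on whether anonymizing IPs in request logs destroys their security value. One middle ground, shown here as an added example (not code from either commenter, and not legal advice on what GDPR requires), is keyed pseudonymization with a key that rotates per retention window: within a window the same client always maps to the same token, so "who is hammering the login endpoint" still works, while tokens from different windows are unlinkable and the raw address is never stored. The log lines, the master key, the window length and the function names are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in a common combined-log shape (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2018:12:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2018:12:00:02 +0000] "POST /login HTTP/1.1" 401 128',
    '203.0.113.7 - - [10/May/2018:12:00:03 +0000] "POST /login HTTP/1.1" 401 128',
    '198.51.100.42 - - [10/May/2018:12:00:05 +0000] "GET / HTTP/1.1" 200 2048',
    '2001:db8::1 - - [10/May/2018:12:00:09 +0000] "GET /about HTTP/1.1" 200 1024',
]

CLIENT_RE = re.compile(r"^(\S+)")            # first token: the client address
TIMESTAMP_RE = re.compile(r"\[([^\]]+)\]")   # e.g. [10/May/2018:12:00:01 +0000]
TIMESTAMP_FMT = "%d/%b/%Y:%H:%M:%S %z"


def window_key(master_key: bytes, day: datetime) -> bytes:
    """Derive a per-day key from a long-lived master key (assumed kept outside the logs).
    Pseudonyms made with different day keys cannot be linked to each other."""
    return hmac.new(master_key, day.date().isoformat().encode(), hashlib.sha256).digest()


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Replace an IPv4/IPv6 address with a keyed HMAC token.
    Without the key the token cannot be reversed or brute-forced over the address space."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for a non-address token
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip-" + tag[:16]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Rewrite only the client-address field of a log line; everything else is kept."""
    m = CLIENT_RE.match(line)
    if not m:
        return line
    return pseudonymize_ip(m.group(1), key) + line[m.end(1):]


def count_by_client(lines: list[str]) -> Counter:
    """Requests per client token; this is the analysis that keyed pseudonyms preserve."""
    return Counter(CLIENT_RE.match(l).group(1) for l in lines if CLIENT_RE.match(l))


def clients_over_threshold(lines: list[str], threshold: int) -> list[str]:
    """Client tokens that exceed a request threshold, usable for blocking without raw IPs."""
    return [client for client, n in count_by_client(lines).items() if n >= threshold]


def line_timestamp(line: str) -> datetime:
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1), TIMESTAMP_FMT)


def retain_recent(lines: list[str], now: datetime, retention_days: int) -> list[str]:
    """Drop lines older than the retention window; the retention period is the site's own choice."""
    cutoff = now - timedelta(days=retention_days)
    return [l for l in lines if line_timestamp(l) >= cutoff]


if __name__ == "__main__":
    master = b"example-master-key-kept-in-a-secret-store"  # constructed placeholder
    day = datetime(2018, 5, 10, tzinfo=timezone.utc)
    scrubbed = [pseudonymize_line(l, window_key(master, day)) for l in SAMPLE_LOG]
    for l in scrubbed:
        print(l)
    print("noisy clients:", clients_over_threshold(scrubbed, 3))
    print("kept after 30 days:", len(retain_recent(scrubbed, day + timedelta(days=31), 30)))
```

The trade-off to note is that pseudonymization under a key the site holds is reversible by the site for as long as that day's key exists; deleting the day key at the end of the retention window is what turns the stored tokens into data that no longer identifies anyone. Analyses that genuinely need the real address (geolocation, abuse reports to an upstream network) have to happen before the address is replaced.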
The EU citizen living abroad doesn't get the benefit of this EU regulation, just like an American living in London can't assert US laws against the British pub he's drinking in.