Is it scaremongering to assume the maximum fine? Of course - years of legal precedent for current DPA clearly demonstrates this. If the track record showed hundreds of small business people rendered destitute thanks to half million fines it wouldn't be, but it doesn't. It's a maximum not a fixed penalty as one would typically get for a parking offence. If they're not fining anyone £500k why are they going to suddenly fine everyone £17m?
Even TalkTalk were only fined £400k for the most ridiculous incompetence leading to 4 breaches in 18 months and failing SQL injection 101. They make profit in the tens of millions yet still didn't hit the maximum (They should have in my opinion). I think at the time that was the largest penalty yet issued.
Same goes for other data protection bodies across the EU - there will be few instances of maximum penalty under current data protection. I'm sure some countries have never imposed the current maximum.
nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.
>> nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.
That's the most interesting thing about the GDPR. While some developers are picking up their ball and huffing off home, others are actually 100% behind the regulation.
It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
> It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
Or the competitors' software.
Consider some business that was doing what GDPR requires already: users could delete their data, they could request a complete copy of it as well as an explanation what it is used for, and it was only used for defined purposes that the user signed off prior anyway.
Sadly, that reduces flexibility somewhat, but they're doing it because they consider it the right thing.
For them, GDPR levels the playing field and makes sure that they never have to stray from this conduct just to remain competitive with companies that aren't so nice to their users.
> It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data. I also don't believe that data about me is data I own. To me, the gdpr feels ineffective at the real issues causing me harm (leaked info) and also a giant burden on companies that fundamentally changes how the industry has worked, but in a way that quite frankly, doesn't make any sense to me. The data about my order isn't my data to control.
> Nothing about the gdpr solves the problems of companies having insecure systems
It doesn't directly prevent insecure systems, but discouraging companies from storing information they don't need and transferring it on to third parties for whatever reason they feel like massively reduces most people's exposure to this risk.
> The data about my order isn't my data to control.
If you believe people have a right to privacy, then you believe they have a right to decide who gets to know what information about them.
"Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data."
Requiring disclosure of a breach within 3 days of it happening, as opposed to the several months that is commonplace now, is a big help.
"I also don't believe that data about me is data I own."
Everyone disagrees on this point. Right now, Europe says the opposite.
"also a giant burden on companies that fundamentally changes how the industry has worked"
Good. Currently the industry is geared to suck up every last bit of user data like a vacuum, regardless of whether it's actually needed, so they can sell it. This has gone on for far too long, and I'm glad to see the industry hopefully move away from it.
Probably in part because it's exactly those developers that see how easy it is to leak data to third parties that won't respect it at all and will track the everliving shit out of it.
I'm fully behind the GDPR. It might not be perfect, but I've read the law and it's surprisingly straightforward and sane.
I started writing a lengthy reply, but instead let me ask you this: why would a service be privileged to do anything with your data that they did not ask you for permission to do?
Interesting part for me is the hilarious FUD where we got none when DPA came in. A good part of GDPR is already here with EU Data Protection Acts and what constitutes personal data is much the same. Many of the Kafkaesque and corruption scenarios should be possible under DPA and other laws yet haven't been happening.
GDPR increases maximum penalty to be high enough that it could be a penalty to a Google or Facebook for a serious, wilful, breach of regs, in an environment where the tiniest fraction of reported cases get any fine at all (16 of 17,300 reports for 2017 in the UK) let alone the maximum. Internet now certain that one man software companies and hobbyists with non-commercial regex sites will receive £17m fines, every time and it will be used as a stick to beat one's political enemies with or, most comically of all, pay for local infrastructure improvements.
I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data. Just a reasonable effort to enhance DPA taking into account new techniques and misuses of data. Deletion for everyone, not just a minority - thanks to FB et al feeling it's fine to never delete, and run shadow profiles on all. The highest penalty will be saved for the most offensive cases involving multi-nationals. It will be interesting in a few years to see how many maximum fines have been levied. My bet is none at all, once or twice if there's an especially egregious breach from an Amazon or Google.
I've little doubt that just as I feel more should have attracted fines under DPA I'll feel more should have got GDPR fines.
>> I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data.
My intuition is that the people who complain are that fraction of developers who actually care about their profits more than their users' privacy.
I'm sure that's a big part of it when every app wants to do a data grab. I'm also left thinking US law doesn't really do proportionate after a few of these discussions! :)
For us in Europe 20 years of DPA must help - I doubt there's many here would want to go back to pre-data protection.
So you did the research and found out that England probably won't endorse a law to the fullest extent. My point is that a simple tech guy building a company won't know that statistic and how it relates to their specific case.
If I tell you that the maximum sentence in the UK for possession of marijuana is 5 years in prison or an unlimited fine, are you going to tell me that everybody who's ever been caught with marijuana has been thrown in prison for half a decade or bankrupted?
No, in fact, most people get served with nothing more than a formal caution or a £90 fine. This is normal - this is how the law works in this country. Anyone who doesn't understand this hasn't even been paying attention to the lowest-common-denominator newspapers, which are constantly screeching about how people usually don't get anything close to maximum sentencing.
Well then your “side project website” is unsustainable.
It’s not complex - we don’t let people away with flouting regulation because it’s burdensome. “It would make me unprofitable” is not a valid reason to ignore health and safety laws, or hygiene laws.
“I just want to run a food truck as a side project but not care about making people sick or not” is obviously ludicrous. Why is personal data somehow fair game?
Just because you are not making revenue doesn’t mean that you don’t have to abide by regulation. The GDPR is intended to solve a very real and present issue; if you run a side project that deals with personal data, then the fact that it makes no money doesn’t mean that your mistreatment of personal data isn’t harmful!
You can. You just need to think about it and have the correct controls in place.
If you choose to block all EU IPs instead of implementing the most basic data security and retention policies, then it’s for the best that EU users are not able to use your compromised service.
You cannot force peers of any decentralized distributed system to forget data. They can pretend to and appear as compliant peers and yet retain the data.
That is also PII being used for the purpose it was collected for (identifying a contributor) and I believe falls under Art.6(1)(f) of the GDPR. You would likely have a hard time convincing anybody that you can apply the right to be forgotten to a git repo - especially as that particular processing can be argued to not be requiring consent once you have submitted your commits.
The author details are not necessary for the core function of git; the change itself does not need the PII. Moreover, my concern is general for when PII is in such a distributed system; git is just one example of many.
I've always felt that git is poorly designed for that reason. At the very least, there should be an "identity block" that commits etc point into, rather than embedding names, emails, and other identity information into immutable commits. Under GDPR, that's how it would've been designed in the first place. Of course, this'll never happen without a complete fork of git.
Once you've got that sorted and you can change/remove identity information, the likes of GitHub have no issue so long as they have GDPR-compliant contracts with any business partners who can access git repos. Obviously, anyone using GitHub who decides to store all identity data forever is, generally speaking, not GitHub's problem, same as someone who noted down the names of all their friends on Facebook isn't Facebook's problem.
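To make the design point above concrete, here is an added example (not code from the thread, git, or GitHub) that serialises commit objects the way git does and hashes them with git's own `"<type> <len>\0<body>"` scheme. It shows why an author string embedded in a commit cannot be removed without changing that commit's id and every descendant's, and then sketches the hypothetical "identity block" alternative: commits embed only an opaque id, and a separate mutable registry maps that id to name and e-mail. The `IdentityRegistry` class, the `MESSAGES` history and the `Alice`/`Bob` identities are all constructed for this example.

```python
import hashlib
import secrets

# git's well-known id for an empty tree; used here as a sanity check of the hashing scheme
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"


def git_object_id(kind: str, body: bytes) -> str:
    """Content-addressed id as git computes it: SHA-1 over '<kind> <len>\\0<body>'."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree: str, parents: list, author_line: str, message: str,
                when: str = "1525000000 +0000") -> bytes:
    """Serialise a commit in git's text format. author_line is whatever identifies the
    author: today 'Name <email>', in the hypothetical design an opaque identity id."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author_line} {when}", f"committer {author_line} {when}", "", message]
    return ("\n".join(lines) + "\n").encode()


def build_chain(author_lines: list, messages: list) -> list:
    """Linear history: each commit body names its parent's id, so ids chain together."""
    ids, parent = [], []
    for author_line, msg in zip(author_lines, messages):
        cid = git_object_id("commit", commit_body(EMPTY_TREE, parent, author_line, msg))
        ids.append(cid)
        parent = [cid]
    return ids


MESSAGES = ["first", "second", "third"]  # constructed three-commit history
AUTHORS = ["Alice <alice@example.com>", "Bob <bob@example.com>", "Bob <bob@example.com>"]


def commits_changed_by_rewrite(authors: list, index: int, new_author: str) -> int:
    """Count how many commit ids change when the author embedded in commit `index`
    is rewritten. Because ids chain, every descendant of that commit changes too."""
    before = build_chain(authors, MESSAGES)
    edited = list(authors)
    edited[index] = new_author
    after = build_chain(edited, MESSAGES)
    return sum(1 for a, b in zip(before, after) if a != b)


class IdentityRegistry:
    """Hypothetical mutable side table for the 'identity block' idea: commits embed only
    an opaque id, and the mapping to name/email lives here, where it can be deleted."""

    def __init__(self):
        self._people = {}

    def register(self, name_email: str) -> str:
        ident = "id-" + secrets.token_hex(8)  # random, so the id itself reveals nothing
        self._people[ident] = name_email
        return ident

    def resolve(self, ident: str):
        return self._people.get(ident)

    def forget(self, ident: str) -> None:
        self._people.pop(ident, None)


def indirection_survives_forget() -> tuple:
    """Build a history on opaque ids, erase the identity mapping, and check that
    no commit id moved. Returns (ids_unchanged, resolved_after_forget)."""
    reg = IdentityRegistry()
    alice = reg.register("Alice <alice@example.com>")
    before = build_chain([alice] * 3, MESSAGES)
    reg.forget(alice)
    after = build_chain([alice] * 3, MESSAGES)
    return before == after, reg.resolve(alice)


if __name__ == "__main__":
    print("rewrite commit 1 changes", commits_changed_by_rewrite(AUTHORS, 0, "X <x@example.com>"), "ids")
    print("rewrite commit 3 changes", commits_changed_by_rewrite(AUTHORS, 2, "X <x@example.com>"), "ids")
    print("indirection: ids unchanged, mapping after forget =", indirection_survives_forget())
```

Rewriting the author of the first commit changes all three ids, which is exactly what `git filter-branch` or `git filter-repo` does to a real repository, and every clone that already holds the old objects keeps them. The indirection variant leaves the ids intact, but note what it does not solve: the opaque id still links all of a person's commits together (pseudonymous rather than anonymous data), and any peer that copied the registry before the mapping was deleted retains it, which is the point made further up about decentralised peers merely appearing compliant.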
> I've always felt that git is poorly designed for that reason. At the very least, there should be an "identity block" that commits etc point into, rather than embedding names, emails, and other identity information into immutable commits.
So the GDPR is entirely irrelevant because we could just give fake details to companies? And giving correct details to anyone, ever, is in fact “misuse”? That’s not how the law works, nor is it how it should work.
This was specifically about git. However, it does appear that you need to at least provide a user identifier for git. I can understand why that would be useful in a distributed system. It could be an opaque identifier, but your point's taken in this case.
This was about git in the context of the GDPR, so a company (say, a git hosting provider) is by definition involved. If you're sending commits to other private developers in some way that doesn't involve a company storing the data, the right to be forgotten/right for records to be corrected/etc in the GDPR is irrelevant in the first place.
Laws that are stupid and not widely enforced because they are stupid are damaging to the entire concept of law. Particularly if they can hang over like a sword of Damocles if you piss off the wrong people.
The law will be enforced, just as current data protection is.
The law can be enforced without every case attracting the maximum penalty. That's why nearly every law has a range of penalties.
Accidental and minor breaches can attract a minor penalty or a letter asking you try harder. Wilful and repeated breaches affecting many customers will attract harsher penalties.
Same goes for speeding offences - go 40 in a 30 limit, get a fixed penalty ticket. Go 140 with the GoPro race footage of you and your buddy posted to Twitter, expect a much larger fine and a driving ban.
In neither instance is it not enforced, or damaging to the concept of law.
I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
What @megaman22 is saying fully matches my experience as an Eastern European -- piss off the wrong people and the law will fall on you with its full might. Some people would really love to make an example out of you if you give them the chance. And I don't think that only applies to E.E. but have no data either way, it's just an observation from news and hearsay from affected people around here.
I fully support the GDPR and I'll do my utmost to comply with it even for hobby projects.
That was never something I disputed in my root comment that spawned this big sub-thread.
What I said and will continue saying is -- laws like these open even more doors for legal trolls, big players and nasty competitors to exhaust you out of business. The fact that it doesn't happen on a massive scale in my eyes means nothing; or rather, it means that agents used as an example to scare off others isn't something that's done often because usually just a few lawsuits and their aftermath are plenty enough for those many others to get the message.
So IMO using statistics here is not a strong enough argument. I am not trying to alter your thinking. We actually agree on most points but I simply can't agree that past statistics are a good proof that the new law won't be used in a more heavy-handed manner than originally intended.
To me, that remains to be seen yet and none of us can claim with certainty that what seems likely to them will materialize.
Almost missed this thanks to the incorrectly flagged message up thread.
> I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
You may be right in our chances of agreement!
I see a judiciary separate from state which is more than happy to put politicians back in their box when they introduce bad or overreaching law. Governments of all colours complain about the judiciary and Lords here in the UK - which I see as proof that the separation basically still works. I see data protection bodies that are separate from government and politics. I see occasional stories of record fines or breaches from mainly Western Europe and talk to friends and conclude small business and solo developers are not being fined or trolled into oblivion in nearby countries either. Yet EU DPA is most of what GDPR is with smaller maximum fines. Why isn't the disaster scenario you foresee already happening with current DPA and other laws? Why are so few fined for breaches and only the most extreme cases getting fines?
I'm less aware of justice systems further east and yes it's obvious that former Soviet bloc are going to be rightly more sensitive to and concerned about corruption. I'm also not aware how successfully that's been left behind from adopting EU laws and years of membership. That said, reading the pieces that turn up on HN it seems that the US is the one with problems of corruption in the justice system currently. No doubt that's also unrepresentative thanks to what's being shared about a vast nation.
So, the legal trolls - it's going to be registrars and data protection bodies bringing cases or seeking sanctions. Just like happens with current DPA. This does not appear to be akin, or anywhere near, the US DMCA where large media companies massively abuse takedowns via automated software and triggering numerous trivial errors. I don't see the scope to exhaust someone out of business - yet it's clearly easy with DMCA. There's nothing a Sony can abuse to pick on a little guy with GDPR - they can report me to the registrar.
You're right that it remains to be seen, but I sincerely doubt our data protection bodies are suddenly going to break out thumb screws and bring orders of magnitude more cases when they've kept fines for the final, extreme, and rare sanction til now.
I honestly expect that just as I feel more should have attracted fines and sanctions under DPA I'll find that GDPR is also being too lightly applied. We'll see. I've been wrong on the internet before. :)
The speed limit analogy is terrible. Or maybe perfect, for my point.
Because speed limits are not enforced, everyone goes somewhere between 5 and 15 mph over, all the time. But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily. Yeah, the jackhole that burns tire at 110 past a school-zone is most likely to get pinched, but almost everyone on the road could.