GDPR Resource Library (carpedatumlaw.com)
63 points by unstatusthequo on May 20, 2018 | 51 comments



My firm put out these materials, and having seen a lot of FUD on here, to the point of people closing up shop and other similar "overcorrection" activities, I felt these needed to be shared with the HN community. It kills me to see people closing up shop and throwing their work away out of fear.

Definitely watch the videos. I can tell you having done GDPR legal risk assessments for the past few years that if you're only thinking about this now, you're probably too late. The good news is the regulators are 1) going after low hanging fruit first (Facebook, Google, Apple, etc); 2) many of them are in disagreement about enforcement and priorities; 3) much of this is really about pseudo-taxation (hence the 4% of global gross revenue scare tactic); 4) some regulators are going to fight about who "gets to" go after certain companies; 5) if you're a tiny solo shop that does messaging apps, the likelihood of you even being noticed is so slim that closing up shop is really extreme; 6) compliance is probably easier than you think if you are that small.


Thank you. It so happens that right before I heard about GDPR I took a FOSS forum I run down for maintenance. I was about to just keep it down, as most of my audience are EU members. But maybe a more nuanced approach is doable.


What part of his comment gives you any comfort? ALL of the quoted text below looks insanely scary to me when we are talking about potential fines of $20 million:

> 2) many of [the regulators] are in disagreement about enforcement and priorities; 3) much of this is really about pseudo-taxation.... 4) some regulators are going to fight about who "gets to" go after certain companies;

So it says a) the rules are extremely unclear, even to regulators (which means that each of the 28 countries WILL have different interpretations of GDPR), b) that it WILL be abused to “tax” international companies; and c) each of the countries is so eager to abuse its newly granted “pseudo-taxation” collection powers that they will literally be waiting in line to do so.

None of that gives me any comfort.


> about potential fines of $20 million

Stop repeating this BS. Unless you're Facebook (and even then) you're not going to get fined $20 million.


> Unless you're Facebook (and even then) you're not going to get fined $20 million

Facebook will face much larger fines. The maximum fine is 4% of revenue, or $20 million, whichever is greater. Have you not read the GDPR?

Before you say “yeah but they won’t hand out big fines,” please show me where in the GDPR it says that they legally can’t. Because according to GP, GDPR will be used as a form of “pseudo-taxation”. That means abuse, and going after anyone and everyone for as much as they can.


(a) 20M EUR

(b) It's possible to simultaneously believe that the GDPR is basically lawless (i.e., that regulatory discretion determines who pays what more than the text of the law does), and basically fine. That's how most of the countries in the world work--China has no law explaining who they'll kill for their organs, but I still know they won't kill me for mine. I happen to like the rule of law, and I'm sad to see Europe degrade that, with its citizens cheering the way; but most humans in history have lived without it.


> a) 20M EUR

You’re correct. Which is actually more than $20M.

> China has no law explaining who they'll kill for their organs, but I still know they won't kill me for mine

I don’t live in China, and the odds that they will come to the US and kill me for my organs are quite small. However, the odds that the EU may be able to use existing, well-established international treaties regarding the enforcement of EU judgments to impose their new “pseudo-tax” on me in the US are considerably higher.


I still think the US is unlikely to enforce a judgment for behavior that would have been lawful under US law. The existence of Privacy Shield (a program where US companies can voluntarily subject themselves to EU-style privacy regulations) seems to imply that, since it wouldn't be necessary otherwise. But no one can say for sure until the judge rules, so I can see not wanting to roll the dice...


They will get a 4% fine if and only if they do something worse than they're doing right now, make no effort to comply with the GDPR, and respond to every regulator enquiry with a scan of their private parts.

Quite amazingly 4% of FB's revenue for 2017 is 1.6 Billion Dollars. Intel's anti-competition fine was bigger than that.


> 1.6 Billion Dollars

What a bargain. And here I was, ridiculously thinking that the fines were high! For a small business like mine, I only have to pay up to 20 million EUR to foreign governments in countries I have never been to and do not operate in.

Never mind that it would take me a lifetime or two to come up with that.


I often wondered about these cases. What kind of forum software do you use, if you don't mind answering? Maybe someone's working on a GDPR-compliant plugin, or the maintainers are in the longer term?


PunBB.


I think updating the ToS would be part of it, and a plugin that allows an admin to delete a user + all their posts / threads would suffice in the context of a forum? It's been ages since I last used PunBB, so maybe also delete all their private messages as well. If someone else quoted them it's slightly trickier because that's someone else's post, but at this point you could tell them they would have to contact you to remove any other posts. I have my suspicion it's not very common for people to ask to be obliterated from online forums, having been a user in many for years; it's more common for them to merely abandon their accounts.

Again though, the concerns are real, and I wish I had a better answer other than "don't worry, it's highly unlikely anything bad will happen."


It's wild that you put this resource up to help combat FUD, only to have it run so rampant in your immediate comments.


Who can bring suit? Is it the customer or the government or both?


In the UK, a third party legal firm can bring a civil case on your behalf with nothing more than your signature and admission that the processing of your personal information for a particular purpose without your explicit consent has caused 'distress'.

That's what the full-time solicitor at my company said. It will be like PPI, only worse.


But as a general principle, you sue for actual damages here in England, and thus you would normally need to demonstrate the real harm that has been done in order to be awarded compensation accordingly. We also tend to have a loser-pays default when it comes to costs. So unless this all goes south and winds up being like our infamous defamation laws (see "libel tourism") it seems unlikely that the GDPR will create a lucrative hunting ground for ambulance-chasing lawyer types. After all, if you were being sensible about privacy and security anyway, one would hope that actual damage to anyone whose personal data you held would be little if anything, even if you're in breach of the technicalities and paperwork requirements under the GDPR.

The big punitive fines people are talking about are the ones available to the regulators via a separate mechanism. As far as I can see, they do potentially apply to technical breaches as well, but that's quite a different context legally speaking.


It's the data protection authority of the country that represents the customer, such as the ICO for the UK.


Thanks... another thing I wonder is if this has implications in electronic crime detection. If the data can be irretrievable soon after a deletion request has been made doesn’t that make crimes harder to investigate after the fact? I haven’t done any real research on this so maybe it’s been addressed in the law.


That is exactly why you're allowed and should retain data such as server logs. You don't have to answer to deletion or transfer requests on such data.


Most people seem to agree that under GDPR, IP addresses count as personal information and you either need to get rid of IP addresses, or encrypt the data at rest and respond to deletion/retrieval requests. What makes you sure that this is not the case?


Most people, especially non EU folk, seem to be misinformed.

You don't have to purge your system of all PII upon request. An IP address is only considered PII if it can be used with other data to identify a person. If you delete the user's account, you can keep your server logs with IP addresses as long as you have a compelling business reason.

That reason is "security and monitoring".

Really most of the GDPR is just best practices codified. You are only really in trouble if you are using customer data for purposes that you A) haven't received their consent for and B) aren't what the customer would expect given what they are using your service for.


It's explained quite clearly in https://gdpr-info.eu/art-17-gdpr/

"a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;"

Because the data is still necessary, you don't have to delete it.


You can't reasonably identify someone via an IP address alone without issuing a warrant to the ISP. GDPR is fine with storing such information.

If you are able to map the IP to a user then it becomes personally identifiable but the IP itself is not.
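The two mechanics discussed above (the PunBB comment about an admin plugin that deletes a user plus their posts and private messages, with quotes in other members' posts being the tricky part, and the later point that server logs can be kept for security monitoring as long as the IP addresses in them are no longer mapped to a deleted user) combine naturally into one erasure-request handler. The following is an added example written for this page; it is not PunBB code and not from any commenter. The SQLite schema, table names and sample rows are hypothetical stand-ins constructed for the demonstration, and the `[quote=username]` marker is an assumed quoting convention.

```python
"""Constructed example of a right-to-erasure handler for a small forum.

Added illustration, not code from PunBB or from anyone in the thread.
The schema is a hypothetical stand-in for a forum database. It follows the
approach discussed in the thread: delete the account, its posts and private
messages, flag quotes of the user inside other people's posts for manual
review, and keep the access log for security monitoring while removing the
link between the deleted account and the IP addresses in that log.
"""
import re
import sqlite3

# Hypothetical schema; not PunBB's real tables.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, poster_id INTEGER, body TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER, recipient_id INTEGER, body TEXT);
CREATE TABLE access_log (id INTEGER PRIMARY KEY, ts TEXT, ip TEXT, user_id INTEGER, path TEXT);
CREATE TABLE erasure_log (id INTEGER PRIMARY KEY, ts TEXT, user_id INTEGER,
                          posts INTEGER, messages INTEGER, quoted_in INTEGER);
"""


def make_sample_db():
    """Constructed sample data: two users, a few posts, two PMs, access-log rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO users VALUES (?,?,?)", [
        (1, "alice", "alice@example.invalid"),
        (2, "bob", "bob@example.invalid"),
    ])
    con.executemany("INSERT INTO posts VALUES (?,?,?)", [
        (10, 1, "First post by alice"),
        (11, 2, "[quote=alice]First post by alice[/quote] Reply from bob"),
        (12, 2, "Unrelated post by bob"),
    ])
    con.executemany("INSERT INTO messages VALUES (?,?,?,?)", [
        (20, 2, 1, "hi alice"),
        (21, 1, 2, "hi bob"),
    ])
    con.executemany("INSERT INTO access_log VALUES (?,?,?,?,?)", [
        (30, "2018-05-20T10:00:00Z", "198.51.100.7", 1, "/login"),
        (31, "2018-05-20T10:00:05Z", "198.51.100.7", 1, "/post"),
        (32, "2018-05-20T11:00:00Z", "203.0.113.9", 2, "/login"),
        (33, "2018-05-20T11:30:00Z", "203.0.113.9", None, "/"),
    ])
    con.commit()
    return con


def erase_user(con, username):
    """Handle an erasure request for `username`; returns a summary dict."""
    row = con.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise ValueError(f"no such user: {username}")
    uid = row[0]
    # Quotes of this user inside other members' posts are someone else's content:
    # list them for manual follow-up rather than silently editing other people's posts.
    pattern = re.compile(r"\[quote=" + re.escape(username) + r"\]", re.IGNORECASE)
    quoted_in = [pid for pid, body in con.execute(
        "SELECT id, body FROM posts WHERE poster_id != ?", (uid,)) if pattern.search(body)]
    # The user's own posts and every private message they sent or received.
    posts_deleted = con.execute("DELETE FROM posts WHERE poster_id = ?", (uid,)).rowcount
    msgs_deleted = con.execute(
        "DELETE FROM messages WHERE sender_id = ? OR recipient_id = ?", (uid, uid)).rowcount
    # Keep timestamp, IP and path for security monitoring; drop only the column that
    # maps those IP addresses back to the deleted account.
    log_unlinked = con.execute(
        "UPDATE access_log SET user_id = NULL WHERE user_id = ?", (uid,)).rowcount
    con.execute("DELETE FROM users WHERE id = ?", (uid,))
    # A record holding only the numeric id lets you show the request was honoured.
    con.execute("INSERT INTO erasure_log (ts, user_id, posts, messages, quoted_in) "
                "VALUES (datetime('now'), ?, ?, ?, ?)",
                (uid, posts_deleted, msgs_deleted, len(quoted_in)))
    con.commit()
    return {"user_id": uid, "posts_deleted": posts_deleted, "messages_deleted": msgs_deleted,
            "log_rows_unlinked": log_unlinked, "quoted_in_posts": quoted_in}


def remaining_log_rows(con):
    """Access-log rows that survive erasure, as (ip, user_id) pairs."""
    return con.execute("SELECT ip, user_id FROM access_log ORDER BY id").fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(erase_user(db, "alice"))
    print(remaining_log_rows(db))
```

The design point is the one the thread makes: the access log rows are not purged, only the user-id column that would let an IP be tied to the erased account is cleared, so the log keeps its value for abuse detection. Quoted material in other members' posts is reported rather than rewritten, matching the suggestion that those cases are handled by hand.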


Probably common sense.


Your comment doesn’t do much to assuage my fear. All I see is uneven and arbitrary enforcement of an ill defined system that’s basically an excuse to tax tech companies more. Oh and “if you're only thinking about this now, you're probably too late”

GDPR is anti-tech and anti-small business.


It's decidedly pro-consumer[1] though and the full text isn't long[2].

1. http://www.seyfarth.com/dir_docs/publications/GDPR_Webinar_2...

2. https://gdpr-info.eu/


It's 88 pages with 11 chapters of numbered regulations written in legalese.

I wonder what you would consider long.


You can read and understand the entire thing in under an hour.

It's not 88 full 'pages' of text, and what few legal terms they use are either A) defined in other parts of the document or B) easily googleable.


Here's the PDF http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

If you print it you can see 88 pages.


1. You haven’t seen any enforcement

2. Enforcement will likely follow the current path of most national regulators, which is about compliance more than punishment

3. Why do you think it applies to only tech companies?

4. Small companies will find compliance much easier.


Well, it's true. Sorry if it doesn't help you, but the regulation was announced almost two years ago. Even some Fortune 1000 companies are way behind on preparing for this.


> All I see is uneven and arbitrary enforcement

Have we seen any enforcement at all yet?


Not yet because it's not even in effect until May 25th. Then enforcement can begin. But yes, in the legal industry we expect it to be very uneven enforcement. The German regulator may be more worked up than the Spanish one, for example. And again, it's going to be low hanging fruit. Why would a regulator bring an enforcement action against some solo practitioner making $100k a year to maybe get $4k in fines when they can go after Facebook?


"Why would a regulator bring an enforcement action against some solo practitioner making $100k a year to maybe get $4k in fines when they can go after Facebook?"

Because the little guy won't put up much resistance?

I think GDPR is a good thing BTW.


Why would they do 4k in fines when they can charge 20 million euro in fines?


Because they can't just charge 20 million, and don't want a court explaining to them why?


Have you even read the GDPR?

It literally says this.

"4% of annual global turnover or €20 Million (whichever is greater)"


It literally doesn't. What it literally says is:

"...subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher."

It also says "...the fines imposed shall be effective, proportionate and dissuasive."


Ok close enough? Forgive me for not remembering the exact wording of the GDPR and taking the first result that comes up on Google.

https://gdpr-info.eu/art-83-gdpr/

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:"

Proportionate how? That's obviously up to them to decide and they probably mean that large companies like Google will be subject to the 4% instead of 20 million euro. Are you going to bet your life savings that they will fine you 4k euro instead of 1 million euro?

Why would they bother to add the phrase with "whichever is higher" if they were even going to consider a fine lower than 20 million euro? Think about it. They don't care about the fine being proportionate to the downside, they are just worried about it not being strict enough to companies like Facebook and Google.


Really? There is a long list of criteria to consider on that exact page you link, and those will be checked by courts if the DPAs appear unreasonable. I didn't say a 20 million fine is impossible, but it'll need a very good basis.

Yes, the maxima are high, but it's crazy to believe the DPAs will be able (both legally and politically) to hand out fines even close to that left and right, even if you assumed they overnight suddenly turn into organizations hell-bent on doing maximum damage.

It's weird how people see that maximum amount and somehow believe those will be the norm, throwing all experience with both the DPAs and other regulations out of the window. How many undeserving businesses have been fined to death in other areas (financial regulation, environmental protection, ...) and why should this suddenly start with privacy law? No government has an interest in its enforcement arm ruining business; of course they care about downsides. Regulation and its enforcement don't exist in a vacuum, as much as the revenge-boner some "privacy advocates" (ideally selling some GDPR advice on the side...) get right now wishes it were otherwise.

(On the other hand, these numbers seem to be the only thing motivating some business owners to care, so even if they're never used they've served a purpose. Really, the amount of conversations you see that go "And they are complaining that suddenly doing X is so much work", "Didn't they have to do X under previous law as well?" "..." is mind-boggling)


And tell me, how exactly does this long list show that you won't be fined a ridiculous amount? Where does it say that if you only broke X out of Y rules that you will be fined Z less?

There's absolutely NO detail on how exactly the fines will scale DOWN other than to say that the fine could be as low as 10 million euro to 2% of global turnover. And it is filled with vague, totally up to the imagination terms like "nature, gravity and duration".

Do you really want to leave this up to the imagination of poor EU countries like Croatia or Romania and think they are going to care about making some random people bankrupt so they can cash in millions?

If the law does not prevent it, you can bet it will be abused.

How many businesses have been fined to death in other areas? I don't know, but I am sure you won't hear about them. No one wants to be the guinea pig.

This law probably has the widest and easily enforceable scope out of any others in the past. That's what makes it different from before.


I don't think it goes into effect until May 25th.


> 1) going after low hanging fruit first (Facebook, Google, Apple, etc)

I say as a strategy they don't go after those but the middle tier, who are less able to put up a fight legally. Perhaps you remember how long it took the Justice Department to fight Microsoft in the '90s. These large corporations have a great deal of brains and legal muscle. It's hard to believe that they will be the initial targets (although anything is possible). The 2nd tier is more likely the ones that will have issues (if any). Most companies aren't even close to this; they are probably 7th or 10th tier targets. Some (small company with nominal user base) aren't even going to get noticed. That's the reality. Powerful law firms. Connected people. Even access to powerful US politicians. What's the chance? (Look at what is happening with ZTE now in China.) Too big to fail. This is not Monsanto dumping chemicals or asbestos-type harm anyway.

It's like spam (but not because major companies are not abusing that typically). You can do what you want as long as you are not operating an industrial strength spam machine. The emails that you send to your customers for whatever reason w/o even explicit approval will not get you into hot water (sure anything is possible but highly unlikely).


Considering the EU has brought cases against Microsoft, Apple, and Google, I’m not really sure how you get this impression.


That's why it's called a strategy. It's not a science. And what has been done in the past (in a different case) does not mean it will be what is done going forward.

I get paid for strategy and get paid highly providing that type of advice to companies including one that was mentioned in this thread.


Quite possibly, though there will be more non-compliance in that slice of companies than regulators and resources to prosecute enforcement actions. Some of this is going to be "security by obscurity" to an extent. Not that any company should use that as their strategy, but most should not expect a regulator contact on May 26th.


>but most should not expect a regulator contact on May 26th.

Especially because a bunch of the regulators aren't ready yet.

https://twitter.com/bainesy1969/status/997452515825324034


Why do law firms believe GDPR is a legal issue? Privacy and Security have not been an entirely legal issue, though legal representation is often in the mix when dealing with regulations. I'm curious why GDPR continues to be treated as a legal problem when the regulation is more than clear on its intent and requirements?


Because a lot of detailed questions are not obviously more than clear, especially if you have an interest in not just taking the strictest possible reading, and thus people want legal opinions on that. And where those legal opinions strongly disagree, there'll be legal proceedings to have the courts clarify those.


Fair. I guess it's far more pressing for the Data Controllers versus Processors (my case), so I'll stop with my biased view.



