
GDPR: sorting the fact from the fiction - fanf2
https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/
======
eadmund
The thing which bothers me the most isn't the fine structure — steep fines for
bad behaviour are fine (pun intended) — it's the so-called 'right to be
forgotten.' It essentially makes simple immutable logs illegal. I'm still not
certain how we're going to handle it. Encrypting each record with a per-
identifier key works, but that makes doing anything with the data as a whole
prohibitively expensive.

And there's the whole question of what counts as identifying information. My
understanding is that IP addresses do — so an immutable plaintext server log
is now illegal.

Privacy is really, _really_ important. But expanding the definition of privacy
too far is just too much.

~~~
Spearchucker
Log files are easy (from a design perspective). Keep identifying information
(IP, UID, DoB, etc) in one table, and activity data in another, with a join
linking the two.

When user asks to be forgotten, simply overwrite all the identifying
information with generated data. Backups work the same way, but depending on
where and how those are stored it could get expensive.

We're seperating personally indentifying information out of our normal backups
(held warm -> cold over time), and keeping PII backups offsite as warm data,
so we can delete/ammend relatively pain-free.

Yes. GDPR compliance _will_ cost money and I'm not trivialising that. The
degree of panic it's causing baffles me though. Sure, it requires design up
front. Oh woe. But regulatory compliance always does. Ref. previous rending of
hair and gnashing of teeth in the run-ups to Glass–Steagall, HIPAA,
Sarbanes–Oxley, and so on.

~~~
kalms
It sounds like you just made a simple log into something that definitely
belongs to the GDPR ruleset!

But that's just my interpretation.

Can anyone, with citation, please shed some light on this. What's fair use, in
broad terms, when it comes to simple HTTP logs or similar structures?

~~~
kuschku
For HTTP logs, allowed use would be e.g. stripping the last octet of an IPv4,
or stripping the last 64 to 80 bytes of an IPv6.

That’s generally not identifying a single person anymore, and usually good
enough for anything else.

~~~
eadmund
> For HTTP logs, allowed use would be e.g. stripping the last octet of an
> IPv4, or stripping the last 64 to 80 bytes of an IPv6.

> That’s generally not identifying a single person anymore, and usually good
> enough for anything else.

'Usually'? Even if true (highly doubtful), that's not the same as 'always.'
The whole purpose of logs is to be truthful accounts of pertinent data. A full
IP address is a pertinent datum.

I'm going to step up on my soapbox and assert that any law which forbids me
from indelibly recording that 192.0.2.17 requested /all-your-records-are-
belong-to-us is a bad law.

~~~
lokedhs
The GDPR does not forbid you to do those things.

It does require you to treat the information as PII, which is going to give
you some hassles, but you are not banned from recording it.

~~~
eadmund
I'm banned from recording it immutably, which is the only proper way to record
a log (it should be impossible to alter a log after it's written).

If I want to record that a particular address accessed my system forever, that
is my right.

Interestingly, the GDPR exempts records required for legal compliance. So it's
okay to hold onto data for the law's purposes, but not my own? That's a bit
one-sided.

------
Azeralthefallen
Honestly i think the GDPR is a great idea, unfortunately after going through 3
different firms who are supposed experts on the GDPR. We are still struggling.
When you ask them about a possible situation, and the response you get is
"that is kind of a gray area", to "that is open to interpretation".

For example nobody has been able to give me a clear definition of what counts
as identifying information. I have heard IP addresses count, so what about our
cloudfront logs? They have the client ip address. If i pipe them straight to a
logging SaaS, is it on the logging service to handle it? Or is it on me?

Furthermore for the right to be forgotten, how do i handle that with backups
that are not under our control? E.g. AWS RDS backups? Amazon says there is no
way to modify those backups, and our TAM has suggested managing our backups
our selves.

What about data that our customers pipe to our service, how is that handled by
the GDPR, it is all encrypted. But apparently we need to handle cases, but we
don't have the decryption keys. Is it on the customer who uses our SaaS or is
it on us? How do these scenarios work?

While i feel more and more we are ready for the GDPR at the same time i am
terrified. I feel many of the laws can be interpreted far too many different
ways which makes me uncomfortable.

~~~
the_mitsuhiko
> If i pipe them straight to a logging SaaS, is it on the logging service to
> handle it? Or is it on me?

That’s not gray at all. That’s very clear cut. The SaaS acts as a data
processor if it gets IP adresses or other PII.

> Furthermore for the right to be forgotten, how do i handle that with backups
> that are not under our control?

You need to ensure PII in your database is encrypted already with a per
customer key and have these keys be backed up separately where the retention
is low.

~~~
geocar
The GDPR doesn’t say anything about encryption or IP addresses.

The ICO has said that if you have a breech that encryption would protect
against them _that_ could be a violation: [https://ico.org.uk/for-
organisations/guide-to-data-protectio...](https://ico.org.uk/for-
organisations/guide-to-data-protection/encryption/)

~~~
the_mitsuhiko
The gdpr does mention encryption and pseudonymisation. It does not mention ip
adresses because the law is very clear about anything being in scope that can
be used to identify individuals.

~~~
geocar
You’re right. I should have said the GDPR doesn’t require encryption. I blame
wee hours commenting.

And an IP address cannot always be used to identify individuals.

~~~
the_mitsuhiko
That’s why ips are not directly listed in the law.

------
fencepost
I haven't really dug into it being in the USA, but from what I've heard the
big takeaway for my clients might be: "You can never again accept a European
as a patient, and for your own protection you might need to dismiss any
European patients you have." I'm not really worried about legitimate cases
where someone wants their data removed, as that seems unlikely. I'm less sure
about the risks of some enterprising young lawyer over there finding a way (or
a possible way that would end up thrown out) to leverage it to extort money.

Read at its bluntest, as I understand it this law seems to basically ban
backups, at least those retained for any significant amount of time. Have a
customer/patient database on a cycle of daily/weekly/monthly backups that get
pruned as they get older? You need to be able to purge any individual who
requests it from those backups. Have regulatory or contractual requirements on
keeping records? Well, that's what the courts are for, hope you like the
attorneys you're going to be paying. Heck, for medical practices I've heard of
insurance companies doing clawbacks of payments _years_ after the date of
service - what does a practice do if it serves a European with temporary
insurance, gets a request to purge that person's data, then gets a request for
clarification from an insurance company?

Perhaps this is a complete non-issue for US companies, but I'm not so certain
of that that I'd be willing to just dismiss it out of hand and if it's not
dismissed then parts of it are pretty scary.

~~~
geocar
I’m currently doing GDPR consulting for an American company.

The GDPR doesn’t ban backups. You must inform the subject of how long you keep
those backups though. If payment processing stays open for years, then years
is fine. I have a customer who keeps data for ten years.

The GDPR doesn’t say that a European can claim “right to be forgotten” and
force you to destroy invoices proving you did Work for hire.

If for some reason they want you to stop processing (right to object) then
they end up owing the money themselves- since they can’t force you to forget
the invoice, having you unable to send their invoice to insurance sounds like
a bad move on their part.

Reading the GDPR “at its bluntest” is not the correct way to do things:
European courts are not amused by a narrow view of the law when it is used to
argue something is technically legal, not do they use their maximum force for
minor infraction.

That’s why you don’t need to worry about an “enterprising” European taking you
to the cleaners because the courts won’t think it’s funny either.

It also means that if you know what personal data you have, what you do with
it, disclose to the subject those things including who specifically you share
it with, and protect that personal data like your business depends on it, then
you’ll be fine because the point of the GDPR is that _this is what you should
be doing_.

~~~
Silhouette
_The GDPR doesn’t ban backups. You must inform the subject of how long you
keep those backups though._

And if you use a deduplicating backup system -- and you may have few viable
alternatives at small scale -- the answer to that latter part will be
"indefinitely". So yes, the GDPR does effectively ban backups, at least in
this sort of scenario.

 _Reading the GDPR “at its bluntest” is not the correct way to do things_

And yet there is nothing else you can reasonably do in the absence of more
specific, enduring and legally binding guidance from your national regulator,
and even that guidance is at risk of being overturned in court at European
level.

 _It also means that if you know what personal data you have, what you do with
it, disclose to the subject those things including who specifically you share
it with, and protect that personal data like your business depends on it, then
you’ll be fine because the point of the GDPR is that this is what you should
be doing._

Nope, because the right to erasure is not negated because of those sorts of
common sense, only specific criteria listed explicitly in the GDPR. And as
things stand right now, that right to erasure immediately runs into all the
issues of uncertainty raised by many in this discussion and other forums.

~~~
geocar
> And if you use a deduplicating backup system -- and you may have few viable
> alternatives at small scale -- the answer to that latter part will be
> "indefinitely". So yes, the GDPR does effectively ban backups, at least in
> this sort of scenario.

If the blocks are deduplicated because the reference count of the bit map
remains greater than one then I don't see the problem: Just because John Smith
can ask you to delete him from your database doesn't mean he can ask you to
delete all John Smiths.

Also: European courts aren't amused by this kind of nonsense.

> And yet there is nothing else you can reasonably do in the absence of more
> specific, enduring and legally binding guidance from your national
> regulator, and even that guidance is at risk of being overturned in court at
> European level.

Sure you can. You can look to the historical application of various other
similar laws and get an idea of what the regulators are likely to do.

For what it's worth: European courts cannot be legally bound to do anything.
If they think you're being an asshole but are "technically within the law"
they'll still fine you.

That's just how it works here: Hurting people is simply not ok.

> Nope, because the right to erasure is not negated because of those sorts of
> common sense

It's not "common sense" at all: Being afraid of the government and the police
isn't something civilised countries have to deal with.

Why would anyone think that the government is trying to hurt people if
everyone agrees hurting people is not okay?

------
nrjames
Eh... that's the voice of one regulator and you never know who may decide to
be more draconian with the regulations. My suggestion is to read it yourself
and think carefully about the various data protection and portability
requirements. IMO, all it takes is a small band of trolls who want to harm
your company to start to cause problems. Here's a clear way to read through
it: [https://www.privacy-regulation.eu/en/index.htm](https://www.privacy-
regulation.eu/en/index.htm)

~~~
geocar
> IMO, all it takes is a small band of trolls who want to harm your company to
> start to cause problems.

I suspect strongly the courts will use their energy to go after the biggest
most flagrant violators of European law first: the equifaxes, facebooks,
googles, and so on.

The fines are there for those companies who continue to have a flagrant
disregard for IT security practices, or who try to make personal data their
business by trying to trick the subject instead of offering real value in
trade.

If you’re not trying to play legal chicken with privacy law, you know what
personal data you have and protect it like your business depends on it, then
you’re probably going to be fine.

And unless you’re a lawyer or familiar with how European courts do things, I
think a more plain language guide is better: [https://ico.org.uk/for-
organisations/guide-to-data-protectio...](https://ico.org.uk/for-
organisations/guide-to-data-protection/)

~~~
woolvalley
The facebooks and googles can afford to follow GDPR. If you know some people
that work there, you'll realize there have been multi-year efforts to become
GDPR compliant in those companies.

It's the small companies who literally can't afford the staff to properly
implement the GDPR. It looks like it's turning into a regulatory barrier that
protects the big guys and scares the small guys away.

There is nothing in the GDPR that says: "if your a small < 5 person corp not
in europe that isn't a subsidary of another corporation, then the GDPR does
not apply (ie: Joe's blog, Sue's landscaping)". Or "If your revenues &
employee counts are within this band, then the maximum fine can only be
applied on a percentage basis and not millions.". IF these regulators really
didn't want to scare away the small guys, they would of put that into the law.

"Don't worry, the european courts are nice people" is not a strong enough
guarantee for most people and corporations.

~~~
geocar
“Following the GDPR” is easy for most companies because the amount of personal
data they keep and have at risk is extremely low. The ICO has some great
guidance for them:

[https://ico.org.uk/for-organisations/business/](https://ico.org.uk/for-
organisations/business/)

> “Don't worry, the european courts are nice people" is not a strong enough
> guarantee for most people and corporations.

The GDPR is already law and people, and corporations are still here.

That’s how courts work in Europe. They can fine you for hurting consumers or
putting them at risk even if the specific actions you’re taking aren’t
necessarily coded and specified.

As an American living here I understand how strange that can seem, but the
advantage is that companies getting prepared for the GDPR are treating the
personal data they keep as a liability instead of treating it as an asset.

------
tyler_larson
The GDPR was specifically sold as limiting the things that well-known US tech
companies (Facebook, Google, Twitter, etc.) can do with respect to EU
citizens. The sad irony is that only well-resourced tech companies with a
small army of lawyers and a large army of programmers can _afford_ to be GDPR
compliant.

The sort of unintuitive machinations it takes to maintain honest compliance
while providing useful services is kind of mind-blowing. Every bit of it that
I've delt with has left me depressed about what this will do to small
companies and innovation. Facebook will have no trouble at all being GDPR
compliant, but your average 50-person startup or small-town business hasn't
got a _chance_.

~~~
geocar
I’m currently doing some GDPR consulting for an American company.

I don’t think the GDPR is as difficult as you suggest. The biggest problem
companies seem to struggle with is this idea that the personal data they keep
isn’t _theirs_ and they need to protect it like anything else in their
possession that isn’t theirs.

Then, there’s also the issue that Americans aren’t used to the idea that a
European court might think they’re in their jurisdiction, and they don’t know
how to interact with a European court. Treating them as adversaries (as is
often done in the USA) doesn’t go well. The courts basically decide if you
fucked up and did harm that you could’ve prevented, and not if you were
technically against the law.

Are you treating someone’s personal data the way they would want you to?

 _Really?_

If so then you’re probably better than 90% of the way there.

~~~
Silhouette
_I don’t think the GDPR is as difficult as you suggest. The biggest problem
companies seem to struggle with is this idea that the personal data they keep
isn’t theirs and they need to protect it like anything else in their
possession that isn’t theirs._

You keep writing things like this, and I'm not going to just post the same
reply every time, so let's try another one here.

Let us assume for the sake of debate that Privacy Shield will at some point be
struck down by the courts, like Safe Harbor before it, since the fundamental
objections involving US government access have not changed.

At that point, please explain the conditions under which an EU business can
share PII with a US business without violating the GDPR.

~~~
smu
Sure thing, that's described in articles 44-50. In short:

1) if the EU has declared a country "adequate", you can transfer data (there
is a list of adequate countries. Canada is on it, the US with Privacy Shield
too)

2) in absence of an adequacy decision, there are other possibilities: binding
corporate rules (internal rules for data transfers within multinational
companies[1]), contractual arrangements (for example, the EU approved
clauses), adherence to a code of conduct with a binding commitment (look at
this like some kind of "privacy certification")

3) Finally, if the above are not possible, a transfer is still possible if the
subject gives consent after being informed of all risks.

So, for the sake of debate: I would go with either binding corporate rules (in
case of a multinational) or contractual arrangements.

[1] [https://ec.europa.eu/info/law/law-topic/data-
protection/data...](https://ec.europa.eu/info/law/law-topic/data-
protection/data-transfers-outside-eu/binding-corporate-rules_en)

------
woolvalley
"Trust us, we won't use this big stick that has no legal repercussions from us
using it."

~~~
Sylos
Not like they get enjoyment or an advantage by using that stick.

~~~
b4lancesh33t
Sarcasm often doesn't come across on the internet. Is my surmise that you are
joking correct?

~~~
Sylos
I was not joking or sarcastic. They are a regulatory institution. They get
paid to look after companies, so that those keep to the law.

Presumably, the workers at this institution do not get paid for how high the
fines are that they can push through. Nor does their office get paved with
gold floors. So, they have no incentive to swing the biggest stick they have.
There's no concrete reason to distrust them here.

Really, part of their job description for which they do get paid, is probably
that they should not fine companies inadequately. If companies leave the
country or even just do less business there, that's probably more damaging to
the country than recieving that one-time 4% of turnover.

~~~
AndrewKemendo
I think this ignores the reality of who populates these beuraucracies. I
worked for the DoD alongside the FBI, NSA and others and the sheer delight
that case agents and officers get for "hammering" people/entities under
scrutiny cannot be overstated - it's part of the ethos.

It has little to do with how much they get paid. It has everything to do with
wielding power backed by a state enforcement entity.

~~~
rahoulb
Yet when the Cookie Law came out the ICO basically said "we know it's
complicated, it's an education job, not an enforcement one".

------
rdtsc
Wonder how much of a secondary consultancy market this is going to create. I
can just see "GDPR consultant charging $450/hour with a minimum 2 weeks worth
of work" job listings.

It would be interesting what companies do about it. Will any of them pull out
of the EU market. Or maybe make users sign away their rights on their next
login "If you use this service, you give us permission to use your data in
this and that way which may or may not be GDPR compliant, if you refuse we'll
delete your profile and you'll have to find an another service to solve your
problem".

As a consumer, I like what GDPR is doing. As a developer having to implement
compliance for it, it is a huge pain.

~~~
matthewheath
> Or maybe make users sign away their rights on their next login

The GDPR explicitly disallows this. You're not allowed to make access to your
service conditional on consent because it's considered to be "not true
consent".

~~~
wtfstatists
Expanding on this, official guideline on consent [1] gives 2 relevant
examples. TLDR: you cannot offer no, degraded or higher-priced service if
consent is not given. I would say this is effectively banning targeted ads as
revenue stream. IMO this goes too far.

[Example 1]

A mobile app for photo editing asks its users to have their GPS localisation
activated for the use of its services.

The app also tells its users it will use the collected data for behavioural
advertising purposes. Neither geo-localisation or online behavioural
advertising are necessary for the provision of the photo editing service and
go beyond the delivery of the core service provided. Since users cannot use
the app without consenting to these purposes, the consent cannot be considered
as being freely given.

[Example 6]

A bank asks customers for consent to use their payment details for marketing
purposes. This processing activity is not necessary for the performance of the
contract with the customer and the delivery of ordinary bank account services.
If the customer’s refusal to consent to this processing purpose would lead to
the denial of banking services, closure of the bank account, or an increase of
the fee, consent cannot be freely given or revoked.

[1]
[http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48849](http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48849)

~~~
TeMPOraL
And IMO this is exactly right, and I'm actually surprised people tolerated the
current state of things for so long. The examples you quoted are clear-cut
cases of abusing the user.

Marketing is cancer on society, and it infected everything deeply. I welcome
anything that changes the incentives so that it's _less_ rather than _more_
profitable to try and suck in every piece of data you can get your hands on.

~~~
foobiekr
I agree with the spirit of this but can’t help but believe that the Googles
and Facebooks if the world will just ignore the intent and get away with it.
Their profit margins basically require them to do so.

~~~
TeMPOraL
They'll try, for sure. We'll see how this pans out pretty soon now.

------
gressquel
Our company receives sensitive data from external members by email, which is
considered insecure. So we need to buy or create our own solution to receive
these files encrypted.

Does anyone here have github repo to such a solution?

~~~
kuschku
You could use the system the big US banks use for that: FTPS or SFTP.

Alternatively, you could simply set up a cloud share they can upload files to,
e.g. a Seafile instance, and have them link it in the email.

If you want to go fancy, you can build your own HTTPS protected upload form.

Or you can use OpenPGP / GPG / PGP for your emails.

This isn’t exactly rocket science.

~~~
JdeBP
Whilst the point about this stuff being well known is sound, I shall just
point out that FTPS alone is quite likely (according to circumstances of
course) to be not enough. I know of at least one system that _already_ used
FTPS for a decade or so that now has to be modified to use GPG encryption _as
well_ , for GDPR compliance. Security of data once they have arrived is as
important as security of data that are in transit.

------
cobookman
Google cloud has a good blog post summarizing gdpr
[https://www.google.com/cloud/security/gdpr/](https://www.google.com/cloud/security/gdpr/)

------
brad0
The tone of this article feels very different to the words she’s saying.

