
Fixing your app for the new EU Privacy Laws - daenney
https://medium.com/nedap-talks/fixing-your-app-for-the-new-eu-privacy-laws-4be55a06dd0c#.pp1wbjykw
======
nailer
> This right is also suspect since it could be seen as censorship. What if a
> newspaper uses your name in an exposé about you, can you use your right to
> be forgotten to wipe the slate clean? Google would love your input here.

This has been happening in the UK: searches for figures who have been
convected of crimes are removed from Google results under the EU law. The
public's right to know is being superseded by the individual's right to have
their crimes forgotten.

------
DiabloD3
This sounds like an absolute disaster for technology businesses in the EU,
especially ones that do not rely on code they wrote.

I'm all for privacy, but most of this doesn't really do anything to enhance
it.

~~~
janpieterz
The issues it raises are just as valid for any business anywhere. If you're an
American business and I sign up for your website, you apparently have to
comply with these laws as well, as far as I understand it.

~~~
BillinghamJ
You "have to comply", but the EU courts have no jurisdictional control over
you, so in reality you don't.

~~~
ygjb
Clearly you have a nuanced legal argument to support the notion that a company
that does business in a jurisdiction doesn't have to adhere to their laws?
What about companies that have subsidiaries or employees in the jurisdiction
of those laws?

It's not as simple as you make it sound.

~~~
BillinghamJ
Running a website in the US and allowing EU IPs to connect generally does not
constitute doing business in the EU.

Accepting payments from EU cards, having employees/offices, etc. all clearly
do.

It depends on the case.

------
DiabloD3
As an owner of a US business myself, I will not be complying with these EU
laws, period.

The US government already requires me to know who my users are in the sense
that they must be able to warrant/subpoena me for any data that belongs to my
customers, even if my customers attempt to delete their accounts with me: if I
still have the data in my company's possession, whatever data I have that is
covered by the warrant/subpoena must be turned over.

So, if a EU customer says "oh, you must delete every data you ever had about
me", and the US government THEN comes and warrants/subpoenas my company
shortly after, can I theoretically be held in contempt of court or be charged
with destruction of evidence? Possibly.

I'm sorry, but as an American, I'm going to comply with US law here.

It's one thing to require explicit consent to share data with non-government
third parties, or with the government without warrant or subpoena, but it is
another thing to explicitly require consent for _them_ to enter data into
_your_ app, service, or product.

As in, real name field? Address field? Phone number field? Email field?
Somehow, the user inputting data into those fields of their own volition still
does not constitute explicit consent to store and use that data for purposes
of making the service/product happen.

The law, as mentioned in the article, also has no provisions for legal,
financial, or tax purposes. Let's say I am someday audited by the IRS, and I
can't match where money came from to an actual customer, they can punish me
for that: I can't go tell them, "oh, User #1931, they used some EU law to
force me to delete all their data, so all I know is they sent me money in
exchange for goods and/or services, but I no longer know their name, their
address, or even their Paypal account name."

So, yeah, no. I'm all for privacy and rights, but this just doesn't work. This
is just as backwards as the cookies law they passed a while back, forcing me
to close annoying banners at the tops of websites to "consent" to cookies, and
I'm not even European!

Also, one last thing, I must be able to let my user download all data about
them? No more "walled silos"? I imagine there is an entire classification of
apps that you could never produce useful results out of this, ie, you can't
just import it into another service or app and continue on as if nothing
changed. Like, imagine being able to export your entire Evernote everything
and try to import into OneNote, or vise versa. It just wouldn't work all that
well, even though they are similar apps.

~~~
icebraining
_> Somehow, the user inputting data into those fields of their own volition
still does not constitute explicit consent to store and use that data for
purposes of making the service/product happen._

The article says precisely the opposite ("Naturally when users enter
information themselves that is considered consent"), so why are you saying
that?

What you need to do is explain _why_ you're asking for that information, and
not use the information for other purposes without asking the user again.

 _> The law, as mentioned in the article, also has no provisions for legal,
financial, or tax purposes._

You can store it as long as there are "legitimate grounds for retaining it".
Legal or tax purposes certainly fit. A marketing database doesn't.

 _> I imagine there is an entire classification of apps that you could never
produce useful results out of this, ie, you can't just import it into another
service or app and continue on as if nothing changed.._

There are plenty of services that provide cheap data transformation/syncing
for when you want to move to another service. Sure, the mapping won't be
perfect, but so what?

