
GDPR Hysteria Part II, Nuts and Bolts, Actionable Advice - shabble
https://jacquesmattheij.com/gdpr-hysteria-part-ii-nuts-and-bolts
======
Animats
Google and Facebook will now directly control most Internet advertising. All
those intermediary organizations that live under a rock, passing tracking data
around, have a big problem - they have no connection to the user. So they
can't ask for permission to do anything. They have no way to do so.

Google has made some big changes in how they deal with third parties in the
advertising chain.[1][2] Third party trackers are being cut off, and
advertisers are being encouraged to dump them and switch to Google Ads
DataHub.

Google is frantically trying to get user consent for tracking, popping up a
deceptive message on every Google search result page. That popup asks you to
"log in" to Google. They just assume everyone has a Google account. Without
that permission, Google can only serve you "non-personalized ads".

[1] [http://www.thedrum.com/news/2018/05/01/publishers-hit-out-google-s-imposing-gpdr-policies](http://www.thedrum.com/news/2018/05/01/publishers-hit-out-google-s-imposing-gpdr-policies)

[2] [https://adexchanger.com/platforms/google-sharply-limits-doubleclick-id-use-citing-gdpr/](https://adexchanger.com/platforms/google-sharply-limits-doubleclick-id-use-citing-gdpr/)

~~~
jacquesm
There will be some places where this will have a huge impact. For instance in
the cases of real time bidding on advertising through open exchanges based on
data about the user.

I think it is also an opportunity though, we might be able to roll back some
of the more annoying ad-tech and get users to selectively switch off ad
blockers again.

Another option is that more parties will switch to advertising space sold
directly to media buyers without all those intermediaries (much like it used
to be until we started to track everything and anything).

Once you are logged in to Google you can turn off the targeting of the ads
through this link:

[https://adssettings.google.com/authenticated](https://adssettings.google.com/authenticated)

Slide the slider at the top right of the page to the left and confirm the
change, and targeted ads are gone. This takes about 10 seconds or so if you are
already logged in to Google.

~~~
zerostar07
> switch off ad blockers again.

We remember the internet before targeted ads came. 100 flashy and gif banners
on the page. Websites still need to make money, they'll just increase the ad
spots if the ads are not profitable enough.

~~~
jacquesm
The ads were plenty profitable. It's a matter of squeezing the last drops from
the lemon that make it super annoying and invasive.

~~~
true_religion
Ad CPM has been falling year to year for anyone who isn't Google. I do not
think personalization made it better. It very well may have made it worse.

~~~
jacquesm
The main reason for that is because the advertising industry is trying to
allocate the same advertising budgets to more inventory aimed at fewer users.
Ad blockers are making a real impact and the novelty factor of ads wears off
quickly.

That's why there is such an explosion of ad-tech firms, anything to get back
to where they were last year in terms of CTR and engagement. Then the users
become desensitized and the whole cycle restarts.

------
ocdtrekkie
After reading a large number of GDPR-related articles and summaries, I've
generally come to the belief that if you are doing the right thing with user
data, it is unlikely GDPR is going to cause you to suddenly start suffering.

If you aren't selling users' data, you keep it reasonably secure, and they can
delete their account, you are probably good. Most of the services you use will
already be GDPR (and Privacy Shield) compliant, and it is easy to list your
cloud and payment providers and link to their statements of compliance.

And almost everything a user could ask for, if you don't have an automated
solution to, you can generally comply with by checking your email and
responding accordingly, so for small userbases, this is hardly really even an
issue.

Furthermore, as far as actual enforcement goes, the EU is not going to shut
you down or put you out of business on a technicality. They are going to take
you out if you show flagrant disregard for your users. This is going to hit
the Unroll.me's of the world, not your average web forum.

~~~
zerostar07
> If you aren't selling users' data

I am curious when people mention this: who literally sells users' data?

~~~
scrollaway
Usually when people say "selling user data", they usually mean "monetizing
user data". There are four levels to doing that:

- Level 1: Monetizing aggregates. Aggregating lots and lots of data, running
statistics on all of it, and selling the outcome. Example: An online streaming
site that sells TV analytics to TV channels.

- Level 2: Selling proxied access. That's the Twitter/Facebook/Google ads
model: Allow interested parties (advertisers) access to an audience, but they
never are _directly_ told "Mary Jane is a 33 year old woman with 2 children
and an income of $80000/year."

- Level 3: Selling personal data. This is what people think is happening in
level 2, but is much rarer than it sounds. For example, let's say you have
influencers on your site, you'll sell to potential sponsors data about that
influencer. Or sites with personal statistics and insights that will sell
access to it to their users' competitions (a known practice in sports
services).

- Level 4: Selling confidential data. That's where we're talking the really
shady/illegal stuff. Gathering emails/credit cards and selling them to
spammers and fraudsters, that sort of stuff.

~~~
zerostar07
Great points. It's confusing when people say "selling user data" to refer to
3rd party advertising.

------
chx
I already commented on the previous post feeling the author has no idea what
he is talking about but this nails it:

> What’s important with any law is - besides the letter of the law - what the
> spirit of the law is, the laws intent.

This very conveniently forgets that the GDPR will not be interpreted by a single
authority in Brussels but rather by the relevant authority in every single EU
country. Whatever the lawmakers intended, who gives a hoot? I can pretty much
guarantee the Hungarian NAIH will see this as a fantastic cash grab
opportunity. (I am a dual Canadian-Hungarian citizen, I know my birth country
all too well.)

Despite all this "pah-pah, it'll all be fine" there is not even a guidance,
much less any law, describing who shall be fined for how much. Spirit of the
law protecting you from Hungarian bureaucracy, good luck Chuck. The courts
will eventually curb this madness and set some best practices but meanwhile
those who got fined excessively will stay bankrupt. Don't be the patsy. At
this time, unless you are a big enough company to have a sizable legal
department do not do business with the EU. This is not hysteria, this is just
good business sense.

~~~
jacquesm
Yes, I saw your previous comment. If you feel that you can discard a whole
article because you find one line in it that confirms your prior belief then
that's fine with me. But I've been in this business for long enough and have
seen EU regulators at work often enough that there is no mystery to me about
how this will play out. What will happen is that the small fry will be ignored
unless they cross the lines in very visible ways. Larger companies and
companies with more risky models will be more at risk of having the regulators
take an active interest in them. Large companies because there is a large
chance of complaints to the regulators, companies with more risky models
because they will be acting against the spirit of the law even if they will do
everything they can to comply with the letter.

If you don't believe that's how it will work that's entirely fine with me but
about 30 years of data confirm my point of view.

~~~
chx
> If you feel that you can discard a whole article because you find one line
> in it that confirms your prior belief then that's fine with me.

The entire spirit of these articles is completely misguided because the
adverse reaction to GDPR is not hysteria. Here's the unique nature of this
which makes it a recipe for disaster:

1. Every business interacting in practically any way with European citizens is
affected

2. The potential fees for breaching a very complex regulation are
unprecedentedly high.

3. Determining the actual fees for each breach is in the hands of every EU
country, including some which today wouldn't be admitted into the EU.

~~~
jacquesm
The oft bandied around 20 million euro fine is the reason for that particular
choice of words. People shutting down their projects without having spent a
minimum amount of time on the impact, bloggers worried about having to hire a
DPO. I haven't seen this much bullshit since the Y2K days and even then with
some work and planning it got taken care of.

People were genuinely surprised when the world didn't end. This is going to be
just like that. May 25th the world will continue to turn and none of these
bogeyman stories will come to pass with anything approaching fidelity.

Regulators will target the worst excesses to show they mean business and are
severely limited in manpower anyway so the vast majority of interaction that
has to do with the GDPR will amount to a change in mindset and some best
practices. In edge cases things will get a bit more interesting (someone
mentioned federated services and that's a really good question).

FWIW I've been looking at companies from the GDPR angle for about a year and a
half now, we slowly ratcheted up the push for compliance and it is interesting
to see how (EU based) start-ups have adapted to the new legislation. We have
also found some companies that were ill prepared but that's to be expected.

The worst position to be in is a small (10...20FTE) company operating in the
US running a SaaS that stores critical information. That's an expensive
affair. For most other companies - including the really large ones - the
impact will be mostly a one-time investment in software and inventory of data
and processes. After that they will be in much better shape and that's a good
thing.

Companies that make a business of selling data are expected to be hit hard,
and rightly so.

~~~
chx
> Regulators will target the worst excesses

Your confidence scares me. What about this, I have the same amount of evidence
you have: Some regulators will target the weakest. It's really easy to slap a
fine of a few tens of thousands of euros on a small business. Sure, fining a big
company for many tens or hundreds of millions makes news, but a few tens of
thousands is a good income.

~~~
jacquesm
> Some regulators will target the weakest.

Do you have any evidence for this?

I have plenty of evidence for the opposite, if you want I will collect it.

Here is one sample dataset, NL:

[https://www.computable.nl/artikel/nieuws/overheid/6345059/250449/privacywaakhond-ap-legde-geen-boetes-op-in-2017.html](https://www.computable.nl/artikel/nieuws/overheid/6345059/250449/privacywaakhond-ap-legde-geen-boetes-op-in-2017.html)

No fines in all of 2017, in spite of 10,009 data leaks that were reported.

In one case there was a settlement of 48K, but it is not quite clear what the
circumstances were, probably to protect the guilty.

"De AP stelt in een samenvatting van het jaarverslag 2017 dat het niet altijd
direct een onderzoek start. Het gaat eerst in gesprek met partijen die een
overtreding begaan en in veel gevallen leiden die zogenoemde alternatieve
interventies niet tot een officieel onderzoek."

Rough translation:

"The Authority says in the summary of their annual report for 2017 that it
does not always immediately start an investigation. It first tries to talk to
the parties that have violated the law and in many cases these so-called
alternative interventions do not lead to an official inquiry."

~~~
chx
Proof of what? The GDPR is not yet in force. Proof of Hungarian authorities
targeting small businesses for minor or even non-existent infractions? Here's
one: the tax authority starts garnishing many taxes a few days after the
payment deadline -- it's common the entrepreneur realizes they are in trouble
when all the cash is gone from their bank account. But if you so want, I can
find you any number of horror stories of how small businesses are treated in
Hungary; now that they will have a chance to mess with rich westerners (as
perceived at least), I have zero doubt they will take this chance.

~~~
jacquesm
Well, you may be right. I don't have a crystal ball but so far all the other
EU law that had this potential has not been activated in that way. VAT law for
instance is a good candidate. I've missed one filing by a few days in 2016
because I was switching bookkeepers and I got fined 115 euros, it's my
responsibility vv the tax authorities but the bookkeeper that messed up paid
the fine so it didn't cost me anything.

I don't really understand your tax authority example though, doesn't that mean
the payments are late and that the tax authority is fully within their right
to take what's theirs?

Did they take more than was their due?

~~~
chx
Nowhere in the (developed) world would the tax authority start garnishing
without a notice first -- mostly because they might be in error. And yes, they
did take more than their due, more than once.

~~~
jacquesm
That's not very nice of them. If I were in the receiving position on an action
like that I'd take them to court.

Let's hope that kind of behavior won't be the norm. But I wish the Hungarian
Data Protection Authority much good luck trying such tactics against other EU
companies, it will most likely not play out how they think it will.

I recall a case of the Irish tax authority trying to fine EU companies for
failure to pay VAT, that blew up pretty badly for them, and in the end it
turned out they themselves had fucked up. Since then they've been well
behaved.

I've tried to find a citation for that particular case but can't find it. I
own one of the companies that got fined.

------
josecastillo
Since there seem to be a lot of knowledgeable folks in these threads, I have a
question about GDPR's impact on decentralized or federated social networks
like Diaspora[1]. On these networks, users can create a profile on any server,
and be connected with users on any other server via a federation protocol[2].

All the ideals of user control and data portability are there and central to
the Diaspora project; but technically, the underlying protocol involves
passing users' posts and comments from one server to another. This seems like
it would fall afoul of guidelines against passing data to third parties, and
the same technical constraint seems to be fundamental to other federated
services like Friendica[3] and Mastodon[4]. I'm really curious how the GDPR
would affect services like this, especially as someone who's quit Facebook and
is looking at decentralized networks as an alternative.

[1] [https://diasporafoundation.org](https://diasporafoundation.org)

[2] [https://diaspora.github.io/diaspora_federation/](https://diaspora.github.io/diaspora_federation/)

[3] [https://friendi.ca](https://friendi.ca)

[4] [https://joinmastodon.org](https://joinmastodon.org)

~~~
jacquesm
That's a good point and I will research this because I also would like to know
exactly how this influences such networks. I consider them a positive
development, and as such would like to know exactly what the impact is.

From the top of my head it would require the software to implement the various
GDPR principles, and it would be wise for operators of servers to verify that
they are not exposed. Better yet if EU residents connect to EU servers and let
the federation take care of the connections across legal boundaries. That's
smart for a variety of non-GDPR related reasons too.

------
tzs
Note that the requirement to have a designated representative does not apply
to: "processing which is occasional, does not include, on a large scale,
processing of special categories of data as referred to in Article 9(1) or
processing of personal data relating to criminal convictions and offences
referred to in Article 10, and is unlikely to result in a risk to the rights
and freedoms of natural persons, taking into account the nature, context,
scope and purposes of the processing; or". (See Article 27).

Anyone know what counts as "occasional"?

Also, the regulation says the representative must be in one of the member
states where the data subjects are located. I know of some non-EU businesses
that have just a handful of customers in the EU, scattered among a few member
states. They slowly get new customers, and slowly lose old customers. Whatever
member state they put their representative in, there is a decent chance that
in a year or two all the customers in that member state will be gone. Do they
have to keep changing representatives?

~~~
jacquesm
Occasional: Not recurring regularly. So once per year but every year is not
occasional. Once and then never again is occasional. In between: consult a
lawyer, and if you can't afford that err on the side of caution.

As for the whole designated representative thing I'm looking at solving that
in a somewhat creative way, but this will take some time and preparation.

~~~
thinkulum
Would you say a personal blogger in the US needs an EU representative if
they're running a WordPress installation on a shared web host? I've been
debating with myself whether I need to move my content somewhere like
wordpress.com to avoid that requirement. The personal information I process
comes from comments and web server logs, and I'm not sure that counts as
occasional.

On the other hand, I look at Article 3, and I'm not sure posting content on a
personal blog counts as offering goods and services. Or do blog comments count
as a service?

~~~
DanBC
I'm not sure a personal blog counts. I think the people who created the
blogging and comment software need to do something, but not you as the
blogger.

[https://gdpr-info.eu/recitals/no-18/](https://gdpr-info.eu/recitals/no-18/)

> This Regulation does not apply to the processing of personal data by a
> natural person in the course of a purely personal or household activity and
> thus with no connection to a professional or commercial activity. Personal
> or household activities could include correspondence and the holding of
> addresses, or social networking and online activity undertaken within the
> context of such activities. However, this Regulation applies to controllers
> or processors which provide the means for processing personal data for such
> personal or household activities.

~~~
thinkulum
The only thing is that I'm running the site myself. That's why I was thinking
of moving the content to a blog host that would manage the back end for me.
But maybe even moderating the comments myself would make me the processor or
controller. If every blogger on Tumblr or wherever is subject to GDPR that
way, wow is the web in trouble.

~~~
jacquesm
There's a big difference between bloggers operating their own infrastructure
(like me) and bloggers that use some platform. The platform operators would
have to make sure their platform is compliant, so the bloggers that do not
operate infrastructure will be covered.

That leaves people like me (and you, apparently), I solve the problem in the
simplest way: no logs, no analytics, no comments on my site.

~~~
thinkulum
Yeah, I've been thinking about closing the comments. I don't get many anyway,
but the people who do comment might care that they're gone.

I'll be curious to see whether GDPR results in a web with fewer features, or
maybe features that don't work as well. I tried DuckDuckGo, for example, but I
dropped it quickly because Google's results are so much better. I actually
like that it takes my previous searches into consideration.

~~~
jacquesm
There definitely is a tension between functionality and privacy. The problem
is that companies that could offer certain functionality without invading
people's privacy have made a habit of grabbing what they can. The number of
apps on mobile phones for instance that require access to your location and
your contacts is staggering. Slowly people are wising up to the impact this
has, I think for many people retargeted ads was their first 'aha' moment.

Convenience and privacy will always be at odds. If the largest excesses are
taken care of then this will already have been worth it.

------
hartator
> There are countless examples a short search away of such violations, I’m not
> going to catalogue them here [...]

I think it's important to cite precise examples.

If we're asking developers of small websites to give up a significant amount
of their time to be compliant, we have to be rock solid into the why it is a
good regulation. For example, most of the recent privacy violations in the
news - FB leaks, Snowden leaks, etc. - seems untouched by GDPR.

------
scrollaway
Excellent post Jacques. This was well needed. Wish I had it a few weeks/months
ago to point several people towards it...

GDPR feels like the opposite of Y2K. Unheard of by most until very shortly
before the deadline, underplayed by those who haven't researched it, and
overplayed by many of those who have.

------
syntheticnature
In my not-so-copious free time, I help maintain the online back-end for a
membership organization (about 1500 members). I've found little guidance on
GDPR for a volunteer-based membership organization, but have managed to piece
a good bit together. I was feeling pretty good about the work done versus
compliance, hand-wringing from other officers notwithstanding, e.g. if we
delete old member records, someone might rejoin and get a different member
number, and what if they wanted to keep the original?

Now, though I'm wondering about the discussion e-mail lists we have and if we
need to auto-prune archives. They have folks' real names and such in them,
after all, from participating in discussion.

(I also wonder how this affects big email lists, e.g. linux-kernel)

~~~
beberlei
You are not excluded from the law as volunteer organization.

As far as deleting old member records and public archives, it depends on what
consent members have given before. Membership information, especially receipts
for subscription must be kept usually for 10 years for bookkeeping purposes.
As for public posts, unless the members withdraw their consent (exercise the
Right to be Forgotten) I don't see why. They knew then that the posts are
public?

edit: you must formalize this with a privacy policy though, what data you
keep, what type of consent (article 6) and for what reason you need it, if you
haven't done so yet. Then ask every member for approval of the policy.

~~~
syntheticnature
Not excluded indeed, figured that out late but not too late.

The lists are not public, but only visible within the organization. I think
part of my concern is not knowing how easy it would be to rip a given set of
messages out of the archive in Mailman. I don't expect it is likely Right to
be Forgotten will be exercised, but it sounds to be a bear if it does get
exercised.
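
The archive-pruning step syntheticnature is unsure about, as an added example that is not code from this thread or from the Mailman project: it assumes the list archive is a plain mbox file (the on-disk format Mailman 2 keeps alongside its rendered pipermail pages), builds a constructed three-message sample, and copies it to a new mbox with every message authored by the data subject's address dropped. `SAMPLE_THREAD`, the `example.org` addresses and the function names are all invented for the illustration.

```python
import mailbox
import os
import tempfile
from email.message import Message
from email.utils import parseaddr


def sender_of(msg):
    """Normalised address taken from the From: header ('' if the header is absent)."""
    return parseaddr(msg.get('From', ''))[1].lower()


def prune_mbox(src_path, dst_path, addresses):
    """Copy the mbox at src_path to dst_path, dropping every message whose From:
    address is in `addresses`.  Returns {'kept': n, 'removed': n}.

    The source file is left untouched so the operator can inspect the result and
    only then swap the files and rebuild the rendered archive from the pruned one.
    """
    targets = {a.lower() for a in addresses}
    src = mailbox.mbox(src_path, create=False)
    dst = mailbox.mbox(dst_path)
    kept = removed = 0
    try:
        for msg in src:
            if sender_of(msg) in targets:
                removed += 1
                continue
            dst.add(msg)
            kept += 1
        dst.flush()
    finally:
        src.close()
        dst.close()
    return {'kept': kept, 'removed': removed}


# Constructed sample thread (sender, subject, body); not real list traffic.
SAMPLE_THREAD = [
    ('alice@example.org', 'Meeting minutes', 'Minutes from Tuesday attached.'),
    ('bob@example.org', 'Re: Meeting minutes', 'Thanks Alice, looks right.'),
    ('alice@example.org', 'Renewals due', 'Reminder: renewals close Friday.'),
]


def build_sample_mbox(path):
    """Write SAMPLE_THREAD to a fresh mbox at `path`."""
    box = mailbox.mbox(path)
    try:
        for sender, subject, body in SAMPLE_THREAD:
            m = Message()
            m['From'] = sender
            m['To'] = 'members@example.org'
            m['Subject'] = subject
            m.set_payload(body)
            box.add(m)
        box.flush()
    finally:
        box.close()


def demo():
    """Build the sample, prune alice's messages, report what is left."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, 'members.mbox')
        dst = os.path.join(tmp, 'members.pruned.mbox')
        build_sample_mbox(src)
        result = prune_mbox(src, dst, {'alice@example.org'})
        pruned = mailbox.mbox(dst, create=False)
        try:
            result['remaining_senders'] = sorted({sender_of(m) for m in pruned})
        finally:
            pruned.close()
        return result


if __name__ == '__main__':
    print(demo())
```

This only removes messages the subject authored. Text of theirs quoted inside other members' replies stays, and so does the already-rendered HTML archive until it is regenerated from the pruned mbox (Mailman 2 ships `bin/arch` for rebuilding it). An erasure request against a list archive is therefore a matching-and-review job, not a one-liner, which is worth knowing before such a request arrives.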

------
alkonaut
I was under the impression that GDPR did not differentiate between offline and
online data.

If that’s true, then the recommendation about backup in the article doesn’t
work (you can’t store PII on offline backup media in the basement and _not_
comply with erasing the data there too on request).

It also means that deletion requests can’t easily be automated. Chasing down
records on archive media is likely going to involve physical labor. It’s even
the case that for write-only media it’s impossible to delete, you’d have to
re-write a backup without the offending data.

All this of course suggests this isn’t the case, that offline data must be out
of scope. But why isn’t this clearer?

~~~
jacquesm
Storing data offline is not meant as a way to get the data 'out of scope' but
simply to reduce the effect of a breach. It shows that you have taken active
measures to reduce the impact of a breach which will definitely get you points
for trying.

As for backups, I am going on the assumption that they are properly encrypted,
I will update the article to that effect.

------
btilly
One challenge is that everyone's reading is different. What reading will
regulators have? And what reading will they have in 6 months vs now?

For example in this article it is assumed that everyone needs a data
protection officer - the only question is whether you want someone full-time,
or you want to share one with several other companies. However when I read
[https://gdpr-info.eu/art-37-gdpr/](https://gdpr-info.eu/art-37-gdpr/) it
seems that most companies don't fall under 1.a or 1.c.

The question mark is 1.b, _the core activities of the controller or the
processor consist of processing operations which, by virtue of their nature,
their scope and/or their purposes, require regular and systematic monitoring
of data subjects on a large scale_. If you're just recording transactions,
clearly you are not monitoring them. If you're running a data broker, clearly
you are monitoring them. If you're running queries against your transactional
data to decide who to send a marketing email to... is that monitoring? "Find all
people who put something into a cart yesterday and then didn't complete the
transaction." I don't think of that query as monitoring, but I can see how
someone else might.

~~~
BinaryIdiot
> One challenge is that everyone's reading is different.

Really? I haven't heard of people who have vastly different opinions in what
specific pieces of GDPR means. Do you have any links?

> For example in this article it is assumed that everyone needs a data
> protection officer

What? Where is that assumed? The first thing it talks about are the reasons
you may need one and nothing about assuming everyone needs one.

~~~
btilly
Search for the phrase, "Do I need a (dedicated) Data Protection Officer?"

You will see that the only two options that he discusses are having a
dedicated Data Protection Officer versus a designated Data Protection Officer.
With the difference being whether they are your full time employee doing
nothing else, versus a part time responsibility.

Neither in the article nor in his comments here does he admit the possibility
that it might be a role that you don't actually need filled.

~~~
jacquesm
> Neither in the article nor in his comments here does he admit the
> possibility that it might be a role that you don't actually need filled.

I replied to your other comment in this thread, and I will update the article.

------
trendia
I would like to know how this will affect Microsoft.

I run a Pi-Hole [0] to redirect all advertising-related queries to a black
hole. When tracking the most-blocked domains, Microsoft is at the very top
[1].

For instance, when I enter "Office" into the start menu, Microsoft immediately
sends a ping to bing.com and Microsoft's telemetry servers. That is, Microsoft
is sending all of the data entered into the start menu to Microsoft's servers,
even when using the 'Pro' version and with 'full' telemetry off.

When it was first detected that Microsoft was adding telemetry calls to all
compiled programs in Windows [2], Microsoft said it was mostly for event
debugging for programmers. Now I'm not so sure -- look at your Microsoft
account privacy settings to see that Microsoft tracks when you open
applications. (They say on the page that not _all_ data is shown there).

Unfortunately, there is no way to opt out of this. You can "disable" full
telemetry, but you still have to opt into "Basic" telemetry, which still sends
your advertiser ID, the programs you run, and the queries you put into the
start menu. I'm concerned that Microsoft is not going to stop here. They have
a real incentive to capture as much data about you as they can -- they
currently earn about $1 billion in advertising through Bing.com search
queries. Unlike Google or especially Facebook, however, it's much more
difficult to opt out of Microsoft's tracking -- so many people depend on
Microsoft Office or other Windows programs that I can't fully switch to Linux.

I don't know how this is acceptable through GDPR. There are so many problems
with what Microsoft is doing:

1. There is no way to opt out of telemetry

2. There is no way to see all of the data that Microsoft has collected

3. Microsoft has severe lock-in because so much software is written for
Windows-only

4. Microsoft has an incentive to increase their telemetry, not decrease it.

[0] [https://pi-hole.net/](https://pi-hole.net/)

[1] [https://imgur.com/a/MbjtYJe](https://imgur.com/a/MbjtYJe)

[2] [https://old.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/](https://old.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/)

~~~
flukus
> and the queries you put into the start menu.

I've long suspected this but couldn't prove it. Aside from the privacy
implications I've found it makes Windows unusable. Basic operations can take
several seconds and if you're on an intermittent connection (which developers
never test on) the menu can be frozen for over a minute.

> however, it's much more difficult to opt out of Microsoft's tracking -- so
> many people depend on Microsoft Office or other Windows programs that I
> can't fully switch to Linux.

This comes up a lot but I think we need to change how we think about it. Yes
there will be pain and yes there will be things you could do before but can no
longer do, but we need to treat it like ripping off a bandaid and embrace the
pain rather than hope to mitigate it.

------
mercurialuser
Edge case: EU based travel agency serving EU citizens. They need to book a
hotel in a far away country, in the middle of nowhere, asking for a kosher
lunch (religion) or wheelchair (health)... legal basis is contract
fulfilment, article 49.1.b and .c seem to cover these cases but to me it is
still a very muddy situation.

~~~
jacquesm
Before you get into edge cases I'd focus on the bulk. That's a far more
productive way to spend your budget.

------
venning
There are a couple mentions in this article that reference marketing emails
and consent and the GDPR affecting them. I'm pretty sure this is wrong. The
Privacy and Electronic Communications Regulations (PECR) govern marketing
communications, not the GDPR. Wired did a good breakdown of how these two are
getting confused recently: [http://www.wired.co.uk/article/pecr-gdpr-emails](http://www.wired.co.uk/article/pecr-gdpr-emails)

~~~
justinator
PECR is merely a directive. It's not law, it's not enforceable.

~~~
DanBC
What does the R in PECR and GDPR stand for, and why do you think these are
different?

PECR is the implementation of [http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058](http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058) which is European law.

There are a number of regulatory actions available to eg ICO if companies are
violating PECR.

[https://ico.org.uk/about-the-ico/what-we-do/taking-action-privacy-and-electronic-communications-regulations/](https://ico.org.uk/about-the-ico/what-we-do/taking-action-privacy-and-electronic-communications-regulations/)

> There are a number of tools available to the Information Commissioner’s
> Office for taking action to change the behaviour of anyone who breaches the
> Privacy and Electronic Communications Regulations (PECR). They include
> criminal prosecution, non-criminal enforcement and audit. The Information
> Commissioner also has the power to serve a monetary penalty notice imposing
> a fine of up to £500,000.

> These powers are not mutually exclusive. We will use them in combination
> where justified by the circumstances.

I'd agree that the lack of enforcement of PECR certainly makes it feel like
just a suggestion.

~~~
justinator
> I'd agree that the lack of enforcement of PECR certainly makes it feel like
> just a suggestion.

If it's not enforced, then what was its point?

I think it's best to think of the GDPR as its replacement, rather than
thinking of them side by side, to be honest.

Wired getting something wrong is... believable.

------
anfogoat
Slightly off-topic: Is there a short history of the GDPR somewhere? History
might be an odd word choice given that it isn't even in effect yet, but I'm
simply referring to something that documents and chronicles what parties or
individuals set the regulation in motion, the public discussions around the
regulation, and what third parties were consulted in the process etc.

As an EU citizen, I'd like to know what or whom I should direct my ire
towards.

------
Tharkun
Been wondering about this for a while now, maybe someone in this thread can
shed some light on this? What about processing httpd access logs to count
visitors? Most tools use IP addresses to count unique visitors. Does that mean
this now qualifies as "processing personally identifiable data"?

~~~
jacquesm
That's just fine. You are collapsing the IP addresses into a count and that
count cannot be reversed back into the IP addresses you started out with.
And then, after you're done with your log analysis (and any security related
work you need to do with them) you can dispose of them.

There are some instances where it may make sense to have a very long log
history but I'd be careful to properly document the need for that unless that
need is an obvious one and easily explained. Anything longer than a year would
be outright wrong and anything shorter than 30 days will definitely be ok.
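The approach described in the reply above, as an added example that is not part of the thread or any commenter's code: a small script that parses Apache-style access log lines, reduces them to per-day visitor and request counts, and decides which rotated log files have passed a retention window. The log lines and file names are constructed samples, and the `files_past_retention` helper assumes rotated logs carry a `-YYYYMMDD` suffix (an assumption, not a fixed convention). The counts are what leave the function; the set of addresses used to compute them is discarded, so the output cannot be reversed into the original IPs.

```python
import re
import datetime as dt
from collections import defaultdict

# Constructed sample of Apache "combined" format access-log lines (not real traffic).
# Addresses are from documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2018:11:30:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.58"
2001:db8::1 - - [10/May/2018:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/May/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Client address, the date part of the timestamp, request line, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Rotated log files are assumed (hypothetical convention) to end in -YYYYMMDD.
FILE_DATE_RE = re.compile(r'-(\d{8})$')


def parse_line(line):
    """Return the fields of one access-log line, or None for unparseable input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unique_visitors_per_day(lines):
    """Collapse raw lines into {day: {'unique_visitors': n, 'requests': n}}.

    The per-day address sets exist only inside this function; only the
    sizes of those sets are returned, so the result contains no IP addresses.
    """
    seen = defaultdict(set)   # day -> set of addresses (discarded on return)
    hits = defaultdict(int)   # day -> total request count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip malformed lines rather than crash
        seen[rec['day']].add(rec['ip'])
        hits[rec['day']] += 1
    return {
        day: {'unique_visitors': len(ips), 'requests': hits[day]}
        for day, ips in seen.items()
    }


def report(log_text):
    """Convenience wrapper: aggregate a whole log file's text."""
    return unique_visitors_per_day(log_text.splitlines())


def files_past_retention(filenames, today_iso, retention_days=30):
    """Return the rotated log files whose date suffix is older than the window.

    today_iso is an ISO date string such as '2018-05-12'. Files without a
    recognisable date suffix (e.g. the live 'access.log') are never selected.
    """
    today = dt.date.fromisoformat(today_iso)
    expired = []
    for name in filenames:
        m = FILE_DATE_RE.search(name)
        if not m:
            continue
        stamp = dt.datetime.strptime(m.group(1), '%Y%m%d').date()
        if (today - stamp).days > retention_days:
            expired.append(name)
    return expired


if __name__ == '__main__':
    for day, stats in sorted(report(SAMPLE_LOG).items()):
        print(day, stats)
    print('past retention:', files_past_retention(
        ['access.log', 'access.log-20180401', 'access.log-20180501'], '2018-05-12'))
```

The aggregate report is the artefact worth keeping; the raw lines are what the retention check is there to delete once the analysis (and any security work on them) is finished.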

------
hartator
> Data that is not associated with a particular individual is not ‘in scope’
> when it comes to the GDPR unless that data can be re-associated with that
> individual.

I wonder if that makes the ETH and BTC blockchains illegal to have nodes in
Europe from now on. Like if I post a series of transactions that are linked to
me, can I ask all the EU nodes to remove this information?

~~~
narrator
Also, what if a person engaging in illegal activity wants their data removed?
Can they just have their financial transaction history erased and subsequently
unavailable to the authorities? GDPR almost seems designed to allow for
destruction of evidence and coverups.

~~~
salvar
Financial transaction history no, precisely because there is a legal
requirement to retain these. Other data? Of course they can. You shouldn't
even concern yourself with why that person wants their data removed. It's
their data.

------
helpme420
Thanks for the series of articles. I can't wait to see the rest of the
world (especially the US) catch up with the visionary EU regulations. It's sad
that so many Americans/Anglos dislike regulations so much.

~~~
baxtr
I, too, like more data privacy, but think for a second about this: who can
afford more regulation? The giant corporations like FB, Google etc. The small
alternatives will suffer.

EDIT: take a look at that slide, google invested 40 human years for assessment
alone
[https://twitter.com/winfriedveil/status/995951301132537857?s...](https://twitter.com/winfriedveil/status/995951301132537857?s=21)

~~~
josteink
> I, too, like more flight safety/healthcare hygiene/safer cars, but think for
> a second about this: who can afford more regulation?

As an end-user/customer, I’ll have the regulated version every single time,
thank you.

You can reframe this either way you like, but what it will come down to is
that IT has so far been one of the few completely unregulated industries, with
only its own merits to show for why such regulation shouldn’t be needed. So
far it’s not doing a very good case for itself.

People like Alan Kay have _warned_ about this. If we don’t start taking our
profession seriously (like doctors take not killing their patients seriously),
someone else will. And then the future of programming will be _legislated_.

If that’s how it all will turn out, that’s because we as an industry have
deserved it.

The GDPR is merely about basic decency and should only be considered a taste
of what the future holds. Unless we ourselves show that we can act responsibly
without further regulation.

Edit: Of course if you are the world’s biggest privacy-violator with 100s of
thousands of employees worldwide working every day to mine and AI even more
shit out of you, of course trying to get GDPR-compliant will take some effort.
That’s the whole fucking point.

Smaller businesses treating user-data decently and with respect won’t have any
such issues or conflicts of interests.

~~~
baxtr
That’s an interesting view. Do you own a business where you had to implement
GDPR or is this theoretical? Oh, and did you know that GDPR also affects the
work of teachers, solo entrepreneurs, doctors and the like?

~~~
DanBC
> GDPR also affects the work of teachers, solo entrepreneurs, doctors and the
> like?

You say that like it's a bad thing.

~~~
baxtr
My strong belief is that regulation is a big burden for small companies and
solo entrepreneurs and a big opportunity for the large corporations. Facebook
and Co will use all the power and wit they have to circumvent any regulation.
The solution is not more regulation. The solution needs to be architectural.

------
hartator
> not from the perspective of those that happen to come in posession [sic] of
> data on those subjects. Their interests are legitimate, but secondary.

Until the EU reaches mass debt and mass unemployment, and wonders why every tech
startup is in the US, or in Asia.

~~~
kazen44
if you think the economy is entirely based on VC's and startups i have news
for you...

also, being GDPR compliant gives companies a competitive edge.

I'm utterly shocked at the HN bubble about what constitutes a proper business
model.

~~~
frockington
It absolutely does not give companies an edge. If you are a small company, the
fine itself could cripple you before you even factor in the legal time, money
and effort

~~~
jacquesm
You are still stuck in the 'small companies will get fined millions of euros
for small infractions' mindset.

~~~
_rpd
You make such strong statements with great certainty. Are you going to be
paying people's fines when they rely on your advice?

~~~
jacquesm
> Are you going to be paying people's fines when they rely on your advice?

Following my advice will substantially reduce the chances of people having to
pay fines. That's a public service. If you want me to assume liability for
that then you are clearly asking for more than I can give you.

But rather than trying to play word games with you I'd like to point to the
track record of the various EU data protection entities and you'll see that on
the whole they are doing a very good job.

Finally, as for paying people's fines, if you break the law you are liable for
the fine, long before you will be fined (unless you are really making a mess
of things) you will be warned so that you are able to come into compliance. If
you ignore that and then you are fined you really have only yourself to blame.

------
hartator
> ignore requests for deletion, correction or insight from your users

This is an obvious slippery slope, and it's probably going to be challenged by
the U.S. 1st amendment. It's already an issue with the previous "right to be
forgotten" law which was way more limited in scope. [1][2][3]

[1] [http://www.dailymail.co.uk/news/article-3156779/More-280-000...](http://www.dailymail.co.uk/news/article-3156779/More-280-000-people-ask-Google-right-forgotten-request-MILLION-pages-wiped-search-engine-s-results.html)

[2] [https://www.telegraph.co.uk/technology/google/10833894/Polit...](https://www.telegraph.co.uk/technology/google/10833894/Politician-paedophile-and-GP-claim-right-to-be-forgotten.html)

[3] [https://www.wired.com/2014/07/google-right-to-be-forgotten-c...](https://www.wired.com/2014/07/google-right-to-be-forgotten-censorship-is-an-unforgettable-fiasco/)

~~~
jacquesm
Why are you polluting threads about the GDPR with countless low quality top
level comments?

~~~
hartator
I am replying to your arguments, I think you don't realize how evil a law like
GDPR is. Many small projects will get killed while privacy abusers will just
find a way to avoid the law. You still have to point to one example where this
law will make someone's life better.

~~~
jacquesm
> I think you don't realize how evil a law like GDPR is.

I've read the law end-to-end several times, I do not think it is evil.

> Many small projects will get killed while privacy abusers will just find a
> way to avoid the law.

This is Europe, not the United States.

> You still have to point to one example where this law will make someone['s]
> life better.

It's already making my life better.

For instance, this email I just received:

--

Let's stay in touch!

As many of you know, the new General Data Protection Regulation ("GDPR")
requirements go into effect on 25 May 2018. Your privacy is very important to
us, so please consent by clicking the button below if you would like to
continue receiving updates from YouPic on announcements, insights and
potential opportunities. Yes, let's stay in touch!

Sent with from YouPic Viktor Rydbergsgatam 14, Gothenburg, Sweden

--

From a company that I've never done business with, that has absolutely no
right to spam me and that I've tried many times to get them to stop spamming
me with zero result.

So no, let's not stay in touch, fuck off with the spam, the targeted
advertising, the profiles, the retargeting, the selling of profiles, the
stealing of contact lists and so on.

~~~
hartator
> So no, let's not stay in touch, fuck off with the spam, the targeted
> advertising, the profiles, the retargeting, the selling of profiles, the
> stealing of contact lists and so on.

I do agree with all of that, but I think the solution is more technical than
regulatory.

Ublock Origin, uMatrix, and Ad Nauseum are doing an infinitely better job to
protect user privacy than any legislation we can make up.

At the end of the day, users are responsible for their own security and
privacy as the web is global, and you can't expect all jurisdictions to comply
with EU laws.

~~~
jacquesm
We tried technical, it's a losing battle. All that will happen is more and
more sleazy ways to get around the technical countermeasures. Ad-blocker
detectors, track-walls, back-end filled ad slots and so on. There is no way
short of going the legal route that this will ever stop.

What would have worked is self regulation but the industry has clearly shown
that it is utterly incapable of doing so.

> At the end of the day, users are responsible for their own security and
> privacy as the web is global, and you can't expect all jurisdictions to
> comply with EU laws.

That's the beauty of it: now we can. I'm really curious how the EU will go
after foreign parties that decide to flaunt the law because they have no
residence in the EU (and because they decided they did not want to play the
representative game). That will be the real test. If that fails then the law
will fall apart.

Time will tell.

~~~
hartator
> That's the beauty of it: now we can. I'm really curious how the EU will go
> after foreign parties that decide to flaunt the law because they have no
> residence in the EU (and because they decided they did not want to play the
> representative game). That will be the real test. If that fails then the law
> will fall apart.

Copyrights are very different as they are already everywhere. We don’t want
reciprocity for laws concerning content. Picture if China or Russia demands
enforcement of their Internet laws globally.

------
nick45674748
Many years ago the world figured out that "Medical school is a requirement for
a doctor career" [1].

Somehow our ancestors did not have the brilliant idea to just put a fine to
any hospital that breaches medical protocols and send patients to death.

The first web browser was released in 1993. Any computer science professional
born before 1970 had not seen a web browser as a student (because it did not
exist).

25 years after 1993 the EU decided that a law that regulates the profession
with fines (GDPR) is enough.

Good luck EU!

[1]
[https://www.learnhowtobecome.org/doctor/](https://www.learnhowtobecome.org/doctor/)

------
Asooka
Question: What if a US company puts up a clickthrough agreement on their site
that reads

"It looks like you're accessing this site from the EU. This site is not
compliant with EU law and cannot be accessed from within the EU. If this is an
error and you do not reside within the EU, please read the following:

... very long legalese about claiming that you are definitely not an EU
citizen and the EU-seeming IP address is in fact a VPN or proxy, so you are
definitely not subject to EU law. In case this agreement is signed
fraudulently, damages will be ascertained by $US_STATE court (wherever company
HQ is) ...

[ ] I agree, under penalty of perjury, that the above applies to me. In the
case that this agreement is signed fraudulently, I agree to pay the damages
awarded by $US_STATE court and waive my right to sue within the US."

Can this company continue doing business as usual, given that any EU user who
tries to invoke GDPR will subsequently be fined and potentially deported to
the US for hearing?

~~~
Animats
_"Consent: If the data subject’s consent is given in the context of a written
declaration which also concerns other matters, the request for consent shall
be presented in a manner which is clearly distinguishable from the other
matters, in an intelligible and easily accessible form, using clear and plain
language. Any part of such a declaration which constitutes an infringement of
this Regulation shall not be binding."_[1]

So, no.

[1] [https://gdpr-info.eu/art-7-gdpr/](https://gdpr-info.eu/art-7-gdpr/)

~~~
Asooka
I'm not saying the GDPR won't apply, the company will still have to spend
resources on complying with GDPR requests. However, any user who invokes the
GDPR will be in violation of the CFAA and face very serious consequences. The
question is more "can we engineer a MAD situation where users won't dare
invoke GDPR in fear of the consequences"?

~~~
Animats
No, because the user can both have a government agency do it for them, and
delegate the right to apply the GDPR to a nonprofit advocacy organization.

