
So Your Startup Received the Nightmare GDPR Letter - janvdberg
https://jacquesmattheij.com/so-your-start-up-receive-the-nightmare-gdpr-letter
======
Arathorn
We already received one of these for Riot.im; kinda depressing that despite
all the GDPR work we’ve done for Matrix
([https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix...](https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix/) etc)
folks think it’s worth burning yet more of our time in proving it to them (but
just to them). So much for writing software and actually making Matrix
better...

~~~
ainiriand
The letters are FUD. Take a look at the process:

[https://ec.europa.eu/commission/sites/beta-political/files/d...](https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-role-edpb_en.pdf)

~~~
dnomad
The letters aren't even smart FUD. This sort of stuff gets made up by dumb
people to validate the fears of other dumb people. It's a kind of self-
propaganda. The idea that rando customers can ask for arbitrary information
like backup policies and safe-guards or the location of your servers is just
silly. The SARs have clear, well-defined limits [1] and the response can and
should be automated (once identity has been verified).

[1] [https://ico.org.uk/media/for-organisations/documents/2014223...](https://ico.org.uk/media/for-organisations/documents/2014223..).

~~~
czardoz
> The idea that rando customers can ask for arbitrary information like backup
> policies and safe-guards or the location of your servers is just silly.

Why is this silly? Does the law explicitly forbid people from asking stuff
like this?

~~~
JumpCrisscross
> _Does the law explicitly forbid people from asking stuff like this?_

No. The expectation is each of the EU’s twenty-eight national data regulators
will be nice and reasonable into perpetuity.

------
cdevs
I think the ridiculous thing is that every mom and pop site and blog and
website needs to be GDPR compliant? Insane. If the true intent was to make sure
large players have their systems in check then they should have simply said if
you have 50,000 or more users giving you data a month, or something, to protect
anyone interested in software from being afraid of having 2 users because now
they need to read every international law. I know someone will fire back at
this, but what stops the United States from coming up with some law as well on
the internet about how logins should be and then filing a lawsuit against
every other country's companies that don't comply? A business should follow
the laws based on the owner's location, and if other countries don't like it
then that's for allies to group up and ask that minority country for change.
GDPR to me is overreaching on the internet in a scary way.

~~~
mrtksn
So how exactly is it O.K. for customers if their privacy is breached by mom&pop
businesses but not O.K. if it's breached by businesses that have 50K or more
users?

It's a common theme here on HN to think that users are just some kind of
resource and the regulations are anti-climactic things that slow down the
party.

Seriously, as a user, I don't want my information to be sold to random people
that I have no information about even if the seller is a tiny business, because
my feelings are not against the business but against the practice. The size of
the violator is irrelevant to me.

If not breaching my privacy and my rights makes your business unprofitable,
then simply you don't have a business.

Users are people, not just pageviews or hits or goals - despite what your
analytics software says.

~~~
ascar
It's not just small businesses. The serious effort to fulfil this legislation
and the constant threat that you still don't is simply too much for small non-
profit organizations and personal websites. A lot of one-person blogs that are
inactive but a valuable source of information have been taken down because of
that.

I also stopped hosting demos of my side-projects (just for github or cv
links), because following this law for this kind of service is just
unreasonable. And I do not even have to cause any kind of harm to be fineable
in Germany.

~~~
dorfcakeling
If your demos required storing or using someone else's personal information,
taking them down was the right thing to do (assuming you weren't going to put
effort in to become compliant). If they didn't, you panicked and took down
potentially valuable data of your own volition.

~~~
ascar
Just adding a legally correct data protection and privacy policy is often too
much of a burden, even for otherwise fully GDPR compliant websites. Especially
as I cannot be sure if it is legally correct without consulting a lawyer
(that's one of the big pain points for non-profit and private websites).

One of my demos required multiple roles for the service and hence had
authorization and authentication built in. I.e. it was storing email addresses
(though I happily handed out prepared near full-admin accounts to everyone
interested). It was on a subdomain with robots.txt set to disallow, so very
little chance someone would find it by accident. Still, making this GDPR
compliant without consulting a lawyer was too much effort and risk for me.

I'm not even sure without consulting a lawyer, if a fully static pure html
website would be DSGVO (the German GDPR) compliant without adding a privacy
policy to it. After all I could still be tracking users by HTTP/TCP/cookies
and would have to inform the visitor, if I do or don't.

~~~
gcthomas
The Information Commissioner's Office (the regulatory body in the UK) says:

 _Who needs to document their processing activities?

There is a limited exemption for small and medium-sized organisations. If you
have fewer than 250 employees, you only need to document processing activities
that: are not occasional; or could result in a risk to the rights and freedoms
of individuals; or involve the processing of special categories of data or
criminal conviction and offence data._

GDPR is designed to be easy for small organisations to adhere to. No
documentation needed if you have only small, non-sensitive data flows. IANOL,
of course.

------
Saaster
I updated my web service (solo dev, side project) with a GDPR compliant terms
and privacy policy, got this form letter already from a few of my users. I
have to tell, it's seriously depressing and I was contemplating shutting the
whole side project down over the weekend.

~~~
donatj
I have a tiny project in closed beta right now I've been working on in my
spare time for 7 years I'm considering closing to the EU. The idea is even
entirely privacy minded with all data save email address being client side
encrypted so we never see it unencrypted.

I never intended to make real money off it except maybe covering server costs
if I'm lucky, but the time it would take dealing with requests like this is
enough to scare anyone off.

~~~
ColinWright
Broadly speaking, and noting that IANAL, _etc, etc, ..._

I'm not sure what the problem is.

Your obligation is to keep the data secure, and only keep data that you need.
Then you need to respond to requests to (a) tell a person what data you hold
on them, (b) tell them what you do with the data, and (c) delete it if asked,
unless you have a legitimate reason to keep it.

So if someone has given you data for the purpose of you providing a service
then all you need to do is treat that data with care, don't do anything your
customer doesn't expect you to do, and be able to provide and/or delete it.

 _Fair do, someone disagrees and has down-voted me. Please, having read the
actual regulations[0] several times, including the recitals[1], I'd be
pleased to see what's missing from that outline, so I can improve my
understanding._

[0] [https://gdpr-info.eu/](https://gdpr-info.eu/)

[1] [https://gdpr-info.eu/recitals/](https://gdpr-info.eu/recitals/)

~~~
JumpCrisscross
> _you need to respond to requests to (a) tell a person what data you hold on
> them, (b) tell them what you do with the data, and (c) delete it if asked,
> unless you have a legitimate reason to keep it_

Over the course of a few years, doing these things might take up as much time
as it would to learn a new language. For a side project, I’m not sure that’s a
smart trade-off.

~~~
badestrand
> might take up as much time as it would to learn a new language

How so? Just build yourself a tiny tool that takes an email address or
username and sends them their database entries along with the standard
explanations about why you need that data.

For my side projects that will be around two hours per project and then 2
minutes for every request.

Or am I missing something?

~~~
JumpCrisscross
> _Just build yourself a tiny tool that takes an email address or username and
> sends them their database entries along with the standard explanations about
> why you need that data_

You're assuming automated responses will satisfy requestors and, for the
unsatisfied, be seen favorably by each of the twenty-eight national
regulators, today and into perpetuity.

In any case, I got curious about your 2 hours / project + 2 minutes / request
metric. One can achieve "basic fluency" in a number of languages within 480
hours [1]. We thus find a trade-off hyperbola [2]. For 1 project, after 14,340
requests you could have learned a new language. For 5: 2,820 per project. For
10: 1,380. At one request per day, that's under 4 years. TL;DR, even with
optimistic figures, a significant toll is extracted purely for administration.

[1] [https://blog.thelinguist.com/how-long-should-it-take-to-lear...](https://blog.thelinguist.com/how-long-should-it-take-to-learn-a-language)

[2] 2 * Projects + (1 / 30) * Projects * Requests = 480

~~~
hartator
I think most people pro-gdpr never had to run a website.

~~~
Matticus_Rex
TBH I suspect most of them have never run _anything_. I did an info session
for a team of consultants, and was careful to include a lot of information on
the positive intentions of the law, and every single one realized quickly that
most of the costs of compliance for the vast majority of businesses had
nothing to do with improving the state of privacy, and that for many business
models that aren't abusing data this law is still going to be incredibly
expensive.

There's just a huge gap between people who viscerally understand making high-
level business decisions and people who don't, and the vast majority of the
writers and supporters of this law appear to be in the "don't" group.

------
cageface
I think the GDPR is well intentioned and has provoked some important and
useful conversations about how we make use of users’ data.

But reading stuff like this makes me that much more inclined to use that
Cloudflare option of IP blocking the whole continent. This feels like a very
slippery and dangerous can of worms that’s not worth opening.

~~~
annabellish
There's already a tonne of laws every company has to comply with. The GDPR
isn't any more onerous than any of those, it's just new. Even the "nightmare
letter" doesn't have anything unreasonable in it and the only reason why it
might be difficult for a company to comply with would be that their internal
systems and processes were already horrifying - something which we have now
collectively deemed that permitting is causing more harm than good.

~~~
cageface
What other laws do I have to comply with right now that are so vaguely defined
and carry such horrifyingly punitive fees? I guess we'll have to wait and see
how it's actually enforced but no other legal obligations I've had to consider
so far when building products feel this threatening to smaller online
businesses.

It's bad enough we have to deal with patent trolls. I'm not inclined to add
this to my risk profile.

~~~
fwdpropaganda
> What other laws (...)

You can't sell guns and drugs online.

If you're taking money, you have to make sure you know your customer (KYC).

I would also like to hear other examples.

~~~
cageface
I feel like I have a pretty clear idea of the rules in the cases you describe.
For GDPR I have no such confidence.

It seems like the smart thing for US startups to do right now is ignore EU
customers until they’ve validated the business idea enough to justify the
engineering and legal expenses of taking this on.

~~~
empath75
The alternative is to not collect personal information from your customers.

~~~
JumpCrisscross
> _The alternative is to not collect personal information from your customers_

If that worked I'd embrace GDPR. The problem with "any consumer can make a
complaint which requires expensive follow-up" regimes is that one doesn't have
to do anything wrong to incur costs. Someone can mis-interpret something and
make a complaint. Now you have to interface with a regulator, which tends to be
risky, expensive and time consuming.

~~~
aninhumer
If you're not collecting any information "interfacing with the regulator"
means replying to their email by saying "we're not collecting any
information". (Assuming they even got that far, given that they'd likely take
a look at your website and notice you aren't collecting any information.)

I'm not sure what's risky, expensive or time consuming about that.

~~~
JumpCrisscross
Consumer says “I think you’re lying” and forwards to their national data
regulator. (This is as simple as writing an e-mail.)

Data regulator now asks you questions. You must respond. Hopefully they agree
with you. But maybe not! Twenty-eight regulators appointed by different
political groups are a complex system. You will need to gain expertise on them
or hire someone with it.

All I’m saying is that time and money might be better used elsewhere.
Particularly by someone just making side projects.

~~~
aninhumer
> Twenty-eight regulators appointed by different political groups are a
> complex system. You will need to gain expertise on them or hire someone with
> it. All I’m saying is that time and money might be better used elsewhere.
> Particularly by someone just making side projects.

If you're not collecting data, then all of this is irrelevant. You just say
"I'm not collecting data". There's no nuance here.

~~~
JumpCrisscross
> _There's no nuance here_

This is your interpretation. Many prominent lawyers disagree.

In any case, convincing a regulator that you are not, in fact, collecting data
could be harrowing, distracting and expensive. The risk of incurring those
costs probably isn’t a smart one to take for a hacker or very early-stage
start-up.

~~~
aninhumer
So in this hypothetical scenario, for some reason the regulator looks at your
website, which presumably has no personal information inputs, no tracking
analytics etc. and which you have asserted collects no personal information,
and they decide that you're still _somehow_ collecting information, and for
some reason hounding your low traffic website is the best use of their limited
resources.

~~~
JumpCrisscross
Taking that risk (of a regulator mis-interpreting something and needing
clarifications, again and again, or worse, mis-interpreting something and
getting hostile) across the EU’s twenty-eight members is a good one for
Facebook. Probably not for a hobbyist.

~~~
aninhumer
What exactly is the risk to a hobbyist here?

Even if we assume a completely bizarre and pathologically incompetent
regulator that somehow ends up zeroing in on some tiny website which exhibits
no evidence of violation, the hobbyist _might_ have to... delete their
website?

~~~
JumpCrisscross
> _What exactly is the risk to a hobbyist here?_

Have you ever responded to a regulatory enquiry?

~~~
tome
If you have then perhaps you could share your experience more explicitly. It
would be helpful to clarify your point of view.

------
Ralfp
What worries me most is how little is being said about privately operated
sites. I am little Joe running an internet forum about space battles with maybe
5 active users right now and no more than 100 active members historically.
Should I sign a data processing agreement with Google because I am using Gmail
to send e-mails? Should I hire a DPO? Am I risking my house being taken from me
to cover a multimillion fine because a user posted their photo or e-mail 5
years ago and I’ve missed it because I don’t delete user-posted content
together with their account?

~~~
jacquesm
> What worries me most is how little is being said about private-operated
> sites.

If you want I can research the matter in more detail, someone else came up
with federated sites like Mastodon nodes and that's another pretty gray area.

> I am little Joe running internet forum about space battles with maybe 5
> active users right now and no more than 100 active members historically.

Ok.

> Should I sign data processing agreement with Google because I am using Gmail
> to send E-mails?

No. You _could_ try to stretch the law to include that particular example but
from my reading of it this is perfectly acceptable.

> Should I hire DPO?

No, but you _are_ the de-facto DPO, so if you receive a DSAR then you probably
should answer it, though with your user counts I think the chances of that are
very small.

> Am I risking my house being taken from me to cover a multimillion fine because
> a user posted their photo or e-mail 5 years ago and I’ve missed it because I
> don’t delete user-posted content together with their account?

No.

But if a regulator should tell you that you should remove a user's data
(because you refused to for some reason or other) you probably should. The EU
does not 'fine first and ask questions later'; they will investigate first,
warn, and then when ignored they will fine. And for a small entity like yours,
which is more of a hobby than anything else, I highly doubt regulators would
even bother, but you can't rule it out completely. Better increase your comet
insurance as well if that's your main worry :)

~~~
Ralfp
Thanks for the answers!

> You could try to stretch the law to include that particular example but from
> my reading of it this is perfectly acceptable.

But I should still note about the fact in my privacy policy, shouldn't I?

A couple of other things I've noted when working on GDPR compliance for my
forum:

- It may be a good idea to write in your forum rules that you don't allow users
  to embed their data outside of the forum profile.
- Forums accumulate tons of lurker accounts (users that register an account but
  don't post or browse anything) that could be automatically deleted.
- Forums like to log IPs used by users when they, say, post messages. Those
  could be overwritten to 0.0.0.0 for items older than X days.

I've also been working on privacy policy template for people in my position
that I have on GitHub and would love to have any feedback:

[https://github.com/rafalp/misago-privacy-policy-examples/blo...](https://github.com/rafalp/misago-privacy-policy-examples/blob/master/PRIVACY-POLICY.md)
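
The tiny export tool badestrand describes upthread and the three housekeeping
measures in this list, as an added example in Python (not code from either
commenter, nor from Misago); the SQLite schema, table names and sample rows are
constructed for the illustration.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed schema for a small forum; table and column names are assumptions,
# not Misago's. Timestamps are stored as ISO-8601 UTC strings so they sort as text.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT UNIQUE, username TEXT,
                     joined_at TEXT, last_seen_at TEXT);
CREATE TABLE posts  (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT, posted_at TEXT);
CREATE TABLE ip_log (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT, seen_at TEXT);
"""

# The "standard explanations" that go out with the export: why each table exists.
PURPOSES = {
    "users":  "Account record, needed to log you in and to contact you about the service.",
    "posts":  "Content you posted, kept while your account exists so threads stay readable.",
    "ip_log": "IP address at post/login time, kept briefly for abuse prevention, then zeroed.",
}

def iso(dt):
    return dt.replace(microsecond=0).isoformat()

def seed(conn, now):
    """Insert constructed sample rows: one active poster and one lurker."""
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.invalid', 'alice', ?, ?)",
                 (iso(now - timedelta(days=400)), iso(now - timedelta(days=1))))
    conn.execute("INSERT INTO users VALUES (2, 'lurker@example.invalid', 'lurker', ?, NULL)",
                 (iso(now - timedelta(days=300)),))
    conn.execute("INSERT INTO posts VALUES (1, 1, 'Space battles are great', ?)",
                 (iso(now - timedelta(days=200)),))
    conn.execute("INSERT INTO ip_log VALUES (1, 1, '203.0.113.7', ?)",   # old, gets zeroed
                 (iso(now - timedelta(days=200)),))
    conn.execute("INSERT INTO ip_log VALUES (2, 1, '198.51.100.9', ?)",  # recent, kept
                 (iso(now - timedelta(days=2)),))
    conn.commit()

def export_subject_data(conn, email):
    """Subject access export keyed by e-mail: every row held about that person plus the
    purpose of each table. Read-only: nothing is edited or deleted because a request
    arrived, which the ICO guidance quoted later in the thread says is not acceptable."""
    conn.row_factory = sqlite3.Row
    user = conn.execute("SELECT * FROM users WHERE email = ?", (email,)).fetchone()
    if user is None:
        return {"subject": email, "held": False, "data": {}}
    data = {"users": [dict(user)]}
    for table in ("posts", "ip_log"):          # fixed literals, never user input
        rows = conn.execute(f"SELECT * FROM {table} WHERE user_id = ?", (user["id"],))
        data[table] = [dict(r) for r in rows.fetchall()]
    return {"subject": email, "held": True,
            "data": {t: {"purpose": PURPOSES[t], "rows": r} for t, r in data.items()}}

def anonymize_old_ips(conn, now, max_age_days):
    """Overwrite IPs older than max_age_days with 0.0.0.0 (the third point above).
    Returns the number of rows changed."""
    cutoff = iso(now - timedelta(days=max_age_days))
    cur = conn.execute("UPDATE ip_log SET ip = '0.0.0.0' WHERE seen_at < ? AND ip != '0.0.0.0'",
                       (cutoff,))
    conn.commit()
    return cur.rowcount

def purge_lurkers(conn, now, min_age_days):
    """Delete accounts that registered more than min_age_days ago, never came back and
    never posted (the second point above). Returns the number of accounts removed."""
    cutoff = iso(now - timedelta(days=min_age_days))
    cur = conn.execute("""DELETE FROM users WHERE last_seen_at IS NULL AND joined_at < ?
                          AND id NOT IN (SELECT user_id FROM posts)""", (cutoff,))
    conn.execute("DELETE FROM ip_log WHERE user_id NOT IN (SELECT id FROM users)")
    conn.commit()
    return cur.rowcount

def run_demo(now=None):
    """Build the sample database, run the housekeeping, and return the results."""
    now = now or datetime(2018, 5, 29, 12, 0, tzinfo=timezone.utc)
    conn = sqlite3.connect(":memory:")
    seed(conn, now)
    before = export_subject_data(conn, "alice@example.invalid")
    zeroed = anonymize_old_ips(conn, now, max_age_days=90)
    purged = purge_lurkers(conn, now, min_age_days=180)
    return {
        "before": before,
        "zeroed": zeroed,
        "purged": purged,
        "alice_after": export_subject_data(conn, "alice@example.invalid"),
        "lurker_after": export_subject_data(conn, "lurker@example.invalid"),
        "unknown": export_subject_data(conn, "nobody@example.invalid"),
    }

if __name__ == "__main__":
    # The JSON answer a requester would receive, after the retention jobs have run.
    print(json.dumps(run_demo()["alice_after"], indent=2))
```

Because the export is read-only and the IP zeroing runs on a schedule rather than
on request, the data a requester receives is whatever routine retention has left,
which is the distinction the ICO answer quoted further down draws.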

~~~
jacquesm
> But I should still note about the fact in my privacy policy, shouldn't I?

Yes, I would disclose any third party that sees all or part of the data, and I
would also disclose what reason there is for me to make use of that service.

> I've also been working on privacy policy template for people in my position
> that I have on GitHub and would love to have any feedback:

I will do that, but not right now, wildly busy today, but if you drop me a
line (jacques@mattheij.com) I promise I will do that within the next couple of
days.

------
GiuseppaAcciaio
I have to confess, it's a guilty pleasure of mine to respond with a variant of
the Nightmare GDPR letter to SOME companies who sent me the classic "we're
sure that you want to access all the amazing benefits of our data processing
so if you REALLY want to opt-out you'll need to click on this link and
manually remove consent from a couple hundred 3rd party providers" email. I'd
never do that to any company (big or small) with whom I have legitimately
interacted, but a lot of this drivel has come from random recruitment
companies that must have scraped my details from my CV or Linkedin or
wherever.

~~~
jacquesm
If you're not legitimately concerned then you are actually devaluing the GDPR
by abusing it. If you have a legitimate concern with a particular company I'd
send them a custom letter rather than a form letter and I'd try to work with
them in order to achieve the desired effect (for instance: for them to delete
my data once and for all) rather than to get a bunch of information that I
have no further use for.

~~~
laumars
Anywhere that has made my acceptance an "opt in" I have then sent a polite
email asking for my details to be removed. I'm happy to continue to use any
services that follow GDPR and use them with the minimum of fuss; but anywhere
that feels like they're trying to worm their way around the law feels like the
kind of organisation the GDPR is designed to protect us against.

Thankfully the responses I've had thus far have been equally amicable.

~~~
jacquesm
The most friction so far that I've seen is from some news organizations that
seem to do what they can to mis-interpret the law. I have no idea what made them
think that's the right response but it is almost as if they are doing it
willfully.

For the rest of it hardly any interaction to date other than that the spam
volume seems to have dropped 50% or even more overnight.

~~~
laumars
I can't speak for news outlets outside of the UK but the ones here are largely
anti-EU anyway.

------
mlthoughts2018
It seems like a lot of the comments are about one issue:

- do you believe generally, even for an “upstanding” company you’ve done
business with for a while, that commercial entities can be trusted with your
data?

If yes, you’ll see the template as overbearing and needlessly aggressive
outside the context of some specific incident when a company proved to be
untrustworthy. Especially if you operate a side project or business of your
own, and believe you personally would not abuse consumer data collection,
you’ll see it as rude in the best case, trollish resource wasting in the worst
case.

If you’re a consumer with a general mistrust of all commercial entities, even
“upstanding” ones, when it comes to data practices, or if you just happen to
believe that the potential risks for data abuse or harm are too high to be
offset by anyone’s good intentions or past good behavior, then you’ll see this
as a reasonable template, perhaps needing a few modifications for differing
contexts, and that jumping straight away to legalese boilerplate just has to
be assumed necessary when dealing with self-interested commercial entities.

~~~
jacquesm
Sending boilerplate almost guarantees that a regulator will put your request
at the bottom of the pile if you decide to take it to the next level unless
the company responds in a way that shows their contempt for the law.

~~~
mlthoughts2018
I think that will depend on how seriously GDPR non-compliance is treated.

I’m hopeful some big corps will be heavily fined to set precedent and to ease
concerns that GDPR is a mild form of regulatory capture intended to be misused
(regardless of its wording) to asymmetrically inhibit new entrants and small
firms.

~~~
ggg9990
But that’s what the big corps want. They’d gladly each cough up a billion for
a permanent state where market entry is harder. Especially the easy to disrupt
consumer services like Facebook and Snapchat.

------
cm2012
I just want to note how non-obvious compliance with GDPR is. Two experts on
GDPR and privacy in this thread (Jacquesm and Ainiriand) have been disagreeing
throughout the thread on just the basis of whether one should reply to GDPR
complaints like this. Imagine how much up for interpretation the more gritty
parts of the law will be.

~~~
msie
And Jacquesm is saying don't be alarmed in some comments while in other
comments he admits there could be problems with people trolling with this
letter. So I'm even more skeptical of allowing any EU users.

~~~
jacquesm
It's a very consistent position: no need to be alarmed, yes you will have to
answer a letter like this, even if it is trolling. But if a letter like this
alarms you then you probably have bigger problems.

~~~
Permit
It's alarming because you describe the letter as analogous to an "exploit
toolkit" and we all know no patch is coming.

Perhaps proponents of GDPR should have considered this very obvious
weaponization of the law...

~~~
jacquesm
They did consider it, there is a pretty extensive part written on what can go
into a DSAR and from what I can see this letter skirts the edge and in some
places goes over it but on the whole it is not an unreasonable burden to deal
with it as it is.

Taking into account the lengths to which companies will go to collect data, it
stands to reason that in that context there is some balance to be found if a
Data Subject makes a request about that collected data. If you don't collect
data the request can be answered immediately and without further work.

------
throwaway13456
I've said it many times, GDPR is such a waste of time and resources for
startups unless your market is really EU.

GDPR is super expensive to remain compliant, simply because of the broadness
of the terms used, leading to undefined scope of liability.

The cheapest way to stay compliant with GDPR is to completely block access to
EU customers. In fact, this is what I did with my business. I redirect to a
generic text file (not even a HTML that could trigger a GDPR clause by itself)
explaining my stance.

~~~
3pt14159
What? How does HTML trigger a GDPR while text file does not?

~~~
throwaway13456
"Sorry, this site is for non-EU users only", something to that effect. An HTML
page can execute scripts (i.e., collect data) while a text file does not, at
least that's my understanding.

~~~
tome
If that's your understanding then you have bigger problems than the GDPR.

------
outside1234
My approach for my startup is that if anyone sends me a Subject Access Letter
that I thank them for being a customer, cancel their account, and delete their
data. I note this in the terms of service up front to be transparent and
totally comply with GDPR.

Sadly, I think this is the lowest cost approach to dealing with the law, and
removes the ability of an insane customer from causing us millions in
liability.

~~~
arghwhat
I did some quick searching, and my gut feeling would appear to be correct: It
is _not_ legal to delete user data in order to avoid fulfilling a subject
access request. It is okay if data has been routinely modified or deleted, but
it must _not_ be a result of the access request.

Quoting the Information Commissioner's Office:

        Q: We have received a request but need to amend the data before sending out the
           response. Should we send out the “old” version?

        A: It is our view that a subject access request relates to the data held at the
           time the request was received. However, in many cases, routine use of the
           data may result in it being amended or even deleted while you are dealing with
           the request. So it would be reasonable for you to supply information you hold
           when you send out a response, even if this is different to that held when you
           received the request.

           However, it is not acceptable to amend or delete the data if you would not
           otherwise have done so. Under the DP Bill, it is an offence to make any
           amendment with the intention of preventing its disclosure.

------
kylnew
I was having trouble visiting the article so I used a web archive link, in
case it’s useful to anyone else:
[https://web.archive.org/web/20180529120012/https://jacquesma...](https://web.archive.org/web/20180529120012/https://jacquesmattheij.com/so-your-start-up-receive-the-nightmare-gdpr-letter)

------
zwaps
I like how the article starts with "the nightmare letter is clearly a troll
attempt we need to deal with"

and closes with "actually, those are all valid and reasonable questions
that you should have answers to if you were not breaking the law in the last
five years. Answering them automatically should be easy

If you, no matter what company size, are not dependent on illegally and
immorally profiting from personal data, then GDPR may even be good for you."

hehehehehehehe

~~~
jacquesm
The letter is clearly a troll attempt because it is engineered to inflict
maximum damage even if the claimant has no use for a lot of the information
they are requesting.

Even so, in isolation and moderation the questions make good sense and
answering them properly using an automated system and an updated privacy
policy should not be a huge burden.

~~~
eadmund
The _law_ was engineered to inflict maximum damage.

Look, we all know that you think the GDPR is a great idea, but a law which
can't be used to its full extent is IMHO _not_ a great law. I agree with the
goals of the GDPR: they're laudable. But its details & its implementation are,
quite simply, wrong.

You don't install a self-destruct mechanism which can be triggered by just
pushing a single un-guarded button. Likewise, you don't pass a law which can
inflict grave economic harm just by sending a letter.

~~~
blub
Given the involved scale, corporate lobbying and stated goals, this was the
best that could be done.

It's probably not even possible to create a great law. The industry that can't
even agree on something as simple as coding guidelines is suddenly screaming
that the law isn't good (enough).

------
pawurb
I've described how I'm preparing for GDPR as a solo developer running
commercial side projects without a legal team to back me up:
[https://pawelurbanek.com/gdpr-compliance-blog-rails](https://pawelurbanek.com/gdpr-compliance-blog-rails)

------
amelius
What's the worst that can happen if you reply to this letter with incomplete
information?

I imagine the client will then send you another letter, to which you reply
that you've already sent the information. And so on.

In the end, the client may sue you. But in that situation, you make the effort
of deleting the information you said you didn't have, and you win the case.

~~~
saintPirelli
Is there any regulation about how the data has to be formatted? Say I send a
JSON string like "this is LITERALLY the data we use", but the average Joe is
left irritated and annoyed, am I in trouble?

~~~
jacquesm
JSON or XML would be an excellent way to answer, alternatively you could
format it for easier human consumption.

Going out of your way to make the response useless is probably not a good
idea.

~~~
floatingatoll
CSV is also a viable choice here, for the simple reason that it can be
imported directly into any spreadsheet software* for inspection and filtering.

* Ironically, people are using Google Drive to do this.

------
donatj
The vagueness of the meaning of "processing" PII is one of my handful of
problems with GDPR. Is the mere act of having a unique index on an email
address column a form of processing? I'd argue it is. It can be construed
really far.

~~~
bulatb
Processing is defined in Article 4(2):

> 2. ‘processing’ means any operation or set of operations which is performed
> on personal data or on sets of personal data, whether or not by automated
> means, such as _collection, recording, organisation, structuring, storage,
> adaptation or alteration, retrieval, consultation, use, disclosure by
> transmission, dissemination or otherwise making available, alignment or
> combination, restriction, erasure or destruction_

[https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)

\- BUT -

Article 2(1) limits the whole GDPR to personal data "processed" in the context
of a filing system, whether electronic or physical.

In other words (in my non-lawyer reading): If I have your business card in my
pocket, or I leave it on the table, or throw it away, I'm not "processing"
your data in a covered way—even though I have it. If I put it in my stack of
business cards or add you to my CRM, I am.

[https://gdpr-info.eu/art-2-gdpr/](https://gdpr-info.eu/art-2-gdpr/)

~~~
JumpCrisscross
> _retrieval, consultation, use_

These three words can mean everything and nothing. It will take years to see
how each of the EU's twenty-eight members' regulators take to interpreting
them.

~~~
bulatb
I read this part as being broad, but not vague. Processing personal data means
doing anything with it in any way, including simply having it.

If the data takes part in a process you have, you're processing that data.

~~~
lucideer
Exactly. The term could have been "storing", but that would have been
potentially too narrow, as it could be argued that proxies are excluded. As
such, "processing" is like a more complete term for "storing or handling".

------
jacquesm
Apparently there is some BGP related issue, if you can't reach the site
directly here is a google cache link:

[https://webcache.googleusercontent.com/search?q=cache:QSStS_...](https://webcache.googleusercontent.com/search?q=cache:QSStS_885I0J:https://jacquesmattheij.com/so-your-start-up-receive-the-nightmare-gdpr-letter+&cd=4&hl=en&ct=clnk&gl=nl)

------
relics443
I'm beginning to highly doubt that anyone defending the GDPR has ever had any
responsibilities that included:

1\. Running a tech company

2\. Funnels, conversions, and retentions

3\. Writing software

Either that or they just want to watch the world burn.

------
arbuge
I have a general question about this. If you have a privacy policy which
discusses (amongst other things) the answers to these questions, would it be
sufficient to just reply directing the customer to that privacy policy? i.e.
let him dig out the answers he "needs" from there.

~~~
jacquesm
In part this form letter seems to assume that all the burden is on the
company, whereas if the company has already answered these questions in a
public medium you could (1) take that as a signal that the claimant is a troll
(otherwise they would have read your privacy policy) and (2) that they
probably don't care about the answer, they're just looking for a reason to
stir the pot, so any deficient answer will be used to contact the regulator.

The best way to deal with that is to answer the request in detail (which makes
it very unlikely that a regulator would follow up if there was a complaint)
and to refer to public resources such as your privacy policy because that's
something that indicates that the claimant didn't do their homework, which is
something a regulator will use to weigh whether or not to follow up on the
complaint.

~~~
arbuge
> The best way to deal with that is to answer the request in detail

I keep hearing this but I think in reality the volume of troll requests will
dictate whether that is practical or not for any given company. Small startups
might have problems if that volume is not proportionately small.

~~~
jacquesm
The problem would be in answering just one of these, then the amount of effort
would be disproportionately large. But to answer a whole bunch of them is a
'mere matter of programming' unless you've really made a mess of things.

~~~
arbuge
That assumes the trolls will all use the same form letter with no variations,
which might not be the case.

------
iaml
Can someone tell me is it legal (or even viable) to just automatically
completely remove all the information on the person sending those letters?
Certainly beats banning whole EU by IP.

------
ainiriand
Please folks, GDPR investigations are only undertaken by the EU. No single
actor can try to 'sue' you for infringement. The maximum they can do is to
complain to the GDPR office in your country. And then, maybe, the office is
gonna undertake an investigation. This whole process can be a matter of
years. Don't be afraid, if you receive one of those letters just ignore it.

~~~
vertex-four
If your failure to comply with the GDPR has cost someone damages, they can
recover those damages in civil court by suing you, though.

~~~
gsnedders
But, unlike the US, in most (all?) of the EU, the most you can sue for damages
is the total damages incurred (plus court expenses).

------
notacoward
Won't this DoS the regulators as well as the companies? Carpet-bombing
everyone with DSARs is not just annoying but self-defeating. Even though the
basic ideas behind GDPR seem pretty reasonable to me, the implementation so
far is almost enough to make me join the "regulation is evil" crowd.

~~~
jacquesm
Yes it will, which is why if you are serious sending a form letter is a bad
decision.

------
cdjk
I'm waiting for the first time a GDPR DSAR deletion/retrieval portal is
breached. Mass exfiltration or mass deletion are both great attack vectors.

~~~
jacquesm
That's a legitimate concern.

------
czardoz
So the lawyer provided a letter which demonstrates what would happen in the
worst case due to the GDPR. How does that make him dumb?

~~~
jacquesm
Because people then use that letter to increase the burden on companies 'just
for kicks', it creates an asymmetry that the law did not intend. It forces
attention away from the positive effects of the law and gives companies
reasons to say 'see, this is what you get'. It's irresponsible.

~~~
sailfast
I know I’ve posted this before but the law does not intend anything. The law
is written, and then stuff happens. People intend and make broad laws that
then more precisely get to intent after legal battles / precedent.

This is allowed under the law! If you don’t like it, change the law!

The reason people have been complaining about GDPR this whole time is exactly
this. Things take on a whole new meaning when complied with at scale when all
you need to send is an email. This seems worse than FOIA (the US Freedom of
Information Act) and Europe placed it on their entire private sector.

EDIT: clarity.

~~~
jacquesm
This is a very US centric view of things, the EU and the US have a very
different approach to legislation.

~~~
sailfast
I admit that my view is somewhat US-centric but also has roots in Europe. I
would challenge / I am asking: what is the real difference in the EU, that you
could fall back on if sued because of these letters? You have to prepare for
that if you want to be responsible, right?

Is it because this is not law, but rather, regulation which is only
selectively enforced and suits cannot be brought by individuals but rather by
central regulators that will never keep up with the avalanche?

Does the EU never enforce law by the letter, so the letters are unreliable and
really more like a guideline? (If so, why bother with law?)

Lack of EU sovereignty over member states means it won't get enforced if it's
really an inconvenience anyway?

Something else?

~~~
jacquesm
> what is the real difference in the EU, that you could fall back on if sued
> because of these letters?

This is the first part where your view of how things would likely play out and
reality diverge. Under the GDPR a Data Subject whose request is not answered
satisfactorily or timely _could_ sue but that will likely go nowhere because
they _should_ direct their complaints towards the regulators, not towards the
courts.

> You have to prepare for that if you want to be responsible, right?

No, to prepare you have to be 'in compliance', which is a different thing.
Essentially you should read the law, decide which part of your operation is
'in scope' and adapt your business to reflect your understanding of the law.

In case of a complaint to a regulator they _may_ (but not necessarily)
investigate and if they find transgressions they will issue some guidance on
how you should achieve compliance. If upon re-testing it appears that you have
not followed the guidance you will most likely be hit with a fine. If the
original investigation was because of a data breach or other serious issue
they may decide to fine you immediately as well.

> Does the EU never enforce law by the letter, so the letters are unreliable
> and really more like a guideline? (If so, why bother with law?

The EU tries to achieve a certain effect with the law: to make it harder for
companies to wipe breaches under the carpet, to give Data Subjects more
control over their data and to stop the worst excesses in the world of data
brokering.

So if you cross any of those you can expect enforcement.

> Lack of EU sovereignty over member states means it won't get enforced if
> it's really an inconvenience anyway?

All member states have automatically adopted the law when it went in force
(April 2016).

> Something else?

That's up to you :)

~~~
sailfast
Thank you for the thoughtful responses! As someone with experience in
regulation in the United States it makes sense to me that it is at the
regulator's discretion to enforce these rules so there will (necessarily) be
enforcement of intent, at least for the current regime. (might change in the
next one)

All that said, it likely can and will be mis-used, and citizens will likely
sue and cite the regulation if the regulator refuses to enforce the regulation
so if I were Europe, I would try my best to prepare for such an eventuality as
part of the law to reduce burden. I don't think it's alarmist to suggest this.

I also don't think it is alarmist to suggest that regulators will not always
be rational actors, and there are politics at play. It will be interesting to
see if any blatant cases of prosecution result from crossing an EU government
or leader. Fingers crossed that never happens.

------
MockObject
Am I right that the only risk for a small, side project for non-compliance are
the EU legal sanctions should they grow to a significant enough size as to
open an EU office? Other than that, why shouldn't a US side project ignore the
DSARs?

------
rdlecler1
How do I know someone didn’t just steal someone’s username and password? I
assume I should be asking for personally identifying information such as a
password or ID? There is some irony here.
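
Added example (not any commenter's code, and not from the article): a Python sketch of one way to handle the access and erasure requests discussed in this thread. It also produces the JSON and CSV exports floatingatoll and jacquesm mention earlier, and addresses cdjk's point about a self-service DSAR portal being a mass-exfiltration or mass-deletion target. The store, the secret, the subject ids and the HMAC-signed confirmation-token scheme are all constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import json
# Constructed sample store: subject id -> personal data held about them.
STORE = {
    "u-1001": {"email": "alice@example.org", "name": "Alice", "signup": "2017-03-02"},
    "u-1002": {"email": "bob@example.org", "name": "Bob", "signup": "2018-01-15"},
}
AUDIT_LOG = []      # one entry per handled request, accepted or rejected
TOKEN_TTL = 3600    # confirmation token is valid for one hour (seconds)


def issue_token(subject_id, action, secret, now):
    """Token sent to the subject's verified address; signs subject, action and expiry."""
    expires = int(now) + TOKEN_TTL
    sig = hmac.new(secret, f"{subject_id}|{action}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{subject_id}|{action}|{expires}|{sig}"


def verify_token(token, secret, now):
    """Return (subject_id, action) if the signature checks and it is unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 4 or parts[1] not in ("access", "erasure") or not parts[2].isdigit():
        return None
    subject_id, action, expires, sig = parts
    expected = hmac.new(secret, f"{subject_id}|{action}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()) or int(expires) < now:
        return None    # tampered (subject, action or expiry changed) or expired
    return subject_id, action


def export_record(record):
    """Same data as JSON (machine readable) and CSV (opens in any spreadsheet)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(record))
    writer.writeheader()
    writer.writerow(record)
    return {"json": json.dumps(record, sort_keys=True), "csv": buf.getvalue()}


def handle_dsar(token, secret, now, store=STORE):
    """Serve access or erasure for the one subject the token names, and audit every call."""
    verified = verify_token(token, secret, now)
    if verified is None or verified[0] not in store:
        AUDIT_LOG.append({"result": "rejected", "token_prefix": token[:12]})
        return {"status": "rejected"}
    subject_id, action = verified
    payload = export_record(store[subject_id]) if action == "access" else {}
    if action == "erasure":
        del store[subject_id]   # irreversible, hence the signed per-subject token
    AUDIT_LOG.append({"subject": subject_id, "action": action, "result": "ok"})
    return {"status": "ok", "subject": subject_id, "action": action, **payload}
```

Because the token goes only to the contact address already on file, a stolen username and password alone is not enough to trigger an export or an erasure, and a token minted for one subject cannot be re-pointed at another.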

------
emiliobumachar
The lawyer who published the nightmare letter is not dumb at all, just
ambitious and selfish. They're making a name for themselves and do not care
about massive externalities.

------
stevoski
Jacques, thanks a million for your work on this topic. It makes me feel much
more confident about being able to efficiently handle such a nightmare letter
if it one day comes.

------
omegbule
The only response this would get is 'you have been confirmed in our systems
and your right to be forgotten has been processed. Thank you.'

------
lgregg
If only non-Europeans could do these requests. There are a few companies I'd
love to know what they are doing with my data.

------
ggg9990
When you’re doing shitty work to comply with this shitty law, perhaps you can
find some comfort in the fact that people have suffered more from stupid
government policies, and that misbehavior of foreign governments is a
persistent risk of international business. This is one place where the EU is
vexingly successful — if it was just, say, France doing this, most companies
under $1 billion would have no trouble just giving France the finger and
blocking their users.

------
dtougas
Here's an idea: how about charging more for European users to access your
site. If it is a cost issue, how about reflect that cost in the price of your
service. So, if your web app is free for North American users, put it behind a
paywall for Europeans. It's not ideal, but maybe if enough sites/services did
that, it would help reflect the reality of the situation. Consider it a
European service tax.

------
ggg9990
“GDPR is great and will cost nobody anything”

------
ashelmire
Step 1: be an American company with no European offices or accounts.

Step 2: Ignore letters about GDPR.

Alternatively, set up a form response to autosend whenever you get an email
with some of those keywords.

~~~
pmlnr
So anyone outside of US should ignore DMCA I believe? Just an example.

~~~
dazilcher
So you wouldn't have an issue implementing Chinese regulations?

~~~
pmlnr
I'm unaware of similar Chinese laws, can you please point me at them? To the
official English translation I mean.

------
ColinWright
I feel like I'm missing something - the site/article/page hasn't loaded for me
for the last 40 minutes or so, and yet people are upvoting it.

Am I missing something? Is it just me? "Is It Up"[0] says it's up ...

Maybe I'll try via a different IP address.

_Edit: The number of upvotes (twelve and counting) shows it's not just me.
I've now changed my IP address and it loaded almost instantly._

Jacques - FWIW the IP address that's not working is 92.18.56.74 - it's been
failing to load your site for at least the past hour, I have no data from
before that.

[0]
[https://isitup.org/jacquesmattheij.com](https://isitup.org/jacquesmattheij.com)

~~~
downandout
It is not just you. I had to access it from a proxy. I assume that means he is
blocking certain parts of the US, if not the US in its entirety.

~~~
jacquesm
> I assume that means he is blocking certain parts of the US, if not the US in
> its entirety.

On what basis do you make that assumption?

It is still the internet, routing issues can and do occur. There is absolutely
nothing in the configuration of my server(s) that would block anybody from any
nation.

I'll alert my hosting provider to make sure they know about it just in case
it's a novel thing and their monitoring didn't pick it up yet but it could
easily be further upstream.

~~~
downandout
Your site has been offline, at least for me, since Saturday.

~~~
jacquesm
Interesting. Ok. I have passed on the info, thank you for the heads up.

~~~
alex_hitchins
I experience the same, UK based.

~~~
vidarh
I'm in the UK and had no problems accessing it (Sky)

~~~
pinum
datapoint++: UK, BT, cannot access

------
amingilani
Hey @dang, the article was updated to remove the typo in the heading. Maybe
edit the HN title too?

Receive => Received

~~~
sctb
Updated. Thank you!

~~~
amingilani
Thanks Scott!

------
zerostar07
Nobody expects the Spanish Inquisition

------
beilabs
Website is blocked for pretty much everyone but the US? Just accessed from
Nepal, blocked.....oh dear...

Edit: apparently not blocked, but still can't connect apart from via VPN.

~~~
jacquesm
No, there appear to be some connectivity issues of the non-obvious kind
(apparently BGP related), the hosting provider is working on it and there are
several work-arounds posted in this thread.

------
CryptoPunk
The fact that you have to respond to an information request letter under the
GDPR makes the legislation tyrannical.

The idea that information about someone belongs to that person, no matter
where it is stored, is a philosophically flawed perspective that if fully
implemented, would lead to total global tyranny, by obligating people to do
the work of disclosure and information deletion on demand, and ironically, by
eradicating all privacy in relation to information people have about other
people.

You have no moral right to dictate what I remember about you, to compel me to
disclose what I know about you, to compel me to disclose what steps I took to
disremember you, or to restrict who I may relay the information I remember
about you to. The GDPR empowers you to do all of these to me in the context of
a web service.

