
GDPR: Don't Panic - grabeh
https://jacquesmattheij.com/gdpr-hysteria
======
frereubu
For those of you understandably intimidated by the GDPR regulations
themselves, here's a good summary in plain English:
[https://blog.varonis.com/gdpr-requirements-list-in-plain-english/](https://blog.varonis.com/gdpr-requirements-list-in-plain-english/)

The UK's ICO also has a good structured summary: [https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/)

In general I agree with the sentiments in this article. I've probably spent a
total of three to four days reading around the GDPR and I don't really see
what's special about this law other than it's imposing decent standards on
what was in effect a wildly unregulated industry in people's personal data. If
you have a broad distrust of any government activity then I suppose any new
laws with "fines up to €X" might feel like "I run a small site on a Digital
Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't
make it true.

~~~
downandout
There is nothing - and I do mean nothing - written into the GDPR that
_requires_ any warnings of any kind, or places any limits on fines, except for
$10/$20 million or 4% of revenue, whichever is greater. Period. A
multimillion-dollar fine without warning for a first, minor violation is
perfectly lawful under GDPR. The idea that "yes it says that but we can trust
EU regulators to not assess large fines against foreign companies, even though
they would benefit handsomely from them" rings hollow to me.

~~~
meredydd
I think you and everyone making similar points in this thread are getting
tripped up by the difference between _rules-based_ regulation and _principles-
based_ regulation. This is unsurprising, given that the US is so heavily
rules-based, but the EU (certainly the UK) has a long history of principles-
based regulation.

In rules-based regulation, all the rules are spelled out in advance, and the
regulator is basically an automaton once the rules are set. In principles-
based regulation, the rules are extensive rather than complete and you expect
the regulator to have some latitude (and, if the system is well designed, a
mechanism of recourse if they do something stupid).

An advocate of rules-based regulation would say this can make regulators
unpredictable and capricious. An advocate of principles-based regulation would
say it is an important safeguard against "rules-lawyering" and regulatory
capture (especially the kind that ties new entrants up in check-box compliance
that doesn't actually affect your business because all the rules have been
worked around).

A classic example would be the time PayPal tried to tell the UK regulators
they shouldn't be regulated like a financial institution (which is a claim
they successfully made in the US). They pointed to chapter and verse of the
relevant law, and said that according to subparagraph 2.b.c(iii)... and the
relevant regulator essentially told them "shut up, you keep consumers' money
for them and will be treated accordingly". As a result, the worst "PayPal took
all my money and I can't get it back" stories generally do _not_ come from the
UK. (And when they do, they are accompanied by referrals to the Financial
Conduct Authority, who have teeth.)

You can approve of this way of working or not, but the GDPR is a principles-
based regulation, and you'll have to engage with it on those terms.

~~~
AmericanChopper
>and you'll have to engage with it on those terms

Or you can just disengage with Europe all together, which is an obvious choice
for many small to medium sized companies, given the risks and costs involved.

~~~
phyzome
Good lord, it's like you didn't read the article.

Or, you're fine with a competitor who isn't afraid of entirely reasonable
international laws coming in and eating your lunch.

~~~
AmericanChopper
We ran the numbers on how much it would cost to establish compliance, and with
that alone it was barely worth it based on the current EU customer base we
have.

We also considered all the additional liability we’d be taking on, and with
that alone it was barely worth it based on the current EU customer base we
have.

We’d also be very happy if one of our competitors started investing in the EU
market. It’s worth about 10 times less than the US market in our industry, so
having them chasing peanuts in Europe (and investing in compliance with
European - absolutely not international - regulations) would be a truly
fantastic outcome for us.

~~~
jiveturkey
thanks, you’ve pointed out a great signal that now exists. don’t do business
with companies that choose to pull out of the eu market rather than comply
with gdpr. these are companies that have made an explicit decision that user
data privacy is a burden not to be cared about.

my company OTOH is choosing to apply gdpr principles globally.

~~~
apple4ever
There is a difference between complying with GDPR and caring about privacy.

I completely and utterly care about privacy, but things like not tracking IP
addresses and allowing people to request removing them are a bridge too far. I
can’t comply with that. I treat my customers’ important PII (names, addresses,
etc) very delicately. But the cost of complying with GDPR is too much.

~~~
jacquesm
> I completely and utterly care about privacy

and

> allowing people to request removing them are a bridge too far.

Are dissonant. You will have to pick the one or the other but you can't both
care about privacy and not allow people to request removal of their data. That
should be fairly obvious.

------
mrleiter
The GDPR gets so much hate because it hits so many businesses where it hurts:
data. GDPR "simply" gives you guidelines on how you can handle data from
people within the EU. And that that data cannot be handled so liberally as it
has been before. Of course that's annoying from a business perspective, but
from an individual's privacy perspective, it's fantastic.

~~~
thomaskcr
It's not that it's annoying, it's that I literally cannot answer "are we GDPR
compliant?". If you search for GDPR IP address, you get a ton of different
opinions. Do I need to sanitize logs? How does that fit in with the
requirements for security compliance we are also subject to?

At the end of the day, I am the one person who has to answer that question/is
responsible for being GDPR compliant. I've spent hours doing research,
figuring out what we need to do and implementing it -- and it's a hollow
victory because even though I've said yes and have 100s of articles/white
papers/opinions that back up the decisions I've made, the real answer is still
"I don't know".

And I absolutely know I'm not alone in this. I got GDPR compliance dropped on
my lap because I did security compliance -- if you contrast NIST
800-53/800-171 against GDPR you'll see why people are pissed off. One has
clear guidelines with enough room for evolving best practices written by
obviously competent/experienced professionals, the other is written as
basically "we'll know it when we see it".

~~~
guitarbill
So everything should be written out explicitly, because you'd rather complete
a checkbox-ticking exercise rather than thinking about it and do the correct,
ethical thing in good faith?

Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is
ineffective.

Apart from that, NIST 800-53/800-171 are catalogs of "security controls and
associated assessment procedures" for "Federal Information Systems and
Organizations". GDPR is a data protection regulation in the context of the EU
legal system. Apples to oranges.

~~~
spelunker
If I'm going to be fined or penalized for not being compliant then yes,
explicit would be nice. Checkboxes sound great.

~~~
guitarbill
Fair enough. As an implementer at a company, I can understand that sentiment.
But the GDPR isn't for companies, it's for users.

Laws and regulations tend to stick around for longer than expected, and
they're static. Technology and "cyber criminals" are dynamic. For better or
worse, the GDPR acknowledges this. I think that's a testament to the Article
29 Working Party, in a world where most politicians are clueless about
technology.

~~~
Kalium
> Fair enough. As an implementer at a company, I can understand that
> sentiment. But the GDPR isn't for companies, it's for users.

You're absolutely right! GDPR is _wonderful_ for users as a ringing and clear
statement of human rights.

Unfortunately, it also needs to be for companies because it affects companies
just as much as users. I would go so far as to say GDPR rests almost
_entirely_ on companies to turn this stirring declaration of human rights into
rights said humans can actually make use of. In this regard, it's a collection
of opportunities for improvement of awe-inspiring proportions.

You're right. Technologies and threat landscapes change. Regulation _needs_ to
acknowledge this or be worse than useless. Yet, perhaps there are ways to deal
with this that don't rest largely on handwaving away critical questions of
what compliance actually might look like with weasel-words like "reasonable".

Does that seem possible?

~~~
jimmaswell
GDPR protects nobody's legitimate rights. It only infringes rights of server
owners.

------
Malarkey73
Here in UK I have been receiving about 5-10 emails a day from various
companies - most of whom I don't remember - telling me I need to sign up again
so they can keep my details and keep spamming me.

Fantastic.

~~~
brynjolf
I have a lot of companies emailing me saying I can opt-out, I thought that was
the opposite of what the law is saying? Eg. If you continue using our service
after 23rd of May you automatically agree to the new terms. Huh?

~~~
jdietrich
The GDPR requires affirmative consent for each specific use of your data. If
the company had previously asked you "Please tick this box if you would like
to receive marketing messages from us in the future", they don't need to ask
for your consent again but they do need to offer an opt-out. If the opt-in was
pre-ticked, vaguely worded or mandatory to submit the form, then that consent
is no longer valid and they'll need to ask you to opt-in. If you didn't
specifically opt-in but were getting marketing messages because you had done
business with them, they need an opt-in to keep sending those messages.

------
megaman22
Constantly trying to whitewash over the fact that GDPR is a huge pain in the
ass and will involve a lot of work for a lot of companies is what I don't
understand, but Mr. Mattheij has been doing it for months, so that's evidently
very important to him for some reason.

It's chewed up a few weeks of active development time putting in features for
purging and exporting anything that looks like it might be personal
information, plus a considerable magnitude more hemming and hawing and trying
to figure out if, how and to what extent the regulations apply to us, and how
the customers that we sell our products to interpret the regulations and what
features they require for their interpretation of compliance. It's a big
headache, especially where we are also dealing in industries that have
conflicting data retention requirements.

If we didn't have EU-based customers with sufficient sales to justify the
effort, there are a thousand and one other things that we could have better
spent that time and energy on.

~~~
jonathanyc
Oh man, the rest of us are so sorry that you are now required to responsibly
handle personal information.

To quote the author:

> Then automate it. If you could automate the collection of the data in the
> first place then you definitely can automate the rest of the life cycle.
> There is no technical hurdle companies won’t jump through if it gets them
> juicy bits of data but as soon as the data needs to be removed we’re
> suddenly back in the stone age and some artisan with a chisel and hammer
> will have to jump into action to delete the records and this will take
> decades for even a small website. Such arguments are not made in good faith
> and in general make the person making them look pretty silly after all
> nobody ever complained about collecting data, in fact there are whole armies
> of programmers working hard to scrape data from public websites which is a
> lot more work than properly dealing with the life cycle of that data after
> it has been collected. So yes, it is a burden, no, the burden isn’t huge
> unless you expressly make it so but that’s your problem.

~~~
sunir
I am happy the author is fighting the power. However since most of us live in
society we generally would prefer less chaos.

The difference between investment to collect data and investment to protect
data is there is no ROI for compliance (in any compliance domain) so the
capital is not easily available.

Instead of punishing companies for existing in the universe and subject to the
laws of thermodynamics, the most effective compliance regimes help transition
companies proactively to lower the pain which will lower the cost to GDP and
thereby angst from human beings.

The GDPR body won’t even answer basic questions like whether IP addresses need
to be retained or not because of the competing requirement of the EU security
directive.

They have had 23 years too to prepare for this change. And they own the
privacy directives. You’d expect them to be better prepared themselves. But
they are being kind of arrogant and unhelpful. I suspect because they know
they did not make a perfect law and they will figure it out in case law later.
This capriciousness is also super annoying.

~~~
snom380
The ROI for compliance is you get to do business with EU citizens and
businesses.

What EU security directive are you thinking of, regarding IP addresses?

~~~
lajhsdfkl
Go look up what CPMs are for the EU. Having your website in the EU will simply
not make you much money, why even bother?

~~~
snom380
Sorry, I don't even know what CPMs are. Could you provide a link?

~~~
sunir
Cost per thousand people. It is an advertising metric.

------
BjoernKW
There's certainly no need to panic. The article doesn't address that apart
from mindless hysteria there are some very real issues with GDPR. It doesn't
have to of course because as the title suggests it's more about dispelling
panic than about giving concrete advice.

However, many real-life problems seemingly haven't even been considered by
legislative bodies. In GDPR support forums questions like these have been
routinely asked in recent months and there isn't always a clear, dependable
answer:

- How will I be able to operate my small company website in the future in a
legally compliant manner? Some companies even consider shutting down their
websites completely and - of all things - only using a Facebook page in the
future. Hence, ironically we might very well see GDPR actually benefiting
companies like Facebook to the detriment of small companies that consequently
won't have complete ownership of their content anymore.

- How exactly does a privacy policy have to be worded so I don't get sued on
day 1?

- In which way will I still be able to store address data for contacting my
existing customers?

- Will I still be able to use anti-spam and security plugins for my website?
These tools might store users' IP addresses, which in some jurisdictions are
considered personal data.

- Can I still load resources like Google Fonts from CDNs or do I now have to
host those myself?

~~~
gnud
Run your small company website without gathering personal data?

No-one can sue you now that couldn't before. I'm baffled that so many people
believe this. I could complain about you to my country's regulation body. Then
they could decide to audit you, and for a first offense issue a warning.

If you need the address data for marketing only, and you didn't get an
explicit (opt-in) yes to receive marketing, then sorry. Get that explicit
opt-in yes in the next week, or delete the data.

If you need the address data for other reasons, for example fulfilling your
contract with the customer, or tax records, then keep it. But _only use it for
those real reasons_. No free marketing lists. Sorry.

Storing an IP for a limited time for security reasons is fine. Have rules in
place for how this data is used and when it is deleted. Don't keep it longer
than necessary.

Google seems to think you can still use Fonts. They also seem to think that
they will be the data controller, and not data processor, for any user data
they scoop up [1]. This seems a bit weird to me. This is the only one of your
questions that I'm really not sure about. If it was me, I would just host the
font locally so I was sure.

1: [https://github.com/google/fonts/issues/1495#issuecomment-382128243](https://github.com/google/fonts/issues/1495#issuecomment-382128243)

~~~
halr9000
I liked the article, but have a lot of issues with it. This is one of my main
ones: IP addresses and information security. Quoting you:

> Storing an IP for a limited time for security reasons is fine. Have rules in
> place for how this data is used and when it is deleted. Don't keep it longer
> than necessary.

How long is necessary? What does limited mean? Does a regulator now get to
determine what sort of algorithms I can use to protect my assets? Advanced
persistent threats
([https://en.m.wikipedia.org/wiki/Advanced_persistent_threat](https://en.m.wikipedia.org/wiki/Advanced_persistent_threat))
can exist over a very extended, and arbitrary, time period! I'm in the security
software industry, and we and our customers need to detect and react to these
threats. That requires data which you simply cannot obtain an opt-in for.
Sure, you put that in a posted privacy policy, but if you can only keep the
data for 30 days, this means actual evidence of a crime might need to be
thrown out.

~~~
shabble
> How long is necessary?

As long as is needed for the stated purpose. If you're doing IP-based rate
limiting with a 1 hour window, it probably doesn't need to still be in your
systems >12 hours from now. If you're doing longer term IP reputation or
something, keeping it around longer can probably be justified.

> What does limited mean?

The same. Long enough to serve its purpose, and no longer (without justifiable
exception, such as being evidence of an actual crime, etc)

> Does a regulator now get to determine what sort of algorithms I can use

Not really, any more than they already do.

"Not guilty, Your Honour; you see, we do store people's HIV status against
their real names on the public blockchain, but don't worry, it's ROT-13
encrypted! Twice!"

Also, remember that it's not _really_ the IP that you care about (from a
privacy perspective). An IP+timestamp is a very discerning selector, if you
have any other data at all.

Nobody knows that '192.168.1.1' is actually me. And even if they did, does it
really matter?

But maybe they know that only $IP hit /orders/confirm within 5 minutes of some
other system recording that $ME placed an order with other details.

From a privacy standpoint, it's your ability to cross-correlate that IP and
whatever else you know about it that could allow identifying and
tracking/profiling the actual person using it.

Suppose your marketing dept asked you to scan the last few weeks of security
logs to see if you'd had any hits from ranges belonging to $BIGCORP who you're
in tense negotiations with? Is that Ok? Or would you refuse because the
security logs are collected exclusively for certain purposes of which that
isn't?
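
Purpose-bound retention of IP addresses, as gnud and shabble describe it above, worked through as an added Python example that is not code from the thread or the article: the rate limiter keeps an IP only for the one-hour window that justifies storing it, and longer-lived security records carry a keyed pseudonym plus a retention cut-off instead of the raw address. The class and function names, the window and retention constants, and the sample addresses are constructed for illustration.

```python
"""Keep client IPs only as long as the purpose that justifies them.

Added example (not the thread's or the article's code). Names, constants and
sample addresses below are assumptions made for illustration.
"""
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 3600            # 1-hour rate-limit window, as in the comment
RETENTION_SECONDS = 12 * 3600    # security records are purged after 12 hours


class RateLimiter:
    """Sliding-window limiter keyed by IP. An IP is stored only while it has a
    hit inside the window; once the window elapses the key itself is dropped."""

    def __init__(self, limit, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # ip -> timestamps in seconds

    def _expire(self, ip, now):
        q = self._hits[ip]
        while q and q[0] <= now - self.window:
            q.popleft()
        if not q:
            del self._hits[ip]            # nothing left to justify keeping it

    def allow(self, ip, now):
        """True if the request is within the limit; records the hit if so."""
        self._expire(ip, now)
        if len(self._hits[ip]) >= self.limit:
            return False
        self._hits[ip].append(now)
        return True

    def purge(self, now):
        """Drop every IP whose window has fully elapsed; run periodically so
        stale addresses do not linger. Returns the number of IPs still held."""
        for ip in list(self._hits):
            self._expire(ip, now)
        return len(self._hits)

    def known_ips(self):
        return set(self._hits)


def pseudonymise_ip(ip, key):
    """Keyed hash of an IP for longer-term security records. The same IP maps
    to the same token while the key lives, so repeat offenders can still be
    correlated; rotating or deleting the key severs the link to the raw IP."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def apply_retention(records, now, retention=RETENTION_SECONDS):
    """Return only the records still inside the retention period."""
    return [r for r in records if r["ts"] > now - retention]


if __name__ == "__main__":
    # Constructed sample traffic: three hits from one address inside the window.
    rl = RateLimiter(limit=3)
    for t in (0, 10, 20, 30):
        print("allow" if rl.allow("203.0.113.5", t) else "blocked", "at", t)
    print("IPs still held after 2 hours:", rl.purge(7200))
    key = b"constructed-demo-key"
    log = [{"ts": 0, "who": pseudonymise_ip("203.0.113.5", key), "event": "auth_fail"},
           {"ts": 50000, "who": pseudonymise_ip("203.0.113.5", key), "event": "auth_fail"}]
    print("records kept at t=50000:", len(apply_retention(log, 50000)))
```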

~~~
apple4ever
That is silly. IP addresses should not be covered. I should be able to keep
IPs for years. They change often anyway.

IP addresses being covered is one of my big issues with GDPR.

~~~
shabble
what value do you get from keeping them for years? Are you actively analysing
and re-analysing them for any particular purpose, or is it more of a 'well,
you never know...' sort of deal?

"they change often" is arguably a good reason for not keeping them. What
advantage do you get from knowing that 10 years ago $IP was sending you spam
if it's been through 20 different re-allocations and tens of thousands of
'actual owners' since then?

Imagine if google or cloudflare were logging every single query to their public
DNS and correlating it with other access logs or google analytics or whatever.
They'd be able to relatively trivially deanonymise huge numbers of actual
people's identities and browsing history (beyond what they can obtain
already).

------
abraae
This doesn't consider some factors that dictate how strong any company will
experience their firehose of GDPR requests to be:

- how incentivised people are to make GDPR subject access requests of the
company (how angry, confused, hostile, curious they are)

- how easy it is for them to make requests (entirely manual vs. online
service)

- wildcard factors (internet flash mobs bent on vengeance against a
corporate)

There are also possible business models that might incentivize technology
players to deliberately ramp up GDPR requests.

For example, unsuccessful candidates applying for a job at a company could
forward their rejection email to a bot. The bot parses the details and fires a
GDPR access request in to the HR department. The candidate gets back a
formatted dump by email of all sorts of recruitment data, including interview
notes, etc. There are obvious ways to monetise a service like this, hence
incentive for someone to do it. Recruitment at a large company means engaging
with thousands of people and then rejecting them. It is natural for people to
have bruised feelings, and also to be curious about why they were not hired. A
GDPR button lets them indulge their curiosity and start digging in to
interview notes etc.

Naturally GDPR requests like this won't flood a company on the first day of
GDPR. But the internet is a turbulent place.

~~~
AnabeeKnox
I agree, and there seems to be a lack of conversation around this! Next week
could be ground-zero for all sorts of unintended consequences. Especially, a
flashmob of GDPR requests could sink a company.

~~~
cbg0
It is highly unlikely that a lot of requests will "sink" your company. As per
the GDPR, you have a month to respond to requests and you can extend this
period by two more months by telling the user that you need more time to
process their request. (See article 12 for reference)

~~~
AnabeeKnox
If 10% of the members of my website request a GDPR, then my website will no
longer exist. The processing time for that would be a decade.

~~~
cbg0
If this is such a serious concern, you should automate this process as much as
possible. You don't necessarily need to respond manually to these requests if
you put in place the required features on your website which will allow your
EU data subjects to benefit from their rights.

Realistically, how hard is it to automatically grab some data from a database
and export it as JSON, as well as remove data from your database pertaining to
a user? With a relational database, this would be a cinch. I mention the right
to access and the erasure right, as I estimate these will be the most frequently
called upon.
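
The export-and-erase feature cbg0 describes, as an added Python/sqlite example that is not code from the thread: a subject access export restricted to the subject's own columns (so another person's details on a shared record, the concern desas raises below, are not disclosed), and an erasure that deletes what it can while anonymising rows kept under a separate retention duty. The schema, table names and sample rows are constructed assumptions.

```python
"""Subject access export and erasure on a relational database.

Added example, not the thread's or the article's code. The schema and sample
rows are constructed for illustration.
"""
import json
import sqlite3

# Constructed schema: users, their orders, and support tickets that also carry
# the name of the agent who handled them (somebody else's personal data).
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, email TEXT, name TEXT, signup_ip TEXT);
CREATE TABLE orders  (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id),
                      total_cents INTEGER, ship_address TEXT, placed_on TEXT);
CREATE TABLE tickets (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id),
                      body TEXT, agent_name TEXT);
"""

# Export policy per table: the column linking a row to the subject, and the
# columns that are the subject's own data. tickets.agent_name is left out on
# purpose so the export never discloses the agent's name. These identifiers are
# fixed in code, never taken from the request, so interpolating them is safe.
EXPORT_POLICY = {
    "users":   {"key": "id",      "cols": ["email", "name", "signup_ip"]},
    "orders":  {"key": "user_id", "cols": ["total_cents", "ship_address", "placed_on"]},
    "tickets": {"key": "user_id", "cols": ["body"]},
}


def open_db():
    """In-memory database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
            (1, "alice@example.org", "Alice", "198.51.100.7"),
            (2, "bob@example.org", "Bob", "203.0.113.9"),
        ])
        conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
            (10, 1, 4999, "1 High St", "2018-04-02"),
            (11, 2, 1500, "2 Low Rd", "2018-05-01"),
        ])
        conn.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", [
            (100, 1, "My order is late", "Carol (support)"),
        ])
    return conn


def export_subject(conn, user_id):
    """Right of access: every row linked to the subject, restricted to the
    columns the policy marks as theirs. Returns a plain dict."""
    out = {}
    for table, pol in EXPORT_POLICY.items():
        cols = ", ".join(pol["cols"])
        rows = conn.execute(
            f"SELECT {cols} FROM {table} WHERE {pol['key']} = ?", (user_id,)
        ).fetchall()
        out[table] = [dict(r) for r in rows]
    return out


def export_subject_json(conn, user_id):
    """The same export serialised for sending to the data subject."""
    return json.dumps(export_subject(conn, user_id), indent=2, sort_keys=True)


def erase_subject(conn, user_id):
    """Right to erasure. Orders are kept for tax purposes (the conflicting
    retention duty mentioned in the thread), so they are anonymised rather than
    deleted: identifying columns are nulled and the row is detached from the
    user. Everything else linked to the subject is deleted. Returns counts."""
    with conn:
        orders = conn.execute(
            "UPDATE orders SET ship_address = NULL, user_id = NULL WHERE user_id = ?",
            (user_id,),
        ).rowcount
        tickets = conn.execute("DELETE FROM tickets WHERE user_id = ?", (user_id,)).rowcount
        users = conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    return {"orders_anonymised": orders, "tickets_deleted": tickets, "users_deleted": users}


if __name__ == "__main__":
    db = open_db()
    print(export_subject_json(db, 1))
    print(erase_subject(db, 1))
    print(export_subject_json(db, 1))   # every table is now empty for user 1
```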

~~~
desas
Depends on your system. We have an automated process that produces a PDF,
which a human will then go through and redact so we're not leaking through the
non-relevant PII of other people if one of our users isn't using the system
quite properly.

------
xtrapolate
There's currently no case law surrounding GDPR. Moreover, some elements of the
GDPR are up for interpretation. People are rightfully concerned.

> "This post is an attempt to calm the nerves of those that feel that the(ir)
> world is about to come to an end"

This post is actually a single person's viewpoint, a mere speculation of how
things may or may not turn out to be. Your mileage may vary.

~~~
zorked
I guess we should only enact new laws which already have established case law.
/s

~~~
xtrapolate
> "I guess we should only enact new laws which already have established case
> law. /s"

I disagree with the author's lenient and dismissive take on people's genuine
concerns. Interpret it as you will.

~~~
salvar
That's fair. I do have my doubts about how genuine some of these concerns are
though.

------
AnabeeKnox
I was hoping for a nice respite to the anti-GDPR stuff we've seen recently,
but this is just naked propaganda. In particular, the sentence:

"the GDPR has the potential to escalate to those levels but in the spirit of
the good natured enforcers ..."

The author seems to have the idea that bureaucratic EU systems are inherently
"good" and that even if things look bad on paper, it will be fine because they
are "good" people. This is not how the legal system or legal compliance works.

~~~
vidarh
I think this is a very distinct difference between the EU with the
scaremongering removed, and e.g. the US: My experience of the EU has been that
they've consistently looked out for my interests. Even in the face of the
local government (I live in the UK) that have kept fighting for positions I
find abhorrent (e.g. UK governments keep complaining about having to abide by
EU human rights regulations for example).

Yes, we shouldn't aim to give governments power to push things to an extreme,
but on the other hand we should also ensure that they have the ability to
actually react to serious abuses.

In particular, in the area of data protection, I don't know of a single
example where the rules have been pushed to the extreme. If anything, as a
private citizen I'm disappointed there's not been stricter enforcement. As
someone who has had to deal with it on the corporate side as well, it's not
been hard to comply with.

Enforcement here is generally always strongly predicated on not jumping
straight to the strictest possible outcome, but in carefully considering how
serious a transgression is. It's not that EU systems are inherently good, but
that history and practice have shown that when they give flexibility, it takes
serious abuses and ill intent to end up with the strictest reactions allowed,
and there'd also be little reason to assume that anyone rushing to the
strictest interpretations possible wouldn't get shut down hard by the courts.

~~~
AnabeeKnox
You are transposing your like of certain EU institutions (human rights
regulations) and grafting them onto this legislation. This isn't how it works,
not least because there has been no case-law yet, so we have no idea how it
will be interpreted. Therefore a legal compliance unit has no choice but to
follow GDPR the letter, which is hugely difficult and bureaucratic. The notion
that they are "good-natured" is meaningless in a legal sense.

It seems many commentators here are confusing criticism of the GDPR with
criticism of the EU itself. Surely people are sophisticated enough to
understand that they are 2 hugely different things, and that a robust
criticism of regulations and laws are part of a healthy democratic society.

~~~
bkor
As mentioned elsewhere, these regulators have been operating for a very long
time. Even when dealing with the whole Facebook / Cambridge Analytica they're
moving quite slowly. There have been various legal changes regarding privacy
in the past. E.g. for The Netherlands it is not allowed to have a checkbox on
by default to sign up to a mailing list. There's a fine if you don't abide and
this fine can be very hefty. In case of problems the regulator first reaches
out, a fine is the very last resort.

There has been ample history on how these regulators have been working over
the past 20-40 years.

~~~
mseebach
The substance of this line of criticism is that yes, it's _probably_ going to
be fine. But if it's not, they can fine you at 4% of global turnover. They
_probably_ won't, but they _literally can_. "I read on a blog that they'd be
nice and send me a warning first" gets you exactly nowhere in court ("very
well, but what did your lawyer tell you?"). The article praises the GDPR for
having teeth -- being timid can be something you are because that's your
nature, or it can be something you are because you don't have teeth.

This is what risk is. Absolutely, don't panic. But responsibly managing risk
means considering the 100% real and existing option of regulators abandoning
their previous caution and trying out their new teeth. Perhaps they get reined
in, but perhaps that takes 10 years, or perhaps it turns out to be politically
convenient not to rein them in at all. There are 28 EU countries, so 28
regulators, only one ambitious rising star at one of which needs to "break
bad".

Yes, I agree that this is probably a very small risk. But having a calm and
correct view of the fact that there _is_ a risk is 100% the right move here.
Something like every other lawyer in Europe is worried about this right now,
and do think it's a bit of a big deal. Don't panic, but take the advice of a
non-lawyer's blog over your actual lawyer's at your own extreme peril.

~~~
bkor
> "I read on a blog that they'd be nice and send me a warning first"

That's not what happened. Various people pointed out various cases where it's
shown over the course of 20 years what happened. Ample history.

> Don't panic, but take the advice of a non-lawyer's blog over your actual
> lawyer's at your own extreme peril.

Are you from the US or EU? Immediately going to a lawyer seems strange and
unique to me. Within a big company, yeah, lawyer. Anything else unless you're
doing something specific I don't see why.

~~~
mseebach
> Various people pointed out various cases where it's shown over the course of
> 20 years what happened

Yes, and various other people are pointing out that now there's a new
law that changes a lot of things, perhaps what happened in the last 20 years
isn't a perfect guide for what's going to happen in the future.

> Immediately going to a lawyer seems strange and unique to me

I'm from the EU, and I go to lawyers for things much smaller than those that
can get me fined 4% of turnover. And so should you, if you're serious about
managing your risk. If your things are in order, it's not terribly expensive,
and you get to lean on your lawyer's professional liability insurance if things
get weird regardless.

------
caffeine5150
I'm an attorney who's spent the last year or so working on GDPR compliance for
a US SaaS provider some of whose clients have EU employees. My understanding
is that it's true that EU enforcement is more in the spirit of "how can we get
you compliant?" before doling out fines (vs. the US where it can be more
"let's make an example of this company by hitting them with a big fine" and
scaring others into compliance). I also agree that the authorities aren't
going to be handing out 7 figure fines like candy, both because it's not their
historical approach and because they don't have the resources to fight too
many of those battles. I want to say I read that the Irish authority's annual
budget is around $9M. Theirs is higher than most and Ireland is where most of
the US tech giants are established due to tax laws. That said, I think to say
that GDPR compliance is simple because its text is fairly readable or that EU
data protection law is simply a matter of transparently respecting people's
personal data and not being a bad actor as to privacy is an overstatement. For
example, the ePrivacy Directive, most known for prompting all those cookie
consent banners, can be incredibly complex to comply with. Each member state
has implemented that Directive in different ways. Look at this example
[https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf](https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf) where Honda sent out emails
to its 350k database simply trying to confirm continued interest in being on
their list and got a 13k euro fine for their troubles. I don't know all the
facts, but from the document, it doesn't appear that Honda got the fine
because they were recalcitrant or being terrible actors. And if the fine is
proportionate to the offense (not to the size of the violator), then 13k euro
might be levied against a small company for whom it is a significant penalty
(not to mention costs, legal fees, etc. in dealing with it).

~~~
charleslmunger
The Honda case actually seems pretty reasonable to fine - Honda had an issue
where consent from dealer events and other sources wasn't correctly recorded.
So they have a large list of emails, where consent falls into three
categories:

* Person did not consent, they left the form blank

* Person consented, but it was not recorded

* Person actively denied consent (wrote "no")

Honda then sent commercial email to this set of users, to "confirm" their
preferences. In my view, that's not reasonable - if I leave a "would you like
to receive email" item in a form blank, that is not permission to send me
email.

~~~
mindslight
Also 13k/350k is 4 pence per email, which is tiny! Well below what they'd have
had to pay if pay-to-be-received had been workable.

I'm not a fan of government or of fines, but this amount isn't even a slap on
the wrist.

------
losvedir
It's like if a new law were introduced requiring a license in order to ride a
bike, to make sure people don't hit pedestrians or bike dangerously in the
road. The license is free, it just takes a weekend to go take a written test
and demonstrate that you can safely ride a bike. Some people _who would pass_
but can't be bothered to give up a weekend would instead choose to just stop
biking. It's an unavoidable consequence of introducing a friction where there
wasn't one, and there's no way to carefully target or wordsmith the
requirement so that this doesn't happen.

I think people miss that there is a very large qualitative difference between
"no law" and "law". Even a very carefully targeted law will still have the
effect, on the margin, of preventing or stopping compliant activities. But in
the case of something like privacy, or control of data about you, maybe that's
worth it in order to stop the noncompliant activities.

On a non-hypothetical topic: does anyone have a good resource on the
requirements with regard to backups? That's one of the larger technical
sticking points for me - do we have to delete from our backups as well on such
a request?

~~~
Tomte
That's all true, but quite boring, isn't it?

Because the reverse also holds: if we remove the need for driver's licenses for
cars, more people will be able to drive.

The fallacy is IMO that many people always consider the status quo ante as the
perfect balance. Because we have gotten used to driver's licenses.

So the argument that new regulation stifles some non-harmful behaviour is a
truism, but doesn't really contribute anything, unless it comes with numbers.

------
Radim
Clearly an emotional topic. The fact remains, GDPR is a well-meaning but fuzzy
law, with implications that cannot be foreseen at this point in time.

To remove _some_ of the uncertainty and automate _some_ of the compliance
steps, we built a data discovery AI tech that scans corporate data to answer:

* "Do we even store personal information?"

* "Where do we keep it?"

* "How do we make sure PII is consistently stored only in the designated places?"

This may seem trivial to a micro-business that runs on a handful of database
tables, which I think is where the author is coming from. But for larger
companies, even understanding what's where and why (backups? emails? cloud
storages?) is a highly non-trivial—if ultimately rewarding—endeavour.

------
raquo
The problem of multiple ambiguities in GDPR hasn't really been addressed here.

Also, must be nice to live in a country where the regulator is as benevolent
and reasonable as is described in this article.

I think it's ok for foreigners to be skeptical of this promise, as the article
implies that this reasonableness is not encoded in law.

~~~
gcthomas
The regulators have been running for two decades, and this is EXACTLY how they
operate. Scepticism in this case is unreasonable, given the massive evidence
base.

~~~
repolfx
But that's purely your own opinion.

I do have some direct experience of working with EU data protection
regulators. My experience has been that they vary wildly in "reasonableness".
UK ICO is pretty OK, they want companies to succeed. France's CNIL is a joke.
Petty, spiteful and utterly inconsistent. I watched as a company worked
closely with them to get their sign-off on a change to their terms of service
and privacy policy. CNIL were happy to be involved and taken so seriously,
they were satisfied with the changes and even praised them in private. After
the company announced the change, some journalists saw an opportunity to make
some noise and did so. CNIL then immediately changed their mind and dished out
a fine, despite having previously agreed to it. What a farce.

That's at the national level. I can give many examples of cases where the EU
has been anything but reasonable.

The entire argument Jacques presents here boils down to his belief that
everyone working in GDPR enforcement in the EU will not only be totally
predictable and reasonable _today_ but also going forward into the indefinite
future.

As pointed out in the other thread, this belief is itself unreasonable,
because the nature of the GDPR means that even in the unlikely event it's true
today, if in 10 years a new Commission arrives and changes their mind they can
retroactively decide that things previously allowed were actually illegal. The
GDPR says virtually nothing about anything so they'd certainly argue such a
thing was merely a "clarification" and not a retroactive change to the law.

There are plenty of examples of governments doing this sort of thing over
time, including the EU, like with Apple's tax situation. Mr Mattheij appears
to just write this possibility off entirely.

~~~
AnabeeKnox
"his belief that everyone working in GDPR enforcement in the EU will not only
be totally predictable and reasonable today but also going forward into the
indefinite future."

EXACTLY! There seems to be an almost cultish devotion to the benevolent
institution that it can do no wrong, neither now nor henceforth.

I understand WHY people have this belief. The EU is under constant attack at
the moment from many sides, and people feel they need to defend it at all
costs, even if they are wrong.

~~~
skummetmaelk
> EXACTLY! There seems to be an almost cultish devotion to the benevolent
> institution that it can do no wrong, neither now nor henceforth.

You have to trust someone. Either the vast expanse of companies clearly
mishandling your data, or the "benevolent" body which so far at least has a
fairly good track record. It's not perfect. It's dangerous to give them too
much power because you don't know how they will change in the future. But at
the end of the day, I'd rather trust a governmental body which is at least
supposed to look out for my interests, rather than a company whose main
motivation is to exploit me for every penny I have.

~~~
frockington
A fairly good track record in which its own member states are constantly
threatening to leave and one has already successfully left. As an American
looking in from across an ocean, it does not look like a stable region that I
would put trust in.

~~~
acdha
As a fellow American, that sounds like you need to reconsider your news
sources. Brexit was driven by propaganda, not some principled opposition to
intractable problems. The “EUrocrats gone wild” stories are popular in certain
circles but there’s an entire cottage industry debunking them:

[https://en.wikipedia.org/wiki/Euromyth](https://en.wikipedia.org/wiki/Euromyth)

~~~
dennisgorelik
Both "stay" and "exit" sides were covered pretty well.

But if Brussels' bureaucracy behaved more reasonably, the UK would not run away
from the European Union.

~~~
acdha
Again, that's taking a talking point as a given. Some people cited that or
hypothetical cost savings as a justification but the claims tended to be based
on urban legends or outright wishful thinking rather than actual analysis.

------
nabla9
> The GDPR will require me to hire people and my entity is too small to be
> able to afford this

Q: Does my business need to appoint a Data Protection Officer (DPO)?

A: DPOs must be appointed in the case of: (a) public authorities, (b)
organizations that engage in large scale systematic monitoring, or (c)
organizations that engage in large scale processing of sensitive personal data
(Art. 37). If your organization doesn’t fall into one of these categories,
then you do not need to appoint a DPO.

source: [https://www.eugdpr.org/gdpr-faqs.html](https://www.eugdpr.org/gdpr-
faqs.html)

~~~
flexie
GDPR requires those organisations to appoint a DPO, not to hire anyone new.
It's like when you designate Ben to answer the phone after 5PM, Lisa to water
the plants and the last guy to leave the office to turn off the light and
close the windows (and for many companies there will be a lot less work
involved with being a DPO, than with switching off the lights).

~~~
pjc50
Exactly. Most businesses will already be required to have several "responsible
person" roles for e.g. health and safety and fire evacuations. It's just that
in a 1-person business they're all the same person.

~~~
cbg0
Most small companies (below 10 employees) will refrain from appointing a DPO
claiming that they don't do large scale systematic monitoring (not clearly
defined).

The issue however is that for a DPO you need to avoid conflict of interest, as
the DPO should be as independent as possible, even though the DPO could be an
employee of the company.

Shareholders, C-level execs, employees that establish means and purposes of
processing or handle the actual processing cannot be reasonably expected to
place the interests of the data subject(s) above those of the company.

See article 38 for reference.

------
muro
> I don’t want to end up being arrested for GDPR violations when I go on a
> holiday in Europe (yes, I really saw that one)

The US did it recently:
[https://www.theguardian.com/business/2017/dec/06/oliver-
schm...](https://www.theguardian.com/business/2017/dec/06/oliver-schmidt-
jailed-volkswagen-emissions-scam-seven-years)

~~~
pjc50
I got into digital rights when Dmitry Sklyarov was arrested in the US for
writing a PDF reader sold from Russia.

[https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd](https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd).

------
pilsetnieks
> • The GDPR will enable anybody to be able to sue me, even from abroad

> The GDPR does not have this effect, but you may be interested to know that
> anybody can sue you or your business for whatever reason strikes their
> fancy. This is a direct consequence of doing business and has nothing to do
> with a particular law. What the GDPR allows private individuals to do is to
> contact their regulators and to complain if you decide to ignore their
> requests.

That's not exactly correct. Art. 79 of the GDPR allows people to sue directly
for violations of GDPR although it's very non-specific.

~~~
cbg0
People in Europe are not extremely litigious by nature and will likely resort
to calling upon their supervisory authority instead of suing directly.

What is however very interesting is article 80, which will allow a data
subject to mandate a not-for-profit body to seek judicial or non-judicial
remedy on his/her behalf. This will give quite a bit of power to non-profit
organisations built for this purpose and will likely add quite a bit of
pressure to large companies that don't comply with the law.

------
kasey_junk
This article actually points out my philosophical problem with GDPR. In one
point he says you have to be compliant if you want to do business in the EU.
In another he observed that it is difficult (maybe impossible) to block EU
folks from coming to a web presence. It’s the expansive reach that bugs me.

I’ll note that for real businesses this is just a thought exercise, but it’s
one I keep coming back to. What if some less reasonable entity attempted to
regulate in this way?

~~~
oblio
Are you American, by any chance? The whole internet dances to the US tune,
legally.

Welcome to our world :)

~~~
adventured
For 20+ years the US - as the dominant controlling agent regarding the
Internet - ensured the modern (post early 1990s) Internet remained extremely
non-regulated and non-interfered with by ~195 nations (when it came to the
global Internet system). It worked globally out of the gate and required no
special adherence to US laws. The Chinese did not have to adopt US freedom of
speech approaches to use the Internet. The Iranians or Saudis did not have to
adopt US freedom of religion approaches to use the Internet. The EU did not
have to adopt US legal approaches or laws to use the Internet. Any other
scenario than the one the US pursued would have resulted in a fractured,
mostly useless global Internet. The US was about as good of a shepherd as any
nation could have ever been: thus we got several billion users onto the
Internet from wildly diverse background jurisdictions. The way the US built
the Internet made it possible for the EU to say: hey, we're going to do GDPR,
because that works for us (and yet the Internet still works); and for other
jurisdictions to say: hey, we're going to do this that or something else
because that works for us.

> The whole internet dances to the US tune, legally.

You've got that almost exactly backwards. The US approach has required almost
no dancing at all to the US tune. That's precisely why ~4 billion people can
use the Internet from 195 nations, all with dramatically varying laws. They're
not adopting US law to use the Internet. That's why the Chinese have been able
to implement their unique approach and still use the Internet (restricted to
fit their tolerances at a government level).

You very specifically do not have to dance to US legal tunes to use the
Internet. Even when it comes to IP laws, you do not have to dance to the US
tune (Europe has varied widely from the US on such, e.g. as it relates to
piracy, and yet the Internet keeps on regardless).

~~~
oblio
While I agree the US was generally benevolent, it did it because it knew it
had the tech superiority. It's the same thing with the Opium Wars and China or
Perry's gunboat and Japan: we'll force you to trade with us because we know
our goods are superior and you'll buy them.

Same thing with the internet: the US was the biggest developed country, it had
a large, stable, rich internal market, it had big universities churning out
graduates (many of them coming from other countries!), it was the inventor of
many tech things that make up the internet. So of course a less regulated
internet would benefit it since its companies were best positioned to take
advantage.

My question for the next 30-40 years: unless China screws up badly, it will
overtake the US. It's simple math: a moderately rich Chinese population will
overtake the US one, as it outnumbers it 4 to 1 or so. Will the US be as
benevolent and open when it's the underdog?

Based on some reactions I've seen here, regarding the EU and the GDPR and also
on reading a ton of comments about China, I'm not so convinced.

TL;DR: The US is reasonable, for a super power, but it didn't do it out of the
goodness of its heart.

~~~
adventured
> Will the US be as benevolent and open when it's the underdog?

US benevolence will increase in direct proportion to the extent that it isn't
the sole global superpower (realistically it has been the sole superpower
since WW2, the USSR power projection was mostly a facade, as it always had a
terrible economy). Its perceived role as global policeman, has put it into an
endless number of ridiculous positions (both politically and militarily). The
less the US believes it has to be the prime actor in that regard, and the more
the US has to inter-operate with everyone else in a normal fashion, the less
obnoxious it will be about a lot of things. It will be able to semi-normalize
back to closer to how other major nations behave.

Obviously the US will remain an outsized global superpower. Its economy and
military scale alone will ensure that. However the coming future in which
China is a real rival that can stand toe to toe, will force a number of
fascinating adjustments to all politics around the globe (and I mean not just
to US politics, all politics for all countries).

The real question to ask is, will China be benevolent with its future power?
Look at what they're doing to their people right now for the answer (vast
Muslim torture camps like the Mao days, where people are being forced with
violence and psychological torture to give up their Islamic beliefs; literally
torturing homosexual people to convert them away from homosexuality;
restricting "homosexual speech" because it's anti-Socialism; wiping out what
limited speech the people of China had acquired; using its military to annex
the South China Sea away from its neighbors, which is 4x the size of France or
Texas; etc). Now consider for a moment that that is China just getting warmed
up as a global power, and consider what other horrific things they may choose
to do under dictator Xi (dictatorships have a near universal record of getting
worse, rather than better, as it pertains to human rights).

Consider that China has begun an aggressive expansion of its military outside
of its borders (laying down plans to build numerous foreign military bases to
give it global projection capability). Now one might fairly criticize the US
for its global military expanse; however the US hasn't used its might to annex
nations or territory globally, it hasn't actually acted as a traditional
empire (i.e. Ramstein military base in Germany is no threat such that the US
might suddenly attempt to annex Germany). Meanwhile China routinely threatens
to invade Taiwan and annex it, they get upset if you so much as recognize
Taiwan as an independent nation or talk to its leader directly. Maybe next
week China will decide that Mongolia too is a proper part of the greater China
strategy.

So with that growing power, is China suddenly going to become a soft
benevolent giant? Or will they get worse? I think the answer is obvious and
the planet should be terrified about what's coming. The entire Chinese
approach is incompatible with democratic values across the board, and they are
without question going to throw their weight around as it pertains to
censorship (they already are). They're currently busy buying up Eastern Europe
and using their investments to get countries like Greece to block actions
against them as it pertains to e.g. the South China Sea. Imagine a world under
the reign of Xi, forced by threat (direct or implied) to comply with how the
CPC operates China today. If people thought the US superpower behavior was
bad (a democratic nation with vast human rights protections), that's going to
be 10x worse.

------
LoSboccacc
> I was actually surprised by how easy it is to read it

there's a whole two hundred post debate around here whether IPs are or aren't
PII on their own, with the vast majority holding the wrong position.

there's a whole branch of gdpr that people aren't considering, which is not
related to software but to your business (i.e. your mail calendar). you also
need a privacy policy if you are receiving phone calls. did you know that?

there's a whole bunch of implications on how liable you are about holding
unwanted personal information, including unwanted medical personal information,
i.e. "hi, I saw your gazebo renting service, I'm organizing an event but I am
unable to walk due to a permanent disability and require that a ramp is present
to access your gazebo, is that so?"

there is a huge surface area for uncertainty, up to and including 'best
practices' that are a constantly shifting target.

edit: to clarify the calendar part: if you have a meeting with someone, that
links an identity with a location. that's why it's an issue, even without
considering the address book, which is another issue by itself.

~~~
zaarn
>there's a whole two hundred post debate around here whether ip are or aren't
pii on their own.

Largely pointless. EU courts have in the past ruled that IPs are personal data
because they can be tracked back to a person. End of story.

>there's a whole branch of gdpr that people aren't considering, which is not
related to software but to your business (i.e. your mail calendar).

That was largely already covered by the previous EU privacy law and the German
privacy law. Courts largely agree that calendars for appointments are fine as
long as you keep them reasonably secure and don't throw them around in public.

>you also need a privacy policy if you are receiving phone calls. did you know
that?

Yes I did. I informed myself when I registered as a small business.

~~~
apple4ever
> Largely pointless. EU courts have in the past ruled that IPs are personal
> data because they can be tracked back to a person. End of story.

They are wrong. IPs are not personal data. End of story.

~~~
zaarn
What personal data is is a legal definition, so no, you are wrong.

In the EU IP addresses are legally defined as personal data and have been for
a long while now. End of story.

------
lol-lol
Don't panic. Panic when you get something like this.

[https://www.linkedin.com/pulse/nightmare-letter-subject-
acce...](https://www.linkedin.com/pulse/nightmare-letter-subject-access-
request-under-gdpr-karbaliotis)

Bottom line, DON'T store/sell/mangle with personal data of your users unless
you are able to fulfill this. I was thinking a bit about having an online
store:

- make login as it is on Hacker News, you don't need email

- once the user has selected and paid for the goods, request the shipping address and
contact (phone/email/whatever)

- ship it, print the requested / store into cold store (it is not that hard,
you do it for bitcoins, right?), delete everything except username and
password (and maybe the attached goods) from the server

The described process will pass the GDPR Nightmare Letter in 10 minutes (to
write a general reply) that you sent to everyone requesting.

This is what traditional "physical" stores do, not the large chains, the
traditional, one employee, family store. And it works.

For everything else require consent, including tracking, but think very hard
if you need anything else as it will complicate your business progressively.

I really don't understand all the fuss about the GDPR, if you explain (and
prove) this to ICO, I would really like to see who will punish you for that.

~~~
flatfilefan
This is actually a great boilerplate for a response. Somebody should create a
product that collects this information inside your company and formats it for
sending it to any and every GDPR requester. End of story.

------
MatthewWilkes
My (EU) clients fall into two camps. Those who haven't had to do a single
thing to be GDPR compliant because they were already following the various
data protection and privacy laws, and the ones panicking.

The latter group say things like "this is ridiculous, they're making us change
so much" but never have an answer to the fact that they're already violating
PECR or the Data Protection Act.

------
grigjd3
Whatever one thinks about the subject matter, the writing in this piece is
awful. You can get the substance of what the writer is saying by skipping 90%
of the content. Moreover, the tone is talking down at the audience - unless
that audience is already excited about gdpr. This comes across as not being
interested in convincing anyone but in cheerleading their position.

------
eleitl
It ain't hysteria if you're in Germany, and a private individual or a
nonprofit (e.V.). Due to specialities of German law third parties can serve
you legal writs for hundreds or thousands of euros.

Which is why I'm shutting down these 20 domains running HTTP/SMTP services I'm
hosting in less than a week, and waiting until the smoke clears.

~~~
DanBC
GDPR doesn't apply to personal projects unless those are commercial projects.

~~~
acejam
Do you have a source for this?

~~~
DanBC
[https://gdpr-info.eu/recitals/no-18/](https://gdpr-info.eu/recitals/no-18/)

> This Regulation does not apply to the processing of personal data by a
> natural person in the course of a purely personal or household activity and
> thus with no connection to a professional or commercial activity. Personal
> or household activities could include correspondence and the holding of
> addresses, or social networking and online activity undertaken within the
> context of such activities. However, this Regulation applies to controllers
> or processors which provide the means for processing personal data for such
> personal or household activities.

------
weehobbes
As a solo business owner based in the US, I’ve been spending the last couple
weeks learning about GDPR and getting compliant. While it has not been a fun
process, I do think in general the regulation is quite reasonable and overall
good for the world in general. So far, GDPR compliance has not cost me any
money, only time.

There are three problems however that I have with GDPR and I’d love to hear
how other small non-EU businesses are dealing with this.

First is the requirement to have EU representation (Art. 27). Since I don’t
have any physical presence in the EU, GDPR requires the appointment of a
representative. It would appear that a new industry has been created selling
non-EU businesses GDPR representation in the EU which in my brief Google
searching can cost $1000 per year or more. Are other small business owners
out there paying for this? Or how else to deal with this requirement? Not a
lawyer but this is the only part of GDPR I am tempted to ignore.

Second is the common practice of using lead magnets to collect emails for
marketing. My email signup forms are very clear about marketing use, and are
double opt in, and subscribers can opt out with a single click. But my
research suggests that this is still not GDPR compliant unless there is an
explicit consent, which I believe will reduce email signup rates. Also, while
Mailchimp has a GDPR form, it is quite large and doesn’t work embedded in
web page headers, sidebars or popups. I’ve only seen one of these Mailchimp
GDPR signups in the wild and they opened a new browser tab to present the
hosted Mailchimp GDPR form which to me isn’t ideal. How are others handling
email marketing signups? Disclosure and checkbox for consent seems a
reasonable compromise but I haven’t seen this very often in the wild, at least
not yet; that may change come May 25. Not a lawyer but I’m tempted to keep my
current forms until I see more websites make changes.

Third, I have a medium sized mailing list (less than 10,000) mostly US based
emails which is important for my business. Are people running consent
campaigns (as suggested by Mailchimp?) I’m concerned that I will lose a
substantial part of my list due to non-response. Again, the list is double opt
in and I am very reasonable with my marketing emails. (Not a lawyer) but my
thought is to segment my list into EU and non-EU customers and run a consent
campaign only on EU emails. Has anyone run a consent campaign and how did it
work out for you?

Any thoughts or suggestions from other small and solo business owners would be
much appreciated.

~~~
mychael
> has not cost me any money, only time

It sounds like you don't value your time. In my universe (software
development), time is money.

~~~
weehobbes
No, I definitely value my time. I actually (and maybe strangely) have
appreciated the opportunity to review my data processes, privacy policies and
security. I think my business is better for it. Also, getting compliant is
mostly a one-time effort with little maintenance, whereas paying $1000+ every
year for an EU representation service that will in reality probably do
absolutely nothing is very irritating to me.

That said, your point is still fair. I sometimes spend my time less-than-
optimally because it feels "free."

------
therealmarv
This is no hysteria. Depending on where your company is located the suing
risk is really high. E.g. in countries like Germany there is a whole industry
which lives from suing companies and people and I can imagine that GDPR will
open a whole new suing market there. In other countries like Austria you get
first warned and then sued on big GDPR violations, which is a much better
solution.

So it all depends.

~~~
weavie
As per the article, GDPR does not enable you to sue the company.

> What the GDPR allows private individuals to do is to contact their
> regulators and to complain if you decide to ignore their requests.

The individual will not receive a payout from a GDPR violation.

~~~
sfifs
Not as per the law. The law explicitly states that option for judicial remedy
exists. The article is the opinion of a lawyer based on current practice, but
this is not what the law actually says.

------
glogla
There's no hysteria. There's just FUD disinformation campaign - businesses who
make a lot of money thanks to privacy violations are very unhappy with this
and they have a lot of voices.

~~~
horseLOGIC
_I'm unhappy_ with this because now I have to do a lot of extra work
verifying that I'm not breaking some law, then implement changes in both code
and license agreements, then get all the users to agree.

I've had zero profit from user data so far - to the contrary. If everyone
could be billed just with some cryptocurrency, totally anonymous, _that would
be great_.

~~~
krageon
The only thing I can do as a _customer_ is be mildly amused at the fact that
you're complaining it's inconvenient for you to respect my privacy now that a
law is coming into effect forcing you to do so.

From the other end of the spectrum, I _know_ you're wildly exaggerating the
difficulty of compliance.

~~~
horseLOGIC
It's not inconvenient, it's _costing me money_. I don't _want_ your data, I
_need to_ collect it and store it to comply with other laws, now I need to
_verify_ that the particular way I collect and store that data isn't violating
some other new law.

You _are not my customer_, but even if you were, keep in mind that for every
piece of regulation (and there's tons of it!) I need to fulfill, I have to
pay, which means _you_ need to pay. I need to set prices to keep my bottom
line. If I can't keep my bottom line, I'll eventually stop providing the
service, because I'm not providing it for fun. That's for _paid_ services.

Now, some companies don't even charge you, they provide (aggregate) data about
you to advertisers, who are then willing to pay more for their ads. It only
makes sense, how much would _you_ pay for an ad for a piece of specialized
software that gets shown to the wrong audience 99.99% of the time? What's
going to happen if that kind of data usage becomes infeasible? Those companies
need to start charging, or go out of business. There will be less free
services. I suppose that helps companies who _do_ charge, but it hurts people
who can't pay and don't care about data collection.

I'm not providing such a service, but if I was, you would be _paying me_ with
your "privacy". If "respecting your privacy" means you don't want to pay, _you
can get lost_ , because you're only costing money. The definition of
"customer" is that you _compensate_ the other side.

~~~
gnicholas
Your comment led me to wonder if any businesses are considering raising prices
for EU customers as a result of this law. I'm not so much wondering about the
"we lost revenue because we can't sell your data anymore", but more along the
lines of "complying with the regulatory environment in this region is
expensive, and we pass the cost of compliance along to customers in the
region".

I recently learned about the AU warranty rules, which are very consumer-
friendly — and which a commenter pointed out might be the reason that Apple
and others charge significantly more when selling products in AU.

Note: I'm not saying anyone _should_ raise prices as a result of GDPR, just
wondering if anyone has done so.

~~~
pheleven
Yes, it's being considered.

~~~
gnicholas
Do you think companies will/should make explicit the cause of
higher/differential pricing? On the one hand, it could anger consumers. On the
other hand, it would provide transparency so that consumers would understand
where the price increase came from.

~~~
pheleven
Honestly, it's not my call to raise prices or not, but it doesn't seem like
they intend to hide it, should it happen.

------
mbrumlow
I can tell you that GDPR is going to cause issues with block based backups.
Many hosting providers don't separate customers on different block devices.
When you back up a block device you have snapshots that have many different
organizations' data on them.

Part of making good backups is knowing that the backup can't change. The only
solution now is to add paths to go back and modify those backups to remove
customer data when asked to.

That is my plight anyways.

~~~
icedchai
The solution is to keep a list of "things to exclude" if a backup is ever
restored. This is reasonable. Rewriting old backups is not reasonable.

~~~
badwolf
Would such a list not by nature consist of PII?

~~~
icedchai
Not necessarily. It might consist of user IDs (integers, UUIDs) or hashed
values of something that can be mapped to the user...

~~~
badwolf
User IDs are considered PII though. If it can be mapped to the user, it's by
definition identifying information.

~~~
icedchai
Identifiers that have no meaning outside of your system are not PII.

~~~
Boulth
Reading [https://ec.europa.eu/info/law/law-topic/data-
protection/refo...](https://ec.europa.eu/info/law/law-topic/data-
protection/reform/what-personal-data_en) I would agree, of course, if that
identifier is not in some other database that maps it to a person. If you
have just ids in a backup and you remove the person-ID mapping this should be
fine.

------
tezza
> this particular one has the interesting side effect of causing mass hysteria
> in the otherwise rational tech sector.

* Y2K

* Dot Com hysteria

* Dot Com crash hysteria

* AWS outages

* Will robots replace us ?

* Will Microsoft crush me ?

* Will Google crush me ?

* I just raised £30M series A, where my Aeron at

* Nosql means I can throw away everything I knew about databases

* Web first

* Mobile first

* XML everywhere

* OO everywhere

* Javascript everywhere

* AI everywhere

Where is the evidence for rational behaviour ?

~~~
horseLOGIC
I chuckled at that sentence as well. It's not that the tech sector is
rational, it's that a lot of the _people working in it_ are desperate to
maintain a self-image of being a rational, scientific-minded person. Then, if
some evidence collides with that self-image, we just _blame it on management_.
Problem solved!

------
danieltillett
One question that I have thought about is how are foreigners supposed to learn
about the GDPR's existence? If it wasn't for the fact that I spend more time
on HN than I should I would never have heard of it. I doubt there are many
businesses here in Australia that know about it.

~~~
PebblesRox
I first learned about it when I did a google search to figure out why I was
getting so many “we’ve changed our privacy policy” emails.

------
tlrobinson
Is the system of warnings and increasing fines described in the post a part of
the law, or does one need to rely on the "spirit of the good natured
enforcers" if they are unable (or unwilling) to immediately comply fully?

~~~
riffraff
It is, but in a vague way, see article 83[0], where to choose what fine to
apply you must consider, amongst other things:

(f) the degree of cooperation with the supervisory authority, in order to
remedy the infringement and mitigate the possible adverse effects of the
infringement

If an authority did not go this way any fine could be voided by an appeal.

[0]
[http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...](http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf)

------
spacenick88
I don't think it's really that simple, especially the deletion requirements.
There are just so many IT systems that really don't support deletion. An
absolute worst case I can imagine is GitHub being asked to delete an account
which had commits in multiple large projects. Are they going to alter those
projects' source code?

~~~
madeofpalk
This is already a “solved problem” though. If you post copyrighted material to
Github, Github will have to remove it.

If you’re posting users information to a public repo, then you fully deserve
whatever impacts you’ll face when you have to delete it.

~~~
aeorgnoieang
> If you’re posting users information to a public repo

Like their name and email address in every commit they submit?

I've already seen a notice from GitLab requiring me to consent to waive my
rights to have that info deleted if, e.g. I were to contribute to the GitLab
open source project. But I'm not sure that that's even enough for GDPR.

~~~
jhurewitz
The waiver is only one aspect of it. Waiver only applies when consent is
required. Article 6 of GDPR also allows for the use of personal information
when "processing is necessary for the performance of a contract to which the
data subject is party..." Consent is not required when it is a necessary part
of performance under a contract. GitLab's updated terms state that as part of
the agreement to voluntarily contribute to GitLab projects, contributors
acknowledge and agree that their personal information will become part of the
repository as part of the Git functionality. Therefore, their personal
information will not be deleted and will remain in the repository so as not to
impact the code base. This only applies to those who contribute to GitLab
projects. This does not apply to general use of the software. There is still
much that is unclear regarding GDPR but we are doing our best to comply and
protect individuals' privacy. An important function of this waiver and
acknowledgement is to provide transparency to our contributors. If an
individual does not want their information to be maintained, they have the
option not to contribute.

------
ealexhudson
I'm not sure about the point regarding the DPD. EU Directives themselves don't
have teeth, but they're supposed to be transposed into national laws - e.g.
the DPA in the UK - and would be enforced nationally. A regulation comes into
law across the EU, but is still often transposed, and the enforcement
mechanism (to begin with) is still basically the same.

He's right that the DPD was not well-adhered to, though.

~~~
gcthomas
The problem with the laws stemming from the DPD was that there were different
laws in each EU country, and the enforcement options were too weak for
slippery international corporations.

One critical change in the GDPR is the mandatory reporting of significant
breaches. Before, it was entirely optional, so reports could come out years
after the event, once the material surfaced online.

~~~
ealexhudson
Sure, it wasn't consistent, but the argument about lack of enforcement really
comes down to the national regulators not taking their jobs seriously enough
or being given sufficient resources. The ICO in the UK has only ever issued
pretty small beer fines.

The problem with self-regulation in this area is that there is significant
competitive advantage to be gained by not being particularly careful. In that
sense, I think GDPR evens the playing field.

------
cbg0
I've been doing a bit of consulting work on the GDPR and for the most part
small sites aren't going to have a lot of headache dealing with the GDPR
requirements.

Typical, simplified, workflow (varies):

1) Review what data you collect and why

2) Document these in an updated privacy policy along with third parties you
share data with and why

3) Update all forms on your site collecting personal information

4) Update your cookie policy and the way you handle cookies, for some of these
you might need consent, for some there might be exemptions

5) If you expect this to be an issue, set up automated means of handling
requests pertaining to data subject rights, otherwise process them as they
come via email

While some smaller sites are getting around the need for an EU rep by claiming
that they are only processing data occasionally and not on a large scale
(whatever that means, as it's not defined by the GDPR) there is a big problem
with getting an EU rep, because as opposed to a DPO, which doesn't have
liability, your EU representative "should be subject to enforcement
proceedings in the event of non-compliance by the controller or processor."
making that natural or legal person liable, so you won't be able to easily
outsource this.

If you have set up shop in the EU, then it's pretty easy to handle the aspect
of an EU rep. Also, if you're transferring data between your EU and US
offices/datacenters, you can self-certify under the privacy shield, starting
from ~$250 per year to not have to deal with binding corporate rules or
standard contractual clauses, so that you can effectively make these transfers
"safe" under the GDPR, along with various technical safeguards, of course.

~~~
tchock23
Privacy Shield starts at $500 per year for the smallest company, and that’s
before you contract with a mediator (lowest cost there is $50/year if you use
the EU options). Unless I’m missing the option for $250/year on their website?

~~~
cbg0
I was referring to [https://www.privacyshield.gov/Program-
Overview](https://www.privacyshield.gov/Program-Overview) where, for the single
framework (EU-U.S.), for companies with between $0 and $5 million the yearly fee is
$250. If you want to add Swiss-U.S. privacy shield as well, then $375 per year
for both.

~~~
tchock23
Thanks - I have no idea where I got the $500 number in my head. Maybe I was
thinking of one of the private mediators I was researching? Sorry for
questioning your initial number...

------
ryanwaggoner
I think much of this probably comes down to cultural and ideological
differences between the US and the EU. It certainly seems that almost all of
the rabidly pro-GDPR crowd is from the EU.

Interesting: I have a number of anti-GDPR comments here and on last night’s
GDPR thread that got upvotes last night US-time, heavily downvoted throughout
the night, and are now going back up :)

~~~
krageon
Yes, because being against a law that is both reasonable and the right thing
to do doesn't make any sense when you're a real live human being. The hysteria
about businesses imploding under legislation is classic internet outrage at a
phenomenon not very well understood. If you actually took the time to read the
source material, you could very well see that it's reasonable and made to protect
you. At the same time, you would see that there will not be any world-ending
fines handed out for literally no reason (on a slight tangent I don't
understand why it is so impossible to grasp that this isn't something that
happens in the EU).

~~~
ryanwaggoner
This is a law with good intent that was very poorly written and is very
ambiguous. Most of the people with your view posting here aren’t experts in
this regulation or the law in general, but just armchair lawyers who scanned
this regulation and like the intent so they argue that it’s simple.

Ironically, if you asked 10 different people with that position about basic
facts about this law, you’d all have different answers. Maybe if it’s so
simple you could all take a few mins to get your story straight on how it
works?

------
jstanley
> As soon as you do business abroad you will have to comply with the laws of
> those countries.

But are you doing business abroad, just because you're on the internet?

Is it not the customer who is coming to you to do _their_ business abroad,
while you do your business in the country you live in?

~~~
adventured
The author claims that local law compliance has always been the case. That is
in fact incorrect and is a glaring mistake in the article. For the first 20
years of the Web's popular usage globally, you in fact mostly did not have to
comply with local laws when it came to commerce online - there were few laws,
and most jurisdictions had yet to flesh out how they were going to regulate
and apply their laws or not. You simply opened up shop and sold to anyone from
anywhere that wanted to buy from you, and you did not need to give a second
thought to anything else.

Coming next is a global compliance nightmare. If you want to sell globally,
you'll have to comply with dozens of unique local approaches. Small businesses
won't stand a chance of being able to deal with that. An army of fee charging
middle-men will spring up offering solutions, extracting fees accordingly.

------
merinowool
This is just an author wishlist and not the reality. I especially find the
"clearing house" fantasy amusing. How does he think this house of bureaucrats will
be able to judge that John Doe's complaint has any merit?

~~~
orcdork
I recognized your user name from the other thread
([https://news.ycombinator.com/item?id=17095217](https://news.ycombinator.com/item?id=17095217)),
it looks like you've made up your mind (to the point where your comments were
ridiculous enough to be deleted) and no amount of argument will even get you
to consider any other options.

Why don't you tell us how you really feel?

~~~
zone411
And the author of this article, who was also very active in the same thread
hasn't made up his mind?

------
peterburkimsher
> Do you know a good GDPR consultant?

>> Yes.

> Can you tell me their email address?

>> No.

~~~
tinus_hn
My DPO didn’t allow me to store that kind of personal information /s

------
mingodad
Do what I say do not do what I do.

Today I've been asked by a library of "Junta de Andalucía - Spain" to accept
its terms and conditions to use the wifi internet connection provided for
its users, and it's a clear violation of the GDPR by a government body:
basically they're asking for a blank check to do whatever they want without
bothering to ask/inform the user.

Translation by translate.google:

====

The Telecommunications Corporate Network of the Junta de Andalucía reserves
the right to monitor and collect information while the user is connected to
the Service. This information can be used at the discretion of the
Telecommunications Corporate Network of the Junta de Andalucía and can even be
shared with the State Security Bodies, their associates or suppliers.

Likewise, the Telecommunications Corporate Network of the Junta de Andalucía
reserves the right to revise this agreement at any time.

The user must accept the General Conditions of Access each time they use the
service and it is your responsibility to review it each time the Service is
accessed in case there has been any change.

The Telecommunications Corporate Network of the Junta de Andalucía, reserves
the right to withdraw the Service, modify the specifications or forms of use
thereof, as well as change access codes, users, passwords and other security
elements necessary to access the Service. IF YOU DO NOT AGREE TO THESE TERMS,
INCLUDING ANY MODIFICATIONS, DO NOT ACCESS OR USE THIS SERVICE.

====

~~~
tincholio
Well, presumably you can report them to the relevant regulator, then. That's
the point of the law.

------
losvedir
As someone more on the hysterical side, good post, thanks. Can you clarify one
part for me? Take this bullet:

> _The GDPR is going to expose me to fines of up to 20 million Euros for even
> the slightest transgression_

> _No, the GDPR has the potential to escalate to those levels but in the
> spirit of the good natured enforcers at the various data protection agencies
> in Europe they will first warn you with a notice that you are not in
> compliance with the law, give you some period of time to become compliant
> and will - if you ignore them - fine you. That fine will be proportional to
> the transgression. You can of course ignore the fine and then ‘all bets are
> off’ but if you pay the fine and become compliant you can consider the
> matter closed._

What if you get warned and _decide at that point_ to just shut the
site/app/business/project down?

Or is it the case that once you begin operating under the GDPR era, you'll
have to handle those "good natured" enforcement warnings, delete data, etc?

I get that I'm _probably_ compliant, and _probably_ wouldn't have any
complaints against me. I just don't know if it's worth waiting it out to see
if there's an issue, or if _now_ is my only chance to easily not deal with it
by just blocking EU users.

------
LaundroMat
I applaud the GDPR for automatically unsubscribing me from mailing lists I
bothered to take the time to unsubscribe from.

------
pawurb
[https://pawelurbanek.com/gdpr-compliance-blog-
rails](https://pawelurbanek.com/gdpr-compliance-blog-rails)

My take on GDPR compliance from a solo developer perspective without a legal
team to back him up.

~~~
dingo_bat
> IP addresses collected by Google Analytics

Why should this be _your_ headache? It's collected by Google, not you.

~~~
pawurb
I am afraid it is not so simple. There is a thing with data collector, and
data controller in GDPR I don't fully understand yet. It's not like you're not
responsible for data collected by services that you hook up to your
application.

------
frockington
Anyone know if it is easy to block any user from the EU in AWS? It's been
determined that Google Analytics has a greater value than Europe.

------
andrewla
I find this confusing:

> Note that the 20 million Euros or 4% of global turnover is the maximum fine,
> the specific language is ‘a fine up to €20 million or up to 4% of the annual
> worldwide turnover of the preceding financial year in case of an enterprise,
> whichever is greater’, so that’s the maximum of the fine that’s being set by
> the 20 million or the 4%, and this bit is there to ensure that even the
> likes of Facebook and Google will not simply ignore the law and pay the fine
> to be able to continue as they have so far. This in no way should be read as
> you, the small business operator will face a fine of 20 million for each and
> every infraction that could be found.

Saying that this is intended to be aimed at the Facebooks and Googles is all
well and good, but that's covered by the "4%" criterion. The €20 million
figure is aimed at companies that have a global turnover of less than €500M,
not the Googles and Facebooks. That's why it's scary.

------
tannhaeuser
Does anybody know if it's required to remove CDN links (such as for Google fonts,
cdnjs, etc.) and host all assets locally instead unless consent is given?
Assets from CDNs are required for a site to function; what's not required is
to send `Referer:` so maybe it's sufficient to set a referrer-policy.

~~~
domakidis
I wonder the same. Would I need the web visitor's consent for loading a
reCaptcha to verify they're indeed human?

Google fonts is just one of the many font libraries. For example, most web
font licenses at myfonts.com don't permit webmasters to self host them.
Bypassing the HTTP referer download protection, downloading them and then self
hosting the font files could lead to significant legal problems.

------
donatj
Where is the form on this site that claims to be GDPR compliant to get my IP
removed from the server logs?

~~~
acdha
Keep reading the rest of that paragraph:

> Well, this website is fully compliant with the law, so at least in this
> particular case it seems to work. Why? Because I don’t store any information
> about you. That’s a conscious choice on my part which I made long before the
> GDPR was even talked about in public. But if your situation is more complex
> then you too can be compliant, or at least - and this is key - you could try
> to be compliant. For instance, one oft heard argument is that no webserver
> (or even any internet service) is going be able to be compliant because all
> web servers log IP addresses, and IP addresses are PII. But that argument
> does not hold water. There are several reasons for that, the major ones
> being: webservers only log IP addresses if you configure them to do so.
> Almost all webservers have a formatting option that determines what exactly
> is logged and you could configure your webserver to not log the whole
> address but just the network portion. You also have the option to log the
> address and to disclose that you do so in your privacy policy, but then you
> will have to allow for the removal of that data on request, which you may
> find burdensome (or not, that depends on the volume of such requests).
> Finally, you may have a legitimate reason to log the IP address, provided
> you delete it after you are done with whatever use you collected it for in
> the first place. There is enough room in the GDPR to hold on to the address
> for 30 days with a possible extension of another 60 days after which an
> automated reply to the user can tell them their IP address was purged and
> you’d be in compliance. That’s one of the reasons why I think the GDPR is a
> surprisingly good law, most of the times when legislation is written that
> impacts technology the end result is absolutely unworkable, in this case
> most scenarios seem to work well for all parties involved.
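
The log-format advice in the quoted paragraph (keep only the network portion of the client address, purge entries after a retention period), worked through as an added Python example that is not from the article or any commenter. It assumes the Apache/nginx "combined" log layout and, as constructed choices, a /24 prefix for IPv4 and /48 for IPv6 and a 30-day retention window.

```python
"""Truncate client IPs in web server log lines to their network portion and
drop lines older than a retention window. Added example, not from the article;
prefix lengths and the sample log are constructed for illustration."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

IPV4_PREFIX = 24   # keep the first three octets (assumed choice)
IPV6_PREFIX = 48   # keep the routing prefix only (assumed choice)
RETENTION_DAYS = 30  # retention window mentioned in the quoted paragraph

# Combined log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(addr: str) -> str:
    """Return addr with its host bits zeroed (the network portion), or addr
    unchanged when it is not a valid IP address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_line(line: str) -> str:
    """Rewrite the client field of one log line; unparseable lines pass through."""
    m = LOG_RE.match(line)
    if not m:
        return line
    return f"{truncate_ip(m.group('ip'))} {m.group('rest')}"


def is_expired(line: str, now: datetime, days: int = RETENTION_DAYS) -> bool:
    """True when the line's timestamp is older than the retention window.
    Lines without a parseable timestamp are never treated as expired."""
    m = LOG_RE.match(line)
    if not m:
        return False
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return now - ts > timedelta(days=days)


def process(lines: list[str], now: datetime) -> list[str]:
    """Purge expired entries, then anonymise whatever remains."""
    return [anonymise_line(line) for line in lines if not is_expired(line, now)]


# Constructed sample log (documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5 - alice [24/May/2018:09:01:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58"',
    '198.51.100.23 - - [01/Mar/2018:08:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "-"',
    "garbage line",
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for out in process(SAMPLE_LOG, NOW):
        print(out)
```

Note that a /24 still narrows a client to 256 hosts; whether that is enough to take the field outside the definition of personal data is the question the thread leaves open, so the retention purge is the part to rely on.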

~~~
taysic
Ok but we have to trust this person that they don't store IP information.
There is no way of knowing for sure. And there is no obvious way to detect a
lie on this.

------
zaarn
>Don’t Panic

That's thoroughly good advice. Panic reduces efficiency and the capability to
react rationally.

>Becoming compliant with this law will cause my business to go under

>If becoming compliant with the law will cause your business to go under that
is more or less the same as saying that your business is built on gross
privacy violations. So if that’s your business model then good riddance to you
and your company

Hmm, I would nitpick on that, Google Adsense has been ass about getting GDPR
compliant, they don't offer any method of serving ads without storing consent
including their tracking-free ads. This is not something that affects me
personally but I know people running larger websites that rely entirely on ad
revenue (premium model is hard since they drive visitors with UGC, most people
don't have an account, they don't want to paywall anything or ask money from
the people that drive traffic). The site itself is already fully compliant and
with exception of very minor changes (minimum age 13 -> 16, adding a "download
everything" button) was compliant in the past.

I blame Adsense on that one, not GDPR though. The ad industry has to adapt,
pushing the work on the website operators won't help and is not appropriate.
IMO Adsense should either offer a fully consent-free ad experience in
compliance with the GDPR or operate the consent dialog for the website owner
in a non-intrusive manner.

Maybe this means there will be an opening for a GDPR-compliant adnetwork in
Europe

------
TekMol
This is how I understand the GDPR:

    
    
        You cannot store a users personal data like IP
        or cookie id unless you have consent from the user.
    

I expect that _nobody_ will comply with this.

Smaller companies seem to think GDPR is something they can fix by changing the
legalese in their impressum and privacy policy. "Yet another trip to the
impressum generator".

Bigger companies seem to pretend they misunderstand the GDPR. I got emails and
popups from Facebook, Twitter, Instagram etc informing me about all kinds of
nonsense about how they changed their policies and asking me all kinds of
unrelated questions about what kind of ads I want to see.

Not a single company asked me for permission to store my personal data.

~~~
pjc50
> You cannot store a users personal data like IP or cookie id unless you have
> consent from the user.

This isn't true; there's a list of reasons you can keep information and "with
consent" is one of them, "legitimate business need" another:
[https://ico.org.uk/for-organisations/guide-to-the-general-
da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-
protection-regulation-gdpr/lawful-basis-for-processing/)

But: "However, an individual always has the right to object to processing for
the purposes of direct marketing, whatever lawful basis applies."

So: you can store IP addresses as part of your information security needs, but
_not_ turn round and use them for direct marketing. (I'm not sure if web
advertising counts as "direct marketing" here)

------
vbezhenar
How can I be non-compliant with GDPR? If I couldn't care less about it, is it
enough for me to do nothing? Should I expect that European users should find
out themselves that my website is not GDPR-compliant? Or must I actively
ban EU IPs?

~~~
cbg0
If you actively choose not to pursue compliance, you should make it clear in
your own privacy policy that the site is not for use by EU/EEA citizens and
also use IP geolocation to block their requests.

~~~
_rpd
You should require users to positively certify that they are not EU/EEA
citizens, and refuse service if they are. Blocking by IP is a good idea but
not sufficient.

------
hartator
> There are several reasons for that, the major ones being: webservers only
> log IP addresses if you configure them to do so.

That’s not true. Apache and Nginx log IPs by default. Maybe OP should check his
Nginx logs.

------
chx
> This in no way should be read as you, the small business operator will face
> a fine of 20 million for each and every infraction that could be found.

Thank you, random stranger on the Internet! However, that is not the law. And
even if you are right? As I posted yesterday, half of the employers in the USA
have 1-4 employees and make $387,200 on average yearly. Even if they get fined
to 1% of the maximum, they are completely wiped out. So no, it's not hysteria,
it's plain business sense for them to slap an IP ban on it and move on.

------
mychael
I'm a citizen of the United States, which is a sovereign nation.

I will never pay the EU "internet transgression fees", no matter how well
intentioned they are. Full Stop.

------
davidcd
Hi, thanks for this, very interesting.

What I think is a big problem is this stuff about requiring consent. This is a
big issue at the moment for website owners and app developers who have on line
advertising from vendors such as Google (Admob/Adsense) and use e.g. Google
Analytics for development support. These guys do not record individual user
details and have no interest in doing so.

Specifically for such people there is an issue where personalised advertising
(according to Google and others) needs an opt in, fine but for app
developers and web site owners they don't have any user details other than
maybe ip address so if they put up a pop-up and record consent how do they
know who the user is if they don’t have any other users info.

This is leading to absurd discussions re for example Google Analytics used by
millions of websites and apps. There is something called client id which GA
uses to identify unique "users” or website visitors. Now apparently as it is
unique this is personal data so should require consent according to some
experts I have read. But as it is anonymous, how can it be identified who it “is”.
If a user demands to know what data a website/app has and mentions the client
id info well who knows for sure what any client id represents in the real
world ?

More to the point what is the likely legal/financial consequence if a user
claims that the website id did not ask for consent for this client id to be
recorded (how would they be able to prove which one it was that was theirs
anyway) ?

Would they be able to sue ? I presume not. So is the IC going to be interested
in this apparent breach ? And if the developer/website owner had a data breach
where their GA account was compromised would they have to inform all the Client
ID individuals ? Again obviously not but you see how these discussions are
going !

------
frockington
What is stopping competitors from burying each other in legal work? Just start
commenting names and addresses on various pages and submit complaints

~~~
SomeGermanGuy
What stops competitors from doing that now? No business is 100% compliant with
any law. If they want they can just for the sake of it bury you in legal work
already.

See Google vs Oracle. Apple vs Google.

------
hartator
> So if that’s your business model then good riddance to you and your company.

That’s the best way to ensure EU will never have a decent startup scene.

------
mark_l_watson
I spent two hours today at our campsite working on my web sites to make them
reasonably compliant. One problem area is that I serve my blog on Google
Blogger. With pained reluctance I turned off comments and stopped showing my
followers. I also linked to Google’s own GDPR info page. I used to use Jekyll
and maybe I should go back to doing that.

Any suggestions?

------
hartator
> As soon as you do business abroad you will have to comply with the laws of
> those countries.

Serving a webpage is not doing business though.

------
marichards
Not sure what "it will ensure that the public will not be able to use the GDPR
to harass businesses" as GDPR explicitly empowers individuals to seek
compensation. [https://gdpr-info.eu/art-82-gdpr/](https://gdpr-
info.eu/art-82-gdpr/)

------
AndrewKemendo
GDPR puts into jeopardy the business model that almost every consumer internet
business has run on, post internet bubble: advertising.

That's what is at jeopardy here and nobody is willing to just say it.

Don't agree with the concept of tracking users to serve them ads? Great, make
the case that GDPR ends the scourge of advertising subsidized applications as
services.

Let's not ignore it though. The reality is, a lot of internet companies that
consumers use and like, rely on either selling advertisers access to their
market or sell user contact data outright, because there is no other way to
make money.

If the argument is that this is an unethical and harmful way to keep services
alive then we need to agree that the bulk of the last 20 years of startups
business models are broken and what the implications for future internet
business models are.

~~~
SomeGermanGuy
> we need to agree that the bulk of the last 20 years of startups business
> models are broken

I agree.

If a startup is built on selling my data, I am more willing to pay a fee than
to have them sell my data.

If we could go back to WhatsApp having a fee instead of Facebook using and
selling my (meta)data, I would switch anytime. If Telegram starts raising a
fee for using their messenger without anybody reading my
messages/location/... I am all in.

------
adambrenecki
> ... it may not be possible for you to lock Europeans out reliably enough...

Here's a fun little example of this: If one of your parents was a British
citizen, then you're a British citizen 'by descent'—not merely eligible to
become a British citizen after you fill out a form, you're an automatic
British citizen by default unless you renounce your citizenship. (This has
caught out at least one member of the Australian parliament, where dual
citizens aren't allowed to serve.) This means that you can have someone who's
an EU citizen (for the time being, at least), who doesn't live in the EU, has
never set foot on EU soil, and maybe isn't even aware that they're an EU
citizen themselves.

~~~
jacquesm
Your example is interesting but the fact that it is such a remote edge case
means that _if_ such a person were to raise an issue with their _local_ DPA
they will find that no such institution exists so you are safe to ignore that
situation for all intents and purposes. Even so it would be common courtesy to
honor a removal, update or insight request from that individual as well as
from all other individuals that your service caters to.

------
hartator
> The EU regulators see their job as ensuring compliance, not as creating a
> source of income.

I thought one of the objectives of the EU is to make US social media pay their
fair share. Citing the same article:

> European holdings or that use the EU to avoid paying taxes rightly worry
> about this particular aspect

So, what is it?

------
bowlofpetunias
This is what pisses me off the most about all the hysteria and whining:

"_The law has been in effect for over two years at this point, and the DPD,
the European Data Protection Directive has been in effect for over two
decades. So no, this law was not sprung on anybody, though it is very well
possible that you only became aware of it a few weeks or months (or days?)
ago. If that's the case do not panic, you too will most likely be fine._"

Never mind the fact that the underlying privacy laws are much older, and so
many practices were already essentially illegal but went unchallenged so far.

~~~
aeorgnoieang
> > The law has been in effect for over two years at this point

So what's this whole thing that's going to happen soon? It's going into double
effect or something?

~~~
SomeGermanGuy
The law was made public two years ago, to give companies time to get
compliant. It actually goes into effect next Friday.

~~~
jacquesm
It was already in effect, it just wasn't enforceable and that is what is
changing next Friday.

~~~
taysic
In effect but not enforceable means it's not in effect in a way that matters to
anyone.

------
whataretensors
> in the spirit of the good natured enforcers at the various data protection
> agencies in Europe

Is this serious? Why would we assume enforcers to be good natured if they
benefit from fines? Or assume they would stay good natured, even if you
have the most perfect humans there now?

It's far more likely that the EU is creating tools to prevent disruption and
manipulate markets. The template will likely be followed elsewhere,
effectively elevating the state's data collection abilities over all other
organizations.

Note, Bitcoin does not seem compatible with their laws.

~~~
depr
Yes I'm sure enforcers are looking to fine Bitcoin.

~~~
whataretensors
I'm not making that argument. It's a reflection of how the law is about
expanding government power without considering technology.

------
sandrobfc
What really annoys me about GDPR is that, given all the confusion surrounding
the law, a lot of GDPR professionals are popping up everywhere.

There are a lot of people making money by providing GDPR-compliant solutions.
To avoid this, all that had to be done was to write a clear text with
everything everyone had to do to be compliant, instead of piling up some big
and dubious words that no one really knows the meaning of.

Concerning the law itself, it's a lot of fireworks. Give it a few months and
no one will care about it again.

------
maxk42
How does this affect people who aren't based in Europe?

~~~
merinowool
How do you check if someone is an EU resident?

~~~
bausshf
Geolocation, IP Lookup etc. You generally shouldn't care whether they're a
resident in the EU, but just whether they are in EU or not. Remember GDPR
doesn't cover any citizens from EU who aren't in EU.

~~~
merinowool
I read that GDPR applies to EU residents. That means someone who is an EU
resident is not necessarily browsing from the EU. For example when on
holiday.

~~~
bausshf
Yes, but you cannot check whether a person is a resident unless you explicitly
ask them. There is no "public" API.

It's much easier and safer to just assume someone who's in Europe is a
resident, rather than figuring out if they really are.

GDPR only applies to EU residents, yes, but not if they're on, e.g., holiday
outside of the EU.

Say, an EU citizen is on holiday in the U.S.

In such a case the EU citizen is not protected by GDPR.

~~~
merinowool
But this is only your assumption and not a fact. A person on holiday is still an
EU resident and enjoys the protection of GDPR. Do you have a source that says
that GDPR doesn't apply to IPs outside of the EU?

~~~
bausshf
It's not my assumption. I work with GDPR implementations. Read the GDPR
yourself if you want a source.

------
robotdan
For a lighter take on a Friday, read how Site-Lokd™ brewery technology solves
GDPR crisis: [https://www.inversoft.com/blog/2018/05/16/site-lokd-
brewery-...](https://www.inversoft.com/blog/2018/05/16/site-lokd-brewery-
technology-solves-gdpr-crisis/)

Enjoy.

------
SomeGermanGuy
Thanks for this article. I wholeheartedly support your stance of:

> In that case please shut down or do not serve EU customers

------
willvarfar
> If you’re Mark Zuckerberg however I would definitely advise not to ignore
> this, however the chances of Mark reading this blog post are nil.

As this is top of HN, perhaps there is a good chance he _will_ read this
because of his FB staff who read this and can't resist telling him? :)

------
commenterx
I'm an EU citizen and proud of the EU actually, something I don't feel very
often btw, for being at the forefront of law-making that protects the privacy
of individuals.

My vocabulary has been enriched with a new word: PII. I like it. It simplifies
when thinking about GDPR. I expect one or two years from now I'll know the
important parts of GDPR like the back of my hand.

But right now every person in the world running a multinational company needs
to understand a new piece of legislation that threatens 4% of their annual
revenue. You have better things to do and so I understand everyone's anger.

But is it wrong to force business-runners to learn about GDPR, stuff that's
pretty close to human rights, like "don't track any of my PII without telling
me exactly what you plan to do with it"? Is it wrong to now have to learn
this, as a web/app developer?

I'm sooooo sick of being tracked. It has definitely made me exit the social
media world altogether, six months ago. Even though it is detrimental to my
career I even asked LinkedIn to erase my data. I truly hope my career isn't
screwed just because I refused to give Microsoft a detailed description of 30%
of my person, my whole work life that they can connect to an email address
(some people even give them their phone number), IP, tracking cookie, thus a
Facebook profile, real or shadow, thus to the most detailed graph of PII there
is, probably in the whole universe. Hopefully in the whole universe otherwise
civilizations on other planets took a wrong step somewhere.

I hope GDPR leads to PII being treated as gold by the market because it's so
rare. Because isn't it better to skip all this tracking business than having
to deal with stuff like GDPR?

No cookies for me please. And I'm also sick of having to run JavaScript.

------
Angostura
I just wanted to register my appreciation for this post, it's a breath of
fresh air.

------
tobyhinloopen
GDPR: Don't sell/leak/publish customer data you're fine :)

------
dingo_bat
Remember guys, while you are stressing over how to work with GDPR, Facebook
literally listed all their existing data collection items and forced everyone
to consent. Total increase in privacy: 0

~~~
rsj_hn
People can now remove that consent whenever they want and force their data to
be deleted at any time. This is a win. There are other wins, too.

------
hartator
> The GDPR is going to expose me to fines of up to 20 million Euros for even
> the slightest transgression

> No, the GDPR has the potential to escalate to those levels but in spirit

So, yes, but maybe no?

------
thisismyusernam
You missed a key question here. As a business owner, what on earth do I need
to do next?? Do I need to email all my users giving them an opt-out option?!

~~~
jacquesm
Working on that, there will be a second installment on Monday and - possibly,
if I can find the time - a third with a number of case studies.

This whole sequence was sparked through a discussion about the GDPR on HN a
few weeks ago and I've been working on it off-and-on hoping to get it done
before the law becomes enforceable.

------
Reedx
"Add filters keeping out children"

What are some methods for doing this? (aside from asking for a birthdate, which
is far from foolproof)

------
zerostar07
There is no need for hysteria. On the other hand many people from the EU (me
included) will want to keep using HN after May 25.

------
hitechnomad
GDPR is just good data protection practice.

------
emiliobumachar
Nice post.

Typo: "food safety laws" is listed twice in the bullet points for the lemonade
stand.

~~~
jonathanoliver
I was wondering if that was a joke, for added emphasis, or a mistake.

~~~
jacquesm
It was a mistake, thank you both, it has been fixed.

------
gregknicholson
> If becoming compliant with the law will cause your business to go under that
> is more or less the same as saying that your business is built on gross
> privacy violations. So if that’s your business model then good riddance to
> you and your company.

Hear hear!

------
StreamBright
Exactly. People try to explain to me how it is impossible to comply and
usually it turns out that it would be easy. I think the problem most of the
time is that people misunderstand the requirements or don't read the GDPR (not
even TL;DR versions).

~~~
merinowool
It is easy if they believe a particular person's interpretation. But that
doesn't mean they are right. People have huge problems with interpreting the
written word if it is not written without room for interpretation, and if you
add to the mix bureaucrats that have targets to meet you'll see it will not be
easy at all.

~~~
willvarfar
Am in the EU, am involved in some compliance stuff and have talked to plenty of
others at other companies, and it really does seem to be a nothing-to-see-here
for all companies except the sleazy ones.

~~~
hvidgaard
In all of my research, talking to lawyers, and seminars on GDPR, it is about:

1. Ask permission for collecting data

2. Keep sensitive data safe

3. Restrict access to said data

4. Keep a log of what happens with the data

5. Delete it upon request

6. Have all of the above documented and adhere to the protocol.

It's such a non-issue unless you're relying on the very thing GDPR is
designed to combat. If you're not collecting and selling people's data, and you
don't do the above already, see this as a good opportunity to do what you
should have been doing all along. There is such an awareness now, that it's
the easiest it has ever been to know how to handle sensitive data properly.

~~~
willvarfar
Completely agree with everything you list, and would add that 6. you can't
force a user to give up privacy in order to get some other benefit, e.g. you
can't offer to unlock some feature in return for more tracking

~~~
merinowool
Example: How do you ask a user for permission to keep access logs (which
contain the IP address) on the server, so that you can detect spam, DDoS and
other attacks? How do you store that consent information and what do you do if
the user doesn't consent? What do you do if a user connecting from a given IP
address wants you to send him the data you have collected about him? If people
share IP addresses how do you know which log data is about which person?

~~~
willvarfar
Some entity runs a webserver. This entity has a legitimate business purpose in
retaining access logs for e.g. 3 months for e.g. spam and security reasons.
This entity just has to document that.

This entity can allow a 3rd party service to access these logs so that 3rd
party can do whatever needs to be done if it is within the reasons the entity
gave for having the data.

What neither can do is go use that data for anything other than the said
purposes.

And if the given reasons are gratuitous and somehow the regulators notice,
expect to get a nastygram and have to comply or face fines.

Basically what you can't do is collect data for longer than you have a
legitimate need for, or cash in and sell data you've collected. Basically, all
said and done, just don't be sleazy and you'll be ok.

~~~
merinowool
Who defines what is a legitimate business purpose? Let's say I comply with all
that, but someone makes a complaint and a particularly bitter civil servant
judges that the collection is not legitimate, because he doesn't like the
content of the website?

~~~
acdha
That’s like arguing that we shouldn’t have laws in case a cop is having a bad
day and follows you around writing tickets. This is a legal process like
anything else: your standard should be what you’re comfortable defending in
court. Being able to show a good faith decision process, compliance with
common industry practice, etc. are going to help the case that any lapse was
unintentional.

If your angry ex is hired by a regulator you’d appeal it but there’s no reason
to think that’s a common problem.

~~~
merinowool
But an appeal might take forever and by the time it is resolved you file for
bankruptcy because the fine ruined the cash flow. I've seen it many times
in the EU, for example in Poland. Civil servants are immune from taking
responsibility and if you manage to get any compensation you'll find yourself
spending years in courts.

------
michaelsjoeberg
> Every company and every project or hobby ever has to be compliant with the
> law.

wrong.

if everyone always followed the laws, earth would still be considered flat (at
least until more recently).

~~~
DanBC
> and every project or hobby ever

But, in particular, that's wrong because personal projects are exempt.

------
raverbashing
Thank you (the author) for this.

------
tzahola
I can't help but love the turmoil GDPR is causing in the adtech "industry".
Like wasps buzzing around the exterminator who's about to destroy their nest.

~~~
whataretensors
When people losing their jobs due to government overreach makes you happy,
check your motivations.

~~~
seba_dos1
People keeping their jobs is not the most important thing one should strive
for with no regards to anything else. Especially not in tech, where it's more
than likely that it won't really hurt them.

------
yani
GDPR is a beautiful thing.

------
dnomad
The GDPR hysteria demonstrates that:

1. Many people (even "rational hacker-types" ha-ha!) do not take the time to
research, analyze or understand the regulations and laws that affect them.

2. Many people, even though they don't understand said regulations, will have
an extreme negative reaction to the new regulation especially when they see
big scary numbers like "$20M Euro". This is true even of
regulations like the GDPR which most anybody should be able to read and
understand in a couple of hours.

3. Many people don't understand where regulations come from or how they work.
They have no understanding of scope, process, judgement criteria or
enforcement vectors. This leads to terrifying visions of "EU cops" waiting at
airports to arrest people the moment they get off the plane.

Frankly, the whole situation speaks to the profound ignorance and fear that
lies at the heart of the modern nation state. Citizens do not understand the
government, they have no understanding of how or why it does what it does, all
they really understand is that the government can and will completely ruin
them should they violate one the tens of thousands of laws and rules and
regulations and decrees that modern governments impose on their domains.

This ignorance has real consequences and costs. You can see this now
particularly in Britain where many people are now learning how their country
actually works _after_ voting to tear down their current regulatory and
economic framework. But you can also see it in all the fear and the moaning
and the teeth gnashing every time some new regulation is proposed. (The funny
thing here is that even the most hardcore libertarian economists are coming to
understand that regulation does not impede economic growth [1]. Indeed there's
ample evidence that regulation, by imposing best practices on firms and
increasing trust within the market, is a significant _driver_ of economic
growth.)

The reason I point this out on HN is because I think, at the end of the day,
being an entrepreneur or an investor is all about learning how the world
really works and then changing the world to work for you. And while most
people can perhaps afford to plod along with all sorts of misguided notions
about how the world works because their jobs do not require them to have any
real understanding of the big picture, entrepreneurs and investors absolutely
cannot. Buffett says it best: _"Risk is not knowing what you're doing."_ The
sites shutting down in the face of the GDPR out of fear and ignorance are
making the most basic mistake, they literally do not know what they're doing.

[1]
[https://marginalrevolution.com/marginalrevolution/2018/02/fe...](https://marginalrevolution.com/marginalrevolution/2018/02/federal-
regulation-not-cause-declining-dynamism.html)

~~~
whataretensors
I'm not sure about that paper. It's based on the research of someone who works
at the census bureau and a university professor. Their interest is also in
making their employer look good.

Also the paper ends in "we also may be mis-measuring dynamism."

------
Malarkey73
Hear hear...

------
zitterbewegung
Thanks for this post. I appreciate that you took the time to write this guide.

------
dorkusmcgavin
I personally am not hysterical about any of this, I just am concerned for the
citizens of the EU while living under this law. My main issue with the GDPR is
that articles and supporters are constantly thinking in terms of "business"
and not in terms of other services, and also not thinking in terms of long
term impact.

For instance, I run a small community website (~30 people). I receive no
income, and I know everyone involved. Everyone is in the United States. Is it
open to the world? Yes, technically. What happens when an EU resident signs
up? Well, I'll continue to run things exactly the way they are currently set up.

How does this situation play out long term? First, I'll tell whomever contacts
me that I am in compliance with US law, and I'm a US citizen. I do not have to
follow their laws because it's not within my jurisdiction. Second, they will
order me to block EU citizens from my site, which I will not do because it's a
mandate of work on me for no reason by a foreign country.

So what happens in this situation? The only recourse for the EU is the
internet version of "sanctions", to block my website from the EU.

Now they've set a really interesting precedent. How do they now enforce these
blocks? Technical issues aside, are they going to do a whitelist or a
blacklist? Regardless, they are setting up the equivalent of the Great
Firewall for the purposes of maintaining the GDPR.

So why does this matter? It's only an isolated incident that will likely never
occur, right?

Wrong. One community website like mine with one EU citizen that decides to
file a GDPR complaint means that somehow this situation occurs. It can even be
an intentional, "sign up, file complaint" immediately to trigger this legal
situation. Think there aren't any foreign governments that wouldn't flood a
system like this to censor the EU citizens in various mild ways? Think some
random anarchist activist will not decide to monkey with the system by finding
and reporting all the small violators?

The end product is a curation of the internet for EU citizens by EU
government. Hopefully your leaders are benevolent, and nothing crazy happens
in the democratic process. I remember being told during the Bush and Obama
administrations that my views against government surveillance due to potential
for abuse were unjustified because we could never have a horrible president
and that our presidents will always be benevolent, so the policy would never
change toward the worse. How did that play out? How do people think democracy
functions, honestly?

Again, I really don't care too much. They can self censor if they want, but it
really seems like GDPR is a win for Russian and Chinese meddling.

~~~
cbg0
> For instance, I run a small community website (~30 people). I receive no
> income, and I know everyone involved

You may be able to ignore GDPR compliance in your situation, as per article 2:

> This Regulation does not apply to the processing of personal data: [...] by
> a natural person in the course of a purely personal or household activity;
> [...]

There is some more information in recital 18, that says

> This Regulation does not apply to the processing of personal data by a
> natural person in the course of a purely personal or household activity and
> thus with no connection to a professional or commercial activity.

So if you're not making money, and you're not established as a business you
should be okay.

If you have any doubts or concerns, become compliant or ban all EU/EEA users.

~~~
dorkusmcgavin
That's an interesting statute. The problem is it can be interpreted in many
ways. Your interpretation is how some may see it, however there are others as
well.

For instance:

> by a natural person in the course of a purely personal or household activity

First off, this isn't purely personal nor household activity. I serve others,
not myself.

> and thus with no connection to a professional or commercial activity.

If the goal of the community is to help people develop professional skills
(writing, for instance), couldn't that have a connection to professional
activity? Also, I use this website as an example on my resume to bolster my
own professional competence as a coder. That could qualify.

As always, laws are words that generally end up with the best paid lawyer's
interpretations winning in court. It's a roll of the dice, that statute is not
clear at all.

We're still debating the meaning of nearly all statutes in the US constitution
242 years later. Some in the legal community have declared "consensus" by case
law, but even those end up getting changed and overturned all the time.

