
GDPR: Removing Monal from the EU - maufl
https://monal.im/blog/gdpr-removing-monal-from-the-eu/
======
jacquesm
This is a ridiculous over-reaction based on an extremely shallow
interpretation of the GDPR.

If you are running a small business and you feel that you won't be able to
operate your business because of the GDPR consider all those other laws that
you have to be in compliance with as well. If that's your attitude towards
legal compliance then you should probably shut your business down completely
rather than to hope that just ignoring European customers is going to make the
bogeyman go away.

Legal compliance is a requirement for _any_ business, and privacy law is just
one more thing to take into account and for a small business that does not
process super sensitive data (such as medical information or financial
information) the costs of compliance are negligible. They're not '0', but then
again it is a business and costs of doing business are the norm.

~~~
fcbrooklyn
It is impossible to sell raw-milk cheese in the United States. Are French
cheese makers overreacting by simply choosing not to do business here rather
than change their centuries-old production techniques? It is illegal to sell
Kinder eggs in the US, because of some law that involves children accidentally
swallowing toys. Is Kinder overreacting by refusing to sell those candies
here? You cannot buy Bovril in the US, because of a panic about mad cow
disease from 20 years ago. Are the manufacturers of Bovril overreacting by
refusing to create a separate production facility that uses only beef sourced
from outside the UK? Compliance with laws outside your primary market has a
cost, and potentially a benefit. Every business, large or small, is going to
do that cost-benefit analysis, and make their own decisions. As an American I
can hardly blame the Kinder people for failing to provide me with convenient
access to chocolate eggs containing plastic toys. It's my government, and the
laws they've put in place that have had that effect.

~~~
jacquesm
Thank you for making a coherent argument. You are missing one point I think:
if not for those regulations those companies would love to do business. They
are _forbidden_ from doing business, this guy sees the law and runs off
without even trying to become compliant. That's a different thing. There is
_no way_ that Kinder could be compliant with US law in such a way that they
would not be exposed to what - to EU sensibilities - amount to exorbitant
damage claims.

Similar arguments apply to the other examples you use. I see your point and
there are valid reasons to not enter a certain market because of the legal
climate there, but the point I am trying to make is that the OP has not raised
any valid point at all other than 'I don't want to comply'. And that's fine by
me, but then don't bother dressing it up in a bunch of made up requirements.

~~~
kingofhdds
>this guy sees the law and runs off without even trying to become compliant

This guy quite clearly states that he doesn't have resources to become
compliant, while it is too risky to make a mistake here.

There are fans of GDPR on this website, who prefer to ignore the fact that the
compliance has its cost, and added to that still unknown risks of practical
interpretation of legislation which also have their cost. But these are real
life things.

~~~
Angostura
I respect his right to do whatever he would like with his own hobby, but we
should be clear that the guy is _stating_ he doesn’t have the resources, based
on a series of misunderstandings.

So, for example, he says he is _required_ to appoint a DPO.

The U.K. Information Commissioner has this to say:

> Do we need to appoint a Data Protection Officer?
>
> Under the GDPR, you must appoint a DPO if:
>
> * you are a public authority (except for courts acting in their judicial
> capacity);
>
> * your core activities require large scale, regular and systematic
> monitoring of individuals (for example, online behaviour tracking);
>
> * or your core activities consist of large scale processing of special
> categories of data or data relating to criminal convictions and offences.

~~~
kingofhdds
And "large scale" means how many records in DB? How many users? Or records per
day?

~~~
Angostura
Why have you isolated one element from a multiple element sentence:

If

* core activities * require * large scale * regular * systematic

If you tick all those other boxes, but are concerned that your processing may
be teetering on the boundary of 'large scale', I would be cautious and assume
you're liable.

~~~
kingofhdds
All repeatable processes are systematic, almost the whole IT goes into the
category. And "core" is undefined too.

I agree that it is safer to imply you're liable.

------
mnkypete
There is so much misconception about GDPR. It is clearly directed at large
data-tracking corps, not single person IM apps. Even if someone tries to "sue"
you (which he can't, only report you to authorities), it first needs to go
through many iterations where you can make your case.

At the very least read this:
[https://privacylawblog.fieldfisher.com/2016/what-you-think-you-know-about-the-gdpr-and-why-you-may-be-wrong](https://privacylawblog.fieldfisher.com/2016/what-you-think-you-know-about-the-gdpr-and-why-you-may-be-wrong)

~~~
ucaetano
Directed or not at large companies, it applies to all companies.

It introduces a fixed cost for operating with any user-related data, which
effectively kills any companies operating below that cost.

~~~
Y_Y
Maybe companies that are so flimsy didn't have long left anyway.

You're required to have a fire safety officer at these companies too, but it's
not a full-time position.

~~~
ucaetano
> You're required to have a fire safety officer at these companies too, but
> it's not a full-time position.

AFAIK, most of the "safety committee" regulations usually have waivers for
small companies.

~~~
Sean1708
Well that's terrifying...

------
danbruc
_While Monal is privacy focused, it is also free, open source and run by a
single person — me. I simply do not have the resources or the time to jump
through the regulatory hoops required by the EU._

As a new and small construction company we simply don't have the resources to
comply with all the building codes and the related paperwork. I just can't
afford to meet all food safety requirements, I just want to provide free meals
for homeless people in my spare time. I just built this car from scratch for
myself and now they tell me I can not drive it on public roads just because I
don't have the time and money to meet the required standards?

~~~
fcbrooklyn
Your first two examples are cute, but your third has the unfortunate side
effect of undercutting your argument. A car you built yourself (or more often
a motorcycle) actually _can_ be driven on roads in the US, as long as it has
the appropriate indicators (brake lights, turn indicators, headlights).
There's a crazy subculture around building bikes that would never in a million
years pass muster as production vehicles. (let's drop a chevy small block into
a harley).

~~~
bkor
> A car you built yourself (or more often a motorcycle) actually _can_ be
> driven on roads in the US

Such a car cannot be driven on the road within The Netherlands without it
being validated as safe (plus some other inspections).

For the US, the same seems to apply. Per
[https://www.dmv.org/car-registration.php](https://www.dmv.org/car-registration.php)
it mentions: "Pass a vehicle safety inspection." So again you need to deal
with paperwork and read what those safety regulations are.

~~~
nathanaldensr
Some rules are decided by state. For example, Idaho has no vehicle inspection
process, just registration (i.e., paying a fee and getting a license plate and
license plate sticker).

FWIW, dmv.org is not an official government site.

------
eterm
Why not give the user control and have things such as crash reporting be
opt-in?

We sleep-walked into a society where the expectation is that any and all data
is scooped up and sent off remotely without adequate controls and I think it's
great that the EU GDPR is making people wake up to the scale of it.

Suggesting that XMPP federation isn't compatible with GDPR seems like an
overreaction, isn't that like saying that SMTP isn't compatible?

~~~
jimmaswell
>We sleep-walked into a society where the expectation is that any and all data
is scooped up and sent off remotely without adequate controls

We used to live in a society where webmasters' rights to the fruits of their
labor weren't trampled on by inane regulation (to this degree at least). Now
if you run a website in the EU, any user who signs up to it has control over
the contents of your servers and you have to ask in extremely specific detail
to do anything with some of that content, and that "consent" can be revoked at
any time.

The EU has shot themselves in the foot and more and more companies are going
to refuse to do business with them because of it.

~~~
BinaryIdiot
> We used to live in a society where webmasters' rights to the fruits of their
> labor weren't trampled on by inane regulation (to this degree at least)

So someone having a copy of my data that I wish be removed is trampling on a
webmaster's rights? That makes no sense whatsoever.

> Now if you run a website in the EU, any user who signs up to it has control
> over the contents of your servers

This isn't even true. They have _a tiny bit more_ control of what you can do
_with their_ data. That's it.

Buckle up because this type of regulation is only going to happen more
frequently and in large part because of your attitude that it is "your" data
versus the user's data.

~~~
jimmaswell
But it's not "their" data. It's the webmaster's data. It rightfully belongs to
the webmaster. It just happens to pertain to the user. There is no
justification for that information still belonging to the user after the user
surrenders it to the website.

~~~
anonymouz
> But it's not "their" data. It's the webmaster's data.

No

> It rightfully belongs to the webmaster.

No, you are completely wrong here. The basic point of the legislation (and
other privacy legislation in the EU that came before GDPR) is that a user's
personal data absolutely does not belong to someone else once collected.

~~~
jimmaswell
I obviously wasn't talking in a legal sense, I was talking in a "what's
actually right and good" sense. The law doesn't make something right.
Rightfully, the information belongs to the webmaster. Under GDPR, users get to
put a leash and muzzle on webmasters.

~~~
anonymouz
Well, I'd say it's also not at all rightful in a "what's actually right and
good" sense.

And as others have pointed out, no, the users don't get to put a leash on
webmasters, it just allows the users to retain some degree of control over
what the webmasters are allowed to do with personal information about their
users. But feel free to argue that it is your moral right to sell users'
e-mail addresses to some spammer or whatever.

~~~
jimmaswell
"users don't get to put a leash on webmasters, it just allows the users to
retain some degree of control over what the webmasters are allowed to do"

I'll let that excerpt speak for itself.

And yes, I'm arguing it's anyone's moral right to profit off information
voluntarily entered into their website unless a specific agreement was made on
the website to the contrary.

~~~
GordonS
> And yes, I'm arguing it's anyone's moral right to profit off information
> voluntarily entered into their website unless a specific agreement was made
> on the website to the contrary

Views like this are _exactly_ why we need the GDPR.

I find it utterly ridiculous - _disgusting_ even - that you really believe you
have the right to do whatever you want with someone else's personal
information. When you provide an email address, physical address, name or
other PI, it's with the expectation of it being used for a specific purpose -
it should absolutely _not_ give you the right to sell that information to the
highest bidder.

~~~
wilsonnb
Why not? I have yet to see anyone arguing for data protection legislation
actually give a reason that they think a user's data belongs to the user.

~~~
lagadu
Equifax.

~~~
wilsonnb
The Equifax breach was already illegal - I assume you mean you think that
websites shouldn't keep user information to prevent future data breaches.

This is a bad solution to that problem. So many people's data was stolen that
preventing future data from being stolen isn't the most important thing we
should be doing. Last I heard it was 150 million people - that's enough that
it no longer really matters to the average person if their data is leaked in
the future because there's such a high chance it already has.

The real solution is to change our systems so that data leaks aren't a big
deal. If people didn't ask for a 9 digit number to identify me, as if that's a
reasonable thing to keep secret, then it wouldn't matter if everyone in the
world knew it. That's the problem with data breaches like this. That's what we
should be fixing in response to it.

------
Hamuko
>I do not have the resources to hire a Data Protection Officer (DPO) or EU
Representative as required by GDPR.

>1. The controller and the processor shall designate a data protection
officer in any case where: (a) the processing is carried out by a public
authority or body, except for courts acting in their judicial capacity; (b)
the core activities of the controller or the processor consist of processing
operations which, by virtue of their nature, their scope and/or their
purposes, require regular and systematic monitoring of data subjects on a
large scale; or (c) the core activities of the controller or the processor
consist of processing on a large scale of special categories of data pursuant
to Article 9 and personal data relating to criminal convictions and offences
referred to in Article 10.

I thought this guy was a single person who put something on Github. How is he
required to appoint a DPO? What kind of large-scale processing of personal
information is he doing?

~~~
CobrastanJorji
That seems insane, and I'm definitely not a lawyer, so maybe there's an out,
but I think maybe he's right. Article 37 is pretty clear that if your core
business involves processing data that's subject to the GDPR, you need to
appoint a DPO, and it can't just be you, because they also require that the
DPO can't have a conflict of interest. Man, that's unfortunate.

[https://gdpr-info.eu/art-37-gdpr/](https://gdpr-info.eu/art-37-gdpr/)

~~~
unilynx
which clause would apply to require a DPO?

clause a: not a public body

clause b: not systematically monitoring (eg. installing video cameras all over
the streets)

clause c: not processing large scale sensitive or criminal information.

doesn't look to me like a DPO is needed based on this article?

~~~
kaspm
It really comes down to the definition of "systematically monitoring". On our
service we capture behavior (say in FullStory) and Google Analytics at a
"large scale". How the DPO clause gets interpreted is going to be a key
finding in the next few months. This is imho the most confusing and
potentially difficult part of GDPR

~~~
arianvanp
No, that's irrelevant in this case. The question is whether you're processing
sensitive PII on a large scale. DPO is only necessary when processing sensitive
PII. Sensitive is very clearly defined in the law as race, religion, medical
records or biometric data. And IP addresses certainly do not qualify as
sensitive PII (they are PII though) so I don't understand the entire
discussion here. Seems to be just a political kneejerk.

~~~
kaspm
That's fair in this case, at my company we track "pregnancy status" and "due
date". It's unclear at this point whether that's considered sensitive PII.

------
TomasEkeli
I keep telling people - the thing that changes with GDPR is that personal data
you handle is now still owned by the person and only in your custody as long
as they explicitly allow it.

All of our infrastructure has to change to honour that. If you cannot honour
that change, maybe you shouldn't have been handling personal data.

I don't have any knowledge about monal.im (don't know what it is - some kind
of im client?), but this person is making some claims:

- he needs a data-protection officer: no, only larger orgs handling lots of
personal data need this. If he's making an im-client and not servers that
store data he certainly doesn't, but I don't know what his setup is.

- crash analytics: This can be handled by telling the users clearly that
you'll be gathering the data (and defaulting to not gathering if they don't
actively approve). As long as you have a proper PURPOSE for gathering and
storing the data and don't use it for anything else you're golden. You do have
to document this, in case of a review (hyper-unlikely).

- Push: he's getting a message and storing the device/ip combination. This
seems to be central to the service he's providing. Therefore he can and should
put that in the description/terms of his service (as he cannot deliver the
service without this). As long as it is clearly explained to the end-user this
is fine, and he can keep doing it. If he stores it and does anything with this
data other than the central purpose that he informed the end-user of he's in
violation. I'd suggest putting it in clear text in front of the end-user and
deleting the data as soon as it's no longer needed. Don't do any non-approved
analysis on it. If you want to analyse - ask for permission.

XMPP federation may be a problem, I agree with that. The problem here (as I
see it) is that each service getting the personal data must only process it
for the purposes explicitly agreed to by the end-user and honour any
subsequent notifications of rectification and deletion. This is a hard nut to
crack indeed.

~~~
tobltobs
> no, only larger orgs handling lots of personal data need this.

I can't find any exemption for small companies in Article 37 of the GDPR. Can
you give me a hint which part you interpret this way?

~~~
advisedwang
Section 1 only requires a DPO when you are operating at "large scale".

~~~
tobltobs
Article 1 (c): the core activities of the controller or the processor consist
of processing on a large scale of special categories of data pursuant to
Article 9 or ....

What makes you believe that the "large scale" refers to the size of the
organisation and not to the amount of processed data?

------
pavlov
_>... I frequent Europe and do not want to get into legal trouble on
vacation._

Does the author seriously believe this could happen? Enforcement of GDPR is
similar to antitrust law. A regular police officer isn't going to fine you for
that.

The author's anxiety makes as much sense as not traveling to the United States
because you're worried that your one-person pottery business might be
considered a monopoly under the Sherman Act.

~~~
kybernetikos
BetOnSports, an AIM-listed UK company, took sports bets over the internet,
including from US customers:

> In July 2006, their then-CEO, David Carruthers, was arrested while changing
> planes in Texas on the way to Costa Rica from the U.K. In April 2009 he
> pleaded guilty to federal racketeering charges, and in January 2010 was
> sentenced to 33 months in prison.

~~~
anonymouz
From Wikipedia:

> BetonSports plc is a British online gambling company founded by Gary Kaplan
> in 1995. The company was one of the biggest players in the United States
> online gaming market, drawing in several billion US dollars in wagers in the
> early 2000s.[1] In June 2006 US authorities indicted the company and a
> number of its executives on RICO, mail fraud, and tax evasion charges
> arising from its supplying online betting to customers in the United States
> (the alleged crimes took place before the adoption of the Unlawful Internet
> Gambling Enforcement Act of 2006).

This is about federal crimes committed by executives of a billion-dollar
company.

OP seems to be a solo open-source project, and violating the GDPR is not a
criminal offense. This isn't even close to being comparable.

~~~
kybernetikos
While I agree that violating the GDPR is much less likely to result in being
pulled off a plane than running a company that allows people to _gasp_ gamble
on the internet, your characterisation of the problem as 'federal crimes'
seems to suggest that there was something much more nefarious going on than
simply allowing people in another jurisdiction to do something over the
internet that is completely legal in the jurisdiction you are based in. I
could be wrong, but according to my understanding, that's not the case.

The 'federal crimes', were precisely enabling US customers to gamble over
their phone lines. That was enough to get a publicly traded company in a
friendly nation categorised as 'organised crime'.

The other thing you mention about how it's not a criminal offense is something
important a lot of people seem to be missing. If you're violating the GDPR and
someone notices, the first thing that happens is that they work with you to
try to correct the problem, not that they hit you with huge fines and laugh
while twirling their mustaches.

~~~
anonymouz
Maybe we just misunderstood each other a bit: My point about the 'federal
crime' is not to judge gambling as more nefarious, but to simply point out
that the violated law in this case is a completely different type of law
(criminal).

As you correctly note, the GDPR is an EU regulation that will be enforced by
national regulatory bodies through warning letters and fines. Unlike for
criminal offenses, there simply is no way for it to be enforced by a police
force or through arrests.

------
viraptor
I'm both surprised that people react so strongly and... mostly ok with it.
The majority of GDPR is pretty reasonable - know what data you have and make
sure your users know it as well. Allow removing it, make sure you don't share
with parties who don't need it. For normal services it doesn't appear to be a
tough requirement.

You certainly don't need to hire extra people like the author suggests and
federation should be just fine. (it's essential to what the service does)

~~~
GalacticDomin8r
"Allow removing it" is a pretty big barrier for many.

~~~
dbbk
You can just do it manually... I have a feeling deletion requests will be
pretty few and far between anyway.

~~~
kasey_junk
There are already services that are automating them for you. They send to
2-300 companies on your behalf.

------
BillinghamJ
This project is completely out of scope for GDPR, not having any presence
whatsoever in the EU. You aren't going to be arrested when going on holiday.
You wouldn't be breaking the law at all, even if it was possible to enforce
anything.

Even if it was in the EU, it wouldn't require a DPO, and your use of IP
addresses is very reasonable and within the standard allowances which don't
require user consent.

Maybe bother reading _anything_ from an official source before coming to this
conclusion? This reads to me more as something you want to have a rant about
because you don't like it - rather than as any kind of pragmatic decision.

~~~
kasey_junk
_Disclaimer: I work on GDPR stuff for a company it certainly applies to, this
is my opinion not my company's_

We’ve spent tons of money & interacted with lots of official sources trying to
get opinions about what GDPR means and it just isn’t available.

 _Everything_ is a risk mitigation technique right now with no real answers in
sight. If I had _any_ personal projects serving traffic in the EU right now
that weren’t profitable I’d likely shut them down.

I think it’s _likely_ that the regulatory agencies will act with restraint and
this will all be hysteria without merit, but I’ve seen enough legal opinions
to know that’s not the worst case scenario.

~~~
ascorbic
What are you talking about? There's a ton of information about what GDPR
means, both from the EU and the national regulators (particularly the ICO).
The best sign that the regulators aren't going to go crazy with this, is that
they already have quite significant powers and they're not throwing their
weight around now.

~~~
kasey_junk
[https://www.google.com/amp/s/www.xda-developers.com/facebook-privacy-lawsuit-belgium/amp/](https://www.google.com/amp/s/www.xda-developers.com/facebook-privacy-lawsuit-belgium/amp/)

Mind you Belgium is 1/30 the size of the US

~~~
Sacho
This lawsuit doesn't seem to stem from the GDPR, despite the article
(mistakenly[1]) mentioning it. I don't even know if the regulatory bodies are
enforcing the GDPR yet, much less in February this year, or even worse, 2015.

Here's a statement from the CPP, connected to the 2015 lawsuit. They mention
Facebook being in breach of Belgian privacy laws from 1992.

[https://www.privacycommission.be/sites/privacycommission/fil...](https://www.privacycommission.be/sites/privacycommission/files/documents/recommendation_04_2015_0.pdf)

[1] - none of the other reporting I found on the subject (Guardian, Bloomberg,
etc) mentions the GDPR. They also don't show the court order, which is
frustrating.

~~~
kasey_junk
It doesn’t relate to GDPR specifically other than it’s the same regulatory
body.

That lawsuit is being interpreted as a signal that they intend to be very
aggressive in their enforcement of GDPR.

------
chx
Honestly, most small USA businesses take one look at "Up to €20 million, or 4%
annual global turnover – whichever is higher." and just run. There's no point
in even trying to salvage the situation.

> For the 3.7 million small businesses with 1 to 4 employees, the Census
> Bureau figures show average annual sales in 2007 were $387,200.

Given that, who wants to risk a 20M fine? All this advice in this thread to do
this, run it through a lawyer (lawyers are expensive especially international
ones), makes no sense to the majority of the businesses in the USA: there are
less than 8M employers in the USA and a very small percentage has a yearly
turnover of even a mil not to mention the ~600M USD where the fine changes
from a constant to a percentage.

To give you another idea of how much money this is, about a quarter of public
companies have less than 25M USD market cap.

As a dual Canadian-EU citizen I am stupefied by this law.

~~~
blackbrokkoli
Please actually read the law before you try to argue with “as a...“. The fine
scales with the violation and it does -surprise- not mean that arbitrary
Github projects will have to pay 20m€...

~~~
fenwick67
The sentiment of a law doesn't always translate to the enforcement of it in
practice

~~~
dbbk
Similar laws already exist and have existed for a long time. There’s no
evidence of disproportionately and illogically large fines having been handed
out in the past, and nothing to suggest regulators will start now.

~~~
chx
Show me a law where you need to make half a billion euros before the potential
fine becomes proportional to your turnover.

It only takes one opportunistic apparatchik to make your life hell and this
GDPR thing is now law in such places like Hungary where I hail from and if
they can get away with it, trust me, they will go overboard. Maybe not 20M
overboard but still.

------
matthewmacleod
The overreaction to GDPR from US tech startups in particular surprised me at
first. But my partner is a lawyer working on GDPR compliance for a variety of
tech firms, and he explained that there's almost a _historical cultural
difference_ in terms of attitudes to ownership of personal data.

European regulation typically treats personal data as being the property of
the person being identified; US tradition considers data generated by a
company to be the property of that company, not of the person.

This made the whole massive unnecessary panic by primarily US-based small
companies much more understandable to me.

~~~
jcims
It's not really 'unnecessary' if you didn't account for the objectives of the
GDPR in your initial design. Assign any moral attributes you like to it, if
GDPR requires substantial tinkering with your product then it's reasonable to
be concerned.

------
zerostar07
While this developer may be overreacting (he probably doesn't need a DPO), I
understand why it might just be easier to block it, at least until there are
precedents about how to comply and more info on how the regulation will be
enforced.

GDPR can be scary for developers, because nobody actually knows how a website
or app is supposed to work (I have yet to see a single example), and it
requires a series of steps that are not trivial on the administrative side.
The Right to be forgotten is the easy part. Having to document everything you
do and introduce data-dumping mechanisms that are both anonymous and secure is
administrative burden. Having to do that for every little project that you
release, even if it has 10 users, is a bit too much. Many developers cast a
wide net, releasing products often, and this is practically unnecessary work
unless you have a significant amount of users.

Introducing opt-in forms everywhere is also not great. It didn't work for
Windows Vista so why do we expect this to work on the web? Opt-ins for things
like cookies should be implemented on the browser. What's the point of warning
a person before sharing their email? What's the point of warning them that
you'll install a cookie? IP addresses and cookies etc are integral parts of the
HTTP protocol and the browser so why not introduce anti-tracking regulation
that targets browser vendors and telcos instead of introducing regulation that
targets every developer on the planet? It doesn't seem like an optimal plan
imho. The example of the cookie law (for which it's hard to argue that it has
not utterly failed) should act as a bad precedent, not a good one.

It's easy for US developers to be positive about GDPR because they can avoid
the overreaching parts, but for us in the EU it's something we have to abide
by 100% of the time. I'd like to hear what other people think about those,
because otherwise I hear a lot of emotional praise for GDPR which is blind to
how problematic it is at day 0.

~~~
slrz
> The example of the cookie law (for which it's hard to argue that it has not
> utterly failed) should act as a bad precedent, not a good one.

It is an utter failure but mostly because services try hard to turn it into a
travesty _and_ simultaneously manage to deceive their users by attributing
blame for the annoying cookie warnings to regulators.

"We are required by law to show you this stupid warning because our site uses
advanced features that need cookies to work. Without them, you couldn't even
login! (OK)"

Which, of course, is utter bullshit. If you can stop this deception, things
might actually work out as intended. Sites may rethink their need for personal
data gathering if cookie warnings would have to look more like the following.

"We'd like to analyze your site usage for ad targeting and other things that
make us some more money.

Do you agree we use cookies for that? (yes/no)

NOTE: Even if you disagree, standard site functionality like logins will
continue to work unharmed."

~~~
aembleton
But how would you handle logins without cookies? How would you know that a
customer has already agreed not to allow cookies without a cookie?

~~~
slrz
I don't think you need to get explicit agreement when using cookies to
implement expected site functionality, as long as you don't re-purpose
them for profiling/targeting purposes. IANAL, though.

See:
[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se...](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_2)
(starting at "Howewer, some cookies are exempt …")

------
maufl
Please be nice to the developer. I didn't post it to shame him. I'm just very
sad about the post because I was hoping to establish XMPP as the group chat in
my family, of which half are iPhone users.

~~~
kodablah
Just curious (to you or anyone else affected), would you be willing to give up
your rights under the GDPR, with regards to this company specifically, to
regain access? Do you believe you should have a right to trade these rights of
yours or is it in the general good that companies cannot offer an easy GDPR
opt out?

~~~
tobltobs
If the result of the GDPR is that only big companies, employing as many
lawyers as developers, will be able in the future to provide the tools I need,
then yes I would be willing to give up my rights under the GDPR. Because what
is the alternative? If all small messenger providers have to give up, everybody
will be using FB. Is that better for privacy than the current state?

~~~
badsectoracula
> Because what is the alternative

Wouldn't a better alternative be to design a messenger that complies with
GDPR? Simple user accounts that can be deleted at the request of the user,
peer-to-peer encryption (and where possible, communication), a "storage
cabinet" for each user where encrypted data ends up when the user is offline
(with an encryption/decryption key that is generated client-side and
transmitted while both users communicate) and can easily be deleted, and I
think this covers most uses.

This is just an idea that I came up with right now, but if you start your
design with the goal to store as little data as possible and anything you
store needs to be both encrypted and easy to delete, then i believe you can
come up with several ideas for most issues.

It also helps to see this as respecting the users' privacy and giving them
control, as opposed to a development burden :-P.

~~~
nemothekid
I don't think you actually answered his point. Sure you could build an IM
client that is GDPR compliant, but at what point do the costs become so high
that everyone just defaults to using Facebook because (1) they can afford to
be compliant and (2) they are trained well enough to not fuck up their
encryption.

In other words, are we moving towards a world where unless you are VC backed
(Signal, Telegram, Whatsapp, etc) don't bother building an IM client? Also
note, I don't think there might be anything wrong with that - if we expect all
our communications to be E2E encrypted, maybe Joe Shmoe shouldn't be writing
an IM client.

~~~
badsectoracula
There is an assumption that there is some additional "natural" cost involved
because of GDPR, but where does that assumption come from? The cost might
currently exist if you are not compliant and you need to convert (or you need
to skirt the edge between what is allowed and what not), but if you start with
being firmly compliant from the design phase, where does the cost come from?

~~~
tobltobs
Eg. the DPO.

------
jwdunne
You don't need a DPO. I work with healthcare businesses and some of them don't
even need a DPO.

You only need a DPO if you are a public authority, if you do large scale
processing or large scale processing of sensitive data (ambiguous in the
GDPR).

If you collect some data, all you need is a privacy policy outlining such,
stating what you collect in general and that your legal basis for doing so is
to provide the user a service and to monitor for app crashes / bugs - both
within your legitimate interests.

Many people have interpreted GDPR to be stricter than it is. In fact, those
who have to do the most work are those that cause incredible damage to
individuals when they lose data - especially those that have had recent,
massive data breaches, e.g. Equifax.

~~~
sparrish
I'd feel better if there were a definition of 'large scale' somewhere but the
official documents are just too ambiguous.

Are 1 million IPs in my logs 'large scale'?

~~~
jwdunne
It's not defined. It was left intentionally ambiguous in the GDPR so member
states have some flexibility in definition.

I've got a call with a lawyer on Monday to clarify some bits of the GDPR.
Number one Q for me is "how far can you take legitimate interests?".

Some lawyers are advising that marketing data and usage falls under legitimate
interest, in a way that these huge drives for consent seem unnecessary.

If anyone else has any questions, I can ask and feed back. I'm sure I'll have
those questions too.

~~~
DanBC
> Some lawyers are advising that marketing data and usage falls under
> legitimate interest,

Even ICO says legitimate interests might be okay for some marketing.

[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/#marketing_activities)

------
slackoverflower
I'm convinced this is the start where EU citizens become second class Internet
users. Many businesses just don't want to go through the troubles of GDPR
regulatory hoops. For most businesses, there's enough customers to sustain
their business in the US, Canada, rest of the world that they can ignore all
EU customers.

~~~
lossolo
> I'm convinced this is the start where EU citizens become second class
> Internet users.

This is a free market with 550 million potential users/citizens; the void will
be filled pretty quickly by other companies/developers that actually spent some
time reading about what GDPR is.

~~~
nickpp
You sure? Europe doesn’t have a stellar record when it comes to high tech
startups. For many reasons. And I am afraid GDPR has just added another one.

~~~
lossolo
> Europe doesn’t have a stellar record when it comes to high tech startups.
> For many reasons.

For many reasons indeed, this is a broad topic and GDPR doesn't change anything
if we are talking about big US players and their domination. None of them is
getting out of the EU.

> And I am afraid GDPR has just added another one.

I disagree, it's the other way around. Small single-person
companies/developers that leave the EU market could only strengthen the local
market. Any other US/EU/outside-EU startup/developer can fill that void.

~~~
nickpp
I fail to see how adding another onerous regulation makes the EU founder more
likely to succeed where the US founder decided to give up.

~~~
lossolo
You wrote:

> Europe doesn’t have a stellar record when it comes to high tech startups

Which automatically implies that you were talking about non-EU tech companies
leaving the EU because of GDPR and EU startups filling their space. And now you
fail to see how this will make EU companies more likely to succeed? What?

I think you fail to understand what the point of my argument was. It doesn't
matter if this will be EU founder or US founder or XX founder, if there is a
void it will be filled, doesn't matter who will fill it. This is an axiom
describing the free market.

> onerous regulation

I am conducting online business in EU handling personal data and I don't find
it onerous at all. Adding to that as EU citizen I am happy that this
regulation was introduced in EU law system.

------
rwcarlsen
Many of the comments here are rebutting - saying that a DPO isn't needed or
that this guy gave up unnecessarily. But the fact that he had to spend who
knows how much of his time to even discover whether he needs to do anything
(or what sort of trouble he could get into) is too much of a barrier for many
people and their hobby side projects. This is unfortunate and not surprising
collateral damage of the GDPR.

~~~
GordonS
I'm a small businesses owner. When I first found out about the GDPR, this was
exactly my view, and I even posted on HN to that effect.

Then I actually spent a little time finding out more and, as someone who cares
about privacy, quickly realised the positive intent behind it, and how simple
it is to comply with in principle: let users know what data you collect and
what you do with it, and give them the possibility to request it or request
that it be deleted.

TBH, if someone requested any of this, I'd do it without the GDPR.

------
jimnotgym
> I do not have the resources to hire a Data Protection Officer (DPO) or EU
> Representative as required by GDPR.

A DPO is most certainly not required by all organisations[0], and I would be
surprised if it applied to this project. I know lots of blogs are saying it is,
but it is simply untrue. I'm not saying that this totally relieves the burden
however.

[0]: [https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/)

~~~
tobltobs
> most certainly not ... but it is simply untrue.

Most certainly simply untrue?

~~~
eindiran
There are two sentences there.

A lot of people are claiming that a DPO is required. GP is saying that a DPO
is most certainly not required and that the claim [that a DPO is required] is
simply untrue.

------
adambrenecki
> I do not have the resources to hire a Data Protection Officer (DPO) or EU
> Representative as required by GDPR.

Lots of people are responding to the DPO side of this sentence, saying that
it's not as onerous as the author of this article is making it sound, but as
someone who's also not based in the EU it's the "EU Representative" part that
I'm more worried about myself.

Article 27 says:

> (1) Where Article 3(2) applies, the controller or the processor shall
> designate in writing a representative in the Union.

Article 3(2) is the bit that says the GDPR applies to processing outside the
EU of EU citizens' data etc.

> (2) The obligation laid down in paragraph 1 of this Article shall not apply
> to:
>
> a) processing which is occasional, does not include, on a large scale,
> processing of special categories of data as referred to in Article 9(1) or
> processing of personal data relating to criminal convictions and offences
> referred to in Article 10, and is unlikely to result in a risk to the rights
> and freedoms of natural persons, taking into account the nature, context,
> scope and purposes of the processing; or
>
> b) a public authority or body.

It's clear here that not everyone outside the EU needs to have an EU
representative, but 2a is wordy and confusing enough that it's real hard for a
non-EU non-lawyer to figure out with certainty whether or not they need one.
The ambiguous combination of 'and's and 'or's doesn't help, but 'unlikely to
result in a risk to the rights and freedoms of natural persons' sounds like
something that's ambiguous enough on its own that you might need an EU lawyer
to actually interpret it.

------
snogaraleal
You do not necessarily need to hire a DPO.

Read the law or, at least, read the official FAQ. Your evaluation of the
impact of the law on your project is lazy.

~~~
drcode
Reading the FAQ, the only way to really safely ignore the DPO provision would
be to hire a law firm with GDPR expertise to parse the vague language in the
law and to give written guidance as to whether the law applies to each
specific web site, which you can then present to EU authorities in the future
to show you performed due diligence to try to meet the requirements of the
law.

~~~
jimnotgym
I can only think you are not familiar with European principle-based law vs US
rule-based law. Where you see 'vague', I see 'flexible' and 'able to move with
the times'.

~~~
yesco
Have you considered that a law being "flexible" and "able to move with the
times" is exactly why someone wouldn't like it being vague? A law that is
"flexible" means that it's a law that can be arbitrarily applied. A law that
can "move with the times" means that what might be fine now won't be fine
later and just maybe you will be the first to find out.

It doesn't matter if European law has a history of being "principle based", if
it can fuck you then someday it just might. Europeans might be fine with this,
but I think most Americans would not be. If I were in OP's position I would do
the same thing; by simply blocking an IP range, all possibility of being made
an example of by some people from another continent is flushed down the drain.
I'm absolutely baffled why people think this is absurd, if you're not even
making any income off of it, why would you ever open yourself up to such
expensive potential liability?

~~~
jimnotgym
I think comments like that just open you up to rather obvious jibes about how
long European law has been around vs the US.

I will leave the reader to make their own jokes.

------
m-arnold
Hugo (static blog generator) is spending non-insignificant efforts to comply:
[https://github.com/gohugoio/hugo/issues/4616](https://github.com/gohugoio/hugo/issues/4616).

It looks like a simple thing like embedding a Youtube video in your blog post
is no longer so simple. As well as loading any external JS dependencies.

~~~
blub
Youtube, disqus, twitter are designed to collect as much info about persons as
possible, so yes, it might be difficult to prevent them from doing that.

The fault lies entirely with those companies, which did the wrong thing with
impunity until it was _literally_ outlawed.

------
josecastillo
This is going to sound crazy, but I spun up an instance of a simple open-
source comments system[1] for a blog that I write, and I chickened out of
deploying it because I wasn't sure if it complied with GDPR. I distrust Disqus
over their ad-driven model and deep tracking of users, so for now I’m just
doing without comments.

Is it possible to self-host something that handles user data (name, comment,
IP address) and comply with this regulation? What if there's more data,
federated data? Can one just spin up an instance of Friendica, for example, or
are there additional steps required for compliance? I'm honestly not sure
anymore.

[1]: [https://posativ.org/isso/](https://posativ.org/isso/)

~~~
ozim
If you do it as a hobby it is not a problem. For IP addresses, it is fine if you
don't store them indefinitely; for example you can anonymise IPs after a month.
I think you store IPs for spam protection and solving user issues, which is a
lawful basis, so you can protect your good interest. Most important, you are
not passing it to some third party. Second, you can always add a consent checkbox.

DPO is required only if you really store race, religion, credit card data,
health records. If you keep name and IP you do not need a DPO.

There is so much FUD about GDPR, it will pass after a year. Now compliance
vendors are having a party; a lot of champagne will be opened on May 25th.

In the end, if you know what data you have, why you have it and who you
share it with, it should be good enough.

------
treve
Two questions come to mind:

1\. Isn't this person allowed to be the Data Protection Officer themselves?
2\. Is APNS inherently not compliant, or is there something unique about this
use-case?

What's kind of great about this new regulation is that we get a clear view on
businesses that can't adequately protect users' privacy. It's painful for
businesses such as these, but ultimately it seems that consumers would come
out ahead of it.

The weak link in this case may not have been the developer themselves but
external factors, but it's still a pretty interesting data point.

~~~
DanBC
This person doesn't need a DPO.

------
oneplane
This makes little sense. There is nothing in the GDPR that you shouldn't
already have done. Besides, even if you don't operate in the EU, it makes
sense to have a basic privacy setup anyway, and GDPR compliance is just
that...

[https://gdprchecklist.io](https://gdprchecklist.io) (was on HN a few days ago
IIRC)

On top of that, this isn't american lawyering. If you make a mistake or are
simply trying but not having a good time at it, you're not automatically
destroyed, put in jail, fined for billions of euros etc.

The GDPR is beneficial to everyone, except people with bad intentions or bad
practices (like having big budgets for PR, Ads and the CEO but not for tech).

The GDPR for basic FOSS and other single-person software boils down to:

\- Don't capture data and not ask first

\- Don't capture data and not tell

\- Don't capture data and not show

\- Don't capture data and not say where it is

\- Don't capture data and not say who can access it

\- Generally, users should be able to CRUD their data

\- Delete data on request

\- Export data on request

Most of that is common sense and in most non-commercial services this is
available anyway. You can make it even simpler:

\- Only CRUD when a user CRUDs, and tell them that is what they are doing while
they are doing it

\- Make sure the delete/opt-out/close account button actually works

\- Have a line somewhere saying "I'm hosting this on platform XYZ in country
ABC"

Since you are likely going to build CRUD + delete account anyway, that's a
solved problem. Unsubscribe/Delete account usually already exists, no problems
there either. That leaves writing a few lines telling users where you are
storing stuff and how to contact for issues.

Don't forget: laws comparable to the GDPR were already in effect long before
the EU came up with an EU-wide version. In the UK for example, you could ask a
business to send an export of all the data they have on you via mail, and they
were bound by law to comply. In the Netherlands, if you store PII of people
who are not your clients and send them mail/spam/offers, you get fined. Hell,
they even had a more universal version where you aren't allowed to put mail in
someone's mailbox unless it was addressed specifically to them, and there was
one where you weren't allowed to put any ads in if the mailbox was marked for
that. And you have a system where cold-calling was not allowed, same for fax
ads.

------
elephant0xffff
I don't really get it. So what's the burden for the developer here - he argues
that the IP is PII (personally identifiable information), which is true, but I
don't think it means you can't log IPs in general anymore?

So is now every standard apache2 installation a non-compliant (illegal?)
service, as it logs GETs?

I don't think that's the case.

//edit: It seems to be the case that you are ok if you do log-rotation and
delete old ones - which makes sense, so you can still use them for debugging.
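
Two comments above suggest the same practical approach to IP addresses in web server logs: keep them only as long as you need them for debugging and abuse handling, then anonymise or delete them (ozim's "anonymise IP after a month" and the log-rotation edit here). The following is an added example, not code from the Monal project or from any commenter, showing one way to do that over Apache combined-format lines: entries younger than a full-retention window keep the client address, older ones have the host part zeroed (IPv4 to /24, IPv6 to /48), and entries past a hard retention limit are dropped. The sample log lines, the timestamp used as "now", and both window lengths are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [timestamp] "request" status bytes "referer" "ua".
# Everything after the timestamp is kept verbatim as "rest".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation-range addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/May/2018:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::7 - alice [01/Apr/2018:08:30:00 +0000] "POST /push HTTP/1.1" 204 0 "-" "Monal/3"',
    '198.51.100.9 - - [01/Jan/2018:00:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "curl/7"',
]
# Fixed "now" so the example is deterministic; a real job would use datetime.now(timezone.utc).
NOW = datetime(2018, 5, 20, tzinfo=timezone.utc)


def anonymize_ip(value: str) -> str:
    """Zero the host part of an address: keep /24 for IPv4, /48 for IPv6.

    Anything that is not a parseable address (the '-' placeholder, or a
    hostname if HostnameLookups is on) is replaced by '-' rather than kept,
    since a resolved hostname can identify a person just as well as an IP.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "-"
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def process_log(lines, now, retain_full=timedelta(days=30), retain_any=timedelta(days=90)):
    """Return the lines to keep after applying the retention policy.

    age <= retain_full : kept unchanged (still useful for debugging/abuse handling)
    retain_full < age <= retain_any : kept with an anonymised client address
    age > retain_any : dropped entirely
    Lines that do not parse are dropped too, so unknown data is never retained.
    """
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        age = now - ts
        if age > retain_any:
            continue
        if age > retain_full:
            line = (f"{anonymize_ip(m.group('ip'))} {m.group('ident')} {m.group('user')} "
                    f"[{m.group('ts')}] {m.group('rest')}")
        kept.append(line)
    return kept


if __name__ == "__main__":
    for kept_line in process_log(SAMPLE_LOG, NOW):
        print(kept_line)
```

Run against the sample, the May entry survives intact, the April entry is rewritten with `2001:db8:abcd::` as its client address, and the January entry is dropped. Truncating rather than hashing is deliberate: a salted hash of a full IP is still a stable per-client identifier, whereas a /24 or /48 keeps enough to spot an abusive network range without singling out one subscriber.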

~~~
crysin
The burden is if the EU does investigate him, for whatever reason whatsoever,
even if he is 100% compliant he needs to spend money to prove he is compliant
and deal with the EU.

~~~
rawfan
Why would you think that? If he wanted to be compliant he only needs two
things:

1\. Some procedure that allows him to answer users privacy requests ("what
information about me do you have?", "Please delete my personal data from your
servers.")

2\. A so called "directory of procedures" which states what data you collect
and who's responsible for it.

If you fail to comply with 1., the user can call upon their local data
protection agency, who will contact you and request the contents of 2.

At no point would he need a lawyer or spend money, even if he were based in
the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do
handle lots of user data.

Most of this stuff has been law in Germany for years, I've dealt with the
German data protection agencies many times (from both sides of the aisle).

\- They helped me force my university to remove personal information about me
from the public uni website (by constructively explaining to them why it's a
bad idea to have this information about students online in the first place).

\- When someone trolled me by registering me to a dating platform which
refused to delete the fake profile and spammed me for a year, one mail to the
agency was enough to stop these idiots.

\- When I worked with social workers, the data protection agency (after a
client accused us of mishandling their data) helped us go through our
communication procedures and identified some point where client privacy could
easily be improved.

As a US company, if you don't want to deal with this, just don't. If you do
handle user data you should, though.

~~~
GordonS
> Why would you think that?

I think the majority of users on HN are from the US. And going by the GDPR
related comments over the past few months, it seems the litigious US
stereotype really is true - a lot of people seem to be prepared to "lawyer up"
at the drop of a hat!

------
tobyhinloopen
I like the GDPR panic. People should think twice before handling our data. If
they don't think they can handle it, I'm fine with them gone.

------
hackersword
A "society" is all about building up information about the people around you
and knowing about them. Complete anonymity often leads to the breaking down of
people's filters and behaviours; they think they can do whatever they want
without consequences.

Many countries outlaw face coverings as they imply correlation with
lawlessness.

The direct linking of IP address as PII flies in the face of that. If I am
logging IP addresses for security and to monitor against abuse, and I in fact
determine that an IP address is abusive, it behooves me to have any/all data
that ip address used in my system to try to identify them.

The right to be forgotten .. why just online? Why just digital?

What if a shop owner or waiter in a small town notes which customers like what,
or which client tips well, or which local has annoying kids that she lets wander
and vandalize the store?

If that owner/waiter writes that down in a log and shares it with the co-worker
on the next shift ... is that in violation? What if they don't write it down
and just have a really good memory ... what if they just 'organically' get a
reputation and word gets around?

Is old wives' gossip illegal under GDPR, or the "stereotypical" Italian
mothers who keep an eye out on all the kids in the street and report to each
other who is doing what?

Plenty of stores and bars will have a list "don't take personal checks from
these people" ... are those types of lists not allowed anymore?

If the GDPR was JUST limited to "customers" or people who have explicitly
created accounts that might be one thing, but over reaching to say ANY apache
webserver that automatically logs IP addresses had to be GDPR compliant is
absurd.

If I post a tech blog with how-tos, personal ramblings, or even example code
projects I release as open source that you are completely free to use or not
use ... why do I now have some obligation to you? You chose to walk up to
my storefront and look inside ... I'm free to remember whatever I want about
you while you looked around.

The US passed the pretty broad, overreaching Computer Fraud and Abuse Act
[[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)]
that many have argued is so broad that a violation of TOS could be considered
abuse/hacking. If you view my site without agreeing to my TOS, should I be
able to have you prosecuted?

------
ultim8k
I'm pretty sure lawyers and "consultants" are the only ones super happy about
GDPR. Companies will still harvest user data with updated T&Cs and more
buttons for the user to click, because all services will be useless without
accepting. Governments will also continue gathering users' data for "the
common good".

~~~
TomVDB
I'm pretty sure that many ordinary European (and US!) citizens are pretty happy
about the GDPR as well. If clicking an extra button is really all it takes.

But despite the assurances of many here that it's not hard to comply, I'd
probably have shut down the servers of my own hobby non-profitable location
data gathering website as well, simply because even reading the GDPR document
would be too much effort.

~~~
DanBC
Personal projects are exempt.

[https://gdpr-info.eu/recitals/no-18/](https://gdpr-info.eu/recitals/no-18/)

> This Regulation does not apply to the processing of personal data by a
> natural person in the course of a purely personal or household activity and
> thus with no connection to a professional or commercial activity. Personal
> or household activities could include correspondence and the holding of
> addresses, or social networking and online activity undertaken within the
> context of such activities.

------
avar
> I do not have the resources to hire a Data Protection Officer (DPO) or EU
> Representative as required by GDPR.

Is there any actual requirement within the GDPR that this needs to be a
dedicated person, or does being a DPO just need to be someone's
responsibility, e.g. in the case of a one-man open source project the guy who
runs the project?

~~~
ucaetano
[https://gdpr-info.eu/art-38-gdpr/](https://gdpr-info.eu/art-38-gdpr/)

> The data protection officer may fulfil other tasks and duties. The
> controller or processor shall ensure that any such tasks and duties do not
> result in a conflict of interests.

I guess you could say that it is literally impossible for the DPO to not have
conflicts of interest if the DPO is also the owner and manager of the company.

More:

[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/)

> The DPO must be independent, an expert in data protection, adequately
> resourced, and report to the highest management level.

~~~
unilynx
Well, if you're owner and manager, I think you've got the independence,
adequately resourced and reporting about right.

If you're a sole proprietor and managing data at volume and sensitivity levels
that a DPO is required, I hope you're an expert at protecting that data..

------
pheleven
If this is the sort of enforcement we can expect, this could suck:
[https://ico.org.uk/action-weve-taken/enforcement/sse-energy-...](https://ico.org.uk/action-weve-taken/enforcement/sse-energy-supply-ltd/)
(there are several others, this one is just interesting because it's a very
simple mistake with very minimal PII)

Also, my understanding is Germany allows for whistle-blowers to take a cut of
fines. Language in the GDPR calls for over-estimating damages for loss of PII
when compensating individuals as well.

Generally, I appreciate the GDPR. That said, it's a huge burden trying to go
through many dozens of workflows, technical or otherwise, where (typically
minimal) PII is recorded, catalog them, limit (and purge) intake of data to
bare minimums, create documentation supporting said workflows to be able to
provide it to the SAs, create a plan for being able to search ALL those
workflows/databases/spreadsheets/apps that have PII to supply that data upon
request, and then be able to delete all cases of such data upon request.

Turns out that's actually a mountain of work. It will probably force us to
significantly improve workflows and combine data repositories moving forward
but it's a large burden up front. Likely many hundreds, if not thousands, of
hours for our fairly small enterprise.

~~~
jacquesm
I read that enforcement report. I think it was fully warranted that the 1,000
pound fine was levied against that company. (1) They did not immediately
report the fact that they disclosed that customer's private information and (2)
they did not have appropriate technical measures in place to avoid such
problems; specifically, they were tasking their CS reps to cut-and-paste
information between screens that could display the information of two
unrelated customers, a super stupid and error-prone set-up.

The fine, 1000 pounds, is proportionate given the size of the entity it is
levied against, the resources at their disposal and the turnover of the
company. If the company had been much smaller one would hope for leniency, but
the fine would either not have been levied at all or it would have been 1000
pounds; no middle ground there.

You'd hope they learned their lesson.

------
hackersword
The GDPR is by most accounts and interpretations aimed at "the big players"
... but it is not SPECIFICALLY written to be limited to them.

Two view points to this:

1) If made too specific, big players will find a way to slip through the
exceptions and game/lawyer the system.

2) So vague that only the "big players" will have the infrastructure/legal
approval to actually guarantee 100% compliance. Smaller fish, for whom the
reward just doesn't justify the risk/uncertainty, will certainly pull out of
the market.

If the law is about "supercookies" and targeting an individual throughout the
entire internet ... it should say that.

If it's about the transfer/monetization of the aggregation of data ... PII
being sold for money or some other in-kind transaction ... say that.

If a single entity uses a cookie and retains data for one single domain and
that is ok ... say that.

If retaining logs that contain an IP address and the logged-in credentials is
OK for security auditing ... say that ... if it's only OK to store them for a
year(??), 6 months(??), 1 month(??) ... say fucking that!

If a company/site aggregating PII of over a million unique users is troubling
and should be specifically bound by these restrictions and need a DPO ... say
that.

If a site only has a few 1,000 - 10,000 Unique PII records/users of note , and
is not the focus of these regulations .... say that.

Give concrete examples, lawyer the shit out of it ... leave open for
amendments so when abused can be modified.

It's just a shitty law trying to fix an already shitty situation.

------
abritinthebay
Long story short: Monal developer doesn't understand GDPR, makes a bunch of
incorrect claims about it, doesn't want to understand it, and so removes his
software from the EU.

That's his right, go him.

He didn't have to write a ton of incorrect nonsense about the GDPR though. He
could have just skipped to the last step.

GDPR compliance is not actually that hard - I'm in the middle of doing it for
a very large company - as long as you're not storing information about users
it's almost trivial tbh, but there are a lot of unfortunate vague terms in the
law (the intent is rather clear however).

The reaction to this law in the US is rather funny because the rest of the
world has been dealing with strange US laws for decades on the web... finally
something bites the other direction and people freak out.

~~~
abiox
> The reaction to this law in the US is rather funny because the rest of the
> world has been dealing with strange US laws for decades on the web...
> finally something bites the other direction and people freak out.

i'm quite positive that i've seen people call for europeans to not do business
with american businesses on account of said us laws (in other HN threads).

~~~
abritinthebay
Usually over data privacy/hosting & law enforcement AFAIK. That’s more due to
_lack_ of laws there

------
belorn
> registering for a push does make an HTTP call which logs a user’s IP and
> this requires GDPR compliance. APNS push tokens are associated with devices
> which can be traced back to a user if combined with info on the originating
> XMPP server. Obviously, this is needed for a notification to be delivered to
> the right person.

Article 6, Paragraph 1, seems to cover those two parts of data collection.
Logging a user's IP for security is acceptable, as is logging for the legitimate
interests of the user (or operator) as long as it does not conflict with the
interest of the data subject in regard to their need for data protection. APNS
push tokens seem to fit that description quite well.

~~~
hackersword
it covers it ... except when it doesn't. Which is open to 'interpretation'

Where is the scale balanced on this ... will it be the same in each of the
different countries implementing it?

>as long as it does not conflict with the interest of the data subject in
regard to their need for data protection

Article 6.1.f

>processing is necessary for the purposes of the legitimate interests pursued
by the controller or by a third party, except where such interests are
overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular where the
data subject is a child.

So ... I can retain IP records in my logs , as long as they aren't a child?

~~~
belorn
In regard to children I view it as part of two different interpretations. One
is that data in regard to children needs to be considered with extra care, and
in those cases where the process is written down or is more formal, that
consideration needs to be addressed.

The other way to see it is a bridge to the US regulation COPPA, where
operators in the US and EU now have to follow the same rules in regard to
children. In this case Monal would have to move out of both EU and US in order
to avoid the regulations in regard to children.

------
eksemplar
You don't need a DPO if you're a one-man company, or your revenue is under a
certain amount which I can't remember, because it hasn't been relevant at
our 10.000-employee municipality.

You're allowed to track IPs in your log, if there is a reason for it and you
only keep them for a reasonable amount of time.

You do need to gather consent for push messages. But you can do so by simply
asking your users, and frankly, you should always ask your users before you
spam them, but it’s obviously going to be a little work to implement.

This is an overreaction, especially because no one knows how the GDPR plays
out until it’s been tested in the courts.

------
kybernetikos
> Obviously, this is needed for a notification to be delivered to the right
> person.

This seems pretty clearly a case of 'Legitimate Interest'. Filling in a
couple-of-page Word document (a LIA) and keeping it somewhere on the off-chance
that someone queries you is likely sufficient, from my understanding. (This is
not legal advice.)

------
noobiemcfoob
Another one bites the dust

/Where dust == blocking EU

~~~
coldacid
And won't be the last either, I bet.

------
wlll
> Data Protection Officer

He doesn't need one

> Crashes

So don't send the user's IP with the crash report?

> Push

I don't know enough about this, but:

"APNS push tokens are associated with devices which can be traced back to a
user if combined with info on the originating XMPP server."

I didn't think Monal ran their own XMPP servers? If they don't, then is there
really a danger of someone combining the data from the two services?

> Honestly, I do not know if XMPP federation is legal anymore in the EU with
> GDPR.

I have no idea, but if the Monal developer isn't running any XMPP servers then
is this even an issue?

This all seems like someone who doesn't like GDPR having a bit of a tantrum
and interpreting the laws in a way that makes it seem like they are in a worse
position than they actually are.

------
vbezhenar
How can I be non-compliant with GDPR? If I could care less about it, is it
enough for me to do nothing? Should I expect that European users should find
out themselves that my website is not GDPR-compliant? Or must I actively
ban EU IPs?

------
StreamBright
"Data Protection Officer

I do not have the resources to hire a Data Protection Officer (DPO) or EU
Representative as required by GDPR. I do not have designated EU contacts."

What? Where does it say in the law that:

a) you need one

b) it cannot be you

I mean come on, this is just a very ignorant post from the author.

------
megous
I think the part about rather big enforcement penalties made it easy for
various consultants to scare companies and sadly also some individual
developers.

I already had to fend off implementing some ridiculous features. I've pushed
against misconceptions and use of non-existent terminology that's not even in
the law. People are taking info from all kinds of sources, some of them
sketchier than others, despite the existence of official EU guides, and the
law itself.

But I bet it will be easy to comply for most non-adtech/tracking businesses.
And as an internet user, I'm looking forward to better data exports, data
removal and more transparency.

------
fiatjaf
If you find yourself in this same situation, maybe you'll want to take a look
at [https://euroshield.xyz/](https://euroshield.xyz/) (direct EU IP blocks
coming soon).

~~~
tobyhinloopen
Cool, the new cookie wall. "Are you European?" wall.

------
matchagaucho
My understanding of GDPR is that if the logs remain anonymized, i.e. the IP
addresses are not correlated with user records, then the solution is
compliant. The IP addresses are not considered PII.

~~~
TomasEkeli
When I worked with GDPR compliance we tried and tried but still ended up with
the opinion that IP addresses are considered personal information.

Article 4 point 1 in the GDPR indicates this (unless you can somehow prove
that the IP is not related to the person, which I think we all know it
effectively is in most cases)
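The two points raised in this sub-thread (IP addresses in logs count as personal data, and logs are tolerable if they are not correlated with a person and not kept indefinitely) can be demonstrated with a small log-scrubbing routine. This is an added example, not code from the page or from Monal: it truncates any IPv4/IPv6 address in a syslog-style line to its network prefix and drops lines older than a retention window. The log lines, hostnames and timestamps are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog-style sample (documentation address ranges, not real users).
SAMPLE_LOG = """\
2018-05-20T10:00:00Z web01 nginx: 203.0.113.45 - GET /index.html 200
2018-05-20T10:00:01Z web01 nginx: 2001:db8:85a3::8a2e:370:7334 - GET /api 200
2018-05-21T09:30:00Z mail01 postfix: connect from [198.51.100.7]
"""

# Candidate tokens: hex digits with at least one '.' or ':' separator.
# Non-addresses (timestamps, "nginx:") are rejected by ipaddress below.
IP_CANDIDATE = re.compile(r"[0-9A-Fa-f]*[.:][0-9A-Fa-f.:]*")


def mask_ip(token: str) -> str:
    """Truncate an address to a coarse prefix (IPv4 /24, IPv6 /48).

    The host part is zeroed so the stored value no longer singles out one
    subscriber; anything that is not an IP address is returned unchanged.
    """
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def _parse_timestamp(line: str) -> datetime:
    # First whitespace-separated field is an ISO-8601 UTC timestamp.
    stamp = line.split(" ", 1)[0].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def scrub_log(text: str, now: datetime, retention: timedelta) -> list:
    """Return log lines within the retention window, with IPs masked."""
    kept = []
    for line in text.splitlines():
        if now - _parse_timestamp(line) > retention:
            continue  # older than the retention window: purge the line
        kept.append(IP_CANDIDATE.sub(lambda m: mask_ip(m.group(0)), line))
    return kept


if __name__ == "__main__":
    now = datetime(2018, 5, 21, 12, 0, tzinfo=timezone.utc)
    for line in scrub_log(SAMPLE_LOG, now, timedelta(days=7)):
        print(line)
```

Whether a /24 or /48 prefix is coarse enough depends on the deployment; the point is that the retained value can no longer be matched to a single user record.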

------
intrasight
One thing I see missing from these discussions is budget - specifically the
budgets for the regulatory agencies responsible for enforcing GDPR. Lack of
enforcement budget will, I think, make GDPR a non-issue for the vast majority
of organizations. And as the EU ramps up its infighting over the new budget,
there will be LESS budget allocated for something like this that has no vested
constituents who will be helped or harmed by such allocation.

------
fcbrooklyn
Every time something like this comes up, we see similar objections. They
normally take one of three forms:

1) You are overreacting. The EU isn't going to come after some small fry
operation, or some non-business entity.

This is an easy thing to say when you're not personally exposed to the risk.
Would advocates of this position be willing to personally indemnify open
source projects / side projects against GDPR enforcement? I suspect not, but
perhaps there's a business opportunity in giving them the opportunity to do
so. Sort of a GoFundMe for peer-to-peer insurance.

2) The GDPR is all about not being a jerk with your users' data. As long as
you don't do that, and do relatively minor things X, Y and Z, you're totally
fine.

This flavor of argument might actually be true, but if I'm assuming the risk
I'm probably going to want to hear it from someone with skin in the game, like
a lawyer, who I can point to if it turns out to be false. Even if I had the
desire to read through the law (I don't) and understand the specific
implications for my project (I wouldn't), the very act of doing this
represents a cost that I could more simply avoid by excluding EU residents
from my service. I'd choose the latter path every time, and put "support EU
residents, check into the legal implications of GDPR" on the roadmap, for
"someday".

3) You're exposed to millions of risks anytime you do anything. This is just
one more and you're making a big deal of it.

Often this accusation comes with a subtext that you're trying to prove some
political point, suggesting that you're making a decision in bad faith to
"punish" the EU. Well, I personally think something like the GDPR is needed,
and have no particular axe to grind, but I also have no idea if the legal
exposure is serious, and no particular desire to put in the work to find out.

Yes, business, or really any activity, involves legal risk. In this case
though, the risk is pretty serious, first of all because the penalties (20M
Euros max) are serious, and secondly because it will be very difficult to
claim that you've never heard of the GDPR. If Tonga creates some law impacting
side hustles on the internet, at a minimum I can credibly claim to be unaware
of that law. The GDPR on the other hand has been all over the news for weeks.
I've clearly heard of it (especially now that I've commented on a discussion
of it on HN).

My feeling is there's a real risk that this law will lead to a general
practice of non-EU individuals, and non-EU startups launching MVPs to at least
temporarily block the EU to avoid unnecessary risk. That's not the intended
purpose of the law, but laws have unintended consequences all the time. If the
EU wants to avoid this unintended consequence they should provide a clear,
objective, and cheap (in terms of both time and money), set of instructions
that will allow projects like monal to continue operating there. If such a set
of instructions exists, I haven't seen it.

~~~
ozim
"Even if I had the desire to read through the law (I don't)"

"If such a set of instructions exists, I haven't seen it"

[https://gdpr-info.eu/](https://gdpr-info.eu/)

Maybe for me it is an easy set of instructions, for some maybe not.

~~~
fcbrooklyn
You have pointed me to the entire content of the GDPR. It's 11 chapters, with
99 articles. I'm unashamed to admit that I don't consider even skimming such a
document "easy". I was imagining something more along the lines of a one pager
with 4-8 bullet points, each of which was easy to address.

~~~
ozim
HACCP has a nice 7 points; are you comfortable with implementing it on your own?
Each country has its own regulator making rules. Restaurants are fined for
violations all the time. (The 20M fine for a GDPR violation is an upper bound; if
you have 10K/month revenue, you are not going to be fined millions.)

[https://en.wikipedia.org/wiki/Hazard_analysis_and_critical_c...](https://en.wikipedia.org/wiki/Hazard_analysis_and_critical_control_points)

------
zenovision
Just block all EU users. EU only makes 15% of the world population and after
Brexit even much less than 15%, so they are not that important.

------
howard941
If I continue to maintain mail and web server syslogd logs and Europeans
access one of the servers, do I risk getting nailed under the GDPR?

~~~
unilynx
If you're not in the EU and not actively trying to market your services to
people in the EU, GDPR does not apply.

~~~
tobltobs
And if none of your customers is using your service to process data from EU
users.

------
djhworld
It seems to me like he's overreacting a bit.

I get that the GDPR regulations seem quite complex and daunting, but his
use case seems pretty simple to me.

------
lagadu
> I do not have the resources to meet the letter of the law for compliance
> especially with respect to retention and processing these tokens.

Harsh words but I feel they're warranted: If you don't want to treat my
private data with the due diligence you should, then we're better off not
using your service.

~~~
zerostar07
> _my_ private data

> _we_'re better off not using

Just pointing out that some people may want to choose how they want their data
treated case-by-case, instead of having no option to use the website because
it's blocked.

------
floatingatoll
Does GDPR have any non-monetary enforcement? For a site with no revenue, can
they take any action other than a $0 fine?

~~~
ucaetano
> Does GDPR have any non-monetary enforcement?

Yes:

[https://gdpr-info.eu/art-84-gdpr/](https://gdpr-info.eu/art-84-gdpr/)

> Member States shall lay down the rules on other penalties applicable to
> infringements of this Regulation

So every country can create whatever penalties they want, as long as they are
"effective, proportionate and dissuasive".

------
brandonjm
If a similar law to GDPR was introduced in other countries such as the US,
complying now would probably cost considerably less than dumping business in
every country that does it and complying with all the laws only once you can't
operate sustainably as a business anymore.

------
amurgul
You CANNOT, by any means, consider an IP address to be "personal data". You
cannot say "I don't want my IP to lay around in a database somewhere" because
... IT IS NOT YOUR IP. An IP address is used to uniquely identify a device on
a network, not a person. This device can be (and usually is) a router, a
proxy, a server of some kind, a corporate computer, a public computer and so
on. Not to mention the fact that a device can also have multiple IP addresses
at the same time. So, an IP address CANNOT be used to uniquely identify a
person and it really shouldn't be considered in the context of GDPR. Ah, an IP
address + some other identification data, that's another discussion. Depending
on the combination, it might be considered personal data.

~~~
lewiseason
What GDPR says about this is:

> [A]n identifiable natural person is one who can be identified, directly or
> indirectly, in particular by reference to an identifier such as a name, an
> identification number, location data, an online identifier or to one or more
> factors specific to the physical, physiological, genetic, mental, economic,
> cultural or social identity of that natural person.

I think the principle is that since an IP address could be used to identify
you, it is considered personal data.

------
Stenzel
If you sell hardware, you have to deal with CE/FCC/RoHS and, worst of all,
WEEE compliance, to name just a few. In comparison, GDPR is a piece of cake.
Just sayin'.

------
akshatpradhan
I started ComplianceChaos.com to sell my Policy Writing Services. I specialize
in ISO 27001, HIPAA, and PCI-DSS.

I’d love the opportunity to add GDPR to my current list of specialities.

------
peterburkimsher
> Do you know a good GDPR consultant?

>> Yes.

> Can you tell me their email address?

>> No.

------
borlum
Super overreaction. "End of an era"

------
interdrift
Again, an absolutely uninformed opinion on GDPR. Shame that you can't be
bothered to care about your users.

------
hashmal
> I get the impression that it is an end of an era for the internet.

This is an era many of us won't regret.

------
solotronics
This is the natural reaction to a business model such as Facebook. They are
making billions from everyone's private data and the result is an overreaction
that hurts mostly small companies.

------
5874-4b22-a4e0
How would they even enforce GDPR? Can't companies just claim to clear your
data?

~~~
AnsisMalins
Guessing: even if you don't have assets in EU, you have a Google (or Facebook,
or Amazon) account, and Google has assets in EU. EU could ask Google to ban
you, or else.

~~~
pluto9
That seems like a bit of a stretch, unless you were actively using Google's
services as a tool of your wrongdoing. The EU would be forcing an unrelated
private company to act as an arm of law enforcement. It would be like the
local police punishing you for speeding by leaning on Applebee's to refuse you
service.

Maybe there's a legal precedent for that sort of thing, but I'm not aware of
it.

------
kerng
Probably a good reason to not use this product, even outside the EU.

------
fapjacks
See ya!

------
consto
Goodbye to bad rubbish.

------
Tomte
Never heard of Monal. We won't miss it.

~~~
tobltobs
Pluralis Majestatis?

------
merinowool
Comments here only show how terrible this law is, as nobody has a clue how to
interpret the requirements. The EU direction is simple: cripple the internet so
that only a handful of companies could afford to navigate regulatory hurdles,
and that way it will be easier for bureaucrats to control it. Any small
initiative is killed with fines. In a few years the internet will be under full
control of a socialist regime, and people are sleepwalking into the new reality
with the help of do-gooders.

