
2018 reform of EU data protection rules - Geekette
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
======
Dayshine
Enforcement factsheet: [https://ec.europa.eu/commission/sites/beta-political/files/d...](https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-role-edpb_en.pdf)

Pretty clearly primarily enforced by national regulatory agencies, _who are
the only ones who can apply fines_.

It mentions citizens taking companies to court, but
[https://ec.europa.eu/commission/sites/beta-political/files/d...](https://ec.europa.eu/commission/sites/beta-political/files/data-protection-overview-citizens_en.pdf)
says that's for monetary damages, not for fines. This is unchanged from
previous laws.

Can people stop freaking out now?

~~~
tobltobs
In Germany offenses against the GDPR can cause an "Abmahnung", which does not
result in a fine but a charge. There are legions of filthy lawyers waiting for
the 25.5.

~~~
nils-m-holm
This is a big problem here in Germany and might very well be a reason to shut
down my site on 5/24.

~~~
nils-m-holm
Would the downvoters care to explain what offended them? Looking the other way
does not help solve a problem.

~~~
Dayshine
Well, my immediate thoughts in response to that reply were:

"Why is some extra law specific to Germany relevant to my comment? This is a
discussion about the GDPR, not about national data protection laws."

~~~
nils-m-holm
It's not about national laws, it's about the implementation of the GDPR on a
national level (namely C&D letters).

------
grantlmiller
This is a great resource because it is from the EU, provides clear examples,
cites the actual legislation and Article 29 Working Party Guidelines (which is
the group that is tasked with preparing official opinions on GDPR).

I think that if you want to really comprehend something, you should go to the
primary source. The GDPR legislation is far more approachable than it seems
(as an official 261-page PDF). When the preamble and the mechanical bits about
how the GDPR will be governed are removed, the parts that are important to
companies are only 34 pages long. You can use this to guide your reading:
[https://www.enterpriseready.io/gdpr/how-to-read-gdpr/](https://www.enterpriseready.io/gdpr/how-to-read-gdpr/)

~~~
Silhouette
I respectfully disagree. This is a terrible resource, which frequently says
things that are either mostly vacuous or just plain wrong.

For example, here's their page on the right to erasure:

[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/do-we-always-have-delete-personal-data-if-person-asks_en)

Its opening paragraph reads as if data subjects have an automatic right to
have their data deleted unless one of the three exceptions applies. In fact,
Article 17 of the GDPR itself grants that right only under a list of specific
circumstances, and the exceptions are just that, which is an entirely
different situation that will lead to the opposite decision on whether data
must be erased in many normal situations. Even the list of exceptions shown
isn't complete.

For another example, here's their page on demonstrating compliance:

[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/how-can-i-demonstrate-my-organisation-compliant-gdpr_en)

There is _literally nothing_ on that page that would help any business I'm
dealing with to demonstrate compliance, unless you count the references to the
primary sources at the end. There are a couple of ideas about codes of conduct
or certifications that contain no substantial details, and even the vague
hints about other things you might have to do don't go into any detail about
who does or doesn't, leaving the entire page almost entirely content-free
unless you happen to be in an industry where the kind of scheme they mention
exists.

This sort of "guidance" is everything that is wrong with how the GDPR is being
handled. It is verbose, ambiguous, sometimes seriously misleading, and almost
entirely non-actionable. I'm actually worse off than I was before I read it,
because I know nothing useful now that I didn't know before, I would have been
misled by several of the pages such as the one I mentioned above if I hadn't
already known better, and that's still half an hour of my life wasted.

~~~
grantlmiller
Well, you're clearly thinking deeply about this and you seem to care. Which is
great. I've been digging in deep on this the last few months so I have some
thoughts. Respectfully (srsly), I think you might be misinterpreting the
legislation (this resource provides more concrete examples of how you
should interpret it).

For example, Article 17(1) lays out the MANY grounds upon which a Data Subject
can request erasure. If ONE of the mentioned criteria is met including the
very broad Right to Object (Article 21) then it must be erased. 17(2) states
you must fwd this request on to other online orgs. 17(3) provides the
exceptions for which a Controller can object to the erasure.

It is important to note that the spirit of GDPR is one where Data Subjects
rights (to their data, to object) are the default. Sort of like innocent until
proven guilty. This is a big shift for most companies who would contend that
they own the data & data exhaust from use of their application.

As for compliance demonstration... yes, this is still a mess. My only
suggestion there is that if you're working with software companies, try to
study what the leaders are doing and take some inspiration.
[https://www.enterpriseready.io/gdpr/preparing-for-gdpr/](https://www.enterpriseready.io/gdpr/preparing-for-gdpr/)

Happy to hear your thoughts. Genuinely interested in other people's
perspectives on this.

~~~
Silhouette
_For example, Article 17(1) lays out the MANY grounds upon which a Data
Subject can request erasure. If ONE of the mentioned criteria is met including
the very broad Right to Object (Article 21) then it must be erased._

Yes, but crucially, if the data is still relevant and you're processing it on
a proper basis, the data subject doesn't necessarily have a right to have it
erased.

If your only legal basis for processing is consent, subjects get most of the
rights under the GDPR automatically and you have very little choice about
complying. One of the big changes in the new regime is that consent can be
withdrawn retrospectively.

If your basis is legitimate interests, things are more complicated. Subject
rights are stronger in this situation than with some of the other legal bases,
because they can object to processing. However, the right to object is itself
subject to balancing tests that aren't clearly defined, except in the specific
case of direct marketing.

For the stronger bases, such as performance of a contract or compliance with
legal obligations, subject rights are still quite limited even under the GDPR.
For example, under EU VAT rules, we are required by law to keep evidence of
where our customers are located for quite a long time, and customers can't
require us to delete that evidence prematurely.

There are some other important details to be considered, for example if you're
processing data about children, but that seems to be the basic situation.

------
meinstream
This guide does not clarify one important question: Does a company in the EU
have to apply gdpr guidelines for non-European users? If so, this would be a
significant disadvantage for all European companies since their non-European
competitors obviously only have to comply for European users.

One scenario in which this would be very relevant: A website needs to show a
very long consent form to users that want to use their service, under gdpr
regulation. Under gdpr these consent forms are very alarming and they will
have a drop-off rate. The drop-off rate of the form will be the competitive
advantage of non-European companies.

Hence, will we see an exodus of European startups from Europe to the US?

~~~
gnud
Maybe I'm just stupid, but that seems very clear to me from article 3.1 [0]:

This Regulation applies to the processing of personal data in the context of
the activities of an establishment of a controller or a processor in the
Union, regardless of whether the processing takes place in the Union or not.

[0]: [https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

~~~
meinstream
Ok, let's assume this interpretation is correct.

Targeted advertising will require explicit user consent under gdpr since pii
is collected. It's fair to assume that there is no big incentive for a user of
a website to consent to targeted ads. Targeted ads are usually way way more
profitable than contextual ads. If you are a large publisher, would you really
want to have your company in the EU in future?

~~~
mattmanser
They're only way more profitable right now because they exist. I guess if you
want to sell something the EU has pretty much banned, basing your business
inside the EU won't work.

~~~
dwild
How can an alternative be more profitable? Targeted ads allow to TARGET
someone. That means that instead of wasting views on someone that won't be
interested (and thus, be a waste of money) you use it on people that will
care.

For sure if you have 5$ of budget per sale, if it takes 1000 views to get a
sale or 1 view, you won't pay the same for views in both situations depending
on the efficiency of the ad.

~~~
Sylos
He did not say that an alternative would be more profitable.

What he meant is that right now, because targeted ads exist, non-targeted ads
sell far worse. Once targeted ads are not an option anymore, non-targeted ads
will get more attention again, because the demand for advertising will not go
away.

There will be somewhat of a drop in demand, because advertising might be less
effective, so it makes more sense for companies to invest into developing
their products instead. But you can hardly justify unethical behaviour with
some industry making money off of it. Drug dealing, slavery, forced
prostitution etc. are also illegal, even though there's a hugely profitable
market for those.

You have to draw the line somewhere. Governments are supposed to draw the line
there, where the effect of doing something results in a net negative for this
society by given values that this society considers important.

But even assuming a society only cares about its overall profit, I would be
surprised if there's not some effects going on, due to targeted advertising
being sharp enough of a tool to psychologically influence people to buy
useless crap they don't need. And people buying useless crap they don't need
is not good for the overall profit of a society. They could be buying useful
crap that they can use to make more of a profit instead.

------
donohoe
First, I am not a lawyer. I don't even play one on TV.

The big question I keep hearing is; I'm in the US (or other non-EU country),
does GDPR apply to my company or organization?

The shortest possible answer is: _Maybe_ :)

The answer is: _YES_ if your company has a physical or legal presence (like an
office, employee, parent-company, subsidiary, etc.) in an EU country. The GDPR
applies to you and you need to start reading up ASAP as you only have a few
weeks to figure this all out.

The answer is likely: _NO_ (but be careful here) if you have no physical or
legal presence in the EU. Bonus points if your business isn't really aimed at
the EU.

The answer is likely still: _NO_ if again, you have no physical or legal
presence in the EU but do rely on EU traffic as a direct or significant part
of your business. At that point it's all about how much risk you're willing to
take on as we see how this law is interpreted.

Any country can claim this over any other territory they wish. But that
doesn't make it true. For the claim to be effective (except by use of force),
it must be agreed either with the legal authority of the country.

Right now there appears to be none. No one is clearly citing any treaty with
the EU as giving them this authority.

    Disclaimer: This isn't legal advice. This is my personal view
    on a complicated issue that I'm trying to discuss in order
    to learn more myself.

~~~
mattmanser
They explicitly contradict you.

[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)

 _The law applies to... 2. a company established outside the EU offering goods
/services (paid or for free) or monitoring the behaviour of individuals in the
EU._

Do you have any evidence? You're doing business with EU citizens. You allow
them to connect to your site.

Wouldn't this operate similarly to how extradition by the US of foreign
hackers work?

~~~
notyourday
It does not matter what the EU thinks. What matters is what the EU can do, and
the answer is nothing unless your company _operates_ in Europe.

> Wouldn't this operate similarly to how extradition by the US of foreign
> hackers work?

It would not.

------
config_yml
Nice guidelines, seems like for most small businesses it will be straight
forward to be GDPR compliant

~~~
tradedash
you are vastly underestimating the ease of implementation

~~~
outsideoflife
Depends on your business. I didn't find it as hard as PCI compliance for
instance

~~~
saryant
Unless you actually maintain full payment account numbers, PCI compliance
pretty much boils down to "I pinky-swear I'm not doing anything wrong" and the
rules have virtually no teeth.

------
bennyp101
And for a nice easy to read version of the regulation; [http://gdpr-
info.eu/](http://gdpr-info.eu/)

~~~
a_bonobo
With the minor caveat that gdpr-info.eu looks official due to the .eu domain,
but is actually run by 'intersoft consulting services AG' as advertising for
their consulting service (the content is just the laws of course)

~~~
bennyp101
True. (although I wouldn't associate .eu with anything being official)

I just like it as it is broken up nicely and has links to any relevant
recitals and derogations etc.

------
Matticus_Rex
PSA: Please make sure you're not relying on HN comments for your understanding
of the GDPR if you're the one responsible in your organization. I need to get
back to all the panicked questions CS has forwarded to me (the DPO equivalent
for my company), but please understand that there's a lot of misunderstanding
in every HN thread on this topic.

~~~
oblio
Heh, I'd say that it's even worse than "misunderstanding".

Besides honest misunderstanding, there's so much FUD being spread by people on
HN who are afraid that their greedy data manipulation plan for a startup has
been completely foiled...

So much FUD that you definitely feel sometimes that the comments are straight
out of [http://n-gate.com/](http://n-gate.com/)

Caricaturizing (a bit):

"HN1: The GDPR takes away our freedom to make tons of money from your private
data! Dirty EU commies and their superstate imposing their law worldwide!

HN2: The law doesn't apply worldwide and it protects my privacy. Just block
users which are geographically in the EU. Also, read the law, it's only 60
pages and more readable than most RFCs.

HN2: Nah, I'm good, I'll just rely on internet FUD as my main source of info.
Dirty EU commie bureaucrats!"

PS: Obviously not all comments are misguided, but good God, there's soooooo
many which miss the mark by a mile...

~~~
DonbunEf7
Please do not violate the Prime Directive. Thanks.

~~~
oblio
> Be civil. Don't say things you wouldn't say face-to-face. Don't be snarky.
> Comments should get more civil and substantive, not less, as a topic gets
> more divisive.

I was snarky but it is definitely something I would say to you face-to-face.

The quality of discussion around the GDPR here on HN was not up to the
standard quality. Part of it was because, in my opinion, a lot of people here
are entrepreneurs and this made them really subjective and almost blind-sided
them to the benefits for users.

The GDPR is not perfect but it's a great long term measure, one I hope will be
followed (and improved upon!) by other administrations.

------
zerostar07
The more I read about it the more it seems like gdpr will either

- cause an uproar from small and middle-size businesses in europe

- not become enforced

the facebooks and amazons of the world are already fine so they won't
complain.

------
seanalltogether
How does this affect server logs? Under the "what is personal data" section
they list ip addresses as personal data.

~~~
bennyp101
Do you have a legitimate reason for storing that data? Probably not, so just
stop it from being logged.

~~~
dwild
Never been in a DDoS attack? Good luck doing anything without getting the
IP.

It's useful to know where the requests come from too. You get a bunch of
requests from IPs that come from a specific peer and that peer is saturated?
How could you verify that without a log? You want to add a CDN in the right
locations. Where should you?

Really, I think it just makes more sense for any small company to block the EU
and when you have the means to do it correctly (with the help of a competent
DPO), then yeah, add the EU to your market.

------
0x4f3759df
Can the average lawyer get rich off this?

Can lawyer A (who is not affiliated with the EU government) sue Company B on
behalf of the users and get a payday?

For reference, I read a thread where a guy in my town sues businesses for
violating the ADA and the settlement is like loser must fix steps and pay
plaintiff some compensation. Maybe it's this story or maybe it's another guy:
[http://www.startribune.com/st-paul-landlord-wins-case-agains...](http://www.startribune.com/st-paul-landlord-wins-case-against-serial-ada-litigant/370215081/)
, actually I think it's this guy
[http://www.startribune.com/doctor-lawyer-wheelchair-user-it-...](http://www.startribune.com/doctor-lawyer-wheelchair-user-it-s-the-same-person-and-he-s-filing-disability-lawsuits-by-the-bundle/381330311/)

~~~
frockington
Sue every European company on the basis of logging IPs, should be free money
for lawyers

------
Geekette
An important one to note as it's applicable to all businesses whose customers
include EU residents because it addresses the collection and processing of
their personal data locally and internationally.

~~~
the_mitsuhiko
I honestly can't wait to ask my local retailer what data they have on me based
on their loyalty cards. So far they were exempt from data disclosure laws
because they were not an IT company.

~~~
yread
I always lose my loyalty card from time to time (it doesn't have any _loyalty_
advantages, you just have to have it to get the discounts) and ask for a new
one. I wonder if they were able to link them back together.

~~~
viraptor
Unless you always pay cash - it should be trivial to link by the payment card
number.

~~~
yread
Do they actually see a card number? Anyway, I have a couple and I have a habit
of losing/breaking those as well. I'm just really bad at holding on to cards
it seems

------
cromulen
Does anyone have an example of the "documentation of data processing
activities"?

Edit: Especially in the context of a company that does not handle/store
customer data, but only employee info.

~~~
grabeh
[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/)

The above link contains a sample Excel template with details of the various
information a record of processing should contain. If you are only processing
employee data this should be straightforward. It's a link to the ICO, the UK's
data protection authority, but it should be useful regardless of where you are
(assuming GDPR applies to you of course!).

------
tokyodude
So .... github, sourceforge, bitbucket. When someone asks to delete their data
do all their commits have to be deleted or edited to remove their name from
the commit logs? How about the changelog if the project has one? Comments from
source? I'm guessing you'll say "no, because they agreed to open source their
data" but how is that any different from agreeing to so-and-so's terms of
service?

In the same manner what happens to wikis and wikipedia when a user wants to
delete their data?

If the data was copied by another user does that data become theirs to keep
or does that need to be deleted too? Example: Jill sends Karen Jill's address
via Facebook. Jill wants all of Jill's data deleted from Facebook. Does
Jill's address she sent to Karen have to be deleted? Pictures? Pre-internet
that data would be on a piece of paper in Karen's possession. Now it's less
clear as it's really in Facebook's possession and Karen just has access to the
data on Facebook's servers. As Karen I'd be upset if what I considered my data
(my copy of Karen's address) to be deleted but is that clear in the GDPR?

~~~
guitarbill
Let's stop coming up with stupid, stupid examples where you have spent more
time thinking about how to troll than thinking how the GDPR applies.

(Hint: The right to erasure is not absolute, and applies to personal data.)

~~~
tokyodude
And what is personal data? This problem exists even without the GDPR, my
question is does the GDPR make it law in the EU. In Google Docs if Jill shares
a document with Karen and then Jill deletes her account Karen will lose access
to Jill's document. That situation doesn't map to the real world where
sharing a document meant Jill sending Karen a physical copy. Personally I
consider it a bug given it doesn't fit expectations from the real world. If a
document shows up in Karen's files it's Karen's copy of that document. Karen
shouldn't have to track which docs are actual copies and which are still
considered Jill's.

In any case given it's possible to delete Jill's data from Google is Google
required to delete the document from Karen's account even if Karen has made a
copy? Where is this covered? It's not really Karen's copy, both are Google's
copy. It's on their servers.

This is not trolling. This is trying to understand the GDPR.

~~~
guitarbill
What, just like you don't "own" software, you buy a license which can be
revoked at any time? The digital world doesn't map to physical concepts any
more. Even before the GDPR, Google has always been able to shutter your
account for various ToS violations, and you better hope you had backed it up.

~~~
tokyodude
What happens at google is irrelevant except to demonstrate the issue. The
question is whether or not the GDPR __REQUIRES__ that Jill's copies she sent
to Karen get deleted from Karen's account.

