Loads of people in here who support the concept of net neutrality which helps enable permissionless innovation by not imposing huge costs on those who publish or allowing others to impose costs on them, now cheerlead for the right to impose extraterritorial regulation without representation.
There was a time you could just set up a site on the net and not have to worry about much, apparently now you have to worry about the Union of all possible foreign laws in case anyone from outside geographic regions visits your site. It could be a race to the lowest common denominator of freedom, or conversely yield balkanization of the internet as more Geo-IP blocks go up or more great firewalls.
How many of you love “this video or music isn’t available for playback in your region”?
That could be much more common in the future and contrary to commentary far more likely to hurt smaller and medium sized players than the real targets of the laws.
There is a process for international regulations, we sign treaties like with copyright, and I get some legal representation in these regulations from my elected representatives. I didn’t elect the European Parliament. If you don’t like my website, don’t use it.
I mean, obviously you’d say that if you physically flew to the US and bought something in a store, that store only needs to obey US regulations. Or if you ordered an international package and had it delivered.
So why do you think sending packets to my geographic location suddenly imposes restrictions on my sovereignty? Virtual goods require more regulations than physical ones?
Even if I agreed with the spirit of these regulations, the idea that you can force your local regulations on a global audience without negotiation opens up a real slippery slope.
By what ethical or legal argument are European regulations any more relevant to Chinese, Thai, or Turkish? Doesn’t Saudi Arabia have an equal right to claim you can’t run a site that slanders the prophet Mohammed and you have Saudi Citizens on your site?
Why are your regulations more relevant than anyone else’s? What if my country rules that running a web site is protected free speech?
Any kind of international regulation of the internet must be agreed to by international treaty.
The recital also mentions "accidental events that compromise availability, integrity, authenticity,..." That seems to cover debugging for me. No need to ask for consent.
To do certain analytics like page count, you don't need the IP, so that seems ok for me. To track individual customers however, that's something else.
PS: according to GDPR, a hashed IP will be "pseudonymisation", not anonymisation because you can have a key to go back to the original value. True anonymisation removes all info (the IP in this case).
People tend to set up sites and just stash web logs in the beginning. They then learn later what their business needs are and may decide to post process their logs.
You're suggesting a new site pay all of these costs up front to comply with these regulations, you can’t time shift concerns by collecting data and deciding whether you need it later.
Granted, you could argue that this is bad practice anyway, but many startups work exactly like this, maximum logging early, dropping retention later after beta.
If you are not physically hosting in the EU, how many people want to even read the GDPR? A lot of sites don’t even know where their users are coming from until they run analytics.
If you say, use a point-and-click installation of Wordpress on AWS/GCP/Azure, you're going to get IP logs being held. I'm just pointing out that the regulations impose a lot of costs and expose people to huge risks.
I mean, can I be held liable if I use an open source downstream dependency from npm or Maven, and it just so happens to have debug logs that are storing info, and I didn't know about this logging cause I didn't audit every line of code from a downstream dependency?
For large companies, this isn't going to be a problem, but the entire open source ecosystem operates on a system that for the most part, you aren't exposed to legal liability by them, except in cases like patent violations or copyright infringement, but now there's a huge cognitive burden being levied on top by a massively complicated new regulatory framework.
In addition, watch out for logs. By default all web servers log requests with the IP address, and depending on what you do with these logs, the IPs are there.
Consider the ICO -- the UK privacy commission -- has been promising final GDPR guidance for perhaps half a year now, and instead are sitting around with their thumbs up their asses waiting on the Article 29 Working Party final guidance. The Article 29 Working Group held comments open until 23 January 2018. Some unknown amount of time later, that working group will finalize, and then some unknown amount of time later, the ICO will issue their guidance.
But don't you worry, the ICO plans to offer no grace period to us!
How the hell organizations are supposed to be ready by 25 May when they may receive final guidance in late February is a hell of a question. Realistically, considering the ICO's adherence to deadlines so far, they're gonna deliver their final guidance promptly for May 2019.
I'm essentially assuming users will be hit with a blizzard of opt-in dialogues.
One of the few things in the GDPR that will have impact is if you use consent as a legal basis for processing, everything has to be default opt-out.
Say you have a large marketing database and you're trying to figure out the nuances of consent. Or you are a large bank and run on a fidgety mix of consent and legitimate interests. Three months is nowhere near enough time to get everything finished.
On top of that, developing business software becomes incredibly complex when navigating all of the potential ramifications of these policies. I thought it was strange that the SAP SDK at a hackathon essentially required the app to get OAuth permission from the user to access / write an encrypted payload that the app couldn't read / access / delete / update without user consent.
We would not be here in the first place if companies and website owners treated the user's privacy with respect. I don't feel pity for them that they jump through hoops now.
If you host a small personal site, just consider axing Google Analytics. You can get reasonably good statistics by just using a local log analyzer that does not upload your visitors' data to an analytics/ad company. Respect your users' privacy.
1) Has your user consented to your webserver's access logging?
2) Has your user consented to the use of access log entries about them for analytical purposes?
3) How will you delete the access log entries corresponding to a user upon request?
4) How will you provide a user with the access log entries about them upon request?
(I am not a lawyer, this is not legal advice).
1. Concerns of security and quality of service (gathering logs with full IP addresses is allowed for a reasonable time, a few days for example).
2. You don't need to delete the logs if you use them for this specific purpose only.
3. For analytical purposes it is enough to use pseudonymous identifiers; in the case of an IP address, zero out the last part and you are fine.
4. Using Piwik or your own cookies? Suddenly it's not a third party cookie anymore and you are more free to do things.
The problems for operators begin when they are handing this over to a third party.
But storing IP addresses for each access indefinitely (> some days) is the problem.
If you rotate the files into a version where IP addresses are without the last part after a few days, then this is considered pseudonymous data and GDPR has no problem with you keeping this for a long time anymore.
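The log-rotation step described above (zeroing the last part of each client address so the retained file is pseudonymous), as an added example that is not code from anyone in this thread. It assumes Apache/nginx "combined" format, where the client address is the first field; the sample log lines are constructed, and the IPv6 handling (keeping a /48) goes beyond the thread's IPv4-only wording.

```python
import ipaddress
import re

# Constructed sample access-log lines in Apache/nginx "combined" format.
# The third line is deliberately malformed to show the non-address path.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Feb/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Feb/2018:13:55:37 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.58.0"
not-an-ip - - [10/Feb/2018:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# Client address is the first whitespace-delimited field; everything after
# it (including the trailing newline) is kept byte-for-byte so existing log
# analysers still parse the rotated file.
_CLIENT_RE = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def truncate_ip(addr: str) -> str:
    """Zero the host part of an address, as the comment above describes.

    IPv4: last octet set to 0 (keeps a /24).
    IPv6: low 80 bits zeroed (keeps a /48); this is an extension beyond the
          thread's wording, chosen because a single /64 usually identifies
          one subscriber, so truncating only the last group is not enough.
    Anything that does not parse as an address is returned unchanged.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_line(line: str) -> str:
    """Rewrite one access-log line, touching only the client address field."""
    m = _CLIENT_RE.match(line)
    if not m:
        return line
    return truncate_ip(m.group(1)) + m.group(2)


def pseudonymize_log(text: str) -> str:
    """Rewrite a whole log file's contents, preserving line structure."""
    return "".join(pseudonymize_line(l) for l in text.splitlines(keepends=True))


def retains_full_address(original: str, rewritten: str) -> bool:
    """Check used before the rotated file is kept: does any full client
    address from the original still appear in the rewritten output?"""
    for line in original.splitlines():
        m = _CLIENT_RE.match(line)
        if not m:
            continue
        addr = m.group(1)
        if truncate_ip(addr) != addr and addr in rewritten:
            return True
    return False


if __name__ == "__main__":
    out = pseudonymize_log(SAMPLE_LOG)
    print(out, end="")
    print("full addresses retained:", retains_full_address(SAMPLE_LOG, out))
```

If the server sits behind a reverse proxy, the real client address is usually in a later field (e.g. an X-Forwarded-For column in a custom log format) and the regex must be adjusted to cover it, otherwise the rotation strips only the proxy's address.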
First: I think it is ethically better, because you are not giving your users' data to a large company that builds profiles of your users for their own purposes.
Second: if you pass the data to an analytics company, you share responsibility in ensuring that that data is processed according to the GDPR. Article 83 states on imposing/determining fines:
the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
It is up to you (as the controller) to ensure that you use a data processor that is GDPR-compliant (Article 28):
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
(By the way, it seems from the same article that you also need a written contract with the data processor that specifies exactly what data is provided, for which period, etc.)
tl;dr: it seems much easier to fulfil the obligations of the GDPR when you do not involve third parties.
And yes, as devs it does force us to ask hard questions that we've been conveniently ignoring, usually at the request of management or marketing. Does this need detailed analytics? Do we need to store this information? How do we need to store this information? How do we design UX to withdraw consent? How do we handle the absence of consent? Etc. More difficult, but more ethical, too.
One nice thing (maybe) is that it's so much effort to get consent to run pervasive analytics on EU users, that many people might just stop running pervasive analytics on EU users at all. Maybe all users? At least I can dream...
If you open shop in a different country, you follow their laws. Your website being accessible in a country is seen as the same thing. It's not hard to implement geo blocking if you want to show best effort and thereby opt out of it.
If your website is doing business (i.e. Has some sort of legal presence) in another country, well, that's a different story.
If you're referring to logging, there are some good responses in this discussion on how that will still be ok.
Feedback from the trenches: it is a very good thing. Suddenly corporate people are beginning to care about security and privacy: we receive spontaneous inquiries from customers about compliance as well as various questions about password storage policy and proper encryption. Previously the very same people were laughing in our face when we told them passwords must not be stored as plaintext. Whatever the content itself, the message of the GDPR is clear: companies have to care about their users privacy and security, or they'll get a wild kick in the guts.
If you don't process PII about people from the EU then GDPR does not apply. Merely accessing the page from the EU does not trigger GDPR.
I do think DPAs attempting to regulate EU external sites will be something to behold.
I just wish they'd drop the absurd pretense that the EU is somehow capable of imposing their provincial laws on foreign companies with no physical presence in the EU.
It's not like the EU is saying "These activities must be abolished from the planet!"; the EU is saying "You can't do these things to our citizens without their explicit consent, and we will punish you if you do, regardless of where you host your website."
It's a statement that someone's private data and intellectual property is theirs. You aren't free to steal it just because you're in another country. Google and Facebook have no divine right to people's personal data, and I am thrilled to see countries protecting their people.
Private data is data you don't share. Under some very limited circumstances, you might entrust private data to a third party for safekeeping, i.e. Dropbox, Google Photos, iCloud Drive, and it's important that they not leak or abuse it.
But that's only a tiny portion of what the GDPR is about. It concerns records of your interactions with others. It's a statement that one side of an interaction is entitled to force the other side to delete their memory of that interaction, or to dictate the situations under which they are permitted to remember it.
Corporations have incredible power compared to the individual, and before GDPR, it was commonplace for services to require unreasonable privacy violations: And consumers had to either accept it, or be cut off. (In many cases, the companies doing this have monopolies, making this even more problematic.)
Realistically, this is not going to impact small companies a lot. This is about big ad and tech companies, and giving citizens some minor semblance of tools to resist them.
I don't know if it's possible to have a productive discussion about what seems to be a question of fundamental philosophy and values, but that's ridiculous on its face.
If I'm a shop owner and a customer buys something from me, the cash register prints two receipts: one the customer owns, one I own. If a customer writes me an email, I own my copy of that email. If a customer comes in and makes a scene, and I ban him from my store's premises, the paper I generate telling my staff to call the police if they see him is mine.
If I follow him around and write down everywhere he goes... at some point a line gets crossed, sure. If I start asking other shopkeepers if they've seen him or what he purchased, yeah, something's wrong. But to claim that my records of the interactions he knowingly, willingly had with me are his property just sounds bizarre.
>Realistically, this is not going to impact small companies a lot. This is about big ad and tech companies, and giving citizens some minor semblance of tools to resist them.
The GDPR does not discriminate by the size of the operation. It's large companies which can reliably afford the consultant, lawyer, and engineering time to understand and adapt to new regulation. The violators are going to be those without security and compliance departments.
The paper you printed to ban someone from your store falls under Art1, §1, Section f of the GDPR; your interest in keeping that person out of the store outweighs their interest in keeping their details private.
For the record, when I build services, I personally don't intend to ever keep any records that aren't absolutely necessary to provide the service. That's a personal decision, a voluntary one, and also one that can be marketed to certain customers, though that isn't the reason. I also believe that if you send data to a website then it becomes subject to whatever terms they want to apply to it, and if you don't like how they use your data then don't send it to them, and block them.
The US has forced its laws on other countries in this way for decades, always to protect profits, it's great that now another actor enforces its laws the same way, for the public.
But if you're a company specifically soliciting EU customers, and especially if you have a presence in the EU physically, expect to have issues if you're collecting data on them without consent.
Bear in mind, the US will extradite people for committing crimes against US entities who live fully within other countries. Presumably if the act is bad enough... that sort of thing starts to play in. (Seriously, if the EU tried to extradite Sundar Pichai... that'd be something, wouldn't it?) The crime has to be befitting such effort though. One EU citizen's data swept up in your Google Analytics data does not make you worthy of a legal case. Do it several million times... maybe.
tl;dr: If you're an average company not operating in or marketing to the EU, this doesn't affect you. If you're the size it's likely to be an issue for you, you're likely big enough to handle the additional requirements and do fine.
The EU has neither the right nor the ability to deliver on that threat. I will continue to ignore the GDPR, as I ignore the ridiculous cookie laws, without worrying about European police raiding my home at night.
But I will take no actions on my end to implement EU laws, and it's laughable that some people in this thread imagine the EU has the power to coerce me to do so.
I don't like what is happening here, but when people want a particular outcome strongly enough, they tend to set aside more principled concerns.
Enforcing laws internationally is easy, considering that there are systems designed to allow the police of one country to freeze the assets of citizen of another country.
You might just wake up one morning with your bank accounts frozen and your credit cards revoked if you violate the GDPR.
Governments have previously seized entire airplanes to pay for a single $500 fee that an airline refused to pay, don't expect it won't happen to you.
Please, spare me. I'm no more worried about EU laws than I am about China seizing my accounts for mentioning Tiananmen Square. You overestimate the EU's reach.
They aren't capable of doing that, if those companies do not do business within the EU. As soon as those companies have the power to negatively impact EU citizens, however, the EU has the power to protect those citizens.
'You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from.'
Consent is just one option. You can do logging without personal data. You might have a legal obligation to do (full) logging. You might have a legitimate interest. And so on …
It is wrong to summarise the GDPR as 'consent is always necessary'.
I'll give you that the article is not very comprehensive, but the GDPR is large and complex and the author doesn't set out to cover it in every detail. What misunderstandings did you see?
Some standards based description about the cookies/etc. that could be consented. Non-consent means the cookie isn't accepted by the browser.
Too many notices, requests for confirmation will be a problem. So I expect the company should be able to instantiate analytics with a parameter saying that they asked for confirmation and what the response was.
Aside from that I think there might end up being a performance benefit from the GDPR. The difficulty of keeping permissions to track across different adtech providers becomes onerous, and big media companies start throwing out a bunch of them.
Moving towards slightly more delicate issues (compared to tracking someone's browsing habits), in relation to the right to be forgotten, if I make a request to Equifax and Experian to remove all personally identifiable information they hold about me, will this actually be possible?
Will my bank then contact me for consent to pass my data back over to them? Will I be able to open a new bank account in the future if Experian and Equifax delete my data?
How would this whole legislation deal with something like this?
1. All third parties that a site might pass information to must be listed.
2. The site is responsible for ensuring all the third parties it passes information to support a way to delete that information. So if you ask them to delete something, they have to forward that request to third parties, who then have to delete what was provided by that site. The site is liable, so they have to make sure they have contracts covering this with any third parties they would pass the information to.
3. The deleted information by the third party only has to be the information from that site, not every site.
4. There are a number of exceptions specifically involving things like banking, especially if you have a legal, signed contract that obviously cannot be erased with the click of a button. So specifically in the case of Equifax and Experian, it's unclear.
5. I am not a lawyer, disregard everything I said lololol.
If you come to think of it, it is also a privacy nightmare...
Therefore Google Analytics is blocked by my Privacy Badger!
Accounting logs might need to be kept up to seven (in some cases 10) years, so the data related to them should be kept. The data is sort of field based and some might need to be able to be forgotten earlier.
This doesn’t make this a good analogy though. The GDPR does not prohibit storing private data, it just requires explicit and informed consent. It does not require deletion of data that is required to conduct a transaction, such as receipts, order data or addresses required to fulfil an order. It doesn’t impact storage of data required for law enforcement or any other reason that is mandated by law. It just doesn’t allow non-consensual tracking and accumulation of private data.
It gets even worse with its extraterritoriality, because you can still be under it if you're dealing with a person who lies that they are an EU citizen and they are using your service in your own non-EU country as a resident of the non-EU country. It's like data FATCA.
And there are other loopy catch-22 ambiguities, like if you want to delete someone from your audit log, do you delete their personal info (which is a fairly expansive definition under GDPR) from the audit log too? Then how can you show you deleted the person's info if they are also deleted from your audit log?
Read this to see more from the small company side and how much of a mess it is:
Think of this theoretical situation. If you're an EU citizen vacationing in a developing nation who has a medical emergency, could that hospital just decide to reject you because the hassle & cost of dealing with GDPR is too great? Remember, it's a developing nation, they can choose to just refuse service to you.
Kind of like how a lot of Americans get rejected by non-US banks because dealing with FATCA is just too much of a pain in the ass today?
I read his post, and wonder if the 'attorneys' he consulted are specialists in EU law, or were his standard ones. There's a lot of FUD around GDPR but the guidance is getting better, and people assume it's being 'policed' when the UK's body (the ICO) is more about guiding into best practices than punishment.
The comments (esp around medical records) suggest ignorance of how it's working.
Source: reading the GDPR and accompanying notes from the ICO; discussions with a large company's GDPR advisor, who was involved in drafting the legislation.
Disclaimer: this is not legal advice, I am not a lawyer, and you are an idiot if you act on anything I say.
Phew, crisis averted!
That's fundamentally incorrect. As a non-EU citizen, I reject the notion that a foreign government has the right to impose their own laws on me, be it the EU or China or anyone else. If the EU thinks it's a problem that I'm offering a service to EU citizens that doesn't comply with laws I have no vote on, frankly they can sod off.
Selling to EU customers as a US business already requires you to have a VAT ID in the EU, so what does this change for you? In the end the main provision is to only require and store customer data which is effectively needed for providing the services and goods you offer. If you are doing business responsibly, this should not affect you at large as it mainly formalises these processes and requires you to actually write down and document what data you need for what processing steps. If you cannot do that, your business is already flawed and not because GDPR does not work for you.
That's not quite right. If you are a digital service provider based in the US, no, you don't need an EU VAT ID.
If you're running a Chinese site aimed at Chinese you're good.
If you're running an Indonesian site aimed at Germans you need to honour the GDPR.
I work in a place that would be beyond heavily affected by GDPR and I find the legislation a good change as companies should not hoard data they don't need - just in case... or just to sell.
However if you have some direct business and do accept payments - by all means make it secure and transparent to your customers.
For starters, if you don't take payment and aren't in the EU, EU enforcement power is going to be extraordinarily limited. And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?
I think the GDPR was basically aimed at some of the scummier adtech practices and businesses like Facebook, and for those, it will be very enforceable.
You need an EU VAT ID to accept payments from EU citizens. So they will revoke that and then you can't accept payments from the EU.
This was mentioned before: No, you don’t.
Millions of business around the world accept transactions from EU citizens every day without collecting any VAT or having any relationship with the EU.
Just because you can doesn't mean you should. And not asking that question has got us where we are today.
If you don't, you're effectively stealing from me and I shall expect my government to go after you to the full extent of the law.
EU citizens can choose to use services offered under other countries' laws, or not. The EU can choose to implement their own Great Firewall to block such services, or not. Frankly I don't care either way.
In extreme cases of non-compliance, avenues for enforcement that have been discussed reuse existing Anti Money Laundering mechanisms: once flagged in the system, banks will simply freeze your business assets connected to EU countries and you might be arrested upon crossing any EU border.
... because laws that enable mass-surveillance are somehow worldly?
It doesn't. But once you enter Europe expect to be in trouble (if there is anything going on against you). Also forget to do business in Europe (with EU citizens).
So if you don't care about these, then you don't have to care about this law.
I basically agree with your assessment.
Digital services (say from the US) do require EU VAT registration. If you don't have that and your country has a tax agreement with the EU (or some countries from the EU), there is a risk of being prosecuted. It won't happen if you get like 1000 customers in each country of the EU (as the latter has no global tax organization like the IRS).
Keep in mind also that if you have too much unexplained income your own tax authorities can investigate the case, incl. anti money laundering.
Bottom line is: it's rather hard to sell services (let alone goods) in cases where you are non-compliant with the laws.
Internet is not a magic wand.
Regardless, businesses have been dropped from their payment provider for less, so there is certainly leverage.
What bothers me the most is, as a non-European citizen of a country that has nothing to do with Europe, I'm expected to modify the source code of my website to adhere to their laws, which aren't from my country. The important part: WWW is a global platform to showcase your service/work globally. I have a problem because one entity thinks the global service needs to be customised specifically for them. How about "don't like it, don't visit it?"
Simply put, I don't want to get into an argument whether this GDPR is bad/good, but, I know that I didn't vote for or against this and it's not in my jurisdiction. I don't belong to Europe either, so what are you going to do?
This is what I'm going to do: I'm going to block access to my services to anyone based in Europe. It WILL affect our cash flow in the long run, but, I'm tired of governments that I don't care about expecting me to follow some nonsense I have no part of under the guise of compliance on a global platform that is WWW ("WORLD WIDE Web"). I think, if enough webmasters fight back, then they'll realise. And the only way is to block your services to the EU.
As a cherry on top, I'll even put up a redirect notice stating:
"Sorry, you belong to the EU and we're not going to follow
your laws. Please fight back with your GOV if you wish to
have access to our services. This has nothing to do with
Ever been on a plane? ... Used a cellphone outside your own borders? ... Eaten a beautifully ripened imported cheese along with a stunning imported wine?
Put your money where your mouth is: boycott all benefits of transnational cooperation and international legislation. NGOs are how a lot of the capitalism on this planet gets done. 'Compliance' is how we protect our businesses and consumers against fraud and mislabeled products.
Functionally "compliance" is a judicial equivalent of an API... All I'm reading is "Why do I gotta use Google's APIs? I wanna make my own APIs! No more API use, no matter the costs to my customers, because I'm sick of giant oligarchies demanding I comply to their demands! What are you gonna do?"
They'll stop doing business with you, that's what. And shrug about it. Your website will be replaced with one from Romania, and you'll probably develop a deep sense of irony if you feel they've infringed on your IP in any way and want to sue them... because all that stuff is based on 'compliance' too.
When I take a plane to some country I will follow their rules, protocols, yes.
But imagine, I had a museum that can be accessed world wide, instantly and some guy from a specific country/region had a problem with one of my showcases in the museum, do you expect me to alter my museum for this guy and his groupies so they'll be happy?
Whenever you or anything you ship touches a commercial airliner you enter a globally coordinated network of non-governmental compliance and multi-government regulation spanning every aspect of every device and every protocol. The only reason you CAN take planes to other countries is this international "compliance". Where "you" had to do exactly what "we" have said, because if "you" don't then "you" get to be excluded from global trade.
I have already addressed your hypothetical in my comment... There is no "expect", only business reality. The same solution as above, and the same irony, applies.
Your argument that it’s weird that you have to “adhere to their laws” is a fallacy. Your decision to leave the market is up to you.
Suddenly, the EU thinks "Oh, if you have a website that is accessible from the EU, then you need to display X". Sorry, then what was the point of WWW? And more important, why should I update my code? It costs me money and you're not paying me, obviously (you = GOV). Why don't you ask your citizens to stop visiting websites that track them? I showcase my service on a global platform. Don't like it? Don't visit it.
I may remind you of the Megaupload case, where a German is under arrest in New Zealand for breaking US law by offering his site to American visitors.
The US has created the precedent for enforcing local law internationally during both the piracy enforcement cases, and the NSA cases.
As a result, it is just expected that other countries will use this tool for their own purposes — in this case, the EU is using it even for the benefit of the people. Something you can't say about the use the US made of it.