GDPR and Google Analytics (adactio.com)
91 points by philnash 11 months ago | 129 comments

Let’s all have a moment of silence for John Perry Barlow’s Declaration of Cyberspace Independence back when it was envisioned the internet would be a place where any entities could communicate or associate free of government control or censorship.

Loads of people in here who support the concept of net neutrality which helps enable permissionless innovation by not imposing huge costs on those who publish or allowing others to impose costs on them, now cheerlead for the right to impose extraterritorial regulation without representation.

There was a time you could just set up a site on the net and not have to worry about much, apparently now you have to worry about the Union of all possible foreign laws in case anyone from outside geographic regions visits your site. It could be a race to the lowest common denominator of freedom, or conversely yield balkanization of the internet as more Geo-IP blocks go up or more great firewalls.

How many of you love “this video or music isn’t available for playback in your region”?

That could be much more common in the future and contrary to commentary far more likely to hurt smaller and medium sized players than the real targets of the laws.

You can still set up a site and not have to worry about much, as long as you're not processing other people's personally identifiable information without their explicit consent.

Or as long as nothing on my site insults the Thai king, or mentions the Armenian genocide, or Tiananmen Square?

There is a process for international regulations, we sign treaties like with copyright, and I get some legal representation in these regulations from my elected representatives. I didn’t elect the European Parliament. If you don’t like my website, don’t use it.

I mean, obviously you’d say that if you physically flew to the US and bought something in a store, that store only needs to obey US regulations. Or if you ordered an international package and had it delivered.

So why do you think sending packets to my geographic location suddenly imposes restrictions on my sovereignty? Virtual goods require more regulations than physical ones?

Even if I agreed with the spirit of these regulations, the idea that you can force your local regulations on a global audience without negotiation opens up a real slippery slope.

By what ethical or legal argument are European regulations any more relevant to Chinese, Thai, or Turkish? Doesn’t Saudi Arabia have an equal right to claim you can’t run a site that slanders the prophet Mohammed and you have Saudi citizens on your site?

Why are your regulations more relevant than anyone else’s? What if my country rules that running a web site is protected free speech?

Any kind of international regulation of the internet must be agreed to by international treaty.

But then you don't consider the IP address personally identifiable information? The GDPR does.

You can serve web content without storing the IP address of the user. If you need to use it for anonymous correlation of requests, you can hash it first.

In addition, you can store the IP address if you want to use it for infosec (such as finding out who to block in case of a DDoS attack). See https://gdpr-info.eu/recitals/no-49/

The recital also mentions "accidental events that compromise availability, integrity, authenticity,..." That seems to cover debugging for me. No need to ask for consent.

To do certain analytics like page count, you don't need the IP, so that seems ok for me. To track individual customers however, that's something else.

PS: according to the GDPR, a hashed IP will be "pseudonymisation", not anonymisation, because you can have a key to go back to the original value. True anonymisation removes all info (the IP in this case).

Most small web sites don’t have the resources for this. Many don’t even know if they will have analytics in the beginning, or infosec.

People tend to set up sites and just stash web logs in the beginning. They then learn later what their business needs are and may decide to post process their logs.

You're suggesting a new site pay all of these costs up front to comply with these regulations: you can’t time-shift concerns by collecting data and deciding whether you need it later.

Granted, you could argue that this is bad practice anyway, but many startups work exactly like this, maximum logging early, dropping retention later after beta.

If you are not physically hosting in the EU, how many people want to even read the GDPR? A lot of sites don’t even know where their users are coming from until they run analytics.

Actually, I was trying to point out ways to not have to remove/prune your logs...

Right but these days, if you rent a cloud hosted docker container with say, nginx or httpd, you'll get HTTP logs via fluentd with full IP address information, and a lot of people will push these into storage like S3 or GCP buckets for analysis later.

If you, say, use a point-and-click installation of Wordpress on AWS/GCP/Azure, you're going to get IP logs being held. I'm just pointing out that the regulations impose a lot of costs and expose people to huge risks.

I mean, can I be held liable if I use an open source downstream dependency from npm or Maven, and it just so happens to have debug logs that are storing info, and I didn't know about this logging cause I didn't audit every line of code from a downstream dependency?

For large companies, this isn't going to be a problem, but the entire open source ecosystem operates on a system that for the most part, you aren't exposed to legal liability by them, except in cases like patent violations or copyright infringement, but now there's a huge cognitive burden being levied on top by a massively complicated new regulatory framework.

The IP space is so tiny that hashing doesn't make any difference.

In addition, watch out for logs. By default all web servers log requests with the IP address, and depending on what you do with these logs, the IP are there.

Yes sure, an internet free of control and censorship is a nice fantasy. But look at today's internet. It's a giant surveillance machine. And that's not going away on its own, because collecting user data is such good business. So the market will not solve this, quite the opposite, it will only do more of the same if it gets the chance. Regulation is the only thing that can save the internet from itself now.

My problem with the GDPR is the EU can't even be bothered to tell us what it is before the effective date. And the GDPR itself is quite vague; lots of balancing tests and blah blah with very little guidelines on what those mean in practice. So where do the guidelines come from? Funny you should ask.

Consider the ICO -- the UK privacy commission -- has been promising final GDPR guidance for perhaps half a year now, and instead are sitting around with their thumbs up their asses waiting on the Article 29 Working Party final guidance. The Article 29 Working Group held comments open until 23 January 2018. Some unknown amount of time later, that working group will finalize, and then some unknown amount of time later, the ICO will issue their guidance.

But don't you worry, the ICO plans to offer no grace period to us!

How the hell organizations are supposed to be ready by 25 May when they may receive final guidance in late February is a hell of a question. Realistically, considering the ICO's adherence to deadlines so far, they're gonna deliver their final guidance promptly for May 2019.

I'm essentially assuming users will be hit with a blizzard of opt-in dialogues.

One of the few things in the GDPR that will have impact is if you use consent as a legal basis for processing, everything has to be default opt-out.

While I largely agree with you, for the most part enough guidance has been available that many companies have been preparing to handle GDPR. They should have done a far, far better job with this but it's not entirely a "We won't know anything until late Feb" kind of thing.

That's true, however, there's no fixed limit to the possible distance between draft and final guidance.

Say you have a large marketing database and you're trying to figure out the nuances of consent. Or you are a large bank and run on a fidgety mix of consent and legitimate interests. Three months is nowhere near enough time to get everything finished.

To be fair, it isn't really ICO's fault - the government has never wanted the ICO to be really effective, judging by the UK laws the ICO was given to work with, and the laughably tiny fines they can impose. Wouldn't surprise me if they're underfunded and stuck in the Brexit mess, never mind that the GDPR will come into effect soon.

It might be an unpopular opinion here, but I'm not entirely sure that the GDPR is going to be a good thing. It seems strange to me to have this enforcement of policies from countries that are not my own just because my website is accessible from those countries.

On top of that, developing business software becomes incredibly complex when navigating all of the potential ramifications of these policies. I thought it was strange that the SAP SDK at a hackathon essentially required the app to get OAuth permission from the user to access / write an encrypted payload that the app couldn't read / access / delete / update without user consent.

I see your point, but a large majority of web sites are extremely misbehaving, since they allow Google (and typically a bunch of other analytics firms) to track users around the web without any consent (through Google Analytics). I find this terribly frustrating. I decided to opt out of the Google ecosystem completely, but data about me is still vacuumed through Google Analytics and Google-hosted JavaScript/CSS. I use uMatrix, but blocking Google-hosted assets is out of reach for most non-technical users.

We would not be here in the first place if companies and website owners treated the user's privacy with respect. I don't feel pity for them that they jump through hoops now.

If you host a small personal site, just consider axing Google Analytics. You can get reasonably good statistics by just using a local log analyzer that does not upload your visitors' data to an analytics/ad company. Respect your users' privacy.

> You can get reasonably good statistics by just using a local log analyzer that does not upload your visitor's data to an analytics/ad company.

1) Has your user consented to your webserver's access logging?

2) Has your user consented to the use of access log entries about them for analytical purposes?

3) How will you delete the access log entries corresponding to a user upon request?

4) How will you provide a user with the access log entries about them upon request?

(I am not a lawyer, this is not legal advice).

From what I caught talking to our lawyer, there are other levels of consent than explicit consent by the user that might be revoked, in this case.

1. concerns of security and quality of service (gathering logs with full IP addresses is allowed for a reasonable time, a few days for example).

2. you don't need to delete the logs if you use them for this specific purpose only.

3. for analytical purposes it is enough to use pseudonymous identifiers; in the case of an IP address, zero out the last part and you are fine.

4. using Piwik or your own cookies? Suddenly it's not a third party cookie anymore and you are more free to do things.

The problems for operators begin when they are handing this over to a third party.

It is remarkable how many websites use Google fonts. I wasn't really aware until I used uBlock to disable third party fonts, and icons started disappearing on many fonts. Web designers are inadvertently enabling mass corporate surveillance by simply trying to save bandwidth on font icons.

Google Fonts is actually not a problem from a GDPR perspective as long as the EU-US 'Privacy Shield' is in force. All in all, Google's data privacy compliance is outstanding in comparison with most other US companies, only Amazon and Microsoft are probably on the same level.

Maybe I’m misunderstanding the GDPR, can you explain how tracking your users through logs is OK within the GDPR, but Google Analytics isn’t OK?

Logfiles are necessary to operate a service securely and guarantee quality of service. This is one form of implicit consent that users are giving you without you having to ask them for it.

But storing IP addresses for each access indefinitely (> some days) is the problem.

If you rotate the files into a version where IP addresses are without the last part after a few days, then this is considered pseudonymous data and GDPR has no problem with you keeping this for a long time anymore.
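The log-handling points raised in this sub-thread (zeroing out the last part of the IP when rotating logs, keeping a keyed pseudonym where requests still need correlating, and why a bare hash of an IPv4 address is not anonymisation because the address space is so small) worked through in Python. This is an added example, not code from any commenter; the log lines are constructed, and masking IPv6 to /48 is my assumption since the thread only discusses IPv4.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample "combined" access log lines; the client IP is the first field.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Mar/2018:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [10/Mar/2018:13:55:37 +0000] "GET /a.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5 - - [10/Mar/2018:13:56:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58"',
]

IPV4_PREFIX = 24  # "zero out the last part" of an IPv4 address, as the comment suggests
IPV6_PREFIX = 48  # assumption for IPv6; the thread only talks about IPv4


def mask_ip(ip_text):
    """Truncate an address so it no longer singles out one host."""
    addr = ipaddress.ip_address(ip_text)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonym(ip_text, key):
    """Keyed token: the same IP maps to the same token, so requests can still be
    correlated, but only the key holder can recompute the mapping. That is why
    the GDPR treats this as pseudonymisation rather than anonymisation."""
    mac = hmac.new(key, ip_text.encode(), hashlib.sha256).hexdigest()
    return "ip-" + mac[:16]


def rewrite_log(lines, key=None):
    """Replace the client IP field of each line. With a key, emit a keyed
    pseudonym; without one, truncate the address (the rotation step the
    comment above describes)."""
    out = []
    for line in lines:
        ip_text, rest = line.split(" ", 1)
        replacement = pseudonym(ip_text, key) if key else mask_ip(ip_text)
        out.append(f"{replacement} {rest}")
    return out


def plain_hash(ip_text):
    """Unkeyed SHA-256 of the address: the scheme some sites mistake for anonymisation."""
    return hashlib.sha256(ip_text.encode()).hexdigest()


def recover_from_plain_hash(digest_hex, candidate_network):
    """Why an unkeyed hash adds nothing: the IPv4 space is small enough to
    enumerate. Reduced demo over one /20 (4094 hosts); the whole space is only
    2**32 addresses and is just as enumerable, only slower."""
    for host in ipaddress.ip_network(candidate_network).hosts():
        if plain_hash(str(host)) == digest_hex:
            return str(host)
    return None


if __name__ == "__main__":
    print("truncated:")
    for line in rewrite_log(SAMPLE_LOG):
        print(" ", line)
    print("keyed pseudonyms:")
    for line in rewrite_log(SAMPLE_LOG, key=b"rotate-this-key-regularly"):
        print(" ", line)
    leaked = plain_hash("203.0.113.42")
    print("bare hash recovered as:", recover_from_plain_hash(leaked, "203.0.112.0/20"))
```

Rotate the HMAC key (or discard it once the security or debugging retention window has passed) if the keyed tokens are meant to become unlinkable to a person later.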

Local log files are not automatically compliant by my reading of the GDPR, but IANAL. My understanding is that PII is a huge risk, regardless of it being local or with a vendor, and you aren't allowed to track things that you aren't actively using for some business process. Many default log formats have data that people don't actively use, which seems to be a violation of GDPR even for local files.

Again, IANAL.

IANAL, so this is not legal advice!

First: I think it is ethically better, because you are not giving your user's data to a large company that builds profiles of your users for their own purposes.

Second: if you pass the data to an analytics company, you share responsibility in ensuring that that data is processed according to the GDPR. Article 83 states on imposing/determining fines:

the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them

It is up to you (as the controller) to ensure that you use a data processor that is GDPR-compliant (Article 28):

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

(By the way, it seems from the same article that you also need a written contract with the data processor that specifies exactly what data is provided, for which period, etc.)

tl;dr: it seems much easier to fulfil the obligations of the GDPR when you do not involve third parties.

I still don't see how local files are by default compliant with the GDPR. I get that you prefer it from an ethical point of view, but that's unrelated to the specifics of the GDPR.

For sure it's a bit of a blunt tool, but we've seen companies can't be relied on to do it themselves.

And yes, as devs it does force us to ask hard questions that we've been conveniently ignoring, usually at the request of management or marketing. Does this need detailed analytics? Do we need to store this information? How do we need to store this information? How do we design UX to withdraw consent? How do we handle the absence of consent? Etc. More difficult, but more ethical, too.

One nice thing (maybe) is that it's so much effort to get consent to run pervasive analytics on EU users, that many people might just stop running pervasive analytics on EU users at all. Maybe all users? At least I can dream...

> It seems strange to me to have this enforcement of policies from countries that are not my own just because my website is accessible from those countries.

If you open shop in a different country, you follow their laws. Your website being accessible in a country is seen as the same thing. It's not hard to implement geo blocking if you want to show best effort and thereby opt out of it.

This can very quickly become onerous for anyone wanting to run a website, if they have to understand the law of any country where it might be accessed. I think the onus of geoblocking should be in the country that decides this website doesn't obey its laws, otherwise only large corporations with lawyers will be able to run websites.

If your website is doing business (i.e. has some sort of legal presence) in another country, well, that's a different story.

If I'm just serving cat pictures, then I agree. But as soon as money and/or PII is involved, then a different set of rules applies.

This is where the technical complexity comes in. All of a sudden my static hosted page on GitHub which gets a few hundred visitors per month and uses analytics should have geo blocking? How much overhead will that add to the small site?

It's very unlikely your static page contains personal data that would be ok in the US but not in EU.

If you're referring to logging, there are some good responses in this discussion on how that will still be ok.

> It might be an unpopular opinion here, but I'm not entirely sure that the GDPR is going to be a good thing

Feedback from the trenches: it is a very good thing. Suddenly corporate people are beginning to care about security and privacy: we receive spontaneous inquiries from customers about compliance as well as various questions about password storage policy and proper encryption. Previously the very same people were laughing in our face when we told them passwords must not be stored as plaintext. Whatever the content itself, the message of the GDPR is clear: companies have to care about their users' privacy and security, or they'll get a wild kick in the guts.

> It seems strange to me to have this enforcement of policies from countries that are not my own just because my website is accessible from those countries.

If you don't process PII about people from the EU then the GDPR does not apply. Merely accessing the page from the EU does not trigger the GDPR.

PII is an American concept, not a GDPR concept. The GDPR has a notion of personal data and it is much more expansive than PII. While merely accessing the page from the EU doesn't trigger GDPR, logging and analytics may.

I do think DPAs attempting to regulate EU external sites will be something to behold.

I'm pretty sure it does trigger in this case, if you have any tools like GA on your site.

Can the US please just pass this too? The EU's current stance on privacy and individual rights makes me want to pack up my life and move there. I'd much rather the law just come here though.

A lot of the GDPR's provisions are admirable, and fundamentally good for citizens. I'd like (some) similar rules in my country.

I just wish they'd drop the absurd pretense that the EU is somehow capable of imposing their provincial laws on foreign companies with no physical presence in the EU.

I think it makes sense when your activities infringe on the rights of citizens inside their borders.

It's not like the EU is saying "These activities must be abolished from the planet!"; the EU is saying "You can't do these things to our citizens without their explicit consent, and we will punish you if you do, regardless of where you host your website."

Indeed. The idea that a country would zealously protect its citizens' rights is practically unheard of these days, but that's what's starting to happen. GDPR is a great example, another one was Canada pushing a Right To Be Forgotten ruling worldwide as well.

It's a statement that someone's private data and intellectual property is theirs. You aren't free to steal it just because you're in another country. Google and Facebook have no divine right to people's personal data, and I am thrilled to see countries protecting their people.

>It's a statement that someone's private data and intellectual property is theirs

Private data is data you don't share. Under some very limited circumstances, you might entrust private data to a third party for safekeeping, i.e. Dropbox, Google Photos, iCloud Drive, and it's important that they not leak or abuse it.

But that's only a tiny portion of what the GDPR is about. It concerns records of your interactions with others. It's a statement that one side of an interaction is entitled to force the other side to delete their memory of that interaction, or to dictate the situations under which they are permitted to remember it.

You are anthropomorphizing companies here, and I think it's a pretty poor analogy. Corporations do not have a memory, they have records, and those records comprise the personal data of everyone who encounters them; data those companies don't own. You seem to be characterizing GDPR as unfair towards the corporate end of the interaction, but that ignores the massive power differential that currently exists.

Corporations have incredible power compared to the individual, and before GDPR, it was commonplace for services to require unreasonable privacy violations, and consumers had to either accept it, or be cut off. (In many cases, the companies doing this have monopolies, making this even more problematic.)

Realistically, this is not going to impact small companies a lot. This is about big ad and tech companies, and giving citizens some minor semblance of tools to resist them.

>data those companies don't own

I don't know if it's possible to have a productive discussion about what seems to be a question of fundamental philosophy and values, but that's ridiculous on its face.

If I'm a shop owner and a customer buys something from me, the cash register prints two receipts: one the customer owns, one I own. If a customer writes me an email, I own my copy of that email. If a customer comes in and makes a scene, and I ban him from my store's premises, the paper I generate telling my staff to call the police if they see him is mine.

If I follow him around and write down everywhere he goes... at some point a line gets crossed, sure. If I start asking other shopkeepers if they've seen him or what he purchased, yeah, something's wrong. But to claim that my records of the interactions he knowingly, willingly had with me are his property just sounds bizarre.

>Realistically, this is not going to impact small companies a lot. This is about big ad and tech companies, and giving citizens some minor semblance of tools to resist them.

The GDPR does not discriminate by the size of the operation. It's large companies which can reliably afford the consultant, lawyer, and engineering time to understand and adapt to new regulation. The violators are going to be those without security and compliance departments.

Receipts and (most likely) emails will not be affected: the former since they have to be kept around for tax purposes and the latter since they fall under freedom of expression; both are exempted from the GDPR.

The paper you printed to ban someone from your store falls under Art1, §1, Section f of the GDPR; your interest in keeping that person out of the store outweighs their interest in keeping their details private.

To which the entirely reasonable response from anyone without a legal nexus in the EU (or physical products to ship) is "we don't care and you have no legal right or ability to enforce that". And the entirely reasonable response from anyone thinking of creating a legal nexus in the EU without an extremely business-critical reason is "let's stay in our own country where it's safer and we only have one jurisdiction to care about".

For the record, when I build services, I personally don't intend to ever keep any records that aren't absolutely necessary to provide the service. That's a personal decision, a voluntary one, and also one that can be marketed to certain customers, though that isn't the reason. I also believe that if you send data to a website then it becomes subject to whatever terms they want to apply to it, and if you don't like how they use your data then don't send it to them, and block them.

That'll get you an interesting interaction with your bank, which does want to have a branch in the EU, so they'll simply comply and freeze your accounts if the EU requests it.

The US has forced its laws on other countries in this way for decades, always to protect profits, it's great that now another actor enforces its laws the same way, for the public.

And the "reasonable" response to this is to act like China: block those services. China showed it is possible so now the "lol it is Internet you can't stop people accessing things, VPN, crypto blablabla" spiel is proven to do jack-shit for services which need a lot of people and their data.

If I'm a US company, with a non-GDPR compliant website, and a visitor from the EU visits my site, under what jurisdiction does the EU have to reprimand me? Or will my site just be blocked in the EU?

It's unlikely foreign sites catered to foreign viewers would be impacted. When I buy something from a site that only sells in another country's currency, I know I'm probably going outside my own nation's protections a bit.

But if you're a company specifically soliciting EU customers, and especially if you have a presence in the EU physically, expect to have issues if you're collecting data on them without consent.

Bear in mind, the US will extradite people for committing crimes against US entities who live fully within other countries. Presumably if the act is bad enough... that sort of thing starts to play in. (Seriously, if the EU tried to extradite Sundar Pichai... that'd be something, wouldn't it?) The crime has to be befitting such effort though. One EU citizen's data swept up in your Google Analytics data does not make you worthy of a legal case. Do it several million times... maybe.

tl;dr: If you're an average company not operating in or marketing to the EU, this doesn't affect you. If you're the size it's likely to be an issue for you, you're likely big enough to handle the additional requirements and do fine.

Extradition typically only applies to things which are crimes in both jurisdictions. Since these things aren't crimes in the US extradition is very unlikely.

> the EU is saying "You can't do these things to our citizens without their explicit consent, and we will punish you if you do, regardless of where you host your website."

The EU has neither the right nor the ability to deliver on that threat. I will continue to ignore the GDPR, as I ignore the ridiculous cookie laws, without worrying about European police raiding my home at night.

Looking at the EUs antitrust fine for Google - https://www.google.ch/amp/s/www.bloomberg.com/amp/news/artic... it's clear it does have the ability. The message is "you want to profit from EU citizens? You follow the rules"

No, you're confused. Google has a physical presence and business partners in Europe; I do not. (Profiting from EU citizens is beside the point.)

Yeah, but what would you do if the EU decides that you cannot sell your product in the EU?

I would continue to do nothing special to support the EU's provincial laws. If EU citizens want to send me money, fine. If the EU decides to block its citizens from doing so, that's also fine.

But I will take no actions on my end to implement EU laws, and it's laughable that some people in this thread imagine the EU has the power to coerce me to do so.

Well, if they really really wanted it, they might be able to penalize you. How about every time you travel, make sure the country won't extradite you. How about your employees? Is that risk acceptable and fair to them?

I don't like what is happening here, but when people want a particular outcome strongly enough, they tend to set aside more principled concerns.

Will you be traveling to an EU country at any point in your life? Imagine fines are levied against you or your company and you refuse or ignore them and continue to operate as before. Could cause you trouble at the border.

Against small companies with almost no footprint in EU maybe. But against huge multinational corporations that want access to the 500m+ people market they sure can.

Exactly, that's the distinction.

What is your website? And which bank do you happen to use for your company and personally?

Enforcing laws internationally is easy, considering that there are systems designed to allow the police of one country to freeze the assets of citizens of another country.

You might just wake up one morning with your bank accounts frozen and your credit cards revoked if you violate the GDPR.

Governments have previously seized entire airplanes to pay for a single $500 fee that an airline refused to pay, don't expect it won't happen to you.

> You might just wake up one morning with your bank accounts frozen and your credit cards revoked if you violate the GDPR.

Please, spare me. I'm no more worried about EU laws than I am about China seizing my accounts for mentioning Tiananmen Square. You overestimate the EU's reach.

How would they punish though?

> I just wish they'd drop the absurd pretense that the EU is somehow capable of imposing their provincial laws on foreign companies with no physical presence in the EU.

They aren't capable of doing that, if those companies do not do business within the EU. As soon as those companies have the power to negatively impact EU citizens, however, the EU has the power to protect those citizens.

I hope everyone is nice and busy setting up encryption, access control and timely erasure for all their server and application logs: https://www.ctrl.blog/entry/gdpr-web-server-logs

The article is full of misunderstandings. The following sentence for example is just wrong:

'You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from.'

Consent is just one option. You can do logging without personal data. You might have a legal obligation to do (full) logging. You might have a legitimate interest. And so on …

It is wrong to summarise the GDPR as 'consent is always necessary'.

Your comment does clarify the issue by pointing out the alternative, and the article could have mentioned that, but the quoted sentence is completely correct as quoted. It fails to mention the alternative, but there's nothing actually wrong in the statement.

I'll give you that the article is not very comprehensive, but the GDPR is large and complex and the author doesn't set out to cover it in every detail. What misunderstandings did you see?

Why don't the main browsers implement some mechanism to help with the notification and consent of cookies?

Some standards based description about the cookies/etc. that could be consented. Non-consent means the cookie isn't accepted by the browser.

Certainly with the cookie law, I feel the EU should have legislated the top browser makers to make this a spec and be implemented in the browser, than to rely on each and every website.

The 'cookie law', the new ePrivacy Regulation, is still work in progress. And yep, opt-in via browser configuration (instead of opt-out or no option at all) might become a thing through the upcoming ePrivacy Regulation.

There's a UX problem here, because Google needs to be able to determine if it can save the data and the company using Google Analytics might also have a requirement to notify the user they are saving other types of data.

Too many notices, requests for confirmation will be a problem. So I expect the company should be able to instantiate analytics with a parameter saying that they asked for confirmation and what the response was.

Aside from that I think there might end up being a performance benefit from the GDPR. The difficulty of keeping permissions to track across different adtech providers becomes onerous, and big media companies start throwing out a bunch of them.

Speaking of GDPR, I, like many others, am a little bit confused. I've read parts of the legislation but not all of it, so perhaps somebody here can help me out.

Moving towards slightly more delicate issues (compared to tracking someone's browsing habits), in relation to the right to be forgotten, if I make a request to Equifax and Experian to remove all personally identifiable information they hold about me, will this actually be possible?

Will my bank then contact me for consent to pass my data back over to them? Will I be able to open a new bank account in the future if Experian and Equifax delete my data?

How would this whole legislation deal with something like this?

(This response is quite late, but hopefully it helps at least a bit.)

1. All third parties that a site might pass information to must be listed.

2. The site is responsible for ensuring all the third parties it passes information to support a way to delete that information. So if you ask them to delete something, they have to forward that request to third parties, who then have to delete what was provided by that site. The site is liable, so they have to make sure they have contracts covering this with any third parties they would pass the information to.

3. The deleted information by the third party only has to be the information from that site, not every site.

4. There are a number of exceptions specifically involving things like banking, especially if you have a legal, signed contract that obviously cannot be erased with the click of a button. So specifically in the case of Equifax and Experian, it's unclear.

5. I am not a lawyer, disregard everything I said lololol.

Well... yes. Super useful, those Google Analytics. But maybe it is making things too easy for you :)

If you come to think of it, it is also a privacy nightmare... therefore Google Analytics is blocked by my Privacy Badger!

I got a speeding ticket in Germany last year. I want them to delete my record. I own the data, they just tracked me over-speeding.

Data retention policies in the GDPR specifically address this case: if there is a legal reason to keep the data, it takes precedence. That is, you can't tell them that you wish your 10k euro bank credit to be forgotten.

Accounting logs might need to be kept up to seven (in some cases 10) years, so the data related to them should be kept. The data is sort of field based and some might need to be able to be forgotten earlier.

So if another country says it's not legal to comply with the GDPR in their country, they get off scot free? :P

Totally, but then again you won't be able to transact with the EU, besides all the diplomatic aftermath.

And sure, by German law, your data will be deleted after you paid your fine. (Plus some time for processing and record keeping)

This doesn’t make this a good analogy though. The GDPR does not prohibit storing private data; it just requires explicit and informed consent. It does not require deletion of data that is required to conduct a transaction, such as receipts, order data or addresses required to fulfil an order. It doesn’t impact storage of data required for law enforcement or any other reason that is mandated by law. It just doesn’t allow non-consensual tracking and accumulation of private data.

The GDPR isn't as good as you think it is. It's going to turn into one of those laws where small software startups / or normal small businesses are just going to be in constant violation, because the amount of resources required to do it properly requires a team of 5 or 10 expensive software engineers. It's going to be a great way to nip small companies in the bud and consolidate this kind of stuff into bigger companies.

It gets even worse with its extraterritoriality, because you can still be under it if you're dealing with a person who lies that they are an EU citizen and they are using your service in your own non-EU country as a resident of the non-EU country. It's like data FATCA.

And there are other loopy catch-22 ambiguities, like if you want to delete someone from your audit log, do you delete their personal info (which has a fairly expansive definition under the GDPR) from the audit log too? Then how can you show you deleted the person's info if they are also deleted from your audit log?

Read this to see more from the small company side and how much of a mess it is:


Think of this theoretical situation. If you're an EU citizen vacationing in a developing nation who has a medical emergency, could that hospital just decide to reject you because the hassle & cost of dealing with the GDPR is too great? Remember, it's a developing nation; they can choose to just refuse service to you.

Kind of like how a lot of Americans get rejected by non-US banks because dealing with FATCA is just too much of a pain in the ass today?

> Read this to see more from the small company side and how much of a mess it is:

> https://www.brentozar.com/archive/2017/12/gdpr-stopped-selli...

I read his post, and wonder if the 'attorneys' he consulted are specialists in EU law, or were his standard ones. There's a lot of FUD around GDPR but the guidance is getting better, and people assume it's being 'policed' when the UK's body (the ICO) is more about guiding into best practices than punishment.

The comments (esp around medical records) suggest ignorance of how it's working.

Source: reading the GDPR and accompanying notes from the ICO; discussions with a large company's GDPR advisor, who was involved in drafting the legislation.

Disclaimer: this is not legal advice, I am not a lawyer, and you are an idiot if you act on anything I say.

You might have noted that I have refrained from giving an opinion on how good or bad I think the GDPR is. I just pointed out that it does not at all apply to the case that the GP pretended to have a problem with. By all means, there's enough to criticize about the GDPR, but do it with an argument that has merits, not by attacking a strawman. (Your hypothetical case is a strawman, too, since the hospital doesn’t do business in the EU and is most likely required to keep records by law, which is a specific exemption clause.)

I'm pretty sure the hospital in the developing nation doesn't sell in the EU, so they don't need to comply.

Phew, crisis averted!

Government bodies are exempt from the regulation like always.

> This regulation is not limited to companies based in the EU—it applies to any service anywhere in the world that can be used by citizens of the EU.

That's fundamentally incorrect. As a non-EU citizen, I reject the notion that a foreign government has the right to impose their own laws on me, be it the EU or China or anyone else. If the EU thinks it's a problem that I'm offering a service to EU citizens that doesn't comply with laws I have no vote on, frankly they can sod off.

You are aware that this does not make sense, since to do business with people from other countries you already have to comply with their laws in terms of taxes and accounting anyway.

Selling to EU customers as a US business already requires you to have a VAT ID in the EU, so what does this change for you? In the end the main provision is to only require and store customer data which is effectively needed for providing the services and goods you offer. If you are doing business responsibly, this should not affect you at large, as it mainly formalises these processes and requires you to actually write down and document what data you need for what processing steps. If you cannot do that, your business is already flawed, and not because the GDPR does not work for you.

> Selling to EU customers as US business already requires you to have a VAT ID in EU

That's not quite right. If you are a digital service provider based in the US, no, you don't need an EU VAT ID.

Yes, it's your right to block the EU users. But, if you want their money (and that's up to you to decide), you have to obey their law; nothing new here.

It's not their money, it's if you store or process personal data about individuals in the European Economic Area (slightly larger than the EU).

If you're running a Chinese site aimed at Chinese you're good.

If you're running an Indonesian site aimed at Germans you need to honour the GDPR.

You don't need any personal data to conduct most of the business.

I work in a place that would be beyond heavily affected by GDPR and I find the legislation a good change as companies should not hoard data they don't need - just in case... or just to sell.

Wouldn't you need personal data to accept payments? Or maybe a broker (like Stripe) would store these and the end business just a reference to payment.

You can get an external ref to payment providers. Depending on the business you might need KYC and anti-money-laundering procedures, and then it's harder.

However if you have some direct business and do accept payments - by all means make it secure and transparent to your customers.

In lawyers' terms: a payment apparently is just a contract. So you can store the data needed for the payment under that legal basis.


Probably... not really? Maybe?

For starters, if you don't take payment and aren't in the EU, EU enforcement power is going to be extraordinarily limited. And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?

I think the GDPR was basically aimed at some of the scummier adtech practices and businesses like Facebook, and for those, it will be very enforceable.

> And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?

You need an EU VAT ID to accept payments from EU citizens. So they will revoke that and then you can't accept payments from the EU.

> You need an EU VAT ID to accept payments from EU citizens.

This was mentioned before: No, you don’t.

Millions of businesses around the world accept transactions from EU citizens every day without collecting any VAT or having any relationship with the EU.

Why are you storing and processing their data if not for profit?

Personal data in the GDPR has a very expansive definition, and definitely includes things like IP addresses. Processing likewise has an expansive definition, including collection and recording. Lots of sites will be processing and storing this data for internal analytics.

> Lots of sites will be processing and storing this data for internal analytics.

Just because you can doesn't mean you should. And not asking that question has got us where we are today.

Did your customers consent to what is effectively someone following them round the store with a clipboard?

So just don't do internal analytics. Or, if you feel you must, ask consent first. Easy peasy.

It isn't my responsibility to block them, or to take any action whatsoever to comply with another country's laws.

Well, the point of the GDPR is to make you aware that collecting personal data of EU citizens requires their explicit consent. Just ask me for it, that's not a big deal, is it?

If you don't, you're effectively stealing from me and I shall expect my government to go after you to the full extent of the law.

What makes you imagine your government has any jurisdiction over me?

EU citizens can choose to use services offered under other countries' laws, or not. The EU can choose to implement their own Great Firewall to block such services, or not. Frankly I don't care either way.

Uh? This is already how the world works. It does not matter where you are located as long as you are transacting with EU citizens.

In extreme cases of non-compliance, avenues for enforcement that have been discussed reuse existing Anti Money Laundering mechanisms: once flagged in the system, banks will simply freeze your business assets connected to EU countries and you might be arrested upon crossing any EU border.

I have no business assets connected to any EU countries, and I don't have any desire to cross any EU borders. So I will continue to enjoy life in my home country and ignore your provincial laws.

So why are you so nervous? Just ban all those 500 million "provincial" users and feel free to ignore the GDPR. It's nothing new that countries extend protection for their citizens and business entities well beyond their borders; for example, the US routinely extradites foreign citizens that have nothing to do with the USA for DMCA violations, hacking and whatnot.

Nervous? Not at all. My point is, it isn't my responsibility to ban them or take any other action on my end. That's a problem to be resolved between the EU's governments and its citizens.

> provincial

... because laws that enable mass-surveillance are somehow worldly?

> What makes you imagine your government has any jurisdiction over me?

It doesn't. But once you enter Europe, expect to be in trouble (if there is anything going on against you). Also forget about doing business in Europe (with EU citizens).

So if you don't care about these, then you don't have to care about this law.

Right, hypothetically if I were to physically enter the EU I could expect trouble, and that's the EU's right. But in the meanwhile, if EU citizens wanted to do business with me, that's not my problem.

I basically agree with your assessment.

That is actually not correct, consent is one of several options (and usually not the best option because there are strict requirements for a valid consent).

It being fundamentally incorrect and you not liking it are two very different things.

Yet it is fundamentally incorrect. I'm not an EU citizen, so I have zero reason to care about their laws. I will simply ignore them, and the EU has no recourse, other than possibly mandating that their ISPs block me or something. Which I also do not care about.

If you want to do business with EU citizens, you have to follow EU law. Before the internet, you had to open a shop here, or send your goods over the border. The only thing that has changed is the fact that you provide a virtual service over the internet.

No, if I want to have a physical presence in the EU I have to follow EU law. But if I'm residing entirely in another country, and EU citizens want to do business with me over the internet, I could care less what EU law says. And no amount of whining on this thread will change the fact that the EU has no leverage over me.

> I could care less what EU law says

You need a way to sell to the EU (if you wish to do business there).

Digital services (say from the US) do require EU VAT registration. If you don't have that and your country has a tax agreement with the EU (or some countries from the EU), there is a risk of being prosecuted. It won't happen if you get like 1000 customers in each country of the EU (as the latter has no global tax organization like the IRS).

Keep in mind also that if you have too much unexplained income, your own tax authorities can investigate the case, incl. anti-money laundering.

Bottom line is: it's rather hard to sell services (let alone goods) in cases where you're non-compliant with the laws. The Internet is not a magic wand.

If I break US law over the internet against a US company/person, even though I do no business in the US, have never been there, and don't plan to be there, guess how long before I'm dragged making license plates with words like "liberty" or "freedom" on them in an American rape gulag?

So, you do not care one iota about laws, or security of PII and other sensitive information, unless there can be sanctions against you?

Regardless, businesses have been dropped from their payment provider for less, so there is certainly leverage.

To me this reads with the focus in reverse. The EU's aim is not specifically to regulate or punish non-EU service providers - rather, that's (one effect of) the tool they are using to protect the rights of its citizens which is the real focus here. Since service providers the world over have been unwilling to voluntarily protect those rights, what alternative approach could they take?

The GDPR is coming really soon, but it's still unclear how "Big Data companies" prepare for it from a technical perspective. In addition to the "getting consent" requirement there are "the right to be forgotten" and "the right of access", and it's not obvious how implementing these two is feasible or, at least, cost effective.

Edit: I want to make my distinction clearer - I don't SPECIFICALLY target/show my site to EU citizens, I show it to everyone, unbiased, the same way. But, if EU citizens SPECIFICALLY visiting my site have a problem with the way it works (cookies, tracking, etc.), then they should simply stop visiting it instead of their government trying to bully us webmasters.

What bothers me the most is, as a non-European citizen of a country that has nothing to do with Europe, I'm expected to modify the source code of my website to adhere to their laws, which aren't from my country. The important part: WWW is a global platform to showcase your service/work globally. I have a problem because one entity thinks the global service needs to be customised specifically for them. How about "don't like it, don't visit it?"

Simply put, I don't want to get into an argument whether this GDPR is bad/good, but, I know that I didn't vote for or against this and it's not in my jurisdiction. I don't belong to Europe either, so what are you going to do?

This is what I'm going to do: I'm going to block access to my services to anyone based in Europe. It WILL affect our cash flow in the long run, but I'm tired of governments that I don't care about expecting me to follow some nonsense I have no part of under the guise of compliance on a global platform that is the WWW ("WORLD WIDE Web"). I think, if enough webmasters fight back, then they'll realise. And the only way is to block your services to the EU.

As a cherry on top, I'll even put up a redirect notice stating:

    "Sorry, you belong to the EU and we're not going to follow 
    your laws. Please fight back with your GOV if you wish to 
    have access to our services. This has nothing to do with 

So, what are you going to do?

edit: clarity

> I'm going to block access to my services to anyone based in Europe... I'm tired of governments that I don't care about expect me to follow some nonsense I have no part of under the guise of compliance.

Ever been on a plane? ... Used a cellphone outside your own borders? ... Eaten a beautifully ripened imported cheese along with a stunning imported wine?

Put your money where your mouth is: boycott all benefits of transnational cooperation and international legislation. NGOs are how a lot of the capitalism on this planet gets done. 'Compliance' is how we protect our businesses and consumers against fraud and mislabeled products.

Functionally, "compliance" is a judicial equivalent of an API... All I'm reading is "Why do I gotta use Google's APIs? I wanna make my own APIs! No more API use, no matter the costs to my customers, because I'm sick of giant oligarchies demanding I comply with their demands! What are you gonna do?"

They'll stop doing business with you, that's what. And shrug about it. Your website will be replaced with one from Romania, and you'll probably develop a deep sense of irony if you feel they've infringed on your IP in any way and want to sue them... because all that stuff is based on 'compliance' too.

Sorry, wrong example.

When I take a plane to some country I will follow their rules, protocols, yes.

But imagine I had a museum that can be accessed worldwide, instantly, and some guy from a specific country/region had a problem with one of my showcases in the museum; do you expect me to alter my museum for this guy and his groupies so they'll be happy?

Sorry, incorrect rebuttal.

Whenever you or anything you ship touches a commercial airliner, you enter a globally coordinated network of non-governmental compliance and multi-government regulation spanning every aspect of every device and every protocol. The only reason you CAN take planes to other countries is this international "compliance". Where "you" had to do exactly what "we" have said, because if "you" don't then "you" get to be excluded from global trade.

I have already addressed your hypothetical in my comment... There is no "expect", only business reality. The same solution as above, and the same irony, applies.

Imagine you’re living in a country which allows you to sell drugs freely; then it’s clear that you can sell them in a country where they are banned. I don’t really think this is different regarding privacy. You have to obey the law where you run your business. It’s up to you whether you change your business or leave the market.

Your argument that it’s weird that you have to “adhere to their laws” is a fallacy. Your decision to leave the market is up to you.

While I agree with most of what you said, where my perspective differs is this - The WWW is called the World Wide Web for a reason. A platform to showcase your service globally, without borders.

Suddenly, the EU thinks "Oh, if you have a website that is accessible from the EU, then you need to display X". Sorry, then what was the point of WWW? And more important, why should I update my code? It costs me money and you're not paying me, obviously (you = GOV). Why don't you ask your citizens to stop visiting websites that track them? I showcase my service on a global platform. Don't like it? Don't visit it.

The EU didn't start this.

I may remind you of the Megaupload case, where a German is under arrest in New Zealand for breaking US law by offering his site to American visitors.

The US has created the precedent for enforcing local law internationally during both the piracy enforcement cases and the NSA cases.

As a result, it is just expected that other countries will use this tool for their own purposes — in this case, the EU is using it even for the benefit of the people. Something you can't say about the use the US made of it.

World Wide Web as a borderless, lawless place is only a long gone dream of cyber anarchists of early nineties.

If your website is of any use, it will be copied from an EU-internal website that adheres to local legislation. If you subsequently tried to sue according to your country's legal concepts, whatever, why should they adhere to another country's legal requirements?
