How GDPR Will Change The Way You Develop (smashingmagazine.com)
526 points by _petronius on Feb 27, 2018 | 688 comments



While this article is interesting, I strongly encourage anyone - from CEOs, to managers, to individual developers - to actually read the text of the GDPR.

This is not written in unintelligible legal-ese. It is very approachable, understandable by a layman, and organized such that relevant Articles are easy to find.

It might take an hour or two, yet may have a fundamental impact on how you approach your job for the foreseeable future. Time very well spent.

Here is an accessible version of it: https://gdpr-info.eu/

EDIT: for clarity, that site is accessible from an organizational point of view (i.e., broken out by articles, not one long string of text). I do not know if it is accessible by screen readers or alternate input devices.


If you work for a big company and are not a lawyer, you should listen to your lawyers and not try to interpret the law yourself. There are pitfalls and misunderstandings you will run into otherwise. If your company is large enough, they should meet with privacy regulators and work with them to show them implementation decisions and make sure the regulators are in alignment with the approach taken.


The documents published by the Article 29 working party[1] are also very useful and digestible: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50...

[1]: https://en.wikipedia.org/wiki/Article_29_Data_Protection_Wor... WP29 is "an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission."


What's troubling to me is that it's very unclear what specifically is required. I know the linked post isn't legal advice, but in the page about 'privacy by design' linked to by the origin link, they list "Minimize the amount of collected data" as an item (supposedly to be achieved to be in compliance with the law).

What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!

Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd likely be as helpful as current terms of service.

Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?

Yet another item – "Don’t enable social media sharing by default.". Is the thinking that users shouldn't be able to share something via social media without first explicitly enabling that option? That just seems unfriendly. Or is the idea that doing so protects someone from doing so accidentally? This seems a lot like the 'cookie law', itself an annoying mandated nagging that probably backfired (because everyone was effectively trained to just do whatever necessary to get rid of the corresponding notification on every site they visited).

Again from the privacy-by-design page:

> There is no checklist of ready-made questions that will get you there; General Data Protection Regulation requires developers to come up with the questions as well as the answers.

That's a really unsettling description of a law.


> ...they list "Minimize the amount of collected data" as an item (supposedly to be achieved to be in compliance with the law).

> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!

The GDPR says when you collect data, you have to tell the user what you intend to use it for. "Minimization" applies within the context of those stated uses. So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.

As a corollary, if you can't link a piece of data to a business use, you shouldn't be collecting it. This was a good idea before, but GDPR makes it more relevant.

Note that this is similar to the ethical guidelines for medical research. "Harm Minimization" is a central pillar of ethical research. Harm, and risk of harm, is acceptable, but there is an affirmative duty to seek the least-harmful means of achieving your goal from those available.

> That's a really unsettling description of a law.

That's how HIPAA works, actually. I have a professor who argues this model of legislation is more effective than traditional sector-specific regulation, because it puts the onus of subject-matter expertise onto the people who are actually subject-matter experts, and because it allows for creative and adaptive solutions.


> So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.

I would also like to stress that, from my understanding, this data would rather be deleted immediately after use. That is, not saved at all after the query, or the delivery, unless the user explicitly opted in to give you such data for advertising, etc...


My company seems to be going on an encrypt-everything spree. I am not sure how GDPR requires encryption.

Can you be GDPR compliant (in theory) with zero encryption?


The GDPR, as with existing EU data protection law, requires technical & organisational measures in place to protect data. The GDPR specifically calls out (Article 32 if you're interested) encryption as one measure that entities should consider in determining whether their technical & organisational measures are fit for purpose.

Generally speaking, encryption is an obvious choice when it comes to measures designed to protect user data.


Of course—if you don't store personal data (trivially).

In fact, encryption (security) is mostly orthogonal to how you track and handle personal and sensitive data (privacy protection). You could encrypt everything and still be wildly GDPR non-compliant, if the encrypted information you're storing lacks clear purpose and explicit consent.


Indeed.

We store data encrypted because it

A) leaves no room for misunderstanding with different regulators or their respective auditors, and

B) provides a computationally infeasible barrier against accidental personal information disclosure even if the storage system was improperly decommissioned

Point B in particular can be explained to auditors without problems. They understand both the intent and the technical measures put in place. But how we store data is only tangentially relevant to how we handle data. Let alone what we need to collect in the first place.

(The KYC/AML/SOW requirements in gambling are quite demanding; they impose significant data collection and retention needs.)


To further emphasize your point "You could encrypt everything and still be wildly GDPR non-compliant", we need to be able to respond to a request by each and every individual user to delete the information that they no longer wish us to carry.


... unless you actually need that data (billing for past services, keeping records as required by law, etc).


> The GDPR says when you collect data, you have to tell the user what you intend to use it for.

Then that part is worthless, just another click-through "agreement" practically nobody reads.

That part won't change anything.

> So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.

I always wonder one thing: Is the penalty going to be high enough to justify not breaking this law?

All business decisions are cost-benefit. If the costs of doing something outweigh the benefit, you don't do that. This includes following the law: If you can reliably get more money by breaking the law, you break the law, and pay the penalty if you get caught. Unless you're very unlucky, you're still right-side-up after you pay the penalty, so your behavior was, on the whole, justified.


> Then that part is worthless

GDPR requires that the use cases be itemized, and the user can opt out of each one individually. So if the user opts out of receiving a mailing but not the store locator, you have to manage how much data you collect about that person. I agree that for the most part this will just be another click-through like the cookie law was, but companies will be required to accommodate the minority that do care.

> Is the penalty going to be high enough to justify not breaking this law?

The penalty is up to 4% of annual global revenue. Global revenue.


Up to 4% or €20 million, whichever is greater.


Let me get it straight: if your global revenue is €10 million, you won't pay 4%(€400k) penalty, you'll pay €20 million, because it's greater of the two? It seems like this will be especially harmful to small companies.


Up to $20 million, depending on the severity of the infringement. I think the reason that floor is there is to handle cases where an organization doesn’t have much revenue, either through accounting shenanigans or because it is a non-profit (made up example: a free PDF to text converter that claims to be stateless but mines passwords and information to blackmail people with)


Almost, it requires the users to actively opt in rather than opt-out.


Not every little thing needs to be opted into individually. If you have a legitimate use of data for the user’s benefit, you can collect that data after a general consent as long as you provide a way for the user to see that data and delete it. If you use that data for your own benefits (like building an advertising profile), that needs to be opted into separately.


The fines are up to €20 million, or 4% annual global turnover – whichever is higher.

Of course, paying the fine doesn't mean that you can continue with the action - it'd also likely involve imposing a temporary or permanent ban on data processing and ordering the rectification, restriction or erasure of data gathered unlawfully.


> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!

Elizabeth Denham, UK's information commissioner in charge of data protection enforcement, had this to say:

"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm. Our office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort."

In other words, the compliance decision is not in your hands, but there's a promise of certain lenience. At least to start with.

A practical trouble is that once a company reaches a certain size, they no longer even know what data they have, never mind why. Do we already store personal data? Where? Is it important data such as "names + credit cards", or some god-forgotten IP addresses in a log? Email archives and attachments? How about GoogleDrive and SharePoint? Then, do we redact it, or delete it? How? How do we answer Subject Access Requests?

We've built a product to help companies take care of the most common "private data" cases (https://gdpr-tools.eu), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. That whole space is very much in turmoil and how hard the GDPR whip will get cracked remains to be seen.

Funnily, one of the common fears that clients have is not about the general public. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage by reporting their employer to the "authorities".


> A practical trouble is that once a company reaches a certain size, they no longer even know what data they have, never mind why.

That's a very good reason to do a little inventory then. Not knowing what data you have is a real problem in my book.


Indeed, and not only yours. The same issue crops up in B2B due diligence and risk management, irrespective of GDPR.

The automated inventory analysis tools, like ours and others, are only just becoming useful thanks to ML. The previous generation was mostly regex-based and mired by constant false alarms.


Except that's precisely 1/28 of the regulators to which you are subject if you are an American company and, therefore, most likely don't have a lead regulator.


A really weird example from the same privacy-by-design link [here: https://www.smashingmagazine.com/2017/07/privacy-by-design-f...]:

> As one dramatic example, PayPal’s recent updated notice lists over 600 third-party service providers. The fact that PayPal shares data with up to 600 third parties is not news. That information is simply being brought into the open.

From what I can see of the list of those "600 third parties", a large number are banks and other financial institutions.


This is one of the things that's bothered me with it - in a similar vein to VATMOSS, GDPR will probably have more of a burden on smaller businesses, whereas larger business will have the development/consultant resource to get it right, and have those larger law firms to provide that "extra context" to brush things under the carpet if something goes awry.

The ICO seems reasonable, so hopefully they won't crush a small software shop for fucking up on something, but they're going to want to go after some people to send a message at some point. I'd guess you'd want to check that professional indemnity insurance policy, just in case.

It is, of course, all down to context. You need to show that you at least took the guidance seriously and tried to mitigate things. A notice of "collect ALL THE THINGS" won't fly, as you're basically admitting you're not prepared to consider it.

I think you're right on the social media sharing thing, it should be fairly well handled by the OAuth notices from most networks (I'd have guessed - "allow this app to post on my behalf" counts as consent?), but yeah, can't be taken as a given. IANAL, of course.


> This is one of the things that's bothered me with it - in a similar vein to VATMOSS, GDPR will probably have more of a burden on smaller businesses

In a weird way, VATMOSS and GDPR kind of work together on this...most things we collect at work that will be covered by GDPR are collected because of VATMOSS.

VATMOSS requires that we be able to justify what country's VAT we collect on a given online purchase with two pieces of "non-contradictory" evidence. So, right there we have to collect at least two things that provide location data about the customer, and GDPR expands the definition of personal data to include location data. I say "at least" because since it is required to have two non-contradictory pieces of evidence, it's prudent to collect at least three.

I think we currently use: (1) country the person selected from the "Country" drop-down on our site, (2) GeoIP at time of purchase, (3) GeoIP at time of filling out quarterly VATMOSS report, (4) GeoIP on IP addresses that they have used when downloading updates, (5) Country of bank that issued the credit card or debit card used for the purchase.


> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!

> Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.

Under the GDPR you're not allowed to store personal data.

However, if you have purpose, and need data to fulfil that purpose, you can.

You can also ask for data, in clear terms, and if an informed user freely chooses to share, you might store that.

So, you sell shoes and magazines online. You need an address to ship both. You need a shoe size to ship the right shoes. You can demand to know the shoe size before you ship shoes - but not before you ship a magazine.

You can store order information (indeed have to, due to financial regulation). So you have a record of shipped shoe size and customer data.

You may not, without consent, store a permanent profile with shoe size and magazine preference. But it's OK to let users opt in to a profile.

> Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?

Good question. Off the top of my head I can't think of useful pseudonymization related to the GDPR.

Perhaps things like hashing IP addresses for traffic stats, or using opaque identifiers for storing session interactions rather than linking directly to IP or real names. Useful pseudonymization is hard.


In e-commerce, order data and item-level data can be exported to reporting engines to gather info, but you can pseudorandom the names to prevent data leakage.


Another bad sentence (from the original link):

> What do you do about users who have used plaintext or silly passwords?

I don't even know what to write about that. The whole tone of the page is lecturing – about "fundamental human rights"! – and yet it's suggested that developers handle "plaintext or silly passwords"!


> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!

You decide, based on context and consent. I think consent now needs to be non-blanket.

> That's a really unsettling description of a law

I know it's not ideal, but it's far from the only vague area. The law of negligence is very important to anyone running a business and is almost entirely caselaw, for example.

It's also a lot like CE certification, which takes a while to get your head around but is similarly based around both standards and self-certification.


A good chunk of Europe isn't common law, how much does case law apply in these cases? In those countries the statute matters a lot more.


The GDPR is a series of rights given to people, and not a list of requirements given to business. That's the difference.


What is specifically required is pretty clear:

You must provide the user with a detailed description of what personal data of theirs you are collecting, who you are sharing it with and what your business purpose for collecting it is, and if the data is something that you need their consent to collect, you get their explicit consent to collect that data and you must let them opt-out of providing that consent without preventing them from doing business with you.


> Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected?

No: a consent from a user must be for granular information with a specific listed purpose.


And consent can be revoked, and must be as easy to revoke as to give.


How granular? Every field? Every character? Every bit?


You’re thinking about it in terms of pieces of information, but GDPR thinks about it more in terms of the uses of that information. You wouldn’t expect to ask a user “Can we store your email address?”. The granular action for storing the email address is “Can we email you from time to time product offers?”. Once the user consents then that email address (and potentially full name, etc etc) can only be used for that consented action.


> You’re thinking about it in terms of pieces of information, but GDPR thinks about it more in terms of the uses of that information.

That seems sensible but is that really based on the actual text of the law or is this just your own summary?


Oh, absolutely only my own interpretation based on the reading I’ve been doing. IANAL and I’ve only skipped through the legal text.


The problem I have is that a site could tie acceptance with allowance.

E.g., I run a free, ads and promotion funded site, but I actually supplement revenue by selling the user's actions on the site to a third party. Users can also have accumulated virtual currency as rewards, which can be used for premium sections of the site.

Then along comes GDPR, and I tie acceptance of some virtual currency rewards with acceptance of the GDPR consent, with the threat of site access being cut off if they don't consent. Is that still legal?


No, that's not presumed to be freely given consent.

https://gdpr-info.eu/recitals/no-43/ "Consent is presumed not to be freely given if ... the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."

If the data is actually needed to execute the contract (i.e. a delivery address if you're mailing stuff to the user), then you don't need separate consent; but if it's not (e.g. just revenue) then any "confirmation clicks" that are tied to site access being cut off would be just that - simply clicks that don't count as freely given consent.

Also, if you consider giving a reward for acceptance of GDPR consent, then you must also consider that consent can be revoked at any time (including 5 seconds afterward) and it must be literally as easy to withdraw consent as it is to give it.


> Yet another item – "Don’t enable social media sharing by default.". Is the thinking that user's shouldn't be able to share something via social media without first explicitly enabling that option? That just seem unfriendly. Or is the idea that doing so protects someone from doing so accidentally? This seems a lot like the 'cookie law', itself an annoying mandated nagging that probably backfired (because everyone was effectively trained to just do whatever necessary to get rid of the corresponding notification on every site they visited).

Most social media sharing buttons are in fact scripts hosted outside the website currently visited. So even without using them a lot of data is sent to Facebook, G+ and other social media. If you want to see a good implementation of the idea, check Schneier's website: https://www.schneier.com/


If you want a practical example of pseudonymisation then consider a case where you have two internal systems that serve different purposes (say one is used as a CRM, the other is used for business reporting).

The CRM database is copied over to a separate database that the reporting system feeds from. Now in reality the reporting system (which will generally give you aggregated trend reporting) doesn't need a full copy of all production data as it only needs to utilise a limited subset of the overall data.

So instead of the full copy of the CRM database being copied over to the reporting database, you filter the data so you only copy over an anonymised dataset. That is pseudonymisation in a nutshell. Because you still retain the separate dataset in your system, the data is not truly anonymised, so is said to be pseudonymised. Overall I see it as linked to the requirement for data minimisation. Any particular system should only have access to the data it needs to perform its role.
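One concrete shape of the CRM-to-reporting pseudonymisation described above, which also covers the hashed-IP traffic stats suggested earlier in the thread, as an added example that is not from the thread or the linked article: the reporting extract keeps only the columns reporting has a purpose for, replaces the customer id with a keyed pseudonym, and the mapping back to the CRM record stays on the CRM side. The record contents, key, column names and the daily IP key rotation are constructed assumptions.

```python
"""Pseudonymised reporting extract (added example; everything here is constructed)."""
import hashlib
import hmac
import ipaddress

# Constructed sample CRM rows: invented people, RFC 5737 documentation addresses.
CRM_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ip": "203.0.113.7", "postcode": "SW1A 1AA", "country": "GB",
     "order_total": 59.90, "ordered_at": "2018-02-20"},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.net",
     "ip": "198.51.100.23", "postcode": "10115", "country": "DE",
     "order_total": 12.00, "ordered_at": "2018-02-21"},
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ip": "203.0.113.7", "postcode": "SW1A 1AA", "country": "GB",
     "order_total": 20.00, "ordered_at": "2018-02-25"},
]

# Data minimisation: the only columns the reporting system has a stated purpose for.
REPORTING_FIELDS = ("country", "order_total", "ordered_at")
# Direct identifiers that must never leave the CRM.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "ip", "postcode")


def pseudonym(value, key, domain):
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 64 bits).

    Keyed rather than a bare hash: whoever holds the reporting extract cannot
    re-identify values by enumerating a small input space without the key.
    'domain' keeps customer and IP pseudonyms in separate namespaces.
    """
    mac = hmac.new(key, f"{domain}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_reporting_extract(records, key):
    """Return (rows, mapping): rows go to the reporting DB, mapping stays with the CRM.

    Because the mapping (and the key) still exist, the extract is pseudonymised,
    not anonymised, which is exactly the distinction the GDPR draws.
    """
    rows, mapping = [], {}
    for rec in records:
        ref = pseudonym(str(rec["customer_id"]), key, "customer")
        mapping[ref] = rec["customer_id"]
        row = {"customer_ref": ref}
        row.update({field: rec[field] for field in REPORTING_FIELDS})
        rows.append(row)
    return rows, mapping


def reidentify(customer_ref, mapping):
    """Re-identification is only possible on the CRM side, which holds the mapping."""
    return mapping.get(customer_ref)


def leaked_identifiers(rows):
    """Pre-export check: list any direct identifier column that survived minimisation."""
    return sorted({field for row in rows for field in row if field in DIRECT_IDENTIFIERS})


def ip_pseudonym(ip, key, day):
    """Daily-rotated IP pseudonym for traffic counts.

    Stable within one day (unique-visitor counting still works), unlinkable
    across days (no long-term profile of a visitor can be assembled). A bare
    hash of an IPv4 address would be reversible by hashing all 2^32 candidates,
    hence the keyed construction. Invalid input raises ValueError rather than
    silently producing a pseudonym for garbage.
    """
    addr = ipaddress.ip_address(ip)
    day_key = hmac.new(key, day.encode("utf-8"), hashlib.sha256).digest()
    return pseudonym(str(addr), day_key, "ip")


if __name__ == "__main__":
    key = b"constructed-example-key"  # assumption: in practice a secret held by the CRM team
    rows, mapping = build_reporting_extract(CRM_RECORDS, key)
    for row in rows:
        print(row)
    print("leaked identifier columns:", leaked_identifiers(rows))
    print("day pseudonym:", ip_pseudonym("203.0.113.7", key, "2018-02-20"))
```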


Agreed, if that page is accurate, then basically it was all very best effort, except some things about requiring consent.


You have discovered the difference between principles-based regulation and rules-based regulation.


> GDPR will require developers to know the legal and policy landscape of their profession. (This has been the norm for other fields for centuries: how embarrassing for us.)

Favourite takeaway.


I thought that was needlessly snarky. I'm pretty sure other fields rely on lawyers to know the relevant legal landscape just like we do.


No. Professionals in engineering or the trades have to know the regulations that govern their industry and abide by them.

What many SVers call "innovation", other industries would call "reckless".

How embarrassing for us!

EDIT: In terms of regulation, we're practically chiropractors.


The comparison is disingenuous. The internet makes anything you build automatically global. You're blasting software engineers for not knowing worldwide regulations. How many New York lawyers know the regulations of France? How many local UK construction companies know the building codes of Japan? None.

Knowing all regulations in the world for any given industry would be a full time job. The people you seem to be implying exist do not exist.


> How many local UK construction companies know the building codes of Japan? None.

If those local UK construction companies want to do business in Japan they'll have to know the building codes of Japan.

But seriously, the GDPR standardizes the body of law for the whole of Europe. That makes things easier for devs.


The comparison doesn't hold up when developers create solutions that are in breach of the regulation of the city and country they live in.


> How many New York lawyers know the regulations of France?

New York lawyers who do business in France do.

If you're accepting ~dollars~ euros to place French ads on your pages targeting French customers, seems reasonable to know the relevant French regulations.


It's a bit more strict than that. If I have customers in France, this affects me, no matter how many, no matter if it's one dude in Florida who happens to also be French. The reach is absurd.


Is the reach more absurd than what US courts claim?


The worst transgressions of US courts shouldn’t be the standard we aim for.


Fair point!


"no matter if it's one dude in Florida who happens to also be French."

That's not true.


Is he a French citizen? My understanding is that GDPR applies to you (in theory) if you have any EU citizens as customers.

Am I misunderstanding? Why is this incorrect?


Yes, that's incorrect, unless you are an EU business yourself. If not, you are only subject if your customers are in the EU. And more, "the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established" is not enough to show that you're targeting customers in the EU.

https://gdpr-info.eu/recitals/no-23/


Thanks for that reference! Really helpful.


You don’t need to make money off Europeans to be targeted by the GDPR - you just need to have data about Europeans.


That's pretty disingenuous as it seems impossible to "make money off Europeans" without having any data about them.


So, the GDPR is doing you a favour by forcing you to think in advance "who will my users be?". So far web applications were "accidentally" global, now you have to be more careful and deliberate. Which is a good thing.


Ah yes, digital isolationism and segregated networks are great. Have we given up on the idea of the internet being a force for global human interaction? Are vague and impotent privacy protections more important?


I live in the EU. -> Are vague and impotent privacy protections more important? More important than "global human interaction"? Yes, in my opinion. "Global human interaction" doesn't mean it should be the Far-West gold rush. It aims at fair and equal human interactions with the respect for the freedom of each single human on Earth. Freedom means equality for all, and to ensure more equality, we created laws. Laws are not perfect, but sometimes they are the only tool we have. Laws are not fixed in stone, they can be improved over time. Essentially we want global human interaction with respect of individuals.


I assume GDPR would only impact you if you operate a business from European locations, right? Not like they can enforce their laws on my small business run from the other side of the planet.

So long as my country isn't willing to extradite me, I don't really care what their laws are and I will adamantly refuse to comply with them as they're entirely irrelevant to me.


Your reasoning sounds like an easy excuse to not bother looking at any regulations period. Because knowing every single regulation is too onerous and you probably know all your local ones intuitively, right?


Don't slurp up data worldwide, then. If you don't do that, you're fine. If you do business you'd better know the law of your target audience, isn't it?


How does one avoid people making web requests originating in Europe from reaching your servers elsewhere?

The obvious answer is by geographically identifying them by IP. Which GDPR makes pains to point out is personal data.


So you don't store data from that IP? How is this a problem? And that's perfectly compliant with the GDPR.

It seems you can't be bothered to not store data.


You don’t see the humor (at least) of a privacy regulation requiring me to learn more about the consumers hitting the site? Previously they were so private I knew nothing but an IP.

Now I’m instrumenting my systems with geo lookup databases which usually also include much more fine grained data (such as home/business) than that.

In any case, your original point was to just not interact with those people, which requires active filtering and isn’t the same thing as saying ‘just don’t watch that tv show’ in that it demands actions on my part due to behaviors and preferences on someone else’s.


There is no active filtering required if you don't store anything. I don't understand why this is so hard to grasp.

You can learn as much as you want as long as you don't store it or provide that information to a third party.

I believe our industry has too long gotten away with a "store everything" mentality. I have zero sympathy for web sites which slurp up everything from their visitors.


A lot of what you might call 'avoiding recklessness' is demonstrably bad for some people so it's not clear that the current tradeoffs are optimal. And it's not at all obvious that, overall, regulation does much more than protect incumbents in a given field or industry at the expense of everyone else.

Based on my own experience, I've 'known' about regulations that governed the industries with which I've worked. I'm not sure what evidence specifically you or the author have that leads you to believe software developers should be embarrassed.


> A lot of what you might call 'avoiding recklessness' is demonstrably bad for some people

And? Making sure that the bridge will hold under the weight that it's required to is demonstrably bad for my profits (if I were the construction company). That doesn't mean that we should loosen the regulations or whatever. We don't owe anyone the right to profits, regulations are meant to protect us and keep the playing field fair. Of course that will always negatively affect someone.


It isn't obvious that is the case. Some companies make bad short-term decisions. But many take a longer-term view. Who would hire the construction company again that made the bad bridge? Or consider food and drug regulation. Countries with more lax requirements for proof of drug efficacy and large-scale trials don't have worse health outcomes. In fact, the countries with stricter policy regimes are often slower to receive life-saving drugs. Does the suppression of a drug with adverse effects that only show up in a wider population or after more prolonged exposure have a stronger benefit than the suppression of drugs without such downsides? Often countries optimize in the wrong direction here. Many licensing laws fall in this category too. Do barbers and hair stylists need a license? Probably not to ensure safety, and we have plenty of comparable jurisdictions with and without such rules to prove it. People don't just start doing bad things in the absence of rules.


Construction companies circumvent this by going bankrupt all the time and setting up the next shell company. Big projects will often be done by a pool of companies. Which would you hold accountable then?

As well, some things are so bad that you don't want to punish after the fact.


> Construction companies circumvent this by going bankrupt all the time and setting up the next shell company.

This would be a much more difficult thing for them to do if it was easy to track the history of bad behavior of the relevant people. This seems like something that should be relatively easy to do nowadays, modulo some probably not-too-significant obstacles like the 'right to be forgotten'.

> Big projects will often be done by a pool of companies. Which would you hold accountable then.

In the absence of detailed information, one would reasonably hold them all partially accountable.

> As well, some things are so bad that you don't want to punish after the fact.

There's no perfect way to do this. Murder seems like it's "so bad that you don't want to punish after the fact" but I don't think either of us would want to live in a society that was perfectly capable of preventing any murders.


If we want to accept that privacy is important and valuable then we need to accept that it is not okay for our industry to continue to do what it has been doing.

I challenge you to give me an example of some "demonstrably bad" effect caused by "avoiding recklessness" that isn't the direct result of shirking responsibility.

To go along with your devil's advocate argument: I could argue that "taking extra measures to ensure the security of sensitive data" would have been "demonstrably bad" for Equifax. But don't you agree that it was extremely irresponsible of them to not do that?


> No. Professionals in engineering or the trades have to know the regulations that govern their industry and abide by them.

Eh, not substantially or consistently more than in software. It's possible to cherry-pick examples where engineers in other fields are more aware of relevant regulations, but overall, it's roughly comparable.

I'm generally very critical of the move-fast-and-break-things mentality, but engineers in other fields are generally not more knowledgeable about industry regulations than software engineers are.


American engineer building a bridge or tunnel in EU is certainly going to know EU regulations. An EE designing circuits for EU needs to know about lead-free solder requirements. On the other side, Mies van der Rohe needed to work with a US-certified architect to build the Seagrams.

Having been in the software industry for a while, it is often discouraging to see how both explicitly and often inadvertently move-fast-and-break-things has resulted in some pretty bad software industry wide.

Just look at the sense of most of the comments here--there seems to be a consensus of how to get around this, or how it doesn't apply to me.


Right, but the point is that you KNOW the country your bridge or tunnel is going to be used in, because you build it there. If I build a web app and deploy it on a server in California, it can immediately be used by people in almost any country in the world.

Is it my responsibility to follow the censorship rules from China on my webapp in California? Is it my responsibility to know all the regulations on web apps from Sri Lanka?

Building software with care and professionalism is unrelated to understanding all the rules in place all around the world.


If you don't do any business in the EU I'm not sure how the new law would apply.


So we should have a whitelist of countries we decide we are "doing business" in and block all other traffic globally?


You don't need to block traffic, just don't specifically target those countries[1]. And don't track people connecting from them.

[1] https://gdpr-info.eu/recitals/no-23/


That "recital" is still pretty vague; the relevant text:

> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

Note that "the use of a language or a currency generally used in one or more Member States ... may make it apparent that the controller envisages offering goods or services to data subjects in the Union". So simply using a language in use in an EU member country may be sufficient that you "envisage" offering your goods or services. That seems significantly different than your claim that one need merely not "specifically target those countries".


Yes, but these things are assessed by judges, not by dice-throwing. I'm sure we can devise contrived examples that fall into a gray area, but for the most part I think what I wrote is correct.


EEs everywhere know about RoHS simply because it makes no sense to have separate designs for Europe and everywhere else. Also, lead-free solder really isn't that bad...


And most of those industries have been stagnant for decades.


> I'm pretty sure other fields rely on lawyers to know the relevant legal landscape just like we do.

I have plenty of friends and relatives who work in construction or architecture and knowing the building codes and everything related to it is something you learn at university, update every year and is something every person involved in planning and constructing a building is aware of. Lawyers only get involved if a building fails.


Construction workers and architects don't tend to work internationally. If they do, they hire lawyers to sort out legal requirements for them before they even sign a contract.


The same should be true for most software companies going forward. The approach to just assume it's the obligation of the user to ensure compliance won't work for much longer.


Imagine the EU made a law requiring every country in the world follow their building codes whenever an EU citizen enters one of their buildings, even if the building was made before the law was created. And if you don't comply, they will fine you millions of dollars.

McDonald's goes and retrofits all of their buildings in the world because they have shops in the EU, at great cost. Some pizza shop that does delivery in the USA, whose owners go on vacation once in a while in Europe? They probably are not even aware of it.

That is what the GDPR is in a nutshell.


> Imagine the EU made a law requiring every country in the world follow their building codes whenever an EU citizen enters one of their buildings

You are reaching. I give you a better example: it does not matter where a building part is being produced, if it ends up in a building in Europe it needs to be up to the local building codes and to the regulations of the single market.


You think I am reaching, but the GDPR does act this way.

Let's say you're visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop. They put your name and delivery address in their computer in an MS Access database that makes stickers, emails the delivery guy's Gmail account, and a person delivers a pizza to you.

They have no idea you're an EU citizen and they just put enough information into their computer that would violate the GDPR. They have no real way to comply unless they retrofit their computer system to some vendor that is GDPR compliant, if it even exists. Just deleting your info from the MS Access DB and asking the delivery guy to delete their emails isn't enough for the GDPR. And a computer system retrofit for most businesses might as well be like asking them to retrofit their building as far as costs go.

The end effect might be just outright banning all EU citizens from doing business with various places, because it's just not worth the hassle.

'Sorry you cant stay at our hotel, we are not GDPR compliant'

'Sorry we won't deliver to you, we are not GDPR compliant'

'Sorry you can't enroll in our classes, we are not GDPR compliant'

'Sorry we won't treat you at this hospital, we are not GDPR compliant'

'Sorry you can't get a bank account with us, we are not GDPR compliant' (Like a lot of EU banks with US citizens with FATCA)


You clearly don't know what you are talking about.

Article 3 clearly states that it applies to

> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

> the monitoring of their behaviour as far as their behaviour takes place within the Union.

It does not apply to EU citizens while traveling outside of the EU. It applies when you are monitoring or offering goods or services to someone in the EU.


Why was this downvoted? Is it wrong?


> Let's say you're visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop

If that pizza store has no relation to the EU then there is no legal ground by which the GDPR could become relevant. There is no treaty which would establish some sort of leverage here.

//EDIT: which btw is unlike FATCA for which there actually are bilateral agreements.


You don't need a treaty to enforce the law, you just need a pizza shop owner who likes to vacation in europe sometimes. You carry out the default judgement if they ever arrive in the EU. The GDPR explicitly has a very global scope because it is targeting companies in and out of the EU.

I wouldn't really have much of a problem with the GDPR if it had some small business and non-eu business exceptions. It doesn't and regulators saying 'trust us we wont prosecute the easy to prosecute!' makes most businesses uneasy.


> It doesn't and regulators saying 'trust us we wont prosecute the easy to prosecute!' makes most businesses uneasy.

Indeed.

Let's not forget that the EU and national governments have form when it comes to this sort of thing. The new EU VAT rules on digital sales a few years back were similarly overweight, and they really did result in a lot of microbusinesses either literally shutting down or just plain breaking the law.

A lot of slightly larger ones, my own included, went to considerable lengths to update systems to comply, but with hindsight would have simply declined custom from any (other) EU nation instead because the overheads were and continue to be excessive.

Those same rules really did also result in national tax authorities abusing their new-found powers to go after businesses in other countries within the EU, sometimes through their own incompetence rather than any legitimate grievance, resulting in some very scary threats being received by other small businesses.

It's tough to give much credit to arguments about regulators exhibiting common sense and moderation when the evidence of previous sweeping EU rule changes suggests we shouldn't count on that.


> You don't need a treaty to enforce the law

The law itself does not even put itself into scope. You either need a treaty (Article 3, paragraph 3) or the data subject or processing is in the union.


How is that different from, say, Dmitry Sklyarov, a Russian who broke a US law while living in Russia, who later goes to the US for a convention and gets arrested and thrown in jail?


That's how it should be. Sadly the EU is taking a very different approach of trying to set laws for the whole world based on very unclear (and definitely unprecedented) requirements. It's true that they will have no jurisdiction over the pizza guy - just until he comes to the EU or to an allied country. Another comment talks about how it's very likely that GDPR will be a requirement of trade deals.


Even then not. The territorial scope in Article 3 of the GDPR is not that far reaching. It applies to processors with establishment in the EU, non union data processors who perform a service to data subjects in the union or the case of the pizza guy:

> 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

So unless there is a treaty that puts GDPR into scope, the pizza guy is fine.


Unlikely. Lawyers are an invisible hand, always present.

They’re the ones who prepare the trainings for your relatives and the other architectural students, or at the minimum the changes that a policy-wonk will react to when creating curriculum.

The site operator has the limited range to act (we’ll call them decision rights) under the CEO who is ultimately guided by his counsel (firm or in-house).

Lawyers also oversee zoning, permitting, and certifying every step of the way - not limited to, but including licensing and contracting.


Sure, and it is one of the main reasons those professions require licensure. It seems to me that most people in the industry would like to avoid that for software development. Speaking purely for myself, I would welcome it. But it would be a large and disruptive change that we may not be ready for.


And another compliance industry is born.


Developers should already know the "legal and policy landscape."

Sending email? You should know the CAN-SPAM act. Do business with CA citizens? You'd better know about CA's privacy policy requirements. Doing ecommerce? You need to learn about sales tax and PCI requirements.


Not true. Developers should consult with lawyers and privacy experts and not try to "know the legal and policy landscape" themselves.


Suppose you were a small startup based in America, accepting online payments from users/advertisers using American platforms or financial institutions. Suppose you make no effort to comply with GDPR - what realistic consequences can you face?

I suspect that this is the kind of thing which larger/established companies would worry about. If you're a seed/series-A startup, it seems like you have far more important things to focus on, because there's nothing that the EU can realistically do to you anyway.


So having been through the preliminaries of GDPR, I took away a few things.

First of all, the enforcement path is as yet unclear. If they (europe) see you are doing something (like not responding to "right to be forgotten" request) it is not clear what enforcement they will attempt.

Second, there is the customer perception. If you have one European customer that buys something from you, or enters their email for you to give them some product information, and they request later to be forgotten and you don't, there is then a chance of public perception that you don't comply.

But there can be other avenues of exposure. For example, if you are dealing with a US bank that does comply with GDPR and you don't, there may be some pushback from the bank. So while EU may not come for you directly, there could be a secondary effect.

From a little conversation with European partners, I got the sense that US was taking GDPR more seriously than some EU companies.


>and they request later to be forgotten and you don't

How do you prove you have forgotten someone?


You attest to it in a legally binding manner. The legal system does not function on mathematical proofs. If it turns out you did not speak the truth, you can be fined, and maybe even jailed. That's how it works.

Also, we are not talking about forgetting someone personally, but deleting their data. I assume that's clear.


So if you're willing to indefinitely lie, you just get out? This seems inefficient.


Considering this is not about human memory but about computers and data storage, and those things are traditionally pretty bad at lying, it seems like a bad path to take, personally.


Depending on your industry, or your global customer requirements, you might have to have an audit that shows that you have such procedures in place. If you are small, don't get breached, and attest that you have done the deletion.


You'd better not have a breach in this case...


The realistic consequences would probably be the following:

1) When you grow sufficiently large to go global, it will suddenly start to matter a lot, as EU is one of the largest markets worldwide. In the best case scenario you'd have to change your processes and systems to comply (i.e. you'd have technical debt which you could've avoided if you did it properly in the first place); in the worst case you'd have some complaints from EU users resulting in fines that aren't enforced yet but would be as soon as you'd want to actually get money from EU. This would be a meaningful impact to your valuation at that point.

2) As the risks implied in the first part have an impact on your valuation if you succeed and go global (which is the only scenario that matters to investors, the exit valuation about which they're thinking), you'd expect this compliance to be included in the due diligence done by series B/C investors and any acquisitions; if you've made no effort to comply, this will result in a lower valuation in those rounds of funding.

If you're a high-growth startup whose valuation is not based on current revenue but on the (long) future market size and you declare that you're choosing to be incompatible with, say, 25% of the global market (to a very rough approximation, EU revenue share is something like that for many major tech companies), then investors will discount your future value (and thus current value) by 25%. So at the very least this is something that you should have on your roadmap for investors i.e. "we're planning to do that diligence and related work in quarter X after we've done A, B and C" instead of simply ignoring the issue.


It's hard to say at this point, or even after. It's on a nexus of vague things. First "internet laws" have a history of leading to nothing much, like the EU "cookie law" which everyone "complies" with by popping up a nag. Second because online jurisdictions and how these get enforced is ambiguous. Third, because the enforcement path is still pretty unclear. It may be all about a handful of high priority cases, with small sites getting a pass.

Ultimately, there are all sorts of laws all over the world. With an online, potentially global business, you're breaking some of them. Turkey does not really expect some international user generated content site to comply with their political content laws. A bigger site based in Istanbul... You'll get a knock on the door.

About ten years ago, I had a client with an e-commerce site for workplace safety gear in Australia. They sold to the US, but rarely. During bird flu, they somehow got on the radar of some US advertising standard. There were some politicians actively policing it any way they could (not courts).

TL;DR is that they had their payment gateway and PayPal shut them down immediately (someone got scary phone calls). Even shutting off all US shipping and adding a big red "No US" sign didn't help. They had to drop the products. So... jurisdiction is often erratic.

I think the last (possibly most important) point is cultural. If it takes, GDPR may impact consumer expectations and you may need to do it for that reason.

If you want to avoid GDPR, just hold back for 3-6 months until after the date. It'll get clearer as it progresses and if you're as outside the purview as you suggest, you're probably going to be fine ignoring it at the start (or forever).


If you're consumer focused, you're probably fine and will just need to clean up some mess later when you get big enough to care.

If you're B2B, it's going to be a problem from day one. GDPR has a de facto viral component for service providers. Basically, any business that wants to become your customer that is itself GDPR compliant needs to ensure that you too are GDPR compliant. Accordingly, GDPR will come up with a large portion of web-facing B2B sales, even for US companies.


Explicitly banning Eurozone citizens from using the service is the easiest solution I have thought of.


The collective economic effect of that will be massive. Please do. And realize that you are ceding the single largest market to your competition.


> The collective economic effect of that will be massive. Please do. And realize that you are ceding the single largest market to your competition.

That doesn't necessarily follow.

For example, EU but non-UK customers represent only a small fraction of the user base for one of my businesses. With hindsight, we would have done better to exclude those customers entirely, avoid spending time and money complying with ever-more-onerous EU rules, and invest that time and money in growing our business in more lucrative markets instead.

It is entirely possible for the EU to make itself so unattractive as a market that this will be the case for others too. Indeed several of the near-future measures it is already working on may have exactly that effect. The saddest part is that those running the EU have so little idea about how small business works that they don't even realise they're doing it.


It might be that the EU willingly rejects certain business. Maybe, if you aren't GDPR compliant, you are not wanted by the EU.


It's crazy how many businesses think they're so awesome that no market would ever think they're better off without them.


Why is that crazy? Why is it not crazy that the EU thinks it's so awesome that no business would ever think it's better off without them?


Because most of the people complaining are tiny businesses, and the EU is the single biggest market out there.


Most businesses are tiny businesses. In the UK, 96% of all businesses are microbusinesses (classed as having 0-9 employees) and 99.9% of all businesses are SMEs (classed as having up to 250 employees).

Governments tend to obsess about big businesses, and the EU more than most. However, in the entire UK, there are only about seven thousand large businesses. Smaller businesses collectively contribute the majority of almost every important economic metric (jobs, tax revenues, etc.).

And of course, even the successful large businesses used to be successful smaller businesses.

Given that heavyweight EU regulations disproportionately affect those smaller businesses, because their compliance costs are relatively high, and given that excessive regulation makes it harder or in some cases impractical for businesses to trade within the EU, it is kind of crazy that the EU keeps putting these barriers up. Its own economic fortunes and those of its member states fundamentally depend on maintaining a good environment for smaller businesses to start and grow. Things rarely end well for economies that fail to do so.


That would be a plausible theory if the EU even realised that many thousands of these smaller businesses exist, but as we learned with the VAT mess, they literally didn't.


Yes, the VAT mess definitely does not deserve the beauty prize but with the MOSS it is actually manageable. I've done it for a couple of years and as long as your IPSP cooperates it shouldn't be more than 15 minutes of work per quarter.


> I've done it for a couple of years and as long as your IPSP cooperates it shouldn't be more than 15 minutes of work per quarter.

That might be true if you're lucky enough to have a single third-party payment service that collects all of your revenues including administering the VAT parts for you. Unfortunately, there are many reasons why that might not be the case or even possible. Even if you do use one of those services, it can't magically cope with all the edge cases any more than you or I can, and of course they tend to take an extra cut out of your revenue.

For everyone who needs to manage their taxes a bit closer to home, it takes longer than your suggested time just to check the rates regularly in case some member state decided to increase them with about a week's notice again. There's not really any good answer to VAT MOSS; there are just more inconvenient and/or expensive options and slightly less inconvenient and/or expensive ones.


At least in the UK, HMRC email me whenever rates in a member country change, and they publish them online too:

https://www.gov.uk/government/collections/vat-information-sh...


We've had some emails from them as well, but we still assume it's our responsibility to check the rates weekly, based on the fact that at least one rate change has come into effect with little more notice than that and nobody (including HMRC) actively notified us first.

Publishing the rates is certainly better than not publishing them, but unless that information is updated in close to real time so it picks up those short-notice changes and unless it's supplied in a machine-readable format so that you can use it as a basis for automatically calculating correct VAT at the time of sale, it's of limited value for anything other than spotting mistakes retrospectively.


> single largest market

The EU really isn't a single large market though for most practical purposes. For the purposes of complying with regulations and accepting payment it is, but for every other practical consideration that matters to a company doing business there, it's a few dozen separate markets.


and they're still in the eurozone, so banning eurozone users is still removing yourself from the largest economic bloc in the world


Are you arguing with my point or just trying to be contradictory? I never said blocking the EU was a good solution, but calling it a single market makes it sound more enticing than it is.


Some people may find that a valuable trade-off, because the alternative would be to permit their customers to demand that they rewrite their logs at any time. I, personally, believe that logs should be fundamentally append-only, and thus will not be doing business with EU subjects (since the GDPR requires that I delete records from my logs on demand).


Perhaps you could encrypt your logs after a predefined “live data” period passes. Each log line’s key would be derived from a key that is itself derived from the data subject’s unique identifier. If that subject invokes their “right to be forgotten” then the subject’s key is destroyed, rendering all thus-encrypted log lines irretrievable. This does mean analysis of “cold logs” would first require a potentially burdensome decryption process — but it would be possible, and the resulting logs would only contain data relating to permitted data subjects.
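
The scheme in the comment above, worked through as an added example (not the commenter's code). One design point it makes concrete: the per-subject key has to be a random value of which the key table holds the only copy. If it were derived deterministically from the subject's identifier and a retained master key, as the comment suggests, "destroying" it would be meaningless because anyone with the master key could recompute it. Assumptions: per-line keys are derived from the subject key with a single-block HKDF-Expand; encryption uses an HMAC-SHA256 counter-mode keystream plus a separate MAC tag so the block runs on the standard library alone (in production, use a real AEAD such as AES-GCM from a vetted library); and the log is an in-memory list standing in for an append-only file.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def hkdf_expand(key: bytes, info: bytes) -> bytes:
    """Single-block HKDF-Expand (RFC 5869, SHA-256): one 32-byte subkey per `info`."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ShreddableLog:
    """Append-only log; a data subject's lines become unreadable when their key is dropped."""

    def __init__(self) -> None:
        # The ONLY copy of each subject's key. Random, never derived from a stable
        # identifier, otherwise it could simply be recomputed after "deletion".
        self._subject_keys: Dict[str, bytes] = {}
        # Lines are never rewritten or removed: (subject_id, nonce, ciphertext, tag).
        self._lines: List[Tuple[str, bytes, bytes, bytes]] = []

    def append(self, subject_id: str, line: str) -> int:
        """Encrypt `line` under a per-line key derived from the subject's key; return its index."""
        subject_key = self._subject_keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        enc_key = hkdf_expand(subject_key, b"enc|" + nonce)
        mac_key = hkdf_expand(subject_key, b"mac|" + nonce)
        ciphertext = _keystream_xor(enc_key, nonce, line.encode("utf-8"))
        tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
        self._lines.append((subject_id, nonce, ciphertext, tag))
        return len(self._lines) - 1

    def forget(self, subject_id: str) -> bool:
        """Honour an erasure request: drop the key, leave the ciphertext in place."""
        return self._subject_keys.pop(subject_id, None) is not None

    def read(self, index: int) -> Optional[str]:
        """Decrypt one line, or return None if its subject has been forgotten."""
        subject_id, nonce, ciphertext, tag = self._lines[index]
        subject_key = self._subject_keys.get(subject_id)
        if subject_key is None:
            return None
        mac_key = hkdf_expand(subject_key, b"mac|" + nonce)
        expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("log line %d failed integrity check" % index)
        enc_key = hkdf_expand(subject_key, b"enc|" + nonce)
        return _keystream_xor(enc_key, nonce, ciphertext).decode("utf-8")

    def readable_lines(self) -> List[str]:
        """The 'cold log' analysis view: only lines whose subjects still have a key."""
        result = []
        for index in range(len(self._lines)):
            line = self.read(index)
            if line is not None:
                result.append(line)
        return result

    def __len__(self) -> int:
        return len(self._lines)


if __name__ == "__main__":
    log = ShreddableLog()
    log.append("user-a", "GET /orders user-a")
    log.append("user-b", "GET /cart user-b")
    log.forget("user-a")
    print(len(log), log.readable_lines())  # 2 lines stored, 1 still readable
```

The log itself stays append-only: `forget` touches only the key table, and `len(log)` still reports every line ever written. Two caveats a practitioner should keep in mind: the key table is now the sensitive store (back it up and protect it like any other key material), and this only works for logs written through the scheme from the start; old plaintext logs and backups are not covered.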


Guess what? The EU agrees with you. That's why the recommendation is that you strip PII from your logs for everybody. That way they can still be append only and you won't have to do any rewriting.

> I, personally, believe that logs should be fundamentally append-only, and thus will not be doing business with EU subjects (since the GDPR requires that I delete records from my logs on demand).

That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.


> That's why the recommendation is that you strip PII from your logs for everybody.

The problem is that IP addresses — a fundamental requirement for an acceptable network logging system — are considered PII.

If this were about things like names, dates of birth &c. then I'd be in full agreement. But considering an IP address personal information which must be deleted on demand is IMNSHO insane.

> That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.

I'm just a guy, y'know? I'm not going to pretend that it would be easy or cheap for others to make the same decision. But it is easy & cheap for me.


For a network logging system yes. But for a commercial entity on the web: no. Beyond a class 'C' you're not going to get much mileage out of IP addresses, unless you're trying to track people without using cookies and that would be one very good reason why you should not be keeping those IP addresses in the first place.

If you're an ISP that changes, in that case there is a retention requirement. But a regular business in the normal course of performing its expected activities has no business retaining IP addresses longer than necessary. If that to you is unacceptable because you want append-only logs that stretch back years then that's your choice.

But if I had to choose between cutting off roughly half of my turnover because I didn't want to comply with the law or complying with the law and slightly re-arranging my logging then I'd happily pick the latter.

So no need to delete on demand, simply don't store them longer than you feel you need to in order to meet your business goals. 30 days or so should do it. Six months or longer would require a detailed explanation.

And most importantly: disclose what you do. That way your customers can make informed decisions and you won't look bad in the eyes of the law if they have to decide whether or not you meant to act in good faith or whether you took to interpreting things in the way that suits you best.
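
The two measures described in the comment above, truncating IP addresses and dropping records past a retention window, as an added example that is not the commenter's code. Assumptions: the input is Apache-style common-log lines (sample lines below are constructed), IPv4 addresses are cut to a /24 and IPv6 to a /48 (the "class C" granularity the comment refers to, with an IPv6 equivalent), the retention window defaults to the 30 days mentioned, and anything that does not parse is dropped rather than kept in an unknown shape.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Apache common-log shape: "<ip> - - [<timestamp>] <request ...>"
LINE_RE = re.compile(r"^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.77 - - [27/Feb/2018:10:15:32 +0000] "GET /pricing HTTP/1.1" 200 5123',
    '2001:db8:abcd:1234::42 - - [26/Feb/2018:09:00:01 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Jan/2018:00:00:00 +0000] "GET / HTTP/1.1" 200 812',
    "not a log line at all",
]
NOW = datetime(2018, 2, 28, tzinfo=timezone.utc)


def mask_ip(ip_text: str) -> str:
    """Drop the host part of an address: /24 for IPv4, /48 for IPv6.

    Coarse enough that a single line no longer identifies one household,
    still useful for abuse patterns and rough geolocation.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"  # unparseable: replace rather than keep whatever it was
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
    return str(network.network_address)


def scrub_line(line: str, now: datetime, retention: timedelta = timedelta(days=30)) -> Optional[str]:
    """Return the line with its IP masked, or None if it is expired or malformed."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    timestamp = datetime.strptime(match.group("ts"), TS_FMT)
    if now - timestamp > retention:
        return None  # outside the retention window: delete, no request needed
    return "%s - - [%s] %s" % (mask_ip(match.group("ip")), match.group("ts"), match.group("rest"))


def scrub_log(lines: List[str], now: datetime, retention: timedelta = timedelta(days=30)) -> List[str]:
    """Apply scrub_line to a whole log; the result is what gets written back or archived."""
    kept = []
    for line in lines:
        scrubbed = scrub_line(line, now, retention)
        if scrubbed is not None:
            kept.append(scrubbed)
    return kept


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG, NOW):
        print(line)
```

Run on the sample, the January line is dropped as older than 30 days, the malformed line is dropped, and the two recent lines survive with `203.0.113.0` and `2001:db8:abcd::` in place of the client addresses. Masking at ingest (in the web server's log format or a log shipper) is better than scrubbing after the fact, since a scrub job leaves a window in which the full addresses exist on disk; this script shows the rule, not where to put it.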


What you do or do not do should not be grounded in the consequences that you will face but in what's the best for your users.

If you feel that your users' rights are of no concern to you then you are of course entirely able to ignore this law and to pretend it does not exist, because in practice there will most likely not be any consequences whatsoever. You do not have a place of business in the EU, you do not transact any business there to begin with, so you are free to ignore the law. And this is doubly true because you are 'small fry'; nobody will notice.

Except for your customers maybe. And then that time that you got hacked and you lost all the data you collected over the years because you forgot to implement life cycle management. And this will then marginally affect the ability of other companies like yours to be able to do business.

And little by little the people that chose to ignore the law will start to become a large enough problem that something will be done about it (I hope). Which might mean harmonizing EU law and US law, or it might mean that you can be fined just as if you were in the EU for those breaches where you are clearly deficient.

In the end I don't think that you will enjoy the results much. But since you are small fry you probably will get away with it. But collectively, you and your buddies will harm American enterprise more than you probably realize.


> What you do or do not do should not be grounded in the consequences that you will face but in what's the best for your users.

I agree with the above. I disagree however that "what's best for your users" is universally a superset of GDPR regulations.

My personal view is that if your company/service becomes so powerful that people can't escape from its influence, the above regulations are a necessary evil in order to counter your outsized influence.

For a tiny startup on the other hand, you have so little influence on the world that if a consumer doesn't like the way you operate, they can just choose not to interact with you. Such startups can best serve both themselves and society at large, by focusing on building valuable features/services.

Reasonable people can disagree about the specifics of a law. As an EU citizen, I can understand your wishes for everyone to comply with EU regulations. It helps to put yourself in others' shoes, and ask yourself how much time/energy you, as a startup founder, would be willing to put into regulatory compliance with Canadian/Russian/Indian laws.


> It helps to put yourself in others' shoes, and ask yourself how much time/energy you, as a startup founder, would be willing to put into regulatory compliance with Canadian/Russian/Indian laws.

If I were to target my business at Canadians, Russians or Indians I would definitely make an effort to comply, especially if those laws in general did not originate from protectionism or were particularly hard to implement (which I don't think the GDPR is, at least not in spirit).


"You do not have a place of business in the EU, you do not transact any business there to begin with so you are free to ignore the law. "

Wrong. If you have a customer from the EU or any component of your infrastructure in the EU, you must comply with GDPR.


If you have a customer from the EU (...) you must comply with GDPR.

Nope, you have to specifically target people in the EU:

"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. (...) the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention"

https://gdpr-info.eu/recitals/no-23/


I'm not saying he's not in scope and should not comply I'm saying he can get away with ignoring it in practice, which was what he was asking about.


He'd be exposed to increased risk by not complying (lawsuits, criminal action, etc.). It's based on his risk tolerance; the problem is it's hard to quantify at this point.


Based on a pretty thorough bit of search I can confidently say that no small (or even mid sized) US company has ever been fined or any executives detained or extradited because of breaking an EU law that would have not normally resulted in a criminal conviction.

The EU tends to go after the larger entities and tends to fine rather than arrest.


The history of laws suggests that relying on non-enforcement of a law is not wise. The GDPR is a good idea that has been written badly.


I've read most of it and I disagree that it has been written badly. As laws go, it is accessible, has some pretty clearly defined goals and is for the most part something you could easily comply with.


Yes the first 90% is reasonable, it is the last 10% that is a nightmare.

I comply with the general intent (always have), but the law as currently written is near impossible to comply with. My feeling is this will be realised by the EU and a more rational set of guidelines will emerge.


Acting in good faith is the best protection you can have. In your case, if there are parts that you cannot comply with, I would note these as clearly as possible and disclose those specifically to customers, along with why you can't comply with them. And another thing you could do is to get yourself a $500/hour lawyer specializing in privacy for an hour or two to tell you what to do on a sheet of letterhead.


Great, another shakedown by a lawyer :(

Since we are not based in the EU and don’t have a business presence there I think I might just keep following the intent and wait for the EU to be more sensible.

I really do wonder how EU companies are going to comply with all this. What an enormous waste of resources to catch a few bad actors.


It really does feel like a lot of policymakers don't actually realize how onerous their requirements are, and in turn, how much this hurts smaller businesses that can't afford dedicated resources to keep up with all these issues.

Of course, for the policymakers, it's a win, because as part of a rent-seeking bureaucracy, they can expand their empires as they produce more policies.


If your company is not targeting the EU as a market you are out of scope of GDPR.

If you explicitly accept Sterling/Euros, provide localisations for EU countries, talk explicitly about your EU shipping options etc. then you would probably be seen as accommodating the EU market and might find yourself in scope.


So basically this legislation will make it less likely websites will accept European currency and localize to European languages?


Consider the case of an EU citizen traveling in the US, transacting in USD. This person is covered. Even if they are in the US.


Wrong. You don't get to make up new laws for the country you are visiting.


This is exactly what I was coming to HN to query about. Without some agreement with the US federal government, I don't believe they would have any mechanism of enforcement that would affect your business in the U.S. I imagine they could do something like block your site from EU ip addresses but nothing like coming after you or your company for damages.


This sort of argument is like saying you can commit murder then flee to Algeria, and the US will have no mechanism of enforcement. It's true, but heaven help you if they figure some mechanism out.


Technically true, but what does the enforcement action actually look like against the small town ice cream shop that doesn't know or care about the rights under the GDPR of a tourist from Spain?


I don't think it's even technically true. The GDPR applies to EU businesses or businesses dealing with people in the EU, not all EU citizens.


I really want to know where this idea is coming from. I do not see how GDPR applies here.


You're gonna have to provide a citation for that.


Yeah, like the sites doing that for China.


Arrest when you have a layover in the EU for some reason, on purpose or because of an emergency.

And a default judgement.


Not a chance. The only country that has a history of such actions is the United States.


So if I ignore a law in Canada or the EU (extradition request, default judgement, etc) as an officer of a corporation, I wouldn't get arrested when I show up on the border? Really?


For ignoring the GDPR as a small business owner operating on the internet the chances of individual consequences are nil.

High profile cases would have a much higher risk and companies that went out of their way to advertise the fact that they are going to break the law would run a significant risk.

Show me just one example of a company located outside the EU without a legal presence inside the EU that had an executive detained upon entry for breaking an EU law that does not normally result in criminal prosecution.


Does the EU have any other extra-territorial law as far reaching as the GDPR? Or any other extra-territorial law? A business shipping something to the EU doesn't count.

The only other extra-territorial laws I know of currently are FATCA and the FCPA, which are from the USA.


The GDPR is not an extra-territorial law. It merely concerns itself with EU citizens.


If the law applies outside the EU (for instance, if EU citizens travel to a non-EU country), then it is an extra-territorial law. As far as I understand the discussion here (which may or may not correspond with the actual law), the GDPR goes with the person. Wherever an EU citizen goes, that EU citizen must be able to be forgotten, regardless of whether the location they are in is outside EU jurisdiction. That is practically the definition of extra-territorial.

Now, would an EU court rule that someone who kept permanent records of an EU citizen be violating the GDPR if the business has no EU presence? In the American system (imagining if the US passed a GDPR and prosecuted a non-US citizen), no, because the government would not have standing to sue: the violation took place outside of US sovereignty. If the EU takes a similar approach, then the law is not extra-territorial in enforcement, otherwise it is.


EU citizens outside of the EU are out of scope for the GDPR.


Could you point at the language that unambiguously says that?

Edit: GDPR Recital 23, Article 3(2)(a). Excellent!


No one is forcing you to follow it, but I suspect this is just the beginning. GDPR is coming from the EU due to historical reasons: Europe has a lot of bad memories about keeping lists and tracking users. From Nazis to Stasi, USSR and so on and on. What is today done by google, fb, twitter is light years ahead of that. Try to understand that GDPR is not something bad, it is raising credibility for your business and is doing something right. I bet a lot of, let's say, USA citizens will value the text "we are GDPR compliant for the whole world" on a web site. It is an opportunity that Backblaze grabbed, and soon sites that don't follow it will be on the fishy side of the internet. And I also believe a lot of non-EU countries will adopt similar laws; the attack on privacy has gone too far. Don't blame the EU, blame ggl and fb.


It's not related to the Nazis. Please. If it were really related to memory of abusive governments they wouldn't have just written a law with phenomenal penalties and ultra-vague language that everyone can be argued to violate - exactly the sort of law that all totalitarian states love to have.

GDPR exists because the EU wants to be the primary legislating entity in Europe, replacing local governments, and because it likes the idea of funding itself through huge fines. It exists to serve political ends.


If you have a customer from the EU, you must comply with GDPR. Full stop.

Also, if any component of your cloud ecosystem (AWS, GCS, etc.) is based in the EU, you must comply with GDPR. Which in today's world means almost everyone is affected by this.

Make sure those "American" platforms you speak of have every single component of their infrastructure based physically in America.

The whole thing may be difficult to enforce, but meh why risk it?


So what's the definition of "customer from the EU"?


In the typical web/e-commerce context someone whose IP address geolocates to an EU based end point or someone who lists their delivery address as inside the union.


The problem is that the law applies to them even if they use a proxy. If they report/sue you afterwards, you might be looking at a huge amount of trouble.


Yes, but like with all this stuff: Your intent to comply with the law carries a lot more weight than actual compliance in edge cases.


That's not very comforting when your goal is to avoid having unforeseen problems like being arrested on your European vacation due to violating a law that doesn't apply to your country but which you still violated because it applies to all EU citizens regardless of their geographical location.


This has never happened as far as I can detect.

The only country that does this sort of thing is the US.


If you're that worried, then stop scooping up every bit of data you find. Start asking if you actually need it.


> it applies to all EU citizens regardless of their geographical location

It does not. Article 3[1] clearly limits it to people in the EU. It says nothing about applying to EU citizens.

[1] https://gdpr-info.eu/art-3-gdpr/


People will just add a checkbox that the customer must check to complete the transaction:

[] I affirm that I am not an EU citizen.


The general direction is correct, but not the specific implementation - since it applies to everyone in the EU, no matter what their citizenship, you can just reject all transactions where the shipping address (or credit card address for virtual goods) is in the EU; and that should probably be fine.

On the other hand, if you actually want to sell stuff to EU and get a nontrivial number of deals, then no amount of weird checkboxes is going to convince the regulator that it's okay, they aren't stupid.


That's not possible according to GDPR.

Edit: downvotes? Really? Did you guys read the law at all?


If it's not possible then it's a rather breathtaking claim of authority that a non EU based business cannot exclude EU citizens.


For something you ship that wouldn't fly.


Is it just me or does this article manage to give advice while saying nothing at all about what is required?

For example:

> The first half is the General Data Protection Regulation (GDPR), which becomes enforceable across Europe on 25 May 2018. This is an overhaul, modernization, and replacement of the existing framework, the Data Protection Directive of 1995 (yes, 1995.)

> All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era. It also tightens up requirements for transparency, disclosure, and process: lessons learned from 23 years of experience.

It's talking about the new definitions and requirements, but says nothing about what they are!


You could simply go and read the GDPR text. It's actually ok. Compared to say the Verified-by-VISA spec :)


Aye. There's a nicely formatted version (non-official, hosted by a consulting company) at:

https://gdpr-info.eu/

I also suggest reading a report that's helped inform the text of the GDPR:

"Privacy and Data Protection by Design":

https://www.enisa.europa.eu/publications/privacy-and-data-pr...


I have been through a number of GDPR resources and seminars and I am still of the opinion that there is nothing in it to worry people who are acting in good faith with their customers data. The organisations fined under existing laws seem to have been breathtakingly negligent or just deliberately callous.


Q: would I still be able to keep session logs of user journeys through my site without explicit consent? If not, this seems like a huge issue for ecommerce analytics. If I need to obtain explicit consent that the user isn't required to provide to continue accessing the site, then I don't see how these technologies are not basically dead in the EU.

Can you even legally do a customer churn analysis under the GDPR without explicit consent?

One of the biggest complaints I have about this is that the uses for data keep growing, and legally, you can't even test a hypothesis before getting consent, which you won't be able to do frequently because users hate being asked about anything.

My intuitive response to this law is to want to split my data into EU/non-EU parts, do all my work on the non-EU parts and hope that the insights gained there can be applied to EU users.


Yes you can keep session logs, it is a 'legitimate interest'.

Are you just trying to see which deals interest people (zero issue, but you could anonymise this) or profiling the customer based on the logs and offering different prices (you are going to have to be more careful and transparent)?

> Can you even legally do a customer churn analysis under the GDPR without explicit consent

There are lots of ways to look at churn with anonymised data. I do it with account IDs. If you are looking at the churn rate of Asian people vs Afro-Caribbean, then GDPR is going to be amongst your problems.


No, put up a “trap” page, tell the user you need to collect certain data to operate the site and make the user click Accept before they can use it.


I think the GDPR explicitly forbids that; if your site doesn't need the data to keep functioning, it can't just stop working.


Funnily, one of the common fears our clients (https://gdpr-tools.eu) have with regards to GDPR is not about the general public. It comes from disgruntled employees ratting on the company.

Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage by reporting their employer to the "authorities". GDPR introduces a whole new dynamic.


This is the case for every law. A disgruntled[1] employee at a coffee shop that has mold growing on the kitchen ceiling can, after being ignored by management for weeks, rat on the company. (And then get shitcanned, with no recourse, because none of their co-workers will testify to the truth on their behalf, because they are cowards who don't want to lose their jobs. Understandable, but sad.)

This doesn't mean that we don't need food health and safety inspection laws. It does mean that you actually need to run your business in a way that respects your customers.

Stop running your company with the attitude of "It's fine, as long as I can get away with it." I have no sympathy for that.

[1] You can be a disgruntled employee, and also be 100% in the right, if your boss is behaving illegally.


I am curious: if you offered a service that allowed users to post their own data to your service, how do you protect against customers posting data that violates the GDPR? I.e. people's personal information being posted in plaintext?

Is this type of case covered by the GDPR?

Also, how are things like access logs supposed to be handled according to the GDPR? Our software records all requests made to our API; they log your userid, ip address, and what you were trying to do.

We have clients who are in the US who required the above feature for auditing purposes.


The GDPR defines two types of companies: processors and controllers. The crucial distinction is (roughly) if a company makes decisions. Someone performing targeting or operating a website is probably a controller, whereas AWS, who makes no decisions and just follows directions, is a processor.

If you don't want to be a processor, the best thing to do is probably to disallow, in your contracts, usage of your service for anything containing GDPR-covered personal data.

As for access logs, those will be some mixture of the two bases offered in the GDPR. Some will be required by legitimate interests (such as those collected for legal requirements) and some will be subject to consent. This is a complex discussion.


> I am curious, if you offered a service that allowed users to post their own data to your service. How do you protect against customers posting data that violates the GDPR. I.e. peoples personal information being posted in plaintext?

You ensure that those users have a way to delete the data again.


I'd actually considered implementing a "soft delete" function for my service (knowledge management SaaS), out of fear that a user would accidentally delete something important.

Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete' function in place. If I get a request to restore any data I can say, "Sorry, the Europeans made me burn your data when you unwittingly clicked the red 'delete' button (as well as the confirmation dialog you didn't read)."


If you purge soft-deleted records after (say) 2 months, and don't use those records for anything unless they are undeleted by the users request, I don't think that should cause any problems with GDPR.

Of course, IANAL.


It should be very clear to the user how the data will be used and shared. If a hotel asks for free-form feedback, it shouldn't magically post the response as a review, under the user's name, on a public site, for example.


I am not a lawyer nor a security expert but we've decided at the place where I work that unstructured fields which are unlikely to contain personal data—but might in edge cases where a user chooses to enter it—don't fall under the GDPR purview.

An extreme example of this is in hosted email—if Alice writes an email to bob@gmail.com with some of Charlie's personal information, it would be absurd if Charlie could ask Google to remove the email. (Although maybe reasonable if Charlie could request to not have his data used by Google to target him or anyone else with ads.)


I have to guess this is why gmail stopped (or at least announced stopping) personalized targeting: the difficulty of deciding if anyone on the email is subject to GDPR.


Typically, privacy violations are instances where the user has not consented to sharing the information. In the scenario you describe, if someone willingly posts their own personal information they have forfeited their right to privacy.

The law is meant to protect people from companies rather than people from themselves.


You're Joe Blogger using somesmallwordpresshosting.com and you have a freeform comments page. People post 'private' comments of others. Who is responsible for what? How the fuck do you know if it's of an 'EU citizen' if that isn't made obvious? Can you get fined literal millions because you fucked up some detail for your blog newsletter's email list?


I've been digging into GDPR for the last year or so and the major conclusion I came away with was that, in effect, it is a massive effort to educate the population about data collection and processing online while also beefing up guarantees for data security.

As in, it's not illegal to do most of the same things we do now with data; however, we now need to educate our users on what data we are using and exactly how we are using it, in a way that is understandable to the average user.

With all due respect to the average user, I cannot fathom how anyone doing anything with user data more complicated than a basic record will explain it simply enough to be in compliance.


In this article the author states: "The latter definition is important for developers. It includes things like IP addresses, mobile device IDs, browser fingerprints, RFID tags, MAC addresses, cookies, telemetry, user account IDs, and any other form of system-generated data which identifies a natural person.". This information does NOT automatically qualify as personal data. Information being unique is not the same as personally identifiable. A random cookie sent by the browser is not PII. A cookie stored in conjunction with say an email address could be.

Certain information can be classified as PII if it is possible to cross-reference it with other stored information to identify a user. For example, a European court in a recent ruling stated that a full IP address could be considered PII because an ISP would have a record of IP address and time with a person's name.


Are you mixing up ‘personal data’ and ‘personally identifiable information’ (a US legal concept that differs from the EU definition of personal data)?


No, I am simply using shortened text not the USA PII legal concept. GDPR has many more restrictions than the USA concept of PII.


To me it seems quite simple: if the information can be used to identify a user, it is personal information and you need an explanation of why you need it and an opt-in. If this is a problem for you, maybe avoid collecting what you don't need. The idea of "collect everything and audio & canvas fingerprint them, maybe I will need it later" won't pass; you will never get consent. Collect only what you really need.


This doesn't make sense to me. Wouldn't that make every id that is one to one or one to many with a customer PII? That seems absurd.

A user alias on some random site would meet that criteria, assuming they took name/address/etc when you signed up.

Unless PII has some other significance than I'm interpreting it to have?


Right. So you'd have to have a business case for the user to have a persistent login, if you want to offer login functionality, beyond simply "track the user to see what they want". It's ridiculous.


Sounds good to me.

Screw you data vampires.


Cookies are about the only thing in there that may not qualify as personal data as defined by the GDPR.


I’d love to understand GDPR but this article isn’t helping. Can anyone suggest something more focused and direct?


Very simplified: you cannot use or give personal data to someone else without opt-in consent (where you must state, in non-legal, non-tech speech, what they will be used for), and the same goes for enabling others (ad networks, google, ...) to get that data. Or you are breaking the law. Further, the user must be allowed to view, change or delete that data and remove consent to use it in the whole chain (your site, ad network used on your site, ...). Furthermore, the consent must be freely given (forget trackwalls).


And there's also the slightly grey-area requirement that (if you're using it as your legal basis) consent should not be required in order to utilise your product, merely to utilise the feature set that requires the data.

If you need everything, then you'll need to use "fulfilment of a contract" as the basis, and in that case, you probably need to make your ToS pretty tight too.


Question about the freely given consent - Say I'm a car company like Tesla and I collect telemetry from the car to train a self-driving car model. I ask the user for consent to collect this data to train the self-driving model.

For the users that refuse this consent, can I prevent them from accessing the self-driving feature of the car? If not, how would the company deal with the free-rider problem - nobody opts in because they want their privacy but they also want the feature?


In that instance, I (personally, IANAL) wouldn't use consent as the legal basis. You could (esp with a legal team like Tesla could afford) pretty easily work that into either fulfilment of a contract, or legitimate interests.

AI and ML have to be careful [0], as you need to be explicit about the data's use and impact on the end-user. The most given example for this is ML algos that determine eligibility for financial products, but we could probably twist that Tesla example to fit a similar case: "my data is used to inform an algo that determines what the car does in a dangerous situation", so you might have to abide by rights to explanation and data editing.

[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...


The number of potential free-riders is tiny, so there's no reason to retaliate against them. The same problem exists in Internet services. If blekko (a startup search engine) saw a DNT do not track header from a user, we wouldn't even include their queries in our anonymized dataset. That slowed our learning-to-rank process, but only by a little.


It would be useful if people downvoting this could say which bit is incorrect, or what it's missing.




GDPR is so complex, but this helped my understanding a little bit: https://www.convert.com/gdpr/ab-testing-application-complian...



GDPR has a lot of parallels to HIPAA and SOC 2. Many developers here have worked with companies subject to HIPAA, or that do SOC 2 reporting.

One big difference is that the material scope of GDPR is so extremely broad: it regulates any PII that can be touched by EU law. That's important because it means that all of your SaaS vendors that touch this data may be in scope, not just your hosting stack. If you're marketing or selling in the EU, your entire growth/CRM/customer success stack will be regulated. If you have EU employees or contractors, all of their HR data is covered. I'm not sure if most companies realize this. It may be less of a problem for B2B, we'll see.

Questions to ask yourself: What is the scope of GDPR personal data across your business? Are you marketing in Europe? Are you selling into Europe? What business processes touch that data?


What I like about GDPR is that it might help change the mindset that storing customer data is purely an asset - it should be a liability. Hopefully other countries will ratify similar laws. Then something like the Equifax breach could go unpunished!


Does this make Apache access logs illegal?

1) There isn't any way to "opt-in" to them

2) You would need to have a tool to remove every entry for an IP address when requested?


It looks like the answer is yes:

https://www.ctrl.blog/entry/gdpr-web-server-logs


If you store the full IP address forever, that is already illegal today if you have German users.

Hashing (only useful for IPv6) or truncating is recommended.
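The two comments above ask whether raw access logs can be kept at all and what removing one address would involve. As an added example (not code from anyone in this thread), here is a Python script that applies the truncation and keyed-hash approaches to constructed Apache combined-format log lines and drops the entries for one client address; the prefix lengths, the HMAC key and the sample lines are my assumptions.

```python
"""Pseudonymise client IPs in Apache combined-format access logs and
honour an erasure request for a single address (added example)."""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample lines in Apache combined format (documentation address
# ranges, not real traffic).
SAMPLE_LOG = (
    '203.0.113.42 - - [27/Feb/2018:10:01:12 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"\n'
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [27/Feb/2018:10:01:13 +0000] '
    '"GET /api/items HTTP/1.1" 200 312 "-" "curl/7.58.0"\n'
    '203.0.113.77 - - [27/Feb/2018:10:01:15 +0000] "POST /login HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"\n'
)

# In the combined format the client address is the first whitespace-delimited field.
_CLIENT_RE = re.compile(r"^(\S+)(.*)$")


def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host bits (last octet of IPv4, everything past /48 of IPv6, both
    assumed prefix lengths) so the stored value covers a block of hosts rather
    than one subscriber."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def hmac_ip(ip_text, key):
    """Keyed hash of the address (HMAC-SHA256, shortened to 16 hex chars).

    An unkeyed hash of an IPv4 address is trivial to reverse because there are
    only 2**32 candidates to try; the key prevents that, but entries remain
    linkable to each other while the key exists, so rotate or destroy it on a
    schedule.
    """
    addr = ipaddress.ip_address(ip_text)  # normalises the textual form first
    digest = hmac.new(key, str(addr).encode(), hashlib.sha256).hexdigest()
    return "h:" + digest[:16]


def pseudonymise_line(line, mode="truncate", key=None):
    """Rewrite the client field of one log line; non-address fields are left alone."""
    if mode not in ("truncate", "hmac"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "hmac" and not key:
        raise ValueError("hmac mode needs a secret key")
    match = _CLIENT_RE.match(line)
    if not match:
        return line
    client, rest = match.groups()
    try:
        client = truncate_ip(client) if mode == "truncate" else hmac_ip(client, key)
    except ValueError:
        return line  # e.g. "-" or a hostname when HostnameLookups is on
    return client + rest


def pseudonymise_log(text, mode="truncate", key=None):
    """Apply pseudonymise_line to every line of a log file's contents."""
    return "".join(pseudonymise_line(l, mode, key) + "\n" for l in text.splitlines())


def erase_ip(text, ip_text):
    """Drop every line recorded for the given client address (an erasure request)."""
    wanted = ipaddress.ip_address(ip_text)
    kept = []
    for line in text.splitlines():
        match = _CLIENT_RE.match(line)
        try:
            if match and ipaddress.ip_address(match.group(1)) == wanted:
                continue
        except ValueError:
            pass  # client field was not an address; keep the line
        kept.append(line)
    return "".join(l + "\n" for l in kept)


if __name__ == "__main__":
    print(pseudonymise_log(SAMPLE_LOG))
    print(pseudonymise_log(SAMPLE_LOG, mode="hmac", key=b"rotate-me-monthly"))
    print(erase_ip(SAMPLE_LOG, "203.0.113.77"))
```

Running the truncation pass at log rotation time means the long-term archive never holds a full address, so an erasure request only has to be serviced against the short-lived raw logs.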


I wonder if we will see a kind of dual universe privacy in implementations once countries like China become equal as a market for internet services, and they create some sort of a reverse GDPR law. Then for all customers from the EU you will have to completely anonymize and protect all data to the last bit, while for Chinese customers you'll have to implement the most rigid and total tracking possible?


Perhaps separate subsidiaries for the EU, which does respect the GDPR, and one for China, which tracks everything that could be tracked?


How would that be useful to you?

The EU subsidiary would not be legally able to use any of that data (it can't take it from the China subsidiary in any way whatsoever); and the China subsidiary would not be practically able to use any of that data, since they don't have any users/customers in EU.


The China subsidiary would be able to use the data in China, to advertise and acquire more Chinese customers.

Of course, I suggested that more for the situation where the EU had data privacy laws, and China required intense tracking of customers.


You don't need subsidiaries for that.

GDPR would apply if an EU company were to track people in China (Article 3 section 1); it would apply if a multinational company tracks people in the EU when offering goods or services to them (Article 3 section 2); but it wouldn't apply when that same multinational company tracks people in China.

I.e. Facebook can be fully GDPR compliant if it applies the privacy requirements only to people in the EU and gratuitously violates the privacy of everyone else.

Furthermore, if China has a legal requirement for intense tracking of customers (I'm not sure what their legal requirements are), then GDPR would allow an EU company to do that without consent. (Article 6, 1c : "Processing shall be lawful [..] if ... processing is necessary for compliance with a legal obligation to which the controller is subject")


Typo in the title: GPDR vs GDPR


How would this be enforceable for companies that have their headquarters only in the USA even if they have european users?

Will this also apply to citizens of an EU country living outside the EU?


The EU is going to send over its army and force you to comply.

My understanding is the GDPR applies to residents of the EU, not just citizens, and it also applies when they are outside the EU. In practice this means it is impossible to determine if it applies unless you gather far more information than you really need from your users - “sorry we have to invade your privacy to protect your privacy”.


So a US company providing services to a US naturalized citizen in the US that is also a dual citizen of a country in the EU makes the company liable to follow these regulations?

That makes no sense.

This sounds unenforceable.


Yep. It is worse: it can be an EU resident (non-citizen) visiting the USA using a USA-only service and the law as currently written still applies. Good luck.

The next fun job is working out how to remove the data from all your backups when you get a removal request.

I have taken the approach that I will comply with the general intent of the GDPR (which I did long before it existed), but not try to apply the ridiculous parts.


"Yep. It is worse: it can be an EU resident (non-citizen) visiting the USA using a USA-only service and the law as currently written still applies. Good luck."

You're going to have to provide proof to back up that statement.


The regulations are ridiculously broad [0]. They appear to cover everyone in the world no matter where they are or what their citizenship. The EU seems to be aiming for a universal human right.

"The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."

0. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...


That's the intro statement. That's like saying the Declaration of Independence is overly broad because it says that "all men are created equal."


See my posts down thread for the more detailed clauses.


It is not citizenship, but residency.

Yes the regulations make no sense and they really aren’t enforceable outside of the EU.


> It is not citizenship, but residency.

I think it's both.


There is nothing in the regulations that talk about citizenship, just residency.


It does not apply to people outside of the EU. Article 3[1] is quite clear about that it applies to people in the EU.

[1] https://gdpr-info.eu/art-3-gdpr/


It says it applies to the “...processing of personal data of data subjects who are in the Union…”.

If someone in the EU (say a visitor) asks to have their data removed that was collected while they were outside the EU, then the controller or processor is supposed to comply.

How is any business supposed to know whether a user of a service located in the USA, who was in the USA at the time, will not later travel to the EU and make a data removal request while there? If the request comes from someone located in the EU then the regulations apply.

The practical result is you can’t just geo ban people from the EU and this is before we get to the problem of proxies.


You're leaving off the end of the sentence. Data collected about someone outside of the EU is not covered by GDPR even if they later enter the EU.

> where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.


There is an “or” not an “and” between these two clauses. It applies if you offer any goods or service, OR monitor behaviour inside the EU.

It is interesting that the monitoring clause only applies if the subject is inside the EU when the monitoring is done, while the service or goods clause applies if the person is inside the EU with no requirement that the service or good was acquired or used within the EU. I can’t really think of any logical reason for this distinction. The “takes place within the Union” for one and not the other is strange.


Both clauses explicitly limit their scope to the EU.

> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union

> the monitoring of their behaviour as far as their behaviour takes place within the Union.


No they don't. The first is limited to subjects in the EU while the second is limited to activity in the EU. If the first clause was limited to activities that take place within the EU the clause would say this - actually there would be no need for two clauses as you would just have one clause that says sale, service and monitoring.


It clearly says offering goods and services to subjects in the Union. It only applies if they are in the Union when you are offering them goods or services. If you offer them goods or services outside of the Union and they later enter the Union, you didn't offer goods to someone in the Union, so GDPR doesn't apply.


If you offered them a service and they are in the EU then it is covered. There is no location exemption that this clause only applies when the service was offered when they are in the EU unlike the monitoring clause. Why do you think they broke this out into two separate clauses?

If you get a request from someone in the EU to remove their data you have to comply no matter where or when the data about them was acquired. The clause is quite clear on this point and that is why it is written differently to the clause about monitoring.


Trade agreements.


Trade agreements don’t enforce laws, they just mean the countries are supposed to draft local laws that cover the action. This assumes that the GDPR is covered by a trade agreement.

