This is not written in unintelligible legal-ese. It is very approachable, understandable by a layman, and organized such that relevant Articles are easy to find.
It might take an hour or two, yet may have a fundamental impact on how you approach your job for the foreseeable future. Time very well spent.
Here is an accessible version of it: https://gdpr-info.eu/
EDIT: for clarity, that site is accessible from an organizational point of view (i.e., broken out by articles, not one long string of text). I do not know if it is accessible by screen readers or alternate input devices.
: https://en.wikipedia.org/wiki/Article_29_Data_Protection_Wor... WP29 is "an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission."
What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.
Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?
Yet another item – "Don’t enable social media sharing by default.". Is the thinking that user's shouldn't be able to share something via social media without first explicitly enabling that option? That just seem unfriendly. Or is the idea that doing so protects someone from doing so accidentally? This seems a lot like the 'cookie law', itself an annoying mandated nagging that probably backfired (because everyone was effectively trained to just do whatever necessary to get rid of the corresponding notification on every site they visited).
Again from the privacy-by-design page:
> There is no checklist of ready-made questions that will get you there; General Data Protection Regulation requires developers to come up with the questions as well as the answers.
That's a really unsettling description of a law.
> What's the minimum amount of data? Who decides that? Is it dependent on context? I'd hope so!
The GDPR says when you collect data, you have to tell the user what you intend to use it for. "Minimization" applies within the context of those stated uses. So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
As a corollary, if you can't link a piece of data to a business use, you shouldn't be collecting it. This was a good idea before, but GDPR makes it more relevant.
Note that this is similar to the ethical guidelines for medical research. "Harm Minimization" is a central pillar of ethical research. Harm, and risk of harm, is acceptable, but there is an affirmative duty to seek the least-harmful means of achieving your goal from those available.
> That's a really unsettling description of a law.
That's how HIPAA works, actually. I have a professor who argues this model of legislation is more effective than traditional sector-specific regulation, because it puts the onus of subject-matter expertise onto the people who are actually subject-matter experts, and because it allows for creative and adaptive solutions.
I would also like to stress out that, from my understanding, this data would rather be deleted immediately after use. That is, not saved at all after the query, or the delivery, unless the user explicitly opted-in to give you such data for advertising, etc...
Can you be GDPR complaint ( in theory) with zero encryption?
Generally speaking, encryption is an obvious choice when it comes to measures designed to protect user data.
In fact, encryption (security) is mostly orthogonal to how you track and handle personal and sensitive data (privacy protection). You could encrypt everything and still be wildly GDPR non-compliant, if the encrypted information you're storing lacks clear purpose and explicit consent.
We store data encrypted because it
A) leaves no room for misunderstanding with different regulators or their respective auditors, and
B) provides a computationally infeasible barrier against accidental personal information disclosure even if the storage system was improperly decommissioned
Point B in particular can be explained to auditors without problems. They understand both the intent and the technical measures put in place. But how we store data is only tangentially relevant to how we handle data. Let alone what we need to collect in the first place.
(The KYC/AML/SOW requirements in gambling are quite demanding; they impose significant data collection and retention needs.)
Then that part is worthless, just another click-through "agreement" practically nobody reads.
That part won't change anything.
> So if your business purpose is to mail something to the customer, full physical address is OK to collect. If your business purpose is to help them find a nearby store location, you may be expected to collect something less granular like ZIP code or metro area, depending on how many locations you have.
I always wonder one thing: Is the penalty going to be high enough to justify not breaking this law?
All business decisions are cost-benefit. If the costs of doing something outweigh the benefit, you don't do that. This includes following the law: If you can reliably get more money by breaking the law, you break the law, and pay the penalty if you get caught. Unless you're very unlucky, you're still right-side-up after you pay the penalty, so your behavior was, on the whole, justified.
GDPR requires that the use cases be itemized, and the user can opt out of each one individually. So if the user opts out of receiving a mailing but not the store locator, you have to manage how much data you collect about that person. I agree that for the most part this will just be another click-through like the cookie law was, but companies will be required to accommodate those minority that do care.
> Is the penalty going to be high enough to justify not breaking this law?
The penalty is up to 4% of annual global revenue. Global revenue.
Of course, paying the fine doesn't mean that you can continue with the action - it'd also likely involve imposing a temporary or permanent ban on data processing and ordering the rectification, restriction or erasure of data gathered unlawfully.
Elizabeth Denham, UK's information commissioner in charge of data protection enforcement, had this to say:
"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm. Our office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort."
In other words, the compliance decision is not in your hands, but there's a promise of certain lenience. At least to start with.
A practical trouble is that once a company reaches a certain size, they no longer even know what data they have, never mind why. Do we already store personal data? Where? Is it important data such as "names + credit cards", or some god-forgotten IP addresses in a log? Email archives and attachments? How about GoogleDrive and SharePoint? Then, do we redact it, or delete it? How? How do we answer Subject Access Requests?
We've built a product to help companies take care of the most common "private data" cases (https://gdpr-tools.eu), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. That whole space is very much in turmoil and how hard the GDPR whip will get cracked remains to be seen.
Funnily, one of the common fears that clients have is not about the general public. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage by reporting their employer to the "authorities".
That's a very good reason to do a little inventory then. Not knowing what data you have is a real problem in my book.
The automated inventory analysis tools, like ours and others, are only just becoming useful thanks to ML. The previous generation was mostly regex-based and mired by constant false alarms.
> As one dramatic example, PayPal’s recent updated notice lists over 600 third-party service providers. The fact that PayPal shares data with up to 600 third parties is not news. That information is simply being brought into the open.
From what I can see of the list of those "600 third parties", a large number are banks and other financial institutions.
The ICO seems reasonable, so hopefully they won't crush a small software shop for fucking up on something, but they're going to want to go after some people to send a message at some point. I'd guess you'd want to check that professional indemnity insurance policy, just in case.
It is, of course, all down to context. You need to show that you at least took the guidance seriously and tried to mitigate things. A notice of "collect ALL THE THINGS" won't fly, as you're basically admitting you're not prepared to consider it.
I think you're right on the social media sharing thing, it should be fairly well handled by the OAuth notices from most networks (I'd have guessed - "allow this app to post on my behalf" counts as consent?), but yeah, can't be taken as a given. IANAL, of course.
In a weird way, VATMOSS and GDPR kind of work together on this...most things we collect at work that will be covered by GDPR are collected because of VATMOSS.
VATMOSS requires that we be able to justify what country's VAT we collect on a given online purchase with two pieces of "non-contradictory" evidence. So, right there we have to collect at least two things that provide location data about the customer, and GDPR expands the definition of personal data to include location data. I say "at least" because since it is required to have two non-contradictory pieces of evidence, it's prudent to collect at least three.
I think we currently use: (1) country the person selected from the "Country" drop-down on our site, (2) GeoIP at time of purchase, (3) GeoIP at time of filling out quarterly VATMOSS report, (4) GeoIP on IP addresses that they have used when downloading updates, (5) Country of bank that issued the credit card or debit card used for the purchase.
> Can any site just 'do an end run around' the law by requiring their users to agree to allow them to collect whatever data they collect now or that they've already collected? If so, that seems like it'd be likely as helpful as current terms of service.
Under the GDPR you're not allowed to store personal data.
However, if you have purpose, and need data to fulfil that purpose, you can.
You can also ask for data, in clear terms, and if an informed user, freely choose to share, you might store that.
So, you sell shoes and magazines online. You need an address to ship both. You need a shoe size to ship the right shoes. You can demand to know the shoe size before you ship shoes - but not before you ship a magazine.
You can store order information (indeed have to, due to financial regulation). So you have a record of shipped shoe size and customer data.
You may not, without consent, store a permanent profile with shoe size and magazine preference. But it's OK to let users opt in to a profile.
> Another item mentioned is "Where possible, pseudonymize personal data.". What's a practical example of that?
Good question. Off the top of my head I can't think of useful pseudonymyzation related to the GDPR.
Perhaps things like hashing IP addresses for traffic stats, or using opaque identifiers for storing session interactions rather than linking directly to IP or real names. Useful pseudonymyzation is hard.
> What do you do about users who have used plaintext or silly passwords?
I don't even know what to write about that. The whole tone of the page is lecturing – about "fundamental human rights"! – and yet it's suggested that developers handle "plaintext or silly passwords"!
You decide, based on context and consent. I think consent now needs to be non-blanket.
> That's a really unsettling description of a law
I know it's not ideal, but it's far from the only vague area. The law of negligence is very important to anyone running a business and is almost entirely caselaw, for example.
It's also a lot like CE certification, which takes a while to get your head around but is similarly based around both standards and self-certification.
You must provide the user with a detailed description of what personal data of theirs you are collecting, who you are sharing it with and what your business purpose for collecting it is, and if the data is something that you need their consent to collect, you get their explicit consent to collect that data and you must let them opt-out of providing that consent without preventing them from doing business with you.
No: a consent from a user must be for granular information with a specific listed purpose.
That seems sensible but is that really based on the actual text of the law or is this just your own summary?
e.g., I run a free, ads and promotion funded site, but I actually supplement revenue by selling the user's actions on the site to a third party. users can also have accumulated virtual currency as rewards, which can be used for premium sections of the site.
then along comes GDPR, and I tie acceptance of some virtual currency rewards with acceptance of the GDPR consent, with the threat of site access being cut off if they don't consent.
is that still legal?
https://gdpr-info.eu/recitals/no-43/ "Consent is presumed not to be freely given if ... the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
If the data is actually needed to execute the contract (i.e. a delivery address if you're mailing stuff to the user), then you don't need separate consent; but if it's not (e.g. just revenue) then any "confirmation clicks" that are tied to site access being cut off would be just that - simply clicks that don't count as freely given consent.
Also, if you consider giving a reward for acceptance of GDPR consent, then you must also consider that consent can be revoked at any time (including 5 seconds afterward) and it must be literally as easy to withdraw consent as it is to give it.
Most social media sharing buttons are in fact scripts hosted outside the website currently visited. So even without using them a lot of data is send to Facebook, G+ and other social medias. If you want to see a good implementation of the idea, check Schneier's website: https://www.schneier.com/
The CRM database is copied over to a separate database that the reporting system feeds from. Now in reality the reporting system (which will generally give you aggregated trend reporting) doesn't need a full copy of all production data as it only needs to utilise a limited subset of the overall data.
So instead of the full copy of the CRM database being copied over to the reporting database, you filter the data so you only copy over an anonymised dataset. That is pseudonymisation in a nutshell. Because you still retain the separate dataset in your system, the data is not truly anonymised, so is said to be pseudonymised. Overall I see it as linked to the requirement for data minimisation. Any particular system should only have access to the data it needs to perform its role.
What many SVers call "innovation", other industries would call "reckless".
How embarrassing for us!
EDIT: In terms of regulation, we're practically chiropractors.
Knowing all regulations in the world for any given industry would be a full time job. The people you seem to be implying exist do not exist.
If those local UK construction companies want to do business in Japan they'll have to know the building codes of Japan.
But seriously, the GDPR standardize the body law for the whole Europe. That makes thing easier for devs.
New York lawyers who do business in France do.
If you're accepting ~dollars~ euros to place French ads on your pages targeting French customers, seems reasonable to know the relevant French regulations.
That's not true.
Am I misunderstanding? Why is this incorrect?
So long as my country isn't willing to extradite me, I don't really care what their laws are and I will adamantly refuse to comply with them as they're entirely irrelevant to me.
The obvious answer is by geographically identifying them by IP. Which GDPR makes pains to point out is personal data.
It seems you can't be bothered to not store data.
Now I’m instrumenting my systems with geo lookup databases which usually also include much more fine grained data (such as home/business) than that.
In any case, your original point was to just not interact with those people, which requires active filtering and isn’t the same thing as saying ‘just don’t watch that tv show’ in that it demands actions on my part due to behaviors and preferences on someone else’s.
You can learn as much as you want as long as you don't store it or provide that information to a third party.
I believe our industry has too long gotten away with a "store everything" mentality. I have zero sympathy for web sites which slurp up everything from their visitors.
Based on my own experience, I've 'known' about regulations that governed the industries with which I've worked. I'm not sure what evidence specifically you or the author have that leads you to believe software developers should be embarrassed.
And? Making sure that the bridge will hold under the weight that its required to is demonstrably bad for my profits (if I were the construction company). That doesn't mean that we should loosen the regulations or whatever. We don't owe anyone the right to profits, regulations are meant to protect us and keep the playing field fair. Of course that will always negatively affect someone.
As well, some things are so bad that you don't want to punish after the fact.
This would be a much more difficult thing for them to do if it was easy to track the history of bad behavior of the relevant people. This seems like something that should be relatively easy to do nowadays, module some probably not-too-significant obstacles like the 'right to be forgotten'.
> Big projects will often be done by a pool of companies. Which would you hold accountable then.
In the absence of detailed information, one would reasonably hold them all partially accountable.
> As well, some things are so bad that you don't want to punish after the fact.
There's no perfect way to do this. Murder seems like it's "so bad that you don't want to punish after the fact" but I don't think either of us would want to live in a society that was perfectly capable of preventing any murders.
I challenge you to give me an example of some "demonstrably bad" effect caused by "avoiding recklessness" that isn't the direct result of shirking responsibility.
To go along with your devil's advocate argument: I could argue that "taking extra measures to ensure the security of sensitive data" would have been "demonstrably bad" for Equifax. But don't you agree that it was extremely irresponsible of them to not do that?
Eh, not substantially or consistently more than in software. It's possible to cherry-pick examples where engineers in other fields are more aware of relevant regulations, but overall, it's roughly comparable.
I'm generally very critical of the move-fast-and-break-things mentality, but engineers in other fields are generally not more knowledgeable about industry regulations than software engineers are.
Having been in the software industry for a while, it is often discouraging to see how both explicitly and often inadvertently move-fast-and-break-things has resulted in some pretty bad software industry wide.
Just look at the sense of most of the comments here--there seems to be a consensus of how to get around this, or how it doesn't apply to me.
Is it my responsibility to follow the censorship rules from China on my webapp in California? Is it my responsibility to know all the regulations on web apps from Sri Lanka?
Building software with care and professionalism is unrelated to understanding all the rules in place all around the world.
> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Note that "the use of a language or a currency generally used in one or more Member States ... may make it apparent that the controller envisages offering goods or services to data subjects in the Union". So simply using a language in use in a EU member country may be sufficient that you "envisage" offering your goods or services. That seems significantly different than your claim that one need merely not "specifically target those countries".
I have plenty of friends and relatives who work in construction or architecture and knowing the building codes and everything related to it is something you learn at university, update every year and is something every person involved in planning and constructing a building is aware of. Lawyers only get involved if a building fails.
McDonalds goes and retrofits all of their buildings in the world because they have shops in the EU at great cost. Some pizza shop that does delivery in the USA, and the owners go on vacation once in a while in Europe? ️They probably are not even aware of it.
That is what the GDPR is in a nutshell.
You are reaching. I give you a better example: it does not matter where a building part is being produced, if it ends up in a building in Europe it needs to be up to the local building codes and to the regulations of the single market.
Lets say your visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop. They put your name and delivery address in their computer in an MS Access database that makes stickers, emails the delivery guy's gmail account and a person delivers a pizza to you.
They have no idea your an EU citizen and they just put enough information into their computer that would violate the GDPR. They have no real way to comply unless they retrofit their computer system to some vendor that is GDPR compliant, if it even exists. Just deleting your info from the msaccess db and asking the delivery guy to delete their emails isn't enough for the GDPR. And a computer system retrofit for most business might as well be like asking them to retrofit their building as far as costs go.
The end effect might be just outright banning all EU citizens from doing business with various places, because it's just not worth the hassle.
'Sorry you cant stay at our hotel, we are not GDPR compliant'
'Sorry we won't deliver to you, we are not GDPR compliant'
'Sorry you can't enroll in our classes, we are not GDPR compliant'
'Sorry we won't treat you at this hospital, we are not GDPR compliant'
'Sorry you can't get a bank account with us, we are not GDPR compliant' (Like a lot of EU banks with US citizens with FATCA)
Article 3 clearly states that it applies to
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
It does not apply EU citizens while traveling outside of the EU. It applies when you are monitoring or offering goods or services to someone in the EU.
If that pizza store has no relation to the EU then there is no legal ground by which the GDPR could become relevant. There is no treaty which would establish some sory of leverage here.
//EDIT: which btw is unlike FATCA for which there actually are bilateral agreements.
I wouldn't really have much of a problem with the GDPR if it had some small business and non-eu business exceptions. It doesn't and regulators saying 'trust us we wont prosecute the easy to prosecute!' makes most businesses uneasy.
Let's not forget that the EU and national governments have form when it comes to this sort of thing. The new EU VAT rules on digital sales a few years back were similarly overweight, and they really did result in a lot of microbusinesses either literally shutting down or just plain breaking the law.
A lot of slightly larger ones, my own included, went to considerable lengths to update systems to comply, but with hindsight would have simply declined custom from any (other) EU nation instead because the overheads were and continue to be excessive.
Those same rules really did also result in national tax authorities abusing their new-found powers to go after businesses in other countries within the EU, sometimes through their own incompetence rather than any legitimate grievance, resulting in some very scary threats being received by other small businesses.
It's tough to give much credit to arguments about regulators exhibiting common sense and moderation when the evidence of previous sweeping EU rule changes suggests we shouldn't count on that.
The law itself does not even put itself into scope. You either need a treaty (Article 3, paragraph 3) or the data subject or processing is in the union.
> 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So unless there is a treaty that puts GDPR into scope, the pizza guy is fine.
They’re the ones who prepare the trainings for your relatives and the other architectural students, or at the minimum the changes that a policy-wonk will react to when creating curriculum.
The site operator has the limited range to act (we’ll call them decision rights) under the CEO who is ultimately guided by his counsel (firm or in-house).
Lawyers also oversee zoning, permitting, and certifying every step of the way - not limited to, but including licensing and contracting.
I suspect that this is the kind of thing which larger/established companies would worry about. If you're a seed/series-A startup, it seems like you have far more important things to focus on, because there's nothing that the EU can realistically do to you anyway.
First of all, the enforcement path is as yet unclear. If they (europe) see you are doing something (like not responding to "right to be forgotten" request) it is not clear what enforcement they will attempt.
Second, there is the customer perception. If you have one European customer that buys something from you, or enters their email for you to give them some product information, and they request later to be forgotten and you don't, there is then a chance of public perception that you don't comply.
But there can be other avenues of exposure. For example, if you are dealing with a US bank that does comply with GDPR and you don't, there may be some pushback from the bank. So while EU may not come for you directly, there could be a secondary effect.
From a little conversation with European partners, I got the sense that US was taking GDPR more seriously than some EU companies.
How do you prove you have forgotten someone?
Also, we are not talking about forgetting someone personally, but deleting their data. I assume that's clear.
1) When you grow sufficiently large to go global, it will suddenly start to matter a lot, as EU is one of the largest markets worldwide. In the best case scenario you'd have to change your processes and systems to comply (i.e. you'd have technical debt which you could've avoided if you did it properly in the first place); in the worst case you'd have some complaints from EU users resulting in fines that aren't enforced yet but would be as soon as you'd want to actually get money from EU. This would be a meaningful impact to your valuation at that point.
2) As the risks implied in the first part have an impact on your valuation if you succeed and go global (which is the only scenario that matters to investors, the exit valuation about which they're thinking), you'd expect this compliance to be included in the due diligence done by series B/C investors and any acquisitions; if you've made no effort to comply, this will result in a lower valuation in those rounds of funding.
If you're a high-growth startup whose valuation is not based on current revenue but on the (long) future market size and you declare that you're choosing to be incompatible with, say, 25% of the global market (to a very rough approximation, EU revenue share is something like that for many major tech companies), then investors will discount your future value (and thus current value) by 25%. So at the very least this is something that you should have on your roadmap for investors i.e. "we're planning to do that diligence and related work in quarter X after we've done A, B and C" instead of simply ignoring the issue.
Ultimately, there are all sorts of laws all over the world. With an online, potentially global business, you're breaking some of them. Turkey does not really expect some international user generated content site to comply with their political content laws. A bigger site based in Istanbul... You'll get a knock on the door.
About ten years ago, I had a client with an e-commerce site, for workplace safety gear in Australia. They sold to the US, but rarely. During bird flue, they somehow got on the radar of some US advertising standard. There were some politicians actively policing it anyway they could (not courts).
Tldr is that they had their payment gateway and PayPal shut them down immediately (someone got scary phone calls). Even shutting off all US shipping, and adding a big red "No US" sign didn't help. They had to drop the products. So.. jurisdiction is often erratic.
I think the last (possibly most important) point is cultural. If it takes, GDPR may impact consumer expectations and you may need to do it for that reason.
If you want to avoid GDPR, just hold back for 3-6 months until after the date. It'll get clearer as it progresses and if you're as outside the purview as you suggest, you're probably going to be fine ignoring it at the start (or forever).
If you're B2B, it's going to be a problem from day one. GDPR has a defacto viral component for service providers. Basically, any the business that wants to become your customer that is itself GDPR compliant needs to ensure that you too are GDPR compliant. Accordingly, GDPR will come up with a large portion of web-facing B2B sales, even for US companies.
That doesn't necessarily follow.
For example, EU but non-UK customers represent only a small fraction of the user base for one of my businesses. With hindsight, we would have done better to exclude those customers entirely, avoid spending time and money complying with ever-more-onerous EU rules, and invest that time and money in growing our business in more lucrative markets instead.
It is entirely possible for the EU to make itself so unattractive as a market that this will be the case for others too. Indeed several of the near-future measures it is already working on may have exactly that effect. The saddest part is that those running the EU have so little idea about how small business works that they don't even realise they're doing it.
Governments tend to obsess about big businesses, and the EU more than most. However, in the entire UK, there are only about seven thousand large businesses. Smaller businesses collectively contribute the majority of almost every important economic metric (jobs, tax revenues, etc.).
And of course, even the successful large businesses used to be successful smaller businesses.
Given that heavyweight EU regulations disproportionately affect those smaller businesses, because their compliance costs are relatively high, and given that excessive regulation makes it harder or in some cases impractical for businesses to trade within the EU, it is kind of crazy that the EU keeps putting these barriers up. Its own economic fortunes and those of its member states fundamentally depend on maintaining a good environment for smaller businesses to start and grow. Things rarely end well for economies that fail to do so.
That might be true if you're lucky enough to have a single third-party payment service that collects all of your revenues including administering the VAT parts for you. Unfortunately, there are many reasons why that might not be the case or even possible. Even if you do use one of those services, it can't magically cope with all the edge cases any more than you or I can, and of course they tend to take an extra cut out of your revenue.
For everyone who needs to manage their taxes a bit closer to home, it takes longer than your suggested time just to check the rates regularly in case some member state decided to increase them with about a week's notice again. There's not really any good answer to VAT MOSS, there are just more inconvenient and/or expensive and slightly less inconvenient and/or expensive.
Publishing the rates is certainly better than not publishing them, but unless that information is updated in close to real time so it picks up those short-notice changes and unless it's supplied in a machine-readable format so that you can use it as a basis for automatically calculating correct VAT at the time of sale, it's of limited value for anything other than spotting mistakes retrospectively.
The EU really isn't a single large market though for most practical purposes. For the purposes of complying with regulations and accepting payment it is, but for every other practical consideration that matters to a company doing business there, it's a few dozen separate markets.
> I, personally, believe that logs should be fundamentally append-only, and thus will not be doing business with EU subjects (since the GDPR requires that I delete records from my logs on demand).
That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.
The problem is that IP addresses — a fundamental requirement for an acceptable network logging system — are considered PII.
If this were about things like names, dates of birth &c. then I'd be in full agreement. But considering an IP address personal information which must be deleted on demand is IMNSHO insane.
> That statement does not hold a lot of force without a link to your business and how big a %age of your turnover you are willing to throw out.
I'm just a guy, y'know? I'm not going to pretend that it would be easy or cheap for others to make the same decision. But it is easy & cheap for me.
If you're an ISP that changes, in that case there is a retention requirement. But a regular business in the normal course of performing its expected activities has no business retaining IP addresses longer than necessary. If that to you is unacceptable because you want append-only logs that stretch back years then that's your choice.
But if I had to choose between cutting off roughly half of my turnover because I didn't want to comply with the law or complying with the law and slightly re-arranging my logging then I'd happily pick the latter.
So no need to delete on demand, simply don't store them longer than you feel you need to in order to meet your business goals. 30 days or so should do it. Six months or longer would require a detailed explanation.
And most importantly: disclose what you do. That way your customers can make informed decisions and you won't look bad in the eyes of the law if they decide to decide on whether or not you meant to act in good faith or if you took to interpreting things in the way that suits you best.
If you feel that your users rights are of no concern to you then you are of course entirely able to ignore this law and to pretend it does not exist because in practice there will most likely not be any consequences whatsoever. You do not have a place of business in the EU, you do not transact any business there to begin with so you are free to ignore the law. And this is doubly true because you are 'small fry', nobody will notice.
Except for your customers maybe. And then that time that you got hacked and you lost all the data you collected over the years because you forgot to implement life cycle management. And this will then marginally affect the ability of other companies like yours to be able to do business.
And little by little the people that chose to ignore the law will start to become a large enough problem that something will be done about it (I hope). Which might mean harmonizing EU law and US law, or it might mean that you can be fined just as if you were in the EU for those breaches were you are clearly deficient.
In the end I don't think that you will enjoy the results much. But since you are small fry you probably will get away with it. But collectively, you and your buddies will harm American enterprise more than you probably realize.
I agree with the above. I disagree however that "what's best for your users" is universally a superset of GDPR regulations.
My personal view is that if your company/service becomes so powerful that people can't escape from its influence, the above regulations are a necessary evil in order to counter your outsized influence.
For a tiny startup on the other hand, you have so little influence on the world that if a consumer doesn't like the way you operate, they can just choose not to interact with you. Such startups can best serve both themselves and society at large, by focusing on building valuable features/services.
Reasonable people can disagree about the specifics of a law. As a EU citizen, I can understand your wishes for everyone to comply with EU regulations. It helps to put yourself in others' shoes, and ask yourself how much time/energy you, as a startup founder, would be willing to put into regulatory compliance with Canadian/Russian/Indian laws.
If I were to target my business at Canadians, Russians or Indians I would definitely make an effort to comply, especially if those laws in general did not originate from protectionism or were particularly hard to implement (which I don't think the GDPR is, at least not in spirit).
Wrong. If you have a customer from the EU or any component of your infrastructure in the EU, you must comply with GPDR.
Nope, you have to specifically target people in the EU:
"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. (...) the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention"
The EU tends to go after the larger entities and tends to fine rather than arrest.
I comply with the general intent (always have), but the law as currently written is near impossible to comply with. My feeling is this will be realised by the EU and a more rational set of guidelines will emerge.
Since we are not based in the EU and don’t have a business presence there I think I might just keep following the intent and wait for the EU to be more sensible.
I really do wonder how EU companies are going to comply with all this. What an enormous waste of resources to catch a few bad actors.
Of course, for the policymakers, it's a win, because as part of a rent-seeking bureaucracy, they can expand their empires as they produce more policies.
If you explicitly accept Sterling/Euros, provide localisations for EU countries, talk explicitly about your EU shipping options etc. then you would probably be seen as accommodating the EU market and might find yourself in scope.
And a default judgement.
High profile cases would have a much higher risk and companies that went out of their way to advertise the fact that they are going to break the law would run a significant risk.
Show me just one example of a company located outside the EU without a legal presence inside the EU that had an executive detained upon entry for breaking an EU law that does not normally result in criminal prosecution.
The only other extra-territorial laws I know of currently is FATCA and the FCPA, which are from the USA.
Now, would an EU court rule that someone who kept permanent records of an EU citizen be violating the GDPR if the business has no EU presence? In the American system (imagining if the US passed a GDPR and prosecuted a non-US citizen), no, because the government would not have standing to sue: the violation took place outside of US sovereignty. If the EU takes a similar approach, then the law is not extra-territorial in enforcement, otherwise it is.
Edit: GDPR Recital 23, Article 3(2)(a). Excellent!
GDPR exists because the EU wants to be the primary legislating entity in Europe, replacing local governments, and because it likes the idea of funding itself through huge fines. It exists to serve political ends.
Also, if any component of your cloud ecosystem(AWS, GCS, etc.) are based in the EU, you must comply with GPDR. Which in today's world means almost everyone is affected by this.
Make sure those "American" platforms you speak have every single component of their infrastructure based physically in America.
The whole thing may be difficult to enforce, but meh why risk it?
The only country that does this sort of thing is the US.
It does not. Article 3 clearly limits it to people in the EU. It says nothing about applying to EU citizens.
 I affirm that I an not an EU citizen.
On the other hand, if you actually want to sell stuff to EU and get a nontrivial number of deals, then no amount of weird checkboxes is going to convince the regulator that it's okay, they aren't stupid.
Edit: downvotes? Really? Did you guys read the law at all?
> The first half is the General Data Protection Regulation (GDPR), which becomes enforceable across Europe on 25 May 2018. This is an overhaul, modernization, and replacement of the existing framework, the Data Protection Directive of 1995 (yes, 1995.)
> All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era. It also tightens up requirements for transparency, disclosure, and process: lessons learned from 23 years of experience.
It's talking about the new definitions and requirements, but says nothing about what they are!
I also suggest reading a report that's helped inform the text of the GDPR:
"Privacy and Data Protection by Design":
Can you even legally do a customer churn analysis under the GDPR without explicit consent?
One of the biggest complaints I have about this is that the uses for data keep growing, and legally, you can't even test a hypothesis before getting consent, which you won't be able to do frequently because users hate being asked about anything.
My intuitive response to this law is to want to split my data into EU/non-EU parts, do all my work on the non-EU parts and hope that the insights gained there can be applied to EU users.
Are you just trying to see which deals interest people (zero issue, but you could annonymise this) or profiling the customer based on the logs and offering different prices (you are going to have to be more careful and transparent).
> Can you even legally do a customer churn analysis under the GDPR without explicit consent
There a lots of ways to look at churn with anonymised data. I do it with account ID's. If you are looking at churn rate of Asian people vs Afro-Caribbean then GDPR is going to be amongst your problems,
Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage by reporting their employer to the "authorities". GDPR introduces a whole new dynamic.
This doesn't mean that we don't need food health and safety inspection laws. It does mean that you actually need to run your business in a way that respects your customers.
Stop running your company with the attitude of "It's fine, as long as I can get away with it." I have no sympathy for that.
 You can be a disgruntled employee, and also be 100% in the right, if your boss is behaving illegally.
Is this type of case covered by the GDPR?
Also how are things like access logs supposed to handled according to the GDPR? Our software records all requests made to our API, they log your userid, ip address, and what you were trying to do.
We have clients who are in the US who required the above feature for auditing purposes.
If you don't want to be a processor, the best thing to do is probably in your contracts disallow usage of your service for anything containing GDPR covered personal data.
As for access logs, those will be some mixture of the two bases offered in the GDPR. Some will be required by legitimate interests (such as those collected for legal requirements) and some will be subject to consent. This is a complex discussion.
You ensure that those users have a way to delete the data again.
Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete' function in place. If I get a request to restore any data I can say, "Sorry, the Europeans made me burn your data when you unwittingly clicked the red 'delete' button (as well as the confirmation dialog you didn't read)."
Of course, IANAL.
An extreme example of this is in hosted email—if Alice writes an email to email@example.com with some of Charlie's personal information, it would be absurd if Charlie could ask Google to remove the email. (Although maybe reasonable if Charlie could request to not have his data used by Google to target him or anyone else with ads.)
The law is meant to protect people from companies rather than people from themselves.
As in, it's not illegal to to do most of the same things we do now with data, however we now need to educate our users on what data we are using and exactly how we are using it, in a way that is understandable to the average user.
With all due respect to the average user, I cannot fathom how anyone doing anything with user data more complicated than a basic record will explain it simply enough to be in compliance.
Certain information can be classified as PII if it possible to cross reference it with other stored information to identity a user. For example a European court in a recent ruling stated that a full IP address could be considered PII because an ISP would have a record of IP address and time with a persons name.
A user alias on some random site would meet that criteria, assuming they took name/address/etc when you signed up.
Unless PII has some other significance than I'm interpretting it to have?
Screw you data vampires.
If you need everything, then you'll need to use "fulfilment of a contract" as the basis, and in that case, you probably need to make your ToS pretty tight too.
For the users that refuse this consent, can I prevent them from accessing the self-driving feature of the car? If not, how would the company deal with the free-rider problem - nobody opts in because they want their privacy but they also want the feature?
AI and ML have to be careful , as you need to be explicit about the data's use and impact on the end-user. The most given example for this is ML algos that determine eligibility for financial products, but we could probably twist that Tesla example to fit a similar to be "my data is used to inform an algo that determines what the car does in a dangerous situation", so you might have to abide by rights to explanation and data editing.
(links to actual text at http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN... )
One big difference is that the material scope of GDPR is so extremely broad: it regulates any PII that can be touched by EU law. That's important because it means that all of your SaaS vendors that touch this data may be in scope, not just your hosting stack. If you're marketing or selling in the EU, your entire growth/CRM/customer success stack will be regulated. If you have EU employees or contractors, all of their HR data is covered. I'm not sure if most companies realize this. It may be less of a problem for B2B, we'll see.
Questions to ask yourself: What is the scope of GDPR personal data across your business? Are you marketing in Europe? Are you selling into Europe? What business processes touch that data?
1) There isn't any way to "opt-in" to them
2) You would need to have a tool to remove every entry for an IP address when requested?
Hashing (only useful for IPv6) or truncating is recommended.
The EU subsidiary would not be legally able to use any of that data (it can't take it from the China subsidiary in any way whatsoever); and the China subsidiary would not be practically able to use any of that data, since they don't have any users/customers in EU.
Of course, I suggested that more for the situation where the EU had data privacy laws, and China required intense tracking of customers.
GDPR would apply if an EU company would track people in China (Article 3 section 1); it would apply if an multinational company tracks people in EU when offering goods or services to them (Article 3 section 2); but it wouldn't apply when that same multinational company tracks people in China.
I.e. Facebook can be fully GDPR compliant if it applies the privacy requirements only to people in EU and gratuitously violates the privacy of everyone else.
Furthermore, if China has a legal requirement for intense tracking of customers (I'm not sure what their legal requirements are), then GDPR would allow an EU company to do that without consent. (Article 6, 1c : "Processing shall be lawful [..] if ... processing is necessary for compliance with a legal obligation to which the controller is subject")
Will this also apply for citizens of a EU country living outside the EU?
My understanding is the GDPR applies to residents of the EU, not just citizens, and it also applies when they are outside the EU. In practice this means it is impossible to determine if it applies unless you gather far more information than you really need from your users - “sorry we have to invade your privacy to protect your privacy”.
That makes no sense.
This sounds unenforceable.
The next fun job is working out how to remove the data from all your backups when you get a removal request.
I have taken the approach that I will comply with the general intent of the GDPR (which I did long before it existed), but not try to apply the ridiculous parts.
You're going to have to provide proof to back up that statement.
"The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
Yes the regulations make no sense and they really aren’t enforceable outside of the EU.
I think it's both.
If someone in the EU (say a visitor) asks to have their data removed that was collected while they were outside the EU, then the controller or processor is supposed to comply.
How is any business supposed to know if a user while they were in the USA of a service located in the USA will not later travel to the EU and make a data removal request while there? If the request comes from someone located in the EU then the regulations apply.
The practical result is you can’t just geo ban people from the EU and this is before we get to the problem of proxies.
> where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
It is interesting that the monitoring clause only applied if the subject is inside the EU when the monitoring is done, while the service or goods clause applies if the person is inside the EU with no requirement that the service or good was acquire or used within the EU. I can’t really think of any logical reason for this distinction. The “takes place within the Union” for one and not the other is strange.
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
If you get a request from someone in the EU to remove their data you have to comply no matter where or when the data about them was acquired. The clause is quite clear on this point and it why it is written differently to the clause about monitoring.