Publishers Haven't Realized How Big a Deal GDPR Is (baekdal.com)
607 points by transpute on Apr 8, 2018 | 454 comments



GDPR articles seem to be getting some traction on HN as everyone is trying to figure out: "Do I need to do something for this? If so, what?"

For a recent project I read (and translated to plain English) [1] every single article in the GDPR legislation and for our purposes it can be summed up as:

"Treat user data like names and emails as if they were credit card numbers"

AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.

Obviously that's not the entirety of it, but as a working mental model I think it goes a long way.

1 - https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...


I’d add: Get (documented, active) permission of users to store and use their data, understand that permission is given only for a defined cause/usage (and not indefinitely for everything you right now might not even think of), be prepared to tell users what data you store about them, why and (briefly) how it is used. Be prepared to delete user data on request. Be prepared to show documentation on how you handle the (personal) data. And delete data that is not necessary any longer in regular intervals. And: Don’t share, sell or rent personalized data to any third party without given user consent.


Be careful with hiding everything behind "consent", because consent cannot be a precondition for providing a service. Put differently: if a user does not consent, you cannot refuse them the service if the data you wanted to collect is not strictly necessary to provide the service.

The alternative is to only collect data that is strictly necessary to provide the service. In that case GDPR allows you to collect the data even without explicitly given consent – according to GDPR in that case the user can reasonably expect the data to be necessary to provide the service. (This does not apply to sensitive personal data and biometric/genetic data – then you always need consent.)

Quoting GDPR:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement." [1]

"Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." [2]

[1] https://gdpr-info.eu/recitals/no-32/ [2] https://gdpr-info.eu/recitals/no-43/


> consent cannot be a precondition for providing a service

IANAL.

This is more nuanced than it appears, as it is balanced against the firm's right to conduct business.

If you're generating leads by providing a whitepaper, then realistically you're not going to be penalised for saying "you need to consent to receive our newsletter to access this whitepaper".

On the other hand, an airline saying "you can only book a flight on our plane by consenting to us sharing everything we know about you with loads of third parties" would be frowned upon.

Our GDPR lawyer at least has advised not to ask for consent, since it is difficult to establish whether it was given, and has not been withdrawn. It's easier to rely on legitimate business use and NOT ask for consent, as long as it genuinely falls into that category.
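The two comments above list what a controller has to be able to show (documented, purpose-specific consent; proof of whether it was given and has since been withdrawn; access and deletion on request; periodic deletion of data that is no longer needed). The following is an added illustration of one way to record that, not code from the thread or from any product the thread discusses. The ledger design, the purpose names and the subjects "alice", "bob" and "carol" are all hypothetical and constructed for the example; the legal basis itself (consent versus legitimate interest) is a decision the code cannot make for you.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str         # exactly one purpose per event, e.g. "newsletter"
    granted: bool        # True = affirmative grant, False = withdrawal
    at: datetime
    notice_version: str  # the wording the user actually saw when they clicked


@dataclass
class SubjectRecord:
    subject_id: str
    last_activity: datetime
    events: List[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    """Append-only, purpose-bound consent record (hypothetical design)."""

    def __init__(self) -> None:
        self._records: Dict[str, SubjectRecord] = {}

    def record(self, subject_id: str, purpose: str, granted: bool,
               at: datetime, notice_version: str) -> None:
        # A withdrawal is appended rather than applied by deleting the grant, so
        # "was consent given, and has it since been withdrawn?" stays answerable.
        rec = self._records.setdefault(subject_id, SubjectRecord(subject_id, at))
        rec.events.append(ConsentEvent(purpose, granted, at, notice_version))
        rec.last_activity = max(rec.last_activity, at)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        # Only the newest event for exactly this purpose (at or before `at`) counts.
        # No event means no consent; a grant for another purpose does not carry over.
        rec = self._records.get(subject_id)
        if rec is None:
            return False
        relevant = [e for e in rec.events
                    if e.purpose == purpose and (at is None or e.at <= at)]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def export(self, subject_id: str) -> Optional[List[dict]]:
        # Access request: the full consent history in plain form.
        rec = self._records.get(subject_id)
        if rec is None:
            return None
        return [{"purpose": e.purpose, "granted": e.granted, "at": e.at.isoformat(),
                 "notice_version": e.notice_version} for e in rec.events]

    def erase(self, subject_id: str) -> bool:
        # Erasure request; False means nothing was held for that subject.
        return self._records.pop(subject_id, None) is not None

    def purge_stale(self, now: datetime, retention: timedelta) -> List[str]:
        # Scheduled sweep: drop subjects with no live consent for any purpose whose
        # last activity is older than the retention window.
        stale = []
        for sid, rec in self._records.items():
            purposes = {e.purpose for e in rec.events}
            if (rec.last_activity + retention < now
                    and not any(self.has_consent(sid, p, now) for p in purposes)):
                stale.append(sid)
        for sid in stale:
            del self._records[sid]
        return sorted(stale)


def demo() -> dict:
    """Constructed scenario (made-up subjects, not real data)."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = ConsentLedger()
    ledger.record("alice", "newsletter", True, t0, "v1")
    ledger.record("alice", "analytics", True, t0 + day, "v1")
    ledger.record("alice", "newsletter", False, t0 + 10 * day, "v1")  # withdrawal
    ledger.record("bob", "newsletter", True, t0, "v1")
    ledger.record("bob", "newsletter", False, t0 + day, "v1")
    return {
        "alice_newsletter_day5": ledger.has_consent("alice", "newsletter", t0 + 5 * day),
        "alice_newsletter_now": ledger.has_consent("alice", "newsletter"),
        "alice_analytics_now": ledger.has_consent("alice", "analytics"),
        "alice_profiling_now": ledger.has_consent("alice", "profiling"),   # never asked
        "carol_newsletter_now": ledger.has_consent("carol", "newsletter"),  # unknown subject
        "purged": ledger.purge_stale(t0 + 100 * day, retention=30 * day),
        "alice_export_len": len(ledger.export("alice") or []),
        "alice_erased": ledger.erase("alice"),
        "alice_after_erase": ledger.has_consent("alice", "analytics"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping withdrawals as events rather than deleting the grant is the one the lawyer in the comment above raises: if the only record of consent is a boolean column, you cannot later show when it was given, against which notice text, or whether it was withdrawn before a given mailing went out. The retention sweep deliberately spares a subject who still has live consent for any purpose, since "no longer necessary" has to be judged per purpose, not per row.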


I think we agree; it seems better to rely on legitimate interest than ask for consent for everything. (Although it does require thinking about and actually having a legitimate interest.)


It raises an interesting question. What if some publisher, say, a newspaper, can show highly targeted ads for $3 CPM, or generic ads for $1 CPM.

Can such a publisher claim that collecting data is strictly necessary to provide the service? With a threefold difference in ad revenue, that could actually be the case.


Good question. This would be an appeal to "legitimate interest" as a legal basis for collecting personal data. GDPR explicitly states that if the legitimate interest is direct marketing, then the user may always object to such processing, and this right must be clearly indicated.

[1] https://gdpr-info.eu/art-21-gdpr/


IANAL, but most probably not. When thinking about "strictly necessary to provide the service", one should think in terms of technical feasibility, as in "can the service be technically provided without that data?" not in terms of profitability.


I do wonder if you can charge a consent price and a non-consent price, or if that would be fundamentally equivalent to not providing the service?


How is "strictly" defined? I'm going to guess it's defined as "the magistrate knows it when it sees it", so take it to be both "don't use the most egregious interpretation", and "don't be a populist punching bag that governments can make hay out of attacking".


Any data you collect that you do not unambiguously need to provide the service would be an appeal for "legitimate interest" as a legal basis for collecting it. There are a number of things GDPR writes about it and of course you cannot be sure how this will play out in practice, but the main points are:

* it must be reasonable from the user's perspective

* there must be alternative; you cannot achieve the goal (your "legitimate interest") without it

* it must be balanced with the rights of the user, and not infringe on their freedom or fundamental rights

* if your "legitimate interest" is direct marketing, the user can always object, and you are required to actively inform the user of this right

See also [1]

[1] https://gdpr-info.eu/recitals/no-47/


I think you meant "no alternative" under the second bullet point.


Strictly has a pretty clear definition.

If you can provide a service strictly devoid of the PII it means there is no logical necessity for PII.

You can't provide a call-waiting service without a phone number, but you can provide a mail-redirection service without one even though it makes it easier to administer when you have a customer phone number, you can strictly provide (and bill/administer) the service when that information is absent.


from molf's comment: >The alternative is to only collect data that is strictly necessary to provide the service.

While I agree with your comment, I suspect that for any given law firm, paramTotalHours_Billable(SubjectID = necessary) will be a much larger value.


I assume it's "you cannot provide said service without having said data".


Genuine question - What if the service is defined as the publisher letting you read content in exchange for being shown targeted advertising? That IS the business model of most publishers right?


Right, but that means you have to have some mix of legitimate interests and consent, and makes this whole thing an expensive exercise, both in terms of code and legal time. If you have an ad supported service, this is going to be painful.


This sounds no different to current UK data protection laws (which appear to be flouted widely). I thought the main change was putting teeth behind the legislation?


Also called "Informed Consent"


> without given user consent.

you mean just create a checkbox somewhere that people click without thinking about it?

I have no idea what I am consenting to when I "agree" to all the EULAs.


Read up. Consent under GDPR is like you've never seen before, but like (as a private citizen) you've always dreamed of.


will do. That was an ignorant comment on my part. :D


> "Treat user data like names and emails as if they were credit card numbers"

Most sites' approach to credit card numbers is to not touch them with a barge pole, have a third party receive them instead and never let the business have any sight of them, so it's a bit of a stretch to expect the same treatment for a customer's name and email address.


So...use oauth?


Hurrah so now sites won't use their own logins and I'll be forced to let Google or Facebook know every site I want to connect to. That's an improvement?


This actually brings up a point that was made in a cambridge analytica post. If personal information is deleted after it has already trained a dimension-reducing model, is it really deleted?

If Google and Facebook see everything because of oauth, we can ask them what data they have and tell them to delete it, but they won't be deleting whatever models they've been training about us.


OpenID Connect exists, it allows OAuth from and to unrelated services.

Neither Google nor Facebook own Oauth, they just have very incompliant implementations that force everyone to treat them as special.


Let me re-state what you're saying:

Most sites are incapable of receiving, storing and handling credit card numbers. This is because the staff building the service either lacks the technical knowhow or the organizational wherewithal to deal with the problem in a successful way.

Why should it be any different for emails, names, usernames or passwords (because end users re-use those)?

If everyone starts acting like this data is important (it is) and valuable (it is, and that might decrease with the passage of this law) - we might just get to a better place. In the absence of regulation companies will get away with whatever they can - ethics be damned.


If I have an IRC service that shows quotes from people and has 'last seen' functionality is that covered by GDPR? Some of the users are from EU countries, does that mean those features need to be turned off or have some sort of acceptance exchange with users?

Would filtering out EU IP ranges be sufficient, or does this also apply to EU citizens traveling outside of the EU?

The referenced page says that asking users to provide a birth date isn't sufficient proof that they're over 16 years of age, how should one verify age for something like an IRC bot?


IIRC it applies to EU citizens wherever they are, not just people who are on EU territory.


Article 3, "Territorial Scope":

---- begin quote ----

(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

 a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

 b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

---- end quote ----

Based on this, it looks like for GDPR to apply to an establishment in regard to a particular person, at least one of those two parties must be in the Union. An EU citizen traveling outside the Union dealing with an establishment that is not in the Union appears to not be covered.


I liked your explanation of the three points from a few days ago [1] a lot.

[1] https://news.ycombinator.com/item?id=16752857


It applies to EU residents. So someone who's Spanish living in US would not be covered, but an American living in Spain would be.


The scope is wider. It applies to people in the EU, regardless of resident or not. A US resident on vacation in Spain would be covered.

See https://cybercounsel.co.uk/data-subjects/

> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.


So do American constitutional protections apply to Americans living in France? I am having a hard time understanding GDPR jurisdictional power. US citizens in France aren’t protected by the US Fair Credit Act with French banks, even when those French banks have US subsidiaries, because a French company in France isn’t subject to US legal jurisdiction. Even FATCA doesn’t subject a French bank to US law — it subjects French assets in the US to the withholding provisions of US law, meaning, if a French bank has zero US exposure, then FATCA has zero effect.

Are Dutch citizens in Oklahoma protected by Dutch narcotics laws? Of course not. They are subject to the jurisdiction in which they are physically present.

However, a US citizen can be subject to US laws overseas, however, that’s between the American and the US government — the intermediary country has no involvement unless it’s an extradition request.

This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU. The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.


Not the constitution, but certain laws were enacted in a similar way by the US. Especially in finance and securities:

- banks all over the world have to ask their customers if they aren't American, when signing up for an account. Even a local bank in rural Poland, which couldn't care less about international markets, has to now ask people to explicitly confirm that they are not American citizens

- if you're doing a security offering, and you happen to sell to an American, even if they live in Europe, and you're blocking IPs from U.S., you have to follow the US regulations as well

And yes - it is kind of shitty, but the EU wasn't the one to start a trend of applying local laws on foreign soil.


> So do American constitutional protections apply to Americans living in France?

I'm no expert, but I thought on the whole the constitution has nothing to do with citizens -- it's a list of rules that the US government must follow. It certainly has no hold over the German government.

> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.

If you, as someone who breaks the conditions in the GDPR, have nothing to do with the EU, then you're fine.

However the GDPR applies to you, an American citizen in America who's never been to the EU, just as the DMCA applied to Dmitry Sklyarov, a Russian citizen who had never been to the U.S.


Charges against Sklyarov were dropped due to jurisdiction. Your example proved my point. And actually he DID visit the US; that’s where he was arrested.


So an American can be expected to be arrested on arrival in Paris on holiday because the company they work for ignores the provisions of the GDPR?

Sklyarov's charges were dropped in a typical American plea bargain:

"Mr. Sklyarov agreed to cooperate with the United States in its ongoing prosecution of Mr. Sklyarov’s former employer, Elcomsoft Co., Ltd. Mr. Skylarov will be required to appear at trial and testify truthfully, and he will be deposed in the matter. For its part, the United States agreed to defer prosecution of Mr. Sklyarov until the conclusion of the case against Elcomsoft or for one year, whichever is longer. Mr. Sklyarov will be permitted to return to Russia in the meantime, but will be subject to the Court’s supervision, including regularly reporting by telephone to the Pretrial Services Department"

I see nothing about jurisdiction there.

The US has pushed the world around for a long time; the world is pushing back.


> The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.

This is true. GDPR would only apply there if they were "offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the European Union". [1]

This is understood to mean they must be marketing to the EU, for example by offering their site in European languages (apart from English), using European currencies, or using a European domain.

[1] https://gdpr-info.eu/art-3-gdpr/


European languages? That’s absurd. Your product could be targeting US Spanish speakers, African speakers of French or newly arrived German speaking US citizens. Using language as a determinant is without any legal basis. Having your website in French doesn’t mean you are selling to French citizens. Language doesn’t equal location. Language does not impart jurisdiction.

If a small hotel in California had a French language information page, that doesn’t make that hotel subject to an EU law. If I am wrong, then where is the case law? Where is the legal precedent?


Targeted language by itself certainly won't be enough, but it is definitely seen as one indicator by the CJEU.

https://iapp.org/news/a/what-does-territorial-scope-mean-und...

(And - case law? Not really a thing in most countries executing the GDPR.)


> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.

You are the only person who has this view. EU citizens are subject to the local laws of whatever country they reside in. However if they are interacting with an EU company then GDPR applies to that company, no matter where they reside. But an EU citizen living in America and using an American service has no GDPR protections. Just like they have no EU right-to-work protections if they decide to work in America. GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.


> GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.

There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable. As the grandparent was pointing out, any country can now make any law where if any of their citizens access some internet service wherever in the world, somehow their laws magically apply to everybody in the world "doing business over some fiber".

I don't think so.


> There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable.

If you are doing business with people in the EU, then you have to be incorporated or otherwise have agreements (explicit or implicit) with the EU countries you are doing business with. GDPR applies to you or you will no longer be able to do business with the EU. If a company wishes to not have their ability do business with the EU revoked, they have to comply with GDPR (including its fines) as well as all other EU (and local) laws.

I really don't understand how this concept is difficult to grasp. Countries give you permission to do business with them -- if you break their laws they can revoke your ability to do business with their residents. Most large companies would probably lose much more money breaking off ties with the EU than they would complying with GDPR fines. If you continue to violate a country's laws you could be extradited and so on.

> somehow their laws magically apply to everybody in the world "doing business over some fiber".

If you are providing a service to a group of people, for money, then you are doing business with them. Pretending as though this is not the case just because the process is conducted through under-sea fiber cables rather than mail couriers is ridiculous.


This is my main question actually.

While most of GDPR is common sense and shouldn't be much of a burden on companies[1], I was always confused about jurisdiction. While most larger companies have a legal presence somewhere within the EU that can be held accountable for this, I do wonder how the EU is supposed to enforce penalties on a company outside of the EU.

[1]: well, the difficulty grows the larger your company/product is, but chances are you have more resources available to dedicate to it anyway


> I do wonder how the EU is supposed to enforce penalties on a company outside of the EU

Realistically, they can't and won't unless it's a very large scale that's worth pursuing, for a multi-national corporation with enough money to pay a big fine. If a company is not doing business in the EU, not selling into the EU, they can of course entirely ignore the GDPR.

In the case of a large company that sells into the EU, and refuses to obey GDPR, what you'd likely see is the EU pursuing that company on its domestic turf legally. A company out of NYC for example could be pursued in a court there for fines related to GDPR violations. The larger those violations, the more likely it'd be pursued by the EU across the Atlantic. This is how it works already; there's a lot of international business precedent. The stronger the legal system in the home country you're pursuing the multi-national into, the better for the EU's case.

If I set up a business in Germany, dump large amounts of toxic waste and cause very costly environmental damage, and then (somehow) quickly flee the country leaving no assets or business behind - but back in NYC my company has vast assets, you'd find the company pursued from Germany to its home in NYC for those damages. They still have to win the case of course.

The EU fortunately wasn't dumb enough to attempt a global claim on regulating privacy. They pushed the line pretty far, but did not cross their own boundaries. I think they fully understood there was no scenario where the US and China (40% of the global economy) - or frankly most nations - were going to care about EU law projections external to its jurisdiction.


It depends. When Canada's anti-spam law was introduced in 2014, the intent was to allow a private right of action effective July 1, 2017. This would theoretically mean US/foreign companies could be dragged into class-action lawsuits in Canada. This private right of action was delayed and is currently under review, but nevertheless anyone marketing to Canadians is subject to CASL laws, regardless of where their business is located. We'll see what happens, but if/when the private right of action is implemented it could potentially be a big deal.

IANAL but I can imagine a similar situation happening with GDPR.


According to art. 27 GDPR, affected data processors outside the EU have to establish a data privacy representative in the EU.

In addition, authorities could for example seize local servers in the case of non-compliance. In many EU countries including Germany, data privacy violations can also be prosecuted as criminal offenses.


But this doesn't answer my question: I'm running a little side project here in Australia but with customers who happen to be in the EU. I have nothing in the EU - no sales office or support in Ireland, no hosting anywhere in the EU. How is the EU supposed to mandate that I do anything?


The EU can (and in fact does) mandate that you comply with the GDPR. It cannot, however, enforce compliance since there is limited legal leverage. The Australian government is unlikely to help the EU to bring a case unless there'd be a treaty or an agreement (Safe Haven laws in the US for example). They could theoretically go via your revenue stream and seize your European customers' payments, or hold you or any officer of your company liable if you ever set foot on European soil or hold any assets that your company has in or moves via Europe. That's all very unlikely to happen over minor infractions, but some business folks already had their private jets impounded for outstanding payments, as for example the Thai Prince learned the hard way: http://www.airliners.de/kronprinzen-boeing-in-muenchen-besch... (sorry, German only, but Google Translate should correctly translate the gist of the story)

All of this is nothing new, it's been working like that for centuries, back when business correspondence was still on old-fashioned paper.


As long as you don't go on holiday to Rome, you'll be fine.


I have the feeling nobody knows this. To me it seems this part of GDPR is particularly targeted at major companies and they can be held accountable through subsidiaries or branch offices in the EU. It doesn't seem very likely to me that small businesses that happen to sell to EU customers too will be the primary target of enforcement anytime soon.


Last seen is in the grey zone, but I'd say that it can potentially be PII if combined with other data. So I would not store that data for now, until we have some clear rulings on similar topics.


Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs. First it was the completely useless cookie notifications, now it’s GDPR, and nobody knows what the next thing will be - we only know that there will be a next thing (there always is), and that it too will be costly and burdensome to comply with. Unless you derive a significant percentage of your revenue from EU users, it just isn’t worth it to try to keep up with the increasingly demanding whims of a heavy-handed European government.
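The comment above (and the earlier question about whether filtering out EU IP ranges would be sufficient) treats "block EU IPs" as a one-liner. As an added example, not code from the thread, here is what that check actually has to do in a web application sitting behind a reverse proxy: trust X-Forwarded-For only when the TCP peer is one of your own proxies (otherwise any client can rewrite its apparent address and walk straight past the block), handle IPv6, and accept that an address range is only a proxy for location. The CIDR ranges below are constructed placeholders from the RFC 5737 and RFC 3849 documentation prefixes, not real EU allocations; the proxy range and the request data are likewise made up for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# CONSTRUCTED stand-ins (documentation prefixes), not real EU allocations. A real
# deployment loads these from a maintained geo-IP feed, which still only
# approximates where the person actually is (VPNs, roaming, travellers).
BLOCKED_CIDRS = ["203.0.113.0/24", "2001:db8::/32"]
# Reverse proxies / load balancers we operate; only they may set X-Forwarded-For.
TRUSTED_PROXY_CIDRS = ["10.0.0.0/8"]


def load_networks(cidrs: Iterable[str]) -> List[Network]:
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    # collapse_addresses() refuses mixed versions, so merge each family separately.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def in_any(addr: Address, nets: List[Network]) -> bool:
    # Membership across address families is simply False, so v4/v6 can be mixed here.
    return any(addr in n for n in nets)


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: List[Network]) -> Address:
    """Resolve the real client address.

    X-Forwarded-For is attacker-controlled unless the TCP peer is one of our own
    proxies, so it is ignored otherwise. When it is trusted, walk the hops from the
    right and return the first one that is not a proxy we operate.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not forwarded_for or not in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: do not guess, fall back to the peer
        if not in_any(addr, trusted_proxies):
            return addr
    return peer


def decide(remote_addr: str, forwarded_for: Optional[str] = None) -> str:
    blocked = load_networks(BLOCKED_CIDRS)
    proxies = load_networks(TRUSTED_PROXY_CIDRS)
    addr = client_ip(remote_addr, forwarded_for, proxies)
    return "deny" if in_any(addr, blocked) else "allow"


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    for peer, xff in [("203.0.113.7", None),                 # direct hit in a blocked range
                      ("198.51.100.9", None),                # unblocked range
                      ("10.0.0.5", "203.0.113.7"),           # real client behind our proxy
                      ("10.0.0.5", "203.0.113.7, 10.0.0.6"), # our own hop is skipped
                      ("203.0.113.7", "198.51.100.9"),       # spoofed XFF from untrusted peer
                      ("2001:db8::1", None)]:                # IPv6 range
        print(peer, xff, "->", decide(peer, xff))
```

The spoofing case is the one that matters if you are relying on the block for anything at all: a client whose own address is in a blocked range sends `X-Forwarded-For: 198.51.100.9`, and a naive implementation that reads the header unconditionally will let it through. Whether such a block says anything about where the data subject actually is, which is what Article 3 turns on, is a separate question that the code cannot answer.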


That sounds ideal. Please make sure you do this, and convince many of your colleagues and compatriots to do the same. Maybe finally give us some breathing space to grow our own popular services in the face of US dominance.

I used to think protectionism was stupid, but after seeing how The Great Firewall[1] is working out for China and their services, I’m not so sure anymore. The big problem with any inbound restrictions is retaliation, but if you can manage to make a country restrict exports themselves, well, yes please!

I’m looking forward to seeing EU competitors flourish.

[1] Since visiting China I’m convinced TGF is about protectionism as much as it is about filtering. Internet to any non-China service is terrible and unreliable. The result is simply you can’t depend on it, so you choose a Chinese provider. This has clearly worked out very well for some of their companies!


The large US sites you’re worried about “dominating” the EU, who have significant EU traffic, will be able to comply with the GDPR and continue to compete just fine. They have the resources to hire the necessary phalanx of attorneys to advise them on how each feature and tweak to their sites interact with the GDPR, and it is a worthwhile investment for them. I was saying that smaller sites that don’t have internal legal departments and don’t need EU traffic should consider blocking EU IPs.


> Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs.

Could you please block my IP address as well: 192.117.111.61

If you feel that being responsible with my personal information and metadata is not worth the trouble, then I don't want to accidentally ever use whatever service you maintain. Thanks.


What an absurd statement. This isn’t about being able to be “irresponsible with [your] personal data”. GDPR compliance is a difficult, expensive, onerous, and uncertain endeavor. Sites that don’t rely on EU visitors for revenue don’t need to expose themselves to the additional liability that the GDPR imposes.

That doesn’t mean that sites that haven’t gone to the expensive lengths required under it are going to expose or abuse your data. If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies that are large enough to afford scores of attorneys to advise them on how to comply.


I'm a big enough fan of the GDPR and a big enough opponent of SESTA/FOSTA/CLOUD that I have moved almost all my business into the EU. The only remaining US business I depend on is my DNS provider.

Why should I trust a US business with my personal data when I can give it to an EU business that will face harsh punishment for doing bad things with my data? (The US seems to have no problem with large corporations losing millions of user data entries as long as the big CEO says "oops, sowwy!")


> If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies

That is a terrific idea, thank you. In fact, for sites that require providing much information (email providers, etc) I'll start doing just that. Though HN does not require much data, I will review how the site intends to deal with GDPR.


>What an absurd statement. This isn’t about being able to be “irresponsible with [your] personal data”. GDPR compliance is a difficult, expensive, onerous, and uncertain endeavor.

Being responsible with someone's personal data is inherently difficult, expensive, onerous and uncertain.

The idea that handling personal data wasn't already all of that is exactly the abuse that got us where we are today.


The EU has a population of over half a billion people and a GDP per capita of $41k PPP (although those numbers will shrink a little bit post-Brexit). Ignoring Europe as a potential market ignores half the western world - and it is westerners, for the most part, who have disposable income to spend money on goods and services.

Ignore Europe if you like. Just be aware that you are allowing your competitors to gain an uncontested foothold without having to fight for it. Once they are the incumbent in the European market, they will be hard to unseat, even if you change your mind later.


There are thousands of types of sites, such as geographically focused message boards, local professionals, smaller ecommerce sites, etc. who are exposed under the GDPR but for whom EU traffic is incidental and worth nothing. A US plumber doesn’t need or want appointments in London, but is technically exposed under the GDPR. So for businesses like this, blocking EU traffic should be an easy decision - there is no downside.


IANAL but I believe the GDPR is tolerant of incidental traffic. So if a European accesses a local job board in South Korea, the EU will not go after the Korean company and demand compliance. Now if said Korean company is running a job board for Berlin, in German, charging in Euros, etc. it's a different story.


That, along with many other parts of the GDPR, is both open for interpretation and may vary from country to country within the EU. See https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-c...


That shouldn't be an issue. If you offer your services only within the US then you're out of scope. It doesn't matter if EU citizens visit your site, as long as you don't try to get any customers from the EU or target your content towards visitors from the EU you don't have to comply with GDPR.


For most American pubs - and hence producing English language content - there's very little risk. Most of the EU won't read it anyway, and if the UK privacy regulator wants to complain, let them.


> First it was the completely useless cookie notifications

It was useless in the sense it was trying to play nice. It was a gentle call for the industry to self-regulate. The only problem with that law was how naïve it was.

Go ahead and block the whole European IP range. See if we care.


The cookie law was also largely overblown. It only required notifications for any non-essential cookies and I think the WordPress plugins for this simply put up a blanket banner because the blog author might just be using the Google Analytics plugin too.

And then everyone put it up "just in case" or "because the law says all cookies". (Of course some smart people figured out that local storage is not a cookie and the law only covers cookies, at least what they gather from hearsay instead of checking the actual text.)

But tbh, I'd prefer US services IP-blocking European users. It'll encourage EU startups to fill the gap, and they will have the privacy regulation of the EU as a marketing bullet point over any US company, e.g. "In the US privacy is a pinky promise, for us privacy is law".


You do care. Every time some web service is US-only there's endless ranting from Europeans about it.


That's because, most of the time, a service is US-only because of some bullshit reason like exclusive region-locking deals or MAFIAA copyright terrorism. I don't think that "this service is unavailable in your country because your law doesn't let us sell your private data to the highest bidder" is going to induce that much ranting.


Once blocking by US websites becomes a little more widespread there will be EU alternatives to fill the gaps. Normally I'm not a huge fan of such solutions, but if the alternative is exposing myself to the wild west of unregulated selling of my personal data that is the US I'll learn to live with it.


Ehhhh, I'd leave it as is. Unless you have business licenses in EU countries, EU laws have no legal authority over you. If you do have such licenses, then you're probably big enough to foot the bill and possibly also can't afford to not foot the bill (due to suspended licenses).

This privacy thing is, like, their option, man. Even if you and I agree with the EU.


I’ve been looking into this, as I run several sites myself, and apparently this isn’t true. They can go after you even if you have no EU presence, and US courts will domesticate any EU judgment against you for fines levied under it.


Do you have a source on this? Seems like a major concern if true.


Several, but this one explains the issue most succinctly:

https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-c...

"Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed....the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR."

With regard to enforcement....

"...EU regulators rely on international law to issue fines. Written into GDPR itself is a clause, stating that any action against a company from outside the EU must be issued in accordance with international law."

Most US states have adopted the Uniform Foreign Money Judgments Recognition Act (UFMJRA), which allows for judgments issued by foreign courts to be domesticated. Once that is done, the judgment carries the same force and effect as if it were originally issued by a US court.


It's not true, but something that is bantered about on HN by people that wish it was true.

Think about it. If it was true, then the entire global legal system would get very chaotic.

Frankly, the political agenda by people telling these lies is quite tiresome.

Just ignore them.


It's interesting that I posted a source for this 5 minutes before you posted this comment.


And since I can't reply to the parent directly, I'll just say that there is no international law that covers this. None, zilch, zero... so anybody who says that you're somehow beholden to GDPR when you have 0 presence in the EU is either lying or ignorant of the reality.


So basically we create a law to protect user data and your answer is "let's only work with countries that think messing up with my users is ok" ?


It’s not about being able to “mess with [your] users”. It’s about sites that don’t need EU traffic anyway being unnecessarily exposed to fines for even accidental violations of a very complex law.


Btw, the same goes the other way around: if you don't want or need US customers, it might make sense to block people from the US based on IPs, because if you do business with US citizens, they can sue you according to US laws with their ridiculously high fines.


But any of your sites should protect user data, it's the respectful thing to do. Right ?

In which case would you think it's alright for any site to not protect, say, a user's home address?


Reasonably protecting user data and complying with the GDPR are two entirely different things. There are many ways to accidentally run afoul of this law while still protecting user data.


Define "reasonably", because what I see in the wild as a freelancer is 9 times out of 10 not matching what's "reasonable" to my standards.

And what are the "many ways" you can "accidentally run afoul of this law while still protecting user data" ?

It's hard for me to grasp.


(I'm not the one you replied to.)

I'd like to see a complete and concise list of exactly what needs to be done to comply with GDPR. Everything I've seen so far has been vague legalese open to subjective interpretation. Pretty scary when the punishment for an incorrect interpretation is a 20M EUR fine.


> simply block EU IPs

A lot of us who admire what the EU has the courage to do - and wish that the US had half that courage - would rather disappear from everything but European websites. What many US corporates have done, and are doing, is rotten to the core. It is demonstrably destroying the internet that so many of us spent time bringing to life, and had so much hope for.

I suspect that if someone with some balls and power suggested corralling all US trackers and data brokers - along with companies trying to turn the net into a shopping mall - into a single domain outside of which they could not operate, most Americans would applaud. The EU has done some of what it could, and cheers to them for having the courage to serve their citizens. Wish I was among them.


Better yet, comply and get your privacy/data management chops together so that you're comfortably able to navigate a world where this type of legislation is likely to become more and more common. Not to mention the fact that there's an increase in interest/awareness about these matters amongst the general public.


I love this comment. Waiting for people to take the bait and reply to you!


Take the bait? I’m not saying anything controversial. A large percentage of websites are directed at the home country of their owners anyway, and EU traffic is often incidental and worthless to them. A US dentist or doctor likely has no interest in receiving appointments from people in the EU, for example. An online store based in the US, who would have to charge outlandish shipping rates to ship to the EU, is unlikely to get orders from the EU and thus should have no interest in that traffic. An online message board where nurses in a US city talk to each other probably wouldn’t want to spend the money to comply with GDPR even if the occasional nurse from the EU might pop in with an interesting comment every now and then.

So EU traffic means nothing to any of the above example sites, yet all of them will be massively exposed under the GDPR. If I ran a web hosting company, I’d offer EU IP blocking as an optional, free service.


You don't think it's controversial to tell business to block the other half of the civilized world?


It's a start, but that is only the easy part, where the goal is relatively simple to figure out. You also have to explicitly get legal documents signed if you make a system for companies that "own" the user data.

You need to have new procedures for obtaining, storing, using, and deleting customer data. This is known as a "code of conduct". You need sufficient logging to aid incident analysis too.

I also think a lot of companies are entering a bit of panic mode because there is no clear guideline on what is sensitive data. If you make a booking system, then everything you store is potentially sensitive if you have end user data in it. If you're making IoT devices for the home with cloud access, then you have sensitive data.

The conclusion we've reached is fairly simple. If there is even a remote chance that normal day-to-day use of our systems contains data that can be used to build a profile of a user, then the system's data is considered sensitive.


It's in some ways worse, because with credit card numbers you can and should avoid storing them at all, but if you need an email that's not an option.


Would usernames be included? Seems incredibly taxing to encrypt usernames too but is that what's suggested?


The GDPR specifically introduces a class of data called "online identifiers":

https://gdpr-info.eu/recitals/no-30/

which includes IP addresses and seems to extend to things like email addresses and usernames.

How this will end up affecting functionality and implementations of online services is not yet clear, at least to me.
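One concrete implementation choice for the "online identifiers" the comment above lists (IP addresses, e-mail addresses, usernames) is to store a keyed pseudonym instead of the raw value, so that logs and analytics rows never hold the identifier itself while equality lookups and de-duplication still work. The following is an added example written for this page; it is not code from any commenter or from the linked GDPR text. The per-purpose secret key, the /24 and /48 truncation widths for IP addresses, the `PurposeKey` class and the sample rows are all this example's own assumptions.

```python
"""Keyed pseudonymisation of online identifiers (IP address, e-mail, username).

Added example, not code from the original thread.  Assumptions (not from the
page): a per-purpose secret key kept outside the data store, /24 and /48
truncation of IP addresses, and the constructed sample rows below.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample input: (client IP, e-mail, username) as a web app might log.
SAMPLE_ROWS = [
    ("203.0.113.5", "Alice@Example.com", "Alice"),
    ("203.0.113.77", " alice@example.com ", "alice"),
    ("2001:db8:1234:5678::1", "bob@example.org", "bob"),
]


def mask_ip(raw: str) -> str:
    """Drop the host part before hashing (/24 for IPv4, /48 for IPv6).

    Coarsening first means that even if the key later leaks, the pseudonym
    can only be mapped back to a network, not to a single host.
    """
    addr = ipaddress.ip_address(raw.strip())
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def normalise(kind: str, value: str) -> str:
    """Canonicalise so that trivially different spellings collide on purpose."""
    if kind == "ip":
        return mask_ip(value)
    if kind == "email":
        return value.strip().lower()
    if kind == "username":
        return value.strip().casefold()
    raise ValueError(f"unknown identifier kind: {kind}")


def pseudonymise(key: bytes, kind: str, value: str) -> str:
    """HMAC-SHA256 over (kind, normalised value), truncated to 128 bits.

    A keyed MAC rather than a plain hash: e-mail addresses and usernames
    have far too little entropy for an unkeyed hash to resist a dictionary
    attack.  Binding `kind` into the input gives domain separation, so the
    same string stored as an e-mail and as a username yields different tokens.
    """
    msg = kind.encode() + b"\x00" + normalise(kind, value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_row(key: bytes, ip: str, email: str, username: str) -> dict:
    """Replace every identifier in one log row with its pseudonym."""
    return {
        "ip": pseudonymise(key, "ip", ip),
        "email": pseudonymise(key, "email", email),
        "username": pseudonymise(key, "username", username),
    }


class PurposeKey:
    """One key per processing purpose (e.g. abuse detection), an assumption of
    this example.  Retiring the purpose destroys the key: rows already
    written stay intact but can no longer be linked to a fresh observation
    of the same person, and no new tokens can be minted for that purpose.
    """

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def token(self, kind: str, value: str) -> str:
        if self._key is None:
            raise RuntimeError("purpose retired; key destroyed")
        return pseudonymise(self._key, kind, value)

    def retire(self) -> None:
        self._key = None


if __name__ == "__main__":
    purpose = PurposeKey()
    for row in SAMPLE_ROWS:
        print(pseudonymise_row(purpose._key, *row))
```

Note what the first two sample rows show: the two spellings of the same e-mail address normalise to the same token, and the two IPv4 addresses in the same /24 do too, so the rows can still be correlated without the raw address ever being written. The key, not the table, is the thing to protect and to destroy when the purpose ends.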


This is a GREAT project!! Thanks!

Could you make it a git repo so we can field alterations, additions and discussion?


That's a good thought. Right now it's actually a Google spreadsheet: I write markdown into the individual cells, export it as a CSV, and then run it through a Ruby script that turns it into HTML. Which (obviously) sounds insane, but it's significantly better than trying to edit a raw HTML doc of this size, get feedback, etc.


> some traction on HN as everyone is trying to figure out: "Do I need to do something for this? Is so, what?"

If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this. So it's hard to imagine how many readers of HN are getting their answers on HN (or similar). If you are small time nobody is going to come after you. Sure something could happen and you could also get a traffic ticket going 57 in a 55 zone and a host of other outlier events.

> AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.

One size fits all advice doesn't make sense in this and in other similar cases. You will spend a great deal of time and effort dealing with 'maybe's' instead of the day to day.


>If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this

You'd be surprised. GDPR is vague enough and just open to interpretation enough that there are many different companies interpreting it in many different ways. I'm a consultant and I talk to many multi-nationals and all of them have their own spin on it. Especially around the "except when necessary for security purposes" section. That right there is broad enough that "security purposes" can mean almost anything as long as you make sure your security team has access to that data.


My company is one that everyone on HN has heard of, and they are interpreting it as "don't worry, we don't need to make any changes because _____". It will be interesting to see if they change their tune as May 25 approaches.


The EU are totally threatening fines of the greater of €20M or 4% of global turnover because they want to preserve the status quo. /s


If you're outside the EU, it really isn't about "anyone coming after you". Even within the EU the enforcement actions currently err on the side of a stern warning rather than a fine (except in the most deliberate cases). Though that may change.

Either way, you shouldn't be doing it out of fear. You should be complying for practical business reasons:

1. This is how you should be treating personal data.

2. In exchange for complying with GDPR, you get access to a market of >700m people. If you're a service provider, it's illegal for any EU business to be your customer without GDPR compliance.


I wonder if a significant amount of small businesses/startups are going to simply not do business with the EU because of GDPR. I know I'd probably rather not have to deal with it if I had a small app or something.


In general I agree with your assessment, that being said I do think that the GDPR is a decent set of guidelines for putting in place a system that respects user data in a way that clearly has not been happening.


Why not prevent personal data from leaking in the first place? It's a solution applied at the wrong level, or a wrongly drawn system boundary if you will. The damage it causes is psychological, preventing many EU businesses from starting in the first place. They're destroying the food chain for startups (small independent businesses).

The EU and politicians are anti-UX; they have no clue about the effect of their laws on people.


> Why not prevent personal data from leaking in the first place?

"The first place" would be not collecting it, an option that companies are seriously considering for nonessential data that they previously collected merely because it was convenient and accepted to do so.


This is totally awesome! Thank you, it has been sent round the office... I too second the idea of putting this onto GitHub so it can live and be updated as understanding of the requirements increases!


That's a fair analogy! I do think having a service like Stripe for PII would make things easier. Why would we need a first name and email address? As a programmer I only need a user ID!


I don't think this would be sufficient in many cases. If you store any form of user-generated content, or even a recommendation model generated from a user's past behavior, I'm pretty sure that's also considered personally identifiable information under GDPR, and since it's part of your product, you can't just outsource handling of it. It gets even stickier if that data is intertwined with data from other users, as could be the case in machine learning models or user-generated collaborative projects.


> For a recent project, I read

Fixed that for you.

Usually commas aren't important, but that specific sentence really suffers in readability without it.


What constitutes user data?


In fact, I think the author is underestimating the impact, right here: "Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today."

No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions). The reason all this data got collected, was to try to make the advertising valuable enough that they could sell it. It may be that it never really worked, but it sure won't work without it. I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent (because people consider those websites too valuable to do without), but most other advertising-supported media cannot; or they will see that the long-term impact of this is that it accelerates the current death spiral of newsmedia, as all ad spending goes to Google and Facebook and almost no one else.

I leave it as an open question as to whether this would be a good or bad thing.


> No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions).

We have publicly funded broadcasters in most EU countries. The ad-supported news sites, on the other hand, are generally doing more harm than good.

News outlets existed before the web, so they're not going to be threatened by breaking the ad-supported website model. If anything, the traditional newspapers will be saved by this, because if free online news disappears, people will start buying newspaper subscriptions again.

> I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent

They can't. The consent has to be for a specific purpose.


You don't see the potential problem if the only media that is able to exist is that which is state sponsored?

You may be happy with the state sponsored options now, but will that always be the case? Would you feel the same if you were living in the Soviet Union or Germany circa 1940?


How are CNN, Fox News and the Sinclair Group working out for you guys?

I trust state paid media in the EU, way more than any US news media.

The reason why most EU countries have state paid media is so that it's non-commercial, non-partisan, and can't be bought. There are different principles in place, so government has no say in what is broadcast/not broadcast. This also means that all political parties get the same amount of exposure etc.


CNN isn't great journalism, but it isn't the only source of information.

The problems with Fox News and Sinclair aren't based on advertising, they are based on ownership. State sponsored media isn't going to be any better under an autocrat and will in fact be worse than the situation in the US because there may not be any other options.


I don't read news but I'm sure that GDPR would hurt the smaller, independent news websites or aggregators that people find reputable more than CNN, Fox News and the Sinclair Group. The latter at least have TV advertising. Their website is just horizontal integration for them.


New York Times, Washington Post, Boston Globe?

Those are three publications that have sent shockwaves around the world with their privately-funded investigative journalism.


I used to like WP but especially since Trump they've almost become a single-issue publication following every fart of that guy, and a lot of it is way overblown and they leave out "details" and overstate the importance of others. I loved their investigative series such as the one about asset forfeiture, lots of investigation; the Trump reporting instead is more "instigation" than "investigation". And I can't open the comment section any more, it's like the Fox News comment section only the opposite.

What I dislike about all news sites is that they are inconsequential. They throw sooooo many different news items at you that it really does not matter. Today's outrage will be quite forgotten two days later, or two weeks if it was something really bad. They should instead follow a few selected topics long-term and investigate what happens, and point readers to ways to affect a change. That means not reporting on each and every little thing as extensively any more but instead focus on a few things over a very long time. Just being fed thousands of news stories is McNews - you get short term satisfaction and a feeling that you stuffed something into your brain, but it feels hollow quickly because it's not very nutritious.

And don't get me started on all the Russia hype; one would think those guys in their largely poor 3rd world country have capabilities far beyond what the orders-of-magnitude richer West has (I speak some Russian and was there a few times, also in Ukraine). That all the media jumped so willingly on this bandwagon is quite amazing. Note that I don't doubt they (the Russians) did most of what is claimed, but when, for example, sums of money spent on the campaign are mentioned, they're so little that it's obvious they could not have had a significant impact, at least not on the scale fitting the amount and the tone of the reporting. What is also missing is any attempt to take the opportunity to talk about the many ways the US and the West have influenced the internal politics of other countries. For controversial topics they usually try to give such views some room, but Russia seems so incredibly overblown and one-sided to me - so impossible, and it all looks like that recent video about Sinclair where they all say the exact same things and one can see not much effort went into that reporting. I don't know, it all feels very weird - and very wrong, like when you put on very strong glasses and the world looks weird.


Absolutely, and they would benefit from the end of ad supported, low quality but free online news. All three are subscription funded.



That article is literally about 60% of their revenue being from subscriptions.


> How is CNN, Fox News and the sinclair group, working out for you guys?

Not well, and I'd add MSNBC to that list, however much I may be a dirty pinko who agrees with their editorial stance. NPR and PRI do what they can, but I really wish we had something like the BBC here, with non-corporate funding and a remit to report current events.


You do have some very reputable newspapers though (NY Times, WSJ), which are subscription funded and hence losing out to the free ad funded stuff.


German public media is not state sponsored. It's an independent entity which is paid for by public fees (not taxes; the money never goes through the government's coffers). There are some levers that could be used to exert some level of control, for example the amount of the fee is set by a commission that is partly under government control and many ex-politicians get elected into high positions, but all in all, public media is fairly well removed from the government's control here. The constitutional court watches over this pretty well, too. The system has been set up in such a fashion exactly due to the experiences under Nazi rule.

I’m currently more concerned about private media having an agenda that promotes the right.


What is the difference between a tax and a mandatory fee? If government requires me to pay a fee, it’s a tax.


While there is a law (to be precise: one in each state) mandating payment of this fee, it is levied by the broadcasters themselves and the money at no point touches accounts controlled by the government.

(As a sidenote because it's confusing for people from both sides: In Germany we differentiate between taxes which end up in the general budget and can be used for everything and fees which are purpose-bound from the moment of collection, e.g. in this case the levied money must be used for broadcasting. This differentiation is not common elsewhere.)


In German law a tax is general purpose; the government can use the money to pay for any of their "services". Whereas a fee has a specific purpose and cannot be used for anything else.


It's the same in the US. For example, there's a fee for getting a passport, and it's not considered to be a tax.


That's not the same, though, because it is not mandatory to obtain a passport (at least not for everyone—you may need one if you want to travel abroad, but this is viewed by the government as a non-essential privilege and not a right). Broadly speaking, in the US, a "fee" is something you pay in order to receive some form of optional service, such as the issuing of a passport, and a "fine" is something you are ordered to pay as a penalty for breaking the law. Everything else—any payment required of a law-abiding citizen either for simply existing or as a condition for carrying out law-abiding actions (e.g. owning property, earning income)—is a tax.

Of course, sometimes fees and fines can be seen as "stealth taxes" when they intrude too far into everyday life, particularly when state monopolies are involved. For example, the cost of First Class postage with USPS is technically a fee for an optional service, but the USPS monopoly on First Class letter delivery makes it at least partly a tax, to the extent that another carrier might have provided the same service for a lower price in the absence of the monopoly.


I was going to say driver's license. But I guess that's optional too. There are garbage fees or charges. Sometimes you must pay them, even if you contract with a private hauler. But you need that to get an occupancy permit. Also water/sewer fees. Unless you have a well and septic system.


Right, the line does get rather blurry when a service provider has the power to compel people to purchase their "service" whether they want to or not. Local governments like to position such payments as "fees"—it makes for better PR—but if there are penalties for opting out (such as not being permitted to occupy your own property) then I would consider it a tax. In the cases you mentioned, for example, there really isn't any significant difference between those mandatory utility "fees" and property taxes.


There is a substantial difference between fees and taxes. Fees are tied to something specific. This has two implications: First, they cannot be used for something else. Second, the amount of the fee must not exceed the cost of the service and thus is at least in principle something that can be checked. For example, some public health insurance providers in Germany had excess money and they had to refund that to their customers. Taxes are under no such regime. It may seem like one is like the other, but it's really an important distinction.


> Fees are tied to something specific. ... they cannot be used for something else. ... The amount of the fee must not exceed the cost of the service....

In Germany that may be true, but I was speaking of the US, where the terms are used differently. There is no expectation here that "fees" can only be used to defray the cost of providing specific services.


> but if there are penalties for opting out (such as not being permitted to occupy your own property) then I would consider it a tax.

I agree.

But I'm guessing that it's the same in Germany. They call them "fees" but they're really taxes. Except that they can't be used for other purposes.


What protections are in place to prevent an internal takeover of the organization by a political party? Let's say the Roger Ailes of Germany finds his way to the top of German public media and uses that position to tilt coverage to be more favorable to his own party, what happens?

If all your eggs are in one basket what happens when something goes wrong with that basket?


We have 12 public broadcasters that are independent of each other, each with their own board (and on top of that working under the laws of different states, ensuring that no one political institution has power over all of them; the federal government is strictly barred from interfering by the constitution). 10 of those cooperate closely, share some resources, and produce a common TV station in addition to their own radio and TV stations. One is a radio broadcaster using resources of the others. The last one is a TV broadcaster that works separately. It's pretty inefficient but ensures that there is no single entity controlling everything.


Why would you only have state sponsored media? You also have private media that you pay for (newspapers).


Newspapers are mostly paid for by advertising; having readers pay is mostly important because paid circulation is a signal of level of engagement that helps sell ads (though there are free papers that are entirely ad supported, too).


Perhaps in the past, or for local media, but the big newspapers (e.g NY Times) are primarily subscription funded now.

Anyhow, newspaper advertising isn't personally targeted by tracking readers, so it's a lot more palatable.


> Perhaps in the past, or for local media, but the big newspapers (e.g NY Times) are primarily subscription funded now.

That's a direct result of online advertising eating most of the advertising dollars, making the big papers less valuable advertising venues. Cut off the things that make online advertising uniquely valuable, like the flow of personal data that enables far more focussed targeting, and that'll shift back.

> Anyhow, newspaper advertising isn't personally targeted by tracking readers

No, instead it's targeted by every business decision of the paper ultimately being made against a backdrop of how it impacts the paper's size and the demographics of its readership, which is how it sells itself as an advertising venue, which ends up with the major media all being crafted to narrowly appeal to the most valuable advertising audience.


Ad supported publications aren't immune from this though, if anything they are just as susceptible.

To get the most ad revenue they need to cater to the majority. See e.g. clickbait. For stable income, finding a group and catering to their opinions/narratives is also an option, and is also not independent news. See e.g. infowars. Finally, to get any ad revenue, they need ads. Unlikely many corporations will run ads on anything that is perceived even slightly controversial nowadays. See e.g. YouTube.


I don’t think ownership structure is the key factor. More important is robustness of institutions that protect freedom of expression and freedom of the press. The Nazi government had little patience for critical private media either.


At least a determined propagandist would need to corrupt every state media in the EU, much harder than just one.

Non-EU media would still exist.

Several UK media outlets use paywalls already, presumably they too would remain.


How about Hungary 2020? Poland 2022?

Strong emphasis that I'm not equating those to your examples. Rather, pointing out that even a subtle version of undesirable or extreme politics can lead to a similar concern.

Given the wild political swing going on in about half of Europe, it's a legitimate concern today, no need to look back 80 years. Not to mention persistently growing censorship and criminalization of speech in more liberal countries such as France.


Publicly funded TV is prone to become a propaganda tube of the government. In some cases it already has (in Poland for example). Relying on it as the only news source would be silly (relying on a single news source in general is usually silly, but even more so if the government directly handles the staffing).


You should never rely exclusively on domestic media. There's always too much conflict of interest. In state media this is obvious, but it's there for private media as well.


The BBC is a counterargument to what you wrote. It shows that publicly funded news outlets can work without being a government propaganda tube.


His argument wasn't that all state-funded news media is a propaganda machine. His argument was that it easily can become one, and you won't have a better option, since all the other news media would be choked out of existence.


> since all the other news media would be choked out of existence.

There are other private TV outlets in those countries in the EU and this legislation will not change that. Let's stop being paranoid and portraying legislation that should protect our privacy as something that will destroy democracy.


That's just going to fuel nationalism.


Let me tell you how it works in central/eastern europe - ad-supported sites are financially sick, but more and more 'info' is spread out by well funded russian propaganda sites (imo they carry the ads only to seem 'legit').

They will thrive even more :(.


Is there anything that can be done about this? The whole situation is surreal. Surely it must be possible to decrease these sites' impact without having to resort to censorship. It's just 21st century propaganda.

Fun fact: oligarchs in Greece have been doing this to their own country for financial gain for decades. Most Greek newspapers are mouthpieces for the interests of the great families.


> News outlets existed before the web, so they're not going to be threatened by breaking the ad-supported website model. If anything, the traditional newspapers will be saved by this, because if free online news disappears, people will start buying newspaper subscriptions again.

We're also seeing very concerning trends in the readerships and profitability of print media (because of the Web, many think). So I don't think you can use the "News outlets existed before the web" line, without much more justification.


I do not think it is bad, I think that is evolution. Ads-only content is total crap. We have to teach people to pay for content. The second part is we have to teach publishers not to be greedy. Just like iTunes with music: easy small payments, not subscriptions no one wants. Maybe they could actually make some use of crypto currencies but there would have to be a strong player like Apple to press for consensus. Otherwise each one would like to have its own payment system and charge others for using it.


> Maybe they could actually make some use of crypto currencies but there would have to be a strong player like Apple to press for consensus.

I doubt it. Cryptocurrencies seem to be terrible for micropayments.


That's my point. Get rid of the free "news" sites and people will start paying for print media (and digital subscriptions) again.


Print news media was dying for decades before online media came online, and was almost entirely paid for by ads (many local publications were and are free of charge, and many of the paid ones charged primarily to have paid circulation numbers and shape the socioeconomic demographics of their audience, both of which were and are mechanisms to boost advertising revenue.)


> Print news media was dying for decades before online media came online

Any sources for this? I don't think this was the case at all at least in my part of Europe.


It may not have been the case in Europe; the decline in circulation in the print media in the US was widely discussed as a long trend in the late 1980s and early 1990s, and attributed to a number of factors, most notably (but not exclusively) the wave of mergers and associated cuts in local newsrooms and non-wire-service content in the preceding couple of decades.


>We're also seeing very concerning trends in the readerships and profitability of print media

Why is it "very concerning" (assuming no financial interests) that a legacy form of media is struggling to dominate in terms of profitability?


It's concerning in relation to the gp's post. Online media is having existential problems. The gp's response to this (in part) is that we have had print media for a while. My response is that it is unclear we'll have print media for much longer, so we should still be concerned about online media (otherwise we might end up with no media).


> We have publicly funded broadcasters in most EU countries.

That would be a terrible dependency for Eastern Europe, you wouldn't want Putin-friendly government media teaching people what to vote next.


There is only one "Eastern Europe" country that is really Putin-friendly and it's Hungary, the rest is anti-Putin.


Many urban, educated folks in Serbia see Putin as a better ally than any European leader.


I think you could find a lot of pro-Putin people in the EU. Some of my family members are pro-Putin while I live in probably the most anti-Putin country in the EU. I could elaborate more about reasons for that but I don't want to digress too much from the original discussion.


That's probably due to the rather unusual recent history of Serbia, I assume.


We have publicly funded broadcasters in most EU countries. The ad-supported news sites, on the other hand, are generally doing more harm than good.

Why am I not surprised that a European is saying that the government-backed "broadcasters" are all so good, and evil private American news sites are bad.

This pretty much sums up the real agenda behind GDPR.

It would be better to call the bluff of these EUrocrats and see what they'll really do. Other countries can retaliate.


> Why am I not surprised that a European is saying that the government-backed "broadcasters" are all so good, and evil private American news sites are bad.

You are not surprised because you have a gigantic filter in your head that turns everything into exactly what you already expect regardless of what it is. The second part of that sentence makes it quite clear what your mindset is.


> Why am I not surprised that a European is saying that the government-backed "broadcasters" are all so good, and evil private American news sites are bad.

Nowhere in that comment can I find a reference to American (evil) news sites. There are more than enough private news sites based in Europe, so I wonder why you are so hell-bent on making this an EU vs US thing. Most EU residents will read news in their own language (which in most cases isn't English).


Why am I not surprised that an American is crying over potential harm to unethical business practices of some of its most darling corporations by an EU rule to protect its citizens.

Every time the EU implements some law or regulation regarding control of personal data and privacy, someone (an American) has to dismiss all the problems those laws are intended to address entirely, and go on to post some defensive, nationalist spiel about it being an attack on US companies.

Perhaps the problem is that these companies make their money in an incredibly unethical way that an increasing number of people are very uncomfortable with?

Stop turning this into something it isn't. All you are doing is poisoning the debate.


Privacy first, profit second. I think that is a wise decision the EU makes (disclosure: I'm an EU citizen). 'The media' surviving on a distorted revenue model is not healthy and I will not believe it is necessary to break your customers' privacy in order to make a profit.


I completely disagree with this. Firstly, the media currently are too lucrative for my taste and that's why we have everyone being a journalist and publisher. By cutting down on the easy money, only those worth surviving will probably stand. This will seriously cut down on more than just ads, i.e. fake news and unverified sources. An alternative I'd love to see is sponsored articles as the main source of income for these. Let the corporations have to pay bigger bucks to have their posts published. This will hopefully reduce the clutter, force the media outlets to provide quality content to keep a certain level of trust and quality to attract businesses as well as a good targeted audience.

Personally I'd love to have most media completely in the dark about visitors, to solely speculate on the quality of their own content. The only metric they need is daily visitor count. Everything else can be shaped by type and quality of content. A great example is HN where we have a very targeted audience due to the content it serves. It obviously also has some sponsored articles but also the indirect benefits it has on new startups and so on. Just treat it as TV marketing and not a per-person customized monetization strategy.


> Firstly, the media currently are too lucrative for my taste and thats why we have everyone being a journalist and publisher.

As someone who works in media: I'm sorry, what? Publishing is certainly not more lucrative than ever, and publishing online now is a far worse business than publishing a physical newspaper pre-cable TV. The proliferation of outlets is due to lower barriers to entry and less need for capex. Plus a little bit of VC optimism.


Depends how you look at it. You are an employee in the media space, I guess you're in an ok situation but also not swimming in cash. However I thought more in the line of media companies and solopreneurs.

Everybody seems to be joining the race to the bottom by delivering more questionable content for 2 more clicks per day instead of relevant articles and real journalism. Also, not to step on anyone's toes, this obviously doesn't apply to every individual, however a large majority seems to be doing it. This also makes it hard for the good guys to prevail, I guess.


>This will seriously cut down on more than just ads, ie fake news and unverified sources.

Why do you think so? I don't see the clickbait industry seriously affected. They churn out a ton of crappy content which costs almost nothing to produce (at least if compared with reputable journalistic work), monetize it with low quality ads for shitty CPM rates, but as long as part of their content goes viral, tons and tons of pageviews allow them to balance everything.

GDPR changes nothing in this business.


There has to be some limit to how low they can go cost-wise in delivering crap. Also, as it becomes harder to get big bucks, people will shift to other lines of crap work.

GDPR in my mind influences this indirectly in the long run. It's not like it will kill fake news the week after.


Nothing about ads on the internet implies tracking.

The simplest solution is that newspapers host the ad on their own server as a .png or .jpg that gets shown to all visitors. It's tracking-free and GDPR compliant.


I don’t think the EU has thought it through. I work in a municipality in Denmark, one of the most digitized public sectors in the EU and we’re not anywhere close to being ready.

None of the hundreds of suppliers we use are truly ready, and how would they be? It took 45 years to build this tech, you can’t just replace the innards in a few years. Estonia is the only country that is close to ready, and that’s mostly because they’ve built their entire system with a focus on sharing and securing data. Nobody else has anything close to it.

It’ll be interesting to see how this plays out in the courts. I mean, keeping privacy data safe should be an important concern, but do we really want to close hospitals and schools because we can’t afford to pay the fines when it fails?


> In fact, I think the author is underestimating the impact, right here: "Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today."

To add to this, the quote paints complying with the legislation as a simple redesign. It would require much more than a redesign. The technical, administrative and legal costs of implementing the new system from scratch would be magnitudes higher than implementing the current system from scratch. And add on changing requirements as the legislation is in its infancy.


Or it could go the other way. If all media outlets decide to put up a paywall it forces people to actually pay for reading the news. Currently there are a few news outlets who plead for ad blockers to be turned off while still offering content for free. And since ad blockers allow you to add exceptions this doesn't create a level playing field between those outlets that advertise and those that are locked behind a paywall. GDPR might end up forcing the outlets reliant on advertising to also shift to paywalls effectively creating the level playing field that was lacking earlier.

Let's face it, despite social media being a great enabler for realtime news the quality of news is sub-par. The biggest bane of social media is the transfer of responsibility of filtering real news from a firehose of fake news, to the end user. Until that issue is solved people are going to probably pay for news. This is just my speculation of how things might go after GDPR.


Television and newsPAPERs were viable businesses before the advent of the internet. And on the internet, the need to spy on your reader is also quite new.

What makes privacy-sensible internet newsmedia nonviable might very well be the much more profitable spying on the client. If regulation makes that competition illegal, and demand for news is unaffected by GDPR (and why wouldn't it be), then it becomes more difficult for advertising companies to find newsmedia that provide that extra illegal profit-taking sugar, so they will go back to more traditional advertising plans. This, in turn, will make newsmedia's lives easier in regards to finding advertisers that do not demand spying on their readers.

At the end, sellers still need to advertise, providing ads supply, and readers still demand free newsreading, providing ad demand. The market still exists.


Publishers are getting squeezed out of the web by various forces. There is this GDPR, then there is also the web giants Facebook and Google squeezing them with their algorithms and in-app browsers. However, I'd say the net effect is positive because I'm seeing the lowest quality aggregator type blogs getting squeezed out and the only ones that are standing strong are the well funded publishers, which means better content.


I thought about it before. Yeah it will make analytics driven journalism unprofitable. But why this is a bad thing anyway? The old subscription model works and the quality of the content is high.


> No, it will basically make a newsmedia site unprofitable.

Good. We don't need that much "news" anyway. And I think my need would be more than covered by national TV which is sponsored by taxpayers' money and the BBC, which also has no advertising. There really won't be much of the value lost if we won't have sensationalized and invented news any more.

Another point to consider is that need for news or just for some brain filler: I am puzzled by the apparent inability of many today to be alone and in silence. As if then some thought that they cannot be comfortable with starts to be loud enough to be heard.


> Good. We don't need that much "news" anyway.

The "we" is where you have a problem.


Ok, care to share why you personally need to be fed news 24/7. What's so important and fulfilling to know about the latest antics of some celebrity, or some crime blown out of proportion so much that you will think a killer is waiting for you on each corner, etc. What value does it add apart from creating more anxiety? Not to mention that news tend to misreport things a lot. (https://www.goodreads.com/quotes/65213-briefly-stated-the-ge...)


> Today, for instance, we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking.

Is there any evidence for this at all?


No, and I would say that statement is laughably wrong. Users install ad blockers to prevent annoying stupid things from monopolizing their time and space.

Telling a person "if you install this they'll stop tracking you in some abstract way" is way less effective than "install this and you wont have to wait to watch youtube videos."


> install this and you wont have to wait to watch youtube videos

Exactly the reason I installed an ad blocker. If YouTube had released their Red subscription in the UK I might never have installed the blocker (actually probably would have eventually, but later than I did)


I don't think so - I think blocking goes for both annoying and dangerous ads, _and_ blocking trackers like facebook/google's invisible pixels. At least I run ublock origin, adguard, scriptsafe and privacy badger for maximum protection.


How many users do you think are like you? Especially in the number of plugins?


Here's #2 running a pretty similar cocktail (ublock origin, umatrix, privacy badger, httpseverywhere, cookie autodelete and decentraleyes).

There's dozens of us! Dozens!

But more seriously, there's actually lots of us. You don't hear about us because we don't narcissistically post about it on facebook. We just block shitty software and move on with our lives.

I have no stats for you though, because stats are usually collected through third party trackers, and I block them all, so I'm never represented in anyone's metrics. Based on some rough stats like these[1] and my own experience, I'd guess something like 1-3% of the population in western countries.

[1] https://www.quantable.com/analytics/how-many-users-block-goo...


But the statement wasn't "many people block tracking", it's "the majority of people using ad blockers are doing it for tracking and not for ads". That's a far different statement that is far harder to back up.


So, of that list I just posted:

ad blockers: ublock origin

ad and tracking blockers: umatrix privacy badger

tracking blockers: cookie autodelete decentraleyes

other: httpseverywhere

I'm mostly blocking trackers.


Good job repeatedly misunderstanding what the other commenter was saying.


Yes, I do it too - I have uBlock Origin, Privacy Badger and HTTPS Everywhere. I do it because the web is faster without ads and trackers. Just look at devtools and see how much time is saved by blocking requests.


I did some research on this last year. ABP still has the largest install base and about 50% of users click the 'block trackers' option when installing.

uBlock Origin is 2nd and rising in popularity and it blocks trackers by default.

Both they (and others) depend upon the EasyList collection of URLs/regexes, etc. to block out sites and includes.

https://easylist.to/tag/tracking-protection-lists.html
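
The "URLs/regexes" in those EasyList files are written in the Adblock Plus filter syntax. As an added example (not code from uBlock Origin, Adblock Plus or EasyList), here is a small Python matcher for a subset of that syntax, run against a constructed sample list. The third-party check uses a crude "last two labels" notion of site, which is an assumption made for this example; real blockers consult the public suffix list.

```python
"""Matcher for a subset of the EasyList / Adblock Plus filter syntax.
Added example for this thread; not code from uBlock Origin, ABP or EasyList.
Supported: || and | anchors, * wildcard, ^ separator, @@ exception rules and
the $third-party, $~third-party and $domain= options. Element-hiding rules
(##) and rules with other options are skipped. The sample list is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

@dataclass
class Rule:
    regex: "re.Pattern"
    exception: bool = False              # "@@" rule: whitelists a request
    third_party: Optional[bool] = None   # None = no $third-party constraint
    domains: List[str] = field(default_factory=list)  # $domain= entries

def filter_to_regex(pattern: str) -> "re.Pattern":
    """Translate an ABP URL pattern into a regular expression."""
    prefix = suffix = ""
    if pattern.startswith("||"):   # start of the host, any subdomain allowed
        prefix, pattern = r"^[\w\-]+:/+(?!/)(?:[^/]+\.)?", pattern[2:]
    elif pattern.startswith("|"):  # very start of the URL
        prefix, pattern = "^", pattern[1:]
    if pattern.endswith("|"):      # very end of the URL
        suffix, pattern = "$", pattern[:-1]
    body = ""
    for ch in pattern:
        if ch == "*":
            body += ".*"
        elif ch == "^":            # separator: anything but letter/digit/_ - . %
            body += r"(?:[^\w\-.%]|$)"
        else:
            body += re.escape(ch)
    return re.compile(prefix + body + suffix, re.IGNORECASE)

def parse_rule(line: str) -> Optional[Rule]:
    line = line.strip()
    if not line or line.startswith("!") or "##" in line or "#@#" in line:
        return None                # comment or element-hiding rule
    exception = line.startswith("@@")
    if exception:
        line = line[2:]
    third_party, domains = None, []
    if "$" in line:                # options follow the last "$" (simplified)
        line, opts = line.rsplit("$", 1)
        for opt in opts.split(","):
            if opt == "third-party":
                third_party = True
            elif opt == "~third-party":
                third_party = False
            elif opt.startswith("domain="):
                domains = opt[len("domain="):].split("|")
            else:
                return None        # resource-type options etc. not handled
    return Rule(filter_to_regex(line), exception, third_party, domains)

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def _site(url: str) -> str:
    # Assumption: "site" = last two labels; real blockers use the public suffix list.
    return ".".join(_host(url).split(".")[-2:])

def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def rule_matches(rule: Rule, url: str, page_url: str) -> bool:
    if not rule.regex.search(url):
        return False
    if rule.third_party is not None:
        if (_site(url) != _site(page_url)) != rule.third_party:
            return False
    if rule.domains:
        page = _host(page_url)
        included = [d for d in rule.domains if not d.startswith("~")]
        excluded = [d[1:] for d in rule.domains if d.startswith("~")]
        if included and not any(_in_domain(page, d) for d in included):
            return False
        if any(_in_domain(page, d) for d in excluded):
            return False
    return True

def should_block(url: str, page_url: str, rules: List[Rule]) -> bool:
    """Blocked if some blocking rule matches and no exception rule does."""
    hits = [r for r in rules if rule_matches(r, url, page_url)]
    return any(not r.exception for r in hits) and not any(r.exception for r in hits)

# Constructed sample list in EasyList syntax (not the real EasyList).
SAMPLE_FILTERS = """\
! tracker.example is blocked only when embedded in someone else's page
||tracker.example^$third-party
||news.example/ads/
@@||news.example/ads/house-banner.png
/analytics.js$domain=news.example|~admin.news.example
|https://ads.example/|
news.example##.sponsored
"""
RULES = [r for r in map(parse_rule, SAMPLE_FILTERS.splitlines()) if r]
```

The `^` separator in `||tracker.example^` is what stops the rule from also matching `tracker.example.evil`, and `$third-party` is why the same tracker is left alone when you visit its own site; the `@@` rule is how a self-hosted house ad survives a broad `/ads/` block.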


I'd completely reverse the phrase: "majority of people who install an ad blocker do it to block ads. Blocking trackers is just an added bonus".


I don't believe the majority of people do not understand what 'tracking' entails even after the major outlets have talked about it. Most people do hate intrusive ads though so I do find that very hard to believe


Not evidence, but a portion of the users install blocking software to speed up browsing, and tracking blocking will often be the first target (it can be under “block third party script”, same effect)

An example of this mindset: http://www.zdnet.com/article/how-to-speed-up-browsing-by-usi...


One of our mobile apps, Firefox Focus, pointedly targets users who want to block tracking but don’t care about advertising otherwise. I’ve personally heard a pair of unprompted non-tech people in a non-tech city discussing it over beer after work. I submit the existence of our app and my personal experience as sufficient to meet the terms of your question. “is there any evidence at all”: yes!


Your anecdote - not evidence - supports a claim that some people care about blocking trackers more than blocking ads. Which is a lot less contentious a claim than "a majority of people who install an ad blocker don't actually do it to block ads"


Indeed. If you’re truly in need of proof of the original claim, search advertising industry news for their various survey results of real people. The ad industry is pretty convinced that people are generally anti-trackers and not as much anti-ads. (They could be wrong, as could their surveys — but if you trust nothing, then no point can be proven.)


Every person I know that uses an ad blocker (5, including myself) does it to prevent tracking.

In fact, I want to whitelist certain websites (a dozen or so) to continue seeing ads, but I don’t want to because I know that they are likely using Google for their ads and I don’t want Google’s little grabbing hands tracking me.


I work in IT and I don't know anyone (myself included) who uses ad blockers to block tracking. It's just about the annoying ads for me.


So 5 people out of how many million? Just Adblock Plus on Chrome has over 10,000,000 installs, and "most" of 10,000,000 is a big number. Even bigger when you say "not using it for ad blocking"


The #1 reason I use adblock is to block youtube ads.


Personally I do it for both, but I also run pretty locked down on my daily driver Firefox (less so on Chrome, which I use for sites that Just Won't Run without a bunch of dependencies that I don't want to individually whitelist).

For users I deal with, I do it as a preventive measure - I worry about phishing/spearphishing and other email vectored attacks, compromised websites, and the risk of a compromised ad network where even if something malicious is killed in minutes it could still reach tens of thousands of people.

And I still get AV alerts at least a couple times a month where the AV has blocked access to something that's recognizably part of a remote access scam.


Personally, I use adblocker for both purposes, but if not for tracking, I would be disabling it on many more websites to support them.


Agreed, I doubt this and if they have evidence, should link to a source/study.


I'd wager adblocker usage correlates with YouTube ad frequency.


Yes. I’ve seen private studies on this. However it’s not the primary use-case BUT it’s still a significant enough reason.


I should note another (statistically) significant but smaller reason is to reduce bandwidth.


Not a majority. But I know GA is staying in the "not trusted" list of Noscript.


"If you look at what is happening around us, you can see very clear signals that the public has had enough."

No, outside of a few echo chambers, no one cares about privacy or knows what GDPR is. Until GDPR shows everyday on the evening news for weeks it will not be well-known, and there are many things more important to most people than online privacy. Heck, Cambridge Analytica was only a scandal because the "bad guy won".


While concern about privacy may indeed remain a niche thing, GDPR is intruding into the European public consciousness. In recent weeks I have received a number of e-mails from hotels I once stayed in, associations I am a member of, my old university, etc. to alert me to the fact that they have my personal data and under the GDPR I have rights regarding it.


> Until GDPR shows everyday on the evening news for weeks it will not be well-known

I think we've crossed that point a few months ago in Europe. Last year I felt I was probably the only one of my real-life friends who even knew what GDPR was. These days, I see streams of articles about it on social media, aimed at non-technical people. Hell, last week my SO told me she started receiving GDPR-related e-mails at work from companies that are in business with her place.

I feel people do know. Unfortunately, I also fear they only think of it as yet another random EU regulation thing, and don't realize the benefits it'll bring.


In which EU? :) Over here (Belgium), there has been a lot of talk in business fora (which are only frequented by a specific minority of companies), but in the general press I can't even recall seeing a single article. Even with those 'in the loop', the attitude is mostly 'wait and see', 'who is going to work on enforcement?' (the regulators haven't expanded), 'maybe it will be another cookie law' (meaning a much hyped 'the sky is falling' regulation which turned out to be "we'll install a component that handles the implicit 'ok' click and be done") and 'you never get a fine the first time, so why be proactive?'.


I am yet to find one friend or family member who has changed their attitude or behaviour towards Facebook after Cambridge Analytica.


This is all anecdotes but I've had some (non tech) family members ask about the facebook privacy scandal and they wanted to review their privacy settings.


There is a huge long tail of SME 'website owners' that have no idea what they are in for. These sites are often developed/maintained by very cheap labor (students/off-shored etc) and sprinkled liberally with all sorts of 3rd party analytics/counters/share-buttons etc etc.

Not only do the site owners not even know that the site contains these things, if they do, they don't even realize the extent of data collection going on. I had a chat this morning with an owner like that. The site runs GA (they didn't know), the site runs ShareAholic (which they said wouldn't be a problem as they only use it to see in aggregate where their site visitors come from).

They never made a distinction between what data their site provides to these services through scripts or cookies, and what they themselves then get/use through the service provider.

This is not a special case. There are probably millions of these little business sites out there.


It's even bigger than that. It's been mentioned on HN before, but see the "GDPR Letter."[1] Anyone in the EU can send you such a letter, and you have 30 days to reply.

1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

b. Additionally, please advise me in which countries my personal data is stored, or accessible from....

c. Please provide me with a copy of, or access to, my personal data that you have or are processing.

2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

Then, once you've replied, they can request deletion of any or all of that.

[1] https://www.linkedin.com/pulse/nightmare-letter-subject-acce...


You should note that lots of what that letter suggests it has rights to are not rights granted under GDPR. Or at least would be subject to legal clarification.

If you send that letter, expect to receive a standard response/report of data with a form response that politely & legally amounts to “piss off”.

Large organizations have considerable resources set aside to make sure their “piss off” letter is legally defensible & GDPR compliant.

That letter is likely only a problem when selectively used by a malicious actor against a small organization. Frankly not the kind of org that is systematically tracking personal data.


> That letter is likely only a problem when selectively used by a malicious actor against a small organization.

Which is what is so annoying and economically destructive about regulations like these that are broadly applied to all companies, especially on the internet where single person companies are very popular. They are designed in a vindictive way against large companies like Facebook or major online retailers who burned customers due to minimal information security investment.

But they so often ignore the reality of the burden it places on small firms who account for 90% of businesses and 50% of employment, who can't afford lawyers or the legal risks of a 'piss off' letter.

The western economic environment continually gets more and more structured favouring large firms, encouraging large scale merging, which usually generates the type of large oligopoly companies who most often do the things that cause regulations to get created, then imposed on smaller firms.

If Japan's economy is any indication we do not want a state-heavy economy where big companies are the only sanctioned winners and smaller companies are heavily disincentivized by the state (whether indirectly, by side effect, or overtly).

If not having these laws created isn't an option (seemingly impossible in an administrative heavy org like the EU), I then hope someday these regulations start being structured like progressive income tax using size minimums or are contained to specific industries where it's clearly a problem (both of which would apply well to minimum wage laws for example). So laws are pinned directly to a specific problem area justifying the heavy-handed state intervention, not just blanket laws on everyone.


For most smaller businesses there is no real reason to do all that much as long as you can answer such questions on an ad-hoc basis. Although of course we still have to see how widespread it will become in practice.

Basically you need to make sure you 100% know what data you collect (including any third parties) and make sure you have a good reason to collect it.

Honestly most of GDPR should be considered "common sense". It's just that many corporations actively act against the interest of individuals they collect data on, and it's precisely these practices that GDPR tries to correct.


Unfortunately even if you're already handling personal data responsibly, the GDPR still also requires that you be able to provide various documented policies to your regulator on demand, still contains lots of ambiguity about how far subject rights can go in practice, still imposes obligations to include lots of extra detail in privacy policies or otherwise provide lots of information and active warnings to data subjects, etc.


How about, “Our documented policy is to not collect personal information from users at all.” Assuming it’s true, wouldn’t that be compliant?


GDPR also expands what is personal data to include things that are collected as a matter of course such as IP address.

You likely have a reason to log that data but GDPR requires that you document it.

Further it reaches into your business even if you aren’t trying to do business in the EU, as EU citizens can come to your site without your control.

There is a lot to like with GDPR but it absolutely is expansive & easy to have many interpretations.


Maybe these things shouldn’t be collected as a matter of course. Should web servers log client IP addresses by default? Why? Does my mail server need to log email addresses of incoming mail by default? “Logging all the things” as default behavior really needs to be a thing of the past.

If anyone wants to get their feet wet in open source, there are thousands of high profile projects out there that could use a patch to scrub PII from their logging, and these are probably simple diffs.
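
Following on from the two comments above (an IP address being personal data under the GDPR, and the suggestion to patch projects' logging), here is an added example, not code from any project mentioned in the thread, of scrubbing client IPs and e-mail addresses from log lines before they are stored. The prefix lengths (/24 for IPv4, /48 for IPv6) and the "keep only the domain" rule for e-mail addresses are choices made for this example, not something the thread or the regulation prescribes; the sample log lines are constructed.

```python
"""Scrub personal data from log lines before they are written to disk.
Added example for this thread; it is not code from any project mentioned here.

Two techniques, shown on constructed Apache/mail-style lines:
  * IP truncation: keep only the network part (IPv4 /24, IPv6 /48), so the
    line still supports per-network diagnostics and abuse analysis without
    identifying one subscriber.
  * E-mail redaction: keep only the domain, so delivery problems can still be
    debugged without retaining the mailbox identity.
"""
import ipaddress
import re

# Loose candidate patterns only; the ipaddress module does the real validation,
# so timestamps like "2018:10:15:32" or junk like "999.1.2.3" are left alone.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_IPV6_RE = re.compile(r"\b[0-9A-Fa-f:]*:[0-9A-Fa-f:]+\b")
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def truncate_ip(text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host bits of an IP address; return non-addresses unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def redact_emails(line: str) -> str:
    """Replace the local part of every e-mail address, keeping the domain."""
    return _EMAIL_RE.sub(lambda m: "[redacted]@" + m.group(1), line)


def scrub_log_line(line: str) -> str:
    """Apply IP truncation and e-mail redaction to one log line."""
    line = _IPV4_RE.sub(lambda m: truncate_ip(m.group(0)), line)
    line = _IPV6_RE.sub(lambda m: truncate_ip(m.group(0)), line)
    return redact_emails(line)


def scrub_lines(lines):
    return [scrub_log_line(line) for line in lines]


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.42 - - [08/Apr/2018:10:15:32 +0000] "GET /article?id=7 HTTP/1.1" 200 5123',
    '2001:db8:85a3::8a2e:370:7334 - - [08/Apr/2018:10:15:33 +0000] "POST /login HTTP/1.1" 302 0',
    "mail.log: delivered to alice.smith@example.org from 198.51.100.7 in 0.21s",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, scrub_lines(SAMPLE_LOG)):
        print(before, "\n ->", after)
```

Truncating at write time rather than on a later cleanup pass matters: once the full address is on disk it is in backups, shipped to log aggregators and visible to anyone with read access, so the "minimal data" property has to be established before the line leaves the process.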


> “Logging all the things” as default behavior really needs to be a thing of the past.

Maybe, but logging useful things is reasonable. We investigate problems with our systems using server logs. We diagnose various security threats, fraud risks and ToS violations using server logs.

We're generally respectful of users' privacy, but we also have a legitimate interest in knowing how our systems are being used and preventing people from doing bad things with them. Those legitimate interests may take precedence over a visitor's right to privacy in some cases, in the same way that you can't tell a government to forget your criminal record or a bank to forget that you owe them money.


What if you have a forum and users of that forum commit a crime, police asks you to give up their data and you say you don't have any data?


> you say you don’t have any data?

And what’s wrong in telling the truth to the police? Sounds great to me. Also, see how Signal responds to such requests.


Presumably it would, but since approximately 0% of businesses that actually do anything could make such a statement truthfully, that doesn't help very much.


> The western economic environment countinually gets more and more structured favouring large firms, encouraging large scale merging, which usually generates the type of large oligopoly companies who most often does the things that cause regulations to get created, then imposed on smaller firms.

This is where socialism differs from communism - in socialism you have big privately owned companies, whereas in communism these are state owned. Everything else is more or less the same. Europe is currently under transition from a group of mostly free, mostly capitalist countries into a full retard socialist authoritarian regime. Regardless of that, GDPR is a very good thing, shame it has only been introduced now and not 10 years ago.


While I agree with your opinion about the GDPR, your analysis of Europe is otherwise plainly wrong. You would be aware of this if you actually followed EU politics (there is currently a strong trend towards right-wing / center politics. Left-leaning parties are moderately out of favour), which you definitely do not have to do. Just try not to spread misinformation on the internet: There is plenty of it to go around already.


Not true; GDPR explicitly grants a large number of rights to the data subject. [1]

These rights include:

* the right to be informed about what data is processed

* the right to access all data gathered about them

* the right to rectification of incorrect data

* the right to receive an export of the data in a common format

* the right to object, to have all data removed, and to restrict processing until further notice

GDPR also requires a data controller to respond within a month, and not charge any fee for this unless the requests are excessive (because they are repetitive). [2]

[1] https://gdpr-info.eu/chapter-3/

[2] https://gdpr-info.eu/art-12-gdpr/


The letter is a nice mix of asks that are specifically covered, rights that might be covered & things that are not covered at all.

In that sense it’s a great way to rattle someone without specific GDPR guidance. But all things being equal, the large orgs that are capable of systematic data collection, are not at all troubled by it & certainly won’t be answering it with direct point by point answers.


Which things that are mentioned do you believe are not covered?


I’m not a GDPR lawyer or auditor, so nothing in this reply should be seen as advice.

My general feel is that if he didn’t cite a specific article it was on purpose. He took implications or broad interpretations for anything not explicitly cited.

A couple that jump out immediately are the requests for server locality information, retention periods & specifics about security policies; those are the ones likely to get a very polite “we conform to industry best practices, piss off” reply.


That's all neatly laid out in article 13. [1]

I'm not a lawyer but having extensively studied all of GDPR recently I'm afraid the letter seems legit. If there's any error it will be a minor one.

[1] https://gdpr-info.eu/art-13-gdpr/


Article 13, to my reading, provides no basis for requiring locality information or security policies. The retention declarations I’ve seen have been legal niceties that don’t answer the question in a way that makes it clear what the retention policy is.

I’m not suggesting that the letter won’t get a response. I’m suggesting there isn’t anything in it that would cause a large organization to send any different a response than if they got a letter written in crayon that said “gives us the GDPR data”.

In that way it’s not a “nightmare” letter. It’s the default thing you pay lawyers for.


Is there anything stopping these letters from being abused like DMCA Takedowns? Just one of these looks like it'd tie up a human worker for days. How much personal information are you going to have to provide to ask for such data? Especially for ".. provide me with a copy .." Does any of this apply to "anonymized" data?


You can charge reasonable administrative fees or refuse to act if the request is "manifestly unfounded or excessive, in particular because of their repetitive character". [1]

[1] https://gdpr-info.eu/art-12-gdpr/


Is a single request like this from a single individual excessive or repetitive though??


I think GDPR intends to protect businesses from "denial of service attacks" through sending many repetitive or bogus requests. A single, legitimate request is definitely not excessive.


So if you get 100000 individual requests is that going to be excessive? There are people organising already to send such requests to various sites.


Unless your PII workflow is bonkers, you should be able to respond to those letters in a mostly automated fashion.

I mean, you do handle your data in a mostly universal way, instead of randomly copying pieces of your database to random parties? Right?


How do you automate checking if the person requesting the data is the person they claim to be? How do you automate reading an email and giving a meaningful response?


I admit I'm not sure how the verification part is supposed to look. For the rest, I assume that if you have a standardized data flow (and don't randomly resell people to different parties), you could automate the part that writes responses, and only have humans read the original mail and check appropriate checkboxes to generate a standardized reply covering all the relevant points.


> Anyone in the EU can send you such a letter, and you have 30 days to reply.

What's the process for authenticating who sent the letter? Seems like a potential new attack vector.


Precisely this. Once you’ve dealt with sensitive data where authentication is required (real life, signatures with witnesses and all), the surface area for attack when it comes to data request is huge if the burden to reply is based simply on an email. Sending an email request is practically free with automation, which provides a nice way for phishers to know where targets store their information. Anyone know of how some companies are authenticating requests?


In Germany you generally need to send a real letter (or a fax) and it needs to contain your signature.

"Authentication" for this is provided by harsh penalties on signature forgeries. Also, you'd only get one single data point and everything really sensitive has address data and they *will* send their response to a known address.


If all information you have about a person is their email (and usage data) then this won’t make a difference though... The GDPR considers even an IP address personal data, even if you have no way to correlate it with a real person. So where does this leave you if you have to respond?

Imagine I’m sending a request for information from a given IP address, requesting all the personal information you hold on that IP. I kinda proved that I’m using this IP and it’s part of my private data... but providing all information on this IP is likely to leak data on other people and there’s no way to legitimate the requester.


An IP address is only personal data in combination with a timestamp or similar time-related information. I don't see an attack scenario where an attacker would gain anything useful.

Note that he's probably still risking jail time over this.


German courts have ruled that IP addresses are personal data. EU courts so far agree. The timestamp is irrelevant.

The GDPR makes anything that can be potentially traced back to a person personal data, it's a much wider definition than PII.

It also means that constructing data sets may lead to personal data being generated out of non-personal data. So even if you only store IPs without timestamp, if you stored timestamps elsewhere and you could reconstruct the IP of the user, you're up for grabs.
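The linkage point made above (separately stored IPs and timestamps that can be joined back together) is easy to check for mechanically. The following is an added example, not code from the thread or from any GDPR tooling: the two tables are constructed sample data, `request_id` is an assumed shared column that makes them joinable, and `decouple` shows one mitigation (replacing the shared key with independently generated per-table identifiers so no join is possible).

```python
"""Linkability check: can two 'anonymised' tables be joined back into personal data?

Added example with constructed data. ACCESS_LOG keeps client IPs but no
timestamps; METRICS keeps timestamps but no IPs. Both carry request_id,
the assumed shared key that makes them linkable.
"""
import secrets
from collections import defaultdict

# Constructed sample data: access log with IPs, timestamps stripped.
ACCESS_LOG = [
    {"request_id": "r-1001", "ip": "203.0.113.7", "path": "/login"},
    {"request_id": "r-1002", "ip": "198.51.100.23", "path": "/account"},
    {"request_id": "r-1003", "ip": "203.0.113.7", "path": "/orders"},
]

# Constructed sample data: latency metrics with timestamps, no IPs.
METRICS = [
    {"request_id": "r-1001", "ts": "2018-04-08T10:01:12Z", "latency_ms": 120},
    {"request_id": "r-1002", "ts": "2018-04-08T10:01:15Z", "latency_ms": 340},
    {"request_id": "r-1003", "ts": "2018-04-08T10:02:03Z", "latency_ms": 98},
]


def shared_keys(table_a, table_b):
    """Column names present in both tables; each is a candidate join key."""
    cols_a = set().union(*(row.keys() for row in table_a))
    cols_b = set().union(*(row.keys() for row in table_b))
    return sorted(cols_a & cols_b)


def join_on(table_a, table_b, key):
    """Inner join two lists of row dicts on `key`; returns merged rows."""
    index = defaultdict(list)
    for row in table_b:
        if key in row:
            index[row[key]].append(row)
    merged = []
    for row in table_a:
        for other in index.get(row.get(key), []):
            merged.append({**row, **other})
    return merged


def reconstructed_personal_rows(table_a, table_b):
    """(ip, timestamp) pairs that reappear after joining on any shared key.

    That combination is what the thread treats as personal data under the GDPR,
    even though neither table holds it on its own.
    """
    hits = []
    for key in shared_keys(table_a, table_b):
        for row in join_on(table_a, table_b, key):
            if "ip" in row and "ts" in row:
                hits.append((row["ip"], row["ts"]))
    return hits


def decouple(table, key):
    """Mitigation: replace the shared key with a fresh random identifier.

    Identifiers are generated per table and never shared, so rows can still be
    counted or grouped within this table but no longer matched to another one.
    """
    out = []
    for row in table:
        new = dict(row)
        if key in new:
            new[key] = secrets.token_hex(8)
        out.append(new)
    return out


if __name__ == "__main__":
    print("shared keys:", shared_keys(ACCESS_LOG, METRICS))
    print("reconstructed:", reconstructed_personal_rows(ACCESS_LOG, METRICS))
    print("after decoupling:", reconstructed_personal_rows(ACCESS_LOG, decouple(METRICS, "request_id")))
```

Running it shows the three (ip, timestamp) pairs recovered from two tables that each looked harmless alone, and an empty result once one side's key has been decoupled. Dropping the key column outright from whichever table does not need it is the simpler alternative when per-row correlation is not required.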


> Note that he's probably still risking jail time over this.

I feel like most criminals are OK with that.


Do you have a source of that?


I dream of the day that I can ask various companies to delete every piece of data they have about me.


I dream of the day that I can discover the various companies who have any data about me...


Agreed, sadly there’s no chance for the US to get this for the next 2.5 years at a minimum.


And you really think that they will? You will pretty surely get the following response:

ok -- hidden in their database -- (date_deleted = now()) fixed.


That's exactly what GDPR is for - I can be somewhat sure they'll delete it, and if I'm wrong and they do what you described, I'll laugh hard as they bleed money when discovered.


Yeah, the companies I know of who are implementing "right to be forgotten" because of GDPR are taking it 100% seriously and going through, in some cases, significant pains (dealing with legacy systems) to ensure compliance.


Well the problem is who will control it? Angela Merkel? Manuel Macron? Oettinger - the European Commissioner? Seriously.. nobody will control.

