For a recent project I read (and translated to plain English) every single article in the GDPR legislation and for our purposes it can be summed up as:
"Treat user data like names and emails as if they were credit card numbers"
AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.
Obviously that's not the entirety of it, but as a working mental model I think it goes a long way.
1 - https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...
The alternative is to only collect data that is strictly necessary to provide the service. In that case GDPR allows you to collect the data even without explicitly given consent – according to GDPR in that case the user can reasonably expect the data to be necessary to provide the service. (This does not apply to sensitive personal data and biometric/genetic data – then you always need consent.)
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement." 
"Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." 
This is more nuanced than it appears, as it is balanced against the firm's right to conduct business.
If you're generating leads by providing a whitepaper, then realistically you're not going to be penalised for saying "you need to consent to receive our newsletter to access this whitepaper".
On the other hand, an airline saying "you can only book a flight on our plane by consenting to us sharing everything we know about you with loads of third parties" would be frowned upon.
Our GDPR lawyer at least has advised not to ask for consent, since it is difficult to establish whether it was given, and has not been withdrawn. It's easier to rely on legitimate business use and NOT ask for consent, as long as it genuinely falls into that category.
Can such a publisher claim that collecting data is strictly necessary to provide the service? With a threefold difference in ad revenue, that could actually be the case.
* it must be reasonable from the user's perspective
* there must be no alternative; you cannot achieve the goal (your "legitimate interest") without it
* it must be balanced with the rights of the user, and not infringe on their freedom or fundamental rights
* if your "legitimate interest" is direct marketing, the user can always object, and you are required to actively inform the user of this right
See also 
If you can provide a service strictly devoid of the PII it means there is no logical necessity for PII.
You can't provide a call-waiting service without a phone number, but you can provide a mail-redirection service without one. Even though it makes it easier to administer when you have a customer's phone number, you can strictly provide (and bill/administer) the service when that information is absent.
While I agree with your comment, I suspect that for any given law firm, paramTotalHours_Billable(SubjectID = necessary) will be a much larger value.
You mean just create a checkbox somewhere that people click without thinking about it?
I have no idea what I am consenting to when I "agree" to all the EULAs.
Most sites' approach to credit card numbers is to not touch them with a barge pole, have a third party receive them instead and never let the business have any sight of them, so it's a bit of a stretch to expect the same treatment for a customer's name and email address.
If Google and Facebook see everything because of oauth, we can ask them what data they have and tell them to delete it, but they won't be deleting whatever models they've been training about us.
Neither Google nor Facebook own OAuth, they just have very non-compliant implementations that force everyone to treat them as special.
Most sites are incapable of receiving, storing and handling credit card numbers. This is because the staff building the service either lacks the technical knowhow or the organizational wherewithal to deal with the problem in a successful way.
Why should it be any different for emails, names, usernames or passwords (because end users re-use those)?
If everyone starts acting like this data is important (it is) and valuable (it is, and that might decrease with the passage of this law) - we might just get to a better place. In the absence of regulation companies will get away with whatever they can - ethics be damned.
Would filtering out EU IP ranges be sufficient, or does this also apply to EU citizens traveling outside of the EU?
The referenced page says that asking users to provide a birth date isn't sufficient proof that they're over 16 years of age; how should one verify age for something like an IRC bot?
---- begin quote ----
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
---- end quote ----
Based on this, it looks like for GDPR to apply to an establishment in regard to a particular person, at least one of those two parties must be in the Union. An EU citizen traveling outside the Union dealing with an establishment that is not in the Union appears to not be covered.
> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.
Are Dutch citizens in Oklahoma protected by Dutch narcotics laws? Of course not. They are subject to the jurisdiction in which they are physically present.
A US citizen can be subject to US laws overseas; however, that’s between the American and the US government — the intermediary country has no involvement unless it’s an extradition request.
This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU. The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.
- banks all over the world have to ask their customers if they aren't American, when signing up for an account. Even a local bank in rural Poland, which couldn't care less about international markets, has to now ask people to explicitly confirm that they are not American citizens
- if you're doing a security offering, and you happen to sell to an American, even if they live in Europe, and you're blocking IPs from the U.S., you have to follow the US regulations as well
And yes - it is kind of shitty, but the EU wasn't the one to start a trend of applying local laws on foreign soil.
I'm no expert, but I thought on the whole the constitution has nothing to do with citizens -- it's a list of rules that the US government must follow. It certainly has no hold over the German government.
> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.
If you, as someone who breaks the conditions in the GDPR, have nothing to do with the EU, then you're fine.
However the GDPR applies to you, an American citizen in America who's never been to the EU, just as the DMCA applied to Dmitry Sklyarov, a Russian citizen who had never been to the U.S.
Sklyarov's charges were dropped in a typical American plea bargain:
"Mr. Sklyarov agreed to cooperate with the United States in its ongoing prosecution of Mr. Sklyarov’s former employer, Elcomsoft Co., Ltd. Mr. Sklyarov will be required to appear at trial and testify truthfully, and he will be deposed in the matter. For its part, the United States agreed to defer prosecution of Mr. Sklyarov until the conclusion of the case against Elcomsoft or for one year, whichever is longer. Mr. Sklyarov will be permitted to return to Russia in the meantime, but will be subject to the Court’s supervision, including regularly reporting by telephone to the Pretrial Services Department"
I see nothing about jurisdiction there.
The US has pushed the world around for a long time; the world is pushing back.
This is true. GDPR would only apply there if they were "offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the European Union". 
This is understood to mean they must be marketing to the EU, for example by offering their site in European languages (apart from English), using European currencies, or using a European domain.
If a small hotel in California had a French language information page, that doesn’t make that hotel subject to an EU law. If I am wrong, then where is the case law? Where is the legal precedent?
(And - case law? Not really a thing in most countries executing the GDPR.)
You are the only person who has this view. EU citizens are subject to the local laws of whatever country they reside in. However if they are interacting with an EU company then GDPR applies to that company, no matter where they reside. But an EU citizen living in America and using an American service has no GDPR protections. Just like they have no EU right-to-work protections if they decide to work in America. GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.
There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable. As the grandparent was pointing out, any country can now make any law where if any of their citizens access some internet service wherever in the world, somehow their laws magically apply to everybody in the world "doing business over some fiber".
I don't think so.
If you are doing business with people in the EU, then you have to be incorporated or otherwise have agreements (explicit or implicit) with the EU countries you are doing business with. GDPR applies to you or you will no longer be able to do business with the EU. If a company wishes to not have its ability to do business with the EU revoked, it has to comply with GDPR (including its fines) as well as all other EU (and local) laws.
I really don't understand how this concept is difficult to grasp. Countries give you permission to do business with them -- if you break their laws they can revoke your ability to do business with their residents. Most large companies would probably lose much more money breaking off ties with the EU than they would complying with GDPR fines. If you continue to violate a country's laws you could be extradited and so on.
> somehow their laws magically apply to everybody in the world "doing business over some fiber".
If you are providing a service to a group of people, for money, then you are doing business with them. Pretending as though this is not the case just because the process is conducted through under-sea fiber cables rather than mail couriers is ridiculous.
While most of GDPR is common sense and shouldn't be much of a burden on companies, I was always confused about jurisdiction. While most larger companies have a legal presence somewhere within the EU that can be held accountable for this, I do wonder how the EU is supposed to enforce penalties on a company outside of the EU.
Well, the difficulty grows the larger your company/product is, but chances are you have more resources available to dedicate to it anyway.
Realistically, they can't and won't unless it's a very large scale that's worth pursuing, for a multi-national corporation with enough money to pay a big fine. If a company is not doing business in the EU, not selling into the EU, they can of course entirely ignore the GDPR.
In the case of a large company that sells into the EU, and refuses to obey GDPR, what you'd likely see is the EU pursuing that company on its domestic turf legally. A company out of NYC for example could be pursued in a court there for fines related to GDPR violations. The larger those violations, the more likely it'd be pursued by the EU across the Atlantic. This is how it works already; there's a lot of international business precedent. The stronger the legal system in the home country you're pursuing the multi-national into, the better for the EU's case.
If I set up a business in Germany, dump large amounts of toxic waste and cause very costly environmental damage, and then (somehow) quickly flee the country leaving no assets or business behind - but back in NYC my company has vast assets, you'd find the company pursued from Germany to its home in NYC for those damages. They still have to win the case of course.
The EU fortunately wasn't dumb enough to attempt a global claim on regulating privacy. They pushed the line pretty far, but did not cross their own boundaries. I think they fully understood there was no scenario where the US and China (40% of the global economy) - or frankly most nations - were going to care about EU law projections external to its jurisdiction.
IANAL but I can imagine a similar situation happening with GDPR.
In addition, authorities could for example seize local servers in the case of non-compliance. In many EU countries including Germany, data privacy violations can also be prosecuted as criminal offenses.
All of this is nothing new, it's been working like that for centuries, back when business correspondence was still on old-fashioned paper.
I used to think protectionism was stupid, but after seeing how The Great Firewall is working out for China and their services, I’m not so sure anymore. The big problem with any inbound restrictions is retaliation, but if you can manage to make a country restrict exports themselves, well, yes please!
I’m looking forward to seeing EU competitors flourish.
Since visiting China I’m convinced TGF is about protectionism as much as it is about filtering. Internet to any non-China service is terrible and unreliable. The result is simply you can’t depend on it, so you choose a Chinese provider. This has clearly worked out very well for some of their companies!
Could you please block my IP address as well: 22.214.171.124
If you feel that being responsible with my personal information and metadata is not worth the trouble, then I don't want to accidentally ever use whatever service you maintain. Thanks.
That doesn’t mean that sites that haven’t gone to the expensive lengths required under it are going to expose or abuse your data. If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies that are large enough to afford scores of attorneys to advise them on how to comply.
Why should I trust a US business with my personal data when I can give it to an EU business that will face harsh punishment for doing bad things with my data (the US seems to have no problem with large corporations losing millions of user data entries as long as the big CEO says "oops, sowwy!")?
That is a terrific idea, thank you. In fact, for sites that require providing much information (email providers, etc) I'll start doing just that. Though HN does not require much data, I will review how the site intends to deal with GDPR.
Being responsible with someone's personal data is inherently difficult, expensive, onerous and uncertain.
The idea that handling personal data wasn't already all of that is exactly the abuse that got us where we are today.
Ignore Europe if you like. Just be aware that you are allowing your competitors to gain an uncontested foothold without having to fight for it. Once they are the incumbent in the European market, they will be hard to unseat, even if you change your mind later.
It was useless in the sense it was trying to play nice. It was a gentle call for the industry to self-regulate. The only problem with that law was how naïve it was.
Go ahead and block the whole European IP range. See if we care.
And then everyone put it up "just in case" or "because the law says all cookies". (Of course some smart people figured out that local storage is not a cookie and the law only covers cookies, at least what they gather from hearsay instead of checking the actual text.)
But tbh, I'd prefer US services IP blocking European users. It'll encourage EU startups to fill the gap and they will have the privacy regulation of the EU as a marketing bullet point over any US company, e.g. "In the US privacy is a pinky-promise, for us privacy is law".
This privacy thing is, like, their option, man. Even if you and I agree with the EU.
"Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed....the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR."
With regard to enforcement....
"...EU regulators rely on international law to issue fines. Written into GDPR itself is a clause, stating that any action against a company from outside the EU must be issued in accordance with international law."
Most US states have adopted the Uniform Foreign Money Judgments Recognition Act (UFMJRA), which allows for judgments issued by foreign courts to be domesticated. Once that is done, the judgment carries the same force and effect as if it were originally issued by a US court.
Think about it. If it was true, then the entire global legal system would get very chaotic.
Frankly, the political agenda by people telling these lies is quite tiresome.
Just ignore them.
In which case would you think it's alright for any site to not protect, say, a user's home address?
And what are the "many ways" you can "accidentally run afoul of this law while still protecting user data"?
It's hard for me to grasp.
I'd like to see a complete and concise list of exactly what needs to be done to comply with GDPR. Everything I've seen so far has been vague legalese open to subjective interpretation. Pretty scary when the punishment for an incorrect interpretation is a 20M EUR fine.
A lot of us who admire what the EU has the courage to do - and wish that the US had half that courage - would rather disappear from everything but European websites. What many US corporates have done, and are doing, is rotten to the core. It is demonstrably destroying the internet that so many of us spent time bringing to life, and had so much hope for.
I suspect that if someone with some balls and power suggested corralling all US trackers and data brokers - along with companies trying to turn the net into a shopping mall - into a single domain outside of which they could not operate - most Americans would applaud. The EU has done some of what it could, and cheers to them for having the courage to serve their citizens. Wish I was among them.
So EU traffic means nothing to any of the above example sites, yet all of them will be massively exposed under the GDPR. If I ran a web hosting company, I’d offer EU IP blocking as an optional, free service.
You need to have new procedures for obtaining, storing, using, and deleting customer data. This is known as a "code of conduct". You need sufficient logging to aid incident analysis too.
I also think a lot of companies are entering a bit of panic mode because there is no clear guideline on what is sensitive data. If you make a booking system, then everything you store is potentially sensitive if you have end user data in it. If you're making IoT devices for the home with cloud access, then you have sensitive data.
The conclusion we've reached is fairly simple. If there is even a remote chance that normal day-to-day use of our systems contains data that can be used to build a profile of a user, then the system's data is considered sensitive.
Which includes IP addresses and seems to extend to things like email addresses and usernames.
How this will end up affecting functionality and implementations of online services is not yet clear, at least to me.
Could you make it a git repo so we can field alterations, additions and discussion?
If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this. So it's hard to imagine how many readers of HN are getting their answers on HN (or similar). If you are small time nobody is going to come after you. Sure something could happen and you could also get a traffic ticket going 57 in a 55 zone and a host of other outlier events.
> AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.
One-size-fits-all advice doesn't make sense in this and in other similar cases. You will spend a great deal of time and effort dealing with 'maybes' instead of the day to day.
You'd be surprised. GDPR is vague enough and just open to interpretation enough that there are many different companies interpreting it in many different ways. I'm a consultant and I talk to many multi-nationals and all of them have their own spin on it. Especially around the "except when necessary for security purposes" section. That right there is broad enough that "security purposes" can mean almost anything as long as you make sure your security team has access to that data.
Either way, you shouldn’t be doing it out of fear. You should be complying for practical business reasons:
1. This is how you should be treating personal data.
2. In exchange for complying with GDPR, you get access to a market of >700m people. If you’re a service provider, it’s illegal for any EU business to be your customer without GDPR compliance.
The EU and politicians are anti-UX; they have no clue about the effect of their laws on people.
"The first place" would be not collecting it, an option that companies are seriously considering for nonessential data that they previously collected merely because it was convenient and accepted to do so.
Fixed that for you.
Usually commas aren't important, but that specific sentence really suffers in readability without it.
No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions). The reason all this data got collected, was to try to make the advertising valuable enough that they could sell it. It may be that it never really worked, but it sure won't work without it. I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent (because people consider those websites too valuable to do without), but most other advertising-supported media cannot; or they will see that the long-term impact of this is that it accelerates the current death spiral of newsmedia, as all ad spending goes to Google and Facebook and almost no one else.
I leave it as an open question as to whether this would be a good or bad thing.
We have publicly funded broadcasters in most EU countries. The ad-supported news sites, on the other hand, are generally doing more harm than good.
News outlets existed before the web, so they're not going to be threatened by breaking the ad-supported website model. If anything, the traditional newspapers will be saved by this, because if free online news disappears, people will start buying newspaper subscriptions again.
> I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent
They can't. The consent has to be for a specific purpose.
You may be happy with the state sponsored options now, but will that always be the case? Would you feel the same if you were living in the Soviet Union or Germany circa 1940?
I trust state paid media in the EU, way more than any US news media.
The reason why most EU countries have state paid media is so that it's non-commercial, non-partisan, and can't be bought. There are different principles in place, so the government has no say in what is broadcast/not broadcast. This also means that all political parties get the same amount of exposure etc.
The problems with Fox News and Sinclair aren't based on advertising, they are based on ownership. State sponsored media isn't going to be any better under an autocrat and will in fact be worse than the situation in the US because there may not be any other options.
Those are three publications that have sent shockwaves around the world with their privately-funded investigative journalism.
What I dislike about all news sites is that they are inconsequential. They throw sooooo many different news items at you that it really does not matter. Today's outrage will be quite forgotten two days later, or two weeks if it was something really bad. They should instead follow a few selected topics long-term and investigate what happens, and point readers to ways to effect a change. That means not reporting on each and every little thing as extensively any more but instead focusing on a few things over a very long time. Just being fed thousands of news stories is McNews - you get short-term satisfaction and a feeling that you stuffed something into your brain, but it feels hollow quickly because it's not very nutritious.
And don't get me started on all the Russia hype; one would think those guys in their largely poor third-world country have capabilities far beyond what the orders-of-magnitude richer West does (I speak some Russian and was there a few times, also in Ukraine). That all the media jumped so willingly on this wagon is quite amazing. Note that I don't doubt they (the Russians) did most of what is claimed, but when, for example, sums of money spent for the campaign are mentioned it's so little that it's obvious it could not have had a significant impact, at least not on the scale fitting the amount and the tone of the reporting. What is also missing is that they take the opportunity to talk about the many ways the US and the West have influenced the internal politics of other countries. For controversial topics they usually try to give such views some room, but Russia seems so incredibly overblown and one-sided to me - so impossible, and it all looks like that recent video about Sinclair where they all say the exact same things and one can see not much effort went into that reporting. I don't know, it all feels very weird - and very wrong, like when you put on very strong glasses and the world looks weird.
Not well, and I'd add MSNBC to that list, however much I may be a dirty pinko who agrees with their editorial stance. NPR and PRI do what they can, but I really wish we had something like the BBC here, with non-corporate funding and a remit to report current events.
I’m currently more concerned about private media having an agenda that promotes the right.
(As a sidenote because it's confusing for people from both sides: In Germany we differentiate between taxes which end up in the general budget and can be used for everything and fees which are purpose-bound from the moment of collection, e.g. in this case the levied money must be used for broadcasting. This differentiation is not common elsewhere.)
Of course, sometimes fees and fines can be seen as "stealth taxes" when they intrude too far into everyday life, particularly when state monopolies are involved. For example, the cost of First Class postage with USPS is technically a fee for an optional service, but the USPS monopoly on First Class letter delivery makes it at least partly a tax, to the extent that another carrier might have provided the same service for a lower price in the absence of the monopoly.
In Germany that may be true, but I was speaking of the US, where the terms are used differently. There is no expectation here that "fees" can only be used to defray the cost of providing specific services.
But I'm guessing that it's the same in Germany. They call them "fees" but they're really taxes. Except that they can't be used for other purposes.
If all your eggs are in one basket what happens when something goes wrong with that basket?
Anyhow, newspaper advertising isn't personally targeted by tracking readers, so it's a lot more palatable.
That's a direct result of online advertising eating most of the advertising dollars, making the big papers less valuable advertising venues. Cut off the things that make online advertising uniquely valuable, like the flow of personal data that enables far more focussed targeting, and that’ll shift back.
> Anyhow, newspaper advertising isn't personally targeted by tracking readers
No, instead it's targeted by every business decision of the paper ultimately being made against a backdrop of how it impacts the paper's size and demographics of readership, which is how it sells itself as an advertising venue, which ends up with the major media all being crafted to narrowly appeal to the most valuable advertising audience.
To get the most ad revenue they need to cater to the majority. See e.g. clickbait. For stable income, finding a group and catering to their opinions/narratives is also an option, and is also not independent news. See e.g. infowars. Finally, to get any ad revenue, they need ads. Unlikely many corporations will run ads on anything that is perceived even slightly controversial nowadays. See e.g. YouTube.
Non-EU media would still exist.
Several UK media outlets use paywalls already, presumably they too would remain.
Strong emphasis that I'm not equating those to your examples. Rather, pointing out that even a subtle version of undesirable or extreme politics can lead to a similar concern.
Given the wild political swing going on in about half of Europe, it's a legitimate concern today, no need to look back 80 years. Not to mention persistently growing censorship and criminalization of speech in more liberal countries such as France.
There are other private TV outlets in those countries in the EU and this legislation will not change it. Let's stop being paranoid and portraying legislation that should protect our privacy as something that will destroy democracy.
They will thrive even more :(.
Fun fact: oligarchs in Greece have been doing this to their own country for financial gain for decades. Most Greek newspapers are mouthpieces for the interests of the great families.
We're also seeing very concerning trends in the readerships and profitability of print media (because of the Web, many think). So I don't think you can use the "News outlets existed before the web" line, without much more justification.
I doubt it. Cryptocurrencies seem to be terrible for micropayments.
Any sources for this? I don't think this was the case at all at least in my part of Europe.
Why is it "very concerning" (assuming no financial interests) that a legacy form of media is struggling to dominate in terms of profitability?
That would be a terrible dependency for Eastern Europe; you wouldn't want Putin-friendly government media teaching people what to vote next.
Why am I not surprised that a European is saying that the government-backed "broadcaster" are all so good, and evil private American new sites are bad.
This pretty much sums up the real agenda behind GDPR.
It would be better to call the bluff of these EUrocrats and see what they'll really do. Other countries can retaliate.
You are not surprised because you have a gigantic filter in your head that turns everything into exactly what you already expect regardless of what it is. The second part of that sentence makes it quite clear what your mindset is.
Nowhere in that comment can I find a reference to American (evil) news sites. There are more than enough private news sites based in Europe, so I wonder why you are so hell-bent on making this an EU vs US thing.
Most EU residents will read news in their own language (which in most cases isn't English).
Every time the EU implements some law or regulation regarding control of personal data and privacy, someone (an American) has to dismiss all the problems those laws are intended to address entirely, and go on to post some defensive, nationalist spiel about it being an attack on US companies.
Perhaps the problem is that these companies make their money in an incredibly unethical way that an increasing number of people are very uncomfortable with?
Stop turning this into something it isn't. All you are doing is poisoning the debate.
Personally I'd love to have most media completely in the dark about visitors, to solely speculate on the quality of their own content. The only metric they need is daily visitor count. Everything else can be shaped by type and quality of content. A great example is HN where we have a very targeted audience due to the content it serves. It obviously also has some sponsored articles but also the indirect benefits it has on new startups and so on. Just treat it as TV marketing and not a per person customized monetization strategy.
As someone who works in media: I'm sorry, what? Publishing is certainly not more lucrative than ever, and publishing online now is a far worse business than publishing a physical newspaper pre-cable TV. The proliferation of outlets is due to lower barriers to entry and less need for capex. Plus a little bit of VC optimism.
Everybody seems to be joining the race to the bottom by delivering more questionable content for 2 more clicks per day instead of relevant articles and real journalism.
Also, not to step on anyone's toes, this obviously doesn't apply to every individual, however a large majority seems to be doing it. This also makes it hard for the good guys to prevail I guess.
Why do you think so? I don't see the clickbait industry seriously affected. They churn out a ton of crappy content which costs almost nothing to produce (at least if compared with reputable journalistic work), monetize it with low quality ads for shitty CPM rates, but as long as part of their content goes viral, tons and tons of pageviews allow them to balance everything.
GDPR changes nothing in this business.
GDPR in my mind influences this indirectly in the long run. It's not like it will kill fake news the week after.
The simplest solution is that newspapers host the ad on their own server as a .png or .jpg that gets shown to all visitors. It's tracking free and GDPR compliant.
None of the hundreds of suppliers we use are truly ready, and how would they be? It took 45 years to build this tech, you can’t just replace the innards in a few years. Estonia is the only country that is close to ready, and that’s mostly because they’ve built their entire system with a focus on sharing and securing data. Nobody else has anything close to it.
It’ll be interesting to see how this plays out in the courts. I mean, keeping privacy data safe should be an important concern, but do we really want to close hospitals and schools because we can’t afford to pay the fines when it fails?
To add to this, the quote paints complying with the legislation as a simple redesign. It would require much more than a redesign. The technical, administrative and legal costs of implementing the new system from scratch would be magnitudes higher than implementing the current system from scratch. And add on changing requirements as the legislation is in its infancy.
Let's face it, despite social media being a great enabler for realtime news the quality of news is sub-par. The biggest bane of social media is the transfer of responsibility of filtering real news from a firehose of fake news, to the end user. Until that issue is solved people are going to probably pay for news. This is just my speculation of how things might go after GDPR.
What makes privacy-sensible internet newsmedia nonviable might very well be the much more profitable spying on the client. If regulation makes that competition illegal, and demand for news is unaffected by GDPR (and why wouldn't it be), then it becomes more difficult for advertising companies to find newsmedia that provide that extra illegal profit-taking sugar, so they will go back to more traditional advertising plans. This, in turn, will make newsmedia's lives easier in regards to finding advertisers that do not demand spying on their readers.
At the end, sellers still need to advertise, providing ads supply, and readers still demand free newsreading, providing ad demand. The market still exists.
> No, it will basically make a newsmedia site unprofitable.
Another point to consider is the need for news or just for some brain filler: I am puzzled by the apparent inability of many today to be alone and in silence. As if then some thought that they cannot be comfortable with starts to be loud enough to be heard.
The "we" is where you have a problem.
Is there any evidence for this at all?
Telling a person "if you install this they'll stop tracking you in some abstract way" is way less effective than "install this and you won't have to wait to watch YouTube videos."
Exactly the reason I installed an ad blocker. If YouTube had released their Red subscription in the UK I might never have installed the blocker (actually probably would have eventually, but later than I did)
There's dozens of us! Dozens!
But more seriously, there's actually lots of us. You don't hear about us because we don't narcissistically post about it on facebook. We just block shitty software and move on with our lives.
I have no stats for you though, because stats are usually collected through third party trackers, and I block them all, so I'm never represented in anyone's metrics. Based on some rough stats like these and my own experience, I'd guess something like 1-3% of the population in western countries.
ad and tracking blockers:
I'm mostly blocking trackers.
uBlock Origin is 2nd and rising in popularity and it blocks trackers by default.
Both they (and others) depend upon the EasyList collection of URLs/regexes, etc. to block out sites and includes
An example of this mindset:
In fact, I want to whitelist certain websites (a dozen or so) to continue seeing ads, but I don’t want to because I know that they are likely using Google for their ads and I don’t want Google’s little grabbing hands tracking me.
For users I deal with, I do it as a preventive measure - I worry about phishing/spearphishing and other email vectored attacks, compromised websites, and the risk of a compromised ad network where even if something malicious is killed in minutes it could still reach tens of thousands of people.
And I still get AV alerts at least a couple times a month where the AV has blocked access to something that's recognizably part of a remote access scam.
No, outside of a few echo chambers, no one cares about privacy or knows what GDPR is. Until GDPR shows everyday on the evening news for weeks it will not be well-known, and there are many things more important to most people than online privacy. Heck, Cambridge Analytica was only a scandal because the "bad guy won".
I think we've crossed that point a few months ago in Europe. Last year I felt I was probably the only one of my real-life friends who even knew what GDPR was. These days, I see streams of articles about it on social media, aimed at non-technical people. Hell, last week my SO told me she started receiving GDPR-related e-mails at work from companies that are in business with her place.
I feel people do know. Unfortunately, I also fear they only think of it as yet another random EU regulation thing, and not realize the benefits it'll bring.
Not only do the site owners not even know that the site contains these things, if they do, they don't even realize the extent of data collection going on. I had a chat this morning with an owner like that. The site runs GA (they didn't know), the site runs ShareAholic (which they said wouldn't be a problem as they only use it to see in aggregate where their site visitors come from).
They never made a distinction between what data their site provides to these services through scripts or cookies, and what they themselves then get/use through the service provider.
This is not a special case. There are probably millions of these little business sites out there.
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from....
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
Then, once you've replied, they can request deletion of any or all of that.
If you send that letter, expect to receive a standard response/report of data with a form response that politely & legally amounts to “piss off”.
Large organizations have considerable resources set aside to make sure their “piss off” letter is legally defensible & GDPR compliant.
That letter is likely only a problem when selectively used by a malicious actor against a small organization. Frankly not the kind of org that is systematically tracking personal data.
Which is what is so annoying and economically destructive about regulations like these that are broadly applied to all companies, especially on the internet where single person companies are very popular. They are designed in a vindictive way against large companies like Facebook or major online retailers who burned customers due to minimal information security investment.
But they so often ignore the reality of the burden it places on small firms who account for 90% of businesses and 50% of employment, who can't afford lawyers or the legal risks of a 'piss off' letter.
The western economic environment continually gets more and more structured favouring large firms, encouraging large scale merging, which usually generates the type of large oligopoly companies who most often do the things that cause regulations to get created, then imposed on smaller firms.
If Japan's economy is any indication we do not want a state-heavy economy where big companies are the only sanctioned winners and smaller companies are heavily disincentivized by the state (whether indirectly, by side effect, or overtly).
If not having these laws created isn't an option (seemingly impossible in an administration-heavy org like the EU), I then hope someday these regulations start being structured like progressive income tax using size minimums or are contained to specific industries where it's clearly a problem (both of which would apply well to minimum wage laws for example). So laws are pinned directly to a specific problem area justifying the heavy-handed state intervention, not just blanket laws on everyone.
Basically you need to make sure you 100% know what data you collect (including any third parties) and make sure you have a good reason to collect it.
Honestly most of GDPR should be considered "common sense". It's just that many corporations actively act against the interest of individuals they collect data on, and it's precisely these practices that GDPR tries to correct.
You likely have a reason to log that data but GDPR requires that you document it.
Further it reaches into your business even if you aren’t trying to do business in the EU, as EU citizens can come to your site without your control.
There is a lot to like with GDPR but it absolutely is expansive & easy to have many interpretations.
If anyone wants to get their feet wet in open source, there are thousands of high profile projects out there that could use a patch to scrub PII from their logging, and these are probably simple diffs.
Maybe, but logging useful things is reasonable. We investigate problems with our systems using server logs. We diagnose various security threats, fraud risks and ToS violations using server logs.
We're generally respectful of users' privacy, but we also have a legitimate interest in knowing how our systems are being used and preventing people from doing bad things with them. Those legitimate interests may take precedence over a visitor's right to privacy in some cases, in the same way that you can't tell a government to forget your criminal record or a bank to forget that you owe them money.
And what’s wrong in telling the truth to the police? Sounds great to me. Also, see how Signal responds to such requests.
This is where socialism differs from communism - in socialism you have big privately owned companies, whereas in communism these are state owned. Everything else is more or less the same. Europe is currently under transition from group of mostly free mostly capitalist countries into full retard socialist authoritarian regime.
Regardless of that, GDPR is a very good thing, shame it has only been introduced now and not 10 years ago.
These rights include:
* the right to be informed about what data is processed
* the right to access all data gathered about them
* the right to rectification of incorrect data
* the right to receive an export of the data in a common format
* the right to object, to have all data removed, and to restrict processing until further notice
GDPR also requires a data controller to respond within a month, and not charge any fee for this unless the requests are excessive (because they are repetitive). 
In that sense it’s a great way to rattle someone without specific GDPR guidance. But all things being equal, the large orgs that are capable of systematic data collection, are not at all troubled by it & certainly won’t be answering it with direct point by point answers.
My general feel is that if he didn’t cite a specific article it was on purpose. He took implications or broad interpretations for anything not explicitly cited.
A couple that jump out immediately are the requests for server locality information, retention periods & specifics about security policies; those are the ones that are likely to get a very polite “we conform to industry best practices, piss off” reply.
I'm not a lawyer but having extensively studied all of GDPR recently I'm afraid the letter seems legit. If there's any error it will be a minor one.
I’m not suggesting that the letter won’t get a response. I’m suggesting there isn’t anything in it that would cause a large organization to send any different a response than if they got a letter written in crayon that said “gives us the GDPR data”.
In that way it’s not a “nightmare” letter. It’s the default thing you pay lawyers for.
I mean, you do handle your data in mostly universal way, instead of randomly copying pieces of your database to random parties? Right?
What's the process for authenticating who sent the letter? Seems like a potential new attack vector.
"Authentication" for this is provided by harsh penalties on signature forgeries. Also, you'd only get one single data point and everything really sensitive has address data and they will* send their response to a known address.
Imagine I’m sending a request for information from a given IP address, requesting all the personal information you hold on that IP. I kinda proved that I’m using this IP and it’s part of my private data... but providing all information on this IP is likely to leak data on other people and there’s no way to legitimate the requester
Note that he's probably still risking jail time over this.
The GDPR makes anything that can be potentially traced back to a person personal data, it's a much wider definition than PII.
It also means that constructing data sets may lead to personal data being generated out of non-personal data. So even if you only store IPs without timestamp, if you stored timestamps elsewhere and you could reconstruct the IP of the user, you're up for grabs.
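As an added illustration (not part of any comment in this thread), here is what the "scrub PII from their logging" patch suggested earlier and the IP-plus-timestamp linkability point above look like in practice: an access-log scrubber that replaces the raw IP with a keyed pseudonym, rounds the timestamp to the hour, drops query strings and user agents, and discards lines it cannot parse. The log format is Apache/nginx "combined"; the key and sample lines are constructed placeholders.

```python
import hashlib
import hmac
import re
from datetime import datetime

# Placeholder key for this example; in a real pipeline keep it outside the
# log store and rotate it, since a pseudonym only links within a key's lifetime.
PSEUDONYM_KEY = b"placeholder-rotate-me"

COMBINED = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

def pseudonymize_ip(ip, key=PSEUDONYM_KEY):
    """Keyed hash: the same IP yields the same token, so abuse patterns can
    still be followed, but without the key the token maps back to nothing."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def coarsen_timestamp(ts):
    """Round a CLF timestamp (10/May/2018:13:55:36 +0000) down to the hour so
    the scrubbed line cannot be joined on the exact second with other data."""
    dt = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return dt.replace(minute=0, second=0).strftime("%d/%b/%Y:%H:%M:%S %z")

def strip_query(path):
    """Drop the query string; it frequently carries emails, tokens or searches."""
    return path.split("?", 1)[0]

def scrub_line(line):
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return None  # unparseable lines are dropped rather than kept raw
    g = m.groupdict()
    out = (f'{pseudonymize_ip(g["ip"])} - - [{coarsen_timestamp(g["ts"])}] '
           f'"{g["method"]} {strip_query(g["path"])} {g["proto"]}" {g["status"]} {g["size"]}')
    if g["referer"] is not None:
        out += f' "{strip_query(g["referer"])}" "-"'  # user agent is dropped entirely
    return out

def scrub_log(lines):
    return [s for s in (scrub_line(l) for l in lines) if s is not None]

SAMPLE = [  # constructed sample lines, not a real log
    '203.0.113.7 - - [10/May/2018:13:55:36 +0000] "GET /article?email=a%40b.example HTTP/1.1" 200 512 "https://news.example/?q=x" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2018:13:58:02 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2018:14:01:11 +0000] "POST /comment HTTP/1.1" 201 88',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE):
        print(scrubbed)
```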
I feel like most criminals are OK with that.
-- hidden in their database --
(date_deleted = now())