Hacker News new | past | comments | ask | show | jobs | submit login
Facebook to change user terms, limiting effect of EU privacy law (reuters.com)
384 points by pwtweet 11 months ago | hide | past | web | favorite | 390 comments



Zuckerberg went to Congress and told them Facebook would support GDPR, as if the only thing GDPR is are just some controls you'd do at the user interface level (and as we learned today, that they're attempting to get around with dark pattern designs [1]).

GDPR is much more comprehensive than that, but most importantly it gives data privacy regulators real teeth to enforce with (fines up to 4% of global revenue).

The only way Americans (or anyone else besides EU citizens) will get GDPR protection is if GDPR-style regulation is enacted into law.

[1] https://twitter.com/zeynep/status/986591125262749696


> that they're attempting to get around with dark pattern designs [1]

The downside with trying to use dark patterns: The courts say "Nah that doesn't count. Ergo you don't have consent, ergo fine!"


All major tech companies are going to make the GDPR tools available globally for fear of accidentally misidentifying someone as not covered by the GDPR. Facebook will not be an exception regardless of what they are saying now.


Yup, I work at a firm where we care about GDPR a lot, and IMO it's wayyyyy easier to implement globally then to cordon off some subset of our users into a different codepath/databasee/workflow.

If FB actually leaves it like this, then they clearly believe that there's a lot more to be gained by not complying with GDPR


The depends on how much easier "wayyyyyyyy" represents. If it is harder to do but protects there use of data to make money enough that the extra effort is worth it, then they'll make the extra effort.

> then they clearly believe that there's a lot more to be gained by not complying with GDPR

This. Though more precisely it is the other way around: they have something to lose by complying globally rather than something to gain by not.

Extracting every last cent out of every bit of data they could possibly hoover up is their business model. I expect they'd be better of telling EU users to go elsewhere than applying GDPR style protections to non-EU users (which they won't do: even if they can extract less from EU users less is presumably better than none especially when network effects are taken into consideration).

> I work at a firm where we care about GDPR

Same here. Our clients use our systems to store a lot of information about their own users and their customers. But unlike facebook that information is not their primary business and source of income.


I hope this is true.


Actually he was asked if Facebook would roll out the GDPR requirements globally and he said they aren't and that America has different sensibilities


Facebook just needs to be gone forever now.


In the long run it would not change a thing. Personal data is a huge business, Facebook demise would just put some smoke and mirrors in the media, then their customers would be sucked in by Google and others, at the same conditions.

Limiting corporations power would be one thing but I don't expect any politician to move in that direction when either they're lobbied/bribed by the same entities they should limit, or face the risk of having their career destroyed (search for "mccarthysm").


Why?


Because:

a) it is not possible to tear it down and start over with good material/intentions/ethics

b) they do not want to change their model, because they are making money from their current practices

c) it is a VERY useful tool for evey government's dark/shady practices (gag order + give-us-everything)(exactly what every dictatorship does)

d) people need to be protected even if they don't understand the risks (e.g. houses are built following a code - even if people don't understand that walls need X material and I-beams need to have Y width).


e) 'Black Mirror' was supposed to be a screenplay, not a business plan


Same for 1984


Edgy


You are assuming GDPR is good. I don’t think so. I don’t want GDRP in the US. The worst abuser of privacy - right now - is the government. I don’t think putting redtapes on startups will solve anything.


Just because we can't limit all players, we shouldn't even try to limit the vast majority of them? I'm not sure I agree with that logic...

Yes, the federal government is as bad (in reality, worse) than you say, but that's no reason to not take action against the thousands of other players that are blatantly following in their footsteps in terms of data collection.


If the government were serious about personal privacy, it wouldn’t mandate the storage of large amounts of personal information by banks on innocent people via KYC/AML laws.

Government is pretending to save people’s privacy with one hand, while forcing private companies to store people’s personal information with the other.


That is a somewhat valid concern, but here in Denmark (EU) GDPR har actually been helpful to highlight some of the data collection by the state, and some of it, has been set on standby or at least been postponed because of concerns (student mental health/well beeing, was so to be registered, and stored on a SSN level “for research”)


In Sweden (before GDPR) some inofficial list of "known elements of problems" or somesuch was kept by some police officers. This was already illegal before GDPR and lead to a lot of problems and news.


It was also racial profiling. Lots of problems, as you said.


Got any articles on that? I wonder what local agencies I could fuck with in my country thanks to GDPR :)


Heh, several EU countries already have FOI laws in place. Together with the GDPR regulation one has a handy and effective combination of tools to reign in governmental abuse. Oh, I’d never imagine I would ever use the word “synergy”! :D


Here is it article for the qouted example. Its in danish https://politiken.dk/indland/art6451755/Minister-uds%C3%A6tt...


> The worst abuser of privacy - right now - is the government

Lol, that could not be further from the truth, you have no idea of the amount of data private companies gather, the government has nowhere near as much data as Facebook, that's why the NSA has programs to incorporate Facebook data, the reason being that it's much better than anything they have got by themselves.


If the government has facebook data plus any other single piece of data then they have more than facebook.


They have more now but only because Facebook gathered all of that, by themselves there's no way they could have the same kind of precision Facebook had.

There's no government program which records your position in real time, your interests, all the messages sent to your friends, the list of your friends, their occupation and where they are in real time, the news you read, all the information you are looking for... All of that in real time with an accuracy similar to Facebook (and aggregated as well, people often forget that most government files are not as neatly organised as Facebook...) . I could go on forever on the data Facebook has, no government program gathered as much as this, it's not even close. Not even the Soviet Union managed to get that much data on their citizens.


"Government can just steal Facebook's data" is definitely one more reason to limit what Facebook can gather and process.


Of course FB was funded by In-Q-Tel, the VC arm of the CIA...


Do you also think that food industry should not be regulated, I mean is it important that rats could walk on your food ingredients as long as users don't know and are happy with the final product? Do you think that food businesses are affected by this regulations and we do not see the a move fast and kill people in the industry?

Same for fire safety,road safety, air transport safety regulations, I am sure that many business people would benefit by ignoring this laws, so let's do what is better for some business people and who cares about society.

Related to GDPR specifically, don't collect personal data that your product does not need, is it hard? Maybe you need to put a bit of effort to be in compliance but if your product is hones then you are fine, if you are not honest and you were collecting data in the hope you maybe could sell it later then I understand why you don't like it,


Rats should only be allowed in the kitchens of startups


You are right, the business could fail but they have the option to pivot and sell rat hide, regulation would harm the possibilities of making money on the back of society.


The European governments are bound by GDPR in the same way companies are. Surely bringing a GDPR-like law to the US would be a good thing?


Data collection for security and intelligence purposes by governments is exempt from GDPR rules, I think.


Oh yes, silly me, I forgot that the government isn't bound by the rule of law. What was I thinking?


And I think you haven't read through GDPR rules.


No it's bloody not.


Article 2d "This Regulation does not apply to the processing of personal data: [...] by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." exempts data collection by gov't for security purposes.

Article 6.1c "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] c) processing is necessary for compliance with a legal obligation to which the controller is subject;" exempts data collection by private parties if ordered by gov't, e.g. if they require communications operators to track subscriber identities or something else, then GDPR consent requirements don't apply.

So I'd say that it's materially true that "Data collection for security and intelligence purposes by governments is exempt from GDPR rules", as long as governments are doing this data collection according to whatever other laws they have passed and not in violation of them (which sometimes has been the case, though, with executive branch doing what legislative branch has forbidden them).


It’s tricky: Law enforcement data collection has its own, separate directive, the LEDP (https://edri.org/data-protection-directive-law-enforcement-l...), which will come into force at the same time.

Member states have argued that intelligence services aren’t covered by EU law (their management is reserved to the member states), but since the basic principle of data protection is embedded in the European Charter of Human Rights, you can argue that EU residents (indeed, everybody) should be protected. It’s just that, unless individual countries write it into their law or a court successfully asserts its jurisdiction, there is nobody to enforce it against the intelligence services.


Better start with baby steps than none at all.


GDPR also applies to government.


The GDPR applies to government agencies as well.


Weird. Libertarians keep on saying that government is less efficient in producing practically all possible services than private sector. Why would that not apply to service "collecting and using private data for gain"?


They do have more info but they're really bad at processing it.


This doesn't mean Facebook should get a free pass. If anything it should get less of a pass because governments love to use the hands of corporations to do what they do (e.g. Hollywood blacklists of communists back in the day, dipping into Facebook's or Google's data stash with a warrant, etc.).

At this point private corporations 'helping' the government is exactly the worrying part because the government at least has some decorum and is keeping up some pretenses and you have to really be in the wrong place, at the wrong time and have an ethnicity that somewhat matches the supposed crime.

Meanwhile with corporations it's starting to look like a free for all between machine learning, big data, hidden internal Terms of Service kangaroo courts and so on. You can get blacklisted, flagged, (shadow)banned and not even know it. And then government or other corporation buys that Big Data DB and real fun starts.

If the government actually wants to capitalize on the data it has there is a lot of instant red tape applied. You can't just get arrested, told you're a terrorist and put in jail for 10 years with 0 process, 0 appeal and 0 documents (well, except with Gitmo but it's a special case).

Meanwhile the corporations can turn you into a functional half-leper in the modern increasingly online society and deny you business arbitrarily (or even secretly) as hell because their deep learning said so (and what they feed in there, what comes out, who made it and how - you don't get to know that), they don't care enough to admit a mistake and the most appeal opportunity you get is customer support ran by lobotomy patients. There's 0 recourse to being shadowbanned, hellbanned, blacklisted, whatever, sometimes even 0 contact option other than making a new account (which breaks their ToS in itself) and unlike the government that has watchful eyes on it from all sides for abuses you'll be told it's "a private business so they can do anything" or that you deserved it because it's a Cool and Good Company.

There was a story that some Palestinian guy got arrested because Facebook translated his "good morning" in some Arabic dialect into "attack them"[0]. If it wasn't the Israeli police arresting him but instead Facebook doing some deep mind big data crap and covertly flagging him as a potential terrorist then he might have found out 5 or 10 years from now that he can't get a plane ticket because some airline or other secretly sourced Facebook's DB and he has no way to even find out where that flagging came from because corporations are free to be secretive in their decision making.

Government also follows some logic (simplistic, biased, populist, racist or reductionist - sure, but still), while corporations can just spit out a verdict with 0 explanations with a link to 20 page ToS written in pseudo-lawyer pseudo-English and say that a video making fun of a mass shooter is suitable for advertisers and one of eating a carrot in a silly hat or swinging a banana around (it's not an euphemism, I mean an actual banana) is not[1].

[0] - https://www.theguardian.com/technology/2017/oct/24/facebook-...

[1] - https://www.youtube.com/watch?v=7uIn_3704pk


Why would the US congress want Facebook to go out of their way to maximise their liability to a piece of legislation intended to cripple US corporations and supplement EU budgets with US corporate profits?!

Congress should convene a hearing about how current and incoming EU laws are thinly veiled protectionism against US corporations and what should be done about it.


I have to disagree. As someone who is grappling with the impact of these laws on US business I'm acutely aware of the non-existent privacy we all have and how our information is abused and resold.

The GDPR, while a pain, are a response to decades of an industry that should have known better.


I think you're understating how much of this law is about EU resentment of US tech companies' mindshare and marketshare.


We need a domestic version of GDPR with penalties just as severe. GDPR is a much-needed godsend for privacy.


We should protect our companies or at the very least not harm them.


Right, because it's the poor poor companies who are being abused and targeted. Oh will you just think of the companies! Companies are people too! What would we do without our exalted job creators?


Companies which abuse the public trust so severely and unethically should be forced to shape up or fined into the ground.


So when the EU does it, it's protectionism.

But we get to "protect our companies" as a matter of policy.

Cool.


We should protect our citizens, which is sometimes achieved by helping companies and sometimes achieved by harming them.


On what do you base that statement?

Just because many companies and startups are U.S.-based, does not mean that universal privacy laws/rights are targeting U.S. companies.

From my understanding, the GDPR applies equally to all companies, regardless of where they are founded.


That is your opinion. Just because you think so doesn't make it true.


I've posted this before, I'll post it again:

I wonder if you know that the US passed legislation a few weeks back that lets the US government request any data on any user of an American company even if that user and their data are not on American soil. (Possibly thanks to GDPR) companies may object to that request if it contradicts local laws.

But yeah. Go on pretending that the EU lives to target American companies. From a European's point of view, American companies are not fined enough as they view privacy, data, sovereignty etc. as some abstract concepts that don't apply to them.


Are you certain it’s protectionism and not simply believing human beings have a right to privacy?


[flagged]


How are you capable of saying that privacy rights are well protected with a straight face. There are breaches every week in US companies and no on goes to jail, and no company fixes their shit because there's no reason for them to.

The only way I could see someone believeing that it's well protected is due to making money off of violating that privacy


> Privacy rights are well protected as it is

Yes, the US regulations protecting our privacy rights are well-known, which is why the current Cambridge Analytica scandal couldn't happen, and triggered all sorts of... what's that? In fact, we have no privacy protections whatsoever? Oh.


> this law is about limiting and controlling what american companies can do on their platforms

The law also applies to European companies.


Facebook might be known as a US company, but they pay taxes in Ireland (amongst other low tax territories) and hold most of their assets there to avoid paying taxes in US.


Not since the new tax code went into effect, but what does that has to do with anything?


More bollox. Just stop fucking lying, you're just showing yourself to be an ignorant ass.


Personal attacks will get you banned here, so please don't post like this.

You've unfortunately posted other uncivil comments in the past, too; could you please (re-)read the site rules at https://news.ycombinator.com/newsguidelines.html and use HN as intended from now on?


It is not US corporate profits when it is from advertisements bought by Europeans for Europeans. Would you also suggest that the EU should not tax those profits?


It's US corporate profit since they are profits (revenue - expenses) made by a US corporation. This is not a tax law, what are you talking about?


Are you serious? Do you really think nations don't have any right to tax economic activity happening in their borders because one of the entities involved has one of their numerous sub companies headquartered in another country?


I think GDPR will harm European companies and tax payers much more than any US company. Any European company processing personal data will be liable even as a subcontractor. US multinationals can easily avoid liability for non-Europeans as demonstrated. A European startup or even government organization (like also a European universities) will be bound and have much higher cost due to legal and thus monetary risk.


"piece of legislation intended to cripple US corporations and supplement EU budgets with US corporate profits".

The most ignorant fucking statement I have read on HN in a long time. The 2016 GDPR is an update to the 2002 EU Data Protection Regulation. It has nothing to do with taxes, profits or crippling any company. It is an enforcement of the EU Charter of Fundamental Rights.


Budget supplements come from potential fines which are set at an exuberant rate.

"An update" as in adding new laws and regulations all of which are unneeded and all of which are targeting US companies.


Fines without teeth won't produce the desired effect. Privacy matters more than profit.


>... all of which are targeting US companies.

Clearly not true, but exquisite in the context of the FB factory dodging tax via the Irish loopholes, and now moving away from Ireland as a base.


[flagged]


The new tax code provides Facebook a 0.6% tax rate? Because that's what they're currently paying in Ireland.


> And on that note what's with all the commies on HN?!

I very much value the good faith exhibited on this forum. This comment is the antithesis of that. It is nothing more than bigotry.


That's weird. I don't see similar responses whenever someone calls those who lean right of center "Trumpkins" or other witty epithets.


Trump isn't right of center, Trump is right of right.


This article is really confusing. Basically the point is that under the current terms of service they tell you that if you are outside of the US then you are doing business with their Ireland office. Since the Ireland office is in the EU, it is subject to the GDPR. So that means that everybody outside of the US will be covered by the GDPR (because they are doing business with an EU company).

They are changing their terms of agreement to now say that people outside of the US are doing business with the US company. This means that only people in the EU will be covered by the GDPR. Probably that's what they should have been doing all along, but there were probably massive tax advantages to running their international company in Ireland.

For what it's worth, I'm a huge proponent of GDPR and I would probably do the same thing -- at least initially. They have a lot of users and GDPR is really tricky to implement when dealing with any manual processes. Limiting your exposure is common sense.

I'm looking forward to seeing what actually happens to Facebook when GDPR comes into force. You know people are going to exercise their rights and I just can't imagine they are prepared. As I've been going through this stuff in my job I can't see any easy ways to sweep this under the carpet -- you not only need to inform the user about what's going on, you actually need to record the lawful basis that you've told them you are using. If you just say, "Oh I have consent" then the user can withdraw consent. If you actually needed that information (like the user's name!) then you are absolutely screwed.

I fully expect some thoughtful users to nail them to the wall. And when that happens, I expect them to implement everything world wide because it will be a lot easier/cheaper than maintaining different processes all over the place.


Not contradicting, worth pointing out for the Americans in the audience: even if you have an exclusively US-based company, working with any EU users means you are in scope for GDPR.

The consequences for violating GDPR are quite severe -- up to 20 million euro, or 4% of global turnover, whichever is greater. Again, this applies to US companies even if it's a single record of EU personal data.

Furthermore, individuals are fully entitled to sue in the event of a data breach, and there is legal precedent in the EU for compensation of between 10-15k euro per person.

As to the question of EU law applying in the US, just look to financial regulation like Sarbanes–Oxley to see it going the other way.


> Furthermore, individuals are fully entitled to sue in the event of a data breach, and there is legal precedent in the EU for compensation of between 10-15k euro per person.

This means that I can bankrupt small, careless companies that hold a few hundred users data?


I think this kind of point has come up quite a few times in this thread, and I'm gonna use your comment to go over something which I don't think has been discussed much.

The ICO (UK) has been fairly clear that the intention is not to fine businesses to the point where they cannot operate. It also seems fairly clear to me that they do not expect smaller organisations to jump through the same hoops as large ones such as Microsoft and Facebook. If you are a small organisation and you can show that you have and will continue to take meaningful steps towards protecting the data you hold and providing your users with transparency as to your processing, then the ICO and other regulatory authorities are not going to hit you with a 20M Euro fine [1].

I certainly feel as though the law is being perhaps misrepresented as some sort of anti-business regulatory overreach. I highly doubt the European Union wants to a) Drive businesses away from Europe and all that yummy tax money that they bring with them, or b) Piss off European consumers by restricting their access to all the fun things being provided by non-EU companies. It's not in the EUs interest to do either of those things, but there has to be a balance, right? The fact that organisations can collect huge amounts of personal data and when/if something happens just shrug it off (exaggeration, I'll admit). The current legislation doesn't give supervisory authorities (such as the ICO) enough of a bite to encourage compliance from larger companies. £500k (current fine limit) is nothing to an organisation that turns over billions a year globally. I'm sure in many of these circumstances the cost of compliance would far outweigh any fines handed out.

The debate here is very interesting though, as there are plenty of people viewing this from different angles. I wonder if some residents of non-EU countries here feel as though the EU (to them an unelected body) is effectively overruling their domestic legislation, and that this is not right. I can certainly understand the argument that whilst (in my opinion) this law could be overwhelmingly good for consumers, especially given the current climate, it could be viewed as setting a dangerous precedent for extraterritorial reach.

[1] https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-...


> The ICO (UK) has been fairly clear that the intention is not to fine businesses to the point where they cannot operate

That's a problem, imho. We cannot rely on good intentions when it comes to the interpretation and enforcement of the law. Anyone who's gotten caught up in the quagmire of legal bureaucracy understands that.

The law is the law, and will outlast the good intentions of the authors or people currently in charge. If the law, as written, was not intended to be as such, then it should be amended.


I agree with you, I think your point is in a similar vein to my comment about the extraterritorial nature of the law. It's great whilst we have people in charge who we might agree with, but where are the protections if you do not agree or if the circumstances change. I can envisage the legislation, being interpreted in the strictest fashion, being used against organisations for political or other motives. Do we have adequate protections against this in the legislation?


Almost all criminal law I know of has a clause "...up to x years/month". We are pretty fine with this since decades. Why should this be different?


That is reflective of the nature of the crime, and history of the criminality of the accused, not their intrinsic characteristics, such as being small businesses or large businesses.

Depending on the nature of the violation, it may also reflect the scope of the violation, such as fraud. This is a scenario where, again, the size of the business, or the risk of the business going under, is not taken into account.

If we really want two separate punishments for the same crime- one for small businesses and one for large businesses, because we don't intend on putting anyone out of business- then that should be a codified part of the punishment.


So companies that are careless with personal data and get hacked get out of business? That sounds like a benefit!

Within small companies, it's now easier to push for proper data security, for not being careless. "Boss, I know it'll slow down our release, but if we don't do it, we could go bankrupt!"


If I don't have a server in your country, I shouldn't be in your jurisdiction.

And as for ANY regulation, progressive enforcement should be the norm. We shouldn't expect the same level of data security from John Buckley's local tool supply that we expect out of Amazon.


> If I don't have a server in your country, I shouldn't be in your jurisdiction.

Ha! Try telling that to the Americans ;)


If you don't want to be in their jurisdiction, don't do business in their jurisdiction. If you do business in their country, why would you not be subject to their laws?


If I do business in, say, Australia, but Europeans fly to me to purchase my services, am I then bound by European law? The internet is basically the same deal, no?


Fun fact - Americans invented this concept. If you're doing anything fintech with a citizen of U.S., you have to uphold to certain regulations invented by the U.S.A. Even if you're doing it on European grounds.


It is obviously not the same.


No.


What makes you think progressive enforcement is not going to be the norm here?


Facebook almost certainly has servers, and subsidiaries, and staff in the EU


They do currently but it's sounding like they might not for much longer:

Facebook moves 1.5bn users out of reach of new European privacy law https://www.theguardian.com/technology/2018/apr/19/facebook-...


I'm from Quebec, I can nearly never play contest for a simple reason, if I win, they have to pay taxes over the winning for me. That's not much and the likelihood that I win is still low, yet that amount scared them enough to ignore me in most contest.

I feel like that's going to be more an incentive to ignore EU resident if the fees are that high. Even with a huge security budget, mistakes are made, is it worth it to risk that much cash? Check any gaming console, they have a pretty big incentive to keep the security pretty high, yet failed to do it so often.


The EU will retain its current ability to impose lower fines than the maximum, which I imagine they'll do in most cases where the fine would bankrupt a company unless the behavior is amazingly egregious (e.g. "We refuse to do the barest attempts to comply even after several warnings despite dealing very heavily with Europe and collecting lots of data").

That said, the existing legal precedents won't prevent the imposition of much larger fines when warranted after May 25, given the new law's higher maximums.


Yes, because they hold user data and are careless.


If you run a small US company with a few hundred paying customers and low single digit EU customers, how is the EU going to penalize you? Especially if those EU customers' funds go directly to a US bank account?


It's an unlikely scenario - but block your domain, block bank transfers (not for small offenses, though). "Ask" any EU based payment providers (pretty much all have offices in the EU) to stop servicing you. You can use crypto currencies and the like but the inconvenience is there.

Then probably (or your employees) would not like to visit the countries there, etc.

Technically you should not be selling electronic services in the EU w/o EU VAT, so that already is sort of a breach... but no one chases so small fish.


>> If you run a small US company with a few hundred paying customers and low single digit EU customers, how is the EU going to penalize you?

By forcing EU ISPs to block your ip.


It might be worth specifying your co. is for US users only in your TOS until you are more attractive to European customers.


Maybe put you on a naughty list and inhibit internet access - as the UK does for TPB, et al.?


I don't know if they can.

But if you're a VC funded business aiming to "change the world" and grow big, then it might be a problem for you later.


My counter example to this is that nobody in the US does the super annoying cookie popup thing that's required in the EU already - why would they do GDPR which is orders of magnitude more complicated.


My counter example is that I live in the US and I see that cookie popup seemingly almost everywhere I go.


I live in the US and am constantly annoyed by the stupid cookie popup.


You are annoyed by stupid people who think they need a bunch of third party trackers on their site. Nobody, even not the EU, has problems with first party cookies.

This will change anyways with the GDPR.


Agreed that many, if not most, of the trackers on most websites are at the very least overkill, if not actively negative. I disagree that I need to be reminded that websites use cookies with a modal or popover every single time I visit a website that I visit daily.


Not exactly correct. GDPR is closer to FATCA meaning — non US banks that deal with US citizens are subject to FATCA reporting IF they also have US assets. The penalty for a foreign bank not complying with FATCA is a penalty against US assets.

A bank with zero US financial system exposure can’t be penalized under FATCA because they have nothing to penalize. FATCA only works because banks have exposure to US assets.

The unintended consequence of FATCA is that it is dramatically harder for a US person to do any business with European banks — banks have closed accounts in order to reduce operational risk. So this “good law” (occurring to Democrats that passed it) actually made it much more difficult for Americans overseas and American companies who need overseas banking.

GDPR could be considered similar — it won’t have any jurisdiction if the company involved has no EU presence, but it could result in companies denying services to EU persons based on operational risk.

People should have thought this through much better.


FATCA was designed to apply to non-US entities it provides clear definitions and channels on what to do and who do you work with, the GDPR has no functional models for non-EU entities.


Actually it kinda does... Article 27: "the controller or the processor shall designate in writing a representative in the Union"


No it's a joke article 27 says that you need to establish a presence in the union which isn't going to happen article 3 is also vague as hell.

Compare this to FATCA: https://www.irs.gov/businesses/corporations/foreign-account-...

And again FATCA and SOX applies to huge financial institutions that can afford all the lawyers in the world.

Say I make guitar picks and tuning forks in Zimbabwe I sell it online and I have costumers in the EU. I either need to comply with the GDPR which will be prohibitively expensive or will have to stop selling to EU customers.

The problem with the GDPR is that people don't understand both the inconsistency and the scope of it. Come 25th of May I'm sending a data access request letter to my dry cleaner which they will have to comply with within 30 days or face fines.


what happens if they don't ?


That’s not exactly correct GDPR is a mess.

If you are a non-EU company and you don’t have any legal entities in the EU even if you deal with EU customers (retail) the application of GDPR isn’t going to be relevant at least initially.

(The fear for example is that PayPal etc. will force you to comply in the usually blind and deaf PayPal manner for fear of EU retaliation)

If you are a non-EU company with no legal entities in the EU but you are dealing with EU companies and process data for them those companies would have to ensure you are compliant this is a purely B2B route.

If you are a non-EU company with EU legal entities this is the vector the DPAs will use to go after you.

The GDPR is currently in a retarded state with near zero official guidance and definition for things that matter. And as far as non-EU companies go GDPR is well in a though spot. GDPR does not trump lawful data retention and data access requirements in the EU those fall under then final jurisdiction of the high court but there is no way for them to influence non-EU law.

And SOX is a terrible example SOX affects a tiny portion of companies and those who need to comply are huge and there are clear definitions, requirements and arbitration channels which the GDPR lacks.

P.S. we’re talking so far about the periphery of the EU, Canada, Australia The US etc... when you’ll find a way to make Alibaba and China at al comply let me know please.


> Again, this applies to US companies even if it's a single record of EU personal data.

This is part of why I think GDPR is a disaster for startups. It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.

Typical EU regulatory overreach.


What aspects of the law are disastrous for startups? What startups might see as a "massive regulatory burden", I see it as, at long last, a means of finally holding irresponsible companies to account.

The spirit of the law is really quite simple; my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me. If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.


The scope of personal data is disastrously large and the guidance is fuzzy at best.

Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics.

No part of my "business model" is attempting to profit from personal data yet I have to jump through a bunch of new hoops.

My likely solution for projects is to simply block EU traffic going forward.


IP addresses aren't PII. If you're capturing IP + real name, or similar (email + real name) then AIUI you'll need to tell people on request who you sell that info to and allow removal.

Assuming it's a personal blog then just don't capture any PII. Don't sell it, be prepared to delete a user's comments on request. Don't capture PII without informed consent.

Easy, no?


> IP addresses aren't PII.

I personally think so, but everything I've read about GDPR says they usually now are considered in scope.

Deleting comments is non-trivial. How do I verify that the person requesting deletion is the original commenter? How do I then wipe out every mention of their IP address from all my logs?

These are easily solvable questions for large companies, but overheard for small startups and personal projects.


> be prepared to delete a user's comments on request.

Or, just block users from EU from commenting. I can see the win for the Internet here.


IP by itself is not considered private. It's only when you attach it to other identifying data. Anonymous comments are not covered with GDPR.


> Anonymous comments

Wordpress asks for your name and e-mail to post a comment, doesn't it?

I guess the tuple (ip,name,email,comment_text) is PII?


Name is, email is, IP combined with either (or both) is.


However, is it not thought that because the ISP keeps a log of dynamic IP addresses, these could (in theory) be matched to the IP address of anonymous comments, thus de-anonymise them?


No, because you need to take into account the effort needed to de-anonymise the IP address.

> > (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.


This article makes a compelling argument that it could be: http://privacylawblog.fieldfisher.com/2016/can-a-dynamic-ip-...

IANAL, but I'd be wary of saying that you'll be fine storing dynamic IP addresses. You'll probably need to have a rationale as to why you don't consider it.


> Anonymous comments are not covered with GDPR.

There is no guarantee that comments stay anonymous. Commenters can, and do, enter their real name as their display name.


For Apache can't you just change LogFormat to exclude IPs and delete the old logs?


Yet, you're still collecting it, and it doesn't seem like you're taking steps to protect it.


Because I fundamentally don't think a random foreign entity should dictate how I manage logs on my personal blog. It's challenging enough to debug issues without having IP issues.

I don't even consider a random IP to be PII.


> my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me.

In the U.S., freedom of speech usually trumps privacy rights. It will be very damageable if the supreme court ruled that any EU citizen can limit US speeches based on their laws.


I am not sure I follow you here:

When I store your personal data, I should be allowed to do so under the 1st amendment that is about speech?


Yes. Like I can’t retroactively ask you to remove what I said from your blog post.


> Yes. Like I can’t retroactively ask you to remove what I said from your blog post.

No. But I can ask you to remove my name and personal information from it.


That's precisely the problem and is a clear example of how Europeans value privacy differently.

Personally, I think it is a fundamentally important right that I be able to post a blog about how "the_mitsuhiko wronged me" in some way and have that information publicly accessible. European courts think you should be able to suppress such information—even if it is true.


That's.. that's not at all true. If it's a news story, then the GDPR isn't applicable.


Isn't it like more that the state itself can't ask/force you to remove something, but i as a natural person can?


> If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.

The EU is not a single entity. It’s dozen of nations, more than 300M individuals.


> What aspects of the law are disastrous for startups?

Any law that gives power to users instead of companies harms companies.

To me, it's an acceptable trade off


"perhaps you're not the kind of company the EU wants to be doing business with"

Europeans want Facebook and Google and the rest, the EU doesn't. The EU != the europeans.

So international startups must now care more about what the EU wants than what european customers want. That's wrong.

In the meantime, european governments take measures that jeopardise private life, like putting black boxes at ISPs in France to watch everyone (aka. fight terror...).

GDPR is ideology. Not private life protection.


People living in the EU absolutely want control of the gathering of their PII.

The only complaints I've seen about it are concerning people responsible for administrating data in companies.

GDPR represents an ideology of not giving corporations free reign to make profits at any human/social cost, but to reign them in and give people chance to consent rather than be data-raped.

Could you expand on how you think it's (solely?) ideology? What's bad about informed consent wrt PII?


"The only complaints I've seen about it are concerning people responsible for administrating data in companies": now that we're sure some people are annoyed... how many truly benefit from it? I do understand you think it's a good thing. How many in your FB friends share your point of view? How many even know? How many will benefit?

"GDPR represents an ideology": one point we agree on.... "at any human/social cost": what cost? Can't I sue Facebook in a civil court if I suffer any prejudice just like I can sue any company?

Is there any "data-rape": if your data is processed only to choose which ad you will see, does it count as a "data-rape" for you? The ad you're seeing is the only thing of value on Facebook: your data has no value except to show you this ad.

Can you tell me where I can buy data from Facebook? I'd love to buy the friend-list of influencers who have set their privacy settings so that data doesn't leak. What? I can't? Doesn't FB sell people's data? ;-) What about famous artists private pictures then?

That's what people think of when they hear "Facebook is selling your data". They don't hear "Facebook is using your data to show you better ads which pay for the whole service".

Informed consent isn't bad. Have you read FB Terms&Conditions? Have you read the paragraph that says you're OK that FB has the right to use and reproduce the content you're posting on FB? You have already given your informed consent. Now you're trying to take it back.


> What's bad about informed consent wrt PII?

The cookie pop-up is an example of EU overeach. Doesn’t help privacy, doesn’t UI, and now everyone is just dismissing them.


One of the reasons GDPR was enacted is because the cookie law wasn't taken seriously. Companies used technical means (removing any meaningful opt out) to render the law moot in practice; as the industry failed to self regulate, the EU took the nuclear option.


I truly believe GDPR will have a similar impact as cookie pop-ups: extravagant annoyance for 0 benefit.


> People living in the EU absolutely want control of the gathering of their PII.

I know everyone here wishes this to be true, but what data are you basing this claim on?


Thank you. I for one don't care, I'm french and I live in Spain.

People SHARE their life on FB. They don't expect it to be private.

When journalists tell them Facebook is "selling" their data, they believe it because many want to believe they're victims of capitalism (that's even more true in Europe because the economy is mostly in a bad shape). Instead, they fall victim of politicians who want control (EU politicians now have POWER over american companies! how exciting), and of journalists who don't like competition (journalists work for TV stations or newspapers who sell... ads).

The only thing that has value on your Facebook page is the ad. Not your photos. Not your comments. Not your sexual or political preference. Only the ad.

We've all been fooled.


It's pretty crazy to me that people can feel this way after things like the Equifax breach. Equifax was sitting on all that data that people didn't even know they were included in, and probably didn't even WANT Equifax to possess.

But that's just business as usual, businesses are allowed to do things we consider morally wrong because that's just how things work.

And the second a law springs up that helps out the little guy, it's a massive governmental overreach. How dare government actually try to help people, think of all the businesses they are hurting!


You're using a non sequitur. Equifax is of course a massive data processor which should be regulated. Choosing to instead regulate every single person who even accidentally has an IP address in their logs somewhere is the overreach.

This helps massive corporations (who can afford to comply) and hurts small businesses which cannot.


> Choosing to instead regulate every single person who even accidentally has an IP address in their logs somewhere is the overreach.

It doesn't help your argument when you misrepresent the truth like this.

There's absolutely no requirement for every individual who accidentally has an IP address in their logs to comply with GDPR.


I never really felt the need to store ips actually


You might not, but your webserver did. Or did you change the logging configuration of your webserver to not store or obfuscate IPs in the past?


This law suggests a shift to assuming no consent for gathering of PII, only gathering data when you have informed consent and a justifiable business need.

In the case of web servers I can't see a problem with not recording IP if you're also gathering PII; or asking for permission in the PII submission; or say dropping the last digits from a dotted-quad as a default.


Consent is only one possible justification for processing, you do not need it for everything. It's more a shift to "processing PII is forbidden unless for one of the following reasons", consent being one of them, and requiring assigning purposes to collected data. You can't just have webserver logs piling up somewhere without reason, but you probably can have a policy like "We keep IP addresses for 48 hours for security purposes", if you have an appropriate security process needing that data.


You don't want to log access requests to your web servers based on IP? I disagree with you at pretty much the lowest, most fundamental level.


If you do, then ask the user.


Explain how you ask the user whether you can get their IP address when any such request requires receiving their IP address.

This is draconian legislation which unnecessarily causes many more problems than it solves.


In light of recent revelations about the way social media companies treat their users’ data and privacy, strong regulation is not “overreach” but “overdue”.


The law could have easily been tailored to target large social media companies. Instead it applies to everyone, including tiny businesses who accidentally have one European visitor.

I'm strongly considering simply taking down all my old blogs/sites because it's far too much work to deal with GDPR for anything less than a medium-sized business.


And then huge media company just creates small subsidiary (tiny business) to "accidentally" collect personal information. Got caught? No problem, close that one, open another...


There are plenty of laws and legal instruments / concepts (controlling stake, anti-avoidance laws, etc) that stop large companies from doing this.


And that is just as "possible" under the current structure of GDPR.


Not really. For example, if Facebook Inc. establishes a "Totally not FB LLC" for the purpose of skirting GDPR, Facebook Inc. is still the data controller according to the law, as it is directing the data collection and purpose, even if "Totally not FB LLC" does all of the handling as a data processor. Except now the fine is levied on the total turnover of both companies, not just one.


Right, I meant it's just as "possible" in the sense of it not really being practically possible.


What PII are you gathering? Can't you just remove those fields, add a consent field, drop old PII from your DBs?

I imagine most CMS will have the option to do that at update?


It would be a shame to take down your old blogs as I'm sure people get value from them.

My approach is one very much based on risk - how likely am I to receive requests from data subjects requesting deletion of their data? How likely am I to be subject to a targeted attack where people try to remove information from my server? How likely am I to be the subject to enforcement action if my server is hacked and data is leaked?

On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event. If you're outside the EU, GDPR will only apply if you are actually offering goods/services to those in the Union, or are monitoring them. I take the point about analytics in the second place, but in the absence of analytics, I don't see that making available a blog constitutes the offering of goods/services?


> My approach is one very much based on risk

Mine too. The risk is massive fines, while I currently derive virtually no benefit from my online presence.

> On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event.

I also own a business and previously several of my clients have come through my blog postings.


Just to be clear, there is little to no risk of someone running a simple blog getting fined by a data protection regulator.

In the UK for example the ICO who regulate data protection matters concluded 17,300 cases, in which only 16 of them resulted in fines.

I’m just intrigued as to how you have developed this perception of GDPR and data protection law looking to regulate small one man blogs out of existence?

/edit oh and my other point still remains - even if you’ve got some customers through a blog, you don’t appear to be within scope of GDPR on the assumption you’re not directly looking to do business with EU based customers (for example through offering payment options in European currencies).


> I’m just intrigued as to how you have developed this perception of GDPR and data protection law looking to regulate small one man blogs out of existence?

There are huge industries with vested interests against privacy and consumer data protection and they have deep pockets. That person, if not instrumental in spreading misinformation, must then be a victim of it.


Do you habitually post personally identifiable information of other people in your blog without their consent?


I don't know why people were downvoting this.

GDPR outside of the EU (for purely non-EU entities) is a non sequitur there are zero internal processes to make it work.

Lets take the most basic example the GDPR does not apply in a vacuum it's enforced and supported by Data Protection Agencies (DPA) in each member state which are responsible to ensure that companies in those member states comply with EU regulation like the GDPR within the context of local laws and regulations.

The DPA is responsible for the application of the GDPR within it's member state (and it's power is limited to that member state only but the GDPR does have a few venues for applying a local DPA directive across member state lines) it's also responsible for handling complaints in that state and it provides directives and advice to both law makers and the industry.

If I'm a UK company and need to deal with the GDPR (till Brexit do us part) I work with the ICO which is the UK Data Protection Agency. While other DPA might affect me the ICO is my primary source of both advice and enforcement and any issues that might originate in another DPA would still pass through the ICO.

Now I am a company in don't know where lets take Argentina I want to sell to EU customers which DPA do I answer too? which DPA to I ask for advice? How do I arbitrate complaints filed against me and to which DPA do I prove I handled data disclosure requests in a manner compliant with the GDPR? which DPA would know my local laws to ensure if my application with the GDPR was complaint with local data retention and lawful access laws? In fact other than going through my own state/trade department and organizations what venue do I have as a non-EU resident and a non-EU entity to any EU services and resources.

The question to all of this is none as a non-EU company there is fuck all you can do even if you want to comply with the GDPR.


You use the legislation to guide your internal processes, systems and employee/user education. You ask your legal counsel for advise. Other than what you'd normally do anyway, you'd provide evidence of disclosure only to the DPA that asks. The DPA doesn't care about your local laws - seek local legal counsel instead.

To a developer used to systems thinking this should not be rocket science. Most of it is just good practice. Kim Cameron came up with the laws of identity many years ago, which the GDPR is surprisingly similar to.


DPA cares for local laws the GDPR does not trump local EU legislation.

What court do you use to appeal a complaint or a fine?

There are no processes at all for a non-EU entity to function within the GDPR and saying it’s not rocket science isn’t going to change that.


If the ICO (UK) issued a fine, you wouldn't appeal in Spain, would you? Because of course you respond to the DPA that issued the fine or complaint. Am I not understanding your question?


We’re not talking about EU companies or entities but non-EU ones.

In case of the EU you have your own local DPA other DPA local courts and high courts to appeal too and or work with.

As a non-EU entity you get nothing.


The only entities that can enforce GDPR are the DPAs in various EU countries. So if some action is taken against a non-EU company, it's anyway done by one of the DPAs - e.g. if there's a complaint against some USA company by a German citizen, it would be the German DPA handling that.

Any decisions of German DPA can be contested just as any other administrative decisions in German courts, the German DPA is fully under their authority. Yes, you won't have your local courts, but it doesn't mean that you can't appeal - you simply have to file this appeal where the contested decision was made.


You get the courts that the person you're servicing uses. Like when you sell to someone in a particular country and have to abide by their sales and tax laws.


That’s not true on both accounts EU courts have no jurisdiction over non-EU entities and there is no process on how to arbitrate a lawful retention requirement which trumps GDPR between EU and none EU entities.

As for the taxation part of your comment that is again an incorrect statement in fact it’s categoriclaly false.

If I as say a Brazillian company want to sell goods to an EU resident I do not perform any tax collection other than the local taxes in my country.

In fact it likely means that I can forgoe some local taxes like VAT or sales tax due to export.

You as the customer are obliged to pay all taxation related to this purchase which is usually paid when the item clears customs as the customs duty.

The only cases when one would collect tax on behalf of another country is when there is an explicit tax agreement to do so and process to support it. This is extremely rare and usually only happens within shared customs unions.

As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.


What, like US courts have no jurisdiction in the EU? I can pirate US movies, and as a EU bank, not report on US citizens in the EU to the US?

Those weird things aside, this isn't about collecting VAT. It's about remaining within the confines of the law of the country you're conducting your affairs in.

It's like if I, as a Russian, wanted to sell a car to someone in the US, I'd have to ensure that my car meets whatever requirements/standards the US sets out for vehicles. If my vehicle doesn't meet those standards, which court do you think I'd have to appeal in, as a Russian selling a car to an American?


Those copyright laws are enforced through local copyright holders and or existing trade agreements which again is something that understood and is established in international law including WTO regulations.

The GDPR has no mandate under existing international law.

The level of strawmaning is getting ridiculous when 2 countries sign a trade agreement you have 2 electorates which have a say in what is going to happen.

The GDPR extra-territorial application isn't just extra-territorial it's extra-judicial in which you have a law forced on you that you have had no saying in how it was passed and you have no saying it how it would be interpreted and or enforced.

This is tyrannical and I'm an EU citizen.


> As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.

That’s not how this works. You are required to collect VAT and use the MOSS system to pay it quarterly.


That's not correct as a non-EU entity I'm under no obligations to register for MOSS or to collect VAT unless under TBES (which is nothing new since it's an extension of the old VOES scheme) which applies to a limited number of services only: https://ec.europa.eu/taxation_customs/business/vat/telecommu...

Even if by some chance you are a small business that for an inexplicable reason does fall under this you can get out of this scheme fairly easily (VAT exemption rules apply) and more importantly VAT can be handled by a proxy e.g. a payment processor.

For businesses there is no VAT collection at all and all businesses must pay reverse VAT when purchasing (or providing) services from (and to) outside of the EU regardless if they fall under TBES or not.


If you sellnon physical goods you are required to collect VAT when you cross a per country threshold.


Again only if the goods fall under the criteria set by TBES if you are above the limit in a specific country which in the UK for example is £85,000 and it's more or less similar across the EU.

This means that most businesses it's not an issue since you can have a turn over of a few 100,000 EUR spread across the EU without being required for registration.

This is also solved via your payment processors and what would you know the EU also offers you the infrastructure to register where is the one stop shop for GDPR?


Double check the thresholds in the various EU member states. They differ considerably, and the UK is an outlier in that it is so high.


34,000 EUR on average 31,000 without the UK, and 37,000 without the Nordic countries.

You also must provide a service that is qualified for VAT since it doesn't cover all non-tangible goods e.g. anything that is actually produced by a human but is delivered digitally like professional services.


You should use more punctuation, your writing is very hard to read and understand (as a non native speaker)


Yeah sorry writing on an iPhone is a makes it a bit hard.


> UK company and need to deal with the GDPR (till Brexit do us part)

Brexit will make little or no difference unless you refuse to deal with EU citizens in any way the involves you having access to their PII or storing any information about them (including traces of their activity in your product/app/site.

GDPR will be carried over post-brexit, and even if it is later revoked by act of parliament and not replaced by something equivalent you'll still need to deal with it if you want to trade with EU citizens. If the UK refused to play ball and somehow blocked us from the punishments for non-compliance we will face inconvenient sanction by other means.

GDPR isn't perfect (is any regulation?) and their are certainly significant questions to be answered from the PoV of people operating outside the EU, and even some issues that may still require more clarity for those entirely operating here, but I wholeheartedly welcome it (UK citizen here, FWIW) despite being a data specialist and therefore having a bad nervous-twitch reaction to any idea of a non-soft delete operation!


That was a joke, the ICO will continue post Brexit I have no problems from the UK.

The GDPR isn't perfect it's just none workable for companies that are not in the EU.


I'm not a lawyer, but I would think your Argentina company can be in one of 2 states:

1. You have a subsidiary in EU, in which case that is who will get fined or will have to deal with the DPA where it is registered 2. You don't, in which case the EU can not fine you?


Well the GDPR doesn’t define that it applies to anyone who touches PII belonging to EU residents.

The logic dictates is that it won’t apply to companies that simply dont have any legal presence in the EU.

But that is not defined because again there are no exceptions.

However PayPal might enforce it on you in fear of the EU going after PayPal because it’s expected that all EU companies would require GDPR compliance from their business partners overseas that perform any data processing for them or are exposed to EU PII.

However how this compliance to be achieved, validated and arbitrated isn’t defined either.


Article 3 is clear about the scope of the regulation when an entity is outside the EU. It states that it will apply where that entity is offering goods/services or is monitoring data subjects in the EU. Enforcement is a separate matter but the underlying law is clear. Art 2 then contains general exceptions to the application of the regulation also.


It’s not clear at all by this definition if I sell guitar picks on my personal store and I’m located in say Zimbabwe I’m either forbidden form selling it to the EU or will have to comply with the GDPR which can be prohibitive to me due to local laws.

The GDPR isn’t clear only anything it rewrittes agreeable concepts of localization which have much more severe applications than simply the GDPR.

It also provides zero channels and infrastructure for non-EU entities to comply to the GDPR in a manner which is offered to local EU companies.

If the GDPR would define its scope as if I can buy form you you must comply what stops the EU form mandating I must collect VAT on their behalf?


Laws are not always crystal clear in each case because to do so risks making them capable of being worked around (and of course in some cases they are just badly drafted - but I don't see this so much with GDPR). Laws are then subject to interpretation by the courts and by lawyers. If you're having issues with understanding laws, then you may need an expert to guide you, as in many areas of life.

Recital 23 of GDPR will give you insight into how your Zimbabwean guitar pick seller would be treated. If they are consciously offering picks to data subjects in the EU, either through specifically referencing EU data subjects, or through offering picks in EU currencies or tailoring the site for different European languages, then they are likely in scope.

Conflict of laws provisions are a separate point, however in various areas, the GDPR expressly states that legal obligations override GDPR obligations in various areas.

Whenever any company considers that a law may apply to them (whether as a result of operating in the country or because of the extra-territorial implications of certain laws, like GDPR) they generally take advice from local lawyers as to the implications or do independent research.

The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.

If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.


Yes laws are not crystal clear but you don't understand the problem because when laws are unclear in your country / union there is a clear channel to debate it which is the regulator and the courts this channels are not available to extra-territorial parties.

Add to that the fact that you now have laws enforced on you that you have no control on how they were written or are enforced because you are not part of the electorate that passed them.

International law is applied when 2 countries agree on a common set of rules in which case you have 2 representative electorates which are mediating an agreement.

The GDPR has no legal basis of application it's not part of any trade agreement or any other international agreement between the EU and other countries.

The claim that it somehow applicable is essentially tyrannical despite the intent of the law the means through which and the fact that people support it's universal application is terrifying.

What is even more terrifying is the likely means of enforcement which will be through the multinationals.

>The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.

What are you even trying to say here? If I don't live in the EU, have no legal presence in the EU I have no means through which I must comply with the GDPR.

Mandating that I would create a local legal entity to serve as a proxy in a member state is a violation of existing trade agreements and WTO rules.

Enforcement of extra-territorial laws must be done through a process which is agreeable and understood by all parties.

>If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.

This entire debate is about the extra-territorial application of the GDPR, bringing international tax treatment is super relevant because it's an established framework and it already establish things like localization which are critical for extra-territorial application that the GDPR must follow.

People really need to wake up and understand that the GDPR isn't about Facebook or eBay, Amazon or the likes it applies to them equally as it applies to your local dry cleaner or hair dresses which collect and process Personal Information as defined under the GDPR and are subject to the full extent of it's regulatory requirements.

What is more frighting is that through commerce of either tangible goods or services this regulation can be applied to non-EU entities in not only a extra-territorial fashion but in also extra-judicial one.

The reality is that either many small businesses or businesses regardless to which the volume of trade they have with the EU is less than the cost of compliance would likely be forced to stop offering services to EU consumers or switch to a proxy like well eBay or Amazon.

The scope of regulation like FATCA or SOX which were mentioned here as examples applies to institutions that can afford it and can handle it.

The GDPR applies to everyone equally, actually that isn't true if it applies to non-EU entities it doesn't apply equally it's much more costlier to them. If nothing else is then just by your ridiculous example "consult a lawyer" then a GDPR lawyer in Belgium or the UK would be fairly cheap since it's an established local law, to get the same level of advice and to get arbitration with a DPA in say Bolivia you can't go to an ambulance chaser you'll be limited to an international law firm. Not to mention that getting legal advice for such services can be achieved for free in the EU through the local DPA and or various organizations like Citizen Advice which provide legal assistance.


> What are you even trying to say here? If I don't live in the EU, have no legal presence in the EU I have no means through which I must comply with the GDPR.

I was responding to your point that there were zero channels to help non-EU companies to comply.

I’m really not sure on what resources you think are available to EU companies that are not available to non-EU companies? You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with. To the extent a local regulator would provide guidance to an EU company, I am certain they would also provide to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply is not the case!

We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.

Also your point about hairdressers is nonsense. A non-EU based hairdresser is very muh out of scope of GDPR!


Local DPA, local courts, local MPs, industry unions, EU MPs, EU high courts.

And please tell me how say I as a small merchant in any country outside of the EU can get in touch with them and get services from any of them.

Better yet please tell me how a lawyer in Mexico or the Philippines would be able to advise me on GDPR unless they are part of a top tier international law firm which operates in the EU and has experience with GDPR.

Please let me know to which non-EU bar associations were provided with materials and guidance and have conducted workshops and seminars in order to ensure that they would be able to provide legal advice on this manner by a DPA or any other EU regulatory agency.

>You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with.

Wanna bet? citizens information board (CA in Ireland) already offers such service (so does Citizens Advice Edinburgh), in the UK the ACF provides GDPR related legal council to foundations, a lot of other industry organizations offer similar services.

> I am certain they would also provide to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply

They will not provide any service or information to you, in fact they are forbidden from doing so trying contacting an MP who isn't yours or an agency outside of your member state.

>We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.

There is anything to disagree about, this isn't about extra-territorial law this is about extra-judicial application of it which is tyranny since you are applying laws and regulation outside of the scope of international law and frameworks. The fact that you accept this as something good makes me think that the brexiters might have had a point.

>Also your point about hairdressers is nonsense. A non-EU based hairdresser is very muh out of scope of GDPR!

I think you should practice on your reading comprehension I'm in the EU on the 25th of May I am submitting a data access request letter to my dry cleaner (I like my hairdresser), Pristine Dry Cleaners just for the lolz and to show just how ridiculous it can be.

I know for a fact that they have my name, address and phone number since it was required during registration and I also know that their branch in East Finchley shares the same database as the one in Lancaster Gate since I've used both despite being different franchises so I really want to know who they shared those with.


Ok, my apologies for not picking up on the fact you are in the EU. Is it the cost that is stopping you from making a subject access request today under existing laws?

Apologies also - I took Citizens' Advice in the narrow sense of the Citizens Advice Bureau (I used to work there so it's in my subconscious) who generally deal with benefits, employment and housing law queries. I took a look at the citizensinformation.ie and did a search for GDPR - I can't see much in the way of materials unfortunately. ACF makes materials available which can be read by anyone regardless of location. Sure, they might make advice available to local entities, but this would be a small benefit to EU orgs vs non-EU orgs.

However I still don't really follow your point how organisations will approach GDPR compliance in general and the idea that there is a massive gap between what is available to EU entities versus non EU entities.

For lots of organisations, GDPR will not be on their radar, and life will go on as normal post May 25th.

For organisations aware of GDPR, their route to compliance will be through reading the source materials and supporting materials available on the Art 29 Working Party website. That is the case regardless of whether the organisation is in or out the EU. They can consult materials from third parties like ACF but the core materials are as above.

I don't really think contacting your MP or actually contacting a regulator is something which many entities have actually done because actually the base regulation and the interpretation notes are sufficient to understand what an organisation has to do to comply (again available to anyone who cares to read). In terms of court access

In terms of access to legal advice, then I don't quite think it's as bad you paint out here! I've instructed local counsel in multiple countries direct and it's a straightforward process and those firms were not part of a top tier international law firm network. Often smaller local firms have firms of similar sizes in other countries that they can refer work to. If other peoples' implementations of GDPR are anything like my company's then the extent of legal advice sought will have been limited.

I think overall I take your point that resources on offer to non EU companies may be a more limited, but overall the core resources are the same. Lots of non-EU entities have been working very hard on looking to comply with GDPR using the above resources and taking local legal advice where relevant. I agree that for smaller organisations this is more problematic, but this is the case regardless of location to an extent.

I do take your point about the extra-judicial nature though. We will have to see how things work out. My instinct is that for lots of companies it will be business as usual and the local regulators will have bigger targets that they want to go after.


The company I work for has been working on GDPR compliance for the better part of 3 years.

We also maintain compliance in the financial sector and we have both very good in house and external counsel which works with both the ICO and political institutions to ensure we meet our compliance.

The fact is that as an EU citizen you have a say about how the GDPR is applied and you have a say in how it will be enforced and interpreted.

As a non-EU entity you have no voice.

You also cannot ask for assistance from any EU or member state body.

You also don’t have access to DPA run events for example: https://ico.org.uk/about-the-ico/news-and-events/speaking-en...

Now if you want a good comparison as you have worked for a legal aid organization before you can likely estimate the hourly billable of a lawyer in the UK to provide you counsel on UK or EU law vs say FATCA or SOX.

My bet is that it would likely be at least 3 zeros in difference.

The fear isn’t that a DPA would go after you, but rather that they’ll force service providers to compell you to comply.

Under the GDPR for PayPal to remain compliant it needs to ensure that all merchants that use it to receive payments from EU residents are also compliant because you share your Personal Information with PayPal who then shares it with the merchant (name, email, address, phone number etc.).

This is going to be the likely channel of enforcement not them dragging you to court.


I don't think any of this is entirely clear, but from my understanding it seems like the EU wants to apply GDPR even if you don't have an EU presence.

In practice, I doubt that they'd get the US to enforce judgements. But it might mean that I can never risk going to Europe again lest I risk having a default judgement enforced against me for one of my businesses.


If your store front is accessible to EU based citizens then you have an EU presence.


The threshold for determining establishment is a low threshold however there will still be various factors taken into account in determining whether that establishment is there (for Art 3(1), and indeed whether goods and services are being offered to data subjects in the EU (for Art 3(2)).

The mere availability of a website is not sufficient however to satisfy the above. Recital 23 below gives more details about those factors:

  *Whereas the mere accessibility of the controller's, 
  processor's or an intermediary's website in the Union, of 
  an email address or of other contact details, or the use 
  of a language generally used in the third country where 
  the controller is established, is insufficient to 
  ascertain such intention, factors such as the use of a 
  language or a currency generally used in one or more 
  Member States with the possibility of ordering goods and 
  services in that other language, or the mentioning of 
  customers or users who are in the Union, may make it 
  apparent that the controller envisages offering goods or 
  services to data subjects in the Union.*


Yes, I should have better specified "accessible". If you ship to those customers, and make that publicly known, that appears to satisfy the intent to provide service to that country?

Add on language and currency, basics of accessibility, and you're meeting the definition AFAICT.


No if you aren’t a legal entity in the EU you have no presence in the EU.

If you would push for this the only thing that would happen is that companies would stop accepting orders from the EU.

If this is going to be the definition expect a lot of store fronts to be closed to EU residents following May 25th or more likely the first time this precedence will be set in court.


It seems a direct parallel of being tried for copyright infringement in USA when you have an offshore website - like O'Dwyer who had to bribe himself out of being extradited from UK to face charges of copyright infringement in USA. He'd never been there, didn't have servers there, and was acting legally in his jurisdiction of residence.

Similar things happened with USA's actions on Silk Road, KAT, with Kim Dotcom, and I'm sure many other legal situations I'm not aware of.

EU is seemingly extending logical contact to be equivalent to entry to a jurisdiction as USA appear to have established is desirable as a facet of inter-national application of law in the internet age.

I much prefer the extension of jurisdiction in protection of member states citizens rights than in the service of media conglomerates.


Copyright is enforced via local copyright holders / representatives, trade agreements and WTO rules AKA local or international law.

In no way shape or form does US law has a direct mandate outside of the US.

All the examples you've given were those of actions performed through established legal channels to which all parties had and have a saying in.

Extra-territorial application of the GDPR under existing frameworks (or the lack thereof) is tyrannical because you apply it to people that have had no saying in the establishment of the regulation and have no control over the interpretation and or the enforcement of it.


So, given that there's no DPA in the US (as far as I'm aware, there are also none in China, India, Australia, etc), how would the GDPR be enforced against an entity with no physical presence in the EU?


On paper it can’t. In practice since the EU expects EU entities to essentially mandate GDPR compliance form their non-EU partners in order to be complaint it’s is pretty simple at least for ecommerce.

PayPal could tell you you must comply to accept payments form the EU and likely in the same manner they handle everything which means no guidance, benchmarks or clear directions and it would be up to you to figure it out.

By PayPal I don’t mean just PayPal but any other payment processor or service provider which you are dependent on.


Yup. It's crazy to me that this law is going into effect without even such basic questions being answered.


I work for a startup in the EU and will be affected by GDPR. It's a nuisance but not a disaster. In fact, any small company that really can't employ good enough processes to comply is probably doing something very, very wrong.


It is nice that you think that but actually startups have the least amount of problems regarding GDPR. You can start coding with GDPR in mind (privacy by design) and you will hardly have a lot of problems. Big companies have huge codebases and databases and they will have to integrate privacy into them which is FAR more complicated than any startup can even imagine. On the other side, if you are doing startup where you want to use privacy breaching as a business model, then you shouldnt exist in a first place, so no damage done.


This is why I don't think it is. For far, far, far too long, startups have treated user data, privacy, and security as an afterthought. Now, they are going to be required to give consideration to those things. This can be nothing but a good thing. The age of "move fast and don't care about user data" is coming to a close, and all should be happy.


You suggest an exemption for startups? Wait until a Facebook decides to buy all their 'analytics' from a small startup they funded, basically circumventing the whole GDPR.


Laws are not code. You could have the exemption be based on the number of individuals whose data is processed, for example: Facebook can use as many shells as they want, but they'd still need to comply if they want to look at their massive user base, but my small business with a few dozen customers wouldn't need to worry.


If it is so typical, multiple examples please.


without trying to be harsh to EU, they do have a bad record. 2 examples: Cookie Law, EU VAT (by common admission it is a system that is impossible to implement correctly)


> It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.

Where's the burden? Only collect the data you need; tell people what you're collecting and why; only keep it for as long as you need; keep it safe.

These are not burdens.


They have provided a real-world example elsewhere in the thread. It really seems to support their point:

"Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics."


Well, he is not a company. So he doesn't need to do anything. If it's a personal website GDPR does not apply.

If it is a company. Yes, it will require more work. That is the nature of regulation, but the demands placed on companies are not unreasonable in any way. I would place it on the same level as stores being required to provide receipts, or restaurants being required to clean the kitchen. It certainly was easier when they didn't need to do that, but don't we agree it's an reasonable burden to place on businesses to guarantee an acceptable level of service?


My personal blog is registered to my company.

Restaurants being subject to local laws around hygiene makes sense. It would be far stranger for restaurants to be subject to health codes from across the world just because tourists occasionally visit.

I had no say in GDPR but am forced to comply, despite the overheard it entails without any actual benefit to user privacy (in my case).


So why is it registered to your company if it is your personal blog? To deduct taxes? If you are, you must derive business benefit from it. So it is in face not a personal blog.

Also, you can keep logs (with IPs) if the purpose of the log is to prevent abuse. If you are only keeping the log on because it was the default, that is a bad reason to keep them, and is not in compliance with GDPR.

If you are keeping the log because you are selling the data to Facebook for data analysis, and are sad because you have to turn them off for EU citizens. I’m not sorry that you are forced to comply.


> So why is it registered to your company if it is your personal blog? To deduct taxes? If you are, you must derive business benefit from it. So it is in face not a personal blog.

It's not strictly personal, in the sense that I post technical content which sometimes leads to me being hired for consulting engagements.

> If you are keeping the log because you are selling the data to Facebook for data analysis, and are sad because you have to turn them off for EU citizens. I’m not sorry that you are forced to comply.

I honestly cannot tell if you are trolling or not.

Do you truly think Facebook has a program where I can sell them my Apache logs of a few daily visitors?


He can also just choose to not log ip addresses.


Not logging IPs makes debugging and abuse detection much more challenging. Moreover, it is also the current default in most software which touches HTTP requests.


We could make it easier for states to find and prosecute criminals by not requiring warrants and making encryption illegal, but we don't (and we shouldn't) because the peoples' rights are inalienable, whereas the rights of states, corporations and other entities to interfere with that privacy are not.

Yes, it would be more challenging, and inconvenient, and probably a massive pain in the ass not to log IPs by default, but if the end result is a weakening of the power of modern social media companies (and political and law enforcement agencies) to exploit people's data for nefarious ends without consequence, then society as a whole, and the web, benefit.

Mind you, I don't necessarily believe GDPR is the solution, or that logging IPs is unreasonable, but I do welcome the conversation people seem to be having about who owns their identity.


You missed the part about the blog comments. He would also need to implement a mechanism which allows users to delete their old comments.


The mechanism is they send you an email, you verify it as you wish (have them post a comment using their credentials), you overwrite all comments from that uid in the db with a simple query?

If you're using a CMS then it's going to be type the username and hit "delete all comments"; maybe WordPress et al. do this already.

With a small blog the administration of that is going to be facile, surely.


Sure it is facile. But it is a burden and a exposure to risk, which wont be worthwhile for the most non profit blogs.

And by the way, most blog comment systems don't require you to create an account before commenting. So this "have them post a comment using their credentials" wont work anyway.


I don't have a login system for my blog.


Not to stretch out this comment any more, but are we seriously arguing that adding a delete button is hard? I mean, most people on here would agree that its not something they would worry about. It sounds more like people are upset they are forced to do it, and have no say in it.


How want you add a delete button with out adding a complete login system? Or do you want to allow everybody to delete every comment? And of course this is also doable, but the question is, is it worth for a non profit (non tracking) blog? Probably not. Is it worth for Facebook and Google? Sure.


Exactly. I'm not arguing it's impossible, but that it imposes a meaningful additional burden on small operators without any real benefit to privacy.

Personally, I don't even think people should have the right to go back and delete a comment from years ago, which might have started a whole interesting discussion. But the EU requires that I think through such a system, including finding a way to identify them as the commenter and purge their PII from all logs/backups/caches as well.


We argue why putting people in jail for not implementing a delete button is regulatory overeach.


> (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work

If the blog is purely personal the GDPR does not apply.

https://ico.org.uk/media/for-organisations/data-protection-r...

> The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

And if GDPR does apply you only have to do the extra work if the IP addresses can be used to identify a natural person. Note here "can be", not "is".

> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

> (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

And article 4

1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


"purely for personal/household activities."

IANAL but for me this doesn't sound like a blog, open to the public, maybe even with a public commenting system, would be freed from the burden of the GDPR.

IPs "can be", not "is" personal data

It doesn't help you that IPs are not always personal data, as soon as they can be, you have a problem if you store them.


They have a lot of users and GDPR is really tricky to implement when dealing with any manual processes.

Though they have a lot of users in the EU (population 700M), it seems that once they figure out how to do it for their 250M (?) EU users, expanding it to 2B users is not a huge stretch.


My point is that I don't think they have it figured out ;-) (and they have just over a month left!) I agree that once they get it sorted (which they will have to do), they will almost certainly roll out the majority of it world wide just because it is easier.


Very few companies (care to) understand GDPR and the full extent or its reach/scope. Most think that it's all about "adding the privacy policy to our website" and that's it.

When the flood of letters starts, THEN they will feel the true pain/essence/extent of GDPR.

E.g. when my bank will get MY letter asking them who they share my data to, and asking them to STOP sharing my data with friggin FB (WTF???) on their app.. it will be fun to watch them squirm.


Here's some help to make your bank cry a little: The GDPR Nightmare Letter -- https://www.linkedin.com/pulse/nightmare-letter-subject-acce...


I have yet to see a GDPR article with concrete , worked out example cases. I think EU should have published such a guide out. The law is more vague than a gospel.


It's not hard to do, but it limits a lot of stuff that their business is built on. So implementing it world-wide could have a negative business impact and will definitely impact the stock price in the short term.


> population 700M

You are probably counting 'Europe the continent' rather then the EU (where the GDPR will come in effect) which is rather lower at 525 million or thereabouts.


Yeah, I just Googled "EU population" and used the number Google gave, if I search "European Union population", then it gives 508M.


I predict Max Schrems will continue his legal cases against Facebook. He has co-founded an NGO (NOYB) which has raised €330k in donations & membership fees to use the GDPR to protect privacy. https://noyb.eu/


Indeed. If you care about getting Facebook to fix its issues without deleting your account, then donating to NOYB is probably an effective way to do that.

Schrems has basically single-handedly proven that Safe Harbor, and I think the Privacy Shield, too (soon to be decided) have been violating the EU Charter of Fundamental Rights and the right to privacy under the European Convention of Human Rights.


What does noyb mean? I can't see it anywhere and it's really frustrating me.


"None Of Your Business"

> What does "noyb" stand for? > > We use “noyb” as a brand name. The name was suggested by a twitter user, and is the abbreviation of “none of your business”, which fits quite well with the goals of “noyb”, because your privacy is none of a company´s business.

https://noyb.eu/faqs


I'm afraid that's none of your business, Mr Fastball.


If you're one of the people that fancies exercising your rights to the max: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...


> If you just say, "Oh I have consent" then the user can withdraw consent. If you actually needed that information (like the user's name!) then you are absolutely screwed.

Well, only screwed if they want to keep their account? I can assume that resulting in Facebook closing down your account.

All in all, I doubt millions of people will request data under the GDPR. But I guess the fines are significant enough to worry about it.


The really, really, really awesome thing about GDPR is that you can't deny service because someone wants to opt out of sharing their data. You actually have to keep their account active and make it work somehow. If you can't, then you are libel for a really huge penalty. I can't add enough smileys to that, so you will just have to imagine them.


> The really, really, really awesome thing about GDPR is that you can't deny service because someone wants to opt out of sharing their data.

That's actually pretty horrible. How about freedom of association and freedom to contract? These two are basic human rights. If one thinks their privacy rights are not respected they are free not to associate or contract and same thing for the entity on the other side of the contract, why should one party be forced to contract anyway? This is authoritarian. The basis of a free society is the freedom to contract and associate between individuals. If the GDPR makes that impossible and it's highly liberticidal.


It's a bit different - you can deny service to people; however, if offering or denying service is conditional on consent, then this means that this consent isn't freely given and thus "doesn't count", doesn't give you any rights to handle that data.

It's done in the same manner as with other consumer contracts - there's a broad range of contractual terms that (in EU) automatically are unenforceable if they're put into a "take it or leave it" consumer contract; GDPR clarifies that permission to use private data is one of such terms; this permission cannot be transferred by some term in a nonnegotiable contract.

I.e. if customer A clicks "agree", customer B clicks "disagree", and you deny service to customer B because of that - then this means that the "agreement" of customer A (and everyone else) is worthless to you, it means that these clicks don't indicate freely given consent and thus do not give you permission to use their data, as customer A can reasonably claim that they did not really want you to use that data in this manner and they clicked "agree" only because you'd refuse them service otherwise.

The legal wording is such that you can't (and shouldn't be able to) gain GDPR-consent unless the users actually want you to do the thing you do with their data; GDPR requires that they know what exactly you'll do, and they without any coercion give an explicit opt-in indication that they want you to do it, and they can freely revoke that permission.


> How about freedom of association and freedom to contract

How free are you when one of the parties is naive (in the context of the contract) and has little power, and the other party has the interest, the means and the power to force an unfair contract?

Freedom of association implies the freedom to NOT associate. Yet non-Facebook users are tracked by Facebook, without their consent.

Laws like GDPR are needed to help protect individuals from powerful interests.


It's not as bad as you imagine. Essentially, you can use data if you have consent, if you need it for a contract, if you need it for some "legitimate interest" (complicated), if you need it for regulatory reasons, etc. So there are plenty of avenues for using the data. The key is that you have to say up front under what "lawful basis" you are using the data. Each "lawful basis" has specific things the user is allowed to do and things the user is not allowed to do.

If you choose the consent lawful basis, then the user is allowed to withdraw consent. In fact, they are allowed not to give consent in the first place. If you choose the contract lawful basis, then the user can't withdraw without cancelling the contract. However, they can object if they believe that there is no reason you need the information to complete the contract. If you choose "legitimate interest", then the user can object and you have to show that the interest is indeed legitimate and that there is no other way to do what you are doing without the private information. One of the things explicitly prohibited is profiling. So it's quite complicated.

The key is that once you have informed the user of how you are going to use their data, you can't change your mind (within the same business context). This means that you have to be very, very careful. If you decide to use consent (in my example), but you should have used contract, then you are in big trouble. If you say that it's part of the contract but it's not strictly necessary to provide service, then you are in big trouble. Etc, etc.

One thing that I think will be very interesting is under what lawful basis FB publishes your real name. If it's consent, then you can withdraw it. If it's contract... do the really need you real name to give you service? Legitimate interest... Yes, potentially, but I don't see how they will get away with sharing your name with the whole world.

I'm very much looking forward to seeing how it pans out.


> If one thinks their privacy rights are not respected they are free not to associate or contract

We tried that. It didn't work.

> The basis of a free society is the freedom to contract

You cannot write any contract as you want. They are limited, and for very good reasons. One example is indentured servitude. It's basically a contract you voluntarily sign that binds you to work for a party for a duration of time. Does it sound reasonable at a first glance? It's considered slavery today and is almost globally banned.


> > If one thinks their privacy rights are not respected they are free not to associate or contract

> We tried that. It didn't work.

It did and still does work. People freely give away their information, giving up their rights to privacy, in exchange for services they want. I really don't see what the big deal is, and GDPR is a massive overregulation.


Freedom to contract isn't a basic human right, it also wouldn't affect companies acquiring my PII from third parties - as Facebook and the like did when harvesting address books.

In most (?) countries we deny the right to contract on many things, contracts that avoid taxation, contracts that involve selling human organs, contracts that make slaves.

It avoids power imbalances from causing desperate people to do things that dehumanise, disenfranchise, and devalue them.


> freedom to contract

I think you'll find this libertarian "right to enter into any contract for anything" doesn't exist in EU law.

The Charter of Fundamental Rights doesn't list it. It does list the right to protection of personal data.


Pretty sure Freedom of association is at least part of French constitution https://fr.wikipedia.org/wiki/D%C3%A9cision_Libert%C3%A9_d%2...


This is not about business associates, it's more about… think non-profits.


Article 12 of the Charter of Fundamental Rights of the EU has a freedom of association:

> 1. Everyone has the right to freedom of peaceful assembly and to freedom of association at all levels, in particular in political, trade union and civic matters, which implies the right of everyone to form and to join trade unions for the protection of his or her interests.

But I don't think the person I'm replying to above was thinking of labour unions. ;)


Companies aren't humans. They only have the rights we choose to give them.


> You actually have to keep their account active and make it work somehow. If you can't...

If you don't, not if can't. If you can demonstrate a reason that that piece of information is absolutely necessary for your service then you can deny service if the person doesn't want to provide the data. Otherwise you could submit a complaint about any delivery service for refusing delivery if you refuse to give them your address.

If you don't provide a reason why that data is necessary and still require the person to give it to you, then yes, you're in for some pain.


This is great in theory, but will it work in practice? That remains to be seen. I can't help but compare it to Javascript: technically, you can disable it in a browser, but most websites will promptly stop working properly.

Not that I'm against the GDPR. It seems to be a great law for consumers.


Is that not only the case for consent as legal basis though? If you're signing up to a service, then surely they can use fulfilment of a contract (with some very expensive lawyers drafting some nice ToS language), or legitimate interests (i.e. argue that a social network relies on real names etc to function)?

I see this turning into an in-app clicking contest though soon, a card comes up in the app with a little description, a cutesy graphic, and a "Consent" "No Consent" box to click before you can get to the newsfeed.


Yes there are two separate bases for processing of data, but the point is that consent cannot be bundled and made a precondition to another form of processing i.e. to provide a service.

Put another way, Facebook should not make the provision of a service (which technically should not require usage of data for other purposes i.e. marketing/advertising, ignoring any business model points) conditional upon providing consent for that other form of processing.

Bundling of consent means the consent is not freely given here because the user wants the service and so is less likely to refuse than if the consent decision was isolated from the provision of service.


> I just can't imagine they are prepared

It sure seems that way and I find it amazing. It has been known for a long time that the GDPR will come into effect in May. Maybe they thought they could lobby it away?


> Since the Ireland office is in the EU, it is subject to the GDPR. So that means that everybody outside of the US will be covered by the GDPR

Can someone explain this as my understanding is that only EU residents are covered by GDPR. So EU based companies do not have to comply with GDPR for non EU residents.

So this change to the user terms seems to me to have nothing to do with GDPR. The EU privacy law cannot be applied to non EU residents.


You must abide by GDPR if your organisation is based in the EEA [1].

Edit: Is further backed up by Recital 22 [2].

[1] https://www.gdpreu.org/the-regulation/who-must-comply/ [2] https://gdpr-info.eu/recitals/no-22/


> I'm a huge proponent of GDPR

Why?

From what I can tell it does three things. Limits the secret data collection market to the government and bad actors, limits new companies by creating an additional artificial cost of entry through regulation, and sets up infrastructure to allow government to block any arbitrary site.

Edit: Another tool given to them is the potential to destroy any small business anywhere on the globe. Think about that.


It sounds like they are preparing themselves to the wave of EU class action law suits about privacy, that the US won't be able to do, by limiting the number of users under EU scrutiny. Haven't we seen that sort of move by Google earlier before they got slapped in the the same way facebook is probably going to be?


This is a nice summary, but it is a little fuzzy on one key point, as I understand it:

Facebook is still going to legally operate out of Ireland to dodge taxes.


well if that is what they're doing it's not very useful, if I as a EU citizen do business with their US office they better follow the GDPR in relation to me or I'm going to mess with them.


Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: