Like any regulation, once enacted, it creates yet another reason to harass, burden and encumber businesses - no matter what business model they have or if they are shady or not.
Large companies truly love this. Their already considerable legal departments chew any new regulation the moment it appears while the newly erected walls keep those pesky startups away.
Small businesses do not even pay the price - they simply cease to exist, to be founded. It's a chilling effect. The prospective founder says "why bother with this shit when I can simply get a job?"
The visible end result: a Europe more and more hostile to startups, staying on the sidelines while the US wins the innovation race for the future. Fewer startups also means fewer large businesses (just look at the most valuable companies in the world, how many of those are European?) and thus fewer well paid jobs in the future (just check out the difference between an IT salary in the USA vs Europe).
Please provide actual evidence that it will do so and that small data processing businesses actually had to endure big legal fees due to privacy protections.
The lack of a start-up scene in most of Europe is caused by very different factors, mostly more conservative and less wealthy investors.
I think ”GDPR compliance” is not a binary thing - there are levels of compliance. No smaller normal company or Google or Facebook will be able to “fully comply” at any point in time. There will always have to be incremental improvements over time, hopefully in the right direction.
Also recognize that the obligations in GDPR "scale" with the size of operation/amount of data that is processed. For example smaller companies:
- are exempted from some of the record keeping obligations,
- may not have to appoint a data protection officer,
- may often not have to do data protection impact assessments,
- may not have to set up and implement some policies relating to data protection
- may also have fewer obligations when it comes to Privacy by Design (since reasonable costs are a recognized factor)
- may generally have fewer data processing activities that require consent (most normal personal data processing does not)
I would also forget about scares of 4% fines unless you are doing something really bad or do not care at all even after a fine, reprimand or warning from a Data Protection Authority.
My guess is that the "normal level of fine amount" will not change with GDPR for data protection violations in the EU (compared to current UK levels). This seems to be what the UK's Data Protection Authority (ICO) is going around and telling everyone as well (if I have not misunderstood).
Which makes it ripe for abuse. By making a regulation that is impossible to fully comply with, they have created a situation where any (or all) of the 28 countries in the EU can fine any company at will, because they're never fully in compliance. Further, individual users can seek compensation under GDPR - companies will be deluged with such claims.
Just having to depend on the goodwill of regulators who you think will just be attempting to enforce the spirit of the law is a terrible position to put companies in. When these countries and individual citizens are starved for cash, all of a sudden the letter of the law will be the only thing that matters, as is always the case with regulations that put all market participants in violation by default.
When it comes to compensation, you have to show what material or non-material damages you’ve suffered. Class actions are generally not a big thing in the EU. Sure, there is an exposure here but in practice I think it will be very limited, especially for smaller companies.
You realize that "material or non-material damages" can mean just about anything, right? If it were limited to "material" damages, that would at least impose some form of sanity. The way this is written, it's a free-for-all. Saying "I have had a lot of trouble sleeping since I found out that only 45 of 46 tracking companies were listed on the disclosure" is all it would take for an individual to obtain money from a company under this absurd regulation.
Assuming they do this - how much do you think a compensation payout for insomnia is worth? How many thousands of pounds do you think people would get?
I mean, those people can already do this, and they don't appear to do it, so I'm not persuaded GDPR will trigger a bunch of claims.
But now we have GDPR I wanted to state facts (as I understand them) so people can get a more nuanced view of what to expect and hopefully help them with how to deal with compliance in a reasonable manner.
A digital-advertising firm called AdUX recently closed a service that harvested location data from people’s smartphone apps to show them targeted ads, said CEO Cyril Zimmermann, because his firm had little hope of asking for—much less getting—consent from users. Instead, AdUX will aggregate data from bigger companies. He said the shift has cut into revenue. “For them, it’s easy,” he said. “The problem is, who knows AdUX?”
As they explicitly said, there is no way anyone would volunteer this yet somehow they think it is ok to abuse it just because they could.
This truly is wonderful.
Hopefully it will bite the giants the same way.
What is this supposed to be an example of?
- granular consent (like you might opt into a newsletter, but not retargeting ads)
- right to request what a company knows about you
- right to get that data in digital format (json, xml)
- right to know when your data is exposed in a data breach
- right to request that your data be deleted
- right to request that an organization stop processing data about you
fwiw - I wrote a bunch more about it (link) and am happy to answer questions.
I suppose someone could make a service that lets you request every known company delete your info.
No. If you process my data you can only give / sell it to other companies that are GDPR compliant.
People keep saying that GDPR means you must have consent, but that's not true for all forms of GDPR compliance.
If I have a small business with 5 employees, and I use a company to do payroll, I don't need to get my employee's permission to send their data to the payroll company. I do need to tell them it's happening, and give them the ability to query what data is being held and processed, and to make corrections to incorrect data.
Governments already have the tools to deal with market dominance: antitrust enforcement. The EC has three antitrust cases against Google. One decision has already been given, and the Android decision will be made sometime within the next few months. The Federal Cartel Office in Germany has opened a probe into Facebook.
That is the fundamental issue and it has nothing to do with monopoly.
Just like you need progressive taxation to not choke out the poor, you need progressive regulation to not choke out the small business.
> The 1-5 man bootstrapped start up does not.
In my current company we are only two developers and we will comply with GDPR; it's going to take us a week or two worth of technical work, it's really not a big deal.
I wish it was easy as just manually looking for user data after an email, deleting it, and keeping that email request as part of the 'audit log'. And getting affirmative consent during signup.
Most small businesses would be fine with something that casual.
EDIT: If you guys winged it by actually just reading the regulations and winging it, you probably did something wrong.
Most of the work in my company for GDPR is around user profiles; we store very little data about the users so we don't have that much to take care of. I guess if your business is to gather customer data, it's a completely different story.
If I use your service to store a photo of my mom, you now have a legal obligation to her even though you don't even know she exists. Any text that you store, you are required to know who is mentioned in it and give them tools for download, right to be forgotten, etc.
We have zero data on non-users so this part is not relevant to us, like I said it's not a data-gathering company. For the tools to download, remove data, consent... That's what I meant with that one or two weeks worth of work.
If I take a photo of a crowd of people and upload it to a cloud service, that does not create an obligation on either me or the cloud service to identify all those people and give them the opportunity to opt out (or in).
I own the copyright of photos I take. I don't need permission from people to take their photo in a public space. They have no right to ask me to delete the photo or remove their face from any photo that includes them. Even if I store it on a computer.
If I provide a service that identifies all the people in a photo, then I am storing personally-identifiable information and I need to give the person I have identified the opportunity to remove their data from my system.
That doesn't mean removing their face from the photo, but does mean removing the data that allowed me to identify them in the photo. There's a difference.
Accidental uploads of private data by the user are perfectly fine in terms of GDPR but you must allow for these to be removed on request.
If you automatically scrub them it is good, but you do not really have to do that. Telling the user how any pictures will be used and how to get rid of them is enough.
That's like screening all your binary executables for accidental inclusion of someone's name in ASCII amongst the bytes.
If I, party A, send a message to party B that happens to contain information about party C, party C does not get to see the messages between parties A and B just because it concerns them or has personally identifying information about them.
GDPR does not cover only data you collect through your primary business model but ALL DATA defined as Personal Information under the GDPR.
What you have to do is to provide a way to scrub accidental data leaks.
I'm thinking cases like "someone posted a picture of their friend with a cat on your site". Not explicitly labelled "send in a photo of yourself".
Or if someone posted another's address. You should respond to it at least on request, preferably earlier.
The discovery service is mostly to help people transition by checking their third party operators if they do not know who that is.
In the long run, it's good for all of us if those business models are discouraged.
I think the best thing to take away from GDPR compliance is 'it's not as easy as you think it is', 'it's not as obvious as you think it is', and small businesses who totally respect privacy will probably still be breaking GDPR.
The abuses are happening from these big companies, not the thousands of tiny startups that live and die within months that have a few hundred thousand users.
And startups that exploit users don't really provide much of anything anyway.
They can make it all opt-in fairly easily as a requirement for using certain features. People will blindly click and continue like normal.
For example, how do the decentralized social platforms (Mastodon, Diaspora) exist under GDPR?
The networks will not be able to process the data in other ways than making it available.
If you break someone's privacy laws you will be liable directly.
Probably also a note that data on this network cannot be completely deleted for specific technical reasons.
GDPR or not, that could already be judged as some form of stalking by the already existing national laws.
Edit, people don't seem to like that, but the fact is that just having saved the contact info of people who did not want it has already been used as sufficient proof in harassment (I think? "harcèlement") cases in France. I would be surprised if it was not already the case elsewhere as well.
I did not see anything in GDPR which does not make sense to me; it looks like common sense applied to data management.
I get a feeling you haven't tried to actually properly implement the GDPR regs, talking to lawyers and everything.
Which can be further shortened to:
common sense versus talking to lawyers
While interpretation of laws by necessity is at best difficult and at worst fraught with peril - reality in all its complexities is hard to catch in a few written pages - the legal profession has turned themselves into virtual toll collectors for anything related to law. Ask a lawyer about the legal implications of preparing a peanut butter sandwich and you'll be first presented with a legal disclaimer - pay me if you want advice - and then treated to a tale worthy of Lewis Carroll. GDPR is a $deity-send in this respect, good for many a year of steady income, especially given the stiff fines which threaten.
...which does not mean the person who used common sense to interpret the law is wrong. He is very much likely to be right and, having spent two weeks of technical work to prepare their infrastructure, they're probably set to fulfil the obligations the law puts on them. It might need some fine-tuning here and there but that can most likely be handled as well without incurring the wrath of the courts.
In short, talking to a lawyer about being able to do something like this by yourself is more or less guaranteed to give the same reply as e.g. talking to someone who does data rescue whether you could replace the head stack on a hard drive by yourself. In both cases it is possible as long as you're careful and use the right tools, in both cases the answer will be 'you could do this at your own peril, disaster is waiting to strike, you take up enormous risks, let the professionals handle it'. Which is true to a certain level, there are risks just like there are risks in any venture.
It's a lawyer's job to worry about everything that could go wrong, and assume a worst-case scenario, but surely in many cases GDPR will be about the spirit of the law rather than the letter?
For example, while I personally think the backing-up-now-deleted-user-data issue is not insurmountable, assuming it's not, I cannot imagine that these 'small companies' will be fined left and right for failing to remove a user's data from every backup. And that's even assuming that there's a high likelihood that said backups will be investigated.
To make an analogy: there are quite a number of regulations in effect concerning invoicing that are flagrantly violated by almost every single small-business owner that I know. Some of them have won the 'audit-lottery' and did not suffer any significant consequences, because their transgression was relatively minor (stuff like correcting an invoice and sending it without properly sending a credit-invoice first to nullify the initial invoice).
Again, I'm way out of my depth here so by all means yell at me for being irresponsible about this :).
- How big is "probably"? 5% chance? 0.01% chance?
- Maybe they will only investigate the big public giants, or maybe they will respect maliciously intended complaints from competitors?
This is why, for example, Delaware is the chosen state for corporations -- case law is settled and has a very predictable legal framework. In the absence of data, it's hard to know WHERE people will get the hammer.
Doesn’t seem to make a whole lot of sense.
Guys, debating with you is a blast, but if you keep downvoting all correct information because it doesn't match your gut feelings you'll just become even more of a circlejerk of what you already have here.
You are being downvoted because you are factually incorrect. IP addresses are only personal data if you can identify a natural person from them. You can't do so unless you've linked them to other information. Thus, by themselves IP addresses are not personal information.
Article 4: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...
> 1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Keyword: indirectly. There's plenty of literature regarding IP and GDPR.
"The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information would be combined, the website provider could find the identity of the person behind a certain dynamic IP address."
And many others up and including the gdpr preamble
Please stop confusing the readers on the matter.
In particular, if the website operator cannot legally access third party information that could be used to identify an IP address owner, or if access to such third party information is “practically impossible”, then the IP address is not personal data from that operator’s perspective.
There ya go. You suckers can keep downvoting facts as you wish, reality won't care.
It's not like downvoting these posts changes the GDPR wording and definitions, guys.
Here is another piece of GDPR PII:
9-5 Allée des 4 Vents
69160 Tassin-la-Demi-Lune, France
Random address I pulled from google maps of someone's house.
Who is 220.127.116.11?
Etc. That's what the European Court of Justice said last time it was called to determine whether IPs were personal information or not. What are you gonna do now, downvote the proceedings?
> an internet service provider ("ISP") has a record of the temporary "dynamic IP address" assigned to a particular user's device (potentially identifiable data); and
Here they're not talking about "IP addresses", they're talking about "IP addresses assigned to particular users".
> In answering the BGH’s first question, the ECJ confirmed that dynamic IP addresses are considered personal data within the meaning of the Directive in circumstances where the data collector (e.g., a website operator) is likely or reasonably able to obtain information from a third party that would allow it to identify the user.
This clearly says that an IP address by itself is not personal information. It only becomes personal information when you can identify a natural person - when you link it with other data.
> reasonably able
It clearly states 'legal means' to identify the user. A subpoena is a perfectly reasonable and legal way to disclose an identity from an IP and doesn't require access to any other personal data, merely that such a link from IP to identity exists. The link is the "third party information to identify the user". It's not that you correlate an IP with a cookie or other technical means. You have to get out of the engineering mindset.
I think it’s good that EU tries to eradicate “let me steal and sell your secrets” business model that most SV startups are built on
Everybody in the business knows that big companies become targets.
Therefore for startups it's a land grab, aka break as many social rules as you can before getting big enough to get noticed.
The most immoral companies around are the startups. The difference being that they don't have the resources or the reach of big companies. But that's no excuse.
On progressive taxation, that's simply a tax on productivity, plain and simple. The majority being made of people that earn minimal to medium wage and of socially assisted folks, it's simply a way to increase taxes without pissing off the electorate. And it's choking the middle class and the small businesses.
And that's because the big companies and the big earners have good lawyers and accountants that can come up with legal tax evasion schemes. The EU can't wait to fine the likes of Google and Facebook, as they've been evading a lot of taxes ;-)
NO THEY WON'T. This is just untrue. We've had decades of regulation - the regulators are not new - and so you can see how they work. They do not pursue everyone looking for easy cases. They go after the worst offenders, and they write letters asking them to come back into compliance.
There are also some relaxed rules in GDPR for SMEs.
A company that can afford to comply with the regulations can squash competitors who can't without being a monopoly.
And even companies that are declared monopolies benefit from burdensome regulations in the sense that people thinking of starting startups that might compete with them decide not to.
In fact the law requires us to do many things for other people without compensation. Part of the give and take of living in society.
EDIT: regarding response times, I found a breakdown:
Obviously this kinda-example ignores the point about forced forgetting which will be interesting in many ways; the astroturf market for example.
In most cases that will be considered "repetitive" and "excessive" - Art. 12 (5) - and businesses will be allowed to charge for fully responding to your "button presses".
This is similar to outlawing free speech and then blaming everyone else for not doing the same because free speech keeps leaking back across your borders. Non-EU corporations will get the intel business, and that's a good thing. A demonstration of why sovereignty is important in the WOGPC.
You block their companies from doing business in the EU. You confiscate bank accounts set in the EU, you confiscate shipments to/from the EU.
Regardless the US decided to 'bring em democracy' which in this case translated to seizing their domains, freezing assets in banks worldwide, and staging arrests in all nations with extradition treaties. This cooperation by banks was quite surprising and disturbing, but I suppose the US is in a position to make them an offer they can't refuse. It's unclear if the EU would go the 'Team Merica' route, but we're increasingly deciding that laws are no longer constrained to borders.
As much as the "cookie law" was enforced. 99.9% of all websites on the net were in breach. To people supporting this under the pretense of fighting for privacy: it will have no effect on Facebook's or Google's business model.
As a hacker, I enjoy the spirit of the thing. It’s nowhere near as dumb as the cookie pop-up law. Categorically I would prefer default third party services to flush logs rather than retain.
As a founder, the cruel business logic very much favors removing support/refusing to onboard European users.
Your exposure is in a fine for 4% of global revenue or 20 million euros. Whichever is greater. No big deal. Europe may make up 10% of your revenue. The effort is going to decrease resources by 20%+ in the short term, add unknown long term complexity and overhead, and longer term employing a compliance officer. Also can we go back to the 20 million Euro fine thing for a second? Any potential acquirer is going to want to double down on diligence before assuming risk like that.
The requirements initially seem innocent enough - ability to hard delete/export user history. Easy right. Some notes from my meeting with legal:
Well what about backups?
Do you retroactively go through your backups and remove R2BF users? Do you only keep backups for 6 days? What happens if you delete the user and restore from a 5 day old backup? Do you keep a second list of users who requested you delete their data - and if so how do you store that? How do you now represent activity that materially affected other users still on the platform? Is this subbed out with a "blank shadow" user? The legislation very much does not solve for the recursive logic of "how do you track users who've requested deletion". Counter-intuitively we would now have to log more user activity so we can gracefully handle rendering deleted data. Why do we have to file with a third party that we've deleted info on a user that requested we remove all trace of them?? What if a user enters PII in table entries owned by other users through that other user's account? What if they do it through a third party API? Speaking of, how do you ensure your third party API partners are in compliance? What if a user enters PII in a field that you thought should have no PII in it? How do you treat EU citizens using your service outside the EU vs inside it? What if they use it in both places? What if you have an American user who happens to be located...
Sure most of these are solvable along with the other hundred edge cases not illustrated, but for bigger apps at 50+ person companies almost every one of those points is a bullet point in a meeting that requires nuanced development from multiple stakeholders. Don't think it's hard? Try rolling into a meeting at Twitter and explaining to them how easy it would be to add a button that lets you edit tweets. Some requirements are a BFD - you can imagine how things went over in a meeting where we half-jokingly suggested we no longer make backups rather than take on the burden of implementing a backup policy that may or may not be compliant with a new law that has no precedents in court to guide drafting a spec.
The net result is implementing it with the least effort and suddenly it's just this dogpile of kludgey UI popover screens that people click through without reading and TOS updates and mandatory log outs and a lot of other things besides that add overhead to make it "non-trivial."
It’s a big deal because pre-series A startups will choose to avoid these waters rather than navigate them.
All your remaining points seem more easily solved than the backup bit, but I do not understand what could be so hard about deleting a user from a backup. Perhaps I'm dumb, but just go in there and delete it retroactively? If it affects other users, that's ok. They see a [deleted] a la Reddit.
You're not responsible for ensuring the API partners are in compliance. Those companies should have to fend for themselves.
When you delete everything you stored about a user, you also delete all potential personally identifiable information, so I again do not see what the problem is.
It just sounds like a bit of whining from where I am standing. It's like a small bridge builder saying "but the standards are too damn hard!". We start with the end goal of safe bridges and safe users and then go backwards. Not the other way around.
The easiest way to comply with it would be have a list with all user deletion requests stored somewhere else and every time you restore from a backup, you also apply this list from the backup. But have you really deleted users if you keep backups?
It certainly sounds like the possibility of deleting all your users might actually make us all more careful, less gun-slinging, shoot-from-the-hip programmers.
I do backups for a living. I do them on tape, every day, and then once a month a truck takes them to a dedicated safe. 6 backups are incremental, one is full. Please explain to me how I'm going to delete one single user. Thank you.
You could also keep a record of "to-delete" primary keys in event of a restore along with your backups.
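The "apply a deletion list on every restore" design sketched in the two comments above, written out as an added example that is not code from anyone in the thread. It uses SQLite as a stand-in for the production database, serialises the whole database to a SQL script to simulate a backup, keeps the erasure ledger in a plain dict that is assumed to live outside the backup stream, and replays the ledger after a restore so a pre-erasure snapshot cannot resurrect an erased account. The schema, table and function names are all assumptions; the point is the erasure path being idempotent so it can be re-run after any restore. Erased users are tombstoned rather than deleted so that posts by other users that reference them still render as [deleted], and the ledger stores only the surrogate key, never the email or name.

```python
"""Erasure ledger replayed on backup restore (constructed example)."""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT,
    display_name TEXT,
    erased INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE posts (
    id INTEGER PRIMARY KEY,
    author_id INTEGER REFERENCES users(id),
    body TEXT
);
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn):
    # Constructed sample rows, not real people.
    conn.executemany(
        "INSERT INTO users(id, email, display_name) VALUES (?, ?, ?)",
        [(1, "alice@example.com", "alice"), (2, "bob@example.com", "bob")],
    )
    conn.executemany(
        "INSERT INTO posts(id, author_id, body) VALUES (?, ?, ?)",
        [(10, 1, "hello"), (11, 2, "hi")],
    )
    conn.commit()


def take_backup(conn):
    """Simulated backup: dump the whole database as one SQL script."""
    return "\n".join(conn.iterdump())


def restore_backup(dump):
    """Simulated restore: rebuild a fresh database from the dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(dump)
    return conn


def _apply_one(conn, user_id):
    # Tombstone the account and blank the content it authored. An UPDATE on an
    # already-erased row is a no-op, so replaying the ledger is safe.
    conn.execute(
        "UPDATE users SET email = NULL, display_name = NULL, erased = 1 WHERE id = ?",
        (user_id,),
    )
    conn.execute("UPDATE posts SET body = NULL WHERE author_id = ?", (user_id,))
    conn.commit()


def erase_user(conn, ledger, user_id, requested_at):
    """Record the request in the ledger (surrogate key only), then apply it."""
    ledger[user_id] = requested_at
    _apply_one(conn, user_id)


def replay_ledger(conn, ledger):
    """Re-apply every recorded erasure; run this after every restore."""
    for user_id in ledger:
        _apply_one(conn, user_id)
    return len(ledger)


def author_label(conn, post_id):
    row = conn.execute(
        "SELECT u.display_name, u.erased FROM posts p "
        "JOIN users u ON u.id = p.author_id WHERE p.id = ?",
        (post_id,),
    ).fetchone()
    if row is None:
        return None
    name, erased = row
    return "[deleted]" if erased else name


def user_email(conn, user_id):
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Erase a user, restore from an older backup, replay the ledger."""
    ledger = {}  # assumed to be stored outside the backup set
    live = new_db()
    seed(live)
    backup = take_backup(live)  # taken while alice is still present
    erase_user(live, ledger, 1, "2018-05-25T00:00:00Z")
    restored = restore_backup(backup)
    before = user_email(restored, 1)  # erased data is back after the restore
    replay_ledger(restored, ledger)
    after = user_email(restored, 1)
    return before, after, author_label(restored, 10), author_label(restored, 11)


if __name__ == "__main__":
    print(demo())
```

The ledger is the one artefact that must not be inside the backups it is meant to correct, and it is the one artefact that must be kept for as long as any backup that predates the erasure exists; once the last such backup has aged out, the ledger entry can go too.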
All of this should have been implemented a long time ago, some European countries demanded this already.
I am surprised by the lack of imagination of people if they don't want to implement something (too burdensome, technically impossible,...) who can come up with decent solutions if it fits them.
A little anecdote for this: Recently I wanted to buy some insurance. The insurance company demanded wide leeway in handling personal data which by law (in Germany) has to be opt-in. I returned the paperwork, explicitly stating that I do not consent to use of the data beyond what is strictly necessary for the contract. I was told that the contract can be made only with consent and that I could revoke consent later (the latter is mandated by law). What a bullshit show. I am looking forward to GDPR coming into effect to give these businesses a middle finger.
Want to hoover up all available data, well then you'd better go to great lengths keeping it safe.
Find yourself holding data that you now need to do something about? Delete it, unless it's business critical.
I really don't buy into this idea that the backups thing is that hard of a problem: if you're a startup, you'd design your infrastructure from the ground up with GDPR in mind which is going to put you in front of the competition and incumbents.
Is it really, really, really that hard to have something that deletes stuff from backups? How long are we planning to keep backups anyways? Surely, when a user requests their data to be deleted it can be deleted from the main production database. Then when that db is backed up it'll overwrite previous versions (this new update then replicated out to other places) and just like that you've successfully (and easily) removed all applicable user data from all current db's and backups...
I understand your sentiment, but I think dismissing the issue of barriers to entry for small businesses is very shortsighted. Remember that excessive consolidation in the Internet industry is what led to the wholesale violation of consumers' privacy in the first place. So enforcing stricter data handling rules and protecting small businesses' ability to compete are two sides of the same coin. To truly protect consumers in the long run, regulators need to address both issues in a comprehensive way.
There is really no perfect way to do it, and it speaks to how unreasonable 'the right to be forgotten' actually is. When did people ever have a right to be forgotten? No one can force me to forget embarrassing things I've witnessed others do, and vice versa. The same goes for my local copies of photos, videos, diary entries, etc. of such events. Can't make me destroy those love letters you sent. You can't instigate a county-wide manhunt to destroy copies of every local newspaper that covered you in some way you want to forget. You cannot delete most of your public records in real estate, justice, business, etc. You cannot start fresh on your credit history whenever you want.
Sure, there is more easily accessible data on the average person with the Internet now, but the majority of the types of data already existed in the pre-Internet-era, perhaps with the exception of ad profiles. Consider all of the political scandals (particularly ones that happened long before they were unearthed) in the pre-Internet era.
So, what about when companies have data breaches and expose your data? I think they should absolutely be held liable. But it should be their choice to choose to be liable and determine how much they would need to forget to avoid liability. Furthermore, all of the active users are still compromised with GDPR -- only the people who opted to be forgotten benefit. So instead, there needs to be a framework for addressing data breaches and poor security, rather than deleting every trace of a specific type of data profile that a user and/or associated users posted on your platform.
> only the people who opted to be forgotten benefit
That is not true. One of the main points of GDPR is that you only store data as long as it is reasonable for your business. If I haven't been a customer at a store for 5 years, I can fully expect that my data has been deleted. How long reasonable is will be determined in the court, but I expect it is going to be in the customers favor.
Exceptions for slander and copyrighted information (e.g. photos) that were posted by other users? (or even regular content posted by the user that they 100% own) Absolutely -- but even in these cases, requiring that the third-party platform owners track down all potentially offensive content (much of which may be posted by other users) and then purge every layer of their backups after removing the offending content is overkill and shifts the responsibility away from the offender (whoever posted the content, even if it was the user himself) to the platform owner.
Ultimately, the ability to un-publish content you own that you published should be sufficient regulation-wise, and most popular platforms already enable that as a basic feature.
It's not about undoing participation in information sharing. GDPR does not require Wikipedia to delete everything I've contributed, but the fact that I have contributed is subject to be deleted if I request so. Furthermore, there must be explicit opt-in, and that is a good thing.
It's a trivial problem to purge from the backup, really. It's not a hard problem to solve. Many companies have done so before, and now we might even see standard tools to do so.
The Rehabilitation of Offenders Act came into force in the UK in 1974, so over 40 years ago.
Do it, that's fine. I'd prefer to know if you can't be trusted with my data.
People whined about HTTPS; it was often an afterthought. Now you wouldn't dream of submitting stuff via HTTP. GDPR will be the same, just on a business level instead of a technical one.
> What if a user enters in PII in a field that you thought should have no PII in it?
> What happens if you delete the user and restore from a 5 day old backup?
> What if they enter PII in table entries owned by other users through that other users account?
A lot of these are red herrings, put in there to muddy the debate. Mistakes happen, the GDPR "punishments" acknowledge that. On the other hand, many companies already treat free-form user entered text as sensitive information. Everybody who's been neglecting privacy will have a bad time adopting this. Technical debt or over-complicated systems will also make it harder, but that is also to be expected.
> How do you ensure your third party API partners are in compliance?
If I had to guess, for many companies outside the EU, this is going to be the biggest issue.
One of my main issues with GDPR is the increased Red Tape. If I need customer data for whatever reason, extract data and deliver to Risarkivet (required by law every now and then), I must get a Data Processor Agreement. Fair enough, except if I need to do a different thing the customer asks me for, I need a new DPA. Only thing that'll happen is that we have a standard made by Datatilsynet, put in customer details and job detail, and that is it. A mail provides exactly the same, it could even reference the standard DPA. That just isn't accepted by the law. I guess middle managers need something to do as well.
After consultation with GDPR experts, this, unfortunately, is the conclusion we came to at my company as well - and is the same one that many other smaller companies will arrive at as they try to comply with this unwieldy and burdensome regulation. It might take a few years, but the incredibly unhealthy end result of this law will be two Internets: one that people in the EU have access to, which will mostly be operated by large companies that can afford to implement GDPR, and another including all sites that the rest of the world can access. My guess is that this will also have a significant negative impact on EU startup funding, as the risk of being wiped out by fines for even minor violations of this very complicated law that is subject to unique legal interpretations in each of 28 different countries is quite high. Few investors are going to take on that kind of risk.
In short, this law is already on track to create a fractured Internet that deprives EU citizens of access to the vast majority of Internet services, and consolidates the private data that their regulators are so worried about in the hands of a few giants.
Also, why does a company or anyone else "own" personally identifiable information in the first place? The logic is completely inverted and we seem to have all been OK with it in the first place. Why does a company like Facebook "own" what is mine from the beginning — is it just because it is in a row in their database? Is it because I once clicked OK on a TOS? Now I can revoke this consent and Facebook and others have to comply. Previously they could just tell me to FO. Sounds like a great win for users!
The issue isn't really even about any desire on the part of companies to abuse personal data. It comes down to the many ways that even companies with the best of intentions can violate this regulation.
It is also trivial to enforce a routine manual scrub of small amounts of private data.
The only people who might have trouble are "small" data resellers having millions of accounts of personal data. It is good they will have to comply.
If you're using a third party service, you will have to use it with prejudice. No more randomly including J. Random noncompliant Ad Agency as a middle man illegitimate handler and washing hands of it.
Guess where the air is purest?
Not the EU, that's for sure.
Archives should be pruned.
* User A requests to be deleted and is deleted from prod.
* Deploy bad code between backup 1 and 2 - oh noes prod is corrupted!
* Restore backup 1, which restores user A
So - how doesn't this work for GDPR?
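Both the "trivial to purge from the backup" claim above and this backup-restore sequence come down to the same defensive pattern: keep an append-only erasure ledger outside the backup set and replay it after every restore, so a restored snapshot cannot silently resurrect an erased subject. The following is an added illustration, not code from any commenter; the in-memory `Store`, the `Erasure` record and the hypothetical field names are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Erasure:
    user_id: str          # data subject identifier (hypothetical field name)
    erased_at: datetime   # when the erasure request was fulfilled

@dataclass
class Store:
    users: dict = field(default_factory=dict)    # stand-in for the prod database
    ledger: list = field(default_factory=list)   # kept OUTSIDE the backup set

    def erase_user(self, user_id, now):
        self.users.pop(user_id, None)
        self.ledger.append(Erasure(user_id, now))   # record the fulfilled request

    def snapshot(self, taken_at):
        # back up user data only; the ledger is never part of a backup
        return taken_at, {k: dict(v) for k, v in self.users.items()}

    def restore(self, backup):
        """Restore, then replay every erasure fulfilled after the snapshot. Older
        erasures are skipped: a subject erased and later re-registered keeps the new account."""
        taken_at, users = backup
        self.users = {k: dict(v) for k, v in users.items()}
        for e in self.ledger:
            if e.erased_at > taken_at:
                self.users.pop(e.user_id, None)
        return set(self.users)

def _t(hour):  # constructed timestamps, all on one arbitrary day
    return datetime(2018, 5, 25, hour, tzinfo=timezone.utc)

def scenario():
    """The sequence from the post above, on constructed sample data."""
    s = Store(users={"A": {"email": "a@example.invalid"},
                     "B": {"email": "b@example.invalid"}})
    backup1 = s.snapshot(_t(1))        # backup 1 still contains user A
    s.erase_user("A", _t(2))           # A is erased from prod
    s.users["B"]["email"] = "corrupt"  # bad deploy corrupts prod
    return s.restore(backup1)          # -> {"B"}: A stays erased, B repaired

def reregistration_scenario():
    """Edge case: an erased subject signs up again before the next backup."""
    s = Store(users={"A": {"email": "old@example.invalid"}})
    s.erase_user("A", _t(2))
    s.users["A"] = {"email": "new@example.invalid"}   # fresh sign-up, new data
    backup2 = s.snapshot(_t(4))
    return s.restore(backup2)          # -> {"A"}: the new account survives
```

The ledger only needs subject identifiers and timestamps, so it can be retained far longer than the backups it is replayed against without itself becoming a store of personal data.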
Now let's try to figure out that tricky backup problem!
Good one, hadn't even thought of this. I planned on my VPN provider handling off-site backups for me, but this would mean I'm unable to delete a user from backups.
Does anybody have a solid solution for this?
It's not fucking hard, although a lot of people seem to be struggling with the concept of not hoarding data, or privacy in general.
So you don't have to do every single thing perfectly, just have the basics done properly and be willing to fix things as they are shown to be broken.
Well, unless your broken system leaks millions of users' data into the wild I'd guess you're pretty safe.
I still think it is illegal for those other agencies to spy within the home country. Not to mention countries they don't have agreements with.
The home agency does not do anything illegal itself, but the other agency does illegal stuff for them.
I generally feel positive about the law but I'm curious how this feels from a position of paranoia. (Very tangential followup this is just the first time I've seen intelligence agencies and GDPR mentioned at the same time).
This is a mixed blessing.
Laws like RIPA (in the UK) sound draconian and scary, but they do mean that almost all law enforcement activity comes under a legal framework and that there are checks and balances on use of investigatory powers.
The UK has more CCTV than any other country in the world, but now CCTV is regulated by the information commissioner. We even have a surveillance commissioner to look at what the security services are doing.
This is exactly what I said back in November.
Stuff Facebook has tracked, despite not using their app on my phone (preloaded but completely disabled) and using their website only with uBlock Origin:
a) everywhere you ever used Facebook to login to a website. I thought I never did this but apparently I still had 5+ websites linked to this. They seem to use this to profile you. Facebook mentions about this _"These are active apps and websites. This means that you recently logged in to them using Facebook, and they can request information you've chosen to share with them."_ I never wanted to share anything, but Facebook often changes settings or pretends I did
b) every time you connected an app to your Facebook account. Apparently I again did at a few times (to easily upload some photos). I also saw old phones in here, Runkeeper (don't recall using that), Tinder (haven't used in years). All of those seem to forever be able to get information from you.
c) topics (yet another new name). Not sure how they figured things like that out. Fortunately you can completely disable the personal tracking, though you need to do that in various different places.
d) advertisers who added their contact list to Facebook. Really!! So some other company shared my details with Facebook. Which means they've also shared details of people not using Facebook with Facebook.
e) used websites and apps. This is surprisingly accurate and complete (hundreds of sites+apps!), despite having the Fb app disabled plus always using uBlock Origin. I really wonder if they somehow are able to retrieve the browser history. It seems Facebook also tracks you using "apps using Facebook technology", which I guess is a library to show ads or something which uses the app permissions to further track the user.
f) it uses your profile (relationship status, employer, job title, education) to target ads
g) somehow puts you into categories. E.g. "uses a mobile device (xx to xx months)". I disabled this crap yesterday, it updated it today with more information. I assume through Whatsapp/Instagram or maybe some kind of Facebook ad library? Again, I don't want it to track me, yet they seem to be easily able to do this. I turned off all the settings but apparently still missed a few.
i) ads topics. Not sure how topics differ from the 3 other ways they call this.
j) your location. It doesn't show what it does with this. You cannot disable the location tracking; it suggests to turn it off in the phone settings (which is a cop-out). I'll need to download my data to further determine this. I'm pretty sure Facebook is big enough to figure out additional ways of location tracking than just what Android/iPhone allows.
k) websites visited. I assume any link clicked. This is somehow different than all the other ways it already showed websites.
l) the existing "Who can contact you using email address / phone number". It says "Who", but it is used for the API as well, that's not a user so I find the usage of "Who" misleading.
Despite doing all of this, still not sure how to prevent something like Cambridge Analytica from downloading my data through others ("friend"). Further as I already mentioned it seems to continue tracking me despite turning everything off. Not cool.