Thus, complying with something somewhat ambiguous like the GDPR is still an expense -- of time, money and risk -- that many small website owners won't be willing to spare.
Look, it's not hard to encrypt all personally identifiable information; there are ready-made frameworks that let you choose which DB columns you encrypt and how. You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that.
The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).
Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.
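The per-user-key scheme described above (generate a key when the account is created, encrypt that user's columns with it) also gives a clean way to honour a deletion request: discard the key and every ciphertext for that user, backups included, becomes unrecoverable. The following is an added illustration, not code from any commenter or framework; it uses AES-256-GCM from Go's standard library, and the in-memory map stands in for a separately access-controlled key store or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// ErrNoKey is returned once a user's key has been erased (or never existed).
var ErrNoKey = errors.New("no key for user (erased or never created)")

// Store keeps one random data-encryption key per user. In production the keys
// would live apart from the database rows they protect; a map stands in here.
type Store struct {
	mu   sync.RWMutex
	keys map[string][]byte // userID -> 32-byte AES-256 key
}

func NewStore() *Store { return &Store{keys: make(map[string][]byte)} }

// CreateUser generates a fresh 256-bit key at account creation time.
func (s *Store) CreateUser(userID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.keys[userID]; exists {
		return errors.New("user already exists")
	}
	s.keys[userID] = key
	return nil
}

func (s *Store) aead(userID string) (cipher.AEAD, error) {
	s.mu.RLock()
	key, ok := s.keys[userID]
	s.mu.RUnlock()
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one column value under the user's key. The user id and
// column name are bound in as additional authenticated data, so a ciphertext
// cannot be quietly moved to another row or column and still decrypt.
func (s *Store) EncryptField(userID, column, plaintext string) (string, error) {
	g, err := s.aead(userID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	aad := []byte(userID + "\x00" + column)
	ct := g.Seal(nonce, nonce, []byte(plaintext), aad) // nonce || ciphertext+tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; it fails with ErrNoKey after erasure.
func (s *Store) DecryptField(userID, column, encoded string) (string, error) {
	g, err := s.aead(userID)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := g.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	aad := []byte(userID + "\x00" + column)
	pt, err := g.Open(nil, raw[:ns], raw[ns:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EraseUser is the crypto-shredding step: deleting the key renders every
// ciphertext for that user unreadable, wherever copies of it still sit.
func (s *Store) EraseUser(userID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[userID]; !ok {
		return false
	}
	delete(s.keys, userID)
	return true
}

func main() {
	s := NewStore()
	_ = s.CreateUser("user-42") // constructed sample account
	ct, _ := s.EncryptField("user-42", "email", "alice@example.com")
	pt, _ := s.DecryptField("user-42", "email", ct)
	fmt.Println("stored:", ct[:16]+"...", "decrypted:", pt)
	s.EraseUser("user-42")
	_, err := s.DecryptField("user-42", "email", ct)
	fmt.Println("after erasure:", err)
}
```

Note that key rotation and auditing of who may call EraseUser are still the operator's problem; the pattern only makes deletion enforceable across copies of the data.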
Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill to lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.
The really ironic thing about this is that Streetlend imagined itself “ethical” when its entire business model was selling your data...
The GDPR isn’t really that hostile to small business and it doesn’t require an understanding of law. You can hire a data protection officer at a legal firm for almost nothing, and as long as you follow their advice on how to pass audits, you’re really not in trouble.
That being said, the GDPR is really hostile toward startups trying to make money the same way Facebook and Google does. You need to have a massive legal department to do that, and Streetlend obviously did not. But is that really so terrible?
It may call for a new business model for the internet, and that may seem impossible right now. But do you remember when the EU outlawed environmentally shitty lightbulbs and everyone said we were going dark because it was impossible to do anything else? Today 95% of lightbulbs are LEDs because of that.
Startups will find a way to make money that isn’t selling your data.
If you mean he just slapped some Amazon ads on his site to support his side project, then accusing that guy of "selling your privacy data" requires quite a bit of mental gymnastics and is a pretty dishonest description of the facts.
The blame here is wholly with the users for putting their data online in the first place (really, you can go a very long way with email@example.com!) and especially Facebook for providing the framework that enables this all.
*edited for grammar
Blaming users for providing their personal data is strange -- if the implication is that nobody should provide their personal data because it can be abused then is it not obvious that the use of personal data should be regulated?
If the majority of banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?
As for the Amazon bit, I think you're underselling it. Amazon tracks users in arguably unethical ways (due to the lack of consent, and the scope, and the inability to opt-out) and displaying their ads is inflicting that on your users. If you care about your users' privacy (which is what GDPR is trying to enforce) then you would know that "just slapp[ing] some Amazon ads on [your] site" is not the correct approach to handling users' personal data. I do agree it's not trivial to handle GDPR if you don't have a lawyer (though you can get a data officer from a legal firm), but complying with laws is part of doing business.
See, I disagree with this very premise. Why is it true? It's _not_ my data; it's data about me. Even things like pictures, once shared, are no longer under my control. I actually feel it's fundamentally dangerous to make users think they actually control data they don't.
> If you care about your users privacy (which is what GDPR is trying to enforce)
I also disagree with this. The GDPR doesn't do anything to make companies handle my data more carefully or responsibly.
If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely. The rest of my data is no different. I own my data and the data about me, not them.
GDPR gives users the controls and governance over their data that should have always existed, but that tech companies gaslighted users into believing doesn’t exist.
This is where it becomes murky for me.
If you send me that photo via email, should you subsequently be able to revoke my access to that photo. If so, by what means?
If you used a closed messaging system (say Facebook's messaging system, or Apple's Messages), should you be able to revoke access?
If you follow the argument a hop, skip and a jump away, what happens if I submit a photo to a publication and they run it on their website? Can I revoke access? What if that publication has published that photo in a physical form?
i.e., where is the line where a reasonable person should expect that the data they have willingly shared/published has slipped beyond their control?
All other rights are reserved. Would it change the dynamic to be able to revoke access to assets in a private messaging system? For sure. But copyright law (at least in the US) supports this right of the copyright owner. The inability to revoke access is a failing of the tool or the product, not the law.
> The inability to revoke access is a failing of the tool or the product, not the law.
Does the law need to change? Or (in the case of email) is it fine as is because the reasonable person realizes that once you hit 'send', the content is out of your control?
I'm sorry, but it's not. Full stop.
> If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely.
I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.
> The rest of my data is no different.
Exactly, you have no control over it.
> I own my data and the data about me, not them.
No, you don't _own_ your data.
> GDPR gives users the controls and governance over their data that should have always existed
No, on all accounts. There is no reason at all that you need to delete accounts or force anyone to delete any information about you. That's all just silly.
> but that tech companies gaslighted users into believing doesn’t exist
That's also silly. If you don't control something, you don't control it. Full stop. I don't understand why you don't understand that.
On the one hand, the other guy is legally correct - gdpr's purpose is to legally give individuals control over data about them (pictures they upload, addresses they input, whatever). That control is responsible on a site to site basis - if a person's naked picture is leaked online, every single IP address that hosts it must take it down if requested, or violate gdpr.
You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.
You can both disagree about the morality of this but simply restating both of your points with more "full stops" is pointless. If you're both really having trouble understanding each other's positions, step back and try to defend the opponent's decision.
Which is my point. You no longer retain any control over it. A law saying you have control over it is silly, because it's worse than worthless: it makes me think I have control over something I don't have control over.
Laws cannot magically manufacture things which cannot ever be created.
Moreover, the gdpr doesn't prevent any of the problems that have caused data breaches in the past. The way that Target and Equifax (both of which could easily claim the data they had was essential to their business: Target with credit cards and Equifax being used by banks to coordinate information) are both equally likely under the gdpr and both equally unpublishable.
As for Facebook and Cambridge Analytica, how would this have been prevented? Facebook can just ask you to opt in to their usage of your info to use their service. Facebook can share information with other entities that claim to be gdpr compliant. Other entity then shares information with other people outside of Facebook's control.
I just don't see how the gdpr changes a fundamental fact: you no longer control something someone else has. Laws cannot change that. Laws can give you recourse, but they cannot change it. I actually believe that it's dangerous to believe that I have control over things I don't: it's a false sense of security.
Also there's the fact that companies can end up sharing data to other parties, or a company can be acquired and change their mind about what the data will be used for (which is allowed because of the originally nebulous scope of their T&C which was specifically designed to allow for expansion without asking for user consent explicitly when usage changes). GDPR provides methods for users to be protected in both of those cases -- while just enforcing education does not.
Not to mention that if education was mandatory, then the same companies complaining about GDPR today would be complaining about educating users how their services abuse their dignity. Cutting Google/Amazon/Facebook/etc slack for making hundreds of billions from users' personal data and creating "Big Brother"-esque profiling systems for their billions of users doesn't really seem rational to me.
If I owned a site I would not have a problem to delete someone's personal data.
Also your suggestion is that if you want to keep your data protected then you should not be using anything on the Internet or make any deals because once you have ordered something on Amazon it can sell your data to everyone else? Or when you rent an apartment, the realty agency should be allowed to share your name, SSN, bank card number and address with everyone? No, I don't think it should be this way.
If I find the person that owns the server hosting my data, and I put a gun to his head, and I say, "remove my data," do I now control that data?
What if I instead pay someone else to go around putting guns to the heads of server owners? If I build an army?
What if instead of that I communitize my resources into a legal system that doesn't put guns to people's heads, but will take their money away and put them in jail if they don't follow the laws?
Don't get me wrong, I'm with you in the hacker-culture sense: fuck the system, man, if Google wanted to it could probably blackmail individual US government officials to the point that it took the country over. I get that. I guess we can get deep into a political science debate about governments and social contracts.
Put it this way: Is your sense that you can walk to work without getting mugged a false sense of security? If not, the only alternative is homesteads with militias (not walking to work anymore), or, arming entire populations (putting the burden of self-defense on the people). In the past, this has been tried, and led to gang rule.
If we "give up" on legal systems, we have ample evidence for what happens. When you apply those lessons to the digital space, maybe it's not 1:1, I guess some countries will be learning that for us, while others will try things like GDPR.
It's all a journey for human civilization. People like you that promote self-defense are great because we get amazing government-agnostic tools out of the deal. People that support GDPR are also great because we can test out "social contract" methods.
What's wrong with dancing around both sides of the aisle?
The gdpr makes people think that they don't need to think about what they share and with whom. Do you really think companies are going to significantly change just because of this? I highly doubt it. Sure there will be some things, but in the end many of the same patterns and uses will emerge.
You keep writing as if everyone has a meaningful choice about who gets data about them, but clearly that is not always the case. Someone may obtain data about someone else from a third party, and you can't avoid sharing a certain amount of data and still function as a normal member of society.
The idea of absolute, black-and-white privacy, where either you share personal information or you keep something completely to yourself, isn't very useful in the modern world. Our conventions must be more nuanced than that, and in practice that means what really matters is who gets access to data about you and what they're using it for.
That means basically don't share them with anyone, don't sign any contracts, don't work and live in the street. Because even your employer or real estate agent can sell them to anyone else in your model.
Aside from the "nuh uh; uh huh" nature of this exchange, I really don't understand what your position is.
> I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.
I'm not sure what your definition of "control" is, but based upon the arguments you've made about "control" above, I assume you mean it in some absolute sense.
Ownership definitely implies control. He can use DMCA to compel a third party to stop publishing his photo, for example. How is that not "control"?
Your definition of control seems to be somehow about capability or power, rather than normative ethics or legal right. Which is a rather absurd way of talking about this issue.
In that sense of control, I don't even control my own body. Someone who is stronger than me can hurt me; can rape me; can even kill me. I have no control.
Of course, for normative reasons, we make laws against other people controlling me in certain ways even though they have the power to do so.
Data privacy is no different. The discussion is not about what degree of control a party is physically capable of exerting. The discussion is about what degree of control the government should grant to each party.
The fact that someone somewhere is capable of hoarding my data, does not imply that this outcome is just or optimal. Your position is a textbook example of the naturalistic fallacy.
No, control is only one thing: the ability to constrain the actions of another. You can _never_ prevent your ex from sharing nudes of you; you can only recover damages.
> Save your apologies
I'm not apologizing for anyone.
> regulation is coming to fix the deficiencies in data rights and protection
No, regulations are coming to give users a false sense of empowerment at the cost of everyone else.
I actually cannot think of a single instance where someone has "control" over something and the law exists purely as a way of exercising that control, and I can think of hundreds of examples where laws exist to stop people from doing things they may be physically capable of doing but would produce a negative effect on society if permitted. Maybe there is such an example, but it'd be an outlier.
If anything, the anomaly here is that inappropriately using or sharing personal data about someone is in most cases still only a regulatory or at most civil matter and not a criminal offence. Obviously such an act can potentially cause far more harm to that individual than many physical acts of violence that do carry jail time.
Actually, this isn't true, for the purposes of this analogy.
You can only lock up people who are in your country and under the control of your legal system. If your ex flees to Russia and sends out these photos from there, good luck prosecuting them and putting them in jail.
This is the internet we're talking about. An EU law doesn't apply outside the EU, in places like Russia, the US, China, and many other locales. What's the EU going to do when sites in those other countries refuse to take down pictures based on this EU law?
What are you actually trying to say here?
This is similar to some other laws, you can be as slanderous as you want to someone in private but if that slander makes publication then you open yourself up to a lawsuit. You may own copyrights to the image you take of someone in public, but you cannot use their image in your merchandise despite owning the copyright to that image. If someone is doxed in an email, and the email hosting provider used is compromised and has their emails linked to the public, the person who was doxed has just as much right to request that the publicly available emails be removed from search engines, etc.
It requires the entity to give you the ability to delete your personal data, which means a contract where you grant a service a permanent and irrevocable right to data about you in exchange for a service is illegal.
It also requires the entity to provide an equivalent service to any site visitor that chooses to not grant their data to the entity, thus making the business model of trading even revocable access to one's data for a service unviable in the long run.
It makes it illegal to offer a service in exchange for data that is stored without end-user retrievability. Therefore, it makes a contract where you grant a service irretrievable data about you in exchange for a service illegal.
All of these reduce the range of possible voluntary interactions. It's anti consent.
And it is bonkers to imply that something that requires you to actually get affirmative consent from the user is "anti consent". You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.
>>You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.
I agree that it is anti-consent. I don't have a problem with laws requiring more legible consent forms.
My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored.
No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.
"My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored."
No, you didn't. All you did was post a list of "transactions" where the company has all the say, and the user really has no input whatsoever. No one is going to miss those transactions.
If you truly, honestly are concerned with "consent", then you should be applauding this law, as it does require actual, informed, affirmative consent. Not the "Here's a great wall of text, agree to give us every little bit of data with no recourse whatsoever for you or don't get any access to the service at all" form of "consent".
I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".
I have difficulty responding to such an immature mischaracterization of what I listed.
I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.
You're infantilizing people when you claim they're not capable of consenting to the sale of their personal data. In fact, no court of law would ever agree with you that these contracts are non-consensual ipso facto what the user offers, which is why the only way these kinds of contracts could be categorically disqualified is to circumvent the courts' purview of establishing consent, by resorting to statutory interventions like GDPR.
And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.
What you're doing is absolutely reckless.
>>I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".
Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.
Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.
And in that set, you predicated that the user could not revoke consent. That means that it is not a free contract.
>And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.
A contract in which one can not revoke consent is a contract in which one can never truly give consent. If I am unable to revoke my consent, then it can never be in the interest of the user, because my interest may change in the future.
>What you're doing is absolutely reckless.
No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.
>Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.
Which is what you're pushing for. You don't want me to be able to withdraw consent later, thus my selling of data WILL affect my future self.
>Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.
It still affects your future self.
Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent! You should be ecstatic that you will now be able to exercise greater freedom than you could before. You will have that most basic of freedom to evaluate whether or not something is still in your interest, and if it's not, withdraw, without the other party still benefiting off of your information.
No I didn't. I said that these contracts enable the user to sell their personal data. If a personal data sales contract includes a clause allowing you to 'revoke consent' AFTER 'selling' your data, then you are renting your data, not selling it.
By making contracts without such clauses illegal, you are reducing the space of contractual interaction, in making it impossible to sell one's personal data.
>>That means that it is not a free contract.
Again, I have difficulty responding to such immature mischaracterizations of reality.
Selling your personal data is a 100% "free contract".
>>No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.
You obviously don't care to debate this issue based on rational arguments and facts. You're debating in bad faith. You've already made up your mind and are more than willing to mischaracterize the situation, and people's position, to push your views.
>>It still affects your future self.
Everything you do affects your future self, but this particular type of sale does not cover data generated by your future self. It only covers what you have already generated.
It's absurd and totally dishonest to compare it to selling oneself into slavery. It's nothing more than hysterical fearmongering about the free market, in support of government limiting people's contractual rights.
>>Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent!
You're once again mischaracterizing the ability to revoke a sale, after the fact, as "withdraw consent".
When you sell something to someone, you no longer have a claim to that something, and thus the other party no longer needs your consent to maintain ownership of it.
That I really need to explain the semantics of ownership to you, and explain how allowing retroactive and unilateral reversals of sales makes it impossible to sell something, shows just how completely delusional and dishonest you're being.
All the changes are to "consent", which is the naive consent of clicking "I accept".
You can still do anything with a proper, considered, contract.
I don't see why the new rules couldn't have been limited to those of this sort, which ensure that users are providing considered agreement.
At the very least, my original statement was overly broad.
So if I investigate you, take your picture, etc. have I stolen from you?
I actually hadn't considered it before, but I imagine that being a PI in e.g. Germany must be a veritable legal minefield.
Why do we protect any rights by law? Usually it's because some harm is likely if the right is not protected and the potential victim cannot effectively protect themselves due to some imbalance of power.
Reasonable people can debate how far privacy rights should be protected and where the balance lies between protecting the data subject and allowing data processors to do useful things. Maybe the GDPR doesn't strike the ideal balance here and favours one side too much at the expense of the other.
However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession. Many social conventions have proven to be useful, and we codify them in laws so that everyone can see what is considered acceptable behaviour and so that people who try to undermine those norms for their own benefit at the expense of others can be dealt with.
No, it's more like making it a crime to break or lose something lent to you. At most it's a civil matter handling damages, not an extension of control over the item lent (barring any contractual agreement).
Put another way, how is protection of privacy by restricting what someone may lawfully do with personal data any different to protection of physical property by restricting when someone may lawfully use or remove it? Typically you can't physically stop someone from sending your email address to someone else once they have that information, but then typically you also can't physically stop someone from stealing your TV while you're out once they have a big sledgehammer and access to your front window.
I think most of us would still say that we have legal control over our possessions, and most of us would still say that theft is unacceptable behaviour and should be punished. In Europe, where perhaps we tend to have stronger feelings about privacy than in some parts of the world, a lot of people similarly feel that they should have the ability to restrict how data about them is being used and shared, and that some things that some organisations have been doing until now are unacceptable behaviour and should be punished if they continue to do them.
"To have legal control over your PII" and "To have legal control over your possessions" are similar in nature. The fact that such purposes are implemented in different ways, for mostly technical reasons, does not diminish the argument.
The main technical reason is that, right now, loss of control over PII is widespread, and individually processing each claim would likely overload the judicial system of EU countries which usually don't have class action lawsuits. GDPR simulates a class action lawsuit using regulatory bodies, to be triggered by refusal to comply with a significant number of GDPR requests.
GDPR attempts to fix that.
(not perfect control, but that is the same in every area where law is broken, e.g., there are burglars, but still I think you would consider being in control of your personal belongings, and nobody would argue that we should stop prosecuting burglary because many burglars will always get away with it)
Intentions and effects do not always align. The effect of GDPR is to make any business model where a user trades their personal data for a service illegal.
Business models involving voluntary exchange should not be prohibited.
The fact is, the free market already gives users control over their data. They are not obligated to use any service that requires private information from them.
And by mandating an option to remove your data, it makes a contract where a user gives a permanent grant of their data to a service provider, in exchange for a service, illegal.
They could have already fined current privacy abusers under the existing law framework. This will be used to strongarm independent news sources.
I honestly thought this kind of reasoning was a right-wing caricature. No, it is not obvious that choices with risks attached should always be regulated away.
Disclosing information in proportion to trust is a basic life skill. I understand that many in the tech community are frustrated to see the general public failing to exercise this discipline, and maybe regulation is the best way to protect them from themselves, but that's not obvious.
>If the majority of banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?
False dichotomy. You want a spectrum of financial products that depositors can choose from according to their risk tolerance. It's essential that we have stable, regulated, insured checking accounts. It's also essential that we have self-directed brokerage accounts.
>"just slapp[ing] some Amazon ads on [your] site" is not the correct approach to handling users' personal data.
A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?
The assumption is that all users are actively making a choice. Many are not aware of the choices they are making, and I think it's wrong to punish them for it -- when companies profit off this lack of literacy and people rush to their defense whenever people start talking about regulation.
I don't want companies like Google and Amazon to be able to hoard massive amounts of personal information about a large portion of the world's population, and not have to respect the rights of the people whose information they have acquired.
> You want a spectrum of financial products that depositors can choose from according to their risk tolerance.
If effectively everyone of importance just uses Amazon (or Google) ads then you don't get a "spectrum" and there's no choice involved. You have an option to either use or not use a majority of the internet. Yes, you can use ad-blockers but that's not a long-term solution.
> A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?
Most users are not aware of how these things work. I agree that if everyone knew how to block those ads and what the actual problems are with them, then things like GDPR might be less necessary (though the right to retract consent is something that should be enforced).
But even then, ad-blockers are a defense against an industry that is over-stepping ethical boundaries every day. At which point do you say that companies which inflict systemic violations of ethics on billions of people should be held accountable? Or is it always the fault of the people because they didn't care enough about their personal information?
What ethical boundaries do you think are being overstepped through advertising?
I could imagine a major ad campaing where this question is posted all over the city:
"What ethical boundaries do you think are being overstepped through advertising?
Think for yourselves, don't let the government tell you what to think!
Sincerely, your friends the advertising business"
That's a hard fucking question for me to answer concisely, so I won't do that. Sorry.
The current state of data privacy doesn't even include the spike.
As you point out, education is a fine idea, but it isn't going to work if there is a major industry based on it not working.
Are you going to stop using all these services that track you some way or another?
Most digital companies wouldn't exist if they weren't allowed to use the data.
So instead of just blanket calling it something it isn't, and something that certainly isn't unique to FB or Google, why not actually discuss the fundamentals rather than scapegoating someone just because they are some of the most successful?
This is a statement you're not possibly able to prove, and you've even left "the data" open, so you can quibble about the definition in future replies (despite the GDPR clearly giving one).
Terminating replies here due to the gross intellectual dishonesty; have a great night.
> Most digital companies wouldn't exist if they weren't allowed to use the data.
GDPR does not deny you the right to use user data, it regulates usage. This is such a ridiculous strawman that it doesn't even classify as a fallacy, it's just simply a lie.
> Are you going to stop using all these services that track you some way or another?
(I have stopped using many of the services you mentioned, but you're actually touching on the reason why regulation is necessary.) It is unreasonable to tell the general public they should stop using the internet if they want to maintain their privacy and dignity. And that's why there need to be regulations to provide protections for the general public when using a technology that is so central to the modern world.
You are still using them. One of the biggest users of personal data is your ISP, and that's a service you pay for.
Don't pretend you are stating facts when you are just stating your personal opinion.
I had the impression that this is rather clearly regulated by the GDPR. A user has to consent to each use of her data. And you have to explain the use in an understandable way, no legalese. Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked). I don’t see how this could hurt any ethical business model.
If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.
This arbitrarily limits the range of businesses that can exist. For the sake of people who value their privacy having nothing denied to them, it reduces the services available to everyone.
They can. A business does not even need to do business with you. It's not a right that a business needs to service you.
And btw, this is German law.
Heck, they can even rely on other laws to cancel your service any time they want.
In the next years GDPR will change nearly nothing, except that it will kill some smaller businesses.
GDPR is not strongly enforceable; if people think they have a right to something they still need to go to court.
The only thing which might change is that it will be easier to delete accounts and data (which is a good thing).
Even better, it requires the user to say “yes”.
It won’t. It will just replace the common “no one reads but clicks” TOS. And the user can change her mind anytime she wants.
> The amount of "no clue what this is" among non technical people I know is 100%.
If you can’t explain to a non-engineer or scientist how personal data is collected and used, it’s probably not a bad idea to outlaw this.
> But the EU pats itself on the back cause they're tackling privacy issues. It's a joke.
It’s certainly not enough but a step in the right direction.
I'm actually pro-GDPR but this needs to be kept in mind.
This is a misunderstanding. Consent is only one acceptable legal basis for processing personal data under the GDPR. Almost everyone is going to use it as little as possible in future because of all the extra red tape involved. Ironically, that probably means a lot of organisations will now be straining to justify processing on some other basis and to minimise use of data subjects' explicit consent and exposure to the associated subject rights.
> Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked).
It's not that simple, because for example organisations may have legal obligations or legitimate interests in processing data about someone even though it may not be in that person's interest. Consider these:
[ ] I agree that my bank may keep records of the money I owe them.
[ ] I agree that the car rental firm may keep a record of me borrowing their vehicle.
[ ] I agree that the school where I'm applying for a job may do a background check before trusting me to look after kids.
Obviously there are many issues like this where consent for the data processing can't be voluntary and independent of everything else that is going on.
Speaking of false dichotomies...
I think you'll find that self-directed brokerage accounts have more regulations than checking accounts because they provide more opportunity to commit fraud.
That might be the theory, but there may be unintended consequences in practice.
As others have said, introducing regulation always has a cost. In this case, the cost appears to be that a small side business that has been providing a useful service to the local community for several years will no longer be available.
It doesn't matter whether the business was actually violating the GDPR. It doesn't matter if the person running it misunderstood the new regulations and formed an exaggerated view about the potential risks. The end result is still that his service isn't there any more.
The level of risk and profit is going to adjust to the correct balance over time.
It apparently wasn't running at a profit even before these new overheads. It was essentially being provided as a gift to the community by the person running it, and that person is not prepared to accept what he perceives to be a lot of extra risk just for doing people a favour. Why then is it reasonable to assume that someone else will step in and be willing to provide the same benefit to others despite the additional overheads?
Again, why should we make such a strong assumption in general? Previous ill-judged regulation of tech industries by the EU hasn't gotten any better with time. They still haven't fixed the "cookie law", which must be on the short list for most useless and widely ridiculed law in history! More seriously, they still haven't fixed the VAT mess, which finished too many microbusinesses and caused significant damage to many more slightly larger ones.
"But it's such a small site/the person's side project" is all the more reason to stay away from this. Having a code of ethics where you end up using the most profitable option anyway is not a real code of ethics.
The point of ethical judgement is that it's _not_ the best choice by other factors.
He's not making a profit. Meaning he's actually paying out of pocket to allow neighbours to lend stuff to each other. Yet he's abandoned his code of ethics?
But many ads are those that track you across pages and use many of the same stuff as Facebook to show you products. So if you're uncomfortable with that, it's important to put pressure on that.
If he were just throwing up Google AdWords /FB ads or whatever he would be participating in an ecosystem that is unethical for many. It's helping to support a good cause, but wouldn't it be nice to get good things without contributing to an unethical system in the process?
But likely in complete compliance with GDPR... As Adwords and FB Ads would be in compliance.
That is the entire point of laws like GDPR: it has nothing to do with user privacy and everything to do with ensuring there can be no competition to Adwords or FB in the future.
So many contradictions in one paragraph.
You most likely already had one and are now paying them to do this as well.
In the UK the ICO is the governing body, and they say I don't need one. From their guidance linked below:
>The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.
I am neither a public authority nor do I carry out those certain types of activity.
That is COMPLETELY IRRELEVANT to what people are saying. If someone complains about me, am I obliged to defend myself? If I don't, am I subject to ruinous penalties? If I do and am victorious is the complainer required to compensate me for all of my costs?
Again, part of the problem is that it's not clear what does and doesn't constitute a violation.
I can tell you as someone who is working in an old school retailer/wholesaler we are not, and neither is anyone we are talking to through various trade bodies, employing lawyers to do GDPR.
Lawyers can't help you with ambiguous laws very much as it takes precedents to make sure what the words mean.
The reality is that almost all businesses are small businesses, and most businesses are microbusinesses. These sorts of organisations don't have full time resources watching out for potential legal hurdles coming down the line in a few years. Many of them don't have full time resources at all.
It's ironic that a law where one of the main effects is to dramatically increase notification requirements has resulted in barely any media coverage and no notification from any official sources to any of my businesses yet. What media coverage there has been mostly seems to have been prompted by people being surprised by the sudden wave of privacy-related emails. So, how is this not going to be a surprise move for millions of small businesses if no-one did anything to tell them about it?
If you run a business and were not aware of GDPR then you are incompetent or employ people who are feeding you bad information.
Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.
Why? Most businesses are very small and don't have any sort of in-house legal team, and won't go actively looking for expensive external legal advice if they aren't aware that they have a need to.
That is an entirely unfounded assumption. There is literally no relationship between being technically competent in protecting personal data, having a positive attitude towards respecting privacy, and being aware of new laws coming out of the EU.
GDPR punishes the vast majority of businesses that do not have business models reliant on selling user data in favor of trying to catch the ones that do.
Unfortunately, I fear this regulation will do absolutely nothing to stop the bad actors from selling data as they do now.
But I'm completely in favour of it anyway.
Failed reality check.
A Data Protection Officer, especially from a law firm, is not in any way imaginable "almost nothing" as regards the cost.
I can't imagine it's a cost less than five figures.
Google and Facebook's manoeuvring to adapt to the GDPR gives a clear road map of the legal requirements. Bluntly, they're not that bad, and they're better for a new startup who can adapt to them from the ground up than an established venture who has to find new ways to make money.
The reporting requirements of the GDPR can be large, but for most companies most of the time you're dealing with a relatively unchallenging piece of legislation. Most of the requirements are just to be able to explain what happens with user data and handle sporadic deletion requests. Loosely connected, separately stored IDs are the solution to this (pseudonymization). It's a different style of development, but far from tricky. That's systems development, not legal.
This is a legitimate threat to startups reselling user data and overly friendly web-tracking solutions, yeah. To them I say "boo-hoo". For the rest of us? IT regulation with legal teeth is a promising indicator for IT companies. There are more of "them" than there are of "us", and if our legal issues are getting play that means our salesmen will also get play.
I know you didn't intend to, but you've nailed the problem: the ambiguity and doubt. Most (<100%) * most (<100%) is a fraction times a fraction, never a good equation if the upside is low.
I doubt the StreetLend dude made much cash out of this project, so why bother? It was likely just a convenient excuse to kill a side project that had little value that sucked a lot of time, but still, the ambiguity no doubt helped push him towards this outcome.
This doesn’t feel particularly onerous, especially as any good business plan will include getting public liability insurance for inevitable occasional serious mistakes.
Even though we never resell, mine, or monetize data, the increased risk of legal action was not acceptable to us.
Have you ever filed a claim on an insurance policy? Your premium will certainly go up next time that policy is up for renewal.
It’s unfortunate for our users. They’re quite upset that we’ve decided to drop all EU customers. But, we’re not willing to take on any additional risk for such a small revenue source.
1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.
2. If the Data Subject moves out of the EU border and say becomes an expat, or goes on holiday, then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.
Luckily, my organization is not “established” in the EU.
It's only the end-user-is-product companies that have to have armies of lawyers, and that is no bad thing surely?
Note that you're on a site pretty much dedicated to the ongoing viability of end-user-is-product companies, hence the backlash here. My experience, same as yours, is that anyone who provides a service for money isn't having any difficulty at all complying with the GDPR.
I don’t think you’re going to disrupt Google or Facebook without trying something new, and the GDPR certainly forces startups to think different.
The best move liquidates Facebook and Google.
This is an unviable move.
The next best move is to build laws which enforce behavior.
This always results in additional complexity which cuts into the profit profile of firms.
The same way that health regulations hurt many fly by night operators, and force standards on bigger firms.
This is the only outcome in the game which is acceptable to all parties.
It is the rational move.
The law is needed, otherwise everyone would continue to abuse users' data more and more. So that's clearly not the solution. The ideal solution is fining both Google and Facebook for all the money they've made from that abuse from at least the past 5 years, to level the playing field.
People say that capitalism is the "worst economic system, except for all the others", and that's true. But one of the main issues with capitalism and why it gets to be so broken in the end, is that when companies abuse their powers, the punishment almost never fits the crime. If it did, I think capitalism would be a much more optimal economic system. I think this is by far the biggest issue.
As an example, Intel made tens of billions from anti-competitive moves against AMD, and it was only fined $1.4 billion, a fine that's still under dispute even a decade later (Intel has yet to pay it).
Samsung and other memory makers have been caught at least once in the past, and now again, doing price fixing. But the fine was, and likely will be again, much smaller than the profits they made.
Then we have the big banks, which also made a ton of money from screwing people over, and again they were fined at "record levels" but still much less than they made in profits.
This is how the incumbents keep getting ahead of the others, even when stronger regulations pass - they never have to truly pay for the crime they did in the past, and they get to keep 95% of their profits from that crime. That isn't how things should work - the governments should take all of the profits they made from the crime and the fine should be added on top of that. If a company grows 10x in size in a decade from abusing some law and consumers, then the governments should absolutely take back 90% of its size when it's punished later. That's the deterrent.
Now in regards to privacy, the laws weren't that strong before, and I don't really believe in punishing people or companies for laws that didn't exist, which is why governments need to be much more vigilant from the birth of new industries, and not wait until they are mature and most damage has already been done.
Maybe my solutions are a little too extreme, but I do believe more needs to be done compared to what governments are doing now. We can't just let companies get away with almost all the profits they made from abusing consumers.
Also, there need to be stronger anti-merger laws. That's for sure. We almost never need to let companies merge, and if they do merge, that almost always ends up not being in the consumers' favor. If some companies can't compete on their own anymore, then so be it - let them go bankrupt. The rest will either become stronger, or new entrants will appear. I think that's still preferable over allowing them to "survive" under a bigger company. Let the creative destruction flourish in the market, as it's supposed to.
Probably not far enough. You need to outright shut them down, put them in a prison of sorts, fine them, and then let them continue operating after their term is up. Do not let them sell, do not let them split. But people will lose jobs, ads will be taken out to fight it, and it will be held up in court for far too long. Google and such have ingrained themselves in a way that to properly punish them for their actions is not politically tenable, because the only fitting punishment would destroy these companies and cause significant economic harm.
Alas, many people make money off of loose regulation and they are thus biased.
I am afraid we won't see any improvement anytime soon.
Users have been giving away data to Google and Facebook to use their services. What exactly do you mean has been abused about that?
Calling that stolen is mixing your personal opinions with facts.
At its core it is the most ethical way a free service can make money (aside from donations).
He isn't selling the data or showing personally targeted ads. (Of course it could be using some Amazon plugin that does it anyway for convenience or from ignorance, but he can do it without it through Amazon APIs.)
Founder here. Streetlend never passed personal data to Amazon. It used the search term eg “ladder” and showed ladders on sale from Amazon. No personal data was passed.
Unless you're doing something shady with user data (and you _know_ if you are) the GDPR essentially comprises having _some way_ of giving a user all the data you store on them, and _some way_ of deleting that data.
In this case both of those appear trivial to automate, and even more trivial to just do if somebody actually wants those things. Shit, dropping email login and only accepting federated auth would get you there in one step, unless you're doing things you're not saying.
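The earlier comment's "loosely connected, separately stored IDs" and this comment's "some way of giving a user all their data, some way of deleting it" describe the same layout. As an added example (not Streetlend's code nor any commenter's), here is that layout in Python: directly identifying fields live only in an identity store keyed by an opaque pid, activity records carry just the pid, a subject-access request joins the two, erasure drops the identity record, and a retention sweep expires stale identities. The sample records, names and the 183-day window are constructed assumptions.

```python
"""Pseudonymised data layout for export and erasure requests (added example)."""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Identity:
    """Directly identifying fields; these exist only in the identity store."""
    name: str
    email: str
    last_seen: date


@dataclass
class Listing:
    """Activity record; refers to a person only through the opaque pid.
    The free text (item) must itself be non-identifying for this to work."""
    pid: str
    item: str
    created: date


class Store:
    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.listings: list[Listing] = []

    def register(self, name: str, email: str, today: date) -> str:
        # Random, unguessable pid: nothing about the person is derivable from it.
        pid = secrets.token_urlsafe(16)
        self.identities[pid] = Identity(name, email, today)
        return pid

    def add_listing(self, pid: str, item: str, today: date) -> Listing:
        if pid not in self.identities:
            raise KeyError("unknown or erased pid")
        self.identities[pid].last_seen = today
        rec = Listing(pid, item, today)
        self.listings.append(rec)
        return rec

    def subject_access(self, pid: str) -> dict:
        """Everything held about one person: the identity record plus every
        activity record linked to it."""
        ident = self.identities.get(pid)
        if ident is None:
            raise KeyError("no identifiable data held for this pid")
        items = [(l.item, l.created.isoformat()) for l in self.listings if l.pid == pid]
        return {"name": ident.name, "email": ident.email, "listings": items}

    def erase(self, pid: str) -> int:
        """Delete the identity record. Listings that referenced it stay for
        aggregate statistics but can no longer be linked to anyone.
        Returns the number of listings orphaned this way."""
        self.identities.pop(pid)  # KeyError if nothing is held
        return sum(1 for l in self.listings if l.pid == pid)

    def is_identifiable(self, pid: str) -> bool:
        return pid in self.identities

    def retention_sweep(self, today: date, max_age: timedelta) -> int:
        """Expire identities not seen for longer than max_age (the 'clear it
        every six months' approach). Returns how many were erased."""
        stale = [p for p, i in self.identities.items() if today - i.last_seen > max_age]
        for p in stale:
            self.erase(p)
        return len(stale)


def run_demo() -> dict:
    """Constructed walk-through: register, list, export, erase, sweep."""
    s = Store()
    day = date(2018, 5, 1)  # constructed sample date
    alice = s.register("Alice Example", "alice@example.invalid", day)
    s.add_listing(alice, "ladder", day)
    s.add_listing(alice, "power drill", day + timedelta(days=3))
    report = s.subject_access(alice)
    orphaned = s.erase(alice)
    bob = s.register("Bob Example", "bob@example.invalid", day)
    carol = s.register("Carol Example", "carol@example.invalid", day + timedelta(days=100))
    swept = s.retention_sweep(day + timedelta(days=190), timedelta(days=183))
    return {
        "exported_items": [item for item, _ in report["listings"]],
        "orphaned": orphaned,
        "alice_identifiable": s.is_identifiable(alice),
        "swept": swept,
        "bob_identifiable": s.is_identifiable(bob),
        "carol_identifiable": s.is_identifiable(carol),
    }


if __name__ == "__main__":
    print(run_demo())
```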
I've been running websites and doing IT for a long time. I've spent at least 10 hours on my employer's dime reading about GDPR and trying to figure it out. There's a lot of ambiguity. We're in the US, we don't do a lot in Europe, so we're at less risk, and my conclusion was that we're small enough (while MUCH bigger than Streetlend) that we're not going to be a target while some of the ambiguities get worked out in courts. This poor guy has no protections.
I'm not faulting the person, I'm just saying the response doesn't seem founded in firm reasoning, but in (self-admitted, by the link!) "I need to look into this but I haven't, so we're shutting down". This isn't a newsworthy event or "proof the GDPR ruins businesses".
> This isn't a newsworthy event or "proof the GDPR ruins businesses".
It is anecdote that complying to a far reaching and ambiguous law has real consequence.
This is, again, because the legal text is ambiguous.
I posited this to our counsel when discussing what to do about GDPR. He cautioned that he’s seen investigations start due to a nosey bureaucrat.
I don’t know if your product is public facing, but if it is, all it takes is a single sufficiently powerful government employee to get curious about your business and start asking questions.
Even if you’re not doing anything wrong, having to engage counsel to respond to the government could get pricey.
Clearly you have no understanding of how any legal system in the world works if you believe only people that are guilty of violating the law are sued and ruined by the law.
Because the GDPR is extraordinarily ambiguous.
Patent, copyright and disability access laws in the US are two examples of laws commonly abused for this type of behavior.
The problem is that the legal system in most nations is set up in a way that gives the guilty and the wealthy an advantage over the innocent with limited resources.
Laws and legal systems should be:
1. Very specific and not open to interpretation
2. Have options for "settlement" as this rewards the guilty, and harms the innocent
3. Have more public resources for people with limited resources. Law firms and large corporations use legal expenses as a weapon in civil courts over smaller companies due to the high costs and generally no public resources for civil access
4. All civil cases must have to show actual damages not theoretical damages
That would be a start.
Except with GDPR all you could do is report them to the member states governing body. So no trolling.
> Very Specific and not open to interpretation
Except this makes them inflexible and leads to them having to be constantly redrafted. So no use to the world of the HN.
> Have options for "settlement" as this rewards the guilty, and harms the innocent
GDPR is between you and the regulator; they already do this work and the whole aim of the process is to stop you doing bad things. A fine is a late step in the process for organisations who won't listen.
> Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses as a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access
Is off topic when it comes to GDPR, see my previous answers
> All Civil Cases must have to show Actual Damages not Theoretical Damages
Again off topic with GDPR, but in the UK that is how damages works already, isn't it?
What? Define almost nothing. For small businesses it is wishful thinking that they can hire anybody from a legal firm. They probably don't even have a lawyer or a legal department as they can't afford such a luxury.
And now we are finding out LED lights are bad for our eyes and our sleep, so we may go blind sooner and die sooner.
Ok that might be a bit extreme, and besides there is an efficient incandescent tech that will probably come back and save us (and you can argue the EU helped that too)... but my point is the EU has good intents but their creations seem polarised into either extremely preemptive or extremely reflexive and are often premature and poorly thought out, fighting for something for the people but often without thought for how they will directly hurt the people.
For tech the EU isn't exactly unique in this respect though; the UK for instance recently tried to enact some pretty ridiculous laws that undermine basic technologies that make the internet work.
Yeah, I'll just get a small loan from my father.
"From the description Streetlend didn’t violate the GDPR in concept though. Addresses are public record, available in public databases, and there is nothing stopping you from doing lending eBay. All it needed to do was clear it’s records every 6 months and let people delete their accounts."
> But the comment you commented on said:
"The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous)."
The issue seems to be that the resources required to resolve a delta - from Streetlend's pov - are perceived as excessive. Too much risk; not enough reward.
Look at what happened with Thiel and Gawker. Right or wrong is irrelevant if the opposition has deeper pockets and can bleed you to death (in legal fees).
> Startups will find a way to make money that isn’t selling your data.
Perhaps, that could be true. But plenty will not want to be caught in the crossfire in the meantime. And that too is a biz decision.
Out of touch with reality much?
Just like all regulation it's very doable, but it's way more cost effective for the big players.
They can take some credit for the dim and dimmer mercury containing CFLs, and the ludicrously expensive and somewhat unreliable early LEDs, if they like.
when did that happen?
>Startups will find a way to make money that isn’t selling your data.
It's hard to argue with statements like that. What if they don't? There are plenty of startups providing extremely valuable or fun services (like flightradar24 for example) that are supported by ads. After GM, Ford and Chrysler there were basically no successful auto startups in the US for 70 years.
This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.
This is not true. The US has parallel regulation that encourages the phase out of incandescent bulbs. True to form it's a lot weaker than the EU regulation but it sends the same message.
> This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.
This is not true. In fact the GDPR makes it clear that for small businesses (<250 employees) most of the control burden is relieved.
I also found some LED bulbs that have simulated filaments inside clear bulbs for an old-fashioned look, and again the incandescent color temperature.
I've even found cheap LED replacement bulbs for the various interior lights in my car that look just like incandescents.
So I think it's kind of passé to be debating LEDs at this point.
1. This regulation is specifically (deliberately?) anti small business. If your revenue is less than €20m their fine is up to €20m, i.e. can be 100% of your revenue, meaning bankruptcy. If your revenue is greater than €500m, your fine is capped at only 4% of your revenue, i.e. an acceptable fluctuation. It's worse than a regressive tax.
2. China also has many regulations. Instead of trying to extend their jurisdiction to foreign sites, they simply block them. I thought about this and I actually prefer the Chinese non-expansionist model: I would rather outsource due diligence to the Chinese government than hire expensive EU lawyers and then implement EU specific blocks.
FYI we do not collect any data other than for spam and DDoS attack mitigation, but apparently if you have any third party code in your site like ads you have to subject all of that to this expensive audit.
Well meaning regulation like this, written by people who have never created anything practical in their lives other than regulations, illustrates why entrepreneurship in modern Europe is nearly impossible.
Rubbish, this is just spreading FUD.
From the UK ICO: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."
Look at the track record of the UK ICO - how many small businesses and side gigs have been fined £500k? How many businesses of any type have been fined the current maximum of £500k?
So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?
Even TalkTalk were only fined £400k for the most ridiculous incompetence leading to 4 breaches in 18 months and failing SQL injection 101. They make profit in the tens of millions yet still didn't hit the maximum (They should have in my opinion). I think at the time that was the largest penalty yet issued.
Same goes for other data protection bodies across the EU - there will be few instances of maximum penalty under current data protection. I'm sure some countries have never imposed the current maximum.
nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.
That's the most interesting thing about the GDPR. While some developers are picking up their ball and huffing off home, others are actually 100% behind the regulation.
It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.
Or the competitors' software.
Consider some business that was doing what GDPR requires already: users could delete their data, they could request a complete copy of it as well as an explanation what it is used for, and it was only used for defined purposes that the user signed off prior anyway.
Sadly, that reduces flexibility somewhat, but they're doing it because they consider it the right thing.
For them, GDPR levels the playing field and makes sure that they never have to stray from this conduct just to remain competitive with companies that aren't so nice to their users.
Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data. I also don't believe that data about me is data I own. To me, the gdpr feels ineffective at the real issues causing me harm (leaked info) and also a giant burden on companies that fundamentally changes how the industry has worked, but in a way that quite frankly, doesn't make any sense to me. The data about my order isn't my data to control.
It doesn't directly prevent insecure systems, but discouraging companies from storing information they don't need and transferring it on to third parties for whatever reason they feel like massively reduces most people's exposure to this risk.
>The data about my order isn't my data to control.
If you believe people have a right to privacy, then you believe they have a right to decide who gets to know what information about them.
That's not even remotely true. A right to privacy does not mean I get to control the actions of others.
Nothing restricts what others can do with them, they just have to state it so I can decide whether that's ok for me or not.
The lack of this clearly defies the right to privacy, just consider the extreme case of "I'll dump your data on GitHub next week"
Requiring disclosure of a breach within 3 days of it happening, as opposed to the several months that is commonplace now, is a big help.
"I also don't believe that data about me is data I own."
Everyone disagrees on this point. Right now, Europe says the opposite.
"also a giant burden on companies that fundamentally changes how the industry has worked"
Good. Currently the industry is geared to suck up every last bit of user data like a vacuum, regardless of whether it's actually needed, so they can sell it. This has gone on for far too long, and I'm glad to see the industry hopefully move away from it.
If I place a camera in my house so that it's recording what's going on in your bathroom- is that data you would like to be kept private, or not?
I'm fully behind the GDPR. It might not be perfect, but I've read the law and it's surprisingly straightforward and sane.
Why is it sane to assume data I've sent to a service is my data to control?
GDPR increases maximum penalty to be high enough that it could be a penalty to a Google or Facebook for a serious, wilful, breach of regs, in an environment where the tiniest fraction of reported cases get any fine at all (16 of 17,300 reports for 2017 in the UK) let alone the maximum. Internet now certain that one man software companies and hobbyists with non-commercial regex sites will receive £17m fines, every time and it will be used as a stick to beat one's political enemies with or, most comically of all, pay for local infrastructure improvements.
I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data. Just a reasonable effort to enhance DPA taking into account new techniques and misuses of data. Deletion for everyone, not just a minority - thanks to FB et al feeling it's fine to never delete, and run shadow profiles on all. The highest penalty will be saved for the most offensive cases involving multi-nationals. It will be interesting in a few years to see how many maximum fines have been levied. My bet is none at all, once or twice if there's an especially egregious breach from an Amazon or Google.
I've little doubt that just as I feel more should have attracted fines under DPA I'll feel more should have got GDPR fines.
My intuition is that the people who complain are that fraction of developers who actually care about their profits more than their users' privacy.
For us in Europe 20 years of DPA must help - I doubt there's many here would want to go back to pre-data protection.
No, in fact, most people get served with nothing more than a formal caution or a £90 fine. This is normal - this is how the law works in this country. Anyone who doesn't understand this hasn't even been paying attention to the lowest-common-denominator newspapers, which are constantly screeching about how people usually don't get anything close to maximum sentencing.
It’s not complex - we don’t let people away with flouting regulation because it’s burdensome. “It would make me unprofitable” is not a valid reason to ignore health and safety laws, or hygiene laws.
“I just want to run a food truck as a side project but not care about making people sick or not” is obviously ludicrous. Why is personal data somehow fair game?
Someone doing it for love or passion is now faced with GDPR compliance and the risks and hassle that come with it.
Just because you are not making revenue doesn’t mean that you don’t have to abide by regulation. The GDPR is intended to solve a very real and present issue; if you run a side project that deals with personal data, then the fact that it makes no money doesn’t mean that your mistreatment of personal data isn’t harmful!
How do you revoke PII from a distributed information system, like anything using a blockchain or distributed version control? You don't.
If you choose to block all EU IPs instead of implementing the most basic data security and retention policies, then it’s for the best that EU users are not able to use your compromised service.
Once you've got that sorted and you can change/remove identity information, the likes of GitHub have no issue so long as they have GDPR-compliant contracts with any business partners who can access git repos. Obviously, anyone using GitHub who decides to store all identity data forever is, generally speaking, not GitHub's problem, same as someone who noted down the names of all their friends on Facebook isn't Facebook's problem.
Misuse of git isn't a problem inherent to git.
Can you explain why they can cope with PECR but can't cope with GDPR?
The law will be enforced, just as current data protection is.
The law can be enforced without every case attracting the maximum penalty. That's why nearly every law has a range of penalties.
Accidental and minor breaches can attract a minor penalty or a letter asking you try harder. Wilful and repeated breaches affecting many customers will attract harsher penalties.
Same goes for speeding offences - go 40 in a 30 limit, get a fixed penalty ticket. Go 140 with the GoPro race footage of you and your buddy posted to Twitter, expect a much larger fine and a driving ban.
In neither instance is it not enforced, or damaging to the concept of law.
What @megaman22 is saying fully matches my experience as an Eastern European -- piss off the wrong people and the law will fall on you with its full might. Some people would really love to make an example out of you if you give them the chance. And I don't think that only applies to E.E. but have no data either way, it's just an observation from news and hearsay from affected people around here.
I fully support the GDPR and I'll do my utmost to comply with it even for hobby projects.
That was never something I disputed in my root comment that spawned this big sub-thread.
What I said and will continue saying is -- laws like these open even more doors for legal trolls, big players and nasty competitors to exhaust you out of business. The fact that it doesn't happen on a massive scale in my eyes means nothing; or rather, it means that agents used as an example to scare off others isn't something that's done often because usually just a few lawsuits and their aftermath are plenty enough for those many others to get the message.
So IMO using statistics here is not a strong enough argument. I am not trying to alter your thinking. We actually agree on most points but I simply can't agree that past statistics are a good proof that the new law won't be used in a more heavy-handed manner than originally intended.
To me, that remains to be seen yet and none of us can claim with certainty that what seems likely to them will materialize.
> I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
You may be right in our chances of agreement!
I see a judiciary separate from state which is more than happy to put politicians back in their box when they introduce bad or overreaching law. Governments of all colours complain about the judiciary and Lords here in the UK - which I see as proof that the separation basically still works. I see data protection bodies that are separate from government and politics. I see occasional stories of record fines or breaches from mainly Western Europe and talk to friends and conclude small business and solo developers are not being fined or trolled into oblivion in nearby countries either. Yet EU DPA is most of what GDPR is with smaller maximum fines. Why isn't the disaster scenario you foresee already happening with current DPA and other laws? Why are so few fined for breaches and only the most extreme cases getting fines?
I'm less aware of justice systems further east and yes it's obvious that former Soviet bloc are going to be rightly more sensitive to and concerned about corruption. I'm also not aware how successfully that's been left behind from adopting EU laws and years of membership. That said, reading the pieces that turn up on HN it seems that the US is the one with problems of corruption in the justice system currently. No doubt that's also unrepresentative thanks to what's being shared about a vast nation.
So, the legal trolls - it's going to be registrars and data protection bodies bringing cases or seeking sanctions. Just like happens with current DPA. This does not appear to be akin, or anywhere near, the US DMCA where large media companies massively abuse takedowns via automated software and triggering numerous trivial errors. I don't see the scope to exhaust someone out of business - yet it's clearly easy with DMCA. There's nothing a Sony can abuse to pick on a little guy with GDPR - they can report me to the registrar.
You're right that it remains to be seen, but I sincerely doubt our data protection bodies are suddenly going to break out thumb screws and bring orders of magnitude more cases when they've kept fines for the final, extreme, and rare sanction til now.
I honestly expect that just as I feel more should have attracted fines and sanctions under DPA I'll find that GDPR is also being too lightly applied. We'll see. I've been wrong on the internet before. :)
Because speed limits are not enforced, everyone goes somewhere between 5 and 15 mph over, all the time. But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily. Yeah, the jackhole that burns tire at 110 past a school-zone is most likely to get pinched, but almost everyone on the road could.
> But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily.
Sounds like enforcement to me.
The solution is also simple. Don't drive over. I don't do it. If the sign says "50 kph", I drive "50 kph" and not more.
Driving over is entirely voluntarily ignoring the limitation set by the law so don't go and be all surprised when somebody CAN FINE YOU FOR THAT.
When a corporation is compliant and only has minor infractions, they will (most likely) write a sternly worded letter.
But if you're constantly and repeatedly or willfully ignoring or breaking the regulation they definitely won't leave it at a simple tap on the fingers.
Plus, I don't think any regulatory body is looking for bankrupting a corporation. They will obviously size the fine according to how much the corporation has in turnover or profit.
If you have minor infractions caused accidentally and you cooperate I have doubts that any regulatory body for the GDPR will go beyond sending a simple letter asking you to fix a problem.
I am not one to say "trust the EU government, it is good".
But the intent of the legislator is obviously not to kill businesses willy nilly, it is to punish certain behaviours, they have no reason to willingly cause a business to shut down, which is why the GDPR explicitly accounts for collaboration.
In the end, it is up to you to decide not to abide by the law. There have been local regulations forever, this won't change much.
Note that, in parallel to the EU regulation, the statutory maximums can be enacted (ever since Booker judges can use their discretion again), but in reality most judges rule within the sentencing guidelines.
Yet. Wait until the company is another political organization that is identified as an enemy or competition. Then these laws become tools for shutting down dissenters with selectively applied fines, even to companies outside of the EU.
And unlike you say the law does say the regulatory body for the GDPR has to consider the business needs of smaller businesses and adjust their fines accordingly if they even hand them out.
There is a good flowchart in this thread too, I recommend studying it.
I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced. Either way, the net result will be that EU residents will have access to a far smaller universe of content and services. Most businesses just won’t take the risk.
We both contributed to a conversation where you made the same point, a few days ago:
Back then, I was not convinced that you had a clear idea of how such a money-grabbing scheme could be implemented. I would kindly ask whether you have a clearer understanding of the relevant procedures now.
The people saying how easy it is don’t know what they are talking about.
By "28 different interpretations" I assume you mean those of different member states. It would actually be 27 now that the UK is leaving, but even so, the GDPR is a regulation (General Data Protection Regulation) and not a directive, partly in order to eliminate inconsistencies in national laws. To clarify, as a regulation, the GDPR does not need to be passed into national law.
Additionally, this reduces the burden on companies that would previously have to deal with multiple local authorities, in the context of the Data Protection Directive.
Further, there are provisions for the consistent application of the GDPR across all member states, particularly a European Data Protection Board.
This is from an article I quoted earlier:
Coordination and Consistency
Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.
One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.
Generally, I have no idea why you say that the GDPR will be nearly impossible or actually impossible to comply with. Different member states have different regulations for drug use, for instance, but that is never used as an excuse to violate drug laws "because they are impossible to comply with" due to different national interpretations.
What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).
If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working since Google doesn't want the EU courts on their butts for making business with someone who violates the EU law and other measures)
So how does that affect companies that don't elect to join Privacy Shield?
Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...
I guess we'll have to wait and see what happens in that case, if the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages)
> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."
That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...
He wasn't 'almost jailed' - he was fined £800. And the video involved him saying 'Gas the Jews' over and over again to his dog, to which the dog reacted.
What part of this is a problem for you?
(And for that matter it was his girlfriend's dog).
But yes, I agree with you - you have no control over the Court's decision if found guilty.
There's no good way to frame this for a small business. Are you seriously suggesting that the mere benevolent feelings of a judge or board and how their mood is that day is the only thing standing between a startup and bankruptcy? If you're saying a small business should never be fined that much, why isn't that the letter of the law? Why does the court even have the option to completely destroy a startup like that?
> So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?
Where are you getting this ludicrous assumption that the law won't apply the maximum fine? If you don't think they should be able to, why isn't the law simply sensible, and should apply a lesser fine?
> Where are you getting this ludicrous assumption that the law won't apply the maximum fine
They have never yet applied the maximum in 20 years of the current DPA, why presume they're itching to start next month? This makes no sense to me.
Under the DPA 1998 the largest fine was issued in 2016, to a multi million pound company. £400k, so still only 80% of the maximum. Look to precedent across the entire EU.
Supposing 100% of the startup's revenue comes from GDPR violations and they've been doing so for, say, 5 years, then the fine should really be 500% of annual revenue. Or even multiply that by 2 or 3 for punitive purposes. It may or may not destroy the startup, depending on how well funded they are. They could be breaching privacy for reasons other than revenue.
The only place and time where the concept of punitive damages and GDPR overlap is the United Kingdom between May 25, 2018 and March 29, 2019.
[edit: and Ireland. They might want to reconsider, given that they host many of the European HQs of US companies.]
As I posted elsewhere, this is NOT true.
>The $20 million fine is not automatically applied. Here's a flow chart which details the process of a GDPR breach: https://40uu5c99f3a2ja7s7miveqgqu-wpengine.netdna-ssl.com/wp...
These rules look at whether your company has infringed before, whether you've notified the state on your own, etc. pp.
The current Information Commissioner Office system has a similar system in place. Out of 17,300 cases reported in 2017, 16 resulted in a fine. Source: https://www.infosecurity-magazine.com/opinions/gdpr-timebomb...
Edit: to those downvoting this (and all of my other comments) - this comment contains only facts. So please show me where it says that there are circumstances under which they must fine you less than the maximum. Otherwise there is nothing to downvote.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
In the EU you tend to trust your bureaucrats to make a "Fair and Just" application of the law
In the US we tend to expect our bureaucrats to be vindictive, corrupt, petty, and generally impose fines and penalties not based on the law but based on their personal feelings about the target of their "legal action"
Thus such open ended wording like you posted being classified as a "rule" scares the shit out of most Americans
And the differences in the legal systems specifically. I think this is why a lot of HN commentators are finding the GDPR vague. In the US rule based regulations are the norm. For better or worse this tends to allow those with clever lawyers to search for loopholes. UK law is much more principle-based, which means trying to abuse the exact wording is not going to save you from a fine, and equally a technical-breach of wording is not going to get you prosecuted. It's not just the civil servants that we trust with this, it is the judges too.
The big number max fines in GDPR are there to deal with companies like Google and Facebook who can write off $5m as a rounding error.
People who have been fined at all under the existing DPA, being enforced by the very same people as GDPR, have been negligent, repeat offenders. I don't believe anyone has ever received the maximum fine in the existing regulations. That just isn't how UK law works
There's at least twenty years of regulation under existing DPA law, where the maximum fine has never been asked for nor applied.
Some people just accept it when someone says they won’t do something that they totally can.
I know, it doesn’t really make sense. If someone tells me “well it says that we can do that if you go by what’s on paper, but we wouldn’t actually do that”, then change it so that it says on paper that you won’t, or I’m inclined to think that you totally will, because you totally can.
The penalty isn't meant to be something you afford. It's a penalty. (It's a feature, not a bug.) I'm having a really hard time not being sarcastic right now but compliance with the law might also end up being an economical option worth looking into. Cheaper than lawyering-up for being sued by shysters for non-compliance, and cheaper than being penalized for non-compliance.
Mind you, taking whatever-it-is off the internet is fine too. I totally understand. What I don't like is all the whiny sanctimony and martyrdom. "Yes I'm taking my thing off the internet, but first I'm going to make a big deal about what a tragedy it is for the world." Um no. The fact that your thing is a "small business" means few people care about it. (Sad to say. More people care about Facebook than about you. That's why they're the big incumbent.) And it emphatically doesn't mean for example, that you're some hallowed, heroic underdog who deserves protection, especially when you won't even afford the same to your own users and their data.
I'm a hobby developer. I once made a tool mostly for myself, but decided to put it online. A couple thousand people use it, and it runs at a loss but I keep it up mostly because it's useful to some people out there. My tiny website isn't hurting anyone or breaking the internet the way Facebook or Google may be. To claim that having to spend my hobby time implementing a bunch of extra features is just "complying with the law" is bullshit, I'm sorry. In terms of scale, it's basically as if I forced you to do a full safety test on a toy car you made for your kid, just because GM cars had safety issues.
And I'm not special. There are plenty of other small devs like me with thousands of small niche web tools out there, most of which are run purely as a hobby, out of our own pocket. I may not make a blog post and get it to the top of HN, but devs like us have 0 incentive to keep our sites online.
HN loves to complain about things like AMP killing the web, but to me this is orders of magnitude worse.
I really think some people are just completely blowing this up into something it's not, probably because the only thing they've read about it is others scaremongering.
How do you deal with user requests? You need to at least somehow be able to gather the data, pack it into a user-understandable format, and delete database entries, also from your backups.
Regarding backups, realistically you are not going to be required to delete from them as it's completely impractical to delete a single user's data from backup. You just need to be straight with your users - tell them that their data will be removed from your live system immediately, but that some data will remain in archive, securely encrypted, until the end of your defined retention period.
gather data: select * from every table that has userId
pack it into understandable format: every language I have used makes json, xml, csv pretty darn easy
delete: delete from....
backups: I am surprised your hobby project takes backups. perhaps have a table with userIds that were deleted, and when you make your new backup, remove all their data?
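The four steps in the comment above (gather every row tied to a user, pack it into a readable format, delete it, and keep a table of deleted userIds so the next backup can be scrubbed), as an added example that is not part of the original thread. It assumes a small SQLite schema (constructed here: `users`, `uploads`, `comments`, plus the `deleted_users` tombstone table the comment suggests) in which every per-user table carries a `user_id` column; the discovery of those tables through `PRAGMA table_info` is the part a hobby project most often gets wrong by hand-listing tables and forgetting one.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema: three tables reference users.id via a user_id
# column, and deleted_users is the tombstone table the comment proposes.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT);
CREATE TABLE uploads (id INTEGER PRIMARY KEY, user_id INTEGER, filename TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE deleted_users (user_id INTEGER PRIMARY KEY, deleted_at TEXT);
"""

# Constructed sample rows (addresses use the reserved .invalid TLD).
SAMPLE_ROWS = [
    ("INSERT INTO users VALUES (?, ?, ?)",
     [(1, "bob@example.invalid", "bob"), (2, "alice@example.invalid", "alice")]),
    ("INSERT INTO uploads VALUES (?, ?, ?)",
     [(10, 1, "track.gpx"), (11, 2, "ride.gpx")]),
    ("INSERT INTO comments VALUES (?, ?, ?)",
     [(100, 1, "nice tool"), (101, 1, "bug report"), (102, 2, "thanks")]),
]


def open_sample_db():
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def user_tables(conn):
    """Every table with a user_id column, discovered from the schema rather
    than hand-listed, excluding the tombstone table itself."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    found = []
    for name in names:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{name}")')]
        if "user_id" in cols and name != "deleted_users":
            found.append(name)
    return found


def export_user(conn, user_id):
    """Steps 1 and 2: gather all rows for the user and pack them into a
    JSON-serialisable bundle (the users row is keyed by id, the rest by user_id).
    Table names come from sqlite_master, not from user input, so the f-string is safe."""
    bundle = {"user_id": user_id, "records": {}}
    row = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    bundle["records"]["users"] = [dict(row)] if row else []
    for table in user_tables(conn):
        rows = conn.execute(f'SELECT * FROM "{table}" WHERE user_id = ?', (user_id,))
        bundle["records"][table] = [dict(r) for r in rows.fetchall()]
    return bundle


def export_user_json(conn, user_id):
    """The human-readable artefact handed to the requester."""
    return json.dumps(export_user(conn, user_id), indent=2)


def delete_user(conn, user_id):
    """Step 3: remove the account and every linked row, then record a tombstone.
    Returns the number of rows deleted."""
    deleted = 0
    for table in user_tables(conn):
        deleted += conn.execute(f'DELETE FROM "{table}" WHERE user_id = ?', (user_id,)).rowcount
    deleted += conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    conn.execute("INSERT OR REPLACE INTO deleted_users VALUES (?, ?)",
                 (user_id, datetime.now(timezone.utc).isoformat()))
    conn.commit()
    return deleted


def snapshot_db(conn):
    """Simulates taking a backup: copies the live database into a fresh connection."""
    snapshot = sqlite3.connect(":memory:")
    conn.backup(snapshot)
    return snapshot


def scrub_backup(live, backup):
    """Step 4: apply the live tombstone list to a restored backup before it is
    re-archived, so erased users do not survive in the next backup generation."""
    ids = [r[0] for r in live.execute("SELECT user_id FROM deleted_users")]
    return sum(delete_user(backup, uid) for uid in ids)


def row_count(conn, table):
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print(export_user_json(db, 1))
    old_backup = snapshot_db(db)
    print("rows deleted from live:", delete_user(db, 1))
    print("rows scrubbed from backup:", scrub_backup(db, old_backup))
```

The tombstone approach keeps the erasure idempotent: re-running `scrub_backup` over a backup that has already been scrubbed deletes nothing and changes nothing, which matters when the retention policy means several backup generations overlap.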
Ah yes, and then all of my data has holes in it that I need to deal with. "Hmm, we only have 5 orders for this, but we're missing 6". "hmmm, we charged this credit card, but there's no order for it and I'm not sure if we ever shipped anything?" "hmmm, how do I delete this tracking number from the postal systems' records?"
Will regulators agree with what I "must" keep?
I found the ICO's guide fairly straightforward to understand though.
Your argument boils down to "I don't want to take special measures to protect your personal data, so I shouldn't have to".
If what you're doing could cause a problem I'm pretty sure I'd rather you didn't without the ability to deal with it.
Essentially, all you have to do is tell your users what data you are collecting and how you will use it.
Also, if a user asks for their data, you give it to them, and if a user asks for their data to be deleted, you delete it. I imagine if either of these things were to happen today, you would do as they wished GDPR or not.
It's not even remotely okay to use random people's blog posts as a compliance strategy.
> It's not even remotely okay to use random people's blog posts as a compliance strategy.
Then use the simple, human friendly guide from the body who will be enforcing it in the UK. I did. I thought it was simple.
It takes 30 seconds to find out whether your identifier violates a trademark. Your content is trivially not a copyright violation if you created it yourself. Hobby projects are not debating the finer points of fair use and whether the conflicting name is for a sufficiently different kind of business to avoid confusion. But every HTTP server handles personal data, and a web-based tool with a database backend especially so, so all the subtlety of GDPR is in play.
But not all of them have a good reason to log it. /dev/null
How about asking and recording a person's birthday when really all you need to know is if they are the age of majority? A birthday is more information than needed, which seems like a violation of GDPR when interpreted strictly with my cursory knowledge. Seems unlikely though that any regulator would enforce such a distinction.
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. 
So once the account info is deleted, that link is broken. This is another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).
Given the above, it still seems like a potential issue to not delete the ip logs.
1) Bob signs up for a service and is logged
2) Bob then asks for his account to be deleted. Account details are deleted, but the ip logs are retained.
3) Bob signs back up for a new account allowing the data processor to make the link from his new account to his old ip logs with the first account.
Whether the data processor can relink the two records with reasonable probability in step 3 depends on the particulars of the circumstance.
I assume cases like the above will be judged, at least in part, based on the data processor following best practices, and operating in good faith (not actively trying to unmask individuals and actively trying to prevent unmasking).
Currently I would not let the GDPR stop me from going forward with any web services plans, however my casual reading of GDPR articles on HN and beyond has not made it obvious how cases like the above will be handled.
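One technical way to reduce the relinking risk in the three-step scenario above, as an added example that is not part of the original thread and not a statement of how any regulator will judge such cases: store a keyed hash of the address under a per-period key instead of the raw IP, and destroy the key when the period is retired. Retained log lines then stay useful for same-period abuse handling but cannot be matched against a later signup from the same address. The class, the period labels and the addresses (from the 203.0.113.0/24 documentation range) are constructed for the illustration; whether this counts as anonymisation for GDPR purposes is a question the thread leaves open.

```python
import hashlib
import hmac
import secrets


class PseudonymisedIpLog:
    """Access log that records HMAC-SHA256(ip) under a per-period key instead of
    the raw address. Constructed illustration: one random key per period (say,
    a calendar month) is created on first use and destroyed when the period is
    retired, after which nothing can be matched against entries of that period."""

    def __init__(self):
        self._keys = {}    # period label -> 32-byte secret, held only in memory
        self.entries = []  # (period, pseudonym, event); this is what gets retained

    def _key_for(self, period):
        if period not in self._keys:
            self._keys[period] = secrets.token_bytes(32)
        return self._keys[period]

    def pseudonym(self, ip, period):
        """Keyed hash of the address, or None if the period's key no longer exists.
        Without the key there is no way to recompute or reverse the value."""
        key = self._keys.get(period)
        if key is None:
            return None
        return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]

    def record(self, ip, period, event):
        self._key_for(period)
        self.entries.append((period, self.pseudonym(ip, period), event))

    def retire(self, period):
        """End of the period: destroy the key. Entries are kept but become unlinkable."""
        self._keys.pop(period, None)

    def find(self, ip, period):
        """What an operator (or anyone with a copy of the log) can do: match an
        address against a period's entries. Returns None once the key is gone,
        an empty list if the key exists but nothing matches."""
        p = self.pseudonym(ip, period)
        if p is None:
            return None
        return [e for e in self.entries if e[0] == period and e[1] == p]


def bob_scenario():
    """Replays steps 1 to 3 from the comment above against the pseudonymised log.
    Returns (matches while same-period key still exists, result of matching the
    old period after retirement, matches in the new period, retained entries)."""
    log = PseudonymisedIpLog()
    bob_ip = "203.0.113.7"  # constructed, documentation range
    # Step 1: signup and normal activity are logged.
    log.record(bob_ip, "2018-05", "signup account#1")
    log.record(bob_ip, "2018-05", "login")
    # Step 2: account deleted, log lines retained. Same period: still linkable,
    # which is the residual risk a retention period has to be short enough to bound.
    same_period_matches = len(log.find(bob_ip, "2018-05"))
    log.retire("2018-05")
    # Step 3: Bob signs up again next period from the same address.
    log.record(bob_ip, "2018-06", "signup account#2")
    old_period = log.find(bob_ip, "2018-05")   # None: key destroyed, no relink possible
    new_period = len(log.find(bob_ip, "2018-06"))
    return same_period_matches, old_period, new_period, len(log.entries)


if __name__ == "__main__":
    print(bob_scenario())
```

The design choice worth noting is that `retire` is driven by the calendar, not by the deletion request: a per-user key would tell you exactly which log lines belonged to the deleted account, which is the linkage you are trying to remove.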
Nothing. Anything. This regulation assigns huge amounts of legal and financial risk to any hobbyist and will likely be selectively applied.
100% agree. And your situation applies to millions of hobbyists, personal websites, projects, startups, and small businesses around the world.
GDPR appears to be intentionally burdensome, a classic regulation strategy aimed at protecting large incumbents while stifling small business, innovation, and newcomers, or even side projects like your own.
It is by far the best GDPR presentation and explanation of lots of misconceptions. Please report back what you think about GDPR when you finish, I am curious if you will still feel threatened.
From the presentation: "guilty until proven innocent". How can you NOT feel threatened?!
Guilty... is really not something special, IRS anyone? ;) Did you catch something else? Something useful maybe? About borrowing a car for instance? :)
The GDPR is actually late, I have a few IoT devices and I verify them by isolating them on the network and sniffing out communication (mitm on wifi, and an old school 10 port hub (yeah, the one screaming everything to all ports) for wired). It is a sad sight, even if they have absolutely no need to contact outside servers (I would never have a device like Siri in my home) they still do, another case would be broadcom drivers on android calling home. Someone has to stop this madness.
I know a lot of people are pissed off due to GDPR, but I will gladly ask them again in 10 years. I think they will change their mind.
You can continue running all hobby tools you want.
Compliance depends on how well your understanding of a bunch of fuzzy terms like "legitimate interest," "level of security appropriate to the risk," "necessary in relation to the purposes for which they are processed," "no longer than necessary," etc. align with 28 different regulators and judiciaries. That's as far from "trivial" as it gets. Bozho.net is not a lawyer, not your lawyer, and even if he were your top-tier lawyer specialized in data privacy he wouldn't have a clue what courts were going to take these things to mean in the context of GDPR, because there aren't any judgements yet. Security and minimization standards are also about "taking into account the state of the art" - do you know what the state of the art is, and is your organization capable of implementing it? An entirely plausible outcome here is that only the most advanced engineering organizations have technology that meets these standards.
Horseshit. There is nothing advanced about storing only the data you need. However, if you've been hoarding like crazy and weighed down with technical debt, and haven't used the last two years, then yeah, might be hard.
Yes, it's a new law, yes, in practice it will be defined by judgments. How is this different from any other new law, other than this one impacts IT harder?
And let me guess what the alternative is: do nothing.
Consider also that European law is different to US law. We draft laws and contracts in a conceptual/abstract way, whereas in the US where everything has to be exhaustive, explicit, and over-worked; just in case anybody dare sues.
GDPR recognises one-size-fits-all won't work. Yes, that means it has some vague terms. Yes, you might have to show you thought about the implementation, and that you erred on the side of privacy.
It's funny how everybody always talks about the maximum fines, not the other sanctions that the GDPR can impose. Guess that's just more sensational.
Isn't that besides the point?
You can be 100% compliant and still be sued by somebody. And you'd have to pay some lawyer a lot of money to make it go away.
That risk already existed before the GDPR (anybody can sue anyone for whatever reason they can come up with), but GDPR is high profile enough to make people scared.
About a decade ago, I ran a website that made heavy use of user uploaded GPS data. I didn't sell any data. The only ad income was Adsense.
If I had bothered to restore the server from backups after a HD crash, I'd probably take it down now. Just not worth the potential trouble.
I fail to see how GDPR makes that new. You can be sued for any reasons already, being in the right or not.
E.g. 99% of useful websites violate some patents (that shouldn't ever have been issued), actual predatory suing about this issue happens, yet no one closes his website because "the patent situation makes it too uncertain".
No, someone can report you to a member state's compliance organisation.
Indeed it is: the first 100 pages of the text detailing what compliance means are a manual for how to read the remaining 5000 pages, and a warning that there will be per-country variants of the law, which I'm sure will all be very clear, made easily available and not at all weird or objectionable, or require being well-versed in the legal intricacies of said member state at all!
Here is a set of (easily available) interactive tools, explainers and guidelines from ICO in the UK which explicitly outline what compliance looks like and what steps you can take to achieve and demonstrate it. It’s available as a 162 page PDF, if you insist on counting pages, but much of it relates to the processing of sensitive data or data relating to children, which the majority of orgs can skip.
We won’t take our services off the Internet. We’ll simply block you and your overbearing friends in the EU from accessing them. You might not miss one of us, but you’ll likely miss hundreds of thousands of us. Enjoy Facebook. That may be the only site you still have access to when the dust settles.
Compliance is trivial
Since you are saying that, I can guarantee that you haven’t actually read the law or been in charge of trying to make a website compliant. That is an absurdly incorrect statement. Billions are being spent around the world on attempts to comply with it.
Hell of a way to defend the most absurd and overreaching displays of censorship we see on the modern web.
That is easily one of the more absurd statements I've seen this month.
> Well meaning regulation like this written by people who have never created anything practical in their lives
And websites whose customers are advertising agencies, and whose product is people, create something? Attempting to track and then monetize everything everyone does online is _creating_ something now?
This is snarky, and intentionally simplifies things down to a dumb level. Here's a list of things that "create something" while relying on an advertisement model for revenue:
- Reddit (to some extent)
I can find a hundred other examples that are ad-revenue supported but create immense value.
It's a difficult balance to strike, and while not perfect, this model has allowed us access to so many good services that would otherwise not exist. Saying that none of them "create something" is just wrong.
With the amount of creativity observable for inventing tax-avoiding business structures, I'm sure if the minimum clause weren't there, big players would quickly find a way to spread their revenue over dozens of small entities, each looking like a "small business" on paper.
So I'm not sure it would be even possible to make a regulation "with teeth" that explicitly exempts small players.
No, it is not.
"Well meaning regulation like this written by people who have never created anything practical in their lives other than regulations illustrates why entrepreneurship in modern Europe is nearly impossible."
No, it doesn't. It demonstrates that far too many "entrepreneurs" are people who want to play fast and loose with regulations, and not be held accountable for anything.
The higher you turn the knob, the harder it becomes to (compliantly) do things. Also (if the regulations are working as they should), the less the things that people do produce bad side effects. But the "harder to do things" part mean that fewer things get done - fewer new products and services get created. As the knob goes higher, not all of the things that don't get done are things that the regulations are designed to prevent. Some are perfectly fine things, but the burden of proving it is too much for the single person tinkering in their apartment to ever try to turn their idea into releasable reality.
And you prefer China's policy of censorship over the EU's policies of protecting consumer's privacy. Well that's interesting.
I am pro small business, and I am against censorship.
I see however historically opposite trends over the last 20 years: China is getting more free speech and is getting more pro small business, and Europe is the opposite. And it's not a coincidence. I think eventually the censorship curves of China and EU will cross. Small business friendliness curves crossed perhaps 15 years ago.
That's just not true. The West hoped that would be the case when Xi took charge, but it's gone in the opposite direction since then. How many chat apps can you use where the CCP isn't listening in on your conversation? They practice wide scale censorship on their own social media, Western social media sites are blocked, and important sources of information like Wikipedia and the New York Times are blocked too.
> China’s authoritarian regime has become increasingly repressive in recent years. The ruling Chinese Communist Party (CCP) is tightening its control over the media, online speech, religious groups, and civil society associations while undermining already modest rule-of-law reforms.
The GDPR might end up being bad regulation, but we were already getting bad results for the average citizen. If the industry wasn't going to regulate itself, and it's hurting citizens, are governments supposed to just stand back and hope it works out for the best? Maybe in a libertarian paradise, but no national government is currently running on that paradigm.
Edit: also free speech != No regulations. Companies aren't people and they shouldn't be getting the same rights as people. You can't just do whatever you want to make a dollar and then try and claim free speech protections
Should a union be denied freedom of speech? Because a union is a corporation as well. What about the Sierra Club? Should they be silenced? They too are a corporation. Should a teachers union be allowed to speak, but Khan Academy denied the same right? Should organizations advocating free WiFi be allowed speech, but Comcast be denied the same right?
The “companies are not people” tripe being parroted since Citizens United is a naïve and dangerous road down which people are attempting to travel. At the core of the issue is the right of free association. Free association is fundamental to free speech and a free society. Profit motive is irrelevant because profit is just as valid of a goal as “better schools” or “better public policy” or whatever the cause might be.
Governments are people who have joined together for the common purpose of governing. Does that make a government indistinguishable from an individual person, which is basically just a cell?
Is there a difference between one kid running across your lawn and 10,000 kids organized for the purpose of running across your lawn?
A corporation is a piece of paper registered for $100 that can be destroyed without penalty. It is a tool for achieving an objective, just like a computer. Many people join together to make Wikipedia, but we don't grant that website free speech...
I upvoted you and I am seeing this on HN more often now. That people would use downvote as a signal of disagreement.
Yes. This I think is a downside of the law. Some small owners are going to have a more difficult time.
But this is true for any regulation like food safety regulations, construction regulations, etc. They hurt more a small restaurant than a big chain. But in the end, these regulations are there to protect the customers. Small restaurants have closed and will continue closing for not following food safety regulations. But what is the alternative? Is business creation the final goal of our society? Or there are things more important?
In summary, small businesses are going to have to extend their insurances to also cover risks related to GDPR. But it's the price to pay for having safer data.
For construction, you build your building to 'code', an inspector comes in and stamps the building and then you're done. If you're not code compliant, then you can correct without much penalty at all, not get a $million penalty, and you don't have to go to court or get lawyers. Making your own shack in your backyard isn't an arduous process as far as code compliance goes.
Since most software is constantly modified and edited, I don't think the construction model really works. More the food safety one or a data fiduciary one.
But the GDPR works like this too? The $20 million fine is not automatically applied. Here's a flow chart which details the process of a GDPR breach: https://40uu5c99f3a2ja7s7miveqgqu-wpengine.netdna-ssl.com/wp...
If you breach the rules, a simple reprimand without a fine is possible too.
It actually doesn’t say that. This law has the effect of small business essentially needing a 20 million insurance policy to protect against the possible whims of an overzealous regulator? It’s either insure yourself for 20 million or risk losing your entire business over potentially a trivial matter.
When people in the UK have been jailed 8 months over traffic cameras or prosecuted and jailed for speech, I wouldn’t give a European government the benefit of any doubt. Willingly inviting an unelected regulator, accountable to nothing but the letter of a badly written law created by another unelected government body — that’s just foolish.
The maximum fine is a cap, not a guideline.
That's one of the funniest statements I've read today. Or annoying, I'm not sure. Definitely meaningless.
Article 83 (including related recitals)
Work in best interest of your users and you will be compliant. I don't think that this is harder than food safety regulations.
By the way, the technology is changing fast and a strictly defined law with "do"s and "don't"s would be downplayed in weeks. That's why GDPR is conceptual (and that's why everyone is pissed off, as they can't downplay it - how many sites have you seen that are giving you a fair cookie choice?)
And in food or construction if you willfully break the law then that can be criminal and you will face severe fines and/or jail. It's all about your intent.
There's a huge chunk of the web that is filled with niche web tools, mostly made as a hobby, running for free. I myself own 2-3 such sites. Now, I'm forced to spend my hobby time adding a bunch of new features on a site that already loses money? I'm sorry but the couple thousand people that depend on this tool will have to find someplace else I guess.
HN sure loves to worry about AMP killing the internet, well to me this is far more dangerous. Can't wait for larger troll companies bullying small devs with lawsuits and killing all their competition using GDPR.
What new features do you think you need to implement to comply with GDPR?
`id, name, email_address`
You could simply blank out everything apart from `id`.
Regarding logs, it might be worth thinking about whether you actually need them to contain personally identifying information (e.g. IP addresses, usernames) - if not, just don't log them.
If not, then why do you expect the EU to go after the equivalent site with a few thousand users?
Does this apply?
* the fine has been cancelled and the council has apologised
* this is such a rare occurrence to be worth news reports
I'm going to say it validates the point.
> why do you expect the EU to go after the equivalent site with a few thousand users
You are saying that they DO that, but then will (probably) apologize afterwards. Some website owners consider that an unacceptable risk.
Status quo? Baby steps? Enforcement of existing statutes? Consumer education? Promotion/support of preferred alternatives? Codified small business leniency? Objective enforcement clarity?
The alternative is to let consumers fend for themselves, and if government is going to help, limit that help to investigating and punishing fraud, enforcing contract law, and providing free information resources to help consumers make better informed decisions.
Yes business creation should be the highest goal of society. New businesses are what counteract income inequality and drive innovation.
We need innovation to solve the already existing problems in society, that claim tens of millions of lives every year. There is no zero risk path open to society.
TalkTalk lost 150k people's information (including bank account numbers, sort codes, dates of birth, etc - people who later then received scam phone calls from people who knew their details) due to extremely basic security failings. They were fined £400k (a record fine). They then did it again and paid £100k.
Properly securing the site and the data over many years could easily cost more than that, added to the chance you'll not get hacked or fined and it is perhaps even a financially sensible position to not put the effort in.
> That makes more sense as it doesn't invalidate 90% of standard tools processes in technical marketing for example.
Can you explain in more detail?
Stronger restrictions on what data you can hold without good reason or consent means that inevitable breaches become less important.
I'm not sure how it's "easy to avoid sharing identifiable data"?
Companies have failed to regulate themselves since the dawn of time, this is how the world works.
It’s a false dichotomy to compare the risk of DEATH from bad food safety to the annoyance of getting a targeted ad whilst enjoying an online newspaper article for which you didn’t have to pay.
Elevating data obtained while surfing the internet to the level of food safety or building codes is ridiculous.
Companies worldwide have consistently failed to safely store and process personal data. There are new data breaches every day. Irresponsible processing of data has a direct negative effect, and that’s not related to the idea that it’s misused for advert targeting.
Minimising the incompetence we’ve seen worldwide by treating it as “just some data collected while surfing” is baffling to me.
I'm afraid that in your overreacting rush, you might have removed your app from European countries that are not within the European Union.
Though if you are collecting more data on your users than you need (why would you need personal data at all for this app?), you might have been doing them a favour anyway.
Most apps nowadays aren't tools, they're sophisticated scams designed to steal people's information.
> It has Google Analytics
There's a real issue, you've been bundling spyware with your application for years.
GDPR applies to you if an EU citizen signs up from somewhere outside the EU as well, but since you don't have any physical or online presence in the EU I don't think they will do anything.
Transactions do not have to involve money and in fact, the very topic of this entry on HN is about a website that was free, with transactions that did not involve money.
Really? If it's a currently established practice, what are some prior examples of countries punishing foreigners on foreign soil over websites with no payments component?
Maybe each jurisdiction should be the business of regulating locally-accessible websites, not just locally-hosted ones, but that's a fundamental shift in the nature of the internet. "Not available in your country" is currently an anachronism. In that world, a prudent web publisher would start out local and enable specific countries for cross-border traffic only as its legal team expands. Internet communities like this one would splinter as people get tired of clicking links they can't follow.
The countries currently regulating available web content do so with network blocks, not extraterritorial enforcement actions against publishers.
Free doesn't mean you are exempt from complying with law, that is all I'm saying. I did not comment on how this one applies to EU citizens even for foreign services.
In this regard though, it is similar to US law requiring foreign banks to go through special steps when they are dealing with US citizens so that's not anything new either. Money being involved or not in my opinion is not really significant (I actually think that private data is more important and needs more protection than money) but that was not the point of my comment.
It doesn't, but free on the internet has so far meant you're only on the hook for your own jurisdiction's laws.
All websites provide services to users in all countries unless they take positive steps not to. Framing this as a conditional, or a counterpoint to parent's claim about enforcement outside EU borders, is bizarre.
I’m confident that compliance is:
- Straightforward for any non-tech firm;
- More complex but not that hard for most tech firms that handle data;
- Far more complex for large organisations than small ones;
- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.
I’m not sure what your motivations are it making it seem disproportionately burdensome to comply with, but I don’t think they’re good.
I wonder how people from other parts of the world are understanding this and how do they look at a site like that? I mean, this legislation that is designed to protect people and their data is making them such a problem that they would rather block roughly 500 million people. I personally would have a huge trust issue, but this is not about me; what do non-EU guys, who don't run any site (conflict of interest), think?
I would for instance rather put a huge mark on all pages "GDPR compliant, protecting data even for non EU visitors" or something like that and try to get some money out of that. But that is just me.
- What did you do about logs? Things like request logs will at least contain IP addresses, which are PII. Now logs can be cleared after a fixed interval, but the time for honoring the data delete request is a month I guess. If you want to keep logs for a period longer than that, what do you do? If you anonymize IPs, it makes other analysis on top of those logs useless.
- What did you do about data backups?
- What did you do about external error reporting services?
- What did you do about analytics services?
Regarding backups, realistically you are not going to have to delete data from them, as it's completely impractical to delete only data for a particular user from archive. If a user requests their data to be deleted, delete it from the live site and be open with them that some data will remain in archive - securely encrypted and untouched - for your defined retention period.
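Two practical points come up in this sub-thread: the earlier reply that an erasure request on an `id, name, email_address` table can be honoured by blanking everything except `id`, and the question above about keeping request logs without retaining raw IP addresses or usernames. The following is an added example (not code from any commenter, and not tied to any real site) that does both in plain Python: it blanks a user record while keeping the row's key, and it scrubs constructed combined-format log lines by truncating the IP to a network prefix and dropping the username before the line is stored. The record layout, prefix lengths (/24 and /48) and the sample log lines are all assumptions of this example.

```python
"""Data-minimisation helpers for a small hobby site (added example; the
record layout, prefix lengths and log lines below are constructed).

  * erase_user(): honour an erasure request by blanking every personal
    column and keeping only `id`, so foreign keys and row counts survive.
  * scrub_log_line(): keep request logs usable for traffic analysis without
    storing raw IP addresses or usernames. IPv4 is cut to /24, IPv6 to /48,
    and the username field is replaced with "-". Lines that do not parse are
    dropped rather than written through unchanged, since an unparsed line is
    exactly where personal data would slip past the scrubber.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class User:
    id: int
    name: Optional[str]
    email_address: Optional[str]


def erase_user(user: User) -> User:
    """Return a copy with every personal column blanked; only `id` is kept."""
    return replace(user, name=None, email_address=None)


# Constructed combined-format log lines (Apache/nginx style); not real traffic.
SAMPLE_LOG = [
    '203.0.113.42 - alice [10/Oct/2023:13:55:36 +0000] "GET /tools/convert HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "POST /api/run HTTP/1.1" 500 88',
    'this line is not a log line',
]

# client-ip ident username [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) (?P<rest>\[.*)$')


def anonymize_ip(ip_text: str) -> str:
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6 (assumed sizes)."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def scrub_log_line(line: str) -> Optional[str]:
    """Return the line with IP truncated and username removed, or None if it
    cannot be parsed (unparsed lines are discarded, not passed through)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = anonymize_ip(m["ip"])
    except ValueError:
        return None  # first field is not an address; refuse to store it
    return f'{ip} {m["ident"]} - {m["rest"]}'


def scrub_log(lines: List[str]) -> List[str]:
    """Scrub a batch of lines, silently dropping the ones that cannot be parsed."""
    out = []
    for line in lines:
        scrubbed = scrub_log_line(line)
        if scrubbed is not None:
            out.append(scrubbed)
    return out


if __name__ == "__main__":
    print(erase_user(User(7, "Alice", "alice@example.com")))
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

The trade-off the question raises is real: a /24 or /48 prefix still supports per-network rate limiting and rough geography, but not per-visitor analysis. If a site needs per-visitor counts, a keyed hash of the address with a key that is rotated and discarded on the retention schedule is the usual middle ground; that variant is not shown here.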
What about companies like Alibaba?
if you’re so risk averse that any minuscule chance of GDPR noncompliance precludes you from running an online service... aren’t you already not running anything because of existing legal risk?
Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though? You are claiming they will be safe for years but what if bigger players want to make an example out of 5-10 smaller players and just report / sue them to hell and back?
I know I am reaching but this possibility can't be dismissed just like that. Historically, bigger players have exhausted smaller competition with legal fees and effectively drove them out of market. We cannot in good conscience claim GDPR won't ever be used like that.
I'll be happy to be proven wrong in several years time from now, but right now I am simply not sure if GDPR is gonna be used for or against the free market (competition). Not claiming either way, just saying the risk wouldn't be worth it for me for now.
That's what I'm afraid of, not getting randomly picked by the regulators.
The language of the GDPR makes frequent references to the scope of the processing activity and to its frequency. The law purposefully applies less to smaller controllers. The authorities have made their job harder for going after smaller controllers.
Moreover, the GDPR is done in the scope of the EU, which is not very litigious. Bigger players are unable to bring legal claims against smaller players in any way. The only way for them to game this system would be to fraudulently lodge complaints at the data protection authorities who would have to not notice what is going on and actually bring action against the smaller players.
Defending even from bogus lawsuits is a huge expense of human energy for the non-experts (I'd wager that's 99% of the world's population).
Maybe as a countermeasure for abuse it's too small, but it's not a totally absent concern.
The authorities are not idiots, and have limited resources - they are only going to be chasing the true bad apples that are willfully infringing the GDPR.
I suspect the DPA will start with a letter, where you will need to explain your current practices.
Then, nothing more happens (if you are mostly compliant and good-willed). Maybe you will get some written instructions to better yourself.
Even if they could fight, why would they want to? There are lots of us with tiny things on the internet where the burden of maintenance is only slightly below the enjoyment we get making it available. Increase that burden and the costs are negative and things get shuttered.
Question, if I have a small thing and don't want to preemptively concern myself with GDPR, as a non-EU site operator can I tell an information requester "no"? Might I harm my ability as a person to travel to the EU? Ignoring the standard "if you do nothing wrong you have nothing to worry about" and "the GDPR is really easy to understand" arguments, and assuming I'm not wanting to do any real work, would it be wise for me to just add known EU subnets to my firewall?
Hobby or goodwill projects (==not turning a profit) just aren't worth that risk.
Incorporate in the US?
I got a couple of small details wrong, but not the main point: citizenship of the data subject is irrelevant.
However, IP blocks are still useless for the reverse reason: someone "in the Union" could be VPNed through another country. (For example, I'm on vacation somewhere in the EU and VPN through my home computer to purchase something and have it delivered to my house in the US. By virtue of being in the EU at the time, at the least that specific information collected during my stay would be subject to the GDPR. How would said company ever know?)
Examples they list: use of EU languages or currencies not used in the host country, use of EU domain names, specific wording addressing an EU audience.
This kind of nuance is where it's good that humans are the ones enforcing the GDPR, instead of needing a programmable rule.
a. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b. The monitoring of their behavior as far as their behavior takes place within the Union."
This doesn't seem to discuss intent at all? I mean, we could mince words about what offering a service means, but that doesn't seem productive and unless there is some other part of the law redefining this, won't make me comfortable.
While that point of guidance won't have region-wide binding force of law unless the European Court of Justice rules that way, I'd be extremely surprised if any national supervising authority or court system would contradict such a document, since the official guidance's reading is clearly among the possibilities consistent with the text (admittedly not the only one) and predictability of this kind of law is key to achieving its goals. Even if they do, they wouldn't likely penalize people with more than a warning if they haven't announced their weird interpretation in advance.
Q: is it possible to be in violation of the gdpr in a situation where you could never know you needed to be compliant and have taken steps to avoid serving EU countries?
A, official: Yes.
A, unofficial: Most likely not if no one's having a bad day or has a bone to pick or is just being uppity.
Also, both answers are official and from the EU institutions. One is the law, and the other is meant to help interpret and apply the law. I'm not talking about third party compliance guides (except for the link I shared), of which there are many.
With all of that said... If you have both taken steps to avoid serving EU countries AND have also done things which they view as targeting EU countries, the answer would be murkier. For example, if you block European IP addresses but also use .de and .fr IP addresses and accept Euros, they might consider it to apply despite the IP block.
I'm also not sure what would happen if you took no explicit steps to target, but saw 80% of your customers coming from Europe on a sustained basis and did nothing to stop that.
Overall, the law will be interpreted with its own intent in mind: it should apply if you're engaging with Europe, but not automatically globally.
I understand if you want more certainty, but that's how computer programs operate, not laws.
The recitals do sound as if it applies to citizens, however the actual definition of a data subject for a company outside the EU is someone "in the Union".
An EU government could try to convince your own government to enforce their fine / injunction / extradition / whatever. I don't think the USA has any treaty or other law that would compel them to. I'd guess that Trump's administration would treat the request as something between a joke and an attack on American sovereignty, so I doubt that's a major risk here. Other countries may vary.
The easiest path for the EU to enforce is probably through your customers and vendors, probably starting with payment processors--like, require everyone who processes payments in the EU to transact only with people who transact only with GDPR-compliant companies. My personal guess is that everyone with a business model that depends on breaking the GDPR will move offshore, and the EU will play the same game of merchant account whack-a-mole that the USA does for online poker and such. I'd guess that the effort to enforce offshore will be big enough that only the most egregious violators will be worth the attention.
There is nothing in the GDPR that allows for a person or lawyer to sue a company for GDPR non-compliance. All they can do is complain to the regulatory authority in their EU country, which has the sole power to issue fines. And if you're not taking care of my data, then I have no problem at all with you being fined.
I stated exactly what I had in mind, the rest is your projection and fantasy.
You say there is nothing in the GDPR that allows a person / lawyer to sue a company. I have no reason to doubt that. Okay. But laws aren't that clear and cut; there are overriding laws, parent laws, derivative laws... the spaghetti black hole is huge and everybody who isn't a hardcore specialist lawyer can't possibly hope to be 100% informed and protected.
That was my original point and still is. How did you transition to the hint that I am (1) farming personal info, (2) not taking care of it, and (3) deserving a fine... guess that's one of the Universe's mysteries.
Society doesn't owe entrepreneurs a business model, but it does owe people a dignified life and some control over information that can be used to harm them.
I fully agree and that's why yesterday I deleted 7 hobby projects -- all their databases and hosted apps, cancelled VPS subscriptions and never made any backups.
Never put ads, never put trackers, never sold anything to anyone. Hell, I just checked their VPS dashboard once a month, that was all.
Since I don't want to deal with the legal baggage, I am doing my part in NOT contributing to the rampaging privacy abuses and simply destroyed any goodwill thing that I created in the past that might have collected any shred of personal data.
Thus I am perfectly okay with my personal project being a collateral damage of the GDPR. I believe in the GDPR and want to see responsible private data usage.
Sorry, but society doesn't work like that. You are always responsible for your actions no matter if you earn a profit or not. And not bothering to read up is also not an excuse.
Companies take risks. This is just another one, that has to be managed like all other.
(1) I have a few hobby and free projects hosted on the net where people sign up and might fill up full names. Never made a penny out of them, never had any trackers or ads -- just a bunch of acquaintances used them, and maybe 50-100 strangers.
(2) I don't want to deal with the GDPR.
(3) I delete the entire database without backing it up.
(4) I delete my hosted app and don't renew my VPS subscription.
Zero damage done now and in the past because I never sold any data to anyone.
What part of that gives you the hint I am irresponsible? Society might "not work like that" as you say and since I don't want to deal with extra legal baggage, I am simply doing my best not to contribute to the abusing privacy problem. I delete any and all traces of personal data my hobby apps gathered.
Really, what's so unclear or tempting in my original comment that makes you people attack me?
Fact is, we have a giant tragedy of the commons due to loose and fast play with people's personal data. This is similar to what happens in third world countries where people play fast with working safety or environmental laws.
My point was, any data you collect has a risk of doing harm and we have historically grabbed everything in sight, just in case - as if there was no potential downsides to it.
What happens when somebody's side project (which hasn't been updated for 18 months due to lack of interest) gets hacked and a gay person's sexual preference and home address are leaked and that person is killed by haters? (extreme example I know)
I have no problem with you doing the above 4 steps, but I do think that we, programmers, have a collective responsibility to safeguard people against non-obvious (to the layman) dangers, the same way as any other industry.
And the tone in this thread is hysterical from the "ooh the GDPR is the devil incarnate" group.
Fact is that the "new" regulation aligns with what most Europeans would have believed had been the law all along (and actually was, just mostly non-enforced).
I also acknowledge that the US have vastly different ethical standards and that everyone is free to be exploited as much as they want..
Click-through EULAs are also not binding in Europe for example, I am interested to see what happens when a DPA takes an American company to court due to having given themselves unlimited consent on page 2712 in their EULA.
If those companies withdraw from Europe, I welcome the collateral damages of some innocent but lazy projects..
Do you really think that a thought about what data you really need (and why), the need to actively safeguard the data (especially the sensitive) and a need to formalize those thoughts on paper is an unbearable burden?
All the American scare-mongering about the fines is from people that don't understand European law practice.
And the whole affair of Facebook moving non-EU people away from the Irish jurisdiction to have them not under the GDPR shows that it will probably work as intended. (Some people call it Lex Facebook already)
You did misunderstand me. I take partial responsibility but really, give us programmers at large a bit of credit. A good amount of us have a lot of culture in other areas and aren't that immature. (Sadly however, a lot are so I can understand your negative assumption.)
> Fact is, we have a giant tragedy of the commons due to loose and fast play with people's personal data. This is similar to what happens in third world countries where people play fast with working safety or environmental laws.
100% agreed with this and your next several paragraphs. I never thought that was okay. Never. But I had a rather cynical view on it: no laws about it? Sure, let's abuse as much as we can! That's how corporations are and that's how they will always be -- it takes a certain mindset to grow into a corporation and I am afraid that being rather scummy is practically a job description for the people who make the corporations come into being, and grow. I also always thought that when the inevitable regulation comes, that's NOT gonna change like anything.
Imagine if FB made you click "I Accept" on a dialog box that deliberately obscures the fact that they want to gather and use your data. What can you do? Report them? By the time a judge calls to them, they might have a switch to make the popup look 100% legit but who cares -- by that time FB or any other corp. might have the "informed constent" of millions of people, again.
It's a huge game of cat and mouse and IMO the regulation we see now is just the first step. I anticipate tens of other steps so things aren't gonna get better anytime soon.
So there you have it. An opinion from an Eastern European dev. ;)
> And the tone in this thread is hysterical from the "ooh the GDPR is the devil incarnate" group.
IMO only if you feel you are on a mission to calm down hysterics. Our perceptions are warped by our preconceptions, we all know it. Example: in my eyes yes, there are alarmists, but many more people who are outraged by the inevitable fact that all of us have to become a little bit of lawyers in order to not get chased by the EU (and not only in terms of the GDPR, of course; there are many other venues through which we can be attacked). I understand the idea of the GDPR and I support it fully, but that doesn't stop me from disliking legalese.
I don't want to ever abuse people's privacy, but I also like to remain a programmer, not become a half-lawyer. Okay? That was my message all along.
> I also acknowledge that the US has vastly different ethical standards and that everyone is free to be exploited as much as they want.
As a European, yes, that has been my observation for a LONG time. The US tech sector has a huge ethics problem and the VC-enabled tech bro culture in SV is only making things worse with time. Somebody should definitely do something because the world is taking notice. VCs operate on reputation as well, and sooner or later more and more of them are gonna start refusing to fund startups.
> Do you really think that a thought about what data you really need (and why), the need to actively safeguard the data (especially the sensitive kind) and a need to formalize those thoughts on paper is an unbearable burden?
OF COURSE NOT. But again, that's my point. It's an expense you absolutely have to spend when you make a profit. But I didn't; like the OP, I had hobby websites. It's a simple cost calculation. I don't want to become a GDPR expert for things that don't make me money. Thus I shut down my personal projects. If and when I become a guy running a service for profit, I will go the extra mile and shoulder the burden of protecting personally identifiable information.
> All the American scare-mongering about the fines comes from people who don't understand European law practice.
Not sure it's only that. You can call me a scaremonger in this instance as well. It's just that I am no expert lawyer -- and for me this fact leads to the conclusion that I can be brought down if an expert lawyer wants to get their hands dirty with me. Nothing more, nothing less. Our so-called "justice system" favors the side with the better-paid / more-experienced lawyer and that's pretty much historically proven, especially in Eastern Europe. Maybe it's less visible in most of EU and USA but from what I've read through the years it seems to happen quite a bit there as well.
Maybe the people disagreeing with me believe in the system much more than I do. Perhaps my cynicism is seen as non-constructive. But it's well-founded in the reality I live in.
I just want to add, there is a huge difference between working as a programmer for somebody else and for yourself.
In the latter situation, you have implicitly agreed to shoulder all risks and burdens..
In the former you are a salaried professional, and somebody else has the potato.
I don't currently run a business online, but if I were, honestly I'd be more worried about the usual headaches like accepting payments legally, dealing with spam/fraud/abuse, finding product/market fit, etc. GDPR would be somewhere around 500th on my list of "start-up things that give me crippling anxiety."
So from getting sued 28 times with 28 different laws you have reduced your risk to being sued with just 1. Now, in order to have an online business in the EU you just need to comply with 1 data protection law instead of with 28. How is this bad?
What I suspect is that many people were just not aware of the 28 previous data protection laws that they needed to comply with, at all, and are now realizing that these laws exist.
GDPR simply made me aware that I am not willing to go the extra mile for hobby projects so I shut them down and never sold any info to anyone, nor have I served ads/trackers.
Many commenters in my sub-thread here are making me look like a hysteric and that's seriously annoying. It's all about deciding if a cost is worth it, and I figured in my case it wasn't. Why make it more complex than that?
Further, in my opinion the GDPR is wholesome. You ought to implement it even if it didn't exist. If your business relies on playing fast and loose with user data then IMO it's not an honest business ...
Further still, the worst punishment is 4%/20M; it's not the default intervention or anywhere near the only way that the GDPR will be enforced.
They don't even need to dig up any possible violations - just the legal process alone is enough to kill any side project.
Or, "You can beat the rap, but you can't beat the ride." For a small company or individual, even winning a GDPR case will be a Pyrrhic victory.
Guess they believe in the system more than I do. My country -- and the EU -- has been known to have cases where a big player makes a grisly example out of a small player, in basically every business area.
>Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.
Isn't this the same with the other laws, like copyright, trademark, patents, software licenses?
I could say the same about one of these other laws. For example, you may have a video of you doing something cool with a bit of copyrighted music audible in the background, and then you could get sued by a big bad law firm. The difference is that in this case it is the regular citizens who are protected, not the budgets of big music publishers.
The point is to protect users, not to prosecute companies for operating. However, the GDPR would be enforced if you just ignored it.
It really isn't such a big deal.
Nothing. GDPR enforcement is carried out by each country's regulatory authority; they're the only ones who can sue, target or take action against you for non-conformity.
A lot of people here: please CHILL. You make me look like a hysteric. Not what I had in mind.
- I don't want to become a semi-lawyer or hire a lawyer until absolutely necessary.
- I had 7 hobby projects where people could fill out full names if they wanted to.
- I deleted all of them -- apps and database -- without backing them up. Never served ads or trackers, never had any 3rd party JS on any of them. Unless somebody had unfettered access to the VPSes without me knowing it, I never leaked personal info.
It's a very simple cost calculation: I don't even want to invest 2 hours in reading the GDPR in detail, nor do I want to rework the hobby projects to encrypt the personal data in the DBs, hence I refuse to be a part of the privacy-abusing problem and delete anything that might have gathered any personal data. I believe in the GDPR and this was my way to at least not contribute to the problem.
Seriously, what's so unclear? You can repeat to me that "knowing laws and protecting from bogus lawsuits is a fact of life" but it doesn't have to be before I have a business -- which I don't. So I still respectfully disagree that I have to learn legalese today.
So seriously, don't get so worked up over a comment that expresses a sentiment that I want to become more law-aware only when absolutely necessary and not a minute before that.
You don't want to hire a lawyer until absolutely necessary, but you're willing to delete everything way before absolutely necessary?
My hobby projects were inconsequential. Nobody cares about them much, including myself. I prefer tinkering, not becoming better versed in legalese.
It's rather fascinating to me how I keep being misunderstood. I guess I am not stating things as clearly as I imagine.
I am not asking anybody to take my word for it, just saying how my ethics and tech education tell me I should be doing things.
Then maybe those people shouldn't be opening side businesses? Running a business implies having to deal with business matters which include legal.
For example, in Switzerland if I want to open a small cafe on the corner selling homemade cheesecake, I'll have to first figure out what the exact regulations in my state are, obtain a permit for opening one, create a "Hazard Analysis and Critical Control Points" concept and send it to the authorities, make somewhat sure I get accounting right, maybe get a permit for infrastructure changes, etc.
I'm not talking about the GDPR specifically because I don't know enough about it yet. And in general I am sceptical of laws and regulations that don't seem absolutely necessary.
What I don't get is why anyone should care that some tech people running a business don't want to deal with legal like everyone else? What makes us so special?
I had 7 hobby projects that very few people used. After I read on the GDPR yesterday, I simply deleted all their databases and apps (without backing anything up) and didn't look back.
I believe in the GDPR and I don't want to become a part of the problem. The lowest friction solution was to just delete stuff I don't deem at all important.
If I am to open a business, I'll cross 100 rivers to be GDPR compliant. And you are correct -- we techies aren't special, of course.
I only asserted that for hobby projects or projects that are not turning a profit the extra effort is simply not worth it. Nothing more.
This is still debatable, because what if in the near future your encryption turns out to be weak and all the personal data becomes readable again? Things like this... This law was really not thought through.
As I understand it, you will be able to appeal or somehow else address the European Data Protection Board, that will be tasked with ensuring the consistent application of the regulation:
My intent isn't malicious. I simply don't want to invest in more maintenance. Hence I'd block EU, yes.
Users of free services will just set their country to non-EU and continue to consume the services. The GDPR will have achieved nothing in that case.
This stems from the United States making their laws apply globally.
My company has no presence in the EU, and neither I, nor any one of my employees, is going there.
What's the risk?
That seems simple enough - I think I'll add that to the projects I'm working on.
I read so much info on this today that I closed the article, but it said that their ticked-box consent and IP is not sufficient.
You need to be able to show the user agreed and what they agreed to exactly. A screenshot might do that but might also not be sufficient (if there is more text elsewhere on the signup process related to privacy).
Scroll to: How do I store consent under GDPR?
The record of the IP address, location and time at which someone submitted a consent form is insufficient without a screen capture of the form itself.
A screen capture is the easiest way to achieve compliance but the regulation leaves open other methods as long as you can show that someone gave consent and to what exactly. (IMO you could also store the HTML of the webpage they viewed at the time)
The law says you have to be able to prove the user ticked the box and provide an audit trail for it, IIRC some recitals mentioning that you should be able to reproduce the exact agreements the user made (ie, either in text or as a screenshot) so that you can later show the user and any regulatory body that asks what they agreed on.
"Within" is a physical location, so arguing that IP block associated with request is a perfect proxy is at best a legal grey area. For example, an EU citizen could use a VPN to access your services and then send you a data request. See here for discussion: https://www.gdpr360.com/gdpr-ip-addresses-and-classification...
If this seems like a low risk incident, consider that there are litigious people inside the EU (as everywhere) that may actively explore the boundaries of the law.
Profiling data subjects in the EU is covered, regardless of where the processor/controller is located.
If you are processing personal data but not profiling and you are not established in the union it only applies if the processing is related to the offering of goods and services to data subjects in the Union.
For those who are not profiling, blocking EU IP addresses should help establish that they were not envisaging offering goods and services in the Union.
In fact, there are many ways someone might be profiling without knowing it. For example, precedent about when logging IP addresses constitutes PII is still evolving and seems to apply in cases that would be unintuitive to many US businesses: https://www.whitecase.com/people/tim-hickman. And there have been arguments that geolocating based on IP might itself be data enrichment that contributes to an argument that you are profiling!
Similarly, I haven't seen a clean interpretation of what constitutes offering (or clearly not offering) services to EU users, which determines application to a data processor. For example, if I offer a Portuguese translation of my site for Brazilian users, have I offered service to continental Portuguese?
IANAL but nobody knows exactly where GDPR will apply yet. I think the better takeaway for someone who is trying to respond with minimum effort is: IP blocking might help you build a defense, but it might matter how you implement it and it might not be sufficient.
Some legitimate experts have concluded that this wording allows someone in the EU using a VPN that reports them as coming from outside the EU to be covered.
That seems like a low risk incident to me, but I’m not a lawyer & I can see where that interpretation comes from.
There's no need to shut the thing down just in case someone sues you when that hasn't happened yet.
On the other hand, there's a good reason to shutter your site because you don't have time to make it respectful of people's privacy. By all means, shut down your site because the GDPR makes you realise that! But that's not what OP is saying.
The problem is also not botching the encryption process -- and relying blindly on some "ready-made frameworks" is a sure-fire way to do that.
I shut down my hobby projects because I didn't want to rework them. Deleted everything, never sold info to anyone, never served ads and had exactly zero external JS snippets on them.
If I am to open a business, I'll however work a lot to be GDPR-compliant. I believe it was about damn time for something like that to emerge.
The GDPR is a highly vague, omnipresent regulation with huge, strict fines. It's like the infamous cookie law times a million.
They could make it into a good law. My opinion on what should have been done:
Keep the good parts, such as:
- Appoint an official 'security' representative who is responsible for breach disclosures, promoting security practices etc. That person can be personally held responsible for shifty company behavior (though nothing draconian) like not disclosing a breach, so they would be motivated to be on the user's side in the company.
- Give users the ability to download their own data
- Give users a clear way to tell the company that they want to stop using their account (and the related data gathering)
- Mandate more open disclosure of what is done with data gathered from users
- Mandate easier ways to review the EULA and changes to the EULA (like each change should be available separately, describing what changed and why)
- Create a system of centralized disclosure of security vulnerabilities by third parties, with a record showing the request and response publicly after some time. Maybe also create some system of grants for third party penetration testing for larger players on the internet.
- Split available data into categories, like 'non-sensitive data', 'sensitive data', 'highly sensitive data'. Medical records, financial records etc. are highly sensitive and higher standards are applied. Email and name are non-sensitive data (so you could run a simple forum, or any other simple free service, where you only want an email from a user, without being afraid).
- Split companies into tiers: under 50 employees or 100000 users nothing applies; 51-1000 employees a higher standard applies; over 1000 - full power applies. This also should be tied with the previous point - for example, the smallest tier company should still be responsible for some rules if they deal with highly sensitive data, and the largest tier company should be following some rules even if they only deal with non-sensitive data.
- More sensible fines. For example 1% or $100k, whichever is smaller, for the first time, 2% or $1m the second time, etc. The designated security officer can also be held responsible in the same manner (like, % of salary and later being forbidden to work as a security officer). It can also be tied to tiers of companies.
- Start applying the law gradually, beginning with applying it only to European countries.
I believe that would keep benefits for users and won't create giant problems for the industry as a whole.
The exception being: there is no minimum for fines. So a small company could be fined absolutely nothing for an infringement if it was representative of the harm caused or they fixed the issue.
Also, security representatives--actually called data protection officers--are only necessary at large scale or for highly sensitive operations.
The law is being applied gradually. It is already in effect and has been for two years. The approaching deadline is when the penalty clauses will come into effect. How it will be applied remains to be seen, but has no bearing on the validity of the legislation itself.
It is pretty clear what streetlend needs to do to be GDPR compliant: if the user data is actually being sent to the third parties (the ad networks) then users need to explicitly be told this. If the data is not being sent to third parties then users already consent to their data being stored by entering the data (the data is necessary for the performance of the service operated).
Next to that: allow users to delete their data when they close their account (this should be as easy as setting cascade on foreign key constraints).
As for the geography: if your interaction with European citizens is incidental and not purposeful, you cannot be charged under the GDPR. It is only if you are actively trying to target your goods or services to the European market that they will enforce against you. This is obviously the case since they will have no power to enforce the law otherwise, but it is also covered by the three paragraphs of Article 3.
> Next to that: allow users to delete their data when they close their account (this should be as easy as setting cascade on foreign key constraints).
That is definitely not easy and doesn't work like that. That's why it's common practice in any serious system to have a 'deleted' flag instead of actually deleting.
> It is only if you are actively trying to target your goods or services to the European market that they will enforce against you.
Yes, and if you target the whole world like most sites on the internet do, you're targeting Europe?
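The two comments above disagree on whether account deletion is "as easy as setting cascade on foreign key constraints" or whether a 'deleted' flag is what serious systems use. The following is an added example, not code from anyone in this thread, using a constructed SQLite schema (a `users` table and a dependent `posts` table) to show what each approach actually leaves behind, including the SQLite caveat that `ON DELETE CASCADE` does nothing unless foreign-key enforcement is switched on for the connection.

```python
import sqlite3

# Constructed schema for the example: a users table holding personal data and
# a posts table whose rows are tied to a user via a cascading foreign key.
SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    email     TEXT NOT NULL,
    full_name TEXT,
    deleted   INTEGER NOT NULL DEFAULT 0   -- soft-delete flag
);
CREATE TABLE posts (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    body    TEXT
);
"""


def fresh_db(enforce_fk: bool) -> sqlite3.Connection:
    """Build an in-memory database with one user and two dependent posts."""
    conn = sqlite3.connect(":memory:")
    # Caveat: SQLite ignores foreign keys (and therefore never cascades)
    # unless this pragma is enabled on every connection that deletes.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.test', 'Alice Example', 0)")
    conn.execute("INSERT INTO posts (user_id, body) VALUES (1, 'hello'), (1, 'world')")
    conn.commit()
    return conn


def hard_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """Remove the user row; dependent rows go too only if cascade is enforced."""
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()


def soft_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """Flag the account as deleted; no personal data is actually removed."""
    conn.execute("UPDATE users SET deleted = 1 WHERE id = ?", (user_id,))
    conn.commit()


def remaining_rows(conn: sqlite3.Connection, user_id: int) -> dict:
    """Count rows that still reference the user after a 'deletion'."""
    users = conn.execute("SELECT COUNT(*) FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    posts = conn.execute("SELECT COUNT(*) FROM posts WHERE user_id = ?", (user_id,)).fetchone()[0]
    return {"users": users, "posts": posts}


def compare() -> dict:
    """Run the three strategies side by side on identical data."""
    results = {}
    conn = fresh_db(enforce_fk=True)
    hard_delete(conn, 1)
    results["cascade_enforced"] = remaining_rows(conn, 1)      # nothing left
    conn = fresh_db(enforce_fk=False)
    hard_delete(conn, 1)
    results["cascade_not_enforced"] = remaining_rows(conn, 1)  # orphaned posts remain
    conn = fresh_db(enforce_fk=True)
    soft_delete(conn, 1)
    results["soft_delete"] = remaining_rows(conn, 1)           # everything remains
    return results


if __name__ == "__main__":
    for strategy, left in compare().items():
        print(f"{strategy:22s} -> {left}")
```

The middle case is the one to check for in practice: the schema says cascade, but a connection without enforcement deletes the user and silently leaves the dependent rows behind.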
Eventually some good souls gathered the fine money and bailed the poor man. And then the suers got pissed and tried to raise the fine, eventually had to pay for... I don't know the legalese for that, but basically they took it too far and the judge called them out on it and forced them to cover ALL legal expenses.
My point however is that for ordinary people even the nerves and time lost in a lawsuit are too big a price to pay. We aren't machines, these things get to us.
Besides, who said it will never happen? What can you be sure will "never happen"?
Can I use your crystal ball?
Because there are ~25 existing sets of laws on the same topic [based on GDPR's predecessor framework, but evolved in different ways] that GDPR normalized into a single, common modern framework. Nothing horrible happened with those old laws.
This article sounds a lot like sour grapes and shows no real attempt to actually figure out what compliance would look like.
Which is what the site in question did...
And in that case the regulator would write you a letter asking you to fix it. At that point you have the choice to fix it, or to write back and explain why you can't fix it now. Or you can ignore the regulator, which may lead to a small fine.
Considering one can be sued for just about anything, or accused of patent infringement for just about anything in tech, the fear of litigation isn't a compelling argument.