Hacker News new | comments | ask | show | jobs | submit login
2018 reform of EU data protection rules (europa.eu)
132 points by Geekette 8 months ago | hide | past | web | favorite | 139 comments

Enforcement factsheet: https://ec.europa.eu/commission/sites/beta-political/files/d...

Pretty clearly primarily enforced by national regulatory agencies, who are the only ones who can apply fines.

It mentions citizens taking companies to court, but https://ec.europa.eu/commission/sites/beta-political/files/d... says that's for monetary damages, not for fines. This is unchanged from previous laws.

Can people stop freaking out now?



The authority must ensure that fines imposed in each individual case are effective, proportionate and dissuasive. It will take into account a number of factors such as the nature, gravity and duration of the infringement, its intentional or negligent character, any action taken to mitigate the damage suffered by individuals, the degree of cooperation of the organisation, etc.

There's a problem when "The authority must ensure...", i.e. when there's a lot of discretion granted to "The authority", that's because "The authority" will use any law available to try to silence or harm dangerous individuals when there are "hidden" political reason to do so.

Example: http://www.bbc.com/news/world-europe-39973864

An antidote to this potential abuse is to make laws scarce and highly specific and make judges apply laws in the most textual form possible.

And a will the EU favor European companies over foreign companies in enforcement practices?


> Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

(emphasis mine)

Correct me if I'm wrong, but I think that changes as soon as you have one paying customer located in the EU (even if you were not specifically targeting the EU).

I would guess most people selling something on the internet have at least some small percentage of customers in the EU.

GDPR applicability for those outside the EU still requires at least some active targeting of users (website in EU languages, currencies) in the EU rather than EU users passively coming to your website to purchase.

If I make a purchase from a bespoke banjo shop in Guatemala whose site is in Spanish and prices in Cuetzals that I've stumbled across on the internet then they don't go into scope of GDPR.

Article 3 says it applies when -EITHER- of the following is true:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Yes, that's right. Are you implying that our notional Guatemalan banjo seller is monitoring the behaviour of EU based subjects? I confess I was working on the basis that out the two potential options, Art 3(2)(b) would be inapplicable here, but you may know more than me about their activities!

They're responsible for whatever user monitoring their third-party ecommerce platform does, right? All the ones I've seen process and retain user data. And maybe their web analytics, A/B testing, email newsletter tracking, etc.

If your point is that static brochureware sites that don't target EU members at all and don't do anything interesting on the web probably don't have much to worry about... then I agree, but I don't think that's very insightful.

Your earlier comment said that GDPR required "at least some active targeting of EU users." But a less contrived example, say a US-based SaaS that accepts credit card payments, probably needs to be very worried about GDPR even with absolutely no active targeting of EU users.

Heh, apologies for not being more insightful! I was simply rebutting your point over the GDPR applying once you’ve made a few sales to customers in the EU which is not the case on those facts alone.

Obviously each case should be dealt with on its own facts to assess the application of GDPR. In the example you give, GDPR may well apply. Some companies may be worried, others may see it as an opportunity.

I know lots of US SaaS companies are embracing GDPR rather than being worried about it. Clearly if you are looking to get business from EU customers but want to argue GDPR doesn’t apply due to the fact you are not strictly speaking targeting EU users then that might present an issue for certain potential EU customers (or maybe they could offer a cost discount because they haven't had to go through a GDPR compliance exercise). On that basis lots of companies outside the EU are pro-actively looking to comply with GDPR.

Arguments over the appropriateness of extra-territoriality applicability are a separate matter of course!

Assuming you actually do something with your user's data -- and virtually every online business does -- then I think it is true that GDPR comes into play as soon as you have a single EU user. How you market the service is no longer relevant.

I wish it were as easy as saying the law doesn't apply if your business doesn't target EU business. Unfortunately I don't actually think it's possible to escape GDPR. Even refusing to serve all EU IP Addresses wouldn't be completely effective.

I'm sure lots of companies view this as an opportunity. Especially the big ones with experience with compliance issues, in-house counsel, etc. It's going to be tougher on the small guy.

Great site that summarises GDRP in plain english: https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...

In Germany offenses against the GDPR can cause a "Abmahnung" which do not result in a fine but a charge. There a legions of filthy lawyers waiting for the 25.5.

I don't think that's possible. Do you have a source to back that up? (Also, they don't automatically result in a charge.)

"Abmahnungen" are cease and desist letters by the way.

Sounds like the piracy law. I was getting letters for downloading movies and shows I had never even heard of let alone seen. Chancers were casting a wide net hoping people would panic and pay.

This is a big problem here in Germany and might very well be a reason to shut down my site on 5/24.

Would the downvoters care to explain what offended them? Looking the other way does not help solve a problem.

Well, my immediate thoughts in response to that reply were:

"Why is some extra law specific to Germany relevant to my comment? This is a discussion about the GDPR, not about national data protection laws."

It's not about national laws, it's about the implementation of the GDPR on a national level (namely C&D letters).

This is a great resource because it is from the EU, provides clear examples, cites the actual legislation and Article 29 Working Party Guidelines (which is the group that is tasked with preparing official opinions on GDPR).

I think that if you want to really comprehend something, you should go to the primary source. The GDPR legislation is far more approachable than it seems (as an official 261 page PDF). When the preamble and the mechanical bits about how the GDPR will be governed are removed, the parts that important to companies are only 34 pages long. You can use this to guide your reading: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/

I respectfully disagree. This is a terrible resource, which frequently says things that are either mostly vacuous or just plain wrong.

For example, here's their page on the right to erasure:


Its opening paragraph reads as if data subjects have an automatic right to have their data deleted unless one of the three exceptions applies. In fact, Article 17 of the GDPR itself grants that right only under a list of specific circumstances, and the exceptions are just that, which is an entirely different situation that will lead to the opposite decision on whether data must be erased in many normal situations. Even the list of exceptions shown isn't complete.

For another example, here's their page on demonstrating compliance:


There is literally nothing on that page that would help any business I'm dealing with to demonstrate compliance, unless you count the references to the primary sources at the end. There are a couple of ideas about codes of conduct or certifications that contain no substantial details, and even the vague hints about other things you might have to do don't go into any detail about who does or doesn't, leaving the entire page almost entirely content-free unless you happen to be in an industry where the kind of scheme they mention exists.

This sort of "guidance" is everything that is wrong with how the GDPR is being handled. It is verbose, ambiguous, sometimes seriously misleading, and almost entirely non-actionable. I'm actually worse off than I was before I read it, because I know nothing useful now that I didn't know before, I would have been misled by several of the pages such as the one I mentioned above if I hadn't already known better, and that's still half an hour of my life wasted.

Well, you're clearly thinking deeply about this and you seem to care. Which is great. I've been digging in deep on this the last few months so I have some thoughts. Respectfully (srsly), I think you might be misinterpreting the legislation (this resource is provides more concrete examples of how you should interpret it).

For example, Article 17(1) lays out the MANY grounds upon which a Data Subject can request erasure. If ONE of the mentioned criteria is met including the very broad Right to Object (Article 21) then it must be erased. 17(2) states you must fwd this request on to other online orgs. 17(3) provides the exceptions for which a Controller can object to the erasure.

It is important to note that the spirit of GDPR is one where Data Subjects rights (to their data, to object) are the default. Sort of like innocent until proven guilty. This is a big shift for most companies who would contend that they own the data & data exhaust from use of their application.

As for compliance demonstration... yes, this is still a mess. My only suggestion there is that if you're working with software companies, try to study what the leaders are doing and take some inspiration. https://www.enterpriseready.io/gdpr/preparing-for-gdpr/

Happy to hear your thoughts. Genuinely interested in other people's perspectives on this.

For example, Article 17(1) lays out the MANY grounds upon which a Data Subject can request erasure. If ONE of the mentioned criteria is met including the very broad Right to Object (Article 21) then it must be erased.

Yes, but crucially, if the data is still relevant and you're processing it on a proper basis, the data subject doesn't necessarily have a right to have it erased.

If your only legal basis for processing is consent, subjects get most of the rights under the GDPR automatically and you have very little choice about complying. One of the big changes in the new regime is that consent can be withdrawn retrospectively.

If your basis is legitimate interests, things are more complicated. Subject rights are stronger in this situation than with some of the other legal bases, because they can object to processing. However, the right to object is itself subject to balancing tests that aren't clearly defined, except in the specific case of direct marketing.

For the stronger bases, such as performance of a contract or compliance with legal obligations, subject rights are still quite limited even under the GDPR. For example, under EU VAT rules, we are required by law to keep evidence of where our customers are located for quite a long time, and customers can't require us to delete that evidence prematurely.

There are some other important details to be considered, for example if you're processing data about children, but that seems to be the basic situation.

This guide does not clarify one important question: Does a company in the EU have to apply gdpr guidelines for none European users. If so, this would be a significant disadvantage for all European companies since their none European competitors obviously only have to comply for European users.

One scenario in which this would be very relevant: A website needs to show a very long consent form to users that want to use their service, under gdpr regulation. Under gdpr these consent forms are very alarming and they will have a drop-off rate. The drop-off rate of the form will be the competitive advantage of none European companies.

Hence, will we see an exodus of European startups from Europe to the US?

Maybe I'm just stupid, but that seems very clear to me from article 3.1 [0]:

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

[0]: https://gdpr-info.eu/art-3-gdpr/

Ok, let's assume this interpretation is correct.

Targeted advertising will require explicit user consent under gdpr since pii is collected. It's fair to assume that there is no big incentive for a user of a website to consent to targeted ads. Targeted ads are usually way way more profitable that contextual ads. If you are a large publisher, would you really want to have your company in the EU in future?

They're only way more profitable right now because they exist. I guess if you want to sell something the EU has pretty much banned, basing your business inside the EU won't work.

How can an alternative be more profitable? Targeted ads allow to TARGET someone. That means that instead of wasting views on someone that won't be interested (and thus, be a waste of money) you use it on people that will care.

For sure if you have 5$ of budget per sale, if it takes 1000 views to get a sale or 1 views, you won't pay the same for views in both situation depending on the efficiency of the ad.

He did not say that an alternative would be more profitable.

What he meant is that right now, because targeted ads exist, non-targeted ads sell far worse. Once targeted ads are not an option anymore, non-targeted ads will get more attention again, because the demand for advertising will not go away.

There will be somewhat of a drop in demand, because advertising might be less effective, so it makes more sense for companies to invest into developing their products instead. But you can hardly justify unethical behaviour with some industry making money off of it. Drug dealing, slavery, forced prostitution etc. are also illegal, even though there's a hugely profitable market for those.

You have to draw the line somewhere. Governments are supposed to draw the line there, where the effect of doing something results in a net negative for this society by given values that this society considers important.

But even assuming a society only cares about its overall profit, I would be surprised if there's not some effects going on, due to targeted advertising being sharp enough of a tool to psychologically influence people to buy useless crap they don't need. And people buying useless crap they don't need is not good for the overall profit of a society. They could be buying useful crap that they can use to make more of a profit instead.

Life isn't only about profit.

Advertising often can have a very negative and destructive effect, we shouldn't base our societies around how best to sell stuff.

Web companies and web advertising companies have been building huge, secret dossiers on all their visitors, unexpectedly selling, sharing and distributing sensitive data about their customers with totally unrelated third parties.

Now society's saying, that's not cool. Here are the new rules. We'll heavily punish your companies if you do it again.

AFAIK that simply means that GDPR applies even if your servers are in the US (or anywhere else outside of the EU).

No, that's what article 3.2 means:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

- the monitoring of their behaviour as far as their behaviour takes place within the Union.

If your company is located in the EU the regulation applies to all your users worldwide. Actually i don't think what you are suggesting is a big concern - people were predicting that about the cookie laws.

I think the guidelines for cookie laws are not comparable, since gdpr required explicit checking a box until the service can be provided as opposed to a not very intrusive box in the footer.

> gdpr required explicit checking a box until the service can be provided

You don't need opt-in for things that are essential to providing the service. You need that for non-essential data storage and sharing. Unless you want to make providing your service conditional on extra collection, what you describe shouldn't be necessary.

This is probably going to happen, yeah. It will however likely also establish European companies as particularly secure and trustworthy.

For a long time already, it's been common practice to avoid Chinese services, because of the surveillance that the Chinese government does. And there's a growing number of people who avoid US-based services, too. The recent CLOUD Act certainly doesn't weakening their position either.

It also gives some non-eu based companies the same secure and trustworthy benefits. They just need to have an obvious presence in the EU, and not check if someone is in the EU when they are asked to apply GDPR.

> This guide does not clarify one important question: Does a company in the EU have to apply gdpr guidelines for none European users.

Yes, the GDRP applies to anyone "in the Union". Someone on vacation from the US would be covered _while they are in the EU_.

If your company is based in the EU, then you must comply for all users, regardless of their current country or citizenship.

So the obvious solution is to base all companies in the US or Asia? I am hesitant to believe the EU is that short sighted

> This guide does not clarify one important question: Does a company in the EU have to apply gdpr guidelines for none European users

Does it really matter? Just give all users a fair treatment.

+1 for fair user treatment, but the way the laws are written, companies that serve users globally from within the EU will have a hard time competing with their international competitors under the new regulation. I just wonder if European law makers have thought this through.

I think in the current situation, having strong privacy for all users will be a feature you can bring to the market, especially for US users it can be a big plus since the US doesn't have any comparable privacy law.

How do you communicate this? Most people don't care.

There are already companies like ProtonMail that sell the privacy laws of Switzerland as a pro and they seem to do alright.

First, I am not a lawyer. I don't even play one on TV.

The big question I keep hearing is; I'm in the US (or other non-EU country), does GDPR apply to my company or organization?

The shortest possible answer is: Maybe :)

The answer is: YES if your company has a physical or legal presence (like an office, employee, parent-company, subsidiary, etc.) in an EU country. The GDPR applies to you and you need to to start reading up ASAP as you only have a few weeks to figure this all out.

The answer is likley: NO (but be careful here) if you have no physical or legal presence in the EU. Bonus points if your business isn't really aimed at the EU.

The answer is likley still: NO if again, you have no physical or legal presence in the EU but do rely on EU traffic as a direct or significant part of your business. At that point is all about how much risk you're willing to take on as we see how this law is interpreted.

Any country can claim this over any other territory they wish. But that doesn't make it true. For the claim to be effective (except by use of force), it must be agreed either with the legal authority of the country.

Right now there appears to be none. No one is clearly citing any treaty with the EU as giving them this authority.

  Disclaimer: This isn't legal advice. This is my personal view 
  on a complicated issue that I'm trying to discuss in order 
  to learn more myself.

They explicitly contradict you.


The law applies to... 2. a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.

Do you have any evidence? You're doing business with EU citizens. You allow them to connect to your site.

Wouldn't this operate similarly to how extradition by the US of foreign hackers work?

In most countries, extradition requires that you’re being charged with a crime in another country with something for which you could also be charged in your current country, and which carries a one year prison sentence. If you’re not breaking the law in America, you have nothing to worry about. (This is at least the case for the UK-US treaty - I’ve not verified for other treaties, but I’d highly doubt the US would agree to a treaty with anyone which requires them to extradite anyone for something that isn’t a crime in the US.)

Of course, if you ignore the EU repeatedly, you’re going to be stuck if you ever want to expand to the EU, or have any assets there ever. That’s about all they can do.

I'm not sure what you're implying here but allowing somebody to connect to your site obviously doesn't qualify as providing goods/services. The actual legal text makes that pretty clear.

"Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, [...], is insufficient to ascertain such intention, [...]" (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...)

Extradition is an extreme example and not applicable here.

My whole point is, just because the EU makes a law doesn't mean it can enforce it.


It does not matter what EU thinks. What matters if what can EU do and the answer is nothing unless your company operates in Europe

> Wouldn't this operate similarly to how extradition by the US of foreign hackers work?

It would not.

I think the problem for orgs in non EU and non Third Countries is that a lot of EU based orgs will be (or already done so) moving as much as possible to providers that are GDPR compliant - or offer assurances that satisfy the GDPR (Like the Privacy Shield)

So by not being compliant, or at least offering a way for orgs that are compelled to follow GDPR to be compliant, they will start to miss out on business from B2B or B2C.

Especially after May 25th, there are already radio and TV adverts about it here in the UK, and I imagine that a lot of consumers are going to start questioning this before they use a service

Yes - and I hope they do!

I'm a big fan of this law, but I also see a lot of panic and inaccurate claims being made.

Remember physical presence in the EU can come from something as small as your airplane to Africa having to make an emergency landing in a EU country for some reason. That is you have to not travel at all in the direction of the EU.

Where are you getting the physical or legal presence requirement from? I don't think that's correct.

This is the same EU that turned a blind eye to VW and other companies blatantly lying to regulators. In terms of EU regulation NO is normally a safe bet as long as you are big enough. You think Germany is going to fine an automaker or Lux is going to fine a bank?

Nice guidelines, seems like for most small businesses it will be straight forward to be GDPR compliant

Maybe if you don't have ads on your site, otherwise its going to be a problem.

Why do you think so? After you document/publish what information you pass to which network, what problems do you expect related to the ads?

Because I apparently need affirmative check-the-box consent before I can actually use those ad networks.

I'm not doing anything shady: all the information I collect and why I collect it has always been in my privacy policy. But making people have to opt-in to see ads on the site is a big problem.

Correct. There are a few things to note here:

One single ad unit may try and load several tracking services so that it can re-target you later, track that the ad was served, and also load in extra services (Facebook Like button) that in turn track you for their own reasons.

On any given Page Load you DO not know in advance what ads will be in your page.

In getting User Consent before you load ads you cannot possibly know what the services are that will eb injected into the page ahead of time.

Thats an impossible situation.

Even if, and I stress this is hard, even if you were able to limit your ads from one network to direct-sold campaigns under the control of just a few agencies that agree to use only a subset of trackers and other services, you might still be talking 20 to 80 items you need to provide the user in a Consent Form.

You can do non-targetted ads without explicit consent as far as I understand. You only need it for the extra personal information use. Sure it's a bit worse for the publishers. (But I'm happy with that)

Where would "non-targeted" ads even come from? How can you use an ad network or even run a standard ad server in a way that doesn't share at least the reader's IP Address?

Mom and pop publishers who don't have the resources or ability to staff their own ad sales team are going to be in trouble. The big players who can work around this obstacle are going to be fine. I'm not happy about this.

IP address is only personally identifable info if it is coupled with other info that links it to a real person.

Storing an IP address by itself and sharing it is not, by itself PII

No, I'm pretty sure that is incorrect. The EU believes that an IP itself is personally identifiable and it must be secured and processed like any PII [1]. I think you could make a case that the IP being sent to an ad network is an "acceptable" business practice for which you don't need consent, but IANAL.

[1] https://www.enterprisetimes.co.uk/2016/10/20/ecj-rules-ip-ad...

That is incorrect.

In the US, legally thats fine. In the EU they classify it as personal information.

like, have you read the guideline?

As a joke I might make a popup for each URL in our ads.txt files (at work) asking for consent. There are over 300 lines which I've always thought was ridiculous but maybe this will drive the point home to my boss.

you are vastly underestimating the ease of implementation

Depends on your business. I didn't find it as hard as PCI compliance for instance

Unless you actually maintain full payment account numbers, PCI compliance pretty much boils down to "I pinky-swear I'm not doing anything wrong" and the rules have virtually no teeth.

What’s going to be difficult?

And for a nice easy to read version of the regulation; http://gdpr-info.eu/

With the minor caveat that gdpr-info.eu looks official due to the .eu domain, but is actually run by 'intersoft consulting services AG' as advertising for their consulting service (the content is just the laws of course)

True. (although I wouldn't associate .eu with anything being official)

I just like it as it is broken up nicely and has links to any relevant recitals and deregations etc

PSA: Please make sure you're not relying on HN comments for your understanding of the GDPR if you're the one responsible in your organization. I need to get back to all the panicked questions CS has forwarded to me (the DPO equivalent for my company), but please understand that there's a lot of misunderstanding in every HN thread on this topic.

And it's not just HN. I've listened to at least three podcasts by now where "well-known figures" offer advice that is just plain wrong.

US readers: EU law is different from US law in that it is generally approachable and readable. While in the US it is difficult to even know which laws apply to you without the help of an experienced lawyer (because of case/precedent law), in the EU this is much easier. So don't be afraid to reach for the sources.

The fact that there's so much confusion suggests that it is not that easy to understand.

I've read it and I'm still confused. Without caselaw and a lawyer how am I to determine which data processing are considered "legitimate interest" in Article 6? Recital 47 is supposed to clarify this, but it's still pretty vague and it says legitimate interests may provide a legal basis for processing. May? How do I know if they do or do not?

It's disappointing to see comments like the parent being downvoted. Evidently the situation still isn't clear, because if it were then we wouldn't be having GDPR-related discussions on HN almost daily now where people who are currently dealing with these issues professionally have reached very different conclusions and/or received very different advice.

I think the biggest problem for many of us is still the uncertainty. For all the mountains of "guidance" now being generated by the EU and the national regulators at five to midnight, there is still very little advice provided that is unambiguous and actionable when it comes to some of the most fundamental questions. What does or doesn't constitute a legitimate interest basis for processing data? When is such an interest is or isn't overridden by the subject's own interests? How long would be considered a reasonable period to retain data for common purposes? Answers like "as short a time as possible, but that might be 20 years" simply aren't useful.

It's really hard to tell. Between the people who haven't read the GDPR, the people who are trolling, the people who are willfully misrepresenting the GDPR because they politically oppose it, the people who don't understand privacy or nuance, and the people who are trying to interpret the GDPR into an American legal system, there's so much low-quality discussion.

Meanwhile, I don't know of any Europeans who don't support it (on an individual level) or who finds it confusing. The hardest part seems to be putting processes in place for the right to erasure, but then we've had similar provisions in EU countries for a while, so it's not a big deal.

As for "reasonable period to retain data", unless required by law, you won't get into trouble for deleting data more quickly. So what's the minimum period you absolutely need that data/those logs/those backups for?

There's no one-size-fits-all approach, so the law isn't written like that. We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.

[0[ https://ico.org.uk/for-organisations/guide-to-the-general-da...

Meanwhile, I don't know of any Europeans who don't support it (on an individual level) or who finds it confusing.

Hi, I'm a European who doesn't support it and who does find it confusing.

To be more precise, while I'm generally in favour of better privacy protections in law, I don't support this poorly implemented attempt, because I think it will have all sorts of unintended consequences that may not be in individuals' best interests, while also imposing a disproportionate burden on controllers and processors who weren't abusing that data for unsavoury purposes anyway, particularly smaller organisations.

And maybe "confusing" isn't quite the right word, but in my view it's far too ambiguous in its treatment of some of the most fundamental issues to provide a good platform for future data protection. Much of the official guidance is confusing, often to the point of being misleading and counterproductive, however.

we've had similar provisions in EU countries for a while, so it's not a big deal.

All regulation is a big deal if you're running a microbusiness and don't have dedicated staff to deal with it. In any case, there are several new or significantly extended rights introduced by the GDPR that certainly weren't there before in my country (the UK).

So what's the minimum period you absolutely need that data/those logs/those backups for?

Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that. I can, however, state as fact that we have had to rely on detailed log records from several years ago when threatened with actual action by someone who was clearly trying to take advantage of the situation and hadn't expected us to still have evidence that undermined their claims, so any claim that we can just cycle these things out after a few days is demonstrably false. Given that we're not doing anything particularly unusual either legally or in processing data for everyday business purposes, I have to assume we are far from alone in having these experiences and the concerns they raise.

There's no one-size-fits-all approach, so the law isn't written like that.

While that may be true, it is entirely useless to someone well-intentioned and acting in good faith who is trying to work out what they actually have to do to comply with the new regulations.

> Hi, I'm a European [...] (the UK)

Not for much longer :D But seriously, the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act), so it's no wonder the ICO is underfunded and has had a very limited mandate.

> Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that.

Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us! Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.

The GDPR is maybe a bit heavy-handed compared to a gradual approach, because EU countries have previously had a hard time getting companies to comply with their data protection laws.

the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act)

I'd be the first to agree, and I'm generally in favour of stronger privacy protections in law, particularly around government behaviour. But of course governments get a pass on many things that are otherwise restricted anyway, because they just have to whisper the magic words (usually something like "national security") and the carefully written exemptions in almost every piece of privacy and data protection legislation ever written are activated.

Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us!

That's the problem, though, isn't it? These needs are vague and you can't predict when they will arise. Nevertheless, they do happen. In fact, the example I mentioned before happened just this week.

Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.

In my experience, having spoken now to several different people who are consulting on the GDPR including some who are lawyers, even they don't know the answers here. They have no crystal ball, and the language is so open to interpretation, and the regulators are so late at providing any guidance, and what guidance they have provided is often so poor that no-one really knows how this is going to play out yet. This of course creates uncertainty that is damaging in itself.

I think very few people here are trolling. I'm certainly not. And I think it's unkind to attribute malice to those who are confused or merely disagree.

> We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.

My definition of "reasonable" isn't the same as that of European regulators. I know this because I don't consider IP Address to be PII. Luckily for me on this particular point the GDPR is explicit in saying that it is. If I were left to define PII myself though, I could well have opened myself to regulatory action as IP Addresses were logged and shared incidentally with third parties in many places.

I think this style of writing laws gives way, way too much power to regulators. Particularly for companies with no physical EU presence and thus no way to vote or have any say in how the regulators work.

I think very few online businesses will be fully 100% compliant with every provision of the GDPR and all it's current and future interpretations. So we need to just hope and trust that all the regulators in all the Union countries won't punish anyone who doesn't really deserve it. That's not a good situation.

> So what's the minimum period you absolutely need that data/those logs/those backups for?

There is no answer to this question. Strictly speaking I don't need any backups or logs. I've also, rarely, encountered subtle data corruption bugs in the wild where having backups that go back months was critical and the more the better.

Legitimate interests and consent should be the two processing grounds that you rely on as a last resort here.

As to your point, legitimate interests requires a balancing act between your interests and others' interests and so is by its nature going to be uncertain.

If you are looking to rely on legitimate interests, you should look to document your interests that you think are being served through the processing, and also check to see if any other processing bases may be more suitable to achieve your objective. The aim is to at least have a defensible position behind your use of legitimate interests.

Here an example of Facebook listing out their legitimate interests in making use of data:


To generalise this, there's a lot of misunderstanding in every HN thread on most every topic.

Heh, I'd say that it's even worse than "misunderstanding".

Besides honest misunderstanding, there's so much FUD being spread by people on HN who are afraid that their greedy data manipulation plan for a startup has been completely foiled...

So much FUD that you definitely feel sometimes that the comments are straight out of http://n-gate.com/

Caricaturizing (a bit):

"HN1: The GDPR takes away our freedom to make tons of money from your private data! Dirty EU commies and their superstate imposing their law worldwide!

HN2: The law doesn't apply worldwide and it protects my privacy. Just block users which are geographically in the EU. Also, read the law, it's only 60 page and more readable than most RFCs.

HN2: Nah, I'm good, I'll just rely on internet FUD as my main source of info. Dirty EU commie bureaucrats!"

PS: Obviously not all comments are misguided, but good God, there's soooooo many which miss the mark by a mile...

Please do not violate the Prime Directive. Thanks.

> Be civil. Don't say things you wouldn't say face-to-face. Don't be snarky. Comments should get more civil and substantive, not less, as a topic gets more divisive.

I was snarky but it is definitely something I would say to you face-to-face.

The quality of discussion around the GDPR here on HN was not up to the standard quality. Part of it was because, in my opinion, a lot of people here are entrepreneurs and this made them really subjective and almost blind-sided them to the benefits for users.

The GDPR is not perfect but it's a great long term measure, one I hope will be followed (and improved upon!) by other administrations.

The more i read about it the more it seems like gdpr will either

- cause an uproar from small and middle-size businesses in europe

- not become enforced

the facebooks and amazons of the world are already fine so they won't complain.

How does this affect server logs? Under the "what is personal data" section they list ip addresses as personal data.

It requires you to have a management and retention policy for server logs which contain personal data.

Do you have a legitimate reason for storing that data? Probably not, so just stop it from being logged.

Never have been in a DDOS attack? Good luck doing anything without getting the IP.

It's useful to know where the requests come from too. You get a bunch of request from IP that come from a specific peer and that peer is saturated? How could you verify that without a log? You want to add CDN to the right locations. Where should you?

Really, I think it's just make more sense for any small company to block EU and when you have the means to do it correctly (with the help of a competent DPO), then yeah add that EU in your market.

Yes. One of the key parts of GDPR is breach reporting. Assume you discover your company has been breached. How do you investigate the breach? Discover who was impacted, what was done and by whom? Is that significantly harder/impossible if your logs don't contain IP addresses?

Edit: Also consider Log retention. Yahoo discovered a data breach 3 years after it happened. What if they'd only kept logs for 1 year.

Don't log ip addresses, or anonymise them.

How would you anonymise an IPv4 address? Hashing isn't enough, because that would be easy to brute force. And you can't create a table mapping IPs to anonymized-IPs, because then you are still storing them.

You could just remove parts of the IP address so it could no longer be used to identify a unique individual. For example, if you removed the last 3 digits, it could no longer be used on IP lookups (presumably), or an ISP would not be able to disclose the particular individual that is associated with the user account that the IP is linked to, because there is insufficient information available.

Here's Google's approach: https://support.google.com/analytics/answer/2763052?hl=en

Removing the last 3 digits would often uniquely identify a larger company or a city and if you only have 1 user from that city/company, those records would be easy to connect.

Maybe Google is hoping the EU will accept that balance of concerns, but it doesn't sound like it realises the spirit of the law.

If your reference to 'you' means someone running a site who only has possession of a reduced IP address, then how would connection work?

Or are you saying that if I went to an ISP with the reduced IP address, they could disclose details of the person, if they only had 1 account within the range of IP addresses that the restricted IP address covered? This doesn't seem particularly likely to me? I thought ISPs hold a block of IPs and dole them out on that basis, and so resulting in only a loose connection between IP address and location?

On large companies, that would be out of scope, because whilst the reduced ISP may be linked to 1 large company, the assumption would be that the large company had multiple employees. On that basis although the account may be linked to a particular employee, no one employee could be singled out because multiple people would be relying on the same base IP potentially I would have thought?

Nothing to do with the isp - but if you have users so you know who they are and then you also track people by ip network, you are now storing tracking logs that can be identified with a specific user.

For example if hacker news did this and one of your comments contained your city or company, now they can connect your account to an anonymized analytics user.

Google Analytics drops the last octet IIRC. Hashing isn't anonymizing because the hash can later be used to re-identify a user. (See https://ec.europa.eu/info/law/law-topic/data-protection/refo...)

Since there are legitimate use-cases where you need to be able to somehow identify requests coming from the same IP (protection against DDoS), you would be allowed to do it, given that you take reasonable steps to protect the user (such as deleting the logs after a few days when there's no suspicious activity).

And then hashing the IP addresses would be such a reasonable step, too, since it removes location information from the stored data.

Can the average lawyer get rich off this?

Can lawyer A (who is not affiliated with the EU government) sue Company B on behalf of the users and get a payday?

For reference, I read a thread where a guy in my town sues businesses for violating the ADA and the settlement is like loser must fix steps and pay plaintiff some compensation. Maybe its this story or maybe its another guy: http://www.startribune.com/st-paul-landlord-wins-case-agains... , actually I think its this guy http://www.startribune.com/doctor-lawyer-wheelchair-user-it-...

Sue every European company on the basis of logging IPs, should be free money for lawyers

An important one to note as it's applicable to all businesses whose customers include EU residents because it addresses the collection and processing of their personal data locally and internationally.

I honestly can't wait to ask my local retailer what data they have on me based on their loyalty cards. So far they were exempt from data disclosure laws because they were not an IT company.

Yes, grocery loyalty cards amass an inordinate amount of data on its users based on frequency and nature of use. It's interesting how the lower ticket loyalty schemes (grocery stores, etc) have arguably more powerful info than the higher-end types (air mile clubs, etc) for this reason; you can get more insight on a granular level.

I always lose my loyalty card from time to time (it doesn't have any loyalty advantages you just have to have it to get the discounts) and ask for a new one. I wonder if they were able to link them back together

Unless you always pay cash - it should be trivial to link by the payment card number.

Do they actually see a card number? Anyway, I have a couple and I have a habit of losing/breaking those as well. I'm just really bad at holding on to cards it seems

I always switch my loyalty cards with random people I meet on the subway, etc.

I always just use the phone number approach -- give them <local-area-code> 867-5309 an when they ask "yeah, I'm Jenny". Works every time. Last time at the Walgreens they tried to give me a $5 discount but I had to know the zip code assigned to the account so was like "nah, next time."

Ooh, I never thought of that, but now I am very very excited about it myself.

But the answer you get might be less exciting. They might say: "We know you bought A, B, and C".

What if they give you only part of what they know? How would you be able to tell if they know more? And even if you could, how would you convince authorities that something is wrong?

Also, they may have data that they just didn't "mine" yet. This may be data that they simply can't give you because it may concern you AND other people.

If you are in the UK, you can already ask for the information under the DPA.

But they could charge you a reasonable fee before. Now it will be free!

I would assume that he has all the data on you, you ever gave him. What else did you do expect when you signed up for the loyalty program?

> him

I think we're probably talking about national chains here.

I would imagine stores will use the loyalty cards to profile users, and if they've every stored any of the profiling data then this data will be the data you will be getting.

I do not believe that is correct.

Right now, for example, if you are a US business with no offices or employees in EU jurisdiction then there is little the EU can do if you are not GDPR compliant - regardless of whether you deal with EU traffic or not.

The EU might wish their laws were global, but that doesn’t make it so.


You're not wrong, but, what internet company doesn't operate within the EU? If you operate in the EU, and handle EU citizen's data, you have to conform to the GDPR.

I don't think there's many internet companies that would not serve the EU because of it. Although, Google did pull out of China due to the censorship demands and the like.

If you have users in the EU, but no actual physical or legal presence whatsoever within the EU, technically you "have to" comply. But if you do not do so, there will not be any consequences.

As such, effectively it is not in scope and does not need to be considered.

However there are cases where you might still run into trouble. For example, if you accept payments from people in the EU, you may well end up being forced to comply via the payment networks' presence in the EU.

Hmm. You just agreed with me and then disagreed me :)

Again, I say this as someone who is implementing GDPR for a US-based company, and is also a EU citizen (Irish) and has sat more meetings with various legal groups than I care to remember (again, stress I'm not a lawyer).

It is all about a companies appetite for risk and how tied the are __PHYSICALLY__ to the EU (offices/employees/parent-companies/subsidiaries).

This also gets into areas of Extraterritorial Jurisdiction. Any country can claim this over any other territory they wish. But, for the claim to be effective (except by use of force), it must be agreed either with the legal authority of the country.

Right now there appears to be none. No one is clearly citing any treaty with the EU as giving them this authority.

The GDPR goes beyond physical presence. It's strange that your legal team would not know this. See my previous comment [1]. My own understanding based on conversations with lawyers (who spoke to regulators in France) is that the law is designed to target any business that targets EU citizens. The territorial scope is formally global but obviously this is very much narrowed to businesses who (1) are pursuing EU customers and (2) are carrying out surveillance of EU customers. Surveillance does not include legitimate business needs btw, but it does include a lot of things that web sites do today without even realizing that it is surveillance (the classic example here is targeted advertising where ads are selected based on personal data).

BTW it's important to understand the real enforcement vector here. It's not like you'll have "EU cops" knocking on doors in America. Nor will anybody waiting for you to get off the plane in Germany. (I've actually seen this nonsense on HN in recent days.) The very real power they do have is over banks and payment processors. It's quite possible that if you're doing business with EU customers and you have bank accounts in EU or work with EU banks or EU payment processors then they'll be able to exert significant leverage against your business. But if you have no direct contact with the EU financial system and your website is hosted in the US in English (or even if it's in French but it's clear you're pursuing US customers) there's little they could do to you even if they wanted to.

[1] https://news.ycombinator.com/item?id=16956123

OK. I think we agree on the core parts. Its a question of being able to enforce and your level of risk.

Right now, everyone is in "wait and see" mode on how this will play out.

Just to clarify, as I learned this the other day, it's not about EU citizenship, but about being "in the Union". A resident alien is covered as are vacationers, but only while they are physically in the EU.

The regulation asserts the scope of data protection as global; it's applicable to all foreign companies processing data of EU residents, whether the companies are based in the EU or not.

It will be interesting to see how the mechanisms of enforcement play out but I imagine there are plans for direct and indirect implementation in situations that warrant the harshest options (ban on processing and/or monetary fine). E.g. getting cooperation from payment or logistics processors to stop processing EU sales of a offending foreign company. A halt on sales or delivery of goods to such a large region could be crippling for a company.

This is not true. Just read the regulation. It's pretty clear that unless you're located in the EU or you're pursuing EU residents then the GDPR does not apply to you. Logically, it should be clear that the GDPR cannot apply to any business who an EU citizen stumbles upon and decides to buy something. The entire motivation of the GDPR is to prevent surveillance of EU residents with respect to their actions in the Union.

It is true. Article 3.2 reads:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

- the monitoring of their behaviour as far as their behaviour takes place within the Union.

Mechanisms of enforcement is another discussion but the regulation clearly asserts the scope of data protection as global; it's applicable to all foreign companies processing data of EU residents, whether the companies are based in the EU or not.

Does anyone have an example of the "documentation of data processing activities"?

Edit: Especially in the context of a company that does not handle/store customer data, but only employee info.


The above link contains a sample Excel template with details of the various information a record of processing should contain. If you are only processing employee data this should be straightforward. It's a link to the ICO, the UK's data protection authority, but it should be useful regardless of where you are (assuming GDPR applies to you of course!).


Can't wait for the pile of lawsuits to appear over this one

So .... github, sourceforce, bitbucket. When someone asks to delete their data do all their commits have to be deleted or edited to remove their name from the commit logs? How about changelog if the project has one? Comments from source? I'm guessing you'll say "no, because they agreed to open source their data" but how is that any different from agreeing to so-and-so's terms of service?

In the same manor what happens to wikis and wikipedia when a user wants to delete their data?

If the data was copied by another user does that data become their's to keep or does that need to be deleted too? Example: Jill sends Karen Jill's address via Facebook. Jill want's all of Jill's data deleted from Facebook. Does Jill's address she sent to Karen have to be deleted? Pictures? Pre-internet that data would be on a piece of paper in Karen's possession. Now it's less clear as it's really in Facebook's possession and Karen just has access to the data on Facebook's servers. As Karen I'd be upset if what I considered my data (my copy of Karen's address) to be deleted but is that clear in the GDPR?

Let's stop coming up with stupid, stupid examples where you have spend more time thinking about how to troll than thinking how the GDPR applies.

(Hint: The right to erasure is not absolute, and applies to personal data.)

And what is personal data? this problem exists even without the GDPR, my question is does the GDPR make it law in the EU. In Google Docs if Jill shares a document with Karen and then Jill deletes her account Karen will lose access to the Jill's document. That situation doesn't map to the real world where sharing a document meant Jill sending Karen a physical copy. Personally I consider it a bug given it doesn't fit expectations from the real world. If a document shows up in Karen's files it's Karen's copy of that document. Karen shouldn't have to track which docs are actual copies and which are still considered Jill's.

In any case given it's possible to delete Jill's data from Google is Google required to delete the document from Karen's account even if Karen has made a copy? Where is this covered? It's not really Karen's copy, both are Google's copy. It's on their servers.

This is not trolling. This is trying to understand the GDPR.

What, just like you don't "own" software, you buy a license which can be revoked at any time? The digital world doesn't map to physical concepts any more. Even before the GDPR, Google has always been able to shutter your account for various ToS violations, and you better hope you had backed it up.

What happens at google is irrelevant except to demonstrate the issue. The question is whether or not the GDRP REQUIRES that Jill's copies she sent to Karen get deleted from Karen's account.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact