Pretty clearly primarily enforced by national regulatory agencies, who are the only ones who can apply fines.
It mentions citizens taking companies to court, but https://ec.europa.eu/commission/sites/beta-political/files/d... says that's for monetary damages, not for fines. This is unchanged from previous laws.
Can people stop freaking out now?
The authority must ensure that fines imposed in each individual case are effective, proportionate and dissuasive. It will take into account a number of factors such as the nature, gravity and duration of the infringement, its intentional or negligent character, any action taken to mitigate the damage suffered by individuals, the degree of cooperation of the organisation, etc.
An antidote to this potential abuse is to make laws scarce and highly specific and make judges apply laws in the most textual form possible.
> Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
I would guess most people selling something on the internet have at least some small percentage of customers in the EU.
If I make a purchase from a bespoke banjo shop in Guatemala whose site is in Spanish and prices in Quetzals that I've stumbled across on the internet then they don't go into scope of GDPR.
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
If your point is that static brochureware sites that don't target EU members at all and don't do anything interesting on the web probably don't have much to worry about... then I agree, but I don't think that's very insightful.
Your earlier comment said that GDPR required "at least some active targeting of EU users." But a less contrived example, say a US-based SaaS that accepts credit card payments, probably needs to be very worried about GDPR even with absolutely no active targeting of EU users.
Obviously each case should be dealt with on its own facts to assess the application of GDPR. In the example you give, GDPR may well apply. Some companies may be worried, others may see it as an opportunity.
I know lots of US SaaS companies are embracing GDPR rather than being worried about it. Clearly if you are looking to get business from EU customers but want to argue GDPR doesn’t apply due to the fact you are not strictly speaking targeting EU users then that might present an issue for certain potential EU customers (or maybe they could offer a cost discount because they haven't had to go through a GDPR compliance exercise). On that basis lots of companies outside the EU are pro-actively looking to comply with GDPR.
Arguments over the appropriateness of extra-territoriality applicability are a separate matter of course!
I wish it were as easy as saying the law doesn't apply if your business doesn't target EU business. Unfortunately I don't actually think it's possible to escape GDPR. Even refusing to serve all EU IP addresses wouldn't be completely effective.
I'm sure lots of companies view this as an opportunity. Especially the big ones with experience with compliance issues, in-house counsel, etc. It's going to be tougher on the small guy.
"Abmahnungen" are cease and desist letters by the way.
"Why is some extra law specific to Germany relevant to my comment? This is a discussion about the GDPR, not about national data protection laws."
I think that if you want to really comprehend something, you should go to the primary source. The GDPR legislation is far more approachable than it seems (as an official 261 page PDF). When the preamble and the mechanical bits about how the GDPR will be governed are removed, the parts that are important to companies are only 34 pages long. You can use this to guide your reading: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/
For example, here's their page on the right to erasure:
Its opening paragraph reads as if data subjects have an automatic right to have their data deleted unless one of the three exceptions applies. In fact, Article 17 of the GDPR itself grants that right only under a list of specific circumstances, and the exceptions are just that, which is an entirely different situation that will lead to the opposite decision on whether data must be erased in many normal situations. Even the list of exceptions shown isn't complete.
For another example, here's their page on demonstrating compliance:
There is literally nothing on that page that would help any business I'm dealing with to demonstrate compliance, unless you count the references to the primary sources at the end. There are a couple of ideas about codes of conduct or certifications that contain no substantial details, and even the vague hints about other things you might have to do don't go into any detail about who does or doesn't, leaving the entire page almost entirely content-free unless you happen to be in an industry where the kind of scheme they mention exists.
This sort of "guidance" is everything that is wrong with how the GDPR is being handled. It is verbose, ambiguous, sometimes seriously misleading, and almost entirely non-actionable. I'm actually worse off than I was before I read it, because I know nothing useful now that I didn't know before, I would have been misled by several of the pages such as the one I mentioned above if I hadn't already known better, and that's still half an hour of my life wasted.
For example, Article 17(1) lays out the MANY grounds upon which a Data Subject can request erasure. If ONE of the mentioned criteria is met, including the very broad Right to Object (Article 21), then it must be erased. 17(2) states you must forward this request on to other online orgs. 17(3) provides the exceptions for which a Controller can object to the erasure.
It is important to note that the spirit of GDPR is one where Data Subjects rights (to their data, to object) are the default. Sort of like innocent until proven guilty. This is a big shift for most companies who would contend that they own the data & data exhaust from use of their application.
As for compliance demonstration... yes, this is still a mess. My only suggestion there is that if you're working with software companies, try to study what the leaders are doing and take some inspiration. https://www.enterpriseready.io/gdpr/preparing-for-gdpr/
Happy to hear your thoughts. Genuinely interested in other people's perspectives on this.
Yes, but crucially, if the data is still relevant and you're processing it on a proper basis, the data subject doesn't necessarily have a right to have it erased.
If your only legal basis for processing is consent, subjects get most of the rights under the GDPR automatically and you have very little choice about complying. One of the big changes in the new regime is that consent can be withdrawn retrospectively.
If your basis is legitimate interests, things are more complicated. Subject rights are stronger in this situation than with some of the other legal bases, because they can object to processing. However, the right to object is itself subject to balancing tests that aren't clearly defined, except in the specific case of direct marketing.
For the stronger bases, such as performance of a contract or compliance with legal obligations, subject rights are still quite limited even under the GDPR. For example, under EU VAT rules, we are required by law to keep evidence of where our customers are located for quite a long time, and customers can't require us to delete that evidence prematurely.
There are some other important details to be considered, for example if you're processing data about children, but that seems to be the basic situation.
One scenario in which this would be very relevant:
A website needs to show a very long consent form to users that want to use their service, under GDPR regulation. Under GDPR these consent forms are very alarming and they will have a drop-off rate. The drop-off rate of the form will be the competitive advantage of non-European companies.
Hence, will we see an exodus of European startups from Europe to the US?
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Targeted advertising will require explicit user consent under GDPR since PII is collected. It's fair to assume that there is no big incentive for a user of a website to consent to targeted ads. Targeted ads are usually way, way more profitable than contextual ads. If you are a large publisher, would you really want to have your company in the EU in future?
For sure, if you have $5 of budget per sale, and it takes 1000 views to get a sale or 1 view, you won't pay the same for views in both situations, depending on the efficiency of the ad.
What he meant is that right now, because targeted ads exist, non-targeted ads sell far worse. Once targeted ads are not an option anymore, non-targeted ads will get more attention again, because the demand for advertising will not go away.
There will be somewhat of a drop in demand, because advertising might be less effective, so it makes more sense for companies to invest into developing their products instead. But you can hardly justify unethical behaviour with some industry making money off of it. Drug dealing, slavery, forced prostitution etc. are also illegal, even though there's a hugely profitable market for those.
You have to draw the line somewhere. Governments are supposed to draw the line there, where the effect of doing something results in a net negative for this society by given values that this society considers important.
But even assuming a society only cares about its overall profit, I would be surprised if there's not some effects going on, due to targeted advertising being sharp enough of a tool to psychologically influence people to buy useless crap they don't need. And people buying useless crap they don't need is not good for the overall profit of a society. They could be buying useful crap that they can use to make more of a profit instead.
Advertising often can have a very negative and destructive effect, we shouldn't base our societies around how best to sell stuff.
Web companies and web advertising companies have been building huge, secret dossiers on all their visitors, unexpectedly selling, sharing and distributing sensitive data about their customers with totally unrelated third parties.
Now society's saying, that's not cool. Here are the new rules. We'll heavily punish your companies if you do it again.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
You don't need opt-in for things that are essential to providing the service. You need that for non-essential data storage and sharing. Unless you want to make providing your service conditional on extra collection, what you describe shouldn't be necessary.
For a long time already, it's been common practice to avoid Chinese services, because of the surveillance that the Chinese government does. And there's a growing number of people who avoid US-based services, too. The recent CLOUD Act certainly doesn't weaken their position either.
Yes, the GDPR applies to anyone "in the Union". Someone on vacation from the US would be covered _while they are in the EU_.
If your company is based in the EU, then you must comply for all users, regardless of their current country or citizenship.
Does it really matter? Just give all users a fair treatment.
The big question I keep hearing is; I'm in the US (or other non-EU country), does GDPR apply to my company or organization?
The shortest possible answer is: Maybe :)
The answer is: YES if your company has a physical or legal presence (like an office, employee, parent-company, subsidiary, etc.) in an EU country. The GDPR applies to you and you need to start reading up ASAP as you only have a few weeks to figure this all out.
The answer is likely: NO (but be careful here) if you have no physical or legal presence in the EU. Bonus points if your business isn't really aimed at the EU.
The answer is likely still: NO if, again, you have no physical or legal presence in the EU but do rely on EU traffic as a direct or significant part of your business. At that point it's all about how much risk you're willing to take on as we see how this law is interpreted.
Any country can claim this over any other territory they wish. But that doesn't make it true. For the claim to be effective (except by use of force), it must be agreed either with the legal authority of the country.
Right now there appears to be none. No one is clearly citing any treaty with the EU as giving them this authority.
Disclaimer: This isn't legal advice. This is my personal view on a complicated issue that I'm trying to discuss in order to learn more myself.
The law applies to... 2. a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
Do you have any evidence? You're doing business with EU citizens. You allow them to connect to your site.
Wouldn't this operate similarly to how extradition by the US of foreign hackers work?
Of course, if you ignore the EU repeatedly, you’re going to be stuck if you ever want to expand to the EU, or have any assets there ever. That’s about all they can do.
"Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, [...], is insufficient to ascertain such intention, [...]" (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...)
My whole point is, just because the EU makes a law doesn't mean it can enforce it.
> Wouldn't this operate similarly to how extradition by the US of foreign hackers work?
It would not.
So by not being compliant, or at least offering a way for orgs that are compelled to follow GDPR to be compliant, they will start to miss out on business from B2B or B2C.
Especially after May 25th, there are already radio and TV adverts about it here in the UK, and I imagine that a lot of consumers are going to start questioning this before they use a service
I'm a big fan of this law, but I also see a lot of panic and inaccurate claims being made.
One single ad unit may try and load several tracking services so that it can re-target you later, track that the ad was served, and also load in extra services (Facebook Like button) that in turn track you for their own reasons.
On any given Page Load you DO not know in advance what ads will be in your page.
In getting User Consent before you load ads you cannot possibly know what the services are that will be injected into the page ahead of time.
That's an impossible situation.
Even if, and I stress this is hard, even if you were able to limit your ads from one network to direct-sold campaigns under the control of just a few agencies that agree to use only a subset of trackers and other services, you might still be talking 20 to 80 items you need to provide the user in a Consent Form.
Mom and pop publishers who don't have the resources or ability to staff their own ad sales team are going to be in trouble. The big players who can work around this obstacle are going to be fine. I'm not happy about this.
Storing an IP address by itself and sharing it is not, by itself, PII.
In the US, legally that's fine. In the EU they classify it as personal information.
I just like it as it is broken up nicely and has links to any relevant recitals and derogations etc.
US readers: EU law is different from US law in that it is generally approachable and readable. While in the US it is difficult to even know which laws apply to you without the help of an experienced lawyer (because of case/precedent law), in the EU this is much easier. So don't be afraid to reach for the sources.
I've read it and I'm still confused. Without caselaw and a lawyer how am I to determine which data processing are considered "legitimate interest" in Article 6? Recital 47 is supposed to clarify this, but it's still pretty vague and it says legitimate interests may provide a legal basis for processing. May? How do I know if they do or do not?
I think the biggest problem for many of us is still the uncertainty. For all the mountains of "guidance" now being generated by the EU and the national regulators at five to midnight, there is still very little advice provided that is unambiguous and actionable when it comes to some of the most fundamental questions. What does or doesn't constitute a legitimate interest basis for processing data? When is such an interest overridden by the subject's own interests, and when isn't it? How long would be considered a reasonable period to retain data for common purposes? Answers like "as short a time as possible, but that might be 20 years" simply aren't useful.
Meanwhile, I don't know of any Europeans who don't support it (on an individual level) or who find it confusing. The hardest part seems to be putting processes in place for the right to erasure, but then we've had similar provisions in EU countries for a while, so it's not a big deal.
As for "reasonable period to retain data", unless required by law, you won't get into trouble for deleting data more quickly. So what's the minimum period you absolutely need that data/those logs/those backups for?
There's no one-size-fits-all approach, so the law isn't written like that. We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.
Hi, I'm a European who doesn't support it and who does find it confusing.
To be more precise, while I'm generally in favour of better privacy protections in law, I don't support this poorly implemented attempt, because I think it will have all sorts of unintended consequences that may not be in individuals' best interests, while also imposing a disproportionate burden on controllers and processors who weren't abusing that data for unsavoury purposes anyway, particularly smaller organisations.
And maybe "confusing" isn't quite the right word, but in my view it's far too ambiguous in its treatment of some of the most fundamental issues to provide a good platform for future data protection. Much of the official guidance is confusing, often to the point of being misleading and counterproductive, however.
we've had similar provisions in EU countries for a while, so it's not a big deal.
All regulation is a big deal if you're running a microbusiness and don't have dedicated staff to deal with it. In any case, there are several new or significantly extended rights introduced by the GDPR that certainly weren't there before in my country (the UK).
So what's the minimum period you absolutely need that data/those logs/those backups for?
Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that. I can, however, state as fact that we have had to rely on detailed log records from several years ago when threatened with actual action by someone who was clearly trying to take advantage of the situation and hadn't expected us to still have evidence that undermined their claims, so any claim that we can just cycle these things out after a few days is demonstrably false. Given that we're not doing anything particularly unusual either legally or in processing data for everyday business purposes, I have to assume we are far from alone in having these experiences and the concerns they raise.
There's no one-size-fits-all approach, so the law isn't written like that.
While that may be true, it is entirely useless to someone well-intentioned and acting in good faith who is trying to work out what they actually have to do to comply with the new regulations.
Not for much longer :D But seriously, the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act), so it's no wonder the ICO is underfunded and has had a very limited mandate.
> Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that.
Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us! Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.
The GDPR is maybe a bit heavy-handed compared to a gradual approach, because EU countries have previously had a hard time getting companies to comply with their data protection laws.
I'd be the first to agree, and I'm generally in favour of stronger privacy protections in law, particularly around government behaviour. But of course governments get a pass on many things that are otherwise restricted anyway, because they just have to whisper the magic words (usually something like "national security") and the carefully written exemptions in almost every piece of privacy and data protection legislation ever written are activated.
Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us!
That's the problem, though, isn't it? These needs are vague and you can't predict when they will arise. Nevertheless, they do happen. In fact, the example I mentioned before happened just this week.
Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.
In my experience, having spoken now to several different people who are consulting on the GDPR including some who are lawyers, even they don't know the answers here. They have no crystal ball, and the language is so open to interpretation, and the regulators are so late at providing any guidance, and what guidance they have provided is often so poor that no-one really knows how this is going to play out yet. This of course creates uncertainty that is damaging in itself.
> We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.
My definition of "reasonable" isn't the same as that of European regulators. I know this because I don't consider an IP address to be PII. Luckily for me on this particular point the GDPR is explicit in saying that it is. If I were left to define PII myself though, I could well have opened myself to regulatory action as IP addresses were logged and shared incidentally with third parties in many places.
I think this style of writing laws gives way, way too much power to regulators. Particularly for companies with no physical EU presence and thus no way to vote or have any say in how the regulators work.
I think very few online businesses will be fully 100% compliant with every provision of the GDPR and all its current and future interpretations. So we need to just hope and trust that all the regulators in all the Union countries won't punish anyone who doesn't really deserve it. That's not a good situation.
> So what's the minimum period you absolutely need that data/those logs/those backups for?
There is no answer to this question. Strictly speaking I don't need any backups or logs. I've also, rarely, encountered subtle data corruption bugs in the wild where having backups that go back months was critical and the more the better.
As to your point, legitimate interests requires a balancing act between your interests and others' interests and so is by its nature going to be uncertain.
If you are looking to rely on legitimate interests, you should look to document your interests that you think are being served through the processing, and also check to see if any other processing bases may be more suitable to achieve your objective. The aim is to at least have a defensible position behind your use of legitimate interests.
Here is an example of Facebook listing out their legitimate interests in making use of data:
Besides honest misunderstanding, there's so much FUD being spread by people on HN who are afraid that their greedy data manipulation plan for a startup has been completely foiled...
So much FUD that you definitely feel sometimes that the comments are straight out of http://n-gate.com/
Caricaturizing (a bit):
"HN1: The GDPR takes away our freedom to make tons of money from your private data! Dirty EU commies and their superstate imposing their law worldwide!
HN2: The law doesn't apply worldwide and it protects my privacy. Just block users which are geographically in the EU. Also, read the law, it's only 60 pages and more readable than most RFCs.
HN1: Nah, I'm good, I'll just rely on internet FUD as my main source of info. Dirty EU commie bureaucrats!"
PS: Obviously not all comments are misguided, but good God, there's soooooo many which miss the mark by a mile...
I was snarky but it is definitely something I would say to you face-to-face.
The quality of discussion around the GDPR here on HN was not up to the standard quality. Part of it was because, in my opinion, a lot of people here are entrepreneurs and this made them really subjective and almost blind-sided them to the benefits for users.
The GDPR is not perfect but it's a great long term measure, one I hope will be followed (and improved upon!) by other administrations.
- cause an uproar from small and middle-size businesses in europe
- not become enforced
the facebooks and amazons of the world are already fine so they won't complain.
It's useful to know where the requests come from too. You get a bunch of requests from IPs that come from a specific peer and that peer is saturated? How could you verify that without a log? You want to add a CDN in the right locations. Where should you?
Really, I think it just makes more sense for any small company to block the EU and, when you have the means to do it correctly (with the help of a competent DPO), then yeah, add the EU to your market.
Also consider Log retention. Yahoo discovered a data breach 3 years after it happened. What if they'd only kept logs for 1 year.
Here's Google's approach: https://support.google.com/analytics/answer/2763052?hl=en
Maybe Google is hoping the EU will accept that balance of concerns, but it doesn't sound like it realises the spirit of the law.
Or are you saying that if I went to an ISP with the reduced IP address, they could disclose details of the person, if they only had 1 account within the range of IP addresses that the restricted IP address covered? This doesn't seem particularly likely to me? I thought ISPs hold a block of IPs and dole them out on that basis, and so resulting in only a loose connection between IP address and location?
On large companies, that would be out of scope, because whilst the reduced IP may be linked to 1 large company, the assumption would be that the large company had multiple employees. On that basis, although the account may be linked to a particular employee, no one employee could be singled out because multiple people would potentially be relying on the same base IP, I would have thought.
For example if hacker news did this and one of your comments contained your city or company, now they can connect your account to an anonymized analytics user.
And then hashing the IP addresses would be such a reasonable step, too, since it removes location information from the stored data.
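As an added example (my code, not from this thread and not from Google's page): the truncation that Google's linked page describes (zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address) beside the two ways of hashing discussed just above. The point it makes is that an unkeyed hash of an IPv4 address is not a pseudonym at all: the address space is only 2^32, so any such hash can be reversed by enumeration (the /16 enumeration below runs in well under a second), which means the hash removes no location information. A keyed HMAC keeps the per-address stability you want for counting requests per peer while taking that shortcut away from anyone without the key, and truncation alone already answers the "which peer is saturated, where do I add a CDN" question raised earlier in the thread. The log lines and the key are constructed for the example.

```python
"""Pseudonymising client IPs in access logs: truncation vs. unkeyed vs. keyed hashing."""
import hashlib
import hmac
import ipaddress
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample lines in Apache common log format; not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.78 - - [10/May/2018:10:00:02 +0000] "GET /a HTTP/1.1" 200 128',
    '198.51.100.5 - - [10/May/2018:10:00:03 +0000] "GET /b HTTP/1.1" 404 0',
    '2001:db8:1234:5678::1 - - [10/May/2018:10:00:04 +0000] "GET /c HTTP/1.1" 200 64',
]
_LINE_RE = re.compile(r"^(\S+) (.*)$")

# Hypothetical key for the example. In practice: per deployment, held outside the
# log pipeline, and rotated so that old pseudonyms cannot be linked to new ones.
PSEUDONYM_KEY = b"example-key-not-for-production"


def truncate_ip(ip: str) -> str:
    """Zero the host bits: last 8 bits of an IPv4, last 80 bits of an IPv6 address.
    The remaining prefix still identifies ISP/region, enough for CDN or peering analysis."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def naive_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text: deterministic and unsalted."""
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_naive_hash(digest: str, candidate_range: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by enumerating a candidate range.
    A /16 is 65536 hashes; all of IPv4 is 2**32, so this is always feasible offline."""
    for addr in ipaddress.ip_network(candidate_range):
        if hashlib.sha256(str(addr).encode()).hexdigest() == digest:
            return str(addr)
    return None


def keyed_pseudonym(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym, truncated to 64 bits: stable per address so requests
    can still be correlated, but the enumeration above needs the key to work."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_log(lines: List[str], key: bytes = PSEUDONYM_KEY) -> List[Tuple[str, str, str]]:
    """Rewrite each line as (truncated network, keyed pseudonym, rest of line)."""
    out = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than leak a raw address
        ip, rest = m.groups()
        out.append((truncate_ip(ip), keyed_pseudonym(ip, key), rest))
    return out


def requests_per_network(lines: List[str]) -> Counter:
    """Traffic per truncated prefix: spots a saturated peer without keeping raw IPs."""
    return Counter(net for net, _, _ in pseudonymize_log(lines))


if __name__ == "__main__":
    for net, pseud, rest in pseudonymize_log(SAMPLE_LOG):
        print(net, pseud, rest)
    print(requests_per_network(SAMPLE_LOG))
    digest = naive_hash("203.0.113.77")
    print("unkeyed hash recovered as:", reverse_naive_hash(digest, "203.0.0.0/16"))
```

The truncated prefix and the keyed pseudonym serve different questions: the prefix answers "where is this traffic coming from" for capacity planning, the pseudonym answers "is this the same client as five minutes ago" for abuse and dispute handling. Whether either still counts as personal data under the GDPR is the question the thread is arguing about; the example only shows that an unkeyed hash does not change the answer.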
Can lawyer A (who is not affiliated with the EU government) sue Company B on behalf of the users and get a payday?
For reference, I read a thread where a guy in my town sues businesses for violating the ADA and the settlement is like loser must fix steps and pay plaintiff some compensation. Maybe it's this story or maybe it's another guy: http://www.startribune.com/st-paul-landlord-wins-case-agains... , actually I think it's this guy
What if they give you only part of what they know? How would you be able to tell if they know more? And even if you could, how would you convince authorities that something is wrong?
I think we're probably talking about national chains here.
I would imagine stores will use the loyalty cards to profile users, and if they've ever stored any of the profiling data then this data will be the data you will be getting.
Right now, for example, if you are a US business with no offices or employees in EU jurisdiction then there is little the EU can do if you are not GDPR compliant - regardless of whether you deal with EU traffic or not.
The EU might wish their laws were global, but that doesn’t make it so.
I don't think there's many internet companies that would not serve the EU because of it. Although, Google did pull out of China due to the censorship demands and the like.
As such, effectively it is not in scope and does not need to be considered.
However there are cases where you might still run into trouble. For example, if you accept payments from people in the EU, you may well end up being forced to comply via the payment networks' presence in the EU.
Again, I say this as someone who is implementing GDPR for a US-based company, and is also an EU citizen (Irish) and has sat in more meetings with various legal groups than I care to remember (again, I stress I'm not a lawyer).
It is all about a company's appetite for risk and how tied they are __PHYSICALLY__ to the EU (offices/employees/parent-companies/subsidiaries).
This also gets into areas of Extraterritorial Jurisdiction. Any country can claim this over any other territory they wish. But, for the claim to be effective (except by use of force), it must be agreed either with the legal authority of the country.
BTW it's important to understand the real enforcement vector here. It's not like you'll have "EU cops" knocking on doors in America. Nor will anybody be waiting for you to get off the plane in Germany. (I've actually seen this nonsense on HN in recent days.) The very real power they do have is over banks and payment processors. It's quite possible that if you're doing business with EU customers and you have bank accounts in the EU or work with EU banks or EU payment processors then they'll be able to exert significant leverage against your business. But if you have no direct contact with the EU financial system and your website is hosted in the US in English (or even if it's in French but it's clear you're pursuing US customers) there's little they could do to you even if they wanted to.
Right now, everyone is in "wait and see" mode on how this will play out.
It will be interesting to see how the mechanisms of enforcement play out but I imagine there are plans for direct and indirect implementation in situations that warrant the harshest options (ban on processing and/or monetary fine). E.g. getting cooperation from payment or logistics processors to stop processing EU sales of an offending foreign company. A halt on sales or delivery of goods to such a large region could be crippling for a company.
Especially in the context of a company that does not handle/store customer data, but only employee info.
The above link contains a sample Excel template with details of the various information a record of processing should contain. If you are only processing employee data this should be straightforward. It's a link to the ICO, the UK's data protection authority, but it should be useful regardless of where you are (assuming GDPR applies to you of course!).
In the same manner, what happens to wikis and Wikipedia when a user wants to delete their data?
If the data was copied by another user does that data become theirs to keep or does that need to be deleted too? Example: Jill sends Karen Jill's address via Facebook. Jill wants all of Jill's data deleted from Facebook. Does Jill's address she sent to Karen have to be deleted? Pictures? Pre-internet that data would be on a piece of paper in Karen's possession. Now it's less clear as it's really in Facebook's possession and Karen just has access to the data on Facebook's servers. As Karen I'd be upset if what I considered my data (my copy of Karen's address) were to be deleted, but is that clear in the GDPR?
(Hint: The right to erasure is not absolute, and applies to personal data.)
In any case given it's possible to delete Jill's data from Google is Google required to delete the document from Karen's account even if Karen has made a copy? Where is this covered? It's not really Karen's copy, both are Google's copy. It's on their servers.
This is not trolling. This is trying to understand the GDPR.