But they haven't. Makes things clear.
They also control the enforcement mechanism. Let's see if they will modify it to save face or if they'll just ignore it. Or do you think they'll fine the parliament (not that they haven't exempted themselves, of course)?
Should they eat their own dog food? Probably. But pretending there's some kind of hypocrisy going on is stretching it.
Let me assure you: there is absolutely no shortage of hypocrisy. You don't need anything more than to walk around their offices and ask what all those weird markings on public and private spaces mean. You'll be disgusted, and cured of any notion that the EU intends to do anything for anyone but themselves.
But outside of that, there is a clear personal status cult being upheld everywhere around the European organisations, with the biggest distinction between the "fonctionnaires" and everybody else (although as an employee of the commission you're still several rungs above "les gens de la rue", which does not mean homeless, like in France; it just means normal people of Brussels). And may God help you if you're working for ISS or any of the cleaning companies. At that point your status is so low that people routinely throw things at you just to cool their frustration. This is accepted and normal behavior, despite how incredibly immoral it is.
(The "European quarter" of Brussels has a ton of public and private spaces, from "public" parks to a small shopping center (with mostly cafes), and the highly coveted parkings and parking spaces that are reserved, by law, for European officials' use only. So does Woluwe, even if they're a lot better hidden there. To say that these people have no intention to use their power to improve people's lives is absurd when you walk around their offices)
The EU isn't a state, it's a union of states, and there are EU elections happening.
By that standard the Soviet Union, China and Saudi Arabia are/were democratic too. They all have/had elections. Elections that do not determine who has legislative and executive power are not elections.
The reason why is of course simple. People in member states do not care about the EU. They care about local politics 99% of the time. On top of that, member states' electorates do not agree on the issues. Not on what the issues are in the first place and certainly not on what is to be done about them. There is no way for politicians to campaign across the EU; it's all done locally. Therefore the assessment of most fonctionnaires in Brussels is probably correct: there is no way to have an effective democratic EU. They also assess that they don't want to do that, as it would not be a unifying force.
Either prove that it isn't or please stop this rhetoric. Thanks
Compliance with the law is always about context. What is gathered, why and how is it used, and lastly, are there additional factors to consider. Google Analytics in itself is interesting because it is not clear if Google themselves then process the data and for what use, especially for the enterprise version.
The list is as follows:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
The GDPR really spells out that you can't ask for consent / basis to do one thing and then flip around and do more with it.
Aka, if you consent to signing up for a newsletter they can't turn around and sell your email to another list, take that list to their next startup that's unrelated, etc.
For Google this gets tricky: your consent to using them for analytics (most everyone on the free, non-enterprise, version). Are they also using that to feed their search engine? Tweak display ads? Check for fraud? Build profiles of people across sites/browser sessions, and devices?
And while this is about analytics, the same can be said for Maps, Docs, Domains, Fonts, etc. all of which have a primary use and (for Google) a stack of juicy secondary uses they can make money off of. Most of it doesn't even strike me as nefarious (it seems reasonable that they'd index pages that come up in Google analytics), but it's not disclosed so nobody is exactly sure what's being done.
Even this anonymize IP business is tricky b/c:
1. They still get the IP as surely as you browsing to www.google.com
2. They may be tracking in other ways (fingerprinting, cookies, etc.) that uniquely identify you, so does it matter?
That's not how reality works. Laws, despite god knows how many attempts, don't change that. If you have the information, you can use it.
> Aka, if you consent to signing up for a newsletter they can't turn around and sell your email to another list, take that list to their next startup that's unrelated, etc.
Ok. When the spam problem stops, I'll believe this. Until then, I reserve judgement.
> For Google this gets tricky: your consent to
Sure, but with a chunk of their operating expenses ($9 billion a year) spent on lawyers ... tricky is not a problem. For everyone else, it is.
It gives them a legal way to destroy any company they don't like, it's a land-grab for both their own jurisdiction (as opposed to member nations' jurisdictions), it's land-grab for global jurisdiction, it's a (partial) denial of private contracting rights and it's explicitly designed for selective enforcement.
What more could one want in a big new law ?
Effectively European companies below a certain size can't allow for forums anymore.
Obviously this will impact things like newspaper forums, tech support, webfora on specific topics, ...
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- PII is Personal Data.
- If a user has PII, then all of the userdata is Personal Data.
My advice would be to legally and technically isolate PII and other_userdata. GDPR/etc. compliance becomes much easier this way.
The GDPR also states that consent alone isn’t a legal reason to collect or process PII and “advises” against relying and structuring terms of service to collect PII.
Basically you can’t build a service ask people for their data and then relying on their consent for the legal reasoning of having that data.
You need an actual legal basis e.g. a regulatory requirement or a business requirement to collect that data, and in all cases the requirements unless stated in law must be evaluated against the best interests of those you collect data from.
ToU can do this by prohibiting users from entering any PII. In the case of email, the ToU would say that only a non-identifying email can be used.
For the rest of your comment, I don't see any relevance here. There is no need for consent for non-PII userdata. All PII userdata is behind a legal and technical wall and cannot be accessed by the processor/controller of non-PII userdata.
> You cannot use ToU to bypass GDPR.
Just to clarify this is not buried in ToU but laid out clearly.
So the website says don't give PII. User still does. And GDPR would penalize the website? Citation please.
The GDPR defines PII and there isn't anything you can do about it; you can't ask users to make a throwaway email account and hope that you can pass GDPR by claiming that it's not PII. This isn't how regulation works.
What matters isn't that the email address reveals your name, it's that someone can use it to identify additional information about you, such as whether you are subscribed to a specific service or not.
> So the website says don't give PII. User still does. And GDPR would penalize the website? Citation please.
If the website asks for an email address that is PII under the GDPR.
> the fact that your email isn't firstname.lastname@example.org doesn't make it any less identifiable.
The only official guidelines about email I could find are in here. It does not say all email addresses are PII. It just says "email@example.com" type addresses are PII and "firstname.lastname@example.org" type addresses are NOT PII. So even "email@example.com" may be non-PII.
> someone can use it to identify additional information about you such as if you are subscribed to a specific service or not.
That's not enough. The service needs to have PII. That is, if none of the services has PII, the email address is not PII.
> you can't ask users to make a throwaway email account
Throwaway is not needed. At best an individual needs 2 email accounts. One address for the services where he is identified (e.g. bank website) and one address for where he is not (e.g. random forum).
So this is not an onerous condition at all, if that's the case you are making.
> If the website asks for an email address that is PII under the GDPR.
This is not a (official) citation.
"Disclaimer: This is not an official EU Commission or Government resource. This is an education portal and the information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required."
> Examples of personal data
> - an Internet Protocol (IP) address;
If you wish to keep IPs for forensic reasons then you will have to put some kind of reasonable upper limit on how long you will keep them (say 90 days) if no specific reason to keep an IP (say an active investigation) comes up in that time justifying further retention.
> If the processor has the legal option to oblige the provider to publish additional information which can identify the user who is behind the IP address, this is also personal data.
I wouldn't call it a gross violation.
The goal is not to improve people's privacy. It's too vague to achieve that. Obviously the EU doesn't care, as even its own websites aren't in compliance - assuming this guy's definition of compliance is the same as theirs. How likely is it the rest of the EU's operations are? Zero likelihood of that.
But that's OK. GDPR doesn't even have a concrete notion of what privacy or personal information actually are. The goal is not to improve privacy, that's just a fig leaf. The goal is to grant the EU large new powers over the private sector and in particular over American tech firms, who will repeatedly be fined and treated as, effectively, a new source of tax income. GDPR is so vague and open ended that there's no way they can ever be compliant, meaning the EU has a new source of cash for years to come. Very useful at a time when they are asking for budget increases despite years of austerity, and facing a budget hole due to Brexit, and member states are getting upset at their financial demands.
GDPR enforcement will be very similar to EU anti-trust policy - deeply political and immediately controversial. It is best understood not as a law but as a political move, sort of like how China uses laws against pornography to justify blocking foreign search engines, or how it uses a law against 'spreading rumours' to censor domestic social media.
The EU uses large fines as a fairly effective threat to dissuade organizations from doing things that the EU believes are not beneficial to its members. Of course it's not perfect, and of course there are political motivations as well... but Europe (and other lower corruption countries, for that matter) have grown tired with the US and its money-above-all behavior.
US citizens will benefit from GDPR because it will force some change in behaviors of profit-seeking entities.
This is nonsense. I really don't see what's so difficult to understand. Personal information is information to which the person can be identified.
For example, additional restrictions are in place for “large scale” processing of personal information, yet “large scale” is never defined. Is that hundreds, thousands or millions of records?
As the owner of a very small SaaS business (that does not sell personal information of its users) I found it tremendously difficult to figure out how to comply given the vagueness of it all.
I don't know if the EU has a contact person whom you can ask these questions; if they do, you can simply ask them to clarify. If you've done that, you're in the clear because you've put in the effort to comply.
But yeah in this case they should just give you a number.
lol of course there isn't an office you can ring to help you with this! If there were we wouldn't be spending quite so much effort working out what it all means.
> If there were we wouldn't be spending quite so much effort working out what it all means
People love drama.
Firstly, no, your national regulators cannot give you binding answers about GDPR. This is one thing the EU Commission has been clear on. They can advise, but their advice has no more weight than this Hacker News thread does - the EU is not required to care about what national regulators said and they have no special powers to interpret the law. Only the EU gets to decide what GDPR means, and they have said explicitly they will not answer questions about it. The only time answers finally come is during legal actions.
Secondly, no, people do not "love drama" in the business context, far from it. Maybe you should consider that your own interpretation of the problem is the issue rather than other people just causing drama for the sake of it.
Hundreds or thousands not, millions definitely yes, somewhere in the middle you get to draw a line which to me is an indication that the closer you get to those millions the more you'll have to work and then those additional restrictions kick in.
There are companies that store billions of profiles (Google, Facebook), and for those the 'large scale' moniker is a no-brainer. If you're a small company that stores a few hundred to a few tens of thousands of records because you are doing direct business with those people then that would most likely still qualify as small. But from 100K and up I'd make sure the house was in order, not just because of the GDPR but because you are becoming a nice, fat & juicy target for miscreants as well.
That way one law will allow banks, insurance companies, hospitals and a mid-sized e-commerce company all to figure out for themselves what their comfort zone is, add a little room for safety and you're most likely going to be good, and even if not you can point at the law and say 'it wasn't explicit', so unless you are purposefully mis-interpreting a few million records as 'small scale' you will likely get away with that. Note the 'likely', this isn't a certainty but in my experience to date everybody that is fear mongering about the GDPR is coming up with the wildest of scenarios rather than to just look at the law as if it was intended well (which I really believe it is).
Bringing up the "parade of horribles" is a standard way of reacting to regulations, and it's normally countered by the regulators just pointing out that the horribles rely on really tortured interpretations that aren't intended. With the GDPR, that hasn't been the response (which has instead been a double-down on "it's just common sense" without confirming or refuting what will happen)--for me, that's some cause for concern.
We'll see what happens after May 25th, but for now I'm really hopeful that we will finally see some counterbalance to all this ridiculous profile building for marketing purposes.
Does that include email addresses and IP addresses? If so, that means things like using email addresses to log in for comments or logging IP addresses for traffic analysis causes all sorts of GDPR to kick in. As the OP points out, this means that things like the EU's own websites are in violation of the GDPR.
All you need to be able to do though is say what you're using the information for. If that is "To allow you to log in to your account" and "Your IP and page requests are logged and kept for 2 weeks for traffic analysis and troubleshooting" you're good to go - just say that on the sign-up form. If you want to add the email address to a mail list too, you need to add an opt-in consent checkbox and a bit more information on what the checkbox agrees to.
If you want to pass along the information (indirectly, I know) to Google Analytics for example, then you have to mention that too, and don't load the GA snippets until the user has accepted that.
You also need a way to tell a user what data you have on them and delete the data where appropriate if the user requests it. You do not need to automate this process; chances are you'll never get either of those requests. Do Things That Don't Scale applies when it comes to the user's ability to request info/deletion.
It's just another cost of doing business like if you want to take card payments don't store the card number without getting PCI compliant. Don't store user info without getting GDPR compliant.
This whole thing is good for all of us as users of sites and software too
Actually for a signup form you don't need to say you're using the information to sign them in, that's "unambiguous consent"; as long as you're not doing anything but registering them and signing them in you can avoid clogging up your form with that information.
As with all things GDPR you can of course try to skirt the rules but you're risking the 20mil fine if you don't get it absolutely spot on
Actually, it doesn't. There are plenty of valid reasons to collect those things. Collecting them to track your users and to spam them to death are not on that list.
Proving this can be expensive and is risky. Who knows what any individual judge in any EU country will decide is "reasonable"?
Companies can easily be destroyed by filing multiple charges against them. Guilt, innocence, or reasonableness doesn't come into it: the process is the punishment.
Look at Amanda Knox (Americans tend to think she's innocent, Brits tend to think she's guilty) - after appeals the Italian Justice System found her not guilty of the murder of her roommate. She still spent almost four years in prison in her early twenties and had to spend a huge amount of money on lawyers to arrive at this result. Just because you eventually get what you see as the right result doesn't mean you won't go through hell to get there.
A major reason why Americans are having such a big problem with GDPR is because the EU system appears to change its interpretations and decisions abruptly, with retrospective effect. You set up companies in certain jurisdictions thanks to their tax rates and how transactions are treated. You follow every aspect of national and EU law. These arrangements are widely known, are accepted as legitimate practice, and they continue for decades. The EU commissioners change - suddenly your corporate arrangements are wildly illegal and you are subject to penalties and back taxes stretching over a decade.
If staff changes and they say that they will interpret a rule differently going forward, you can adjust your behavior to comply. New legislation, sure abide by it. But when the rules change and your behavior 15 years ago is now viewed to be illegal you can't do anything. Retroactivity is accepted in Europe but it is explicitly unconstitutional in the US. It's a major reason why the US is not currently part of the UK.
So the GDPR is terrifying because of the massive discretion granted to judges and prosecutors in every EU country and their habit for changing their interpretations. On its face it's not too threatening, but the fines are massive, there are no hard rules, and you can't be sure that today's interpretation will be tomorrow's.
Facebook and Google will manage - they can write billion dollar checks and get the US government to protect them. Many of us can be completely wiped out by a $20MM fine. Just a court case would be existentially threatening in terms of the resources it requires and its impact on fundraising and gaining customers.
And bringing up some unrelated (murder!) case has no effect at all other than to point out that justice systems aren't perfect; they are not expected to be perfect and we have lots of evidence to that effect already. That's a totally different discussion.
The EU itself is hyping up how fearsome this law is to win approval from their citizens and politicians. As well as to strongly encourage firms to take this change seriously.
But I am at fault for taking the EU seriously rather than being blase. I am fearmongering for trying to explain why businesspeople who are not in the EU are afraid of its actions and are afraid of a brand new law that grants a huge amount of discretion to prosecutors and judges.
What I know is that the EU can capriciously change its mind and go after the biggest companies for billions of dollars. I know that I don't have the resources to prove my innocence in a foreign country. I don't even have the resources to understand the charges against me, since legal translation is expensive and I could be faced with actions in any or all of the languages of the EU. If I get a package of documents in Estonian or Bulgarian I won't even know that I'm facing charges!
Claiming universal jurisdiction against every company in the world with a reverse onus of proof is a dangerous and malevolent tactic. Because it's your local government that you have confidence in, you're comfortable with it. I doubt that you would be so blase about a similar approach by the US or Japan.
That presumption is probably roughly in line with what I've seen in my daily practice over the last decade or so. Some to minor degrees, some in major ways. But overall, very very few companies take the privacy of their customers so seriously that they would choose their users' privacy if there was a buck to be made; off the top of my head, of the last 75 or so companies I looked at, two would check that box.
> That storing IP addresses can be construed as illegal.
What's so surprising about that? You see a whole pile of lawsuits that - erroneously - hinge on IP addresses being PII (copyright lawsuits) and at the same time you expect the law to treat IP addresses as though they are not PII? That simply won't fly. So yes, IP addresses are - in many places - seen as PII.
> That everyone is liable for a fine of $20MM for any mistake, innocent or malevolent.
> The EU itself is hyping up how fearsome this law is to win approval from their citizens and politicians.
Where have they done so? All I've seen to date is some pretty dispassionate pieces and the text of the law itself.
> As well as to strongly encourage firms to take this change seriously.
Yes, you should take it seriously. Of course you should, it is the law.
> But I am at fault for taking the EU seriously rather than being blase.
No, you're at fault by drawing this out of proportion, just like you are doing in this comment.
> I am fearmongering for trying to explain why businesspeople who are not in the EU are afraid of its actions and are afraid of a brand new law that grants a huge amount of discretion to prosecutors and judges.
Your fearmongering is to exaggerate, to focus on the edge cases rather than on the bulk and then to start assuming that all cases are edge cases. They're not. The bulk of the businesses will be just fine. Those that choose to creatively interpret the law to see how far they can push things will hopefully find out that the EU actually means business.
By your reasoning we never should make new laws to deal with changing conditions. The EU tried a gentle approach aka the cookie law, companies tried hard to work their way around the law rather than to stop tracking users every which way they could so now you get this.
Self regulation -> mild regulation -> strong regulation+
(+ you are here now).
> What I know is that the EU can capriciously change its mind and go after the biggest companies for billions of dollars.
Capriciously? I have not seen the EU act capriciously yet. I've seen them act too slow and too late.
> I know that I don't have the resources to prove my innocence in a foreign country.
Poor you. Well, then better not to commit any crimes. That's a pretty good protection against having to defend yourself, stay well clear of that bright line.
> I don't even have the resources to understand the charges against me, since legal translation is expensive and I could be faced with actions in any or all of the languages of the EU.
More bullshit, the law is written in English and if you want to go so far as to take something to court - which I would highly advise against, it is much easier to comply with the law - you will find that the EU courts are set up to deal in English just fine. Lucky you, as opposed to say someone from Latin America, China or Outer Mongolia who does not speak or write English.
> If I get a package of documents in Estonian or Bulgarian I won't even know that I'm facing charges!
The chances of that happening are nil. Really, could you please stop the fearmongering, it does not serve any purpose.
> Claiming universal jurisdiction against every company in the world with a reverse onus of proof is a dangerous and malevolent tactic.
As opposed to what the US does? See: David Carruthers.
> Because it's your local government that you have confidence in, you're comfortable with it.
> I doubt that you would be so blase about a similar approach by the US or Japan.
If the US or Japan has laws that apply to my situation I will take great care to comply with them. One such law (the DMCA) has caused me a lot of work over the years and I see this as a cost of doing business. If you don't want to comply with the law then you are taking your chances. Similar to speeding or deciding to kill someone: it's not what you can get away with that determines what is legal or not and if you are caught breaking the law you can expect trouble. So better don't break the law.
Some of them from the top of my head, that you might or might not recognize: Asos, JustEat, Skyscanner, SoundCloud, LastFM, DailyMotion, Raspberry PI (foundation more than company though), Shazam, Mojang, Skype, King, Spotify, Klarna, Trivago, Xing and BlaBlaCar. I'm pretty sure some of these are quite popular in even the US.
(maybe some of them are not having their HQ in EU anymore, but they certainly had at one point)
As you are apparently well aware, Skype is owned by Microsoft. It's an American product now (from the perspective of who pays any fines). Mojang sold to Microsoft. It and Minecraft are owned by the Americans now.
Asos is an online fashion and beauty retailer. Having a website doesn't make you a tech firm. Ditto for JustEat.
Raspberry Pi - as you note - isn't even a firm at all, let alone a tech firm.
Shazam is in the process of being bought by Apple, although the EU appear to be trying to block it.
You tried to name tech firms that are based inside the EU and mostly ended up listing firms that either aren't tech firms by any conventional definition, or are now owned by US companies. I think that proves the original point.
That point was correct. The responses all ended up naming either firms that are tiny, or which aren't any longer based in the EU (so there's no need to protect them from the effects of bad laws that primarily affect tech firms). Where they started is irrelevant to the discussion because what matters is who pays fines today.
Skype (Before it was bought and killed by Microsoft)
Those are all of the big ones off the top of my head. Most founders opt to start in the US since there are less taxes and greater profits.
- Raspberry Pi
> EU anti-trust policy - deeply political and immediately controversial
It's not as if American industrial policy is apolitical and uncontroversial, e.g. https://www.theguardian.com/business/2018/jan/26/bombardier-...
For his part, President Barack Obama called the EU's actions protectionism. "[Americans] have owned the Internet. Our companies have created it, expanded it, perfected it in ways that [European companies] can’t compete," Obama said in an interview with Recode in 2015. "And oftentimes what is portrayed as high-minded positions on issues sometimes is just designed to carve out some of their commercial interests."
No, it really is intended to provide greater control for citizens over their privacy and data stored by corporations.
Do not ascribe to conspiracy, what is adequately explained by incompetence.
These companies can attack any fines they receive in the courts.
If your data was used without your knowledge you might have had some damage and you could request compensation, removal or another way of fixing the damage - with court help of course. GDPR violations can be used as a basis for a court case. So GDPR does not really bring anything new, because I believe you already could sue companies for selling your data, but in practice it is not possible to get evidence, prove damage, put a price on the damage, and it takes too long.
What changes is that if you don't have all data usages listed for the user to view, that is enough for some action, so offended users can suspect something. If the watchdog goes and checks, you might be in trouble with fines and then with court cases from offended users.
”It is your responsibility to get enough evidence but it is hard and no one cares enough.”
In this case, every “doesn’t comply with the GDPR” case a company starts will be immediately dismissed because:
a) you can’t start a lawsuit on the GDPR. The only way is through a national data protection authority.
b) even if you could, companies wouldn’t be interested parties in such a case.
(By the way, I think the national data protection authorities are the sore spot in the GDPR. I don’t think it is good that they are both prosecutor, jury, and executioner)
"I received unsolicited marketing information from company X, with contact information which was obtained from company Y. I did not agree to the sharing of my information by company Y. My wife noticed I receive 'grow my manly parts' advertisements from company X. Because of this she concluded I am cheating on her and requested a divorce. For such humiliation I request company Y to reimburse damages. As noted by protection authority AU, company Y did not comply with GDPR."
If a speeding car driver hits and injures you, you aren’t going to try and sue him for speeding, either, are you?
You probably would sue under something like “Reckless behavior causing injury” (with the bonus that that even is possible if the driver wasn’t speeding)
I'm guessing the rest of the world will just pull their operations out of the EU and then ignore the law. It obviously has no jurisdiction outside of the EU...despite what EUrocrats and some propaganda here on HN would have you believe.
The rest of the world could also impose sanctions on the EU for illegally claiming global jurisdiction.