Thank you for making a coherent argument. You are missing one point I think: if not for those regulations those companies would love to do business. They are forbidden from doing business, this guy sees the law and runs off without even trying to become compliant. That's a different thing. There is no way that Kinder could be compliant with US law in such a way that they would not be exposed to what - to EU sensibilities - amount to exorbitant damage claims.
Similar arguments apply to the other examples you use, I see your point and there are valid reasons to not enter a certain market because of the legal climate there but the point I am trying to make is that the OP has not raised any valid point at all other than 'I don't want to comply'. And that's fine by me but then don't bother dressing it up in a bunch of made up requirements.
>this guy sees the law and runs off without even trying to become compliant
This guy quite clearly states that he doesn't have resources to become compliant, while it is too risky to make a mistake here.
There are fans of GDPR on this website, who prefer to ignore the fact that the compliance has its cost, and added to that still unknown risks of practical interpretation of legislation which also have their cost. But these are real life things.
I respect his right to do whatever he would like with his own hobby, but we should be clear that the guy is stating he doesn’t have the resources, based on a series of misunderstandings.
So, for example, he says he is required to appoint a DPO.
The U.K. Information Commissioner has this to say:
>Do we need to appoint a Data Protection Officer?
> Under the GDPR, you must appoint a DPO if:
> * you are a public authority (except for courts acting in their judicial capacity);
> * your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);
> * or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
You are correct as to a DPO, but if he is, say in the US, and subject to GDPR, he must have an EU Representative, who by all indications would be liable for his violations. That's a significant burden if not a practical impossibility for most in his position. Also, if he's transferring personal data from the EU to the US directly from individuals, his only practical way of making that transfer compliant is likely to be Privacy Shield certified, which is not cost free (although he could maybe rely on consent as a derogation, but relying on that has risk). I can think of many things like this that have, if not a hard cost, then a definite cost in time and resources to comply, including keeping up with compliance. Could easily be not worth the effort for a single individual.
If you tick all those other boxes, but are concerned that your processing may be teetering on the boundary of 'large scale', I would be cautious and assume you're liable.
These are excellent questions that you will have to have shown you've considered if you get audited. If there's disagreement with the regulator, you'll come together to resolve it, and then may need to appoint one.
Well, so it's undefined, at least until practice of legal application establishes it. Undefined means risk, and stopping serving the EU is a meaningful mitigation, if your profits don't compensate you for all the hassle. Where's "overreaction" then?
A UK privacy attorney I know considered 20k records (individuals) to be large scale. I haven't seen much helpful guidance. The WP29 guidance I've read only gives examples at the very extremes of large and small so not too helpful. Practical guidelines will evolve over time.
"There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any."
Specifically they recommend against also being the data controller. I.e. you shouldn't be responsible both for handling personal data and verifying compliance of said handling.
I'm not seeing any interpretation being done here, but judge for yourself. Here is what the GDPR actually says (Art. 37 Designation of the data protection officer):
> (1) The controller and the processor shall designate a data protection officer in any case where:
> a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
> b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
> c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
That's the UK's straightforward, unequivocal explanation of the rules. Where there is room for interpretation or uncertainty, the ICO is very good at pointing this out. It doesn't here.
As poisan42 points out - it echoes the words in the actual article, directly.
The GDPR replaces the 1995 Data Protection Directive.[4] Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.[5]
Only for the sake of correctness/completeness: GDPR does allow member states to adjust certain details to bring them in line with local regulations (see Chapter 9). These are explicit opening clauses though that must not basically weaken or augment GDPR.
It's an EU Regulation, which under EU law the local courts have a duty to enforce. Local courts and laws will be dealing with all the details unless a case is appealed to ECJ.
To say that local courts and laws will have no influence is complete rubbish.
GDPR compliance takes resources. I would say for a small business it takes about 1 or 2 days. Not hard work but tedious. In the end you will have around 5 documents that will show your processes, what you do to keep data safe, a plan for how you deal with questions from customers and regulators, that you trained your employees and that you chose your subs carefully.
Essentially that's it.
I am no lawyer but I am a CPO.
Pro tip: Speak with the regulators; they are on your side.
Yes - I guess having an EU contact is something not easy to come by on the other hand there might soon be a service for it.
I guess an XMPP server could be considered a communication service and could be subject not to the GDPR but to regulations concerning ISPs and phone companies.
Well, many of us find it completely normal to spend days on having good security, setting up HTTPS, encrypting content to protect privacy. I wonder why GDPR seems so different; it's just more of the same, just less technical.
I guess I am a fan of GDPR; certainly compliance to anything has a cost. I personally don't find the costs of GDPR compliance onerous unless you have already built up lots of non-compliant systems that now need to be fixed, in which case the free ride is over. Anyway, this guy is pulling out of the EU, but if he allows anyone from the EU to use his service from a non-EU location anyway he would be risking non-compliance.
They did that in a rather smart way, too, by diverging it enough from the original that they could sell it elsewhere as a new thing.
I mean, it never really took off here, very few people prefer it over the original, but better than not being able to sell it outside of the US at all.
Yes. Rather a step back from the original offering, isn't it? If I'm being honest, I couldn't give a damn about the Kinder eggs prohibition, as I am not a child, and I do not have children. The Bovril issue is by far my biggest personal concern, although I'd really like to be able to buy raw milk cheese.
There are states in the US where you can buy raw milk cheese legally. You just can't do it through interstate commerce, but for example it can be done in person at farmer's markets with cash. New York is one such state, I dunno about the other major tech hub states.
Bovril could easily comply. They would simply have to open a manufacturing facility that did not use UK beef. The French cheese makers could sort of comply, by pasteurizing their milk. Kinder, I admit, has a more difficult problem, and has, in fact, attempted to comply, by creating a completely different product with the same name.
"The French cheese makers could sort of comply, by pasteurizing their milk"
And why should the French cripple a delicious and traditional product, which is gladly gobbled up by millions of happy consumers to sell their product in the US?
Because otherwise they can’t sell it there. Their country, their rules. A French cheese maker doesn’t get to dictate the rules abroad. Take it or leave it.
It seems to me that French and other European cheese makers are much more interested in protecting the integrity of their product than opening up the US market for it.
You mean, exactly what we are doing right now, causing all kinds of outrage in France? Funny you should bring that up, because it's a very hot topic currently :-D
Except the EU has always (well, Sweden since 1973) had regulation; if you would have followed that, you would not have to change much in most cases. Just write some documents and smaller changes.
But in this case this is not even a business. It is a zero-revenue open-source project. It seems to me that only very well-funded charities are allowed to run web services now.
P.S. I sincerely hope my country gets out of this ASAP.
Kinder is a great example actually on how a company adjusted their product. Now I believe in all markets (even beyond USA) the product is safer and less dangerous for kids to get injured.
It takes some special talent, even as an adult, to take such a big bite off of a classic Kinder egg that you'd have any chance of accidentally swallowing the plastic capsule or somehow else hurting yourself on it.
And with the new egg, I'd be concerned that my kids swallowed that plastic spoon. Like, that's something they actively have to put into their mouth and it's not as interesting as the toy for them to be motivated to not swallow it.
It's also small enough for them to realistically pull this off.
They marketed it as a new thing beside the original here in Germany.
Most people seem to prefer the original, though. They lost a lot of charm by going from toy+edible+tinfoil to plastic+toy+plastic+edible+plastic spoon+plastic.
They're not forbidden to do business, they're forbidden to do business unless they adapt their product or practices. I'd say that is pretty much the same as this case?