Hacker News new | comments | show | ask | jobs | submit login
GDPR for lazy people: Block all European users with Cloudflare Workers (apility.io)
755 points by jgrid007 3 months ago | hide | past | web | favorite | 1467 comments



I’ve been reading hacker news for about a decade, and it’s getting to the point where I don’t think there are many entrepreneurs and/or technical people on here anymore.

The number of people who are saying it’s no big deal to comply with this huge law, especially for very small startups, is mind boggling.

Let’s just take one feature: the requirement that you can permanently delete all of your information. Most early-stage startups use the (in 2008, when I did mine) best practice of “delete=1”. Changing your whole database over to permanent cascade delete is only easy if you’re a very experienced programmer or who knows what he’s doing. And that sets aside the fact that even if you know what you’re doing technically, there are lots of business logic problems with just deleting things out of the database and anonymizing users is very tricky.

I was not a great programmer when I started my first startup. I was learning as I went along.

We couldn’t afford a lawyer, and the amount of time for me (the only programmer) to go through and read all the regulations and make all the requisite changes in the product I would estimate might take on the order of a month or two, which if timed poorly would’ve killed our company. I say again: at an early stage startup with one programmer, you cannot have that one programmer spending two months on compliance.

It’s just gotten to the point that there’s one comment after another responding to this regulation or that regulation or this situation or whatever with “well, just call HR“, or “I can’t believe you don’t have a company policy for that!”

Or “well just ask your lawyers“. It ain’t that easy. Do you have any idea how much it would cost to have “your lawyers” go through the GDPR, tell you what you need to do, and deal with all of the edge cases and gray areas? $20k or $30k doesn’t seem too high.

My biggest fear is that all of these complex bureaucratic laws are just raising the bar for doing a startup. Maybe the days of two people doing a startup in someone’s garage should be in the past? If so, that makes me kind of sad.

Regardless it’s not obvious that GDPR is the right policy or that it’s well designed or clear.


I'm a Brit. I am the MD of a small IT company. I have two partners and 20 employees. We started in 2000. We turn over about £1.5Mpa. We sell our services to people and organisations. Our backups are now smaller these days (thanks to GDPR).

I understand that because you are outside the EU you might feel like a target but that is not the point of GDPR. There is no way on earth that the EU as a whole has looked on your company/project or whatever and decided to screw you.

Have a look at the first few paras of this: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX... after it says "Whereas". Does the language look a little familiar? Do the sentiments look strangely familiar in some way?

GDPR is not about destroying people's livelihoods. It is about protecting basic, fundamental rights that say 30 years ago we never knew needed to exist.

After all the knee jerk reactions have calmed down a bit, you may find that you personally have benefited in some way from EU regs. If you find that, then I suggest you fight tooth and nail for similar to be enacted at home. I'll be the first to thank you for that.


It's reassuring to hear that the GDPR is not meant to target little startups and projects but I would like it a lot better if it said that in the actual law, rather than just trusting all current and future regulators to treat me kindly.

If it's only meant to be used against big companies or extreme offenders, why doesn't it say so? It seems like the spirit of the law and the language of the law are not aligned and in my opinion that's a sign of poorly designed regulation.

I object to the idea that small projects should be ok with breaking the law merely because they very likely won't get caught.


Because if your business model is based on selling user data, it doesn't matter if you're a small startup, it absolutely is meant to target you.

If you aren't competent at responsibly handling personal data and you want to build a project or startup, pick one that doesn't handle personal data, or put in the effort to learn how to do things properly.


How does for example a small yoga studio’s email list fit in your examples? Or even just it’s website? Without cookies and login even - the IP adress in the log files alone is considered potential personal data that basically puts people in the need of consulting a lawyer about how to safely deal with that. And makes you a potential target to being sued and getting a lot of hassle. Even found nit guilty in the end, no one will pay days of time and energy needed for defense.

And then: What kind of online business can reasonably be done without using an email adress, if only for login/resetting password if lost? You either have no option to reset passwords, or must do it by phone, which is extremely expensive.


IP address are permitted under the security exception: Storing personal information in order to protect information or information systems is permitted without need for consent. Using your log files for security explicitly permitted and there is nothing that changed a system administrators job before or after GDPR on this point.

If you are using a email list in order to fulfill a contract to your members by informing them about times and so on then that is also permitted by GDPR. If a customer buys a subscription then the company in order to fulfill their side of the contract can then naturally store information to do so.

Mailing lists also has had a long history of best practices in order to not get marked as spam by the large email services. Get consent so users don't mark it as spam and allow unsubscribing. If a small yoga studio used a email list for a significant time and not been forced to do shady behavior in order to bypass spam filters, then they are almost guarantied to be compliant with GDRP.

Similar an online business has a contract when a customer buy a product or service. In order to fulfill that contract a email address is commonly used. Perfect GDPR compliant. Hard to imagine a online business before GDRP that did not have a contract with customers.


So what you're saying is there's lots of complexity and nuances in how you do this with some commonly done things illegal and others not ... and you should probably consult a lawyer to make sure.

Correct ?


You don't have to get it all right on the first try. If you get something wrong, the regulatory body will contact you (via letter or email) and tell you what they feel like is not correct (that is the official guidance on how to handle GDPR violations).

As long as you do your best to implement the GDPR and interact with the regulatory agency in a friendly and helpful manner then there won't be much need for a lawyer (but do consider that the GDPR being written as it is is also the result of being written in the EU where law is written a bit differently)


Your comment sounds so Orwellian I can’t help but cringe.


I’m increasingly convinced that a majority of people who use the term “Orwellian” haven’t actually read Orwell’s books.


I find the use of "Orwellian" rather ironic in this context.

I run a company based in the UK, but I myself am American and most of my business experience is in the US. Despite that, I honestly have had no issues adapting to the GDPR. Considering that the business I operate has systems specifically designed to store as much data on people as possible, I find it absurd other businesses are unable to handle user/client data responsibly.

That said, I cared about privacy BEFORE GDPR and intended to act responsibly regardless of regulation.


It's not orwellian to be friendly towards authority, especially when you're a business and it's about the privacy of the users, protecting the very data that orwellian governments seek to collect and abuse.

Otherwise, I would love to hear which part of my comment was orwellian in nature?


I'd guess he's referring to your (likely correct) implication that the regulators will give more weight to your "friendly and helpful" behavior than to how the text of the law applies to the facts of your case.

The concept of the rule of law was invented primarily in countries that now belong to the EU. Is there no one left there who still thinks it's important? It's not even that people argue "the GDPR couldn't be less vague without loopholes, and this is important enough that it's worth the cost". The idea that a powerful human's best attempt to objectively apply stable, published rules is generally better than a powerful human's unrestrained discretion just seems foreign to most commenters here.

If you ran an organization publicly associated with George Soros in Hungary (whose prime minister has described him as an "enemy of the state"), then would you still feel good relying on your friendly relationship with the government? What steps would you take to comply with the GDPR as it's currently written, if you couldn't rely on the goodwill of the people interpreting it? With a sufficiently corrupt government, there's nothing you can do; but the point where a judge will accept an obvious lie tends to come long after the point where a regulator lets politics disambiguate a vague standard.


The GDPR is a regulation and not a law, thusly the implications are different.

If you produce a device that accidentally violates FCC guidelines, would you rather be immediately punished to the extend of the regulation or rather work with the FCC to rectify the issue and how to fix it for affected customers?

The other reason is that yes the GDPR is vague. It must be because in the past corporations have abused loopholes and the only way to prevent people abusing loopholes without punishing people who don't abuse them is to make it vague and then decide on their behaviour.

And again, these are corporations, legal persons. They don't even have the remotely same rights as a natural person.


At least in the USA, a regulation has the force of law. To say "regulation" instead of "law" just means the rule gets its legal power indirectly from some statute (which probably also limits the scope of the rules), instead of directly from the legislative process. I'd thought the EU was similar. Is it not?

If I ship a device that fails to comply with FCC rules, then I would prefer that the maximum penalty provided by law is also a fair and reasonable one. I understand that most regulated fields are complex enough that if we don't give regulators some discretion, then the law will be filled with loopholes and impossibly complex; but I would like to give them the minimum discretion they need to do their job. I think the GDPR fails that test spectacularly. Do you really think they need the statutory authority to fine someone 20M EUR for their semi-commercial side project that made $1k lifetime total? If not, then why give it to them?

The GDPR applies to natural persons too. Imagine if it didn't! Facebook could just contract all the creepy stuff to a sole proprietorship operated by Mark Zuckerberg...

ETA: From https://ec.europa.eu/info/law/law-making-process/types-eu-la...

> Regulations are legal acts that apply automatically and uniformly to all EU countries as soon as they enter into force, without needing to be transposed into national law. They are binding in their entirety on all EU countries.

So not quite the same as the US, though maybe some analogy in that the regulation is still "secondary law", subordinate to the EU treaty? But I don't see how you can describe a set of rules "binding in its entirety" as anything but law.


To my understanding the EU handles it differently. Regulation as opposed to law is supposed to be enforced in a guiding manner, recognizing that sometimes you accidentally don't comply or there is otherwise a differing implementation. You can somewhat also see that in how the EU ramps up regulation in case nobody is playing ball.

Stage 1 is when they want to fix it and they express wishes that the industry changes their ways. Stage 2 is the cookie law and Smartphone USB charging. A very vague regulation or law is implemented as a sort of warning for the industry to better go and fix it. Stage 3 is nuclear; GDPR.

The smartphone industry is as mentioned at Stage 2. The EU expressed wishes to reduce the charger garbage, nobody did anything, so they simply put out a regulation that almost literally just says "all smartphones need one common charger". Largely this has been microUSB but vendors are switching to microUSB.

The regulations are to my knowledge and experience also employed and enforced in a similar manner; first you get a nice letter informing you that your website is in violation of X. Ignore that or get aggressive towards the regulatory body and you get a less nicely worded letter with a threat of a fine. Continue that path and you get a fine.

The ultimate goal is that everyone should be compliant but it's okay to be occasionally not as long as you are willing to be helpful and fix it immediately.

>Do you really think they need the statutory authority to fine someone 20M EUR for their semi-commercial side project that made $1k lifetime total? If not, then why give it to them?

They don't you have a legal right for a proportional punishment. Unless your little side project caused damages the fine will be appropriate such that you can pay it without going bankrupt. And if it did you'll have to pay those damages on top of course.

>The GDPR applies to natural persons too. Imagine if it didn't! Facebook could just contract all the creepy stuff to a sole proprietorship operated by Mark Zuckerberg...

It only sorta does, it only does not apply to natural persons while they don't engage in commercial activity.

And a sole proprietorship is to my knowledge a legal person, even if the only natural person involved is 1. (I would know, I am basically one, or rather, small business operator would be the more accurate translation, which also has limits on turnaround and profit)

The sole proprietorship would have less rights than the person behind it and has no option but to fully implement the GDPR in any project or product. A natural person on the other hand, publishing a hobby on the internet with no commercial or business activity (which are different things in german law and you can certainly run a commercial activity without ever touching money or forming contracts).


Enforcement of regulations in the USA isn't grossly different in practice. For the kinds of topics that regulations tend to cover, I doubt it could be otherwise--the complexity of the topic makes it impossible to draft law that can be objectively applied to all cases, that ambiguity makes accidental noncompliance common, and regulatory discretion is required so the accidental noncompliers don't get screwed. I accept that as unavoidable, but not as good. The regulations have the force of law, and the penalties--the loss of one's livelihood, or even prison in the extreme--may be just as life-altering as for any other law. So all other things being equal, I'd prefer that the regulators act with as little discretion as possible. That gives everyone the fairest chance to comply with the rules, even if the regulators for whatever reason dislike them.

The GDPR indeed says the punishment should be proportional; but what does that mean to you? Are you sure it would mean the same thing to a regulator? A regulator who dislikes you? If they said that 10k email addresses and MD5-hashed passwords leaked from someone's game server was a worst-case breach, then I'd say that was ridiculous; but I don't see what in the text of the law lets me say that it's objectively false.

The USA has no concept of a separate entity for sole proprietors. It's just you, even if you're trading under a business name. If the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does. In any case, the real question is perhaps commercialness, where (a) lots of hobby projects have some small commercial element, ads or donations or a tee shirt or whatever (and to be clear, I do think privacy regulation should apply to them, just more specific regulation); and (b) I strongly suspect the GDPR applies to some noncommercial activity too--would the EU let a political group pull a Cambridge Analytica with all volunteer staff? I haven't researched that, though.

If I lived in Germany, then I'd probably have pretty good faith in my regulators. But imagine the example of that Soros-linked group in Hungary (which I'd edited my first comment to add, so you may have missed it). I don't think that's hypothetical--political organizations keep lots of data, so I suspect that somewhere, a group is making plans to comply with the GDPR, as interpreted by regulators whose government considers them "enemies of the state". What would you do in their place? Wouldn't you wish the text of the regulation gave the regulators less room to maneuver?


>if the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does.

Well, they are seperate entities so the loophole exists for how the US handles it but in the EU there is no loophole.

>In any case, the real question is perhaps commercialness

Last I checked you don't need commercial elements like ads, donations or anything like that to be considered commercial. Running your own git server with open registrations would be considered commercial (there is additional seperation in that you don't have to pay taxes unless you are profit-interested).

>I strongly suspect the GDPR applies to some noncommercial activity too-

Monitoring of any kind that is strictly outside private interest.


That's something that utterly amazes me about the EU, and your comment. A lot of the protections that exist for privacy in the US against authorities mostly don't exist in the EU.

The EU lets every police force in the EU, or in Interpol request data interception. That is a LOT of organizations, and of course, they got caught doing abuse just the same. But, for instance, the default practice in the US is that you get told your phone is tapped (yes, really), unless the police explains to a judge why not (nearly always), BUT in that case you still get told afterwards. This does not exist in the EU. You will never be told you got tapped.

Second, in the US, the provider looks at the order, verifies it with the proper authorities, and decides for itself on scope, reasonableness, ... etc. In the EU, nope. If an order is received the only actions that a provider can take must be technical in nature. In theory an employee that does the actual tapping of the phone can't even tell his manager he's tapping phones, and definitely he can't tell anyone which phones are to be tapped or why (nor is there any obligation on the part of the requesting force to tell him why, but it is a field on the form). In many countries, this can be done without judicial oversight, or in nearly all cases with only very, very light oversight. This, to me, is far more worrying than the situation in the US.

If a local police officer in Latvia wants to tap the phone of anyone in the EU, he just has to fill out a form and fax it to interpol.

This is even weirder given that Europe has actual experience with abuse of surveillance powers, everywhere from Germany Eastward, as well as during WWII. They KNOW what can go wrong, they just have to ask their parents or grandparents to find people who were actually exposed to this. And yet ...

Next we find out that large-scale spying on the own population is done in, at least, UK, France, Germany, the Netherlands ... and not a peep. This was barely reported in the local media, in fact. We all know that most other countries are going to be worse than these, not better. And, of course, they cooperate with the NSA as well.

Hell, the US has reporting on how much they spy on their own citizens (in fact, that's the source of most of the outrage). No such stats in the EU. Nobody, not even the police forces themselves, feels the need to have the most banal, basic level of transparency.

Clearly when it comes to spying the EU is of the opinion, them, yes, perfectly allowed. Think of the children ! I mean, clearly these guys do not believe in privacy.

So yes, it is very Orwellian when they just request that you work with them on the privacy of their citizens. Clearly the result they want is not actual privacy and protections for their citizens.

If they believe in privacy protections, they have a lot of state agencies that they need to attack for not having any decent respect for privacy, as well as the fact that what few protections do exist only exist in a vast complex tangled web that errs on the side of violating people's privacy. And that's ignoring the fact that privacy protections have been systematically eroded further and further in Europe (e.g. recently in Germany).


>A lot of the protections that exist for privacy in the US against authorities mostly don't exist in the EU.

They actually do, the german police for example, generally destroys any video or image footage they make after 24 hours if there is no reason to believe they would help solve a crime.

I can't say anything about Latvia but in germany atleast the privacy of letter and remote communication is heavily protected and usually not granted lightly (exceptions being stuff like actual nazis)

People are definitely aware of the past and there is always a lot of outcry whenever a new law attempts to encroach on that territory, politicians have destroyed their careers with such proposals.

>And that's ignoring the fact that privacy protections have been systematically eroded further and further in Europe (e.g. recently in Germany).

Please note that the BND, the german intelligence service, recently shutdown a surveillance program after several thousands of people requested the deletion of their datasets.

>You will never be told you got tapped.

I don't understand why you should be told that the police is trying to get evidence of you doing a crime? Or someone else's crime?

Again, we have different laws and legal systems (!) in the EU up to and including not having the US constitutions. I think it would benefit the conversation if you recognize these differences instead of applying american laws and principles on the EU.


> They actually do, the german police for example, generally destroys any video or image footage they make after 24 hours if there is no reason to believe they would help solve a crime.

Source ? This, to me, seems unlikely in the extreme. I mean this is strict enough that even I would agree they would regularly shoot themselves in the foot with such a policy.

> Please note that the BND, the german intelligence service, recently shutdown a surveillance program after several thousands of people requested the deletion of their datasets.

I doubt it's the only one. Call me when they change the law back so they can't legally do this.

> I don't understand why you should be told that the police is trying to get evidence of you doing a crime? Or someone else's crime?

The idea, in the US, is that you get informed afterwards. How else will you sue the police if it wasn't reasonable at all ? How will abuses be discovered ?

Keep in mind that more than a few police officers have been sued for using surveillance on women they were merely interested in, in some cases then proceeding to beat up and harass other interested parties. I doubt that this behavior is in fact limited to (a few) US cops, we both know the truth is that (some) EU cops simply get away with it.


>Source ? This, to me, seems unlikely in the extreme. I mean this is strict enough that even I would agree they would regularly shoot themselves in the foot with such a policy.

General guidance policy and numerous court cases. Not all footage is 24 hours, most is however. Some exceptions go for 48 hours. [http://timetravel.mementoweb.org/list/2010/http://www.polize...]

Video surveillance, especially when in public spaces, is frowned upon and there is a long rat tail of court cases.

The law is very strict in when, what, who and how long video surveillance is allowed, including the 24 hour limits, though in case a crime is suspected the footage can be kept for 14 days until a crime is confirmed. [https://recht.nrw.de/lmi/owa/br_bes_text?anw_nr=2&gld_nr=2&u...]

>we both know the truth is that (some) EU cops simply get away with it.

Generally, they are reprimanded or even punished when such behaviour is discovered as it is a violation of various laws, including privacy.

>How else will you sue the police if it wasn't reasonable at all ? How will abuses be discovered ?

Generally, any evidence the police brings up in a court case requires that the police has an explanation on how they got to that evidence. That may have been illegal, in which case a second case might be brought up and the involved officers will be punished.

However, unless the evidence they collected is wrong due to the surveillance (the bar is very low on the police being guilty of forcing you to commit a crime), the evidence will be used regardless (a few edgecases but generally evidence is not poisoned if gained by wrong means like in the US IIRC).

>I doubt it's the only one. Call me when they change the law back so they can't legally do this

Already is, which is in part why the BND stopped this too.

The bar is high for someone tapping the phone or otherwise doing remote communication surveillance, [GzBBPF, Section 1, 2, 4 and 7]. Unless there is a very strong suspicious that you commited treason or commited a federal crime and there is absolutely no other way to prove you did it, they can't legally tap the phone.


I can't believe you can be this naive. Your arguments basically boil down to "the state can be trusted".

Basic dependencies of your argument: the police force will never abuse surveillance, then not make a court case out of it.

Second basic dependency of your argument: the court will easily rule against the very forces they depend on if they find violations.

These are reports German police officers that got caught, shall we say, being VERY untrustworthy:

https://www.itproportal.com/2011/09/12/privacy-boss-slams-ge...

https://www.thelocal.de/20161213/cannibal-cop-convicted-of-m...

http://www.scmp.com/news/world/europe/article/2142710/dozens...

http://www.spiegel.de/international/germany/hanover-police-o...

https://www.thelocal.de/20121017/45615

https://www.youtube.com/watch?v=vM1c_58e6jk

https://www.youtube.com/watch?v=juQD0OU6SD8

So I feel like I've provided plenty of evidence that the police cannot be trusted to act correctly, or even just sane. The German police, clearly, is no exception to this rule. Therefore Germany trusting them to do the right thing is just hiding abuse, not preventing it.

You also left the question unanswered: if tapping is so correctly and justly done, then why does it need to be such a big secret ? There is a case to be made that, sometimes, it needs to be kept secret DURING an investigation, but why afterwards ? In many cases, even that is not necessary, when for instance following or tracing someone who was brought in to the police station, it seems to me like there is no reason whatsoever to keep it a secret that the police reads his mail/call logs/... Why do they want this perpetual secrecy, if not to hide abuse ?

The answer is very simple: because Germany hires neonazis, cannibals, violent bullies and worse into their police force, and police officers like those are also trusted with tapping people's conversations.


Which is exactly my point put a bit shorter :)


I would sincerely hope that the small Yoga studio is not attempting to custom code their website in this case, in which case the economical solution is for the Yoga studio to use a GDPR compliant website and mailing list toolset, and simply migrate to a different set if they find that they aren't.

Now compliance is largely handled by the tool makers, and the Yoga studio can focus on their business case and any custom coded extensions to ensure they remain compliant. (For popular stuff like Apache, compliant configurations are probably already available or will be shortly, once we all figure out if we are allowed to keep logging IP addresses by default.)

I'm not sure I understand the email jab; obviously you can store data, you just must obtain consent first, and must allow the data to be deleted on request. That's an opt-in mailing list with an unsubscribe feature that actually works and properly deletes the relevant data. Why should that be difficult for a small business to do right?


> I would sincerely hope that the small Yoga studio is not attempting to custom code their website in this case, in which case the economical solution is for the Yoga studio to use a GDPR compliant website and mailing list toolset, and simply migrate to a different set if they find that they aren't.

You just gave a perfect example of why GDPR will hurt startups and innovation.


How so?


Parent just admitted that it would be unreasonable for a small business to comply with GDPR and that larger organisations were better equipped to deal with it.


Many small business rely on wordpress because it's free and hosting is cheap. There's plugins for nearly every functionality you can imagine. Perhaps having them migrate to proprietary systems is the better solution, but I can't help but feel it's a net loss for the World Wide Web.


On the contrary, I think this is secretly a benefit. As soon as WordPress updates to include all the necessary tools to be GDPR compliant, every small business using their platform should be able to easily pull those features in with minimal developer work. The common platform is a boon here because it helps everyone work together on the issue, rather than requiring the smaller players to implement a mountain of work by themselves.


> the IP adress in the log files alone is considered potential personal data

Stop logging the IP address then. Hopefully default settings in web servers will change.

> What kind of online business can reasonably be done without using an email adress, if only for login/resetting password if lost?

That means you have a legitimate interest, so long as you don't send marketing emails to those addresses, or sell them, and so long as you delete them if someone deletes their account.

> How does for example a small yoga studio’s email list fit in your examples?

If someone signs up to your email list, they've consented to receiving emails. Just don't sell the list, and remove people if they unsubscribe.

The only real complication (if you're in the UK, I don't know about other countries) is that there is a fee to register as a data controller. https://ico.org.uk/for-organisations/data-protection-fee/


Ip adresses are needed for security anslysis in case of attacks, for example.

the thing is not about doing what you propose but that however you‘re doing it, you have a lot of bureaucracy and legal insecurity right now.

The examples of wrongdoing you give should be leading to hard measures. But those with good intentions shouldn’t have high bureaucracy costs.

To be clear: i don’t say these laws shouldn’t exist. They just should have been targeted at the actual wrongdoers and put smallest possible burden on all with no bad intentions.


> Ip adresses are needed for security anslysis in case of attacks, for example.

Then you have a legitimate need for the data, so store it for a reasonable length of time and then delete it.


>Ip adresses are needed for security anslysis in case of attacks, for example

People repeat this a lot, but it sounds like complete nonsense.

Why does your business need to perform “security anslysis in case of attacks”? Do you get paid to do that? Why would you need IP addresses for that?


One obvious case is DoS attacks. Rudimentary attacks can be mitigated by blocking IP addresses of the attacker.

Another example is logging requests to secure sections of the site and/or server and perform IP blocks on fishy activity.


You can do that with a hash of the IP.


How would this work? You can't just sha256 IPs as that'd be trivial to reverse, no different from storing the plaintext.

I don't see why the IPs would ever have to hit the disk for this purpose, just keep them cached in RAM for a few minutes.


Salt the hashes, perhaps use PBKDF2. The problem is solved for passwords, just treat IPs like low entropy passwords.


there's only 4 billion possible IPs, you can reverse the entire search space in a few hours

the only way round this is to make the webserver spend a non-trivial amount of time running some derivation function on the IP for each and every request (remember you can't cache the result if the entire point is not to store the IP)


And all that stuff is super complex... for a number which is not person bound and personally identifying in the furst place. Only with a lot more effort. So my critique is, the lawmakers should have made actions to use ip‘s to identify persons illegal, but not storing ips themselves.


IP is person bound and personally identifying, in a lot of countries you can trace back an IP to a list of people and with an additional information like a last name or a timestamp you can fairly reliable identify a single person.


How would all these things be legal just because an IP in a logfile isn’t?


Largely they aren't. It's not important that they are legal or illegal.

The problem is that it's possible and that is where the GDPR hooks in.


It’s probably also possible to identify people based on the combination of their car color, built timestamp, model and specifically ordered extras. Shall storing these, without a name, be made illegal then and forcing someone to save these in a database to hire a lawyer to ubderstand their legal position? Just because if the name is added to such a database of cars produced, it will be personal identifying?

Put another way:

If the goal is to prevent certain actions by making them illegal and a given boundary can already ensure that, whats the point in widening that boundary even more?


>If the goal is to prevent certain actions by making them illegal and a given boundary can already ensure that, whats the point in widening that boundary even more?

Atleast in germany the boundary has not been widened and most corporations seemed to operate just fine.

> Just because if the name is added to such a database of cars produced, it will be personal identifying?

When you add data to your database you'll have to consider this, yes.

Privacy under the GDPR means that you evaluate whether or not it is necessary to store such data.

Why? Because the GDPR is not only about the present but also about potential problems. If your database gets breached and someone runs of with the data, the GDPR seeks to ensure that the data contained is the absolute minimum necessary and does not threaten the privacy of the users if possible.

Put another way:

Under GDPR you do not own data like car color, built, model, extras. People give you stewardship of the data and you are responsible for it. It is your task to protect it. Protecting people's data is easier when you don't have as much of it.


> Stop logging the IP address then. Hopefully default settings in web servers will change.

But in legal matters, you need to identify people and have some kind of audit trail, especially if they tried to breach your system. That makes no sense.


Depends what's on the site. If it's just a static site, there isn't a lot of point trying to investigate a breach, just fix the changes and move on.


Why stop at IP addresses then?

If IP addresses in logs are necessary for audit trails, why aren’t fingeprints?


You put it to a total overexaggerated extreme here.

That doesn’t help.

IP adresses are not 1:1 assigned to a person for a whole lifetime, fingerprints are.

Only with a lot additional effort and connection to other databases, IP adresses can actually be connected with a person, but only for an uncertain period of time, finding out this timespan, and ensuring it’s really only exactly this one person requires even more effort.

So a properly crafted law would have made all these efforts illegal, and put high fines on them, but not the decades old practice of storing ip adresses in logfiles.


Why do you need to store IP addresses in log files?

I understand audit logging for authenticated users, but that's hardly a general case.


Why are ip adresses even considered personal data? They aren’t for most people and situations, unless a lot if other activities are done. All of which would be already illegal without consent by the law. The ip adress i write this from changes every day, and nobody can know if i share it with someone or not.

I want to be protected from marketing firms that sell my email adress , and everyone who uses it to send me mails for whatever product to buy judt because i entered it for some totally different reason. Those shall be fined with 5 figure amounts.

I don’t see how my(and my housemates/office colleagues etc) ip in the logfiles of the webserver which a small business rented for 3€ to upload 3 html filed can be abused (without storing my email and name without consent which is actual personal data and therefore illegal) and i dont want my hairdresser, car mechanic etc be in need to consult a lawyer to understand all that stuff and have a day worth of bureaucracy and adfing a “we have your current ip in the logs” note just because they want me to be able to google their street adresses.

The law is simply not well crafted for no use if the latter is the case.


>If you aren't competent at responsibly handling personal data and you want to build a project or startup, pick one that doesn't handle personal data, or put in the effort to learn how to do things properly.

Or, alternatively, just don't do business where it would put you under the jurisdiction of the GDPR. That's what a lot of companies are doing, and there seems to be a lot of resentment over it.


There isn't a law banning the use of Electron instead of learning how to build desktop applications properly, and there's a lot of resentment over people doing that too.


>There isn't a law banning the use of Electron instead of learning how to build desktop applications properly, and there's a lot of resentment over people doing that too.

Yeah, and that resentment makes no sense to me either. In both cases it's simply people doing what, in their estimation, makes the best use of their available resources.


> If it's only meant to be used against big companies or extreme offenders, why doesn't it say so?

Because, and this has been repeated millions of times on HN, Europe and the US follow different systems in writing laws


Perhaps we should then take some lessons from how they in USA write laws.


Lol hell no, the US is horrible at writing laws that are good for the common person. I'd rather trust the the EU with its clumsy but well-intentioned laws over the USA's malicious, designed-by-companies laws


In the Czech Republic, small companies and self employed people are commonly fined for breaking extremely complex and unclear laws, some of them set by the EU (e.g. VAT) - without any malicious intent, ready to pay whatever should've been paid. It's the big companies that get to make deals with the government and avoid punishment. They also consistently favour big companies over small ones with tax breaks, dotations etc. I don't trust the EU in the slightest.


Most regulation seems to fall into that category in the US too. Big companies have the money to combat it and still make a windfall of profits, while the small guy trying to build a company gets crushed because some regulatory prosecutor is trying to make a name for himself.

Tax law is probably the most common example of this.


lol, no thanks.


He's talking a nice talk, but history has shown us that when EU makes regulations/laws then they just don't care about the consequences or the collateral. As evidence I would bring the completely useless cookie law and the completely botched "digital VAT" change.

In the latter it just confounds me that the legislators set up a situation, where a small business in the UK is better off not selling a digital good (that you can make infinite copies of) to a buyer in Malta, because the bureaucracy would cost more than the sale would pay. You can't have a "single market" like that.


"but I would like it a lot better if it said that in the actual law"

Have you read the bloody law! http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

This is legislation designed to protect not only me (as an individual) but you as well (as a probable foreigner) from me!


Reading the law, I only see a single exception for small companies: Article 30.1 and 30.2 doesn't apply for companies less than 250 employees.

Out of an 88 page law, 1% of an auxiliary middle of the law is carved out for small companies.

I'm not sure that counts as differential application for small companies. In the US at least, large portions of entire key burdensome laws don't apply for employers below size 50, 10, 5, etc. This does not seem to be the case here.

Does anyone know whether an official impact study on innovation was even done before its passage?


You can be a company of ten people and still turn over millions by selling your users’ data in shadowy ways. Why shouldn’t you be stopped just because you’re small. How can the size a company be used as a rational differentiator in a law like this?


Because the vast, vast, vast majority of small companies aren't turning over millions of dollars. That's the same logic as, "some people cheat on welfare, so lets defund it." This logic gets pushed around a lot by GOP pundits.

The law may be good as a whole but be overly burdensome for small companies. You should at least acknowledge that instead of just dismissing that outright.


Similar laws have existed for many decades. In The Netherlands, privacy laws date back to the 1970s.

At least my reading of the GDRP is that it tries very hard not be a big burden. If you are a small company or organisation and you collect a minimal amount of information (for example to contact them) there is not a lot you have to do.

The main thing is, you are not allowed to be sloppy. If you collect personal data, you have to think about whether you should collect it at all, where to store it, process it, and when to delete it. And you have to tell people that before you ask them for personal data.

Nothing like, we just collect a bunch of data, give copies to everybody, and have no idea what we collected. That attitude no longer works.

If you set up food regulations, are you going to exempt restaurants with only one cook? Or have aviation regulations that do not apply to airlines with only one pilot?

Given that the entire GDRP is less then a hundred pages, you can easily read it in one evening and get an idea of what you can do, have to do, and what the corner cases are that you may need to discuss with a lawyer.


> If you set up food regulations, are you going to exempt restaurants with only one cook?

But restaurants with only one cook can't afford a $300/h lawyer to tell them how to keep their shit hygienic!


And in the EU we have a different way of working. In the UK you can literally phone up the ICO and get free advice, specific advice on how to stay compliant.

If it turns out that you are in breach, they will write to you with information about what you're doign wrong and how to fix it.

In the EU we don't rely on lawyers for a fraction of the stuff you do in the US.


> Does anyone know whether an official impact study on innovation was even done before its passage?

So if it's "innovative" a small 5-person startup should be able to wreak havoc to my personal data in whatever way they see fit? What is that nonsense. Are you seriously suggesting that "innovation" in startups should be more important than my privacy?


Are you seriously proposing that regulations move forward without an understanding of their impacts?

No matter what the ultimate decision is, no matter how sensitive the subject matter, impact studies are critical to making smart decisions.


If a regulation is going to impact "innovative" startups that sell my data, I am totally for it. I don't want more innovative ways to sell my personal information.


> sell my data

I think you're justifying a really extreme reaction based on the worst behavior of a few companies. GDPR doesn't just go after data-resellers. It targets how a well-intended company can use and keep your data even with no third party involved.

Laws that mess up the good-guys lives are bad laws. GDPR is from the same folks who thought a law that lead to pestering users about cookies was a good idea.


It's not stopping any well intended company from fairly using data. A law making it harder for well intentioned gun enthusiasts from getting guns is a good law according to me. All well intentioned gun enthusiasts should support it. Otherwise there'd be a day people would get tired of the bad intentioned gun owners and legislate a complete ban on guns.

Also I like the cookie idea. If only people really cared about misuse of their data they'd like it too. We've seen how good 3rd party cookies have been for some democracies.


Maybe it's just me, but the 2nd Amendment talk in this case really seems like a hamfisted way to spout political opinion that's in no way relevant.

>All well intentioned gun enthusiasts should support it.

Really black/white argument there which the issue is not. And nor is this topic. There should be more nuance in GDPR, but there isn't which creates a lot of discomfort.

>It's not stopping any well intended company from fairly using data.

It actually is, but whether or not that is an overall good thing is yet to be seen. Certainly, they did some level of testing before proceeding.


So without curiosity or concern for any other impact you say yes...

I might say yes but I still want an impact study.

I prefer governing bodies operate with an awareness of how their actions affect society.


I don't think we're going to lose as many "well intentioned" websites as much as we'll get rid of bad intentioned businesses.


You’re missing the point. One last time: it is ideal to operate with an awareness of consequences.


> Are you seriously proposing that regulations move forward without an understanding of their impacts?

No, and it is dishonest of you to suggest that was claimed.

> impact studies are critical to making smart decisions.

Which were done as was consulting with industry etc. well before the law was passed two years ago.


In the history of laws, many of the ones designed with good intentions have been quite harmful.

And yes, I've read the law. It's typical of legislation in that it obviously wasn't written by people who knew what it looked like to perform that in a real life business.


> And yes, I've read the law.

Have you read recital 1? https://gdpr-info.eu/recitals/no-1/ ? The starting point of the law is that data protoection is a fundamental human right,. The data subject owns their PII, not some company collecting it.

It's all up whether you are willing to accept that as a fundamental right or not.

I mean there is a billion of Chinese that live with the fact that free speech is not a fundamental human right. Most Westerners have a problem with that.

Now many US based IT professionals seems to have problems with accepting that nobody else can own the data about a human.

> It's typical of legislation in that it obviously wasn't written by people who knew what it looked like to perform that in a real life business.

That's what a cotton farmer could have said when they made slavery illegal. Obviously respecting other's human rights makes some business models illegal.


First, let me say that, I'm not the person you're replying to, I haven't read through the entire GDPR (yet), and I think that stronger privacy laws are a very good thing. (Part of the reason I regularly donate to the EFF.)

> The starting point of the law is that data protoection is a fundamental human right,. The data subject owns their PII, not some company collecting it.

> It's all up whether you are willing to accept that as a fundamental right or not.

As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

> Now many US based IT professionals seems to have problems with accepting that nobody else can own the data about a human.

I think the idea that someone can own facts about anything is bound to cause some amount of confusion or even cognitive dissonance.

At what point does one's right to be forgotten supersede another's right to remember?

If Alice knows something about Bob because of their personal interactions, as he asks her to forget about it, but she still remembers it, is she violating Bob's right to be forgotten? How about if she had written it down in a journal? Does she need to erase what she wrote? What if her journal was stored electronically? In any of these cases is she allowed to tell another person? What if she already told another person before Bob told her to forget about it?

More concretely, suppose Bob visits Alice's house, and then a couple of weeks later tells Alice that she must forget that he visited. If she ignores his request is she violating Bob's rights?

Now suppose Bob is visiting Alice's website, which records his IP address in a log file. Bob asks to be removed from the log, and again Alice ignores his request.

I think for many technically minded people there seems like an awfully smooth gradient between these last two scenarios, and so classifying one as reasonable and the other as a violation of human rights can be surprising. Precisely where is the line drawn that makes one scenario reasonable, while the other is completely unacceptable?


> As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

Yes, in Germany, everyone, meaning citizen(EU/EEA) or not, enjoys the right of forgotten from surveillance cameras or any image/personal information that is not subject to the legal registry, from public record beyond 90 days. Unless you are targeted for an otherwise legal reason.


Which law is that exactly (german here, but i dont know what you’re referring to€


Not able to answer that question but the Auskunftspflicht also covers police surveillance footage.

Personal anecdote: I was involved in a student demonstration once that ended with the police recording every individual separately in addition to checking our national ID cards. After about 14 days I wrote them a letter requesting information about what data they had kept and to destroy that data if it is not part of an active investigation.

I received a formal response saying they had already destroyed the data shortly after collecting it because they didn't end up needing it.

I presume the law is exactly the same as with any other organisation, i.e. the BDSG (Bundesdatenschutzgesetz) which as of now implements the GDPR (DSGVO) in Germany.


Yes, and meanwhile they illegally sniff your whole Internet traffic... just one current example https://blog.fefe.de/?ts=a5f2e96c


Generally, Bundesdatenschutzgesetz (BDSG), mainly Kapitel 3. §57, §58 and §61.


> At what point does one's right to be forgotten supersede another's right to remember? > > If Alice knows something about Bob because of their personal interactions, as he asks her to forget about it, but she still remembers it, is she violating Bob's right to be forgotten? > > etc.

No, no-one can force you legally to forget something, and I think this brings up the main problem with your argument, which is that we're not talking about Alice and Bob, we're talking about Alice and Bob's Widgets INC.

I'm technically minded and I see a 100% separation between the interaction between Alice and Bob, and Alice and Bob's Widgets INC. Yes, I do think it's completely reasonable for Alice to ask bob to be removed from log files, journals whatever.

Lets look at a parallel you drew:

> More concretely, suppose Bob visits Alice's house, and then a couple of weeks later tells Alice that she must forget that he visited. If she ignores his request is she violating Bob's rights?

I wouldn't say that Alice is violating anyone's rights here. Being unreasonable, yes. Asking for something with no legal or enforceable basis, yes.

> Now suppose Bob is visiting Alice's website, which records his IP address in a log file. Bob asks to be removed from the log, and again Alice ignores his request.

This is a non sequitur, these are different scenarios with different requests, just with the names kept the same. Businesses aren't people, and they don't have memories like people. Businesses don't (for the most part, legal actions notwithstanding) need IP address information. It can be helpful, certainly. Knowing your customer has returned, knowing what they have looked at etc., but it's not essential.

So yes, it's reasonable to ask for removal from logs, and no, it isn't reasonable to ask someone to forget you visited their house.


I guess this demonstrates a prime example of one of the biggest differences in the US:

In the US, corporations are people.

In the EU, corporations are legal persons but don't inherently enjoy the same rights/protections as natural persons (i.e. humans).

Just remember the Hobby Lobby ruling: in the US, corporations can have religious beliefs. In the EU that sentence doesn't make any sense because a corporation cannot hold beliefs (though the people employed by or owning it can).


> In the US, corporations are people.

> in the US, corporations can have religious beliefs. In the EU that sentence doesn't make any sense because --

It doesn't make sense because in the EU we didn't artificially create a legal construct to support the notion of corporations having religious beliefs (or "being people").

Please don't act as if both ideas are equally valid descriptions of the real world when one of them is strictly a legal fiction and completely meaningless in any other sense.

I'm sorry but just like the notion that a 2-person startup would need $300/h lawyers for any significant amount of time to ascertain they're sufficiently in compliance with the GDPR to not get sued into oblivion (.. or something? over here people can just read and implement the needed provisions by themselves in under a week, is what I heard from my friends in the business), this seems to be a problem inside the US legal system, doesn't really seem to me like it's the EU's problem to take into account when it's broken like that.


I'm not disagreeing with you. I'm just trying to be objective rather than judge the two models based on my opinion. My opinion would be that the US system is the result of Friedman free market capitalism trumping civil rights over decades. And in Europe I'd consider myself libertarian.


> No, no-one can force you legally to forget something, and I think this brings up the main problem with your argument, which is that we're not talking about Alice and Bob, we're talking about Alice and Bob's Widgets INC.

I assume you mean Alice's Widgets INC., since Alice was the one with the website.

But in any case, I didn't say "Alice's business's website". I said "Alice's website", as in her personal website. Are you saying that an individual's website can record visitor's IP addresses and store them indefinitely, but a business cannot?


What if it is a personal website, not affiliated with any corporation?


> Precisely where is the line drawn that makes one scenario reasonable, while the other is completely unacceptable?

1. don't be unreasonable

2. be acceptable


Perhaps you should take your own advice.


> As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

That's a good point. The term "fundamental right" occurs only the recitals, not in the law itself IIRC. The laws applies to authorities, but not when they carry out the legal tasks in prosecuting and preventing crimes and dealing with public security. So you would not have any rights with respect to video surveillance by authorities, unless you could prove that that is not done for public security :(

When it comes to authorities practices differ a lot in the EU. Let me give 2 examples because I live/lived there

1. In Germany video surveillance of public spaces is not very popular. One of the biggest cities in Germany, Frankfurt/M. seems to have 6 (six) such cameras now. And whenever there is a new one, it still makes big headlines http://www.fnp.de/lokales/frankfurt/Datenschuetzer-Es-wird-z... (In socialist East Germany they had them already in the 1980, but I am sure they all disappeared in 1990)

Google has stopped rolling out Streetview in the very early beginnings. Not that it is an authority, but it shows the public opinion, even if it's a single picture every couple of years and faces are blurred.

It appears that the resistance is more and more broken. At my last visits in Germany I saw cameras on trains/buses for the first time. I'd assume they are not counted as public spaces, but private properties. Which is a problematic classification considering their function. In Northern Ireland cameras were standard on buses already in the 1990s, no idea for how long before that.

When you get a German passport they will store the fingerprint on it (I guess that's a nearly world-wide standard for machine readable passports). However, in Germany they make a big fuzz about it that the fingerprint is erased from all databases as soon as you have accepted your new passport. If you detect a typo in your passport after accepting it, you have to apply for a new one, pay again and have your fingerprints taken again.

2. In Finland public videos surveillance has existed in all big cities (not that there are many...) for decades. There are also street condition (think snow) cameras on the internet. It's not their purpose, but some of them show fully identifiable people when they happen to walk by. Not many people seem to be bothered about it.

In Finland the fingerprints for the passports are stored until there will be a law how they are allowed to be used. Only few people believe that the police would not use them to solve a high profile crime before the law is ready.

A common Europe is still a big fiction in many aspects.


FWIW the cameras on public transit (which have been the norm in Cologne for at least a decade I think) are legal (under the old data protection laws anyway) because the recordings are automatically destroyed after 24 hours or so.

I think the GDPR would protect them because of a number of factors:

* there's a legitimate security interest (vandalism, terrorism, rape and other personal crimes)

* the recordings are not stored longer than necessary to fulfill that purpose

* there is clear signage indicating you are entering an area with surveillance cameras (i.e. you are giving informed consent)

The GDPR protects the individual's right to privacy but it's a balancing act and the security interests are fairly valid.


> * there is clear signage indicating you are entering an area with surveillance cameras (i.e. you are giving informed consent)

So if I don't want to be filmed on the bus I take a taxi for 10 times the price? (Not sure whether they might have cameras, too. Haven't taken a taxi in Germany for many years.) Or I walk 2 hours?

That's not what I would call informed consent. It's information yes, but as long as there are no competing bus lines without cameras there is no choice really.


We're going in circles. Let me repeat: nobody has a problem with increased data protection and privacy. We're all better off for it.

But the laws regarding it are not clear for an actual operating business. Instead of being simple and straightforward to implement, they are an ambiguous mess that are wasteful and misplaced. Laws designed that way almost never actually accomplish what they set out to do.


> Instead of being simple and straightforward to implement,

I am not sure I can fully follow you here.

If implementers accepted that they only collect what is absolutely necessary and they delete what the they are not legally requited to keep things would be much easier.

Problems start when the business model is that customers'/users' data is our product/an asset and we somehow try the find the minimum possible implementation that just meets the requirements of the law while still using all loopholes it might possibly leave.

I agree that the law is not very clear for how you should code it. Nor very detailed what you can do with a certain piece of data. So it depends on your approach: If you take a conservative approach that if in doubt, we don't keep the data it suddenly gets much clearer. If you start fiddling maybe I could still do it if we did it like this and that you end up in endless work.

And of course if you have an existing system that never had the requirement of deleting anything there is a lot of work. But the law has been in force for 2 years, so businesses that wake up now when the transition period has ended it can be a mess.

>Laws designed that way almost never actually accomplish what they set out to do.

How would you have written the law? Do you have counter-examples of laws being written so clearly that you could recommend them?

The key point really is: Many business models and practices on the internet are incompatible with the spirit of GDPR. It's a fundamental right that the users own their data and businesses are not allowed to do with it whatever they want.

Lawmakers did not want it write it that so clearly, because lobbyists would not have accepted it. And business owners still don't want to accept any suich fundamental right. So complaining about the law being too complicated is somewhat canting.


They are not "simple and straightforward to implement" for two reasons. First one, the problem domain is not simple and straightforward to implement. It may be surprising, but it's only because we've never learned to treat PII with proper respect. Second one, it's because businesses did their best to avoid and abuse privacy laws previously, so the new law has to counter the usual workarounds.

Yeah, it might be getting harder making a startup working on personally-identifiable data - even if it's not doing anything shady. But it's also hard to make a food or healthcare startup; you can't just "move fast and break things" there either. In EU, PII were finally granted the status of something actually important.

As for startups that depend on abusing user data, I'm very happy they have problems now.


A datum is not actually important just because it relates to a person in some way. It's not as if this a regulation about venturing into deviantly risky territory: running a network service of any kind involves the processing of peer IP addresses.


And processing that IP address is neccersary for the operation of the service offered so entirely acceptable.


Exactly. Plus they don’t simply concentrate on people intentionally/ignorantly abusing data (putting my email on mailing lists again and again and ignoring me telling multiple times i don’t want it, reselling, etc) but put a lof of insecurity and bureaucracy on people with nothing more than a static website with IP adresses in logfiles...


May I ask what is not clear to you? I can try to help. As I can see it, it very simple, it is same thing as with borrowing someones car:

- personal data (car) are any data that have potential identifying a person

- person owns its data (car). You cant buy them (well this part is different than the car), you cant steal them, you cant sell them, but you can borrow them from. But for that you need to ask (consent), where it is not allowed to trick the owner to give them to you, whithout beeing fully aware what was borrowed and why. And if you are borrowing the data for someone else, you need to ask about that too. And tell when you will return it.

- it is immature and unfair to play grumpy if someone doesn't want to allow to use its data. Or try to force/blackmail them from him. So its not allowed to do that (noyb.eu)

- once you borrow the data (like property, envision a car), behave acordingly, owner can demand them back, demand to see them, demand to know what you are doing with them and if stolen it is completely normal to tell them about that. And if they were stolen due to your fault (leaving keys in a car), they might demand to be compensated. Same goes if you misuse them (let me put some fertiliziers on back seat, forget to return them, giving it to all your friends without asking,...)

- if the data owner asks you to do something that requires his data ("hey, can you please take my car and bring me icecream from the store") you don't need to ask for data, it is expected you can have them.

Did I forget something? I consider it simple, as long as you try to stay genuinly respecting to other persons ownership. Just think about borrowing your car or borrowing car from your best friend and you wont go far wrong.


things as opposed to knowledge are fundamentally different things.

if yoi tell me your birthday how can i forget it?

if you borrow me a car i have something i can return...


> if yoi tell me your birthday how can i forget it?

That's not really relevant. GDPR doesn't ask people to forget things out of their minds.

So let's rephrase to a more relevant example:

> if yoi provide me your birthday on a web form and I put it in a database how can i forget it?

This now becomes relevant, and easy do answer. You delete it.


>if yoi tell me your birthday how can i forget it?

Ask any husband.

Joking aside, if the memory is on a computer system, as opposed to a person, you can, you know, just delete it.


Out of curiosity, could I legitimately ask Google, GitHub, etc. under the GDPR to delete my name in the AUTHORS file of the git commit it was added in when I contributed to Chrome's v8 engine 10 years ago? Would they have to comply if I did?

Obviously, removing the commit would break git's ability to sign any hashes for that repository after that point…

And thinking it through a bit more, what about the companies that use v8? Could I ask my regulator to get Joyent to remove it from their systems? I'm sure they have copies…


You could ask, but them not complying fall neatly in the legitimate need case...


Ah, this is so interesting! It seems like you're allowed or not allowed to keep data based on the data structure that you use to store it!


Data structure has nothing to do with it. If you stored social media users as fake AUTHORS lines in a git repo, that still wouldn't make you allowed to keep it. In the inverse situation, storing git authorship in the comments table of your photo site's database, you would be allowed to keep it for legal uses.


I interpreted the original posters point that the git repository could not be modified without destroying it. I thought that's how the next poster was responding to it. If you cannot modify an old entry without destroying the integrity of your system, are you required to modify? Either the answer is yes and you effectively cannot use certain data structures (with their integrity) or the answer is no and certain data structures allow you to keep data.


You would want to avoid using a git-like data structure for data you have to delete. But the example was data that's part of making the copyright license function, and you can keep it for legal purposes.


> But the example was data that's part of making the copyright license function

You entirely missed the point of my hypothetical, which was about immutable data structures like git employs.

As it turns out, our business also uses a git-like hash-chained commit log for our normal database. Deleting old entries would thus violate the integrity of our database. Is that now illegal under the GDPR?


When, it's about being able to judge things on their specific merits -- as opposed to having some blanket one size fits all rule.

Law has nuance and cases (and corner cases), it's not some strict predicate.


I agree and understand, but it does give us a likely unintended consequence: no sequential hashed data structures when you are required to be able to modify it. Probably a good thing for hearing less about blockchains!


No. They're required to know who the authors are for legal reasons.


Extreme over-exaggeration in my opinion.

Actually, just because one critcices the way the law is made doesn’t mean they think it’s basic intention is wrong.

As of your slavery example: Forbidding slavery is one(good) thing. Saying „everbody having somebody work for them out of anything but total free will and not being able to prove it is doing forbidden slavery“ is something else. If i must work because i need to eat and pay rent, is that total free will? How can anyone prove that?

So sure, the wording is extremely important.


Yes, indeed I have. But if there's something I've missed, I'd surely appreciate a quote or specific reference.


Please point to the specific section you’re referring to.


I'm sure a whole cottage industry around GDPR compliance will be up and running by the 26th. :|

We're a small agency and all of the legal worries around the GDPR have essentially put one of our revenue streams on hold until we sort out the legalities. Like the comment above, we simply do not have $300/hr available for lawyers to go over everything.


In legal contracts "whereas" often expresses sentiment but it's really the actual terms that matter. Having drafted a number of contracts, I feel most contracts generally have a section that approximates "whereas everyone wants things to go well and everyone to benefit..."

That's great that your company works well with GDPR. I imagine many companies will. I'm also sure that the impact on your backups could have been had without the law if you so chose.

However, an organisation that works inside the UK (EU) serving many EU paying customers (presuming here) is very different from say, Instapaper, who pulled out of the EU today because they don't make very much money from EU customers.

If we pass a regulation that says everyone who is in New York for any amount of time must pass an annual 1 hour health exam (conducted by NY state), I imagine this to be totally acceptable to New Yorkers. It correlates with good public policy: you prevent communicable diseases, and can catch health problem before it gets big. However, if this rule were to be enforced strongly, someone who might stop by once or twice a year probably is better off never coming.


That’s the wrong analogy. How about “everyone who is in new york for any amount of time had to not be actively harming new yorkers”. Sure some people who want to actively harm new yorkers are going to go away and never come back... but they’ll all be better off for it - and really every other state should probably pass a similar law.

Edit: duely noted. Libertarian capitalists of hacker news do not agree.


I find it amazing that you came up with the most one-sided argument you could think of ("not actively harming") and still didn't realize how badly it can misfire.

Here's a hint: my dentist is actively harming me when taking out a tooth.


> my dentist is actively harming me when taking out a tooth.

if that was true you wouldn't pay them to do it. They are causing you pain in the short term, yes. That's not the same as harm.


This comment is personal data about you, specifically your political views. It's now in my browser cache. If you were to ask me to clear it, I'd probably say no. Am I actively harming you?


I was actively harmed by kennywinker's idea I actually would like to seek restitution from him for expressing it because I don't know of a way for him to have it fully erased from my mind.

...or maybe I shouldn't have used this site if I didn't want to be exposed. This is going to end up being less exposure for the EU to things on the internet until someone figures out how to monetize them. If they cost money without somehow contributing something they will be actively excluded.


oh no! Parasitic corporations that provide little or negative value to society are going to make less money of off europeans!! What will they do!!!


I shared my political views publicly. I happened to also use a psuedo-anonymous account to do it. If I suspected my government was cracking down on vaguely anti libertarian-capitalist viewpoints I would probably ask hacker news to remove the extra metadata they might have on their machines that could be used to de-anonymize the comment.

I'm not too worried about your browser cache, but it could under the right circumstances give you some small power to harm me, yes.


How do you handle developer computers with possible client data on them, even semi-anonymized? Or when communicating issues on the live server, you might transfer client information to other stake holders to debug issue. Are you tracking that communication. Where does the communication data reside, perhaps on a server outside of the EU?

There is a lot of complications that arise if you think about the second order/third order consequences of the law.


I don’t know GDPR inside and out, but I have worked at places (not military) where I could be held criminally liable for misuse or negligent disclosure of PII.

The answer to “How do you handle...” is that you get your shit together. Separation of duties, build and configuration standards, no customer data on random laptops.

When I was in high school, I worked at a sandwich/coffee shop. The precious commodity in that store was cash. We didn’t leave cash on a counter, or on a roll in our pockets it was in a locked register. When there was more than $500, we withdrew down to $250 and put the cash in a safe. At the end of the night, we put the cash in a locked pouch and two of us walked to the bank and put it in a dropbox.

Data is no different, just more complex.


And if getting your "act together" is a substantial cost for small companies, no matter?

The word choice almost presumes the conclusion, that data privacy rules are obvious, and cheap, and akin to just washing hands after using the toilet.

Every regulation has costs and benefits. I also would love to have better worldwide privacy at no or little cost, but the fact that people are blocking the EU shows that some companies just don't see this to be the case. And they're voting with their feet.

EU citizens should accept the fact that if they support the law, they will further data privacy protections, which are good, and they will face the music if some innovation leaves or whatever compliance costs may come with it.


> And if getting your "act together" is a substantial cost for small companies, no matter?

Yes, no matter. Should small companies also get free pass on food safety laws? Health inspections are a PITA for restaurants too.

This reaction is pretty much textbook psychological reactance[0]. People doing business had some freedoms wrt. user data, but it turned out in practice that they should never have them in the first place. Now that those excess freedoms are being removed, businesses cry foul.

--

[0] - https://en.wikipedia.org/wiki/Reactance_(psychology)


Exactly. It's very sad that reasonable privacy measures present such a technical challenge, but nobody promised being responsible was easy. That's why we have regulations - to force businesses to place the common good ahead of profits, where applicable.


>Should small companies also get free pass on food safety laws? Health inspections are a PITA for restaurants too.

But if you look at how reality works, then you'll see that small companies often do not implement the proper food safety standards. This causes all sorts of problems, because if a company already does one shady thing, then doing one more isn't as much of a problem anymore.


And then they get closed down when a food inspection takes place.


Yep, that's exactly the case, but another one of these opens up somewhere else at the same time. We've had inspections like this happen for many years, but it's still happening. And these companies that don't adhere to the law could outcompete those that do by saving in some costs.


Yes, it is unfortunate that the authorities lack resources to track down all misbehaviors, but that doesn't make crime acceptable.


But it means that the laws are poorly thought out, if only some of them get caught and it gives a big advantage to those that do it.


Data privacy isn’t trivial, but the core concepts are pretty straightforward. Like cash, data is both an asset and liability. The business model of tech insulates the investors completely from liability, so there is no incentive to self-police.

The contempt shown for us collectively as users and people is what triggered the regulatory backlash.

The 2016 electron demonstrated that better than anything why this is important.


The internet's role in the 2016 election was primarily its ability to connect like-minded people and capture their attention in a venue where advertising can be purchased cheaply and casually. Data may have helped with ad targeting, but was basically incidental. The insufficiently regulated thing there was speech, not data, and there are good reasons we don't really regulate speech.


I agree that the Facebook/Cambridge Analytica debacle should have been prevented. I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

As mentioned before, size limits is probably good for compliance costs; if the problem is political influence, make that a key part of the law. Making part of the law liability per privacy breach can be useful too (to deter companies from lax security that end up with them hacked).


> I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

Legislators don't have the luxury of saying "I'm not totally sure what's the best legislation" to fix this issue; they are forced to propose an actual fix. If you don't have a better alternative on hand, I'd urge you to consider that which legislators have arrived upon after months or years of consideration.


The problem with carving out exceptions for small companies is that larger ones would simply subcontract out all their data handling.

Like encryption, data privacy is either all or nothing.

And personally? I'd rather live in a world without tracking-enabled Google and Facebook business models than the one we're currently in.

Holding personally identifiable data is a toxic externality: Experian simply exposed a clear case.

If you want to do so, you should have to bear that cost. Or design your business model differently so that you don't.


For size limits, as logicians, we would think that companies would just split infinitely but that doesn't seem to be the case.

For example ACA 2012 (Obamacare) applies the most onerous terms on companies greater than 50, but not a lot of 100 person companies split into two groups of 50 to dodge it.

I think privacy is indeed along a spectrum and not binary. I certainly think that EU citizens are more concerned with Facebook and the vast trove of data they have and political irresponsibility with it than with GarethsFirstApp in the Android store handling user data well.


Splitting core business functionality and siloing data handling to a contractor are apples and oranges.

And I'd point out that the latest Facebook media privacy outrage was caused by a smaller (1 person?) third party company.

GarethsFirstApp isn't so innocent when it's providing Facebook with data they can no longer collect themselves (given a hypothetical "You're small, so we'll let you get away with it" GDPR).


Let me shed some light into this: I am having my own mail server and I am using a separate mail address (and now it will be close to 10 years of doing that) for every registration to any website, lets say domain_url@mydomain.com. As you can imagine, I can track who sent me the email and where it got my address from. 99% of addresses that I get spam on came from registering to small bussinesses, never from large sites. Get it?

So based on that some might argue, that the small bussinesses should be regulated more as majority of violations are comming from them, not well established bussinesses. It is probably not true, but it might also be.

So... binary only is a right way to go.


"The answer to “How do you handle...” is that you get your shit together."

Yes it is


I have keyed in and deleted so many efforts at an answer to your question that I have given up and find myself merely asking: "Have you actually read the regs?"

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

My reading of them finds no second/third order anything. The regs are surprisingly clear.

I forgot to mention that unless you are trying to abuse EU citizens in some way then you have no problems. A useful side effect of the internet is that deciding whether someone is an EU citizen or not is tricky. That means that most companies have decided to treat all citizens in nearly the same way:

For you as a private individual, a foreign power now provides you (indirectly) with way more "rights" than you might have had in the past on the internet. Have a read of the regs, please. The first few paras are a bit "we the people" but then, that is what is required. Then go through the articles. Read them as a person first and then consider them as a company or whatever you do later.


>I forgot to mention that unless you are trying to abuse EU citizens in some way then you have no problems.

Half of commenters are making this assertion; the other half are asserting it's a damn good thing that small companies will be eviscerated for insufficient seriousness, whether or not they are doing anything abusive. Some of you are necessarily wrong.


I could argue that not protecting my data constitutes abuse.


> surprisingly clear

This is an 88 page document with extremely dry language. Just confirming your assertion will be time consuming. No wonder many American services would rather shut out EU users than comply.


This is a silly and downright crude comment. My mortgage contract was 56 “dry” pages and I found time to read/understand it, to the best of my ability.

If you own a business, the cost of reading this document is about 2 days (with consideration for googling terms). To disenfranchise a whole continent because you are inconvenienced is ridiculous.

Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?

American services are just busy because they are doing their best to keep the lights on. Within a week, the handful of companies will comply. They’re just cautious because they have to pay folks and don’t want to make a silly mistake that will shut down their business.

Edit: structure


> If you own a business, the cost of reading this document is about 2 days

I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

If you make any amount of reasonable money, you need a lawyer to work with your devs (hope you didn't outsource the work!) on a lot of this. And your usual lawyer, if in the US, might not be qualified to deal with EU laws. It's a tough situation. For businesses that don't even target EU markets on purpose, well...

If you're a medium to large international business, then this is just business as usual: dealing with new laws popping up, small or large, is just something you do. It sucks, but hey: it increases the barrier for entry of your next competitor!!

Disclaimer: I think GDPR is fine, and in a few years when every new startup or mom and pop company and 3rd parties are all setup for it, it will be a no brainer, just like email (not many people running their own email servers these days!). But the transition is hard, especially on smaller players.


> For businesses that don't even target EU markets on purpose, well...

See https://ec.europa.eu/info/law/law-topic/data-protection/refo...

> When the regulation does not apply

> ...

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.


This boils down to relying on each of the EU's twenty-eight data regulators interpreting "specifically target" favorably into perpetuity. One of them takes an unusual view, once, at any time in the future, and you lose 4% of your global revenues.


> I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.

Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.

GDPR has more nuance then most other situations but just like PCI, you just deal with it.

What I imagine is this situation is like a bunch of stores stop taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.

Would folks have same reaction if their neighborhood deli said "fuck it!" I ain't protecting the CC data cause its tough and requires too much work?


The cost of PCI compliance is baked into the transaction fee, and yes, businesses are sometimes cash only; particularly if the business is small and its products are affordable, customers understand and appreciate the owner's unwillingness to pay those fees.


PCI is well defined. It's a lot of process, but nobody is confused on what the process is.


How true was that on week 1 that PCI went live?


There was still a pretty easy line between "I take credit cards" and "I don't take credit cards". The rules for PCI drastically vary between company size too, in that compliance for small companies is pretty easy, and your responsibilities increase as you go. To this day, there are companies that don't take credit cards too (though usually its not to avoid PCI, heh).

But yes, once there's an industry of GDPR auditors, precedents in lawsuits, and the threshold for "Do not market explicitly to europeans" is obvious and well understood, this will be much easier.

And still, until the end of time, there will be companies that aren't GDPR compliant and don't work with EU customers. Maybe with the goal of doing so once they have more time and resources.


100%.

It's basically a checklist, and you're either compliant or you're not. It includes various levels with actual numbers and explicit requirements, there's very little interpretation needed.

If anything, it should've served as the model for GDPR.


Wow, the entitlement.

The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.

This is an incredibly expensive regulation to comply for most small and medium companies not because they're doing villainous things with the data, but because learning this law and then documenting your compliance for this law is ridiculously expensive for many types of businesses.


Your comment came off a bit combative against me vs. the idea I'm trying to argue. Perhaps I didn't make my point very well.

Lets swap GDPR for PCI compliance, which has a new standard (or fully implemented standard, if you may) coming soon. PCI deals with credit card information.

My relevant background allows me to make a few assumptions: 1. If you are in the US.

2. AND you have visited a Quick Service restaurant in the last five years (think Subways, Chipotle, etc.)

3. AND they use one of the major POS (point of sale) providers.

That your credit card, name, expiration date, and CVV is in plain text.

You may know the GPDR very well, as it is your job and you are most likely very qualified for it. And yes, there are probably lots of nuances to this law. However, thats every single law there is, every standard, guidelines, etc.

I'm not entitled. I am, however, a realist that understands that you just have to comply. Taking two days to read the 88 page PDF will make you more familiar then most. It might not make you an expert but for a small to medium sized business, it would give you the necessary tools to comply with majority of the law.

Quite frankly, I don't have a bunch of lawyers and I do have to implement GDPR. Will there be an official review? YES. There will be folks who know more then I and are professionals to double check my work. But I can't tell my stakeholders "Sorry, We can't do that because its just too tough". That seems entitled...


Complying with the majority of the law isn’t good enough when you can be sued for not complying with a small part of the law.

It’s like complying with 99% of securities laws and forgetting to comply with the insider trading laws. That’s not a defense.


Remember that this is EU, not USA where anyone can sue you for anything. If you feel a company is not complying with the law you can complain to your national agency who will follow it up. If the company don't comply after getting a warning the agency can bring the case to court and the company get on trial


The problem with selective enforcement is you may be treated nicely until e.g. your founder takes a political view a European politician disagrees with.


This is europe. We use laws to prevent conflict not to build a battlefield. We don't have ambulance chasing lawers here.


To disenfranchise a whole continent because you are inconvenienced is ridiculous

Oh, please. To not offer a service or website or whatever to people half a world away is not to "disenfranchise" them. I don't think you have room to call anyone else's comments "silly".


It's making your company's products and services irrelevant, as we'll just shrug and move on. That's got to hit the bottom line.


No, not really. Not to be shocking or anything, but Europe is not a target market for every company.


Half a world, but only 100ms.


I would like to share an anecdote with you, which might highlights the difference in mindset some folks have.

When I was 20/21, I worked at PJ Clarke's on the Hudson, a restaurant in downtown Manhattan. Back then, the Merc was still staffed by traders on all floors (they switched to computerized trade desks, I believe, and there were less people there).

During one shift, I had a party of 10+ people and had to grab extra tables from other area. The tables had tops made from granite and heavy. As I was moving the table, the majority owner Phil Scotti jumped in and started helping me. I said something like "I got it" and he looked me in the eye and said "Anything for a buck".

That quote might not be popular but I what I realized is that work is work and money is money. If a multi-millionaire could move tables and his wife (in custom, expensive, suits) can bus tables, then yes...Disenfranchising, or not servicing a bunch of folks, because you don't feel like it is fucking stupid.

I apologize for calling it silly.


I dunno what the point of this anecdote was, but the parent poster was right to mock the word "disenfranchise". If the American business doesn't want the buck, they don't want the buck. If they do want the buck, they do want the buck. Their call, not disenfranchising anyone.


Ha, I actually thought the comment was relevant for an article on blocking EU users with Cloudflare.

This regulation calls for legal expertise, trusting google to save on fees seems risky for a business. In all seriousness, biz owners should shell out for expert advice for compliance, or stop doing business in the EU.

Google and Fb have already seen litigious groups claim $9.3B in fines on the first day[1]. There will certainly be a cottage industry of lawyers going after online businesses that have erred with GDPR.

[1] https://www.cnet.com/news/gdpr-google-and-facebook-face-up-t...


Those groups don't get to keep the fine money? What is with all the disinformation about people sueing companies for GPDR violations like it's a civil court issue and one side gets damages?

People can refer an issue to the regulators claiming that the GPDR has been violated. The regulators will determine if they believe the regulations have been violated and whether it's a large enough violation to enforce. If fines are levied they go to the government and are intended to be punitive, hence the percentage of revenue as the max fine so that you can't just ignore the regulation by being rich.

No individual or group other than the government is going to make money off of this, and the government has to balance the loss in taxes and cost to enforce against any gain from a fine.

This whole kerfuffle about the GPDR has just shown that american companies will lose their fucking mind if they have to follow anyone else's rules and can't just lobby the US government to force their laws on everyone else.


Irrespective of who gets to keep the fine money, it will cost money and time (and likely lawyers) to handle any regulator inquiries. These complaints barely a day after the law came into force clearly shows that this law has come as a bonanza invitation for "activists" to impose legal costs on whatever target catches their fancy. I wouldn't be surprised with anti competitive targeting. Large corporations will write off the risk and the cost. Small business will choose not to do business and avoid the risk.


The law has been in effect for 2 years and the regulatora have given everyone that much time to implement their GPDR compliance. These large companies have not done so. We're people supposed to just ignore them forever because they didn't feel like getting around to following the law?


The GDPR has been there for 2 years, the 25th was just the start date for handing out fines.

Shame on them for ignoring the law for that long, just because there weren't any fines yet.


> litigious groups claim $9.3B

Incorrect. They are civil right groups, which filed complaints with the authorities. Even if the complaints were fully accepted and the offenders fined to the maximum possible amount the groups would not "earn" a cent.


"This is a silly and downright crude comment" - easy mate. My ISO 27001 docs are a bit dry as well and I wrote the bloody things as well as the sob ISO 9001 ones.

In my opinion you absolutely hit the nail on the head with this:

"If you own a business, the cost of reading this document is about 2 days"


> Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?

Umm, no, I won't read them?

I seriously cannot remember the past time so ever went and read all the official docs for a new tech.

Instead I learning by doing, and reading stack overflow.

If I have to read through 50 pages of docs to use something, I seriously am just going to use something else.


That's fine when you only hurt yourself but when you are dealing with personal data you can hurt others because you want to take the quickest path.

These same arguments could be applied to just dumping waste from manufacturing in the rivers. Does "If I have to spend 50 days disposing of my waste in a way that doesn't harm others I'm not gonna do it. I'm just gonna dump it somewhere else" sound acceptable?

Modern society has mostly decided it's not


I am not advocating that people break privacy laws. I am instead advocating that US internet businesses simply stop doing business with EU customers.

If the EU doesn't wants these services, then hopefully these services will decide to leave, and the EU citizens can decide if it was all worth it.

I am certainly going to block EU customers on all my future side projects. It really isn't worth the bother for something that I just made for fun, and isn't making many money. Easier to just block this small market wholesale.

I even found a way to block them with a single line of frontend code!


That seems perfectly fine. You'll have to watch out if you have assets/money flowing through the EU jurisdictions still as they can still fine you and take your stuff I'd you violate the GPDR.

I'd you are completely outside their jurisdiction though, there's no much they can so to you without starting a war or convincing your own government that the GPDR should be enforced.

I do think it's leaving money on the table though. The EU is 500 million people, 2/3rds more than the US and with a bigger aggregate economy. The US also has regulations that have a cost to implement so it's not like you are avoiding the issue just by focusing there


Small sidenote here. I'm the creator of https://documentation.agency/ and I've seen quite a few devs actually choose their tech/libraries based on the quality of the documentation.

I agree with you in everything though, everyone should be reading and following the law!


"This is an 88 page document with extremely dry language"

It starts along these lines after the usual intro:

"The processing of personal data should be designed to serve mankind The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality"

I'll grant you that lacks a certain something but the language is compatible with another well respected charter of rights that you should be more familiar with.

FFS, do you not notice the similarities!


Don't forget the brilliant and deeply meaningful paragraph 37:

"A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings."


Even without any context that seems pretty clear.


I'm guessing you're hinting at the Universal Declaration of Human Rights? It's not well-known or well-regarded in the US.


Sadly, this is true.


Are there no laws in the US?


Not if you are rich, and a many small business owners labor under the delusion that they will be the next Gates or Zuckerberg


"No wonder many American services would rather shut out EU users than comply."

Good bye and good riddance. And I don't really care if the door hits you in the ass.

If Instapaper, to name an example, wouldn't do shady shit with user data, there would be no reason at all to forgo the European market.


If you have developer computers with client data on it, semi-anonymized or not, I want you fined until you stop. What the hell is wrong with that hypothetical business?

It's like restaurants putting the toilet in the kitchen. Shut the business down!


> There is no way on earth that the EU as a whole has looked on your company/project or whatever and decided to screw you.

The rules are enforced via third-party litigation. So its not the "EU", but some lawyer looking for a nice payday that you have to worry about.


While the GDPR allows for third party litigation, the violations are expected to be handled though relevant data protection authorities, and direct litigation is a last recourse if all else fails. If you haven't tried and failed to resolve your GDPR complaint through the relevant authorities, you'll be laughed out of the court, if you try to bring a GDPR case to it.

Edit: any replies instead of just downvotes? Yes, it isn't spelled out entirely in the GDPR but it isn't operating in an empty place. The civil law systems of most of EU have certain assumptions in place, like that you will first try to find recourse through proper avenues, and only then try direct litigation. If anything, you might actually try to sue the data protection authority for mishandling your case.


I'll try to answer. The law doesn't actually say that you can sue only after complaint resolution through authorities have failed. That is merely expected practice and assumptions. Potentially facing a frivolous lawsuit in Europe is high risk for a business which small businesses may not want to take. If that's the intent, it should be codified in law.


Even if true, how are small American companies supposed to know about any of that without investing in a lot in European lawyers? Easier to just not serve the market.


Thank you for a sensible and balanced opinion. The Americans seem to be shitting themselves over this, when it is meant to help us all work toward better privacy - not shoot people or put them in prison. That is what years of living in a police state has done to them - turned them into wall building nervous wrecks !

There are no GDPR police looking to shut you down. Calm down.


> Have a look at the first few paras of this: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX.... after it says "Whereas". Does the language look a little familiar? Do the sentiments look strangely familiar in some way?

The thing after "Whereas" is just a preamble stating the intentions, not the actual legal text. In this case, I scrolled down no fewer than 31 pages, thinking to myself "The whereas section can't be that long" until I finally found the real start of the legal text "HAVE ADOPTED THIS REGULATION" on page 32 of 88.


>It is about protecting basic, fundamental rights that say 30 years ago we never knew needed to exist.

No. GDPR is an overreaching and idiotic law, where standard IP logs are illegal.


Thanks for posting that, makes me feel much better about the spirit of the GPDR.

I decided to remove any use of cookies from all of my sites() a week ago. For my business (writer, and sometimes consultant) that makes sense for me but I understand that most businesses need some access to customer data so they have a motivation to properly handle personal data.

() except my blog is on blogger - still trying to deal with that - I will probably go back to using Jekyll.


It's curious how these "basic, fundamental" rights only apply to select industries, while others are free to completely ignore them (art. 85). What kind of basic, fundamental right is that?


Are we reading the same Article 85 here?

Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.[1]

Not sure how that's 'complete freedom to ignore' exactly, nor is that an exhaustive list, just some examples of where they may need to be balanced against other freedoms.

[1] https://gdpr-info.eu/art-85-gdpr/


http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

(see below for my response wrt SS85) I prefer to dwell on things like this:

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

Below:

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.


Even the beloved First Amendment does not protect all forms of speech. Your point…?


Please explain why the parent comment attracted downvotes. In the US Constitution, the first amendment protects Americans' right to free speech. However, not all forms of speech are protected. The same legal principle applies to the GDPR; not all industries need to follow the GDPR, as laid out in the Article 85.


You’re missing the point completely.

I’m really glad to hear that I’m not being targeted. However, I don’t much care about what the intent is, I care about what the effect is.

And what I see is a law that is vague and enforcement agents are given broad discretion. What this looks like is that each case become “facts and circumstances” case, which is an absolute nightmare from a compliance standpoint.

And the additional paperwork and personnel requirements appear to be non-trivial and will add a significant amount to the minimum necessary capital and labor needed to start a startup .

The inevitable and undisputable result is that at least some startups on the margin which could’ve made it before the law was passed will not make it after the law was passed.

Supporters would argue this is a good thing, but I would argue it is not.


The thing for me is that it requires me to log additional data. Now I need to know where my users are from, how old they are, and how often and how they access their account.

All data I happily ignored so far to increase privacy.


>Now I need to know where my users are from

Why do you need to know that? Why don't treat all users with respect?


What respect? Saving additional metadata?

I totally get your point. But my product already focuses on privacy. Saving any kind of metadata/communication data is more than I do now.


The business culture defined in this post is really freaky, to say the least. You can't point me to one other industry where you can start selling shit w/o "knowing what you're doing". Or if you can't sell your things you lure people in with free stuff and sneakily fuck them up w/o no laws to work around which protect them.

Simply and brutally put: if you are incompetent and/or malevolent in your business practices and for that reason your business faces existencial threat from a piece of regulation that codifies the ideal setting for the industry, your business better dies ASAP.

I want that just like you can't have a random person design cars, architect buildings or teach our kids, similarly a random person cannot code up a commercial/government web site where they were "learning as I went along"; and an enterprise that can't afford to consult a lawyer can not get their hands on people's private data that they'd rather not change throughout their lives. Entrepreneurs to the hell, the amount of irresponsibility some people posting here want conceded to them is mind-boggling. I really hope that the upcoming decade will bring some sanity to this wild-west of an industry where who don't know what they are fucking doing can't just go out and handle stuff that they should not be allowed to even observe with a telescope from miles and miles away.


This culture has driven innovation of the last 2 decades. You can't point me to one other industry which enjoyed as much success.

Of course, Europe couldn't care less - they never had a real startup industry in the first place.


This culture has been riding a wave of innovation, a wave driven by big chip companies (e.g. Intel, NVidia, Arm), big SaaS companies (e.g. Amazon, Microsoft, Google), big content / ads companies (e.g. Facebook, Google), big hardware companies (e.g. Apple, Samsung, recently Google and Microsoft) and big software companies (e.g. Apple, Microsoft, Google). From that big farm of company-flowers which live for only a couple days, founded on the most fragile of practices, only a handful actually produce some service that has any interaction with the general public, and these businesses' most innovative thing was to app-ify a thing that we used to do day to day (which I do not look down upon, but it's no "innovation"). Examples are Uber (however controversial), AirBnB, Etsy, etc., if we exclude those who feed themselves exclusively on users' private data (Facebook, partially Google, Twitter, etc., but these are not businesses whose customers are the general public, their customers are the ad publishers).


This kind of US-centric "only we know how to do startups" is tiring. And wrong, as there are in fact hubs here full of startups - you just don't generally hear about them online because it really is incredibly focused on everything American. I'm not saying that is a bad thing, but it is important to keep that in mind before you form opinions that are frankly a little distant from reality.


I actually think it is exactly the opposite: the culture like this was killing the innovation. That is reason biggest companies are ads companies: Facebook, Google, Twitter, etc.

And that is the reason companies like Oracle and other will still make big $$ - why? Because you cannot "break things and sell ads" and do "delete=1" when you are developing RDMBS.


I find this pretty rich. Breaking things and selling broken stuff to clients, and then turning around and selling them expensive consulting services is pretty much the biz-model of Oracle.

And then there's this: "In 1990, Oracle laid off 10% (about 400 people) of its work force because of accounting errors.[53] This crisis came about because of Oracle's "up-front" marketing strategy, in which sales people urged potential customers to buy the largest possible amount of software all at once. The sales people then booked the value of future license sales in the current quarter, thereby increasing their bonuses.[54] This became a problem when the future sales subsequently failed to materialize. Oracle eventually had to restate its earnings twice, and also settled (out of court) class-action lawsuits arising from its having overstated its earnings. Ellison stated in 1992 that Oracle had made "an incredible business mistake."[53]"

So Oracle isn't a particularly good example of a well run business with good internal processes (I also wouldn't put them in a list of ethically run companies either)


The other side of this is that the GDPR puts all those companies from jurisdictions with no privacy regulations to speak of in front of a choice to either stop doing business with a huge market or actually stop ignoring privacy concerns.

The important consequence of this is that it puts EU startups on more equal footing than in the past. Most EU countries already had fairly solid privacy regulations, some more, some less, but certainly more than the US (generalization, but that's the trend). If you were a company from a different jurisdiction, you could mostly skirt those regulations (up to a point) because they weren't enforced in most cases. Not so much if the regulation is from your home country.

With GDPR, actual EU startups now play by the same rules as non-EU companies who do business in the EU. If a US startup wants to be international, they'll have to compete with EU startups on a more level playing field now.


> The important consequence of this is that it puts EU startups on more equal footing than in the past.

I can easily say that if I had to choose between a US service and an EU one, from now on the answer is almost always the EU one.


> all those companies from jurisdictions with no privacy regulations

What gives EU the right to legislate in those jurisdictions? What non-privacy laws will EU enact in non-EU countries?

> If a US startup wants to be international

Well I have no intention of being international now, but I still have to play by EU's rules on the possibility that I might ever want to do business there.


driving innovation while having the biggest number of homeless people in the streets and no health care.


Not even close[0]

There is healthcare in America[1]

[0] https://en.wikipedia.org/wiki/List_of_countries_by_homeless_...

[1] Doesn't actually need a source


Holy shit. As a Canadian who moved to the US, that was quite surprising.

Homeless people in big American cities are everywhere. In the couple of large Canadian cities I lived in, they were present, but not nearly as much. I guess Canada is better at hiding the problem.

I'm mostly surprised though that the Canadian social safety nets don't prevent it from happening more. As a kid my family was.... "not doing well" (understatement), and we were able to bounce back up and avoid becoming homeless reasonably easily by using every program imaginable (it took a lot). In the US, we would have been screwed. Yet those numbers...


Yeah I'm not sure. The presence of homeless people seems to be far more a function of how aggressive the government is at removing them than anything else. Melbourne is absolutely packed with homeless, but Sydney far less so, and I have a feeling it's not because of Sydney's cheap rent[0] or a lack of broken homes in the city. I suspect such a business oriented, conservative city is just more tough on its homeless.

[0] Sydney rents are insanely steep


I don't think the commenter meant healthcare as in hospitals and medicine being available; AFAIK the US has nothing like what most other countries has where it is facilitated for most or all citizens to access health care at minimum or no costs.


The commenter is responsible for the disconnect in their hyperbole as far as I'm concerned. America has a mix of systems including Medicare and Medicaid which are actually very similar to the systems we have in Australia. I just got out of hospital recently and didn't have to pay a cent, and at that moment I was really glad for the system we have in some ways, even if it doesn't totally gel with my professed ideology.

However if I were earning any kind of money at all, I would have paid out the nose for it, with some small help from the Government. The system here is actually very similar to what the American system would be if it functioned better. Medicare subsidises but doesn't eliminate costs for many low-income people, you pay for private insurance if you have money or else you get a big fat tax which is worse than any insurance fees. The Australian system is definitely nicer if you are absolutely dirt poor (by Western Standards) like me, but otherwise it's pretty much a correctly functioning version of what the American system aims for, ideologically and conceptually it actually doesn't differ much. I'm not sure why ours seems to work so much better.


Firstly, that list is useless because you're comparing wildly different definitions of "homeless". The US was counting

> The U.S. Department of Housing and Urban Development released its annual Point in Time count Wednesday, a report that showed nearly 554,000 homeless people across the country during local tallies conducted in January. That figure is up nearly 1 percent from 2016.

> Of that total, 193,000 people had no access to nightly shelter and instead were staying in vehicles, tents, the streets and other places considered uninhabitable. The unsheltered figure is up by more than 9 percent compared to two years ago.

While the UK was counting

> The study, by housing charity Shelter, found that 307,000, or one in every 200, people are now either sleeping rough or in temporary accommodation.

Temporary accommodation includes bed&breakfast, staying with friends, emergency shelters. There are about 5000 people sleeping rough in the UK at the moment in a population of about 60million.

And then look at the countries who have worse homelessness than the US.

Nigeria, South Africa, Russia, Indonesia, China, Haiti, Venezuela, India, Zimbabwe, Honduras, Ukraine.


the land of the 98% free!


> This culture has driven innovation of the last 2 decades.

So what? Communism turned feudal Russia into a world superpower in less than 2 decades. Do the ends justify the means?


Not making a moral argument. @gkya's comment paints a picture where entrepreneurs unhappy with GDPR are perhaps just a small contingent of incompetent amateurs who shouldn't be doing business in the first place.

While I, in agreement with OC/OP, see it as a threat to the entire industry.


Nearly, what I think is that, those unhappy with GDPR are either malevolent actors or incompetent people. And I think the bar to entry to the industry should be elevated (while bar to entry to learning ones way to that bar and to hacking should always be as low as possible; but you can't hack together and end user product, period).

BTW I'm not in the US not in a country where GDPR is effective. But I CRAVE that my country implement the same measures or better. Unfortunately that's unlikely.

Finally, it's a threat to the bad part of the industry. And then there are those who exaggerate the situation while they are not really affected by the regulation. But the hysteria will diminish and hopefully most of the bad actors wil either change their business or just go out of the industry, searching for other places to exploit (which hopefully they will not find).


The problem isn’t so much as there’s a cost to implementing GDPR, but that the tech community has been “move fast and break things” and refused to handle things properly before.

If all you do about my PII is “set delete = 1” (which one could argue isn’t even the best practice in every scenario), then I probably don’t want you to handle my PII at all.

To your example, you could easily not switch to a CASCADE, but instead set delete=1 and rewrite every sensitive field with a special value. Doesn’t even require a DB migration.

If your attitude to properly handling sensitive information is “it’s too complicated and costly, so we’ll just not handle it and YOLO”, perhaps GDPR is a good reflecting moment for you.

[edit:typo, edit:clarification]


This may be an edgy and rebellious sentiment that makes me a radical anti-privacy activist, but unless you're storing levels of information on me that are similar to facebook/google/etc., I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account. If your web app is just a web app, and not one component of a vast surveillance octopus which puts tentacles on almost every website using social media buttons and GA.js, I don't think it matters in the slightest.

It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.

There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.


> This may be an edgy and rebellious sentiment that makes me a radical anti-privacy activist, but unless you're storing levels of information on me that are similar to facebook/google/etc., I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account. If your web app is just a web app, and not one component of a vast surveillance octopus which puts tentacles on almost every website using social media buttons and GA.js, I don't think it matters in the slightest.

> It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.

If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the that care people their rights

> There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.

I think it's mainly a difference in viewpoint: this is my data for me. Not yours. GDPR makes it easier for me to enforce that. From my perspective I don't care about you violating my rights "in good faith", just like most people don't cares if you trespass on my property and steal something "in good faith".


If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the that care people their rights

The problem is not the work that the GDPR requires, the problem is the work I'll have to put into understanding the GDPR.

I think it's mainly a difference in viewpoint: this is my data for me. Not yours.

This is the part that I don't understand. If I own a shop, and you come in and buy something, you have absolutely no right to demand that I forget your face and your purchase. In the real world, it's not your data, it's my memory. If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.

I don't understand the concept of data ownership, because it does not align with how I understand the real world to work.


> In the real world, it's not your data, it's my memory.

This is where there's been a divergence on thought. In the real world you have limited capabilities to collect and store the data that is currently being collected. You're physically limited in how much you can retain and retrieve. In your old timey example I assume the diary to be sitting there in the back of the shop just being a record of my name and what I bought, but that's not how a lot of data is being used or being collected online.

The equivalent would be you making the diary automatically write down a potential unlimited amount of data on me and then using it to sell advertising the moment I enter the shop.

If I went past your store and it automatically retrieved physical details about myself, what I'm wearing, my interests, hobbies, location and you then built a profile and then sold this information to advertisers there absolutely would be regulations regarding this in the real world.

A better example:

http://www.bbc.com/news/technology-23425297

Privacy limits As retailers trial such tech they are well aware there is a risk of a privacy backlash.

Clothes store Nordstrom recently cancelled a scheme which tracked customers' movements through its stores using their phones' wi-fi signals after complaints.

"Are we willing to accept our everyday movements being monitored and analysed, not to keep us safe but purely to allow advertisers to target us? I think people will start to say no, our privacy is worth more than a few advertising dollars."

--

You say shop with a diary to present the most innocent of examples but for every shop with a diary there's billions of stalkers following people everywhere they go to learn as much about them as possible in order to sell them products and influence how they think which they never agreed to.


I totally agree, but that's an argument against some specific practices, while the GDPR is a scattergun approach that legislates much more than behavioural profiles and advertising. Barely-profitable or loss-making services acting in good faith are now under the same requirements as odious billion-dollar advertising companies, and some of the former are going to go under because of the GDPR, while all of the latter are going to be fine.


If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.

I asked this question in a comment [1] here on HN a few weeks ago. There were affirmative responses that yes, the shopkeeper should in fact be held to account for keeping notes on who came into his store.

[1] https://news.ycombinator.com/item?id=16509598


This is largely because the law doesn't care about implementation details. If a grocery store had a system which meticulously logged every customer that came into their store, when, and what they bought (i.e. loyalty card profiles) then we have to deal with issues related to privacy and data protection. Doing the same thing with pen and paper won't be seen as a meaningful difference.


If you're using the data to make money, and the user is generating that data, why do you just get to keep and sell it? How is that any different than you owning some forest land and I just come in and take some animals from the land to sell for meat?

You might call it poaching, but that only became a crime when society made it one, and that's what the GPDR is doing now with personal data


What an absurd analogy. Nothing is being stolen from the user. The user has no copyright on their browsing habits.


They do now with the GPDR. You talk like all other IP is something that is a physical fact and not something that the government decided to create


Yes, I know they "do" now with GDPR. The EU has descended into complete madness.


Does this law not apply to organisations that don't make money? I was under the impression it applied to anybody and everybody.


It does apply to everyone, but since data is so valuable now, I would think the ethics still apply.

Data about users has become a valuable asset, and taking it from people now is depriving them if that value, whether or not you personally use it to make a profit.


The problem is that I can't afford the services of a lawyer, or a data protection officer, for a non-profit project. Especially not to satisfy regulations made in a foreign land far away from my own. So the only option left on the table is to block the EU.


> you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.

I hate to break it to you but yes I do: by doing business within the EU market you're accepting that. In fact you're accepting that the very same way that you're accepting that you can't store all your clients' credit card/cvv numbers that are used on your store.


See, to me, that looks like an intolerable imposition onto my basic humanity. It's legal for me to remember you, but not to write down anything about you in my diary? Does that not seem unsound to you? Does it not seem to trample all over common decency and common sense, to in some way cause harm to older people who can't just rely on their grey matter?

I freely admit that keeping a diary is not the same as keeping customer details, but that's the point here: why are they treated the same?


There is a qualitative difference between degrees of data collection. What you can see and remember is a different category from what you can write down; what you can write down is a different category from recorded audio/video; what you can record with conventional equipment is a different category from what you may capture and store using all available technology e.g. DNA sequencing. In general, the more powerful the technological aid, the stronger the regulation.

Even just the first two, seeing and writing down, are legally distinct. Supermarket checkout staff handle hundreds of credit cards a day. How do you think the law would react to such an employee writing all of them down?

It's not discriminatory against old people, because even a completely amnesiac person armed with a notepad can permanently capture vastly more information than all but a photographic memory.


They are treated the same because you are collecting data about others and GDPR regulates how this should happen.

If you want to collect the data, then it must relevant for your business and that warrants you should treat it properly.

Upon request to erasure you should go use reasonable measure to remove it. Wiping your memory is absurd and is never considered reasonable – no need for a lawyer to rule that out.


Many of these people would happily give their government the power to wipe your memory if the technology to do so existed. It's insane.


What makes you think that? Why do you intentionally spread absurdities?


> If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the that care people their rights

A server 'processing' (which seems to include using it in any way, not just storing [1]) your IP address appears to fall under the GDPR[1], and said server would be in violation of the law unless its processing falls under one of the exemptions.

The main exemption appears to be getting the user's explicit consent, though there's also this super vague exemption: "for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted." [2]

In general, it seems very hard to avoid the GDPR because what is considered 'personal data' is extremely broad.

Maybe I'm misunderstanding something.

---

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...

[2] https://ec.europa.eu/info/law/law-topic/data-protection/refo...


Yeah, you're putting too much emphasis on consent. It's only one of six lawful bases for processing data, and in fact the one with the most stringent rules.

I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:

"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."

There's a three part test:

1. Identify the legitimate interest: ensure the security and stability of my systems.

2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse

3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.

Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.

[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...


> I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.

Every business owner in Romania knows two things:

- the IRS equivalent will investigate them periodically, usually every few years - they will ALWAYS find something to fine the company for

Sure, you will have to correct the something, but that doesn't mean you don't have to pay the fine anyway.

Also, incidentally, the company I was branch manager for has been once investigated by the police for credit card theft (they received a complaint). They couldn't find anything (because we didn't steal any credit cards - we just had a lot of computers because we were programmers, working for the main company in the US) but, in order not to have wasted the raid, they decided to prosecute us for copyright violations (they found a few pirated games).

So, at least in Romania, there is no such thing as "correcting mistakes before fines come into play".


That's a local problem in Romania, not a GDPR problem.

As in your example, they'll use any law to beat people over the head. That should not be an argument against a privacy protection law.


> That's a local problem in Romania, not a GDPR problem

It's actually a human problem. The history of political bodies granted immense discretion to fine and punish is consistent and terrible.


If your business was in the UK, the ICO can and would be able to stop you processing data, and get a search warrant for your business address. This is because they report directly to the government.

I doubt you'd be able to fix any issues before they get involved.

PS. it's Cambridge Analytica


> PII

GDPR has no concept of PII. Personal data is anything relating to a natural person. It's not just an identifier like an address or phone number.


I have a blog. No ads. No revenue.

1. I have been using Google analytics for their entertainment value. I assume that's verboten now.

2. I assume the IP addresses in my logs are PII. Should I shut off logging?


(standard IANAL disclaimers)

1. yeah, probably.

2. There's a comment elsewhere in the thread to this effect, but short-term logging for the usual purposes of managing stability/security of a system almost certainly qualifies as legitimate interest. Don't keep the logs indefinitely, but I figure nginx's defaults with a week's retention period is quite reasonable.

The relevant authorities also have a track record of giving people warnings and time to fix things, so especially for something so trivial, I'd basically just make a good faith effort and not stress about it.


1. No, but you shouldn't need to store PII. Simply disable cookie usage and enable IP address anonymization in Google Analytics.

2. You can simply exclude IP addresses from logging.


You can't have a legitimate opinion on whether GDPR is a good thing or not, because you don't event understand what data is.


> I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account

You don't give a damn; neither do those computer illiterate people who use the same email address and password for everything, and one leak of some shitty inconsequential website may obliterate their entire online presence.


I'm not sure how the GDPR fixes anything, since those people aren't going to be capable of finding the hidden "delete account" button five pages into a big tech company's byzantine privacy settings.


The GDPR says "It shall be as easy to withdraw as to give consent". If you're hiding the "delete account" button, you're breaking the law.

https://gdpr-info.eu/art-7-gdpr/


Wait, I thought we were talking about tiny inconsequential websites here? You moving the goalposts or what?


TBH location tracking is the most sensitive PII I've seen anywhere, and plenty of 1 man shops are doing it. It takes like 100 lines of code.


>properly handling sensitive information

But the thing is that GDPR affects all PII not just sensitive one so your random small useless app/blog/game/forum that has some personally identifiable but harmless and unimportant data stored is now under the same restrictions like your email or FB data.


Like, say, a personality quiz on Facebook?


> your random small useless app/blog/game/forum that has some personally identifiable but harmless and unimportant data

Unimportant like your email address and your one password you're reusing everywhere? Yes, they should know better but that's neither here nor there.


> If all you do about my PII is “set delete = 1” (which one could argue isn’t even the best practice in every scenario), then I probably don’t want you to handle my PII at all.

Are you aware that setting “delete=1” is essentially what file systems do when deleting a file? What file system do you suggest companies to use when they want to comply with GDPR?


It is simple. You have to apply reasonable measures to delete the data.

That is vague, for sure, but hopefully you have the engineering skills and domain knowledge to make a good call.

Dealing with credit card data? Think a lot about it.

Dealing with movie preferences? Deleting from the database should be adequate.

Dealing with attendants from a local conference? Delete the files when you don’t need them.

(And remember: nobody will ever show up with a fine one day. It will always start with a warning and a chance to improve before any fine is applied – unless there is serious neglect.)


I’m well aware of that, but are you aware of any SQLi that can output a deleted file? There’s a big difference between the two things you’re trying to equalize.


Does the GDPR actually draw that line somewhere above the filesystem, but below the database?


Totally different. deleted=1 would be like adding a tag to a file saying "hey, this file is deleted" and never doing anything again.

A filesystem will remove the entry pointing to the data on disk, and mark that region as free and ready to be reused - and it will get overwritten.


And going through all the backups to overwrite the data? Backups that would have been written to CD or tapes?


Yep, you have one month.

If you are storing backups for longer than this then perhaps you have to ask yourself why.

For instance, the last company I worked for deliberately didn't keep database backups past 30 days and had that policy for some years prior to GDPR. The idea being that it would be expected by a user that when they hit "delete" on something in the web app it would actually be deleted.

(Additionally there is a whole minefield of crap that could happen if you got subpoenaed and had to due process on months or years worth of backup data, but this wasn't the primary driver of the policy)

This is a pretty good read on the matter:

https://ico.org.uk/for-organisations/guide-to-the-general-da...


Your backup retention policy should comply with GDPR, and you should be prepared to justify extended retention periods.


From technical perspective, overwriting values is more deleting than deleting itself. God knows when DELETEd records will be overwritten in the database file. I once found very interesting remains in our ‘cleared copies’ of financial databases during the restoration process.


Merely setting a delete flag is not compliant with the GDPR, that's why a cascading delete is necessary. Any programmer worth their salt knows mass random deletes and updates are extremely inefficient.


To your post specifically, I think a cascade of "zero outs" or the like to blank out a user's data would be sufficient is it not? It could happen at most once for each user account so it shouldn't be ruinously inefficient unless a system was already on the verge of collapse.

But on the topic in general, could someone explain to me what the real world consequences are likely to be for a small business not based in the EU, of not complying? If I've never cared where my users were as long as their payments cleared (oh, is that where they get you? the payment processor?), and I'm selling handcrafted bobbins online in Canada without letting people delete their email address, what is likely to happen if someone complains to EU authorities?


That would make it compliant but there will still be efficiency problems.

Databases such as Cassandra are made so that updating doesn't actually delete the old data until some time later so frequent updates will degrade performance and storage. Other databases that allow for immediate overwriting the data will cause fragmentation and thus performance decline and wasted storage until you compact (basically recreating the entire database) which is not something you want to do all the time, especially on SSDs.


I mean, come on.

1. GDPR gives you 40 days to respond. You don’t have to run VACUUM everyday.

2. The entire point of my post was acknowledging that there are costs to being GDPR compliant, and why it’s responsible to have that cost.


It's not frequent updates to delete a piece of data once in its lifetime.

If it takes a week to garbage collect that's fine, it just can't stick around forever.


The problem isn't to delete 1 piece of data 1 time. The problem is different people demanding thousand+ rows randomly spread out in your database deleted every day that is the problem.


Look at the cavalier attitude people have with their data until now. Do you really think starting today every one of them is going to start caring and requesting full deletes everywhere?

Maybe a percentage will be better educated, and actually request data deletion here and there, sometimes but I don't thing anything is going to massively change in general customer behavior. The GDPR just gives the means to those who really want to control their data (which were there before, by the way, just not really enforced. Now that there's a number figure to the possible fine, now is everyone paying attention.)


The problem isn't the odd paranoid submitting a delete request once a month, it's when some influential person publicly requests a delete for whatever outrage is going on that day and causes his 10k followers to do the same


You're suggesting that a business should be able ignore the privacy concerns of its users because they're inconvenient. That is decidedly worrying. If a startup can't afford to run ethically then it shouldn't really be in business.


Is deleting an arbitrary set of rows every fortnight such a problem?


Yeah, this sort of thing is like a pessimistic case for Cassandra and various databases that are designed to model data as an immutable set of facts and to model deletions as retractions or the like.


Apparently it defaults to 10 days for tombstone purging and recommends not going below 5 days. How bad is performance actually going to be at a nice slow several-day compaction rate?

The pessimistic case sounds like trying to remove things within hours.


All I can say is that not everyone's situation is the same. If you have a small forum where a few hundred people post a few dozen messages a day, it obviously won't be a big deal. There are situations where the amount of generated information is much larger than that. Webserver logs are one possible example.

It isn't an impossible problem to solve, but the GDPR is a significant time and a money burden that will especially be an issue for small startups that don't have millions in venture funding to spend on this.


I encourage you to read my comment again, and point out where I mentioned merely setting a delete flag. Any reader worth their salt will point out that it’s not what I suggested at all.


I believe the confusion is around your statement "mark every sensitive field". I think you mean "overwrite every sensitive field", but that definitely took a re-reading to infer, and I'm still not 100% sure.


Thanks, the processs reminded me of the “redaction” process, so I used mark. That’s definitely on me. Clarified.


"you could easily not switch to a CASCADE, but instead set delete=1 and mark every sensitive field with a special value"


you ignored "and mark every sensitive field with a special value", which is the key part. As long as all sensitive data has been essentially zero'd out (for some value of zero), all is fine.


Marking a field sounds to me like labeling and not zeroing it out.


What if "a special value" == NULL?


If you choose that value, and it's the only, or one of the few values that break your software, then it's your fault.


The thing is, affected persons can not only request a data deletion, but also the pausing of data processing. In that case, you are not allowed to delete them but they must not be used any longer, which is essentially a soft delete. So to be compliant, you’d have to implement both a soft and a hard delete.


Wouldn't it be possible to just delete the 'idetifiabel' parts in the database in order to be GDPR compliant?

If you for instance save all the user data like user preferences under a random userId, and then delete the personal data (such as email address, name etc.) associated with the userId I would expect this to be GDPR complaint without having to do a cascading delete.


If you're absolutely certain that the user's identity cannot be reconstructed from the remaining data points, then yes, a full anonymization is enough. You are, after all, removing personally identifiable information, even if the record structure remains in your database.

It's a law, not a technical constraint. No one gives a fuck about some foreign key relations, they care that personal data cannot be accessed, or somehow reconstructed.


This may well be harder to get right than just deleting the data. Just as in the saying (and this is a terrible paraphrase) goes:

  "Anyone can design a lock that they themselves can't pick"
If you think you have anonymised data sufficiently you may well not have done it sufficiently to prevent others from re-conctructing it:

https://en.wikipedia.org/wiki/AOL_search_data_leak


Yes, but this is actually more difficult than you think. It doesn't take very many data points to ID a user.


Anonymizing like that would be GDPR compliant yes, as long as the remaining information absolutely cannot be used to identity the original subject.


That it isn’t known with confidence is your answer to whether it is worth implying it is easy.


I read a lot about cascading deletes, which I interpret as holding personally identifiable data redundantly.

I can see two reasons why this would be a problem:

You have a really shitty un-normalized database design. Granted that you may have to denormalize specific columns for performance reasons. But why that would be the case with, for example names, phone numbers or sexual preferences, totally escapes me.

Or, you're referring to actual cascading deletes, meaning that you need to get rid of child relations, based on deletion of the parent relation. If this poses a problem then I'd argue that you're guilty of a shitty database implementation, arguably with criminally bad definition of your primary / foreign key pairs.

I really don't see a problem here, unless the database schema is implemented in a totally incompetent manner.

Edit: Clarity


A cascading delete is not necessary. You need only to remove personal information, not all information. Now if you are producing an application that only contains personal information like a chat app, then sure, you might need to remove everything.

But often all you need to do is overwrite the name, address, or similar bits of information, and you can then leave the rest of the data intact and set your delete flag.


HN won’t let me go deeper, so here it goes:

> "you could easily not switch to a CASCADE, but instead set delete=1 and mark every sensitive field with a special value"

Emphasize on the part after “and”


That is insufficient. You can still infer identities through metadata and behavioural analysis. For instance purchase history and geolocation is often enough to identify some individuals.


“Move fast and *break things.” Although, GDPR seems to be throwing on the brakes.


Tired of the eternal startup excuse to justify bad behaviour when it comes to protection of consumer privacy.

If it is impossible for some startups to respect strong privacy practices maybe we simply don't need those startups.

This 'startupism' is almost an ideology. No mechanical engineer would complain about safety regulation just because it means that they cannot start a business in their garage. In other industries, strong safety standards and regards for customer privacy is simply the norm, not an annoyance.


Also tired of people thinking that a company not wanting a rule means they were intending to do the exact the opposite of that rule, especially given said rule is incredibly vague and designed to be applied "on principle".

Fortunately for all of us, safety regulation is actually very specific in requirements.


> especially given said rule is incredibly vague and designed to be applied "on principle".

You know, I'm starting to feel that at least some of this contention is based on how Americans interpret the law vs. how Europeans do it. Somehow it seems that Americans (and the UK) has this huge legal corpus but everything has to be nitpicked to the letter, or the common law judges' interpretations may vary wildly, and some people might skate on technicalities, i.e. abuse of the letter of the law.

Whereas in civil law, which the EU is, there's less leeway for interpretation, however, the spirit of the law is also taken into account.


It's the opposite. "In-principle" creates lots of potential for interpretation, depending on who is doing the reading. The spirit of the law is also taken into account all the time in America.

It's really not as simple as you make it out to be and the EU has plenty of argumentative litigation.


Upthread we have the claim that "most early-stage startups use the... best practice of 'delete=1'," pretending to delete user data while actually retaining it. So, the exact opposite of the rule.


Yes, and many things will remain that way with GDPR because of necessity (ie: old invoices and transactions will continue to have your details). Most startups are doing their best to be good stewards of data, and they didn't need big global regulation to force them.

But do let me know when GDPR actually does anything to deal with ISPs, credit unions, medical companies, and plenty of other institutions that have breaches all the time and have endured roughly $0 in penalties.


> Most startups are doing their best to be good stewards of data, and they didn't need big global regulation to force them.

lol


So you work for a big company like Canonical. Glad to know you guys always get it right:

http://www.wired.co.uk/article/canonical-warns-2m-users-of-p...

https://arstechnica.com/information-technology/2013/07/hack-...


Who he works for won't negate the fact how ridiculous the original statement is at just bare face value.


> Most startups are doing their best to be good stewards of data, and they didn't need big global regulation to force them.

If that were true we wouldn't be seeing daily threads here (like this one) that effectively amount to "I don't want to follow the law/protect the data I collect" for months now.


...you just repeated it again. Not wanting regulation does not mean not wanting to follow the law or protect data.

Complying with GDPR can involve a significant cost, but as said multiple times already, the issue isn't data privacy and security but the vast ambiguity of the law. Costs and risk explode when the rules are vague and applied "on-principle".

There are numerous comments on this page that keep saying you need "a good reason" without realizing that is absolutely useless in a legal sense and can open up a large volley of litigation against any business.


If you're a small company and making a good faith effort to acquire express consent from your users for data collection, follow best practices to secure that data, and allow users to delete their data (even if it's a manual customer service driven process) then I don't see why you have any reason to be afraid.

You're not opening yourself up to litigation from random 3rd parties -- they can only file complaints to regulators who will decide how to respond.


Well then, you’ve never been the target of a lawsuit.

Forgive me if it doesn’t make me comfortable that the decision whether to file a lawsuit against me or not is left to some often uneducated and inexperienced regulators.


I think it is an important point about "many things will remain that way with GDPR because of necessity (ie: old invoices and transactions will continue to have your details)". Most people doing business have _very_ legitimate reasons for having sensitive data; invoices, charges, security, etc. all require having personally identifying and sensitive information, and GDPR recognizes that-- but what it means is that companies _will_ and _should_ have customer information. Just because it isn't sitting in their database to improve customer experience doesn't mean it won't be sitting in the billing department for accounting & auditing purposes. So GDPR doesn't actually change much about people having your data, just kind of shuffles it around.


Why is delete=1 a best practice? There are competing concerns here. The government has now decided for everyone. Agree or disagree it is not worth implyng immorality where no immoral intent is present.


I’m not sure that delete=1 is a good idea, because you’re still mutating database records. But, it’s often lot cleaner conceptually to model state as an append-only log of assertions and retractions or via a log-structured system, where you never delete old records but just push a new index record that leaves the appropriate record out.


Sure, but it also leaves a much bigger attack surface, because you still have all the deleted data ready to be leaked, as has repeatedly happened in practice. It's only a cleaner solution if your risk accounting allocates close to zero cost to that, which is what most startups do.

It's hardly only EU bureaucrats who have pointed this out. See Bruce Schneier from a few years ago: https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...


Yeah, my point is just that the way databases have been developing recently has been towards eliminating mutation and deletion. The GDPR’s conception of deletion is fundamentally opposed to these models.

However, you can sort of match the two by storing personal data in a separate key-value map, using the (random) key from that map to link your data to the personal data and then just deleting the map entry when someone asks to be forgotten.

The annoying part is retrofitting data scrubbing into things like data warehouses and other systems of record, without accidentally deleting data you have a legal obligation to retain to satisfy, e.g. anti-money laundering laws or audit requirements.


It is insufficient to only mask PII because behavioural data can in some cases uniquely identify an individual, such as purchasing history. You have to destroy all data from the user.

By the way it is this stuff that is so maddening about GDPR. The EU steadfastly refused to be helpful by even answering frequently asked questions clearly.


Here's a thought: regulation like this is, along with the heavy-handed ideology that lead to it, is the reason why the EU is still lagging regarding technical innovation. I think this attitude is the primary reason Silicon Valley took hold in the USA and that the EU has nothing comparable. If the EU wants to legislate itself out of the future they're more than welcome to do so -- and I applaud every site who makes the tough decision to stonewall EU users.


I'm not onboard with the idea that Silicon Valley holds a monopoly on technical innovation. Getting people to click on ads on smartphones doesn't capture the entire scope of technology. Europe's economy is roughly as large as that of the United States. Many world-leading companies from the car industry, to chemicals, to biotech reside in Europe.

The US holds one dominating advantage in one subset of technology. Consumer-facing internet tech. While a lot of people employed in this field commentate on this website, it's a marginal part of the tech industry, and it's not worth sacrificing privacy for, Europe does not need Silicon Valley to produce high-value products.

And if adtech is supposed to be the definition of the future, rather than genomics, complex manufacturing and the life sciences than I'm okay with us skipping that part. There are business models that don't rely on sacrificing the attention and privacy of consumers.


That's exactly my point. The EU is built for entrenched institutions. There is no entrepreneurial spirit -- and that's why there's N-number of self driving car companies in the US and zero(?) in the EU, for example.


The EU had self-driving cars in the 1980s (Ernst Dickmanns & Mercedes, demo: https://www.youtube.com/watch?v=I39sxwYKlEE ). The most expensive robot car project was in Europe (https://en.wikipedia.org/wiki/Eureka_Prometheus_Project).

I do agree that the EU has less of an entrepreneurial spirit. Some cultural elements, but also practical: It is difficult to scale an app, since there are such large language and culture barriers between EU member states. There is a decades long brain-drain of highly technical (AI) people. Finally, it is very hard to compete with US companies, as they skirt the rules, winning all network effects with huge VC infusions.

I always suspected some of that was accomplished with military and intelligence support: The American economy and intelligence apparatus stands to benefit a lot with the entire world using Google and Facebook. The other side of this coin is that the pro-privacy anti-surveillance movement may also be supported by foreign intelligence agencies in an attempt to hurt US economic and military interests. https://en.wikipedia.org/wiki/Lernout_%26_Hauspie#History was close to establishing an AI-type Silicon Valley in Belgium in the early 2000's, but was unsuccessful.


All (or most?) of the big European car manufacturers in Europe provide and actively research self-driving technology. Volkswagen's research budget is five times as large (iirc correctly) as Tesla's.

You are succumbing to a lot of stereotypes here, which I might add is fuelled by a cargo cult tendency within Silicon Valley.


No, you see, if it's not a startup, it cannot be innovative.


You think you're being funny, but it took silicon valley to invent a machine to press juice of proprietary only bags of pre-chopped fruit, so I think you look rather foolish now!


But they're all providing that technology to American firms who are implementing the technology rather than developing it at home. See what I'm driving at?


So they do some research and then let some american companies that can't even imagine why you'd create safety regulations do the practical testing which kills American citizens instead of European ones when the inevitable mistakes happen.

Then they get access to the technology through partnerships. This sounds like a win-win for the EU companies


Indeed, it’s a win for the American economy too, when the IP is owned by American companies and the majority of profits go there.


Sounds like the Tesla and Mobileye partnership.


Apple recently gave up their self driving shuttle and told Volkswagen to do it for them. So yeah...cargo cult and tunnel vision.


European car companies sell identical technology to Tesla, it's just they call it lane assist (accurately), not autopilot.


You are mistaken. Lane assist is not the same level as available in a Tesla. No European car has or has ever had the higher autonomous level than the late model Tesla has. https://medium.com/iotforall/the-5-autonomous-driving-levels...


Tesla has ambitious goals, especially when it comes to reusing existing hardware, but right now the software is level 2.


>"There is no entrepreneurial spirit"

That betrays a deep lack of knowledge of what happens in Europe. There are a ton of innovative ideas and services that originated here.

Just off the top of my head, Skype and Spotify are huge and well-known.


Famously French has no word for entrepreneur.

/s


Whereas the US with its ISP, fossile fuel, pharmaceutical monopolies, it’s GM and Apple, Google, Amazon, Apple, and Facebook, Lockheed, and Boeing is obviously a Randian utopia. Yes indeed, no entrenched institutions in the US!

/s In cased you missed it.


> Getting people to click on ads on smartphones

Clicking on ads is how they fund AI research. Not all tech is equally profitable but you need all kinds. Meanwhile EU is still debating whether it's worth getting into the AI game.


>The US holds one dominating advantage in one subset of technology. Consumer-facing internet tech. While a lot of people employed in this field commentate on this website, it's a marginal part of the tech industry, and it's not worth sacrificing privacy for, Europe does not need Silicon Valley to produce high-value products.

> it's a marginal part of the tech industry

Hilarious


Is it?

Visit Germany sometime. Drive through the countryside. Most parts of the US look like a hollowed out shell by comparison.


That might have something to do with the fact that Germany has 7x higher population density.


You may or you may not have an argument - but you only present the most cliché, most superficial version. You merely divide total population by total area, which is utterly useless and misleading. Why does that keep happening on a supposedly "better" forum like HN? Each time this topic is touched this exact same tired and wrong pseudo-argument is presented as if population follows an equal distribution per area.

Just like in the rest of the world, in the US too the vast majority of people are clustered in and around urban areas. In order to achieve your goal/argument you counted vast stretches of nothingness. At least since the early 20th century migration to cities has been going on, and it still does - large urbanized areas continue to suck in people from the already emptier areas of the country.

https://en.wikipedia.org/wiki/Megaregions_of_the_United_Stat...


> Drive through the countryside. Most parts of the US look like a hollowed out shell by comparison.

In what way do you mean? Wind power?


Basic housing is the thing that stands out most for me. I'm originally an American, and now live in a rural area in Europe. Rural parts of the more affluent Western European countries aren't advanced per se, but they're, I dunno, reasonably modern. Decent housing and decent internet access. The U.S. countryside is just incredibly backward in this weirdly visible way by comparison. Entire swaths of countryside, especially in the southern US, but not exclusively there, are full of a mix of trailer parks on the one hand, and questionably habitable shacks with missing wallboards and plastic-tarp roof patches on the other (parts of Louisiana are seriously shocking). And good luck getting broadband.


I used to live in Europe and have also lived in many parts of the US. Just trying to understand, since I didn't notice much visible difference other than wind power. I'm from a rural area in the US, and it was a great place. I haven't spent much time in rural areas of the south though.


Small and especially medium business is vaporized.

Textiles? Gone

Light industrial? Gone

Regional banks? Dying

Local banks? Dead

Small retail? Dead

Dairy agriculture? Dying

Family agriculture? Dead

I grew up in a small town. 20 operating farms circa 1990. 2 today. 3 agricultural/equipment dealers, today 0. 5 small/medium manufacturers... 1 today, because of a military contract. School enrollment? -25%.

I watched the beginning of decline when I was in high school. There is no anchor businesses that sustain local economies, and no access to capital. Without government spending, either indirect or direct transfer payments, a shockingly high number of US localities would be in a state of complete implosion.


This is an inevitable consequence of globalization and conglomeration (especially of agriculture).


It’s an inevitable consequence of our current economic policy.

Conglomerates are all about capital, not efficiency. We are paying more, not less, by eliminating market participants.


Here's a thought: You don't know what you're talking about and I applaud the EU for protecting me against people like you.


GDPR only has an effect starting from yesterday, I highly doubt it had a retroactive effect up to the early 2000's to wipe out EU startups, that point is moot.


Hey, man, that's totally fine that you don't want those services.

Which is why those services are responding by blocking all EU customers.

Seems like a win win for everyone. Businesses don't have to deal with ounerous laws, and EU citizens don't get to use those services.


Plus it leaves the market open for other businesses who are actually compliant so they can capture a bigger slice of the market than the existing services. There really is a lot to win.


if a preexisting startup doesn't care for the market, its probably because it's too small to be worth it. This is not 1999, most ideas have been tried at least once. And experience shows that "extra privacy" is just not a selling point.


> if a preexisting startup doesn't care for the market, its probably because it's too small to be worth it.

It's not just that. It's that there is no money in cloning unsuccessful startups. Nobody wants to copy you until you're a success, but by then it's too late. By then the first mover has the momentum and resources.

This doesn't change that. By the time a startup becomes successful it will have the resources to pay compliance costs and enter the other market.

The problem is that having to exclude EU users until you're big enough to afford compliance will cause more ventures to die on the vine, before they ever become successful enough for anyone to want to copy them.

It also puts the local EU startups at an obvious disadvantage, because they have to pay the compliance costs up front instead of only after proving themselves in the US market.


>No mechanical engineer would complain about safety regulation

Mechanical engineering projects are too costly to be undertaken casually in the first place. Regulation is unlikely to be the long pole, so do you don't hear them complain about it. It only takes a few minutes and some easily self-teachable skills to start serving HTTP traffic; now it's going to take a few months and some lawyer hours to create the bureaucratic cover for doing so.


> Mechanical engineering projects are too costly to be undertaken casually in the first place.

Yes, because of the implications, as the parent said. Just making stuff is cheap these days, that's not just true for software. You don't have to build a factory, if you want you can even outsource the actual construction entirely if you don't want to go through the trouble and remain flexible, just like "cloud computing" using startups.

> It only takes a few minutes and some easily self-teachable skills to start serving HTTP traffic;

Because people do it without caring for or knowing the consequences.

> now it's going to take a few months and some lawyer hours to create the bureaucratic cover for doing so.

I don't understand your point, it's exactly what the parent said? Yes, this forces the startups to actually care about the consequences of what they are doing.


I've been wondering the same thing. Maybe the true hacker spirit is dead.

I just want to roll my eyes when I see comments to the effect of, "Oh, it's so simple, just read the 80+ pages! The language is clear and straightforward, we promise! Also, you should have separated duties, full CI/CD that sanitizes any possible user data from leaving its hermetically sealed tier, and delete data early and often. If you don't, you'll be fined several tens of MegaEuros." The risk-reward ratio there is just insurmountably high for a small one- or two-person team.

I'm sure there are actually good parts of GDPR, and, hell, for all I know, the whole thing is the overarching achievement of Western civilization. But, unfortunately, reading 80 pages of dry foreign legalese when I'm not a lawyer is somewhere between a waste of time and a very bad idea (e.g. I think the regs are simple, make a mistake, then have huge legal liability). I will sadly be blocking the EU from any services I work on going forward until the point where I'm successful enough that I can actually have my lawyer look over everything.


"The hacker spirit" was NEVER about harvesting user data so you could sell it to advertisers. Bite your tongue.


Yes, and? No one claims that it is. It is, however, about iterating quickly on networked software in the absence of heavy bureaucratic process. Process that is now necessary to ensure auditable, provable compliance with the letter of the law, even for activities that are already complaint with its spirit. One can argue this is necessary for society, but it's certainly a crackdown on the hacker spirit.

Fun fact: GDPR has not one word to say about advertising in particular. Ad targeting may still be legal in some cases! Meanwhile all networked software is illegal by default unless its operator can prove that it stays within the defined GDPR exceptions.


I don't agree that keeping track of data processing operations, where you store data, creating an ability to delete user data and basic security hygiene is onerously burdensome on projects where you know about these requirements ahead of time. Yes it absolutely is a major pain in the butt for existing projects but that's a different argument and not a good reason not to improve consumer protections.

> Meanwhile all networked software is illegal by default unless its operator can prove that it stays within the defined GDPR exceptions.

This doesn't make sense to me. Can you please instruct me how I would go about suing the curl project? Please help me understand how this networked software is "illegal by default." I actually don't understand precisely what you mean by "networked software" so perhaps my misunderstanding lies there.

Overall I find statements like this "all networked software is illegal" to be FUD hogwash. It's just the same as when environmental regulations are going to "destroy the energy industry" and labor regulations are going to "destroy the service industry" etc.. Industry (represented here by tech entrepreneurs) is doing their typical disingenuous wringing of hands they always do when consumer/worker/environmental protections are brought forth.

Let's get rid of the GDPR, the EPA and the Paris climate accords while we're at it.


>suing the curl project

Any server you curl is processing your personal data by addressing the HTTP response to your IP address. Curl itself arguably fails "privacy by design" test in that there is no Tor, etc. enabled by default, although I admit that's a stretch. The entire HTTP protocol design of obtaining documents by interacting directly with their publishers is similarly careless from a privacy perspective.

>"all networked software is illegal"

It's not always illegal. It's illegal by default, and up to you to demonstrate that it falls within one of the defined exceptions.

>"destroy the energy industry"

I'm quite happy that only serious and well-capitalized entities can surmount the regulatory hurdles to running a smoke-billowing power plant. I'm not happy that we're doing the same things to websites.


Not about creating broken networking software or broken software in general.

Have you been in Usenet in a networking group around 2000. Good luck with these fake opinions.

Just because some startup incubator is great at grabbing words from the hacker culture ("ycombinator", "hacker" "news"), does not mean they get to redefine the meaning.

They are just greedy, greedy for money and words they can appropriate.


This is a false dichotomy that I fully reject. I feel disgust for the current generation of creepy, centralized, ad-ridden websites that make a pittance on each of us and use our data to create the next generation of (proprietary) AI.

I also don't think the _solution_ to that problem is to create a new bureaucracy and complex set of rules ("you won't be targeted, trust us!") that seems to address a "problem" (if it even is so) that is a large superset of ad-driven tech. Overcharged bureaucracy goes against the hacker spirit.

By the way, a way out of this mess seems to include crypto. We know right now that most ICOs are scams, crypto has lots of technical issues, and is in general still not ready for "prime time." That being said, when it _is_ ready for prime time, it's hard to even imagine how a crypto network could even comply with any of the basic ideas of GDPR, despite the fact that privacy is not really a concern.

How would you implement a "right to be forgotten" on a blockchain ledger? It may not even matter that the EU itself would not interfere, as GDPR also apparently creates private rights of action. Any sufficiently loony EU citizen can drag foreigners to court with gigantic lawsuits.


My understanding of "blockchain ledgers" is that it's not the case that every single byte of a ledger entry is present in the blockchain, but that some other ledger is maintained and its digest (at various points along the way) is incorporated into the blockchain.

That being the case, "the network" doesn't own these 'side ledgers.' They have owners who may well keep non-public data. Further, that the data comprising a particular digest needn't be disclosed, only that the owner of the digest vouches for the digest. For forgettable mode, said owner validates their own data, generates the digest, adds it to the blockchain, and subsequently 'forgets' the data that created the digest.

Now maybe that flies in the face of a fully public blockchain, but it allows the implementation of that which you couldn't fathom: a right to be forgotten alongside blockchain technology.


The european union provides a FAQ for the GDPR so you don't need a lawyer if you have a small business: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

The "best practice" you mention was already illegal if you have European users, the right to be forgotten was already a consequence of existing laws and directives (just ask Google).

As for startups the GDPR already takes company size into account, so unless their business is literally being a private NSA/Stasi/etc. they don't have much burocracy to deal with (https://ec.europa.eu/info/law/law-topic/data-protection/refo...)


Funny thing is there are also mandatory data retention regulations that say data MUST be maintained for a certain period of time by law.

It's getting worse, but it's generally been the case that it's impossible for an individual to bootstrap a company and be 100% compliant with every law and tax regulation. You would never have any time to actually provide a product and service customers. You just do the best you can and as you get bigger you become more complaint.


GDPR just says that if you are keeping data, you have to have a good reason for it.

If you have to retain certain data for eg tax purposes, then that sounds like a good reason to me.


That's so reductionist as to be useless. What is a "good" reason? Are you a judge that will be presiding over these cases? Things like that are massive holes for litigation and the cause of all these compliance issues in the first place.


Every law will be interpreted according to its spirit, it won't be used like a hammer on anything... It's like HN suddenly discovers how a legal system works..


It has 99 articles arranged over 11 chapters. It does not "just [say] that if you are keeping data, you have to have a good reason for it".


Ok, sure. How do you interpret Article 6, section 1. Especially subsection f) ?

https://gdpr-info.eu/art-6-gdpr/


More than that, "compliance with a legal obligation" is specifically called out as one of the six legal bases for processing data.

It's like people are complaining about something they haven't taken the trouble to understand. That couldn't possibly happen HERE, the bastion of rational hacker ethic, could it?

I miss the days when "hacker ethic" meant weird Unix enthusiasts and not neolibertarian grifters...


Thank you for saying this, another thing that is ridiculously difficult is to delete specific user from all your backups. This is made even worse if you have multi region backups and cold back ups.

Even a one-year-old start up could have literally thousands of database dumps in different places if they followed best practice of triple redundant daily dumps.


The general recommendation is that if it's too difficult to purge specific users from your backups then:

* Have a clear data retention policy and make sure that all backups have an expiration date.

* Secure your backups with strong encryption to protect user data in the event of a leak.

* Explain it to the user when the account is deleted when the deletion will filter through your backups.

* Guarantee that if a restore is needed, their data will be immediately deleted from the restored system.


How do you keep track of what info needs to be deleted on restore without violating GDPR?


Save "on restore, delete all data sets pertaining to user id 47263".


You should be able to record the deletion request for the life of the backup and purge those records once the backups are deleted (all tied to the same rolling dates)


It sounds to me like this reflects more on the startup's sloppy practices than anything else. Prevalence of this bad practice shouldn't be an excuse for it.


Regular database backups are a bad practice?


Keeping a backup from a year ago when three backups from yesterday are available, is.


I mean, I see the general wisdom of what you're saying, but I think older backups are still good practice. I've seen it take almost a week for a data corruption issue to be noticed. Not crazy to think it'd take even longer, sometimes.


You have a month to delete data under GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-da...

I'd suggest this is a reasonable safety/compliance balance.


No, read again.


They also had 2 years to come up with a way to fix all of that and if they haven’t I don’t think it’s ok for them to be holding that information in the first place. GDPR does give a window for you to remove the data. They could delete the information from the backups over a period of time.


> Thank you for saying this, another thing that is ridiculously difficult is to delete specific user from all your backups.

You have to do very little if you're keeping backups for less than month, simply delete from the DB and wait for backups to age out:

https://ico.org.uk/for-organisations/guide-to-the-general-da...

If you are keeping for longer than a month be prepared to justify that.

> This is made even worse if you have multi region backups and cold back ups.

You should be automating this. I assume you're automating the dumps. Automate the deletion. Deleting three encrypted files off S3 every day really isn't particularly hard. I've written stuff to do this a bunch of times.

> Even a one-year-old start up could have literally thousands of database dumps in different places if they followed best practice of triple redundant daily dumps.

If you have backups sprinkled willy-nilly about the place that you may have lost track of then it shows you have a significant lack of care about my data, and so I don't want you to have it at all.


They'd also be spending a shitload for storing those dumps.

If information is backed up (in a way that it cannot be easily accessible and queried directly from the backup,) and the backups are stored securely, and there is a mechanism/policy (it doesn't have to be a purely technical measure) to replay the deletion in case if the backup is restored, you're going to be fine.


> We couldn’t afford a lawyer, and the amount of time for me (the only programmer) to go through and read all the regulations and make all the requisite changes in the product I would estimate might take on the order of a month or two, which if timed poorly would’ve killed our company. I say again: at an early stage startup with one programmer, you cannot have that one programmer spending two months on compliance.

"We couldn't afford a lawyer and the amount of time for me (the only chef) to go through and read all the regulations and make all the requisite changes in the kitchen I would estimate might take on the order of a month or two, which if timed poorly would’ve killed our restaurant. I say again: at an early stage restaurant with one chef, you cannot have that one chef spending two months on compliance."

Would you eat in a place like that?


Yes, in fact I think I have eaten at literally hundreds of places like that all over the world.

Also: your equivalency is ridiculous. I have had a "food manager's card", which means that I am certified to oversee an entire restaurant of chefs and cooks who all presumably have their own "food handler's card". The certification took about an hour. Food handler's cards take even less time, and you'll be shocked to know that many people working in restaurants don't actually have them.


>Would you eat in a place like that?

a vast majority of the food places in my home country were like that when I was growing up, and such places likely still make up a sizable portion of the food businesses down there now. I can't help but be a bit offended by this attitude, because it seems to not only be implying that these businesses are likely to be operating in bad faith, but that the world would legitimately be better off without them as well. It's great that you probably grew up and live in a situation where that might've been feasible, but I can't in good conscience defend those views having lived in places where such strictness is out of reach for most entrepreneurs.

The world isn't entirely comprised of Europe and North America.


> because it seems to not only be implying that these businesses are likely to be operating in bad faith

I think there is a subtle difference between negligence and bad faith.

> but that the world would legitimately be better off without them as well

Well, that's precsiely what laws forbidding businesses like that say. "We'd rather not have them if they can't stick to those rules."

Are you making the argument that the west is generally over-regulating food safety and public health? If so, on what basis? Looks to me like a variant of the old "when i was young we didn't have [seatbelts|gun regulation|hard hats on construction sites] and i turned out just fine!"


>"We'd rather not have them if they can't stick to those rules."

Right, but the alternative in certain situations is having no businesses at all, as was the case in my home country.

>Are you making the argument that the west is generally over-regulating food safety and public health? If so, on what basis? Looks to me like a variant of the old "when i was young we didn't have [seatbelts|gun regulation|hard hats on construction sites] and i turned out just fine!"

No, and again, it's offensive that this is legitimately the first thing that comes to mind when somebody from a developing nation says that it's local population has reasons for doing things the way it does. Nowhere was I arguing that public safety is a bad thing, and don't appreciate having words put in my mouth. I was merely stating the fact that businesses down there almost unanimously don't have the resources to be hiring lawyers, or whatever other services that they would need in order to guarantee compliance with overly strict regulations like you see in the west. If such regulations were in place, and they were strictly enforced somehow, what would happen is that nearly all entrepreneurship would disappear altogether, except possibly for the wealthy (which are often the most corrupt down there), or outside investors with potentially dubious motives for dealing with the local population. It would literally price-out the very people you'd be trying to help with your regulations.

I never said that situation was better than the west, or that things were somehow better "back then" (I much prefer living in the US today), I was saying it was better than nothing, and that these entitled western sentiments can't feasibly be applied everywhere to positive effect. Has it come to the point now that small villages will be needing to apologize to westerners for liking the convenience of having some semblance of commerce in their neighborhoods, due to all the benefits that brings, like not having to worry about cooking dinner in equally poor conditions every night at home? It's not an attack on the west, it's annoyance with the west's over-the-top moralizing of the choices different people make under constrained circumstances that westerners seem to forget exist.


I fail to see how any of this is offensive.

Do you find it offensive that people prefer to live in countries with a high standard of living if given the choice? Is that somehow disrespectful to the people who do not have that choice? Bringing emotion into this seems counterproductive.

Generally you seem to agree that regulation can be beneficial (if compliance is feasible).

I'm sure you also agree that you'd like the toys you buy for your kids in the US to comply with US safety standards, even when they're made in china, and regardless of whatever standards exist in china?


>I fail to see how any of this is offensive.

Because judging countries for not being able to meet standards its incapable of meeting is plain naive colonialist mentality. It's like criticizing a school yard basketball player for not being up to NBA standards, then getting mad when people point out that they aren't in the NBA. Like what are you expecting to accomplish by projecting your beliefs about regulations in a situation like that, and then acting as if people are attacking your way of life? Again, it must be really convenient to have been sheltered and only ever have known environments where abundant regulations are possible, but stop projecting your morals on people that live differently.

>Do you find it offensive that people prefer to live in countries with a high standard of living if given the choice?

I don't see the need for you to be asking such an obvious question, other than to intentionally try to put words in my mouth or paint some kind of strawman of my arguments. The answer should be obvious to anyone.

>Is that somehow disrespectful to the people who do not have that choice?

No, but accusing people of suffering from some kind of cognitive bias ("when i was young we didn't have [seatbelts|gun regulation|hard hats on construction sites] and i turned out just fine!") when all they're doing is explaining why a certain situation is the way it is, is definitely disrespectful. Again, re-read my original comment: nowhere was I even remotely attacking western standards, yet you chose to respond to it by criticizing someone for explaining how they lived through sub-par circumstances. Like seriously, what need was there to get all holier-than-thou about this?

>Generally you seem to agree that regulation can be beneficial (if compliance is feasible).

Only up to a point. I am generally pessimistic about how government intervention in the free market tends to turn out. I'm an entrepreneur here in the US, and enjoy some of the luxuries the US has compared to my home country, but I'd be lying if I didn't think certain regulations were hindering my ability to even start certain businesses (not because I try to do anything questionable, but because I have ADHD and literally can't stand to jump through endless hoops and file mountains of paperwork). I've already switched states once here to move to one that had more favorable business regulations than the one I originally came to.

>I'm sure you also agree that you'd like the toys you buy for your kids in the US to comply with US safety standards, even when they're made in china, and regardless of whatever standards exist in china?

What does this have to do with anything? I'm not opposed to businesses following the regulations of the countries they intend to do business in. The problem with the GDPR is that now a lot of businesses that weren't even intending to do business in the EU, now have a huge universal liability on their hands. Yeah "they've had enough time" and all that, but that still doesn't change the fact that the EU has done the equivalent of police china's toy manufacturers according to its own standards, simply because these toys may potentially get shipped to the EU at some point. It's not the same as having a requirement that toys entering the country meet a certain standard, because a public web server can be accessed by anyone at any time, even if the host was never intending to serve EU people specifically.


Yes. Shove perishables in a refrigerator/freezer, cook any meat thoughly, slap an allergy poster somewhere, and then allocate 30 minutes a night to cleaning and you're 95% of the way there

In contrast there's so much FUD surrounding this bill that you'll end up having to hire a lawyer to figure out how to clear up your EULA without accidentally leaving a loophole for the predatory lawyers on the American side that are partly the reason those EULAs are such a impenetrable wall in the first place


> My biggest fear is that all of these complex bureaucratic laws are just raising the bar for doing a startup.

A senior executive at a large bank once told me "that's the idea!". Specifically, complex and onerous regulation makes it a lot harder for upstarts and, while costly for large established players, they can bear it.


I'm in the US and I can't agree with this sentiment.

1) Don't collect more information than is necessary to provide service. Why do you need to care about someone's physical address? "Shipping physical product" is a good answer. Why do you need to maintain historical usage data? "Providing user the ability to view their own usage history" seem acceptable. If any of your answers involve "Just in case", "because marketing said so", or "I don't know", then your plan smells. If you think you need to make money selling my data, think again: maybe you should be charging me enough to cover your costs and make a profit; or if you already are doing that and you still want to sell my data, the you should just stop being greedy.

2) Allow the user to fix incorrect data. I mean, you wrote it to a database at one point in time, you can issue UPDATEs to allow the user to edit information.

3) Remove data when it's no longer needed (e.g. when it's out of date, or when a user says "I'm outta here") If you can't be arsed to figure out how to properly delete data from your database, or hire someone who knows how, then I suggest you're not really dedicated to the business of creating software of value to customers.

4) Provide all of a user's data to that user. It's right there in your systems, and your software is accessing it to make decisions, provide service, etc. How hard can it be to put it all into some CSV files to download? You don't have to copy the users rows from your MySQL tables into a SQLite database that the user can download. Some files with basic explanation of content will suffice.

Yep, it raises the bar on what's "bare minimum" to get your company going. But keep in mind this is more 'line of business' than all the other requirements foisted on you by the law: things like corporate structure, taxes, occupancy permits, etc.

VC firms pair your technical ability with another founder who, presumably, has more of a business bent. That person should understand how to set your business up and how it's regulated - and if not, know where to find answers.

You sound to me like all the GOP whiners about how "regulations hurt business" who fail to see that lack of regulations hurts consumers.


> Most early-stage startup use the best practice of “delete=1”

Honestly that's a bad best practice if the data your collecting is sensitive, which PII is.


It's not so easy. Someone buys a book. Transaction is recorded, and now we know total book sales.

Someone says "delete me and my purchases", so you do, and oops - total book sales are now wrong.

There's ways around it, obviously. But they are not easy. Much easier to just mark as deleted.

Another example: Threaded conversation - someone deletes their post, and oops all the replies are now orphaned.


> Someone says "delete me and my purchases", so you do, and oops - total book sales are now wrong.

Erase the name and address fields from the user in the database. You don’t have to delete any line, and that person doesn’t have any personal info in your database anymore. Problem solved.


Two days later the customer files a chargeback with their credit card company and the credit card company wants you to provide documentation for the transaction.


Then you have a legal obligation to keep the data, which counts as one of the valid reasons for keeping it, AFAICT.


Credit card company is not a government. It's helpful for business purposes to have records, but it's not always a legal requirement.

Anyway this stuff is super complicated and there's no rollback for data that was mistakenly deleted and shouldn't have been, so the point is there are layers and layers of complications and scenarios and it's not as simple as everyone likes to make it out to be. It's not impossible, but it's definitely a lot of difficult work.


IF my understanding is correct, you can actually keep a denormalized version of user information (name, shipping info etc) and still be compliant, assuming you do not use that billing information for any purpose other than billing.

The "right to erasure" isn't as strict as the "right to be forgotten" -- You (the end-user) would need to prove that merely having your name and address in billing records violates your right to privacy. And to make that argument you'd have to provide evidence the business is using said information for purposes other than billing.

Personal data can be used lawfully to "fulfill contractual obligations with a data subject" (eg: fulfilling a purchase, and retaining information for warranty/returns/RMA etc purposes) and "To perform tasks at the request of a data subject who is in the process of entering into a contract with the controller. " and "For the legitimate interests of a data controller or a third party"


Assuming the remaining data can't be used to deanonymize them. This solution buys into the myth that anonymizing data protects PII.


"Anonymizing" would be replacing each user's PII with a value that's unique to that user. Instead, you could just blank it out or overwrite with universal "data removed because of GDPR" token.


That highly depends on the DB used. If you're using a log structured database, it's possible the original data could still be there. Immutable databases that never delete or overwrite entries exist.

And what if the PII is stored in a blockchain? Then what?


> And what if the PII is stored in a blockchain? Then what?

No clue. But I can't wait for that to be tested, because I'm very curious what the solution will turn out to be.


Mostly solved. Anonymized data sets can sometimes be de-anonymized if the conditions are right and external factors can be applied.


Someone says "delete me and my purchases", so you do

In many cases, that will be your mistake. The right to erasure is not absolute, and if you need to keep those records for a good reason -- for example, as evidence to support tax returns or defend chargebacks -- then you are entitled to refuse to delete them and to continue processing them for the necessary purposes. Otherwise mortgages would suddenly become a very fast way to send lenders under, since everyone could just demand they delete all identifiable records of who owes them money...


Great, so now we get to spend money on lawyers and time in the courts to decide what information falls under “OK to keep for a good reason”


I couldn't agree more. The rules about erasure are full of holes like this. So are the rules about legitimate interests. And those represent, respectively, probably the most significant new subject right and probably the most common lawful basis for processing that isn't strictly necessary for some sort of legal compliance.


No, if you say you need the information for tax purposes (say) then the user will complain to the data protection authorities. These authorities will then accept or reject the complaint, and if accepted will help you to come into compliance.


The trouble is, that's an assumption on your part, and it might not be a valid one. We have no idea yet how 28 different regulatory authorities will handle this sort of situation, or how much of an effort they will expect controllers and processors to make on their own if they are to receive the benefit of the doubt. And even if everything you assume proves to be correct, any formal interaction with authorities is stressful and expensive for a small business with limited time and resources available, and being confident that you aren't doing anything wrong in the first place is obviously preferable.


A simple example: another law requires it.


Your bank's requirement to verify a chargeback is not a law. It's a business contract.


And therefore saving the data is allowed.


Not necessarily. The performance of contract basis under the GDPR is for contracts with the data subject. You can't just agree a contract with some arbitrary third party and use that to circumvent any subject rights you don't like.

For data processing purposes like this, you will normally have to rely on the legitimate interests basis. That's the one with the almost entirely non-specific definition, combined with the almost entirely non-specific balancing requirements.

With a case like defending an unjustified chargeback, we might assume that the interest is surely both legitimate and overriding, but even that is only a personal view and not something any regulator has explicitly addressed in guidance, as far as I'm aware. In any case, plenty of other scenarios won't be so black and white.


More GDPR strawmen.

If a user requests deletion, assign anyYassociated entities (eg purchases, conversations etc) to an anonymous user. Or, keep the original user record and just blank all of the fields. You've had two years to think about these problems.


What about if you need to report any payouts made to an individual as required by a tax authority? How are you also supposed to delete all their information and be in compliance with tax law? You can't say, "I paid <ANONYMOUS> 12,152.00" in 2018.

Edit:

Ok, looks like there is a clause for these scenarios:

"However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for COMPLIANCE WITH A LEGAL OBLIGATION, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims."

Then there's:

"It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller."

And, in terms of technical burden at least it seems like they try to alleviate it somewhat...

"The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible"


It’s only a strawman if you assume that everybody knows the right way to do everything. There was nobody around when I did my start up to tell me how to do all of this stuff.


The entire point of GDPR is that it creates a set of requirements, and allows you to make decisions in your professional judgement to fill those requirements. This is no different to how management in any software company will present business requirements for the software you are to make, and request that you decide the technical implementation. That's your job if you're a developer.

As long as you're confident enough in your PII solution to be willing to present it in front of other software developers who have been called as expert witnesses and declare that it meets the GDPR requirements, you can pick any "right way" you like to meet those requirements.

If you think it's an unreasonable burden to have to make PII handling solutions that are robust enough that you can honestly defend them in court if challenged, maybe you shouldn't be handling PII. Like, at all.


I’m not confident in anything I’ve written ever to have it picked apart by a team of expert witness programmers. Maybe that means I have no business working at a startup. Maybe we should think about the implications of that.


>I’m not confident in anything I’ve written ever to have it picked apart by a team of expert witness programmers.

Then you shouldn't be handling PII, any more than you should be handling credit card details, genetic information or military intelligence.

>Maybe that means I have no business working at a startup. Maybe we should think about the implications of that.

The EU has, and has decided that having seen the alternative, it would rather just not have the startups. I think that's a reasonable position to take.


> Maybe we should think about the implications of that.

A good thing because it means startups stop playing fast and loose with my data. These are just growing pains. In a few years, enough stuff will be written online about best practices to stay GDPR compliant. The new guys can follow that.


[flagged]


> Part of creating a business is figuring out how to do things that won't get you sued into oblivion.

The harder that gets, the fewer businesses there will be.

If you look at businesses that managed to exist, sure, you'll see stories of how they used their "innovative entrepreneurial spirit" to triumph over every obstacle. Hurrah! What you won't see are the companies that just barely weren't able to exist, the ones that didn't quite make it through every hoop -- and it is this unseen cost that should keep every regulator up at night.


> The harder that gets, the fewer businesses there will be.

And at what point is it more important to have more businesses than it is to have more businesses that treat consumers fairly? Usury laws have eliminated some companies, reigning in student loan companies would probably eliminate a few more. But that's a balance deemed worth it because usury is predatory and harmful. Profiting by being lazy and sloppy with people's personal information where the risks (e.g. identity theft) are huge isn't a particularly well balanced justification for "more businesses above all else".


Continue to set deleted=1, but also now just set name="DELETED" and email="DELETED@DELETED" at the same time?

You don't need to actually delete the row, just overwrite the information which you no longer have consent to store...

This is obvious isn't it?


update books set total_sales = total_sales+1;


Before GDPR: You had to decide whether you could take the time to do right by your users w.r.t. privacy, because your competitor certainly wasn't.

After GDPR: Everyone's required to do it, so at least you don't have to worry about your competitors.

That's what this is about: Self-regulation failed. Here's the externally imposed regulation. Be thankful it's as well-written and aligned with our interests as it is!


The transition period will be difficult for some people, but I think that GDPR will probably be good for the world in the long-term. New companies will start building their systems correctly from the beginning, and, ideally, the law won't be too heavily enforced on small companies during the transition period. The next generation of programming tutorials will show people how to build things in privacy-conscious ways.

I don't think that blocking Europe with Cloudflare is a good idea. How is blocking Europe going to fix the problem of already having European data in your databases?


Maybe. It is more likely the United States will create the opposite regime. Since all major Internet software firms are American or Chinese it is also possible that the EU May sideline itself.


I think it's more likely that other countries will adopt similar data protection rules (and they should).


Why do you think that likely? I don't think it is at all likely, the CIA et. al. like facebook too much.


I disagree strongly. "...cascade delete is only easy if you’re a very experienced programmer or who knows what he’s [sic] doing." No it's not. Nothing could be easier than foreign key constraints & cascade deletes in a relational database. It's literally "built in."

If you're a garage-startup, you're unlikely to be slapped with fines under GDPR. Let's be honest- if you're a garage startup you're lucky to be noticed by anyone, much less European regulators. The argument expressed here is sleight of hand: complaining about the supposed impact on "the little guy" when the regulations themselves are designed to target Facebook & Google (among others) specifically.

The regulations are not that complex, they just require a new standard of respect for users, one that we should have always had as an industry. The fact that we had to wait for regulators to force this on us is our shame, no one else's.


> If you're a garage-startup, you're unlikely to be slapped with fines under GDPR. Let's be honest- if you're a garage startup you're lucky to be noticed by anyone, much less European regulators.

You might be noticed by your competitor, who reports you to the regulator.

> The argument expressed here is sleight of hand: complaining about the supposed impact on "the little guy" when the regulations themselves are designed to target Facebook & Google (among others) specifically.

No, that is not how they are designed. They might have been motivated by the behavior of Facebook and Google (or not, who knows actually) but they have been designed to target the big and little guys equally. Many GDPR proponents here in comments espouse that as a good thing.


And if you're flagged to the regulator, what do you think is going to happen?

They'll contact you and let you know there's a problem, and you need to fix it - that's it.

If you continually flout the regulations after being warned then sanctions will be escalated.

Half the world is running around saying "I'm going to be fined 20 million euros!" and it's just fear-mongering.


Even if you delete it from disk and remove from memory, you may be required to remove it from offline backups too like tapes and other media.


You don't necessarily have to delete stuff from cold storage right away. You just need to have a process to remove deleted PII when you retrieve/rewrite your backups.


This might be a bit of a weird question, but how do you remember which information needs to be deleted when you're at the point where you need to use backups?


You would keep a list of unique identifiers (opaque) that were deleted and filter data out prior to rewriting/restoring it. It’s cumbersome but not impossible.


So I need to keep a list of people to delete from my backups when I restore them? Is keeping that list even GDPR compliant?


The gist seems, if you are sticking your fingers into your ears hard enough and shouting loud enough, it should count, maybe, in at least most European nations.

But remember, strictest interpretation wins.


So you then need to make sure that dataset is at least as resilient as your cold backups. That's not exactly a trivial problem in most cases.


So basically more work.


[flagged]


>Why not throw your trash on a neighbor's lawn? Why not enslave your workers so you don't have to deal with turnover and hiring replacements? Why dont you stop paying taxes so you don't have to do work to get the same amount of income as you would without taxes?

None of those examples make sense from a classical economics perspective, nor would they be considered sustainable from a game theoretic perspective either.

Meanwhile, not complying with the GDPR doesn't seem to have any obviously severe economic/game-theoretic consequences if you're not based in the EU, or don't already have a large profitable presence there. So it's a bit disingenuous to just lump it in with all those other behaviors.


>None of those examples make sense from a classical economics perspective, nor would they be considered sustainable from a game theoretic perspective either.

Please explain how. Not complying with the GDPR doesn't have any obvious consequences because every company that sells user data is pushing their negative externalities onto others. The GDPR is trying to make it so that the people creating the negative externalities are the ones paying for them


>Please explain how.

Assuming you legitimately want to know, and aren't just trying to ask a pointed rhetorical question, ok:

>>Why not throw your trash on a neighbor's lawn?

Because unless you like having other people's trash on your lawn, a simple tit-for-tat strategy in game theory would suggest that it's in your best interest to not do that yourself either. In other words, the most sustainable course of action in this case is to follow The Golden Rule ("do unto others as you would like them to do unto you").

The thing with the GDPR, is that the parties involved in the game are you and the EU government, and you not complying with the GDPR by just refusing to serve EU customers doesn't put you in line for any kind of equivalent retaliation if you delete all your EU user data first.

>>Why not enslave your workers so you don't have to deal with turnover and hiring replacements?

Because in a developed free market economy, that business strategy is doomed to fail, since your workers can choose to go work somewhere else that has more favorable conditions, and will likely warn any potential future workers against working for you. If you maintain these sorts of business practices long enough, eventually your pool of workers to choose from will shrink to the point where you'll no longer have enough viable candidates to replenish your workforce.

Similarly, if your business is in fact collecting sensitive data and abusing its use of it for shady purposes, your customers will eventually start looking for a way out of dealing with you (as is possibly the case with facebook right now).

However, the key distinction that seems to be missed by a lot of people here, is that not complying with the GDPR does not inherently guarantee that a business is either collecting dubious data, nor that it's doing shady things with it. And this is a result of the fact that companies around the world are not obligated to conduct business in the EU. If they magically were obligated somehow, it'd be a different story, but that's never going to be the case.

For example, if a new business starts up in the US right now, it will not actively have any EU user data yet, but could still opt to not comply with the GDPR purely because of the overhead costs, and just block EU users altogether in order to avoid any hassles in the future. Does this mean that the business is doing questionable things with user data? Obviously not, since it hasn't even had a chance to collect any data yet, but clearly it positioned itself in a way that it found to be the most advantageous for its given resources, at the detriment of any potential future EU users, without risking any obvious repercussions other than having a slightly smaller potential market. If all of its competitors decide to comply with the GDPR and serve EU customers however, then the strategy could turn out to be a losing one, but it's far from a given that this will happen.

>>Why dont you stop paying taxes so you don't have to do work to get the same amount of income as you would without taxes?

Because not paying taxes will get you jail time and/or non-trivial fines in pretty much every country you could possibly be based out of. I know there are quacks in the US that claim you can "legally" not pay any income taxes, but none of those crazy arguments have ever stood up in court, and have historically landed tax avoiders that tried to argue for them in jail. Regardless of how you feel about taxes, needlessly incurring large fees and/or landing yourself in jail, just isn't gonna be good for business, so it's in your best interest to pay them even if you're a raging psychopath/narcissist.

>Not complying with the GDPR doesn't have any obvious consequences because every company that sells user data is pushing their negative externalities onto others.

Not complying with the GDPR != selling user data.

This argument is moot because it doesn't logically follow that not complying with the GDPR necessarily produces these "negative externalities" that you're referring to. Therefore, it doesn't explain anything about why not following the GDPR doesn't have obvious consequences. Refer to my hypothetical startup example above for elaboration, because this is an example of conflating "data collection/dubious practices" with "GDPR compliance", which are two very different things.

>The GDPR is trying to make it so that the people creating the negative externalities are the ones paying for them

I agree that that's what it's trying to do. Unfortunately, it seems like it might be having some unintended consequences along the way regardless.


>Because unless you like having other people's trash on your lawn, a simple tit-for-tat strategy in game theory would suggest that it's in your best interest to not do that yourself either.

That's why company's trash the commons instead of someone's direct property, and then zealously guard their property rights. With actual trash it's dumping into a river instead of a front yard. With personal data they spend millions to suck up and infer personal data and then spend more millions guarding all of their information with lawyers crafting NDAs, obfuscateing their information with accounting tricks, and suing people or trying to bring criminal charges against people who gain access to their information.

When a company puts a secret tracking pixel on a website that users don't know about, it's good business. When an individual puts a secret program in an email the company doesn't know about, that's hacking and they need to go to jail.

>Because in a developed free market economy, that business strategy is doomed to fail, since your workers can choose to go work somewhere else that has more favorable conditions, and will likely warn any potential future workers against working for you

I'm not sure you know what enslave means. People wouldn't be allowed to leave.

To the rest of your point there, the argument that, "the market will respond to people's preferences" doesn't work with such one sided information. Sure people are leaving Facebook, but to go where? Instagram, another Facebook property that steals data? Snapchat, a different company this time but still stealing data. Cambridge Analytical has had to close up shop due to outrage, so they just reopened under another name so that most people will be unaware. Same with Blackwater -> Xi -> Academi. The entire Industry is engaging in these tactics and only dealing with the cost of renaming or a PR push because it is so lucrative. The GPDR is the EU's attempts to make it not lucrative anymore and allow for other business models to now be viable because they don't have to deal with shitty companies making a ton of money off of stealing data from people.

>Because not paying taxes will get you jail time and/or non-trivial fines in pretty much every country you could possibly be based out of.

And now not following the GPDR will get you serious fines followed by jail time if you continually flaunt the regulators. Literally everytime you said "pay taxes" in that paragraph could have been replaced with "comply with GPDR" and it would have been just as accurate

>This argument is moot because it doesn't logically follow that not complying with the GDPR necessarily produces these "negative externalities" that you're referring to.

It's not moot. Even if you don't sell the data, you are creating a pool of user data that is valuable to steal, and the constant stream of breaches from companies ranging to startups to enterprise is evidence that security is extremely difficult if not impossible. Look at the Equifax breach. They didn't have to sell any of that data for the breach to have caused actual damages to both users who had done business with them, and people who had never even entered into an agreement with Equifax. That is a negative externality generated entirely by the company.

The GPDR allows individuals to now say, "no I don't trust you to hold my data".

>I agree that that's what it's trying to do. Unfortunately, it seems like it might be having some unintended consequences along the way regardless.

Everything humans do has unintended consequences, that's a feature of not being omniscient, but using that as an argument for not trying something like the GPDR is disenguous.

If this was the governments first warning shot against data collection companies I'd probably be in the camp that thought it was going to far. It's not though, there was the cookie law, the DPD, and warnings from the government. The corporations have ignored the intent of all of them and gone on with business as usual. So now that trying a weaker form of regulation has already been done and failed the options are to let companies continue as usual and continue to harm society, or create a regulation that has actual teeth to it and starting doing a governments job of protecting it's people. Everyomes entitled to their opinion, but I am firmly in the camp of actually forcing companies into stopping this practice


>I'm not sure you know what enslave means. People wouldn't be allowed to leave.

Ok, apologies for thinking we were discussing a more mundane/realistic scenario then. However that kind of slavery that you're talking about is very niche and not something that could be universally applied by any entrepreneur like you seemed to be suggesting. Furthermore, it'd be illegal pretty much everywhere, and you'd end up in the same sort of scenario of tax avoidance where it's still in your best selfish interest to comply with the law anyway.

>"the market will respond to people's preferences" doesn't work with such one sided information. Sure people are leaving Facebook, but to go where?

Going nowhere is also a feasible option by the way. People lived just fine without having any kind of facebook/snapchat/instagram/etc not that long ago, so there's no reason why they couldn't just go back to that if the alternatives are distasteful enough. I know that's certainly the path I've taken. It may be a minority stance still, but give it time, the markets don't just respond to abstract things like this over night. I'd wager that we won't be able to adequately gauge the real effects of these sorts of privacy breaches until at least a couple decades from now, because the whole questionable online advertising industry isn't just going to run out of money and disappear that quickly.

>And now not following the GPDR will get you serious fines followed by jail time if you continually flaunt the regulators.

Did you skip over the example in my comment of that not being the case? If you don't do business in the EU (e.g. by range-banning them), and aren't holding on to EU user data, then you're not facing any consequences, plain and simple. Doing that doesn't mean you're complying with all that the GDPR is requesting either, so you can't just hand-wave it away as if that were the case.

>Even if you don't sell the data, you are creating a pool of user data that is valuable to steal

Once again, not following all the little rules that the GDPR entails, and/or not doing business in the EU, does not logically imply that a company is even collecting sensitive data in the first place. A small static site could potentially still be non-compliant if all it does is collect ip addresses in its server logs, or uses a 3rd party analytics service of any kind (without keeping any of the actual data itself).

I'm not arguing that amassing pools of personal data are in any way a good idea for anybody, but that's a separate issue than the one of "is it worth it to comply with the GDPR?", which is how most entrepreneurs outside the EU will inevitably approach the problem, even if they weren't planning to collect data. For example, startups will now have to consider if they'll ever collect any kind of data at all, at any point in the future, before they even decide to start, just so that they know whether or not it's in their interest to try serving the EU market at all, even if they have no plans to collect data yet. You could argue that the GDPR will disincentivize such activity and make entrepreneurs think twice about it, but most likely, the path of least resistance for them will just be to range-ban the EU.

>but using that as an argument for not trying something like the GPDR is disenguous.

No one is saying the EU shouldn't have tried passing the GDPR. What's actually happening, is a discussion between businesses/entrepreneurs outside the EU about whether it's worth it to comply with the GDPR or not. I have yet to see anyone legitimately advocate for it to get repealed or anything like that. We're all just looking out for what the best strategy to take is now that it's in place, and it seems like people in the EU are getting upset that not serving EU users is even being taken into consideration as a serious option, when it's a perfectly rational course of action for any outside business to consider.

>Everyomes entitled to their opinion, but I am firmly in the camp of actually forcing companies into stopping this practice

Right, and I'm in the camp that it's your right to try and do so, but also I'm pessimistic about using force to achieve this as opposed to starving the market via ubiquitous ad blockers and things like ad-nauseum. Only time will tell if the approach was successful or not.


Yes, so just block EU. End of story.


I mean yeah. I think it's leaving money on the table, but it's certainly a valid option as long as you aren't processing EU residents personal data in violation of the GPDR still and have money/assets flowing through the EU.

If you don't have anything within their jurisdiction there's not much they can do to you


You need backups of which information needs to be deleted. Or you can just store PII separately from the rest of your data so most of your backups don't need to be modified.


How long are you keeping backups in cold storage for - usually you'd want maybe 6 months there, but no more, otherwise it's just going to grow unbounded and become a financial burden.


That's certainly a valid point, but it still doesn't solve the problem of having to remember to delete something in the event of data loss.

As far as I can tell to comply with a deletion request with absolute certainty requires infallible storage (which would remove the need for backups) or modifying backups (which contradicts the concept of a backup). Maybe you can claim 'force majeure' at some point, but perfect compliance seems impossible.


It's impossible to have absolute certainty about almost anything. That's not what the law requires.


And remove it from the off site backup, like AWS, which helpfully makes copies of the backup data, and you have to remove it from all of them.


Presumably you are also required to delete it from any training data for an ML model, does that make any models trained on previous set of data illegal to use?


Are the weights in the NN “relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”?

If not, then it isn’t personal information.


Not true.


> Not true.

... unless you plan to use the backups.

Then you have to have another service that tracks entities to delete when a backup it's restored... and back that up separately.


If you back up a list of things to delete is that GDPR compliant? Ponder.


> If you back up a list of things to delete is that GDPR compliant? Ponder.

There's little to ponder, that's why I mentioned "entities" rather than "user data." Use unique keys to reference the data rather than sensitive identifiers. The nontrivial part is storing your backup of entities to be deleted in a way that doesn't get destroyed at the same time as the event that forces you to revert to a backup. This now requires a separate storage, backup, and retrieval mechanism to maintain compliance.


> Use unique keys to reference the data rather than sensitive identifiers.

This is terrible advice. All identifiers are PII and covered by the GDPR, not just the "sensitive" ones.


The GDPR does not use the term "personally identifying information" anywhere in the text. Using that term suggests that you either haven't read the text or haven't understood it.

"Personal data" (the term actually used in GDPR) means any information relating to an identified or identifiable natural person. The GDPR specifically states that the regulations do not apply to anonymous data. A list of unique keys marked "never restore this data from backups" is not personal data. The data associated with those identifiers is not personal data if it cannot be associated with an identifiable natural person.

https://gdpr-info.eu/art-4-gdpr/

https://gdpr-info.eu/recitals/no-26/

Quantum has produced a very useful white paper on GDPR in relation to backup and archive systems.

https://landing.quantum.com/GDPR_WP_0118_RP.html


You italicized the wrong data here: "Personal data" means any information relating to an identified or identifiable natural person"

Here's how to read it: "Personal data" means any information relating to an identified or identifiable natural person"

The "any information relating to" part is exactly the "unique keys" that you seem to think are not covered. The uniqueness and mapping to a person is literally the problem.

And re: PII, seriously? You're upset because I didn't type out "Personal Data"—even though you knew exactly what I was referring to, as did everyone else? Fight bigger battles…


>"any information relating to" are the "unique keys" that you seem to think are not covered. The uniqueness is literally the problem.

The uniqueness is completely irrelevant unless it identifies someone. If there's no way to trace that unique key back to the identity of a natural person, then it isn't an identifier within the meaning of the GDPR and the data associated with that identifier isn't personal data.

>And re: PII, seriously? You're upset because I didn't type out "Personal Data"—even though you knew exactly what I was referring to, as did everyone else? Fight bigger battles…

It's a highly significant difference. Other legislation talks about "personally identifiable information" - in the US, NIST define a finite list of things that constitute PII. The GDPR talks separately about "personal data" (stuff you know about someone) and "identifiers" (the information that ties the data to a natural person). Lots of stuff that isn't PII is personal data. Data can become personal data through association with an identifier or cease to be personal data through anonymisation. Apropos of nothing, PII isn't necessarily personal data. Without that distinction, large parts of the GDPR are incomprehensible.


I couldn't disagree more with your understanding of the legislation.

If I discovered your company was storing my personal data under "unique keys" that considered by themselves didn't personally identify me, I'd report you to my GDPR regulator immediately.

Unique keys with no personally-identifiable data in the key aren't some sort of innovative workaround that will allow you to store my personal data without my consent. It's not even remotely consistent with the spirit of the law, and IMO, with the plain text of the legislation.


If data is stripped of all identifiers that could be used to associate it with a natural person by any reasonable means, then it isn't personal data. If a unique key could in any way be used to identify a natural person, even indirectly, then it constitutes an identifier and any data associated with it is personal data.

https://gdpr-info.eu/recitals/no-26/

A salted hash of your IP address is an identifier, because it can be used to indirectly identify a natural person. If I see the same IP again, I can hash it with the same salt and check for a match. The IP can then be used to identify you through your ISP's DHCP logs. If I associate the hash value with any other data, then that data becomes personal data.

If I delete the salt value, then it's impossible for me to match the hash to an IP, so the hash ceases to be an identifier. Assuming that the data associated with that hash does not contain any other identifiers, or data that when combined in aggregate could identify a natural person, then it ceases to be personal data.


Has that interpretation changed? I recall reading that in some circumstances it could. Or was that misinformation?


No-one actually knows. What constitutes erasure and how to deal with all the edge cases around backups, archives, unstructured data and so on is one of the big ambiguities under GDPR, and one of the areas most in need of (but mostly lacking) actionable guidance from official sources.


I'm surprised with the law being around for 2 years nobody has received the official guidance needed.


The law might have been around for 2 years, but in practice many smaller organisations didn't find out about it until a few months ago. Much of the official guidance is more recent even than that. And much of that guidance doesn't really help anyway, because it is often almost as vague and/or incomplete as the original regulations themselves. Questions about numerous everyday issues that will affect literally millions of businesses across the EU are still lacking useful answers.


I'm kind of surprised by the number of people surprised that companies are thinking this way:

If GDRComplianceCost > EUVisitorProfitMargin Then BlockEUVisitors


Yep. Doing a one person startup (in the US) I absolutely do not have time (or money) to mess around trying to figure out GPDR compliance. I'm not selling data to anyone, and I'm not collecting anything beyond an email address during sign-ups at this point, in any case. If a user decides they want to store PII or other sensitive data on my system, I can't stop them, but I'm not going to go combing through their data in order to sell it either. Most likely I'm just going to have to avoid doing business with Europe for the time being.

A quick read of some of the provisions of GPDR immediately brought to mind this passage from Atlas Shrugged:

> “Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with.”


Sounds like you wouldn't have to change anything then.

Make extra personal data stuff opt-in, rest should be the same as usual.


Incorrect: Even a single person company described above will still need to handle GPDR requests. The operational requirements is not 0 even for a company retaining no unnecessary records.


> the requirement that you can permanently delete all of your information. Most early-stage startup use the best practice of “delete=1”.

What's your system for dealing with COPPA then? You're required to have a way for permanently removing data of children.


COPPA only applies to sites that are directed towards children or have "actual knowledge" that they're collecting data from children. It's legally sufficient to ask for birthdays and refuse signups from anyone under 13.


Can companies do the same here?

“Are you in the EU? Y/N”


When you learn that someone lied and they are under 13yo, the rule applies again.


I'm not aware of any rule or case which supports this claim.


It doesn't have to be a specific rule. You learn that the age declaration was invalid so the "§312.10 Data retention and deletion requirements" applies unless you have a verifiable parent consent.


Not many companies are going out of their way to learn that their users are lying about their age.


Honestly? During the first year of our start up, I didn’t have time to understand all of that stuff so I just put a checkmark on the sign up that users were over the age of 13, and moved on.


COPA was struck down by the courts last decade.



I get where you’re coming from, but maybe the bar has to be raised. Computing has gotten more capable and software frameworks are exponentially more powerful than they were even 20 years ago when the internet started going bananas.

The barrier to entry is so low that anyone with a credit card can setup complex IT environments quickly and collect valuable and sensitive information with no consequence to the principals.


Many industries are already like this. Certainly anything that touches securities laws or payments. Or safety regulations, or government customers. It was once possible to start a bank (Goldman Sachs origins buying receivables), a hedge fund, PayPal, etc etc without heavy compliance costs and infrastructure. Then things change. Though GDPR has a longer history, the US election showed that data-collecting people-connecting internet companies can do even more systematic damage and e.g. permit more foreign election manipulation than any one financial institution.

They might not crash an economy but they can crash a democracy.

So really the regulation is somewhat deserved and levels the playing field with other industries that have the potential to damage society.

Personally I wish two people could start an internet company or a bank or an exchange or an investment fund without deep pockets for compliance and legal. But it’s no more. Mourn it and think about the next sector that is open for growth.


First off, the GDPR just harmonizes existing data protection laws, and increases the associated penalties to give those laws teeth. If you need to do something fundamentally new today, you probably broke these laws yesterday already. Stop whining because you feel forced to comply now, just due to the fines having been increased. That's a basic risk of entrepeneurship.

Next, something like the deletion right has to submit to other laws that mandate data retention, like having to keep sales and bookings records for 10 years due to tax laws. If you do a cascading deletion in your data set, you're probably breaking these, so flagging records as deleted, or moving them to an archive to comply with these other laws still is perfectly find.

So this is just another regulation a startup has to think about. It's way easier than, i.e., tax laws, so please. Just stop panicking -.-


Regulations absolutely raise the bar for new companies and give an unfair advantage to established companies who can afford the legal costs and additional staff. If I were a strategist for a large corporation, I would push for regulations that would hurt smaller competition.

Startups that specialize in easing the pain of compliance do help. I recently had to implement tax collection in an app and a third-party API saved me a lot of work. However, it was still a drain on resources and took over a month to implement and test.

I don't know a lot about GDPR, but the requirement to permanently delete all your information is absurd, especially if you need that information for a legal context. What if a customer sues you years later and you've deleted all their information? I don't get it.


As the solo developer/cofounder of a two man business I have absolutely no time to worry about these things. Only a few days ago I've googled GDPR to get a facile understanding of what it is.

If at some point I create something that is large enough to matter, I can worry about it then and will have the resources to do so. Until then I'll continue working on software as if it does not exist. It's hard enough to build a profitable product that is valuable to people, don't need to think about any laws handicapping my creativity and design decisions.


> Do you have any idea how much it would cost to have “your lawyers” go through the GDPR, tell you what you need to do, and deal with all of the edge cases and gray areas? $20k or $30k doesn’t seem too high.

The worst thing is those who can afford the $300k lawyers to get away with doing whatever to my privacy.


So . . . what we have here is a law that assumes that if you are a good enough engineer to create software that makes money, you are a good enough engineer to comply with the law, given two years' notice.

I don't have a problem with that.

If the law has a side-effect of people who suck at understanding and organizing and managing data responsibly not starting companies and making money off of data, I'm also okay with that.

Maybe the days of two guys starting a company in a garage learning how to handle other people's information before they start a company dependent on it is just beginning.

I'm also okay with that.

You don't have a right to be incompetent. You don't have a right to be clueless when it comes to databases and information. You especially don't have a right to take advantage of other people who don't understand exactly what it means when they agree to a ToS page.

The reason there are so many comments to the effect that this is a non-issue is that it's just not hard to comply unless the business you're running is doing something shady. There is nothing technically difficult about complying with GDPR. If it's hard for you and everyone in your company, I don't know what to say. Hire someone who doesn't suck at this.

This is only difficult from a business point of view. Not a technical one.


> Most early-stage startups use the (in 2008, when I did mine) best practice of “delete=1”. Changing your whole database over to permanent cascade delete is only easy if you’re a very experienced programmer or who knows what he’s doing.

If you can't handle cascading deletes, continue to set delete=1 and overwrite the other columns with random data / empty strings / whatever.

Less risky than implementing cascading deletes, but still effectively gets rid of PII.


I think businesses should just charge EU customers more for their products, in order to make up for the compliance costs of GDPR. That should make most people happy.


Great! That opens the door for other startups that ARE responsible with people's personal data.


> Most early-stage startup use the best practice of “delete=1”

Who are you people who can’t/won’t actually delete something from your db’s?


DBs, memcaches, tape backups, offsite storage, log files, etc.

Past that, deleting things from databases is sometimes hard. If, for example, I delete userX, and userX was the founder of a number of forums, or chat rooms, or groups, or facebook pages that are linked to userX? Do those groups and forums and things count as 'belonging' to userX? If userX happened to be the guy who created /r/news, do we delete that subreddit, and all of the content therein?

What if userX was a paying member? Do you delete all his old invoices? How do you make sure that doing so still allows you to balance your books?

There are indeed real world scenarios wherein just deleting a user and cascading that delete throughout the system breaks things. In some cases, it might be better to replace userX's personal details with 'AnonymousUserX', but then that might leave behind content they've generated, which you then have to replace with "DELETED CONTENT" or some other stub, which causes complications.


Absolutely. It just isn’t easy.


I only know of two group of people, either incompetent or just plain dishonest.

Because they either argue that it is hard to design a database that allows deleting or anonymization, or it is that they're in the business of selling data and won't delete anything and rather lie to their user and customers.

I would be interested to know if there is any other argument for this.


The problem is dealing with software and databases that weren't designed for deleting and anonymization. I do not envy all the developers who are going to have to rewrite crappy legacy code to be compliant.


What if the contents of that DB get pre-rendered to disk or memory for caching (eg: prerendering a bunch of HTML)? Do you blow those away? Which ones? What if it turns out to be a substantial number of cache records you need to blow away? Whats gonna be the performance impact of that?

I agree with the OP. People who assume this shit is easy haven't really thought about the problem much at all. There is a lot of data stored out there in ways that wasn't really designed to be mutable.


You have 30 days to comply, so if you regenerate those cached pages regularly (e.g. once every 3 weeks) you're fine.


Technical person here! I was tech lead at an energy company in the Netherlands. We had a compliance dept (mostly 1 person) I worked closely with before GDPR was on the radar as the energy sector here is fairly well regulated.

It’s true that compliance can sometimes be scary and requirements are not always clear. Big company ending fines probably keep some people awake at night.

The point is regulators don’t generally want to end your company, they want to see (proof of) reasonable efforts towards full compliance.

Compliance does take time and effort and can be technically challenging. It can be a constant overhead on regular technical / development efforts. But it also isn’t rocket science. It would help people to not overreact (also, there has been lots of time to prepare for it).


Bullshit. Sometimes regulators want to shut down your company. Bureaucrats are not immune from politics.


You have delete as a boolean? My standard (well, Mongoid::Paranoia) is a timestamp and after a reasonable time to cover accidental deletions (like facebook does) a worker job can do the actual deletion.


DHH has a video about how this is implemented in Basecamp. https://www.youtube.com/watch?v=AoxoPfilKqE


Oh, did the series move to a different channel, I missed that announcement. I only watched upto #5, thanks for reminding me :)


It's no big deal because not everyone in here is in B2C marketplace. I have SaaS services aimed at businesses. I don't give a damn about GDPR. It mostly doesn't affect me. On the other hand as a EU citizen I wholeheartedly welcome it. Sure, it's a draconian law and given time it will get polished but let's just face reality. Online advertising and whatnot has gotten out of hand. You visit any given site and it loads two dozen trackers. Facebook tracks you even if you don't have a profile on them. Google collects shitloads of personal information and none knows what they're doing with it exactly.

Back in the days we used to say that the Internet self-regulates. Well guess what, that's not happening anymore. Companies like FB or Google are actually breaking the web as we know it because they exploit our trust. If GDPR means that their business model will break then so be it. I have huge appreciation for Google, and none for FB, but enough is enough. And they're just the low hanging fruits. There are countless other companies out there working in unethical ways. If anyone's business model is to invade user's privacy then fuck off and die. That's not entrepreneurship, that's greed and a total disregard for human rights.

And by the way, we're not just professionals. We're also users.


If you store emails or people's names, you need to care. It has nothing to do with the type of business you are.


>I’ve been reading hacker news for about a decade, and it’s getting to the point where I don’t think there are many entrepreneurs and/or technical people on here anymore.

The number of people who are saying it’s no big deal to comply with this huge law, especially for very small startups, is mind boggling.

You want it to sound like the second phrase is the observation that proves the first, but in my eyes the two sentences are contradicting.

You can very well be technical and/or entrepreneur and think it's "no big deal to comply with this huge law".

Because, in fact, one of the defining characteristics of being an entrepreneur is taking risk, including the risk to not comply 100% with all BS laws. And one of the defining characteristics of hackers and programmers is thinking they can solve a problem (and often underestimating how long it would take).

So your GDPR-related observation would in fact prove the opposite of what you're stating: that there are plenty of entrepreneurs and technical people on HN.

Now, if you wanted to say: "there are no conservative, risk adverse entrepreneurs, and by-the -book corporate software engineers in HN anymore", then yes, that would be something that your GDPR related observation would support.

P.S Note that I'm not making an argument either way. There might be many or few entrepreneurs and technical people on HN. I'm just saying that if the latter is the case, it's not at all supported by your observation re: GDPR.


While i agree with your last 2 paragraphs i don't agree with the rest. I have a small team (2 fulltime devs and a designer) and we have no problem achieving GDPR compliance.


SaaS idea: I am a EU citizen and I will test that for every company that sends me a link to their website, by creating an account and then complaining to the Romanian authority that the site doesn't comply with the law.

Sarcasm... maybe :)


I'm running a small startup and finding GDPR compliance is small beans compared to the tax code and employment law, both of which we have no trouble complying with.


This is mostly false.

The GDPR doesn’t fine small companies that aren’t making a lot of money. The fines also don’t apply fully to startups until they are a certain age, depending on country.

The GDOR doesn’t require you to delete user data that you need. That would be insane, you could obtain a loan and ask to have the record of it deleted if it did. The GDPR does require you to inform people that you keep their data, and it requires you to tell your national how you plan to keep the data safe.

You’re not required to have GDPR legal representation in one man - small companies or startups.

The GDPR is only really a problem if your business model evolves around selling privacy data. I won’t lose any sleep over it being harder to make a new Facebook and I’m looking forward to see what new business models spring up.

I work in the Danish public sector by the way. I have around 500 systems that need to comply, some of these systems run on mainframes and have bits of software that are older than me. I’m not worried, especially not when we haven’t seen a single case in the courts. Until that happens the GDPR is really just a piece of paper because nobody knows exactly how it’ll be interpreted by the legal system.


As a start-up, you do what you need to do, and probably skirt the laws in some areas (I do anyway).

We can't get to full compliance, and in the timeframe with the workload we're working with, we didn't send out a message to all of our users asking them to reconfirm that we can email them.

That's just a hassle I don't think is worthwhile at this stage. So, we're risking it. Are we going to get a $4m fine for this. No, did we every implement the cookie law, which because we are an embed would create a brutal UI and result in some of our customers having multiple "accept cookie" messages on a single page? No, we said screw it, it's a stupid law.

If we listened to every stupid law on the books, nobody would have any fun.

BUT, in my opinion, we work within the objective of the law. The law is about protecting users private data. That is a good thing. Due to GPDR, we are taking extra steps to protect user data, and making it easier for users to delete their data. We have had to create Data Processing Agreements for our customers.

Take a look at the law, see what you can implement, understand why the EU has implemented the law as they have, and get as close to legal as you can.

Every start-up is making trade-offs, just because this is a big-bad LAW, does that mean it should get all the attention and that your customers should suffer while you implement.

Weigh the odds and get to work. If this kills a start-up, I suspect it is the start-up gave up or needed to act shady.

This is definitely doable for a one-man start-up with no lawyer.

Just like Terms of Use, take a look at what others are doing, and then copy what works for you and your busy.


What is the fear about startups? If you look at the ones you actually use reliably for a decade, very few would have been stymied by GDPR. To add on to this, for every successful startups there seem to be many mostly replaceable ones.

If anything, a reduction in the rate of new startups would indicate that perhaps the market is growing MORE rational, which corroborates the recognition of risk of PII that the GDPR manifests.


For some reason when I read your comment I had a vision of the Reddit founders in the very early days, waking up in the middle of the night to restart the server when it had crashed. Their sanity was very nearly wrecked because they didn't know about the existence of daemon supervisor tools yet. God help them if they'd had to deal with GDPR while still sleep-deprived.

Early-stage startups do not, in general, have their shit together. A straw may not break a camel's back, but a camel embryo would have a harder time with it.


...or I can just not sell to Europe. Solved.


I'm so so sorry that my right to privacy is inconvenient for you.


I’ve been reading web news for over a decade, and it’s getting to the point where I don’t think there are many hackers and/or privacy sensitive people on here anymore.

The number of people who are saying it’s no big deal to ignore privacy rights that should be law, especially for sensitive information, is mind boggling.


There are literally hundreds of laws, some very large, that tech startups must comply with from day 1. Yet somehow we still have startups and small companies, and the world goes on, round and round. Why no complaints about these other big laws? None of them get the vitriol hurled at them quite like GDPR. I suspect this is because having to comply with big laws is not really the issue. The real issue is that GDPR hits Silicon Valley right in the soft spot where it hurts: Callous and unrestrained collection of user data. Everyone is complaining "I don't want to have to comply with big laws!" but what they are really thinking is "I don't want to get busted for the crazy amount of data we suck up (or want to suck up) and store!"


>There are literally hundreds of laws, some very large, that tech startups must comply with from day 1.

> The real issue is that GDPR hits Silicon Valley right in the soft spot where it hurts: Callous and unrestrained collection of user data.

I've kept myself to lurking in those threads, simply because there's been so much FUD about this for the last few months. This, however, is spot on and it needs to be pointed out.

If people think GDPR is bad, then they should have a look at what it takes for a small startup that want to sell chicken eggs for breeding purposes, especially if you buy/sell across the EU borders. The requirements are quite insane compared to GDPR. :)


Clearly you have a different definition of entrepreneurs/technical people than I do.

Those seems like impositions on people who implement bad practice or work in fields that have morally questionable practices regarding people's data and identification. Many people I know don't engage or work in such industries because of the moral implications of doing so and what people are doing with data.

Its not about "just ask your lawyers" or "just call HR". Its about "well don't do dodgy/disrespectful stuff with customer data".

And if everyone is doing it or its regarded as "best practice" (as the old joke goes, best practice is just orwellian-speak for average), then that seems like MORE of an arguement why GDPR type activities and policies are required.


Again, I was in my early 20s and fresh out of college. I had no idea what I was doing.

It’s not that I was trying to cut ethical corners or do things poorly, I just didn’t know what the right way to do things was. Computer science education is often very theoretical and high level and not at all practical .

I’ll be the first person to say that I was not the most experienced and or talented programmer in the world, but do we want to prevent such people from starting companies?

And secondly, not all PII is the same. We stored names and addresses and phone numbers and websites. Not exactly medical histories or DNA profiles.


> I’ll be the first person to say that I was not the most experienced and or talented programmer in the world, but do we want to prevent such people from starting companies?

Yes. You should be fine as long as you're not collecting anybody's data or potentially harming them in any way, but apart from that, there should be established a bar to entry to what has become the fundamental motor of almost every single thing on the earth.


Perhaps this is a cultural difference, but I've collected names and addresses and phone numbers, and I worked under legislation where I can go to jail if i disclose the information i saw or had access to.

Later, outside of that legislation, when I'm collecting it, I deal with the Australian Privacy Principles [0].

It doesn't bother me that much, because I take a "well if we don't need it, we shouldn't be collecting it, and if we are collecting it, we should do so minimally and protect it anyway."

I believe under GDPR, if you need it, you can collect it. If you don't need it, why would you be/collecting or holding it?

There are certainly legal problems/ambiguities around ip and data collection, and yes, its usually legislated by people who really don't understand tech or information theory or data linking, but frankly I haven't heard very many legitimate ones brought up in relation to GDPR.

What I think someone naive and fresh out of college would do, for instance, when asked to delete data is...delete data.

And if they think that "delete my data" means go through a database and put a '1' in a delete flag against a record that is still retained, then I think they're not so naive, they picked that up somewhere from someone acting nefariously who told them it was "best practice".

And if they picked that up somewhere and it is industry "best practice", that's the kind of bullshit we should be weeding out of the tech industry.

If the user can't view/delete their data, that's a dark pattern. Which again, see above: needs to be weeded out of tech.

[0] https://www.oaic.gov.au/privacy-law/privacy-act/australian-p...


I think that to the hardcore GDPR fans that you're arguing with, this is like asking if we should let someone who is interested in structural engineering go build a skyscraper and figure it out as they go. Or someone who is interested in medicine start doing brain surgery on people.

They don't really agree that all PII is not the same. To them, storing their IP address without permission is a horrific violation of their human rights.

It strikes me personally as illogical and paranoid to the point of hysteria. However, that's just me, and at the end of the day, I think there's a cultural divide here as to what constitutes privacy, who owns what data, and what power we should trust the government with.


+1 to this. GDPR is just the personal data equivalent of the "don't be a dick" principle.


It's that, plus a whole lot of unreasonable demands. Just take the requirement to have an EU representative[0]...even a 1-person US startup that processes data now needs to hire someone in the EU and designate a qualified DPO, which they'll likely need to hire as well. That's way more than not being a dick, it's a huge jobs program that will cost companies millions. One estimate I saw indicated that they expected there would be a need for more than 30,000 DPOs in the EU (and it's that low because a single person can act as a DPO for more than one company).

There's a lot in the GDPR that I like, but having just been through a massive compliance effort, there's a lot in there that overreaches and is just there to leech money out of the companies that make an effort to comply.

[0] https://gdpr-info.eu/art-27-gdpr/


How would EU enforce laws on your business there, if you don't have any representation in the EU?


Dumb question, but how is the EU going to come over here to the US and file charges against me?


They won't, but they'll levy fines that will be in effect should you ever want to expand into Europe. And they might be able to prevent you from doing business with any company that has an EU presence. If you're making a profit off of EU citizens, there are ways to target that revenue.

Look at the ways that the US targeted online poker sites. None of them are in the US and subject to US law. But lots of banks are, and US lawmakers made it illegal for those banks to transfer money into or out of the poker sites and that basically worked.


Except it's now codified law, with real punishments based off the ambiguous "don't be a dick" directive. There are serious ambiguities here, and unfortunately no one knows how they'll be handled.


Funny how the very people who rail about corporations and Too Big To Fail are the same ones asking for regulations which raise the barrier of entry for small startups and protect large ones from competition.


HN has been overrun by MBAs a long time ago


I'm not sure whether you're agreeing or disagreeing with your parent comment, but I'm just tacking this on there because it feels right:

I think HN has just hit peak stupidity.

The amount of paranoia, misreading, misunderstanding, etc. about the GDPR is just insane (or intentional shilling, but let's not go all tin-foil-hatty prematurely).

Nobody who's doing anything even remotely above-board is panicking or anything of the sort. If you weren't already mostly complying with the GDPR (paperwork notwithstanding) your security practices and/or business practices were sloppy and/or dishonest and/or exploitative to begin with.

EDIT/Addendum: People who are not in the know are (somewhat understandably) a little bit nervous about "interpretation" and such, but there's a reason there's a "sliding scale" of potential penalties. Regulators don't tend to go for people/companies who are actually trying to do the right thing. They go for the people/companies who are the most egregious violators. (I hope I don't have to explain the reasoning behind this, but do ask if you're confused.)


> paperwork notwithstanding

thats the main point for me. Some of GDPR is good: right to delete in a reasonable fashion is great. Right to not be personally identified is awesome, but that's much easier to do in the ISP level. Adtech creates problems - that should mean you have to regulate adtech. But GDPR is more about documentation, bureaucracy and Vista-style popups than about how to protect data. You need a lawyer just to put ads on your site. It's a draconian law designed by a single-issue Green leftist, which relegated IP addresses to the status of some kind of fatally dangerous information. It breaks the web from a "web" to a series of tubes with doors in between. The severity of the law is out of proportion with the average internet user's concern about privacy: time and again people have shown they just don't value it as much as the law suggests.

After a few days, when the cheerleading has stopped people are going to be faced with some unpleasant realities: small business switching to facebook (because otherwise their website would contain more legalese than content) and ecommerce turning more towards the large marketplaces. In this sense, Facebook, Google and ebay/amazon become one-stop shops for GDPR-compliant solutions. The reason: GDPR removes options but offers no alternatives.


This is paperwork you should already have in some form if you're actually following (and I hate this phrase) "best practices" for customer data and trying to explain to your employees how to handle a (suspected) security breach, etc.

IMO, it's good to actually at least try (as a company) to come with some sort of consistent set of guidelines as to how a security breach should be handled. And a company-wide policy on how company laptops should be treated (disk encryption, etc.).

It's just that nobody actually bothered to actually do these things because the potential penalties were absolutely trivial.

I know of at least one company which chose to just pay the regulator in their country a monthly fine instead of fixing the problem because it was cheaper than paying developers to fix the issue.

How is that not broken?

(I should say that I have problems in which this was "released", so to speak, since there hasn't been time for any establishment of practice based on the intent of the law, etc. It should definitely have been a gradual rollout, but that's not really relevant now that it has been "released".)


If you don't have the ability to delete a user from your database, you got issues.

Getting a banking permit requires an awful lot of money and you have to go though a lot of bureaucracy to get it, do you also have a problem with that?

What if a startup leaked your private data, like Equifax did? would you still feel the same way about this?

If the industry would have been able to self regulate, big bad government wouldn't have dropped the hammer on them.


>* Most early-stage startups use the (in 2008, when I did mine) best practice of “delete=1”. Changing your whole database over to permanent cascade delete is only easy if you’re a very experienced programmer or who knows what he’s doing.*

You do not have to do cascade delete. Just invalidate the data that identifies the user (this includes also transaction dates).

Well, maybe it is possible to cross reference a person based on the transaction volume?


So because the sentiment here is that it's no big deal, which you yourself say "is only easy if you’re a very experienced programmer or who knows what he’s doing" somehow the audience is less technical here. Perhaps the sentiment is that it's no big deal precisely because the audience knows how to solve this problem.


“...it’s no big deal to comply with this huge law”

Sorry but this comment has been driving me crazy. The GBDR about 100 pages? Obamacare is 20,000.

This law may be a lot of things. It may have a huge impact. It may require companies to do things hugely differently. It may require a huge amount of work for some. It could do a huge amount of good or bad.

But, it is NOT a huge law.


The fact that it is such a big problem for so many companies just demonstrates how badly things have been handled thus far.

I'm sitting through tons of GDPR meetings & there are quite a few conclusions amounting to "maybe we shouldn't have stored the data that way".


> Let’s just take one feature: the requirement that you can permanently delete all of your information.

Let's take that feature because it's mentioned often, but it doesn't exist.

Read Article 17* carefully yourself. It doesn't say "permanent". It never even says the word "delete". Elementary, My Dear Watson.

* https://gdpr-info.eu/art-17-gdpr/

> at an early stage startup with one programmer, you cannot have that one programmer spending two months on compliance.

And then here's the other straw man.

An early stage startup in the US with one programmer has more to worry about from US regulation than European regulation. Nonetheless, if you want to trade with Europe then reading the ICO guidance on the GDPR for your business should take a couple of hours.

> My biggest fear is that all of these complex bureaucratic laws are just raising the bar for doing a startup.

There are so many things I care about more than whether you can create a startup with wilful disregard for people's rights.

Did you even notice that Equifax* lost control of personal data on pretty much every single American? Your name, date of birth, your SSN. Equifax did this because they are actually incentivised to make their systems as insecure as they can get away with.

The only thing you're right about is that real security has real costs, but you're not convincing me that they're not needed.

* https://www.sec.gov/Archives/edgar/data/33185/00011931251815...


HN is a good reflection of Silicon Valley actually. Mostly people working for big companies who loves to read about and criticize startups but don’t have the guts to attempt one themselves.


Not to mention all the backups of said databases. Imagine sitautions where you’ve got tape backups stored in vaults or places like AWS Glacier. It’s the stuff of ops nightmares.


Imagine situations where people actually read the regulation and its commentaries.

You don't have to delete specific records from every one of your backups; in case of a deletion request, you have to be able to replay that if you restore the backup. Also, have some kind of policy in place for how exactly you're handling your backups and how long you're storing them.


who says it must be possible or easy to run a 1 man company that handles user data? I rather not have my data handled by a company who can’t handle GDPR


> the requirement that you can permanently delete all of your information.

Can you point to the bit of GDPR that says I can have all my data permanently deleted?


>I was not a great programmer >amount of time for me (the only programmer) well theres your problem. in any other industry you have to have professionals and competent people only in tech can you gobbel together something you can charge for by browsing StackOverflow. it is time that your clowning gets checked and you need to take things seriously. and if deleting data from your database causes "business logic problems" then you are obviously doing shady shit with users data and I am glad this is causing you pain.


> I’ve been reading hacker news for about a decade, and

> it’s getting to the point where I don’t think there are

> many entrepreneurs and/or technical people on here

> anymore.

Not sure, I tried my luck with co-founding 2 companies but I work now as an employee. I notice that the number of Stars on popular Github projects is rising every year, leading me to the conclusion there is an ever growing number of technical people. More over I realize it becomes easier every year to deal with more complexity.

That said, it becomes more feasible to handle more business logic - or compliance logic if you will.

I know that especially Lean Startup proponents say one should start with low tech solutions. Also I attended an accelerator program and was surprised that most startups there were not tackling exactly super complex things. In fact one Startup worked with some kind of modified Wordpress or so - which has GDPR logic already included.

So yeah, things become more technical and complex but I think it's for the good. Also when handling other people's data I guess there should be some responsibility. For the 2 companies I co-founded data-export would have been trivial to implement as the Web Apps were AJAX powered, I would have had just to provide a link to the user. In case of Startup #1 users were anyway only there to train for some test, so it would have been no problem to delete the user records. Probably delete cascade would have been fine as I worked with backups. Deleting data from backups would have been fine as well, they take up only precious space and use up bandwidth. Startup #2 was more about producing content that was not from users.

Also I want to note that in times where TDD is something even known to barely technical people, delete cascade is safe and a no-brainer.

Anyhow, the most challenging thing looking back would be all those 3rd party tools. To name some: Google Analytics, Mixpanel, managed DB/Redis/etc. I was never a fan of any of those tools and in times of Docker, we can run our software on whichever computers seem most suitable.

> My biggest fear is that all of these complex

> bureaucratic laws are just raising the bar for doing a

> startup. Maybe the days of two people doing a startup

> in someone’s garage should be in the past? If so, that

> makes me kind of sad.

GDPR isn't really complex, it's more like a collection of vague rules and recommendations. Basically most of them are like keep only the data you need, offer export and deletion following best practices.


I think it's mind boggling how you equate startup with abusing user data without users consent. Is that really the only way you think someone can make a business and earn money?


[flagged]



I assume it is your tone getting you down voted, but the message is true. If a cascading delete is too hard for someone building the tech at a startup, it's no wonder emails and passwords are leaked every single day.


>The number of people who are saying it’s no big deal to comply with this huge law

It's not if you're actually thinking about what you should be doing with user data from an ethical perspective. Our company has had zero problems complying with GDPR.

>My biggest fear is that all of these complex bureaucratic laws

Allow me to be extremely blunt here. If you think these laws are complex and if you have to resort to meaningless U.S. connotations of bureaucracy, you shouldn't be handling user data.


I started coding in 2012 as a funder with 0 experience in programming. From day one I avoided "delete=1". I implemented real data deletion from the very start and it has never been an issue. If someone like me (self thought from 0) could do it, I can't see any reason why this should ever be a problem. The GDPR does not pose any particular problem to start-ups, if you take the time to read it (no lawyer needed for that). Sure, as long as your business model does not rely on exploiting personal data.


The world is not coming to an end, the sky is not falling.

Nothing has to be automatic as far as the deletion requests go. It's fine for you to go through the db manually and grant a specific request within 30 days.

If you're big enough to get enough requests to not be able to handle the load, you can afford a couple of days of dev work.

It's mind boggling the amount of people who's interpretation of GDPR is overzealous (to the max) based on third party interpretations. Get to the source of it and you might find it's not that bad.

You're only in trouble if your business model actually relies on doing things to the data your users would not want you to do (which could be argued is for the better good).

More

Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: