
I'm a Brit. I am the MD of a small IT company. I have two partners and 20 employees. We started in 2000. We turn over about £1.5Mpa. We sell our services to people and organisations. Our backups are now smaller these days (thanks to GDPR).

I understand that because you are outside the EU you might feel like a target but that is not the point of GDPR. There is no way on earth that the EU as a whole has looked on your company/project or whatever and decided to screw you.

Have a look at the first few paras of this: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX... after it says "Whereas". Does the language look a little familiar? Do the sentiments look strangely familiar in some way?

GDPR is not about destroying people's livelihoods. It is about protecting basic, fundamental rights that, say, 30 years ago, we never knew needed to exist.

After all the knee jerk reactions have calmed down a bit, you may find that you personally have benefited in some way from EU regs. If you find that, then I suggest you fight tooth and nail for similar to be enacted at home. I'll be the first to thank you for that.




It's reassuring to hear that the GDPR is not meant to target little startups and projects but I would like it a lot better if it said that in the actual law, rather than just trusting all current and future regulators to treat me kindly.

If it's only meant to be used against big companies or extreme offenders, why doesn't it say so? It seems like the spirit of the law and the language of the law are not aligned and in my opinion that's a sign of poorly designed regulation.

I object to the idea that small projects should be ok with breaking the law merely because they very likely won't get caught.


Because if your business model is based on selling user data, it doesn't matter if you're a small startup, it absolutely is meant to target you.

If you aren't competent at responsibly handling personal data and you want to build a project or startup, pick one that doesn't handle personal data, or put in the effort to learn how to do things properly.


How does for example a small yoga studio’s email list fit in your examples? Or even just its website? Without cookies and login even - the IP address in the log files alone is considered potential personal data that basically puts people in the need of consulting a lawyer about how to safely deal with that. And makes you a potential target to being sued and getting a lot of hassle. Even if found not guilty in the end, no one will pay for the days of time and energy needed for defense.

And then: What kind of online business can reasonably be done without using an email address, if only for login/resetting password if lost? You either have no option to reset passwords, or must do it by phone, which is extremely expensive.


IP addresses are permitted under the security exception: Storing personal information in order to protect information or information systems is permitted without need for consent. Using your log files for security is explicitly permitted and there is nothing that changed a system administrator's job before or after GDPR on this point.

If you are using an email list in order to fulfill a contract to your members by informing them about times and so on then that is also permitted by GDPR. If a customer buys a subscription then the company in order to fulfill their side of the contract can then naturally store information to do so.

Mailing lists also have had a long history of best practices in order to not get marked as spam by the large email services. Get consent so users don't mark it as spam and allow unsubscribing. If a small yoga studio used an email list for a significant time and was not forced to do shady behavior in order to bypass spam filters, then they are almost guaranteed to be compliant with GDPR.

Similarly, an online business has a contract when a customer buys a product or service. In order to fulfill that contract an email address is commonly used. Perfectly GDPR compliant. Hard to imagine an online business before GDPR that did not have a contract with customers.


So what you're saying is there's lots of complexity and nuances in how you do this with some commonly done things illegal and others not ... and you should probably consult a lawyer to make sure.

Correct ?


You don't have to get it all right on the first try. If you get something wrong, the regulatory body will contact you (via letter or email) and tell you what they feel like is not correct (that is the official guidance on how to handle GDPR violations).

As long as you do your best to implement the GDPR and interact with the regulatory agency in a friendly and helpful manner then there won't be much need for a lawyer (but do consider that the GDPR being written as it is is also the result of being written in the EU where law is written a bit differently)


Your comment sounds so Orwellian I can’t help but cringe.


I’m increasingly convinced that a majority of people who use the term “Orwellian” haven’t actually read Orwell’s books.


I find the use of "Orwellian" rather ironic in this context.

I run a company based in the UK, but I myself am American and most of my business experience is in the US. Despite that, I honestly have had no issues adapting to the GDPR. Considering that the business I operate has systems specifically designed to store as much data on people as possible, I find it absurd other businesses are unable to handle user/client data responsibly.

That said, I cared about privacy BEFORE GDPR and intended to act responsibly regardless of regulation.


It's not Orwellian to be friendly towards authority, especially when you're a business and it's about the privacy of the users, protecting the very data that Orwellian governments seek to collect and abuse.

Otherwise, I would love to hear which part of my comment was Orwellian in nature?


I'd guess he's referring to your (likely correct) implication that the regulators will give more weight to your "friendly and helpful" behavior than to how the text of the law applies to the facts of your case.

The concept of the rule of law was invented primarily in countries that now belong to the EU. Is there no one left there who still thinks it's important? It's not even that people argue "the GDPR couldn't be less vague without loopholes, and this is important enough that it's worth the cost". The idea that a powerful human's best attempt to objectively apply stable, published rules is generally better than a powerful human's unrestrained discretion just seems foreign to most commenters here.

If you ran an organization publicly associated with George Soros in Hungary (whose prime minister has described him as an "enemy of the state"), then would you still feel good relying on your friendly relationship with the government? What steps would you take to comply with the GDPR as it's currently written, if you couldn't rely on the goodwill of the people interpreting it? With a sufficiently corrupt government, there's nothing you can do; but the point where a judge will accept an obvious lie tends to come long after the point where a regulator lets politics disambiguate a vague standard.


The GDPR is a regulation and not a law, thusly the implications are different.

If you produce a device that accidentally violates FCC guidelines, would you rather be immediately punished to the extent of the regulation or rather work with the FCC to rectify the issue and how to fix it for affected customers?

The other reason is that yes the GDPR is vague. It must be because in the past corporations have abused loopholes and the only way to prevent people abusing loopholes without punishing people who don't abuse them is to make it vague and then decide on their behaviour.

And again, these are corporations, legal persons. They don't even have the remotely same rights as a natural person.


At least in the USA, a regulation has the force of law. To say "regulation" instead of "law" just means the rule gets its legal power indirectly from some statute (which probably also limits the scope of the rules), instead of directly from the legislative process. I'd thought the EU was similar. Is it not?

If I ship a device that fails to comply with FCC rules, then I would prefer that the maximum penalty provided by law is also a fair and reasonable one. I understand that most regulated fields are complex enough that if we don't give regulators some discretion, then the law will be filled with loopholes and impossibly complex; but I would like to give them the minimum discretion they need to do their job. I think the GDPR fails that test spectacularly. Do you really think they need the statutory authority to fine someone 20M EUR for their semi-commercial side project that made $1k lifetime total? If not, then why give it to them?

The GDPR applies to natural persons too. Imagine if it didn't! Facebook could just contract all the creepy stuff to a sole proprietorship operated by Mark Zuckerberg...

ETA: From https://ec.europa.eu/info/law/law-making-process/types-eu-la...

> Regulations are legal acts that apply automatically and uniformly to all EU countries as soon as they enter into force, without needing to be transposed into national law. They are binding in their entirety on all EU countries.

So not quite the same as the US, though maybe some analogy in that the regulation is still "secondary law", subordinate to the EU treaty? But I don't see how you can describe a set of rules "binding in its entirety" as anything but law.


To my understanding the EU handles it differently. Regulation as opposed to law is supposed to be enforced in a guiding manner, recognizing that sometimes you accidentally don't comply or there is otherwise a differing implementation. You can somewhat also see that in how the EU ramps up regulation in case nobody is playing ball.

Stage 1 is when they want to fix it and they express wishes that the industry changes their ways. Stage 2 is the cookie law and Smartphone USB charging. A very vague regulation or law is implemented as a sort of warning for the industry to better go and fix it. Stage 3 is nuclear; GDPR.

The smartphone industry is as mentioned at Stage 2. The EU expressed wishes to reduce the charger garbage, nobody did anything, so they simply put out a regulation that almost literally just says "all smartphones need one common charger". Largely this has been microUSB but vendors are switching to microUSB.

The regulations are to my knowledge and experience also employed and enforced in a similar manner; first you get a nice letter informing you that your website is in violation of X. Ignore that or get aggressive towards the regulatory body and you get a less nicely worded letter with a threat of a fine. Continue that path and you get a fine.

The ultimate goal is that everyone should be compliant but it's okay to be occasionally not as long as you are willing to be helpful and fix it immediately.

>Do you really think they need the statutory authority to fine someone 20M EUR for their semi-commercial side project that made $1k lifetime total? If not, then why give it to them?

They don't; you have a legal right to a proportional punishment. Unless your little side project caused damages the fine will be appropriate such that you can pay it without going bankrupt. And if it did you'll have to pay those damages on top of course.

>The GDPR applies to natural persons too. Imagine if it didn't! Facebook could just contract all the creepy stuff to a sole proprietorship operated by Mark Zuckerberg...

It only sorta does, it only does not apply to natural persons while they don't engage in commercial activity.

And a sole proprietorship is to my knowledge a legal person, even if the only natural person involved is 1. (I would know, I am basically one, or rather, small business operator would be the more accurate translation, which also has limits on turnaround and profit)

The sole proprietorship would have fewer rights than the person behind it and has no option but to fully implement the GDPR in any project or product. A natural person on the other hand, publishing a hobby on the internet with no commercial or business activity (which are different things in German law and you can certainly run a commercial activity without ever touching money or forming contracts).


Enforcement of regulations in the USA isn't grossly different in practice. For the kinds of topics that regulations tend to cover, I doubt it could be otherwise--the complexity of the topic makes it impossible to draft law that can be objectively applied to all cases, that ambiguity makes accidental noncompliance common, and regulatory discretion is required so the accidental noncompliers don't get screwed. I accept that as unavoidable, but not as good. The regulations have the force of law, and the penalties--the loss of one's livelihood, or even prison in the extreme--may be just as life-altering as for any other law. So all other things being equal, I'd prefer that the regulators act with as little discretion as possible. That gives everyone the fairest chance to comply with the rules, even if the regulators for whatever reason dislike them.

The GDPR indeed says the punishment should be proportional; but what does that mean to you? Are you sure it would mean the same thing to a regulator? A regulator who dislikes you? If they said that 10k email addresses and MD5-hashed passwords leaked from someone's game server was a worst-case breach, then I'd say that was ridiculous; but I don't see what in the text of the law lets me say that it's objectively false.

The USA has no concept of a separate entity for sole proprietors. It's just you, even if you're trading under a business name. If the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does. In any case, the real question is perhaps commercialness, where (a) lots of hobby projects have some small commercial element, ads or donations or a tee shirt or whatever (and to be clear, I do think privacy regulation should apply to them, just more specific regulation); and (b) I strongly suspect the GDPR applies to some noncommercial activity too--would the EU let a political group pull a Cambridge Analytica with all volunteer staff? I haven't researched that, though.

If I lived in Germany, then I'd probably have pretty good faith in my regulators. But imagine the example of that Soros-linked group in Hungary (which I'd edited my first comment to add, so you may have missed it). I don't think that's hypothetical--political organizations keep lots of data, so I suspect that somewhere, a group is making plans to comply with the GDPR, as interpreted by regulators whose government considers them "enemies of the state". What would you do in their place? Wouldn't you wish the text of the regulation gave the regulators less room to maneuver?


>if the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does.

Well, they are separate entities so the loophole exists for how the US handles it but in the EU there is no loophole.

>In any case, the real question is perhaps commercialness

Last I checked you don't need commercial elements like ads, donations or anything like that to be considered commercial. Running your own git server with open registrations would be considered commercial (there is additional separation in that you don't have to pay taxes unless you are profit-interested).

>I strongly suspect the GDPR applies to some noncommercial activity too-

Monitoring of any kind that is strictly outside private interest.


That's something that utterly amazes me about the EU, and your comment. A lot of the protections that exist for privacy in the US against authorities mostly don't exist in the EU.

The EU lets every police force in the EU, or in Interpol request data interception. That is a LOT of organizations, and of course, they got caught doing abuse just the same. But, for instance, the default practice in the US is that you get told your phone is tapped (yes, really), unless the police explains to a judge why not (nearly always), BUT in that case you still get told afterwards. This does not exist in the EU. You will never be told you got tapped.

Second, in the US, the provider looks at the order, verifies it with the proper authorities, and decides for itself on scope, reasonableness, ... etc. In the EU, nope. If an order is received the only actions that a provider can take must be technical in nature. In theory an employee that does the actual tapping of the phone can't even tell his manager he's tapping phones, and definitely he can't tell anyone which phones are to be tapped or why (nor is there any obligation on the part of the requesting force to tell him why, but it is a field on the form). In many countries, this can be done without judicial oversight, or in nearly all cases with only very, very light oversight. This, to me, is far more worrying than the situation in the US.

If a local police officer in Latvia wants to tap the phone of anyone in the EU, he just has to fill out a form and fax it to interpol.

This is even weirder given that Europe has actual experience with abuse of surveillance powers, everywhere from Germany eastward, as well as during WWII. They KNOW what can go wrong, they just have to ask their parents or grandparents to find people who were actually exposed to this. And yet ...

Next we find out that large-scale spying on the own population is done in, at least, UK, France, Germany, the Netherlands ... and not a peep. This was barely reported in the local media, in fact. We all know that most other countries are going to be worse than these, not better. And, of course, they cooperate with the NSA as well.

Hell, the US has reporting on how much they spy on their own citizens (in fact, that's the source of most of the outrage). No such stats in the EU. Nobody, not even the police forces themselves, feels the need to have the most banal, basic level of transparency.

Clearly when it comes to spying the EU is of the opinion, them, yes, perfectly allowed. Think of the children! I mean, clearly these guys do not believe in privacy.

So yes, it is very Orwellian when they just request that you work with them on the privacy of their citizens. Clearly the result they want is not actual privacy and protections for their citizens.

If they believe in privacy protections, they have a lot of state agencies that they need to attack for not having any decent respect for privacy, as well as the fact that what few protections do exist only exist in a vast complex tangled web that errs on the side of violating people's privacy. And that's ignoring the fact that privacy protections have been systematically eroded further and further in Europe (e.g. recently in Germany).


>A lot of the protections that exist for privacy in the US against authorities mostly don't exist in the EU.

They actually do, the German police for example, generally destroy any video or image footage they make after 24 hours if there is no reason to believe it would help solve a crime.

I can't say anything about Latvia but in Germany at least the privacy of letters and remote communication is heavily protected and access is usually not granted lightly (exceptions being stuff like actual Nazis).

People are definitely aware of the past and there is always a lot of outcry whenever a new law attempts to encroach on that territory, politicians have destroyed their careers with such proposals.

>And that's ignoring the fact that privacy protections have been systematically eroded further and further in Europe (e.g. recently in Germany).

Please note that the BND, the German intelligence service, recently shut down a surveillance program after several thousand people requested the deletion of their datasets.

>You will never be told you got tapped.

I don't understand why you should be told that the police is trying to get evidence of you doing a crime? Or someone else's crime?

Again, we have different laws and legal systems (!) in the EU up to and including not having the US constitution. I think it would benefit the conversation if you recognize these differences instead of applying American laws and principles to the EU.


> They actually do, the German police for example, generally destroy any video or image footage they make after 24 hours if there is no reason to believe it would help solve a crime.

Source? This, to me, seems unlikely in the extreme. I mean this is strict enough that even I would agree they would regularly shoot themselves in the foot with such a policy.

> Please note that the BND, the German intelligence service, recently shut down a surveillance program after several thousand people requested the deletion of their datasets.

I doubt it's the only one. Call me when they change the law back so they can't legally do this.

> I don't understand why you should be told that the police is trying to get evidence of you doing a crime? Or someone else's crime?

The idea, in the US, is that you get informed afterwards. How else will you sue the police if it wasn't reasonable at all? How will abuses be discovered?

Keep in mind that more than a few police officers have been sued for using surveillance on women they were merely interested in, in some cases then proceeding to beat up and harass other interested parties. I doubt that this behavior is in fact limited to (a few) US cops, we both know the truth is that (some) EU cops simply get away with it.


>Source? This, to me, seems unlikely in the extreme. I mean this is strict enough that even I would agree they would regularly shoot themselves in the foot with such a policy.

General guidance policy and numerous court cases. Not all footage is 24 hours, most is however. Some exceptions go for 48 hours. [http://timetravel.mementoweb.org/list/2010/http://www.polize...]

Video surveillance, especially when in public spaces, is frowned upon and there is a long rat tail of court cases.

The law is very strict in when, what, who and how long video surveillance is allowed, including the 24 hour limits, though in case a crime is suspected the footage can be kept for 14 days until a crime is confirmed. [https://recht.nrw.de/lmi/owa/br_bes_text?anw_nr=2&gld_nr=2&u...]

>we both know the truth is that (some) EU cops simply get away with it.

Generally, they are reprimanded or even punished when such behaviour is discovered as it is a violation of various laws, including privacy.

>How else will you sue the police if it wasn't reasonable at all? How will abuses be discovered?

Generally, any evidence the police brings up in a court case requires that the police has an explanation on how they got to that evidence. That may have been illegal, in which case a second case might be brought up and the involved officers will be punished.

However, unless the evidence they collected is wrong due to the surveillance (the bar is very low on the police being guilty of forcing you to commit a crime), the evidence will be used regardless (a few edge cases but generally evidence is not poisoned if gained by wrong means like in the US IIRC).

>I doubt it's the only one. Call me when they change the law back so they can't legally do this

Already is, which is in part why the BND stopped this too.

The bar is high for someone tapping the phone or otherwise doing remote communication surveillance, [GzBBPF, Section 1, 2, 4 and 7]. Unless there is a very strong suspicion that you committed treason or committed a federal crime and there is absolutely no other way to prove you did it, they can't legally tap the phone.


I can't believe you can be this naive. Your arguments basically boil down to "the state can be trusted".

Basic dependencies of your argument: the police force will never abuse surveillance, then not make a court case out of it.

Second basic dependency of your argument: the court will easily rule against the very forces they depend on if they find violations.

These are reports of German police officers that got caught, shall we say, being VERY untrustworthy:

https://www.itproportal.com/2011/09/12/privacy-boss-slams-ge...

https://www.thelocal.de/20161213/cannibal-cop-convicted-of-m...

http://www.scmp.com/news/world/europe/article/2142710/dozens...

http://www.spiegel.de/international/germany/hanover-police-o...

https://www.thelocal.de/20121017/45615

https://www.youtube.com/watch?v=vM1c_58e6jk

https://www.youtube.com/watch?v=juQD0OU6SD8

So I feel like I've provided plenty of evidence that the police cannot be trusted to act correctly, or even just sane. The German police, clearly, is no exception to this rule. Therefore Germany trusting them to do the right thing is just hiding abuse, not preventing it.

You also left the question unanswered: if tapping is so correctly and justly done, then why does it need to be such a big secret? There is a case to be made that, sometimes, it needs to be kept secret DURING an investigation, but why afterwards? In many cases, even that is not necessary, when for instance following or tracing someone who was brought in to the police station, it seems to me like there is no reason whatsoever to keep it a secret that the police reads his mail/call logs/... Why do they want this perpetual secrecy, if not to hide abuse?

The answer is very simple: because Germany hires neonazis, cannibals, violent bullies and worse into their police force, and police officers like those are also trusted with tapping people's conversations.


Which is exactly my point put a bit shorter :)


I would sincerely hope that the small Yoga studio is not attempting to custom code their website in this case, in which case the economical solution is for the Yoga studio to use a GDPR compliant website and mailing list toolset, and simply migrate to a different set if they find that they aren't.

Now compliance is largely handled by the tool makers, and the Yoga studio can focus on their business case and any custom coded extensions to ensure they remain compliant. (For popular stuff like Apache, compliant configurations are probably already available or will be shortly, once we all figure out if we are allowed to keep logging IP addresses by default.)

I'm not sure I understand the email jab; obviously you can store data, you just must obtain consent first, and must allow the data to be deleted on request. That's an opt-in mailing list with an unsubscribe feature that actually works and properly deletes the relevant data. Why should that be difficult for a small business to do right?


> I would sincerely hope that the small Yoga studio is not attempting to custom code their website in this case, in which case the economical solution is for the Yoga studio to use a GDPR compliant website and mailing list toolset, and simply migrate to a different set if they find that they aren't.

You just gave a perfect example of why GDPR will hurt startups and innovation.


How so?


Parent just admitted that it would be unreasonable for a small business to comply with GDPR and that larger organisations were better equipped to deal with it.


Many small businesses rely on WordPress because it's free and hosting is cheap. There are plugins for nearly every functionality you can imagine. Perhaps having them migrate to proprietary systems is the better solution, but I can't help but feel it's a net loss for the World Wide Web.


On the contrary, I think this is secretly a benefit. As soon as WordPress updates to include all the necessary tools to be GDPR compliant, every small business using their platform should be able to easily pull those features in with minimal developer work. The common platform is a boon here because it helps everyone work together on the issue, rather than requiring the smaller players to implement a mountain of work by themselves.


> the IP address in the log files alone is considered potential personal data

Stop logging the IP address then. Hopefully default settings in web servers will change.

> What kind of online business can reasonably be done without using an email address, if only for login/resetting password if lost?

That means you have a legitimate interest, so long as you don't send marketing emails to those addresses, or sell them, and so long as you delete them if someone deletes their account.

> How does for example a small yoga studio’s email list fit in your examples?

If someone signs up to your email list, they've consented to receiving emails. Just don't sell the list, and remove people if they unsubscribe.

The only real complication (if you're in the UK, I don't know about other countries) is that there is a fee to register as a data controller. https://ico.org.uk/for-organisations/data-protection-fee/


IP addresses are needed for security analysis in case of attacks, for example.

The thing is not about doing what you propose but that however you're doing it, you have a lot of bureaucracy and legal insecurity right now.

The examples of wrongdoing you give should be leading to hard measures. But those with good intentions shouldn’t have high bureaucracy costs.

To be clear: I don’t say these laws shouldn’t exist. They just should have been targeted at the actual wrongdoers and put the smallest possible burden on all with no bad intentions.


> IP addresses are needed for security analysis in case of attacks, for example.

Then you have a legitimate need for the data, so store it for a reasonable length of time and then delete it.


>IP addresses are needed for security analysis in case of attacks, for example

People repeat this a lot, but it sounds like complete nonsense.

Why does your business need to perform “security analysis in case of attacks”? Do you get paid to do that? Why would you need IP addresses for that?


One obvious case is DoS attacks. Rudimentary attacks can be mitigated by blocking IP addresses of the attacker.

Another example is logging requests to secure sections of the site and/or server and perform IP blocks on fishy activity.


You can do that with a hash of the IP.


How would this work? You can't just sha256 IPs as that'd be trivial to reverse, no different from storing the plaintext.

I don't see why the IPs would ever have to hit the disk for this purpose, just keep them cached in RAM for a few minutes.


Salt the hashes, perhaps use PBKDF2. The problem is solved for passwords, just treat IPs like low entropy passwords.


There are only 4 billion possible IPs, you can reverse the entire search space in a few hours.

The only way round this is to make the webserver spend a non-trivial amount of time running some derivation function on the IP for each and every request (remember you can't cache the result if the entire point is not to store the IP).
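The point made above, as an added example that is not from any commenter in the thread: an unsalted hash of an IPv4 address is recovered by enumerating candidates, a salt stored beside the log only adds per-guess cost that the web server also pays on every request, and a keyed HMAC with a secret, rotated key (an assumed approach, not suggested in the thread) moves the protection from CPU time to key handling. SAMPLE_IP, the salt and the key are constructed values.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

# Constructed sample: one client address as it might appear in an access log
# (203.0.113.0/24 is the TEST-NET-3 documentation range, so it is nobody's real host).
SAMPLE_IP = "203.0.113.42"


def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the dotted-quad string: what 'just hash the IP' usually means."""
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_plain_hash(digest: str, network: str) -> Optional[str]:
    """Recover the address behind an unsalted hash by enumerating a candidate range.

    IPv4 has only 2**32 values, so an unsalted hash is a lookup table waiting to be
    built. `network` is narrowed here so the demo finishes instantly; the same loop
    over 0.0.0.0/0 is what the thread means by 'reverse the entire search space'.
    """
    for candidate in ipaddress.ip_network(network):
        if plain_hash(str(candidate)) == digest:
            return str(candidate)
    return None


def salted_hash(ip: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the 'treat IPs like low-entropy passwords' suggestion.

    A salt stored next to the log defeats a precomputed table but not a targeted
    search: the attacker reruns the same 2**32 guesses with that salt. The only
    thing slowing them down is the per-guess cost, which the web server must also
    pay on every request it logs.
    """
    return hashlib.pbkdf2_hmac("sha256", ip.encode(), salt, iterations)


def seconds_per_call(fn, *args, repeat: int = 3) -> float:
    """Average wall-clock seconds for one call of fn(*args)."""
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat


def full_space_reverse_hours(seconds_per_guess: float) -> float:
    """Hours to try every IPv4 address on one core at the given per-guess cost."""
    return 2**32 * seconds_per_guess / 3600


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: a salt that is kept out of the log.

    Assumed approach, not from the thread. Cheap per request, and without the key
    there is no search to run, so protection comes from key secrecy rather than CPU
    time. Rotating or discarding the key (e.g. daily) bounds how long entries stay
    linkable, while entries under the same key can still be correlated for abuse
    analysis such as rate limiting.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    digest = plain_hash(SAMPLE_IP)
    print("unsalted hash reversed to:", reverse_plain_hash(digest, "203.0.113.0/24"))

    cheap = seconds_per_call(plain_hash, SAMPLE_IP, repeat=1000)
    print(f"plain SHA-256: exhaustive single-core reversal in about "
          f"{full_space_reverse_hours(cheap):.1f} h")

    salt = b"\x00" * 16  # constructed; a real deployment would use os.urandom(16)
    cost = seconds_per_call(salted_hash, SAMPLE_IP, salt)
    print(f"PBKDF2 cost per logged request: {cost * 1000:.1f} ms; "
          f"exhaustive reversal: {full_space_reverse_hours(cost):.0f} h")

    key = b"\x01" * 32  # constructed; keep the real key in memory only and rotate it
    print("keyed pseudonym:", keyed_pseudonym(SAMPLE_IP, key)[:16], "...")
```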


And all that stuff is super complex... for a number which is not person bound and personally identifying in the first place. Only with a lot more effort. So my critique is, the lawmakers should have made actions to use IPs to identify persons illegal, but not storing IPs themselves.


IP is person bound and personally identifying, in a lot of countries you can trace back an IP to a list of people and with an additional piece of information like a last name or a timestamp you can fairly reliably identify a single person.


How would all these things be legal just because an IP in a logfile isn’t?


Largely they aren't. It's not important that they are legal or illegal.

The problem is that it's possible and that is where the GDPR hooks in.


It’s probably also possible to identify people based on the combination of their car color, built timestamp, model and specifically ordered extras. Shall storing these, without a name, be made illegal then and forcing someone to save these in a database to hire a lawyer to ubderstand their legal position? Just because if the name is added to such a database of cars produced, it will be personal identifying?

Put another way:

If the goal is to prevent certain actions by making them illegal and a given boundary can already ensure that, what's the point in widening that boundary even more?


>If the goal is to prevent certain actions by making them illegal and a given boundary can already ensure that, what's the point in widening that boundary even more?

At least in Germany the boundary has not been widened and most corporations seemed to operate just fine.

> Just because if the name is added to such a database of cars produced, it will be personal identifying?

When you add data to your database you'll have to consider this, yes.

Privacy under the GDPR means that you evaluate whether or not it is necessary to store such data.

Why? Because the GDPR is not only about the present but also about potential problems. If your database gets breached and someone runs off with the data, the GDPR seeks to ensure that the data contained is the absolute minimum necessary and does not threaten the privacy of the users if possible.

Put another way:

Under GDPR you do not own data like car color, built, model, extras. People give you stewardship of the data and you are responsible for it. It is your task to protect it. Protecting people's data is easier when you don't have as much of it.


> Stop logging the IP address then. Hopefully default settings in web servers will change.

But in legal matters, you need to identify people and have some kind of audit trail, especially if they tried to breach your system. That makes no sense.


Depends what's on the site. If it's just a static site, there isn't a lot of point trying to investigate a breach, just fix the changes and move on.


Why stop at IP addresses then?

If IP addresses in logs are necessary for audit trails, why aren’t fingerprints?


You take it to a totally exaggerated extreme here.

That doesn’t help.

IP addresses are not 1:1 assigned to a person for a whole lifetime, fingerprints are.

Only with a lot of additional effort and connection to other databases can IP addresses actually be connected with a person, but only for an uncertain period of time; finding out this timespan, and ensuring it’s really only exactly this one person, requires even more effort.

So a properly crafted law would have made all these efforts illegal, and put high fines on them, but not the decades old practice of storing IP addresses in logfiles.


Why do you need to store IP addresses in log files?

I understand audit logging for authenticated users, but that's hardly a general case.


Why are IP addresses even considered personal data? They aren’t for most people and situations, unless a lot of other activities are done. All of which would be already illegal without consent by the law. The IP address I write this from changes every day, and nobody can know if I share it with someone or not.

I want to be protected from marketing firms that sell my email address, and everyone who uses it to send me mails for whatever product to buy just because I entered it for some totally different reason. Those shall be fined with 5 figure amounts.

I don’t see how my (and my housemates'/office colleagues' etc.) IP in the logfiles of the webserver which a small business rented for 3€ to upload 3 HTML files can be abused (without storing my email and name without consent, which is actual personal data and therefore illegal) and I don't want my hairdresser, car mechanic etc. to be in need to consult a lawyer to understand all that stuff and have a day's worth of bureaucracy and adding a “we have your current IP in the logs” note just because they want me to be able to google their street addresses.

The law is simply not well crafted, for no use, if the latter is the case.


>If you aren't competent at responsibly handling personal data and you want to build a project or startup, pick one that doesn't handle personal data, or put in the effort to learn how to do things properly.

Or, alternatively, just don't do business where it would put you under the jurisdiction of the GDPR. That's what a lot of companies are doing, and there seems to be a lot of resentment over it.


There isn't a law banning the use of Electron instead of learning how to build desktop applications properly, and there's a lot of resentment over people doing that too.


>There isn't a law banning the use of Electron instead of learning how to build desktop applications properly, and there's a lot of resentment over people doing that too.

Yeah, and that resentment makes no sense to me either. In both cases it's simply people doing what, in their estimation, makes the best use of their available resources.


> If it's only meant to be used against big companies or extreme offenders, why doesn't it say so?

Because, and this has been repeated millions of times on HN, Europe and the US follow different systems in writing laws.


Perhaps we should then take some lessons from how they write laws in the USA.


Lol hell no, the US is horrible at writing laws that are good for the common person. I'd rather trust the EU with its clumsy but well-intentioned laws over the USA's malicious, designed-by-companies laws.


In the Czech Republic, small companies and self employed people are commonly fined for breaking extremely complex and unclear laws, some of them set by the EU (e.g. VAT) - without any malicious intent, ready to pay whatever should've been paid. It's the big companies that get to make deals with the government and avoid punishment. They also consistently favour big companies over small ones with tax breaks, dotations etc. I don't trust the EU in the slightest.


Most regulation seems to fall into that category in the US too. Big companies have the money to combat it and still make a windfall of profits, while the small guy trying to build a company gets crushed because some regulatory prosecutor is trying to make a name for himself.

Tax law is probably the most common example of this.


lol, no thanks.


He's talking a nice talk, but history has shown us that when the EU makes regulations/laws then they just don't care about the consequences or the collateral. As evidence I would bring the completely useless cookie law and the completely botched "digital VAT" change.

In the latter it just confounds me that the legislators set up a situation, where a small business in the UK is better off not selling a digital good (that you can make infinite copies of) to a buyer in Malta, because the bureaucracy would cost more than the sale would pay. You can't have a "single market" like that.


"but I would like it a lot better if it said that in the actual law"

Have you read the bloody law! http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

This is legislation designed to protect not only me (as an individual) but you as well (as a probable foreigner) from me!


Reading the law, I only see a single exception for small companies: Articles 30.1 and 30.2 don't apply to companies with fewer than 250 employees.

Out of an 88 page law, 1% of an auxiliary middle of the law is carved out for small companies.

I'm not sure that counts as differential application for small companies. In the US at least, large portions of entire key burdensome laws don't apply for employers below size 50, 10, 5, etc. This does not seem to be the case here.

Does anyone know whether an official impact study on innovation was even done before its passage?


You can be a company of ten people and still turn over millions by selling your users’ data in shadowy ways. Why shouldn’t you be stopped just because you’re small? How can the size of a company be used as a rational differentiator in a law like this?


Because the vast, vast, vast majority of small companies aren't turning over millions of dollars. That's the same logic as, "some people cheat on welfare, so let's defund it." This logic gets pushed around a lot by GOP pundits.

The law may be good as a whole but be overly burdensome for small companies. You should at least acknowledge that instead of just dismissing that outright.


Similar laws have existed for many decades. In The Netherlands, privacy laws date back to the 1970s.

At least my reading of the GDPR is that it tries very hard not to be a big burden. If you are a small company or organisation and you collect a minimal amount of information (for example to contact them) there is not a lot you have to do.

The main thing is, you are not allowed to be sloppy. If you collect personal data, you have to think about whether you should collect it at all, where to store it, process it, and when to delete it. And you have to tell people that before you ask them for personal data.

Nothing like, we just collect a bunch of data, give copies to everybody, and have no idea what we collected. That attitude no longer works.

If you set up food regulations, are you going to exempt restaurants with only one cook? Or have aviation regulations that do not apply to airlines with only one pilot?

Given that the entire GDPR is less than a hundred pages, you can easily read it in one evening and get an idea of what you can do, have to do, and what the corner cases are that you may need to discuss with a lawyer.


> If you set up food regulations, are you going to exempt restaurants with only one cook?

But restaurants with only one cook can't afford a $300/h lawyer to tell them how to keep their shit hygienic!


And in the EU we have a different way of working. In the UK you can literally phone up the ICO and get free advice, specific advice on how to stay compliant.

If it turns out that you are in breach, they will write to you with information about what you're doing wrong and how to fix it.

In the EU we don't rely on lawyers for a fraction of the stuff you do in the US.


> Does anyone know whether an official impact study on innovation was even done before its passage?

So if it's "innovative" a small 5-person startup should be able to wreak havoc on my personal data in whatever way they see fit? What is that nonsense? Are you seriously suggesting that "innovation" in startups should be more important than my privacy?


Are you seriously proposing that regulations move forward without an understanding of their impacts?

No matter what the ultimate decision is, no matter how sensitive the subject matter, impact studies are critical to making smart decisions.


If a regulation is going to impact "innovative" startups that sell my data, I am totally for it. I don't want more innovative ways to sell my personal information.


> sell my data

I think you're justifying a really extreme reaction based on the worst behavior of a few companies. GDPR doesn't just go after data-resellers. It targets how a well-intended company can use and keep your data even with no third party involved.

Laws that mess up the good guys' lives are bad laws. GDPR is from the same folks who thought a law that led to pestering users about cookies was a good idea.


It's not stopping any well intended company from fairly using data. A law making it harder for well intentioned gun enthusiasts from getting guns is a good law according to me. All well intentioned gun enthusiasts should support it. Otherwise there'd be a day people would get tired of the bad intentioned gun owners and legislate a complete ban on guns.

Also I like the cookie idea. If only people really cared about misuse of their data they'd like it too. We've seen how good 3rd party cookies have been for some democracies.


Maybe it's just me, but the 2nd Amendment talk in this case really seems like a hamfisted way to spout political opinion that's in no way relevant.

>All well intentioned gun enthusiasts should support it.

Really black/white argument there which the issue is not. And nor is this topic. There should be more nuance in GDPR, but there isn't which creates a lot of discomfort.

>It's not stopping any well intended company from fairly using data.

It actually is, but whether or not that is an overall good thing is yet to be seen. Certainly, they did some level of testing before proceeding.


So without curiosity or concern for any other impact you say yes...

I might say yes but I still want an impact study.

I prefer governing bodies operate with an awareness of how their actions affect society.


I don't think we're going to lose as many "well intentioned" websites as much as we'll get rid of bad intentioned businesses.


You’re missing the point. One last time: it is ideal to operate with an awareness of consequences.


> Are you seriously proposing that regulations move forward without an understanding of their impacts?

No, and it is dishonest of you to suggest that was claimed.

> impact studies are critical to making smart decisions.

Which were done as was consulting with industry etc. well before the law was passed two years ago.


In the history of laws, many of the ones designed with good intentions have been quite harmful.

And yes, I've read the law. It's typical of legislation in that it obviously wasn't written by people who knew what it looked like to perform that in a real life business.


> And yes, I've read the law.

Have you read recital 1? https://gdpr-info.eu/recitals/no-1/ ? The starting point of the law is that data protection is a fundamental human right. The data subject owns their PII, not some company collecting it.

It's all up to whether you are willing to accept that as a fundamental right or not.

I mean there are a billion Chinese who live with the fact that free speech is not a fundamental human right. Most Westerners have a problem with that.

Now many US based IT professionals seem to have problems with accepting that nobody else can own the data about a human.

> It's typical of legislation in that it obviously wasn't written by people who knew what it looked like to perform that in a real life business.

That's what a cotton farmer could have said when they made slavery illegal. Obviously respecting others' human rights makes some business models illegal.


First, let me say that, I'm not the person you're replying to, I haven't read through the entire GDPR (yet), and I think that stronger privacy laws are a very good thing. (Part of the reason I regularly donate to the EFF.)

> The starting point of the law is that data protection is a fundamental human right. The data subject owns their PII, not some company collecting it.

> It's all up to whether you are willing to accept that as a fundamental right or not.

As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

> Now many US based IT professionals seems to have problems with accepting that nobody else can own the data about a human.

I think the idea that someone can own facts about anything is bound to cause some amount of confusion or even cognitive dissonance.

At what point does one's right to be forgotten supersede another's right to remember?

If Alice knows something about Bob because of their personal interactions, and he asks her to forget about it, but she still remembers it, is she violating Bob's right to be forgotten? How about if she had written it down in a journal? Does she need to erase what she wrote? What if her journal was stored electronically? In any of these cases is she allowed to tell another person? What if she already told another person before Bob told her to forget about it?

More concretely, suppose Bob visits Alice's house, and then a couple of weeks later tells Alice that she must forget that he visited. If she ignores his request is she violating Bob's rights?

Now suppose Bob is visiting Alice's website, which records his IP address in a log file. Bob asks to be removed from the log, and again Alice ignores his request.

I think for many technically minded people there seems like an awfully smooth gradient between these last two scenarios, and so classifying one as reasonable and the other as a violation of human rights can be surprising. Precisely where is the line drawn that makes one scenario reasonable, while the other is completely unacceptable?


> As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

Yes, in Germany, everyone, meaning citizen (EU/EEA) or not, enjoys the right to be forgotten from surveillance cameras or any image/personal information that is not subject to the legal registry, from public record beyond 90 days. Unless you are targeted for an otherwise legal reason.


Which law is that exactly? (German here, but I don't know what you’re referring to.)


Not able to answer that question but the Auskunftspflicht also covers police surveillance footage.

Personal anecdote: I was involved in a student demonstration once that ended with the police recording every individual separately in addition to checking our national ID cards. After about 14 days I wrote them a letter requesting information about what data they had kept and to destroy that data if it is not part of an active investigation.

I received a formal response saying they had already destroyed the data shortly after collecting it because they didn't end up needing it.

I presume the law is exactly the same as with any other organisation, i.e. the BDSG (Bundesdatenschutzgesetz) which as of now implements the GDPR (DSGVO) in Germany.


Yes, and meanwhile they illegally sniff your whole Internet traffic... just one current example https://blog.fefe.de/?ts=a5f2e96c


Generally, Bundesdatenschutzgesetz (BDSG), mainly Kapitel 3. §57, §58 and §61.


> At what point does one's right to be forgotten supersede another's right to remember?
>
> If Alice knows something about Bob because of their personal interactions, and he asks her to forget about it, but she still remembers it, is she violating Bob's right to be forgotten?
>
> etc.

No, no-one can force you legally to forget something, and I think this brings up the main problem with your argument, which is that we're not talking about Alice and Bob, we're talking about Alice and Bob's Widgets INC.

I'm technically minded and I see a 100% separation between the interaction between Alice and Bob, and Alice and Bob's Widgets INC. Yes, I do think it's completely reasonable for Alice to ask Bob to be removed from log files, journals, whatever.

Let's look at a parallel you drew:

> More concretely, suppose Bob visits Alice's house, and then a couple of weeks later tells Alice that she must forget that he visited. If she ignores his request is she violating Bob's rights?

I wouldn't say that Alice is violating anyone's rights here. Being unreasonable, yes. Asking for something with no legal or enforceable basis, yes.

> Now suppose Bob is visiting Alice's website, which records his IP address in a log file. Bob asks to be removed from the log, and again Alice ignores his request.

This is a non sequitur, these are different scenarios with different requests, just with the names kept the same. Businesses aren't people, and they don't have memories like people. Businesses don't (for the most part, legal actions notwithstanding) need IP address information. It can be helpful, certainly. Knowing your customer has returned, knowing what they have looked at etc., but it's not essential.

So yes, it's reasonable to ask for removal from logs, and no, it isn't reasonable to ask someone to forget you visited their house.


I guess this demonstrates a prime example of one of the biggest differences in the US:

In the US, corporations are people.

In the EU, corporations are legal persons but don't inherently enjoy the same rights/protections as natural persons (i.e. humans).

Just remember the Hobby Lobby ruling: in the US, corporations can have religious beliefs. In the EU that sentence doesn't make any sense because a corporation cannot hold beliefs (though the people employed by or owning it can).


> In the US, corporations are people.

> in the US, corporations can have religious beliefs. In the EU that sentence doesn't make any sense because --

It doesn't make sense because in the EU we didn't artificially create a legal construct to support the notion of corporations having religious beliefs (or "being people").

Please don't act as if both ideas are equally valid descriptions of the real world when one of them is strictly a legal fiction and completely meaningless in any other sense.

I'm sorry but just like the notion that a 2-person startup would need $300/h lawyers for any significant amount of time to ascertain they're sufficiently in compliance with the GDPR to not get sued into oblivion (.. or something? over here people can just read and implement the needed provisions by themselves in under a week, is what I heard from my friends in the business), this seems to be a problem inside the US legal system, doesn't really seem to me like it's the EU's problem to take into account when it's broken like that.


I'm not disagreeing with you. I'm just trying to be objective rather than judge the two models based on my opinion. My opinion would be that the US system is the result of Friedman free market capitalism trumping civil rights over decades. And in Europe I'd consider myself libertarian.


> No, no-one can force you legally to forget something, and I think this brings up the main problem with your argument, which is that we're not talking about Alice and Bob, we're talking about Alice and Bob's Widgets INC.

I assume you mean Alice's Widgets INC., since Alice was the one with the website.

But in any case, I didn't say "Alice's business's website". I said "Alice's website", as in her personal website. Are you saying that an individual's website can record visitor's IP addresses and store them indefinitely, but a business cannot?


What if it is a personal website, not affiliated with any corporation?


> Precisely where is the line drawn that makes one scenario reasonable, while the other is completely unacceptable?

1. don't be unreasonable

2. be acceptable


Perhaps you should take your own advice.


> As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

That's a good point. The term "fundamental right" occurs only in the recitals, not in the law itself IIRC. The law applies to authorities, but not when they carry out the legal tasks in prosecuting and preventing crimes and dealing with public security. So you would not have any rights with respect to video surveillance by authorities, unless you could prove that that is not done for public security :(

When it comes to authorities practices differ a lot in the EU. Let me give 2 examples because I live/lived there

1. In Germany video surveillance of public spaces is not very popular. One of the biggest cities in Germany, Frankfurt/M., seems to have 6 (six) such cameras now. And whenever there is a new one, it still makes big headlines http://www.fnp.de/lokales/frankfurt/Datenschuetzer-Es-wird-z... (In socialist East Germany they had them already in the 1980s, but I am sure they all disappeared in 1990)

Google has stopped rolling out Streetview in the very early beginnings. Not that it is an authority, but it shows the public opinion, even if it's a single picture every couple of years and faces are blurred.

It appears that the resistance is more and more broken. On my last visits to Germany I saw cameras on trains/buses for the first time. I'd assume they are not counted as public spaces, but private properties. Which is a problematic classification considering their function. In Northern Ireland cameras were standard on buses already in the 1990s, no idea for how long before that.

When you get a German passport they will store the fingerprint on it (I guess that's a nearly world-wide standard for machine readable passports). However, in Germany they make a big fuss about it that the fingerprint is erased from all databases as soon as you have accepted your new passport. If you detect a typo in your passport after accepting it, you have to apply for a new one, pay again and have your fingerprints taken again.

2. In Finland public video surveillance has existed in all big cities (not that there are many...) for decades. There are also street condition (think snow) cameras on the internet. It's not their purpose, but some of them show fully identifiable people when they happen to walk by. Not many people seem to be bothered about it.

In Finland the fingerprints for the passports are stored until there will be a law how they are allowed to be used. Only few people believe that the police would not use them to solve a high profile crime before the law is ready.

A common Europe is still a big fiction in many aspects.


FWIW the cameras on public transit (which have been the norm in Cologne for at least a decade I think) are legal (under the old data protection laws anyway) because the recordings are automatically destroyed after 24 hours or so.

I think the GDPR would protect them because of a number of factors:

* there's a legitimate security interest (vandalism, terrorism, rape and other personal crimes)

* the recordings are not stored longer than necessary to fulfill that purpose

* there is clear signage indicating you are entering an area with surveillance cameras (i.e. you are giving informed consent)

The GDPR protects the individual's right to privacy but it's a balancing act and the security interests are fairly valid.


> * there is clear signage indicating you are entering an area with surveillance cameras (i.e. you are giving informed consent)

So if I don't want to be filmed on the bus I take a taxi for 10 times the price? (Not sure whether they might have cameras, too. Haven't taken a taxi in Germany for many years.) Or I walk 2 hours?

That's not what I would call informed consent. It's information yes, but as long as there are no competing bus lines without cameras there is no choice really.


We're going in circles. Let me repeat: nobody has a problem with increased data protection and privacy. We're all better off for it.

But the laws regarding it are not clear for an actual operating business. Instead of being simple and straightforward to implement, they are an ambiguous mess that is wasteful and misplaced. Laws designed that way almost never actually accomplish what they set out to do.


> Instead of being simple and straightforward to implement,

I am not sure I can fully follow you here.

If implementers accepted that they only collect what is absolutely necessary and delete what they are not legally required to keep, things would be much easier.

Problems start when the business model is that customers'/users' data is our product/an asset and we somehow try to find the minimum possible implementation that just meets the requirements of the law while still using all loopholes it might possibly leave.

I agree that the law is not very clear on how you should code it. Nor very detailed on what you can do with a certain piece of data. So it depends on your approach: If you take a conservative approach of "if in doubt, we don't keep the data", it suddenly gets much clearer. If you start fiddling ("maybe I could still do it if we did it like this and that"), you end up in endless work.

And of course if you have an existing system that never had the requirement of deleting anything there is a lot of work. But the law has been in force for 2 years, so for businesses that wake up now, when the transition period has ended, it can be a mess.

>Laws designed that way almost never actually accomplish what they set out to do.

How would you have written the law? Do you have counter-examples of laws being written so clearly that you could recommend them?

The key point really is: Many business models and practices on the internet are incompatible with the spirit of GDPR. It's a fundamental right that the users own their data and businesses are not allowed to do with it whatever they want.

Lawmakers did not want to write it that clearly, because lobbyists would not have accepted it. And business owners still don't want to accept any such fundamental right. So complaining about the law being too complicated is somewhat canting.


They are not "simple and straightforward to implement" for two reasons. First one, the problem domain is not simple and straightforward to implement. It may be surprising, but it's only because we've never learned to treat PII with proper respect. Second one, it's because businesses did their best to avoid and abuse privacy laws previously, so the new law has to counter the usual workarounds.

Yeah, it might be getting harder making a startup working on personally-identifiable data - even if it's not doing anything shady. But it's also hard to make a food or healthcare startup; you can't just "move fast and break things" there either. In the EU, PII were finally granted the status of something actually important.

As for startups that depend on abusing user data, I'm very happy they have problems now.


A datum is not actually important just because it relates to a person in some way. It's not as if this is a regulation about venturing into deviantly risky territory: running a network service of any kind involves the processing of peer IP addresses.


And processing that IP address is necessary for the operation of the service offered, so entirely acceptable.


Exactly. Plus they don’t simply concentrate on people intentionally/ignorantly abusing data (putting my email on mailing lists again and again and ignoring me telling them multiple times I don’t want it, reselling, etc.) but put a lot of insecurity and bureaucracy on people with nothing more than a static website with IP addresses in logfiles...


May I ask what is not clear to you? I can try to help. As I see it, it is very simple, it is the same thing as with borrowing someone's car:

- personal data (car) are any data that have the potential to identify a person

- a person owns their data (car). You can't buy them (well, this part is different than the car), you can't steal them, you can't sell them, but you can borrow them. But for that you need to ask (consent), where it is not allowed to trick the owner into giving them to you without being fully aware what was borrowed and why. And if you are borrowing the data for someone else, you need to ask about that too. And tell when you will return it.

- it is immature and unfair to play grumpy if someone doesn't want to allow you to use their data. Or try to force/blackmail them out of him. So it's not allowed to do that (noyb.eu)

- once you borrow the data (like property, envision a car), behave accordingly: the owner can demand them back, demand to see them, demand to know what you are doing with them, and if stolen it is completely normal to tell them about that. And if they were stolen due to your fault (leaving keys in a car), they might demand to be compensated. Same goes if you misuse them (let me put some fertilizers on the back seat, forget to return them, giving it to all your friends without asking,...)

- if the data owner asks you to do something that requires his data ("hey, can you please take my car and bring me icecream from the store") you don't need to ask for data, it is expected you can have them.

Did I forget something? I consider it simple, as long as you try to stay genuinely respectful of other persons' ownership. Just think about borrowing your car or borrowing a car from your best friend and you won't go far wrong.


Things, as opposed to knowledge, are fundamentally different.

If you tell me your birthday how can I forget it?

If you lend me a car I have something I can return...


> If you tell me your birthday how can I forget it?

That's not really relevant. GDPR doesn't ask people to forget things out of their minds.

So let's rephrase to a more relevant example:

> if you provide me your birthday on a web form and I put it in a database how can i forget it?

This now becomes relevant, and easy to answer. You delete it.


> if you tell me your birthday how can i forget it?

Ask any husband.

Joking aside, if the memory is on a computer system, as opposed to a person, you can, you know, just delete it.


Out of curiosity, could I legitimately ask Google, GitHub, etc. under the GDPR to delete my name in the AUTHORS file of the git commit it was added in when I contributed to Chrome's v8 engine 10 years ago? Would they have to comply if I did?

Obviously, removing the commit would break git's ability to sign any hashes for that repository after that point…

And thinking it through a bit more, what about the companies that use v8? Could I ask my regulator to get Joyent to remove it from their systems? I'm sure they have copies…


You could ask, but them not complying falls neatly in the legitimate need case...


Ah, this is so interesting! It seems like you're allowed or not allowed to keep data based on the data structure that you use to store it!


Data structure has nothing to do with it. If you stored social media users as fake AUTHORS lines in a git repo, that still wouldn't make you allowed to keep it. In the inverse situation, storing git authorship in the comments table of your photo site's database, you would be allowed to keep it for legal uses.


I interpreted the original poster's point as being that the git repository could not be modified without destroying it. I thought that's how the next poster was responding to it. If you cannot modify an old entry without destroying the integrity of your system, are you required to modify it? Either the answer is yes and you effectively cannot use certain data structures (with their integrity), or the answer is no and certain data structures allow you to keep data.


You would want to avoid using a git-like data structure for data you have to delete. But the example was data that's part of making the copyright license function, and you can keep it for legal purposes.


> But the example was data that's part of making the copyright license function

You entirely missed the point of my hypothetical, which was about immutable data structures like git employs.

As it turns out, our business also uses a git-like hash-chained commit log for our normal database. Deleting old entries would thus violate the integrity of our database. Is that now illegal under the GDPR?
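The integrity problem raised here, as an added example that is not the commenter's database or any project's code: a naive git-like hash chain breaks verification the moment a record is deleted, while a chain that commits only to a salted hash of each record (with the record and its salt kept in a separate, deletable store) survives erasure intact. All class and function names are hypothetical.

```python
"""Hash-chained log vs. the right to erasure (constructed example).
NaiveChain hashes the raw payload into the chain, so deleting one record
breaks every later hash. ErasableChain hashes only a salted commitment
H(salt || payload) and keeps payload and salt off-chain; erasing a subject
deletes that record while the chain of commitments still verifies.
Names are hypothetical; this is not the commenter's database.
"""
import hashlib
import json
import secrets

GENESIS = "0" * 64


def _h(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class NaiveChain:
    """Each entry's hash covers the previous hash and the raw payload."""

    def __init__(self):
        self.entries = []  # (prev_hash, payload_json, entry_hash)

    def append(self, payload: dict) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        body = json.dumps(payload, sort_keys=True)
        digest = _h(prev, body)
        self.entries.append((prev, body, digest))
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for stored_prev, body, digest in self.entries:
            if stored_prev != prev or _h(prev, body) != digest:
                return False
            prev = digest
        return True

    def erase(self, index: int) -> None:
        del self.entries[index]  # only way to drop the data, and it breaks the chain


class ErasableChain:
    """Chain commits to H(salt || payload); payloads live in a deletable store."""

    def __init__(self):
        self.commitments = []  # (prev_hash, commitment, entry_hash)
        self.records = {}      # commitment -> (salt, payload_json)

    def append(self, payload: dict) -> str:
        prev = self.commitments[-1][2] if self.commitments else GENESIS
        body = json.dumps(payload, sort_keys=True)
        salt = secrets.token_hex(16)  # keeps the commitment unguessable after erasure
        commitment = _h(salt, body)
        digest = _h(prev, commitment)
        self.commitments.append((prev, commitment, digest))
        self.records[commitment] = (salt, body)
        return commitment

    def verify_chain(self) -> bool:
        prev = GENESIS
        for stored_prev, commitment, digest in self.commitments:
            if stored_prev != prev or _h(prev, commitment) != digest:
                return False
            prev = digest
        return True

    def open(self, commitment: str):
        """Return the payload if it is still held and matches its commitment."""
        rec = self.records.get(commitment)
        if rec is None:
            return None
        salt, body = rec
        if _h(salt, body) != commitment:
            raise ValueError("stored record does not match its commitment")
        return json.loads(body)

    def erase(self, commitment: str) -> None:
        """Right to erasure: drop data and salt; the chain itself is untouched."""
        self.records.pop(commitment, None)


def demo() -> dict:
    # Constructed sample records; the addresses are placeholders.
    alice = {"author": "alice@example.invalid", "msg": "first commit"}
    bob = {"author": "bob@example.invalid", "msg": "second commit"}
    naive = NaiveChain()
    naive.append(alice)
    naive.append(bob)
    before = naive.verify()
    naive.erase(0)
    erasable = ErasableChain()
    c_alice = erasable.append(alice)
    erasable.append(bob)
    erasable.erase(c_alice)
    return {"naive_before": before, "naive_after": naive.verify(),
            "erasable_chain_ok": erasable.verify_chain(),
            "alice_gone": erasable.open(c_alice) is None}
```

Once the salt is gone the commitment left in the chain cannot be reversed into the personal data by guessing, which is what makes the erasure meaningful rather than cosmetic.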


Well, it's about being able to judge things on their specific merits -- as opposed to having some blanket one-size-fits-all rule.

Law has nuance and cases (and corner cases), it's not some strict predicate.


I agree and understand, but it does give us a likely unintended consequence: no sequential hashed data structures when you are required to be able to modify it. Probably a good thing for hearing less about blockchains!


No. They're required to know who the authors are for legal reasons.


Extreme over-exaggeration in my opinion.

Actually, just because one criticises the way the law is made doesn't mean they think its basic intention is wrong.

As for your slavery example: forbidding slavery is one (good) thing. Saying "everybody having somebody work for them out of anything but total free will and not being able to prove it is doing forbidden slavery" is something else. If I must work because I need to eat and pay rent, is that total free will? How can anyone prove that?

So sure, the wording is extremely important.


Yes, indeed I have. But if there's something I've missed, I'd surely appreciate a quote or specific reference.


Please point to the specific section you’re referring to.


I'm sure a whole cottage industry around GDPR compliance will be up and running by the 26th. :|

We're a small agency and all of the legal worries around the GDPR have essentially put one of our revenue streams on hold until we sort out the legalities. Like the comment above, we simply do not have $300/hr available for lawyers to go over everything.


In legal contracts "whereas" often expresses sentiment but it's really the actual terms that matter. Having drafted a number of contracts, I feel most contracts generally have a section that approximates "whereas everyone wants things to go well and everyone to benefit..."

That's great that your company works well with GDPR. I imagine many companies will. I'm also sure that the impact on your backups could have been had without the law if you so chose.

However, an organisation that works inside the UK (EU) serving many EU paying customers (presuming here) is very different from say, Instapaper, who pulled out of the EU today because they don't make very much money from EU customers.

If we pass a regulation that says everyone who is in New York for any amount of time must pass an annual 1 hour health exam (conducted by NY state), I imagine this to be totally acceptable to New Yorkers. It correlates with good public policy: you prevent communicable diseases, and can catch health problems before they get big. However, if this rule were to be enforced strongly, someone who might stop by once or twice a year is probably better off never coming.


That's the wrong analogy. How about "everyone who is in New York for any amount of time has to not be actively harming New Yorkers". Sure, some people who want to actively harm New Yorkers are going to go away and never come back... but they'll all be better off for it - and really every other state should probably pass a similar law.

Edit: duly noted. Libertarian capitalists of Hacker News do not agree.


I find it amazing that you came up with the most one-sided argument you could think of ("not actively harming") and still didn't realize how badly it can misfire.

Here's a hint: my dentist is actively harming me when taking out a tooth.


> my dentist is actively harming me when taking out a tooth.

If that were true you wouldn't pay them to do it. They are causing you pain in the short term, yes. That's not the same as harm.


This comment is personal data about you, specifically your political views. It's now in my browser cache. If you were to ask me to clear it, I'd probably say no. Am I actively harming you?


I was actively harmed by kennywinker's idea. I actually would like to seek restitution from him for expressing it, because I don't know of a way for him to have it fully erased from my mind.

...or maybe I shouldn't have used this site if I didn't want to be exposed. This is going to end up being less exposure for the EU to things on the internet until someone figures out how to monetize them. If they cost money without somehow contributing something they will be actively excluded.


Oh no! Parasitic corporations that provide little or negative value to society are going to make less money off of Europeans!! What will they do!!!


I shared my political views publicly. I happened to also use a pseudo-anonymous account to do it. If I suspected my government was cracking down on vaguely anti-libertarian-capitalist viewpoints, I would probably ask Hacker News to remove the extra metadata they might have on their machines that could be used to de-anonymize the comment.

I'm not too worried about your browser cache, but it could under the right circumstances give you some small power to harm me, yes.


How do you handle developer computers with possible client data on them, even semi-anonymized? Or when communicating issues on the live server, you might transfer client information to other stakeholders to debug the issue. Are you tracking that communication? Where does the communication data reside, perhaps on a server outside of the EU?

There are a lot of complications that arise if you think about the second order/third order consequences of the law.


I don’t know GDPR inside and out, but I have worked at places (not military) where I could be held criminally liable for misuse or negligent disclosure of PII.

The answer to “How do you handle...” is that you get your shit together. Separation of duties, build and configuration standards, no customer data on random laptops.

When I was in high school, I worked at a sandwich/coffee shop. The precious commodity in that store was cash. We didn't leave cash on a counter, or on a roll in our pockets; it was in a locked register. When there was more than $500, we withdrew down to $250 and put the cash in a safe. At the end of the night, we put the cash in a locked pouch and two of us walked to the bank and put it in a dropbox.

Data is no different, just more complex.


And if getting your "act together" is a substantial cost for small companies, no matter?

The word choice almost presumes the conclusion, that data privacy rules are obvious, and cheap, and akin to just washing hands after using the toilet.

Every regulation has costs and benefits. I also would love to have better worldwide privacy at no or little cost, but the fact that people are blocking the EU shows that some companies just don't see this to be the case. And they're voting with their feet.

EU citizens should accept the fact that if they support the law, they will further data privacy protections, which are good, and they will face the music if some innovation leaves or whatever compliance costs may come with it.


> And if getting your "act together" is a substantial cost for small companies, no matter?

Yes, no matter. Should small companies also get a free pass on food safety laws? Health inspections are a PITA for restaurants too.

This reaction is pretty much textbook psychological reactance[0]. People doing business had some freedoms wrt. user data, but it turned out in practice that they should never have them in the first place. Now that those excess freedoms are being removed, businesses cry foul.

--

[0] - https://en.wikipedia.org/wiki/Reactance_(psychology)


Exactly. It's very sad that reasonable privacy measures present such a technical challenge, but nobody promised being responsible was easy. That's why we have regulations - to force businesses to place the common good ahead of profits, where applicable.


>Should small companies also get free pass on food safety laws? Health inspections are a PITA for restaurants too.

But if you look at how reality works, then you'll see that small companies often do not implement the proper food safety standards. This causes all sorts of problems, because if a company already does one shady thing, then doing one more isn't as much of a problem anymore.


And then they get closed down when a food inspection takes place.


Yep, that's exactly the case, but another one of these opens up somewhere else at the same time. We've had inspections like this happen for many years, but it's still happening. And these companies that don't adhere to the law could outcompete those that do by saving in some costs.


Yes, it is unfortunate that the authorities lack resources to track down all misbehaviors, but that doesn't make crime acceptable.


But it means that the laws are poorly thought out, if only some of them get caught and it gives a big advantage to those that do it.


Data privacy isn’t trivial, but the core concepts are pretty straightforward. Like cash, data is both an asset and liability. The business model of tech insulates the investors completely from liability, so there is no incentive to self-police.

The contempt shown for us collectively as users and people is what triggered the regulatory backlash.

The 2016 election demonstrated better than anything why this is important.


The internet's role in the 2016 election was primarily its ability to connect like-minded people and capture their attention in a venue where advertising can be purchased cheaply and casually. Data may have helped with ad targeting, but was basically incidental. The insufficiently regulated thing there was speech, not data, and there are good reasons we don't really regulate speech.


I agree that the Facebook/Cambridge Analytica debacle should have been prevented. I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

As mentioned before, size limits are probably good for compliance costs; if the problem is political influence, make that a key part of the law. Making liability per privacy breach part of the law can be useful too (to deter companies from lax security that ends up with them hacked).


> I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

Legislators don't have the luxury of saying "I'm not totally sure what's the best legislation" to fix this issue; they are forced to propose an actual fix. If you don't have a better alternative on hand, I'd urge you to consider that which legislators have arrived upon after months or years of consideration.


The problem with carving out exceptions for small companies is that larger ones would simply subcontract out all their data handling.

Like encryption, data privacy is either all or nothing.

And personally? I'd rather live in a world without tracking-enabled Google and Facebook business models than the one we're currently in.

Holding personally identifiable data is a toxic externality: Experian simply exposed a clear case.

If you want to do so, you should have to bear that cost. Or design your business model differently so that you don't.


For size limits, as logicians, we would think that companies would just split infinitely but that doesn't seem to be the case.

For example ACA 2012 (Obamacare) applies the most onerous terms on companies greater than 50, but not a lot of 100 person companies split into two groups of 50 to dodge it.

I think privacy is indeed along a spectrum and not binary. I certainly think that EU citizens are more concerned with Facebook and the vast trove of data they have and political irresponsibility with it than with GarethsFirstApp in the Android store handling user data well.


Splitting core business functionality and siloing data handling to a contractor are apples and oranges.

And I'd point out that the latest Facebook media privacy outrage was caused by a smaller (1 person?) third party company.

GarethsFirstApp isn't so innocent when it's providing Facebook with data they can no longer collect themselves (given a hypothetical "You're small, so we'll let you get away with it" GDPR).


Let me shed some light on this: I have my own mail server and I use a separate mail address (and it will soon be close to 10 years of doing that) for every registration to any website, let's say domain_url@mydomain.com. As you can imagine, I can track who sent me the email and where they got my address from. 99% of the addresses that I get spam on came from registering with small businesses, never from large sites. Get it?

So based on that some might argue that small businesses should be regulated more, as the majority of violations are coming from them, not well-established businesses. It is probably not true, but it might also be.

So... binary only is the right way to go.


"The answer to “How do you handle...” is that you get your shit together."

Yes, it is.


I have keyed in and deleted so many efforts at an answer to your question that I have given up and find myself merely asking: "Have you actually read the regs?"

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

My reading of them finds no second/third order anything. The regs are surprisingly clear.

I forgot to mention that unless you are trying to abuse EU citizens in some way then you have no problems. A useful side effect of the internet is that deciding whether someone is an EU citizen or not is tricky. That means that most companies have decided to treat all citizens in nearly the same way:

For you as a private individual, a foreign power now provides you (indirectly) with way more "rights" than you might have had in the past on the internet. Have a read of the regs, please. The first few paras are a bit "we the people" but then, that is what is required. Then go through the articles. Read them as a person first and then consider them as a company or whatever you do later.


>I forgot to mention that unless you are trying to abuse EU citizens in some way then you have no problems.

Half of commenters are making this assertion; the other half are asserting it's a damn good thing that small companies will be eviscerated for insufficient seriousness, whether or not they are doing anything abusive. Some of you are necessarily wrong.


I could argue that not protecting my data constitutes abuse.


> surprisingly clear

This is an 88 page document with extremely dry language. Just confirming your assertion will be time consuming. No wonder many American services would rather shut out EU users than comply.


This is a silly and downright crude comment. My mortgage contract was 56 “dry” pages and I found time to read/understand it, to the best of my ability.

If you own a business, the cost of reading this document is about 2 days (with consideration for googling terms). To disenfranchise a whole continent because you are inconvenienced is ridiculous.

Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?

American services are just busy because they are doing their best to keep the lights on. Within a week, the handful of companies will comply. They’re just cautious because they have to pay folks and don’t want to make a silly mistake that will shut down their business.

Edit: structure


> If you own a business, the cost of reading this document is about 2 days

I've been watching experienced lawyers, general counsels, etc. from various companies, vendors, etc. literally yell at each other about some of the finer points of the law. It's quite fuzzy on a lot of things, and gets REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff get really fuzzy when handling things like free accounts.

If you make any amount of reasonable money, you need a lawyer to work with your devs (hope you didn't outsource the work!) on a lot of this. And your usual lawyer, if in the US, might not be qualified to deal with EU laws. It's a tough situation. For businesses that don't even target EU markets on purpose, well...

If you're a medium to large international business, then this is just business as usual: dealing with new laws popping up, small or large, is just something you do. It sucks, but hey: it increases the barrier for entry of your next competitor!!

Disclaimer: I think GDPR is fine, and in a few years when every new startup or mom and pop company and 3rd parties are all set up for it, it will be a no-brainer, just like email (not many people running their own email servers these days!). But the transition is hard, especially on smaller players.


> For businesses that don't even target EU markets on purpose, well...

See https://ec.europa.eu/info/law/law-topic/data-protection/refo...

> When the regulation does not apply

> ...

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.


This boils down to relying on each of the EU's twenty-eight data regulators interpreting "specifically target" favorably into perpetuity. One of them takes an unusual view, once, at any time in the future, and you lose 4% of your global revenues.


> I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.

Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.

GDPR has more nuance than most other situations, but just like PCI, you just deal with it.

What I imagine is this situation is like a bunch of stores stop taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.

Would folks have the same reaction if their neighborhood deli said "fuck it! I ain't protecting the CC data because it's tough and requires too much work"?


The cost of PCI compliance is baked into the transaction fee, and yes, businesses are sometimes cash only; particularly if the business is small and its products are affordable, customers understand and appreciate the owner's unwillingness to pay those fees.


PCI is well defined. It's a lot of process, but nobody is confused on what the process is.


How true was that on week 1 that PCI went live?


There was still a pretty easy line between "I take credit cards" and "I don't take credit cards". The rules for PCI drastically vary between company sizes too, in that compliance for small companies is pretty easy, and your responsibilities increase as you grow. To this day, there are companies that don't take credit cards too (though usually it's not to avoid PCI, heh).

But yes, once there's an industry of GDPR auditors, precedents in lawsuits, and the threshold for "Do not market explicitly to europeans" is obvious and well understood, this will be much easier.

And still, until the end of time, there will be companies that aren't GDPR compliant and don't work with EU customers. Maybe with the goal of doing so once they have more time and resources.


100%.

It's basically a checklist, and you're either compliant or you're not. It includes various levels with actual numbers and explicit requirements, there's very little interpretation needed.

If anything, it should've served as the model for GDPR.


Wow, the entitlement.

The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.

This is an incredibly expensive regulation to comply with for most small and medium companies, not because they're doing villainous things with the data, but because learning this law and then documenting your compliance with it is ridiculously expensive for many types of businesses.


Your comment came off a bit combative against me vs. the idea I'm trying to argue. Perhaps I didn't make my point very well.

Let's swap GDPR for PCI compliance, which has a new standard (or fully implemented standard, if you will) coming soon. PCI deals with credit card information.

My relevant background allows me to make a few assumptions:

1. If you are in the US.

2. AND you have visited a Quick Service restaurant in the last five years (think Subway, Chipotle, etc.)

3. AND they use one of the major POS (point of sale) providers.

Then your credit card number, name, expiration date, and CVV are in plain text.

You may know the GDPR very well, as it is your job and you are most likely very qualified for it. And yes, there are probably lots of nuances to this law. However, that's true of every single law there is, every standard, guideline, etc.

I'm not entitled. I am, however, a realist who understands that you just have to comply. Taking two days to read the 88 page PDF will make you more familiar than most. It might not make you an expert, but for a small to medium sized business, it would give you the necessary tools to comply with the majority of the law.

Quite frankly, I don't have a bunch of lawyers and I do have to implement GDPR. Will there be an official review? YES. There will be folks who know more than I do and are professionals to double check my work. But I can't tell my stakeholders "Sorry, we can't do that because it's just too tough". That seems entitled...


Complying with the majority of the law isn’t good enough when you can be sued for not complying with a small part of the law.

It’s like complying with 99% of securities laws and forgetting to comply with the insider trading laws. That’s not a defense.


Remember that this is the EU, not the USA where anyone can sue you for anything. If you feel a company is not complying with the law you can complain to your national agency, who will follow it up. If the company doesn't comply after getting a warning, the agency can bring the case to court and the company goes on trial.


The problem with selective enforcement is you may be treated nicely until e.g. your founder takes a political view a European politician disagrees with.


This is Europe. We use laws to prevent conflict, not to build a battlefield. We don't have ambulance-chasing lawyers here.


> To disenfranchise a whole continent because you are inconvenienced is ridiculous

Oh, please. To not offer a service or website or whatever to people half a world away is not to "disenfranchise" them. I don't think you have room to call anyone else's comments "silly".


It's making your company's products and services irrelevant, as we'll just shrug and move on. That's got to hit the bottom line.


No, not really. Not to be shocking or anything, but Europe is not a target market for every company.


Half a world, but only 100ms.


I would like to share an anecdote with you, which might highlight the difference in mindset some folks have.

When I was 20/21, I worked at PJ Clarke's on the Hudson, a restaurant in downtown Manhattan. Back then, the Merc was still staffed by traders on all floors (they switched to computerized trade desks, I believe, and there were fewer people there).

During one shift, I had a party of 10+ people and had to grab extra tables from another area. The tables had tops made from granite and were heavy. As I was moving a table, the majority owner Phil Scotti jumped in and started helping me. I said something like "I got it" and he looked me in the eye and said "Anything for a buck".

That quote might not be popular, but what I realized is that work is work and money is money. If a multi-millionaire could move tables and his wife (in custom, expensive suits) can bus tables, then yes... disenfranchising, or not servicing a bunch of folks, because you don't feel like it is fucking stupid.

I apologize for calling it silly.


I dunno what the point of this anecdote was, but the parent poster was right to mock the word "disenfranchise". If the American business doesn't want the buck, they don't want the buck. If they do want the buck, they do want the buck. Their call, not disenfranchising anyone.


Ha, I actually thought the comment was relevant for an article on blocking EU users with Cloudflare.

This regulation calls for legal expertise; trusting Google to save on fees seems risky for a business. In all seriousness, biz owners should shell out for expert advice on compliance, or stop doing business in the EU.

Google and Fb have already seen litigious groups claim $9.3B in fines on the first day[1]. There will certainly be a cottage industry of lawyers going after online businesses that have erred with GDPR.

[1] https://www.cnet.com/news/gdpr-google-and-facebook-face-up-t...


Those groups don't get to keep the fine money? What is with all the disinformation about people suing companies for GDPR violations like it's a civil court issue and one side gets damages?

People can refer an issue to the regulators claiming that the GDPR has been violated. The regulators will determine if they believe the regulations have been violated and whether it's a large enough violation to enforce. If fines are levied they go to the government and are intended to be punitive, hence the percentage of revenue as the max fine, so that you can't just ignore the regulation by being rich.

No individual or group other than the government is going to make money off of this, and the government has to balance the loss in taxes and the cost to enforce against any gain from a fine.

This whole kerfuffle about the GDPR has just shown that American companies will lose their fucking mind if they have to follow anyone else's rules and can't just lobby the US government to force their laws on everyone else.


Irrespective of who gets to keep the fine money, it will cost money and time (and likely lawyers) to handle any regulator inquiries. These complaints, barely a day after the law came into force, clearly show that this law has come as a bonanza invitation for "activists" to impose legal costs on whatever target catches their fancy. I wouldn't be surprised by anti-competitive targeting. Large corporations will write off the risk and the cost. Small businesses will choose not to do business and avoid the risk.


The law has been in effect for 2 years and the regulators have given everyone that much time to implement their GDPR compliance. These large companies have not done so. Were people supposed to just ignore them forever because they didn't feel like getting around to following the law?


The GDPR has been there for 2 years, the 25th was just the start date for handing out fines.

Shame on them for ignoring the law for that long, just because there weren't any fines yet.


> litigious groups claim $9.3B

Incorrect. They are civil right groups, which filed complaints with the authorities. Even if the complaints were fully accepted and the offenders fined to the maximum possible amount the groups would not "earn" a cent.


"This is a silly and downright crude comment" - easy mate. My ISO 27001 docs are a bit dry as well and I wrote the bloody things as well as the sob ISO 9001 ones.

In my opinion you absolutely hit the nail on the head with this:

"If you own a business, the cost of reading this document is about 2 days"


> Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?

Umm, no, I won't read them?

I seriously cannot remember the last time I ever went and read all the official docs for a new tech.

Instead I learn by doing, and by reading Stack Overflow.

If I have to read through 50 pages of docs to use something, I seriously am just going to use something else.


That's fine when you only hurt yourself but when you are dealing with personal data you can hurt others because you want to take the quickest path.

These same arguments could be applied to just dumping waste from manufacturing in the rivers. Does "If I have to spend 50 days disposing of my waste in a way that doesn't harm others I'm not gonna do it. I'm just gonna dump it somewhere else" sound acceptable?

Modern society has mostly decided it's not.


I am not advocating that people break privacy laws. I am instead advocating that US internet businesses simply stop doing business with EU customers.

If the EU doesn't want these services, then hopefully these services will decide to leave, and the EU citizens can decide if it was all worth it.

I am certainly going to block EU customers on all my future side projects. It really isn't worth the bother for something that I just made for fun, and that isn't making much money. Easier to just block this small market wholesale.

I even found a way to block them with a single line of frontend code!


That seems perfectly fine. You'll have to watch out if you have assets/money flowing through the EU jurisdictions still, as they can still fine you and take your stuff if you violate the GDPR.

If you are completely outside their jurisdiction though, there's not much they can do to you without starting a war or convincing your own government that the GDPR should be enforced.

I do think it's leaving money on the table though. The EU is 500 million people, 2/3rds more than the US and with a bigger aggregate economy. The US also has regulations that have a cost to implement, so it's not like you are avoiding the issue just by focusing there.


Small sidenote here. I'm the creator of https://documentation.agency/ and I've seen quite a few devs actually choose their tech/libraries based on the quality of the documentation.

I agree with you in everything though, everyone should be reading and following the law!


"This is an 88 page document with extremely dry language"

It starts along these lines after the usual intro:

"The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality"

I'll grant you that lacks a certain something but the language is compatible with another well respected charter of rights that you should be more familiar with.

FFS, do you not notice the similarities!


Don't forget the brilliant and deeply meaningful paragraph 37:

"A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings."


Even without any context that seems pretty clear.


I'm guessing you're hinting at the Universal Declaration of Human Rights? It's not well-known or well-regarded in the US.


Sadly, this is true.


Are there no laws in the US?


Not if you are rich, and many small business owners labor under the delusion that they will be the next Gates or Zuckerberg.


"No wonder many American services would rather shut out EU users than comply."

Good bye and good riddance. And I don't really care if the door hits you in the ass.

If Instapaper, to name an example, wouldn't do shady shit with user data, there would be no reason at all to forgo the European market.


If you have developer computers with client data on it, semi-anonymized or not, I want you fined until you stop. What the hell is wrong with that hypothetical business?

It's like restaurants putting the toilet in the kitchen. Shut the business down!


> There is no way on earth that the EU as a whole has looked on your company/project or whatever and decided to screw you.

The rules are enforced via third-party litigation. So its not the "EU", but some lawyer looking for a nice payday that you have to worry about.


While the GDPR allows for third party litigation, the violations are expected to be handled through relevant data protection authorities, and direct litigation is a last recourse if all else fails. If you haven't tried and failed to resolve your GDPR complaint through the relevant authorities, you'll be laughed out of the court if you try to bring a GDPR case to it.

Edit: any replies instead of just downvotes? Yes, it isn't spelled out entirely in the GDPR but it isn't operating in an empty place. The civil law systems of most of EU have certain assumptions in place, like that you will first try to find recourse through proper avenues, and only then try direct litigation. If anything, you might actually try to sue the data protection authority for mishandling your case.


I'll try to answer. The law doesn't actually say that you can sue only after complaint resolution through authorities has failed. That is merely expected practice and assumptions. Potentially facing a frivolous lawsuit in Europe is a high risk for a business which small businesses may not want to take. If that's the intent, it should be codified in law.


Even if true, how are small American companies supposed to know about any of that without investing a lot in European lawyers? Easier to just not serve the market.


Thank you for a sensible and balanced opinion. The Americans seem to be shitting themselves over this, when it is meant to help us all work toward better privacy - not shoot people or put them in prison. That is what years of living in a police state has done to them - turned them into wall-building nervous wrecks!

There are no GDPR police looking to shut you down. Calm down.


> Have a look at the first few paras of this: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX.... after it says "Whereas". Does the language look a little familiar? Do the sentiments look strangely familiar in some way?

The thing after "Whereas" is just a preamble stating the intentions, not the actual legal text. In this case, I scrolled down no fewer than 31 pages, thinking to myself "The whereas section can't be that long" until I finally found the real start of the legal text "HAVE ADOPTED THIS REGULATION" on page 32 of 88.


>It is about protecting basic, fundamental rights that say 30 years ago we never knew needed to exist.

No. GDPR is an overreaching and idiotic law, where standard IP logs are illegal.


Thanks for posting that, makes me feel much better about the spirit of the GDPR.

I decided to remove any use of cookies from all of my sites(*) a week ago. For my business (writer, and sometimes consultant) that makes sense for me, but I understand that most businesses need some access to customer data so they have a motivation to properly handle personal data.

(*) except my blog is on Blogger - still trying to deal with that - I will probably go back to using Jekyll.


It's curious how these "basic, fundamental" rights only apply to select industries, while others are free to completely ignore them (art. 85). What kind of basic, fundamental right is that?


Are we reading the same Article 85 here?

Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.[1]

Not sure how that's 'complete freedom to ignore' exactly, nor is that an exhaustive list, just some examples of where they may need to be balanced against other freedoms.

[1] https://gdpr-info.eu/art-85-gdpr/


http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

(see below for my response wrt SS85) I prefer to dwell on things like this:

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

Below:

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.


Even the beloved First Amendment does not protect all forms of speech. Your point…?


Please explain why the parent comment attracted downvotes. In the US Constitution, the First Amendment protects Americans' right to free speech. However, not all forms of speech are protected. The same legal principle applies to the GDPR; not all industries need to follow the GDPR, as laid out in Article 85.


You’re missing the point completely.

I’m really glad to hear that I’m not being targeted. However, I don’t much care about what the intent is, I care about what the effect is.

And what I see is a law that is vague, and enforcement agents are given broad discretion. What this looks like is that each case becomes a "facts and circumstances" case, which is an absolute nightmare from a compliance standpoint.

And the additional paperwork and personnel requirements appear to be non-trivial and will add a significant amount to the minimum necessary capital and labor needed to start a startup.

The inevitable and indisputable result is that at least some startups on the margin which could've made it before the law was passed will not make it after the law was passed.

Supporters would argue this is a good thing, but I would argue it is not.


The thing for me is that it requires me to log additional data. Now I need to know where my users are from, how old they are, and how often and how they access their account.

All data I happily ignored so far to increase privacy.


>Now I need to know where my users are from

Why do you need to know that? Why don't you treat all users with respect?


What respect? Saving additional metadata?

I totally get your point. But my product already focuses on privacy. Saving any kind of metadata/communication data is more than I do now.
