Hacker News new | comments | show | ask | jobs | submit login

"but I would like it a lot better if it said that in the actual law"

Have you read the bloody law! http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

This is legislation designed to protect not only me (as an individual) but you as well (as a probable foreigner) from me!




Reading the law, I only see a single exception for small companies: Article 30.1 and 30.2 doesn't apply for companies less than 250 employees.

Out of an 88 page law, 1% of an auxiliary middle of the law is carved out for small companies.

I'm not sure that counts as differential application for small companies. In the US at least, large portions of entire key burdensome laws don't apply for employers below size 50, 10, 5, etc. This does not seem to be the case here.

Does anyone know whether an official impact study on innovation was even done before its passage?


You can be a company of ten people and still turn over millions by selling your users’ data in shadowy ways. Why shouldn’t you be stopped just because you’re small. How can the size a company be used as a rational differentiator in a law like this?


Because the vast, vast, vast majority of small companies aren't turning over millions of dollars. That's the same logic as, "some people cheat on welfare, so lets defund it." This logic gets pushed around a lot by GOP pundits.

The law may be good as a whole but be overly burdensome for small companies. You should at least acknowledge that instead of just dismissing that outright.


Similar laws have existed for many decades. In The Netherlands, privacy laws date back to the 1970s.

At least my reading of the GDRP is that it tries very hard not be a big burden. If you are a small company or organisation and you collect a minimal amount of information (for example to contact them) there is not a lot you have to do.

The main thing is, you are not allowed to be sloppy. If you collect personal data, you have to think about whether you should collect it at all, where to store it, process it, and when to delete it. And you have to tell people that before you ask them for personal data.

Nothing like, we just collect a bunch of data, give copies to everybody, and have no idea what we collected. That attitude no longer works.

If you set up food regulations, are you going to exempt restaurants with only one cook? Or have aviation regulations that do not apply to airlines with only one pilot?

Given that the entire GDRP is less then a hundred pages, you can easily read it in one evening and get an idea of what you can do, have to do, and what the corner cases are that you may need to discuss with a lawyer.


> If you set up food regulations, are you going to exempt restaurants with only one cook?

But restaurants with only one cook can't afford a $300/h lawyer to tell them how to keep their shit hygienic!


And in the EU we have a different way of working. In the UK you can literally phone up the ICO and get free advice, specific advice on how to stay compliant.

If it turns out that you are in breach, they will write to you with information about what you're doign wrong and how to fix it.

In the EU we don't rely on lawyers for a fraction of the stuff you do in the US.


> Does anyone know whether an official impact study on innovation was even done before its passage?

So if it's "innovative" a small 5-person startup should be able to wreak havoc to my personal data in whatever way they see fit? What is that nonsense. Are you seriously suggesting that "innovation" in startups should be more important than my privacy?


Are you seriously proposing that regulations move forward without an understanding of their impacts?

No matter what the ultimate decision is, no matter how sensitive the subject matter, impact studies are critical to making smart decisions.


If a regulation is going to impact "innovative" startups that sell my data, I am totally for it. I don't want more innovative ways to sell my personal information.


> sell my data

I think you're justifying a really extreme reaction based on the worst behavior of a few companies. GDPR doesn't just go after data-resellers. It targets how a well-intended company can use and keep your data even with no third party involved.

Laws that mess up the good-guys lives are bad laws. GDPR is from the same folks who thought a law that lead to pestering users about cookies was a good idea.


It's not stopping any well intended company from fairly using data. A law making it harder for well intentioned gun enthusiasts from getting guns is a good law according to me. All well intentioned gun enthusiasts should support it. Otherwise there'd be a day people would get tired of the bad intentioned gun owners and legislate a complete ban on guns.

Also I like the cookie idea. If only people really cared about misuse of their data they'd like it too. We've seen how good 3rd party cookies have been for some democracies.


Maybe it's just me, but the 2nd Amendment talk in this case really seems like a hamfisted way to spout political opinion that's in no way relevant.

>All well intentioned gun enthusiasts should support it.

Really black/white argument there which the issue is not. And nor is this topic. There should be more nuance in GDPR, but there isn't which creates a lot of discomfort.

>It's not stopping any well intended company from fairly using data.

It actually is, but whether or not that is an overall good thing is yet to be seen. Certainly, they did some level of testing before proceeding.


So without curiosity or concern for any other impact you say yes...

I might say yes but I still want an impact study.

I prefer governing bodies operate with an awareness of how their actions affect society.


I don't think we're going to lose as many "well intentioned" websites as much as we'll get rid of bad intentioned businesses.


You’re missing the point. One last time: it is ideal to operate with an awareness of consequences.


> Are you seriously proposing that regulations move forward without an understanding of their impacts?

No, and it is dishonest of you to suggest that was claimed.

> impact studies are critical to making smart decisions.

Which were done as was consulting with industry etc. well before the law was passed two years ago.


In the history of laws, many of the ones designed with good intentions have been quite harmful.

And yes, I've read the law. It's typical of legislation in that it obviously wasn't written by people who knew what it looked like to perform that in a real life business.


> And yes, I've read the law.

Have you read recital 1? https://gdpr-info.eu/recitals/no-1/ ? The starting point of the law is that data protoection is a fundamental human right,. The data subject owns their PII, not some company collecting it.

It's all up whether you are willing to accept that as a fundamental right or not.

I mean there is a billion of Chinese that live with the fact that free speech is not a fundamental human right. Most Westerners have a problem with that.

Now many US based IT professionals seems to have problems with accepting that nobody else can own the data about a human.

> It's typical of legislation in that it obviously wasn't written by people who knew what it looked like to perform that in a real life business.

That's what a cotton farmer could have said when they made slavery illegal. Obviously respecting other's human rights makes some business models illegal.


First, let me say that, I'm not the person you're replying to, I haven't read through the entire GDPR (yet), and I think that stronger privacy laws are a very good thing. (Part of the reason I regularly donate to the EFF.)

> The starting point of the law is that data protoection is a fundamental human right,. The data subject owns their PII, not some company collecting it.

> It's all up whether you are willing to accept that as a fundamental right or not.

As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

> Now many US based IT professionals seems to have problems with accepting that nobody else can own the data about a human.

I think the idea that someone can own facts about anything is bound to cause some amount of confusion or even cognitive dissonance.

At what point does one's right to be forgotten supersede another's right to remember?

If Alice knows something about Bob because of their personal interactions, as he asks her to forget about it, but she still remembers it, is she violating Bob's right to be forgotten? How about if she had written it down in a journal? Does she need to erase what she wrote? What if her journal was stored electronically? In any of these cases is she allowed to tell another person? What if she already told another person before Bob told her to forget about it?

More concretely, suppose Bob visits Alice's house, and then a couple of weeks later tells Alice that she must forget that he visited. If she ignores his request is she violating Bob's rights?

Now suppose Bob is visiting Alice's website, which records his IP address in a log file. Bob asks to be removed from the log, and again Alice ignores his request.

I think for many technically minded people there seems like an awfully smooth gradient between these last two scenarios, and so classifying one as reasonable and the other as a violation of human rights can be surprising. Precisely where is the line drawn that makes one scenario reasonable, while the other is completely unacceptable?


> As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

Yes, in Germany, everyone, meaning citizen(EU/EEA) or not, enjoys the right of forgotten from surveillance cameras or any image/personal information that is not subject to the legal registry, from public record beyond 90 days. Unless you are targeted for an otherwise legal reason.


Which law is that exactly (german here, but i dont know what you’re referring to€


Not able to answer that question but the Auskunftspflicht also covers police surveillance footage.

Personal anecdote: I was involved in a student demonstration once that ended with the police recording every individual separately in addition to checking our national ID cards. After about 14 days I wrote them a letter requesting information about what data they had kept and to destroy that data if it is not part of an active investigation.

I received a formal response saying they had already destroyed the data shortly after collecting it because they didn't end up needing it.

I presume the law is exactly the same as with any other organisation, i.e. the BDSG (Bundesdatenschutzgesetz) which as of now implements the GDPR (DSGVO) in Germany.


Yes, and meanwhile they illegally sniff your whole Internet traffic... just one current example https://blog.fefe.de/?ts=a5f2e96c


Generally, Bundesdatenschutzgesetz (BDSG), mainly Kapitel 3. §57, §58 and §61.


> At what point does one's right to be forgotten supersede another's right to remember? > > If Alice knows something about Bob because of their personal interactions, as he asks her to forget about it, but she still remembers it, is she violating Bob's right to be forgotten? > > etc.

No, no-one can force you legally to forget something, and I think this brings up the main problem with your argument, which is that we're not talking about Alice and Bob, we're talking about Alice and Bob's Widgets INC.

I'm technically minded and I see a 100% separation between the interaction between Alice and Bob, and Alice and Bob's Widgets INC. Yes, I do think it's completely reasonable for Alice to ask bob to be removed from log files, journals whatever.

Lets look at a parallel you drew:

> More concretely, suppose Bob visits Alice's house, and then a couple of weeks later tells Alice that she must forget that he visited. If she ignores his request is she violating Bob's rights?

I wouldn't say that Alice is violating anyone's rights here. Being unreasonable, yes. Asking for something with no legal or enforceable basis, yes.

> Now suppose Bob is visiting Alice's website, which records his IP address in a log file. Bob asks to be removed from the log, and again Alice ignores his request.

This is a non sequitur, these are different scenarios with different requests, just with the names kept the same. Businesses aren't people, and they don't have memories like people. Businesses don't (for the most part, legal actions notwithstanding) need IP address information. It can be helpful, certainly. Knowing your customer has returned, knowing what they have looked at etc., but it's not essential.

So yes, it's reasonable to ask for removal from logs, and no, it isn't reasonable to ask someone to forget you visited their house.


I guess this demonstrates a prime example of one of the biggest differences in the US:

In the US, corporations are people.

In the EU, corporations are legal persons but don't inherently enjoy the same rights/protections as natural persons (i.e. humans).

Just remember the Hobby Lobby ruling: in the US, corporations can have religious beliefs. In the EU that sentence doesn't make any sense because a corporation cannot hold beliefs (though the people employed by or owning it can).


> In the US, corporations are people.

> in the US, corporations can have religious beliefs. In the EU that sentence doesn't make any sense because --

It doesn't make sense because in the EU we didn't artificially create a legal construct to support the notion of corporations having religious beliefs (or "being people").

Please don't act as if both ideas are equally valid descriptions of the real world when one of them is strictly a legal fiction and completely meaningless in any other sense.

I'm sorry but just like the notion that a 2-person startup would need $300/h lawyers for any significant amount of time to ascertain they're sufficiently in compliance with the GDPR to not get sued into oblivion (.. or something? over here people can just read and implement the needed provisions by themselves in under a week, is what I heard from my friends in the business), this seems to be a problem inside the US legal system, doesn't really seem to me like it's the EU's problem to take into account when it's broken like that.


I'm not disagreeing with you. I'm just trying to be objective rather than judge the two models based on my opinion. My opinion would be that the US system is the result of Friedman free market capitalism trumping civil rights over decades. And in Europe I'd consider myself libertarian.


> No, no-one can force you legally to forget something, and I think this brings up the main problem with your argument, which is that we're not talking about Alice and Bob, we're talking about Alice and Bob's Widgets INC.

I assume you mean Alice's Widgets INC., since Alice was the one with the website.

But in any case, I didn't say "Alice's business's website". I said "Alice's website", as in her personal website. Are you saying that an individual's website can record visitor's IP addresses and store them indefinitely, but a business cannot?


What if it is a personal website, not affiliated with any corporation?


> Precisely where is the line drawn that makes one scenario reasonable, while the other is completely unacceptable?

1. don't be unreasonable

2. be acceptable


Perhaps you should take your own advice.


> As a fundamental right, doesn't that mean that the government needs to abide by it as well? Can an EU resident demand that their image be removed from all footage collected by public surveillance cameras, for example?

That's a good point. The term "fundamental right" occurs only the recitals, not in the law itself IIRC. The laws applies to authorities, but not when they carry out the legal tasks in prosecuting and preventing crimes and dealing with public security. So you would not have any rights with respect to video surveillance by authorities, unless you could prove that that is not done for public security :(

When it comes to authorities practices differ a lot in the EU. Let me give 2 examples because I live/lived there

1. In Germany video surveillance of public spaces is not very popular. One of the biggest cities in Germany, Frankfurt/M. seems to have 6 (six) such cameras now. And whenever there is a new one, it still makes big headlines http://www.fnp.de/lokales/frankfurt/Datenschuetzer-Es-wird-z... (In socialist East Germany they had them already in the 1980, but I am sure they all disappeared in 1990)

Google has stopped rolling out Streetview in the very early beginnings. Not that it is an authority, but it shows the public opinion, even if it's a single picture every couple of years and faces are blurred.

It appears that the resistance is more and more broken. At my last visits in Germany I saw cameras on trains/buses for the first time. I'd assume they are not counted as public spaces, but private properties. Which is a problematic classification considering their function. In Northern Ireland cameras were standard on buses already in the 1990s, no idea for how long before that.

When you get a German passport they will store the fingerprint on it (I guess that's a nearly world-wide standard for machine readable passports). However, in Germany they make a big fuzz about it that the fingerprint is erased from all databases as soon as you have accepted your new passport. If you detect a typo in your passport after accepting it, you have to apply for a new one, pay again and have your fingerprints taken again.

2. In Finland public videos surveillance has existed in all big cities (not that there are many...) for decades. There are also street condition (think snow) cameras on the internet. It's not their purpose, but some of them show fully identifiable people when they happen to walk by. Not many people seem to be bothered about it.

In Finland the fingerprints for the passports are stored until there will be a law how they are allowed to be used. Only few people believe that the police would not use them to solve a high profile crime before the law is ready.

A common Europe is still a big fiction in many aspects.


FWIW the cameras on public transit (which have been the norm in Cologne for at least a decade I think) are legal (under the old data protection laws anyway) because the recordings are automatically destroyed after 24 hours or so.

I think the GDPR would protect them because of a number of factors:

* there's a legitimate security interest (vandalism, terrorism, rape and other personal crimes)

* the recordings are not stored longer than necessary to fulfill that purpose

* there is clear signage indicating you are entering an area with surveillance cameras (i.e. you are giving informed consent)

The GDPR protects the individual's right to privacy but it's a balancing act and the security interests are fairly valid.


> * there is clear signage indicating you are entering an area with surveillance cameras (i.e. you are giving informed consent)

So if I don't want to be filmed on the bus I take a taxi for 10 times the price? (Not sure whether they might have cameras, too. Haven't taken a taxi in Germany for many years.) Or I walk 2 hours?

That's not what I would call informed consent. It's information yes, but as long as there are no competing bus lines without cameras there is no choice really.


We're going in circles. Let me repeat: nobody has a problem with increased data protection and privacy. We're all better off for it.

But the laws regarding it are not clear for an actual operating business. Instead of being simple and straightforward to implement, they are an ambiguous mess that are wasteful and misplaced. Laws designed that way almost never actually accomplish what they set out to do.


> Instead of being simple and straightforward to implement,

I am not sure I can fully follow you here.

If implementers accepted that they only collect what is absolutely necessary and they delete what the they are not legally requited to keep things would be much easier.

Problems start when the business model is that customers'/users' data is our product/an asset and we somehow try the find the minimum possible implementation that just meets the requirements of the law while still using all loopholes it might possibly leave.

I agree that the law is not very clear for how you should code it. Nor very detailed what you can do with a certain piece of data. So it depends on your approach: If you take a conservative approach that if in doubt, we don't keep the data it suddenly gets much clearer. If you start fiddling maybe I could still do it if we did it like this and that you end up in endless work.

And of course if you have an existing system that never had the requirement of deleting anything there is a lot of work. But the law has been in force for 2 years, so businesses that wake up now when the transition period has ended it can be a mess.

>Laws designed that way almost never actually accomplish what they set out to do.

How would you have written the law? Do you have counter-examples of laws being written so clearly that you could recommend them?

The key point really is: Many business models and practices on the internet are incompatible with the spirit of GDPR. It's a fundamental right that the users own their data and businesses are not allowed to do with it whatever they want.

Lawmakers did not want it write it that so clearly, because lobbyists would not have accepted it. And business owners still don't want to accept any suich fundamental right. So complaining about the law being too complicated is somewhat canting.


They are not "simple and straightforward to implement" for two reasons. First one, the problem domain is not simple and straightforward to implement. It may be surprising, but it's only because we've never learned to treat PII with proper respect. Second one, it's because businesses did their best to avoid and abuse privacy laws previously, so the new law has to counter the usual workarounds.

Yeah, it might be getting harder making a startup working on personally-identifiable data - even if it's not doing anything shady. But it's also hard to make a food or healthcare startup; you can't just "move fast and break things" there either. In EU, PII were finally granted the status of something actually important.

As for startups that depend on abusing user data, I'm very happy they have problems now.


A datum is not actually important just because it relates to a person in some way. It's not as if this a regulation about venturing into deviantly risky territory: running a network service of any kind involves the processing of peer IP addresses.


And processing that IP address is neccersary for the operation of the service offered so entirely acceptable.


Exactly. Plus they don’t simply concentrate on people intentionally/ignorantly abusing data (putting my email on mailing lists again and again and ignoring me telling multiple times i don’t want it, reselling, etc) but put a lof of insecurity and bureaucracy on people with nothing more than a static website with IP adresses in logfiles...


May I ask what is not clear to you? I can try to help. As I can see it, it very simple, it is same thing as with borrowing someones car:

- personal data (car) are any data that have potential identifying a person

- person owns its data (car). You cant buy them (well this part is different than the car), you cant steal them, you cant sell them, but you can borrow them from. But for that you need to ask (consent), where it is not allowed to trick the owner to give them to you, whithout beeing fully aware what was borrowed and why. And if you are borrowing the data for someone else, you need to ask about that too. And tell when you will return it.

- it is immature and unfair to play grumpy if someone doesn't want to allow to use its data. Or try to force/blackmail them from him. So its not allowed to do that (noyb.eu)

- once you borrow the data (like property, envision a car), behave acordingly, owner can demand them back, demand to see them, demand to know what you are doing with them and if stolen it is completely normal to tell them about that. And if they were stolen due to your fault (leaving keys in a car), they might demand to be compensated. Same goes if you misuse them (let me put some fertiliziers on back seat, forget to return them, giving it to all your friends without asking,...)

- if the data owner asks you to do something that requires his data ("hey, can you please take my car and bring me icecream from the store") you don't need to ask for data, it is expected you can have them.

Did I forget something? I consider it simple, as long as you try to stay genuinly respecting to other persons ownership. Just think about borrowing your car or borrowing car from your best friend and you wont go far wrong.


things as opposed to knowledge are fundamentally different things.

if yoi tell me your birthday how can i forget it?

if you borrow me a car i have something i can return...


> if yoi tell me your birthday how can i forget it?

That's not really relevant. GDPR doesn't ask people to forget things out of their minds.

So let's rephrase to a more relevant example:

> if yoi provide me your birthday on a web form and I put it in a database how can i forget it?

This now becomes relevant, and easy do answer. You delete it.


>if yoi tell me your birthday how can i forget it?

Ask any husband.

Joking aside, if the memory is on a computer system, as opposed to a person, you can, you know, just delete it.


Out of curiosity, could I legitimately ask Google, GitHub, etc. under the GDPR to delete my name in the AUTHORS file of the git commit it was added in when I contributed to Chrome's v8 engine 10 years ago? Would they have to comply if I did?

Obviously, removing the commit would break git's ability to sign any hashes for that repository after that point…

And thinking it through a bit more, what about the companies that use v8? Could I ask my regulator to get Joyent to remove it from their systems? I'm sure they have copies…


You could ask, but them not complying fall neatly in the legitimate need case...


Ah, this is so interesting! It seems like you're allowed or not allowed to keep data based on the data structure that you use to store it!


Data structure has nothing to do with it. If you stored social media users as fake AUTHORS lines in a git repo, that still wouldn't make you allowed to keep it. In the inverse situation, storing git authorship in the comments table of your photo site's database, you would be allowed to keep it for legal uses.


I interpreted the original posters point that the git repository could not be modified without destroying it. I thought that's how the next poster was responding to it. If you cannot modify an old entry without destroying the integrity of your system, are you required to modify? Either the answer is yes and you effectively cannot use certain data structures (with their integrity) or the answer is no and certain data structures allow you to keep data.


You would want to avoid using a git-like data structure for data you have to delete. But the example was data that's part of making the copyright license function, and you can keep it for legal purposes.


> But the example was data that's part of making the copyright license function

You entirely missed the point of my hypothetical, which was about immutable data structures like git employs.

As it turns out, our business also uses a git-like hash-chained commit log for our normal database. Deleting old entries would thus violate the integrity of our database. Is that now illegal under the GDPR?


When, it's about being able to judge things on their specific merits -- as opposed to having some blanket one size fits all rule.

Law has nuance and cases (and corner cases), it's not some strict predicate.


I agree and understand, but it does give us a likely unintended consequence: no sequential hashed data structures when you are required to be able to modify it. Probably a good thing for hearing less about blockchains!


No. They're required to know who the authors are for legal reasons.


Extreme over-exaggeration in my opinion.

Actually, just because one critcices the way the law is made doesn’t mean they think it’s basic intention is wrong.

As of your slavery example: Forbidding slavery is one(good) thing. Saying „everbody having somebody work for them out of anything but total free will and not being able to prove it is doing forbidden slavery“ is something else. If i must work because i need to eat and pay rent, is that total free will? How can anyone prove that?

So sure, the wording is extremely important.


Yes, indeed I have. But if there's something I've missed, I'd surely appreciate a quote or specific reference.


Please point to the specific section you’re referring to.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: