
I can't honestly agree. (re: ambiguity of interpretation, and cost being limited only to privacy-violating business models) Two reasons.

1. HN discussions themselves. Literally EVERY TIME this comes up, you see a massive back and forth from various crowds of GDPR; some of whom swear that it's perfectly comprehensible even as significant portions of the conversation are interpreting the same points in a variety of ways. (Are IPs PII? What exceptions can be allowed? What falls under "security requirement"? What forms of data are associated PII? What sort of deanonymization is sufficient? IS it sufficient? are some common questions I saw in the past, not even getting into the wonderful world of third party data processors.) This seems like enough pragmatic evidence that a (to give the benefit of the doubt) educated and professional community hasn't reached consensus, so to say there's a variety of interpretation seems very fair.

2. I implemented GDPR for a small corner of a notable BigCo. I do not consider myself an expert, but I certainly got my marching orders from experts, (The legal teams who interpreted the document and evaluated the implementation methods) and the sheer amount of horsepower put behind finding an interpretation we believed and were confident in was staggering. Granted this is something where we _really wanted to get it right_ but if it were really trivial to interpret I question if the process would have been as intensive as it was. (To preempt the inevitable; our (my team's) business model has _literally nothing_ to do with your data, but we had many of the same confusions/questions that I saw from companies who did, so I'd be hesitant to say that the burden isn't somewhat widespread.)




> The legal teams...and the sheer amount of horsepower put behind finding an interpretation we believed and were confident in was staggering

You shouldn't be getting downvoted. I just went through a GDPR compliance review. We have a service model which is incredibly serious about customer confidentiality. We don't sell ads and, to my recollection, have never even bought them. Still required an army of lawyers. Two top London law firms ended up agreeing to disagree on major points, ultimately concluding the Polish data regulator would probably rule one way and the French the other.

Complying with the spirit of a law doesn't mean complying with the statute of it. With GDPR, it's the latter that's a pain in the ass.


>ultimately concluding the Polish data regulator would probably rule one way and the French the other

Wait, this is being handled on the national level??? I thought you guys had some singular EU court thing for this, not a clusterF of the different countries' justice systems.


> this is being handled on the national level?

Yup, each of the EU's twenty-eight member states has a national data regulator who is responsible for interpreting the law. One can appeal to EU courts. But the local context must be considered.


It's worse. In Germany the DSGVO (German GDPR) will be regulated by the states of Germany, i.e. every state has its own regulation administration, which means that there will be even more room for interpretation.

In the end the GDPR is more about opening new jobs.

Also, sites like http://www.spiegel.de/ or https://www.bild.de/ do not care about the GDPR/DSGVO... so it won't happen that there will be many groundbreaking changes in how the governments will see privacy issues. In the end they just wanted to scare off Silicon Valley.


Is GDPR that much different from the Bundesdatenschutzgesetz? Maybe those sites were compliant already.


GDPR forces opt-in; these sites use opt-out mechanisms and save a lot of PII data that can clearly be connected to a real person.


These companies were in violation of the Bundesdatenschutzgesetz. It mandates information minimization, which many fail to adhere to. The problem is more with enforcement, which was (is) weak. GDPR in fact is seen as more lax (by our privacy protection authorities) than the Bundesdatenschutzgesetz, but it has more teeth.


A business that operates in, say, Germany, reports to the German authority. A business that operates in 10 EU countries can declare which one is the major country for them, and they have to deal only with the authority in that one country.


That's not how my lawyer explained it to me. They said that I was liable for violating privacy laws, or the opinion of the regulator, in any German state, even though I am a US company. And it doesn't matter if I have an EU subsidiary and I declare a major country. Maybe your lawyer has a different opinion, but they tell me I shouldn't go hire the lawyer that says what I want to hear.


And in some countries that agency employs a dozen to two dozen people total. In other words, it's entirely possible to get screwed because somebody doesn't like you.


I thought the whole point of the EU having laws like this was to avoid having a ton of variations by country.


The whole point of the EU is to garner trade advantage by negotiating as a bloc instead of as small countries, when they saw large countries like the US, USSR and China get negotiating power. It is also to not have any tariffs and to have free movement of labor internally. Everything else has been iffy at best. The EU is not a federal nation like the US or India.


There is an EU law (such as GDPR) that all member states must transpose into their state legislation. A citizen of a "foreign" member state enjoys the same rights as the "local" citizen.

The point of the EU is/was to achieve an "ever closer union" so that war between European states would never happen again. It's not just an economic bloc.

Btw, immigration is the main issue, which has nothing to do with trading.


The GDPR does remove variation between countries. Before the GDPR, each of the 28 member states would have had their own data protection laws, and while you wouldn't have had to comply with all of them, the only law you generally have to comply with under the GDPR is... the GDPR, plus or minus some minor opt-ins or opt-outs that some member states may choose. It's one piece of legislation that is a hell of a lot more navigable and accessible than 28 different pieces of legislation.

What the poster above is lamenting is that each member state is in charge of their own investigatory authority, and this makes a lot of sense: if you have a data leak that affects only Spanish citizens, you wouldn't want the investigation being carried out by a country like Sweden or even by the EU itself. However, if a data leak affects multiple member states' citizens, each of those member states is invited to and can enter a joint investigation. The issue they believe is that France may have a stricter interpretation of the law than a country like Poland, which may make cooperating with the law more difficult as you don't know how strict to be, and while this certainly is going to be the case, it's not so different from any other facet of life. In the US you may favour a certain state to be prosecuted in, you may prefer to have a different prosecutor or judge, etc.


The European Court of Justice has the final say. As far as I know, the local (supreme) courts ask the ECJ for an opinion if they think their local law could be incompatible with EU law. EU laws such as GDPR must be transposed by the member states, but they may have slight variations (i.e. the amount of fines).


The EU court sets binding precedents across the Union, but the law is still enforced at a national level and discrepancies can arise and take time to be cleared up. There's also the fact that Union law is not perfectly uniform in any case, there are national differences where they go beyond the minimum requirements of Union law.


HN as a community is so defensive about the wisdom and necessity of the spirit of the law (which isn't an unreasonable position) that a lot of commenters reflexively reject any claim that the implementation may leave something to be desired (just see the top comment in this thread). It's entirely unsurprising to me that the EU implemented this sloppily, for the simple reason that legislators all over the world are shitty at understanding tech, and sweeping changes have a high prior likelihood of being poorly implemented.


> Complying with the spirit of a law doesn't mean complying with the statute of it. With GDPR, it's the latter that's a pain in the ass.

I've never understood why people try to comply with the text of a new law that doesn't have case-law under it yet, rather than the spirit.

Surely, the first time anyone gets sued for noncompliance of the text of GDPR, when they are compliant with the spirit under which GDPR was issued, case-law will be created that "bends" the interpretation of the text more toward the spirit?


> I've never understood why people try to comply with the text of a new law that doesn't have case-law under it yet

Continental Europe uses civil law [1]. Case law is less relevant than it is in the U.K. or United States.

More broadly, people try to "comply with the text of a new law" to avoid becoming the precedent. (Even if you prevail, it's distracting and expensive.)

> Surely, the first time anyone gets sued for noncompliance of the text of GDPR, when they are compliant with the spirit under which GDPR was issued, case-law will be created that "bends" the interpretation of the text more toward the spirit?

Surely? Based on what? For anyone with material revenue, that basis will be legal advice.

[1] https://en.wikipedia.org/wiki/Civil_law_(legal_system)


To avoid becoming the precedent should prosecutors choose to make an example of them.


Because SMEs can't afford a legal case.


This is the exact opposite experience we've had.

We're all over Europe and the U.S. It was pretty painless. Our business does not rely on the ignorance of users or the abuse of their privacy. What "army of lawyers" did you have and why was the spirit of the law not enough? We had several different business units get through compliance without any problems.

This isn't a hard thing to address at the end of the day (so long as your entire business doesn't depend on it). I just can't help but feel a few ways A) You didn't understand what the law says B) what your lawyers were actually worried about or C) this story is just made up.

What specifically were the discrepancies in the interpretation of the law between various countries that caused two "top" tier law firms to be unable to come to a clean consensus?


Why was this downvoted? As far as I can see, the claims of excessive burden have been equally vague; I don't see how this comment will lead into trolling.


I'm pro GDPR, but I get tired of the immense amounts of shade some pro GDPR people throw the way of some who complain about it.

These arguments tend to be very circular. It goes something like this: GDPR is reasonable and easy to understand; if you're having trouble with it you are probably user hostile/don't understand it; you're having trouble with it which means you are user hostile/don't understand it; therefore your complaints are not legitimate; therefore GDPR is reasonable and easy to understand.


Let me just respond to this in short: No. They're not circular.

The same vague claims keep getting repeated, with absolutely nothing to back them up. Not even a "here's the problem with the law in our case" super fuzzy high level overview. It's always about the effort of adhering to the law without any discussion about why these companies are facing difficulties in the first place. Not the actual difficulty with implementing the law, just the vague effort they've put up with.

Hundreds of thousands of businesses have not had issue with the law. Suddenly some guy on HN with two "top tier" law firms at his back faces this unimaginably heavy burden and extreme obstacles when trying to adhere to the law. Sounds like a nightmare, in the sense that it never happened.

OP's post and the many others like it are just typical American business favoritism against any kind of regulation masquerading as a personal True Story (TM). I still remember when cookie warnings were "hard" to do and businesses actively implemented them in obviously shit ways, in bad faith with the regulations. It's so obviously contrived for a particular audience it's kind of absurd it immediately doesn't get flagged.


Are you basically asking "Why does no one want to share specific details of their company's difficulty complying with a giant new regulatory framework?"?


Surely the issue is harmless, and has nothing to do with the stuff GDPR is legislating against, right? Why not just share a general, fuzzy overview?

I am pretty sure that's what they're asking for. I didn't see a request for specific details. Just some high level details, rather than "we've had to spend so much money/time => clearly bad".


We’re told not to talk about any details (even high level) of this sort by legal because anything we put on the internet could be used against the company in court even if it seems harmless to us. If you want to find out about the difficulties just find an engineer working at a major company and ask them about it in person.


What part of "super fuzzy high level overview" was confusing?


Oh, sorry. My bad.

Heavens knows no one has ever been legally compelled to elaborate on a "super fuzzy high level overview" they previously volunteered.


You are being silly. You completely misread what I said and now you're attempting to reference insanely improbable scenarios.

Just point out the exact part of the law you guys are having a problem with. If you can't do that, it's because you're just making shit up.


I imagine

> C) this story is just made up.

Was interpreted as being too hostile and uncivil.


There isn't anything in GDPR to cause the problems he is describing. It's realistically the most probable scenario.

If I'm not allowed to call out dishonesty then there's basically no point in discussing any subject.


I agree, but it has to be done with delicacy to get past the hive mind here.


Maybe because some subset of the audience on HN seems to have a habit of downvoting facts they don't like, or data points that counter their narratives.

I can't count the number of times I've posted factual, verifiable information — with sources — and been downvoted (or, often enough, downvoted, then voted back up, then down again, and so on) for my troubles, or the number of times I've seen such comments from others treated the same.

The most plausible explanation I can come up with is, "Your facts dispute my narrative, and we can't have that!"

EDIT: I'm not saying that's what's happening here, and I'm certainly not saying there's brigading or shilling going on (indeed, I think it's purely individual action), but this is a clear pattern, which I've reliably observed happening for years.

It doesn't even have to be on a controversial topic; I once linked to an explanation of a nuance of copyright law, of which the other participants in the thread were demonstrably ignorant. The extent of the response? Downvotes.


Oh lord, speaking of copyright law, trying to rationally discuss copyright law during the Oracle vs Google case on this site was basically an exercise in how much mental pain you were willing to take. Comments that only contained direct quotes from the case to negate what the OP was stating were downvoted. The Google fanaticism was insane.

I'm going to guess what's happening here is a good amount of developers work for companies where GDPR would directly impact their revenue directly or indirectly (and most likely jobs as a whole). This is especially true for smaller "middle man" analytic firms and general web agencies. It pays to be anti-GDPR.


What were the major points?


> Still required an army of lawyers. ... major points

What? Why? How?

Given that:

- You don't sell your customer data.

- That customer data is secure.

- Someone somewhere in your org can handle access requests and delete customer data on request.

What here requires an army of lawyers?

Maybe your corporate culture demands that army regardless, but that's hardly the GDPR's fault.


Never underestimate the kind of mess lawyers can think up. I know of a big organisation providing all kinds of services. I was involved from the sidelines in GDPRing a small part of a very unimportant and almost forgotten service of them.

My personal guess was they wouldn't need consent, as it was a clear-cut case where all requested data was clearly needed to provide the service. And asking for consent to use the data a customer just typed in the site for requesting the service seems a sure-fire way to annoy them without any upside.

Then the GDPR lawyers came.

It turns out, if you interpret the company charter in a very nasty but still legal way, there might be a very rare edge case where a service was provided to someone who was not strictly 100% a customer. Yeah, I'm a bit vague here, sorry about that.

To be clear: No real-life example was found now or in the 10+ year history records of the service, both the almost-but-not-quite customer and the company would have to do insane things, and the service delivered in that case was almost non-existent, but theoretically, on paper, it was possible. I'm pretty sure nobody would care if it happened, either.

So boom goes our legal base. Consent it is, then.


People keep going to consent, but I'm pretty sure in many cases they're wrong to do so.

> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

and the ICO guidance is

> Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Even when consent is given, the user's interests still have to be considered during processing, so it's not like it's a do-whatever-you-like card. Just because a user says they consent to you doing something with their data doesn't necessarily mean you can if that thing is obviously not in their interests.

I wish the fact that consent is only a weak basis under GDPR were made more clear, since if we just end up with an internet that requires consent on every site then the law has just made things worse and made nothing better.


This sort of thing seems to happen a lot. Legal departments are responsible for making sure the company doesn't get sued, and are not really responsible for working towards company success. So Legal's arse gets covered by denying absolutely everything that they don't believe is guaranteed legal, and the company loses business because things become unreasonable. I think legal should instead be more risk management, working for the benefit of the company to manage the legal risk rather than minimize it, and stay within ethical boundaries. It already is risk management, since all legal departments have to work with are their opinions and not facts about how future rulings will go, so it is just a case of accepting it. In the above example, it seems like that didn't happen, with lawyers creating a wall of red tape costing money and annoying customers, instead of realizing the risk was minimal, and if they were at all competent they could easily argue their case even if the low risk event occurred.

And it is even more insane blindly accepting this sort of advice with GDPR, worrying about getting sued for theoretical edge cases when the first round of warnings hasn't even gone out to the worst offenders yet.


It doesn't matter if you need the data to provide the service, you still need to ask for consent for any personal data - and personal data is defined extremely broadly.


Sorry, but this is completely wrong. See art 6:

https://gdpr-info.eu/art-6-gdpr/

There are 6 options. Option a is the consent you are talking about. I am talking about option b.

Basically, having multiple legal bases can't hurt, so our lawyers said: Get both option a and b.


To understand that, I think you'd need to be a lawyer who worked in European law. The point is that each country has their own regulators who often enforce the laws differently. So what might be "perfectly clear" to you could be interpreted completely differently where a different body of law and precedent has been set.


GDPR is not a prohibition on selling personal data. It’s a prohibition on having and using personal data, unless the specific data and usage can be justified under one of the lawful bases. An army of lawyers is required to assess whether each code path and business process is truly covered under one of those bases, given how specific regulators are likely to interpret the subjective judgement calls embedded in the definitions of those bases (necessary, legitimate, reasonable, balanced, etc).


Need better lawyers.


>What here requires an army of lawyers?

Defining what those simple statements like "customer data is secure" means in the context of hundreds or thousands of use cases throughout a complex organization.


This is a bit easier if you're a standard b2c SaaS company where you keep all your data in one place and can keep an eye on it.

But if you're not, or you're not sure what the boundaries of "personal" are (is a first name only personal?) it's harder.


Here it is:

https://www.eugdpr.org/the-regulation.html

Hands up. Who has actually read all of it?

Speaking as somebody who actually has (I was teaching computer security last term), I found it relatively easy to read (as legal documents go), but it still took a weekend. I will guarantee you that not all of the high powered lawyers whose job it is to read it have done that.

True story: back in the days when libraries still stamped your book with the date it was due back, I took out a copy of Keynes's General Theory from the main library where I lived. It's not that thick of a book, and according to the date stamps it had been borrowed at least 20 or so times. About halfway through, the pages hadn't been cut.

It was a few years before the significance of that finally dawned on me. As in many things in life, HN discussions on the GDPR are a wonderful example of nobody actually reading it, and everybody having an opinion of it.


I am just seeing a couple of scrolls worth of text---definitely not weekend-long reading material. Am I reading the right thing, or is your link mis-pointed?


I'm only seeing a very short summary too.


https://ec.europa.eu/info/files/regulation-eu-2016-679-prote... is some fifty thousand words (i.e., a novel worth of legalese).


"https://www.eugdpr.org/the-regulation.html"

Well now I read that link, but I don't think that's the actual law...


Yeah, I'm willing to bet the people that think this is easy and clear are not trying to implement it. I have not met anyone working at a large internet company (these companies have a high likelihood of being sued, so it's very important the law is followed as accurately as possible) that thinks the law is clear.


99% of the people screaming here that it's incomprehensible either very clearly haven't read the source material or just don't understand how the law works in the EU (I guess they are from somewhere else and didn't bother to look anything up before forming an opinion).

Regarding your point about consensus, that's fair - however this has not been my experience. Most parties that you would ask for advice on the matter have a pretty good handle on what the different terms mean.

Your second point is mostly evidence (to my mind) of large corporations trying to get away with as much malicious compliance as they can possibly manage. You really do have to put a lot of effort in that, as you cannot assume the agency checking you will see good faith (which is, as far as I understand it, one of the requirements for not being slapped with fines very quickly).


"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

The law is pretty clear (not 100% clear, obviously; there are going to be loopholes and unclear things), and it's easy to decide about unclear spots by following the spirit of the law, and by understanding that any unclear technical requirement really means "what a sane engineer would do, that you could defend against a jury of your peers".

To answer a few of your questions (obviously IANAL):

- Are IPs PII? Yes, there are legal cases about that; your lawyer should have a more detailed answer.

- What exceptions can be allowed? When you have a case you could defend that doesn't go against the spirit of the law.

- What falls under "security requirements"? You should be able to defend your choices security-wise against a jury of your peers, using your internal documentation. If you have unsalted password hashes, for example, you are in trouble.

- What sort of deanonymization is sufficient? Best practices at the current date.

Technical details aren't going to be in the law, because the goal of a law is to not be outdated every year.

Laws are enforced by humans, not by computers. Your company should be prepared to defend its interpretation of the law (that's your lawyer's job) and your technical choices (that's your job).

Edit: obviously, that's a simplified vision, and you should always consult your lawyer. The bigger your company is, the more important it is to try your best to be compliant.


You've had sizeable replies and I've yet to read them, so forgive if I'm reiterating something here.

But as for 1): IPs are distinctly /not/ PII (AKA: PD). They're identified /by name/ in the regulation, unless you sell that info. Anyone who brings this up as a topic has not actually read the regulations... or they have and are trying to create uncertainty for some objective.

It sounds like you've done enough of reading the regulation to actually know this, it's part of your job and you've spoken to legal experts (as I have).


> IPs are distinctly /not/ PII. They're identified /by name/ in the regulation. Anyone who brings this up as a topic has not actually read the regulations... or they have and are trying to create uncertainty for some objective.

Have you yourself read the regulation? You are wrong.

The regulation makes a single reference (by name) to IP addresses. In recital 30. In that recital, it specifically declares IP address to be PD (GDPR doesn't use the term PII at all).

Not to confuse the matter, but if you stopped there, and decided IP addresses were PD, you would have stopped short. It requires deeper analysis. Here are two good ones:

https://gdpr-info.eu/issues/personal-data/

https://www.whitecase.com/publications/alert/court-confirms-...

The soundbite-sized answer is: it depends.


Sorry, was going on the case of "if you're not an ISP"

IP, when tied to other data becomes the scope of personal data.

However, removing the other data renders it no longer personal data.

This firmly puts it in the "it's not personal data" camp. Since it's the other data that is personally identifiable that gives it context.

It's only relevant for ISPs really, but really good job on proving my "creating confusion for no reason" point.

In the context of online accounts (in video games, where I work) it can't be used to identify real world people because we don't ever link to a real world identity. In cases where you log details about people individually (as in, a bank) you just don't log user details beside access logs and you're set. IP on its own is not personally identifiable, and is out of scope for GDPR.


I have taken the same stance. Have had lawyers tell me that I am wrong. Have had other lawyers tell me the opposite. -shrug- When it specifically lists IP address as an example of PD in one section, the fact that another says things are only PD if you can identify a person doesn't NECESSARILY overrule that.


I think a lot of this is a red herring. If you are gathering the IP address under the contract lawful basis, then it doesn't matter if it's personally identifying or not. Where it gets tricky is when you are not gathering the IP address under the contract lawful basis.

The tricky thing about GDPR is choosing the correct lawful basis. I think people reach for the legitimate interest card too quickly because they see it as a "get out of jail free" card. But then it ends up complicating things enormously -- especially since legitimate interest can be objected to. I've seen people agonising in public about what to do because the personally identifying information is necessary to provide the service they are offering. If you're in the situation where if someone objects to the use of their data, then it breaks the whole service -- well you're in contract lawful basis territory.

IP addresses are potentially complicated, though. I'm not sure what's supposed to happen when you receive personally identifying information from someone that you don't have a contract with. The law does seem to be vague on what constitutes a "contract", because in some cases it seems to imply something different than what contract law says (i.e. if there is no consideration, it seems I can still use contract lawful basis). In this situation, if I have a P2P network and I need your IP address to fulfil my side of the protocol, then I should be able to use it under contract basis. However, I'm unclear about the actual legality of it -- especially when the information is sent to you by an intermediate node.

To me, that's what needs to be cleared up. I expect it will be over a period of time. I don't think the law was written with that kind of stuff in mind. It's kind of interesting, though. I imagine it is a violation of the GDPR to track what individuals are downloading in bittorrent without giving them a legitimate interest notice, though (and allowing them to object! and be forgotten!). It will be interesting to see if anybody complains about that kind of thing.


A German court held that IP addresses can be considered personal data for non-ISPs.

Check Patrick Breyer v. Bundesrepublik Deutschland.

Literally a website just logging IP addresses of visitors.

You’re making it sound incredibly cut and dry when it’s clearly not and there’s case law on record confirming it’s not so simple.


I just looked up that case's official press release:

https://curia.europa.eu/jcms/upload/docs/application/pdf/201...

I also looked up some additional explanations.

That case literally does not support the claim you make. The court decided that:

* dynamic IPs can be considered personal info if the entity collecting them has legal means to get additional information related to that IP (these legal means exist in Germany, if the entity believes they are being cyberattacked)

* furthermore, the court noted that this particular law is more restrictive than general EU law (which eventually becomes GDPR, as far as I understand: http://germanitlaw.com/patrick-breyer-v-federal-republic-of-...)

* according to the less restrictive law though, "The operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks"

* and this opened up the question as to which law should be followed in Germany, at least until GDPR comes into play (again, see explanation in http://germanitlaw.com/patrick-breyer-v-federal-republic-of-...)

* note then that: this issue is no longer an issue (since GDPR is in play now) and that GDPR actually allows the collection of dynamic IPs if the entity needs to do this to protect from cyberattack


It's kind of funny. You say "case literally does not support the claim" I make then continue to say what I said in a different way.

I was responding to a person that was claiming that essentially IP addresses are only personal data for ISPs or ISP like businesses. Which is simply not the case.

I didn't say IP addresses were always considered personal data, I simply said it can be personal data, which you also stated in your post. That it's not cut and dry. The person I was responding to was posting that IP addresses are definitively NOT personal data.

The point is, context for IPs matters. The person I was replying to was way over simplifying.

I'm not entirely sure what claim you think I made that the case doesn't back up as you essentially stated what I did just with more specificity. In any case I totally agree with your post since it's the same point I was making :)



