Complete guide to GDPR compliance (gdpr.eu)
229 points by lainon 14 days ago | 122 comments



Warning: The privacy notice template on this site (https://gdpr.eu/privacy-notice/) omits basic mandatory elements (e.g. retention periods, right to lodge a complaint). The template's section on cookies is insufficient and misleading. Cookies are regulated by a different law (the ePrivacy Directive) and their explanation does not go into these rules at all.

As frereubu notes elsewhere in this thread, the UK regulator's GDPR guide is excellent, and is a much better starting point in my opinion: https://ico.org.uk/for-organisations/guide-to-data-protectio...


For those like me that hadn't linked Proton Technologies AG and ProtonMail, it's worth noting that this guide may actually have a service to sell you (ProtonMail).

The ICO guide linked by the parent doesn't.


We have made some updates to the template so it is now more comprehensive. e-privacy technically is not GDPR, but since it is closely related, we have also incorporated this now.

> GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union. This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found here. Nothing found in this portal constitutes legal advice.

I'm not sure why you're pointing this out – it could be because it's interesting or it could be as a warning. If as a warning, nothing here seems particularly unreasonable.

> GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union.

This is probably a requirement of the funding.

> This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found here.

This seems reasonable. Funded by does not mean endorsed by. Here's the official page.

> Nothing found in this portal constitutes legal advice.

Realistically it can't be legal advice, even though it's dealing with an area that could get you into legal trouble. It's referring to a directive which has been implemented by member states. Each member state has its own enforcing body, and some will take a more firm approach than others.

As for legal advice, in at least some jurisdictions even paid advice is treated as just that – advice – and if you get bad advice, there is little to no realistic prospect of redress.

This appears at first glance to be one of the better resources on the GDPR I have seen.


It's a warning. The site is authored by a private entity whose only qualification may be that they registered the gdpr.eu domain most quickly. It claims to be a "complete guide to GDPR compliance" but is nothing of the sort. Most pages end with the disclaimer that "nothing found in this portal constitutes legal advice" and to consult a lawyer.

Legally, it's quite dangerous since it might give you the feeling of being compliant while still being at risk. "But Proton Technologies AG said ..." isn't going to hold up in court.


> Legally, it's quite dangerous since it might give you the feeling of being compliant while still being at risk.

If you're soliciting free advice online – even from a law firm – it may as well contain such a disclaimer. Nearly always the terms of service do contain such a term.

> "But Proton Technologies AG said ..." isn't going to hold up in court.

"But our law firm said…" seems to be the alternative here. I'm not sure how well that would hold up in court.

I'm all for getting legal advice from professionals. That said, there's a lot of law firms that will give you advice on the GDPR without really knowing what they're talking about. Their risk is pretty minimal – as a business client you're unlikely to be entitled to the same redress as consumers. The bar is very high for demonstrating negligence.


I think it's not paid vs unpaid but official vs private.

I found the warning very useful, as I assumed this was a publication from an EU institution as well.

If this had been the case, you could have assumed that the page had been produced with the primary goal of informing the public and clearing up confusion - and that the page were likely to have input from people close to who actually drafted the regulation. All that would put my trust in the accuracy of the information way higher than that in a random law firm, no matter how much legal weight that would have in either case.

Additionally, it would be some news if an EU body published an "official" guide on how to implement the GDPR, whereas there are likely many such guides by private advisors.


On deeper inspection it seems the whole thing is a bit of a plug for Proton Mail. For some reason my disengaged brain hadn't linked Proton Technologies AG with ProtonMail, which was plugged frequently enough for me to notice on first glance but not quite enough to make me suspicious.

I think the point here may be that it could be different if this was an official EU page. I think the justification of "But we followed your guidance" is a pretty reasonable one in a court (I'm not a lawyer though).

It is an important warning for people in the US, where websites published under .gov are run by the federal government. When I saw the short domain followed by .eu, I assumed this would be an official government site providing GDPR compliance guidance.

Anybody can register a .eu domain. There are many companies that operate across EU borders in different countries, and use .eu domains to advertise their pan-European targeting.

Any EU citizen. There was the fracas recently when it turned out that .eu domains registered by British people would be decommissioned post-Brexit: https://ec.europa.eu/info/sites/info/files/notice_to_stakeho...

> It's referring to a directive which has been implemented by member states. Each member state has its own enforcing body, and some will take a more firm approach than others.

That's not true. The GDPR is a regulation (hence the R in GDPR!) which does not need to be implemented by member states. Regulations have direct effect, meaning the same legal text applies in every EU member state directly.


However the header states "This project is co-funded by the Horizon 2020 Framework Programme of the European Union", so maybe they had to pass some review.

What all these checklists lack is some real advice for software architects/developers, something along the lines of "I'm a Java developer, should I do something different now?" Reading the real GDPR [1] is more useful and not more complex than any technical document we are used to studying. It contains several hints here and there both in Recitals and in Articles (Recitals are the claims between "Whereas" and the Articles.)

For example Recital 29, which is more cryptic than most of the others, hints about a best practice of separating personal data from all the other ones and from the information required for reconciliation. Maybe different databases on different machines. This is not the naive soup of fields in a users table. Thinking about a classical MVC web app, it could be that the code in the controllers should have zero knowledge about personal data, with the exception of the part of the application that for example deals with user profiles. That could be a separate application with its own database and admins.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
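The separation the comment above sketches (personal data in its own store, the rest of the application knowing only an opaque key), as an added example that is not part of this thread or of gdpr.eu. It assumes Python with two in-memory SQLite connections standing in for two separate databases; every store, person and order below is constructed for illustration.

```python
"""Added example, not code from the thread or from gdpr.eu: one way to keep
personal data physically apart from the rest of the application, keyed by a
random pseudonym.  All stores, names and records below are constructed."""
import secrets
import sqlite3
from typing import Optional


class PersonalDataStore:
    """The only component that holds name/e-mail.  In production this is a
    separate database (ideally a separate service with its own admins); an
    in-memory SQLite connection stands in for it here."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE profiles (pseudonym TEXT PRIMARY KEY, "
            "email TEXT UNIQUE NOT NULL, name TEXT NOT NULL)"
        )

    def create(self, email: str, name: str) -> str:
        # A random token, not hash(email): e-mail addresses are guessable, so a
        # plain hash could be reversed by enumeration and would not separate
        # the two data sets in any meaningful way.
        pseudonym = secrets.token_hex(16)
        self.db.execute(
            "INSERT INTO profiles VALUES (?, ?, ?)", (pseudonym, email, name)
        )
        return pseudonym

    def resolve(self, pseudonym: str) -> Optional[dict]:
        row = self.db.execute(
            "SELECT email, name FROM profiles WHERE pseudonym = ?", (pseudonym,)
        ).fetchone()
        return None if row is None else {"email": row[0], "name": row[1]}

    def erase(self, pseudonym: str) -> bool:
        """Erasure path: deleting the row severs the link, so the application
        data keyed by this pseudonym no longer points at a person."""
        cur = self.db.execute(
            "DELETE FROM profiles WHERE pseudonym = ?", (pseudonym,)
        )
        return cur.rowcount == 1


class OrderStore:
    """Application data.  It never receives a name or e-mail; every row is
    keyed only by the opaque pseudonym."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, pseudonym TEXT NOT NULL, "
            "item TEXT NOT NULL, cents INTEGER NOT NULL)"
        )

    def place(self, pseudonym: str, item: str, cents: int) -> None:
        self.db.execute(
            "INSERT INTO orders (pseudonym, item, cents) VALUES (?, ?, ?)",
            (pseudonym, item, cents),
        )

    def total_cents(self, pseudonym: str) -> int:
        (total,) = self.db.execute(
            "SELECT COALESCE(SUM(cents), 0) FROM orders WHERE pseudonym = ?",
            (pseudonym,),
        ).fetchone()
        return total

    def columns(self) -> list:
        # Shows that no personal-data column exists on the application side.
        return [row[1] for row in self.db.execute("PRAGMA table_info(orders)")]


def notify_customer(profiles: PersonalDataStore, pseudonym: str) -> Optional[str]:
    """The one place the boundary is crossed on purpose: a confirmation mail
    needs the real address, so only this code asks the personal-data store."""
    person = profiles.resolve(pseudonym)
    return None if person is None else person["email"]


def demo() -> dict:
    profiles, orders = PersonalDataStore(), OrderStore()
    p = profiles.create("alice@example.com", "Alice")  # constructed person
    orders.place(p, "pizza", 1200)
    orders.place(p, "salad", 800)
    before = notify_customer(profiles, p)
    erased = profiles.erase(p)
    return {
        "order_columns": orders.columns(),        # no e-mail or name column
        "total_cents": orders.total_cents(p),     # order history still usable
        "email_before_erasure": before,
        "email_after_erasure": notify_customer(profiles, p),
        "erased": erased,
    }
```

The design point is the key: a random token means the order database, its backups and its admins cannot recover a person from it without the profile store, and erasing the profile row leaves the order rows as anonymous aggregate data.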


Of course the only way to have legal advice is to pay for legal advice. Free is substantially cheaper.

The way to use such sites is to rely on them at first, to help you navigate the waters. They should help you become MOSTLY compliant. Once you're done, THEN hire some legal experts to finish off the last few omissions or mis-interpretations.

It's a lot cheaper than starting with a law firm from the beginning. Know that there's always a risk that the informative site led you down a wrong path, so if you're about to make a decision that's hard to undo, you can engage the legal advice sooner.


Anyone else not a fan of private entities squatting on domains in a subversive way?

I like protonmail like I like sourcegraph but they are disingenuous in the squatting of gdpr.eu and langserver.org. The latter is even more egregious


If you want to read an excellent guide on GDPR from a regulatory authority (i.e. an organisation that is actually tasked with implementing the legislation) the UK's ICO website is the best place. It uses plain English as far as possible while not oversimplifying things to the point of uselessness.

https://ico.org.uk/for-organisations/guide-to-data-protectio...


They have Google Analytics enabled without consent and in the privacy policy they claim this:

>> “Google Analytics does not identify individual users or associate your IP address with any other data held by Google.”

This is wrong: GA may anonymize IPs; however, they drop a tracking cookie in order to identify unique visitors.

Tracking cookies under the GDPR fall under “personal data”, even if they are pseudo-anonymous. Also note that usage of Google Analytics cannot be a “legitimate purpose”.

So is this legal what they are doing? Or what am I missing?


In the sense of art. 6 §1 (f) GDPR, there is nothing preventing analytics from being justified by a legitimate interest. Recital 47 also says the processing of personal data for direct marketing purposes can be carried out for legitimate interests. Per the e-privacy directive, we provide notice that there is a cookie.

The updated Privacy notice is now supplemented with extra information.


Ironic that a site about GDPR compliance has 6 potential trackers according to Privacy Badger.

Which might be fine, depending on their privacy policy. Let's take a look...

Their privacy policy indicates they are claiming Legitimate Interest as the legal basis for using Google Analytics. My network tab also sees hits from ShareThis and Facebook, which are not mentioned in the Privacy Policy. There's a section on Embedded Content, but I don't see any content embedded in the privacy policy itself.

https://gdpr.eu/privacy-policy/

I will say this does a good job of being straightforward and readable, and covering what a privacy policy needs to cover. But it's still incomplete with regards to what data is being sent where.


Except Google Analytics cannot be a "legitimate interest".

A legitimate interest is one that prevents the service from operating. E.g. if you're a pizza delivery service, you need to use the customer's address, since it's implicit in what the service does and the customer expects you to use their address for the purpose of home delivery.

If you block Google Analytics however, in what way will the service be impacted from the perspective of the user experience? There is no impact, even if this costs the business optimization opportunities or money. You can argue that the inability to use Google Analytics can have a long term impact on user experience, but that's not how legitimate interests work.

In general, "making more money" or "becoming more popular" are invalid reasons for stating a legitimate interest.


GDPR compliance doesn't imply that tracking is disallowed, right? The GDPR specifies the allowed, legal protocols for tracking users and consumer behavior on sites.

Which includes a firm opt-in, which none of these does.

IF the legal basis for processing is Consent, then that consent needs to be opt-in and freely given.

If. If if if if IF IF IF.

Consent is not the only legal basis for processing. This website in particular claims Legitimate Interest as their legal basis for Google Analytics. If you can support a claim of Legitimate Interest, then none of the restrictions specific to Consent apply. Starting with opt-in vs opt-out.


You’re not allowed to store personal data in GA by their own terms of service, so the argument is moot: neither consent nor legitimate interest is needed.

True - however wouldn't "legitimate interest" be subject to precedents and also depend on what exactly you're tracking?

As a layman I'd assume that if one site gets to claim Google Analytics as "legitimate interest", this would imply GA being fair game for any site, provided they don't do anything special with it.


Which is fair; I shouldn't have to ask for consent from the user to have analytics on my site. Having analytics is a necessary part of running a web app successfully.

This doesn't imply GA, sending data to a third party (and one of the worst offenders with respect to privacy at that). The same can be achieved solely by first party means. It's just not that convenient.

I don't think the EU would agree with that, but IANAL.

I don't care what the EU agrees to, there's this thing called national sovereignty; I'm not subject to the laws of every country that simply asserts I am. The world cannot function if we're subject to every law every country decides to claim we're subject to.

IIF they are processing personally identifying information.

Personal data, not personally identifying information.

The former is a lot broader than the latter (and the latter is a US legal term and means precisely nothing in the EU).


The checklist especially is a great resource IMO: https://gdpr.eu/checklist/

Also shows how much of this is truly just sensible privacy protections.


A GDPR checklist goes against the basics of GDPR: privacy is a human right not a consumer right. Any site that provides a GDPR checklist should better be discarded and not given attention.

Are IP addresses personally identifiable information under GDPR?

Yes, and also cookie IDs. Both are called out as examples in recital 30:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...


I should have been more clear that I meant IP addresses alone.

It seems like this only addresses when IP addresses are combined with other data.


That particular guidance has provided a lot of gnashing of teeth because some readings of it have an implicit “because” before the final sentence. That is IP addresses are personal data as sometimes they uniquely identify people.

The guidance my firm received was to treat them, by themselves, as an ID. YMMV.


IP Addresses are Personal Data.

I think the easy way to check is to ask yourself if the data can directly link to someone's IRL identity.

If no, ask yourself if the police could identify them if they demanded and got the data.

If still no, ask yourself if the data is of a protected category (gender, religion, sexuality, etc.).

If you need any of this data, minimize your need first (i.e. this means storing IPs only for a limited timespan; German authorities have IIRC recommended 7 days as normal).

If you can't reduce your need, find another way to do what you do that has less need.

If all else fails, cover under legitimate interest and hope you're not Adtech.


Here is a write-up of the decision from EU’s highest court on this topic: https://www.whitecase.com/publications/alert/court-confirms-...

It’s easy to see why the quote I gave says what it says with this context.

Also, if you’re worried, talk to your lawyer.


DSGVO concerns 'directly' identifying information (Name, SSN...)

as well as 'indirectly' identifying information like IP addresses where the technical possibilities exist to link them back to the person.

EVEN if you do not actively link them to the person, DSGVO treats them the same way as the directly identifying information.


PII is a US concept, ‘personal data’ is the equivalent in GDPR. But yes, IP addresses are considered personal data.

If you're running a SaaS or software company, we compiled an abridged version of the full GDPR text that is only 34 pages in this format, very easy to consume: https://www.enterpriseready.io/GDPR-abridged-text-for-SaaS-C...

If you want to read the full thing, we created a quick guide for understanding which sections you might want to skim: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/


Oh, so now strangers can claim their rights on my mailbox, good times. I'm happy I'm a private person (and that lawgivers decided to spare ordinary people for now).

A much better and complete checklist tool is available at https://autoprivacy.eu

Simple, block the EU, problem solved.

There is no reason to block them. If you are not in the EU, you are not subject to its laws.

Sadly it's not that simple.

If you're seen (by EU courts) to be soliciting business from the EU (which could just mean running advertising that appears in the EU), you're subject to the laws.

So, blocking EU traffic to avoid being seen as doing business there may be a prudent step in some cases.

https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-af...


Yes, it is that simple; the GDPR can claim whatever it wants, that doesn't make it true. The EU has no jurisdiction over me in the US period. And referencing the GDPR as a source isn't valid, just because it's written doesn't make it enforceable. China doesn't get to tell me what to do, nor does the EU.

I mean it's not that simple if you wanted to travel in the EU or actively engage in business there if you were ever found to be in breach and penalised.

I don't like it any more than you do.

But the fact remains that it's not that simple.


I could give a shit about travelling to the EU, the vast majority of Americans never leave the US, that's not going to change.

If you are a business owner in US, you will probably go to EU at some point in time.

If you have a small website, you're not even a target. Unless you're selling personal data.


> If you are a business owner in US, you will probably go to EU at some point in time.

Not remotely true; the vast majority of US citizens never leave the US.


1. You violate the GDPR

2. One of the Supervisory Authorities fines you

3. The SA applies to a court in the EU for an order compelling payment of the fine

4. The SA applies to a US court for enforcement of the EU judgment

5. You have to pay up


What is the mechanism by which step 4 is accomplished, and why would this work for the EU and not one of the other myriad of legal systems with mutually exclusive laws?

There isn't one; that's the point these GDPR supporters aren't comprehending, national sovereignty is a thing, the world cannot function if every country can impose its laws on every citizen in the world.

“National sovereignty” is exactly the idea that every state has only the constraints imposed either by its physical power and behavioral constraints it voluntarily (and revocably) imposes on itself.

> the world cannot function if every country can impose its laws on every citizen in the world.

You seem to want to abandon the idea of national sovereignty for a global sovereign with geographically-bounded subordinate jurisdictions that may have broad discretion but which face mandatory constraints designed to optimize what you see as the desirable function of the world system. Which is a perfectly legitimate view, but you shouldn't confuse it with the idea of national sovereignty, to which it is radically opposed.


You're very confused. Nothing I said implies anything you said.

> You seem to want to abandon the idea of national sovereignty

Uh, no, try reading that again, I implied no such thing.


> You're very confused

Well, someone is; specifically, you are confused on what “sovereignty” means, and are confusing it for having limitations which are directly contrary to what it means. What you claim is demanded by “national sovereignty” is instead radically opposed to it (though it would be consistent with a global sovereign imposing particular limits on geographically-bounded subordinates.)


Again, I think you're misreading something.

> You seem to want to abandon the idea of national sovereignty for a global sovereign with geographically-bounded subordinate jurisdictions

No I don't, nor did I say or imply that.

> “National sovereignty” is exactly the idea that every state has only the constraints imposed either by it's physical power and behavioral constraints it voluntarily (and revocable) imposes on itself.

Correct and I'm well aware of that, and I used it with exactly that meaning. So your response to that comment simply doesn't make sense. Watch...

> What you claim is demanded by “national sovereignty”

Which is the point I was making, I'm in support of national sovereignty; if you think I've implied otherwise, you've misread something.

> is instead radically opposed to it

You seem to have not understood what I claimed, but I assure you it's not opposed to national sovereignty; here I'll add context to my original statement which I think you misread or misunderstood.

>> (OP) What is the mechanism by which step 4 is accomplished

> There isn't one;

I'm telling OP step 4 doesn't exist yet; the US courts don't just accept and execute the judgement of foreign courts. Certainly not in cases where said actions are perfectly legal in the US.

> that's the point these GDPR supporters aren't comprehending, national sovereignty is a thing

I'm saying the people supporting the GDPR don't seem to understand it's a violation of national sovereignty for the EU to be able to prosecute non-EU citizens for crimes that are only crimes in the EU when said citizens are not subjects of the EU. I'm subject to the laws of the US only, not the EU's laws. We have treaties that allow such prosecutions in cases where said behavior is a crime in both countries, but that doesn't apply in the case of the GDPR.

> the world cannot function if every country can impose its laws on every citizen in the world.

Saying nations are sovereign, that's how the world works. That's what a nation "is".


US seems to enforce laws in interesting ways.

6. Don't even think about travelling to the EU if you've ignored the fines.

That's a bit harsh, but you really have to be an egregious offender to get banned from EU.

Debt jail is illegal in Europe.


True; but I don't care about that; never been to the EU and likely never will, same as most Americans.

> 4. The SA applies to a US court for enforcement of the EU judgment

The US courts say fuck off, you don't have jurisdiction over our citizens. That's what's going to happen; let's stop pretending there's any actual legal right for the EU to impose laws on non EU citizens, there isn't.


A market of 512M well situated people surely is not an issue to ignore, great business advice here...

It's not a market of 512M, it's many small markets of different languages and different cultures that all need to be targeted individually whereas the US is actually a much larger market of a single culture. Focusing on the big mono language mono culture market instead of chasing dozens of smaller markets that require much more effort in internationalization is actually good business advice.

It is a single market. That's the whole point of the EEA.

Your personal interpretation of the situation is irrelevant.


From a business standpoint trying to market goods, no, it isn't. That's just a fact. Every culture has to be marketed to differently, they are different markets.

US is actually not a single market. At least, not as much as you'd like to believe.

There are regions, but they all speak the same language and use the same date formats: you do not have to internationalize or target your app, it is thus a single market. Not remotely so in the EU.

My guide to being GDPR compliant: don't do business in the EU.

Much simpler.


Sounds amazing, to be honest.

I'm quite enjoying the weird interstitial pages from a variety of US-based sites that block EU users. It's like a massive billboard saying "WE ARE USING YOUR DATA IN WAYS THAT YOU DON'T CONTROL", and is a reminder to use other services elsewhere.

GDPR is relatively straightforward to comply with, particularly for the simpler kind of sites that don't seem to have bothered. It basically codifies the sort of best practice that should have been in place already, and I'm sure many of us are happy to see that there is movement towards regulating the disastrous dumpster fire of personal data in this way.


It’s not at all simple for ad supported publishers who are the most prominent users of the blocking.

It maybe a case where this is the intended consequence of the law but it wasn’t sold that way ahead of time.

European publications are being even more impacted by this as they can’t resort to blocking. It will be very interesting how this impacts the publishers in the next few years.


Here's the kicker - most European online publications were already in compliance. GDPR is only slightly more stringent than most EU privacy laws on file.

The biggest complaints come from foreigners, if you haven't noticed.


No one knows if they are in compliance or not yet. For instance https://www.bankinfosecurity.com/fresh-gdpr-complaints-take-... outlines a complaint that all of real time bidding that is compliant with the IAB compliance framework is not compliant with GDPR.

Major publications, for instance Der Spiegel, which are trying to be compliant by following that standard (and they had to do major work to do so) may find they are out of compliance http://www.spiegel.de/extra/what-we-do-with-your-data-a-1211...

Similar complaints have been brought against publishers that used Google's compliance framework.


> GDPR is relatively straightforward to comply with, particularly for the simpler kind of sites that don't seem to have bothered.

For a small site, having to appoint a representative in the Union might not be straightforward. See Article 27. They might be excused from this requirement by meeting the three conditions given in Article 27(2)(a), but that is vague.


> My guide to being GDPR compliant: don't do business in the EU.

> Much simpler.

As an American, could you please tell me what businesses you run, so that I can make a note to avoid dealing with them in the future?

Thanks in advance.


It's going to be funny when we learn he works for the IRS. ;)

My company is over and above compliant with the requirements of the GDPR - not because we bothered to give a crap about the EU, but because we did it on our own years in advance, of our own volition and the need for heavy data protection.

As an American, I'm surprised you aren't skeptical of a foreign government trying to control what you do.


How not to pay taxes: don't sell anything.

It's a foolproof plan really.


> How not to pay taxes: don't sell anything.

You jest, but this is exactly what at least one of my businesses is about to do. We are in the UK, so Brexit uncertainty dominates any sort of EU-related planning for the next few months. The EU VAT rules for digital sales were already full of complication and red tape, and right now we don't even know whether the existing UK government systems will still be operating after the end of the current quarter on 31 March because it might all disappear with Brexit on 29 March.

When we took professional advice on how to prepare for this as well as we can under the circumstances, no-one in the room had any confidence in what little formal guidance exists so far or that the official positions currently set out by either the UK or EU governments will be realistic when the time comes. The consensus (by which I mean "view strongly advocated by literally every professional advisor in the room") was to suspend sales to rEU states until the dust has settled, and just redirect our efforts and finite budgets towards customers elsewhere in the meantime. That will inevitably involve some short term financial cost, but then so would making major changes in our technical systems and accounting practices at short notice to comply with all foreseeable possibilities at the start of April.

I don't find it inconceivable that lawyers in places like the US might give similar advice to some clients regarding the GDPR for similar reasons. If the clients are primarily dealing with data subjects outside the EU as well, avoiding the entire area as much as possible might be a reasonable position to take, even if again it's only temporarily until there is more known about the real implications of the GDPR as guidance and the first enforcement actions start to resolve the uncertainties.


Hang on a sec, I'll move my EU-based company's entirely EU customer base as well as all of our EU citizen staff and EU-based suppliers... oh wait.

Thanks for staying away! If you’re not interested in caring about our privacy and personal data concerns, you‘re very welcome to shove your products up to where the sun doesn’t shine...

These kinds of responses are unhelpful. Yes, data protection is incredibly important. That doesn't mean that GDPR as written is a well-done regulation - in point of fact it's insanely complicated and it's pretty much impossible to know whether or not you comply, even if you store zero data about users. It also doesn't mean that people who don't want to deal with GDPR don't care about privacy. Tarring and feathering someone for such things is lazy and unfair.

> in point of fact its insanely complicated

I disagree. I'm not sure what you've read about GDPR, but see the link I posted above. If you read the ICO guidance and still think it's insanely complicated, I'm not sure what to suggest because by that yardstick any legal matter is going to be insanely complicated and you'd be saying the same about any legislation. Do you have an example of any legislation that you'd say is better?


> If you read the ICO guidance and still think it's insanely complicated

Just the scale of the ICO's guidance -- which still primarily covers only general principles without getting much into specific practices and concrete examples -- tells us that this is a complicated issue.


I didn't mean to imply that it wasn't complicated - any legislation is going to need careful consideration because the wording is paramount. I was objecting more to the rather overheated phrase "insanely complicated," particularly when a counter-example of legislation that isn't "insanely" complicated wasn't given. Insanely complicated compared to what?

> Insanely complicated compared to what?

I'd suggest that one obvious comparison is with not having the GDPR.

I know my own businesses spent considerable time and money understanding the implications and updating our documentation to comply with the new requirements. However, that was basically all we changed in the end, because we weren't doing anything particularly unusual or dodgy in the first place. In other words, for us, the whole thing was basically an expensive box-ticking exercise with no real benefit to anyone.

I imagine there are many other small businesses that could tell a similar story. The most likely alternative for those that can't is probably that they're not compliant, either deliberately or through ignorance of their new legal obligations, so that still doesn't benefit data subjects in any useful way.

It seems realistic to estimate that several billion pounds has been spent on this sort of paper-pushing exercise in the UK alone, which does suggest some level of rhetorical insanity here if it hasn't really benefited anyone in any measurable way. Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at, but until we start seeing evidence of real benefits for the average person in the street, I for one will remain sceptical about whether all the extra red tape and complexity was justified.


> I'd suggest that one obvious comparison is with not having the GDPR.

> Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at...

Fair points. We've spent a decent amount of time working through GDPR implications for clients, and if nothing concrete comes out of this for the Googles / Facebooks of the world - which may take 5-10 years to judge - I'll be pretty angry too.

> until we start seeing evidence of real benefits for the average person in the street

I think there are already obvious tangible benefits. Our clients now have very clear markers on their websites about what data is going to be used and how. We've persuaded some of them to purge tens of thousands of email addresses from their lists that probably weren't even DPA compliant just because of the threat of GDPR, and I've spoken to non-tech people who feel more in control of data when signing up for things now. Not all organisations are following best practices - bundled consent seems to be pretty common still - but it feels like it's going in the right direction.


> its pretty much impossible to know whether or not you comply, even if you store zero data about users.

Can you explain how you store zero data but you are not sure? Are you referring to the fact that you include third party code or use third party services?

The fact that the laws are not simple is because they need to define things very specifically to make it impossible for "clever" people to interpret them differently than the "spirit of the law".


Servers have logs, which can have a lot of personal data in them. Not all of that logging is under your control, especially if you rely on 3rd party services like AWS. This is a simple example but there are many more.

I get what you're saying here, but if those [for example] logs contain personal information, and those logs are exposed (or have the possibility of being exposed) then that information should be redacted. Sure it's often not trivially simple, but it's your responsibility (AWS seems a weird example to use as well, given that any logging facilities actually provided by them offer redaction).

What logs are you thinking of? There are none that I can think of that require a lot of personal data. IP address storage is explicitly covered provided you log them for security etc.

An exception stack trace containing the data of a customer object could put in a name by accident, for example. And then you're in trouble. The third parties you use could be storing data, even if they tell you they don't. If they do you need to get a DPA signed up. You might still need a DPO, and so on and so forth. It's a massive undertaking for any org of a reasonable size.

Worth it in the long run, as once we're used to it and tweaks to the law happen to make it easier/better? Sure. Easy? Heck no.


I think this can't happen in the scenario you mentioned of zero personal data stored, since if you have a simple webpage and no personal data is stored, then your backend should have no customer objects to handle.

I've seen the issue you described where an exception will log all the function parameters, but if I am not wrong these logs are configurable, so you can check the framework you use about these logs, and it is probably a good idea to delete old error logs (I know as developers we are busy and don't want to mess with log configs and cronjobs etc., but even without GDPR an error log file containing DB data since 2017 is a security risk).


This isn't an issue I've come across. I've always put customer IDs in logging data, which is fine according to GDPR. Names, or other PII for that matter, shouldn't be in there, period. Stack traces are actually fine, just make sure you rotate your logs. Error and debugging logs are covered in the GDPR.

Third parties lying to you won't get you in trouble, it'll get them in trouble with the GDPR enforcers, so it's not worth doing that sort of "what if" exercise.

I've worked for organisations of many sizes. Basic data sanitation (aka, don't be daft) is enough. Give the GDPR a read, it's clear enough for almost all cases and isn't nearly as bad as some folks here on HN would have you believe.


Customer ids may or may not be ok. You will get different guidance on that. For instance cookie ids are personal data.

Third parties won't get you in trouble as long as you have a DPA, but you need to get it.

Customer IDs are fine as long as they can't be associated with other information anywhere else, but if they can, it's an issue.

Sanitation is easy but someone, somewhere will screw it up when you're not looking.
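The two failure modes discussed above (a customer object or an exception message dragging a name or e-mail address into a log line, and a sanitation step that someone forgets) can be handled at the logging layer rather than at every call site. This is an added example, not code from the thread or from gdpr.eu; the `Customer` class, logger name and sample record are hypothetical. It keeps PII out of `repr()` so only the customer ID surfaces, and scrubs e-mail addresses from the fully formatted record so that traceback text is covered too.

```python
import logging
import re
from dataclasses import dataclass, field
from io import StringIO


# Hypothetical customer record. PII fields are excluded from repr(), so a
# "%r" log line or a dumped object in a stack trace shows only the ID.
@dataclass
class Customer:
    customer_id: int
    name: str = field(repr=False)
    email: str = field(repr=False)


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RedactingFormatter(logging.Formatter):
    """Scrub e-mail addresses from the fully formatted record.

    A logging.Filter only sees record.msg; the traceback is rendered by the
    formatter, so an address embedded in an exception message would slip
    past a filter. Scrubbing the formatted string closes that gap.
    """

    def format(self, record: logging.LogRecord) -> str:
        return EMAIL_RE.sub("[email redacted]", super().format(record))


def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("gdpr_log_demo")  # hypothetical name
    logger.handlers.clear()  # idempotent across repeated calls
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def process_order(customer: Customer) -> str:
    """Simulate a failing operation and return what the log would contain."""
    buf = StringIO()
    log = build_logger(buf)
    try:
        # Careless code path: the exception message embeds the e-mail.
        raise ValueError(f"payment declined for {customer.email}")
    except ValueError:
        log.exception("order failed for customer %r", customer)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample record, not real data.
    print(process_order(Customer(42, "Jane Doe", "jane@example.org")))
```

Log rotation, which the thread also mentions, is a separate concern handled by the handler (for example `logging.handlers.RotatingFileHandler`) rather than by the formatter.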


Yes, exactly. Thanks for chiming in.

So when you said "even if you store zero data about users" you meant "except for when you store data about users."

Okay then...


Obviously, the number of people who think that GDPR and its rollout has gone perfectly is probably zero.

I think the reason there's so much defensiveness about GDPR is because it is legitimately a rare and valuable victory of data privacy advocates. From that perspective, the smug "just don't do business in the EU" meme might seem like a sentiment that ignores that victory so much that many probably assume it was born out of hostility to data privacy advocacy.


Frankly, I think that GDPR was rolled out quite well. And I think there was way more fear mongering and intentional confusion by the "no regulations should exist ever and all are badly horrible" crowd than actual problems with the legislation or its rollout.

I did see institutions doing unnecessary crazy things or waking up a day before it became valid etc. There is no way this was avoidable entirely and given people trying to lobby against it by essentially lying, all in all it went quite well.


So the post I replied to was helpful/constructive?

I am not even thinking that GDPR is implemented/written very greatly, and I was fearing too that it will mainly help to put small businesses out of any product category where storing even just an email address is necessary (e.g. have a login and want to enable users to restore a forgotten password) while big companies have their lawyers to allow them keep abusing our data on the edge of legal possibilities and not to our favour...

So I'm not yet sure if having no GDPR is better or worse than having none... Just, simply saying if you have data protection laws I avoid your market without any detailed reason or proposal how to improve doesn't bring us forward...


That reply was pretty bad as well. But at least he didn't tell someone to shove things up their butt.... :-)

Not explicitly - nor did I, you know, the sun don't shine in many places - but implicitly it was saying I should do just that with my privacy expectations and our laws about them.

The U.S. market? ;)

Yes! There you can let yourself get sued for a few millions because you didn’t mark a coffee cup as containing hot stuff or didn’t write in the usage instructions of a microwave oven that it’s unsuited to dry a cat after bathing... much simpler, clearer, and safer market there...

I can't believe people would even consider foreign laws apply to US small businesses that operate solely in the U.S.

Edit: no you don't need a guide on how to comply. No you don't need to pay some consultant to see if you are compliant. Simply ignore.

Edit 2: to comply means you accept all foreign laws and rule.


You’re welcome to ignore it if you like, but compliance doesn’t mean ‘accepting foreign rule’ if you look at it as a compilation of good practices for user privacy.

GDPR is unfortunately a paper tiger I have come to realize. The only thing that impresses Americans is a bit of good old violence. And the EU simply doesn't have the balls to drag executives off their private jets and drop them in a secret prison.

The question is, what are you going to say when you have an office in the EU? Or you use one of the EU states to launder your money (Ireland is very popular, for example)? The big firms are affected by it and about the small ones... I doubt "dragging executives off their private jets" is the most effective strategy when it comes to handling business related to money. Don't be too proud, it is a big market after all, you are talking about.

No authority over sites not hosted/run in the EU. I'm a US citizen running a business in the US; the EU has no legal authority whatsoever over me. If an EU citizen buys something from my site, as far as I'm concerned they came to the US virtually to do it, and US laws apply here, not EU laws. They can shove their GDPR where the sun doesn't shine.

Unfortunately unless you are explicitly not soliciting business from EU residents, you fall under that regulation.

One possible consequence is reputational damage.


No I don't, I'm not an EU citizen and have no EU physical presence; they can claim whatever they want, they have no jurisdiction over me, I am not subject to EU laws no matter what the GDPR tries to assert. It's toothless, they have no enforcement mechanism on a US citizen in the US. I am not subject to the laws of every country that asserts it so; I'm subject to the laws of the US only.

While GDPR is supposed to apply to any controller processing personal data where the processing activities are related to the offering of goods or service to data subjects in the Union, I believe it is fair to say that we have no idea yet how this will exactly be enforced outside of the EU (when it is enforced) until the first attempts appear.

It's true that this extra-territorial scope is a bold move when it comes to international law. I see a trend in the latest EU regulations that would suggest they are not close to abandoning this idea.


> It's true that this extra-territorial scope is a bold move when it comes to international law

Not really. Foreign opponents (especially American opponents) of the law make a big deal out of it, but extraterritorial application of laws, especially to acts occurring outside of but having effect within the territorial boundaries of the State whose law is concerned, is in no way novel.


You are right. It is something that has been known in criminal law for a long time. However, the possibilities to enforce have always been subject to the rules of legal assistance, which most of the time provide the limits of another national law.

We might end up in a situation where US authorities could accept to apply GDPR, but with fees limited to what US law allows, for example.


Ironically, the US is one of the worst countries for extraterritorial application of laws, but I guess it's convenient to ignore for the sake of argument. See e.g. Foreign Account Tax Compliance Act (FATCA).

The UK's ICO has already taken action against a Canadian company (Aggregate IQ Data Services Ltd).


