As frereubu notes elsewhere in this thread, the UK regulator's GDPR guide is excellent, and is a much better starting point in my opinion: https://ico.org.uk/for-organisations/guide-to-data-protectio...
The ICO guide linked by the parent doesn't.
> GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union.
This is probably a requirement of the funding.
> This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found here.
This seems reasonable. Funded by does not mean endorsed by. Here's the official page.
> Nothing found in this portal constitutes legal advice.
Realistically it can't be legal advice, even though it's dealing with an area that could get you into legal trouble. It's referring to a directive which has been implemented by member states. Each member state has its own enforcing body, and some will take a more firm approach than others.
As for legal advice, in at least some jurisdictions even paid advice is treated as just that – advice – and if you get bad advice, there is little to no realistic prospect of redress.
This appears at first glance to be one of the better resources on the GDPR I have seen.
Legally, it's quite dangerous since it might give you the feeling of being compliant while still being at risk. "But Proton Technologies AG said ..." isn't going to hold up in court.
If you're soliciting free advice online – even from a law firm – it may as well contain such a disclaimer. Nearly always the terms of service do contain such a term.
> "But Proton Technologies AG said ..." isn't going to hold up in court.
"But our law firm said…" seems to be the alternative here. I'm not sure how well that would hold up in court.
I'm all for getting legal advice from professionals. That said, there's a lot of law firms that will give you advice on the GDPR without really knowing what they're talking about. Their risk is pretty minimal – as a business client you're unlikely to be entitled to the same redress as consumers. The bar is very high for demonstrating negligence.
I found the warning very useful, as I assumed this was a publication from an EU institution as well.
If this had been the case, you could have assumed that the page had been produced with the primary goal of informing the public and clearing up confusion - and that the page were likely to have input from people close to who actually drafted the regulation. All that would put my trust in the accuracy of the information way higher than that in a random law firm, no matter how much legal weight that would have in either case.
Additionally, it would be some news if an EU body published an "official" guide how to implement the GDPR, whereas there are likely many such guides by private advisors.
That's not true. The GDPR is a regulation (hence the R in GDPR!) which does not need to be implemented by member states. Regulations have direct effect, meaning the same legal text applies in every EU member state directly.
What all these checklists lack is some real advice for software architects/developers, something along the lines of "I'm a Java developer, should I do something different now?" Reading the real GDPR  is more useful and not more complex than any technical document we are used to study. It contains several hints here and there both in Recitals and in Articles (Recitals are the claims between "Whereas" and the Articles.)
For example Recital 29, which is more cryptic than most of the others, hints about a best practice of separating personal data from all the other ones and from the information required for reconciliation. Maybe different databases on different machines. This is not the naive soup of fields in a users table. Thinking about a classical MVC web app, it could be that the code in the controllers should have zero knowledge about personal data, with the exception of the part of the application that for example deals with user profiles. That could be a separate application with its own database and admins.
The way to use such sites is to rely on them at first, to help you navigate the waters. They should help you become MOSTLY compliant. Once you're done, THEN hire some legal experts to finish off the last few ommissions or mis-interpretations.
It's a lot cheaper than starting with a law firm from the beginning. Know that there's always a risk that the informative site lead you down a wrong path so if you're about to make a decision that's hard to undo, you can engage the legal advice sooner.
I like protonmail like I like sourcegraph but they are disingenuous in the squatting of gdpr.eu and langserver.org. The latter is even more egregious
>> “Google Analytics does not identify individual users or associate your IP address with any other data held by Google.”
This is wrong, GA may anonymize IPs, however they drop a tracking cookie in order to identify unique visitors.
Tracking cookies under the GDPR fall under “personal data”, even if they are pseudo-anonymous. Also note that usage of Google Analytics cannot be a “legitimate purpose”.
So is this legal what they are doing? Or what am I missing?
The updated Privacy notice is now supplemented with extra information.
A legitimate interest is one that prevents the service from operating. E.g. if you're a pizza delivery service, you need to use the customer's address, since it's implicit in what the service does and the customer expects you to use their address for the purpose of home delivery.
If you block Google Analytics however, in what way will the service be impacted from the perspective of the user experience? There is no impact, even if this costs the business optimization opportunities or money. You can argue that the inability to use Google Analytics can have a long term impact on user experience, but that's not how legitimate interests work.
In general, "making more money" or "becoming more popular" are invalid reasons for stating a legitimate interest.
If. If if if if IF IF IF.
Consent is not the only legal basis for processing. This website in particular claims Legitimate Interest as their legal basis for Google Analytics. If you can support a claim of Legitimate Interest, then none of the restrictions specific to Consent apply. Starting with opt-in vs out-out.
As a layman I'd assume that if one site gets to claim Google Analytics as "legitimate interest", this would imply GA being fair game for any site, provided they don't do anything special with it.
The former is a lot broader then the latter (and the latter is a US legal term and means precisely nothing in the EU).
Also shows how much of this is truly just sensible privacy protections.
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
It seems like this only addresses when IP addresses are combined with other data.
The guidance my firm received was to treat them, by themselves, as an ID. YMMV.
I think the easy way to check is to ask yourself if the data can directly link to someone's IRL identity.
If no, ask yourself if the police could identify them if they demanded and got the data.
If still no, ask yourself if the data is of a protected category (gender, religion, sexuality, etc.).
If you need any of this data, minimize your need first (ie this means storing IPs only for a limited timespan, german authorities have IIRC recommended 7 days as normal).
If you can't reduce your need, find another way to do what you do that has less need.
If all else fails, cover under legitimate interest and hope you're not Adtech.
It’s easy to see why quote I gave says what it says with this context.
Also, if you’re worries, talk to your lawyer.
aswell as 'indirectly' identifying information like IP adresses where the technical possibilities exist to link them back to the person.
EVEN if you do not actively link them to the person DSGVO treats them the same way as the directly identifying information
if you want to read the full thing, we created a quick guide for understanding which sections you might want to skim:
If you're seen (by EU courts) to be soliciting business from the EU (which could just mean running advertising that appears in the EU), you're subject to the laws.
So, blocking EU traffic to avoid being seen as doing business there may be a prudent step in some cases.
I don't like it any more than you do.
But the fact remains that it's not that simple.
If you have a small website, you're not even a target. Unless you're selling personal data.
Not remotely true; the vast majority of US citizens never leave the US.
2. One of the Supervisory Authorities fines you
3. The SA applies to a court in the EU for an order compelling payment of the fine
4. The SA applies to a US court for enforcement of the EU judgment
5. You have to pay up
> the world cannot function if every country can impose its laws on every citizen in the world.
You seem to want to abandon the idea of national sovereignty for a global sovereign with geographically-bounded subordinate jurisdictions that may have broad discretion but which face mandatory constraints designed to optimize what you see as the desirable function of the world system. Which is a perfectly legitimate view, but you shouldn't confuse it with the idea of national sovereignty, to which it radically opposed.
> You seem to want to abandon the idea of national sovereignty
Uh, no, try reading that again, I implied no such thing.
Well, someone is; specifically, you are confused on what “sovereignty” means, and are confusing it for having limitations which are directly contrary to what it means. What you claim is demanded by “national sovereignty” is instead radically opposed to it (though it would be consistent withstand global sovereign imposing particular limits on a geographically-bounded subordinates.)
> You seem to want to abandon the idea of national sovereignty for a global sovereign with geographically-bounded subordinate jurisdictions
No I don't, nor did I say or imply that.
> “National sovereignty” is exactly the idea that every state has only the constraints imposed either by it's physical power and behavioral constraints it voluntarily (and revocable) imposes on itself.
Correct and I'm well aware of that, and I used it with exactly that meaning. So your response to that comment simply doesn't make sense. Watch...
> What you claim is demanded by “national sovereignty”
Which is the point I was making, I'm in support of national sovereignty; if you think I've implied otherwise, you've misread something.
> is instead radically opposed to it
You seem to have not understood what I claimed, but I assure you it's not opposed to national soverenty, here I'll add context to my original statement which I think you misread or understood.
>> (OP)What is the mechanism by which step 4 is accomplished
> There isn't one;
I'm telling OP step 4 doesn't exist yet; the US courts don't just accept and execute the judgement of foreign courts. Certainly not in cases where said actions are perfectly legal in the US.
> that's the point these GDPR supporters aren't comprehending, national sovereignty is a thing
I'm saying the people supporting the GDPR don't seem to understand it's a violation of national sovereignty for the EU to be able prosecute non-EU citizens for crimes that are only crimes in the EU when said citizens are not subjects of the EU. I'm subject to the laws of the US only, not the EU's laws. We have treaties that allow such prosecutions in cases where said behavior is a crime in both countries, but that doesn't apply in the case of the GDPR.
Saying nations are sovereign, that's how the world works. That's what a nation "is".
Debt jail is illegal in Europe.
The US courts says fuck off, you don't have jurisdiction over our citizens. That's what's going to happen; lets stop pretending there's any actual legal right for the EU to impose laws on non EU citizens, there isn't.
Your personal interpretation of the situation is irrelevant.
I'm quite enjoying the weird interstitial pages from a variety of US-based sites that block EU users. It's like a massive billboard saying "WE ARE USING YOUR DATA IN WAYS THAT YOU DON'T CONTROL", and is a reminder to use other services elsewhere.
GDPR is relatively straightforward to comply with, particularly for the simpler kind of sites that don't seem to have bothered. It basically codifies the sort of best practice that should have been in place already, and I'm sure many of us are happy to see that there is movement towards regulating the disastrous dumpster fire of personal data in this way.
It maybe a case where this is the intended consequence of the law but it wasn’t sold that way ahead of time.
European publications are being even more impacted by this as they can’t resort to blocking. It will be very interesting how this impacts the publishers in the next few years.
The biggest complaints come from foreigners, if you haven't noticed.
Major publications, for instance Der Spiegel, which are trying to be compliant by following that standard (and they had to do major work to do so) may find they are out of compliance http://www.spiegel.de/extra/what-we-do-with-your-data-a-1211...
Similar complaints have been brought against publishers that used googles compliance framework.
For a small site, having to appoint a representative in the Union might not be straightforward. See Article 27. They might be excused from this requirement by meeting the three conditions given in Article 27(2)(a), but that is vague.
> Much simpler.
As an American, could you please tell me what businesses you run, so that I can make a note to avoid dealing with them in the future?
Thanks in advance.
As an American, I'm suprised you aren't skeptical of a foreign government trying to control what you do.
It's a foolproof plan really.
You jest, but this is exactly what at least one of my businesses is about to do. We are in the UK, so Brexit uncertainty dominates any sort of EU-related planning for the next few months. The EU VAT rules for digital sales were already full of complication and red tape, and right now we don't even know whether the existing UK government systems will still be operating after the end of the current quarter on 31 March because it might all disappear with Brexit on 29 March.
When we took professional advice on how to prepare for this as well as we can under the circumstances, no-one in the room had any confidence in what little formal guidance exists so far or that the official positions currently set out by either the UK or EU governments will be realistic when the time comes. The consensus (by which I mean "view strongly advocated by literally every professional advisor in the room") was to suspend sales to rEU states until the dust has settled, and just redirect our efforts and finite budgets towards customers elsewhere in the meantime. That will inevitably involve some short term financial cost, but then so would making major changes in our technical systems and accounting practices at short notice to comply with all foreseeable possibilities at the start of April.
I don't find it inconceivable that lawyers in places like the US might give similar advice to some clients regarding the GDPR for similar reasons. If the clients are primarily dealing with data subjects outside the EU as well, avoiding the entire area as much as possible might be a reasonable position to take, even if again it's only temporarily until there is more known about the real implications of the GDPR as guidance and the first enforcement actions start to resolve the uncertainties.
I disagree. I'm not sure what you've read about GPDR, but see the link I posted above. If you read the ICO guidance and still think it's insanely complicated, I'm not sure what to suggest because by that yardstick any legal matter is going to be insanely complicated and you'd be saying the same about any legislation. Do you have an example of any legislation that you'd say is better?
Just the scale of the ICO's guidance -- which still primarily covers only general principles without getting much into specific practices and concrete examples -- tells us that this is a complicated issue.
I'd suggest that one obvious comparison is with not having the GDPR.
I know my own businesses spent considerable time and money understanding the implications and updating our documentation to comply with the new requirements. However, that was basically all we changed in the end, because we weren't doing anything particularly unusual or dodgy in the first place. In other words, for us, the whole thing was basically an expensive box-ticking exercise with no real benefit to anyone.
I imagine there are many other small businesses that could tell a similar story. The most likely alternative for those that can't is probably that they're not compliant, either deliberately or through ignorance of their new legal obligations, so that still doesn't benefit data subjects in any useful way.
It seems realistic to estimate that several billion pounds has been spent on this sort of paper-pushing exercise in the UK alone, which does suggest some level of rhetorical insanity here if it hasn't really benefited anyone in any measurable way. Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at, but until we start seeing evidence of real benefits for the average person in the street, I for one will remain sceptical about whether all the extra red tape and complexity was justified.
> Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at...
Fair points. We've spent a decent amount of time working through GDPR implications for clients, and if nothing concrete comes out of this for the Googles / Facebooks of the world - which may take 5-10 years to judge - I'll be pretty angry too.
> until we start seeing evidence of real benefits for the average person in the street
I think there are already obvious tangible benefits. Our clients now have very clear markers on their websites about what data is going to be used and how. We've persuaded some of them to purge tens of thousands of email addresses from their lists that probably weren't even DPA compliant just because of the threat of GDPR, and I've spoken to non-tech people who feel more in control of data when signing up for things now. Not all organisations are following best practices - bundled consent seems to be pretty common still - but it feels like it's going in the right direction.
Can you explain how you store Zero data but you are not sure? Are you referring at the fact that you include third party code or use third party services?
The fact that the laws are not simple is because they need to define things very specifically to make it impossible for "clever" people to interpret them different then the "spirit oft he law"
Worth it in the long run, as once we're used to it and tweaks to the law happen to make it easier/better? Sure. Easy? Heck no.
I seen the issue you described where an exception will log all the function parameters but if I am not wrong this logs are configurable so you can check the framework you use about this logs and probably is a good idea to delete old error logs(I know as developers we are busy and don't want to mess with log configs and cronjobs etc but even without GDPR an error log file containing DB data since 2017 is a security risk)
Third parties lying to you wont get you in trouble, it'll get them in trouble with the GDPR enforcers, so it's not worth doing that sort of "what if" exercise.
I've worked for organisations of many sizes. Basic data sanitation (aka, don't be daft) is enough. Give the GDPR a read, it's clear enough for almost all cases and isn't nearly as bad as some folks here on HN would have you believe.
Customer IDs are fine as long as they can't be associated with other information anywhere else, but if they can, it's an issue.
Sanitation is easy but someone, somewhere will screw it up when you're not looking.
I think the reason there's so much defensiveness about GDPR is because it is legitimately a rare and valuable victory of data privacy advocates. From that perspective, the smug "just don't do business in the EU" meme might seems like a sentiment that ignores that victory so much that many probably assume it was born out of hostility to data privacy advocacy.
I did seen institutions doing unnecessary crazy things or waking up a day before it went valid etc. There is no way this was avoidable entirely and given people trying to lobby against it by essentially lying, all in all it went quite well.
I am not even thinking that GDPR is implemented/written very greatly, and i was fearing too that it will mainly help to put small businesses out of any product category where storing even just an Email address is necessary(eg have an login and want to enable users to restoa forgotten password) while big companies have their lawyers to allow them keep abusing our data on the edge of legal possibilities and not to our favour...
So Im not yet sure if having no GDPR is better or worse than having none...
Just, simply saying if you have data protection laws i avoid your market without any detailed reason or proposal how to improve doesn’t bring us forward...
Edit: no you don't need a guide on how to comply. No you don't need to pay some consultant to see if you are compliant. Simply ignore.
Edit 2: to comply means you except all foreign laws and rule.
One possible consequence is reputational damage.
It's true that this extra-territorial scope is a bold move when it comes to international law. I see a trend in the latest EU regulations that would suggest they are not close to abandoning this idea.
Not really. Foreign opponents (especially American opponents) of the law make a big deal out of it, but extraterritorial application of laws, especially to acts occurring outside of but having effect within the territorial boundaries of the State whose law is concerned, is in no way novel.
We might end up in a situation where US authorities could accept to apply GDPR, but with fees limited to what US law allows, for example.