
In fact it's not at all onerous, unless you are determined to violate its provisions. If your business doesn't depend on privacy violations, then the "bureaucracy" that GDPR calls for is trivially easy to implement. There are no licences, and no registration requirements. Provided you aren't playing fast and loose with the personal data of Europeans, you're fine.

There's no "personal vendettas" going on; can you substantiate that allegation at all? The GDPR applies to everyone equally. And unlike some laws, it's fairly easy to read; it's meant to be understood. Don't bother reading some biased summary of the Regulation; read the GDPR itself. That's the best guidance on the intent, and the best guidance on how to comply.

/me: former data protection officer at a web development outfit.




"iTs nOt aT aLl oNeRoUs" said the DPO. lol, what a clown. So all these companies scrambling to hire lawyers to document every single aspect of the "legal basis" or whatever nonsense is in the language are just crazy in your books?

And that's just ONE sub clause of a hundred or so.

The overhead is both in the arbitrary nature of the requirements (Good Laws are objective, not subjective) and the sheer lack of consistency in the enforcement is ridiculous for any European business. Consider the adequacy clause that's taken decades to litigate and is still fucking criminal as of this writing.

Answer this simple question: "Can I, as a small business use AWS services that may or may not have a compute instance located in the EU?". You know pretty well what the answer is there, so, basically every small business in the EU is in violation right now. And it's bureaucratic assholery that keeps this deliberately inconsistent so they can choose to enforce it at any point of their choosing (read, a negative PR cycle) - Monarchy, inconsistency, arbitrary and ambiguous rulemaking that has tossed out the interests of businesses.

The vendetta against Google is well documented and it's insulting for you to even say otherwise. Look at the most recent example of the CNIL (France's privacy enforcement body, a part of the executive) choosing arbitrary standards and refusing to even elaborate on concrete standards for recommended analytics solutions that businesses may use. They have gone full psycho with not even wanting to give Google the opportunity to come into compliance with standards that they choose not to reveal and instead openly ask industry to turn Google Analytics off. It's ridiculous and bad for their own economies.


> Good Laws are objective, not subjective

There's a difference between the way French and Germans write laws and the way we write them in the UK; I prefer the UK style, which leaves less room for interpretation.

> basically every small business in the EU is in violation right now

Only if they're handling personal data. Most small businesses don't.

Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.

And, of course, you don't have to use AWS.

> And it's bureaucratic assholery that keeps this deliberately inconsistent

That's not how I read it. The way I read it, GDPR is astonishingly lenient. Before they prosecute, they'll warn you; provide advice on how to come into compliance; and give you time to do it.

> choosing arbitrary standards

If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction. That's not vague or arbitrary. It may be - um - bold; but this law was flagged up years before it came into force. It's not as if the law came out of nowhere, and suddenly everyone's in violation.

> It's ridiculous and bad for their own economies.

Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.


> There's a difference between the way French and Germans write laws..(and the U.k.)

Interesting way of saying they are bad laws. If you cannot, as a business have certainty in your prediction of the regulatory environment, you're pretty fucked. I wouldn't expect a piece of the bureaucratic establishment such as yourself to understand the struggles of setting up and running a business. What was your role as DPO again? An ornamental peace offering to the burdens imposed by regulation? Not all businesses have the luxury of throwing money at legal resources.

> Only if they're handling personal data. Most small businesses don't. Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.

It must take a special kind of asshole to say this. In just another one of your recent comments here you mention that even the mere presence of an IP address that ISN'T EVEN STORED would put a business in violation and liable to large fines. So you pretty much agree that all small businesses are in violation if they use AWS in any reasonable way to run their business but you don't want to say it explicitly here since it makes you look bad. Gotcha.

> And, of course, you don't have to use AWS.

And of course, the European people elected you their lord and savior to tell businesses which tech stacks they pick and choose because of your interpretation of arbitrary laws. See the problem here yet?

> That's not how I read it. The way I read it, GDPR is astonishingly lenient.

Is it? So why did other member states of the EU take offense at the decision of the Irish DPA? The one stop provision clearly stipulates that the onus of enforcement falls to the one stop shop and instead, the arbitrary nature of the law as it stands, other member states and bureaucrats in Brussels seem to deem it necessary to impose their will and personal vendettas against the perceived soft touch approach of an entity fully within their rights to do so.

> If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction

Have there been any warnings against AliCloud for instance? Or all the analytics bundles shipped in Huawei phones?

I can't seem to recall any press release or webpage dedicated to a single company like the CNIL and now Italian authorities have adopted towards Google Analytics?

Is there any oversight to these agencies allowed where these decisions are up to public scrutiny such as the FOIA act in the US to assure the public that these highly paid public officials are not wasting all their time and money chasing personal vendettas as seems to be the case here? Of course fucking not.

Is Google Analytics perfect? Maybe not. But this is the crucial point . . THE LEGISLATURE CANNOT DISCRIMINATE AGAINST A SINGLE ENTITY THIS WAY. While turning a blind eye to practices by Huawei and other companies, it is simply against the rule of law.

> Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.

A weasel through and through. What else did I expect from someone in your position?

So, illegal abuse of power by Government to target a company is fine by you, Mr. DPO?


> I wouldn't expect a piece of the bureaucratic establishment such as yourself

Good Lord, presumptions much?

I said I was DPO in my last job. I was also the main sysadmin, and as my main role a website developer. This was a company of 10 people including the bosses. Someone had to take on the role.

> It must take a special kind of asshole to say this.

It must take a special kind of asshole to say that, to someone you haven't met and know nothing about.

> but you don't want to say it explicitly here since it makes you look bad. Gotcha.

Not really; I've never evaluated AWS for compliance. The reason I didn't say that is because it's not something I know about. We didn't use AWS; I've used it, but in someone else's coding shop, where AWS compliance wasn't my concern.

May I suggest that you're a bit hasty with words like "clown", "asshole", "weasel" and "gotcha"?

> And of course, the European people elected you their lord and savior to tell businesses which tech stacks they pick and choose because of your interpretation of arbitrary laws. See the problem here yet?

How are things over there in Conclusions, where you seem to have jumped? I have never told anyone what tech stack they should use.

> THE LEGISLATURE CANNOT DISCRIMINATE AGAINST A SINGLE ENTITY THIS WAY.

Where in the GDPR is GA mentioned? Or AWS, for that matter?

For the sake of clarity, no legislature had anything to do with the GDPR; it was promulgated by the European Commission, an important part of the EU bureaucracy, and I have never worked for any part of the EU bureaucracy. In fact, I no longer even live in the EU.

> A weasel through and through. What else did I expect from someone in your position?

And what position is it, that you think I occupy? FTR, I'm a retired software developer. The position I occupy is sitting in an armchair.

> So, illegal abuse of power by Government to target a company is fine by you, Mr. DPO?

Nope. In fact I'm also against legal abuse of power, whether by government or anyone else.

You seem to be very angry; perhaps social media is not for you.


The fact that you still can’t bring yourself to admit here what you did in another comment says more than I ever could.

ie, that any small or big business inadvertently sending even an IP address that isn’t even stored to touch a US based resource in something as innocuous as AWS.

Seeing your other recent comment here, it seems you’re just a moron with a nationalistic tendency to support your countrymen (and women). Oh well, objectivity dies and future generations on your continent suffer. Who cares, right? You’re retired.


If it's inadvertent, then they can remedy the error once they've been notified.

If an IP address is sent to the USA, then whether it's stored or not ceases to be a matter that European courts can oversee. Since US courts and European courts are not in accord on these matters, Europeans are faced with either banning the export of IP addresses to the USA, or giving up on legislating privacy at all. We chose the former.

> it seems you’re just a moron with a nationalistic tendency

Oh, more name-calling, and more conclusions jumped to. If you can't make an argument, make a personal insult, and decorate it with insulting epithets based on nothing at all.

> future generations on your continent suffer

Ah, you're not from these parts! I thought not. But in the light of that fact, it's our concern, not yours, right? So why do you get SO angry about European law? If you want to trade in Europe, you have to comply with European regulations. Same wherever you want to trade.

I don't approve of the US trade environment. For example, about half the world is under US trade sanctions; but you don't get me marching around accusing USAians of being morons, weasels, assholes, and clowns.

Perhaps the truth is that it is you that is the nationalist?


"remedy the error"? Care to put that in a sentence like "Remedy the error of using the internet"

You expect a business that's invested in the AWS stack to up and move overnight because some illiterate morons in Brussels decided that?


I don't care much what decisions random businesses make.

It has been my view for a long time that entrusting your infrastructure to the tender mercies of a firm like Amazon is reckless. Here we have a situation where the legal environment has changed; AWS hasn't changed to match; so those companies that chose to rely on a 3rd-party infrastructure provider appear to have made a mistake.

If I had been advising one of those companies, I would have advised them to bring critical infrastructure in-house. But there might have been other options, like using Europe-based infrastructure providers.

I've never been involved with budgets and so on. It's not my concern how much different solutions cost. I just think the principals of companies have a responsibility to avoid third-party risk - which is what you have, if you rely on a third-party for critical company infrastructure.

That's why I was able to persuade my employers to bring their email service in-house. It worked, and the bosses were pleased with the improved service and reliability. We also constructed our own in-house build and deployment train; that worked very nicely too.

Maybe the cost-benefits vary according to the type and size of business. I'm not a researcher, and I only know about the things I've looked into. But my guess is that AWS works well for companies that are after a quick buck (e.g. an IPO).



