This may be an edgy and rebellious sentiment that makes me a radical anti-privacy activist, but unless you're storing levels of information on me that are similar to facebook/google/etc., I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account. If your web app is just a web app, and not one component of a vast surveillance octopus which puts tentacles on almost every website using social media buttons and GA.js, I don't think it matters in the slightest.
It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.
There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.
> This may be an edgy and rebellious sentiment that makes me a radical anti-privacy activist, but unless you're storing levels of information on me that are similar to facebook/google/etc., I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account. If your web app is just a web app, and not one component of a vast surveillance octopus which puts tentacles on almost every website using social media buttons and GA.js, I don't think it matters in the slightest.
> It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.
If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights.
> There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.
I think it's mainly a difference in viewpoint: this is my data for me. Not yours. GDPR makes it easier for me to enforce that. From my perspective I don't care about you violating my rights "in good faith", just like most people don't care if you trespass on my property and steal something "in good faith".
> If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights.
The problem is not the work that the GDPR requires, the problem is the work I'll have to put into understanding the GDPR.
> I think it's mainly a difference in viewpoint: this is my data for me. Not yours.
This is the part that I don't understand. If I own a shop, and you come in and buy something, you have absolutely no right to demand that I forget your face and your purchase. In the real world, it's not your data, it's my memory. If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I don't understand the concept of data ownership, because it does not align with how I understand the real world to work.
> In the real world, it's not your data, it's my memory.
This is where there's been a divergence on thought. In the real world you have limited capabilities to collect and store the data that is currently being collected. You're physically limited in how much you can retain and retrieve. In your old timey example I assume the diary to be sitting there in the back of the shop just being a record of my name and what I bought, but that's not how a lot of data is being used or being collected online.
The equivalent would be you making the diary automatically write down a potentially unlimited amount of data on me and then using it to sell advertising the moment I enter the shop.
If I went past your store and it automatically retrieved physical details about myself, what I'm wearing, my interests, hobbies, location and you then built a profile and then sold this information to advertisers there absolutely would be regulations regarding this in the real world.
Privacy limits
As retailers trial such tech they are well aware there is a risk of a privacy backlash.
Clothes store Nordstrom recently cancelled a scheme which tracked customers' movements through its stores using their phones' wi-fi signals after complaints.
"Are we willing to accept our everyday movements being monitored and analysed, not to keep us safe but purely to allow advertisers to target us? I think people will start to say no, our privacy is worth more than a few advertising dollars."
--
You say shop with a diary to present the most innocent of examples but for every shop with a diary there's billions of stalkers following people everywhere they go to learn as much about them as possible in order to sell them products and influence how they think which they never agreed to.
I totally agree, but that's an argument against some specific practices, while the GDPR is a scattergun approach that legislates much more than behavioural profiles and advertising. Barely-profitable or loss-making services acting in good faith are now under the same requirements as odious billion-dollar advertising companies, and some of the former are going to go under because of the GDPR, while all of the latter are going to be fine.
> If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I asked this question in a comment [1] here on HN a few weeks ago. There were affirmative responses that yes, the shopkeeper should in fact be held to account for keeping notes on who came into his store.
This is largely because the law doesn't care about implementation details. If a grocery store had a system which meticulously logged every customer that came into their store, when, and what they bought (i.e. loyalty card profiles) then we have to deal with issues related to privacy and data protection. Doing the same thing with pen and paper won't be seen as a meaningful difference.
If you're using the data to make money, and the user is generating that data, why do you just get to keep and sell it? How is that any different than you owning some forest land and I just come in and take some animals from the land to sell for meat?
You might call it poaching, but that only became a crime when society made it one, and that's what the GDPR is doing now with personal data.
It does apply to everyone, but since data is so valuable now, I would think the ethics still apply.
Data about users has become a valuable asset, and taking it from people now is depriving them of that value, whether or not you personally use it to make a profit.
The problem is that I can't afford the services of a lawyer, or a data protection officer, for a non-profit project. Especially not to satisfy regulations made in a foreign land far away from my own. So the only option left on the table is to block the EU.
> you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I hate to break it to you but yes I do: by doing business within the EU market you're accepting that. In fact you're accepting that the very same way that you're accepting that you can't store all your clients' credit card/cvv numbers that are used on your store.
See, to me, that looks like an intolerable imposition onto my basic humanity. It's legal for me to remember you, but not to write down anything about you in my diary? Does that not seem unsound to you? Does it not seem to trample all over common decency and common sense, to in some way cause harm to older people who can't just rely on their grey matter?
I freely admit that keeping a diary is not the same as keeping customer details, but that's the point here: why are they treated the same?
There is a qualitative difference between degrees of data collection. What you can see and remember is a different category from what you can write down; what you can write down is a different category from recorded audio/video; what you can record with conventional equipment is a different category from what you may capture and store using all available technology e.g. DNA sequencing. In general, the more powerful the technological aid, the stronger the regulation.
Even just the first two, seeing and writing down, are legally distinct. Supermarket checkout staff handle hundreds of credit cards a day. How do you think the law would react to such an employee writing all of them down?
It's not discriminatory against old people, because even a completely amnesiac person armed with a notepad can permanently capture vastly more information than all but a photographic memory.
They are treated the same because you are collecting data about others and GDPR regulates how this should happen.
If you want to collect the data, then it must be relevant for your business and that warrants you should treat it properly.
Upon request for erasure you should use reasonable measures to remove it. Wiping your memory is absurd and is never considered reasonable – no need for a lawyer to rule that out.
> If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights.
A server 'processing' (which seems to include using it in any way, not just storing [1]) your IP address appears to fall under the GDPR[1], and said server would be in violation of the law unless its processing falls under one of the exemptions.
The main exemption appears to be getting the user's explicit consent, though there's also this super vague exemption: "for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted." [2]
In general, it seems very hard to avoid the GDPR because what is considered 'personal data' is extremely broad.
Yeah, you're putting too much emphasis on consent. It's only one of six lawful bases for processing data, and in fact the one with the most stringent rules.
I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:
"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
There's a three part test:
1. Identify the legitimate interest: ensure the security and stability of my systems.
2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse
3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.
Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
> I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
Every business owner in Romania knows two things:
- the IRS equivalent will investigate them periodically, usually every few years
- they will ALWAYS find something to fine the company for
Sure, you will have to correct the something, but that doesn't mean you don't have to pay the fine anyway.
Also, incidentally, the company I was branch manager for was once investigated by the police for credit card theft (they received a complaint). They couldn't find anything (because we didn't steal any credit cards - we just had a lot of computers because we were programmers, working for the main company in the US) but, in order not to have wasted the raid, they decided to prosecute us for copyright violations (they found a few pirated games).
So, at least in Romania, there is no such thing as "correcting mistakes before fines come into play".
If your business was in the UK, the ICO can and would be able to stop you processing data, and get a search warrant for your business address. This is because they report directly to the government.
I doubt you'd be able to fix any issues before they get involved.
2. There's a comment elsewhere in the thread to this effect, but short-term logging for the usual purposes of managing stability/security of a system almost certainly qualifies as legitimate interest. Don't keep the logs indefinitely, but I figure nginx's defaults with a week's retention period is quite reasonable.
The relevant authorities also have a track record of giving people warnings and time to fix things, so especially for something so trivial, I'd basically just make a good faith effort and not stress about it.
> I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account
You don't give a damn; neither do those computer illiterate people who use the same email address and password for everything, and one leak of some shitty inconsequential website may obliterate their entire online presence.
I'm not sure how the GDPR fixes anything, since those people aren't going to be capable of finding the hidden "delete account" button five pages into a big tech company's byzantine privacy settings.
It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.
There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.