If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights.
The problem is not the work that the GDPR requires, the problem is the work I'll have to put into understanding the GDPR.
I think it's mainly a difference in viewpoint: this is my data for me. Not yours.
This is the part that I don't understand. If I own a shop, and you come in and buy something, you have absolutely no right to demand that I forget your face and your purchase. In the real world, it's not your data, it's my memory. If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I don't understand the concept of data ownership, because it does not align with how I understand the real world to work.
> In the real world, it's not your data, it's my memory.
This is where there's been a divergence of thought. In the real world you have limited capabilities to collect and store the data that is currently being collected. You're physically limited in how much you can retain and retrieve. In your old-timey example I assume the diary to be sitting there in the back of the shop just being a record of my name and what I bought, but that's not how a lot of data is being used or being collected online.
The equivalent would be you making the diary automatically write down a potentially unlimited amount of data on me and then using it to sell advertising the moment I enter the shop.
If I went past your store and it automatically retrieved physical details about myself, what I'm wearing, my interests, hobbies, location and you then built a profile and then sold this information to advertisers there absolutely would be regulations regarding this in the real world.
Privacy limits
As retailers trial such tech they are well aware there is a risk of a privacy backlash.
Clothes store Nordstrom recently cancelled a scheme which tracked customers' movements through its stores using their phones' wi-fi signals after complaints.
"Are we willing to accept our everyday movements being monitored and analysed, not to keep us safe but purely to allow advertisers to target us? I think people will start to say no, our privacy is worth more than a few advertising dollars."
--
You say shop with a diary to present the most innocent of examples but for every shop with a diary there's billions of stalkers following people everywhere they go to learn as much about them as possible in order to sell them products and influence how they think which they never agreed to.
I totally agree, but that's an argument against some specific practices, while the GDPR is a scattergun approach that legislates much more than behavioural profiles and advertising. Barely-profitable or loss-making services acting in good faith are now under the same requirements as odious billion-dollar advertising companies, and some of the former are going to go under because of the GDPR, while all of the latter are going to be fine.
> If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I asked this question in a comment [1] here on HN a few weeks ago. There were affirmative responses that yes, the shopkeeper should in fact be held to account for keeping notes on who came into his store.
This is largely because the law doesn't care about implementation details. If a grocery store had a system which meticulously logged every customer that came into their store, when, and what they bought (i.e. loyalty card profiles) then we have to deal with issues related to privacy and data protection. Doing the same thing with pen and paper won't be seen as a meaningful difference.
If you're using the data to make money, and the user is generating that data, why do you just get to keep and sell it? How is that any different than you owning some forest land and I just come in and take some animals from the land to sell for meat?
You might call it poaching, but that only became a crime when society made it one, and that's what the GDPR is doing now with personal data.
It does apply to everyone, but since data is so valuable now, I would think the ethics still apply.
Data about users has become a valuable asset, and taking it from people now is depriving them of that value, whether or not you personally use it to make a profit.
The problem is that I can't afford the services of a lawyer, or a data protection officer, for a non-profit project. Especially not to satisfy regulations made in a foreign land far away from my own. So the only option left on the table is to block the EU.
> you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I hate to break it to you but yes I do: by doing business within the EU market you're accepting that. In fact you're accepting that the very same way that you're accepting that you can't store all your clients' credit card/cvv numbers that are used on your store.
See, to me, that looks like an intolerable imposition onto my basic humanity. It's legal for me to remember you, but not to write down anything about you in my diary? Does that not seem unsound to you? Does it not seem to trample all over common decency and common sense, to in some way cause harm to older people who can't just rely on their grey matter?
I freely admit that keeping a diary is not the same as keeping customer details, but that's the point here: why are they treated the same?
There is a qualitative difference between degrees of data collection. What you can see and remember is a different category from what you can write down; what you can write down is a different category from recorded audio/video; what you can record with conventional equipment is a different category from what you may capture and store using all available technology e.g. DNA sequencing. In general, the more powerful the technological aid, the stronger the regulation.
Even just the first two, seeing and writing down, are legally distinct. Supermarket checkout staff handle hundreds of credit cards a day. How do you think the law would react to such an employee writing all of them down?
It's not discriminatory against old people, because even a completely amnesiac person armed with a notepad can permanently capture vastly more information than all but a photographic memory.
They are treated the same because you are collecting data about others and GDPR regulates how this should happen.
If you want to collect the data, then it must be relevant for your business and that warrants you should treat it properly.
Upon a request for erasure you should use reasonable measures to remove it. Wiping your memory is absurd and is never considered reasonable – no need for a lawyer to rule that out.