‘Everyone is breaking the law right now’: GDPR compliance is falling short (digiday.com)
217 points by ilamont on June 28, 2018 | hide | past | favorite | 216 comments



> Part of the issue, experts say, is the vague regulation has been interpreted in wildly different ways. GDPR consent-request messages vary wildly across sites

What experts? I found the law to be pretty clear and there are plenty of summarized versions out there. What some companies find confusing is that the law has made their core business model illegal and no consent form can save them. You cannot get your users to opt out via a consent form; how many times do people have to repeat this? This is nothing like the cookie law.

The only vague part of the law is the fining system which was done on purpose. If you have explicit fines then companies will have to make more money from your private data to cover the explicitly priced fine leading to a worse situation.


I can't honestly agree. (re: ambiguity of interpretation, and cost being limited only to privacy-violating business models) Two reasons.

1. HN discussions themselves. Literally EVERY TIME this comes up, you see a massive back and forth from various crowds of GDPR; some of whom swear that it's perfectly comprehensible even as significant portions of the conversation are interpreting the same points in a variety of ways. (Are IPs PII? What exceptions can be allowed? What falls under "security requirement"? What forms of data are associated PII? What sort of deanonymization is sufficient? IS it sufficient? are some common questions I saw in the past, not even getting into the wonderful world of third party data processors.) This seems like enough pragmatic evidence that a (to give the benefit of the doubt) educated and professional community hasn't reached consensus, so to say there's a variety of interpretation seems very fair.

2. I implemented GDPR for a small corner of a notable BigCo. I do not consider myself an expert, but I certainly got my marching orders from experts, (The legal teams who interpreted the document and evaluated the implementation methods) and the sheer amount of horsepower put behind finding an interpretation we believed and were confident in was staggering. Granted this is something where we _really wanted to get it right_ but if it were really trivial to interpret I question if the process would have been as intensive as it was. (To preempt the inevitable; our (my team's) business model has _literally nothing_ to do with your data, but we had many of the same confusions/questions that I saw from companies who did, so I'd be hesitant to say that the burden isn't somewhat widespread.)


> The legal teams...and the sheer amount of horsepower put behind finding an interpretation we believed and were confident in was staggering

You shouldn't be getting down voted. I just went through a GDPR compliance review. We have a service model which is incredibly serious about customer confidentiality. We don't sell ads and, to my recollection, have never even bought them. Still required an army of lawyers. Two top London law firms ended up agreeing to disagree on major points, ultimately concluding the Polish data regulator would probably rule one way and the French the other.

Complying with the spirit of a law doesn't mean complying with the statute of it. With GDPR, it's the latter that's a pain in the ass.


>ultimately concluding the Polish data regulator would probably rule one way and the French the other

Wait, this is being handled on the national level??? I thought you guys had some singular EU court thing for this, not a clusterF of the different countries' justice systems.


> this is being handled on the national level?

Yup, each of the EU's twenty-eight member states has a national data regulator who is responsible for interpreting the law. One can appeal to EU courts. But the local context must be considered.


It's worse. In Germany the DSGVO (German GDPR) will be regulated by the states of Germany, i.e. every state has its own regulatory administration, which means that there will be even more room for interpretation.

In the end the GDPR is more about opening new jobs.

Also, sites like http://www.spiegel.de/ or https://www.bild.de/ do not care about the GDPR/DSGVO... so it won't happen that there will be many groundbreaking changes in how the governments see privacy issues. In the end they just wanted to scare off Silicon Valley.


Is GDPR that much different from the Bundesdatenschutzgesetz? Maybe those sites were compliant already.


GDPR forces opt-in; these sites use opt-out mechanisms and save a lot of PII data that can clearly be connected to a real person.


These companies were in violation of the Bundesdatenschutzgesetz. It mandates data minimization, which many fail to adhere to. The problem is more with enforcement, which was (is) weak. GDPR is in fact seen as more lax (by our privacy protection authorities) than the Bundesdatenschutzgesetz, but it has more teeth.


A business that operates in, say, Germany reports to the German authority. A business that operates in 10 EU countries can declare which one is the major country for them, and they have to deal only with the authority in that one country.


That's not how my lawyer explained it to me. They said that I was liable for violating privacy laws, or the opinion of the regulator, in any German state, even though I am a US company. And it doesn't matter if I have an EU subsidiary and I declare a major country. Maybe your lawyer has a different opinion, but they tell me I shouldn't go hire the lawyer that says what I want to hear.


And in some countries that agency employs a dozen to two dozen people total. In other words, it's entirely possible to get screwed because somebody doesn't like you.


I thought the whole point of the EU having laws like this was to avoid having a ton of variations by country.


The whole point of the EU is to garner trade advantage by negotiating as a bloc instead of as small countries, when they saw large countries like the US, USSR and China get negotiating power. It is also to not have any tariffs and to have free movement of labor internally. Everything else has been iffy at best. The EU is not a federal nation like the US or India.


There is EU law (such as GDPR) that all member states must transpose into their state legislation. A citizen of a "foreign" member state enjoys the same rights as the "local" citizen.

The point of the EU is/was to achieve an "ever closer union" so that war between European states would never happen again. It's not just an economic bloc.

Btw, immigration is the main issue, which has nothing to do with trading.


The GDPR does remove variation between countries. Before the GDPR, each of the 28 member states would have had their own data protection laws, and while you wouldn't have had to comply with all of them, the only law you generally have to comply with under the GDPR is... the GDPR, plus or minus some minor opt-ins or opt-outs that some member states may choose. It's one piece of legislation that is a hell of a lot more navigable and accessible than 28 different pieces of legislation.

What the poster above is lamenting is that each member state is in charge of their own investigatory authority, and this makes a lot of sense: if you have a data leak that affects only Spanish citizens you wouldn't want the investigation being carried out by a country like Sweden or even by the EU itself. However, if a data leak affects citizens of multiple member states, each of those member states is invited to and can enter a joint investigation. The issue they believe is that France may have a stricter interpretation of the law than a country like Poland, which may make cooperating with the law more difficult as you don't know how strict to be, and while this certainly is going to be the case, it's not so different from any other facet of life. In the US you may favour a certain state to be prosecuted in, you may prefer to have a different prosecutor or judge, etc.


The European Court of Justice has the final say. As far as I know the local (supreme) courts ask the ECJ for an opinion if they think their local law could be incompatible with the EU law. EU laws such as GDPR must be transposed by the member states, but they may have slight variations (i.e. the amount of fines).


The EU court sets binding precedents across the Union, but the law is still enforced at a national level and discrepancies can arise and take time to be cleared up. There's also the fact that Union law is not perfectly uniform in any case, there are national differences where they go beyond the minimum requirements of Union law.


HN as a community is so defensive about the wisdom and necessity of the spirit of the law (which isn't an unreasonable position) that a lot of commenters reflexively reject any claim that the implementation may leave something to be desired (just see the top comment in this thread). It's entirely unsurprising to me that the EU implemented this sloppily, for the simple reason that legislators all over the world are shitty at understanding tech, and sweeping changes have a high prior likelihood of being poorly implemented.


> Complying with the spirit of a law doesn't mean complying with the statute of it. With GDPR, it's the latter that's a pain in the ass.

I've never understood why people try to comply with the text of a new law that doesn't have case-law under it yet, rather than the spirit.

Surely, the first time anyone gets sued for noncompliance of the text of GDPR, when they are compliant with the spirit under which GDPR was issued, case-law will be created that "bends" the interpretation of the text more toward the spirit?


> I've never understood why people try to comply with the text of a new law that doesn't have case-law under it yet

Continental Europe uses civil law [1]. Case law is less relevant than it is in the U.K. or United States.

More broadly, people try to "comply with the text of a new law" to avoid becoming the precedent. (Even if you prevail, it's distracting and expensive.)

> Surely, the first time anyone gets sued for noncompliance of the text of GDPR, when they are compliant with the spirit under which GDPR was issued, case-law will be created that "bends" the interpretation of the text more toward the spirit?

Surely? Based on what? For anyone with material revenue, that basis will be legal advice.

[1] https://en.wikipedia.org/wiki/Civil_law_(legal_system)


To avoid becoming the precedent should prosecutors choose to make an example of them.


Because SMEs can't afford a legal case.


This is the exact opposite experience we've had.

We're all over Europe and the U.S. It was pretty painless. Our business does not rely on the ignorance of users or the abuse of their privacy. What "army of lawyers" did you have and why was the spirit of the law not enough? We had several different business units get through compliance without any problems.

This isn't a hard thing to address at the end of the day (so long as your entire business doesn't depend on it). I just can't help but feel one of a few ways: A) you didn't understand what the law says, B) you didn't understand what your lawyers were actually worried about, or C) this story is just made up.

What specifically were the discrepancies in the interpretation of the law between various countries that caused two "top" tier law firms to be unable to come to a clean consensus?


Why was this downvoted? As far as I can see the claims of excessive burden have been equally vague; I don't see how this comment will lead into trolling.


I'm pro GDPR, but I get tired of the immense amounts of shade some pro GDPR people throw the way of some who complain about it.

These arguments tend to be very circular. It goes something like this: GDPR is reasonable and easy to understand; if you're having trouble with it you are probably user hostile/don't understand it; you're having trouble with it which means you are user hostile/don't understand it; therefore your complaints are not legitimate; therefore GDPR is reasonable and easy to understand.


Let me just respond to this in short: No. They're not circular.

The same vague claims keep getting repeated, with absolutely nothing to back them up. Not even a "here's the problem with the law in our case" super fuzzy high level overview. It's always about the effort of adhering to the law without any discussion about why these companies are facing difficulties in the first place. Not the actual difficulty with implementing the law, just the vague effort they've put up with.

Hundreds of thousands of businesses have not had issue with the law. Suddenly some guy on HN with two "top tier" law firms at his back faces this unimaginably heavy burden and extreme obstacles when trying to adhere to the law. Sounds like a nightmare, in the sense that it never happened.

OP's post and the many others like it are just typical American business favoritism against any kind of regulation masquerading as a personal True Story (TM). I still remember when cookie warnings were "hard" to do and businesses actively implemented them in obviously shit ways, in bad faith with the regulations. It's so obviously contrived for a particular audience it's kind of absurd it immediately doesn't get flagged.


Are you basically asking "Why does no one want to share specific details of their company's difficulty complying with a giant new regulatory framework?"?


Surely the issue is harmless, and has nothing to do with the stuff GDPR is legislating against, right? Why not just share a general, fuzzy overview?

I am pretty sure that's what they're asking for. I didn't see a request for specific details. Just some high level details, rather than "we've had to spend so much money/time => clearly bad".


We’re told not to talk about any details (even high level) of this sort by legal because anything we put on the internet could be used against the company in court even if it seems harmless to us. If you want to find out about the difficulties just find an engineer working at a major company and ask them about it in person.


What part of "super fuzzy high level overview" was confusing?


Oh, sorry. My bad.

Heavens knows no one has ever been legally compelled to elaborate on a "super fuzzy high level overview" they previously volunteered.


You are being silly. You completely misread what I said and now you're attempting to reference insanely improbable scenarios.

Just point out the exact part of the law you guys are having a problem with. If you can't do that, it's because you're just making shit up.


I imagine

> C) this story is just made up.

Was interpreted as being too hostile and uncivil.


There isn't anything in GDPR to cause the problems he is describing. It's realistically the most probable scenario.

If I'm not allowed to call out dishonesty then there's basically no point in discussing any subject.


I agree, but it has to be done with delicacy to get past the hive mind here.


Maybe because some subset of the audience on HN seems to have a habit of downvoting facts they don't like, or data points that counter their narratives.

I can't count the number of times I've posted factual, verifiable information — with sources — and been downvoted (or, often enough, downvoted, then voted back up, then down again, and so on) for my troubles, or the number of times I've seen such comments from others treated the same.

The most plausible explanation I can come up with is, "Your facts dispute my narrative, and we can't have that!"

EDIT: I'm not saying that's what's happening here, and I'm certainly not saying there's brigading or shilling going on (indeed, I think it's purely individual action), but this is a clear pattern, which I've reliably observed happening for years.

It doesn't even have to be on a controversial topic; I once linked to an explanation of a nuance of copyright law, of which the other participants in the thread were demonstrably ignorant. The extent of the response? Downvotes.


Oh lord, speaking of copyright law, trying to rationally discuss copyright law during the Oracle vs Google case on this site was basically an exercise in how much mental pain you were willing to take. Comments that only contained direct quotes from the case to negate what the OP was stating were downvoted. The Google fanaticism was insane.

I'm going to guess what's happening here is that a good amount of developers work for companies where GDPR would impact their revenue directly or indirectly (and most likely jobs as a whole). This is especially true for smaller "middle man" analytics firms and general web agencies. It pays to be anti-GDPR.


What were the major points?


> Still required an army of lawyers. ... major points

What? Why? How?

Given that:

- You don't sell your customer data.

- That customer data is secure.

- Someone somewhere in your org can handle access requests and delete customer data on request.

What here requires an army of lawyers?

Maybe your corporate culture demands that army regardless, but that's hardly the GDPR's fault.


Never underestimate the kind of mess lawyers can think up. I know of a big organisation providing all kinds of services. I was involved from the sidelines in GDPRing a small part of a very unimportant and almost forgotten service of theirs.

My personal guess was they wouldn't need consent, as it was a clear-cut case where all requested data was clearly needed to provide the service. And asking for consent to use the data a customer just typed in the site for requesting the service seems a sure-fire way to annoy them without any upside.

Then the GDPR lawyers came.

It turns out, if you interpret the company charter in a very nasty but still legal way, there might be a very rare edge case where a service was provided to someone who was not strictly 100% a customer. Yeah, I'm a bit vague here, sorry about that.

To be clear: no real-life example was found now or in the 10+ year history records of the service, both the almost-but-not-quite customer and the company would have to do insane things, and the service delivered in that case was almost non-existent, but theoretically, on paper, it was possible. I'm pretty sure nobody would care if it happened, either.

So boom goes our legal basis. Consent it is, then.


People keep going to consent, but I'm pretty sure in many cases they're wrong to do so.

> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

and the ICO guidance is

> Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Even when consent is given, the user's interests still have to be considered during processing, so it's not like it's a do-whatever-you-like card. Just because a user says they consent to you doing something with their data doesn't necessarily mean you can if that thing is obviously not in their interests.

I wish the fact that consent is only a weak basis under GDPR were made more clear, since if we just end up with an internet that requires consent on every site then the law has just made things worse and made nothing better.


This sort of thing seems to happen a lot. Legal departments are responsible for making sure the company doesn't get sued, and are not really responsible for working towards company success. So Legal's arse gets covered by denying absolutely everything that they don't believe is guaranteed legal, and the company loses business because things become unreasonable. I think legal should instead be more risk management, working for the benefit of the company to manage the legal risk rather than minimize it, and stay within ethical boundaries. It already is risk management, since all legal departments have to work with are their opinions and not facts about how future rulings will go, so it is just a case of accepting it. In the above example, it seems like that didn't happen, with lawyers creating a wall of red tape costing money and annoying customers, instead of realizing the risk was minimal, and if they were at all competent they could easily argue their case even if the low risk event occurred.

And it is even more insane blindly accepting this sort of advice with GDPR, worrying about getting sued for theoretical edge cases when the first round of warnings hasn't even gone out to the worst offenders yet.


It doesn't matter if you need the data to provide the service, you still need to ask for consent for any personal data - and personal data is defined extremely broadly.


Sorry, but this is completely wrong. See Art. 6:

https://gdpr-info.eu/art-6-gdpr/

There are 6 options. Option a is the consent you are talking about. I am talking about option b.

Basically, having multiple legal bases can't hurt, so our lawyers said: get both option a and b.


To understand that, I think you'd need to be a lawyer who worked in European law. The point is that each country has their own regulators, who often enforce the laws differently. So what might be "perfectly clear" to you could be interpreted completely differently where a different body of law and precedent has been set.


GDPR is not a prohibition on selling personal data. It’s a prohibition on having and using personal data, unless the specific data and usage can be justified under one of the lawful bases. An army of lawyers is required to assess whether each code path and business process is truly covered under one of those bases, given how specific regulators are likely to interpret the subjective judgement calls embedded in the definitions of those bases (necessary, legitimate, reasonable, balanced, etc).


Need better lawyers.


>What here requires an army of lawyers?

Defining what those simple statements like "customer data is secure" means in the context of hundreds or thousands of use cases throughout a complex organization.


This is a bit easier if you're a standard b2c SaaS company where you keep all your data in one place and can keep an eye on it.

But if you're not, or you're not sure what the boundaries of "personal" are (is a first name only personal?) it's harder.


Here it is:

https://www.eugdpr.org/the-regulation.html

Hands up. Who has actually read all of it?

Speaking as somebody who actually has - was teaching computer security last term - I found it relatively easy to read (as legal documents go) - but it still took a weekend. I will guarantee you, that not all of the high powered lawyers whose job it is to read it, have done that.

True story: back in the days when libraries still stamped your book with the date it was due back, I took out a copy of Keynes' General Theory from the main library where I lived. It's not that thick of a book, and according to the date stamps it had been borrowed at least 20 or so times. About half way through, the pages hadn't been cut.

It was a few years before the significance of that finally dawned on me. As in many things in life, HN discussions on the GDPR are a wonderful example of nobody actually reading it, and everybody having an opinion of it.


I am just seeing a couple of scrolls' worth of text; definitely not weekend-long reading material. Am I reading the right thing, or is your link mis-pointed?


I'm only seeing a very short summary too.


https://ec.europa.eu/info/files/regulation-eu-2016-679-prote... is some fifty thousand words (i.e., a novel worth of legalese).


"https://www.eugdpr.org/the-regulation.html"

Well now I read that link, but I don't think that's the actual law...


Yeah, I'm willing to bet the people that think this is easy and clear are not trying to implement it. I have not met anyone working at a large internet company (these companies have a high likelihood of being sued, so it's very important the law is followed as accurately as possible) that thinks the law is clear.


99% of the people screaming here that it's incomprehensible either very clearly haven't read the source material or just don't understand how the law works in the EU (I guess they are from somewhere else and didn't bother to look anything up before forming an opinion).

Regarding your point about consensus, that's fair - however this has not been my experience. Most parties that you would ask for advice on the matter have a pretty good handle on what the different terms mean.

Your second point is mostly evidence (to my mind) of large corporations trying to get away with as much malicious compliance as they can possibly manage. You really do have to put a lot of effort in that, as you cannot assume the agency checking you will see good faith (which is, as far as I understand it, one of the requirements for not being slapped with fines very quickly).


"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

The law is pretty clear (not 100% clear, obviously; there are going to be loopholes and unclear things), and it's easy to decide about unclear spots by following the spirit of the law, and by understanding that any unclear technical requirement really means "what a sane engineer would do, that you could defend against a jury of your peers".

To answer a few of your questions (obviously IANAL):

- Are IPs PII? Yes, there are legal cases about that; your lawyer should have a more detailed answer.

- What exceptions can be allowed? When you have a case you could defend that doesn't go against the spirit of the law.

- What falls under "security requirements"? You should be able to defend your choices security-wise against a jury of your peers, using your internal documentation. If you have unsalted password hashes, for example, you are in trouble.

- What sort of deanonymization is sufficient? Best practices at the current date.

Technical details aren't going to be in the law, because the goal of a law is to not be outdated every year.

Laws are enforced by humans, not by computers. Your company should be prepared to defend its interpretation of the law (that's your lawyer's job) and your technical choices (that's your job).

Edit: obviously, that's a simplified vision, and you should always consult your lawyer. The bigger your company is, the more important it is to try your best to be compliant.


You've had sizeable replies and I've yet to read them, so forgive if I'm reiterating something here.

But as for 1): IPs are distinctly /not/ PII (AKA: PD). They're identified /by name/ in the regulation, unless you sell that info. Anyone who brings this up as a topic has not actually read the regulations.. or they have and are trying to create uncertainty for some objective.

It sounds like you've done enough of reading the regulation to actually know this, it's part of your job and you've spoken to legal experts (as I have).


> IPs are distinctly /not/ PII. They're identified /by name/ in the regulation. Anyone who brings this up as a topic has not actually read the regulations.. or they have and are trying to create uncertainty for some objective.

Have you yourself read the regulation? You are wrong.

The regulation makes a single reference (by name) to IP addresses. In recital 30. In that recital, it specifically declares IP address to be PD (GDPR doesn't use the term PII at all).

Not to confuse the matter, but if you stopped there, and decided IP addresses were PD, you would have stopped short. It requires deeper analysis. Here are two good ones:

https://gdpr-info.eu/issues/personal-data/

https://www.whitecase.com/publications/alert/court-confirms-...

The soundbite-sized answer is: it depends.


Sorry, was going on the case of "if you're not an ISP"

IP, when tied to other data becomes the scope of personal data.

However, removing the other data renders it no longer personal data.

This firmly puts it in the "it's not personal data" camp. Since it's the other data that is personally identifiable that gives it context.

It's only relevant for ISPs really, but really good job on proving my "creating confusion for no reason" point.

In the context of online accounts (in video games, where I work) it can't be used to identify real world people because we don't ever link to a real world identity. In cases where you log details about people individually (as in a bank) you just don't log user details beside access logs and you're set. IP on its own is not personally identifiable, and is out of scope for GDPR.


I have taken the same stance. Have had lawyers tell me that I am wrong. Have had other lawyers tell me the opposite. -shrug- When it specifically lists IP address as an example of PD in one section, the fact that another says things are only PD if you can identify a person doesn't NECESSARILY overrule that.


I think a lot of this is a red herring. If you are gathering the IP address under the contract lawful basis, then it doesn't matter if it's personally identifying or not. Where it gets tricky is when you are not gathering the IP address under the contract lawful basis.

The tricky thing about GDPR is choosing the correct lawful basis. I think people reach for the legitimate interest card too quickly because they see it as a "get out of jail free" card. But then it ends up complicating things enormously -- especially since legitimate interest can be objected to. I've seen people agonising in public about what to do because the personally identifying information is necessary to provide the service they are offering. If you're in the situation where if someone objects to the use of their data, then it breaks the whole service -- well you're in contract lawful basis territory.

IP addresses are potentially complicated, though. I'm not sure what's supposed to happen when you receive personally identifying information from someone that you don't have a contract with. The law does seem to be vague on what constitutes a "contract", because in some cases it seems to imply something different than what contract law says (i.e. if there is no consideration, it seems I can still use contract lawful basis). In this situation, if I have a P2P network and I need your IP address to fulfil my side of the protocol, then I should be able to use it under contract basis. However, I'm unclear about the actual legality of it -- especially when the information is sent to you by an intermediate node.

To me, that's what needs to be cleared up. I expect it will be over a period of time. I don't think the law was written with that kind of stuff in mind. It's kind of interesting, though. I imagine it is a violation of the GDPR to track what individuals are downloading in bittorrent without giving them a legitimate interest notice, though (and allowing them to object! and be forgotten!). It will be interesting to see if anybody complains about that kind of thing.


A German court held that IP addresses can be considered personal data for non ISPs.

Check Patrick Breyer v. Bundesrepublik Deutschland.

Literally a website just logging IP addresses of visitors.

You’re making it sound incredibly cut and dry when it’s clearly not and there’s case law on record confirming it’s not so simple.


I just looked up that case's official press release:

https://curia.europa.eu/jcms/upload/docs/application/pdf/201...

I also looked up some additional explanations.

That case literally does not support the claim you make. The court decided that:

* dynamic IPs can be considered personal info if the entity collecting them has legal means to get additional information related to that IP (these legal means exist in Germany, if the entity believes they are being cyberattacked)

* furthermore, the court noted that this particular law is more restrictive than general EU law (which eventually becomes GDPR, as far as I understand: http://germanitlaw.com/patrick-breyer-v-federal-republic-of-...)

* according to the less restrictive law though, "The operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks"

* and this opened up the question as to which law should be followed in Germany, at least until GDPR comes into play (again, see explanation in http://germanitlaw.com/patrick-breyer-v-federal-republic-of-...)

* note then that: this issue is no longer an issue (since GDPR is in play now) and that GDPR actually allows the collection of dynamic IPs if the entity needs to do this to protect from cyberattack


It's kind of funny. You say "case literally does not support the claim" I make then continue to say what I said in a different way.

I was responding to a person that was claiming that essentially IP addresses are only personal data for ISPs or ISP like businesses. Which is simply not the case.

I didn't say IP addresses were always considered personal data, I simply said it can be personal data, which you also stated in your post. That it's not cut and dry. The person I was responding to was posting that IP addresses are definitively NOT personal data.

The point is, context for IPs matters. The person I was replying to was way over simplifying.

I'm not entirely sure what claim you think I made that the case doesn't back up as you essentially stated what I did just with more specificity. In any case I totally agree with your post since it's the same point I was making :)


Cool. If it's so clear, then are you willing to be held liable if my company is found in violation of it due to your misreading?

I'm guessing not. People who are willing to put their reputation on the line, who are paid four figures per hour to understand this stuff, disagree with each other on interpretations of GDPR.


> be held liable if my company is found in violation

Forget about violations. Even if you're in perfect compliance, any EU resident can complain to their data authorities if they think you're non-compliant. That then prompts a regulatory inquiry, which requires lawyers to competently respond to, which is distracting and expensive.


Which is different from other civil law in what ways? Anyone can sue you over any civil law. Then the courts decide. GDPR is not magically different. This is a straw man.

The flurry of activities is only driven by companies who keep data about their users. Of course "legitimate" will be defined by the courts. That's the price you have to pay now for all the abuses that have been going on for the past two or three decades. History has shown that to define "legitimate" in the text of the law is to open the doors to avoidance. Sorry mate, we can't trust you to be honest. It's too late now.


> Anyone can sue you over any civil law

The burden for filing a lawsuit is significantly higher than the burden for making a regulatory complaint.


That's true. That's why in my most recent dispute with insurance in Washington state, I filed a complaint with the Washington State Insurance Commission. The Commission then sent a formal request to the insurance company in question, which suddenly made the insurance company much more eager to pay me what I think they owed me.

Of course, just as you mentioned above, responding to complaints is distracting and expensive, which is why all insurance companies folded up the business up here, and there's no more insurance to be bought in Washington.

(I'm kidding of course, insurance companies work here just fine.)


> The Commission then sent a formal request to the insurance company in question, which suddenly made the insurance company much more eager to pay me what I think they owed me

I'm a huge fan of complain-and-respond frameworks. I have complained to my state Attorney General when my cable company changed pricing on me mid-contract. I complained to my state Department of Financial Services when a rebate issuer sent me a card instead of a cheque. I complained, the other night, when a construction company decided to run jackhammers on 26th Street at 1:30 in the morning.

Complain-and-respond regimes work. They're also expensive, and cause known incumbency biases. Deploying them should be carefully considered. For insurance and financial services, the tradeoff makes sense. For literally every business that might ever touch a European's data, it's a bit overblown.


> Deploying them should be carefully considered. For insurance and financial services, the tradeoff makes sense. For literally every business that might ever touch a European's data, it's a bit overblown.

That's a fair argument to make. The counterpoint is that before GDPR we had so many problems with companies mishandling data that "a bit overblown" is not something that everyone would agree with. Additionally, some countries (e.g. above-mentioned Poland) had GDPR-like laws (Ustawa z dnia 29 sierpnia 1997 r. o ochronie danych osobowych) for over two decades now, with a corresponding regulatory office (Generalny Inspektor Ochrony Danych Osobowych) that regularly looked into complaints. In practice it turned out to work great, local businesses easily complied with the law, and nobody saw this as a huge hassle in the two decades of the application of the law. I find it hard to believe that it's going to get much worse than that with GDPR. Many companies are just overreacting here really.


> before GDPR we had so many problems with companies mishandling data that "a bit overblown" is not something that everyone would agree with

GDPR should have had a minimum revenue threshold for the bulk of its requirements. Enforcement should have also been centralized in a single EU enforcer. A simple process for obtaining non-compulsory affirmative compliance certificates, for businesses at or below the revenue threshold, would have also been nice.

> I find it hard to believe that it's going to get much worse than that with GDPR

I see Facebook and Google gaining market share and failing to change their behavior. In addition, Europe is no longer a market one launches in simultaneously with the U.S. and Asia for most foreign businesses.

This whole episode is deeply frustrating as I'm strongly anti-Facebook and pro-privacy rights. The degree to which the EU turned an opportunity to lead into a wholesale boondoggle is jaw-dropping.


I’ve had discussions with people working in ads at Google that are basically, “so GDPR is the EU’s attempt to kill off all our competition and presently entrench us in the marketplace.”


> In addition, Europe is no longer a market one launches in simultaneously with the U.S. and Asia for most foreign businesses.

Since that's a broad statement, would you care to back it up?

> I see Facebook and Google gaining market share and failing to change their behavior. In addition, Europe is no longer a market one launches in simultaneously with the U.S. and Asia for most foreign businesses.

Are you saying that Facebook and Google are not GDPR compliant, and that furthermore, the EU doesn't care that they are not GDPR compliant?


Facebook is dramatically noncompliant, and people on my privacy professionals listserv have been debating parts of Google. I assume the EU cares, but it's also a massive fight to pick, and Facebook and Google are well-suited to handling it.


But in Europe, someone is more likely to complain to regulators than to sue you themselves.


>>Anyone can sue you over any civil law. Then teh courts decides. GDPR is not magically different. This is a straw man.

Yeah, but in this case that "anyone" is not spending a dime of his own; instead the limitless resources of the EU will be coming after you. By the time the court decides, virtually any small company will go bankrupt.


The EU has a budget about the size of the Romanian one, a country with a GDP of €200bn. Their budget is minuscule by country standards.


Why the assumption that the EU won't side with you, and will definitely only side with the person making the claim? Certainly, if you're compliant, there's a very good chance that you'll get off the complaint, yeah?


The limitless resources of the government are never applied to all laws. Regulatory institutions are budget constrained like the rest of us, and will prioritize what they consider to be the worst cases.


Hmm. Maybe we should violate this en masse and overload the system.


That seems to be the approach that is being taken, albeit probably accidentally.


> which requires lawyers to competently respond to

No, it doesn't. It requires you to answer the questions the regulator asks, and to see if you're currently following the guidance the regulator gives you.


> No, it doesn't. It requires you to answer the questions the regulator asks

Most companies would--and do--retain lawyers to answer regulators' questions. Particularly when in respect of a new law, and doubly so given the political uncertainty currently present across the Continent. Naturally, one is free to self represent with regulators as one is in a court.


In practice, the small companies you’re so worried about regularly can and do interface with Governments - even e.g. the tax offices - and are regularly given some leniency so long as they’re not obviously trying to avoid complying with the law. “Fix the thing you’re doing wrong” is always going to be the first response of the regulator.

This is not America. We do not regularly put people/companies into bankruptcy just because we can.


GDPR doesn't specifically state that though. If a country in the EU chooses to make an example of my company for whatever reason, what would be preventing them from doing that?


Except that this has never happened before, especially to small businesses that are obviously trying to comply with the law.

You have much, much bigger things to worry about as a small company. You could have your bank cut you off because you’re suddenly deemed too risky - happens every day. You could run into a contractual dispute that drags out for years and costs you tens of thousands of euros. You could violate a patent you never knew about. Your supplier goes bust just after you’ve spent weeks negotiating a large order, and now you don’t have enough inventory. You could perform some action or inaction that results in injury to someone, and your insurance could refuse to pay out. It turns out that one of the products you sell kills people, and the Government decides to take you to court over it. Your customers might fail to make good on any credit you give them. One of your key employees could develop a chronic, life-changing illness. You didn’t realise that some tax or other applied to you, and now you’re not making enough money to stay afloat. As a business owner, have you worried about any of these things as much as the GDPR?


EU law states this though.

> If a country in the EU chooses to make an example of my company for whatever reason, what would be preventing them from doing that?

GDPR states all fines need to be proportionate.


Complete nonsense.

Look at all the food serving establishments: almost none of them have a lawyer to check they're compliant with food hygiene regulation.

Look at all the companies who advertise: almost none of them have a lawyer to check if they're compliant with advertising regs.


Here's what the UK ICO says: "The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business." [1]

Isn't that a little vague? It seems to imply that if a business can show that collecting your personal information will grow their business, they do not need to provide a way for you to 'opt out'.

[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...


Yes, it is a little bit vague. It's intentionally vague. The abuse of LI is designed to be like porn: I'll know it when I see it.

It's totally fine for it to be vague. I very much doubt we'll see any cases where the general public disagrees with a DPA ruling of LI applicability. As a business owner, it means you need to strongly justify it and consider if a "reasonable person" would consider your use of LI to be justified. If you have doubt, you should seek consent instead.

Do keep in mind, that growing your business by using PD for marketing purposes is explicitly excepted from LI.


> If you have doubt, you should seek consent instead.

Consent may not apply:

> Consent is presumed not to be freely given if... the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.


If it is easy to follow the law, then the cost of a compliance expert on this topic would be low. It is not low. Compliance is expensive, even for companies who don't make their money from data. Therefore, I don't think it's that easy.


Not necessarily. It's a seller's market due to huge demand, so prices alone may not be a good indicator of difficulty at this point.


It becomes hard when you try to get away with something that goes against the intent of the law.

And that is exactly what sites are doing now. And there is noone on earth that will ever believe it isn't deliberate.


If the GDPR was really intended to forbid business models which require collecting user data for ad targeting, why wouldn't it have just said that?


Just because X violates GDPR doesn't mean the intent of GDPR is to forbid X.


That doesn't follow. It's easy to follow the law, but because a lot of companies were doing things that were against the law, and given that a lot of companies put things off til the last minute, it took a lot of work to come into compliance.


What I've found to be "confusing" is that some GDPR consultants say that when a single person cannot be identified in a blob of data, then it's not personal data.

While others say the opposite, any data derived from a single individual is still considered personal data.


GDPR seems clear on this: it's personal data if a natural person can be identified from it using reasonable means.


> it's personal data if a natural person can be identified from it using reasonable means

I could fit a planet into that "reasonable means" caveat.


That's a good thing. It means the regulator can't issue instant fines for non-compliance except in the very worst most obvious cases. Because of this planet sized gap they need to ask everyone else to come into compliance before issuing the fine.


> It means the regulator can't issue instant fines for non-compliance

The regulator interprets the gap. "Planet-sized gap" means the regulator can choose to be lenient or capricious based on their own preferences. That kind of uncertainty is anathema for modern businesses. (It's also beneficial to those who pay to build relationships with said regulators.)


> The regulator interprets the gap. "Planet-sized gap" means the regulator can choose to be lenient or capricious based on their own preferences. That kind of uncertainty is anathema for modern businesses. (It's also beneficial to those who pay to build relationships with said regulators.)

This is classic anti-regulation BS. I would like to see a regulation which did not have this issue brought up against it. Heck, isn't this the core of the anti-regulation camp? Clearly though, regulations have not destroyed the world...


> The regulator interprets the gap.

Technically, it will be the courts who (ultimately) interpret the gap, and it's worked so far for other standards like 'beyond reasonable doubt'. Courts have a tendency to be less capricious than a regulator.

I'd even go so far as to argue that "reason" is one of those things where specific examples can illustrate, but no more. Especially with regards to technology -- what is reasonable today, can be unreasonable tomorrow (eg: SHA1).

In the meantime, I'm positive that as of right now, 99% of the interpretation is performed by the data processors, and in most cases to their own benefit.


What is a reasonable means? Imagine you can take 100 blobs of data, and for each blob it's really hard to get a fix on a particular person, but combined through a magic probabilistic heuristic yields predictions that are "good enough" to extract value from. Does the mere existence of this "join" trick make your individual blobs personal data? Or only once your company actually implements the join?


Reasonable means for example, this: https://curia.europa.eu/jcms/upload/docs/application/pdf/201...

Dynamic IPs were considered as possibly being personal info, since a law existed which could allow an entity to connect dynamic IPs they have connected to other information (from an ISP), if they believe that connections from the dynamic IP are undertaking cyberattacks against them. Proto-GDPR actually considered collecting dynamic IPs in this case reasonable, and it was a specific German law that was more restrictive. The main question thus became: should proto-GDPR be used, or the existing more restrictive German law? Going off topic though. Point is that "reasonable" is used not as a mathematically precise definition, but in a human language sense of "reasonable". If you don't get what reasonable means, then I am sorry to say that in the case of law, you will generally have to suffer what most people consider to be reasonable in spirit.

In other words, you have a problem with all laws in general, since they are not nearly precise enough for you.


> What is a reasonable means?

Be reasonable! Just as even interpreted software must eventually appeal to hardware actions to give them meaning, laws must eventually appeal to human-judged concepts, including reasonableness.

A definition like the one above actually strikes a good balance. It leaves it up to courts faced with real situations to evolve rules about what constitutes "reasonable"; while giving those courts a definite thing to judge the reasonableness of.


> magic probabilistic

Use of magic moves it from reasonable to improbable.


Are neural nets magic?


Well, under the EU GDPR no data is called personal data if it is impossible with the data to identify a person/company/person of law.


There are so many ambiguities and confusing situations. Eg: legitimate business use and free accounts. What do you define as the free account user to still be a customer? What if you nuke their account after some inactivity and then they come back? They're going to be pissed.

Server log retention, message queues, etc and ip addresses (which may or may not be problematic depending on how they're stored and with what). Not fun.

Third party vendors. Omg third party vendors. Many of them have no idea wtf they're doing. I've seen some vendors swear up and down they didn't store any PII, just to realize eventually that they did and they didn't even know. Hope those DPAs are signed and in order! Hope you have good lawyers!

It's insanely hard for any non-trivial systems. It gets even worse when american laws and GDPR conflict (eg: finance data retention laws. The definition of legitimate business need gets REAAAAALY fuzzy...)


>There are so many ambiguities and confusing situations. Eg: legitimate business use and free accounts. What do you define as the free account user to still be a customer? What if you nuke their account after some inactivity and then they come back? They're going to be pissed.

Processing of data is legitimate so long as you still have a reason to process that data, as well as if you have a contractual obligation with the subject to process that data. If that contract involves keeping an account registered indefinitely, until deletion is requested, then so be it. State it clearly and plainly when the user registers an account, and if you're that concerned about the ambiguity of the situation then the solution seems a simple one, no? Allow the user to choose to have their account deleted after a certain period of inactivity, or email users that their accounts will be deleted after lengthy periods of inactivity. It should be noted that 'inactivity' is industry specific, for something like free services online it could be industry standard to keep accounts for years, it's hard to imagine that a user would be upset about having an account they haven't used in 4 years be deleted, and really, do you need to keep that account after 1 year of inactivity? 3 Years? 5 Years?

I realise the law is purposely ambiguous here especially when applied to things like user accounts, but it helps to understand that storage limitations and retention plans apply less to things like accounts and more to things like metadata that you may be collecting. It's perfectly reasonable to keep user accounts registered for years even after inactivity for example, it's less reasonable to collect data for marketing campaigns and keep that data for years. Retention limits are also far more relevant to processors of data rather than for controllers of data, if you're a third party service you shouldn't need to keep data for longer than your contract with the controller specifies, however controllers have far more of a legitimate need to process data for longer. The push to have retention limits may as well be seen as a push to anonymise data that no longer needs to be tied to an identified person rather than a need to delete everything that hasn't been touched in 90 days.

>Server log retention, message queues, etc and ip addresses (which may or may not be problematic depending on how they're stored and with what). Not fun.

IP addresses become problematic when you can tie them to an identified person, i.e., you're linking user accounts and IP addresses. As far as generic logs go, if the only personal information you're collecting is IP addresses then you shouldn't need to worry too much, treat the logs with some care as they still do contain personal information but don't sweat it too much. Make sure that if your logs are leaked that you inform users (i.e., through a blog post) that logs were leaked and the only personal information contained is IP addresses. IP addresses are one of the easiest things to justify needing to keep as a legitimate interest as well as needing keeping indefinitely, and if only IP addresses are leaked it's not really a big deal. If you have other personal information in your logs, especially if it's linked with more information, i.e., 'ip address 1.2.3.4 who has username asdf searched for jkl; [etc]', you should take steps to justify why you need to keep that extra information and maybe look at implementing a retention limit, or better yet, anonymise some of the extra data after you are finished processing it. If the metadata you're collecting is kept to a minimum and/or anonymised as much as possible, the need for a retention limit drops almost entirely, not that retention limits are entirely needed.

>Third party vendors. Omg third party vendors. Many of them have no idea wtf they're doing. Ive seen some vendors swear up and down they didn't store any PII, just to realize eventually that they did and they didn't even know. Hope those DPAs are signed and in order! Hope you have good lawyers!

In every other industry you are responsible for when you choose a shoddy third party vendor who makes a mistake, I fail to see why the tech industry should be any different. I realise there is going to be a lot of teething issues on this particular issue, but part of the reason GDPR has as much scope as it does is because of these clueless third party vendors who misuse and abuse data. Maybe look into using European third party vendors in the future, as they would be just as culpable for their mistakes as you would be and they would be liable for fines too. :-)

>It's insanely hard for any non-trivial systems. It gets even worse when american laws and GDPR conflict (eg: finance data retention laws. The definition of legitimate business need gets REAAAAALY fuzzy...)

For what it's worth, the GDPR makes explicit exemptions allowing for processing data where you have a legal obligation to do so. There is absolutely no conflict between financial laws and the GDPR in this respect.


Your explanations are great (thanks for making the effort of writing all of that, really!), though my point wasn't so much that I didn't know the answers (I have dealt with lawyers over all of this both at work and outside of work, helping friends at other companies, etc), so much that it DOES require explanation. As some people mentioned, it might even differ (significantly!) based on which European country you're dealing with. Things like the legal obligation stuff is still tricky when you deal with american law vs European law conflicting, and even if the law itself wasn't problematic, convincing lawyers can be.

You're totally right about the 3rd party vendor thing, and this will get better with time, but it doesn't change much that right now, it's a problem. Even vendors who take security seriously and have awesome engineering teams might have garbage lawyers and you have to deal with them. At the end of the day, no amount of security is perfect and you need DPAs. Getting rid of a vendor over this might be hard.

Basically, the whole point is: no, this isn't easy: large companies can have insanely complex problems. Small companies may not have access to the proper lawyer (or even have an IT department!). It's painful. What's worse is having to deal with European laws when you don't have a European presence (foreign lawyers can be tricky or expensive!). And companies who just decide to just avoid dealing with EU customers as a workaround (even small ones who might simply no longer be able to deal with this) get burnt at the stake.


Can I request to remove my face from a stored security camera footage? If not, why?


You cannot, part of the reasoning will be that the footage may need to be used in court therefore the integrity of the information needs to be maintained, another reason will be that it would be incredibly impractical and a burden for businesses to erase the faces of everyone that requests it. You cannot request that a business deletes CCTV footage of you either, probably for similar reasons. You can request a copy or to view that footage though.

In another comment you posted:

>I'm still not sure that recording everyone who walks past your store 24/7 is legitimate interest.

Stores and businesses need to display signs for when they are recording in the areas they're recording. Inside a store it may be obvious that the store is recording, so a sign may only be needed on a door. Outside of a store you may need more prominent signs. If it's not obvious that the area is being recorded then even more signs need to be posted still. The degree to which stores and businesses can record outside of their businesses will vary by country, but for the UK the ICO provides information for consumers [0], and businesses [1].

[0] https://ico.org.uk/your-data-matters/cctv/

[1] https://ico.org.uk/for-organisations/police-justice/


Security camera footage is overwritten and recycled on a regular basis.

As a matter of fact: if you operate security cameras in a public or semi-public place you need a written procedure for why something is captured, what is captured, how long it's kept, who can see the footage and under which conditions the footage is retained.

"If not, why?"

Because this is not a reasonable request if the footage is anyway deleted after, say, 72 hours.


Read about legitimate interest, it's only a few sentences


The document is 88 pages long. There are 31 mentions of 'legitimate interests'. I'm still not sure that recording everyone who walks past your store 24/7 is legitimate interest.


> I found the law to be pretty clear

If you think this, you've misinterpreted it. I don't think even the biggest GDPR advocates would claim that it is "pretty clear".


> I found the law to be pretty clear and there are plenty of summarized versions out there. What some companies find confusing is that the law has made their core business model illegal and no consent form can save them.

What about Article 27? It's unclear, and you don't have to have a shady business model in order to have no idea how you are supposed to deal with it. All it takes is that your business is not established in the Union.

This is the article that requires companies who are not in the Union but are subject to GDPR due to Article 3(2) to appoint a representative in the Union. The representative serves as a contact point that regulators and persons can communicate with instead of the company on all GDPR matters concerning the company. The representative is also required to keep a bunch of metadata about the company's data processing, according to Article 30.

According to the recital for this article, "The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor".

What does that mean?

Some people claim it means that your representative in the Union will be liable for any fines you incur from EU regulators or any damages a plaintiff wins in a private lawsuit over GDPR if the regulator or plaintiff is not able to force you to pay up.

Others think it just means that if regulators or plaintiffs serve notice on the representative, that legally counts as if you were served, meaning that if you do not show up at the hearing or trial and lose by default, you cannot try to weasel out by claiming you had no notice of the hearing or trial. In other words, these people think that the representative is very similar to the "registered agent" that many jurisdictions require foreign businesses to have in order to do business in that jurisdiction.

Personally, I was leaning toward the latter, as the idea of making the representative liable seemed pretty absurd...but it has been pointed out that in earlier drafts of Article 27 and the recitals, it did in fact actually clearly do so. That language was taken out before the final draft, but was that change because they wanted to remove that aspect, or because they decided "subject to enforcement proceedings" already implied it and they were just tightening the language?

This is important because if representatives are actually liable for fines and damages, it is going to be a lot more expensive to hire people to be representatives than it will be if all they have to do is be a contact point and a repository of metadata.

For small businesses outside the Union this could be a major expense if they must have a representative, perhaps a big enough expense that it will be worthwhile to just stop doing business in the EU.

So we must ask, "Who needs a representative?". The answer, it turns out, involves still more vagueness.

Basically, you are excused from needing a representative if you meet three conditions. Two of them most small businesses easily meet as long as they are not doing high volumes of certain particularly sensitive data, and their processing does not result in a risk to "the rights and freedoms of natural persons" (more vagueness!).

The third condition is that your processing "is occasional". What is "occasional"? No one seems to know.


>Some people claim it means that your representative in the Union will be liable for any fines you incur from EU regulators or any damages a plaintiff wins in a private lawsuit over GDPR if the regulator or plaintiff is not able to force you to pay up.

I very much doubt this for a few reasons, the first being that it would be completely out of scope for the GDPR to have any say on what happens or who should be sued in a private lawsuit. The recital itself would also be contradictory, immediately before it says that the representative 'should be subject to enforcement proceedings' it says,

>Recital 80(4), The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation.

Additionally,

>Article 27(5), The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

The wording of these two alone makes it clear, to me, that the responsibility or liability lies solely on the controller/processor. The term prejudice also has a very specific meaning in Civil Law, and while it may have different meanings in Common Law (UK) I'm sure the more specific Civil Law version is intended and relevant. The wording of recital 80(6) as well as (5) '[the representative should cooperate] with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.' also tie in with other areas of the GDPR, particularly article 31 and 58(1)(a) which essentially state that supervisory authorities have the power to order the controller/processor as well as the representative to provide information that is required for the authority to perform its tasks. I think recital 80(6) with this context is basically just confirming that representatives need to be present when supervisory authorities undergo enforcement of legislation.

If it were such a legal headache for representatives, it is concerning that no law firm has put forward an analysis of the situation. As far as I can tell from a brief search it is only amateurs interpreting the GDPR that have come to the conclusion that representatives may be liable for fines. With DPOs, who have many more responsibilities and requirements, there was much analysis by the legal community on what those responsibilities would include and whether DPOs could share liability. The WP29 even put out guidelines for DPOs[0] stating plainly that DPOs are not responsible for non-compliance, only the controllers/processors are responsible for non-compliance. It just seems odd to me that representatives who receive almost no mention in the legislation may be responsible for non-compliance where DPOs aren't responsible.

[0] http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_... [very bottom of page 24]


If you listen to the experts that are economically invested in the complexity of the law, you risk having more work.


If you don't and some regulator fancies making an example of you, then your shareholders will fire and sue you.


Yeah, especially since we live in countries where corruption is rampant, along with unjust enforcement of regulations that completely violate their spirit.

/s


Are you assuming only European companies do business in Europe? EU prosecutors have a history of going after American tech companies much like US has a history of going after foreign companies - especially Chinese and now European (eg. Volkswagen). This is not about a moral stance, just business risk management.


No law is clear until it's been argued a few times in court and an army of legal professionals have duked it out. This is why - at least in the US - the branch of government that writes the law is separate from the one that interprets it.


(Unlike the US) most of the EU uses a civil law system. Precedents are not binding in a civil law system.


> What some companies find confusing is that the law has made their core business model illegal and no consent form can save them.

Exactly this. Even the big reputable publishers (who wouldn't *dream* of breaking the law, oh no) accept money from companies directly targeted by the GDPR, who collect copious amounts of data on visitors across multiple sites.

Do users on site A consent to company B collecting data through ads, even if they tick a box? Probably not.

https://sheep.horse/2018/6/the_eu_general_data_protection_re...


I'm quite happy, my phone number and addresses slowly disappeared from the google/bing/duckduckgo/... searchable internet over the past month. Often times without my involvement.

Searches for my real name now vs prior to GDPR enforcement are like day/night. Prior, it was all topped by aggressive (SEO wise) companies who clone public registries and republish them en-masse without adding any value whatsoever. They just use this as a trick to drive people searching for various people's names to their online magazines and whatever. They basically parasite on other people's names to prop up their revenue at those people's expense.

Now the searches are actually starting to return relevant things near the top, like my past OSS contributions, etc.

For me, this side of GDPR compliance is working fine, and almost all companies are pretty good at responding to requests. That is a law working pretty well from the side of the data subject.


> Now the searches are actually starting to return relevant things near the top

How were the prior top search results not relevant before? Either google and others are lousy or relevance means something different to you than most other people when searching for your name.


Top 10 or so results just contained the same info repeated over and over on different websites. Half of the time outdated (old addresses, etc.). Yes, google is lousy sometimes.

It was the result of name squatting, as I described earlier.


What's relevant to someone can change over time, even at different parts of the day.

I know of no search engine which has always shown what I'm trying to find.


I was onsite at a client's retail location and got chatting to a customer. They learned I was in IT and said "I hope you're all set for GDPR!" and I said "it doesn't affect us". "Oh yes it does! There's a lot of people living in this area (in the US) who are European citizens - this affects you right here!" I tried to argue back politely that it didn't affect us, and she started getting a bit... agitated, and the voice started to raise a bit. I tried to de-escalate - other customers in the store would have started paying attention once the raised voice went on. But... man oh man... my comeback question I was ready to put back - then stopped short - was "Do you think a 20 person brick and mortar in the middle of Spain is required to abide by US laws? They're not, even when serving customers who happen to be US citizens." I would have hoped it would have made it clear, but... stopped short of getting in to a shouting match with my client's customers. :)


I hate to be the one to break it to you but just being in another country and being small doesn't automatically exempt you from other countries' laws. Some examples:

- Australia has laws about child sex tourism aimed at those that go to Asian countries with lax laws or enforcement. These crimes are committed in other countries [1]

- Foreign financial institutions are subject to FATCA when serving US customers, an issue that has made it difficult for US expats to even open bank accounts in some jurisdictions [2]

- Australia has some pretty strict insider trading laws such that two foreigners who trade in inside information about an ASX listed company while they're on foreign soil (may) have committed a crime in Australia

- Sanctions on the likes of Iran and North Korea prevent US companies or persons from trading with entities from sanctioned states even if such transactions take place entirely on foreign soil.

- US citizens living in other countries are required to file taxes with the IRS even though during the tax year the citizen may never have stepped foot on US soil and any income is earned and paid entirely in foreign jurisdictions.

So I'm not saying GDPR applies or doesn't. I honestly don't know. I'm just saying not being in Europe and being small aren't the automatic defenses you seem to think they are.

[1]: http://www.thejakartapost.com/news/2017/12/13/australia-intr...

[2]: https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...


> US citizens living in other countries are required to file taxes with the IRS

That's part of being a US citizen, and complying with your own law. You can renounce citizenship if you prefer not to comply with the IRS.

> Australia has laws that about child sex tourism aimed at those that go to Asian countries with lax laws or enforcement. These crimes are committed in other countries

So if a US citizen violates Australian laws in Thailand, are they guilty and punishable by Australia? The example above is still against Australians, even if the crime is committed overseas. But... it's only against people who've been convicted, and it's basically just shutting down their ability to leave the country.

The customer in question was stating that simply someone being a citizen of a European country, then visiting my client's shop somehow subjected my client to European law. I don't find any examples you've cited above to be remotely comparable to this situation.

No, I take it back, your banking situation is sort of similar, except the banks in question are likely directly or indirectly connected with US banks. If they want to continue to enjoy whatever status that gives them, they're probably going to comply with those regulations. I also suspect that it's really their own government's financial regulators which have an agreement with US regulators (the wikipedia page seems to jive with that). Those FFIs are voluntarily(?) agreeing to the terms of FATCA because they enjoy some level of benefit (not being shut down by their own govt regulators, perhaps).

There are laws about heresy and apostasy in Middle Eastern regions - I'm probably violating their laws on a regular basis. Beyond a highly unlikely fatwa that may get issued against me, I'm not sure what they can really do (or indeed, that I would really be 'liable' in any real sense of the word)


A bit off topic, but one cannot simply renounce US citizenship. It is a costly and time consuming process. And if the process of renouncing one's citizenship is not done perfectly, then the US could reject the request.


What can EU potentially do to you? I have no plans to comply with my website that gets only 5% traffic from EU. I would rather block access to those users based on trade off.


I hope a Firefox extension comes out to automatically block visiting any website that blocks EU users in general, regardless of whether you are in the EU. I would use it.


If you have negligible EU revenue and no intentions of changing that, it makes no sense to expend any effort on complying with GDPR.

Blocking EU users is a smart business choice to avoid any possible legal issues and far easier than compliance.


Fine; but it’s also a red flag for companies that do some pretty terrible things with your data... I'd prefer not to use a service that gives off those red flags than to chance it. We all have choices, and if a company chooses to represent itself in a shady looking way, I’ll choose to take my business elsewhere.


Or it means... they are a small business with no EU customers.


Those are not in the scope of the GDPR anyway, as per Recital 23.


What if an EU citizen uses a VPN to use a non-GDPR-conforming service? What's with the California Online Privacy Protection Act? You have to comply with that. And from there it's not such a big step to comply with GDPR. Not?

https://en.wikipedia.org/wiki/Online_Privacy_Protection_Act

Edit: Apparently, there is a new one on its way: https://eu.usatoday.com/story/tech/talkingtech/2018/06/28/ho...


Should they also include any websites that are censored by China?


Yes, as websites are censored in China due to laws meant to protect consumers from the collection of personal information. I want some of that corrupt, totalitarian, and unjust "protection" too!

People like me are the sort who think about Stalin and sigh: "oh, things were so good back then!". That's why we love regulation.


But I recommend to you that get a list of websites that are censored in China and stop using them. Start with Facebook and Google.


I am unable to see the point of such an extension. Why would it matter to you as a user whether the service is available in the EU or not? It is like penalising a website for being compliant with the law. (Not serving EU users is a cheaper alternative for non-EU focused websites).


> What can EU potentially do to you?

I expect it's more or less the same thing that the US can do to you: Depends on what assets you have now (or may have later) in the EU, whether you ever plan to visit the EU, and what treaties are ratified now (or later, been bitten by this one) by the US and EU countries.

Ignoring the laws of foreign countries is possible if you're willing to put in the resources, it's much cheaper and less risky just to comply. The general idea of being forced (literally or practically) to comply with the regulations of other governments is completely fucked up in my personal opinion[1], but until your government decides to do something about it, there's not much you can do. At least, you get the option to expand in a foreign county market as a consolation prize.

In the end, this is just a comment on some internet board. I'd recommend asking a lawyer that specializes in these matters if you really want to know about the risks involved.

1: I'll state that I'm not against the GDPR in general and think it's introduction is long, long overdue. What I object to is having some foreign entity I have no connection to forcing me to comply to their will. That's a can of worms governments will regret opening.


Thanks. I operate the business from India and Indian government is unlikely to play with EU rules. Yes, hiring a lawyer is the correct thing to do but given my business does not make enough money from EU users I think it best to ask my EU users to use a VPN.


Recital 23 [1] of the GDPR exempts you from it anyway. Unless you “envisage” serving EU users/customers, it doesn’t apply to you (even if you happen to have some incidental EU users).

[1] http://www.privacy-regulation.eu/en/recital-23-GDPR.htm


GDPR is very straightforward to comply with. Yes there are fines but you pretty much only get them at the end of an escalation process with plenty of opportunity to fix things. If your business was breaking the pre-GDPR laws by doing things that were dodgy already, then, yes, this is now more likely to happen. That's a good thing.

As for legislation and jurisdiction, doing business internationally has always been complicated. Many big corporations have legal entities across the world and funneling revenue via the EU is a popular way to dodge taxes in the US. If you do business with such companies, that makes GDPR relevant for you even if you have no direct EU ties as these companies may be forced to reconsider their relationship with you otherwise. Think anything involving ad based revenue, e-commerce, and other sectors involving non trivial revenue from the EU.

Anyway, read the law text. It's surprisingly easy to find and digest and it puts all the idiots interpreting each other's interpretations a bit in perspective. Good summaries are available.


Speaking of opting out... as a non-EU citizen, is there any way I can opt out of the EU's internet regulation? Like some flag my browser can send so I don't have to deal with the meaningless cookie/privacy popups?


For some reason people can't get into agreement to use one library that provides consistent way of dealing with this consent. Then you could just automatically close it with some extension, or not even load it at all.


I'm an EU citizen and I've hoped for something similar since the cookie "law". Maybe a callback that gets fired when the consent popup appears and then a browser extension could hook into that and automatically accept.

Edit: replied to an out of date tab, another poster commented the same idea.


Maybe if there was a browser feature providing an API for marketing consent.


Hopefully things will stabilize once a few big players with dark patterns are taken to court, establishing some precedents.

For example, switches opting in by default or popups saying “by using the site you agree to x”.


Your example won't help at all. That type of thing would clearly be in violation (by letter of the regulation, no expert legal evaluation needed).


I know. Yet this is a very common pattern. So obviously people are either uninformed, or they believe there will be no actions against violators. Taking action solves that problem.


Not every country in the EU has precedent based law, also what could be considered bad in one EU country not necessarily could be considered bad in another given how vague GDPR is.


It's possible that the poster above isn't talking about legal precedents and instead talking about practical precedents. After spending about a month building a GDPR consent tool and now seeing many other "compliance" efforts on various sites around the web, it's become clear to me that most businesses are taking a wait-and-see approach.

They're doing the minimum necessary to claim they tried to comply while changing absolutely nothing about the way they do business. They're waiting to see how serious enforcement of the law is before making changes that negatively impact their business. It's not about whether they'd lose in court or have a regulatory judgment against them, it's about the likelihood that non-compliance will get them in trouble.

If EU regulators show a willingness to do the legwork to fine smaller companies, you'll start to see a lot of these site become much more compliant. But those companies are not going to spend all that time and money proactively only to see that the EU doesn't have the teeth to enforce the rules, so they need practical precedents of companies being hit with huge non-compliance fines to scare them into making the necessary changes.


Precedents matter everywhere. In countries where precedents are not law, decisions from higher-level courts are still guiding the decisions of lower-level courts – so the effect is somewhat similar.


A lot of people are _not_ breaking their local laws and "Confusion will continue to reign" because there is a disproportionate amount of people that think that EU laws apply to the entire world.


>there is a disproportionate amount of people that think that EU laws apply to the entire world

I think one of the problems is that too many of those people are MEPs.


I'm curious about this aspect. If you run and operate a website outside of Europe, if a European then uses that site, you aren't breaking local laws.

What does the GDPR mean for these people? The europeans will still believe you have broken their laws and try to use whatever international agreements they have to go after you? Or if you enter europe they will hold you to account?

Google / Facebook have operations in Europe, so I can understand why they are concerned, but what does it mean if you don't operate in Europe but have Europeans using your site?


> but what does it mean if you don't operate in Europe but have Europeans using your site?

My limited understanding is that generally, it doesn't mean much. However, if you are actively targeting/marketing to Europeans, then you might fall afoul of this, but probably won't be affected legally without hitting some sort of moderate commercial size.


If your site is intended for Europeans, then you need to comply. It's not clear what test is used to determine this. My guess is, if you include translations, or a region drop-down in a signup form, or are selling goods/services that only apply to Europe, then you'd have to comply.


And what counts as "operations in Europe"? Would a magazine's Paris correspondent count?


If everyone is breaking the law then no one is.


> If everyone is breaking the law then no one is

In the EU, if everyone is breaking the law then the foreign tech companies are.


To be fair that’s pretty much the DOJ enforcement strategy too. Except you don’t even have to serve American customers to be targeted there.


Feel free to point out actual instances, or even better, trends backing up that statement.


See lawsuits against Google, Facebook, Microsoft, Amazon, and other large tech companies going back the last 20-30 years. This is the type of basic fact that doesn't need a citation in a discussion about GDPR.

https://www.nytimes.com/interactive/2015/04/13/technology/ho...


I don't believe this is a fair characterization.

In e.g. Belgium, privacy law is very strict and enforced for local corporations. When I read on hacker news how e.g. USA Healthcare providers dig up the old history of their clients to find a reason not to pay, I am horrified. Any West-European privacy regulator would have ended that kind of behavior long before things got this far. Probably just sending a strong 'We don't like this' message without actually starting a lawsuit would do the job.

Don't forget how history hammered into the population how people died and suffered because powerful groups managed to build lists of facts. Think WWII and the Jews. Or the Napoleonic conscription lists.

So if people with this background get confronted with the American Way, they don't like this. Here is a wrong that should be righted is the opinion.

For now, there are no lawsuits I am aware of. If both the large tech companies and the USA government behave reasonably well, I don't expect a big one either. The governmental regulators are simply not ready for them yet, as the GDPR had a big impact on them as well. And they never like having to pay for a drawn-out legal battle.


Maybe they mostly go after American companies because mostly American companies are in violation?

And it's not as if EU companies go without scrutiny. Due to the still-fractured market, most are small enough so their antitrust matters are localized to one country, but if you check the EU website there are still plenty of cases, they're just not sexy enough to make the news - like the recent case "Commission fines maritime car carriers and car parts suppliers a total of €546 million".

In for instance the "state aid" tax preference cases cited in your link, the EU has also launched investigations into European companies like IKEA and Fiat cars.


I'm sympathetic to the dangers of discretionary enforcement, but if you're making a dramatic change like this, it's pretty hard to avoid an awkward period while people get compliant or get shut down.


Like the period between April 2016 and May 2018?


Without any real court cases showing how GDPR will be actually enforced, this 'introductory period' was useless. It could last 4 years instead of 2, and it would not make any difference.


There should have been a phase of mock suits. "Here's what you're doing that's against the new rules, and you have two years to knock it off or lawyer up."


> ... dangers of discretionary enforcement, but if you're making a dramatic change like this, it's pretty hard to avoid ...

So what does that tell you about dramatic changes?


Nothing


More like if everyone is breaking the law, you have your pick of who to go after with selective enforcement.


I'd like to see some sort of browser request header that can set or deny permissions on a global basis, dealt with by an options page in the web browser.

Then sites only need to serve up the annoying dialogs if they need a permission you haven't set, otherwise clearing cookies periodically means being plagued by the dreaded things. >;-(


I feel like this is against the spirit of the law.


I feel US companies should have protection against badly implemented laws from foreign governments. Regardless of treaties. I'd love to see someone quantify loss of innovation, added cost of operation, and total delays caused by GDPR to companies here.


What would this protection look like, in your ideal world? How would it work?


The whole thing was a shambles, there was no reference design that you could just implement for your ecommerce store/blog/software service or anything else that required it.

Instead we had people running around like headless chickens rushing to put in place some extra tick-box on their website.

The funny thing was how people sent out those emails to their newsletter subscribers and I do wonder how decimated those lists became. People got GDPR fatigue and could not be bothered with the emails after a while. This particularly affected smaller businesses who had legitimate reasons to email customers.

Does anyone here have any anecdotal data on how badly some of these email lists were purged?


As I mentioned in another thread, the biggest winners from this entire GDPR saga are Google and Facebook.

Email is control. You get someone's email once, you get to control how often you contact them. You can send them hundreds of messages for next to no cost - as long as they don't hit 'unsubscribe'

But if you can't rely on email, what do you turn to? Ads, of course!

I get that there are some nasty actors that abuse your privacy. But as a consumer, I've never felt that spam was that big an issue to begin with, at least not big enough to warrant small businesses ceding control and having to rely on Google and Facebook to reach their audiences.


> The funny thing was how people sent out those emails to their newsletter subscribers and I do wonder how decimated those lists became. People got GDPR fatigue and could not be bothered with the emails after a while. This particularly affected smaller businesses who had legitimate reasons to email customers.

We've had data protection laws for 20 years. Those companies were already breaking the law if they didn't have permission to send email, and if they had a legitimate need to send email they don't need consent under GDPR.


Irony is that I never got that email from Facebook and Google. Only small websites bothered to try and obtain an agreement.


As I understand it, people had to only gain consent for email lists if they had never gained consent previously.


That was entirely the intent! If everyone is breaking the law, you can pick and choose whom to enforce against, for a variety of reasons, including political convenience, shakedowns, etc


I believe it was largely a way to try and unify the EU to combat recent turmoil. By taking a stand against the evil American tech innovators, the EU can look to its populace and say they accomplished something that a single nation could not have


Because God forbid that us Europeans would actually want a law like this, it’s just the Bruxelles bureaucrats that are pushing an anti-US agenda.

I’m being ironic, a decent chunk of Europeans want this (I’d say a majority but I don’t have hard numbers).


I've yet to hear any complaints from anyone I've been talking to; it's been universally regarded as a good thing. I'd have to agree, and I'm not a particular fan of the EU.

It's never been portrayed as "anti-US", and it isn't. It's pro-privacy, and that's an entirely different thing. While I think certain US companies have aggressively pursued certain business strategies which are very much anti-privacy, so have many companies around the world, and this legislation is long overdue pushback against some very dubious business practices many people are very, very uncomfortable with.


Well I'd like to complain. It's not that there's no need for improvement, but EU rules often end up imposing poor implementations, consequently with no scope for better solutions.


Was the original law 20 years ago also a conspiracy against America?


Just another reason why mass surveillance is not a good thing; there are too many laws and no one can know them all... even attorneys have to pick a specific field. I know that dangs love it but still...


Are you actually claiming that the GDPR leads to mass surveillance? Please elaborate.


see parent comment of the comment that you replied to... but either way, I was not saying that it leads to mass surveillance... mass surveillance is already here.


Everytime I see the GDPR acronym I immediately think 'German Democratic Peoples Republic' and I can't think straight about it.


Was a big media workup (like Y2K) leading up to it and now it has faded from memory. It's like everything else that is the issue of the day and then ceases to matter, at least in any way as much as whatever you read seemed to make it beforehand ('sky is falling, comply comply'), so typical. After you have been through similar things you know the way this type of thing is overhyped (I mean by what will actually happen and who it will happen to, way overblown, i.e. 'shut down my shitty little website for fear' mode.)


The Y2K issue did actually require a significant amount of patching for some systems, and they absolutely would have failed if not for that patching.

Complying with government regulation is not really in the same class of issues.


It seems that "Y2K was much ado about nothing" is becoming an increasingly popular school of thought. There was certainly lots of hype at the time. But a huge amount of money and time went into mitigating problems. I don't know if there would have been widespread power grid, etc. collapses or not if everyone had taken the attitude of "Eh, we'll fix things if they break" but I'm pretty convinced people would have been missing paychecks, bank account statements would be wrong, and that sort of thing at least.


> The Y2K issue did actually require a significant amount of patching

I am referring mainly to the media hype and how it becomes the issue du jour and then ceases to matter. The media jumps on it and amplifies anyone who chimes in or confirms the fear. Why? So they can run an 'if it bleeds it leads' type headline. While there could have been stories after the fact of problems for unpatched systems I don't remember any of those stories. And it is not because everyone patched their systems either.

I mean there were posts online about GDPR where some small insignificant company just folded up for fear of what would happen as if the EU was really going to go after that type of target. Anyone who has been in business for a long time knows that is not what is ever done.

To your point you are right because this isn't even (for US companies) a US regulation and if they have no customers in the EU then it is a stretch to be concerned about it (at least relative which is my point to the attention given to it by the media).


People keep saying "Look, the sky didn't fall, what was all the hubbub about?!".

A job well done!


There were definitely publishers who had to block EU traffic while working on compliance. Additionally, people at companies like mine had to rush out features to allow users to view all of their saved data retained by us and optionally save or delete it. Additionally there are lawsuits out already for non-compliance, which cost money to deal with even if you win. So it had a big impact to companies' bottom lines and was worth the press in my opinion. Definitely penalizes startups who couldn't throw a couple engineers at GDPR compliance for a couple months as well like we did.


They would not need to block access. They needed to set up a time-plan on how they would get compliant to show in case they get a complaint. This is not US law, it's EU :)

Seriously, that is my impression of all conversations here, US companies trying to understand a law written in EU. I imagine this to be very hard.


> They would not need to block access. They needed to set up a time-plan

Exactly. And that is part of my point. Everyone acting as if something dreadful would happen if the timeline was not met RIGHT AWAY!!!. It would not. The EU might bring an action after initial outreach to the company's legal department. The legal dept would do a dance and explain why they need more time. The EU would then agree to the time line. In any case it would go to some court and would also involve appeals and some form of due process. During that time lawyers would work back and forth. Any fine would almost certainly not approach the worst case scenario. Not going to happen. And certainly not to a small fish or anything close to that.


Please can you link to the "lawsuits"?


Isn't the intent of the law quite easy to understand?

Do not track/store anything by default. And your site works perfectly and without questions.

If you then have a legitimate need for some data, without which your site doesn't work (e.g. GPS location data for a map), then you ask for it.

And if you need to use ads, then have some opt in button somewhere deep in the settings where the user can go and click "please track me aggressively" if he so chooses.


I feel like I'll have a way better idea of what is up once we see actual enforcement.


Any kind of regulation will harm small businesses and create monopolies of large companies who have teams of lawyers to deal with this kind of situation


Counterexample: Anti-trust regulation
