If you are running a small business and you feel that you won't be able to operate your business because of the GDPR, consider all those other laws that you have to be in compliance with as well. If that's your attitude towards legal compliance then you should probably shut your business down completely rather than hope that just ignoring European customers is going to make the bogeyman go away.
Legal compliance is a requirement for any business, and privacy law is just one more thing to take into account. For a small business that does not process super sensitive data (such as medical information or financial information) the costs of compliance are negligible. They're not '0', but then again it is a business and costs of doing business are the norm.
Similar arguments apply to the other examples you use. I see your point and there are valid reasons to not enter a certain market because of the legal climate there, but the point I am trying to make is that the OP has not raised any valid point at all other than 'I don't want to comply'. And that's fine by me, but then don't bother dressing it up in a bunch of made-up requirements.
I've bought plenty of raw milk cheeses (domestic and imported) in the US.
http://www.realrawmilkfacts.com/raw-milk-regulations says: "In 1987, the FDA mandated pasteurization of all milk and milk products for human consumption, effectively banning the shipment of raw milk in interstate commerce with the exception of cheese made from raw milk, provided the cheese has been aged a minimum of 60 days and is clearly labeled as unpasteurized."
As many cheeses are aged more than 60 days, the ban on "raw-milk cheeses" is basically an urban myth.
https://www.npr.org/2017/05/26/530257536/after-being-banned-...
Kinder make a different version of the Kinder Egg specifically to comply with US law.
https://www.kinder.com/us/en/kinder-joy
> Are the manufacturers of bovril overreacting by refusing to create a separate production facility that uses only beef sourced from outside the UK?
Bovril was briefly made without any beef content because of the BSE issue.
https://web.archive.org/web/20071201114613/http://www.unilev...
No, it's not, but it is legally impossible to import them, and trade them in interstate commerce (many, I think still a majority, of states allow raw milk and raw milk products, though the FDA prohibits most directly and sets standards which effectively prohibit the rest in interstate commerce, including foreign imports).
Not that that really changes the point you are illustrating.
And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
The article is spreading FUD and inciting others to spread it even further in the comments.
> There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc.
The GDPR is online, and has been for a long time. You don't need a lawyer, but if you feel that gives you more comfort then fine. You don't need to hire anybody, that is just plain nonsense. And changing the UI to give users an opt-out: that should have been done two years ago.
> All these things don't drop from the sky.
Indeed, this did not drop out of the sky. It has been in the works for years.
> And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
That's fine with me, the way in which it is presented is not fine with me.
Opt-out is illegal under the GDPR; it needs to be opt-in.
This guy doesn't like regulation and is playing to the crowd for sympathy.
I've been in continuous operation with my businesses since 1986 and I guarantee you that I've been compliant with the laws as much as I'm aware of them. The major transgressions involving business assets were parking tickets, speeding tickets (< 10 km/h excess by an employee of the company in a company vehicle). Other than that not so much as a copied piece of software. Oh, and we were once late with a tax filing because the bookkeeper messed up, they absorbed the fine.
Running a small business in a way that is compliant with the law is stupidly easy: know the law.
Now, there is one thing that I did that I know full well was against the law and that came about as a result of me getting very angry about some stuff that happened to a friend of mine. In that particular case I saw my actions as akin to civil disobedience. In the end it got superseded by others doing the same thing much better and at a much larger scale but I would have fully accepted the consequence of breaking the law in that case. But it would have been a conscious decision to break the law.
Incidentally: not knowing you are breaking a law is no excuse for breaking the law, ignorance is not a valid defense.
This is just ridiculous, patently false and making an excuse for reckless behaviour. Only specific laws apply to your business domain and if you aren't complying with them then you are wilfully breaking the law and putting your customers and the general public at risk.
Own a cafe? You should be cooking in a safe manner. Sell a car? It shouldn't kill people. Run a website? Make sure your users' privacy is respected.
If you want to criticize local laws applied internationally, abolish the US.
> Legal compliance is a requirement for any business
You are required to comply with the laws of your country, not those of other countries.
No, you are required to comply with the laws of any country you do business with. This applies to any type of business, and I don't see why "it's on the internet" appears to be the main counter-argument.
If I buy something from you (via snail-mail or on the internet) and it doesn't follow the requirements of the consumer law in my country, I can ask you to comply with the laws of my country. If you refuse, I can report you and you will be fined (if you don't pay, then you can have your right to do business in my country revoked). In practice most cases won't escalate that far, but the principle is the same.
If you are respectful of other people's privacy then there is very little chance that you will run afoul of the law, and even if you should, you will be warned to become compliant long before you will be fined.
This whole discussion is beyond ridiculous.
Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.
- Appoint a data protection officer (himself)
- Write down the processes of how he stores data (we keep it on this database, hosted at x provider; that provider is called the data processor) and how he deletes data whenever the subject of the data requires it.
That's it.
https://itunes.apple.com/us/app/monal-free-xmpp-chat/id31771...
He is not running a business but an open-source project!!!!
Does a cost become acceptable because it's the norm?
Please elaborate. I was unable to perceive the legal depth of interpretation.
> you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go away
Businesses limit liability and legal exposure all the time.
It's a tradeoff, as all things are.
As you wish:
> I frequent Europe and do not want to get into legal trouble on vacation.
There is no precedent for violators of EU law regarding privacy to cause people to be harassed on their vacation (yes, there are examples of this on the US side but that's not what we are discussing here).
Worst case you would be warned to become compliant, then if you persist in not being compliant you might be fined, then if all that fails there might be a request for extradition but I highly doubt it would even get that far. Time will tell. What will definitely not happen is that out of the blue you will be yanked from your bed in Paris or Barcelona because you decided to refuse a request for deletion.
> The days of someone making something, putting it on the internet and offering it to the world seem to be over.
No, the days of harvesting data and building profiles without consent are over. You can make something just like you did last week and you can offer it to the world just fine. Do take care of your users' data, be a good steward and try to do your best not to get hacked.
> do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.
The GDPR does not have this requirement for the kind of business the article writer has. No need to hire anybody. Pure nonsense.
> Tracking crashes with Crashlytics introduces new issues because it is posted to Fabric from a user’s device; IP addresses are in the logs, and this is personally identifiable information (PII). Crashlytics is GDPR compliant but the burden is on me to show regulators that I am compliant, which points back to the need for a DPO.
Having a DPA in place with Crashlytics takes care of this, that's all the burden there is. In fact, Crashlytics most likely has a standard form for this because they will be entering into DPAs with a lot of companies in the next couple of weeks/months.
> Even though no message traffic passes through Monal’s server, registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance.
Everything you do requires GDPR compliance, but not everything is impacted by the GDPR. In this case logging the IP is fine, and then when you're done with the data you can get rid of it. No need to keep it indefinitely. And that simple trick, removing data that you no longer need, is going to go a long way towards establishing GDPR compliance.
> APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person. However, the fact that it can be combined to identify a person makes it PII.
So do not keep it longer than you need it.
> I believe in privacy but I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.
But he does have the time to write blog posts complaining about having to meet the letter of the law. That time would have been better spent actually reading the law and figuring out the impact.
> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.
Of course it is.
> EU user data is sent out of Europe constantly.
Indeed. And that won't stop because of the GDPR.
> GDPR is written such that a user cannot agree to a user agreement that gives up GDPR requirements it’s not a matter of saying you agree to X by using this service.
Yes, that's the whole point. You can't blackmail your users into opting out of the law by withholding your product, which is a very, very nasty way of trying to deal with a legal issue, rather than facing it head-on and simply trying to comply.
> GDPR compliance is something the XSF is talking about right now.
Good to see not everybody has the same attitude.
The way I read it this person is not trying to limit their liability, they're simply trying to pretend the law doesn't exist, have come to the conclusion that that won't fly and now blame the law for their laziness and negative attitude towards the privacy of their users in general.
If he really cared about the users privacy then he'd at least make a serious attempt. This blog post does not indicate a serious attempt was made, it reads like someone looking for excuses.
I am all for fair taxation and privacy, but the EU should start creating the mechanisms that make it easy and automatic for startups to comply with stringent requirements instead of leaving the burden upon them.
This is the broken window fallacy. You're not creating jobs, you're destroying wealth.
That’s illogical and not the way that any business evaluates what activities to pursue or forgo.
You’re casting aspersions on this one guy and implying that he must be up to something shady, all because he’s chosen to not serve a market that has decided to pass some horrible regulation that you happen to like. Unbelievable.
You can’t have your cake and eat it too. The EU can pass whatever laws they want, but the rest of us are still free to tell you to pound sand.
No, what we're saying is OP can't complain about the burden of this onerous regulation when the fact is that almost none of it is relevant to OP and he'll have to make only minor changes to be compliant.
Several of the claims OP made are flat wrong and it's trivial to show they're wrong by simple web searches.
At the very least read this: https://privacylawblog.fieldfisher.com/2016/what-you-think-y...
Could you be sued to the poor house from it? Maybe. But that's the risk of operating a business in the US every single day.
It introduces a fixed cost for operating with any user-related data, which effectively kills any companies operating below that cost.
It's especially funny when small to medium German companies suddenly panic because of the GDPR and when you look at their situation all you can say is "yeah, you should have implemented that 15 years ago, it's already been German law that long".
In Germany not much will change, but at least companies like Facebook can no longer just move to another country with worse privacy laws (like Ireland) and call it a day. For us the GDPR means that protecting user data will no longer be a competitive disadvantage. But if you're a small company and handling data reasonably, the GDPR won't hurt you anyway.
Any business that is shut down by GDPR is, to me, a good business to shut down.
You're required to have a fire safety officer at these companies too, but it's not a full-time position.
And then the next would be that it's inexpensive to "make your case" if you get reported.
https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spa...
Can my small company be trivially bankrupted by any sociopathic gamer skid with an EU address and a grudge when DDoS attacks fail?
"You can beat the rap but you can't beat the ride."
Your dude with a grudge can only lodge a complaint with the relevant regulatory entity. They're the ones who will verify whether you complied or not with his GDPR requests and, if they deem that you are in violation, fine you after negotiation fails.
This isn't the US: you can't be sued by random people for anything.
(1) A random person complains to his regulator that you are not complying with GDPR. If he asked for his personal data, jump to (3).
(2) His regulator contacts you and tells you that what you're doing is bad: you have some stuff in opt-out, not clicking "opt-in" causes a degradation of service, or you are sending him 3rd party cookies he did not accept.
(3) Depending on the complexity and your resources, you have X months to comply.
(4) If you get caught again, you are fined.
Assuming you are American, the only court you need to worry about is American court. Your company is American? Your bank is American?
What's the actual liability here? Worst case?
There is no misconception on GDPR: the idea is good, the implementation is horrible and retarded and it is led by people who do not understand a single thing about technology.
1. Enforcement is not arbitrary, but like all regulation the goal is compliance rather than punishment.
2. The idea is good, and the implementation is widely regarded as good by anybody familiar with data protection regulation.
3. Most of the panic seems to be from woefully misinformed US tech companies.
It would be entirely possible for someone to not be compliant with a side project and get fined 20M, because there is nothing that explicitly forbids this; it is entirely up to interpretation.
Given that US companies have already been targeted in the EU, unfairly [1], I find that law terrifying because I have to trust regulators that don’t have my best interests in mind with possible penalties that are very high.
[1] https://www.treasury.gov/resource-center/tax-policy/treaties...
What if you don't want to deal with any of that? You can no longer just create some useful, free service and make it public. Heck, I don't even like having to be familiar with software licensing just to add something on GitHub.
What if you don't want to deal with the rules of the road?
Then the law should say that. For instance when India implemented uniform goods and services tax processes, it explicitly excluded businesses below a certain revenue threshold and gave them a simple % of gross alternative to all the processes. GDPR doesn't make any such distinction, so such decisions to drop EU support are to be expected.
Sure, but that's not actually written anywhere.
Well that's a disappointment.
So you can profile without consent IFF you can convincingly justify said profiling via one of the other lawful bases. But those won't really let you do blanket profiling willy-nilly either and come with other strings attached.
One really can. It took me all of a few seconds to shrug off the GDPR when I first heard of it. Then, with all the scaremongering (webserver logs will be illegal!), I spent a few minutes reading up on it. It's all more than reasonable: if you're not doing anything shady, or being negligent bordering on incompetent, you can just shrug it off and sleep soundly.
The monetary and time cost is minimal, but the mental benefit is pretty damn good.
As a new and small construction company we simply don't have the resources to comply with all the building codes and the related paperwork. I just can't afford to meet all food safety requirements, I just want to provide free meals for homeless people in my spare time. I just built this car from scratch for myself and now they tell me I cannot drive it on public roads just because I don't have the time and money to meet the required standards?
To put it another way, I go to Central Park and start to juggle. I don't charge people, I just juggle because I like to juggle. Some people watch; others simply ignore me. I write observations about a couple of the people who watched me perform in my journal. One of those guys was from France. He later looks me up in a phone book and calls me to demand I give him any observations I wrote in my journal. I tell this fellow to piss off. A few months later I get a letter saying I need to pay 20 million euros because I wouldn't give away my personal observations stemming from something I did publicly and for free.
It's most certainly not a blanket "Everybody who is not in compliance with the GDPR will get a 20 million Euro fine".
Secondly and most importantly, GDPR is not about preventing people from getting information, but rather about preventing people from tracking customers. If I use your example, GDPR would prevent you from following someone after they watched you juggling. It would prevent you from following them home, noting where they work, who their acquaintances are, what kind of food they eat and so on: it's technically legal but incredibly creepy. If someone were doing this to you, you would be the one to tell them to piss off. You can perfectly well write down your observations of the passers-by who watched you, as long as the log is anonymized. Which is easy to do and not harmful to your business. You didn't want to track them anyway, did you?
No, you'll just sell it to the highest bidder. And enough people do this in such an underhanded way that the EU decides to regulate the shit out of you. So maybe you should have asked permission before recording identifiable people's behavior or otherwise earned their trust. Instead of being shady and myopic about it.
Such a car cannot be driven on the road within The Netherlands without it being validated as safe (plus some other inspections).
For US, same seems to apply. Per https://www.dmv.org/car-registration.php it mentions: "Pass a vehicle safety inspection.". So again you need to deal with paperwork and read what those safety regulations are.
They don't do safety inspections in the US?
Doesn't the vehicle need to have brakes, a means to change direction, emission checks and so on?
You could build and use a service with no regards for your personal privacy - it's your service after all, and it's your business if your data gets leaked. But could you offer such a service?
In doing that he's as equally compliant as any company who has jumped through the various GDPR hoops.
And maybe one day the USA will pass some privacy legislation...
Why would this particular regulation suddenly cause you to close your business unless you were doing something really shady?
Maybe one could argue that there is something to be gained by differentiating the rules based on the industry but, at least to me, it is not obvious that the result would be better and not just more complex. Also there are already rules and laws for specific industries and how they have to handle personal information, think for example medical or financial data.
Is your creative reuse scheme for sawdust and broken drywall bits no longer allowed?
Should any of these be banned? Now if I tell my friend, 'Hey, you can store stuff in my shed/grab a plate of food/take the gokart for a spin', should any of it be banned?
Some of my friends fought for the right to do so in Connecticut with Food Not Bombs, in fact.
That is not allowed. GDPR is only enforced for things which do not comply after it goes into effect. Further, it's not specific to the internet.
No, they fined everyone that owns homes commercially that did not upgrade the homes to comply. And then fined them again. And again, until they complied.
Some prevent loss of life.
Some are pointless or even harmful to society. HN complains constantly about insufficiently dense housing... a situation caused by none other than building codes.
When possible, build in places with good codes, not bad ones.
US law has surprising respect for the hacker ethos, so that even in highly regulated activities, there is a much less rigorous licensing regime for small-scale practitioners: experimental aircraft certificates, private pilot licensing, amateur radio licensing, etc. You can build yourself a car, cook food for a party, etc. without being subject to the laws about those activities under corporate mass manufacture.
We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.
Suggesting that XMPP federation isn't compatible with GDPR seems like an over-reaction, isn't that like saying that SMTP isn't compatible?
That said I do think there should be an expectation that your participation in crash reporting would be voluntary and explicit.
For example, IP addresses are considered personal information but what that means is you just can't blindly collect them. If the service you use relies on IP addresses as a basic point of operation then its fine.
CDNs aren't going out of business for example.
Genuinely curious, what about all of the web servers that log every request which usually by default includes the client IP? Not doing anything special with the IP, they are just there in log files and archives.
We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least). Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.
The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it.
So someone having a copy of my data that I wish be removed is trampling on a webmaster's rights? That makes no sense whatsoever.
> Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers
This isn't even true. They have _a tiny bit more_ control of what you can do _with their_ data. That's it.
Buckle up because this type of regulation is only going to happen more frequently and in large part because of your attitude that it is "your" data versus the user's data.
You are saying that's a bad thing?
Services that require you to sign up, should provide the possibility for users to look at, modify and delete their user data - that's all. Where's the problem?
In a society where the webmasters have shown that they can't uphold their duty to secure PII (or any kind of data really), as evidenced by ~monthly high-profile data leaks, they deserve to be restricted in their "rights to the fruits of their labor".
Further, US law is based on risks of heavy punishments but few regulations, while the law in many parts of Europe is based on strict regulations but less high fines. It looks like the EU has too many rules, but that is a matter of perspective.
Problem here: The internet gives a shit about borders and society.
We still do. Nothing has changed on that front.
"Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time."
As it should have been from the beginning. Having the standard being that the company hoovers up all your data all the time without telling you what they're doing with it or why they need it was a terrible, terrible thing.
"The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it."
I highly doubt it.
Government intelligence organizations like the NSA and foreign equivalents will now have a monopoly on unsolicited data collection. Which, combined with selective enforcement to prevent disruption of gov cartels, is one of the few reasons it went through.
> 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
I thought this guy was a single person who put something on Github. How is he required to appoint a DPO? What kind of large-scale processing of personal information is he doing?
Under the GDPR, you must appoint a DPO if:
you are a public authority (except for courts acting in their judicial capacity); your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
So - no?
And I copy-pasted direct text from the regulation. Note how it says "large scale". Twice. If he is actually processing personal data on a large scale, then maybe it is not unreasonable to have a DPO.
Clause a: not a public body.
Clause b: not systematically monitoring (e.g. installing video cameras all over the streets).
Clause c: not processing large-scale sensitive or criminal information.
Doesn't look to me like a DPO is needed based on this article?
I'm struggling to understand why that's unclear. Is it the use of "public authority or body"?
Edit: Art 30 "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
So, a DPO is not necessarily a person with no other duties. In most smaller organizations that deal with sensitive data the DPO role will be shared with the CCO (Chief Compliance Officer); only at a certain scale of processing and with certain data would you need to budget for a dedicated DPO from day one, but presumably your business plan will also foresee other things such as office space, computers and so on. Certain businesses come with implied costs.
All of our infrastructure has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
I don't have any knowledge about monal.im (don't know what it is, some kind of IM client?), but this person is making some claims:
- He needs a data protection officer: no, only larger orgs handling lots of personal data need this. If he's making an IM client and not servers that store data he certainly doesn't, but I don't know what his setup is.
- Crash analytics: this can be handled by telling the users clearly that you'll be gathering the data (and defaulting to not gathering if they don't actively approve). As long as you have a proper PURPOSE for gathering and storing the data and don't use it for anything else you're golden. You do have to document this, in case of a review (hyper-unlikely).
- Push: he's getting a message and storing the device/IP combination. This seems to be central to the service he's providing. Therefore he can and should put that in the description/terms of his service (as he cannot deliver the service without this). As long as it is clearly explained to the end user this is fine, and he can keep doing it. If he stores it and does anything with this data other than the central purpose that he informed the end user of, he's in violation. I'd suggest putting it in clear text in front of the end user and deleting the data as soon as it's no longer needed. Don't do any non-approved analysis on it. If you want to analyse, ask for permission.
XMPP federation may be a problem, I agree with that. The problem here (as I see it) is that each service getting the personal data must only process it for the purposes explicitly agreed to by the end user and honour any subsequent notifications of rectification and deletion. This is a hard nut to crack indeed.
> I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.
> All of our infrastructure has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.
What if I didn't want you to visit my website? Sure, by the letter of the law I am collecting PII (your IP address), but I think I can reasonably argue that it's quite a technical feat for a private layperson to go from "sudo apt-get install apache2" to "removing IP addresses from log files".
Sure, this is tongue in cheek, but most of the panicking I read was people concerned about their personal websites, especially with the "might be taken as professional work stuff just because of ads or you're blogging about tech as a tech freelancer..." angle. I didn't really hear anyone with a company panic.
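The two practical points raised in this thread, "remove data that you no longer need" and stripping client IPs from web server log files, can be combined in one small script. This is an added example, not code from the thread or from the Monal project; it assumes the standard Apache/nginx combined access log layout and uses constructed sample lines. It keeps only the network prefix of each client IP (/24 for IPv4, /48 for IPv6) and drops entries older than a retention window.

```python
"""Pseudonymise client IPs in an access log and enforce a retention window.

Added illustration for the GDPR thread above (not the project's own code).
Assumes combined log format:  <ip> <ident> <user> [<timestamp>] "<request>" ...
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Client IP, the two identity fields, the bracketed timestamp, then the rest.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 10/May/2018:13:55:36 +0000

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.57 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.58"',
    '2001:db8:abcd:1234::1 - - [20/May/2018:09:12:01 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Mar/2018:08:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)   # fixed "now" for the demo


def truncate_ip(ip_text):
    """Zero the host part of an address: keep /24 for IPv4, /48 for IPv6.

    The prefix is still useful for traffic statistics and abuse triage, but no
    longer points at a single subscriber. Anything that does not parse as an
    address is replaced wholesale so no identifying token slips through.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def process_log(lines, now, retention_days=30):
    """Return the lines to keep: IPs pseudonymised, old entries removed.

    Lines that do not match the expected layout are dropped too, because their
    age cannot be checked and they may carry identifying fields in odd places.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if ts < cutoff:
            continue   # retention window exceeded: delete, do not keep indefinitely
        kept.append(
            f"{truncate_ip(m.group('ip'))} {m.group('ident')} "
            f"[{m.group('ts')}]{m.group('rest')}"
        )
    return kept


if __name__ == "__main__":
    for entry in process_log(SAMPLE_LOG, NOW):
        print(entry)
```

Run it over a real log as a logrotate post-rotate step with the actual current time; the retention window should match the purpose you documented for keeping the logs at all.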
I am assuming the answer is no, but would a startup be able to build an SMTP- or NNTP-like system today? It would be a shame for the GDPR to be yet another force moving the Internet away from its historical decentralization, reinforcing the current centralization trend.
That person doesn't own those bits on that hard drive.
I can't find any exemption for small companies in Article 37 of the GDPR. Can you give me a hint what part do you interpret this way?
Does the author seriously believe this could happen? Enforcement of GDPR is similar to antitrust law. A regular police officer isn't going to fine you for that.
The author's anxiety makes as much sense as not traveling to the United States because you're worried that your one-person pottery business might be considered a monopoly under the Sherman Act.
> In July 2006, their then-CEO, David Carruthers, was arrested while changing planes in Texas on the way to Costa Rica from the U.K. In April 2009 he pleaded guilty to federal racketeering charges, and in January 2010 was sentenced to 33 months in prison.
You certainly don't need to hire extra people like the author suggests, and federation should be just fine (it's essential to what the service does).
Even if it was in the EU, it wouldn't require a DPO, and your use of IP addresses is very reasonable and within the standard allowances which don't require user consent.
Maybe bother reading _anything_ from an official source before coming to this conclusion? This reads to me more as something you want to have a rant about because you don't like it - rather than as any kind of pragmatic decision.
We’ve spent tons of money & interacted with lots of official sources trying to get opinions about what GDPR means and it just isn’t available.
Everything is a risk mitigation technique right now with no real answers in sight. If I had any personal projects serving traffic in the EU right now that weren’t profitable I’d likely shut them down.
I think it’s likely that the regulatory agencies will act with restraint and this will all be hysteria without merit, but I’ve seen enough legal opinions to know that’s not the worst case scenario.
> For the 3.7 million small businesses with 1 to 4 employees, the Census Bureau figures show average annual sales in 2007 were $387,200.
Given that, who wants to risk a 20M fine? All this advice in this thread to do this, run it through a lawyer (lawyers are expensive, especially international ones), makes no sense to the majority of the businesses in the USA: there are less than 8M employers in the USA and a very small percentage has a yearly turnover of even a mil, not to mention the ~600M USD where the fine changes from a constant to a percentage.
To give you another idea of how much money this is, about a quarter of public companies have less than 25M USD market cap.
As a dual Canadian-EU citizen I am stupefied by this law.
European regulation typically treats personal data as being the property of the person being identified; US tradition considers data generated by a company to be the property of that company, not of the person.
This made the whole massive unnecessary panic by primarily US-based small companies much more understandable to me.
GDPR can be scary for developers, because nobody actually knows how a website or app is supposed to work (I have yet to see a single example), and it requires a series of steps that are not trivial on the administrative side. The Right to be forgotten is the easy part. Having to document everything you do and introduce data-dumping mechanisms that are both anonymous and secure is administrative burden. Having to do that for every little project that you release, even if it has 10 users, is a bit too much. Many developers cast a wide net, releasing products often, and this is practically unnecessary work unless you have a significant amount of users.
Introducing opt-in forms everywhere is also not great. It didn't work for Windows Vista, so why do we expect this to work on the web? Opt-ins for things like cookies should be implemented in the browser. What's the point of warning a person before sharing their email? What's the point of warning them even if you'll install a cookie? IP addresses and cookies etc. are integral parts of the HTTP protocol and the browser, so why not introduce anti-tracking regulation that targets browser vendors and telcos instead of introducing regulation that targets every developer on the planet? It doesn't seem like an optimal plan imho. The example of the cookie law (for which it's hard to argue that it has not utterly failed) should act as a bad precedent, not a good one.
It's easy for US developers to be positive about GDPR because they can avoid the overreaching parts, but for us in the EU it's something we have to abide by 100% of the time. I'd like to hear what other people think about those, because otherwise I hear a lot of emotional praise for GDPR which is blind to how problematic it is at day 0.
It is an utter failure but mostly because services try hard to turn it into a travesty and simultaneously manage to deceive their users by attributing blame for the annoying cookie warnings to regulators.
"We are required by law to show you this stupid warning because our site uses advanced features that need cookies to work. Without them, you couldn't even login! (OK)"
Which, of course, is utter bullshit. If you can stop this deception, things might actually work out as intended. Sites may rethink their need for personal data gathering if cookie warnings would have to look more like the following.
"We'd like to analyze your site usage for ad targeting and other things that make us some more money.
Do you agree we use cookies for that? (yes/no)
NOTE: Even if you disagree, standard site functionality like logins will continue to work unharmed."
You only need a DPO if you are a public authority, if you do large scale processing or large scale processing of sensitive data (ambiguous in the GDPR).
If you collect some data, all you need is a privacy policy outlining such, stating what you collect in general and that your legal basis for doing so is to provide the user a service and to monitor for app crashes / bugs - both within your legitimate interests.
Many people have interpreted GDPR to be stricter than it is. In fact, those who have to do the most work are those that cause incredible damage to individuals when they lose data - especially those that have had recent, massive data breaches, e.g. Equifax.
Are 1 million IPs in my logs 'large scale'?
This is a free market with 550 mil potential users/citizens; the void will be filled pretty quickly by other companies/developers that actually spent some time reading about what GDPR is.
Being a first class citizen means being tracked like an animal with an implanted chip.
And let's face it, 99% of web sites and tools aren't really needed, more like a waste of time.
Then I actually spent a little time to find out more and, as someone who cares about privacy, quickly realised the positive intent behind it, and how simple it is to comply with in principle: let users know what data you collect and what you do with it, and give them the possibility to request it or request that it be deleted.
TBH, if someone requested any of this, I'd do it without the GDPR.
A DPO is most certainly not required by all organisations[0], and I would be surprised if it applied to this project. I know lots of blogs are saying it is, but it is simply untrue. I'm not saying that this totally relieves the burden, however.
[0]: https://ico.org.uk/for-organisations/guide-to-the-general-da...
How are they supposed to fill the positions by the 25th of May?
Most certainly simply untrue?
Lots of people are responding to the DPO side of this sentence, saying that it's not as onerous as the author of this article is making it sound, but as someone who's also not based in the EU it's the "EU Representative" part that I'm more worried about myself.
Article 27 says:
> (1) Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
Article 3(2) is the bit that says the GDPR applies to processing outside the EU of EU citizens' data etc.
> (2) The obligation laid down in paragraph 1 of this Article shall not apply to:
> a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
> b) a public authority or body.
It's clear here that not everyone outside the EU needs to have an EU representative, but 2a is wordy and confusing enough that it's real hard for a non-EU non-lawyer to figure out with certainty whether or not they need one. The ambiguous combination of 'and's and 'or's doesn't help, but 'unlikely to result in a risk to the rights and freedoms of natural persons' sounds like something that's ambiguous enough on its own that you might need an EU lawyer to actually interpret it.
Read the law or, at least, read the official FAQ. Your evaluation of the impact of the law on your project is lazy.
(1) The controller and the processor shall designate a data protection officer in any case where: ... (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or ....
Article 9 describes personal data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, ...
I would say that messages sent via IM are personal data as described in Article 9. I also would check the "large scale" checkbox. So in my interpretation he will need a DPO.
That seems a very pejorative way to describe it. You can say the same thing in terms of "you could probably keep operating if you put a lot of effort into understanding the details of the law", which kind of proves the author's point: this creates work for people, and why should someone do that work for no return? Where does the presumption come from that people owe EU citizens these services at a higher standard than the rest of the world is content (legally) to accept?
It looks like a simple thing like embedding a Youtube video in your blog post is no longer so simple. As well as loading any external JS dependencies.
The fault lies entirely with those companies, which did the wrong thing with impunity until it was literally outlawed.
Is it possible to self-host something that handles user data (name, comment, IP address) and comply with this regulation? What if there's more data, federated data? Can one just spin up an instance of Friendica, for example, or are there additional steps required for compliance? I'm honestly not sure anymore.
DPO is required only if you really store race, religion, credit card data, health records. If you keep name and IP you do not need a DPO.
There is so much FUD about GDPR; it will pass after a year. Now compliance vendors are having a party; a lot of champagne will be opened on May 25th.
In the end, if you know what data you have, why you have it and who you share it with, it should be good enough.
https://gdpr-info.eu/recitals/no-18/
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Yes. There's something called GDPR legitimate interest (a subcategory in the "Lawful basis" someone else mentioned here), which lets you store e.g. IP addresses for security reasons, without asking for permission.
See: http://www.privacy-regulation.eu/en/recital-49-GDPR.htm
I think Talkyard ( = open source comments, no ads, no tracking) is GDPR compliant. For example, people can download their personal data and delete their accounts. (I'm developing it).
1. Isn't this person allowed to be the Data Protection Officer themselves? 2. Is APNS inherently not compliant, or is there something unique about this use-case?
What's kind of great about this new regulation is that we get a clear view on businesses that can't adequately protect users' privacy. It's painful for businesses such as these, but ultimately it seems that consumers would come out ahead of it.
The weak link in this case may not have been the developer themselves but external factors, but it's still a pretty interesting data point.
https://gdprchecklist.io (was on HN a few days ago IIRC)
On top of that, this isn't American lawyering. If you make a mistake or are simply trying but not having a good time at it, you're not automatically destroyed, put in jail, fined for billions of euros etc.
The GDPR is beneficial to everyone, except people with bad intentions or bad practises (like having big budgets for PR, Ads and the CEO but not for tech).
The GDPR for basic FOSS and other single-person software boils down to:
- Don't capture data and not ask first
- Don't capture data and not tell
- Don't capture data and not show
- Don't capture data and not say where it is
- Don't capture data and not say who can access it
- Generally, users should be able to CRUD their data
- Delete data on request
- Export data on request
Most of that is common sense and in most non-commercial services this is available anyway. You can make it even simpler:
- Only CRUD when a user CRUDs, and tell them that is what they are doing while they are doing it
- Make sure the delete/opt-out/close account button actually works
- Have a line somewhere saying "I'm hosting this on platform XYZ in country ABC"
Since you are likely going to build CRUD + delete account anyway, that's a solved problem. Unsubscribe/Delete account usually already exists, no problems there either. That leaves writing a few lines telling users where you are storing stuff and how to contact for issues.
Don't forget: laws comparable to the GDPR were already in effect long before the EU came up with an EU-wide version. In the UK, for example, you could ask a business to send an export of all the data they have on you via mail, and they were bound by law to comply. In the Netherlands, if you store PII of people who are not your clients and send them mail/spam/offers, you get fined. Hell, they even had a more universal version where you aren't allowed to put mail in someone's mailbox unless it was addressed specifically to them, and there was one where you weren't allowed to put any ads in if the mailbox was marked for that. And you have a system where cold-calling was not allowed, same for fax-ads.
So is now every standard apache2 installation a non-compliant (illegal?) service, as it logs GETs?
I don't think that's the case.
//edit: It seems to be the case that you are ok if you do log-rotation and delete old ones - which makes sense, so you can still use them for debugging.
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts.
If a single user decides to send him/her the letter (https://www.linkedin.com/pulse/nightmare-letter-subject-acce...), he/she would either have to spend an enormous amount of resources to reply, or be non-compliant and risk him/herself.
Many countries outlaw face coverings as they imply correlation with lawlessness.
The direct linking of IP address as PII flies in the face of that. If I am logging IP addresses for security and to monitor against abuse, and I in fact determine that an IP address is abusive, it behooves me to have any/all data that ip address used in my system to try to identify them.
The right to be forgotten .. why just online? Why just digital?
What if a shop owner or waiter in a small town notes which customers like what, or which client tips well, or which local has annoying kids that she lets wander and vandalize the store?
If that owner/waiter writes that down in a log and shares it with a co-worker on the next shift ... is that in violation? What if they don't write it down and just have a really good memory ... what if they just 'organically' get a reputation and word gets around?
Is old wives' gossip illegal under GDPR, or the "stereotypical" Italian mothers who keep an eye out on all the kids in the street and report to each other who is doing what?
Plenty of stores and bars will have a list "don't take personal checks from these people" ... are those types of lists not allowed anymore?
If the GDPR was JUST limited to "customers" or people who have explicitly created accounts, that might be one thing, but overreaching to say ANY Apache webserver that automatically logs IP addresses has to be GDPR compliant is absurd.
If I post a tech blog with how-tos, personal ramblings, or even example code projects I release as open source that you are completely free to use or not use ... why do I now have some obligation to you? You chose to walk up to my storefront and look inside ... I'm free to remember whatever I want about you while you looked around.
The US passed the pretty broad, overreaching Computer Fraud and Abuse Act [https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act] that many have argued is so broad that a violation of TOS could be considered abuse/hacking. If you view my site without agreeing to my TOS, should I be able to have you prosecuted?
But despite the assurances of many here that it's not hard to comply, I'd probably have shut down the servers of my own hobby non-profitable location data gathering website as well, simply because even reading the GDPR document would be too much effort.
Is there any actual requirement within the GDPR that this needs to be a dedicated person, or does being a DPO just need to be someone's responsibility, e.g. in the case of a one-man open source project the guy who runs the project?
> The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
I guess you could say that it is literally impossible for the DPO to not have conflicts of interest if the DPO is also the owner and manager of the company.
More:
https://ico.org.uk/for-organisations/guide-to-the-general-da...
> The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
Also, my understanding is Germany allows for whistle-blowers to take a cut of fines. Language in the GDPR calls for over-estimating damages for loss of PII when compensating individuals as well.
Generally, I appreciate the GDPR. That said, it's a huge burden trying to go through many dozens of workflows, technical or otherwise, where (typically minimal) PII is recorded, catalog them, limit (and purge) intake of data to bare minimums, create documentation supporting said workflows to be able to provide the SA's, create a plan for being able to search ALL those workflows/databases/spreadsheets/apps that have PII to supply that data upon request, and then be able to delete all cases of such data upon request.
Turns out that's actually a mountain of work. It will probably force us to significantly improve workflows and combine data repositories moving forward but it's a large burden up front. Likely many hundreds, if not thousands, of hours for our fairly small enterprise.
The fine, 1000 pounds, is proportionate given the size of the entity it is levied against, the resources at their disposal and the turnover of the company. If the company had been much smaller, one would hope for leniency, but the fine would either not have been levied at all or it would have been 1000 pounds; no middle ground there.
You'd hope they learned their lesson.
Two view points to this:
1) If made too specific, big players will find a way to slip through the exceptions and game/lawyer the system.
2) If so vague that only the "big players" have the infrastructure/legal approval to actually guarantee 100% compliance, smaller fish, for which the reward just doesn't justify the risk/uncertainty, will certainly pull out of the market.
If the law is about "supercookies" and targeting an individual throughout the entire internet ... it should say that.
If it's about the transfer/monetization of the aggregation of data ... PII being sold for money or some other in-kind transaction ... say that.
If a single entity uses a cookie and retains data for one single domain and that is ok ... say that.
If retaining logs that contain an IP address and the logged-in credentials is ok for security auditing ... say that ... if it's only ok to store them for a year(??), 6 months(??), 1 month(??) ... say fucking that!
If a company/site aggregating PII of over a million unique users is troubling and should be specifically bound by these restrictions and need a DPO ... say that.
If a site only has a few 1,000 - 10,000 unique PII records/users of note, and is not the focus of these regulations ... say that.
Give concrete examples, lawyer the shit out of it ... leave open for amendments so when abused can be modified.
It's just a shitty law trying to fix an already shitty situation.
That's his right, go him.
He didn't have to write a ton of incorrect nonsense about the GDPR though. He could have just skipped to the last step.
GDPR compliance is not actually that hard - I'm in the middle of doing it for a very large company - as long as you're not storing information about users it's almost trivial tbh, but there are a lot of unfortunate vague terms in the law (the intent is rather clear however).
The reaction to this law in the US is rather funny because the rest of the world has been dealing with strange US laws for decades on the web... finally something bites the other direction and people freak out.
I'm quite positive that I've seen people call for Europeans to not do business with American businesses on account of said US laws (in other HN threads).
I suppose the USers would call that "aggressive marketing".
I think this guy fell for it.
This is the part that most people seem to miss.
Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for the legitimate interests of the user (or operator), as long as it does not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seem to fit that description quite well.
Where is the scale balanced on this ... will it be the same in each of the different countries implementing it?
>as long as it does not conflict with the interest of the data subject in regard to their need for data protection
Article 6.1.f
>processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
So ... I can retain IP records in my logs, as long as they aren't a child?
You're allowed to track IPs in your log, if there is a reason for it and you only keep them for a reasonable amount of time.
You do need to gather consent for push messages. But you can do so by simply asking your users, and frankly, you should always ask your users before you spam them, but it’s obviously going to be a little work to implement.
This is an overreaction, especially because no one knows how the GDPR plays out until it’s been tested in the courts.
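The two log questions raised above (whether a stock Apache install that logs client IPs is a problem, and "you can keep IPs for a reason and for a reasonable time") both come down to the same defensive habit: coarsen the identifier as soon as you no longer need it exactly, and drop entries past a fixed retention window. The following is an added example written for this thread, not code from Monal or any project discussed here. It assumes the Apache "combined" log format, a 30-day retention window (an arbitrary, labelled choice), and truncation to /24 for IPv4 and /48 for IPv6; the sample log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: client IP is the first field, timestamp in [...].
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed policy values for this example; pick your own and document them.
RETENTION_DAYS = 30
V4_PREFIX, V6_PREFIX = 24, 48


def anonymize_ip(ip: str) -> str:
    """Coarsen a client address so it no longer singles out one host.

    IPv4 keeps the /24, IPv6 keeps the /48; anything unparseable becomes "-"
    so that a malformed field can never leak through unchanged.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "-"
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str):
    """Rewrite one log line with the IP coarsened; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return f"{anonymize_ip(m['ip'])} {m['ident']} {m['user']} [{m['ts']}] {m['rest']}"


def prune_and_anonymize(lines, now: datetime, retention_days: int = RETENTION_DAYS):
    """Drop entries older than the retention window, anonymize the rest.

    Malformed lines are dropped too: a line you cannot parse is a line whose
    contents you cannot account for in a subject access request.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if ts < cutoff:
            continue
        kept.append(anonymize_line(line))
    return kept


# Constructed sample input (documentation addresses, not real clients).
SAMPLE_LINES = [
    '203.0.113.42 - - [20/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2018:08:00:00 +0000] "GET /old.html HTTP/1.1" 200 512 "-" "curl/7.58"',
    '2001:db8:abcd:1234::1 - - [24/May/2018:09:12:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "this line is garbage and will be dropped",
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for out in prune_and_anonymize(SAMPLE_LINES, NOW):
        print(out)
```

Run it against a rotated log (`logrotate` still handles the file-level ageing) and the output contains no exact client address; the retained lines are still usable for spotting abusive /24s or failed-login bursts, which is the "legitimate interest" the thread keeps pointing at. If you need the exact address for a short window of active incident response, keep that window separate and short, and make this pass the default.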
This seems pretty clearly a case of 'Legitimate Interest'. Filling in a couple-of-page Word document (a LIA) and keeping it somewhere on the off-chance that someone queries you is likely sufficient, from my understanding. (This is not legal advice.)
/Where dust == blocking EU
He doesn't need one
> Crashes
So don't send the user's IP with the crash report?
> Push
I don't know enough about this, but:
"APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server."
I didn't think monal ran their own XMPP servers? If they don't then is there really a danger of someone combining the data from the two services?
> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.
I have no idea, but if the monal developer isn't running any XMPP servers then is this even an issue?
This all seems like someone who doesn't like GDPR having a bit of a tantrum and interpreting the laws in a way that makes it seem like they are in a worse position than they actually are.
"I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts."
What? Where does it say in the law that:
a, you need one
b, it cannot be you
I mean come on, this is just a very ignorant post from the author.
I already had to fend off implementing some ridiculous features. I've pushed against misconceptions and use of non-existent terminology that's not even in the law. People are taking info from all kinds of sources, some of them sketchier than others, despite the existence of official EU guides, and the law itself.
But I bet it will be easy to comply for most non-adtech/tracking businesses. And as an internet user, I'm looking forward to better data exports, data removal and more transparency.
Article 4 point 1 in the GDPR indicates this (unless you can somehow prove that the IP is not related to the person, which I think we all know it effectively is in most cases)
1) You are overreacting. The EU isn't going to come after some small fry operation, or some non-business entity.
This is an easy thing to say when you're not personally exposed to the risk. Would advocates of this position be willing to personally indemnify open source projects / side projects against GDPR enforcement? I suspect not, but perhaps there's a business opportunity in giving them the opportunity to do so. Sort of a GoFundMe for peer-to-peer insurance.
2) The GDPR is all about not being a jerk with your users' data. As long as you don't do that, and do relatively minor things X, Y and Z, you're totally fine.
This flavor of argument might actually be true, but if I'm assuming the risk I'm probably going to want to hear it from someone with skin in the game, like a lawyer, who I can point to if it turns out to be false. Even if I had the desire to read through the law (I don't) and understand the specific implications for my project (I wouldn't), the very act of doing this represents a cost that I could more simply avoid by excluding EU residents from my service. I'd choose the latter path every time, and put "support EU residents, check into the legal implications of GDPR" on the roadmap, for "someday".
3) You're exposed to millions of risks anytime you do anything. This is just one more and you're making a big deal of it.
Often this accusation comes with a subtext that you're trying to prove some political point, suggesting that you're making a decision in bad faith to "punish" the EU. Well, I personally think something like the GDPR is needed, and have no particular axe to grind, but I also have no idea if the legal exposure is serious, and no particular desire to put in the work to find out.
Yes, business, or really any activity, involves legal risk. In this case though, the risk is pretty serious, first of all because the penalties (20M Euros max) are serious, and secondly because it will be very difficult to claim that you've never heard of the GDPR. If Tonga creates some law impacting side hustles on the internet, at a minimum I can credibly claim to be unaware of that law. The GDPR on the other hand has been all over the news for weeks. I've clearly heard of it (especially now that I've commented on a discussion of it on HN).
My feeling is there's a real risk that this law will lead to a general practice of non-EU individuals, and non-EU startups launching MVPs to at least temporarily block the EU to avoid unnecessary risk. That's not the intended purpose of the law, but laws have unintended consequences all the time. If the EU wants to avoid this unintended consequence they should provide a clear, objective, and cheap (in terms of both time and money), set of instructions that will allow projects like monal to continue operating there. If such a set of instructions exists, I haven't seen it.
No, it's an easy thing to say because we have over 20 years' experience of regulation around data protection. The regulators send a letter asking you to come back into compliance unless you've been really bad. They only move to fines if you ignore them.
Here's a company that was handling sensitive personal data (medical data). They have a legal obligation to register with ICO. They didn't do so. Imagine what would happen under HIPAA. Now read what happened in EU.
https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...
People freak the fuck out about the big fines, but they don't realise they're conditioned by the pathologically dreadful US system which aims to over-charge and over-sentence at every opportunity.
Here are some examples: The UK Criminal Prosecution Service sent some unencrypted DVDs through the postal mail. Those DVDs got lost. They got a fine.
Some time later they did it again - this time the DVDs contained interviews with children who were the victims of sexual abuse.
Think about this for a bit: no encryption, no secure mode of delivery, a repeat offence, incredibly sensitive personal data.
Sure this requires the maximum fine, right?
https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...
No. Only £325,000 out of a possible £500,000.
"If such a set of instructions exists, I haven't seen it"
Maybe for me it is an easy set of instructions, for some maybe not.
I get that the GDPR regulations seem quite complex and daunting, but his use case seems pretty simple to me.
Harsh words but I feel they're warranted: If you don't want to treat my private data with the due diligence you should, then we're better off not using your service.
> we're better off not using
Just pointing out that some people may want to choose how they want their data treated case-by-case, instead of having no option to use the website because it's blocked.
Yes:
https://gdpr-info.eu/art-84-gdpr/
> Member States shall lay down the rules on other penalties applicable to infringements of this Regulation
So every country can create whatever penalties they want, as long as they are "effective, proportionate and dissuasive".
> [A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
I think the principle is that since an IP address could be used to identify you, it is considered personal data.
> Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person. [ECLI:EU:C:2016:779]
I’d love the opportunity to add GDPR to my current list of specialities.
>> Yes.
> Can you tell me their email address?
>> No.
This is an era many of us won't regret.