undefined | Better HN

0 pointsjacquesm7y ago0 comments

Thank you for making a coherent argument. You are missing one point I think: if not for those regulations those companies would love to do business. They are forbidden from doing business, this guy sees the law and runs off without even trying to become compliant. That's a different thing. There is no way that Kinder could be compliant with US law in such a way that they would not be exposed to what - to EU sensibilities - amount to exorbitant damage claims.

Similar arguments apply to the other examples you use, I see your point and there are valid reasons to not enter a certain market because of the legal climate there but the point I am trying to make is that the OP has not raise any valid point at all other than 'I don't want to comply'. And that's fine by me but then don't bother dressing it up in a bunch of made up requirements.

0 comments

kingofhdds7y ago

>this guy sees the law and runs off without even trying to become compliant

This guy quite clearly states that he doesn't have resources to become compliant, while it is too risky to make a mistake here.

There are fans of GDPR on this website, who prefer to ignore the fact that the compliance has its cost, and added to that still unknown risks of practical interpretation of legislation which also have their cost. But these are real life things.

Angostura7y ago

I respect his right to do whatever he would like with his own hobby, but we should be clear that the guy is stating he doesn’t have the resources, based on a series of misunderstandings.

So, for example, he says he is required to appoint a DPO.

The U.K. Information Commissioner has this to say:

>Do we need to appoint a Data Protection Officer?

A> Under the GDPR, you must appoint a DPO if:

> you are a public authority (except for courts acting in their judicial capacity);

your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);

> * or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

caffeine51507y ago

You are correct as to a DPO, but if he is, say in the US, and subject to GDPR, he must have an EU Representative, who by all indications would be liable for his violations. That's a significant burden if not a practical impossibility for most in his position. Also, if he's transferring personal data from the EU to the US directly from individuals, his only practical way of making that transfer compliant is likely to be privacy shield certified which is not cost free (although he could maybe rely on consent as a derogation, but relying on that has risk). I can think of many things like this that have, if not a hard cost, then a definite cost in time and resources to comply including keeping up with compliance. Could easily be not worth the effort for a single individual.

kingofhdds7y ago

And "large scale" means how many records in DB? How many users? Or records per day?

Angostura7y ago

Why have you isolated one element from a multiple element sentence:

* core activities * require * large scale * regular * systematic

If you tick all those other boxes, but are concerned that your processing may be teetering on the boundary of 'large scale', I would be cautious and assume your liable.

1 more reply

peteretep7y ago

These are excellent questions that you will have to have shown you've considered if you get audited. If there's disagreement with the regulator, you'll come together to resolve it, and then may need to appoint one.

1 more reply

pgeorgi7y ago

Monal is an XMPP client running on user's iOS devices. Is that person even running an XMPP server for those users?

caffeine51507y ago

A UK privacy attorney I know considered 20k records (individuals) to be large scale. I haven't seen much helpful guidance. The WP29 guidance I've read only gives examples at the very extremes of large and small so not too helpful. Practical guidelines will evolve over time.

scotty797y ago

I guess if you have to ask that question you are not a large scale.

1 more reply

e12e7y ago

Perhaps more important, dpo is just another hat - if he's ceo,cfo,cto - he can be dpo too?

krfsm7y ago

There are limitations, namely:

"There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any."

Specifically they recommend against also being the data controller. I.e. you shouldn't be responsible both for handling personal data and verifying compliance of said handling.

johnchristopher7y ago

No, because you wouldn't be independent enough. A CFO or a CTO would tell its board things are okay because it isn't in its interest to do otherwise.

That's why some independent DPO jobs are appearing.

But the DPO is a small cog in the machine. Updating the processes is the most time and resource consuming regarding the GDPR.

aembleton7y ago

That's the UK's interpretation of GDPR. What about France or Poland, or any of the other countries?

I suppose it depends where in Europe he would like to visit

poizan427y ago

I'm not seeing any interpretation being done here, but judge for yourself. Here is what the GDPR actually says (Art. 37 Designation of the data protection officer):

> (1) The controller and the processor shall designate a data protection officer in any case where:

> a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

> b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

> c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Angostura7y ago

That's the UK's straight-forward unequivocal explanation of the rules. Where there is room for interpretation or uncertainty, the ICO is very good at pointing this out. It doesn't here.

As poisan42 points out - it echoes the words in the actual article, directly.

Bottom line, he doesn't need a DPO.

raverbashing7y ago

There's no "UK Interpretation", this is the whole point of the EU. The rules apply across the block.

1 more reply

number67y ago

GDPR compliance takes resources. I would say for a small business it takes about 1 or 2 days. Not hard work but tedious. In the end you will have around 5 documents that will show your processes, what you do to keep data save, a plan how you deal with questions from customers and regulators, that you trained your employees and that you choose your subs carefully.

Essentially that's it.

I am no lawyer but I am a CPO.

Pro tip: Speak with the regulators they are on your side.

kingofhdds7y ago

I guess you are EU-based, unlike the guy whose text we are debating here.

number67y ago

Yes - I guess having an EU contact is something not easy to come by on the other hand there might soon be a service for it.

I guess an XMPP Server could be considered a communication service an could be subject not to the GDPR but to regulations concerning ISPs and Phone companies.

wiz21c7y ago

Well many of us find it completely normal to spend days on having a good security, setting up HTTPS, encrypting content to protect privacy. I wonder why GDPR seems so different, it's just more of the same, just less technical.

askmike7y ago

Exactly. It will take a while before standards and best practices form, but they will.

bryanrasmussen7y ago

I guess I am a fan of GDPR, certainly compliance to anything has a cost. I personally don't find the costs of GDPR compliance onerous unless you have already built up lots of non compliant systems that now need to be fixed, in which case the free ride is over. Anyway, this guy is pulling out of the EU but if he allows anyone from the EU to use his service from a non-EU location anyway he would be risking non-compliance.

jiveturkey7y ago

no. gdpr applies only to people in the eu. if you are an eu person in canada it does not apply to you.

bryanrasmussen7y ago

you're right, it seems a few people have been making the same mistake about eu citizens that I've made.

subway7y ago

Kinder is an amusing example, since they decided to offer a compliant variant of their product in the US.

https://www.today.com/food/kinder-joy-chocolate-eggs-are-com...

Sylos7y ago

They did that in a rather smart way, too, by diverging it enough from the original that they could sell it elsewhere as a new thing.

I mean, it never really took off here, very few people prefer it over the original, but better than not being able to sell it outside of the US at all.

fcbrooklyn7y ago

Yes. Rather a step back from the original offering isn't it? If I'm being honest, I couldn't give a damn about the kinder eggs prohibition, as I am not a child, and I do not have children. The Bovril issue is by far my biggest personal concern, although I'd really like to be able to buy raw milk cheese.

jkaplowitz7y ago

There are states in the US where you can buy raw milk cheese legally. You just can't do it through interstate commerce, but for example it can be done in person at farmer's markets with cash. New York is one such state, I dunno about the other major tech hub states.

fcbrooklyn7y ago

Bovril could easily comply. They would simply have to open a manufacturing facility that did not use UK beef. The French cheese makers could sort of comply, by pasteurizing their milk. Kinder, I admit, has a more difficult problem, and has, in fact attempted to comply, by creating a completely different product with the same name.

CaptainZapp7y ago

"The French cheese makers could sort of comply, by pasteurizing their milk"

And why should the French cripple a delicious and traditional product, which is gladly gobbled up by millions of happy consumers to sell their product in the US?

tinus_hn7y ago

Because otherwise they can’t sell it there. Their country, their rules. A French cheese maker doesn’t get to dictate the rules abroad. Take it or leave it.

CaptainZapp7y ago

It seems to me that French and other European cheese makers are much more interested in protecting the integrity of their product than opening up the US market for it.

C4stor7y ago

You mean, exactly what we are doing right now, causing all kind of outrage in France ? Funny you should bring that up, because it's a very hot topic currently :-D

dogecoinbase7y ago

Ah yes, "simply" open a manufacturing facility.

fcbrooklyn7y ago

There will be a cost involved. And presumably there will be some benefits that result. Those are precisely the parameters of OP's decision.

tokyodude7y ago

I'm not following your distinction. The only difference seems to be timing.

Case 1: CompanyA is already doing business in CountryB. CountryB changes regulations. CompanyA pulls out of CountryB because of regulations

Case 2: CountryB has regulations. CompanyA choose not to do business in CountryB because of regulations

am I missing something?

Moru7y ago

Except EU has always (well, Sweden since 1973) had regulation, if you would gave followed that, you would not have to change much in most cases. Just write some documents and smaller changes.

llcoolv7y ago

But in this case this is not even a business. It is a zero-revenue open-source project. It seems to me that only very well-funded charities are allowed to run web services now.

P.S. I sincerely hope my country gets out of this ASAP.

kerng7y ago

Kinder is a great example actually on how a company adjusted their product. Now I believe in all markets (even beyond USA) the product is safer and less dangerous for kids to get injured.

Sylos7y ago

I really don't think, it got safer.

It takes some special talent, even as an adult, to take such a big bite off of a classic Kinder egg that you'd have any chance of accidentally swallowing the plastic capsule or somehow else hurting yourself on it.

And with the new egg, I'd be concerned that my kids swallowed that plastic spoon. Like, that's something they actively have to put into their mouth and it's not as interesting as the toy for them to be motivated to not swallow it.

It's also small enough for them to realistically pull this off.

qz37y ago

Is safety a real concern here? I would have never viewed Kinder Eggs as dangerous in any way.

I haven't found a single case of a child getting hurt in Germany. Only news reports about them being unhealthy (big surprise).

fcbrooklyn7y ago

Actually, I'm pretty sure they still stick the toys inside the eggs everywhere except the US. Perhaps a European can correct me on this assumption.

EDIT: Turns out the US-style kinder eggs are indeed available outside the US.

mast7y ago

In Canada they definitely still put toys in the eggs. http://www.ferrero.ca/our-brands/kinder-surprise/moments-of-...

kerng7y ago

http://fortune.com/2017/05/22/kinder-egg-usa-debut/

Toy is also in US version but different design

1 more reply

Some_Degenerate7y ago

I've seen this variety sold in Poland

https://www.candywarehouse.com/assets/item/regular/kinder-jo...

But I'm not sure it's typical.

kerng7y ago

Yeah. That's the US version also, not sure how common it is outside US.

Sylos7y ago

They marketed it as a new thing beside the original here in Germany.

Most people seem to prefer the original, though. They lost a lot of charm by going from toy+edible+tinfoil to plastic+toy+plastic+edible+plastic spoon+plastic.

dspig7y ago

The new one is even more sweet and rich than the eggs (more like a dessert than a snack) and harder to eat for a young child, so not surprising.

kerng7y ago

Looks like this now http://fortune.com/2017/05/22/kinder-egg-usa-debut/

I have seen this outside of US also (pretty sure it was doing a Europe trip)

riffraff7y ago

it's just a different product, which shares almost nothing with the original, and is simply sold besides it outside the US.

youngtaff7y ago

Yup, Kinder Eggs have toys inside in the UK

Karlozkiller7y ago

They're not forbidden to so business, they're forbidden to so business unless they adapt their product or practices. I'd say that is pretty much the same as this case?

j / k navigate · click thread line to collapse

0 comments

kingofhdds7y ago

>this guy sees the law and runs off without even trying to become compliant

This guy quite clearly states that he doesn't have resources to become compliant, while it is too risky to make a mistake here.

Angostura7y ago

I respect his right to do whatever he would like with his own hobby, but we should be clear that the guy is stating he doesn’t have the resources, based on a series of misunderstandings.

So, for example, he says he is required to appoint a DPO.

The U.K. Information Commissioner has this to say:

>Do we need to appoint a Data Protection Officer?

A> Under the GDPR, you must appoint a DPO if:

> you are a public authority (except for courts acting in their judicial capacity);

your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);

> * or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

caffeine51507y ago

kingofhdds7y ago

And "large scale" means how many records in DB? How many users? Or records per day?

Angostura7y ago

Why have you isolated one element from a multiple element sentence:

* core activities * require * large scale * regular * systematic

If you tick all those other boxes, but are concerned that your processing may be teetering on the boundary of 'large scale', I would be cautious and assume your liable.

1 more reply

peteretep7y ago

1 more reply

pgeorgi7y ago

Monal is an XMPP client running on user's iOS devices. Is that person even running an XMPP server for those users?

caffeine51507y ago

scotty797y ago

I guess if you have to ask that question you are not a large scale.

1 more reply

e12e7y ago

Perhaps more important, dpo is just another hat - if he's ceo,cfo,cto - he can be dpo too?

krfsm7y ago

There are limitations, namely:

"There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any."

Specifically they recommend against also being the data controller. I.e. you shouldn't be responsible both for handling personal data and verifying compliance of said handling.

johnchristopher7y ago

No, because you wouldn't be independent enough. A CFO or a CTO would tell its board things are okay because it isn't in its interest to do otherwise.

That's why some independent DPO jobs are appearing.

But the DPO is a small cog in the machine. Updating the processes is the most time and resource consuming regarding the GDPR.

aembleton7y ago

That's the UK's interpretation of GDPR. What about France or Poland, or any of the other countries?

I suppose it depends where in Europe he would like to visit

poizan427y ago

I'm not seeing any interpretation being done here, but judge for yourself. Here is what the GDPR actually says (Art. 37 Designation of the data protection officer):

> (1) The controller and the processor shall designate a data protection officer in any case where:

> a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

Angostura7y ago

That's the UK's straight-forward unequivocal explanation of the rules. Where there is room for interpretation or uncertainty, the ICO is very good at pointing this out. It doesn't here.

As poisan42 points out - it echoes the words in the actual article, directly.

Bottom line, he doesn't need a DPO.

raverbashing7y ago

There's no "UK Interpretation", this is the whole point of the EU. The rules apply across the block.

1 more reply

number67y ago

Essentially that's it.

I am no lawyer but I am a CPO.

Pro tip: Speak with the regulators they are on your side.

kingofhdds7y ago

I guess you are EU-based, unlike the guy whose text we are debating here.

number67y ago

Yes - I guess having an EU contact is something not easy to come by on the other hand there might soon be a service for it.

I guess an XMPP Server could be considered a communication service an could be subject not to the GDPR but to regulations concerning ISPs and Phone companies.

wiz21c7y ago

askmike7y ago

Exactly. It will take a while before standards and best practices form, but they will.

bryanrasmussen7y ago

jiveturkey7y ago

no. gdpr applies only to people in the eu. if you are an eu person in canada it does not apply to you.

bryanrasmussen7y ago

you're right, it seems a few people have been making the same mistake about eu citizens that I've made.

subway7y ago

Kinder is an amusing example, since they decided to offer a compliant variant of their product in the US.

https://www.today.com/food/kinder-joy-chocolate-eggs-are-com...

Sylos7y ago

They did that in a rather smart way, too, by diverging it enough from the original that they could sell it elsewhere as a new thing.

I mean, it never really took off here, very few people prefer it over the original, but better than not being able to sell it outside of the US at all.

fcbrooklyn7y ago

jkaplowitz7y ago

fcbrooklyn7y ago

CaptainZapp7y ago

"The French cheese makers could sort of comply, by pasteurizing their milk"

And why should the French cripple a delicious and traditional product, which is gladly gobbled up by millions of happy consumers to sell their product in the US?

tinus_hn7y ago

Because otherwise they can’t sell it there. Their country, their rules. A French cheese maker doesn’t get to dictate the rules abroad. Take it or leave it.

CaptainZapp7y ago

It seems to me that French and other European cheese makers are much more interested in protecting the integrity of their product than opening up the US market for it.

C4stor7y ago

You mean, exactly what we are doing right now, causing all kind of outrage in France ? Funny you should bring that up, because it's a very hot topic currently :-D

dogecoinbase7y ago

Ah yes, "simply" open a manufacturing facility.

fcbrooklyn7y ago

There will be a cost involved. And presumably there will be some benefits that result. Those are precisely the parameters of OP's decision.

tokyodude7y ago

I'm not following your distinction. The only difference seems to be timing.

Case 1: CompanyA is already doing business in CountryB. CountryB changes regulations. CompanyA pulls out of CountryB because of regulations

Case 2: CountryB has regulations. CompanyA choose not to do business in CountryB because of regulations

am I missing something?

Moru7y ago

Except EU has always (well, Sweden since 1973) had regulation, if you would gave followed that, you would not have to change much in most cases. Just write some documents and smaller changes.

llcoolv7y ago

But in this case this is not even a business. It is a zero-revenue open-source project. It seems to me that only very well-funded charities are allowed to run web services now.

P.S. I sincerely hope my country gets out of this ASAP.

kerng7y ago

Kinder is a great example actually on how a company adjusted their product. Now I believe in all markets (even beyond USA) the product is safer and less dangerous for kids to get injured.

Sylos7y ago

I really don't think, it got safer.

It's also small enough for them to realistically pull this off.

qz37y ago

Is safety a real concern here? I would have never viewed Kinder Eggs as dangerous in any way.

I haven't found a single case of a child getting hurt in Germany. Only news reports about them being unhealthy (big surprise).

fcbrooklyn7y ago

Actually, I'm pretty sure they still stick the toys inside the eggs everywhere except the US. Perhaps a European can correct me on this assumption.

EDIT: Turns out the US-style kinder eggs are indeed available outside the US.

mast7y ago

In Canada they definitely still put toys in the eggs. http://www.ferrero.ca/our-brands/kinder-surprise/moments-of-...

kerng7y ago

http://fortune.com/2017/05/22/kinder-egg-usa-debut/

Toy is also in US version but different design

1 more reply

Some_Degenerate7y ago

I've seen this variety sold in Poland

https://www.candywarehouse.com/assets/item/regular/kinder-jo...

But I'm not sure it's typical.

kerng7y ago

Yeah. That's the US version also, not sure how common it is outside US.

Sylos7y ago

They marketed it as a new thing beside the original here in Germany.

Most people seem to prefer the original, though. They lost a lot of charm by going from toy+edible+tinfoil to plastic+toy+plastic+edible+plastic spoon+plastic.

dspig7y ago

The new one is even more sweet and rich than the eggs (more like a dessert than a snack) and harder to eat for a young child, so not surprising.

kerng7y ago

Looks like this now http://fortune.com/2017/05/22/kinder-egg-usa-debut/

I have seen this outside of US also (pretty sure it was doing a Europe trip)

riffraff7y ago

it's just a different product, which shares almost nothing with the original, and is simply sold besides it outside the US.

youngtaff7y ago

Yup, Kinder Eggs have toys inside in the UK

Karlozkiller7y ago

They're not forbidden to so business, they're forbidden to so business unless they adapt their product or practices. I'd say that is pretty much the same as this case?

j / k navigate · click thread line to collapse