It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.
There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.
> It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.
If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights.
> There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.
I think it's mainly a difference in viewpoint: this is my data for me. Not yours. GDPR makes it easier for me to enforce that. From my perspective I don't care about you violating my rights "in good faith", just like most people don't care if you trespass on my property and steal something "in good faith".
The problem is not the work that the GDPR requires, the problem is the work I'll have to put into understanding the GDPR.
> I think it's mainly a difference in viewpoint: this is my data for me. Not yours.
This is the part that I don't understand. If I own a shop, and you come in and buy something, you have absolutely no right to demand that I forget your face and your purchase. In the real world, it's not your data, it's my memory. If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I don't understand the concept of data ownership, because it does not align with how I understand the real world to work.
This is where there's been a divergence in thought. In the real world you have limited capabilities to collect and store the data that is currently being collected. You're physically limited in how much you can retain and retrieve. In your old-timey example I assume the diary to be sitting there in the back of the shop just being a record of my name and what I bought, but that's not how a lot of data is being used or being collected online.
The equivalent would be you making the diary automatically write down a potentially unlimited amount of data on me and then using it to sell advertising the moment I enter the shop.
If I went past your store and it automatically retrieved physical details about me, what I'm wearing, my interests, hobbies, location, and you then built a profile and sold this information to advertisers, there absolutely would be regulations regarding this in the real world.
A better example:
http://www.bbc.com/news/technology-23425297
Privacy limits
As retailers trial such tech they are well aware there is a risk of a privacy backlash.
Clothes store Nordstrom recently cancelled a scheme which tracked customers' movements through its stores using their phones' wi-fi signals after complaints.
"Are we willing to accept our everyday movements being monitored and analysed, not to keep us safe but purely to allow advertisers to target us? I think people will start to say no, our privacy is worth more than a few advertising dollars."
--
You say shop with a diary to present the most innocent of examples, but for every shop with a diary there are billions of stalkers following people everywhere they go to learn as much about them as possible in order to sell them products and influence how they think, which they never agreed to.
I asked this question in a comment [1] here on HN a few weeks ago. There were affirmative responses that yes, the shopkeeper should in fact be held to account for keeping notes on who came into his store.
You might call it poaching, but that only became a crime when society made it one, and that's what the GDPR is doing now with personal data.
I hate to break it to you but yes I do: by doing business within the EU market you're accepting that. In fact you're accepting that the very same way that you're accepting that you can't store all your clients' credit card/cvv numbers that are used on your store.
A server 'processing' (which seems to include using it in any way, not just storing [1]) your IP address appears to fall under the GDPR[1], and said server would be in violation of the law unless its processing falls under one of the exemptions.
The main exemption appears to be getting the user's explicit consent, though there's also this super vague exemption: "for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted." [2]
In general, it seems very hard to avoid the GDPR because what is considered 'personal data' is extremely broad.
Maybe I'm misunderstanding something.
---
[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
[2] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:
"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
There's a three part test:
1. Identify the legitimate interest: ensure the security and stability of my systems.
2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse
3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.
Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, I'll be able to correct any mistakes before fines come into play.
[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...
GDPR has no concept of PII. Personal data is anything relating to a natural person. It's not just an identifier like an address or phone number.
1. I have been using Google analytics for their entertainment value. I assume that's verboten now.
2. I assume the IP addresses in my logs are PII. Should I shut off logging?
1. yeah, probably.
2. There's a comment elsewhere in the thread to this effect, but short-term logging for the usual purposes of managing stability/security of a system almost certainly qualifies as legitimate interest. Don't keep the logs indefinitely, but I figure nginx's defaults with a week's retention period are quite reasonable.
The relevant authorities also have a track record of giving people warnings and time to fix things, so especially for something so trivial, I'd basically just make a good faith effort and not stress about it.
2. You can simply exclude IP addresses from logging.
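The three measures the thread keeps coming back to for access logs (pseudonymizing the client address, keeping only a short retention window, or leaving the IP out entirely) can be combined in one log-rewriting step. The following is an added example, not code from any commenter or from nginx itself: it assumes nginx's default "combined" log format, a constructed per-deployment secret for the keyed hash, and a handful of constructed sample lines. The hash mode keeps one client's requests linkable within the key's lifetime (so abuse is still detectable), while the truncate mode drops the host part of the address and needs no key at all.

```python
"""Pseudonymize client IPs in nginx access logs and enforce a retention window."""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in nginx's default "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:10:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:10:12:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8::42 - - [10/May/2018:10:13:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Apr/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.58"
"""

# Hypothetical per-deployment secret: load it from outside the code and rotate it
# periodically so that old pseudonyms cannot be joined to new ones.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

# client_ip, then the rest of the line; the timestamp is captured for retention checks.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def pseudonymize_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the address: stable while the key is unchanged (repeat offenders
    stay visible), not reversible without the key, and broken when the key rotates."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "h:" + digest[:16]


def truncate_ip(ip: str) -> str:
    """Alternative to hashing: keep only the /24 (IPv4) or /48 (IPv6) network part.
    Coarser than a keyed hash, but needs no secret to manage."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def process_log(text: str, now: datetime, retention_days: int = 7,
                mode: str = "hash") -> list:
    """Rewrite log lines: replace the client IP and drop entries older than the
    retention window. Lines that do not parse are dropped rather than passed
    through with a raw address in them."""
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if ts < cutoff:
            continue  # outside the retention window: do not keep
        ip = m.group("ip")
        replacement = pseudonymize_ip(ip) if mode == "hash" else truncate_ip(ip)
        out.append(f"{replacement} {m.group('rest')}")
    return out


def demo(retention_days: int = 7, mode: str = "hash") -> list:
    """Run the rewrite over the constructed sample with a fixed 'now' (2018-05-11)."""
    now = datetime(2018, 5, 11, tzinfo=timezone.utc)
    return process_log(SAMPLE_LOG, now, retention_days, mode)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it once over a day's log before the file is shipped to wherever you keep history; with a one-week retention the April line is discarded outright, and the two May requests from the same address share a pseudonym so that, for example, a brute-force pattern against /login is still visible without the raw address ever leaving the box.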
You don't give a damn; neither do those computer-illiterate people who use the same email address and password for everything, and one leak of some shitty inconsequential website may obliterate their entire online presence.