Isn't this the sort of thing people accuse the US of? The rest of the world makes ugly jokes about "Be careful what you say about the US or they might come liberate you too." The EU is now in the protection racket. When the mob says you should give us a few bucks because it would be a shame if something happened to your business, people recognize that is not nice behavior. But the EU can do the same on the web and some people laud it as a good thing for individuals in the name of personal privacy.
If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.
(Yes, I am guilty of having this opinion without having actually read it. I blogged previously about my opinion this would do bad things to forums. I am shocked to see negative fallout happening so very soon.)
The GDPR is probably not what you think it is, because it barely introduces new stuff; it only enforces what already existed but was ignored because it was based on self-regulation.
There are a number of publications about RGPD explaining that there is really nothing to panic about (unless you're a giant conglomerate). It's not going to kill your business unless your business is based on violating privacy and things you should not be doing in the first place, because it's been illegal for a while and you had 2 years since the announcement to respect the law.
> If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.
It does not work that way. Actually, thanks to RGPD it's now: if you don't want to deal with RGPD requests, don't collect or process personal data.
(I wonder why this is contestable? DMCA is an afterthought, GDPR requires a lot of actual work to implement even if you process minimal data like IPs)
Now if you collect and track you may want to inform the users and let them opt-out.
GDPR is similar in a way with the Don't spam me laws, I assume you had to write code to respect this law and I did not see people complaining that they need to write code to respect that law. Or you can not do business with EU citizens.
If you have a very strong right to anonymity, a right to be forgotten is less important because it's easier to separate yourself from your online identity. In fact, forgetting information is pretty harmful because anonymous systems need better tools for building and validating reputation.
If you have a strong right to be forgotten, anonymity is less important because you can just delete information you regret sharing. And similarly, anonymity is kind of harmful because you now need ways to validate who owns information and ways to control how it's spread.
EU seems to be less concerned with anonymity, and more concerned with managing and regulating information after it's already been created and shared. This also kind of rubs the anonymity crowd the wrong way because they've advocated for a while that information isn't necessarily something that you can own like property, and that the Internet should actually be far more immutable than it already is.
Exactly. Privacy also doesn't mean being invisible when interacting with people or machines. It's not a well-defined right, and the limits can often be fuzzy (e.g. a problem that kids often have with parents). Pseudonymity / anonymity can also be subject to gradation.
It is not difficult to be compliant. Most people don't bother because they are drama queens or hiding what their business is really based on, and the latter is usually not ethical by any manner and deserve to be shoved off a cliff.
People will have to do some real innovation instead of selling off data and working out how to attract people into a product that exists only to do that really.
And you're very likely using the services of one of the big players, like Google, the very ones you're suggesting should be explicitly targeted in another message below.
Like I said before, including to you: the EU does not owe companies a business model, especially when the costs of that business are externalized to citizens of the EU and of the world.
Your so-called alternative at the end is just more of the arrogant snubbing typical of the advertising industry.
There are tons of companies processing my personal data that are not web companies. GDPR isn't about "data being on the web", it's about all handling of personal data.
Public records are potentially more harmful than anything Facebook has. For example, I just shipped a 20 foot container of household goods to the US from France — that manifest, including my personal information is public record — I have to explicitly send a letter and request privacy for that shipment — and then remember to renew that request each year or else details of my entire shipment, including my address and contact information are available publicly. Thanks government. I can’t simply use another shipping company — it’s a government rule. When GDPR applies to governments, then I might become a fan, but as it is now, I am being “protected” from my Facebook likes or web history but what protections do I have from governments who traffic in my information. There is zero reason my shipment manifest needs to be known beyond Customs or the shipping company moving the goods, yet, here we are. Facebook never committed mass murder — but governments certainly have. Google Analytics data doesn’t have a realistic chance of causing harm — but someone with my address and a manifest of a shipment of expensive stuff results in a potential for real harm — that stuff is literally public record with absolutely no controls over who can buy that information.
First, it allows recording and keeping the relevant data for sales and legal requirements. Second, it applies to government.
Comparing Facebook vs government is really a dumb fallacy. Why would government be unable to use Facebook for whatever? And Facebook to cooperate with that? It is already happening; look at what happened in the Philippines with Rodrigo Duterte[1].
That you are unhappy with the US legal requirement to be able to ship cargo to their country[2] is unrelated to GDPR; maybe take your complaint to the relevant government or regulation body.
[1]: https://www.bloomberg.com/news/features/2017-12-07/how-rodri...
[2]: excerpt from world shipping council to US customs
II. Cargo Manifests: General
Today a cargo manifest is the document that states what a carrier has loaded aboard a vessel for delivery to the United States. The creation, submission, and retention on board of the manifest are tasks that are the responsibility of the vessel carrier and are regulated by law and regulations. Proper manifesting is a requirement for allowing the entry of inbound vessels and for the issuance of a permit to unlade.
We recognize that the cargo manifest has become a document that is used by the government to prescreen cargo for national security reasons. It was not designed for this purpose and has some limitations in this regard.
https://ico.org.uk/for-organisations/guide-to-the-general-da... See “when does [it] not apply?”
GDPR already applies to governments. What makes you think it is not?
https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-in-...
> Starting May 25th 2018, all organisations, including those in the public sector, need to comply with the GDPR.
Government agencies have been working their asses off to become GDPR compliant. If you have a problem with the way your shipping info is handled, file a complaint against that government agency at the French data protection authority.
Please stop the FUD. The right to be forgotten has never been absolute and applies to both companies and government.
I can visit site A and B, not put any of my data intentionally on them, but still my data gets funneled to 25 third parties that know what I visited.
So your point is: don't use the internet, or turn off JavaScript and open each link in private windows and maybe use some proxies or Tor.
Now everything loads in an instant, no more shenanigans that jump around the screen as I scroll, no Facebook/Twitter/Google buttons (that nobody even uses), no pop-up/in/out/over adverts, and even those asinine cookie warnings are gone by default!
I cannot recommend it well enough.
Ever try running traceroute?
Sensible regulation that defines workable limits of what personal information can be collected, combined with requirements for anonymization when needed, is a better solution.
In this case the operator's usage of the word troll to describe what happened is telling. Anyone can send any kind of threatening letter they want, and they are free to report you for non-compliance, but that doesn't mean any action will be taken against you, let alone actual fines.
IANAL, but IMHO the chances of any solo forum operator being sanctioned by EU regulators is effectively nil—the purpose of the law is specifically to address usage of personal data, not old-school off-the-shelf forums and other one-off websites where the scope of the data is essentially the core of the service itself.
You can argue the only thing that matters is the end result, but I'm not sure there's any way to write meaningful privacy regulation that will not generate a huge wave of FUD, especially with the traditional SV stance that we ought by default to have carte blanche to monetize user data in any way that's effective.
GDPR is also quite weak in this regard as it has few new additions: explicit consent (thanks to Snowden exposing PRISM, and despite the largest lobbying campaign against it orchestrated by Silicon Valley[1]), the max possible fine increased so actors like Google and Facebook would stop paying 150,000€ fines right and left while laughing in the face of European laws, and class actions.
Again, it's only thanks to the Snowden revelations that the GDPR weakening personal data protection was overturned.
The real change that matters is that now the law can and will apply.
Google, Facebook, Twitter, etc. got websites to implement their like buttons everywhere. The information gathered by them is collected and everybody is being tracked wherever they go.
If we aren't as a world terrified of what is being done by small groups like the open source organization announcing it is shutting down in the very post under discussion, why are you defending the GDPR on the idea that it somehow reins in the abuses of FB, Google, etc? Do you have evidence that it is, in fact, reining them in? Or are they just getting with their lawyers, finding cute ways around the problem and carrying on while entire organizations smaller than them suddenly shut down and die because the EU wrote words somewhere that these mega corps likely care relatively little about?
Then again, what you say is a misrepresentation and a biased idea. What proof do you have that GDPR will disproportionately impact small organizations?
Have you read the actual announcement posted here? Asking because it does not say that it is shutting down, but that it is moving its community discussion from a self-hosted Discourse forum to a third-party hosted subreddit, because Discourse lacks the ability to properly address GDPR requests and he lacks the time to do so.
Of course GDPR also applies to FB, Google, etc. Have you followed the discussions 5 years ago when GDPR was in the making and witnessed the intense lobbying from Silicon Valley against strong protection? Probably not.
Are you aware of the noyb.eu[1] initiative, Max Schrems again, currently targeting Google, Facebook, WhatsApp and Instagram for their "forced consent" (more to come)? La Quadrature du Net, a French internet rights organization, is currently working on 12 class actions targeting Google, Facebook, Amazon, Apple and Microsoft, etc.
> Do you have evidence that it is, in fact, reining them in?
We will see what happens. The first complaints against Facebook and Google have already been filed.
People clueless about privacy and privacy abusers are no longer welcome to the data of EU citizens.
If you don't want to get robbed, don't leave your home.
Precedent? It's hardly the first time one powerful body politic has enforced its own standards on others. A very, very, very long way from the first time.
Facebook and other data aggregators build profiles of you even if you don't participate directly in those services. The web is different now than it was in 1996.
It's the path currently explored in a class action against facebook for forced consent and we'll see what happens.
I suggest using the identifier you received at birth to make the request plus your e-mail.
They do have jurisdiction, because the laws apply to companies that want to reach Europeans.
It's up to companies whether they think it's worth the effort to reach this market.
Companies do some crazy stuff on the other end of the spectrum to have a presence in China, right..?
This law will only make things (even) more expensive and cumbersome for EU companies wrt. the rest of the world. This is going to be the asinine Cookie Warning all over again, times a hundred.
As if he read all laws of his own country that apply to him. Raise your hand if you actually read and comprehend all laws that apply to you. I'm willing to bet there's not a single person on this planet who really reads and comprehends all laws completely.
Usually you just go with common sense and reading a blog post or two when it seems relevant: that usually makes you compliant, and in the worst case it will get you a warning from the regulator (they give warnings for unintentional first-time violations, so they'll tell you if you're doing wrong and it bothers them enough (usually you're too small anyway), and you get a chance to improve).
Lawsuits are used in a lot of western and eastern countries to try and right wrongs. Many of them use lawsuits to troll and money grab as well. It's not unique to the US.
Just act in good faith and GDPR will not bite.
Do you have $20 million to make that gamble? Now if I was legally required to act on every request in 30 days or face potential litigation, that's a totally different story. I'm doing something that's a fun hobby of mine for free that will benefit others with similar interests. The line is drawn when it can have real world consequences and take up a substantial amount of personal time in order to comply with frivolous requests. That's when it stops being fun and definitely not worth risking legal headaches.
That's not what happens though. You get a request, you have 30 days to respond to it (and for the vast majority the privacy policy is ok as a response) and if the requester isn't happy they report it to the regulator who writes for more information. In that situation you again send off your privacy policy, maybe with a bit more detail.
The regulator either tells you that you're wrong, and explains why, and gives you advice to come back into compliance, or agrees with you and tells the requestor that they've misunderstood the law.
And all of this has provisions for proportionality. The regulators will recognise that small forums run for small projects will not have resources to respond to many requests.
1: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
2: https://jacquesmattheij.com/so-your-start-up-receive-the-nig...
It would destroy the usefulness of a forum.
> It would destroy the usefulness of a forum.
Couldn't you just anonymize their posts, for instance by updating their username to something like "Deleted User"? Wouldn't you be fine as long as there wasn't anything left to link them to their real identity?
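The anonymization approach suggested above, as an added example that is not code from the thread or from any forum software mentioned in it: the schema, the sample users and posts, and the "Deleted User #<id>" naming are all constructed for the illustration. It renames the account, clears the directly identifying fields (email, last IP, signature), and rewrites `@`-mentions and quoted uses of the old username in other members' posts, while leaving the post bodies themselves in place so the thread stays readable.

```python
import re
import sqlite3

# Constructed placeholder name; the numeric suffix keeps usernames unique.
DELETED_NAME = "Deleted User"

# Hypothetical minimal forum schema for the example.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email TEXT,
    last_ip TEXT,
    signature TEXT
);
CREATE TABLE posts (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    body TEXT NOT NULL,
    FOREIGN KEY (user_id) REFERENCES users(id)
);
"""


def seed_demo_forum():
    """Constructed sample data: two users, one quoting and @-mentioning the other."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice_k", "alice@example.org", "203.0.113.7", "Alice, Berlin"),
        (2, "bob", "bob@example.org", "198.51.100.2", None),
    ])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (10, 1, "Has anyone tried the new release?"),
        (11, 2, "> Has anyone tried the new release?\n"
                "@alice_k yes, alice_k's point stands."),
    ])
    conn.commit()
    return conn


def anonymize_user(conn, user_id):
    """Pseudonymize one account in place and scrub references to it in other posts.

    Returns a small summary so the operator can record what was done for the
    request. Raises LookupError if the account does not exist.
    """
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user with id {user_id}")
    old_name = row[0]
    new_name = f"{DELETED_NAME} #{user_id}"

    # 1. Replace the identifying account fields; the row itself is kept so
    #    foreign keys from posts remain valid.
    conn.execute(
        "UPDATE users SET username = ?, email = NULL, last_ip = NULL, signature = NULL "
        "WHERE id = ?",
        (new_name, user_id),
    )

    # 2. Rewrite "@old_name" and bare "old_name" in every post body.
    #    The lookarounds stop "bob" from matching inside "bobby" or "bob.smith".
    mention = re.compile(r"(?<![\w.-])@?" + re.escape(old_name) + r"(?![\w.-])")
    rewritten = 0
    for post_id, body in conn.execute("SELECT id, body FROM posts").fetchall():
        new_body = mention.sub(new_name, body)
        if new_body != body:
            conn.execute("UPDATE posts SET body = ? WHERE id = ?", (new_body, post_id))
            rewritten += 1
    conn.commit()

    own_posts = conn.execute(
        "SELECT COUNT(*) FROM posts WHERE user_id = ?", (user_id,)
    ).fetchone()[0]
    return {"user_id": user_id, "new_username": new_name,
            "posts_kept": own_posts, "posts_rewritten": rewritten}


if __name__ == "__main__":
    db = seed_demo_forum()
    print(anonymize_user(db, 1))
    for pid, body in db.execute("SELECT id, body FROM posts"):
        print(pid, repr(body))
```

The rename only removes what the account record and other people's references reveal; anything the member wrote about themselves inside their own post bodies is untouched, which is exactly the objection raised further down the thread. Whether those bodies also need editing is a separate decision per request.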
Those are easily handled, but still, if you are a hobbyist it's just too much hassle.
If a user publishes on your forum that he has disabilities, congratulations, under GDPR you just leaked user personal data of the worst kind.
Why do you think GDPR forces forum owners to delete posts? Which bit of GDPR do you think introduces this requirement?
That by itself is way too much hassle.
Erm, asking for a friend.
(a) you are processing data of data subjects who are in the union related to the offering of goods or services to such data subjects, or
(b) you are processing data of data subjects who are in the union related to monitoring of their behavior as far as their behavior takes place within the Union.
If you can avoid both of these, then I believe you can pretty much ignore GDPR.
If you have "no interest in doing business in Europe", it should be easy to avoid falling under (a). Recital 23 [2] discusses what it means to be "related to the offering of goods or services" to data subjects in the Union.
It means that you have to envisage offering services to such people. The mere accessibility of your website to EU people, or having an email or other contact details in the EU, is insufficient to show such intent. Offering your website in EU languages that are not generally used in your non-EU country, accepting EU currencies, mentioning your EU customers on your site, and things like that will strongly suggest you are offering them goods and services.
What monitoring of their behavior means is discussed in Recital 24 [3]. It basically means tracking a person for profiling or analyzing or predicting their personal preferences, behaviors and attitudes.
Most sites selling things to end users probably don't need to do any such behavioral monitoring. If you do, just do a geoip check and exclude EU IPs. If you aren't trying to do business in Europe you probably want to do that anyway, because EU visitors are just noise in your data.
[1] https://gdpr-info.eu/art-3-gdpr/
I imagine visiting an EU member would be unwise as well.
Does that also mean then that quoted content counts? What if another user merely copies/pastes text someone said into their own reply (like you have to do on HN)?
Phrases like this just sound weird to me. If there's a risk that someone could sue you over something, from a business perspective I have always been taught that you avoid it, period, until you get a lawyer.
I wonder if this is a cultural difference between the US and EU? Might explain some of the different reactions people have had to the legislation.
It's like you're driving too fast on the highway, but if it's just you mom complaining and not a police officer you won't get fined :)
- that said, we should all respect the speed limit, they are there for a reason.
That seems like a pretty broad policy... someone could all the time for any reason no matter how good a reason.
It's sort of like the "never roll your own security" advice that gets brought out when people ask questions about crypto. To a certain extent, yeah, we do have to roll our own security. Of course developers need to roll their own stuff, at least at the integration level.
But as soon as it gets even slightly dangerous, I'm not going to be doing, say, my own XSS filtering. I need a vetted library at that point.
I've been taught to think of the law the same way - you don't roll your own legal advice.
I don't know if it's a social thing or a legal thing or some combination or what, but apparently it's harder to sue in other parts of the world.
> Phrases like this just sound weird to me.
Are you from the USA? Because my best guess is that that's why it sounds weird to you. I almost sued a company (they paid just in time) and even then wouldn't have looked for representation, let alone for issues like these. Just read a blog post or two about GDPR. No lawyers required.
Bigger companies do have legal teams, but smaller one can operate without ever needing a lawyer.
Which bit of GDPR introduces that risk?
I'm being told that the EU would never pursue that with a small business and they'd just tell you what you need to fix.
That also sounds weird to me as an American. I'm not saying it isn't true, just that it's not the way I'm used to thinking about laws.
Bad news: If you have a business, people can attempt to sue your business for whatever they want, and you might have to defend against it. There is nothing on the books that says lawsuits have to be reasonable before they can be filed, only that people who abuse the legal system get punished AFTER a court decides they're a moron.
And in fact even filing a frivolous case can result in fines or jail time for contempt.
So no, you can’t in practice sue someone for anything.
[1]: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
It gave 2 years to get conformity to something which has been effective since 1995 through a European directive. The forum owner decided to ignore this and do nothing; now he's confronted with the consequences of his choices.
But again, his reaction is akin to a knee-jerk reaction, as he probably has the capacity to answer the request, while outsourcing to a third party does remove his responsibility and obligation to answer GDPR requests; just now it's gonna get a bit more complicated as he has a third party in the loop which is probably not complying either.
Those requests can be:
- Please give me all my data
- Please delete all my data
- Please stop doing things (processing) my data
Or some mix of all the above. A site owner (controller) has 30 days from receiving such a request to respond or the person making the request can report them to their Supervisory Authority (ICO is the UK Supervisory Authority, each country in the EU has their own).
For example, if you told the user why you collected the data, and you're still using it for that purpose, and you have a legitimate need to continue to do so then you don't need to delete the data. And there's an extra exemption for "exercising the right of freedom of expression and information".
If you can completely distill a binder of a legal framework down to an "if this then that else this" sentence, you don't understand it, and your hubris is going to kill your company. If you think the correct response is "don't respond, wait until it escalates", you don't understand it and your hubris is going to kill your company. If you're doing anything worthwhile you're going to be bumping up against some law or another, and you can't just ignore it and you can't afford to not understand it. That's why you pay lawyers.
It seems like he has no time only for legislation from EU.
I don't think I support an unlimited right for people to delete everything they've posted to the internet. Previous law did not recognize one; the primary mechanism for attempting to assert one would likely be copyright, and a clickwrap user agreement would usually offer sufficient protection for the forum operator.
And more generally, prior to GDPR, a person could casually put up a forum on a website and not have a meaningful legal compliance workload. GDPR changes that.
GDPR is capped at $20+ million, no one knows what a typical fine looks like, the law is much harder to read, and everyone is afraid to be made an example of.
The EU has had data protection law for twenty years. The EU has enshrined proportionality of penalty in all EU law as a fundamental right. There is plenty of case law at the CJEU defining this.
All you need do is read the FAQs that EU ICOs have been putting up. The UK has never, in 20 years, applied the full penalty of the previous DPD, and under 0.1% of all reports got any fine at all.
A "typical" penalty will be help with complying. Perhaps a strongly worded letter.
Didn't a data subject sue Google and Facebook for billions on day one of enforcement?
Completely unrelated. Not only are DMCA requests easier to handle than data access requests, the fines for not complying with GDPR are disproportionately larger than for violating DMCA.
Work required for complying with a DMCA request: delete the offending material, a basic feature implemented on every single piece of forum software.
Work required for complying with a data access request: search every single service you potentially could have stored user data in and provide it to the user. A non-basic feature that requires custom development.
Additionally any malevolent user (as is shown in this case) is incentivized to send a GDPR data access request while this is not true for DMCA.
I agree however that they are both horrible laws. So if your argument was to show that GDPR is just as bad as the DMCA I agree. GDPR is a horrible law and it is not obvious to me that the law wasn't created specifically to target non European business.
The only way this targets non-European businesses is because the litigious nature of US culture seems to lead to this sort of overreaction.
I'm also not sure how a malevolent user is any more incentivised to abuse this than DMCA. The DMCA lets them issue actual legal threats and action. This just allows requests.
The DMCA helps big business at the expense of the general public. This does the reverse. It's no wonder there's been so much noise and scaremongering.
People send fake DMCA takedowns all the time.
If someone sends you a GDPR data request, you can ask for administrative costs. You can even ask it to be mailed to you via post. If someone sends you a bogus and unreasonable GDPR data request, you can ask them to pay you a further reasonable fee.
This can almost be an auto-response. Trolls will get bored.
> Work required for complying with a data access request: Search every single service you potentially could have stored user data in and provide it to the user. A non basic feature that requires custom development.
This is not true. Recital 62[1] says you don't have to give them any data they already have, and Recital 57[2] says you aren't obliged to determine which of your data identifies them if you aren't going to do it anyway.
[1]: http://www.privacy-regulation.eu/en/recital-62-GDPR.htm
[2]: http://www.privacy-regulation.eu/en/recital-57-GDPR.htm
> I agree however that they are both horrible laws.
I like the GDPR a great deal, and I think it'll be good for companies big and small in the long run. Disclaimer though: I'm doing some GDPR consulting, so you might prefer to think I'm getting paid to like the GDPR.
The scary bit seems to be for companies that approach compliance from the point-of-view of centralising understanding, and minimising the impact and costs of that compliance. They're looking for someone to tell them "this is enough effort", but the point is that Europeans don't want people playing chicken with their data[3].
As soon as companies realise that embracing the spirit of the GDPR is cheaper, it starts becoming a real opportunity for them.
[3]: https://www.sec.gov/Archives/edgar/data/33185/00011931251815...
GDPR however requires that you actively set up data auditing and security policies and practices which may break or otherwise require re-architecture of parts of your company. In fact that is its purpose. If the company or organization is small enough, then it might be easier to abandon the project instead of being compliant.
In this guy's case he had an easy offramp to reddit, so he took it. Simple. However it does offer now at least one data point to show that GDPR has decreased diversity in data ownership and risk. The question is, are drone.io users better off now that they will be utilizing reddit?
Court orders take a comparative mountain of effort before they land on someone’s doorstep. They require someone to determine that there is a legitimate cause of action against the site, consult their attorneys/legal department as to the best course of action, research the case and produce enough evidence of their claims to hopefully convince a judge to give them the order they seek, then prepare and file the legal paperwork. In most cases, by the time such an order is issued, several people have invested dozens or hundreds of hours in the effort.
By contrast, sending a “nightmare letter” is a matter of copying and pasting, which can be done by anyone in just a few seconds. Even a small site like the one at issue here could easily receive hundreds or thousands of such requests per year that the owner is obligated to produce detailed responses to, under the threat of enormous fines.
This regulation was written in a way that made it ripe for abuse. We are seeing real-world abuse now, and we are barely a week into it. Shutting down and/or at least blocking EU traffic is entirely reasonable in light of the situation that GDPR has created.
Yes, that is the entirely correct mindset to have for someone who does not live in the EU.
</sarcasm>
People apparently have a hard enough time understanding invisible things such as privacy, but this goes double for those whose income depends on violating the privacy of everyone.
I'm sure we'll get a separate thread for each site that's closing, to emphasize how the (advertising) world is ending, one just needs to wait.
https://www.polygon.com/2018/4/28/17295498/super-monday-nigh...
https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying...
http://money.cnn.com/2018/05/25/media/gdpr-news-websites-la-...
https://www.theguardian.com/technology/2018/may/24/sites-blo...
Try doing some basic research before asking leading questions that you don't expect responses to.
-- Anatole France (I might have edited that quote slightly)
Is it also unfair that both small and large companies aren't allowed to pour acid into rivers? Should they get an exception?
Should only large restaurants be forbidden from serving rotten food? Should small car makers have exceptions to car safety and emission standards?
Few rich people have any inclination to sleep rough, whereas many wealthy tech companies have been happily selling their users' data as the law allowed it.
And a data access request. This has always existed, but it was a directive which was implemented in each local law, and local legislators could give (more mild) fines but almost never did.
GDPR is not new. And I'm not talking about 2016, I'm talking about the previous law from 1995 which is 95% the same for 99% of the companies.
You can probably ignore them anyway if you aren't a big company. With millions of these troll letters going around (and probably getting ignored), odds of any corrective action against you seem very low.
In any case, the corrective demands of the EU give you time to comply after they declare that you've violated something? Could probably wait for that point even if you're in the EU.
Maybe I put a notice up and geofence EU IP addresses but it seems that would just raise my visibility and suggest that I think I'm doing something wrong (whether or not I am).
At the least I'd wait for some indication that a random US ecommerce site (or whatever) actually has something to worry about.
If you don't make money from EU users and don't want to be GDPR compliant you should probably just shut them off if you ever want to operate in the EU in the future
Then his/her last point is that they’ll give you a chance to correct things.
Your post doesn’t seem to cover that either.
But this is not a given every time and not everyone goes the nice route; some go directly to court. So when you are a small fish, you are better off doing your best to follow the GDPR in the first place than scrambling to avoid sanction in a limited time later. It is not that complicated to not collect data you don't need, to ask before collecting it, and to inform about what you do with it.
How will they do that, and on what legal basis?
If the regulatory agency decides to fine you, and you don't successfully defend yourself against that in court, then you'll have to pay that fine. If you fail to pay the fine on time, any entities within the jurisdiction that owe you can be ordered to pay the fine instead (i.e., your payment processor will be ordered to redirect funds arriving for you to the state, which also, as far as their jurisdiction is concerned, fulfills their debt towards you--as far as their legal system is concerned, the payment processor has paid you and you have paid the fine).
The 4% of worldwide revenue fine potential is exclusively targeted at the US tech giants. By my last count, the US has roughly 100 tech companies worth over $10 billion each (with trillions of dollars in worldwide revenue). Nobody taxes revenue, that's about the most moronic thing you can possibly do - unless you're doing it to try to harm / punish companies. Very few EU tech companies have meaningful worldwide revenue to tax.
GDPR is only a regulation stating more explicitly what you're required (and were always required) to do for compliance with EU privacy laws. It obviously was needed since privacy violation has become so blatant. The GDPR legislation has been a long time in the making. It might be the case that privacy in Europe is being valued more than elsewhere in the world, I don't really know, but it's nothing new at all. For example, in Switzerland (not in EU but certainly with humanist and very old democratic and civil rights traditions) privacy in the form of banking secrecy is held in even higher esteem.
Yes, as a collateral effect, some business models might not work in EU any longer, or not to the extent they used to (though ads and affiliation links had been on a race to the bottom anyway). But I'd say that's a win, or can be turned into a net benefit. Think about what the Web has become in the last 10-15 years. We still don't have reasonable micropayments, and nobody wants paywalls anyway, etc. The result has been the rise of "platforms" and monopolies where the user's data and attention is the product, with publishers of quality, nuanced content struggling or going out of business. While you of course don't owe dead-tree publishers anything, an economic model for content creation working for more people than it is now is still very much desired.
If you're perceiving GDPR as trading barrier (even though it's just a privacy law), please also consider the US's total and utter failure to get their antitrust regulations in gear: Facebook buying WhatsApp, Google buying DoubleClick and YouTube, etc. At a certain point, others will have to react to that kind of government-sanctioned monopolization to protect their markets.
The internet at its base abstraction is a borderless medium without regard to locality. Imposing legislation by user region is a dangerous precedent as each region can now impose fee-seeking legislation on internet companies.
As demonstrated by the troll in this very situation, right now (assuming the filer is actually a troll).
Who do you think can take advantage here?
The bad actors are still going to be bad and lie about it, the honest actors just got burdened with some of the worst legislation in recent history without it even coming from our elected officials.
It's dangerous and I don't care for having to backtrack through years worth of projects in use and figure out how they can each be GDPR compliant. It's a tax on creators time and is imo one of the worst possible things legislators can do to an emerging space (as all software is).
The commission proposes legislation, the council & parliament pass it.
I don't think it would be hard for the person in the post to comply, it would just be time consuming. Say for example that a user requests a data transcript. Well, he will have to collect all the posts etc. from that user and send them somehow. Now this is probably just a simple SQL query but it takes a bit of time, time that many people don't have.
Another issue seems to be that he is afraid of repercussions and is conditioned in the US system where everyone seems to be suing everyone all the time.
I strongly suspect this is sufficient. Maybe it would be ideal to offer a "delete account" and "download account" button.
But there is no reason you should be processing letters from people.
I'm not even sure you need to offer removal of public information. But allowing deletions of accounts is hardly controversial.
How? I can only delete for a small amount of time after posting. I cannot delete any of my past comments. If there is an option to remove old(er) comments I would sure like to know about it, seems to be hidden pretty well.
Technically, I suspect, this would be true. The GDPR and the right to be forgotten are subtle on this. If a user chooses, unprompted, to share PII it's not clear that collection has taken place. Imagine a user, out of the blue, uploads her bank account information to a forum and others take the credentials and steal her money. Would anybody seriously believe that the business should be liable for failing to secure the PII data? The other question is whether such data can be said to be processed. Clearly the forum is not processing the PII data as PII data. It's likely the case that the business doesn't know that any given forum contains PII data.
The GDPR also gives businesses a lot of leeway here. Erasure requests can be rejected under "freedom of information", if they cause undue burden a fee can be demanded, or if they're just frivolous they can be outright refused [1].
Admittedly this is speculation. European regulation is rules-based and a lot of leeway is given to regulators. The right to be forgotten is probably the least concrete aspect of the law. It's not clear how it intersects with user-generated content because it's not clear that PII is even being collected here. In the end, I suspect the regulators and the courts would probably be open to good faith efforts towards compliance. This might take the form of removing account data (username, emails, profile pictures) but leaving the forum posts up. If a specific forum post is believed to contain PII the business might ask the user to explain how the data in the post could be used to personally identify them as a data subject.
[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...
Why are US companies/citizens overreacting so much? I haven't seen any company or sideproject from a different country react this way. (please let me know if I'm wrong)
GDPR is about personal information, not private information. Personal information is anything relating to an identified or identifiable person. Your forum account username, password, posts, private messages, votes, etc. are all in GDPR scope. If it's possible to use the same username, password, and writing style, etc. across the internet then at least some forum users are "identifiable" whether or not they have provided a real name, phone number, or anything like that.
"I am a customer of yours."
Not until you pay me, you're not. Yes, Mr. Well Actually, I know that the law says otherwise, and that's exactly why the law is FUBAR.
If you collect data from me when I visit your website, even without me buying anything, you have now collected data and you need to comply.
The use of the word "customer" in this context is incorrect.
It's ok if the privacy law only went against stuff like analytics or horrible Facebook buttons that even collected stuff from people who clearly weren't users, i.e. tracking, especially tracking outside their "domain".
However GDPR goes against all and anything. I mean if I go to a supermarket I can't just tell the supermarket owner to shut down all his cameras until I leave the store, he would basically just kick me off his market (which actually is his right in the EU). However the EU somehow made a solution that actually even goes against their own market principles just to have an extreme amount of privacy on the internet (only on the internet, their own institutions can still collect data, i.e. in Germany the ARD has tons of data about everybody) and this is my problem with the GDPR, it's a law from people who actually just want to hurt the big US internet companies. The law also was made by a lot of people without any clear technical background (there were some, but they were a minority).
https://gdpr-info.eu/art-2-gdpr/
> This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Your name, address, move-in date, and whether you paid them. Additionally – if you don't want to pay twice – who you live with. Am I missing anything? In any case, they are still bound by the same GDPR as we all are.
(A small nitpick: The ARD does not hold any data but their members do.)
Your example is deeply misrepresenting the GDPR, seems like FUD to me. GDPR applies outside the internet, GDPR is very limited in scope as it kept the "legitimate interests" exemption from the 1995 directive.
Can you substantiate your claim that GDPR was made by people who do not understand what they do?
In any case it's the wrong way to address the problem, and its ill effects are seen in cases like this. It's actually easier for "free services like Facebook" to comply because they can hire full-time compliance staff. The worst effects fall on smaller sites and individuals, making them less able to compete - individually or collectively - with the entrenched big sites. Some have even painted it as a form of regulatory capture, though I think that's a bit of a stretch.
No, it really doesn't.
In Europe action for civil torts is limited to what you've actually lost. There are no punitive civil claims. Courts are a method to get back to how you were, they're not a route to betterment.
And GDPR is not enforced by each victim of a breach taking civil action through the courts, but by victims reporting to the regulator and allowing the regulator to take action.
The reason people in Europe seem so blasé about this is because we've had decades of experience with regulation, and we know that they don't have many teeth, and tend not to use the teeth they do have.
GDPR isn't changing this.
https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
Thing is, if you require people to register to be able to buy from you they can be customers before actually paying anything.
Why don't more technical people become politicians, or at least form lobbying groups or think tanks?
GDPR requires you to only gather the data you need; only keep it for as long as you need it; tell people what you're doing with it; and allow them to correct it if it's wrong. How is that too hard?
There's plenty more, but you get the idea. Anyone who says implementing this law is simple isn't implementing this law in a business of normal size and complication.
But only if that's proportionate.
https://gdpr-info.eu/art-24-gdpr/
> Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
> Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
Either you are against any laws at all and believe that corporations could provide physical security and wage wars, or you are misinformed.
If you gossip about me behind my back, is it wrong of me to ask what you told others about me? If you are a company sharing my data with other companies, should I not be allowed to demand to know with whom you're sharing my data?
If you process personal data of millions of people, wouldn't it make sense that you have to have someone in charge of watching out for their data?
If you want to track people to create profiles of them, should you not ask them whether they're actually okay with that, rather than doing it secretly?
If you accidentally lose my data and hackers could be stealing my identity or using my password, should I not be told?
These are the things covered by GDPR, or previously, the data protection directive, cookie law and the data leak reporting laws. For example, the previous cookie law was also deemed a stupid idea by a tech-illiterate government, because lots of websites started popping up cookie walls and everyone got annoyed. But the truth is, the websites with cookie walls are the ones who want to do extensive profiling beyond any normal visitor count trackers or login systems or whatever. Of course they should inform you about that.
GDPR is not much more than common sense should already tell you to do. But since corporations are not people and do not have a collective conscience, it has to be codified in laws.
Technical fields pay a lot more and you control most of your destiny.
Politics pays nothing and you deal with bureaucracy.
Hmm.
(guys, I'm being sarcastic)
I have my doubts.
I've got a handful of sites (ultimately for portfolio / coding practice type stuff) out there. Honestly it wouldn't take me too much to respond to someone's letter considering the simplicity of the site(s), not that anyone uses them.
I also really wouldn't expect any EU official to throw down the hammer on me. Personally I wouldn't panic, and I'd at least wait for the EU official to weigh in before panicking.
Nothing to worry about for people like the open source project in question. This is way overblown paranoia, but understandable given the current hype.
Instead they are being forwarded to a service that does monetize their service.
No, it is because of an overreaction to a request. If they are acting in good faith then just reply
OP could have waited for the regulator's letter before doing anything.
1: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
These aren't their natural right. Some laws are just bad independent of whether most people support or agreed to them. This is most obvious in dictatorships, but dysfunction strikes all systems.
links to what he thinks has been used to craft the letter he received.
Underlying issue is that the guy does not have time to deal with GDPR and Discourse does not offer the proper tools, so he went the easy route of outsourcing, but he overlooked that he's probably still liable under GDPR.
They should definitely name and shame them.
Then again, my remote impression is that Silicon Valley isn't that much different nowadays.
Can he not extract all that user's data and delete if that is what is being requested?
It says this right in the posting. >>
> In case anyone is interested, this basically described what has been happening to me: https://jacquesmattheij.com/so-your-start-up-receive-the-nig... 1.2k
> The sad thing is that one email came from the co-founder of a Startup out of Germany.
It is a request for a lot of information.
It's also not clear to me that anyone getting that letter must do what that letter says to the letter or else face consequences. We haven't seen that situation tested yet (although I can get why someone might not want to test it themselves); all we've seen are letters being sent from individuals to individuals. Now how any enforcement would actually play out IRL.
[edit]: @jcastro, I totally didn't realize that was already there, my bad.
There is an open question whether posts would need to be deleted or just anonymized from the user account. Safer to delete of course.
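The export-versus-anonymise question raised above (and the "simple SQL query" for a data transcript mentioned earlier in the thread) as an added worked example; this is not code from the thread, from Drone or from Discourse. It runs against a constructed SQLite schema (the `users`, `posts` and `private_messages` tables and their sample rows are hypothetical, not Discourse's real schema), builds a subject access export for one account, and then handles an erasure request either by stripping the identifying fields and re-attributing the posts to a placeholder, or by deleting the posts as well.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed, minimal forum schema for the example; a real forum schema
# (Discourse's included) is far larger and named differently.
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL UNIQUE,
    email         TEXT,
    password_hash TEXT,
    last_ip       TEXT,
    created_at    TEXT NOT NULL
);
CREATE TABLE posts (
    id         INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(id),
    body       TEXT NOT NULL,
    created_at TEXT NOT NULL
);
CREATE TABLE private_messages (
    id           INTEGER PRIMARY KEY,
    sender_id    INTEGER NOT NULL REFERENCES users(id),
    recipient_id INTEGER NOT NULL REFERENCES users(id),
    body         TEXT NOT NULL
);
"""


def open_sample_db():
    """In-memory database seeded with constructed sample rows (two users, three posts, two PMs)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "alice", "alice@example.org", "$2b$12$hash-a", "203.0.113.5", "2017-01-02T00:00:00Z"),
        (2, "bob", "bob@example.org", "$2b$12$hash-b", "198.51.100.7", "2017-03-04T00:00:00Z"),
    ])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        (1, 1, "First post by alice", "2017-01-03T00:00:00Z"),
        (2, 2, "Reply by bob", "2017-03-05T00:00:00Z"),
        (3, 1, "Second post by alice", "2017-03-06T00:00:00Z"),
    ])
    conn.executemany("INSERT INTO private_messages VALUES (?, ?, ?, ?)", [
        (1, 1, 2, "private note from alice to bob"),
        (2, 2, 1, "private reply from bob to alice"),
    ])
    conn.commit()
    return conn


def export_user_data(conn, user_id):
    """Subject access export: every row the site holds that relates to this user."""
    user = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    if user is None:
        raise KeyError(f"no user {user_id}")
    profile = dict(user)
    # The hash is data about the user, but shipping it in an export only helps whoever
    # later obtains that export; disclose that a credential is held, not its value.
    profile["password_hash"] = "<held, not disclosed>" if profile["password_hash"] else None
    posts = [dict(r) for r in conn.execute(
        "SELECT id, body, created_at FROM posts WHERE user_id = ? ORDER BY id", (user_id,))]
    # Messages sent or received are the subject's data; the counterparty appears only
    # as an id so the export does not leak another user's profile fields.
    messages = [dict(r) for r in conn.execute(
        "SELECT id, sender_id, recipient_id, body FROM private_messages "
        "WHERE sender_id = ? OR recipient_id = ? ORDER BY id", (user_id, user_id))]
    return {
        "exported_at": datetime.now(timezone.utc).isoformat(),
        "profile": profile,
        "posts": posts,
        "private_messages": messages,
    }


def erase_user(conn, user_id, keep_posts=True):
    """Erasure request. Returns the placeholder username the account is renamed to.

    keep_posts=True  : null every identifying field and re-attribute public posts to the
                       placeholder so threads stay readable (the 'anonymise' option).
    keep_posts=False : also delete the posts and every private message the user sent or received.
    """
    placeholder = f"deleted_user_{user_id}"
    with conn:  # single transaction: either all of the statements below apply or none do
        if keep_posts:
            # PMs are the user's own writing, not public content, so the ones they sent
            # go even in anonymise mode; received ones are the sender's data and stay.
            conn.execute("DELETE FROM private_messages WHERE sender_id = ?", (user_id,))
        else:
            conn.execute("DELETE FROM posts WHERE user_id = ?", (user_id,))
            conn.execute("DELETE FROM private_messages WHERE sender_id = ? OR recipient_id = ?",
                         (user_id, user_id))
        cur = conn.execute(
            "UPDATE users SET username = ?, email = NULL, password_hash = NULL, last_ip = NULL "
            "WHERE id = ?", (placeholder, user_id))
        if cur.rowcount != 1:
            raise KeyError(f"no user {user_id}")  # rolls the transaction back
    return placeholder


if __name__ == "__main__":
    db = open_sample_db()
    print(json.dumps(export_user_data(db, 1), indent=2))
    print("account renamed to", erase_user(db, 1))
    print(json.dumps(export_user_data(db, 1), indent=2))
```

The two things worth copying from this rather than the schema: the erasure runs in one transaction so a crash halfway cannot leave a half-anonymised account, and the export deliberately withholds the password hash while still listing it as held. Whether `keep_posts=True` is an acceptable answer to a given request is the open legal question the comment above raises; the code only makes both answers a one-line switch.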
But they’d never do that, because their citizens still want to use the sites, so it’d be unpopular. And ineffective since people would just work around it. Apparently these pesky humans don’t care about their privacy like they should!
Plus then the EU can’t levy billions in fines.
So I sent the company a letter asking what data they have on me. It's going to be interesting to see what happens.
1: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
While it is nice to have total control, now I need to be using my laptop to post new blog posts, and I miss having readers comment. I also feel badly that the interesting things that readers have posted are lost to the Internet.
Even with all that, as a US citizen, I approve of GDPR and I wish it were universal. As much as I miss user comments, I am fortunate to have many readers engage with me directly via email discussions.
If it was personal the GDPR doesn't apply.
It's more accurate to say that when an industry doesn't self-regulate, the EU over-regulates and shoots themselves in the face. The US and China will race even further out ahead accordingly.
In the US I can easily unleash a large user data hungry AI at will, experimenting all day long with anything and everything I can come up with. I can screw with people's data in countless ways, without their permission. While this haven exists, I can rapidly learn and come up with technology and services that tech companies in the EU can't risk attempting and won't bother to contemplate.
To the point: you can still push every edge of the AI revolution in the US and China, to see what's there. That revolution is heavily built on user data. In the EU, you're in a straitjacket at the very beginning of the revolution (one that is guaranteed to only get tighter), many years before we've even seriously begun experimenting with the fertile soil. They're fucked, the world will be dominated by AI that comes out of either the US or China, or both.
Your anxiety appears to be about American AI companies' competitiveness in the face of even worse abuse of users' privacy in China than in the USA.
In a race to the bottom do you really want to be the winner, no matter what?
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...
I'm pretty sure you can.
> Can you send a GDPR letter to a public body
You can, for PII. One would hope they store their data anonymized.
> Should they comply or are they waived from GDPR compliance?
I think they'd need to make a pretty strong case for why they cannot anonymize your data for their work to get an exception.
Yes. They don't store personal data. All their data is strongly anonymised.
> Can you ask them to delete your data?
You can ask. GDPR does not introduce a blanket right to have your data deleted. There are a bunch of limitations to that right.
https://gdpr-info.eu/art-17-gdpr/
> Should they comply
They don't have to comply with deletion requests. i) they're not storing PII ii) if they're processing data for the reasons they've told you they do it then they don't need to delete upon request.
> or are they waived from GDPR compliance?
This isn't them being waived from GDPR compliance, this is the GDPR working the same for them as it would for any other processor.
Having said all this, "Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes"
That's not just government statistical departments, but includes university or history archives.
Of course, he probably is collecting PII, because he's using discourse. But since he says he doesn't have time to answer GDPR requests you can be pretty sure he doesn't take the time to ensure his infrastructure hasn't been owned. I'd wager he doesn't even know what PII the system he runs is collecting, so how can he be securing it on his users behalf?
It's totally reasonable for his users to ask how he's protecting their personal data. If he wants to flip tables and storm out when they ask, that's up to him. From my perspective, the system works. He wasn't making the effort his users deserve to securely store their PII, and so now he isn't storing it at all. No one had to sue anyone, no one had to go to court, and he made the sensible decision to get out of the PII game he had no business being in. Success if ever I heard it.
If you're a startup competing against an open-source project, then this is potentially a great (not good) way to get a leg up. You get the benefit of access to the code until you don't need it anymore, then get the project shut down and reap the benefit of being the last man standing.
Sure, you might eventually run up against the license on the software you just lifted, but open-source projects can't afford the same protections that a well-funded startup has.
And if you somehow get sued for license violations, the penalties are usually more a slap on the wrist than an effective notice to knock that shit off.
I really hate the way my mind works some days.
Doesn't have to be a startup. I expect many small businesses will use it to damage competitors. It's not like it's unheard of .
Looks like a knee jerk reaction and missing the point that you can evade RGPD by outsourcing to a third party, one can still send RGPD requests to drone.io and owner is still responsible for answering those but now has to deal with getting the relevant data from reddit.
What I wonder: this is an Open Source project, so why not ask the community for help instead?
Being a long-time (very happy) Drone user, I would have happily helped to produce the necessary documents for the project if that had been asked before the final deadline.
Well, probably would even do that now.
After that, I request them to delete it all :)
I thought it was going to be another stupid thing like a "cookie law" (which, I hope, is going to be canceled now as we've got the GDPR), the recent US FOSTA or a "store all my data in my country on a government-certified server with a police backdoor" law but fortunately it absolutely is not.
I really hope non-EU countries are going to clone this law, it seems to be the second (the first being the US net neutrality policy) law I love.
>> So, there you go, that should take the sting out of answering the ‘nightmare letter’, even if not all the questions are appropriate (or appropriately worded) you can answer the bulk of them in relatively short order and with automation you can take the sting out. If this is the worst you can expect under the GDPR then that’s not so bad, and the effect might actually be positive:
- we get to know about a lot of undisclosed breaches
- it will be clear who has their house in order and who hasn’t
- if you don’t have your house in order just answering the letter will help you to get there <<
The only benefit here is that there’s one fewer system to keep track of when it comes to tracking/deleting personal data - the need to respond to subject access requests, right to be forgotten, form letters etc remains.