Why don't you tell us how you really feel?
The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...
In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
1. Many people (even "rational hacker-types" ha-ha!) do not take the time to research, analyze or understand the regulations and laws that affect them.
2. Many people, even though they don't understand said regulations, will have an extreme negative reaction to the new regulation, especially when they see big scary numbers like "$20M Euro". This is true even of regulations like the GDPR, which most anybody should be able to read and understand in a couple of hours.
3. Many people don't understand where regulations come from or how they work. They have no understanding of scope, process, judgement criteria or enforcement vectors. This leads to terrifying visions of "EU cops" waiting at airports to arrest people the moment they get off the plane.
Frankly, the whole situation speaks to the profound ignorance and fear that lies at the heart of the modern nation state. Citizens do not understand the government, they have no understanding of how or why it does what it does; all they really understand is that the government can and will completely ruin them should they violate one of the tens of thousands of laws and rules and regulations and decrees that modern governments impose on their domains.
This ignorance has real consequences and costs. You can see this now particularly in Britain where many people are now learning how their country actually works after voting to tear down their current regulatory and economic framework. But you can also see it in all the fear and the moaning and the teeth gnashing every time some new regulation is proposed. (The funny thing here is that even the most hardcore libertarian economists are coming to understand that regulation does not impede economic growth [1]. Indeed there's ample evidence that regulation, by imposing best practices on firms and increasing trust within the market, is a significant driver of economic growth.)
The reason I point this out on HN is because I think, at the end of the day, being an entrepreneur or an investor is all about learning how the world really works and then changing the world to work for you. And while most people can perhaps afford to plod along with all sorts of misguided notions about how the world works because their jobs do not require them to have any real understanding of the big picture, entrepreneurs and investors absolutely cannot. Buffett says it best: "Risk is not knowing what you're doing." The sites shutting down in the face of the GDPR out of fear and ignorance are making the most basic mistake: they literally do not know what they're doing.
[1] https://marginalrevolution.com/marginalrevolution/2018/02/fe...
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
If an authority did not go this way any fine could be voided by an appeal.
[0] http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...
The US did it recently: https://www.theguardian.com/business/2017/dec/06/oliver-schm...
https://ico.org.uk/for-organisations/guide-to-data-protectio...
Another link from 2012 describing how to handle data protection in the 1998 framework: http://www.shoosmiths.co.uk/client-resources/legal-updates/D...
And even (1) isn't always needed. There are several justifications for processing personal data, and permission is only one of them. (Although for compliance it is the easiest)
https://gdpr-info.eu/art-6-gdpr/
And (5) has a bunch of caveats. You don't always need to delete data.
Right to Erasure: https://gdpr-info.eu/art-17-gdpr/
https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
Bottom line: DON'T store/sell/mangle the personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:
- make login as it is on Hacker News, you don't need email
- once the user has selected and paid for the goods, request a sending address and contact (phone/email/whatever)
- ship it, print the requested details / put them into cold storage (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from the server
The described process will pass the GDPR Nightmare Letter with a general reply that takes 10 minutes to write and that you send to everyone requesting.
This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.
For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.
I really don't understand all the fuss about the GDPR; if you explain (and prove) this to the ICO, I would really like to see who will punish you for that.
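The order flow sketched above, as an added example that is not code from the original thread: an in-memory shop in which the account holds only a username and a salted password hash, shipping details are requested only after payment, and dispatching an order moves those details to an offline copy and purges them from the live system, so a subject access request can be answered from what is left. All class and function names and the in-memory "database" are assumptions made up for the demonstration.

```python
"""Data-minimising order flow for a small web shop (added example; names and
the in-memory store are assumptions, not the thread's own code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes  # the password itself is never stored


@dataclass
class Order:
    order_id: int
    username: str
    items: List[str]
    shipping: Optional[dict] = None  # address/contact, held only until dispatch
    dispatched: bool = False


class Shop:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.orders: Dict[int, Order] = {}
        self.cold_store: List[dict] = []  # stands in for the printed/offline copy
        self._next_id = 1

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[username] = Account(username, salt, pw_hash)

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, acct.pw_hash)

    def place_order(self, username: str, items: List[str]) -> int:
        oid = self._next_id
        self._next_id += 1
        self.orders[oid] = Order(oid, username, list(items))
        return oid

    def add_shipping(self, order_id: int, address: str, contact: str) -> None:
        # Shipping details are requested only once the goods have been paid for.
        self.orders[order_id].shipping = {"address": address, "contact": contact}

    def dispatch(self, order_id: int) -> None:
        order = self.orders[order_id]
        if order.shipping is None:
            raise ValueError("no shipping details on order %d" % order_id)
        # Hand the details to the offline copy, then purge them from the server.
        self.cold_store.append({
            "order_id": order_id,
            **order.shipping,
            "dispatched_at": datetime.now(timezone.utc).isoformat(),
        })
        order.shipping = None
        order.dispatched = True

    def subject_access_report(self, username: str) -> dict:
        """Everything the live system still holds about this user."""
        acct = self.accounts.get(username)
        return {
            "account": None if acct is None else {
                "username": acct.username,
                "password": "stored as salted PBKDF2 hash only",
            },
            "orders": [
                {"order_id": o.order_id, "items": o.items,
                 "shipping_details_held": o.shipping is not None}
                for o in self.orders.values() if o.username == username
            ],
        }


if __name__ == "__main__":
    shop = Shop()
    shop.register("alice", "correct horse battery staple")
    oid = shop.place_order("alice", ["book"])
    shop.add_shipping(oid, "1 Example Street", "alice@example.invalid")  # constructed sample
    shop.dispatch(oid)
    print(shop.subject_access_report("alice"))
```

After `dispatch()` the report lists the order and its items but reports no shipping details held, which is exactly the position the comment describes: the only personal data left on the server is the username and a password hash.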
My take on GDPR compliance from a solo developer perspective without a legal team to back him up.
> I have argued above that I legitimately need interview notes for the operation of my business.
That's the point. You're keeping data to comply with a law (Equality laws) or for legitimate reasons, and so you don't need permission and you don't need to delete it when asked.
https://gdpr-info.eu/art-6-gdpr/
> Processing shall be lawful only if and to the extent that at least one of the following applies:
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Any of these would suit.
This isn't right. Consent is just one of six legal bases through which you can lawfully process data under GDPR.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
No one can sue you now who couldn't before. I'm baffled that so many people believe this. I could complain about you to my country's regulation body. Then they could decide to audit you, and for a first offense issue a warning.
If you need the address data for marketing only, and you didn't get an explicit (opt-in) yes to receive marketing, then sorry. Get that explicit opt-in yes in the next week, or delete the data.
If you need the address data for other reasons, for example fulfilling your contract with the customer, or tax records, then keep it. But _only use it for those real reasons_. No free marketing lists. Sorry.
Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.
Google seems to think you can still use Fonts. They also seem to think they will be the data controller, and not data processor, for any user data they scoop up [1]. This seems a bit weird to me. This is the only one of your questions that I'm really not sure about. If it was me, I would just host the font locally so I was sure.
1: https://github.com/google/fonts/issues/1495#issuecomment-382...
This isn't true; there's a list of reasons you can keep information and "with consent" is one of them, "legitimate business need" another: https://ico.org.uk/for-organisations/guide-to-the-general-da...
But: "However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies."
So: you can store IP addresses as part of your information security needs, but not turn round and use them for direct marketing. (I'm not sure if web advertising counts as "direct marketing" here)
From https://gdpr-info.eu/art-12-gdpr/:
"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: "
The quoted bit is about one person, not multiple, so not directly applicable. I assume if someone organizes a coordinated flood of requests from multiple persons you can still argue that it is excessive.
I agree that the amount of requests is very uncertain. Within my company I'm planning to make one request (data regarding me as an employee). This is to see if they're prepared.
You'd have to be a consistent repeat offender, with no effort made at remediation, with no cooperation with the regulator, and probably handling sensitive or financial data.
Here's a list of recent actions taken. I think the current maximum fine is £500,000. Have a look through a few of these; hopefully it's somewhat reassuring.
https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889
It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.
Q: Does my business need to appoint a Data Protection Officer (DPO)?
A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
IPs are personal data https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Without conditions. Even hashing them doesn't make them 'irreversibly anonymized' because the IP space is too small for hashing to be irreversible. A rainbow table can be built with all IPs and used to deanonymize the IP.
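The point made above, as an added example that is not code from the original thread: an unkeyed SHA-256 of an IPv4 address is reversed by simply enumerating candidate addresses and comparing digests (the search here is limited to one /16 so it finishes in well under a second; the full IPv4 space is only 2^32 addresses, so the same loop over all of it is routine work for a laptop, which is the comment's point). The keyed alternative, an HMAC under a secret key that is rotated per retention window and then destroyed, resists the same enumeration without the key. Note that under the GDPR the keyed form is pseudonymisation, not anonymisation, for as long as the key exists; it is the retention limit on the key that eventually breaks the link. Function names, the class name and the sample address (from the TEST-NET-3 documentation range) are assumptions.

```python
"""Why a plain hash does not anonymise an IP address, and a keyed alternative
(added example; names and sample values are assumptions, not the thread's code)."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def naive_hash(ip: str) -> str:
    """The tempting but insufficient 'anonymisation': unkeyed SHA-256."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_from_naive_hash(digest: str, network: str) -> Optional[str]:
    """Reverse naive_hash by enumerating every address in `network`.

    Nothing secret stands between the digest and the address, so the only
    cost is one hash per candidate; a /16 is 65,536 candidates.
    """
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(str(addr).encode()).hexdigest() == digest:
            return str(addr)
    return None


class IpPseudonymiser:
    """Keyed pseudonymisation for log records.

    Records written in one retention window share a key; rotating the key
    starts a new window, and destroying the old key means the older
    pseudonyms can no longer be linked back to an address, even by the
    operator.  While a key exists the values are still personal data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)

    def pseudonymise(self, ip: str) -> str:
        return hmac.new(self.key, ip.encode(), hashlib.sha256).hexdigest()

    def rotate(self) -> None:
        # Old key is dropped; nothing else references it.
        self.key = secrets.token_bytes(32)


def demo() -> dict:
    """Run both schemes against a constructed sample address and report."""
    sample_ip = "203.0.113.77"  # constructed; documentation range
    plain = naive_hash(sample_ip)
    recovered = recover_from_naive_hash(plain, "203.0.0.0/16")

    ps = IpPseudonymiser()
    keyed = ps.pseudonymise(sample_ip)
    # The same enumeration, lacking the key, cannot match a keyed digest.
    keyed_recovered = recover_from_naive_hash(keyed, "203.0.0.0/16")
    ps.rotate()
    after_rotation = ps.pseudonymise(sample_ip)

    return {
        "naive_recovered": recovered,
        "keyed_recovered": keyed_recovered,
        "keyed_stable_within_window": keyed == hmac.new(
            ps.key, sample_ip.encode(), hashlib.sha256).hexdigest() or keyed != after_rotation,
        "keyed_unlinkable_after_rotation": keyed != after_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

In practice the per-window key belongs in a secrets store with an automatic deletion date matching the log retention period, so that the retention rule the earlier comment asks for is enforced by key destruction rather than by trusting every log copy to be found and wiped.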
Now it says:
http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...
>The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Basically, a small firm that is just holding the minimum amount of customer/user information and data and where the business model is not centered around profiling and processing user data.
No it isn't. Read Article 83.
Other countries have already had to deal with the US on this front. If you are a US national you may find it extremely hard to get a bank account in a non-US country, for example; non-US gambling services also have to be very careful about US users (PokerStars et al) https://en.wikipedia.org/wiki/United_States_v._Scheinberg
There are also things like the Magnitsky Act and various other bits of human rights law that allow extremely serious crime and crimes against humanity to be pursued internationally.
The one we'll have to watch out for are Chinese censorship laws going global. There's already some weird side effects of "One China".
These so called cookie layers are not necessary for tracking. They are not even necessary for first party on site advertising. For that you also do not need consent if you read the GDPR/DSGVO (German version).
In the DSGVO it is §6.1f [1] you would want to read. There is even an elaborate explanation from the German legislation [2] of what "berechtigtes Interesse" (legitimate interest) exactly means.
So to make this short: direct marketing as well as tracking is totally fine even without consent. Give an option to opt out, explain why you need the data, what you do with it and how long you store it as well as a point of contact (for people wishing for their data to be deleted) and you are fine.
As long as you do not do profiling or stuff like that. A personal blog/website is then totally fine with GDPR. Btw. you would need to add all of this to your privacy page even if you had no web tracking installed, as your webserver probably would have logging activated. Having an IP address in there makes this data fall under the GDPR (at least in Germany). So you would need to explain all that stuff because of the log files nonetheless.
[0]: https://schriftrolle.de/datenschutz
[1]: https://dsgvo-gesetz.de/art-6-dsgvo/
[2]: https://dsgvo-gesetz.de/erwaegungsgruende/nr-47/
[Edit:] Ordered the footnotes
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...
>Staff headcount and financial ceilings determining enterprise categories
> 1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.
[0] https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889
https://ec.europa.eu/commission/sites/beta-political/files/d...
The successor of the working party is a new body called the "European Data Protection Board" (or sometimes supervisor). It will issue binding decisions but only on the matter of cross-border transfer disputes, not any other aspect of the new rules:
> The European Data Protection Board will not only issue guidelines on how to interpret core concepts of the Regulation but will also be called on to issue binding decisions on disputes regarding cross-border processing.
So the EU will issue "guidance", but so will local regulators, however, it's ultimately the EU itself via the ECJ that decides what the law actually means in the end:
> It is important to recall that, where questions regarding the interpretation and application of the Regulation arise, it will be for courts at national and EU level to provide the final interpretation of the Regulation
That is, if the EDPB or a local regulator states that something is legal, that doesn't stop them later taking you to court over it and winning because ultimately their own advice is not legally binding (except, perhaps, in the cross-border case which is a special exception for some reason).
> The data protection authorities are the natural interlocutors and first point of contact for the general public, businesses and public administrations for questions regarding the Regulation. The data protection authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.
In other words local regulators are now essentially advocacy organisations that will be the first point of contact, but have no special powers to actually specify what is or is not allowed.
Not true.
https://www.legislation.gov.uk/ukpga/1971/38/section/25
> The fourth, fifth and sixth columns show respectively the punishments which may be imposed on a person convicted of the offence in the way specified in relation thereto in the third column (that is to say, summarily or on indictment) according to whether the controlled drug in relation to which the offence was committed was a Class A drug, a Class B drug or a Class C drug; and
https://www.legislation.gov.uk/ukpga/1971/38/schedule/4
Cannabis is currently class B, thus
> [F8 3 months or [F4 £2,500], or both].
I'd cynically add:
> and to prevent people from killing and robbing each other each day
There's a reason we have Wikipedia articles like this one:
Have you seen this? It seems to say that GDPR allows you to do what you're doing.
https://gdpr-info.eu/art-6-gdpr/
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.
How long is necessary? What does limited mean? Does a regulator now get to determine what sort of algorithms I can use to protect my assets? Advanced persistent threats (https://en.m.wikipedia.org/wiki/Advanced_persistent_threat) can exist over a very extended, and arbitrary, time period! I'm in the security software industry, and we and our customers need to detect and react to these threats. That requires data which you simply cannot obtain an opt-in for. Sure, you put that in a posted privacy policy, but if you can only keep the data for 30 days, this means actual evidence of a crime might need to be thrown out.
https://ico.org.uk/for-organisations/resources-and-support/d...
It captures the compliance with a checklist which is shorter than the original 88 page law.
The courts must follow the sentencing council guidelines unless it's in the public interest not to do so.
https://www.sentencingcouncil.org.uk/wp-content/uploads/Drug...
The starting point is 100% of weekly income; the range is 75% to 125% of weekly income.
> Band B 100% of relevant weekly income 75–125% of relevant weekly income
The tendency of people to follow laws has shown little relation to blunt enforcement. It has to do with peoples tendency to follow norms.
1. In the same article[1] that you reference, the following paragraph might apply to your business:
> 27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
> processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)
I would ignore it for now. If any supervising authorities should contact you regarding compliance issues, talk to an expert.
2. This is if you use Consent as the legal basis for collecting the data. I have seen a few businesses use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues like the weighing test of interests not being tested in court, yet. The Article 29 Data Protection Working Party have released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country per country basis. If you select the consent route, a double opt-in with the possibility to opt out at any time should be sufficient as long as you document the text for the opt-ins and record it together with the date & time of the opt-in. Oh, and you don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent[4] for extended reading. It sounds like your current process is enough or requires very little tweaking; I would keep it as is.
3. I have not run a consent campaign. I have run information campaigns about our users' rights with links to required documentation and they have been appreciated. I would not run a consent campaign as I believe your consent should be good enough based on the process mentioned above.
Hope this helps!
[1] https://gdpr-info.eu/art-27-gdpr/
[2] https://gdpr-info.eu/art-6-gdpr/
[3] http://ec.europa.eu/justice/article-29/documentation/opinion...
[4] https://iapp.org/media/pdf/resource_center/20180416_Article2...
Enjoy.
And that's what Cloudflare chose to do. We are treating all customers the same regardless of location.
"Of the companies I spoke with for this story, both Cloudflare and Mozilla will be GDPR compliant no matter where their customers are located." https://www.fastcodesign.com/90171699/what-is-gdpr-and-why-s...
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union
> factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union
https://gdpr-info.eu/recitals/no-23/
So you need to "offer" services, not "supply" them, and "to data subjects in the EU", not "within the EU".
So you can't just run your business from Canada with no special emphasis on EU and call it a day.
Or if you're advocating blocking European IPs, well that's exactly the "hysteria" the article argues against.
I just found another article however with another solution which may be better. The article suggests instead of saying "Get this free ebook! And p.s. we will send you information and marketing emails about our product." you should say "Sign up for our newsletter to receive information and marketing emails about our product. Also we will send you a free e-book as a gift." It's not as good of a call-to-action, but changing the order does turn into explicit consent for marketing. Source: https://blog.mailrelay.com/en/2017/12/28/new-gdpr#_What_abou...
Secondly, why is the EU technically bankrupt? Or is this a theoretical organization?
Because its liabilities are greater than its assets, or put another way, it spends more than it receives and does so structurally.
http://bruegel.org/wp-content/uploads/2018/03/PB-2018_01_cor...
EU budget commitments exceed payments by about €10 billion a year, leading to an ever-rising volume of outstanding commitments, known as reste à liquider (RAL). RAL is expected to exceed €250 billion by 2020.
The EU is not a company, it's effectively a government, and so it simply doesn't allow itself to go bankrupt in a legal sense. It can violate contracts at will because it ultimately controls the courts. So when it doesn't have enough money to make payments it has committed to, it simply delays those payments. This results in an ever growing backlog of delayed payments that can't be made because the EU doesn't have sufficient funds.
Note that this behaviour is illegal under the treaties. The EU is not allowed to spend more than it receives. It does so anyway because it correctly believes the member states are too weak to enforce the rules. Also, the EU controls the ECB and ultimately the ECB is keeping many member states afloat via massive bond purchases. Whilst the EU Commission cannot legally just print money to fund its own operations, in practice that's what it's doing - the ECB prints money and uses them to buy the bonds of insolvent member states, which then turn around and hand some of that money back to the EU as part of its budget.
In Europe, because of the classification systems surrounding IBM and the Nazis, they have chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.
The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and sent pregnancy, maternity, and baby ads. The father was angry at Target sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to stop this from ever happening again.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
https://gdpr-info.eu/recitals/no-23/
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
By blocking EU IPs the service is very clearly, unambiguously, not targeting EU residents.
https://gdpr-info.eu/art-6-gdpr/
> Processing shall be lawful only if and to the extent that at least one of the following applies:
Consent is one:
> the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Here are all the others (see especially the last one):
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The ruling was that this was a hate crime, because it was "menacing, anti-Semitic and racist". I have trouble seeing how a Nazi pug that responds to "gas the jews" is anything other than a silly bit of absurd comedy. I can't realistically see this video actually advancing any legitimate hatred, or having any negative consequences other than some people laughing at how silly it is, and some people just thinking it's kind of stupid.
The EU’s digital commissioner said in 2015 that the EU should use regulation to "replace today’s Web search engines, operating systems and social networks" with EU companies.[1]
And they've passed or proposed ridiculous laws like cookie warnings and link taxes. We have reason to be suspicious of their intentions.
1: https://www.wsj.com/articles/eu-digital-chief-urges-regulati...
Source: https://ec.europa.eu/info/law/law-topic/data-protection/refo...
https://www.sentencingcouncil.org.uk/about-us/
> The primary role of the Council is to issue guidelines on sentencing which the courts must follow unless it is in the interests of justice not to do so.
> The Sentencing Council is an independent, non-departmental public body of the Ministry of Justice and replaced the Sentencing Guidelines Council and the Sentencing Advisory Panel in April 2010.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.