
GDPR articles seem to be getting some traction on HN as everyone is trying to figure out: "Do I need to do something for this? If so, what?"

For a recent project I read (and translated to plain English) [1] every single article in the GDPR legislation and for our purposes it can be summed up as:

"Treat user data like names and emails as if they were credit card numbers"

AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.

Obviously that's not the entirety of it, but as a working mental model I think it goes a long way.

1 - https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...



I’d add: Get (documented, active) permission of users to store and use their data, understand that permission is given only for a defined cause/usage (and not indefinitely for everything you right now might not even think of), be prepared to tell users what data you store about them, why and (briefly) how it is used. Be prepared to delete user data on request. Be prepared to show documentation on how you handle the (personal) data. And delete data that is not necessary any longer at regular intervals. And: Don’t share, sell or rent personalized data to any third party without given user consent.


Be careful with hiding everything behind "consent", because consent cannot be a precondition for providing a service. Put differently: if a user does not consent, you cannot refuse them the service if the data you wanted to collect is not strictly necessary to provide the service.

The alternative is to only collect data that is strictly necessary to provide the service. In that case GDPR allows you to collect the data even without explicitly given consent – according to GDPR in that case the user can reasonably expect the data to be necessary to provide the service. (This does not apply to sensitive personal data and biometric/genetic data – then you always need consent.)

Quoting GDPR:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement." [1]

"Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." [2]

[1] https://gdpr-info.eu/recitals/no-32/

[2] https://gdpr-info.eu/recitals/no-43/


> consent cannot be a precondition for providing a service

IANAL.

This is more nuanced than it appears, as it is balanced against the firm's right to conduct business.

If you're generating leads by providing a whitepaper, then realistically you're not going to be penalised for saying "you need to consent to receive our newsletter to access this whitepaper".

On the other hand, an airline saying "you can only book a flight on our plane by consenting to us sharing everything we know about you with loads of third parties" would be frowned upon.

Our GDPR lawyer at least has advised not to ask for consent, since it is difficult to establish whether it was given, and has not been withdrawn. It's easier to rely on legitimate business use and NOT ask for consent, as long as it genuinely falls into that category.


I think we agree; it seems better to rely on legitimate interest than ask for consent for everything. (Although it does require thinking about and actually having a legitimate interest.)


It raises an interesting question. What if some publisher, say, a newspaper, can show highly targeted ads for $3 CPM, or generic ads for $1 CPM?

Can such a publisher claim that collecting data is strictly necessary to provide the service? With a threefold difference in ad revenue, that could actually be the case.


Good question. This would be an appeal to "legitimate interest" as a legal basis for collecting personal data. GDPR explicitly states that if the legitimate interest is direct marketing, then the user may always object to such processing, and this right must be clearly indicated.

[1] https://gdpr-info.eu/art-21-gdpr/


IANAL, but most probably not. When thinking about "strictly necessary to provide the service", one should think in terms of technical feasibility, as in "can the service be technically provided without that data?" not in terms of profitability.


I do wonder if you can charge a consent price and a non-consent price, or if that would be fundamentally equivalent to not providing the service?


How is "strictly" defined? I'm going to guess it's defined as "the magistrate knows it when it sees it", so take it to be both "don't use the most egregious interpretation" and "don't be a populist punching bag that governments can make hay out of attacking".


Any data you collect that you do not unambiguously need to provide the service would be an appeal for "legitimate interest" as a legal basis for collecting it. There are a number of things GDPR writes about it and of course you cannot be sure how this will play out in practice, but the main points are:

* it must be reasonable from the user's perspective

* there must be alternative; you cannot achieve the goal (your "legitimate interest") without it

* it must be balanced with the rights of the user, and not infringe on their freedom or fundamental rights

* if your "legitimate interest" is direct marketing, the user can always object, and you are required to actively inform the user of this right

See also [1]

[1] https://gdpr-info.eu/recitals/no-47/


I think you meant "no alternative" under the second bullet point.


Strictly has a pretty clear definition.

If you can provide a service strictly devoid of the PII it means there is no logical necessity for PII.

You can't provide a call-waiting service without a phone number, but you can provide a mail-redirection service without one, even though it makes it easier to administer when you have a customer phone number. You can strictly provide (and bill/administer) the service when that information is absent.


From molf's comment:

> The alternative is to only collect data that is strictly necessary to provide the service.

While I agree with your comment, I suspect that for any given law firm, paramTotalHours_Billable(SubjectID = necessary) will be a much larger value.


I assume it's "you cannot provide said service without having said data".


Genuine question - What if the service is defined as the publisher letting you read content in exchange for being shown targeted advertising? That IS the business model of most publishers right?


Right, but that means you have to have some mix of legitimate interests and consent, and makes this whole thing an expensive exercise, both in terms of code and legal time. If you have an ad supported service, this is going to be painful.


This sounds no different to current UK data protection laws (which appear to be flouted widely). I thought the main change was putting teeth behind the legislation?


Also called "Informed Consent"


> without given user consent.

You mean just create a checkbox somewhere that people click without thinking about it?

I have no idea what I am consenting to when I "agree" to all the EULAs.


Read up. Consent under GDPR is like you've never seen before, but like (as a private citizen) you've always dreamed of.


Will do. That was an ignorant comment on my part. :D


> "Treat user data like names and emails as if they were credit card numbers"

Most sites' approach to credit card numbers is to not touch them with a barge pole, have a third party receive them instead and never let the business have any sight of them, so it's a bit of a stretch to expect the same treatment for a customer's name and email address.


So... use OAuth?


Hurrah so now sites won't use their own logins and I'll be forced to let Google or Facebook know every site I want to connect to. That's an improvement?


This actually brings up a point that was made in a Cambridge Analytica post. If personal information is deleted after it has already trained a dimension-reducing model, is it really deleted?

If Google and Facebook see everything because of OAuth, we can ask them what data they have and tell them to delete it, but they won't be deleting whatever models they've been training about us.


OpenID Connect exists; it allows OAuth from and to unrelated services.

Neither Google nor Facebook own OAuth, they just have very non-compliant implementations that force everyone to treat them as special.


Let me re-state what you're saying:

Most sites are incapable of receiving, storing and handling credit card numbers. This is because the staff building the service either lacks the technical knowhow or the organizational wherewithal to deal with the problem in a successful way.

Why should it be any different for emails, names, usernames or passwords (because end users re-use those)?

If everyone starts acting like this data is important (it is) and valuable (it is, and that might decrease with the passage of this law) - we might just get to a better place. In the absence of regulation companies will get away with whatever they can - ethics be damned.


If I have an IRC service that shows quotes from people and has 'last seen' functionality is that covered by GDPR? Some of the users are from EU countries, does that mean those features need to be turned off or have some sort of acceptance exchange with users?

Would filtering out EU IP ranges be sufficient, or does this also apply to EU citizens traveling outside of the EU?

The referenced page says that asking users to provide a birth date isn't sufficient proof that they're over 16 years of age, how should one verify age for something like an IRC bot?


IIRC it applies to EU citizens wherever they are, not just people who are on EU territory.


Article 3, "Territorial Scope":

---- begin quote ----

(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

 a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

 b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

---- end quote ----

Based on this, it looks like for GDPR to apply to an establishment in regard to a particular person, at least one of those two parties must be in the Union. An EU citizen traveling outside the Union dealing with an establishment that is not in the Union appears to not be covered.


I liked your explanation of the three points from a few days ago [1] a lot.

[1] https://news.ycombinator.com/item?id=16752857


It applies to EU residents. So someone who's Spanish living in US would not be covered, but an American living in Spain would be.


The scope is wider. It applies to people in the EU, regardless of resident or not. A US resident on vacation in Spain would be covered.

See https://cybercounsel.co.uk/data-subjects/

> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.


So do American constitutional protections apply to Americans living in France? I am having a hard time understanding GDPR jurisdictional power. US citizens in France aren’t protected by the US Fair Credit Act with French banks, even when those French banks have US subsidiaries, because a French company in France isn’t subject to US legal jurisdiction. Even FATCA doesn’t subject a French bank to US law — it subjects French assets in the US to the withholding provisions of US law, meaning, if a French bank has zero US exposure, then FATCA has zero effect.

Are Dutch citizens in Oklahoma protected by Dutch narcotics laws? Of course not. They are subject to the jurisdiction in which they are physically present.

However, a US citizen can be subject to US laws overseas, however, that’s between the American and the US government — the intermediary country has no involvement unless it’s an extradition request.

This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU. The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.


Not the constitution, but certain laws were enacted in a similar way by US. Especially in finance and securities:

- banks all over the world have to ask their customers if they aren't American, when signing up for an account. Even a local bank in rural Poland, which couldn't care less about international markets, has to now ask people to explicitly confirm that they are not American citizens

- if you're doing a security offering, and you happen to sell to an American, even if they live in Europe, and you're blocking IPs from U.S., you have to follow the US regulations as well

And yes - it is kind of shitty, but EU wasn't the one to start a trend of applying the local laws on foreign soil.


> So do American constitutional protections apply to Americans living in France?

I'm no expert, but I thought on the whole the constitution has nothing to do with citizens -- it's a list of rules that the US government must follow. It certainly has no hold over the German government.

> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.

If you, as someone who breaks the conditions in the GDPR, have nothing to do with the EU, then you're fine.

However the GDPR applies to you, an American citizen in America who's never been to the EU, just as the DMCA applied to Dmitry Sklyarov, a Russian citizen who had never been to the U.S.


Charges against Sklyarov were dropped due to jurisdiction. Your example proved my point. And actually he DID visit the US; that’s where he was arrested.


So an American can be expected to be arrested on arrival in Paris on holiday because the company they work for ignores the provisions of the GDPR.

Sklyarov's charges were dropped in a typical American plea bargain:

"Mr. Sklyarov agreed to cooperate with the United States in its ongoing prosecution of Mr. Sklyarov’s former employer, Elcomsoft Co., Ltd. Mr. Skylarov will be required to appear at trial and testify truthfully, and he will be deposed in the matter. For its part, the United States agreed to defer prosecution of Mr. Sklyarov until the conclusion of the case against Elcomsoft or for one year, whichever is longer. Mr. Sklyarov will be permitted to return to Russia in the meantime, but will be subject to the Court’s supervision, including regularly reporting by telephone to the Pretrial Services Department"

I see nothing about jurisdiction there.

The US has pushed the world around for a long time; the world is pushing back.


> The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.

This is true. GDPR would only apply there if they were "offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the European Union". [1]

This is understood to mean they must be marketing to the EU, for example by offering their site in European languages (apart from English), using European currencies, or using a European domain.

[1] https://gdpr-info.eu/art-3-gdpr/


European languages? That’s absurd. Your product could be targeting US Spanish speakers, African speakers of French or newly arrived German speaking US citizens. Using language as a determinant is without any legal basis. Having your website in French doesn’t mean you are selling to French citizens. Language doesn’t equal location. Language does not impart jurisdiction.

If a small hotel in California had a French language information page, that doesn’t make that hotel subject to an EU law. If I am wrong, then where is the case law? Where is the legal precedent?


Targeted language by itself certainly won't be enough, but it is definitely seen as one indicator by the CJEU.

https://iapp.org/news/a/what-does-territorial-scope-mean-und...

(And - case law? Not really a thing in most countries executing the GDPR.)


> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.

You are the only person who has this view. EU citizens are subject to the local laws of whatever country they reside in. However if they are interacting with an EU company then GDPR applies to that company, no matter where they reside. But an EU citizen living in America and using an American service has no GDPR protections. Just like they have no EU right-to-work protections if they decide to work in America. GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.


> GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.

There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable. As the grandparent was pointing out, any country can now make any law where if any of their citizens access some internet service wherever in the world, somehow their laws magically apply to everybody in the world "doing business over some fiber".

I don't think so.


> There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable.

If you are doing business with people in the EU, then you have to be incorporated or otherwise have agreements (explicit or implicit) with the EU countries you are doing business with. GDPR applies to you or you will no longer be able to do business with the EU. If a company wishes to not have their ability to do business with the EU revoked, they have to comply with GDPR (including its fines) as well as all other EU (and local) laws.

I really don't understand how this concept is difficult to grasp. Countries give you permission to do business with them -- if you break their laws they can revoke your ability to do business with their residents. Most large companies would probably lose much more money breaking off ties with the EU than they would complying with GDPR fines. If you continue to violate a country's laws you could be extradited and so on.

> somehow their laws magically apply to everybody in the world "doing business over some fiber".

If you are providing a service to a group of people, for money, then you are doing business with them. Pretending as though this is not the case just because the process is conducted through under-sea fiber cables rather than mail couriers is ridiculous.


This is my main question actually.

While most of GDPR is common sense and shouldn't be much of a burden on companies[1], I was always confused about jurisdiction. While most larger companies have a legal presence somewhere within the EU that can be held accountable for this, I do wonder how the EU is supposed to enforce penalties on a company outside of the EU.

[1]: well, the difficulty grows the larger your company/product is, but chances are you have more resources available to dedicate to it anyway


> I do wonder how the EU is supposed to enforce penalties on a company outside of the EU

Realistically, they can't and won't unless it's a very large scale that's worth pursuing, for a multi-national corporation with enough money to pay a big fine. If a company is not doing business in the EU, not selling into the EU, they can of course entirely ignore the GDPR.

In the case of a large company that sells into the EU and refuses to obey GDPR, what you'd likely see is the EU pursuing that company on its domestic turf legally. A company out of NYC, for example, could be pursued in a court there for fines related to GDPR violations. The larger those violations, the more likely it'd be pursued by the EU across the Atlantic. This is how it works already; there's a lot of international business precedent. The stronger the legal system in the home country you're pursuing the multi-national into, the better for the EU's case.

If I set up a business in Germany, dump large amounts of toxic waste and cause very costly environmental damage, and then (somehow) quickly flee the country leaving no assets or business behind - but back in NYC my company has vast assets, you'd find the company pursued from Germany to its home in NYC for those damages. They still have to win the case of course.

The EU fortunately wasn't dumb enough to attempt a global claim on regulating privacy. They pushed the line pretty far, but did not cross their own boundaries. I think they fully understood there was no scenario where the US and China (40% of the global economy) - or frankly most nations - were going to care about EU law projections external to its jurisdiction.


It depends. When Canada's anti-spam law was introduced in 2014, the intent was to allow a private right of action effective July 1, 2017. This would theoretically mean US/foreign companies could be dragged into class-action lawsuits in Canada. This private right of action was delayed and is currently under review, but nevertheless anyone marketing to Canadians is subject to CASL laws, regardless of where their business is located. We'll see what happens, but if/when the private right of action is implemented it could potentially be a big deal.

IANAL but I can imagine a similar situation happening with GDPR.


According to art. 27 GDPR, affected data processors outside the EU have to establish a data privacy representative in the EU.

In addition, authorities could for example seize local servers in the case of non-compliance. In many EU countries including Germany, data privacy violations can also be prosecuted as criminal offenses.


But this doesn't answer my question: I'm running a little side project here in Australia but with customers who happen to be in the EU. I have nothing in the EU - no sales office or support in Ireland, no hosting anywhere in the EU. How is the EU supposed to mandate that I do anything?


The EU can (and in fact does) mandate that you comply with the GDPR. It cannot, however, enforce compliance since there is limited legal leverage. The Australian government is unlikely to help the EU to bring a case unless there'd be a treaty or an agreement (Safe Haven laws in the US for example). They could theoretically go via your revenue stream and seize your European customers' payments, or hold you or any officer of your company liable if you ever set foot on European soil or hold any assets that your company has in or moves via Europe. That's all very unlikely to happen over minor infractions, but some business folks already had their private jets impounded for outstanding payments, as for example the Thai Prince learned the hard way: http://www.airliners.de/kronprinzen-boeing-in-muenchen-besch... (sorry, German only, but Google Translate should correctly translate the gist of the story)

All of this is nothing new, it's been working like that for centuries, back when business correspondence was still on old-fashioned paper.


As long as you don't go on holiday to Rome, you'll be fine.


I have the feeling nobody knows this. To me it seems this part of GDPR is particularly targeted at major companies and they can be held accountable through subsidiaries or branch offices in the EU. It doesn't seem very likely to me that small businesses that happen to sell to EU customers too will be the primary target of enforcement anytime soon.


Last seen is in the grey zone, but I'd say that it can potentially be PII if combined with other data. So I would not store that data for now, until we have some clear rulings on similar topics.


Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs. First it was the completely useless cookie notifications, now it’s GDPR, and nobody knows what the next thing will be - we only know that there will be a next thing (there always is), and that it too will be costly and burdensome to comply with. Unless you derive a significant percentage of your revenue from EU users, it just isn’t worth it to try to keep up with the increasingly demanding whims of a heavy-handed European government.


That sounds ideal. Please make sure you do this, and convince many of your colleagues and compatriots to do the same. Maybe finally give us some breathing space to grow our own popular services in the face of US dominance.

I used to think protectionism was stupid, but after seeing how The Great Firewall[1] is working out for China and their services, I’m not so sure anymore. The big problem with any inbound restrictions is retaliation, but if you can manage to make a country restrict exports themselves, well, yes please!

I’m looking forward to seeing EU competitors flourish.

[1] Since visiting China I’m convinced TGF is about protectionism as much as it is about filtering. Internet to any non-China service is terrible and unreliable. The result is simply you can’t depend on it, so you choose a Chinese provider. This has clearly worked out very well for some of their companies!


The large US sites you’re worried about “dominating” the EU, who have significant EU traffic, will be able to comply with the GDPR and continue to compete just fine. They have the resources to hire the necessary phalanx of attorneys to advise them on how each feature and tweak to their sites interact with the GDPR, and it is a worthwhile investment for them. I was saying that smaller sites that don’t have internal legal departments and don’t need EU traffic should consider blocking EU IPs.


> Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs.

Could you please block my IP address as well: 192.117.111.61

If you feel that being responsible with my personal information and metadata is not worth the trouble, then I don't want to accidentally ever use whatever service you maintain. Thanks.


What an absurd statement. This isn’t about being able to be “irresponsible with [your] personal data”. GDPR compliance is a difficult, expensive, onerous, and uncertain endeavor. Sites that don’t rely on EU visitors for revenue don’t need to expose themselves to the additional liability that the GDPR imposes.

That doesn’t mean that sites that haven’t gone to the expensive lengths required under it are going to expose or abuse your data. If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies that are large enough to afford scores of attorneys to advise them on how to comply.


I'm a big enough fan of the GDPR and a big enough opponent to SESTA/FOSTA/CLOUD that I have moved almost all my business into the EU. The only remaining US business I depend on is my DNS provider.

Why should I trust a US business with my personal data when I can give it to an EU business that will face harsh punishment for doing bad things with my data? (The US seems to have no problem with large corporations losing millions of user data entries as long as the big CEO says "oops, sowwy!")


> If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies

That is a terrific idea, thank you. In fact, for sites that require providing much information (email providers, etc) I'll start doing just that. Though HN does not require much data, I will review how the site intends to deal with GDPR.


>What an absurd statement. This isn’t about being able to be “irresponsible with [your] personal data”. GDPR compliance is a difficult, expensive, onerous, and uncertain endeavor.

Being responsible with someone's personal data is inherently difficult, expensive, onerous and uncertain.

The idea that handling personal data wasn't already all of that is exactly the abuse that got us where we are today.


The EU has a population of over half a billion people and a GDP per capita of $41k PPP (although those numbers will shrink a little bit post-Brexit). Ignoring Europe as a potential market ignores half the western world - and it is westerners, for the most part, who have disposable income to spend money on goods and services.

Ignore Europe if you like. Just be aware that you are allowing your competitors to gain an uncontested foothold without having to fight for it. Once they are the incumbent in the European market, they will be hard to unseat, even if you change your mind later.


There are thousands of types of sites, such as geographically focused message boards, local professionals, smaller ecommerce sites, etc. who are exposed under the GDPR but for whom EU traffic is incidental and worth nothing. A US plumber doesn’t need or want appointments in London, but is technically exposed under the GDPR. So for businesses like this, blocking EU traffic should be an easy decision - there is no downside.


IANAL but I believe the GDPR is tolerant of incidental traffic. So if a European accesses a local job board in South Korea, the EU will not go after the Korean company and demand compliance. Now if said Korean company is running a job board for Berlin, in German, charging in Euros, etc., it's a different story.


That, along with many other parts of the GDPR, is both open for interpretation and may vary from country to country within the EU. See https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-c...


That shouldn't be an issue. If you offer your services only within the US then you're out of scope. It doesn't matter if EU citizens visit your site, as long as you don't try to get any customers from the EU or target your content towards visitors from the EU you don't have to comply with GDPR.


For most American pubs - and hence producing English language content - there's very little risk. Most of the EU won't read it anyway, and if the UK privacy regulator wants to complain, let them.


> First it was the completely useless cookie notifications

It was useless in the sense it was trying to play nice. It was a gentle call for the industry to self-regulate. The only problem with that law was how naïve it was.

Go ahead and block the whole European IP range. See if we care.


The cookie law was also largely overblown. It only requires notifications for any non-essential cookies, and I think the WordPress plugins for this simply put up a blanket banner because the blog author might just be using the Google Analytics plugin too.

And then everyone put it up "just in case" or "because the law says all cookies". (Of course some smart people figured out that local storage is not a cookie and the law only covers cookies, at least what they gather from hearsay instead of checking the actual text.)

But tbh, I'd prefer US services IP blocking European users. It'll encourage EU startups to fill the gap and they will have the privacy regulation of the EU as a marketing bullet point over any US company, e.g. "In the US privacy is a pinky-promise, for us privacy is law".


You do care. Every time some web service is US only there's endless ranting from Europeans about it.


That's because, most of the time, a service is US-only because of some bullshit reason like exclusive region-locking deals or MAFIAA copyright terrorism. I don't think that "this service is unavailable in your country because your law doesn't let us sell your private data to the highest bidder" is going to induce that much ranting.


Once blocking by US websites becomes a little more widespread there will be EU alternatives to fill the gaps. Normally I'm not a huge fan of such solutions, but if the alternative is exposing myself to the wild west of unregulated selling of my personal data that is the US I'll learn to live with it.


Ehhhh, I'd leave it as is. Unless you have business licenses in EU countries, EU laws have no legal authority over you. If you do have such licenses, then you're probably big enough to foot the bill and possibly also can't afford to not foot the bill (due to suspended licenses).

This privacy thing is, like, their option, man. Even if you and I agree with the EU.


I’ve been looking into this, as I run several sites myself, and apparently this isn’t true. They can go after you even if you have no EU presence, and US courts will domesticate any EU judgment against you for fines levied under it.


Do you have a source on this? Seems like a major concern if true.


Several, but this one explains the issue most succinctly:

https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-c...

"Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed....the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR."

With regard to enforcement....

"...EU regulators rely on international law to issue fines. Written into GDPR itself is a clause, stating that any action against a company from outside the EU must be issued in accordance with international law."

Most US states have adopted the Uniform Foreign Money Judgments Recognition Act (UFMJRA), which allows for judgments issued by foreign courts to be domesticated. Once that is done, the judgment carries the same force and effect as if it were originally issued by a US court.


It's not true, but something that is bantered about on HN by people that wish it was true.

Think about it. If it was true, then the entire global legal system would get very chaotic.

Frankly, the political agenda by people telling these lies is quite tiresome.

Just ignore them.


It's interesting that I posted a source for this 5 minutes before you posted this comment.


And since I can't reply to the parent directly, I'll just say that there is no international law that covers this. None, zilch, zero... so anybody who says that you're somehow beholden to GDPR when you have 0 presence in the EU is either lying or ignorant of the reality.


So basically we create a law to protect user data and your answer is "let's only work with countries that think messing up with my users is ok" ?


It’s not about being able to “mess with [your] users”. It’s about sites that don’t need EU traffic anyway being unnecessarily exposed to fines for even accidental violations of a very complex law.


Btw. the same goes the other way around: if you don't want or need US customers, it might make sense to block people from the US based on IPs, because if you do business with US citizens, they can sue you according to US laws with their ridiculously high fines.


But any of your sites should protect user data, it's the respectful thing to do. Right ?

In which case would you think it's alright for any site to not protect, say, a user's home address?


Reasonably protecting user data and complying with the GDPR are two entirely different things. There are many ways to accidentally run afoul of this law while still protecting user data.


Define "reasonably", because what I see in the wild as a freelancer is 9 times out of 10 not matching what's "reasonable" to my standards.

And what are the "many ways" you can "accidentally run afoul of this law while still protecting user data" ?

It's hard for me to grasp.


(I'm not the one you replied to.)

I'd like to see a complete and concise list of exactly what needs to be done to comply with GDPR. Everything I've seen so far has been vague legalese open to subjective interpretation. Pretty scary when the punishment for an incorrect interpretation is a 20M EUR fine.


simply block EU IPs

A lot of us who admire what the EU has the courage to do - and wish that the US had half that courage - would rather disappear from everything but European websites. What many US corporates have done, and are doing, is rotten to the core. It is demonstrably destroying the internet that so many of us spent time bringing to life, and had so much hope for.

I suspect that if someone with some balls and power suggested corralling all US trackers and data brokers -- along with companies trying to turn the net into a shopping mall -- into a single domain outside of which they could not operate, most Americans would applaud. The EU has done some of what it could, and cheers to them for having the courage to serve their citizens. Wish I was among them.


Better yet, comply and get your privacy/data management chops together so that you're comfortably able to navigate a world where this type of legislation is likely to become more and more common. Not to mention the fact that there's an increase in interest/awareness about these matters amongst the general public.


I love this comment. Waiting for people to take the bait and reply to you!


Take the bait? I’m not saying anything controversial. A large percentage of websites are directed at the home country of their owners anyway, and EU traffic is often incidental and worthless to them. A US dentist or doctor likely has no interest in receiving appointments from people in the EU, for example. An online store based in the US, who would have to charge outlandish shipping rates to ship to the EU, is unlikely to get orders from the EU and thus should have no interest in that traffic. An online message board where nurses in a US city talk to each other probably wouldn’t want to spend the money to comply with GDPR even if the occasional nurse from the EU might pop in with an interesting comment every now and then.

So EU traffic means nothing to any of the above example sites, yet all of them will be massively exposed under the GDPR. If I ran a web hosting company, I’d offer EU IP blocking as an optional, free service.


You don't think it's controversial to tell businesses to block the other half of the civilized world?


It's a start, but that is only the easy part, where the goal is relatively simple to figure out. You also have to explicitly get legal documents signed if you make a system for companies that "own" the user data.

You need to have new procedures for obtaining, storing, using, and deleting customer data. This is known as a "code of conduct". You need sufficient logging to aid incident analysis too.

I also think a lot of companies are entering a bit of panic mode because there is no clear guideline on what is sensitive data. If you make a booking system, then everything you store is potentially sensitive if you have end user data in it. If you're making IoT devices for the home with cloud access, then you have sensitive data.

The conclusion we've reached is fairly simple. If there is even a remote chance that normal day-to-day use of our systems contains data that can be used to build a profile of a user, then the system's data is considered sensitive.


It's in some ways worse, because with credit card numbers you can and should avoid storing them at all, but if you need an email that's not an option.


Would usernames be included? Seems incredibly taxing to encrypt usernames too but is that what's suggested?


The GDPR specifically introduces a class of data called "online identifiers":

https://gdpr-info.eu/recitals/no-30/

which includes IP addresses and seems to extend to things like email addresses and usernames.

How this will end up affecting functionality and implementations of online services is not yet clear, at least to me.


This is a GREAT project!! Thanks!

Could you make it a git repo so we can field alterations, additions and discussion?


That's a good thought. Right now it's actually a Google spreadsheet that I write markdown into the individual cells of, export as a CSV, and then run through a Ruby script that turns it into HTML. Which (obviously) sounds insane, but it's significantly better than trying to edit a raw HTML doc of this size, get feedback, etc.


> some traction on HN as everyone is trying to figure out: "Do I need to do something for this? If so, what?"

If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this. So it's hard to imagine how many readers of HN are getting their answers on HN (or similar). If you are small time nobody is going to come after you. Sure something could happen and you could also get a traffic ticket going 57 in a 55 zone and a host of other outlier events.

> AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.

One-size-fits-all advice doesn't make sense in this and in other similar cases. You will spend a great deal of time and effort dealing with 'maybes' instead of the day to day.


>If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this

You'd be surprised. GDPR is vague enough and just open to interpretation enough that there are many different companies interpreting it in many different ways. I'm a consultant and I talk to many multi-nationals and all of them have their own spin on it. Especially around the "except when necessary for security purposes" section. That right there is broad enough that "security purposes" can mean almost anything as long as you make sure your security team has access to that data.


My company is one that everyone on HN has heard of, and they are interpreting it as "don't worry, we don't need to make any changes because _____". It will be interesting to see if they change their tune as May 25 approaches.


The EU are totally threatening fines of the greater of €20M or 4% of global turnover because they want to preserve the status quo. /s


If you're outside the EU, it really isn't about "anyone coming after you". Even within the EU the enforcement actions currently err on the side of a stern warning rather than a fine (except in the most deliberate cases). Though that may change.

Either way, you shouldn't be doing it out of fear. You should be complying for practical business reasons:

1. This is how you should be treating personal data.

2. In exchange for complying with GDPR, you get access to a market of >700m people. If you're a service provider, it's illegal for any EU business to be your customer without GDPR compliance.


I wonder if a significant amount of small businesses/startups are going to simply not do business with the EU because of GDPR. I know I'd probably rather not have to deal with it if I had a small app or something.


In general I agree with your assessment, that being said I do think that the GDPR is a decent set of guidelines for putting in place a system that respects user data in a way that clearly has not been happening.


Why not prevent personal data from leaking in the first place? It's a solution applied at the wrong level, or a wrongly drawn system boundary if you will. The damage it causes is psychological, preventing many EU businesses from starting in the first place. They're destroying the food chain for startups (small independent businesses).

The EU and politicians are anti-UX; they have no clue about the effect of their laws on people.


> Why not prevent personal data from leaking in the first place?

"The first place" would be not collecting it, an option that companies are seriously considering for nonessential data that they previously collected merely because it was convenient and accepted to do so.


This is totally awesome! Thank you, it has been sent round the office... I too second the idea of putting this onto GitHub so it can live and be updated as understanding of the requirements increases!


That's a fair analogy! I do think having a service like Stripe for PII would make things easier. Why would we need first name and email address? As a programmer I only need a user ID!
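The "Stripe for PII" idea above, sketched as an added example that is not part of the thread: the application keeps only an opaque token, while names and emails live in a separate vault that answers access, rectification and erasure requests in one place. The vault class, its method names and the sample subject are all constructed for illustration; encryption at rest and access control on the vault's storage are assumed and not shown.

```python
import secrets


class PiiVault:
    """Hypothetical PII vault: application rows hold tokens, never PII."""

    def __init__(self):
        self._records = {}  # token -> {field: value}; assumed encrypted at rest

    def tokenize(self, **pii):
        """Store PII and return an opaque token for the application to keep."""
        token = "pii_" + secrets.token_urlsafe(16)
        self._records[token] = dict(pii)
        return token

    def detokenize(self, token):
        """Resolve a token; an erased subject resolves to None."""
        return self._records.get(token)

    def rectify(self, token, **changes):
        """Right to rectification: correct the fields the subject disputes."""
        if token not in self._records:
            raise KeyError("unknown or erased token")
        self._records[token].update(changes)

    def export(self, token):
        """Right of access: a copy of everything held about the subject."""
        return dict(self._records.get(token, {}))

    def erase(self, token):
        """Right to erasure: drop the PII; application rows keep a dead token."""
        return self._records.pop(token, None) is not None


def demo():
    """Walk one constructed subject through the request types the vault serves."""
    vault = PiiVault()
    token = vault.tokenize(name="Alice Example", email="alice@example.invalid")
    # Application-side data references the subject only through the token.
    orders = [{"user": token, "sku": "book-42", "qty": 1}]
    vault.rectify(token, email="alice.new@example.invalid")  # "fix them if wrong"
    exported = vault.export(token)                           # "tell me what you have"
    vault.erase(token)                                       # "delete my data"
    # Orders survive as non-personal records; the subject can no longer be resolved.
    return exported, orders, vault.detokenize(token)
```

Free-text content the user wrote (comments, support tickets) is not covered by this split and still has to be handled separately.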


I don't think this would be sufficient in many cases. If you store any form of user-generated content, or even a recommendation model generated from a user's past behavior, I'm pretty sure that's also considered personally identifiable information under GDPR, and since it's part of your product, you can't just outsource handling of it. It gets even stickier if that data is intertwined with data from other users, as could be the case in machine learning models or user-generated collaborative projects.


> For a recent project, I read

Fixed that for you.

Usually commas aren't important, but that specific sentence really suffers in readability without it.


What constitutes user data?

