Arathorn · 8 years ago
We already received one of these for Riot.im; kinda depressing that despite all the GDPR work we’ve done for Matrix (https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix... etc) folks think it’s worth burning yet more of our time in proving it to them (but just to them). So much for writing software and actually making Matrix better...
Matticus_Rex · 8 years ago
Woke up to my second one today from a user who literally only had their name and email address in one entry in our system.

And now, they still have their name and email in one entry in our system, but it's the record that we deleted the first entry at their request. Thanks for wasting half an hour of my day checking our systems, jerk.

wlll · 8 years ago
Why don't you just delete all their data and not record it? Then you can legitimately respond that you don't have any of their personally identifiable information.

Also, you're going to either need to suck up the admin time, script it, or block the EU. Take your pick, there's not much point slinging names around. Chances are it's going to happen again and you may as well be ready.

gcthomas · 8 years ago
You had two years to sort out a quick procedure for doing this process, and it still took an hour and a half. Didn't you have a script to do that semi-automatically?
DmenshunlAnlsis · 8 years ago
It’s the most self-inflicted wound in history, as an industry. Abusive practices, constant leaks, intrusive marketing, have all been building to a hefty backlash. It’s a shame that you’ve been caught up in the riptide, through no particular fault of your own, but this was inevitable. A whole industry can’t dick over the world’s population without blowback. The time for reasonable negotiations and slow change was probably a decade ago, not twenty years of abuse in. At this point nobody outside of the industry cares if people in the industry are hurting, they just want some privacy back.
_doky · 8 years ago
Really? Most of what I've seen from outside the industry is akin to "GET THIS ING DIALOG OFF MY SCREEN I HATE IT WHEN THE FIRST THING AN APP DOES IS SHOW A ING POINTLESS DIALOG WHEN I JUST WANT TO USE THE APP"
galieos_ghost · 8 years ago
Wouldn't be surprised to see some blackhat services come out that offer to drown competitors with these requests.
ggg9990 · 8 years ago
I’ve already had my sister send one to the chief competitor of my side project.
ainiriand · 8 years ago
The letters are FUD. Take a look at the process:

https://ec.europa.eu/commission/sites/beta-political/files/d...

jacquesm · 8 years ago
Please stop spreading incorrect (and identical) advice all over this thread.

https://news.ycombinator.com/item?id=17178562

dnomad · 8 years ago
The letters aren't even smart FUD. This sort of stuff gets made up by dumb people to validate the fears of other dumb people. It's a kind of self-propaganda. The idea that rando customers can ask for arbitrary information like backup policies and safeguards or the location of your servers is just silly. The SARs have clear, well-defined limits [1] and the response can and should be automated (once identity has been verified).

[1] https://ico.org.uk/media/for-organisations/documents/2014223....

rostigerpudel · 8 years ago
Would you kindly elaborate on which part of that link is relevant to this kind of letter? The PDF there only relates to what a citizen can do when you don't answer the letter.

How does that make the letter irrelevant? Responding to the letter rather seems to be the first countermeasure against the authorities' involvement...

lykr0n · 8 years ago
Then automate the process or hire an administrator to deal with stuff like this. It's not the requester's fault that you can't handle compliance with a law efficiently.
cm2012 · 8 years ago
That's what he's doing. And it costs a lot of money to do this.
eadmund · 8 years ago
> It's not the requester's fault that you can't handle compliance with a law efficiently.

No, it's not: it's the government's fault for passing an over-large law.

mrlatinos · 8 years ago
> It's not the requester's fault that you can't handle compliance with a law efficiently.

You're right, it's the EU's.

cdevs · 8 years ago
I think the ridiculous thing is every mom and pop site and blog and website needs to be GDPR compliant? Insane. If the true intent was to make sure large players have their system in check then they should have simply said if you have 50,000 or more users giving you data a month or something, to protect anyone interested in software from being afraid of having 2 users because now they need to read every international law. I know someone will fire back at this, but what stops the United States from coming up with some law as well on the internet against how logins should be and then filing a lawsuit against every other country's company that doesn't comply? A business should follow the laws based on the owner's location, and if other countries don't like it then that's for allies to group up and ask that minority country for change. GDPR to me is overreaching on the internet in a scary way.
mrtksn · 8 years ago
So how exactly is it O.K. for customers if their privacy is breached by mom&pop businesses but not O.K. if it's breached by businesses that have 50K or more users?

It's a common theme here on HN to think that users are just some kind of resource and the regulations are anti-climactic things that slow down the party.

Seriously, as a user, I don't want my information to be sold to random people that I have no information about even if the seller is a tiny business, because my feelings are not against the business but against the practice. The size of the violator is irrelevant to me.

If not breaching my privacy and my rights makes your business unprofitable, then simply you don't have a business.

Users are people, not just pageviews or hits or goals - despite what your analytics software says.

ascar · 8 years ago
It's not just small businesses. The serious effort to fulfil this legislation and the constant threat that you still don't is simply too much for small non-profit organizations and personal websites. A lot of one-person blogs that are inactive but a valuable source of information have been taken down because of that.

I also stopped hosting demos of my side-projects (just for github or cv links), because following this law for this kind of service is just unreasonable. And I do not even have to cause any kind of harm to be fineable in Germany.

JumpCrisscross · 8 years ago
> So how exactly it's O.K. for customers if their privacy is breached by mom&pop businesses but not O.K. if it's breached by businesses that have 50K or more users?

One of these has systemic effects, the other does not.

(I don't think small businesses should be totally unregulated. But the administrative burden should be considered, to prevent discouraging new entrants and promoting incumbency bias. GDPR does not take this into account.)

JamesBarney · 8 years ago
If you die in a fire or building collapse it's equally bad whether that building was a large commercial building or a single family home.

But we have two sets of building code rules because the regulatory burden is very different. The costs of complying with lots of regulation are fixed, and don't necessarily scale linearly with the size of the company. So to prevent these laws from wiping out small businesses they usually phase in these rules with increasing size.

Matticus_Rex · 8 years ago
>If not breaching my privacy and my rights

You can respect everyone's rights and privacy and still be noncompliant, because most of the work of complying with the GDPR for most businesses is in the documentation, customer misinformation, and legal CYA work.

rdlecler1 · 8 years ago
Okay, so add one more caveat—the business has more than 50,000 users OR it sells your data. Perhaps the vast majority of businesses affected by GDPR are not selling your data.
iaml · 8 years ago
For me, the main problem is not the compliance itself, but the legal part of it. If GDPR had clearly stated it's OK to dismiss all these "nightmare letters" unless they come from a set of official emails that handle it, and if/when such official letters come it would only be required from me to point to my legal pages and/or give access to the code/db to show I'm compliant, it would all be a-okay.
stunt · 8 years ago
That is exactly the way it should be. People should stop storing user data because they don't do anything to protect it for you.

Keeping user information just became so normal in the past few years. It is not just about ads but also security.

You have all your information all over the internet. Websites without minimum security requirements store everything just because it is cheap to do it, and they just believe they should store it even if they don't need it because maybe they need it in the future.

Hackers can do way more than you can imagine with your data if they want.

Storing user data should be expensive. Companies should only store it, if they accept and understand the responsibility and they must feel accountable for it.

swat535 · 8 years ago
I think the issue here is that GDPR is really broad.

We have had our legal team review it to perform a cost/benefit analysis on whether we should comply with GDPR or block the EU region for the time being.

At the end, while we all agreed that the idea behind this law is reasonable, it would benefit us to ignore the EU region. (We reviewed our database to ensure we don't have any EU users currently on the system before doing this)

That being said, we branched out and started to slowly implement some GDPR requirements that can benefit our existing users' privacy, and we will certainly remove the EU blockage when the scope of this law becomes more apparent to our legal team.

I strongly believe software is due for some serious regulation, just like all other branches of engineering. We need to take responsibility for the systems we create, and I feel like this is a sign that our industry is maturing from its infancy stage.

Kudos to EU for making an attempt to keep Europeans safe.

lightbyte · 8 years ago
>I think the ridiculous thing is every mom and pop site and blog and website needs to be gdpr compliant? insane.

The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of user's privacy an insurmountable issue?

manfredo · 8 years ago
> The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of user's privacy an insurmountable issue?

You are writing as though not abusing people's privacy is all that is necessary to comply with GDPR. This is incorrect. GDPR has specific requirements for any company handling certain types of data, and extra requirements if it's handling this data "at scale" (though it doesn't actually define what this means). Any data revealing any of the following is considered protected by GDPR:

> racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

So, basically any user uploaded images or text can be argued to fall under this category since users might reveal their political, religious, or philosophical beliefs in this text. How about something as innocuous as a heart rate monitor? Well, apparently people have correlated 15-30 minute spikes in heart rates in the evenings to figure out people's sex lives so that's restricted by GDPR.

I could go on. The point is, it's not enough to just not abuse your users' data and cross your fingers to be GDPR compliant.

JumpCrisscross · 8 years ago
> What could they possibly be doing that makes not abusing a handful of user's privacy an insurmountable issue?

Nothing. Doesn't mean they have nothing better to do than respond to letters and regulatory enquiries. (To be clear, I'm not disparaging regulators asking questions. I'm simply observing that such questioning-and-answering has a cost. That cost is reasonable for a large company. It may not balance favorably for something smaller.)

Fradow · 8 years ago
GDPR imposes a few things to do as soon as you have a single PII, as well as doing this a certain way (opt-outs are a no-go, you must be able to prove consent, you probably need a DPO and a DPA), and things that were just not done in practice until now (right to be forgotten for example is not exercised, and thus there is no tool to exercise it).

Just because you absolutely respect the spirit of the law (don't do shitty things with PII) doesn't mean you are GDPR compliant, unfortunately.

I very much agree with GP that small businesses should have more relaxed obligations, and more proportional fines (the minimum fine exceeds the total revenue of a non-negligible percent of small businesses).

ggg9990 · 8 years ago
The even more ridiculous thing in my opinion is comments like this that conflate a truth and proof of that truth. It’s the difference between saying that every even number greater than 5 is the sum of two primes, and being able to prove it.
zeveb · 8 years ago
> What could they possibly be doing that makes not abusing a handful of user's privacy an insurmountable issue?

Storing their HTTP logs on archived CD-ROMs would be a violation of the GDPR, unless that same mom-and-pop operation offered users a way to request that CDs be replaced with new versions at will.

I don't think that counts as an abuse of privacy, but it is a violation of the GDPR, which makes immutable logs which contain IP addresses illegal.

Turing_Machine · 8 years ago
> What could they possibly be doing that makes not abusing a handful of user's privacy an insurmountable issue?

Perhaps they're busy running their business and don't have time to comply with baroque EU regulations, regardless of whether they're actually "abusing their users' privacy" or not.

Regulatory costs are a thing. Even if you're not violating the regulation, filing the forms or whatever to assure some bureaucrat that you're not violating it takes time and energy.

There's a reason why the startup scene in Europe is only a fraction of what it is in the U.S.

blub · 8 years ago
The intent is to give people a way to control the information which will be used to influence their lives instead of being at the mercy of every corporation, start-up or mom & pop operation which is trying to make a buck.

Private life is such an essential part of human nature and our societies, no matter what the "nothing to hide" camp will say. There will be collateral damage and that's unfortunate yet tolerable, given the extensive abuses.

JumpCrisscross · 8 years ago
> A business should follow the laws of based on the owners location

This cuts against centuries of sovereign tradition and precedent. GDPR's constraint to users in Europe is reasonable. (As is refusing to do business in Europe by blocking the continent.)

riquito · 8 years ago
GDPR Art. 2 par 2

This Regulation does not apply to the processing of personal data ... by a natural person in the course of a purely personal or household activity

dorgo · 8 years ago
So I am allowed to collect and store personal data for my toy project without consent?
taysic · 8 years ago
I also think the requirement to provide the same service 'without detriment' if a user doesn't want personalized ads - should only apply to companies over 500,000 users. It should only apply to companies that are ubiquitous that people feel they can't live without.
budu3 · 8 years ago
We as the collective tech community brought this onto ourselves. We did not self-regulate. We did not take our customers' privacy seriously enough. Therefore, big government stepped in and regulated us.
Bromskloss · 8 years ago
Equal before the law.
crankylinuxuser · 8 years ago
Sigh, you don't get it, do you?

In software, if you want to skirt the law, it's easy to do so with small teams/companies. Just spin up shell companies under the limit and use that to skirt the law.

It certainly defeats the spirit, but this is capitalism. No holds barred, and do illegal moves till you get caught.

Saaster · 8 years ago
I updated my web service (solo dev, side project) with GDPR compliant terms and privacy policy, and got this form letter already from a few of my users. I have to say, it's seriously depressing, and I was contemplating shutting the whole side project down over the weekend.
donatj · 8 years ago
I have a tiny project in closed beta right now that I've been working on in my spare time for 7 years, and I'm considering closing it to the EU. The idea is even entirely privacy minded, with all data save the email address being client-side encrypted so we never see it unencrypted.

I never intended to make real money off it except maybe covering server costs if I'm lucky, but the time it would take dealing with requests like this is enough to scare anyone off.

ColinWright · 8 years ago
Broadly speaking, and noting that IANAL, etc, etc, ...

I'm not sure what the problem is.

Your obligation is to keep the data secure, and only keep data that you need. Then you need to respond to requests to (a) tell a person what data you hold on them, (b) tell them what you do with the data, and (c) delete it if asked, unless you have a legitimate reason to keep it.

So if someone has given you data for the purpose of you providing a service then all you need to do is treat that data with care, don't do anything your customer doesn't expect you to do, and be able to provide and/or delete it.

Fair do, someone disagrees and has down-voted me. Please, having read the actual regulations[0] several times, including the recitals[1], I'd be pleased to see what's missing from that outline, so I can improve my understanding.

[0] https://gdpr-info.eu/

[1] https://gdpr-info.eu/recitals/

3pt14159 · 8 years ago
Question:

Can you not just have a checkbox that says "I agree not to use this service from within the EU." or something like that? Like, I don't even track IP addresses for my dumb side projects. I wouldn't know where to start with this.

dangerface · 8 years ago
"all data save email address being client side encrypted"

If it's client-side encrypted, it's not personally identifiable information.

test6554 · 8 years ago
Can you just put it in your terms of service that you will remove their account and ban them if you get a GDPR request?
che_shirecat · 8 years ago
Link to the web service? I'm very curious as to why you would be getting these letters
ainiriand · 8 years ago
Please don't! GDPR letters are FUD. The only authority that can enforce GDPR is the DPA of your country or your user's country. And then, after thorough investigation, the DPA can implement different measures, and the fines are just for the stronger actors and breaks.
jacquesm · 8 years ago
No, the letters are - unfortunately - not FUD, they are legitimate DSARs and the letter has been carefully worded to give cover to the writer.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

is a good starting point. Yes, you can refuse a request if it does not qualify, but in this case there is more than enough meat to take it seriously.

cageface · 8 years ago
I think the GDPR is well intentioned and has provoked some important and useful conversations about how we make use of users’ data.

But reading stuff like this makes me that much more inclined to use that Cloudflare option of IP blocking the whole continent. This feels like a very slippery and dangerous can of worms that’s not worth opening.

annabellish · 8 years ago
There's already a tonne of laws every company has to comply with. The GDPR isn't any more onerous than any of those, it's just new. Even the "nightmare letter" doesn't have anything unreasonable in it and the only reason why it might be difficult for a company to comply with would be that their internal systems and processes were already horrifying - something which we have now collectively deemed that permitting is causing more harm than good.
cageface · 8 years ago
What other laws do I have to comply with right now that are so vaguely defined and carry such horrifyingly punitive fees? I guess we'll have to wait and see how it's actually enforced but no other legal obligations I've had to consider so far when building products feel this threatening to smaller online businesses.

It's bad enough we have to deal with patent trolls. I'm not inclined to add this to my risk profile.

JumpCrisscross · 8 years ago
> The GDPR isn't any more onerous than any of those, it's just new

It’s different. “Complain and investigate” regulatory regimes are expensive to comply with. That is irrespective of whether one is doing anything wrong.

These regimes aren’t inherently faulty. They’re quite good in the American securities business. But they create a palpable incumbency bias, as well as one towards those who can afford lawyers and make a useful phone call.

Such a regime would have been ideal if constrained to large companies. Rolling it out for everyone means anyone mis-interpreting something could trigger a regulatory investigation. Even if found innocent at the end, that process is harrowing, expensive and distracting.

Every jurisdiction has its costs and benefits. Europe is still a huge market. But if one doesn’t see enough revenues to justify a dedicated compliance person, it’s a market which may now make sense to delay going into.

Mirioron · 8 years ago
>Even the "nightmare letter" doesn't have anything unreasonable in it and the only reason why it might be difficult

How about another reason: it simply increases administrative costs. If you have enough users firing these letters off then you could end up spending a significant amount of time simply responding to these letters. Something has to pay for all of that, and it's not like this cost is going to go away at some point, so the entire business model has to be set up in a way where it can just eat this cost.

3pt14159 · 8 years ago
The problem is that there is a lower floor of a $20m fine. Big corps can risk a 4% hit, but for anyone struggling to get a small startup off the ground the fine is too onerous.

As far as I'm concerned the process should be like this:

1. EU issues warning and cuts off traffic to the domain after 30 days.

2. Startup fixes GDPR compliance.

3. EU unblocks startup.

Only after the company breaks GDPR after getting unblocked should they be hit with this massive fine. For those of us that don't give a shit about Europe it's so frustrating having to worry about how we have to comply.

And before someone says something about "it's only for companies targeting the EU" that isn't as clear as people make it out to be. An errant ad, or a single conference talk, or even engagement on social media can be construed into requiring GDPR compliance.

But of course the reason the EU didn't want to block corporations flouting the GDPR technically is because they saw the arms race happening in China and decided that they didn't want a second firewall. So instead they went the lazy route and they pushed the whole mess on small startups that aren't the problem in the first place. Large corporations are the problem. The fundamental design of the internet and web is the problem.

kerkeslager · 8 years ago
> But reading stuff like this makes me that much more inclined to use that Cloudflare option of IP blocking the whole continent.

Excellent. Then maybe some competitors will arise with products that are built with privacy in mind from the ground up.

hartator · 8 years ago
These fake new competitors are called unemployment, low innovation, and low growth. Bureaucracy never created jobs.
relics443 · 8 years ago
Unfortunately those competitors will crash and burn when their users get pissed off at the opening dialog.
Gravityloss · 8 years ago
Maybe a competitor can do their business according to the GDPR then?
michaelsjoeberg · 8 years ago
It is the opposite.

Established companies have no issues with fees, or legal requests.

GDPR is to protect the established companies from competition.

It is basically a reverse China ban, because China-style banning of competition is still considered bad in the EU.

robinwarren · 8 years ago
Note, I think, you also need to be GDPR compliant for EU users when they are not in the EU. So I don't think IP blocking actually works for 100% of cases.

I would suggest not getting too hung up on this; it is showing you the worst outcome, and assuming you have made a good effort to be compliant I should think things would be fine even then. No doubt you have Ts and Cs; that document is full of clauses put in place because of things like this, and any of them could probably result in a worse letter from a customer wanting to sue you over something. But I imagine that hasn't happened to you yet either?

jacquesm · 8 years ago
> I think, you also need to be GDPR compliant for EU users when they are not in the EU.

What you think does not align with my understanding of the GDPR, what makes you say this?

detaro · 8 years ago
> Note, I think, you also need to be GDPR compliant for EU users when they are not in the EU.

No, location is what matters. Of course one could argue if IP is a reliable indicator of location, given VPNs, potentially faulty GeoIP databases, ...

Ralfp · 8 years ago
What worries me most is how little is being said about privately operated sites. I am little Joe running an internet forum about space battles with maybe 5 active users right now and no more than 100 active members historically. Should I sign a data processing agreement with Google because I am using Gmail to send e-mails? Should I hire a DPO? Am I risking my house being taken from me to cover a multimillion fine because a user posted their photo or e-mail 5 years ago and I've missed it because I don't delete user-posted content together with their account?
jacquesm · 8 years ago
> What worries me most is how little is being said about private-operated sites.

If you want I can research the matter in more detail, someone else came up with federated sites like Mastodon nodes and that's another pretty gray area.

> I am little Joe running internet forum about space battles with maybe 5 active users right now and no more than 100 active members historically.

Ok.

> Should I sign data processing agreement with Google because I am using Gmail to send E-mails?

No. You could try to stretch the law to include that particular example but from my reading of it this is perfectly acceptable.

> Should I hire DPO?

No, but you are the de-facto DPO, so if you receive a DSAR then you probably should answer it, though with your user counts I think the chances of that are very small.

> Am I risking my house being taken from me to cover multimilion fine because user posted their photo or e-mail 5 years ago and I’ve missed it because I don’t delete user-posted content together with their account?

No.

But if a regulator should tell you that you should remove a user's data (because you refused to for some reason or other) you probably should. The EU does not 'fine first and ask questions later'; they will investigate first, warn, and then when ignored they will fine. And for a small entity like yours which is more of a hobby than anything else I highly doubt regulators would even bother, but you can't rule it out completely. Better increase your comet insurance as well if that's your main worry :)

Ralfp · 8 years ago
Thanks for answers!

> You could try to stretch the law to include that particular example but from my reading of it this is perfectly acceptable.

But I should still note about the fact in my privacy policy, shouldn't I?

A couple of other things I've noted when working on GDPR compliance for my forum:

- It may be a good idea to write in your forum rules that you don't allow users to embed their data outside of the forum profile.
- Forums accumulate tons of lurker accounts (users that register an account but don't post or browse anything) that could be automatically deleted.
- Forums like to log IPs used by users when they, say, post messages. Those could be overwritten to 0.0.0.0 for items older than X days.

I've also been working on a privacy policy template for people in my position that I have on GitHub and would love to have any feedback:

https://github.com/rafalp/misago-privacy-policy-examples/blo...

Mirioron · 8 years ago
>No, but you are the de-facto DPO, so if you receive a DSAR then you probably should answer it, though with your user counts I think the chances of that are very small.

I think that we might have this view about it right now, but I could easily see a scenario, where somebody targets you for "harassment" through something like this. Maybe you say something somebody else doesn't like on Twitter and they do that to you.

fvdessen · 8 years ago
> No, but you are the de-facto DPO

The GDPR requires that the DPO must be independent from the organisation, so you can't be 'your own DPO'.

On the other hand the DPO is only required when sensitive or large quantities of data are concerned.

GiuseppaAcciaio · 8 years ago
I have to confess, it's a guilty pleasure of mine to respond with a variant of the Nightmare GDPR letter to SOME companies who sent me the classic "we're sure that you want to access all the amazing benefits of our data processing so if you REALLY want to opt-out you'll need to click on this link and manually remove consent from a couple hundred 3rd party providers" email. I'd never do that to any company (big or small) with whom I have legitimately interacted, but a lot of this drivel has come from random recruitment companies that must have scraped my details from my CV or Linkedin or wherever.
jacquesm · 8 years ago
If you're not legitimately concerned then you are actually devaluing the GDPR by abusing it. If you have a legitimate concern with a particular company I'd send them a custom letter rather than a form letter and I'd try to work with them in order to achieve the desired effect (for instance: for them to delete my data once and for all) rather than to get a bunch of information that I have no further use for.
laumars · 8 years ago
Anywhere that has made my acceptance an "opt in" I have then sent a polite email asking for my details to be removed. I'm happy to continue to use any services that follow GDPR and use them with the minimum of fuss; but anywhere that feels like they're trying to worm their way around the law feels like the kind of organisation the GDPR is designed to protect us against.

Thankfully the responses I've had thus far have been equally amicable.

rovek · 8 years ago
Any company I didn't give my data to directly and have never heard of is a concern. Many companies sending out GDPR emails need to learn that processing data is a liability they should avoid if possible.
im3w1l · 8 years ago
We may wish for spherical users in a vacuum, but there are a lot of people out there looking to fuck their enemies over and who care little about the collateral damage to the commons.
relics443 · 8 years ago
Don't worry. The GDPR does a bang up job of devaluing itself.
GiuseppaAcciaio · 8 years ago
Alright, let me rephrase: I am interested in such companies that somehow have my details on record despite me never contacting them, and who show no understanding of the principles of GDPR; in particular I want to know what they hold about me and what the source of their data is, which is why I send the letter (which I have modified to remove the stuff I am not concerned about). Some of them have since replied with "we've gone ahead and deleted all your data", which could be interpreted in many ways I guess.
mlthoughts2018 · 8 years ago
It seems like a lot of the comments are about one issue:

- do you believe generally, even for an “upstanding” company you’ve done business with for a while, that commercial entities can be trusted with your data?

If yes, you’ll see the template as overbearing and needlessly aggressive outside the context of some specific incident when a company proved to be untrustworthy. Especially if you operate a side project or business of your own, and believe you personally would not abuse consumer data collection, you’ll see it as rude in the best case, trollish resource wasting in the worst case.

If you’re a consumer with a general mistrust of all commercial entities, even “upstanding” ones, when it comes to data practices, or if you just happen to believe that the potential risks for data abuse or harm are too high to be offset by anyone’s good intentions or past good behavior, then you’ll see this as a reasonable template, perhaps needing a few modifications for differing contexts, and that jumping straight away to legalese boilerplate just has to be assumed necessary when dealing with self-interested commercial entities.

jacquesm · 8 years ago
Sending boilerplate almost guarantees that a regulator will put your request at the bottom of the pile if you decide to take it to the next level unless the company responds in a way that shows their contempt for the law.
mlthoughts2018 · 8 years ago
I think that will depend on how seriously GDPR non-compliance is treated.

I’m hopeful some big corps will be heavily fined to set precedent and to ease concerns that GDPR is a mild form of regulatory capture intended to be misused (regardless of its wording) to asymmetrically inhibit new entrants and small firms.

evancox100 · 8 years ago
What? That doesn't make any sense. The regulator would only care that you sent a valid request.
cm2012 · 8 years ago
I just want to note how non-obvious compliance with GDPR is. Two experts on GDPR and privacy in this thread (Jacquesm and Ainiriand) have been disagreeing throughout the thread on just the basis of whether one should reply to GDPR complaints like this. Imagine how much up for interpretation the more gritty parts of the law will be.
msie · 8 years ago
And Jacquesm is saying don't be alarmed in some comments while in other comments he admits there could be problems with people trolling with this letter. So I'm even more skeptical of allowing any EU users.
jacquesm · 8 years ago
It's a very consistent position: no need to be alarmed, yes you will have to answer a letter like this, even if it is trolling. But if a letter like this alarms you then you probably have bigger problems.
salvar · 8 years ago
I think it would be best if people like you would just go ahead and block all EU users. There's so much "well I might just block them then!" going around these days, when you should just do it if you think it's the best approach.
zerostar07 · 8 years ago
There are no experts on the law, even lawyers aren't. The only one who can authoritatively produce interpretations of the law is the European Court of Justice. For that to happen a country's Supreme Court must refer a case to them for consultation, which is then binding throughout the EU. In the meanwhile, 28 different privacy regulators can independently try to interpret it. Most of the regulators are not staffed yet and not up to the task.

At the moment the law is unenforceable.