In another week the GDPR, or the General Data Protection Regulation will become enforceable and it appears that unlike any other law to date this particular one has the interesting side effect of causing mass hysteria in the otherwise rational tech sector.
This post is an attempt to calm the nerves of those that feel that the(ir) world is about to come to an end, the important first principle when it comes to dealing with any laws, including this one is Don’t Panic. I’m aiming this post squarely at the owners of SME’s that are active on the world wide web and that feel overwhelmed by this development. A bit of background about myself: I’ve been involved in the M&A scene for about a decade, do technical due diligence for a living (together with a team of 8). This practice and my feeling that the battle for privacy on the web is one worth winning which has led me to study online privacy in some detail puts me in an excellent position to see the impact of this legislation first hand as well as how companies tend to deal with it.
The GDRP is not nearly as draconian or complex as people are scared into believing (mostly by people who conveniently also sell GDRP compliance services). Over the past few weeks and months, I’ve translated countless internal and external corporate documents about the GDPR from companies both big and small, for all kinds of sectors, many of which you know, and none of them are freaking out and none of them find this particularly difficult or complicated. Even a legal simpleton like me understands it just fine, and all I need to do is translate texts about it.
anyway I think that these regulations are needed. gdpr is IMO well aimed weapon against large IT companies that gathers a lot of data about users of it’s services and later uses this data for profiling users.
if you don’t know what these companies are doing with this data just take a basic data science online course.
I think most of the hysteria comes from the unfortunate “any information relating to an identified or identifiable natural person” phrasing of the definition of “personal data”, which could theoretically be interpreted by a judge as requiring that anything the personal has ever produced (even anonymized ‘me too!’ post content) must be deleted on request and factored out of things like anti-spam training corpuses.
(Thankfully, companies who can afford to consult lawyers seem to be confident that, if you remove all records of who made it, a blog comment or forum post does not inherently count as personal data.)
For example, here’s what someone from Automattic told someone who wanted their posts deleted from the WordPress forums as “personal data”:
https://wordpress.org/support/topic/gdpr-and-the-forum-of-wordpress-…
Beyond that, there are exceptions.
For example, Paragraph 3 of Article 17 (Right to erasure (^aEUR~right to be forgotten^aEURTM)) is entirely about situations where paragraphs 1 and 2 don’t apply.
https://gdpr-info.eu/art-17-gdpr/
(In short, an unfortunate phrasing combined with a law that’s intended to prevent exploitative companies from language-lawyering their way into continuing with business as usual.)
Edited 2018-05-18 22:46 UTC
Yup, overreactions, eg: https://monal.im/blog/gdpr-removing-monal-from-the-eu/
Riiight. The “rational” tech sector that brought us such things as:
The .com bubble. TPM will destroy Linux. SecureBoot will destroy Linux. *BSD is dead. The year of the Linux Desktop.
20 Years of Internet Explorer. ActiveX. DIVX. Blink tags. AOL. (MP/RI)AA math.
Mac vs PC, Windows vs. the world, Google does no Evil…
I’d better stop, I hear Billy Joel winding up in the background.
I’ve never thought the tech sector has ever been “rational”– more akin to a sinking boat with the crew rushing madly from one side to the other, in the hopes of finding another sinking boat to jump onto before they drown.
That’s, of course, when they’re not shooting each other, themselves, or the terminal full of potential customers.
…. I think I need a vacation.
It is only turning an old directive into law. A directive that was already law in Germany and many Scandinavian countries. If you did business in Germany you have already had to follow the equivalent of the GDPR for the last 25 years.
Hmm.. If everything is easy-street for the author, good for him. But then why bother writing an “I’m a hero” article. It would be much more productive if practical solutions were given to all the problems people struggle with. Not vague ideas, but real bulletproof implementable solutions.
* How do you actually verify child-age in relation to consent?
* How do you actually verify that your data processor is itself compliant?
* How do you actually “just automate” everything, when you run a 3 person woodshop?
…tons of similar questions, cannot possibly summarize, wish the author had…
Please, tell me how a US company figures out if it even applies to them? We spent days reading the darned thing. It’s think with vague language open to broad interpretation, clearly designed to make you think that if the vaguest trace of an EU citizen’s data touches your US server, you need to re-architect your entire system.
Also, it’s clearly designed for B2C (Google, Facebook et al.) but leaves B2B very ambiguous. Does it apply to a user of your software who uses it in a business context only as part of a corporate license, only to do their job? A simple reading says ‘yes’ – and their corporate email address, and even their user ID (known only to your system) is ‘personal’ data.
Then we talked to our lawyer, who said ‘nope, doesn’t apply!’. Which seems simplistic on the other end of things.
What is clear is that there are going to have to be some lawsuits before we see how this thing is enforced in practice. Is it going to be used to extract billion dollar payments from the big guys, or is it going to be used to run small and midlevel non-EU application providers out of Europe.
You may think compliance with the GDPR is ‘simple’. I don’t. New privacy policy. Great our contracts aren’t with users. So now I have to walk hundreds of businesses through a new contract rider. That should be easy, for something they couldn’t care less about, for a law designed to protect private EU citizens. I’ve got to be able to delete all history of an EU user if they ask for it – even if the company that owns that data doesn’t want us to (maybe, who knows, again this is a poor B2B fit). Does that include emails a user sent me? Information they sent in on a bug request? The ‘right to be forgotten’ was clearly aimed at search engines and marketers, but it’s written so broadly it could be interpreted to require a massive re-architecting of your system.
Let’s hope our lawyer was right.
joshv,
IANAL, but he’s right
As the owner of a US company, I would accommodate user requests as best I can. But I’m not at all concerned about GDPR because I’m not in a jurisdiction where it is enforceable. Not that my company is important to anyone, but that’s my take on the subject.
osnews is covered though right? Thom, are we going to get a privacy notice? Haha.
Edited 2018-05-19 17:41 UTC
You need to rethink a little. Remember pirate bay set up in a jurisdiction that copyright laws were not enforceable. This did not prevent areas where the law was enforceable blocking their traffic.
Also the idea that GDPR does not apply in the USA is kind of wrong. Large percentage of GDPR is covered by the globally agreed copyright laws.
GDPR makes it in the EU cost effective for individuals to enforce their copyright on what they have provided to you.
GDPR in the EU provides a clear set of rules for companies to follow when handling personal data not to end up charged with copyright infringement or other forms of infringement while making a cost effective legal process for both sides to deal with issues.
GDPR also caps the damages claim if personal data is miss handled.
Of course most people are not thinking that GDPR issues are copyright infringement and that we have already seen how the EU responds groups doing that operating outside their legal reach.
Also the reality is being inside the USA is inside the legal reach of copyright enforcement and copyright enforcement has no legal cap on fines in the USA.
So in some ways it may be better for a USA company with a large GDPR problem willing enter the EU process than make the EU lawyers come to the USA and use the USA laws to enforce GDPR with laws that have no cost limits.
Of course the issues GDPR does open questions for people using cloud services where they don’t control the servers can cannot ensure that data is deleted when it legally required to be.
Edited 2018-05-20 02:00 UTC
oiaohm,
Not the privacy parts that I care about, unfortunately
Also, I’d say copyright laws were pushed the other way around, from the US to the rest of the world, thanks to his highness, mickey mouse.
Read the GDPR (General Data Protection Regulation) as if it a copyright license. You will find most of the privacy parts are enforceable that way.
Over 90 percent of it will be enforceable under copyright law if you have taken copyright protect-able data from a EU person.
EU has basically set a default copyright license. Like home and student MS Office saying not for commercial usage. The way it written means the processes to protect EU users of a site will have to be applied to all users of a site.
This is kind of the worst case but we will not know if it is the worst case until after the first test case.
Every country that has signed off on copyright conventions covering copyright licenses could have their citizens bound by the GDPR terms if they use data from the EU. Please note from the EU this could include at worst of worst data transferred though the EU data cables.
The bureaucrat who has done the GDPR has been very good on the wording to make it close enough to a copyright license that it would pass as one for most of the terms and conditions.
oiaohm,
If the user took his own logs, then those logs would logically be property of the user, but not the company’s logs that were never in the user possession to begin with, that would be illogical. If anything, the server logs that track you are actually property of the website owner who created the logs. Who do you think created those cookies that track us? The website owners. The urls you click on? Website owners created those too. The ads that are displayed and you don’t click on it at all? Well they’ll track that too. All of it is property of the website owners.
Now with user submitted text, photos, and videos, I’ll agree that those are reasonably considered our creative property, at least until we agree to terms and conditions that grant a company rights to use our data.
Note that if your interpretations were valid, then 90% of GDPR would be redundant and wouldn’t be necessary in the first place. What’s more likely, legislators wrote mostly redundant GDPR laws for the sake of it, or they wrote GDPR laws to grant users new privacy rights they didn’t previously have?
(It’s a rhetorical question)
Edited 2018-05-20 09:47 UTC
90% of GDPR is enforceable by copyright does not make it existence invalid or not required. Without GDPR existing the conditions inside GDPR would have disputed in court on a case by case base.
GDPR basically documents the public expect data usage conditions for those in the EU this means the judge hearing case can take direct guidance from so removing months/years of debate from the cases over it. It not like the EU is not doing decent advertising of the new rules.
Basically GDPR simplify copyright cases over personally created content and logs/records around the content created by interacting with the existence of the personally created content.
Internet Metadata quite a bit of it falls under the same rules as document receive logs at publication houses and package/postal tracking data(reason why tracking is opt in) the usage of this data is controlled by copyright case precedents. If you notice if you access package tracking on-line you cannot see the final address it has been anonymised to a point.
Of course before GDPR everything posted on the internet has been able to be treated as if it was a post card with no direct protection requirements from being shared. GDPR changes that define and that is the big change. For sites that care about their users privacy they should only have minor real changes to-do.
GDPR is basically another step in the rule less internet ending.
Reality here we need to stop thinking of internet as different to the conditions that applied in the prior paper based world.
Lot of things web sites think they own and have free usage of is not has never really been the legal reality.
oiaohm,
Daveak is right, copyright law doesn’t work the way you think it does. If you want to continue to say that GDPR privacy rights are enforcable in the US through copyright law, well then we’ll have to agree to disagree.
Edited 2018-05-21 04:20 UTC
I don’t know where you got the idea that copyright has anything to do with privacy, but you are way way off. Copyright applies to substantive creative works, not to information.
You are forgetting a section of copyright. The USA wording is kind of deceptive.
Effect of the use upon the potential market for or value of the copyrighted work: Here, courts review whether, and to what extent, the unlicensed use harms the existing or future market for the copyright owner^aEURTMs original work. In assessing this factor, courts consider whether the use is hurting the current market for the original work (for example, by displacing sales of the original) and/or whether the use could cause substantial harm if it were to become widespread.
Privacy and Copyright are not totally independent. Breaching the privacy of author can damage their current and future works value. When taking content from people privacy is something you should take very serous-ally or you will end up using their work illegally because you can be damaging their reputation/future works.
So someone does a stupid post a long time ago and they tell you to take it down you don’t and they don’t get a job because of that post you have damaged their future works right so you have done damage in a copyright sense. Because that notice to take the work down was revoke of copyright usage permission. Reason why you got away with this up until now is that site could argue fair usage that would be way to costly for any individual to consider fighting. GDPR defines this as not fair usage so its pure copyright infringement and user has the right to come after you for damages.
Privacy and Copyright are related like it or not. The fact Privacy and Copyright are related is why GDPR as bit more reach than where it was passed as law.
Edited 2018-05-21 02:53 UTC
Bad news for you I’m afraid, it isn’t limited to EU citizens, but anyone who is resident in the EU.
Your lawyer may or may not be correct. If the email address of the person involved contains their name then yes, it is personal information, even if that is a work email address.
The largest issue with the law is the ambiguity with respect to data mining and similar problem sets. When you train a data set with personal data and later get a request to delete the data, does that make the model generated from the training set invalid?
Here’s why that’s a problem. Say that you try to build a system that can detect social security numbers so that they can be scrubbed from data. If the training set is somewhat limited, you may have partial social security numbers end up in the model.
The law is not clear for this case.
The law is clear: aggregated data cannot be linked to original user so it is not covered. So you need to delete the original records you used to build your model (since that data is linked to specific person), but you don’t need to invalidate your aggregated model.
“Even a legal simpleton like me understands it just fine, and all I need to do is translate texts about it.”
You do realise OSAlert in not even complying with the cookie requirement. Where is the button to delete my profile from this website?
I can’t wait to report OSAlert for GDPR violations :-))
There is no legal requirement for a “button” or any other automatic process.