Microsoft is extending the GDPR’s rights to all of its customers across the world.
That’s why today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else. Our privacy dashboard gives users the tools they need to take control of their data.
Good move, but these controls and options should’ve been there from the start. Goes to show that corporations are terrible at self-regulation – something everybody should know by now. In any event, I’ll be spending some time this weekend digging through all the data Google, Apple, and Microsoft have on me.
Again the only regulation is really the market. You choose to give your information to these companies.
If privacy and security was a big market driving force, we would have seen it by now.
GDPR won’t change anything. It will be like the Cookie regulation. It will make someone feel warm and fuzzy in brussels and won’t do jack all else.
Edited 2018-05-23 23:01 UTC
Tons of companies are adding easy-to-use privacy dashboards and new functionality and options to view, alter, and delete your data in direct response to the GDPR, and yet, you still say:
^A\_(~af")_/^A
If you think that will you are an idiot.
If they can produce a valid reason for having your information they can keep it.
If they really want to store the data, the will make sure it is outside of the EU.
The gambling industry did this for 15 years FFS.
Edited 2018-05-24 00:10 UTC
The level of discourse on this site is generally higher than most other sites, which is why it has lasted this long.
We all have strong opinions sometimes, and aren’t afraid to share them here, but please try to be civil.
LOL, nothing has been civil on this site.
There has been a pretence of it.
Also for someone that is extolling that virtue you haven’t added anything.
Also nothing I said was harsh.
Edited 2018-05-24 00:16 UTC
You are so interested in being right. You never look at the bigger picture.
Yes and no. If somebody who has my name and phone number uses Facebook to store contacts, Facebook is going to have that information without me directly giving it to them. Same/same for Google and the rest.
You will also likely not know they will have it.
They can just keep it, or make sure they only capture the data once outside of the EU.
Heh, the market doesn’t solve shit.
The only way to get things done is to beat these fuckers into submission with strong legislation.
The market is driving us all madly to a wall (ecological situation).
Regulation is our utopian chance of survival.
From what I can gather, the GDPR does seem a little bit on the extreme side, and the extraterritoriality provisions are bizarre and somewhat offensive (If I run a website in Australia and *one* European citizen happens to visit that site, I’m now apparently bound by a European law? Get lost).
It will almost certainly get refined and whittled down eventually. A messy step in right direction, though.
Makes me wonder how the EU courts would see a *chan board which disabled custom nicks (everyone is “Anonymous”) and has a logging policy in the vein of “We retain server logs for 48 hours. It typically takes us 72 hours to sober up enough to respond to unexpected messages.”
Where do you get the idea that merely visiting your website makes you bound by GDPR?
If you create a website where, merely by visiting, you gather so much data on someone, that would suggest something really wrong with it.
Exactly! That guy seems to be running a very shady website that probably should be shut down.
I think the concern in that case is how it will interact with various European precedents that “IP addresses are personal information” that got set during various copyright trolling cases.
(ie. Concern that the “get what they have on you provision” will require admins in such a case to grep through their HTTP access logs.)
In the case of Australia, I hope it does conflict with our data retention laws that no one really wanted.
That’s actually something I’m really quite concerned about. The data types a multi-service ISP are required to retain are quite wide reaching. One component of the law is that those doing the retention aren’t even supposed to reveal details of what they’re retaining nor are they permitted to delete it. The (“official”) people to whom they can hand the data over to are kinda fuzzy too – the AG’s office seems to have adopted a “if someone asks hand it over and we’ll catch it when we do an audit” approach.
None of these things are very compatible with the GDPR.
Edited 2018-05-24 09:28 UTC
So any one of username, real name, IP address, gender, age (even just “18+” status), anything may qualify as Personal Data. So Apache logs? Check. Username on a forum? Check. “Are you over 18?” interstitial? Check. Anything that does a geolocation for any reason? Check.
Admittedly, you do need to be operating as a business or for financial gain so individuals and communities etc are exempt. But it’s still insanely wide reach.
Edited 2018-05-24 09:49 UTC
Why, as a business, would you want to ask for that data in the first place, or log people’s IP address? If you don’t ask for that data, then you would not be bound by it. Otherwise, I’m pretty sure you’re not forbidden from not offering your business to the EU. If you want to make money out of any jurisdiction, of course you have to abide by that jurisdiction’s laws.
You’re not forbidden, no.
If you make money at all, not just out of the service, and you provide a product or service that an EU citizen happens to access, according to the current text of the GDPR you’re ostensibly subject to it.
Historically, merely having someone from another jurisdiction come to you to use your service or purchase your products didn’t bind you to that jurisdiction – on the contrary, it bound the customer to your jurisdiction (for the scope of that transaction). You had to have a degree of explicit connection to another jurisdiction to be subject to it. The GDPR is turning that on its head, which is a dangerous precedent.
I find it amazing that because this is a privacy-enhancing law, everyone’s scepticism goes out the window. A law can do a generally good thing but be written in a bad way. The GDPR tries to do a good thing but is written in a horrifically flawed way.
Edited 2018-05-24 10:18 UTC
Totally false idea. This is one of the totally bogus ideas people have with no legal standing.
Modchips are legal under in many cases in Australia. Now Australian company shipped those to the USA due to shipping those to the USA had to face court in the USA. Claiming the jurisdiction was Australia did not work. If you did around you will find case after case like the above one.
Reality is when you cross boarders physically or electronically doing a transaction you are bound to-do it legal on both sides unless a speciality law on your side overrides meaning you cannot be extradited for the offence or punished in your own country for the offence.
Internet does not magically change the rules of trade.
Please note the GDPR is different because its not only enforceable by GDPR law its also enforceable by copyright.
I’d genuinely appreciate a citation/reference here. Happy to be proven wrong but I suspect the jurisdiction argument here was a bit more complex than just “they had jurisdiction over an Australian company because they shipped a single package to a private customer in the US”.
And traditionally, merely sending data packets across international borders has not invoked extraterritorial jurisdiction, no.
Australia and USA have a trade agreement. This is what got modchip company. Part of that agreement is not to break the countries law on the other side. Agreements are common like this.
https://en.wikipedia.org/wiki/Megaupload_legal_case
This is why the founder of Megaupload ends up sent to the USA.
Problem is this not just sending data across the boarder. It storing information that you may not have the legal licence to store.
Generally copyright infringement is without boarders. Its like you sign a NDA(nondisclosure agreement) online and it does not magically only apply in the country you agreed to it with. Also it does not magically mean the party on the other end has absolutely rule.
Copyright cases have show a few times issues. Just look at pirate bay as well for where they were prosecuted and where they were operating. Yes pirate bay was prosecuted in countries they were sending data to but it was legal in the country they were operating in and there was no extradition treaty.
Trade is trade like it or not.
Most of the pirate bay cases have focused on the users in a local jurisdiction using it. This isn’t the example you think it is
Unfortunately all of your arguments seem to imply you dont have the grasp of the laws and cases you think you do.
First off, that’s part of the standard data logged by pretty much every network service in existence (not just web servers, but literally almost everything). m A lot of people don’t change the default logging format, so there’s a lot of people who may not care about logging them but are.
As far as why people care at all, the biggest thing is so that you can trace abusive traffic back to its source, and to help support stateful DoS protection.
The User Agent is also PII (just like the IP address, because just like the IP it’s actually usually reasonably unique), and that’s commonly logged too, as it’s kind of important for web developers to know what technologies their users are using so they can make sure everything works properly.
Beyond that, you get into really complicated territory though. If you’ve got multiple translations, than hit counts for each page are technically personal data when combined with the User Agent or IP addresses, as they identify the user’s language preference.
I was asking in the context of a small time web business that the person was concerned about. Those who provide the network backbone will be big enough to handle the legal ramifications, and other bigger businesses will have already moved their e-commerce to some cloud provider or other hosting provider that will take care of all that.
I see no reason, not even in the quoted articles of the legislation, that says anything close to what is being accused – that you will come under GDPR merely by being visited by an EU resident.
Then I hope you’re never responsible for running an internet business system or you’ll probably run afoul of it.
Don’t worry. I’ll make sure to never visit your web businesses, where the slightest visit will record lots of identifying data about me.
You seem to forget taht this law is to protect customers from the likes of you. If you actually respect your customer’s data and treat it with care, you have nothing to worry about by being “bound by European law”. If you do worry about that, well, it just shows you’re an asshole with hidden agenda.
I can’t tell you how glad I as a customer am about GDPR: all those sneaky little bastards that kept my e-mail, phone number etc. to sporadically send SPAM or sell to other SPAMmers are now forced to actually ask me if I want that SPAM to be sent or my information sold.
This law should be made global and effective through entire world.
No, it absolutely shouldn’t, at least not on your say so.
Every nation has the absolute and uncontestible right to make their own decisions on their own laws. For you to say otherwise paints you as someone fundamentally opposed to the concepts of democracy and sovereignty.
Are you denying that protecting rights of regular citizens should be a global incentive? GDPR is part of democracy principles and it’s all about protecting regular people from powerful corporations. And from what you’ve said here it looks more and more like you are very biased in favor of those corporations. Maybe representing one?..
Edited 2018-05-24 11:46 UTC
The rights of citizens are a concern for the nation-state they’re citizens *of*, but if those citizens choose to access stuff from another country it should be at their own risk.
Nothing should be a “global incentive” unless the people involved consent to it through their proper channels.
GDPR is nothing to do with democratic principles in the slightest. Privacy of data when handled by private companies has nothing to do with expressing ones political will to the apparatus of the state.
Corporations are an institution created by the state, and their regulation should be handled by the state that incorporates them.
The EU only has the ability and the right to affect what those in its borders do. If it doesn’t want its citizens data to be handled “improperly” overseas then the proper approach it to prohibit EU citizens from using foreign services, not trying to control those foreign services.
As a foreigner with no real connection to the EU, except perhaps some visitors to my website, they should have absolutely NO control over what I do.
Let me just ask: did you actually check and confirm that GDPR applies outside of EU? Or just blowing hot smoke for no reason?
Yes, I have, and that’s what scares me. The broad scope that includes necessary technical data, the fact that it explicitly spells out that it applies to foreign “data controllers” wherever an EU citizen is involved, the fact that the local legal obligations of “data collectors” only apply where the local authority is the “Union or Member State”, etc.
It is a badly written law.
It is a good idea, but it should be heavily revised. And it should have its extraterritoriality severely curtailed.
Awesome! That’s all I wanted to hear. You see, in the internet there is no such thing as borders. You can never know if that Facebook server you are currently connected to resides in USA or EU or Australia or Antarctica… Thus all the laws regarding internet should be concerned purely with citizens involved and NOT geography.
Then tell me this
Why did the EU not choose to require any company resident in the EU to provide GDPR rights to *any* customer, regardless of the origin of said customer? It would certainly make more sense to apply the law this way, and would be more “universal”, and be more clearly legal. Why did they also choose to make only EU or member state law a valid excuse for failing to comply, rather than the local law of any relevant regime?
This is meant as a “fuck you” to foreign companies, the privacy aspect is window dressing to make folks like you guys support it to the hilt, regardless of the actual wording of the law.
Read the damn thing with a critical eye for goodness sake!
You seem to object to complying with the GDPR yet you are thanks to your Government subject to whole troves of US law.
Do you have something against a sensible policy on how you handle the data for people who use your site?
Do you object to them being able to see what data you have on them and being able to correct it if it is wrong?
Do you have objections to them telling you to ‘get lost’ and delete their accounts and all the data you have on them?
If you do, please give us the URL’s of your sites so that we can add them to out ‘block this site’ lists?
I actually dont have one, I’m discussing this in principle.
As for blocking – you dont block a site, you block yourself from accessing it. Also – who is “we”? If you mean individuals choosing to restrict their own activities sure. If you mean restricting other people’s browsing then that’s not cool.
A trivial semantic difference, given how many consent-assumed 3rd-party requests whitelists/blacklists are meant to control.
“Add it to my HOSTS file” and/or “Blacklist it in uMatrix”, if you prefer.
Okay fair enough.
My point was more that its an individual choosing not to access something rather than preventing that something from doing anything. It’s a self imposed limitation on oneself.
Self imposed exile?
Possibly but I prefer it as controlling where my internet fingerprint goes and who has things like my email address and other stuff.
Put enough of that together, and you can get a good picture of who someone is and all sorts of other data on them.
This is one of the things that the GDPR is adressing. IF you operate a site and I’m signed up to it you have control of data that relates to me. It is in your best interest to ensure that the data you hold on me is correct and if I want to sever my relationship with you I should be allowed to do that.
IMHO, there is nothing fundamentally wrong with that and I should be allowed to delete the data that you hold on me.
@Tom: let us know about the data that Google, Apple and Android collect. (GDPR) I would really like to read an article about it!
Also, what data OSAlert stores that qualifies under the GDPR and whether OSAlert is in a position to be able to provide the data removal provisions of Article 17?
EDIT:
(Yes, I’m aware I have no rights – only potentially responsibilities – under the GDPR but others may find it useful)
Edited 2018-05-24 10:02 UTC
Anyone wonder about the WHOIS information, where if you have a domain registered you’re basically supposed to have your address/name in there? I mean there are some extra costs you can throw to your registrar to hide that, but it should fall under the GDPR too, one would think.
Most of the European ccTLD domains have this covered. For example look at the dot IE whois output
Basically no personally identifiable data in it etc.
https://www.iedr.ie/whois-result/?whois=google
ICANN basically got a rude awakening when they tried to crack down on some of the European registrars who were limiting whois output. The Registrars basically said ‘that section of our contract is illegal under GDPR and thus null & void’
Nice to have but there is a catch to it. You can only access once the data that a company has from you. There is nothing in the law that prohibits them from asking money the second time you will do that.
I don’t like MS, but I like this move.
I read all the comment talk above, lots of BS in there.
Personally, I don’t care if a website I agreed to use retains data about me. However, and I expect GDPR to help with this, I am against that website selling my data to everyone who’s willing to buy it, and without me knowing who gets it, since before GDPR they were not required to get consent – except the usual generic and broad terms that you accepted. Terms that could change with the weather, especially in the US (but not only).
There are some good signs. E.g., yesterday I could opt out from a gazillion idiotic 3rd party data sharing options at a service I’ve been using, and I find that good. And it wasn’t the only one.
I understand some of this can be hard, especially in countries where data protection regulations have been practically non-existent and companies needed to make big changes. However, in many EU countries some level of data protection laws have already existed, GDPR just modifies/extends things.
My opinion is, we should collect the biggest complainers, always good to know whom to avoid
I have a question when it comes to using cookie/domain blockers such as Privacy Badger, now that you are able to manage cookie consent to some extent through the webpages themselves.
If you use Privacy Badger to block a webpage cookie consent dialogue, cookiebots, domains etc. are you blocking data collecting more effectively or have you indirectly given your consent to some data collection, since you have “skipped” the webpage consent dialogue where you were able to manage cookie options?