This article is terrible, and clearly chooses sides with advertisers and data harvesters over users – not surprising, coming from Bloomberg.
For some of America’s biggest newspapers and online services, it’s easier to block half a billion people from accessing your product than comply with Europe’s new General Data Protection Regulation.
The Los Angeles Times, the Chicago Tribune, and The New York Daily News are just some telling visitors that, “Unfortunately, our website is currently unavailable in most European countries.”
With about 500 million people living in the European Union, that’s a hard ban on one-and-a-half times the population of the U.S.
Blanket blocking EU internet connections – which will include any U.S. citizens visiting Europe – isn’t limited to newspapers. Popular read-it-later service Instapaper says on its website that it’s “temporarily unavailable for residents in Europe as we continue to make changes in light of the General Data Protection Regulation.”
Whenever a site blocks EU users, you can safely assume they got caught with their hands in the user data cookie jar. Some of these sites have dozens and dozens of trackers from dozens of different advertisement companies, so the real issue here is even these sites themselves simply have no clue to whom they’re shipping off your data – hence making it impossible to comply with the GDPR in the first place.
The GDPR is not only already forcing companies to give insight into the data they collect on you – it’s also highlighting those that simply don’t care about your privacy. It’s amazing how well GDPR is working, and it’s only been in effect for one day.
I am a little surprised that so few people are opposing this bill. I think it’s a little insulting to think that companies like Google and Facebook should publish their algorithms that they paid billions to develop. I also find it insulting that the EU thinks their laws should be enforced in the US. Furthermore, this could be the final nail in the coffin of traditional newspapers, who were struggling to come up with money before the EU said they need to spend millions on new technology. Many of those who did comply, merely shifted their activities to Google, Microsoft, and Facebook; growing their already massive monopolies on the industry. I don’t think claiming compliance indicates anything, and I’m curious how many companies just lied because they couldn’t afford to operate if they did. Who do you think will ultimately pay for these changes? Will you be happy when you have to pay to use every website?
Edited 2018-05-25 20:43 UTC
Yes?
So, the algorithms part is related to the “right to explanation” portion, which requires companies to inform the user how the data was computed by an algorithm; this is more commonly referred to as trade secrets.
I feel the GDPR is equivalent to saying if you sell something in the US, you need to comply with EU law, or like me visiting a country in the EU and expecting them to enforce US laws. That is very weird, and ultimately why the newspapers are blocking access from EU visitors.
Well, I do not like the model of paying to access every webpage. I don’t want to think of what types of payment models would be required for this to work out.
For example, I don’t believe this site has informed me of what information is captured about me on the forum (i.e. do they log IP addresses; if so, where is my opt-out button; how often do they review those logs, and what actions do they take against them; finally, how do I request that all the data is removed).
Unless this forum has all of those processes clearly documented and implemented, they could be subject to billions of dollars for each infraction; that sounds like BS to me, but technically because they seem to support it, maybe they should be happy to pay it.
Update: I just noticed that Google and Facebook are facing nearly 9 billion dollars in fines because they don’t allow incremental opt-out functionality. – oops, looks like it was more like 7.8 billion – the article I read was updated… https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-law…
Edited 2018-05-25 21:11 UTC
You’re a troll. The right to explanation means the right to know why they keep the information.
If you think that Google’s or any other corporation’s algorithms can be explained in a couple of paragraphs, you must be the shittiest developer ever.
Go trolling with your misinformed defense of invasion of privacy and data mining elsewhere.
I’m not trolling. I am opposed to a horrible piece of legislation that makes dangerous changes to the economic structure of the Internet. I feel that many people don’t understand this, and as a result they blindly accept a false view of what this law really does.
Maybe I am wrong, and we won’t see widespread changes to the cost structure of using web services; however, calling me a troll certainly doesn’t prove anything.
— P.S. if I am wrong, please use facts to correct me. I don’t want to go around ranting about something that I’m obviously wrong about, but as I see it, this legislation is a disaster.
update: Here is a video that points out my concern over the right to explanation https://youtu.be/-D8-jcCLRDc?t=50s
Edited 2018-05-25 21:41 UTC
If you listen to what the guy says in the video, he says “in theory”.
So even if he is totally right on this, this is a theoretical case.
It might become real when someone feels discriminated and goes to court. Then a company shouldn’t be able to hide behind “collected data and algorithms” to claim they are not liable.
Since it is a theoretical case we won’t know until it happens and the courts decide on how to interpret the law. This is how laws work.
So calling this “a horrible piece of legislation” is a bit far fetched.
An additional issue popped into my head when I started thinking about the kind of data collected: most blog operators probably don’t publish detailed operational procedures related to how they deal with trolls or inappropriate content. Technically, these are multi-billion-euro violations.
Many of these bloggers might not even be aware that the software they use logs information on a web host somewhere, but they violate the GDPR because: undisclosed data is logged; the blog owner didn’t write processes and procedures regarding how that data is used; and the blogger did not document a clear process for removing that data for a given user. In many cases, service providers probably won’t have any idea they are violating the GDPR, and unless they review every line of source code used on the site, they never will.
The fines for not complying with the GDPR are based on a percentage of worldwide revenue… If you’re an individual who writes a personal blog you are not making any revenue, so there would be no fine… The legislation is aimed at businesses, not individuals; I’m not sure it would even apply to an individual at all.
Also, if a company is based in the US, has no operations in the EU and is not specifically targeting EU-based users (i.e. their website just happens to be reachable from the EU), then they wouldn’t need to bother with the GDPR either. I doubt the big sites from China and Russia like mail.ru and Baidu etc. will bother with GDPR compliance even though they are reachable from EU countries.
People regularly buy goods from the US and have them shipped to the EU, or bring them over on a trip. These purchases don’t benefit from the tougher consumer protection laws present in the EU, which is one of the reasons why goods are often cheaper in the US. Goods are often even cheaper in Asia too, as they’re closer to the point of manufacture as well as not having to comply with so many regulations – but this can often result in inferior products.
Again, not quite. It applies to any EU citizen regardless of where they are in the world. It pays no attention to jurisdiction, etc.
The only way to be 100% in compliance is to have a legal requirement that a user validate they are not an EU citizen, or to block their access outright, because if you’re not servicing an EU citizen then you have no obligation to be in compliance with the GDPR; but once you service an EU citizen you have to be in compliance with the GDPR, and 100% compliance is impossible.
GDPR has no minimum fine, only a maximum. A maximum that is very very very unlikely to ever be applied. I doubt Equifax would have been hit with the max for instance. Fines will depend on each individual case.
I’ll defer to https://www.gdpreu.org/compliance/fines-and-penalties/ for details; but as presented in the GDPR training I’ve done, they’ve viewed the Upper Penalty (maximum 20 Million Euro or 4% of world wide annual revenue) as the penalty – probably to scare everyone into compliance…but yeah.
The advertising business can continue under this law, but they must be transparent about how they use data compiled about you. Also, the GDPR requires that you have the possibility to opt out. That might lead to increases in volume since targeting usually is more price-efficient. But I would rather have the possibility to choose between more non-targeted or fewer targeted ads than not having the option at all. People talk a lot about freedom; isn’t this one form of freedom?
Up until now the field advantage has been towards the companies. Now consumers/individuals get some rights back. And this will be a divider, which companies have a sound business model that still works under a new climate?
Companies that cannot adapt to changes in the world are doomed to go under. And if you are really a pro-market capitalist, you should be in support of this. A company that only can exist if there are no regulations, they have no real obligations and everything is smooth-sailing are IMHO not worth existing.
There is no such thing as complete 100% GDPR compliance because such compliance is impossible.
The question is not are you compliant, but how non-compliant are you? Right now, folks are just trying to show a best effort towards being theoretically compliant against what is currently known; but once you introduce a third-party integration (f.e GitHub, JIRA, etc) compliance goes out the window with no hope of return.
With that comment, what kind of arrogant mentality do you like to express?
Why do people keep writing this FUD?
EU law – including GDPR – covers things *in the EU*. If the data is in the EU, it is covered by EU law. If it is in the US it is covered by US law. It really isn’t that hard to understand.
There is a basic problem here. You buy a book from the EU; it has a copyright license on it; you place it on a US server. Does that copyright magically become null and void? Of course not. Just like you cannot take a physical book from the EU and mass-produce it in the US and avoid copyright.
A person’s private information does have a copyright license. If all the data is sourced from the US, all the licenses to that data are from the US. If you source information internationally, you have international licensing to deal with.
Basically this is the same problem. If you were doing this in the physical world there is a particular set of rules. Those operating online services have been ignoring that these rules exist, including when they should have Private Investigators on staff.
Those who have been ignoring this problem will have under qualified staff and find it insanely hard to implement GDPR.
Reality is, with all the focus on GDPR, most people are failing to notice that if a company is having trouble doing GDPR they are most likely breaking their hosting country’s laws and those of the country they are an entity of. Most of these laws do not have fine limits.
GDPR is written around protecting the privacy of EU citizens and does not limit itself to data stored within the EU.
So if you are a US company and you have an EU citizen access your service, then the GDPR views your service as within the scope of the GDPR, regardless of whether the EU citizen accessed the service from within an EU country or if they were traveling abroad and accessing your service from another country (f.e from within the US or even Australia).
That is then the problem – how does one identify an EU citizen to differentiate them from a non-EU citizen? Since you can’t easily differentiate the GDPR has to be applied globally in order to ensure 100% compliance unless you block (or put it on the user to self-verify and then block) EU citizens.
Now some may say online companies have been ignoring various laws around the globe – but that’s not really the case. They follow the laws of where they are established. We see the hustle around the GDPR because it is so broadly scoped and tries to encompass every jurisdiction that an EU citizen may enter – thereby bringing in companies that previously ignored the EU because they had no business relationship with the EU unless an EU citizen reached out across borders to create such a relationship – f.e a company entirely hosting their site and operating within the US or Australia but having an EU citizen do business with them because they can access the site over the Internet, not because they are purposely seeking to do business with an EU citizen.
No. If the service is in the US and the person accessing it is in Australia, then neither the person nor the data is covered by GDPR, no matter where the person is born. Have you even looked at GDPR? It says nothing even remotely like this.
For GDPR to cover anything “US” it has to be a service for people in the EU (like facebook.com/de) from a business that has a presence in the EU, like facebook does. It is covered because the data is *in the EU*.
At least read it before you spread FUD.
Problem is, corporate training provided by people that have dissected the GDPR *are* talking about it that way because the GDPR is centered around the EU Citizen (not birthplace, but citizenship), not where they are accessing it from or where the services are provided from.
Essentially, if you store data on an EU Citizen you are under the GDPR, regardless of how you got that data or from where. Doesn’t matter if the EU Citizen gave it to you while they were in the EU or not; doesn’t matter if you directed your services at EU citizens or not.
So if you only have a mycompany.us website (e.g. the TLD for US-oriented websites, though it’s almost never used) and someone from Denmark creates an account while visiting Australia or South Dakota, then you fall under the GDPR. (FWIW, this is why regionally blocking IPs doesn’t really gain you compliance.)
I believe the issue is that the EU is trying to bypass the U.S. Congress in enacting legislation in the U.S. If the EU is not the market these news outlets target, they have every reason to block EU readers. You have to keep in mind that we do not understand GDPR outside of giving a reason for EU web companies to relentlessly spam our emails over the last week. We have enough to deal with in U.S. regulations as it is. You are asking us to require every web company to hire an international law lawyer. It’s cheaper to block EU IP addresses.
No, this is a lie. Big companies already have legal counsel like this. As already stated, if you do business somewhere you need to follow local laws. This is just another “local” (or perhaps regional) law. Big companies working on a global scale already have these resources; they do not need to hire anyone new. Small companies mostly rely on their suppliers of the systems they use; those system suppliers might need to step up their game, but most already have and are compliant. If someone is claiming that every web company needs to hire an international law lawyer, I would guess that claim comes from the big industry in the US that pushes the need for lots of lawyers: the legal industry.
If they block EU IP addresses it is just as the original submission says: these companies do not fully understand their own operation. If they did and had it documented, there would most likely not be a problem. (If there still was, their business model was probably built on shady practices.)
And if US news sites want to geo-block non-US visitors, fine; this is what many media companies have been doing for years. For example, I cannot watch BBC programming on the web, and I am a European. Some YouTube videos are not available where I live.
The funny thing is that these newspapers had apparently a hard time adapting to the GDPR, whereas I have heard nothing from the European newspapers I use online. Sure, they had no option other than being compliant, but they haven’t forced me to read any new policies or agree to anything else. They haven’t complained so far. Nada, zip, zilch. They have been completely quiet (although I imagine they have been doing whatever needed to comply, since they cannot afford non-compliance).
Is it perhaps because they had less invasive advertising and logged much less of my personal information to begin with?
And the size of newspaper sites in my country is dwarfed by the sites referenced in the article, so they have far fewer resources at their disposal.
There will be a number of EU news sites being visited by the regulators I suspect. The fact many are still loaded with trackers is proof of this. There can be no informed consent to being tracked without a complete list of the trackers and what the data is then used for. This cannot be done as they are injected from ad networks.
You could make that assumption, but it’s a bit myopic.
It might just be self-defense.
The way the GDPR is written, it’s very difficult for even an expert in international law (which I’m not) to decipher.
Some people are claiming that if as much as one bit of personally identifiable data for an EU citizen is stored on an American server, then that entire server is subject to the entirety of the GDPR law– this doesn’t actually seem to be the case, but it’s still a bit foggy.
For a user within the EU, it appears that storing personal data on a US server brings the US server into the GDPR’s domain.
If that’s the case, then the liability of trying to comply with US laws such as the Patriot Act (which can require data to be turned over without notification) and the EU GDPR is so massive that the only thing to do is block one group or the other.
Then there’s the question of what happens if an EU citizen visiting the USA has to go to a hospital in the US (Yeah, I know, they book a flight home and hope they make it….. )? Does this mean that the hospital I work for needs to update their systems to comply with GDPR (I suspect we already do, but we’re also ahead of the curve compared with most institutions)?
The way I read the wiki article (ha!), since they’re not in the EU, the answer is no– but I’m not a lawyer.
And, not being a lawyer, I don’t know how the Patriot Act, HIPAA, half a dozen other privacy laws, and the GDPR interact– and I suspect most companies don’t either, even if they *do* have lawyers on hand to answer the questions.
Just to point out the possible consequences: The law’s only been in effect for 24 hours, and Facebook has already been sued for $8.8 BILLION USD.
Believe me, I’m in favor of data privacy (I only hang out on sites like this that aren’t part of the Facebook or Google empires, as a rule), but there’s a great deal to digest in the GDPR, such as the sections on “Data protection by design and default” and “Pseudonymisation”, both of which may have dramatic impact on cloud services, for example.
Pseudonymisation, for example, requires personal data to be encrypted (or tokenized)– and specifies that the decryption key must be “kept separately” from the data– How then, do I use the decryption key? On another server? Do I have to type it in manually? Or does it just have to be in a different subdirectory? Does this mean I can’t decrypt data automatically?
Does your cloud service encrypt / decrypt your data? That’s not allowed any longer. Off-site encryption / decryption is allowed, but only if you possess the keys, not the cloud service. Good luck if you lose the decrypt key.
Finally, just out of curiosity – Thom, are you absolutely sure that OSAlert complies with all aspects of the GDPR? Since as far as I know you derive some income from this site, I presume the GDPR applies to you as well. Can you fulfill all the requirements of Article 15, and provide a copy of our data “in a structured and commonly used standard electronic format”?
I’m not asking for the data, but as the veteran of many security audits and assessments, it’s a good idea to be prepared (Hey look, another Privacy policy update in my inbox! Whee!).
I see this FUD everywhere. Why do you think EU law suddenly applies in the US? It does not. If an EU citizen is hospitalized in the US they are under US law. If on the other hand a US citizen is hospitalized in the EU, then their data at the hospital is covered by EU law.
What about where data is transferred from EU hospital to US hospital. Does the copyright on that data magically disappear? No right. Remember EU copyright due to treaty is valid under US Law.
This is the catch with GDPR: it’s not just EU law; it tweaked the EU general copyright on all data sourced from the EU, and copyright is recognised in most countries.
I really don’t see your point.
If data goes from X to Y there are laws (like Privacy shield) you have to uphold to do that transfer in the first place. If you don’t want to follow the laws then you can’t legally transfer the data, so unless you broke the law the data will never end up causing the situation you outline. It is no different if it is from the US to the EU or the opposite direction.
“Whenever a site blocks EU users, you can safely assume they got caught with their hands in the user data cookie jar”
Nope. You can safely assume that they understand the cost/risk of implementing GDPR, and have realized that reducing the customer base from 7 billion (entire world) to 6.5 billion (entire world, minus EU) is more viable.
(sorry, accidentally posted with wrong title)
Edited 2018-05-26 05:40 UTC
So all customers are equal? The purchasing power of each and everyone of the remaining 6.5 billion are equal to the purchasing power of those half billion they excluded?
No, you can safely assume that they do not fully understand/have not documented their own operation, and now, when required to do so, they would rather not do it and lose customers/users instead. Companies like these I call “sinking ships”. They might float now when everything is easy, but hope they don’t get caught in rough weather, because even if they try not to be evil, they don’t know how their own ship operates and will go down sooner or later. You can only hope their salvation will be a safe pond that you allow them to play around in by enforcing as little regulation as possible and giving them as much of your data as possible.
I don’t worry, most of them will turn around eventually. You see, I think these US companies rather not lose all those potential users from the UK and Belgium even though they could keep the ones in Burkina Faso or Laos.
If you want to do numbers, ask these companies how many users they had (A) in the US, (B) in the EU and (C) in the rest of the world. Those numbers would be far more interesting than 7 or 6.5 billion.
“So all customers are equal? The purchasing power of each and everyone of the remaining 6.5 billion are equal to the purchasing power of those half billion they excluded?”
It is irrelevant. If you do a startup and fail on one of the many impossible requirements of GDPR (such as parental consent, for which there is zero infrastructure, at least in Scandinavia where I live), they can fine you out of business. So 6.5 billion safe customers is much more attractive than 7 billion where you play “Russian roulette”, regardless of theoretically reduced purchasing power.
Personally thinking about doing a(nother) startup (EU citizen as mentioned), have 0 intentions of scamming anyone or their data, but seriously considering going for completely non-personal-data project (limited functionality) or blocking EU (my own neighborhood, friends and family).
It is easy to blow out rage at the big corporations, thinking we’re all the same. Reality is, many of us are honest hardworking engineers/managers who after having eaten through the piles of legislation simply have realized the dire implications.
My thought was along the same lines too. The new laws are so vague that it can be difficult to know who is affected and how. So companies need to make the choice: Is it going to cost more to do business in the EU and maybe get fined, or stop doing business in the EU? Some are clearly opting for the latter.
This doesn’t mean they got caught doing something, or that they are unaware of their own actions. It might mean that. But in a lot of cases (from the discussions I’ve had) it’s more a case of balancing a known cost (not doing business in the EU) with an unknown cost (potential fines from ill-defined laws).
Personally, I think more privacy laws are a good idea. But this one had a clumsy execution that is going to take a while to shake out.
Look who’s talking! When will OSNews comply with GDPR? You have an astonishing number of cookies and trackers on this site.
https://imgur.com/a/YMNkeF5
https://www.techdirt.com/articles/20151028/09424232657/right-to-be-f…
A lot of the items of GDPR apply outside the EU as well, just under different laws, and I bet a lot of these USA news sites are still breaking the laws in many countries.
https://www.qld.gov.au/law/laws-regulated-industries-and-accountabil…
Here is a fun one. Collecting personal information without permission in Australia requires a license unless you fall under a special exception. Please note the special exception does not cover marketing.
Yes, there has been a big problem of collecting data that is legal in the hosting country but is technically illegal to collect without correct permission in many countries. Just at this stage the courts have not started applying this to online operating companies that often.
The basics of trade, that it has to be legal on both sides, have been forgotten by a lot of those operating online services.
Many US news web sites use “sponsored content” from a group of companies, the biggest being Taboola and Revcontent, that track you and serve up ads without any hint of affirmative consent.
Either they give up EU users, or they give up their revenue.
They put up scammy ads, intersperse them with content, and make money for sites.
This post sums it up well: http://www.mondo2000.com/2017/11/14/online-ad-fungus-spreads-brain-…
EU web sites do the same, and are still doing so now. Enforcement will be interesting, if it happens at all.
It’s incredible how little the people defending unlimited access to others’ information care for privacy or how information is used.
Most countries have the same laws regarding physical data acquired in paper, but they go insane when they now get applied to electronic data and companies are required to disclose what they have to people because of the breadth of data that they can acquire electronically without the user knowing.
The authoritarian nature of those people who defend corporations over people’s rights is blinding them to stepping back and thinking, that, or they think that it can’t be used for nefarious purposes if it’s still a free for all.
To be honest, for many sites it is not worth complying with EU law. I am happy to see that many were kind enough, but I can expect that e.g. many of the Japanese sites I visit won’t, or many of the small sites which I visit, where 90% of visitors are from the US or UK, won’t.
I am really looking forward for the EU version of the Great Firewall.
You call a law defending citizen’s rights “a firewall”? I say all those not willing to comply with this law are assholes exploiting their own customers and should be blocked by an actual firewall.
I like to think that the internet is an international thing, not something policed by the EU or any other superpower.
If I visit a foreign site I would expect that it operates under the law where they operate or where their server is located.
If there is an agreement made between two entities that is one thing, but the EU deciding how companies in other countries should operate their business is straight imperialism. If China does the same, everyone cries havoc.
So, basically, what you are saying, if certain country decides that it’s totally fine to serve malware such as worms and ransomware on each website in their country it should be accepted as their right to do so and no one should “police” them?
In a way like Russia is lately performing loads of cyber attacks and stays unpunished? You think this is OK? You think this is how things should be on the internet?
What you seem to ignore is that this law is not restricting, banning or forbidding – it is simply requiring everyone to respect their customers and their right to know and choose how their information is used.
Edited 2018-05-29 05:31 UTC
That’s not necessarily what it means. It might mean that they do not care to put in place expensive processes and procedures to ensure compliance with regulations that don’t apply to 99.9% of their actual customers.
That’s a bit of a stretch – and within spitting distance of being an outright False Dichotomy. While I generally agree with your interpretation of the Bloomberg article, they’re far from the only ones raising concerns about potential negative consequences of GDPR – for example, Brian Krebs has written 3 separate articles about the potential implications for/harm to independent security research:
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-se…
https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-…
https://krebsonsecurity.com/2018/04/security-trade-offs-in-the-new-e…
I’ve personally considered blocking traffic from the EU for some of the sites I manage, not because I have any desire to use EU residents’ PI in a nefarious way, or excessively use third-party trackers – hell, I don’t even use Google analytics with most of my own sites (or AdSense, both unlike OSAlert, I’ll note), since server-side stats are almost always more useful. Rather, the precise reason I’ve considered it is because of all the uncertainty – I know (or have a fairly good idea) of what it would take to block EU traffic, but it’s substantially less-clear what GDPR compliance requires. Particularly given the evident intent to apply GDPR to any business website that receives traffic from EU citizens, even if that business is not located in the EU and doesn’t do any sales/have any customers there.
I have decidedly mixed feelings about that last part. On the “for” side, Canada has had comparable federal privacy laws since 2004 (PIPEDA, the Personal Information Protection & Electronic Documents act), which provides most of the same protections – but it’s gone largely unenforced, because many (if not most) of the organizations collecting PI on Canadians are not based in Canada. It seems that, by applying copyright protections to PI, the authors of the GDPR found a fairly clever workaround to that issue – assuming that holds up when it’s actually tested.
That said, on the “against” side, it seems like an attempt to impose EU laws on the entire world – and it’s strange to see that being praised by many of the same folks who lambast the US (rightly so) when they try to pull the same thing. E.g. that recent/ongoing attempt to claim legal jurisdiction over data on Microsoft servers located in Ireland because they’re controlled by a US company. It also seems directly contrary to the way things work offline: if I physically go to a store in the EU, they’re not required to collect & remit HST/GST or provide service in one of Canada’s official languages, etc – for the simple reason that they’re outside of Canada, meaning they’re not bound by Canadian laws (with limited exceptions provided under international law).
The GDPR also seems to overreach in terms of what it considers PI, particularly IP addresses – which seems more than a little excessive, since an IP address CAN be personally identifiable when combined with ADDITIONAL information, but not on its own. Not to mention the fact that there are significant, legitimate technical reasons to retain IP addresses in server logs. And I know of many businesses that have websites, but don’t have the technical resources to scrub logs of IP addresses on request (and certainly don’t have the financial resources to pay someone to do it for them, at least with any kind of frequency).
I also think that the proponents of the GDPR are being naive about how enforceable any rulings will be against companies outside the EU & who don’t have any customers in the EU. Treating PI as a copyright matter is all well and good, but that doesn’t magically mean that all/any other legal jurisdictions will accept GDPR-related ruling as being valid copyright matters. And that’s aside from that fact that most countries are generally fairly resistant to enforcing foreign legal rulings against their own citizens (some more so than others *cough*the US*cough*), especially for actions that would not be a crime in their own country. And that’s not even getting into places like Russia & China, that are widely known as havens for actual online crime (financial fraud/theft, malicious intrusions, selling counterfeit pharmaceuticals, distributing child porn, etc) – being notorious for turning a blind eye to crimes committed by their own citizens, as long as the victims are all foreigners. Does anyone truly expect that countries like Russia & China are going to enforce GDPR rulings? SERIOUSLY?
Incidentally, if the EU actually is successful in enforcing the GDPR outside of Europe, is anyone giving odds on how long it will take for companies that commit genuine privacy abuses to just move their operations to countries that are known to ignore/not enforce GDPR rulings?
Edited 2018-05-27 20:04 UTC
Retaining IP addresses in logs? You are probably OK with doing so. The right to erasure is not absolute. You are processing IP addresses as part of the service you provide, i.e. a website; failing that, you have a legitimate interest, and therefore need to see what IP accessed when so you can investigate intrusions etc. This technical basis is good enough. If, however, you are taking your logs and selling on information about the pages people visit, GDPR is intended to stop such abuses.
Take a look at what the UK ICO (they are the body who will take action here if there is a breach) has to say: https://ico.org.uk/for-organisations/guide-to-the-general-data-prote… – you can even refuse if it will be too much work, or charge for doing so, e.g. scrubbing your log files.
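An added example (not from any poster in this thread) of the two log-handling operations the discussion keeps returning to: pseudonymizing the client address in web server logs with a keyed hash, which keeps the legitimate-interest use (correlating requests when investigating an intrusion) while no longer storing the raw IP, and erasing a single address on request without discarding the rest of the log line. The log lines, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format, using RFC 5737/3849
# documentation addresses; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2018:20:04:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [27/May/2018:20:04:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58"
2001:db8::1 - - [27/May/2018:20:04:03 +0000] "GET /admin HTTP/1.1" 403 128 "-" "python-requests/2.18"
203.0.113.7 - - [27/May/2018:20:05:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Hypothetical secret known only to the site operator; destroying it makes old tokens unlinkable.
PSEUDONYM_KEY = b"constructed-demo-key-change-me"

def pseudonymize_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC token for an address: the same client always maps to the same token,
    so requests can still be correlated during an investigation, but the IP is not stored."""
    addr = ipaddress.ip_address(ip)  # ValueError if the field is not an address
    return "ip-" + hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]

def _map_client_field(text: str, fn) -> str:
    """Apply fn to the leading client-address field of every log line."""
    out = []
    for line in text.splitlines():
        head, sep, rest = line.partition(" ")
        out.append(fn(head) + sep + rest)
    return "\n".join(out) + "\n"

def pseudonymize_log(text: str, key: bytes = PSEUDONYM_KEY) -> str:
    return _map_client_field(text, lambda ip: pseudonymize_ip(ip, key))

def erase_ip(text: str, ip: str, placeholder: str = "[erased]") -> str:
    """Honour an erasure request for one address while keeping the rest of each line
    (path, status, timing) for aggregate statistics; non-address fields are left alone."""
    target = ipaddress.ip_address(ip)

    def redact(field: str) -> str:
        try:
            return placeholder if ipaddress.ip_address(field) == target else field
        except ValueError:  # e.g. an already-erased placeholder
            return field

    return _map_client_field(text, redact)

def requests_per_client(text: str) -> Counter:
    """Per-client request counts; gives the same picture on raw and pseudonymized logs."""
    return Counter(line.split(" ", 1)[0] for line in text.splitlines())
```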
The reality here is a failure to think about what the requirements would be if you were doing this in the physical world. In the EU and most other countries, to do this in the physical world you should have a Private Investigator’s License at a minimum. A Private Investigator is allowed to have and use other people’s personal information without their approval. A Private Investigator is required to handle that information under particular rules regarding privacy.
A Private Investigator is not allowed to be a random person; they must have a criminal background check that must go back at least 5 years, with most jurisdictions having a minimum of 10 years.
GDPR defines what a general unlicensed person can access. The rules are different for licensed personnel, even in the EU. If site administrators are correctly licensed, IP addresses and other personal information being in a log only accessible to administrators for operational requirements like performing anti-DOS is really an investigation.
Yes, a Private Investigator is also taught how to handle evidence legally.
You are right, daveak, that the “right to erasure” is not absolute. But it does not mean random unlicensed people can disobey this. The reality is that if you are finding the task of GDPR too hard, you most likely have under-qualified staff who don’t have the legal permission to be handling private information without the person’s permission, and have been breaking your own country’s laws anyhow.
Edited 2018-05-27 23:13 UTC
Seriously? Up until that last paragraph, your post was reasonable and your points well-articulated. But then you end with a blatant bit of tautological reasoning, and a dash of the “No True Scotsman” fallacy. In other words, you’re drawing unfounded conclusions about people’s competence/qualifications, based solely on the fact that they have concerns about GDPR compliance.
Also, there are actually non-EU countries that are not the US, and even have strong privacy laws at the federal level that predate the GDPR by years (or in the case of Canada, nearly a decade and a half – nice to see the EU catch up, though). Strangely, I don’t remember having or hearing about any major problems with PIPEDA compliance, probably because 1) it was written by people who actually seemed to have considered bigger-picture implications, 2) it wasn’t hopelessly vague (nor did it fuel a torrent of spam for snake-oil “PIPEDA compliance” consulting services), and 3) it didn’t contain any absurd overreaching in terms of what it considered personal information – like IP addresses.
Edited 2018-05-28 02:01 UTC
Those older laws did not use copyright law, so they don’t automatically cross borders. This is what makes GDPR different. If those other laws update to use copyright as well, things could get really interesting.
I do stand by my point: if you are having trouble conforming to GDPR, you most likely have under-qualified personnel in the wrong positions.
under-qualified staff who don’t have the legal permission
This here is the basic problem.
1) When you understand how many people inside a company automatically have a private investigator license to start off with, there should be enough private investigators inside the company to deal with all problems.
2) Information technology personnel doing administration of servers/reading logs… should be working directly under the command of those personnel who automatically get a license, or the lead information technology person has a Private Investigator license so the sub-personnel can work under that with supervision.
3) All information should be handled conforming to the requirements of Private Investigation. This covers privacy laws and the exceptions to privacy laws that are in the law that Private Investigators operate under.
It’s really not that hard to be GDPR-conforming if your personnel are correctly organised with the correct chain of command to be legal.
4) The problem here is that a lot of third parties that sites use for advertising and the like have not performed any vetting that they are conforming.
I think we may have been talking past each other somewhat/talking about two different things. I’m specifically talking about GDPR and its supposed applicability to organizations outside the EU & with no customers in the EU – Canada in particular, since that’s the country where I live/work & the country whose privacy laws I’m most familiar with.
If you mentioned previously that you were specifically talking about Australia/Australian laws, then my apologies for missing it.
– https://easydns.com/blog/2018/05/28/gdrp-why-should-any-non-euro-com…
This is forgetting that insurance is a large operator, and when you contract them to insure you in case of public liability, they are also required to help you avoid public liability problems with correct direction and information.
If small and medium businesses know where people with private investigator status are and how to make use of them, there should not be any major cost. Like when you are paying for public liability insurance, you have already paid for the service of advice. Yes, a lot of small and medium businesses get themselves into a lot of trouble because they don’t use the advice services they are paying for.
GDPR covers the physical world; it isn’t a digital thing. A PI is allowed to have personal data without their approval? So is anyone else, so long as they can show they are meeting one of the other lawful bases for processing the data. There is nothing special here with regards to data protection. Under GDPR a PI would probably claim legitimate interests as the basis. This however does not mean that interest would override that of the data subject. Depending on the investigation they may claim vital interests, but that is unlikely.
GDPR defines what anyone can process. There are derogations a country can put in place in their implementation of the regulation, but that is it. The closest I can understand from a UK perspective of a license is the registration with the ICO as a data controller, which with a few exceptions, anyone handling data has to do.
I didn’t mention disobeying at all. The law states there are circumstances where the right to erasure may be overridden. The issue then is providing the evidence as to why you cannot remove the data. If you can, then fine, you are OK; if you can’t, then the data needs to be removed.
In most places, to prove this you will require someone with PI status as the one making the statement as to why.
Basically this is chain of command and qualification. Those with PI status should have the education to make legally sound judgements.
Likewise, the right to be forgotten also aligns with basic law about not causing defamation of character.
https://supreme.findlaw.com/legal-commentary/can-a-true-statement-fo…
Yes, even if a statement is true, that does not mean it cannot be libel if context is lost. So in a lot of cases it is way safer to just delete when requested.
Most of GDPR you should be considering in the US and other countries. Not due to GDPR, but due to legal rulings and the risk. Please note that outside the EU there is no damages limit.
The thing to remember here is that data may not be able to be removed, but that does not mean you have the right to show it to outside third parties. So the person who has PI status should also have a written-up risk mitigation plan for cases where the data cannot be removed.
This is like workplace health and safety: you cannot be 100 percent safe all the time, but you can do it as safely as possible. This is why an unqualified person should not make the judgement call that something cannot be deleted. Because declaring that you cannot delete something now means applying an operational risk mitigation plan. This is not a requirement of GDPR but of general common laws around the world.
Yes, a lot of people have ideas that they can do a lot of things without PI status; this is not the legal case at all. There are crimes for collecting personal information while missing PI status or direction from someone with PI status. These crimes have been prosecuted for over 100 years.
I’ll bow out here, the law in your country is obviously completely different to here with all your talk of private investigators, which doesn’t fit with the GDPR at all.
This is a mistake.
Private Investigator law starts in the UK and is replicated fairly much everywhere.
In the UK you cannot at the moment apply for an individual Private Investigator license. So you have to work for or employ people who automatically get the license, that is, fully qualified accountants, lawyers and insurance assessors in the UK. There are many states in the USA in exactly the same boat. But people there make the mistake, since a registration body does not exist, of thinking they can do investigation legally, when that is not the case.
The reality here is that GDPR is written in the EU, where there is Private Investigator law with automatic assignment to particular people and, depending on the country, sometimes the ability to register for your own license. So when GDPR seems impossible, this is because it was designed on the presumption that it would be overridden by Private Investigator laws.
Thanks, that’s useful info – and assuming it also applies with GDPR, that’s what I’d assume/hope is the case (in sane, reasonable world), particularly being able to charge for the time/effort if an unusual amount of effort is required for compliance. I’m thinking particularly about the aspect of GDPR where EU citizens can demand copies of all data an org/site has on them – particularly the requirement that said information be provided in “human-readable form.” I haven’t seen that last part actually defined anywhere, but I’d guess that the raw output of an SQL query probably wouldn’t cut it.
Yep, this is the problem with GDPR, so many consultants try to make money by scaring people. Again, coming from a UK perspective as stated by the ICO, common sense will be applied, if you are in breach, so long as you can demonstrate you are moving towards compliance (and the breach is small enough) you will be ok, do the same thing again and you may face a tougher response.
Spamcop is an interesting example. Probably a weak argument, but I would say they are acting as a data processor, with you as the data controller, so allowable, although without a contract stating this it probably wouldn’t stand up in court. You could also state that it is a requirement for the service, i.e. without it your email server could not work due to the volume of spam, or, most likely to hold up, you have a legitimate interest in using Spamcop.
The simple answer is to document your processes, providing evidence as to why you are processing any personal information you have, and see which of the six bases apply for doing so.
Subject access requests have the same caveat as the right to erasure. Under GDPR you are no longer allowed to charge an admin fee; however, you are allowed to charge a fee if a large amount of work would be required, just like the right to erasure. Again, it is a matter of being able to evidence why you need to charge.
Though later, the article goes on to talk about how a German subsidiary of Tucows has stopped collecting/publishing WHOIS data because they believe that’s required for GDPR compliance – which has put them in breach of the contract with ICANN, who have filed for an injunction against them:
https://domainnamewire.com/2018/05/25/icann-files-legal-action-again…
“Comedy of errors” doesn’t even begin to do justice to this mess…