For those of you understandably intimidated by the GDPR regulations themselves, here's a good summary in plain English: <a href="https://blog.varonis.com/gdpr-requirements-list-in-plain-english/" rel="nofollow">https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...</a><p>The UK's ICO also has a good structured summary: <a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/" rel="nofollow">https://ico.org.uk/for-organisations/guide-to-the-general-da...</a><p>In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individual's privacy perspective, it's fantastic.
Here in UK I have been receiving about 5-10 emails a day from various companies - most of whom I don't remember - telling me I need to sign up again so they can keep my details and keep spamming me.<p>Fantastic.
Constantly trying to whitewash over the fact that GDPR is a huge pain in the ass and will involve a lot of work for a lot of companies is what I don't understand, but Mr. Mattheij has been doing it for months, so that's evidently very important to him for some reason.<p>It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products to interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.<p>If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.
There's certainly no need to panic. The article doesn't address that apart from mindless hysteria there are some very real issues with GDPR. It doesn't have to of course because as the title suggests it's more about dispelling panic than about giving concrete advice.<p>However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:<p>- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically we might very well see GDPR actually benefitting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.<p>- How exactly does a privacy policy have to be worded so I don't get sued on day 1?<p>- In which way will I still be able to store address data for contacting my existing customers?<p>- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.<p>- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?
This doesn't consider some factors that dictate how strong any company will experience their firehose of GDPR requests to be:<p>- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)<p>- how easy it is for them to make requests (entirely manual vs. online service)<p>- wildcard factors (internet flash mobs bent on vengeance against a corporate)<p>There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.<p>For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request into the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.<p>Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
There's currently no case law surrounding GDPR. Moreover, some elements of the GDPR are up for interpretation. People are rightfully concerned.<p>> "This post is an attempt to calm the nerves of those that feel that the(ir) world is about to come to an end"<p>This post is actually a single person's viewpoint, a mere speculation of how things may or may not turn out to be. Your mileage may vary.
I was hoping for a nice respite to the anti-GDPR stuff we've seen recently, but this is just naked propaganda. In particular, the sentence:<p>"the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers ..."<p>The author seems to have the idea that bureaucratic EU systems are inherently "good" and that even if things look bad on paper, it will be fine because they are "good" people. This is not how the legal system or legal compliance works.
I'm an attorney who's spent the last year or so working on GDPR compliance for a US SaaS provider some of whose clients have EU employees. My understanding is that it's true that EU enforcement is more in the spirit of "how can we get you compliant?" before doling out fines (vs. the US where it can be more "let's make an example of this company by hitting them with a big fine" and scaring others into compliance). I also agree that the authorities aren't going to be handing out 7 figure fines like candy, both because it's not their historical approach and because they don't have the resources to fight too many of those battles. I want to say I read that the Irish authority's annual budget is around $9M. Theirs is higher than most and Ireland is where most of the US tech giants are established due to tax laws. That said, I think to say that GDPR compliance is simple because its text is fairly readable or that EU data protection law is simply a matter of transparently respecting people's personal data and not being a bad actor as to privacy is an overstatement. For example, the ePrivacy Directive, most known for prompting all those cookie consent banners, can be incredibly complex to comply with. Each member state has implemented that Directive in different ways. Look at this example <a href="https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf" rel="nofollow">https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-...</a> where Honda sent out emails to its 350k database simply trying to confirm continued interest in being on their list and got a 13k euro fine for their troubles. I don't know all the facts, but from the document, it doesn't appear that Honda got the fine because they were recalcitrant or being terrible actors.
And if the fine is proportionate to the offense (not to the size of the violator), then 13k euro might be levied against a small company for whom it is a significant penalty (not to mention costs, legal fees, etc. in dealing with it).
It's like if a new law were introduced requiring a license in order to ride a bike, to make sure people don't hit pedestrians or bike dangerously in the road. The license is free, it just takes a weekend to go take a written test and demonstrate that you can safely ride a bike. Some people <i>who would pass</i> but can't be bothered to give up a weekend would instead choose to just stop biking. It's an unavoidable consequence of introducing a friction where there wasn't one, and there's no way to carefully target or wordsmith the requirement so that this doesn't happen.<p>I think people miss that there is a very large qualitative difference between "no law" and "law". Even a very carefully targeted law will still have the effect, on the margin, of preventing or stopping compliant activities. But in the case of something like privacy, or control of data about you, maybe that's worth it in order to stop the noncompliant activities.<p>On a non-hypothetical topic: does anyone have a good resource on the requirements with regard to backups? That's one of the larger technical sticking points for me - do we have to delete from our backups as well on such a request?
Clearly an emotional topic. The fact remains, GDPR is a well-meaning but fuzzy law, with implications that cannot be foreseen at this point in time.<p>To remove <i>some</i> of the uncertainty and automate <i>some</i> of the compliance steps, we built a data discovery AI tech that scans corporate data to answer:<p>* "Do we even store personal information?"<p>* "Where do we keep it?"<p>* "How do we make sure PII is consistently stored only in the designated places?"<p>This may seem trivial to a micro-business that runs on a handful of database tables, which I think is where the author is coming from. But for larger companies, even understanding what's where and why (backups? emails? cloud storages?) is a highly non-trivial—if ultimately rewarding—endeavour.
The problem of multiple ambiguities in GDPR hasn't really been addressed here.<p>Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.<p>I think it's ok for foreigners to be skeptical of this promise, as the article implies that this reasonableness is not encoded in law.
> The GDPR will require me to hire people and my entity is too small to be able to afford this<p>Q: Does my business need to appoint a Data Protection Officer (DPO)?<p>A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.<p>source: <a href="https://www.eugdpr.org/gdpr-faqs.html" rel="nofollow">https://www.eugdpr.org/gdpr-faqs.html</a>
> I don’t want to end up being arrested for GDPR violations when I go on a holiday in Europe (yes, I really saw that one)<p>The US did it recently:
<a href="https://www.theguardian.com/business/2017/dec/06/oliver-schmidt-jailed-volkswagen-emissions-scam-seven-years" rel="nofollow">https://www.theguardian.com/business/2017/dec/06/oliver-schm...</a>
> • The GDPR will enable anybody to be able to sue me, even from abroad<p>> The GDPR does not have this effect, but you may be interested to know that anybody can sue you or your business for whatever reason strikes their fancy. This is a direct consequence of doing business and has nothing to do with a particular law. What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests.<p>That's not exactly correct. Art. 79 of the GDPR allows people to sue directly for violations of GDPR although it's very non-specific.
This article actually points out my philosophical problem with GDPR. In one point he says you have to be compliant if you want to do business in the EU. In another he observed that it is difficult (maybe impossible) to block EU folks from coming to a web presence. It’s the expansive reach that bugs me.<p>I’ll note that for real businesses this is just a thought exercise, but it’s one I keep coming back to. What if some less reasonable entity attempted to regulate in this way?
> I was actually surprised by how easy it is to read it<p>there's a whole two hundred post debate around here whether IPs are or aren't PII on their own, with the vast majority holding the wrong position.<p>there's a whole branch of GDPR that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?<p>there's a whole bunch of implications on how liable you are about holding unwanted personal information, including unwanted medical personal information, i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and require that a ramp is present to access your gazebo, is that so?"<p>there is a huge surface area for uncertainty, up to and including 'best practices' that are a constantly shifting target.<p>edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
Don't panic. Panic when you get something like this.<p><a href="https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis" rel="nofollow">https://www.linkedin.com/pulse/nightmare-letter-subject-acce...</a><p>Bottom line, DON'T store/sell/mangle with personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:<p>- make login as it is on Hacker News, you don't need email<p>- once the user has selected and paid for the goods, request sending address and contact (phone/email/whatever)<p>- ship it, print the requested / store into cold store (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from the server<p>The described process will pass the GDPR Nightmare Letter in 10 minutes (to write a general reply) that you sent to everyone requesting.<p>This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.<p>For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.<p>I really don't understand all the fuss about the GDPR, if you explain (and prove) this to ICO, I would really like to see who will punish you for that.
My (EU) clients fall into two camps. Those who haven't had to do a single thing to be GDPR compliant because they were already following the various data protection and privacy laws, and the ones panicking.<p>The latter group say things like "this is ridiculous, they're making us change so much" but never have an answer to the fact that they're already violating PECR or the Data Protection Act.
Whatever one thinks about the subject matter, the writing in this piece is awful. You can get the substance of what the writer is saying by skipping 90% of the content. Moreover, the tone is talking down at the audience - unless that audience is already excited about gdpr. This comes across as not being interested in convincing anyone but in cheerleading their position.
It ain't hysteria if you're in Germany, and a private individual or a nonprofit (e.V.). Due to specialities of German law third parties can serve you legal writs for hundreds or thousands of euros.<p>Which is why I'm shutting down these 20 domains running HTTP/SMTP services I'm hosting in less than a week, and waiting until the smoke clears.
As a solo business owner based in the US, I’ve been spending the last couple weeks learning about GDPR and getting compliant. While it has not been a fun process, I do think in general the regulation is quite reasonable and overall good for the world in general. So far, GDPR compliance has not cost me any money, only time.<p>There are three problems however that I have with GDPR and I’d love to hear how other small non-EU businesses are dealing with this.<p>First is the requirement to have EU representation (Art. 27). Since I don’t have any physical presence in the EU, GDPR requires the appointment of a representative. It would appear that a new industry has been created selling non-EU businesses GDPR representation in the EU which in my brief Google searching can cost $1000 per year or more. Are other small business owners out there paying for this? Or how else to deal with this requirement? Not a lawyer but this is the only part of GDPR I am tempted to ignore.<p>Second is the common practice of using lead magnets to collect emails for marketing. My email signup forms are very clear about marketing use, and are double opt in, and subscribers can opt out with a single click. But my research suggests that this is still not GDPR compliant unless there is an explicit consent, which I believe will reduce email signup rates. Also, while Mailchimp has a GDPR form, it is quite large and doesn’t work embedded in web page headers, sidebars or popups. I’ve only seen one of these Mailchimp GDPR signups in the wild and they opened a new browser tab to present the hosted Mailchimp GDPR form which to me isn’t ideal. How are others handling email marketing signups? Disclosure and checkbox for consent seems a reasonable compromise but I haven’t seen this very often in the wild, at least not yet, that may change come May 25.
Not a lawyer but I’m tempted to keep my current forms until I see more websites make changes.<p>Third, I have a medium sized mailing list (less than 10,000) mostly US based emails which is important for my business. Are people running consent campaigns (as suggested by Mailchimp?) I’m concerned that I will lose a substantial part of my list due to non-response. Again, the list is double opt in and I am very reasonable with my marketing emails. (Not a lawyer) but my thought is to segment my list into EU and non-EU customers and run a consent campaign only on EU emails. Has anyone run a consent campaign and how did it work out for you?<p>Any thoughts or suggestions from other small and solo business owners would be much appreciated.
This is no hysteria.
Depending on where your company is located the suing risk is really high. E.g. in countries like Germany there is a whole industry which lives from suing companies and people and I can imagine that GDPR will open a whole new suing market there.
In other countries like Austria you get first warned and then sued on big GDPR violations which is a much better solution.<p>So it all depends.
There's no hysteria. There's just a FUD disinformation campaign - businesses who make a lot of money thanks to privacy violations are very unhappy with this and they have a lot of voices.
I can tell you that GDPR is going to cause issues with block based backups. Many hosting providers don't separate customers on different block devices. When you back up a block device you have snapshots that have many different organizations' data on them.<p>Part of making good backups is knowing that the backup can't change. The only solution now is to add paths to go back and modify those backups to remove customer data when asked to.<p>That is my plight anyways.
> this particular one has the interesting side effect of causing mass hysteria in the otherwise rational tech sector.<p>* Y2K<p>* Dot Com hysteria<p>* Dot Com crash hysteria<p>* AWS outages<p>* Will robots replace us ?<p>* Will Microsoft crush me ?<p>* Will Google crush me ?<p>* I just raised £30M series A, where my Aeron at<p>* Nosql means I can throw away everything I knew about databases<p>* Web first<p>* Mobile first<p>* XML everywhere<p>* OO everywhere<p>* Javascript everywhere<p>* AI everywhere<p>Where is the evidence for rational behaviour ?
One question that I have thought about is how are foreigners supposed to learn about the GDPR's existence? If it wasn't for the fact that I spend more time on HN than I should I would never have heard of it. I doubt there are many businesses here in Australia that know about it.
Is the system of warnings and increasing fines described in the post a part of the law, or does one need to rely on the "spirit of the good natured enforcers" if they are unable (or unwilling) to immediately comply fully?
I don't think it's really that simple, especially the deletion requirements. There are just so many IT systems that really don't support deletion. An absolute worst case I can imagine is GitHub being asked to delete an account which had commits in multiple large projects. Are they going to alter those projects' source code?
I'm not sure about the point regarding the DPD. EU Directives themselves don't have teeth, but they're supposed to be transposed into national laws - e.g. the DPA in the UK - and would be enforced nationally. A regulation comes into law across the EU, but is still often transposed, and the enforcement mechanism (to begin with) is still basically the same.<p>He's right that the DPD was not well-adhered to, though.
I've been doing a bit of consulting work on the GDPR and for the most part small sites aren't going to have a lot of headache dealing with the GDPR requirements.<p>Typical, simplified, workflow (varies):<p>1) Review what data you collect and why<p>2) Document these in an updated privacy policy along with third parties you share data with and why<p>3) Update all forms on your site collecting personal information<p>4) Update your cookie policy and the way you handle cookies, for some of these you might need consent, for some there might be exemptions<p>5) If you expect this to be an issue, set up automated means of handling requests pertaining to data subject rights, otherwise process them as they come via email<p>While some smaller sites are getting around the need for an EU rep by claiming that they are only processing data occasionally and not on a large scale (whatever that means, as it's not defined by the GDPR) there is a big problem with getting an EU rep, because as opposed to a DPO, which doesn't have liability, your EU representative "should be subject to enforcement proceedings in the event of non-compliance by the controller or processor." making that natural or legal person liable, so you won't be able to easily outsource this.<p>If you have set up shop in the EU, then it's pretty easy to handle the aspect of an EU rep. Also, if you're transferring data between your EU and US offices/datacenters, you can self-certify under the privacy shield, starting from ~$250 per year to not have to deal with binding corporate rules or standard contractual clauses, so that you can effectively make these transfers "safe" under the GDPR, along with various technical safeguards, of course.
I think much of this probably comes down to cultural and ideological differences between the US and the EU. It certainly seems that almost all of the rabidly pro-GDPR crowd is from the EU.<p>Interesting: I have a number of anti-GDPR comments here and on last night’s GDPR thread that got upvotes last night US-time, heavily downvoted throughout the night, and are now going back up :)
> As soon as you do business abroad you will have to comply with the laws of those countries.<p>But are you doing business abroad, just because you're on the internet?<p>Is it not the customer who is coming to you to do <i>their</i> business abroad, while you do your business in the country you live in?
This is just an author wishlist and not the reality. I especially find the "clearing house" fantasy amusing. How he thinks this house of bureaucrats will be able to judge that John Doe's complaint has any merit?
Do what I say, do not do what I do.<p>Today I've been asked by a library of "Junta de Andalucia - Spain" to accept its terms and conditions to use the wifi internet connection provided for its users and it's a clear violation of the GDPR by a government body, basically they're asking for a blank check to do whatever they want without bothering to ask/inform the user.<p>Translation by translate.google:<p>====<p>The Telecommunications Corporate Network of the Junta de Andalucía reserves the right to monitor and collect information while the user is connected to the Service. This information can be used at the discretion of the Telecommunications Corporate Network of the Junta de Andalucía and can even be shared with the State Security Bodies, their associates or suppliers.<p>Likewise, the Telecommunications Corporate Network of the Junta de Andalucía reserves the right to revise this agreement at any time.<p>The user must accept the General Conditions of Access each time they use the service and, it is your responsibility to review it each time the Service is accessed in case there has been any change.<p>The Telecommunications Corporate Network of the Junta de Andalucía, reserves the right to withdraw the Service, modify the specifications or forms of use thereof, as well as change access codes, users, passwords and other security elements necessary to access the Service . IF YOU DO NOT AGREE TO THESE TERMS, INCLUDING ANY MODIFICATIONS, DO NOT ACCESS OR USE THIS SERVICE.<p>====
As someone more on the hysterical side, good post, thanks. Can you clarify one part for me? Take this bullet:<p>> <i>The GDPR is going to expose me to fines of up to 20 million Euros for even the slightest transgression</i><p>> <i>No, the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers at the various data protection agencies in Europe they will first warn you with a notice that you are not in compliance with the law, give you some period of time to become compliant and will - if you ignore them - fine you. That fine will be proportional to the transgression. You can of course ignore the fine and then ‘all bets are off’ but if you pay the fine and become compliant you can consider the matter closed.</i><p>What if you get warned and <i>decide at that point</i> to just shut the site/app/business/project down?<p>Or is it the case that once you begin operating under the GDPR era, you'll have to handle those "good natured" enforcement warnings, delete data, etc?<p>I get that I'm <i>probably</i> compliant, and <i>probably</i> wouldn't have any complaints against me. I just don't know if it's worth waiting it out to see if there's an issue, or if <i>now</i> is my only chance to easily not deal with it by just blocking EU users.
<a href="https://pawelurbanek.com/gdpr-compliance-blog-rails" rel="nofollow">https://pawelurbanek.com/gdpr-compliance-blog-rails</a><p>My take on GDPR compliance from a solo developer perspective without a legal team to back him up.
I find this confusing:<p>> Note that the 20 million Euros or 4% of global turnover is the maximum fine, the specific language is ‘a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater’, so that’s the maximum of the fine that’s being set by the 20 million or the 4%, and this bit is there to ensure that even the likes of Facebook and Google will not simply ignore the law and pay the fine to be able to continue as they have so far. This in no way should be read as you, the small business operator will face a fine of 20 million for each and every infraction that could be found.<p>Saying that this is intended to be aimed at the Facebooks and Googles is all well and good, but that's covered by the "4%" criterion. The €20 million figure is aimed at companies that have a global turnover of less than €500M, not the Googles and Facebooks. That's why it's scary.
Does anybody know if it's required to remove CDN links (such as for Google fonts, cdnjs, etc.) and host all assets locally instead unless consent is given? Assets from CDNs are required for a site to function; what's not required is to send `Referer:` so maybe it's sufficient to set a referrer-policy.
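The referrer question above can be checked mechanically. The following is an added example, not code from the original thread: it walks a page's HTML and lists every third-party sub-resource (`link`, `script`, `img`, `iframe`, `video`, `audio`) whose fetch will still carry a `Referer`, treating a preceding `<meta name="referrer" content="no-referrer">` or a per-element `referrerpolicy="no-referrer"` as covering the request. The site host name, the two sample pages and the CDN paths in them are constructed for the example.

```python
"""
Added example (not part of the original thread): audit which third-party
assets on a page will leak the visitor's Referer, and whether a referrer
policy covers them.

Assumptions (the example's, not the thread's): the page's own host is
known; a <meta name="referrer" content="no-referrer"> seen *before* the
element, or a referrerpolicy="no-referrer" attribute on the element
itself, is treated as suppressing the Referer for that fetch.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which attribute triggers a sub-resource fetch for each tag.
FETCH_ATTRS = {
    "link": "href", "script": "src", "img": "src",
    "iframe": "src", "video": "src", "audio": "src",
}


class ThirdPartyAssetAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.meta_policy = None   # value of <meta name="referrer">, if seen
        self.findings = []        # (tag, url, referrer_suppressed)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser already lowercases names
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = (a.get("content") or "").strip().lower()
            return
        attr = FETCH_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        url = a[attr]
        host = urlparse(url).hostname
        if host is None or host.lower() == self.site_host:
            return                # relative or same-origin: no third party
        elem_policy = (a.get("referrerpolicy") or "").strip().lower()
        # The element attribute wins; otherwise fall back to the document
        # policy, which only helps if the <meta> came earlier in the markup.
        suppressed = elem_policy == "no-referrer" or (
            not elem_policy and self.meta_policy == "no-referrer")
        self.findings.append((tag, url, suppressed))


def audit(html, site_host):
    """Return (document referrer policy, list of third-party findings)."""
    p = ThirdPartyAssetAuditor(site_host)
    p.feed(html)
    p.close()
    return p.meta_policy, p.findings


def uncovered(html, site_host):
    """URLs of third-party assets that will still send a Referer."""
    _, findings = audit(html, site_host)
    return [url for _, url, ok in findings if not ok]


# Constructed sample pages; the CDN paths are placeholders, not real files.
LEAKY_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0.0/example.min.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body><img src="https://example.org/logo.png"></body></html>"""

HARDENED_PAGE = """<!doctype html><html><head>
<meta name="referrer" content="no-referrer">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0.0/example.min.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body><img src="https://example.org/logo.png" referrerpolicy="no-referrer"></body></html>"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, "still sends Referer to:", uncovered(page, "www.example.com"))
```

Suppressing the referrer only stops the page URL being disclosed; the CDN still receives the visitor's IP address and User-Agent on every fetch, which is exactly the part of the question (whether that needs consent) that the thread leaves open. Place the `<meta>` tag before the first external reference in `<head>`, since the auditor, like a browser, only applies it to elements that follow it.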
>Don’t Panic<p>That's thoroughly good advice. Panic reduces efficiency and the capability to react rationally.<p>>Becoming compliant with this law will cause my business to go under<p>>If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company<p>Hmm, I would nitpick on that, Google Adsense has been ass about getting GDPR compliant, they don't offer any method of serving ads without storing consent including their tracking-free ads. This is not something that affects me personally but I know people running larger websites that rely entirely on ad revenue (premium model is hard since they drive visitors with UGC, most people don't have an account, they don't want to paywall anything or ask money from the people that drive traffic). The site itself is already fully compliant and with exception of very minor changes (minimum age 13 -> 16, adding a "download everything" button) was compliant in the past.<p>I blame Adsense on that one, not GDPR though. The ad industry has to adapt, pushing the work on the website operators won't help and is not appropriate. IMO Adsense should either offer a fully consent-free ad experience in compliance with the GDPR or operate the consent dialog for the website owner in a non-intrusive manner.<p>Maybe this means there will be an opening for a GDPR-compliant ad network in Europe
This is how I understand the GDPR:<p><pre><code> You cannot store a user's personal data like IP
or cookie id unless you have consent from the user.
</code></pre>
I expect that <i>nobody</i> will comply with this.<p>Smaller companies seem to think GDPR is something they can fix by changing the legalese in their impressum and privacy policy. "Yet another trip to the impressum generator".<p>Bigger companies seem to pretend they misunderstand the GDPR. I got emails and popups from Facebook, Twitter, Instagram etc informing me about all kinds of nonsense about how they changed their policies and asking me all kinds of unrelated questions about what kind of ads I want to see.<p>Not a single company asked me for permission to store my personal data.
How can I be non-compliant with GDPR? If I could care less about it, is it enough for me to do nothing? Should I expect that European users should find out themselves that my website is not GDPR-compliant? Or must I actively ban EU IPs?
> There are several reasons for that, the major ones being: webservers only log IP addresses if you configure them to do so.<p>That’s not true. Apache and Nginx log IPs by default. Maybe OP should check his Nginx logs.
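Since the stock access-log formats do record the client address, one practical minimisation step is to truncate it before the log is kept. The block below is an added example, not code from the thread or from the Apache or Nginx projects: it rewrites the leading client-address field of combined-format access-log lines, keeping a /24 for IPv4 and a /48 for IPv6 by default and leaving non-address tokens such as `-` alone. The three log lines are constructed from documentation address ranges.

```python
"""
Added example (not from the original thread): truncate client IPs in
existing Apache/Nginx combined-format access logs so the stored record
no longer identifies a single host.

Assumptions (the example's): the client address is the first
whitespace-delimited field of each line, as in the default
"combined" formats; any X-Forwarded-For field is NOT handled here.
"""
import ipaddress
import re

# Client address, then everything else on the line, left untouched.
LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>.*)$")


def truncate_ip(addr, v4_bits=24, v6_bits=48):
    """Zero the host bits beyond v4_bits / v6_bits.
    Non-address tokens ('-', a hostname) are returned unchanged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    prefix = v4_bits if ip.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line, **kw):
    m = LINE_RE.match(line)
    if not m:
        return line
    return truncate_ip(m.group("ip"), **kw) + m.group("rest")


def anonymize_log(lines, **kw):
    """Apply anonymize_line to every line; returns a new list."""
    return [anonymize_line(line, **kw) for line in lines]


# Constructed sample lines using the 203.0.113.0/24 and 2001:db8::/32
# documentation ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.42 - - [24/May/2018:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [24/May/2018:10:15:33 +0000] "GET /about HTTP/1.1" 200 812 "-" "curl/7.58.0"',
    '- - - [24/May/2018:10:15:34 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
]

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Run it as a filter on rotated logs, or feed it from a pipe before the log is written to disk. Truncation reduces identifiability rather than eliminating it, which is why the thread elsewhere still argues about whether an address is personal data at all; if a reverse proxy is in front of the server, the `X-Forwarded-For` field that the proxy appends carries the original client address and needs the same treatment.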
> This in no way should be read as you, the small business operator will face a fine of 20 million for each and every infraction that could be found.<p>Thank you, random stranger on the Internet! However, that is not the law. And even if you are right? As I posted yesterday, half of the employers in the USA have 1-4 employees and make $387,200 on average yearly. Even if they get fined to 1% of the maximum, they are completely wiped out. So no, it's not hysteria, it's plain business sense for them to slap an IP ban on it and move on.
I'm a citizen of the United States, which is a sovereign nation.<p>I will never pay the EU "internet transgression fees", no matter how well intentioned they are. Full Stop.
Hi, thanks for this, very interesting.<p>What I think is a big problem is this stuff about requiring consent. This is a big issue at the moment for website owners and app developers who have online advertising from vendors such as Google (Admob/Adsense) and use e.g. Google Analytics for development support. These guys do not record individual user details and have no interest in doing so.<p>Specifically for such people there is an issue where personalised advertising (according to Google and others) needs an opt in, fine, but for app developers and web site owners they don't have any user details other than maybe an IP address, so if they put up a pop-up and record consent how do they know who the user is if they don’t have any other user info?<p>This is leading to absurd discussions re for example Google Analytics used by millions of websites and apps. There is something called client id which GA uses to identify unique "users” or website visitors. Now apparently as it is unique this is personal data so should require consent according to some experts I have read. But as it is anonymous how can it be identified who it “is”? If a user demands to know what data a website/app has and mentions the client id info well who knows for sure what any client id represents in the real world?<p>More to the point what is the likely legal/financial consequence if a user claims that the website did not ask for consent for this client id to be recorded (how would they be able to prove which one it was that was theirs anyway)?<p>Would they be able to sue? I presume not. So is the IC going to be interested in this apparent breach? And if the developer/website owner had a data breach where their GA account was compromised would they have to inform all the Client ID individuals? Again obviously not but you see how these discussions are going!
> So if that’s your business model then good riddance to you and your company.<p>That’s the best way to ensure EU will never have a decent startup scene.
I spent two hours today at our campsite working on my web sites to make them reasonably compliant. One problem area is that I serve my blog on Google Blogger. With pained reluctance I turned off comments and stopped showing my followers. I also linked to Google’s own GDPR info page. I used to use Jekyll and maybe I should go back to doing that.<p>Any suggestions?
Not sure what "it will ensure that the public will not be able to use the GDPR to harass businesses" means, as GDPR explicitly empowers individuals to seek compensation. <a href="https://gdpr-info.eu/art-82-gdpr/" rel="nofollow">https://gdpr-info.eu/art-82-gdpr/</a>
GDPR puts into jeopardy the business model that almost every consumer internet business has run on, post internet bubble: advertising.<p>That's what is at jeopardy here and nobody is willing to just say it.<p>Don't agree with the concept of tracking users to serve them ads? Great, make the case that GDPR ends the scourge of advertising subsidized applications as services.<p>Let's not ignore it though. The reality is, a lot of internet companies that consumers use and like rely on either selling advertisers access to their market or selling user contact data outright, because there is no other way to make money.<p>If the argument is that this is an unethical and harmful way to keep services alive then we need to agree that the bulk of the last 20 years of startups' business models are broken and what the implications for future internet business models are.
> ... it may not be possible for you to lock Europeans out reliably enough...<p>Here's a fun little example of this: If one of your parents was a British citizen, then you're a British citizen 'by descent'—not merely eligible to become a British citizen after you fill out a form, you're an automatic British citizen by default unless you renounce your citizenship. (This has caught out at least one member of the Australian parliament, where dual citizens aren't allowed to serve.) This means that you can have someone who's an EU citizen (for the time being, at least), who doesn't live in the EU, has never set foot on EU soil, and maybe isn't even aware that they're an EU citizen themselves.
> The EU regulators see their job as ensuring compliance, not as creating a source of income.<p>I thought one of the objectives of the EU is to make US social media pay their fair share. Citing the same article:<p>> European holdings or that use the EU to avoid paying taxes rightly worry about this particular aspect<p>So, what is it?
This is what pisses me off the most about all the hysteria and whining:<p>"<i>The law has been in effect for over two years at this point, and the DPD, the European Data Protection Directive has been in effect for over two decades. So no, this law was not sprung on anybody, though it is very well possible that you only became aware of it a few weeks or months (or days?) ago. If that’s the case do not panic, you too will most likely be fine.</i>"<p>Never mind the fact that the underlying privacy laws are much older, and so many practices were already essentially illegal but went unchallenged so far.
> in the spirit of the good natured enforcers at the various data protection agencies in Europe<p>Is this serious? Why would we assume enforcers to be good natured if they benefit from fines? Or assume they would stay good natured, even if you have the most perfect humans there now?<p>It's far more likely that the EU is creating tools to prevent disruption and manipulate markets. The template will likely be followed elsewhere, effectively elevating the state's data collection abilities over all other organizations.<p>Note, Bitcoin does not seem compatible with their laws.
What really annoys me about GDPR is that, given all the confusion surrounding the law, a lot of GDPR professionals are popping up everywhere.<p>There are a lot of people making money by providing GDPR-compliant solutions. To avoid this, all that had to be done was to write a clear text with everything everyone had to do to be compliant, instead of piling up some big and dubious words that no one really knows what they mean.<p>Concerning the law itself, it's a lot of fireworks. Give it a few months and no one will care about it again.
For a lighter take on a Friday, read how Site-Lokd™ brewery technology solves GDPR crisis: <a href="https://www.inversoft.com/blog/2018/05/16/site-lokd-brewery-technology-solves-gdpr-crisis/" rel="nofollow">https://www.inversoft.com/blog/2018/05/16/site-lokd-brewery-...</a><p>Enjoy.
> If you’re Mark Zuckerberg however I would definitely advise not to ignore this, however the chances of Mark reading this blog post are nil.<p>As this is top of HN, perhaps there is a good chance he <i>will</i> read this because his FB staff who read this can't resist telling him? :)
I'm an EU citizen and proud of the EU actually, something I don't feel very often btw, for being in the forefront in law-making that protects the privacy of individuals.<p>My vocabulary has been enriched with a new word: PII. I like it. It simplifies when thinking about GDPR. I expect one or two years from now I'll know the important parts of GDPR like the back of my hand.<p>But right now every person in the world running a multinational company needs to understand a new piece of legislation that threatens 4% of their annual revenue. You have better things to do and so I understand everyone's anger.<p>But is it wrong to force business-runners to learn about GDPR, stuff that's pretty close to human rights, like "don't track any of my PII without telling me exactly what you plan to do with it"? Is it wrong to now have to learn this, as a web/app developer?<p>I'm sooooo sick of being tracked. It has definitely made me exit the social media world altogether, six months ago. Even though it is detrimental to my career I even asked Linkedin to erase my data. I truly hope my career isn't screwed just because I refused to give Microsoft a detailed description of 30% of my person, my whole work life that they can connect to an email address (some people even give them their phone number), IP, tracking cookie, thus a Facebook profile, real or shadow, thus to the most detailed graph of PII there is, probably in the whole universe. Hopefully in the whole universe, otherwise civilizations on other planets took a wrong step somewhere.<p>I hope GDPR leads to PII being treated as gold by the market because it's so rare. Because isn't it better to skip all this tracking business than having to deal with stuff like GDPR?<p>No cookies for me please. And I'm also sick of having to run javascript.
Remember guys, while you are stressing over how to work with GDPR, Facebook literally listed all their existing data collection items and forced everyone to consent. Total increase in privacy: 0
> The GDPR is going to expose me to fines of up to 20 million Euros for even the slightest transgression
> No, the GDPR has the potential to escalate to those levels but in spirit<p>So, yes, but maybe no?
You missed a key question here. As a business owner, what on earth do I need to do next?? Do I need to email all my users giving them an opt-out option?!
> If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company.<p>Hear hear!
Exactly. People try to explain to me how it is impossible to comply and usually it turns out that it would be easy. I think the problem most of the time is that people misunderstand the requirements or don't read the GDPR (not even TLDR versions).
>Every company and every project or hobby ever has to be compliant with the law.<p>wrong.<p>if everyone always followed the laws, earth would still be considered flat (at least until more recently).
I can't help but love the turmoil GDPR is causing in the adtech "industry". Like wasps buzzing around the exterminator who's about to destroy their nest.
The GDPR hysteria demonstrates that:<p>1. Many people (even "rational hacker-types" ha-ha!) do not take the time to research, analyze or understand the regulations and laws that affect them.<p>2. Many people, even though they don't understand said regulations, will have an extreme negative reaction to the new regulation especially when they see big scary numbers like "$20M Euro". This is true even of regulations like the GDPR which most anybody should be able to read and understand in a couple of hours.<p>3. Many people don't understand where regulations come from or how they work. They have no understanding of scope, process, judgement criteria or enforcement vectors. This leads to terrifying visions of "EU cops" waiting at airports to arrest people the moment they get off the plane.<p>Frankly, the whole situation speaks to the profound ignorance and fear that lies at the heart of the modern nation state. Citizens do not understand the government, they have no understanding of how or why it does what it does, all they really understand is that the government can and will completely ruin them should they violate one of the tens of thousands of laws and rules and regulations and decrees that modern governments impose on their domains.<p>This ignorance has real consequences and costs. You can see this now particularly in Britain where many people are now learning how their country actually works <i>after</i> voting to tear down their current regulatory and economic framework. But you can also see it in all the fear and the moaning and the teeth gnashing every time some new regulation is proposed. (The funny thing here is that even the most hardcore libertarian economists are coming to understand that regulation does not impede economic growth [1]. Indeed there's ample evidence that regulation, by imposing best practices on firms and increasing trust within the market, is a significant <i>driver</i> of economic growth.)<p>The reason I point this out on HN is because I think, at the end of the day, being an entrepreneur or an investor is all about learning how the world really works and then changing the world to work for you. And while most people can perhaps afford to plod along with all sorts of misguided notions about how the world works because their jobs do not require them to have any real understanding of the big picture, entrepreneurs and investors absolutely cannot. Buffett says it best: <i>"Risk is not knowing what you're doing."</i> The sites shutting down in the face of the GDPR out of fear and ignorance are making the most basic mistake, they literally do not know what they're doing.<p>[1] <a href="https://marginalrevolution.com/marginalrevolution/2018/02/federal-regulation-not-cause-declining-dynamism.html" rel="nofollow">https://marginalrevolution.com/marginalrevolution/2018/02/fe...</a>
I personally am not hysterical about any of this, I just am concerned for the citizens of the EU while living under this law. My main issue with the GDPR is that articles and supporters are constantly thinking in terms of "business" and not in terms of other services, and also not thinking in terms of long term impact.<p>For instance, I run a small community website (~30 people). I receive no income, and I know everyone involved. Everyone is in the United States. Is it open to the world? Yes, technically. What happens when an EU resident signs up? Well, I'll continue to do exactly the way things are currently set up.<p>How does this situation play out long term? First, I'll tell whoever contacts me that I am in compliance with US law, and I'm a US citizen. I do not have to follow their laws because it's not within my jurisdiction. Second, they will order me to block EU citizens from my site, which I will not do because it's a mandate of work on me for no reason by a foreign country.<p>So what happens in this situation? The only recourse for the EU is the internet version of "sanctions", to block my website from the EU.<p>Now they've set a really interesting precedent. How do they now enforce these blocks? Technical issues aside, are they going to do a whitelist or a blacklist? Regardless, they are setting up the equivalent of the Great Firewall for the purposes of maintaining the GDPR.<p>So why does this matter? It's only an isolated incident that will likely never occur, right?<p>Wrong. One community website like mine with one EU citizen that decides to file a GDPR complaint means that somehow this situation occurs. It can even be an intentional, "sign up, file complaint" immediately to trigger this legal situation. Think there aren't any foreign governments that wouldn't flood a system like this to censor the EU citizens in various mild ways? Think some random anarchist activist will not decide to monkey with the system by finding and reporting all the small violators?<p>The end product is a curation of the internet for EU citizens by EU government. Hopefully your leaders are benevolent, and nothing crazy happens in the democratic process. I remember being told during the Bush and Obama administrations that my views against government surveillance due to potential for abuse were unjustified because we could never have a horrible president and that our presidents will always be benevolent, so the policy would never change toward the worse. How did that play out? How do people think democracy functions, honestly?<p>Again, I really don't care too much. They can self censor if they want, but it really seems like GDPR is a win for Russian and Chinese meddling.