GDPR: Removing Monal from the EU

369 points, posted by maufl almost 7 years ago

63 comments

jacquesm, almost 7 years ago
This is a ridiculous over-reaction based on an extremely shallow interpretation of the GDPR.

If you are running a small business and you feel that you won't be able to operate your business because of the GDPR, consider all those other laws that you have to be in compliance with as well. If that's your attitude towards legal compliance then you should probably shut your business down completely rather than hope that just ignoring European customers is going to make the bogeyman go away.

Legal compliance is a requirement for *any* business, and privacy law is just one more thing to take into account, and for a small business that does not process super sensitive data (such as medical information or financial information) the costs of compliance are negligible. They're not '0', but then again it is a business and costs of doing business are the norm.

mnkypete, almost 7 years ago
There is so much misconception about GDPR. It is clearly directed at large data-tracking corps, not single-person IM apps. Even if someone tries to "sue" you (which he can't, only report you to authorities), it first needs to go through many iterations where you can make your case.

At the very least read this: https://privacylawblog.fieldfisher.com/2016/what-you-think-you-know-about-the-gdpr-and-why-you-may-be-wrong

danbruc, almost 7 years ago
> While Monal is privacy focused, it is also free, open source and run by a single person — me. I simply do not have the resources or the time to jump through the regulatory hoops required by the EU.

As a new and small construction company we simply don't have the resources to comply with all the building codes and the related paperwork. I just can't afford to meet all food safety requirements, I just want to provide free meals for homeless people in my spare time. I just built this car from scratch for myself and now they tell me I can not drive it on public roads just because I don't have the time and money to meet the required standards?

eterm, almost 7 years ago
Why not give the user control and have things such as crash reporting be opt-in?

We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls, and I think it's great that the EU GDPR is making people wake up to the scale of it.

Suggesting that XMPP federation isn't compatible with GDPR seems like an over-reaction; isn't that like saying that SMTP isn't compatible?

Hamuko, almost 7 years ago
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

> 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

I thought this guy was a single person who put something on GitHub. How is he required to appoint a DPO? What kind of large-scale processing of personal information is he doing?

TomasEkeli, almost 7 years ago
I keep telling people - the thing that changes with GDPR is that personal data you handle is now still owned by the person and only in your custody as long as they explicitly allow it.

All of our infrastructure has to change to honour that. If you cannot honour that change, maybe you shouldn't have been handling personal data.

I don't have any knowledge about monal.im (don't know what it is - some kind of IM client?), but this person is making some claims:

- he needs a data-protection officer: no, only larger orgs handling lots of personal data need this. If he's making an IM client and not servers that store data he certainly doesn't, but I don't know what his setup is.

- crash analytics: this can be handled by telling the users clearly that you'll be gathering the data (and defaulting to not gathering if they don't actively approve). As long as you have a proper PURPOSE for gathering and storing the data and don't use it for anything else you're golden. You do have to document this, in case of a review (hyper-unlikely).

- Push: he's getting a message and storing the device/IP combination. This seems to be central to the service he's providing. Therefore he can and should put that in the description/terms of his service (as he cannot deliver the service without this). As long as it is clearly explained to the end-user this is fine, and he can keep doing it. If he stores it and does anything with this data other than the central purpose that he informed the end-user of, he's in violation. I'd suggest putting it in clear text in front of the end-user and deleting the data as soon as it's no longer needed. Don't do any non-approved analysis on it. If you want to analyse - ask for permission.

XMPP federation may be a problem, I agree with that. The problem here (as I see it) is that each service getting the personal data must only process it for the purposes explicitly agreed to by the end-user and honour any subsequent notifications of rectification and deletion. This is a hard nut to crack indeed.

pavlov, almost 7 years ago
> ... I frequent Europe and do not want to get into legal trouble on vacation.

Does the author seriously believe this could happen? Enforcement of GDPR is similar to antitrust law. A regular police officer isn't going to fine you for that.

The author's anxiety makes as much sense as not traveling to the United States because you're worried that your one-person pottery business might be considered a monopoly under the Sherman Act.

viraptor, almost 7 years ago
I'm both surprised that people react so strongly and... mostly ok with it. The majority of GDPR is pretty reasonable - know what data you have and make sure your users know it as well. Allow removing it, make sure you don't share with parties who don't need it. For normal services it doesn't appear to be a tough requirement.

You certainly don't need to hire extra people like the author suggests, and federation should be just fine (it's essential to what the service does).

BillinghamJ, almost 7 years ago
This project is completely out of scope for GDPR, not having any presence whatsoever in the EU. You aren't going to be arrested when going on holiday. You wouldn't be breaking the law at all, even if it was possible to enforce anything.

Even if it was in the EU, it wouldn't require a DPO, and your use of IP addresses is very reasonable and within the standard allowances which don't require user consent.

Maybe bother reading _anything_ from an official source before coming to this conclusion? This reads to me more as something you want to have a rant about because you don't like it - rather than as any kind of pragmatic decision.

chx, almost 7 years ago
Honestly, most small USA businesses take one look at "Up to €20 million, or 4% annual global turnover – whichever is higher." and just run. There's no point in even trying to salvage the situation.

> For the 3.7 million small businesses with 1 to 4 employees, the Census Bureau figures show average annual sales in 2007 were $387,200.

Given that, who wants to risk a 20M fine? All this advice in this thread to do this, run it through a lawyer (lawyers are expensive, especially international ones), makes no sense to the majority of the businesses in the USA: there are less than 8M employers in the USA and a very small percentage has a yearly turnover of even a mil, not to mention the ~600M USD where the fine changes from a constant to a percentage.

To give you another idea of how much money this is, about a quarter of public companies have less than 25M USD market cap.

As a dual Canadian-EU citizen I am stupefied by this law.

matthewmacleod, almost 7 years ago
The overreaction to GDPR from US tech startups in particular surprised me at first. But my partner is a lawyer working on GDPR compliance for a variety of tech firms, and he explained that there's almost a *historical cultural difference* in terms of attitudes to ownership of personal data.

European regulation typically treats personal data as being the property of the person being identified; US tradition considers data generated by a company to be the property of that company, not of the person.

This made the whole massive unnecessary panic by primarily US-based small companies much more understandable to me.

zerostar07, almost 7 years ago
While this developer may be overreacting (he probably doesn't need a DPO), I understand why it might just be easier to block it, at least until there are precedents about how to comply and more info on how the regulation will be enforced.

GDPR can be scary for developers, because nobody actually knows how a website or app is supposed to work (I have yet to see a single example), and it requires a series of steps that are not trivial on the administrative side. The right to be forgotten is the easy part. Having to document everything you do and introduce data-dumping mechanisms that are both anonymous and secure is an administrative burden. Having to do that for every little project that you release, even if it has 10 users, is a bit too much. Many developers cast a wide net, releasing products often, and this is practically unnecessary work unless you have a significant amount of users.

Introducing opt-in forms everywhere is also not great. It didn't work for Windows Vista, so why do we expect this to work on the web? Opt-ins for things like cookies should be implemented in the browser. What's the point of warning a person before sharing their email? What's the point of warning them even that you'll install a cookie? IP addresses and cookies etc. are integral parts of the HTTP protocol and the browser, so why not introduce anti-tracking regulation that targets browser vendors and telcos instead of introducing regulation that targets every developer on the planet? It doesn't seem like an optimal plan imho. The example of the cookie law (for which it's hard to argue that it has not utterly failed) should act as a bad precedent, not a good one.

It's easy for US developers to be positive about GDPR because they can avoid the overreaching parts, but for us in the EU it's something we have to abide by 100% of the time. I'd like to hear what other people think about those, because otherwise I hear a lot of emotional praise for GDPR which is blind to how problematic it is at day 0.

maufl, almost 7 years ago
Please be nice to the developer. I didn't post it to shame him. I'm just very sad about the post because I was hoping to establish XMPP as the group chat in my family, of which half are iPhone users.

jwdunne, almost 7 years ago
You don't need a DPO. I work with healthcare businesses and some of them don't even need a DPO.

You only need a DPO if you are a public authority, if you do large-scale processing or large-scale processing of sensitive data (ambiguous in the GDPR).

If you collect some data, all you need is a privacy policy outlining such, stating what you collect in general and that your legal basis for doing so is to provide the user a service and to monitor for app crashes / bugs - both within your legitimate interests.

Many people have interpreted GDPR to be stricter than it is. In fact, those who have to do the most work are those that cause incredible damage to individuals when they lose data - especially those that have had recent, massive data breaches, e.g. Equifax.

slackoverflower, almost 7 years ago
I'm convinced this is the start where EU citizens become second-class Internet users. Many businesses just don't want to go through the trouble of GDPR regulatory hoops. For most businesses, there are enough customers to sustain their business in the US, Canada and the rest of the world that they can ignore all EU customers.

rwcarlsen, almost 7 years ago
Many of the comments here are rebutting - saying that a DPO isn't needed or that this guy gave up unnecessarily. But the fact that he had to spend who knows how much of his time to even discover whether he needs to do anything (or what sort of trouble he could get into) is too much of a barrier for many people and their hobby side projects. This is unfortunate and not surprising collateral damage of the GDPR.

jimnotgym, almost 7 years ago
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

A DPO is most certainly not required by all organisations[0], and I would be surprised if it applied to this project. I know lots of blogs are saying it is, but it is simply untrue. I'm not saying that this totally relieves the burden, however.

[0]: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/

adambrenecki, almost 7 years ago
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

Lots of people are responding to the DPO side of this sentence, saying that it's not as onerous as the author of this article is making it sound, but as someone who's also not based in the EU it's the "EU Representative" part that I'm more worried about myself.

Article 27 says:

> (1) Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

Article 3(2) is the bit that says the GDPR applies to processing outside the EU of EU citizens' data etc.

> (2) The obligation laid down in paragraph 1 of this Article shall not apply to:
> a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
> b) a public authority or body.

It's clear here that not everyone outside the EU needs to have an EU representative, but 2a is wordy and confusing enough that it's real hard for a non-EU non-lawyer to figure out with certainty whether or not they need one. The ambiguous combination of 'and's and 'or's doesn't help, but 'unlikely to result in a risk to the rights and freedoms of natural persons' sounds like something that's ambiguous enough on its own that you might need an EU lawyer to actually interpret it.

snogaraleal, almost 7 years ago
You do not necessarily need to hire a DPO.

Read the law or, at least, read the official FAQ. Your evaluation of the impact of the law on your project is lazy.

m-arnold, almost 7 years ago
Hugo (static blog generator) is spending non-insignificant efforts to comply: https://github.com/gohugoio/hugo/issues/4616.

It looks like a simple thing like embedding a YouTube video in your blog post is no longer so simple. As well as loading any external JS dependencies.

josecastillo, almost 7 years ago
This is going to sound crazy, but I spun up an instance of a simple open-source comments system[1] for a blog that I write, and I chickened out of deploying it because I wasn't sure if it complied with GDPR. I distrust Disqus over their ad-driven model and deep tracking of users, so for now I'm just doing without comments.

Is it possible to self-host something that handles user data (name, comment, IP address) and comply with this regulation? What if there's more data, federated data? Can one just spin up an instance of Friendica, for example, or are there additional steps required for compliance? I'm honestly not sure anymore.

[1]: https://posativ.org/isso/

treve, almost 7 years ago
Two questions come to mind:

1. Isn't this person allowed to be the Data Protection Officer themselves?
2. Is APNS inherently not compliant, or is there something unique about this use-case?

What's kind of great about this new regulation is that we get a clear view on businesses that can't adequately protect users' privacy. It's painful for businesses such as these, but ultimately it seems that consumers would come out ahead of it.

The weak link in this case may not have been the developer themselves but external factors, but it's still a pretty interesting data point.

oneplane, almost 7 years ago
This makes little sense. There is nothing in the GDPR that you shouldn't already have done. Besides, even if you don't operate in the EU, it makes sense to have a basic privacy setup anyway, and GDPR compliance is just that...

https://gdprchecklist.io (was on HN a few days ago IIRC)

On top of that, this isn't American lawyering. If you make a mistake or are simply trying but not having a good time at it, you're not automatically destroyed, put in jail, fined for billions of euros etc.

The GDPR is beneficial to everyone, except people with bad intentions or bad practices (like having big budgets for PR, ads and the CEO but not for tech).

The GDPR for basic FOSS and other single-person software boils down to:

- Don't capture data and not ask first
- Don't capture data and not tell
- Don't capture data and not show
- Don't capture data and not say where it is
- Don't capture data and not say who can access it
- Generally, users should be able to CRUD their data
- Delete data on request
- Export data on request

Most of that is common sense and in most non-commercial services this is available anyway. You can make it even simpler:

- Only CRUD when a user CRUDs and tell them that is what they are doing while they are doing it
- Make sure the delete/opt-out/close account button actually works
- Have a line somewhere saying "I'm hosting this on platform XYZ in country ABC"

Since you are likely going to build CRUD + delete account anyway, that's a solved problem. Unsubscribe/Delete account usually already exists, no problems there either. That leaves writing a few lines telling users where you are storing stuff and how to contact for issues.

Don't forget: laws comparable to the GDPR were already in effect long before the EU came up with an EU-wide version. In the UK for example, you could ask a business to send an export of all the data they have on you via mail, and they were bound by law to comply. In the Netherlands, if you store PII of people who are not your clients and send them mail/spam/offers, you get fined. Hell, they even had a more universal version where you aren't allowed to put mail in someone's mailbox unless it was addressed specifically to them, and there was one where you weren't allowed to put any ads in if the mailbox was marked for that. And you have a system where cold-calling was not allowed, same for fax ads.

elephant0xffff, almost 7 years ago
I don't really get it. So what's the burden for the developer here - he argues that the IP is PII (personally identifiable information), which is true, but I don't think it means you can't log IPs in general anymore?

So is now every standard apache2 installation a non-compliant (illegal?) service, as it logs GETs?

I don't think that's the case.

//edit: It seems to be the case that you are ok if you do log-rotation and delete old ones - which makes sense, so you can still use them for debugging.

tobyhinloopen, almost 7 years ago
I like the GDPR panic. People should think twice before handling our data. If they don't think they can handle it, I'm fine with them gone.

hackersword, almost 7 years ago
A "society" is all about building up information about the people around you and knowing about them. Complete anonymity often leads to the breaking down of people's filters and behaviours; they think they can do whatever they want without consequences.

Many countries outlaw face coverings as they imply correlation with lawlessness.

The direct linking of IP address as PII flies in the face of that. If I am logging IP addresses for security and to monitor against abuse, and I in fact determine that an IP address is abusive, it behooves me to have any/all data that IP address used in my system to try to identify them.

The right to be forgotten... why just online? Why just digital?

What if a shop owner or waiter in a small town notes which customers like what, or which client tips well. Which local has annoying kids that she lets wander and vandalize the store.

If that owner/waiter writes that down in a log, and shares it with a co-worker on the next shift... is that in violation? What if they don't write it down and just have a really good memory... what if they just 'organically' get a reputation and word gets around.

Is old wives' gossip illegal under GDPR, or the "stereotypical" Italian mothers who keep an eye out on all the kids in the street and report to each other who is doing what?

Plenty of stores and bars will have a list "don't take personal checks from these people"... are those types of lists not allowed anymore?

If the GDPR was JUST limited to "customers" or people who have explicitly created accounts that might be one thing, but overreaching to say ANY Apache webserver that automatically logs IP addresses has to be GDPR compliant is absurd.

If I post a tech blog with how-tos, personal ramblings, or even example code projects I release as open source that you are completely free to use or not use... why do I now have some obligation to you? You chose to walk up to my storefront and look inside... I'm free to remember whatever I want about you while you looked around.

The US passed the pretty broad, overreaching Computer Fraud and Abuse Act [https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act] that many have argued is so broad that a violation of TOS could be considered abuse/hacking. If you view my site without agreeing to my TOS, should I be able to have you prosecuted?

ultim8k, almost 7 years ago
I'm pretty sure lawyers and "consultants" are the only ones super happy about GDPR. Companies will still harvest user data with updated T&Cs and more buttons for the user to click, because all services will be useless without accepting. Governments will also continue gathering users' data for "the common good".

avar, almost 7 years ago
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

Is there any actual requirement within the GDPR that this needs to be a dedicated person, or does being a DPO just need to be someone's responsibility, e.g. in the case of a one-man open source project the guy who runs the project?

pheleven, almost 7 years ago
If this is the sort of enforcement we can expect, this could suck: https://ico.org.uk/action-weve-taken/enforcement/sse-energy-supply-ltd/ (there are several others, this one is just interesting because it's a very simple mistake with very minimal PII)

Also, my understanding is Germany allows for whistle-blowers to take a cut of fines. Language in the GDPR calls for over-estimating damages for loss of PII when compensating individuals as well.

Generally, I appreciate the GDPR. That said, it's a huge burden trying to go through many dozens of workflows, technical or otherwise, where (typically minimal) PII is recorded, catalog them, limit (and purge) intake of data to bare minimums, create documentation supporting said workflows to be able to provide the SA's, create a plan for being able to search ALL those workflows/databases/spreadsheets/apps that have PII to supply that data upon request, and then be able to delete all cases of such data upon request.

Turns out that's actually a mountain of work. It will probably force us to significantly improve workflows and combine data repositories moving forward, but it's a large burden up front. Likely many hundreds, if not thousands, of hours for our fairly small enterprise.

hackersword, almost 7 years ago
The GDPR is by most accounts and interpretations aimed at "the big players"... but it is not SPECIFICALLY written to be limited to them.

Two viewpoints on this:

1) If made too specific, big players will find a way to slip through the exceptions and game/lawyer the system

2) So vague that only the "big players" will have the infrastructure/legal approval to actually guarantee 100% compliance. Smaller fish, for which the reward just doesn't justify the risk/uncertainty, will certainly pull out of the market.

If the law is about "supercookies" and targeting an individual throughout the entire internet... it should say that.

If it's about the transfer/monetization of the aggregation of data... PII being sold for money or some other in-kind transaction... say that.

If a single entity uses a cookie and retains data for one single domain and that is ok... say that.

If retaining logs that contain an IP address and the logged-in credentials is ok for security auditing... say that... if it's only ok to store them for a year(??), 6 months(??), 1 month(??)... say fucking that!

If a company/site aggregating PII of over a million unique users is troubling and should be specifically bound by these restrictions and need a DPO... say that.

If a site only has a few 1,000 - 10,000 unique PII records/users of note, and is not the focus of these regulations... say that.

Give concrete examples, lawyer the shit out of it... leave it open for amendments so when abused it can be modified.

It's just a shitty law trying to fix an already shitty situation.

abritinthebay, almost 7 years ago
Long story short: Monal developer doesn't understand GDPR, makes a bunch of incorrect claims about it, doesn't want to understand it, and so removes his software from the EU.

That's his right, go him.

He didn't have to write a ton of incorrect nonsense about the GDPR though. He could have just skipped to the last step.

GDPR compliance is not actually that hard - I'm in the middle of doing it for a very large company - as long as you're not storing information about users it's almost trivial tbh, but there are a lot of unfortunate vague terms in the law (the intent is rather clear however).

The reaction to this law in the US is rather funny because the rest of the world has been dealing with strange US laws for decades on the web... finally something bites the other direction and people freak out.

belorn, almost 7 years ago
> registering for a push does make an HTTP call which logs a user's IP and this requires GDPR compliance. APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person.

Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for the legitimate interests of the user (or operator) as long as it does not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seem to fit that description quite well.

eksemplar, almost 7 years ago
You don't need a DPO if you're a one-man company, or your revenue is under a certain amount which I can't remember, because it hasn't been relevant at our 10.000-employee municipality.

You're allowed to track IPs in your log, if there is a reason for it and you only keep them for a reasonable amount of time.

You do need to gather consent for push messages. But you can do so by simply asking your users, and frankly, you should always ask your users before you spam them, but it's obviously going to be a little work to implement.

This is an overreaction, especially because no one knows how the GDPR plays out until it's been tested in the courts.

kybernetikos, almost 7 years ago
> Obviously, this is needed for a notification to be delivered to the right person.

This seems pretty clearly a case of 'Legitimate Interest'. Filling in a couple-of-page Word document (a LIA) and keeping it somewhere on the off-chance that someone queries you is likely sufficient, from my understanding. (This is not legal advice.)

noobiemcfoob, almost 7 years ago
Another one bites the dust

/Where dust == blocking EU

wlll, almost 7 years ago
> Data Protection Officer

He doesn't need one.

> Crashes

So don't send the user's IP with the crash report?

> Push

I don't know enough about this, but:

"APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server."

I didn't think Monal ran their own XMPP servers? If they don't, then is there really a danger of someone combining the data from the two services?

> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.

I have no idea, but if the Monal developer isn't running any XMPP servers then is this even an issue?

This all seems like someone who doesn't like GDPR having a bit of a tantrum and interpreting the laws in a way that makes it seem like they are in a worse position than they actually are.

vbezhenar, almost 7 years ago
How can I be non-compliant with GDPR? If I couldn't care less about it, is it enough for me to do nothing? Should I expect European users to find out for themselves that my website is not GDPR-compliant? Or must I actively ban EU IPs?
StreamBright, almost 7 years ago
"Data Protection Officer

I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts."

What? Where does it say in the law that:

a, you need one

b, it cannot be you

I mean come on, this is just a very ignorant post from the author.
megous, almost 7 years ago
I think the part about rather big enforcement penalties made it easy for various consultants to scare companies and, sadly, also some individual developers.

I already had to fend off implementing some ridiculous features. I've pushed against misconceptions and the use of non-existent terminology that's not even in the law. People are taking info from all kinds of sources, some of them sketchier than others, despite the existence of official EU guides, and the law itself.

But I bet it will be easy to comply for most non-adtech/tracking businesses. And as an internet user, I'm looking forward to better data exports, data removal and more transparency.
fiatjaf, almost 7 years ago
If you find yourself in this same situation, maybe you'll want to take a look at https://euroshield.xyz/ (direct EU IP blocks coming soon).
matchagaucho, almost 7 years ago
My understanding of GDPR is that if the logs remain anonymized, i.e. the IP addresses are not correlated with user records, then the solution is compliant. The IP addresses are not considered PII.
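Several comments in this thread turn on the same practical question: keeping access or crash logs with client IPs for a limited time, or keeping them "anonymized" so no raw address is stored. The following is an added example, not code from Monal or from any commenter, showing the two usual approaches side by side: zeroing the host bits of the address (irreversible, but coarse), or replacing it with a keyed HMAC token that still lets you correlate requests from one source for abuse handling while the key lives, and that becomes unlinkable once the key is discarded at the end of the retention window. The log format, the 30-day window and the sample lines are constructed for illustration and are not taken from any real server.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample access log (not from a real server).
# Format assumed here: "<ISO timestamp> <client ip> <request> <status>"
SAMPLE_LOG = """\
2018-05-18T10:01:02Z 203.0.113.45 GET /api/push HTTP/1.1 200
2018-05-18T10:01:07Z 2001:db8:85a3::8a2e:370:7334 POST /crash HTTP/1.1 500
2018-04-01T09:00:00Z 198.51.100.7 GET / HTTP/1.1 200
"""

# Constructed "current time" used for the retention check in the demo run.
SAMPLE_NOW = datetime(2018, 5, 18, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<rest>.*)$")


def truncate_ip(ip_str: str) -> str:
    """Zero the host bits: keep /24 for IPv4 and /48 for IPv6.

    Irreversible, but coarse: many clients share the kept prefix, so the
    result is useless for singling out one abusive source. Use it when you
    only need rough geography or rate statistics.
    """
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip_str: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the address, shortened to 16 hex chars.

    Stable within one key's lifetime, so requests from the same source can
    still be correlated (rate limiting, abuse investigation) without the
    address itself being stored. Rotate the key and discard the old one at
    the end of the retention window; without the key the token can neither
    be reversed nor re-linked to a known address by hashing candidates.
    """
    return hmac.new(key, ip_str.encode(), hashlib.sha256).hexdigest()[:16]


def process_log(text: str, *, now: datetime, retention_days: int = 30,
                key: Optional[bytes] = None) -> List[str]:
    """Rewrite log lines with the client address masked and drop lines older
    than the retention window. With key=None the address is truncated;
    with a key it is pseudonymized."""
    cutoff = now - timedelta(days=retention_days)
    kept: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format: drop rather than risk leaking a raw address
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue  # past retention: the line is not written out at all
        try:
            masked = pseudonymize_ip(m["ip"], key) if key else truncate_ip(m["ip"])
        except ValueError:
            continue  # not a parseable address (e.g. a hostname): drop it
        kept.append(f"{m['ts']} {masked} {m['rest']}")
    return kept


if __name__ == "__main__":
    print("truncated:")
    for line in process_log(SAMPLE_LOG, now=SAMPLE_NOW):
        print(" ", line)
    print("pseudonymized with today's key:")
    for line in process_log(SAMPLE_LOG, now=SAMPLE_NOW, key=b"constructed-daily-key"):
        print(" ", line)
```

The retention check and the masking are in one pass on purpose: the raw line is never written to the retained file, so there is no separate copy to remember to purge. Which masking you choose follows from what you need the log for; the point the comments above make is that a short retention window and a stored value that no longer identifies a person are both ordinary engineering, not a reason to block a region.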
intrasight, almost 7 years ago
One thing I see missing from these discussions is budget - specifically the budgets for the regulatory agencies responsible for enforcing GDPR. Lack of enforcement budget will, I think, make GDPR a non-issue for the vast majority of organizations. And as the EU ramps up its infighting over the new budget, there will be LESS budget allocated for something like this that has no vested constituents who will be helped or harmed by such allocation.
fcbrooklyn, almost 7 years ago
Every time something like this comes up, we see similar objections. They normally take one of three forms:

1) You are overreacting. The EU isn't going to come after some small fry operation, or some non-business entity.

This is an easy thing to say when you're not personally exposed to the risk. Would advocates of this position be willing to personally indemnify open source projects / side projects against GDPR enforcement? I suspect not, but perhaps there's a business opportunity in giving them the opportunity to do so. Sort of a GoFundMe for peer-to-peer insurance.

2) The GDPR is all about not being a jerk with your users' data. As long as you don't do that, and do relatively minor things X, Y and Z, you're totally fine.

This flavor of argument might actually be true, but if I'm assuming the risk I'm probably going to want to hear it from someone with skin in the game, like a lawyer, who I can point to if it turns out to be false. Even if I had the desire to read through the law (I don't) and understand the specific implications for my project (I wouldn't), the very act of doing this represents a cost that I could more simply avoid by excluding EU residents from my service. I'd choose the latter path every time, and put "support EU residents, check into the legal implications of GDPR" on the roadmap, for "someday".

3) You're exposed to millions of risks anytime you do anything. This is just one more and you're making a big deal of it.

Often this accusation comes with a subtext that you're trying to prove some political point, suggesting that you're making a decision in bad faith to "punish" the EU.

Well, I personally think something like the GDPR is needed, and have no particular axe to grind, but I also have no idea if the legal exposure is serious, and no particular desire to put in the work to find out.

Yes, business, or really any activity, involves legal risk. In this case though, the risk is pretty serious, first of all because the penalties (20M Euros max) are serious, and secondly because it will be very difficult to claim that you've never heard of the GDPR. If Tonga creates some law impacting side hustles on the internet, at a minimum I can credibly claim to be unaware of that law. The GDPR on the other hand has been all over the news for weeks. I've clearly heard of it (especially now that I've commented on a discussion of it on HN).

My feeling is there's a real risk that this law will lead to a general practice of non-EU individuals, and non-EU startups launching MVPs, at least temporarily blocking the EU to avoid unnecessary risk. That's not the intended purpose of the law, but laws have unintended consequences all the time. If the EU wants to avoid this unintended consequence they should provide a clear, objective, and cheap (in terms of both time and money) set of instructions that will allow projects like Monal to continue operating there. If such a set of instructions exists, I haven't seen it.
zenovision, almost 7 years ago
Just block all EU users. The EU only makes up 15% of the world population, and after Brexit even much less than 15%, so they are not that important.
howard941, almost 7 years ago
If I continue to maintain mail and web server syslogd logs and Europeans access one of the servers, do I risk getting nailed under the GDPR?
djhworld, almost 7 years ago
It seems to me like he's overreacting a bit.

I get that the GDPR regulations seem quite complex and daunting, but his use case seems pretty simple to me.
lagadu, almost 7 years ago
> I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.

Harsh words, but I feel they're warranted: if you don't want to treat my private data with the due diligence you should, then we're better off not using your service.
floatingatoll, almost 7 years ago
Does GDPR have any non-monetary enforcement? For a site with no revenue, can they take any action other than a $0 fine?
brandonjm, almost 7 years ago
If a law similar to GDPR were introduced in other countries such as the US, complying now would probably cost considerably less than dumping business in every country that does it and complying with all the laws only once you can't operate sustainably as a business anymore.
amurgul, almost 7 years ago
You CANNOT, by any means, consider an IP address to be "personal data". You cannot say "I don't want my IP to lie around in a database somewhere" because... IT IS NOT YOUR IP. An IP address is used to uniquely identify a device on a network, not a person. This device can be (and usually is) a router, a proxy, a server of some kind, a corporate computer, a public computer and so on. Not to mention the fact that a device can also have multiple IP addresses at the same time. So, an IP address CANNOT be used to uniquely identify a person and it really shouldn't be considered in the context of GDPR. Ah, an IP address + some other identification data, that's another discussion. Depending on the combination, it might be considered personal data.
Stenzel, almost 7 years ago
If you sell hardware, you have to deal with CE/FCC/RoHS and, worst of all, WEEE compliance, to name just a few. In comparison, GDPR is a piece of cake. Just sayin'.
akshatpradhan, almost 7 years ago
I started ComplianceChaos.com to sell my policy writing services. I specialize in ISO 27001, HIPAA, and PCI-DSS.

I'd love the opportunity to add GDPR to my current list of specialities.
peterburkimsher, almost 7 years ago
> Do you know a good GDPR consultant?

>> Yes.

> Can you tell me their email address?

>> No.
borlum, almost 7 years ago
Super overreaction. "End of an era"
interdrift, almost 7 years ago
Again, an absolutely uninformed opinion on GDPR. Shame that you can't be bothered to care about your users.
hashmal, almost 7 years ago
> I get the impression that it is an end of an era for the internet.

This is an era many of us won't regret.
solotronics, almost 7 years ago
This is the natural reaction to a business model such as Facebook's. They are making billions from everyone's private data, and the result is an overreaction that hurts mostly small companies.
5874-4b22-a4e0, almost 7 years ago
How would they even enforce GDPR? Can't companies just claim to clear your data?
kerng, almost 7 years ago
Probably a good reason to not use this product, even outside the EU.
fapjacks, almost 7 years ago
See ya!
consto, almost 7 years ago
Goodbye to bad rubbish.
Tomte, almost 7 years ago
Never heard of Monal. We won't miss it.
merinowool, almost 7 years ago
The comments here only show how terrible this law is, as nobody has a clue how to interpret the requirements. The EU's direction is simple: cripple the internet so that only a handful of companies can afford to navigate the regulatory hurdles, and that way it will be easier for bureaucrats to control it. Any small initiative will be killed with fines. In a few years the internet will be under the full control of a socialist regime, and people are sleepwalking into the new reality with the help of do-gooders.