This is part of why I think GDPR is a disaster for startups. It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.
Typical EU regulatory overreach.
The spirit of the law is really quite simple; my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me. If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.
Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics.
No part of my "business model" is attempting to profit from personal data yet I have to jump through a bunch of new hoops.
My likely solution for projects is to simply block EU traffic going forward.
Assuming it's a personal blog then just don't capture any PII. Don't sell it, be prepared to delete a user's comments on request. Don't capture PII without informed consent.
Easy, no?
In the U.S., freedom of speech usually trumps privacy rights. It would be very damaging if the Supreme Court ruled that any EU citizen can limit US speech based on their laws.
When I store your personal data, I should be allowed to do so under the 1st Amendment, which is about speech?
The EU is not a single entity. It's dozens of nations, more than 300M individuals.
Any law that gives power to users instead of companies harms companies.
To me, it's an acceptable trade-off.
Europeans want Facebook and Google and the rest, the EU doesn't. The EU != the Europeans.
So international startups must now care more about what the EU wants than what European customers want. That's wrong.
In the meantime, European governments take measures that jeopardise private life, like putting black boxes at ISPs in France to watch everyone (aka. fight terror...).
GDPR is ideology. Not private life protection.
The only complaints I've seen about it are concerning people responsible for administering data in companies.
GDPR represents an ideology of not giving corporations free rein to make profits at any human/social cost, but to rein them in and give people a chance to consent rather than be data-raped.
Could you expand on how you think it's (solely?) ideology? What's bad about informed consent wrt PII?
But that's just business as usual, businesses are allowed to do things we consider morally wrong because that's just how things work.
And the second a law springs up that helps out the little guy, it's a massive governmental overreach. How dare government actually try to help people, think of all the businesses they are hurting!
This helps massive corporations (who can afford to comply) and hurts small businesses which cannot.
It doesn't help your argument when you misrepresent the truth like this.
There's absolutely no requirement for every individual who accidentally has an IP address in their logs to comply with GDPR.
I'm strongly considering simply taking down all my old blogs/sites because it's far too much work to deal with GDPR for anything less than a medium-sized business.
I imagine most CMS will have the option to do that at update?
My approach is one very much based on risk - how likely am I to receive requests from data subjects requesting deletion of their data? How likely am I to be subject to a targeted attack where people try to remove information from my server? How likely am I to be the subject to enforcement action if my server is hacked and data is leaked?
On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event. If you're outside the EU, GDPR will only apply if you are actually offering goods/services to those in the Union, or are monitoring them. I take the point about analytics in the second place, but in the absence of analytics, I don't see that making available a blog constitutes the offering of goods/services?
GDPR outside of the EU (for purely non-EU entities) is a non sequitur: there are zero internal processes to make it work.
Let's take the most basic example. The GDPR does not apply in a vacuum; it's enforced and supported by Data Protection Agencies (DPAs) in each member state, which are responsible for ensuring that companies in those member states comply with EU regulation like the GDPR within the context of local laws and regulations.
The DPA is responsible for the application of the GDPR within its member state (and its power is limited to that member state only, but the GDPR does have a few venues for applying a local DPA directive across member state lines). It's also responsible for handling complaints in that state, and it provides directives and advice to both law makers and the industry.
If I'm a UK company and need to deal with the GDPR (till Brexit do us part), I work with the ICO, which is the UK Data Protection Agency. While other DPAs might affect me, the ICO is my primary source of both advice and enforcement, and any issues that might originate in another DPA would still pass through the ICO.
Now I am a company in, I don't know where, let's take Argentina, and I want to sell to EU customers. Which DPA do I answer to? Which DPA do I ask for advice? How do I arbitrate complaints filed against me, and to which DPA do I prove I handled data disclosure requests in a manner compliant with the GDPR? Which DPA would know my local laws to ensure my application of the GDPR was compliant with local data retention and lawful access laws? In fact, other than going through my own state/trade department and organizations, what venue do I have as a non-EU resident and a non-EU entity to any EU services and resources?
The answer to all of this is none: as a non-EU company there is fuck all you can do, even if you want to comply with the GDPR.
To a developer used to systems thinking this should not be rocket science. Most of it is just good practice. Kim Cameron came up with the laws of identity many years ago, which the GDPR is surprisingly similar to.
What court do you use to appeal a complaint or a fine?
There are no processes at all for a non-EU entity to function within the GDPR and saying it’s not rocket science isn’t going to change that.
Brexit will make little or no difference unless you refuse to deal with EU citizens in any way that involves you having access to their PII or storing any information about them (including traces of their activity in your product/app/site).
GDPR will be carried over post-Brexit, and even if it is later revoked by act of parliament and not replaced by something equivalent, you'll still need to deal with it if you want to trade with EU citizens. If the UK refused to play ball and somehow blocked us from the punishments for non-compliance, we would face inconvenient sanctions by other means.
GDPR isn't perfect (is any regulation?) and there are certainly significant questions to be answered from the PoV of people operating outside the EU, and even some issues that may still require more clarity for those entirely operating here, but I wholeheartedly welcome it (UK citizen here, FWIW) despite being a data specialist and therefore having a bad nervous-twitch reaction to any idea of a non-soft delete operation!
The GDPR isn't perfect; it's just not workable for companies that are not in the EU.
1. You have a subsidiary in the EU, in which case that is who will get fined or will have to deal with the DPA where it is registered.
2. You don't, in which case the EU cannot fine you?
Logic dictates that it won't apply to companies that simply don't have any legal presence in the EU.
But that is not defined because again there are no exceptions.
However PayPal might enforce it on you in fear of the EU going after PayPal because it’s expected that all EU companies would require GDPR compliance from their business partners overseas that perform any data processing for them or are exposed to EU PII.
However, how this compliance is to be achieved, validated and arbitrated isn't defined either.
In practice, I doubt that they'd get the US to enforce judgements. But it might mean that I can never risk going to Europe again lest I risk having a default judgement enforced against me for one of my businesses.
PayPal could tell you that you must comply to accept payments from the EU, and likely in the same manner they handle everything, which means no guidance, benchmarks or clear directions, and it would be up to you to figure it out.
By PayPal I don’t mean just PayPal but any other payment processor or service provider which you are dependent on.
Where's the burden? Only collect the data you need; tell people what you're collecting and why; only keep it for as long as you need; keep it safe.
These are not burdens.
"Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics."
If it is a company, yes, it will require more work. That is the nature of regulation, but the demands placed on companies are not unreasonable in any way. I would place it on the same level as stores being required to provide receipts, or restaurants being required to clean the kitchen. It certainly was easier when they didn't need to do that, but don't we agree it's a reasonable burden to place on businesses to guarantee an acceptable level of service?
If the blog is purely personal the GDPR does not apply.
https://ico.org.uk/media/for-organisations/data-protection-r...
> The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
And if GDPR does apply you only have to do the extra work if the IP addresses can be used to identify a natural person. Note here "can be", not "is".
> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...
> (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
And Article 4:
1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;