Server logs are allowed as "technically necessary" as long as you show "good will" (I'd call it that way) in keeping the saved data to a minimum. 14 days of log keeping? Fine, that's cool for technical reasons. 14 weeks of log keeping? That's excessive and could get you in trouble.
Different reasons would entail different retention times.
But we may observe that some practices are easy to justify, while others are more challenging. Some attempts at justification have been rejected, which means that trying to rely on them in the future is a bad plan.
Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.
The vague, uncodified "intent" is my biggest problem with GDPR and GDPR-like laws, especially when it comes to small businesses. Even with the best intent, I've seen startups in my community get into "real" trouble trying to comply with mixed results. Not every company can afford to allocate the time/money necessary to comply with sudden deadlines and/or new technical requirements. Not every company can afford to take the risk of "I think this PII is absolutely necessary, but... could I prove it in court? Can I even afford the lawyers to try?" If I didn't read HN, I doubt I'd even know laws like this new French one even existed; I can't afford to dedicate someone to monitor changing laws around the world.
Saying "it's important for businesses to allocate sufficient resources toward researching evolving law in every country they might do business in, and it's okay if businesses fail if they can't afford to do so" is reasonable.
Saying "if you're trying to do the right thing, you'll be fine" is, quite frankly, the complete opposite experience I've seen from most well-meaning companies in my sphere trying to accommodate GDPR rules with limited budgets.
Of course, I am located in the US so maybe this is the intended result.
To make this more obvious, the EU is essentially saying that you can create a post service that routes all their letters through the US where they can be opened by the FBI, without any legal recourse.
I'm always amazed how people (even very technical) argue that things are perfectly fine for electronic data when they would completely oppose the same thing for physical things, e.g. letters. I guess years of propaganda have worked.
I fundamentally disagree. You can't come to my house with a red hat then demand I never tell anybody you have a red hat and forget I saw it. That's absurd.