I’d love the opportunity to add GDPR to my current list of specialities.

>> Yes.

> Can you tell me their email address?

>> No.

This is an era many of us won't regret.

Many countries outlaw face coverings as they imply correlation with lawlessness.

The direct linking of IP address as PII flies in the face of that. If I am logging IP addresses for security and to monitor against abuse, and I in fact determine that an IP address is abusive, it behooves me to have any/all data that ip address used in my system to try to identify them.

The right to be forgotten .. why just online? Why just digital?

What if a shop owner or waiter in small town notes which customer like what, or what client tips well. Which local has annoying kids that she lets wander an vandalize the store.

If that owner/waiter writes that down in a log, and shares with co-worker on next shift ... is that in violation. What if they don't write it down and just have a really good memory ... what if they just 'organically' get a reputation and word gets around.

Is old wives gossip illegal under GDPR , or the "sterotypical" Italians mothers who keep an eye out on all the kids in street and report to each other who is doing what.

Plenty of stores and bars will have a list "don't take personal checks from these people" ... are those types of lists not allowed anymore?

If the GDPR was JUST limited to "customers" or people who have explicitly created accounts that might be one thing, but over reaching to say ANY apache webserver that automatically logs IP addresses had to be GDPR compliant is absurd.

If I post a tech blog with how-tos , personal ramblings, or even example code projects I release as open source that you are completely free to use or not use ... why do I have now have some obligation to you? You chose to walk up to my storefront and look inside ... I'm free to remember whatever I want about you while you looked around.

The US passed pretty broad overreaching Computer Fraud and Abuse Act [https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act] that many have argued is so broad that a violation of TOS could be considered abuse/hacking. If you view my site without agreeing to my TOS, should I be able to have you prosecuted?

Is there any actual requirement within the GDPR that this needs to be a dedicated person, or does being a DPO just need to be someone's responsibility, e.g. in the case of a one-man open source project the guy who runs the project?

Also, my understanding is Germany allows for whistle-blowers to take a cut of fines. Language in the GDPR calls for over-estimating damages for loss of PII when compensating individuals as well.

Generally, I appreciate the GDPR. That said, it's a huge burden trying to go through many dozens of workflows, technical or otherwise, where (typically minimal) PII is recorded, catalog them, limit (and purge) intake of data to bare minimums, create documentation supporting said workflows to be able to provide the SA's, create a plan for being able to search ALL those workflows/databases/spreadsheets/apps that have PII to supply that data upon request, and then be able to delete all cases of such data upon request.

Turns out that's actually a mountain of work. It will probably force us to significantly improve workflows and combine data repositories moving forward but it's a large burden up front. Likely many hundreds, if not thousands, of hours for our fairly small enterprise.

Two view points to this:

1) If make to specific, big players will find a way to slip through the exceptions and game/lawyer the system

2) So vague , that only the "big players" will have the infrastructure/legal approval to actually guarantee 100% compliance. Smaller fish that the reward just doesn't justify the risk/uncertainty will certainly pull out of the market.

If the law is about "supercookies" and targeting an individual throughout the entire internet ... it should say that.

If its about the transfer/monetization of the aggregation of data ... PII being sold for money or some other in-kind transaction ... say that.

If a single entity uses a cookie and retains data for one single domain and that is ok ... say that.

If retaining logs that contain an IP Address and the logged in credentials are ok to keep for security auditing. .... say that ... if its only ok to store them for a year(??), 6 months(??) , 1 month(??) ... say fucking that!

If a company/site is aggregating PII of over a million unique users is troubling and should be specifically bound by these restrictions and need a DPO ... say that.

If a site only has a few 1,000 - 10,000 Unique PII records/users of note , and is not the focus of these regulations .... say that.

Give concrete examples, lawyer the shit out of it ... leave open for amendments so when abused can be modified.

It's just a shitty law trying to fix an already shitty situation.

That's his right, go him.

He didn't have to write a ton of incorrect nonsense about the GDPR though. He could have just skipped to the last step.

GDPR compliance is not actually that hard - I'm in the middle of doing it for a very large company - as long as you're not storing information about users it's almost trivial tbh, but there are a lot of unfortunate vague terms in the law (the intent is rather clear however).

The reaction to this law in the US is rather funny because the rest of the world has been dealing with strange US laws for decades on the web... finally something bites the other direction and people freak out.

Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for a legitimate interests of the user (or operator) as long as it do not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seems to fit that description quite well.

You’re allowed to track ips in your log, if there is a reason for it and you only keep them for a reasonable amount of time.

You do need to gather consent for push messages. But you can do so by simply asking your users, and frankly, you should always ask your users before you spam them, but it’s obviously going to be a little work to implement.

This is an overreaction, especially because no one knows how the GDPR plays out until it’s been tested in the courts.

This seems pretty clearly a case of 'Legitimate Interest'. Filling in a couple of page word document (a LIA) and keeping it somewhere on the off-chance that someone queries you, is likely sufficient from my understanding. (This is not legal advice).

/Where dust == blocking EU

He doesn't need one

> Crashes

So don't send the users IP with the crash report?

> Push

I don't know enough about this, but:

"APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server."

I didn't think monal ran their own XMPP servers? If they don't then is there really a danger of someone combining the data from the two services?

> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.

I have no idea, but if the monal developer isn't running any XMPP servers then is this even an issue?

This all seems like someone who doesn't like GDPR having a bit of a tantrum and interpreting the laws in a way that makes it seem like they are in a worse position than they actually are.

I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts."

What? Where does it say in the law that:

a, you need one

b, it cannot be you

I mean come on, this is just a very ignorant post from the author.

I already had to fend off implementing some ridiculous features. I've pushed against misconceptions and use of non-existent terminology that's not even in the law. People are taking info from all kinds of sources, some of them sketchier than others, despite the existence of official EU guides, and the law itself.

But I bet it will be easy to comply for most non-adtech/tracking businesses. And as an internet user, I'm looking forward to better data exports, data removal and more transparency.

1) You are overreacting. The EU isn't going to come after some small fry operation, or some non-business entity.

This is an easy thing to say when you're not personally exposed to the risk. Would advocates of this position be willing to personally indemnify open source projects / side projects against GDPR enforcement? I suspect not, but perhaps there's a business opportunity in giving them the opportunity to do so. Sort of a GoFundMe for peer-to-peer insurance.

2) The GDPR is all about not being a jerk with your users' data. As long as you don't do that, and do relatively minor things X, Y and Z, you're totally fine.

This flavor of argument might actually be true, but if I'm assuming the risk I'm probably going to want to hear it from someone with skin in the game, like a lawyer, who I can point to if it turns out to be false. Even if I had the desire to read through the law (I don't) and understand the specific implications for my project (I wouldn't), the very act of doing this represents a cost that I could more simply avoid by excluding EU residents from my service. I'd choose the latter path every time, and put "support EU residents, check into the legal implications of GDPR" on the roadmap, for "someday".

3) You're exposed to millions of risks anytime you do anything. This is just one more and you're making a big deal of it.

Often this accusation comes with a subtext that you're trying to prove some political point, suggesting that you're making a decision in bad faith to "punish" the EU. Well, I personally think something like the GDPR is needed, and have no particular axe to grind, but I also have no idea if the legal exposure is serious, and no particular desire to put in the work to find out.

Yes, business, or really any activity, involves legal risk. In this case though, the risk is pretty serious, first of all because the penalties (20M Euros max) are serious, and secondly because it will be very difficult to claim that you've never heard of the GDPR. If Tonga creates some law impacting side hustles on the internet, at a minimum I can credibly claim to be unaware of that law. The GDPR on the other hand has been all over the news for weeks. I've clearly heard of it (especially now that I've commented on a discussion of it on HN).

My feeling is there's a real risk that this law will lead to a general practice of non-EU individuals, and non-EU startups launching MVPs to at least temporarily block the EU to avoid unnecessary risk. That's not the intended purpose of the law, but laws have unintended consequences all the time. If the EU wants to avoid this unintended consequence they should provide a clear, objective, and cheap (in terms of both time and money), set of instructions that will allow projects like monal to continue operating there. If such a set of instructions exists, I haven't seen it.

I get that the GDPR regulations seem quite complex and daunting but his usecase seems pretty simple to me.

Harsh words but I feel they're warranted: If you don't want to treat my private data with the due diligence you should, then we're better off not using your service.

https://en.wikipedia.org/wiki/Hazard_analysis_and_critical_c...

> The ICO said in a statement that it would only consider “enforcement action” if a company failed to register despite ICO advice.

And they keep saying this.

"Second class citizens" might not be the right term, but would "segregation" be an appropriate term?

This is free market with 550 mil potential users/citizens, void will be filled pretty quickly by other companies/developers that actually spent some time reading about what GDPR is.

Being a first class citizen means being tracked like an animal with an implanted chip.

And let's face it, 99% of web sites and tools aren't really needed, more like a waste of time.

But as I said in another reply to the parent poster, there are states which allow raw milk products in intrastate (but not interstate) commerce.

[Edit: Wow my text got mangled by autocorrect. Fixed so that it makes sense now!]

This really isn't a burden.

The comment I replied to seemed to reference far more than chat.

1. you're a public authority (NHS practices are an example)

2. Large scale processing

3. Large scale processing of sensitive data

They don't specify what large scale means. They also haven't specified how sensitive data qualifies the third statement. One can assume the threshold is lower but the GDPR doesn't specify any thresholds with regards to this.

Even ICO says legitimate interests might be okay for some marketing.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

I think the majority of users on HN are from the US. And going by the GDPR related comments over the past few months, it seems the litigious US stereotype really is true - a lot of people seem to be prepared to "lawyer up" at the drop of a hat!

The EU is not the USA.

The authorities have limited resources, and are only interested in large-scale privacy abuses.

Agree, that's why I never implied that.

Not exactly an ironclad source, but better than nothing, hopefully.

The GDPR has really made me think about minimising the collection of data that I don't need - absolutely a good thing.

Anyone whose software logs IPs by default should stop, so that the admins who choose to log IPs must voluntarily choose to log protected information and handle it appropriately.

i think you are being a bit naive and dismissive. the law could easily be interpreted as his endeavor requiring a Data Protection Officer. the guidelines (http://ec.europa.eu/newsroom/document.cfm?doc_id=44100) for the DPO require that processing "special categories of data" needs a DPO. those categories include tings as benign as "trade union membership."

so if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.

This is the other kind of free, where it genuinely is being done out of interests sake as a public service, like guerilla gardeners. In this case, it's perfectly reasonable to say that you got into this because you're interested in solving the technical challenges, not because you enjoy wading through bureaucratic rules, and decide to stop offering that free service in the EU because the fun has gone out of it.

Probably you're completely right about how easy complying would actually be, and in that case you could certainly take this code and run your own push server that serves EU clients.

You don't need a privacy person either (I suspect you mean DPO), but you do need to know what you are doing.

> I am all for fair taxation and privacy, but the EU should start creating the mechanisms that make it easy and automatic for startups to comply with stringent requirements instead of leaving the burden upon them.

That I agree with, it can still be better. But VAT/MOSS took the sting out of the VAT reporting and the privacy law is entering a shake out period now and will also end up to be manageable.

That rather makes the anti GDPR arguement sound like "yes I know that is the law, but I was breaking it over the internet so that doesn't count"

Also, i think the DPAs can fine any company in the EU, not just the companies of the country the DPA is in.

Compliance. It doesn't matter if you delete your logs, if you had them in the first place you're subject to compliance.

Like the example in the article. Not sure why people are still thinking this doesn't happen, this is exactly what is happening in the article.

FWIW, dmv.org is not an official government site.

See: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se... (starting at "Howewer, some cookies are exempt …")

As far as I know the GDPR doesn't change these requirements here. So even if you're a company of 5 people and just handling some email addresses or similar data you certainly don't need a DPO.

What makes you believe that the "large scale" refers to the size of the organisation and not on the amount of processed data.

Think about. A person doesn't own the random bits (data) about them that goes through and is stored on various systems they interact with. Under the GDPR in the EU, they might have a right to know what is stored about them on various systems, but they don't "own" that data.

That's impossible and doesn't make sense.

Do you have a source for this?

From some quick googling that doesn't appear to be true.

https://www.orsgroup.com/news/compliance/how-the-gdpr-affect... https://www.winterhawkconsulting.com/4946-2/ https://www.p4p.uk.com/gdpr-compliance-paper-documents/

https://ico.org.uk/for-organisations/guide-to-the-general-da...

Recording IP addresses in a web server log does not qualify as "regular and systematic monitoring of data subjects on a large scale" by any stretch of any definition.

And that's besides the fact that they don't have any presence in the EU. GDPR's scope only includes companies with at least some presence in the EU. That's not just because it'd be unenforceable - the laws make no attempt to include a wider scope than that.

Almost no restaurants score a perfect 100% during food inspections.

Many regulations understand that real life works on a gradient. That is why cars have varying safety standards that they have to meet based on their size and class, and why consumers can pay more for cars with a higher safety rating.

The 'federal crimes', were precisely enabling US customers to gamble over their phone lines. That was enough to get a publicly traded company in a friendly nation categorised as 'organised crime'.

The other thing you mention about how it's not a criminal offense is something important a lot of people seem to be missing. If you're violating the GDPR and someone notices, the first thing that happens is that they work with you to try to correct the problem, not that they hit you with huge fines and laugh while twirling their mustaches.

This feels dishonest. If, for example, I wish to ban certain people by IP Address, your solution is to take my entire service offline?

I know the "logging by default" comes from a different age of the internet, and I'm absolutely for minimizing data collected - but I'm sticking to my opinion that as long as the default of every internet-facing package is logging IP addresses by default, it's not good that private owners have to face problems or a lot of work because of that.

It doesn't matter if European law has a history of being "principle based", if it can fuck you then someday it just might. Europeans might be fine with this, but I think most Americans would not be. If I was in OP's position I would do the same thing, by simply blocking an IP range all possibility of being made an example of by some people from another continent is flushed down the drain. I'm absolutely baffled why people think this is absurd, if you're not even making any income off of it, why would you ever open yourself up to such expensive potential liability?

If owned or controlled by big-co in an non arms length manner, then it wont be considered a 'small company' in terms of the GDPR.

Edit: These corporate control laws have teeth, otherwise every small & large business owner would do something similar by making all of their corps 'offshore' in some zero tax jurisdiction and pay 0 tax locally except for business done actually in the territory itself.

In fact the construction sector is a very bad example here, because old buildings are usually covered by separate regulations , thats not true for software.

And even if such a conflict does arise, as it surely will somewhere, the text linked states that the controller and processor shall ensure that such a conflict does not exist. It does not say that "You can't do this because 'conflict of interest'", it just says those two roles will ensure there will be no conflict of interest. If you read all the guidance, you will see that the DPO is the most protected role. It has the least liability. The data controller and processor have their own responsibilities, from a liability pov.

Unless you are the business owner/executive, DPO, data controller and data processor...I can't see this being a conflict of interest. Ever.

When instead it is up for interpretation, that comes with issues. The first is selective enforcement, there is also the chilling effect on both sides. Those who ought to be protected worry about the slack given to their potential predators. Meanwhile those who are 'potential predators' need to worry about the slightest move that is illegal under some interpretation.

The end result of this chilling effect is fewer willing customers, fever willing companies, and less mutual trust. Notably, this lack of trust persists even if you presume everyone still follows the law. At that point it seems to me a law has failed.

citation needed

> if you do not collect data that you have no use for you are 95% there.

I have always been respectful and even never required emails on signups. I am not 95% there because there is a ton more to do. In fact i am at 5% because i have a lot of small scale past projects. Not everyone is a VC-funded startup.

That's the kind of emotional reaction that everyone has to GDPR. Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.

That would have been a wonderful thing to see. The DMCA has had a chilling effect on speech worldwide, and has created difficult barriers for small businesses to deal with if they want to host user-created content.

I think you unintentionally made your opponent's point!

AFAIK, most of the "safety committee" regulations usually have waivers for small companies.

I’m fairly left leaning for a US citizen & find the idea that the default should be big companies abhorrent.

But I recognize my bias & am not st all convinced it’s in any way objectively correct.

For many reasons indeed, this is broad topic and GDPR doesn't change anything if we are talking about big US players and their domination. None of them is getting out of EU.

> And I am afraid GDPR has just added another one.

I disagree, it's the other way around. Small single person companies/developers that will get out from EU market will could only strengthen local market. Any other US/EU/outside EU startup/developer can fill that void.

[1] http://bosshoss.com/supersport-bike/

Wouldn't a better alternative be to design a messenger that complies with GDPR? Simple user accounts that can be deleted at the request of the user, peer-to-peer encryption (and where possible, communication), a "storage cabinet" for each user where encrypted data end in when the user is offline (with an encryption/decryption key that is generated client-side and transmitted while both users communicate) and can easily be deleted and i think this covers most uses.

This is just an idea that i came up with right now, but if you start your design with the goal to store as little data as possible and anything you store needs to be both encrypted and easy to delete, then i believe you can come up with several ideas for most issues.

It also helps to see this as respecting the users' privacy and giving them control, as opposed to a development burden :-P.

Can you hint me to one of those German laws which do require one of the above?

So all he's done is save himself the time and effort of dealing with the GDPR and cost himself nothing.

I'm sure another free and open source product will seriously impact his profit.

Every business owner here who would complain about how the GPDR is taking their rights to their personally earned data away would be the same people who launch a lawsuit because one of their competitior's products had a typeface that was vaguely similar to theirs

There are regular people here, they just don't go starting businesses that have abusing their customers as a business model because they couldn't sleep at night if they did that

Edit: DPO Network says this which I think is a pretty good summary (though it's not part of the explicit legal policy, it's someone's opinion)

> CAN WE ASSIGN ONE OF OUR EMPLOYEES AS OUR DPO?​​​

> Yes. However, you must ensure that other professional duties of this employee must be compatible with his/her new duties as DPO and do not result in a conflict of interests.

https://www.dponetwork.eu/faqs.html

Anyway, how should the ICO be able to be more concrete then the GDPR?

The problem is that there's no justification for having the right to coerce other people just because they have information you gave them. If users enter names into your website, you're not allowed to run a statistical analysis of what names are most common on your website without asking. If people named Jane are more likely to eat ice cream, you can't target ice cream ads at them and help keep your site free, without asking them. Worse than just this kind of coercion of what you're not allowed to do, users can coerce you into taking time out of your day to expunge records about them. It's all entirely backwards.

I feel like your statement here is basically "you are a business, therefore it is impossible for you to run out of money", which -- superficially -- seems very naive.

"As GDPR approaches, I get the impression that it is an end of an era for the internet. The days of someone making something, putting it on the internet and offering it to the world seem to be over. "

And this particular thing GDPR ruins pretty goddamn well.

Mind you Belgium us 1/30 the size of the US

Article 83 states that any penalties must be proportionate to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken to prevent or mitigate an infringement and the degree of cooperation with the supervisory authority.

https://gdpr-info.eu/

I think you can also log the ip, you just have to get your user's explicit consent.

I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.

It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.

So much as I dislike the new privacy laws, at least the made me reconsider my AdSense settings.

Also the section of the GDPR that talks about pseudonymization using a token how should my user DB table be GDPR compliant? Contains ID (primary key), username, password hash, email, etc and the ID is also in other DB tables for obvious reasons (such as user posts/actions).

I'm not arguing for or against it, just pointing that the resulting unintended consequence is protecting large companies. Exactly the opposite of the original intent.

The regulator is the effective judicial remedy.

In the UK there's also a First Tier Tribunal and probably an upper tribunal. These are when the regulator has made an error in law.

Regulators. "Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation".

So, 28 countries, each with 1+ organizations. So you could find yourself having to deal with multiple parties in different languages.

However, if you do that, good luck ever getting a mortgage, credit card or other post-paid services ever again if all credit report requests come back with the reponse "no data available". So I wouldn't recommend that.

https://www.gov.im/about-the-government/data-protection-gdpr...

So he wants the funky TLD from Europe but he doesn't want European law 'hassle'. Hypocritical.

If I want to put an open source app in the App Store, that’s not a business model for me. It’s more just personal expression.

So don't hold IPs if you can't be bothered to know where the might end up and if you don't want to update your privacy policy. Why would you?

> My point is that having negligible private data is no less compliance burden than having a lot of private data.

And no data means no compliance burden.

Note that holding data already has costs associated with it no matter what you do: you need to secure that data, you need to back it up, you need to process it and eventually you will need to get rid of it. All of those cost money and effort.

> You mean i ve had 2 years to attempt to interpret a vaguely written law.

As laws come the GDPR is surprisingly clear. I was quite skeptical until I actually got a copy of the draft and I was positively surprised. They actually got it mostly right, there are some minor things that I would have liked to see different but on the whole I am not complaining.

> Actionable information is just now coming out, and even that is contradictory (cue this topic).

The hysteria is ridiculous. Anybody that has spent even so much as a couple of hours on this subject - and from a somewhat serious point of view rather than the ridiculous fear mongering - knows enough to not have written a silly blog post like the one on display here.

> Even the EU parliament's website does not comply yet.

That article was not exactly enlightened to put it mildly.

> First, that is a directive, not a law and compliance can vary widely.

Yes, but if you did take it serious then you are well underway.

> Second, gdpr requires new procedures which means it requires amendments anyway

Yes, there is some overhead. But this is mostly to ensure that the law will not be ignored like what happened with the DPD. As you say 'it was a directive' which many companies interpreted as 'can be ignored'. What they failed to realize is that if you don't self regulate after a directive is issued that there will be a version of the directive with teeth that has the strength of law. Congratulations, we are there.

No. This is the myth that "consent is always required". There are several justifications for processing personal data, and consent is just one of them. There are others.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

Anyway, it is not the act of having the information about other people that is problematic, it is the act of collecting, using, or sharing it. Do you think I should be able to follow you around and write down every step you make? Should I be able to use that information in every way I want? Do you want me to tell your significant other what you actually did on that »business« trip, tell your coworkers what you got from the sex shop? Should your doctor be able to tell everyone about your health status, your bank about your financial status?

It is just naive to pretend that handling information is inherently without any concerns and therefore no rules should apply at all. And it is just silly to pretend that writing down an observation you made in the park in a notebook is the same and should be treated in the same way as systematically collecting information about every website visitor.

Even if you had a business that was whiter than white in terms of compliance with previous data protection laws and had perfect documentation of all its data collection and processing activities, it would surely cost far more than that just for the time to write some basic notes on the extra things you now have to tell data subjects and/or your regulator, get them reviewed by a lawyer, incorporate them into the relevant policies, and send notifications to anyone affected about your updated privacy policy.

What about your salary?

Even if it would all be a net benefit, why is it ok for all of these companies to be so misleading about it. No one out a simple EULA, for what is happening with the data. Hell half the agreements just say that the companies can do whatever with the data, but an average person does not have the ability to parse the output of the legal teams of every company they interact with every day. The only way this could get even close to an equal footing between users and companies is if every single person was a lawyer

Yes, but then again: if you don't implement them society as a whole will end up holding the bag. Polluter pays is a very good principle.

> All regulation costs money to implement.

Yes. But that's called the cost of doing business. And most software based businesses have insane margins anyway because of their ability to scale.

> Even if each regulation by itself is cheap, these things add up -- it's death by a thousand cuts.

That's one way of looking at it. Another way of looking at it is that it levels the playing field between those that ride roughshot over their users rights and those that try to be nice.

The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.

Months later, I discover that I can sell my stock of credit card information on the darknet for some nice extra income.

Should I be allowed to do that? What if it weren't credit card details but just postal addresses?

No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.

What you're describing is a good thing. If you're going to treat my data like an almost stale slice of pie selling it off cheap to anyone who will buy it - Please do block my access!

For example, my business model might be to ask you for your login and password information for your bank so that I can help myself to the contents of your bank account. In return I'll send you a newsletter on how to get rich quick :-)

I doubt you are asking seriously, but in case you are, the distinction is: if I need the information to complete the contract, then it is under contract basis and I'm allowed to use it for that purpose. If it's not needed for completing the contract, but I have a legitimate reason for using the data anyway (kind of vague, but includes marketing -- basically all the stuff that was legal before GDPR) I can do so, but I need to tell you I'm doing it. You can object and then I have to stop. If I have no legitimate reason for using the data, but I want to anyway, I can still do it. I need to ask for your consent (which has to be opt in). My service can't depend on you opting in (because I have no legitimate reason for needing the data). I can't deny service just because you opt out. You can also withdraw your consent at any time.

So in my silly example at the top, I could literally ask for consent to use your login details for you bank. If you agreed, I could use them. However, since I have no legitimate interest in your bank login details (other than I wanna look at your bank balance), I can't make my service depend on that.

If your business model is based on making money from data that you have no legitimate interest in and you have no consent for... well, I really, truly have no sympathy at all. I understand that some people may have a different opinion, but I don't think mine is really that unreasonable.

Vs to package and resell the subject.

It is a matter of making subjects of data collection in control of their data being sold without their consent to the real customer, someone else.

You're out of touch.

Compliance just isn't as simple as you think it is no matter how much you double down in these comments. Laws aren't black and white. Do you not use an accountant, either?

Frankly, your advice is terrible.

You might be from Europe and to you it may just seem sensible but 1-5 person companies often have to make tradeoffs like this. It is not right to say just comply with the law - it is so easy! The company, here, has decided that the cost is too high and that they are out.

All the laws, worldwide?

Are you in compliance with anti-blasphemy laws? Laws that forbid insulting the monarch? The tax regime of every country in the world?

The creator of Monal has decided the easiest way to be compliant with another country's laws is simply not to do business there, and I think you're underestimating the difficulty of the alternative (trying to comply with every country's laws).

There are professionals who spend their entire careers just "knowing" very specific parts of the law, and who are still frequently found to have misinterpreted it when tested in court.

Is doing your company's annual financial returns also stupidly easy, because you just have to know accountancy?

What about security? Just write all the software you use yourself based on your expert knowledge of cracking and cryptography?

Incidentally: not knowing you are breaking a law is no excuse for breaking the law, ignorance is not a valid defense.

This is possibly the greatest conceit in the history of legal systems. No human being in any Western nation could even read every word of law that applies to them in an entire lifetime, never mind fully understand the implications and the motivations behind those words that might be relevant to interpretation. Ignorance may not be a legal defence, but not being magically aware of the sum of all human knowledge about every legal system that you interact with is certainly a reasonable excuse for doing something illegal but otherwise apparently ethical and sensible.

Maybe you have huge assumptions that people reading what you say will add all kinds of limitations to what you say? I don't. It leads to terrible discussions, like this one.

Similarly we sometimes get asked to incorporate silly things into our service because the marketing people think that it will create engagement. Again, these are free SaaS businesses that are scooping up data and selling it. Although I made up the cat emoji thing, it's not that far off what we sometimes get asked to incorporate. With GDPR, those businesses are going to have to charge for their services and that's going to have to come out of our budget. We don't have to argue "We're not shipping our whole customer database over to a SaaS just so we can have cat emojis on the the system". Similarly, it makes our systems simpler because if they really want cat emojis, we can implement them -- it's just not "free" (it never was, but it's hard to have that conversation sometimes).

I probably should have left the SaaS thing out of my explanation because it's confusing and only slightly related to what I was talking about :-). Like I said, we use some great services for marketing and will continue to do so under GDPR.

There are varying degrees to which people see laws as affecting them. Small business tech owners, when a law says they have work to do, are going to feel affected. If there was a securities or accounting law that felt similarly overreaching one could expect a similar reaction. This is especially true if there is an alternative (locking out markets) that is easier. It's not helpful to try and compare the situations. It's also not fair to consider people weighing the costs of these laws as doomsayers. They aren't closing down their business, they're just restricting it to more business-friendly environments in their view.

https://gdpr-info.eu/chapter-7/

Because by default any web site has, in the past, been open to people from any country that doesn't censor the web.

Regulations like GDPR are making doing business in more than one country more difficult and encouraging a Balkanized web.

Prove that.

Because that's not how "the law" works. I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.

No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees. And to my knowledge, Canada has not signed a treaty with the EU regarding enforcement of the GDPR.

The EU is primarily leveraging the fact that most everyone wants to travel to the EU eventually.

While you in your home country you have no need to comply with the GDPR unless a treaty between your home country and the EU exists to mandate it.

The EU is also leveraging their trade agreements.

What they don’t understand is that China is next and they have totally diametrically opposed views on consumer privacy. But when has the EU ever been farsighted?

For example, with small numbers for the argument's sake, say in 2000 there were 5 good webpages and 4 bad webpages added to the internet every day. Now there are 10 good webpages and 50 bad webpages added every day. That would mean we're getting more good information per day than before, but the signal to noise ratio has gotten worse, as you said.

A point is that often statements of a law are defined not by the language but by the ruling of lawsuits that occur around those statements and that is what most companies and lawyers are waiting for, what do courts rule when these lawsuits happen.

The biggest issue that I have heard of (Im no expert) is what does the right to be forgotten actually mean ? Does that mean all your backups are now illegal as you are retaining the customers information after they asked you to remove their records?

I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.

forgive my frank language, but too fucking bad.

edit: my right always outweigh your profits. Sorry.

The data collected under the former is simply the IP and a timestamp in webserver and app logs, usually purged within 7 days and then any user data included in backups, purged after 3 months.

"better user experience" is not really personal data but I included it anyways; browser type (mozilla/edge/etc.), viewport resolution, pageload time, OS. And not stored in a way that allows correlating them.

For analytics that is really all I need.

Consider adventured's sibling post - it quite astutely points out that GDPR discussions are much more vitriolic than you'd expect for discussions of the minutiae of data handling. People who say that GDPR compliance is hard are being attacked on a personal level. He explains it as 'emotional investment' in GDPR but I don't think that's a good explanation; the people arguing most strongly for it are also those saying it's not much work, so that seems backwards. You'd expect people who put in the most effort to be most emotionally invested in it.

There's a much better explanation available: your view on GDPR is a direct consequence of your assumptions about human nature. If you believe in the existence of benign and enlightened technocrats then GDPR seems like excellent progress towards building a better world - it's extreme vagueness and severe penalties are exactly what's needed to foster obedience to technocratic elites. People who complain about this are just being unnecessarily awkward ... just be reasonable after all, and you'll be fine! The EU are reasonable so if you're reasonable too, you have nothing to fear! From this perspective, anyone who objects to GDPR or actually decides compliance is impossible must - almost by definition - be being unreasonable. What are they hiding? Why can't they just get on board; the only answer available is that they have flawed characters and any points they make about gray-area debatable things like cost:benefit ratios must be some sort of obfuscation.

If on the other hand you believe the whole idea of wise and beneficent bureaucrats is naive, then GDPR looks like a hell of a lot like a power grab by the very sort of people who shouldn't be able to grab power. Vagueness is of deep concern because it's in the shadows of vagueness that abuse can be found, and when a law is nothing but vagueness, it even makes sense to question to motives of those who created it - that's a problem because lots of self-styled Europeans have bought into the EU's utopian rhetoric and can't separate criticism of the EU from criticism of themselves and their desired future.

There's no real scientific way to prove whose assumptions about human nature are right. The USSR was a rare example of a real-life experiment in who was right and for a long time it proved the American style, conservative, small weak government is better mentality to have superior results. But that was decades ago and many have forgotten or weren't alive back then, so now rule by technocratic dictatorship seems attractive again.

As a consequence GDPR discussions will always have the same flavour as Clinton v Trump debates, or Brexit debates, or whether to restrict spending on political campaigning. They are ultimately about the same issues.

This is also why in all cases you'll see the GDPR supporters go after the character of the site/service owner (including always questioning their motives to muddy the waters). It's an attempt to short-circuit any reasoned debate, to destroy the credibility of the opponent. This has happened numerous times on HN in the last month or two.

Are you expecting GDPR (or any law for that matter) to define an exhaustive list of every definition, that holds true now as well as for the future? Have a rethink about that statement...

Article 63 of the GDPR specifically covers consistency of enforcement across the regulatory agencies.

You keep daily backups for 1 week, and after one week the users data is gone from all backups.

The only possible window for restoring deleted user data is the time window from deletion to backup. To "solve" this you need to make more backups, ideally live backup and replication with really frequent snapshotting. And this is something you would want even without the new law, because you don't want to lose user data in case of a server failure. Why would you restore from an old backup? (And if you really need to restore from an old backup you most likely want to merge this backup with the newest one to reduce data loss. In this case you can reapply all deletes.)

The new laws don't change anything. For me at least. Also my lawyer is totally fine with "only" minimizing the problematic time window. We both know that it will never be zero.

Unless you want to business with another country, in which case you need to follow the laws of that country when you conduct that business. Which is what I've been saying the whole time.

> Just think of what China would do to the Internet if it could.

If you want to provide a service to China you need to follow Chinese laws or they will block you using their firewall. China is a (not very nice) example of how a country has the right to decide who it does business with -- if you won't help them conduct surveillance of their citizens then they won't do business with you and will block you from doing business with their people. You might not agree with their laws or how they act, but it is their right as a sovereign nation to create their own laws.

I never said you need to follow the laws of every country in the world, and I really don't understand how so many people are reading that out of what I said (and keep saying). If you want to do business with a country you will have to obey the laws of that country. That's the way international trade has always worked.

And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell user's e-mail addresses to some spammer or whatever.

I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.

Go for it.

What? Because you just decided that it does?

It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?