The GDPR applies as much to a startup or side business as it does to Facebook and Google.
A letter like this would be a hugely disproportionate burden to a small business like that. It would take many hours, if not days, to reply properly to all of those points, even for a business that is doing nothing shady or unusual.
You can't just write "automate it" as if that has no cost.
What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?
If a start-up is doing things with personal data so that answering those questions takes more than a few paragraphs, isn't the start-up pretty much a personal-information-processing business, and doesn't it deserve to have the burden? Doubly so because start-ups often leave security considerations for later; any personal information they collect or share may not even meet the minimal industry standards and expectations of larger companies (not that such informal standards are adequate—those larger companies are often incompetent themselves).
What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?
It doesn't have to be doing any of that. Just the time and money to have a lawyer review this letter and identify the actual obligations is already a significant burden. For example, notice that just replying with everything requested here would in itself potentially breach data protection law.
Perhaps, but making sure a company isn't screwing you over by throwing your personal information around willy-nilly doesn't require opening with a direct threat and then listing 40 or so different demands for information, several of which are technicalities which have little relevance to determining whether or not the data is really being handled safely and responsibly anyway.
A normal person who really was worried about how their data was being used would probably write a polite letter asking what data was being stored, how it was being used, and maybe a couple of supplementary points if they had particular concerns or perhaps had heard a warning about some specific practice that could be dangerous.
Because it's hard to correctly understand. That's the point of the letter, it's called nightmare letter because it was specifically crafted to be as confusing and hard to understand as possible.
It's not hard to understand. It's only hard to understand if you've built your business around slurping people's data and using it without consent - something that's already mostly illegal in the EU.
A lot of GDPR is not new. It's just clarification of existing law.
I think it's very clearly written. It's a nightmare letter because it ticks all the boxes, so to speak -- the author asks all possible GDPR-related questions he can ask and the business is legally required to respond to.
Yes. That's the policy goal. Don't start businesses that are inevitably going to hurt people.
There are lots of other profitable businesses you're not allowed to start, like "an agile, disruptive restaurant that cuts costs by never cleaning" or "an investment advisor that front-runs their own customers" or "a healthcare startup that runs on unpatched Windows XP" or "a company that helps you get work visas for nonexistent jobs" or whatever.
No, they say that you can either run a fly-by-the-seat-of-your-pants startup, or handle private data, but not both at the same time.
If you want to be entrusted with people's private data, then the table stakes are much higher than simply starting a business, and you have to be prepared to invest the time and resources to do it properly, or you're not allowed to do it at all.
Don't start certain kinds of businesses without being willing to deal with the reasonable requirements of starting businesses of that kind.
If I start a biotech startup, then I need to make sure I'm keeping all health data I encounter well protected. This _does_ mean it's harder to start a business in this space—but not impossible.
If you're not willing to make that tradeoff, then don't start that kind of business.
I certainly respect your desire for no businesses to have certain pieces of your personal data, but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".
And beside that, regulations that effectively result in prohibiting certain kinds of businesses even though they don't explicitly do so are bad regulations IMO.
> but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".
There are companies tracking the SSID of my phone with wifi beacons to find out which stores I was physically visiting. How do I opt-out of that?
Sorry to bring the tired "you're not the customer, you're the product" line, but the way the industry is set up today, I'm starting to doubt there is so much difference between the two options.
Tracking and data collection is baked into so many services nowadays that you'd have to be extremely attentive as a consumer to avoid any tracking - also be prepared to face a lot of inconveniences and restrictions. If possible at all.
I understand your sentiment, but we’ve swung so far towards the unrelenting abuse of consumer data, I’m supportive of regulation through any means necessary.
To your point, if a business is not explicitly banned, but banned because of regulation about what that business can do, that’s exactly the sort of regulation we want. We don’t dictate your business specifically, just what you can and can’t do with the data. If you can operate within those regulations, congrats!
If you don't have basic infosec when starting a business... Don't start a business. It's 2018. Companies get hacked for a ton of reasons, it's ridiculous how badly companies exploit customer data and then fail to protect it. Companies need to be held liable for that.
GDPR does not, and government checklists can not, ever, cause companies to have acceptable infosec. Any attempt at security-by-bureaucracy is inherently doomed to failure. This is why business consulting groups’ “security” divisions are the butt of countless jokes among security researchers. No bureaucrat, executive, or politician can ever make enough forms and flow charts to secure data.
The GDPR is an EU regulation, but you appear to be adopting some US(?) based conventions and terminology, and then posting a string of buzzwords that have little if any connection to the subject at hand.
Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?
You probably need a lawyer to help you write the document the first time, and to update it when you make new partnerships or develop major new pipelines for data. You probably don't need a lawyer every time you receive such a letter.
> You probably don't need a lawyer every time you receive such a letter.
For routine enquiries, maybe not. For a letter like this, from someone who is clearly intending to trip you up and cause trouble, our lawyer is the first call I'm making, every time.
And that initial conversation is already going to cost me hundreds of pounds and a half-day of work, even if I already have reasonable answers to anything we are actually required to respond with under the GDPR here.
> For a letter like this . . . our lawyer is the first call I'm making
/shrug It's your money. You could do that, or you could even light it on fire if you wish. It's no skin off my back. If your company is profitable enough to eat this self-imposed overhead, then its owners will just make less money. If it's not, then leaner competitors will replace it. I'm fine with either outcome.
In this area, we have no idea which overheads are actually going to prove justified and which are just throwing money away. That's one of my main points here. As I've argued several times on HN recently, a big part of the problem is that if you're running a small business that isn't handling large amounts of personal data but obviously is going to be subject to the GDPR like everyone else, there is no clear indication of what you have to do to be considered reasonably compliant.
The GDPR itself is very heavy and has little in the way of moderation for small-scale data controllers/processors, so in practice it's going to come down to interpretation by regulators (and potentially anyone who has rights under the GDPR and wants to make trouble, as in the example we're discussing). If you don't do enough, you potentially face even greater overheads due to formal audits, financial penalties, etc. If you do too much, then as you rightly point out, you leave yourself at a disadvantage compared to competition who don't do as much (and this remains the case even if that competition is knowingly breaking the law as a result, and that in turn doesn't matter if they face no meaningful penalties for it).
> we have no idea which overheads are actually going to prove justified and which are just throwing money away
Life is risk. I contend that if you make a good faith effort to comply with this law (i.e. consult with a lawyer, once, to develop those eight documents you mentioned in another part of this thread) and generally practice good private information hygiene (wipe out old data, don't log private info, don't retain logs or emails too long, etc.), you're probably going to be fine. This is probably not going to be in the "inner loop" of risks your small business faces.
In every regulation, there are winners and losers. Some of the losers didn't do anything wrong, but are just losing because that's the nature of designing laws that factor in disparate interests. At this point, it's the law, and your only choice is how you're going to handle it. And my contention is that, if your small business is receiving letters like this with any regularity, calling a lawyer and spending half a day on it each time is not among the reasonable spectrum of risk-mitigating responses.
To be fair, the EU introduced a two-year transition period with the express purpose that businesses should update their processes and basically identify and prepare for potential problems such as this one.
This transition period is ending this summer. Why is this discussion taking place now?
I'm involved in GDPR-compliance taskforce in our company, and I can answer this question.
GDPR is very broad and open to interpretations, which will happen only when someone gets caught, i.e. during the first legal battles.
So, the transition period does not really help, be that 2 years or 4. We need to see how this law is going to be enforced by regulators, and which common IT practices constitute breaking the law and which do not.
This transition period is ending this summer. Why is this discussion taking place now?
Because no-one thought to inform most of the businesses affected by it before, and awareness has only grown in recent weeks (and even then probably only among business people who frequent forums like HN where the subject has come up).
> (and even then probably only among business people who frequent forums like HN where the subject has come up).
Every business I've worked with over the last couple of years of consulting has had sessions on GDPR entirely without any technically minded people having to bring it up.
I'm sure there will be people caught by surprise, but what I've seen has been very promising.
> Every business I've worked with over the last couple of years of consulting
OK, but if you're going into a business and consulting, that already suggests both a certain scale and a degree of awareness within those businesses, so this isn't likely to be a representative sample.
I'm not consulting on the GDPR, and my clients range from 2-person companies to 2000 people with most of them being much closer to the low end than the high, so while it certainly will be a biased selection in other respects (e.g. they're companies with a certain degree of technical complexity) I don't think it says much about awareness (other than already having more tech staff) or scale.
Additionally, most companies without much technical infrastructure are less likely to be affected much in the first place.
Unfortunately, that guidance still doesn't provide specific, actionable advice in even a lot of everyday areas, as we've seen in just about every HN discussion on the GDPR in recent weeks when recurring themes like backups or log files or payment processing services come up.
Also, having "fucking reams of advice" is not a good thing. To be practically useful for the kind of organisation we're talking about, advice needs to be clear and concise. A starting point that will take days just to read through and understand isn't very helpful.
> Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?
You don't need a lawyer to reply to GDPR letters. You do need to comply with the law when you collect personal data. What you're saying is "I should be free to ignore the law until someone writes to ask about my compliance, and when they do it's burdensome for me to get legal advice to respond to that letter".
I'm saying no such thing, and it's neither courteous nor constructive to twist words like that.
You keep asserting that it's not necessary to have a lawyer review a letter, despite the letter being legal in nature and in this case clearly coming from someone who is looking to cause trouble. Clearly you and I have very different attitudes to risk in this respect.
In any case, an obligation to comply with the law is self-evident. My objection is that the law itself is poorly implemented and that what is necessary to comply is ambiguous.
Everything you do with customers is legal in nature.
But most interactions with my customers do not begin with a multi-page letter that literally opens with a direct threat and then proceeds to demand a response on 40 different points.
Your repeated scare mongering around GDPR is fucking tedious
I run small businesses, and we have been dealing with GDPR issues. The ambiguity and overheads I have been talking about in this discussion are costing us time and money right now. Dealing with a letter like the one we're discussing would cost us more time and money. Apparently we aren't alone in these respects.
Some of the GDPR's supporters have argued that the lack of proportionality in the actual regulations is not a problem because the regulators will enforce it pragmatically. I have personally heard such arguments made about onerous EU rules before, and through my own businesses I have been on the receiving end of government mistakes and their rather unpleasant consequences. And again, that wasn't some freak unlucky event: thousands of other businesses are known to have been subject to similar problems, in more than one incident, involving more than one government authority.
A few people have suggested that involving lawyers in response to a letter like this is unnecessary. Clearly it's going to be a matter of risk assessment, but I don't think it's unreasonable. Once again, I have personally seen (at a former employer in this case) how much time can be wasted if a company gets caught up in formal legal proceedings even having done nothing wrong.
In short, there are people out there dealing with the issues you call "scare mongering" every day. These are not just hypothetical problems. Maybe you've never been caught up in them yourself, but sadly not everyone is that lucky.
> especially since almost everything you've said about it is false.
If you're going to call me a liar, please at least tell me what I've written anywhere in this discussion that was false so I can set the record straight.
Aren't those letters already pretty standard anyway? I was sending those to various places > 10 years ago using the existing privacy/data protection laws in the country I was a resident in.
(you get fun stuff back, I got all the logs from my public transit card that way)
Well yes, if you've built a business around illegally using personal data you may need to get a lawyer involved.
It would be better to get the lawyer involved when you start your business so you know you're complying with the law.
And almost everything in GDPR comes from existing laws (in the UK the Data Protection Act and PECR), so if you're breaking the law under GDPR you're probably breaking the laws that exist now too.
>Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
Data Classification
>a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
Data Classification
>b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.
Asset Inventory
>2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
Privacy Impact Assessment
>3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
Privacy Impact Assessment
>a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.
Privacy Impact Assessment
>b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.
Asset Inventory
>c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.
Access Control
>4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.
Data Retention
>5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.
Data Collection
>6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.
>7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
Breach Escalation
>a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.
Backup
>a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.
Log Review
>c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.
Security Awareness Training
>8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security.
I'm sorry, but this comment reads like something written by an academic with no real world experience of data protection issues and running businesses at all.
You should be able to provide this from a SQL query.
Please tell us all what that query should be, then, and how it's going to cover the relevant data stored in log files, emails, remote services used for payment processing, off-site backups, etc.
That's just a very minimal set of other places that almost any new online business is likely to be working with on day one.
Data Classification Plan
Asset Inventory Plan
Privacy Impact Analysis
Privacy Impact Assessment
Access Control Plan
Data Retention Plan
Data Collection Plan
Breach Escalation Plan
You're suggesting that in order to handle this kind of request -- which none of my businesses has ever received from anyone in many years of trading -- we should write up 8 different formal policies? These businesses probably don't have 8 different formal written policies in total at the moment. This is just totally detached from the realities of running small businesses, though it does reinforce my point about disproportionate burdens.
[The parent comment appears to have been edited after I wrote this. The terms above were in the original.]
You're making the parent's point. This is disproportionately burdensome to companies that don't have people dedicated to writing policies or lawyers dedicated to reviewing them.
How is that a useful solution to anything? Almost any business will handle some form of personal data, and as such will have some degree of compliance overhead.
More overheads are generally bad for business. In the run up to Brexit, and given figures from the Chancellor's statement just this week showing relatively low productivity and growth in the UK economy, it's remarkable how many people don't seem to have a problem with increasing those overheads and thus negatively affecting the creation and growth of businesses.
There is a balance to be struck here. Protecting privacy is important, but not regulating in a way that introduces excessive burdens is also important.
An ISO audit takes how long and costs how much? Do you expect every company that handles email addresses (that's PII) to perform an ISO or SOC2 audit before accepting customers?
A) You are using personal data in good faith as part of and don't need a lawyer. Just reply. I work for an organisation at the larger end of the SME scale and won't be using a lawyer. Like I don't use a lawyer for routine contractual disputes like debt collection until the debtor refuses to pay.
B) You are walking a fine line and relying on the exact wording rather than the spirit of the law. You are not acting in good faith and trying to make money out of customer data. You need a consultancy firm and lawyers and you won't get any sympathy from me.
I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette. I find it OT and I hope the moderators do too.
Option C is that the letter was written in bad faith, and the sender intends to "rely on the exact wording rather than the spirit of the law" in order to get me in legal trouble.
That's why the regulator can, must and will exercise judgement. They can't sue you for $bignum after getting your response, they can point the regulator towards you and claim that they've been abused, but if they are the abuser, then that's not going to fly.
Being the target of a government investigation is in and of itself an expensive process. You have to spend a bunch of time preparing your side of the story in exacting detail. You probably need to put a freeze on any changes which might make the regulator think you're trying to cover up previous misconduct.
And of course, if people find out you're under investigation, a lot of people are going to just assume you did something wrong. You won't be able to fix that no matter what the regulators conclude.
> I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette.
To the extent that I am anti-EU in some respects, particularly around the areas of small businesses and excessive regulation, that is born of experience. As I have mentioned in previous comments, which apparently you might have seen, I have been on the wrong side of EU rules being over-zealously applied before, and I have been on the wrong side of a government regulator that is for most practical purposes above the law making a mistake before. Some things that some commenters tend to dismiss as hypothetical, I know from direct personal experience to be real threats, and I will challenge bad laws that allow scope for such threats to exist.
> I find it OT and I hope the moderators do too.
I'm sorry that you feel censorship is a useful response to someone with different experience and views to your own. I like to think that HN is a forum where people can discuss such differences of opinion openly and intelligently.
No, the threat is having rules that are ambiguous and subject to interpretation by regulators with the power to at minimum cause serious disruption through a formal audit and at maximum impose fines that pose an existential threat to a small business.
And as I said elsewhere, if you think that threat is imaginary, please look at how many different national tax authorities have started large numbers of incorrect claims procedures against small businesses who had done nothing wrong just because the officials made mistakes with the new VAT rules and got their own records in a mess.
Take the simple and common case of a startup storing personal data on an AWS-hosted service. Can you account for who at Amazon has access to that AWS instance, how many physical copies of the data may exist in Amazon's data centers, how you can assure that deleted data is really deleted, and so on?
The company is the controller of the data, and Amazon is the processor.
Here's Amazon's declaration and stance, stating they are GDPR-compliant both as a company (when they are the controller - of their direct customers' data), as well as when they are a processor (infra for use by others who control private data): https://aws.amazon.com/compliance/gdpr-center/
There's generally no need for a controller who relays data to a processor to understand the intricacies of the implementation on the processor's side (is deleted data really deleted?) - what's more important is the processor's self-declaration for GDPR compliance.
The above is my personal $0.02 as I've been spending quite some time getting into GDPR recently. IANAL
If you're using AWS for your business/startup to store customer information and you don't have good answers for this already, then you aren't doing your due diligence.
To be clear, many businesses may not have good answers right now. Their response should not be "this is too much of a burden" but instead "wow, we really need to find this out ASAP".
I just read through this "Nightmare Letter" and while the cost is definitely non-zero, a conscientious startup will have the same answer for each user for almost every single point and can have a boilerplate response ready to go in those cases.
Where it gets complicated, i.e. where they buy your data from 3rd parties, I don't have a lot of sympathy for any of the complications involved. Most of the rest can be automated, not for a non-zero cost, but for a relatively low one if a startup goes in with these questions in mind, prepared to answer them when they come up.
> a conscientious startup ... can have a boilerplate response ready to go in those cases
I have businesses that don't do anything shady at all with personal data, and I'd like to think we're conscientious about handling what we do have. We follow general good practice in terms of encryption, hashing passwords, and so on. We've never had any sort of request for information under existing data protection rules, nor complaints under any other regulatory regime for that matter.
So, how much time and money should we spend putting together that boilerplate, just to tick a legal box? How much of the documentation formally required under the GDPR should we actually write, given that on the evidence of several years of trading so far it has literally no value to anyone? How much should we spend on things like getting lawyers to review the contracts we have with the small number of outside services we do use, which might have access to some personal data in connection with the services they provide for us, and how often?
If you actually follow the letter of the law here, the costs of compliance would be astronomical by small business standards. There is little proportionality built into the GDPR itself, so we are reliant on regulators to introduce it, and that's not a good position to be in either legally or practically.
Depends on who you ask. Those who trust government will tell you that you can count on the subjective enforcement not to go after you as much, and of course the good ol "don't break the law and you have nothing to worry about". The rest of us that understand government incompetence/corruption and risk mitigation would tell you that you have to weigh whether these risks are real enough to you. I would tell a non-growth-focused early stage company uninterested in locale variety with limited resources (e.g. bootstrapped company in beta) to avoid EU customers since there are only downsides.
If anyone from the EU visits your website, and you're collecting server logs or analytics with IP addresses in them, you're now processing personal data of EU citizens and subject to the GDPR. They've written this regulation such that pretty much everything on the internet is subject to it.
How about email? If someone from the EU sends me an email, their IP address will likely be in one of the received-from headers, and will be in my SMTP logs.
Note that even if I don't have an email server, relying on my ISP to handle that, desktop email clients download the headers from the server.
A lot of small businesses have no idea that they are storing that information.
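As an added example (not code from the thread), a small Python script covering the two practical points raised in the comments above: client IPs sit in web access logs and in the Received: headers of stored mail, so answering a request means searching those too, and truncating addresses at ingestion shrinks what you hold in the first place. The log lines and the message are constructed; the addresses are documentation ranges, not real traffic.

```python
"""Locate and minimise IP addresses in web logs and mail headers.

Added example, not from the original thread. Two defender-side tasks that
follow once client IPs in logs are treated as personal data:
  1. find every record tied to one data subject's address (for answering an
     access request), including the Received: hops inside stored emails;
  2. pseudonymise addresses at ingestion so the retained log holds less
     personal data to begin with.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample inputs (RFC 5737 / RFC 3849 documentation ranges).
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2018:10:15:32 +0000] "GET /pricing HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2018:10:15:40 +0000] "POST /signup HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:16:01 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

RAW_EMAIL = """\
Received: from mail.example.org (mail.example.org [198.51.100.23])
\tby mx.example.net with ESMTP id abc123; Sat, 10 Mar 2018 10:20:00 +0000
Received: from [203.0.113.7] (helo=laptop)
\tby mail.example.org with ESMTPSA; Sat, 10 Mar 2018 10:19:58 +0000
From: someone@example.org
To: support@example.net
Subject: question

Hello.
"""

# Candidate tokens are runs of hex digits, dots and colons; each one is then
# validated with the ipaddress module, so timestamps such as 10:15:32 and
# version strings such as 5.0 are skipped.
_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]+")


def _as_ip(token):
    """Return an IPv4/IPv6 address object for token, or None if it is not one."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def extract_ips(text):
    """Distinct IP addresses in text, in order of first appearance."""
    found = []
    for m in _CANDIDATE.finditer(text):
        ip = _as_ip(m.group(0))
        if ip is not None and str(ip) not in found:
            found.append(str(ip))
    return found


def received_hop_ips(raw_email):
    """IPs recorded in a stored message's Received: headers, topmost hop first.

    Each relay prepends its own header, so the first entry is the hop nearest
    the recipient and the last is closest to the sender's device.
    """
    msg = message_from_string(raw_email)
    hops = []
    for header in msg.get_all("Received", []):
        for ip in extract_ips(header):
            if ip not in hops:
                hops.append(ip)
    return hops


def records_for_subject(log_text, subject_ip):
    """Log lines that mention the subject's address (whole address, not substring)."""
    target = str(ipaddress.ip_address(subject_ip))
    return [line for line in log_text.splitlines() if target in extract_ips(line)]


def pseudonymise_ip(ip_str):
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6.

    The truncated value can no longer single out one connection, which is the
    minimisation step, yet it still serves coarse geo and abuse statistics.
    """
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise_log(log_text):
    """Rewrite every IP address in log_text to its truncated form."""
    def repl(m):
        return m.group(0) if _as_ip(m.group(0)) is None else pseudonymise_ip(m.group(0))
    return _CANDIDATE.sub(repl, log_text)


if __name__ == "__main__":
    print("subject records:", records_for_subject(ACCESS_LOG, "203.0.113.7"))
    print("mail hops:", received_hop_ips(RAW_EMAIL))
    print(pseudonymise_log(ACCESS_LOG))
```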
Well, geo-IP blocks are much easier than fetching those logs by user on request. This will happen if EU citizens overly burden companies with these letters... but not until then probably. I definitely wouldn't want to jeopardize my future EU prospects by ignoring the requests for info.
It may be a bit of an unlikely scenario, but people should remember their opinions on region-specific content blocking even if they think their region has enough leverage to make everyone bend to their will.
If I don't need an adblocker because all the adtech companies already preemptively block me, I personally could live with that and would consider the GDPR to be working as intended.
It doesn't have to come to this, at least from adtech's side.
Generally, your device is instructed via a publisher's site/app to reach out to ad tech servers either directly (firstparty), or indirectly (firstparty->thirdparty, firstparty->RTB exchange->thirdparty).
Due to the "chaining", GDPR is particularly onerous on the adtech industry. Granted all the data is keyed by semi-anonymous IDs (cookies, IDFAs, IPs), the concerns for consent, retrievals, deletions, in a cascading manner, are an industry-wide problem requiring collective action. The IAB proposed something for the RTB side, the publishers don't like it, and it'll be tense until and through May 25th :)
Having said that, nobody wants to shut-the-whole-thing-down. While all these servers may refuse service based on fuzzing the request as originating from the EU, they may also decide to serve as-best-as-possible and minimize logging of the sensitive fields - it may be better, for example, to lose some functionality for European devices (behavioural targeting, for example, the idea of showing you an ad for the Widget you just looked at over and over), than to serve nothing at all.
Um, nope. Go ahead, try applying EU law to a US website. I run a few, by all means, knock yourself out. It's hilarious and baffling at the same time that you think the EU can write laws for other countries.
If you are selling things to people in country X, you have to be very careful if you decide to ignore X's laws for such sales. You and your company may be beyond the legal reach of X, but your suppliers and service providers might not be.
For example, if you decide to ignore tax laws in X, X might put pressure on your credit card processors to stop aiding your tax evasion. If the credit card processors respond by cutting off your ability to process cards, they might not bother just cutting you off from accepting payments from country X. They might cut you off completely. That would be pretty annoying.
By your logic, you should be allowed to go to Ladbrokes.com and put some cash on tonight's NBA games. I could if I wanted to, and I'm sure Ladbrokes would love to take your bets if they could. But you can't, because countries can make laws about selling to their residents. Ladbrokes blocks you, because US law says they must.
I'm sure you can rely on your site being too small for EU regulators to bother with, and I'm sure it would be hard for them to enforce if you have no operations in the EU, but the fact you ignore the laws doesn't mean they lack jurisdiction.
Irrelevant. Ladbrokes is not a US firm, I don't know, need to know, or care what their legal system is. It's entirely possible their laws require them to comply with US law, or that they have assets in the US.
A website hosted in the US, owned by a US citizen, residing in the US, is not subject to laws written in other countries.
The reason I used the example of a gambling website is precisely because the US has history of prosecuting the operators of non-US websites for allowing US residents to join. There's nothing in UK law that says they can't let Americans bet. Didn't stop US authorities arresting several bosses of EU gambling websites. If you do a bit more research you'll learn that the US uses extra-territorial jurisdiction more than anyone.
Sure, that's true. It's a different subject. If one's country allows a foreign system to operate outside of its own legal system, it's about as strong of a sign as I can think of that the people do not actually control their government.
As a US citizen, I am strongly against our interference in other countries, but even if/when we fix that, it won't matter if the root problem is not fixed, since another outside power could do the same thing.
I'm sorry but no, it's the exact same subject. It's country A prosecuting a website in country B because they did something that's illegal in country A but legal in country B. The US does the same for copyright laws. Or is it OK if it's team America that's acting as world police?
I live in the US, _good luck_ enforcing foreign law on me.
It's a sign that the people here have the most fundamental control over their legal system. It's not my problem if country B can't do that, but I would REALLY like country B to have the same power over their legal system.
I could go into the real tests and what it means to have a legal system where the individual has so much power, and how to achieve that, but you are ignoring the distinction between enforcing foreign laws on a US citizen and a citizen of country B.
You are implicitly admitting the asymmetry, but instead of fixing country B, do you want country A to weaken its system so that it has the same foreign influence bug as country B?
Like I said, your argument boils down to "we're American: we'll enforce our laws on everyone in the world, but if you think you can tell us to obey your laws when we sell to your country, you can F off." Which is fine: you're welcome to say that because a law is hard to enforce you won't obey it. Just don't pretend you're not breaking the same principle that your government relies upon: that if you're serving a country's residents, you must obey that country's laws.
They can't enforce them on other countries but they can:
- Have their ISPs block access to your network
- Have their banks not process payments to you
And if you really want to generalize it to "laws" they can emit an arrest warrant: good luck ever travelling to another country that has an extradition treaty with any EU country.
They can't prevent a business in another jurisdiction from operating but they sure can prevent your business from being conducted with any EEA entities.
Yes, so what? Did you know that as an individual, you can literally be imprisoned for decades for violating the law? Why is it so shocking that a company that violates the law can be forced into bankruptcy?
The key term there, of course, is "up to". You don't get fined the maximum amount for the smallest violation. It's a range, depending on the severity of the violation, and probably whether there was gross negligence and/or maliciousness.
There are sentence maximums for different crimes for a reason, and often people are unjustly sentenced to the maximum level. With your analogy we should just have the option to sentence everyone to life for any transgression and then just tell everyone "but they won't".
I don't understand why this is constantly handwaved away with statements that claim to tell the future. If you are correct that the violations aren't as large in some cases, that can codify it a bit better than "trust us".
To reverse your argument: without data protection laws we're just trusting corporations that they won't commit any transgression. Your "worst case" description is exactly the current scenario that we have in place being practiced by corporations who have your private data: all you have from them is "trust us".
How much personal info that you have, do you actually need? I don't know your business, and I don't particularly want to, but this is a good opportunity to review how much of the data you retain you even should be retaining.
If the amount is anything substantial, more than contact information and whatever data customers might choose to be hosting with you, then you are exactly the right target for GDPR and you should be spending whatever amount you deem necessary to avoid the fines.
It's harsh, but it is true that software and service companies in general, maybe not you, maybe not your company, are far too lax with personal info, and so now legislative bodies like the EU are choosing to address that issue, and the easiest way to be in compliance is to not have anymore customer data than you actually need so when you do get hit with a letter like the one linked here, you have a much easier time responding.
Will this strangle some businesses? Even prevent some from even getting started? Undoubtedly, but that is a trade-off I'm willing to accept in this world where every incentive is stacked against the integrity of my privacy.
Well, speaking just for my own businesses, we've always minimised how much personal data we use, and all the processing we do is for good reasons that are directly related to what we're offering as a service. This wasn't due to any legal obligations, just basic good practice in terms of security and what I consider an ethical stance regarding the privacy of our customers.
I suppose this is why I'm so frustrated by this whole issue. I have a lot of sympathy for your argument that some businesses exploit personal data in ways we might well agree are abusive, and that something needed to be done to curb that. But as someone who does try to do the right thing both ethically and legally, this is just another set of regulations that is going to cause compliance overheads for my own businesses while offering little if any real benefit to anyone in our case.
Meanwhile, if the risk of significant enforcement action against smaller businesses really is low, the door is open for competitors to take their chances and gain an advantage over us, particularly if they're not in the EU themselves. So it also seems to be a case of no good deed going unpunished.
I'm sympathetic if your practices are already good, but the balance of power between an individual and a corporation is too far on the side of corporations as things stand. This levels things out for individuals who otherwise have to depend entirely on the goodwill of corporations.
That includes you, the individual as well, and I hope it works out for you the corporation.
If you can't already answer these questions you're probably already breaking EU law.
There's been a round of companies "reconfirming" email lists "because GDPR" - but if those companies can't show clear opt-in before sending email they're already in breach of PECR.
A conscientious startup would probably not start up under these conditions. Every regulation that creates risk reduces the number of people willing to invest and enter the market.
You could say that having to follow tax regulations also reduces the number of people willing to enter any market. Should we also drop requirements for pharmaceutical companies to do their thing? I'm 100% certain we'd have thousands of new "pharmas" popping up within a short amount of time.
Obviously this is a silly simile but the point remains: certain types of business have certain regulations, in this case if a business relies on keeping your private data then they have to follow the appropriate regulations, like most other fields.
How many cures have not been discovered because of the cost of regulation? Does every regulation save lives? Please. There is a balance between serving the public interest (safety and feel good theatrics like GDPR) and what is actually the public's interest (cure to cancer, the internet, etc...).
We had bad pharmaceuticals despite regulation. As well, there are many promising (tested on few individuals) pharmaceuticals which did not survive broad clinical trials.
I don't know, would it really be so complicated for most businesses? Taking my former SaaS business as an example, I would have needed to gather the required information from two sources basically:
- Our database (containing user data like login, e-mail etc.)
- Our third-party SaaS providers such as Mailchimp (e-mail address and name), Mailjet (no personal data stored directly there) and Stripe (transaction history).
Automatically pulling together the necessary information from these sources and sending it to the user seems totally doable and not overly complex.
In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.
BTW I'd be very interested to hear from people running startups how they process user data and how many different data stores / services they use to manage that data!
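The kind of automated subject access export the comment above describes, written as an added example (not the commenter's code or any real product): it pulls everything keyed to one person from an in-memory stand-in for the application database, attaches a hand-maintained register of which external processors hold which categories, refuses to run until the requester's identity has been verified, and drops other people's identifiers from shared records so the reply itself does not leak. The table layout, the register entries and the sample rows are all constructed assumptions.

```python
import json
import sqlite3

# Constructed register of where each category of personal data lives (assumed entries).
# Maintained by hand; the access request reply reports it alongside the exported records.
PROCESSOR_REGISTER = [
    {"source": "app_db", "categories": ["account", "login_history", "messages"], "purpose": "providing the service"},
    {"source": "email_provider", "categories": ["email", "name"], "purpose": "product newsletter"},
    {"source": "payment_provider", "categories": ["transaction_history"], "purpose": "billing"},
]


def build_sample_db():
    """Constructed in-memory stand-in for the application database (sample data, not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, name TEXT, created TEXT);
        CREATE TABLE logins(user_id INTEGER, ts TEXT, ip TEXT);
        CREATE TABLE messages(sender INTEGER, recipient INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice@example.org', 'Alice', '2017-03-01'),
                                 (2, 'bob@example.org', 'Bob', '2017-05-09');
        INSERT INTO logins VALUES (1, '2018-04-01T10:00:00Z', '203.0.113.7'),
                                  (2, '2018-04-02T11:30:00Z', '198.51.100.2');
        INSERT INTO messages VALUES (1, 2, 'hi bob'), (2, 1, 'hi alice');
    """)
    return conn


def export_subject_data(conn, email, identity_verified):
    """Assemble one person's subject access reply. The e-mail is requester-supplied, so only
    parameterised queries are used; rows shared with other people keep only the subject's view."""
    if not identity_verified:
        # Releasing someone's data to an unverified requester is itself a breach.
        raise PermissionError("verify the requester before releasing personal data")
    row = conn.execute("SELECT id, email, name, created FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    uid, email, name, created = row
    logins = conn.execute("SELECT ts, ip FROM logins WHERE user_id = ? ORDER BY rowid", (uid,)).fetchall()
    msgs = conn.execute("SELECT sender, body FROM messages WHERE sender = ? OR recipient = ? ORDER BY rowid",
                        (uid, uid)).fetchall()
    return {
        "account": {"email": email, "name": name, "created": created},
        "login_history": [{"time": ts, "ip": ip} for ts, ip in logins],
        # Direction and body only: the other party's user id is not the subject's data.
        "messages": [{"direction": "sent" if s == uid else "received", "body": b} for s, b in msgs],
        "where_processed": PROCESSOR_REGISTER,
    }


if __name__ == "__main__":
    print(json.dumps(export_subject_data(build_sample_db(), "alice@example.org", identity_verified=True), indent=2))
```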
In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.
That in itself is reasonable, but it lacks the proportionality aspect that is so important. My own objections to the GDPR aren't about the spirit in which it's intended; while you might not guess it from my comments on HN today, I'm generally a very strong advocate of privacy safeguards. Instead, my concern is the amount of additional red tape and ambiguous obligations that the GDPR appears to be introducing for what ought to come down to simple questions like whether you are using personal data only for legitimate purposes and you are storing it safely, which plenty of us already were anyway.
I'm kinda in your boat. IMHO, GDPR needed something for small businesses. If you're doing reasonable, expected stuff with your small businesses and you reply as such to the example letter, there should be no need to use a lawyer. And it should be codified in the law, rather than relying on prosecutorial discretion.
There should be a distinct "If you adopt these reasonable policies, you are legally in compliance with GDPR".
We do have control mechanisms, but they are practical measures. Data of a given type is kept in one primary location with systematic backups. Processing of that data is typically done by programs that all use a specific related module in the code to access the data so they're easy to review, except for things like email where the nature of the processing is obvious anyway. Only a limited number of people have access to the relevant code or data at all, and everyone involved knows everything that is going on and could immediately describe exactly what data we store and how it is used. The privacy policy discloses our practices accordingly. What we don't currently have is a lot of the formalities that may (or may not) be required once the GDPR comes into effect.
I commend your organization: by following some good practices when it comes to data collection and storage it's already very far into the process of being GDPR compliant. It looks like all you are missing is the documentation part, where the processes are clearly defined, and nominating someone to be the data protection officer.
He was asking in general, however: without a mechanism to control that corporations are doing what yours is already doing, how would we verify compliance?
I imagine most small companies would have you as a single joining key in a MySQL database somewhere. Most of those answers would be the same for every customer anyway.
I actually started thinking about this and have tested an idea for answering data portability requests (https://www.dpkit.com) for the German market, so far there's not much interest though.
Which aspects do you think would be interesting to automate or are particularly painful from your perspective?
I’d pay for a browser plugin that sent this to every company that attempted to set a third party cookie on my browser, but I don’t live in Europe and doubt that’s what you meant. ;-)
After this whole process of ineffectual, burdensome regulation followed by inconvenient, expensive, mediocre regulatory automation, how much better off is society?
We should ask that to the dozens of millions of Americans who have their private data for sale even as I type this after the Equifax breach. Bonus: we can literally buy it and use that data to contact them directly and ask :)