Hadn't heard of unroll.me prior to this, but it looks like nothing of value was lost. GDPR doing its job and it hasn't even come into (en)force(ment) yet!
Do they do anything that a quick grep for "Unsubscribe" can't? I guess the digests are somewhat niche
> This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
"This Regulation" referring to the General Data Protection Regulation. The date on the journal is 4 May 2016, so GDPR entered into force on 20 May 2016.
Article 99
Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that
of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
This Regulation shall be binding in its entirety and directly
applicable in all Member States.
Done at Brussels, 27 April 2016.
I guess you're arguing about a fine point and being downvoted for pedantry, then?
It was enacted at the EU (err: thingie) level in 2016 and required that all EU member states enact local legislation within two years, deadline 25 May 2018.
The EU is pretty complicated. Oh and by the way, the UK will 99.99999% maintain GDPR related statutes on the books, post Brexit. Either that or we are madder than I thought.
You did, because what you described is a directive. GDPR is not a directive. It does not require EU member states to do anything. Only country that needs to do something is the UK, since they're leaving the EU and want to convince the other member states that they're not naughty and they want to play in the same digital ballpark as the rest.
I don't mean this sarcastically, but why? It sounds like this impacts users that willingly signed up for this service. Why would you VPN/forward mail through Europe to be locked out of services that you signed up for?
Good grief, we are now considered a safe haven, before anything has actually happened 8)
It does seem a bit odd that EU legislation is being seen as a talisman of protection by some North Americans to protect themselves from their own Silicon Valley multi billionaire disruptives.
Perhaps charitably minded EU citizens could donate a VPN connection to needy US citizens? We could cover the whole lot (1:1) and still have capacity for a few million more.
Well GDPR is a god send to the world when every Silicon Valley billionaire is trying to sell your data to the highest bidder to increase their valuation.
It’s a relief in the madness that we consider normal.
I want a chrome plugin that GDPRs the shit out of websites and enforces maximum privacy on any website I visit.
It's an enforcement of individual decision, not a decision replacing users' ones. If I want to use Facebook to some extent but stop them from selling all my data to everyone, I may need something more than just their word to make sure they respect my decision.
> If I want to use Facebook to some extent but stop them from selling all my data to everyone
This is an unrealistic expectation. You signed a legal contract when you signed up for an account stating that you're a-okay with them using your data.
Because a company being unable to comply with GDPR is a red flag for how they treat user data. GDPR is written in such a way that you as a company are given freedom to use data if it's for business reasons. But you need to keep track of it.
Enhanced data protections are a good reason to (by default) be a European.
Same with the cookiewall, by the way: if you need a cookie wall, that means you do more than aggregated statistics such as building profiles of individuals. Even if you have accounts, you don't need a cookie wall for a login system. Only if you do tracking. People see it as "govt doesn't understand tech again" but I think in reality, it's the people that completely missed the point here.
I think the point is that this would be a good reason to go elsewhere. However, if you have already signed up, it is a silly way to lock yourself out of something you have signed up for.
Which is to reveal the point of the VPN idea. Instead of having to do a lot of extra research on all companies you deal with to know who can comply with the style of rules that GDPR requires, being VPN'd might force them to reveal themselves to you.
At least, that is my guess on what each of those posts was getting at.
I think the GP is assuming that there will be services that don’t close to the EU; nor become 100% GDPR compliant for every user; but rather become GDPR-compliant for EU users while continuing to sell the data of non-EU users.
Using EU-lockout as a red flag for the GDPR non-compliant. So if they try to use something and get a "nope, not for EU" their thought would be "must have overlooked how that offer is scam-y, better not use"
You are not the only source of information about you. Information that you have wittingly or unwittingly given out is freely bought and sold. Your friends and family are constantly feeding information about you to Facebook. Your colleagues are feeding information about you to LinkedIn. Outside of the EU, there's nothing you can do about this stealthy collection and aggregation of personal information. There's a ratcheting loss of privacy, because once your information has been given away, it can't be taken back.
Under the GDPR, a business needs my explicit consent to share my data with third parties. They can't bury it in the T&Cs or refuse to do business with me if I decline to tick the "do what you want with my data" box.
That consent is granular and revocable. I can ask any business to delete every piece of information they hold about me, a broad category of data or a specific piece of information. Unless they're obliged by some other legislation to keep that data, then they're obliged to delete it.
The GDPR isn't about protecting individuals from their own stupid choices, it's about protecting them from predatory business practices. We've become resigned to the fact that many businesses operate like a surveillance state, but that doesn't make it right or proper. We shouldn't have to live like the Amish just to keep control of our personal information.
a.) Voluntarily giving information in exchange for a discount (Rewards cards, sales, kickbacks, etc.)
b.) Voluntarily using a service that is known to collect data about you (Facebook, LinkedIn, Twitter, your ISP's DNS, etc.)
c.) Voluntarily sending some kind of descriptor that says "track me with this number" (advertising)
I'm not disputing that there is some data collected about people that they never consented to, but the bulk of the problem is data that is taken voluntarily because people are apathetic.
Now your entire phone/email book is out there. Your Mum and Dad's phone number is in the hands of several shysters along with all the other stuff you store in your Contacts. I wonder how many bank PINs encoded as part of fake phone numbers are out there along with other extra data? It's no accident that most Contact lists actively encourage gathering more data, e.g. birthdays and much, much more.
That's just your bloody phone book. >30 years ago I had a little black address book stuffed with lots of people's addresses and phone numbers (and a lot of happy memories). OK it also had my bank PIN but that was carefully disguised in a way more complicated to reconstruct than needed to memorise the actual digits. You would need to put me in dire danger to obtain that data - I still have the little book and Google does not (fuck 'em). Nowadays you only have to claim that your mapping app can't work without it.
Your contacts example is great. I recall a company who initially offered a contact list backup app, and now they pivoted to phone number search / caller ID app.
FB and LinkedIn ask for contacts (or at least used to). That's dozens of people's data, with at least one unique identifier for each, who did not provide informed consent in any way.
So you are as safe as the most apathetic or technically ignorant of your acquaintances, and FB's shadow profile grows again.
I guess it could help answer the "should I give this website any information?" question, unless you're advocating never giving any information to any website.
The NSA looks at everything. As a military agency, they do not consider themselves subject to civilian law. If for no other reason, because the US is always at war. But really, because they can.
"UnrollMe does not adequately disclose its true business model to users. Instead, UnrollMe disguises itself as an email-management service to mislead users to sign up for the service so that it (and Slice) can access their data."
I prodded unroll.me a couple of years ago about their data retention policy. Their answer was sketchy so I ended up not using the service. Unroll.me users irreversibly hand over all of their emails to an unknown entity -- it's crazy to subscribe.
>Put on your best unsurprised face: Unroll.me, a company that has, for years, used the premise of ‘free’ but not very useful ’email management’ services to gain access to people’s email inboxes in order to data-mine the contents for competitive intelligence — and controversially flog the gleaned commercial insights to the likes of Uber — is to stop serving users in Europe ahead of a new data protection enforcement regime incoming under GDPR, which applies from May 25.
[...]
>"We may share personal information we collect with our parent company, other affiliated companies, and trusted business partners. We also will share personal information with service providers that perform services on our behalf. Our non-affiliated business partners and service providers are not authorized by us to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements".
If that's going to be the sort of business that the GDPR makes unprofitable and unworkable then I'm very proud to be a European citizen.
Exactly! On their website you have to go to 'FAQ' on the bottom of the page and then to the bottom of that to find:
>When you sign up for Unroll.Me, Unroll.Me uses your data to provide you email management services, and for other purposes described in Unroll.Me’s Privacy Policy and Terms of Service. Unroll.Me is a part of Slice Technologies, whose market research organization Slice Intelligence provides the world’s leading brands, retailers, and marketers e-commerce insights to help them better understand market and consumer trends. In accordance with Unroll.Me’s Privacy Policy and Terms of Service, Unroll.Me shares information from your commercial and transactional emails with Slice. Slice’s technology automatically extracts purchase information from these emails and uses that information to build anonymized market research products for its clients. Slice’s market research products do not include your personal information.
I think it is safe to say that 99% of the users using unroll.me have no idea how much data they are handing over.
If your business model is incompatible with GDPR then your business model in not compatible with how we want (our data) to be treated.
Companies complaining about GDPR goes into the same category as companies complaining about minimum wage for me.
> Companies complaining about GDPR goes into the same category as companies complaining about minimum wage for me.
It's more like complaining about any other compliance cost. Consultancies are making probably billions of dollars off of the General Electrics of the world preparing them for GDPR compliance. Then you've got the legal fees. And in the end it feels like you have just burned all that money, because in most cases, regulation doesn't actually accomplish anything. But hopefully it is all worth it for the cases where it actually improves people's lives.
I think you're probably right - the nice thing about Unroll.Me though is that it works really well and the people that need to use it are probably in a bad situation with their data anyway.
I ended up using it to clean up my mom's email inbox because she was subscribed to nearly a thousand marketing emails and it was the only service I found that could actually fix that without at least a day's worth of manual effort.
Out of curiosity: Was your mother fully informed of how much data about her you were giving to Unroll.me, and did she understand the implications of it?
<sarcasm>Of course: the time gained by using Unroll.Me - "at least a day's worth of manual effort" - can be used for reading their Privacy Policy and Terms of Service, for analysing, understanding and explaining all the implications...</sarcasm>
This was prior to their bad press so it was not obvious to me at the time. I think I saw they used anonymized data from commercial emails which seemed like a reasonable tradeoff given the state of things. My mom does not use email for personal data - it's primarily just subscriptions and the account had become unusable.
If that's going to be the sort of business that the GDPR makes unprofitable and unworkable then I'm very proud to be a European citizen.
This is the sort of business that GDPR makes unprofitable and unworkable - but unfortunately it's not the only sort. Normal, everyday services - sites that you might use and enjoy - will also have to close to EU traffic simply to avoid the liability.
At my company, we do nothing nefarious with user data. We have a combined total of a few million visitors per month across a handful of sites. After consultation with experts, we had to make the decision to either spend high six/low seven figures to hopefully comply and buy special liability insurance that would help pay any fines (this law is subject to unique interpretations in 28 distinct countries, so nobody can actually know what "full" compliance is), or simply block EU traffic. We chose the latter, and many thousands of other sites that have no intention of doing anything nefarious with your data will as well.
I've heard this sentiment being expressed by at least one person in all of these threads, but you're one of the first that actually mentions having consulted with a lawyer. The thing I keep asking is: what is new? I have yet to hear anything non-trivial which a company suddenly has to do, which wasn't required by any EU country before.
The only new thing seems to be higher fines and aligning laws in all EU countries, rather than having different implementations of roughly the same thing. But if you don't comply with GDPR, odds are that you should never have been able to do business with a lot of European countries. To the best of my knowledge, you should have geoblocked the Netherlands long ago (the only country I know the laws well enough of, to say that there is truly only a small difference between the 2002 WBP and the new GDPR) if you have to close to the EU for GDPR.
The biggest 2 issues (at least for non-EU companies) are the extraterritorial reach, and the absurd maximum fines that can indeed be assessed for a first, single violation. Whether or not that is the public's understanding of the law, that is how it is written, and when it comes to enforcement, the letter of the law is the only thing that matters.
So we have a foreign government (to us) that has asserted authority to reach beyond its borders and into our pockets with an absurdly complex regulation, where a single violation would financially destroy the company. Since I don't have $20 million to give to them, and the families of my employees depend on their income for things like food and housing, I have to either carry expensive liability insurance to protect against that, or block EU traffic. For us, and I suspect most other sites on the planet, that's an easy decision to make. I'll take a 5%-10% hit in revenue from the loss of EU traffic and be able to sleep at night knowing that someone in a country I've never been to isn't out there filing documents that have the ability to destroy my and my employees' livelihoods.
I won't go into the minutiae of why it's so easy to violate and why most of the experts we have spoken to agree that being compliant is an uncertain endeavor at best, even if you want to comply, because that would be a very long winded comment. But if you do a Google search, you'll see the gist of the problems.
> a single violation would financially destroy the company
If you refer to the flowchart on how enforcement is to be handled (notably including referring to "proportionate"), the FAQs on regulator sites, and even the track record of penalties under DPA you'll find this is not the case.
Why there are some who keep wanting to catastrophise this is beyond me.
I’ve said this repeatedly throughout this thread, and hopefully this will be the last time I have to. So I’ll try to be extremely clear here. There is nothing written in the GDPR limiting the ability of regulators to issue maximum fines for any violation - even the first, minor violation. Not a single sentence. The limits are $10 million for less serious violations and $20 million for more serious ones. If I’m wrong, show me the clause. It simply doesn’t exist. If there were meant to be safeguards, those would have been written into it. They are not.
The section you are referring to that uses the word “proportionate” gives a brief list of suggestions of the kinds of things that regulators should consider when issuing fines. But it no way limits their legal ability to issue maximum or multimillion dollar fines for minor violations, and doesn’t even define “proportionate”. A hardline country like Germany may easily decide that because they so value their privacy, “proportionate” is a maximum fine for a single violation.
No, Germany could not issue such a fine for a minor single violation. "Proportionate" is a so-called indeterminate legal term that is open to full judicial review with no interpretative power left to the administration. Our law is littered with clauses stating "fines up to 50 Mio. €" and courts have developed a system of how to make sure everyone gets treated fairly. Other European countries have the same. This is simply a difference in legal traditions between Europe and the US. We don't simply cling onto the exact text of a law and call it a day. Interpretation of laws goes far beyond that. It may be scary to someone not used to such clauses but I can assure you companies around here do business just fine even though they have to comply with a long list of such laws threatening fines this high.
Anyway, "proportionate" isn't as ill-defined as you claim. It's a term of art used in many laws and we (and the courts) know pretty well what the legislator meant with it. Heck, they even list some criteria. If those aren't fulfilled a maximum fine isn't possible. Also, "proportionate" implies that a more severe violation must have a higher fine meaning the maximum can hardly ever be reached.
No, Germany could not issue such a fine for a minor single violation
Yes, they could, as is clearly stated within the text of the GDPR. Regardless, most websites outside the EU aren't going to want to put up with the headache, and will block EU traffic. Who wants the risk?
The text of the GDPR is not the whole body of law. It exists within an old and large legal framework. You can't take just the GDPR and ignore all context around it. And yes, it's much different that what people from other legal traditions are used to. If you don't want to learn about our laws that regulate enforcement of the GDPR – fine. But in that case please stop spreading unwarranted FUD.
For example, "due regard shall be given to" has a very specific meaning with decades of precedent and does not mean whatever pops into a layman's head when reading the text.
Thanks for responding! I was hoping someone would finally bring up concrete points after talking to a lawyer, and you have. It still doesn't sound like a big deal to me (you don't mention anything in-depth, only that the law can now actually harm you both in terms of jurisdiction and non-trivial fines), but I see where you're coming from.
> the extraterritorial reach, and the absurd maximum fines that can indeed be assessed for a first, single violation
As I said in my comment, I don't think those are big issues if you comply with the law (and 99% of the law is common sense or was already in place in most countries), but they are points that a lawyer might indeed have brought up.
According to the people we have spoken to, it's reasonably possible that judgments for GDPR fines can be domesticated in the US. Once domesticated, they carry the same force and effect as a judgment issued by a US court. The legal processes for this generally already exist, although there are no GDPR-specific treaties, and it isn't guaranteed that this would occur for GDPR fines - it would be up to the US court system. Like many other aspects of GDPR, it is uncertain at this time. However, I don't want to be the first test case.
And then also say goodbye to any chance of European expansion, ever.
That's a big risk, given the size of Europe and the fact that the US is your current target demographic; it's not a far stretch to think Europe might be, too.
> And then also say goodbye to any chance of European expansion, ever.
Blocking the EU effectively means the same thing, though, because it's announcing to everybody that you're ignoring that market and leaving the door open for companies who can copy your business model but are willing to respect user's privacy. Not to mention the reputation damage from snubbing their privacy laws. The door's still technically open, but it's going to be much more difficult.
I also wonder if this kind of announcement will backfire a bit for these companies. When I see a "We're dropping the EU over GDPR," article, I don't think about how bad the GDPR must be, but instead I wonder what shady activities these companies are doing that makes them unable to comply, and that makes me avoid them.
The general public are pretty clueless on these things (look at the surprise around Facebook lately), but I do feel it'll cost them some users.
I don't think big companies will back out of the EU at all. In fact, they now have a bit more of a competitive advantage because they have the money and time needed to get GDPR right over a smaller company. And transparency about how they use data will isolate fewer users, now that they already built their name. I think it will affect smaller companies more whose new innovative product will be tested on the US market first before demand is recognized and then adapted to the EU. Of course it really depends on the regulatory reach of this law.
The whole concept that people have ownership of any information about themselves is new. If I take a picture of my friend Bob, or write an article about him, and upload it to your website, you now have an obligation to Bob.
Re: geoblocking — that’s the problem with this law. Shouldn’t individuals be allowed to consent to their data being used? Shouldn’t individuals be allowed to choose what services they use? What about VPN? A Dutch citizen is still Dutch regardless of their IP address and thus they are still “protected” regardless of IP. Also discrimination based on citizenship or national origin is illegal, but to comply with GDPR, we’re going to be forced to discriminate. Europeans are going to become second class digital citizens because compliance risk is simply too high except for the Facebooks and Googles of the world.
The law has a bunch of unintended consequences that are about to be unleashed. Or maybe, they are consequences that are fully intended: a de facto trade barrier against non-European companies whose own laws conflict with GDPR.
> Shouldn’t individuals be allowed to consent to their data being used?
They are. You just need to tell them what you want to do with their data, and then do what you told them you were going to do. And not something additional ("oh hey look at all these IP addresses stored for security purposes, I bet we could make funny graphs about Bob's sleeping schedule too!") That is apparently too hard for many companies, so now this is codified in law and can actually be enforced.
There are some additional clauses like right to view your data, correct it if incorrect, and remove it if there is no longer a need for it... but that has existed in Dutch law since 2002 and few people ever exercise it. I recently did for the first time when I found out someone was doing WiFi tracking based on MAC addresses (I didn't remember giving consent), and I got an email from them (which looked like it took 15 minutes to look my data up and type it out), so it's not such a big deal.
I can’t comply with HIPPA and GDPR and since HIPPA applies to any US based medical practitioners, that essentially cuts off all Europeans from using our services — so people in Europe who have a US based therapist — we can’t legally allow that anymore — assuming we want to be GDPR compliant.
How can we be required to delete IP addresses in our logs yet also be required to keep access audit logs for 7 years.
A bullshit law written by people that assume everyone is Facebook and data mining.
> How can we be required to delete IP addresses in our logs yet also be required to keep access audit logs for 7 years.
I don't know where you got this idea, but I strongly suggest you find someone who has experience with the GDPR and discuss this with them. These two things are not even remotely close to any grey areas that could land someone in hot water.
>How can we be required to delete IP addresses in our logs yet also be required to keep access audit logs for 7 years.
Then you may well be able to rely on the Legal Obligation basis for processing, namely that “processing is necessary for compliance with a legal obligation to which the controller is subject.”
> I can’t comply with HIPPA and GDPR and since HIPPA applies to any US based medical practitioners, that essentially cuts off all Europeans from using our services — so people in Europe who have a US based therapist — we can’t legally allow that anymore — assuming we want to be GDPR compliant.
To be honest, for better or worse I kinda tuned out your indignation at the intricacies of maintaining compliance the moment I saw "HIPPA". HIPAA - the Health Insurance Portability and Accountability Act.
Just how many Europeans would you have with US therapists? Besides, the GDPR specifically mentions data that is already covered under other privacy mandates.
> How can we be required to delete IP addresses in our logs yet also be required to keep access audit logs for 7 years.
IANAL but from what I read and heard (indirectly) from lawyers at work this is not a problem. GDPR doesn't apply to data that you are required to keep for other legal reasons.
I do understand that it might also hit legitimate business models that many users enjoy and that it can be stressful for businesses who deal with userdata in best interests, but on the other hand there really is no way to overhaul important regulation like this without any kind of friction.
The laws need to be broad enough to apply to everyone and have the intended effect, which means that especially in the early stages with a lack of clarity and guidelines it's going to be a little messy.
But I look at it like I'd look at a 20th century environmental regulation. Yes, it might impact genuinely good businesses, but at some point you have to do it if you want to advance user interests. I don't really see a better point than now.
What will happen is that the EU will just have access to a dramatically smaller array of sites on the Internet - like a self-imposed Great Firewall. The only services that can even afford to attempt to comply and have the necessary liability insurance against fines are massive companies - think Facebook and Google. The problem with that is that if your data is in the hands of a few large players, and you have limited choices for the services they offer, the whole concept of "affirmative consent" is pointless because you have few choices about whom you give that consent to.
So it isn't businesses that GDPR hurts (except for those that rely on EU traffic, who will make up for GDPR costs somehow - at your expense), it's actually the EU itself. Consumer choice is a good thing, and this law will dramatically limit it.
>What will happen is that the EU will just have access to a dramatically smaller array of sites on the Internet
Let's be real here for a second, what's your definition of dramatic? I don't foresee the EU losing access to more than a handful of services, many of which as in the case above provide questionable products.
I'm very much doubting that we'll be talking here in a year and the EU somehow finds itself behind the great-GDPRwall. That's just arbitrary panic.
>Consumer choice is a good thing, and this law will dramatically limit it.
You're neglecting the fact that consumers can make collective choices about the things they do not want to put up with. Abuse of private data is one such domain. There is no iron law of the business world that consumers need to accept every product of any kind on every market. That's up for societies to decide. The law seems to be quite popular from what I can see, so any cost that we European consumers do actually incur, we are apparently happy to endure.
>> There is no iron law of the business world that consumers need to accept every product of any kind on every market.
My understanding is that "consumer choice" is a code for radical deregulation of the markets until all the "choices" that the consumer is left with are each as bad as the other. "Sure, you can go to our competitor, but they hoover up your data just like we do".
Let's be real here for a second, what's your definition of dramatic? I don't foresee the EU losing access to more than a handful of services, many of which as in the case above provide questionable products.
As horror stories come out and geoblocking tools become easy to use, I'd say that over the next few years, the vast majority of non-EU sites will have blocked EU traffic. Nobody wants the liability unless they make a large percentage of their revenue from EU countries. Accepting such traffic means exposing your business to instant financial annihilation at the whim of a foreign government.
I'm sorry, but that last phrase "instant financial annihilation at the whim of a foreign government" is so hyperbolic as to border on FUD.
Here is a fact. If your business complied with EU data protection laws, GDPR is only an incremental step. And, here is another fact. The EU is nowhere near as litigious as the United States. GDPR may levy some intense fines at repeat offenders, particularly those who haven't been in compliance with any data security/protection law from the last twenty years. But to claim "financial annihilation at the whim of a foreign government"?? That's just poor taste.
I think that's why you hear more concern about this from the US, than you do from the EU. They're not contrasting the two legal cultures, and just expecting the EU to act like the US would.
> But to claim "financial annihilation at the whim of a foreign government"?? That's just poor taste.
Then let's say "financial annihilation at the discretion of a foreign government"? I don't see how you can deny that the GDPR gives them that discretion, unconstrained by statute (though constrained by a judge's fuzzy standards of reasonableness).
You're saying that they will use that discretion reasonably. You're probably right; but why do they need it in the first place? Like, why is 20M EUR the right number here? Why not 10M or 40M?
Or are you sufficiently confident in your regulators' discretion that you don't think the numbers matter? That's great, but it's not the rule of law.
I think two classes of business will block the EU: those with business models fundamentally incompatible with the GDPR (like unroll.me, I suspect), and those with compatible models that consider their EU business too small to justify the risk. I feel no sadness for the former, but the latter seems to me like real damage. It could easily have been avoided with proportionate fines. Why do you think they didn't do that?
You're right about the 20M euros. I can't imagine where that number comes from and I don't like anything arbitrary about law.
However, I still don't agree that foreign governments can operate unconstrained by statute. Again, I'll point you to article 83 of the GDPR. It starts off with some vague statement about how supervising authorities need to make sure that fines are effective, proportionate and dissuasive. That's bullshit, but if you read further, they add quite a bit more substance to the argument.
I've just been linking to article 83, but it's likely worth quoting once in this thread. Part of it reads:
---
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Also, consider that GDPR isn't a huge change over existing EU privacy legislation. The scariest change in GDPR is that it gives the European Union tools to force non-European companies to comply. While that is scary, if a non-European company has been showing a good faith effort to comply with existing EU privacy protections, they shouldn't have much to fear unless something fucked up happens.
To summarize my position, if a company is already complying with EU privacy law, they don't have much to fear. If a company is not complying with EU privacy law, they have a problem, but seeing as how the first draft of GDPR came out almost six years ago I don't feel particularly bad for them. And finally, if a company was found not to be in compliance, it would be hard to justify the maximum fines if they were showing a good faith effort to become compliant.
The wildcard here would be what would happen if a popular company suffered a massive data breach. Consider for example, the time that LinkedIn accidentally lost a whole bunch of unhashed passwords. On one hand, that's a massive breach, LinkedIn did a very poor job as data stewards and it's a perfect opportunity for a maximum fine. On the other hand, what would be the political ramifications? And where would liability flow?
I think most Americans (including me) would still put Article 83 in the "fuzzy standards of reasonableness" category. I agree that it probably works in practice, but I wouldn't see it as much of a constraint. Like, how closely would you expect the rulings of two independent judges each assessing a fine according to these guidelines to match? I wouldn't bet with even odds that they'd be closer than within a factor of ten. (Fines in typical situations would probably agree better, if there's precedent to follow; but that's the precedent working, not the statute, and in a situation like your LinkedIn breach there is likely no close precedent.) That level of unpredictability doesn't seem like law to me.
Also: Doesn't the extraterritoriality bother you? There are roughly 200 countries in the world. Do you really want to argue that each of them can impose a burden on a website operated outside its borders, just because its people might happen to visit it? That seems like an incredibly dangerous precedent to me. Can the UK enforce a super-injunction against all websites available to its nationals? What's the difference between the GDPR and that super-injunction? It can't just be that "one is good and the other bad"--what law determines that?
Thanks for engaging with me. This has been a fun thread!
> I think most Americans (including me) would still put Article 83 in the "fuzzy standards of reasonableness" category
Is it valid to say that you're not wrong, but I disagree? :)
I agree that article 83 will be hard to interpret if people act in bad faith. But, it provides a good framework for how to act in good faith.
I would argue that if you genuinely care about your users and their data, you'll likely be okay unless something fucked up happens. And when something fucked up happens, as long as you're transparent, respectful and helpful, you'll still likely be okay unless something really fucked up happens. And then, you'll have bigger things to worry about anyways, so fuck the GDPR. :)
> I agree that it probably works in practice, but I wouldn't see it as much of a constraint. Like, how closely would you expect the rulings of two independent judges each assessing a fine according to these guidelines to match?
I completely agree with you. Unfortunately, vast parts of the American/Canadian justice systems would also fail this test.
> Also: Doesn't the extraterritoriality bother you?
It sure does. The extraterritoriality is first class bullshit. But, if current European data protection laws are any guide, it will mostly be used as a tool to gently encourage compliance and actual punishments will be very rare.
I appreciate the chance to get (what I presume is) a European perspective on this. I think Americans are just generally less trustful of government, domestic or foreign, and therefore less trustful of regulatory discretion. There are vague American laws too, like "honest services fraud"; but
1. We complain about those too.
2. The dangers of extraterritoriality and vagueness seem synergistic. A major check on regulators' discretion is political will, and screwing foreigners tends to be a lot more popular than screwing your own citizens. The ideal tax is one on foreigners living abroad...
I think the GDPR will probably be fine, and have net positive effects even as it pushes small, essentially-compliant but risk-averse operators out of the EU. I find its legal basis troubling.
Actually, I'm Canadian and I don't consider myself very trusting of government. I've always seen the EU as a natural place for my startups, so I've made a point of learning as much about EU economic policy as I can. At first, I found the glut of it to be incredibly scary, but then I was lucky to have a series of European roommates when I was in business school.
One time, I was afraid of some anti-corruption laws because it seemed like basic parts of doing business here would result in severe penalties there. My roommate at the time thought I was being certifiably insane, because the EU just doesn't work like that. He couldn't imagine what transgression I could possibly commit to warrant more than a strongly worded letter (on better stationery than I'd get from the Canadian government).
From there, I started learning more about how open the EU is.
I mentioned this in another comment, but I'll also encourage you to read about the International Procurement Instrument. The EU (like many other economic bodies) has trouble with non-EU companies bidding on EU public contracts and winning because the playing fields just aren't level. I don't want to give too much of the story away, but as you read about the IPI meandering its way through European politics, you can see an EU bending over backwards to make sure that foreign companies have open access to EU markets.
If you read about the IPI with North American eyes, it seems absolutely bizarre. But it's a good primer to the EU's difficulty with protectionism. I'm from western Canada and seriously, if the Canadian government felt this way about protectionism, I could get a western independent movement off the ground in a matter of months...not that I would or would even want to, but it would be so egregiously opposite how we do things that radicalism would ensue.
Sorry for droning on and on, but I don't think I can really debate you. I agree with you and everything you're saying is logical. My only response is that Europe is so incredibly different and that response is honestly starting to wear thin.
Besides, I'm being a shitty entrepreneur. The more people are afraid of GDPR, the more opportunity I'll get!! :)
(I've enjoyed this talk with you. Thanks for engaging with me!)
As I understand it the penalty is assessed and levied by the regulator. Just like DPA penalties where the number of people receiving any fine at all has been minuscule. The proportionality of instances where fines have been given seems good. I think most EU citizens would feel too few, and too low fines have been the norm.
> That level of unpredictability doesn't seem like law to me
That is how most UK and EU law has worked for, well, forever. Most offences have a maximum penalty yet it is the US that regularly makes headlines for extreme penalties or length of incarceration.
Plenty of people get small fines in the hundreds, or just a caution, or their business gets a letter for offences that have fines running far into the thousands.
Talking of extraterritoriality, doesn't that also apply, along with the burden to 200 nations you criticise, to the US DMCA for sites with user content?
I said "judges" because I understand them to be the final authority, since the regulator's number can be appealed. If that's wrong, then substitute whatever party does make the final decision.
My question isn't whether the fines are frequent or high enough. It's whether they're predictable enough--whether the law is described in enough detail that two people interpreting it independently would reach something close to the same number given the same facts. I don't think it is. (Do you?) The usual answer is "but don't worry, the people interpreting it make good decisions". I think that's probably true; but when the maximum penalty is indeed financial annihilation, that doesn't seem too comforting.
The USA has indeed pushed the extraterritorial limits. I think that's bad, and I don't see how it makes the EU's reach any better. And to emphasize, my concern isn't the burden to ~200 nations--it's the burden from ~200 nations. Should the UK be able to enforce that super-injunction? If not, why not? Iran, a prohibition on the Satanic Diaries?
I'm used to the law going easy for a first offence, or an accidental breach. Occasionally we have separated offences (murder and manslaughter for example), but most of the time there's just a maximum that is reserved for the most wilful, or repeat or extreme cases. No one has ever been bankrupted by our unlimited fine for cannabis possession (most get a caution or trivial fine).
Apart from anything else means are assessed before any fine is levied. If you're on minimum wage a £100 fine is going to hurt rather more than to a millionaire. So means are assessed first to try and remain proportionate.
So how is it done in the US? I only have what I've gleaned from the media. Does the judge or regulator enforcing really have no discretion of penalty or always seek the maximum? I find it very difficult to believe that the entire range of penalties and when they apply are spelt out in every law and judges or regulators have no discretion or common sense. Movie "experience" seems to indicate a lot more horse trading goes on.
Do our legal systems diverge so much that US citizens completely distrust theirs to do anything but bankrupt them for minutiae whilst we remain certain they can and will be proportionate?
> ...extraterritorial limits. I think that's bad, and I don't see how it makes the EU's reach any better
I'm somewhat uncomfortable with some of the global precedents myself. On the other hand I'm not sure how it is avoided in a world that is so globalised and so many internet services have essentially ignored EU privacy and data protection. So what's the alternative?
We're not enthusiastic to adopt the US model of privacy and many internet services aren't even paying lip service to our (too) limited protections. How else to fix it? EU wide Facebook blocks seem like a fine way to start a trade war!
> Do our legal systems diverge so much that US citizens completely distrust theirs to do anything but bankrupt them for minutiae whilst we remain certain they can and will be proportionate?
I think...maybe? It's a continuum, and a legal system with zero judicial discretion would either require impossibly detailed law or yield obviously unjust results. I don't think the model in the USA is strictly adversarial--like, it's not entirely that the regulators are supposed to punish you to the maximum extent of the law as written, and if that's unjust then blame the legislators. It's closer, though. This has advantages (less opportunity for selective enforcement) and disadvantages (increased complexity of law, greater opportunity for loopholes).
> I'm somewhat uncomfortable with some of the global precedents myself. On the other hand I'm not sure how it is avoided in a world that is so globalised and so many internet services have essentially ignored EU privacy and data protection. So what's the alternative?
Any large player has operations within the EU, making the extraterritorial reach unnecessary. For smaller players, I see lots of unexplored opportunity to regulate indirectly through ad networks, payment processors, etc.
> I said "judges" because I understand them to be the final authority, since the regulator's number can be appealed. If that's wrong, then substitute whatever party does make the final decision.
The precise mechanism isn't defined in the GDPR, but I suspect it'll operate similarly to judicial review - a court can determine that a reasonable decision was made by the authority, and thus allow the fine as is, or they can determine the authority acted unreasonably or did not take into account the proper factors, and thus quash the decision and order it to be remade. I'd be somewhat surprised if the courts were directly setting fines.
That's what I'd understood, and I'd then still consider the court's judgment to be what matters--if I pick the number, but you can tell me to pick again until you're happy, then the power to pick the number lies with you. I guess "impose" would have been better than "assess".
Aside: What's with all the downvotes? Your comment seems fine to me, as do many others in this thread. It seems like any discussion of the mechanics of enforcement gets a nasty response here, as if the only people who should care about that are criminals. The GDPR might be the perfect legislation with which to erode civil liberties, since the people who would normally jump on such arguments will be on your side... Or is there another reason?
Relying on the personal whims of regulators over how hard they get to smack you does not immediately seem to me like a good way to run a business. The only thing that matters here at the end of the day is what the law actually provides for, and it provides for some scariness.
You hope. Any proof in the text of the law to back that up? From a risk management perspective, doing any business in the EU is dangerous because even if you are doing it right, the potential exists that you’ll have to defend GDPR claims. That’s a real liability. Of course, as I have said before, that’s probably by design since Europe, especially France, has a real inferiority complex with foreign tech.
Examples: France suing Apple over developer fees. France blocking the sale of DailyMotion to Yahoo. The war against Uber with the simultaneous promotion of BlaBlaCar, the attacks against Apple for taxes on income that wasn’t even earned in France, the collective freak-out over AirBnB while subsidizing Gites de France.
My point is that exposing yourself to the risk of a European money-grab is too high. Besides, who benefits from collected fines? Governments. Those fines don’t get paid to the aggrieved party, they get paid to the government. Governments have an incentive to levy fines on foreign companies, with very little downside — European jobs aren’t at risk.
The attack surface is just too great to be using “hope” as a strategy.
What will happen is that the EU will just have access to a dramatically smaller array of sites on the Internet
Bollocks.
I run a small (IT) business in the UK. I will have just as much internet as you post 25 May. The difference may be that my company and others in the EU might automatically be perceived as more trustworthy than those that do not comply with GDPR and hence we may benefit.
I also have small businesses in the UK, so we also have no choice about complying. The abundance of caution described by downandout here seems excessive, even to me as a confirmed GDPR critic, but to good actors of the kind mentioned, the GDPR is basically just an exercise in bureaucracy, cost overheads, and uncertainty. Things might be different for B2B service providers, but if we make a single extra penny from anything to do with this whole mess in B2C world, I'll be amazed.
> but if we make a single extra penny from anything to do with this whole mess in B2C world, I'll be amazed.
GDPR is not a money making exercise.
My company has a wiki page called "Risks and Opportunities". GDPR is definitively under Opp. these days - for us and our customers. I also quite like it as a person - a private individual.
It's too early to tell. My feeling is that you will be right on May 25th, 2018. Nothing significant will change in the short term. But my feeling is also that the parent will be right on May 25th, 2021, if the EU chooses to enforce the GDPR vigorously and if the experience doesn't force the EU to revise - or at least "interpret" - the GDPR.
Let's first be totally clear: GAFA isn't suspending their EU operations, nor is any other company that 1) has already an established EU base and 2) can afford the cost of compliance. What I think will happen is that new players will stay out of the EU, because of the perceived risk (accurate or not) and the cost of compliance. So I do agree with the parent that the GDPR will eventually lead to a slow pauperization of the internet in the EU, the only difference with China being that it is self-inflicted rather than self-imposed.
Note that there are very few regulations out there (EU or US) that have actually helped the internet. Most of the regulation that was drafted in good faith turned out to bring more harm than good to the internet, the recent FOSTA bill being a prime example. At this time, I have no indication to believe that the GDPR will succeed where most other bills have failed. But if it turns out otherwise, I'll be the first to admit that I was wrong.
I will generally indeed be more inclined to interact with EU sites since I know they are GDPR compliant. I'd honestly be really tempted to VPN to Europe so that US companies think I'm an EU citizen too.
The most interesting thing to me about this whole ordeal is which companies only comply in Europe, where they're legally required, and those who have gone ahead and made sure they are compliant globally: It defines the difference between people ensuring your privacy rights because they have to, where they have to, and those ensuring your privacy rights globally because it's the right thing to do.
Google's AMP project just introduced a whole set of new features not just to mark whether or not an EU user has consented to tracking, but also a new feature to geolocate users, specifically for the purpose of determining if they're legally required to get that consent. Which is sad to me; they should be getting user consent everywhere.
> The only services that can even afford to attempt to comply and have the necessary liability insurance
Liability for what? You're not going to get sued. At worst you're going to get fined for negligence, probably after repeated warnings. I don't think you can find insurance against willful repeated misconduct.
It's only if your service can't possibly comply without losing your bottom line that you have to worry, in which case the GDPR is working as intended.
Find a better business model for EU customers, or cease your presence there. It's a win-win for EU consumers either way.
> Liability for what? You're not going to get sued.
Yes, this is the most confusing thing - a lot of posters talk about "being sued because of GDPR" but that's not how it works. And it's always people with the same arguments - small companies, getting sued, crazy money for lawyers, etc.
If I was paranoid, I would think this is some kind of organized campaign to spread FUD and have as many people be against GDPR as possible, perhaps as a way to make sure something similar won't happen in the US.
> And it's always people with the same arguments - small companies, getting sued, crazy money for lawyers, etc.
One of those things is not like the others.
I have no idea where the meme about exploitative lawyers looking for minor non-compliance came from, because the primary means of enforcement under the GDPR is regulatory action. The whole strategy of threatening legal action to prompt a profitable out of court settlement is much less viable under typical EU legal systems than in the US anyway.
However, GDPR definitely can cause significant compliance overheads for small organisations, including those who have done nothing wrong. The official guidance is still terrible, and just the uncertainty around several key points is a problem for reasons we've previously discussed at length on HN.
Trusting in regulators to do the right thing is also a risky strategy. I write this as someone whose business really did receive a crippling demand for monies never owed direct from an EU government tax office after the VAT changes, with very scary accompanying threats and impossibly short timescales to respond, and there were many thousands of other small businesses similarly attacked just in the incidents I'm personally aware of.
From a pragmatic point of view, the regulator in my country is well known to be under-funded and under-staffed, but even that doesn't necessarily help because as with other issues within their remit, it makes smaller organisations easier targets than those with big legal departments to fight back.
Probably. There seems to be a real disconnect between US and EU perception of legal and business landscapes here, with the US worrying about the EU legislation more than those based in the EU, who would be far more affected by it (after all, they can't "shut out" Europe).
It wouldn't be a win-win if it results in fewer services being available in the EU - maybe services that are niche, that don't have the time to adapt to regulations, but would otherwise be useful to some of the people in the EU. Is there a way for a person in the EU to opt out?
Also FWIW, it’s extremely common for UK recruitment agencies to suggest that contractors opt out of the Agency Workers Regulation. Which many do. Most, if I were to guess.
> It wouldn't be a win-win if it results in fewer services being available in the EU
I don't think that's necessarily true. If a company does not provide the service in the EU but there is demand for it, someone else will fill the spot.
$20 million in fines that - despite the protestations of everyone that has ever commented in these threads - can be imposed for a first, single violation, without any warnings. If they meant for there to be any safeguards for companies, that language would have been built into the GDPR. But it wasn't. There are no limits, other than $10/$20 million.
European courts and regulatory agencies are not run by gibbering morons. They do not levy multimillion dollar fines against small businesses for making honest mistakes. Art. 83(1) of the GDPR explicitly states that fines must be proportionate. Art. 83(2) states that fines must take into account the number of subjects affected, the level of damage suffered, the intentional or negligent character of the infringement, action taken to mitigate the breach, previous breaches and any other aggravating or mitigating factors.
The GDPR replaces the Data Protection Directive, which left the levels of penalty to the discretion of individual member states. In the UK, the maximum fine for a breach of the Data Protection Act (the British implementation of the DPD) is £500,000. You can see a full list of enforcement action taken by the Information Commissioner's Office at the link below. I defy you to find a single example of a monetary penalty that was disproportionate.
People have tried to have insurance against speeding tickets in my part of the world (Scandinavia), and those have been deemed illegal and stopped from paying out. I would expect a GDPR insurance would end up getting the same treatment. I can't guarantee that this would happen in all of Europe, but I do expect it would.
When it comes to getting the max fine at first strike. The GDPR is not the first law in the EU with teeth. There are strict laws about corruption, pollution and antitrust here as well.
Do companies get dinged with max penalty from the start violating these laws, not that I've seen. Why should enforcement of the GDPR be different from the current laws?
Do yourself a favour. Spend some time and read other EU laws with teeth. Look at the theoretical maximum versus the practical. Then come back and try these same arguments.
I don't care what the regulators might assess as a fine out of the goodness of their heart or how annoyed they are or how late they ate lunch that day[1]. I care what the law says and provides for.
Then, you should give articles 58 and 83 a read. 58 details EU powers under GDPR. 83 details the factors that should be taken into account before levying administrative fines. In 83, you'll notice that the character of the infringement and any acts to mitigate the damage of the infringement are relevant.
GDPR has strong language around the purpose of fines and the kinds of considerations that should be made before imposing them. Being overly punitive, especially if a company shows good faith effort to comply, would only welcome judicial oversight. What would the EU gain in such a scenario? And what could the EU lose in such a scenario?
> What would the EU gain in such a scenario? And what could the EU lose in such a scenario?
It gains the millions of dollars from the fines, in addition to aiding local EU competitors by bankrupting or hobbling their international foes. It loses nothing.
You can’t see why that’s an incentive and indeed an invitation to abuse GDPR?
First, I have significant trouble believing that the entire European Union would collude to attack international companies in favour of local companies. For a perfect example of this, do some research into the International Procurement Instrument. The IPI is an example of when the EU as a whole has bent over backwards to make sure that non-EU companies have fair access to EU public contracts, even if the playing fields are not level and EU companies don't have equivalent access to the non-EU markets. I assume that you're North American (I am too), so reading about the IPI will seem like comedy hour at Bizarro world, particularly when you see how difficult protectionism is in the EU.
Second, it's worth noting that your scenario as described gets uncomfortably close to a definition of passive corruption. Again, I have significant trouble believing that you could get so many people to agree to do something so potentially explosive.
And third, the EU currently has a very strong tool in its arsenal to enhance data security. The GDPR is very strong because it's ambiguous and people like you are scared of it. The moment that GDPR starts to face legal challenges, that ambiguity will get chipped away.
Why can't databases and DBMS systems come out with GDPR-compliant integrations that automatically provide the required data-wipe services? Surely it won't be so difficult to have built-in triggers/scripts that delete data etc automatically? And if the entire ecosystem uses these tools, it'll be better for everyone, and the onboarding/integration even for startups can be easy as well - maybe as easy as simply installing an NPM package.
The more difficult part is deletion from backups, which is also a requirement.
IMO, the best solution is per-row encryption with the keys stored in a second database. This second database can still be backed up, with backups that have a maximum lifespan, eg: 30 days. When a user deletes their account, their decryption key is deleted, and is unrecoverable after the backup max life.
> The more difficult part is deletion from backups, which is also a requirement.
How long do you keep your backups? If you just store them for, say, 30 days, that's fine. The EU regulators aren't going to come after you for a 30-day lag for all traces of data to be deleted, as long as that process is documented.
There's still one annoyance left: you do need to keep track of accounts/users who have deleted data, so if you have to restore from a backup, you can't restore any data belonging to users who have deleted their data within that window.
Otherwise, this is frankly not such a big deal. If you're storing backups for longer than 30 days, why? Where I work, if we had to restore from a 30-day-old backup, it'd be catastrophic for the business given how much data would be lost.
Most backup systems allow restoring only specific files. It could happen that some random document in an archive was accidentally erased or overwritten, and nobody noticed for a year until they need to reference last year's document. You wouldn't overwrite your whole archive by restoring a 365-day-old snapshot to fix it.
> There's still one annoyance left: you do need to keep track of accounts/users who have deleted data, so if you have to restore from a backup, you can't restore any data belonging to users who have deleted their data within that window.
That seems like a big annoyance. The only way around it is a 2nd database that removes certain data in case a backup is ever restored. Ironically, keeping data on the data you need to delete.
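An added example, not code from anyone in this thread, of the two ideas above: per-row encryption with each user's key held in a second store whose backups expire, so that deleting the key makes the row permanently unreadable, plus an erasure log that is replayed on restore so a restored backup cannot resurrect a deleted user. Everything here is constructed: the in-memory stores, the sample users, and a standard-library HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

NONCE_LEN = 16
TAG_LEN = 32
KEY_BACKUP_MAX_AGE_DAYS = 30   # key-store backups expire; row-store backups may live longer


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one per-user key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_row(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_row(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or a tampered row."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered row")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Service:
    """Primary row store, separate key store, and an erasure log (all in memory here)."""

    def __init__(self) -> None:
        self.records: Dict[str, bytes] = {}   # primary DB: user_id -> encrypted row
        self.keys: Dict[str, bytes] = {}      # key DB: user_id -> per-user key
        self.erasure_log: Set[str] = set()    # append-only; never overwritten by a restore

    def create_user(self, user_id: str, data: bytes) -> None:
        key = secrets.token_bytes(32)
        self.keys[user_id] = key
        self.records[user_id] = encrypt_row(key, data)

    def read_user(self, user_id: str) -> Optional[bytes]:
        key, blob = self.keys.get(user_id), self.records.get(user_id)
        if key is None or blob is None:
            return None            # key shredded: the ciphertext is unreadable by design
        return decrypt_row(key, blob)

    def erase_user(self, user_id: str) -> None:
        """Right to erasure: log it, shred the key, drop the row."""
        self.erasure_log.add(user_id)
        self.keys.pop(user_id, None)
        self.records.pop(user_id, None)

    def backup(self, taken_on_day: int) -> dict:
        return {"day": taken_on_day, "records": dict(self.records), "keys": dict(self.keys)}

    def restore(self, backup: dict, today: int) -> List[str]:
        """Restore rows; restore keys only while the key backup is within its lifespan.

        Then replay the erasure log so no erased user comes back. Returns the ids
        whose rows the replay removed, for the audit trail.
        """
        self.records = dict(backup["records"])
        if today - backup["day"] <= KEY_BACKUP_MAX_AGE_DAYS:
            self.keys = dict(backup["keys"])
        # else: the key backup has aged out, so only live keys remain and rows whose
        # keys were shredded stay permanently unreadable.
        removed = []
        for user_id in sorted(self.erasure_log):
            self.keys.pop(user_id, None)
            if self.records.pop(user_id, None) is not None:
                removed.append(user_id)
        return removed
```

The erasure log is the "second database" the comment above mentions: it records only identifiers of erased users, never their data, and it is the one store a restore must never overwrite.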
In the very worst case, let the customers know you had to recover with the backup and tell them to delete again. How often do you really need to recover from back-up anyway?
> The only services that can even afford to attempt to comply and have the necessary liability insurance against fines are massive companies - think Facebook and Google.
This is a gross exaggeration. I agree that truly small companies may have issues, but companies way smaller than FB and Google can and are spending the time to comply.
The biggest issue for me is the punitive fines: 4% of revenue or €20 million whichever is greater. That just punishes small companies disproportionately.
This is a maximum fine. You would not be fined that for a first, unintended offence. You would be warned.
You don't know that. Show me where, written in the GDPR, it says that warnings must be issued or that there are any circumstances under which the maximum fine must not be imposed.
> When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to [...] the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
That doesn't limit their ability to impose the maximum fine for a first, single violation. It says they should consider some things. But it does not limit their statutory ability to impose the maximum without warning.
Look, their goal here is compliance. They don't want to fine a company into oblivion, because that just encourages companies to be fearful and do what you're doing: cut ties with the EU entirely. And that's not a win for them either.
I get that it's hard to trust governments, but remember that they're still made up of people. If you deal with the regulators in a straightforward way, and cooperate to the best of your ability, they're not going to stick it to you. No, I don't know that for every single instance. But I also don't know a lot of other things that can add risk to a business, but that doesn't stop me from doing business in general.
But sure, if you've done the math, and the cost of compliance isn't worth the EU revenue you'd otherwise get to keep, that's your call. I'm just getting a little tired of all the FUD getting spread around GDPR.
Sure there is. Their government will be the direct beneficiary of the money. Why would they care if they bankrupt a foreign company? In fact, they may use it for this explicit purpose. They win by collecting the money, and they win by decimating foreign competitors of local businesses.
I get that you're incredibly cynical about this process (and probably any government process), but I really don't see it as dire as you do. I don't think any further discussion will be productive, though, since we seem to be operating under some vastly different base assumptions about human behavior.
They have to be citizens of the given country, do they not? They probably wouldn’t mind their government collecting a few extra million from foreign businesses. It still goes to their benefit.
Fines must be "effective, proportionate and dissuasive", taking into consideration those factors. A maximal fine for a first, single violation (unless it is a willing and gross violation) is just asking for judicial review.
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
the intentional or negligent character of the infringement;
any action taken by the controller or processor to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
any relevant previous infringements by the controller or processor;
the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
the categories of personal data affected by the infringement;
the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
You should DEFINITELY look for a better lawyer. Pro tip: one not looking to sell mitigation services.
Show me where, either in your pasted text, or in the rest of the GDPR, it says that there are circumstances or mitigating factors that MUST result in a fine less than maximum. There is no such clause.
In terms of liability insurance, which is the claim here though, the reality is the insurer knows that the EU isn't going to dump 20 million fines on every small company making a first offence. The idea that they are going to treat it like that's the likely outcome is insane.
When my state first imposed mandatory use of seat belts in cars, the public was assured that "this will not be enforced as a primary offense, only secondary if you are already violating some other law e.g. speeding, expired plates, etc."
Well that caveat was not actually written in the law, and enforcement changed later. Now you can be pulled over and fined for nothing other than not wearing a seat belt.
So whatever "they say" about enforcement is meaningless. You can only consider what is actually written in the law.
It's the maximum fine to show that EU means business. That's also why they can go up to 4% of a company's global revenue: to show Google and Facebook that they can't bankroll through violations.
4% would obviously be a hit to Google or Facebook, but it wouldn't put them out of business. €20 million would certainly put the company I work for out of business. Of course, it's quite unlikely to be fined that, but I wouldn't be surprised to see more and more companies folding purely because of the threat.
How much is Google's (Alphabet's) and Facebook's revenue income? And how many times can they get fined for violations before they stop making a profit?
> At my company, we do nothing nefarious with user data.
Then why do you need millions of dollars to make it reasonable and transparent?
This is no different to environmental regulation or something like this. Yes, making you stop pouring acid into the river will make your business more difficult. No, it does not matter.
You say "we don't do bad stuff to environment but complying with 'stop pouring acid into rivers' legislation will cost us spend high six/low seven figures"? That kind of seems like you're not exactly telling us the truth, doesn't it?
Thinking about this, we should probably compile a list of companies that do this, so we can name and shame them.
Then why do you need millions of dollars to make it reasonable and transparent?
Reasonable and transparent would be fine. That may be the spirit of GDPR, and I'm sure it's been sold to the EU public like this. But the wording is anything but reasonable. You are talking about things you obviously haven't personally evaluated.
I'm not going to get into a long discussion about the fine points of the GDPR. I've engaged in several, and they go on for countless comments with self proclaimed HN GDPR experts saying how each thing is easily overcome, followed by a deluge of downvotes for every comment saying that they are (legitimately) wrong. But here's just one place to get you started:
Which makes zero difference, because the statute does not define "proportionate" and does not otherwise constrain the fines. Who is "we" btw? Are you teaming up with others to defend GDPR on HN?
> After consultation with experts, we had to make the decision to either spend high six/low seven figures to hopefully comply and buy insurance
Change your experts. If you really aren't doing anything nefarious with the data as you say, the adjustments are relatively easy to understand, and very often also to implement. In fact, many subregulations of the GDPR were already implemented in many companies in Europe, so what's happening is shocking much more to American companies, not so much the European ones.
People who say this quite simply haven't looked at the law or tried to comply themselves. There was someone else in another thread spouting something about how easy the law was to comply with, having helped implement GDPR for his employer. When I visited his employer's site - through an EU proxy no less - I found an undisclosed Google Analytics and Facebook pixel automatically loaded on the page. In 20 days, that 1 visit could mean a $20 million fine for them.
> People who say this quite simply haven't looked at the law or tried to comply themselves.
I have, and it's things you should have been doing anyway. I'm curious what your business is that complying is too onerous.
There are some parts that are inexact, like how must a company protect data and exactly what data is considered PII. Thing is, if you treat any data that could identify a person as PII and
a) Protect it as such
b) Keep a living document on your site listing the data you capture and why
c) Get and store consent
d) Allow a user to 'be forgotten' and/or export their data
e) If you change the data you capture or what you do with it, you must get consent again
If you follow those steps you have complied with the spirit of the law [1]. Too many companies today capture more data than they need to provide the service the user signed up for, and then sell that data later when the service can't support itself.
The high end of the fines are high, but that is the only way to get companies like FB and Google to fully comply. Hopefully spammers who I never gave consent to email me will also get put out of business, but they are like cockroaches and impossible to kill.
[1] There are other points like you can't force consent, i.e. download this white paper only after you consent to accept marketing emails.
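A way to represent steps b), c) and e) of the list above in data, as an added example that is not part of the original comment: each declared purpose (which fields are captured and why) is hashed, consent is stored per purpose against that hash, and any change to the purpose invalidates earlier consent until it is granted again. Purpose names, fields, dates and users are constructed; the classes are illustrative, not a library.

```python
"""Per-purpose, versioned consent records.

Added example, not from the thread. Purpose names, fields and users are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Purpose:
    """One entry of the published 'what we collect and why' document."""
    name: str
    fields: tuple[str, ...]
    why: str

    def digest(self) -> str:
        # Canonical serialisation: reordering fields is not a change, adding one is.
        blob = json.dumps({"name": self.name, "fields": sorted(self.fields),
                           "why": self.why}, sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()


@dataclass
class ConsentRecord:
    purpose: str
    purpose_digest: str          # the purpose as it read when consent was given
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentStore:
    policy: dict[str, Purpose]   # currently published purposes, by name
    records: dict[str, list[ConsentRecord]] = field(default_factory=dict)

    def grant(self, user: str, purpose_name: str, now: datetime) -> ConsentRecord:
        purpose = self.policy[purpose_name]   # KeyError: cannot consent to an undeclared purpose
        rec = ConsentRecord(purpose_name, purpose.digest(), now)
        self.records.setdefault(user, []).append(rec)
        return rec

    def withdraw(self, user: str, purpose_name: str, now: datetime) -> bool:
        for rec in reversed(self.records.get(user, [])):
            if rec.purpose == purpose_name and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                return True
        return False

    def is_permitted(self, user: str, purpose_name: str) -> bool:
        """True only if the latest consent for this purpose is live and was given
        for the purpose exactly as it is declared now; a changed purpose needs re-consent."""
        purpose = self.policy.get(purpose_name)
        if purpose is None:
            return False
        for rec in reversed(self.records.get(user, [])):
            if rec.purpose == purpose_name:
                return rec.withdrawn_at is None and rec.purpose_digest == purpose.digest()
        return False

    def update_purpose(self, purpose: Purpose) -> None:
        self.policy[purpose.name] = purpose

    def export(self, user: str) -> list[dict]:
        """Subject-access style dump of what this user consented to and when."""
        return [{"purpose": r.purpose, "granted_at": r.granted_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self.records.get(user, [])]


def demo() -> dict:
    """Constructed scenario: consent to two purposes, one purpose later widened."""
    t = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = ConsentStore(policy={p.name: p for p in [
        Purpose("fulfilment", ("name", "address", "email"), "ship the order"),
        Purpose("newsletter", ("email",), "monthly product news"),
    ]})
    store.grant("u1", "fulfilment", t)
    store.grant("u1", "newsletter", t)
    before = store.is_permitted("u1", "newsletter")
    # The newsletter now also wants purchase history: the old consent no longer covers it.
    store.update_purpose(Purpose("newsletter", ("email", "purchase_history"),
                                 "personalised product news"))
    after_change = store.is_permitted("u1", "newsletter")
    store.grant("u1", "newsletter", t.replace(day=26))
    after_regrant = store.is_permitted("u1", "newsletter")
    store.withdraw("u1", "fulfilment", t.replace(day=27))
    return {"before": before, "after_change": after_change, "after_regrant": after_regrant,
            "fulfilment": store.is_permitted("u1", "fulfilment"),
            "unknown_purpose": store.is_permitted("u1", "analytics"),
            "export_count": len(store.export("u1"))}


if __name__ == "__main__":
    print(demo())
```

Storing consent per purpose rather than as one global flag is what lets a service keep the consent it needs for the thing the user actually signed up for while a separate, optional purpose is declined or withdrawn; the digest check is what turns "we changed what we collect" into a concrete re-consent event instead of a silent scope creep.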
If you follow those steps you have complied with the spirit of the law
The spirit of the law is not the letter of the law. And as we all know, a single violation of the letter of the law can result in fines of up to $20 million.
No, this is not how the law works, at least not in Europe.
While doing business in Europe I sometimes got some things wrong, for example with taxes. I wasn't really punished even once - I just had to pay what was missing and correct the documents, even if the maximum punishment for what I did (or failed to do) was some years in jail.
> I found an undisclosed Google Analytics and Facebook pixel automatically loaded on the page. In 20 days, that 1 visit could mean a $20 million fine for them.
You will not be fined 20 million for that. This argument is beyond absurd.
The GDPR is pretty restrictive, and if it's a law, the risk of a high fine is real and companies will think twice before doing business in the EU. Good for those who can comply, terrible for the rest...
I'm a UK (IT) business owner, you insensitive clod 8)
I like the GDPR. It's a lot easier than ISO9001/27001 and actually nearly falls out if you have those.
How many times have we whined and opined about a lack of responsibility displayed towards our personal data? Now a major bloc in the world is trying to get to grips with that issue with some pretty decent legislation (IMNSHO.) Do you have any idea how difficult it is to get something like this ratified by the EU? Do you have any idea how diverse the EU actually is? Getting this thing out is a massive feat.
In the EU, we all have to comply with GDPR by default - all of us from cobblers to rocket scientists. I'm sure you'll manage.
Wait a minute, you're not in the EU anymore! Shouldn't you be railing against the self-serving protectionist agenda of those horrible bureaucrats of Brussels?!!
We (UKoGBnNI) are still in the EU for now - next year we sort of leave (ish!!)
I've always whinged about those self serving bureaucrats in Bruxelles. Some of them are our own home brewed UKIP lot. It says a lot about democracy that UKIP or the SDP (inter alia) can even exist.
We'll see what happens to the little old UK post Brexit - it will be written up as both a triumph and a disaster and yet I suspect life will tick on, much as before.
GDPR on the other hand: that is important and worth paying attention to.
Not so much fun living there in some ways (on both sides of the border)
Bear in mind the UK use Sterling and the RoI use Euros. A NI person could work in RoI and be paid in EUR but pay rent etc in GBP. Obviously the reverse is true a RoI citizen might work in NI and be paid in GBP but needs EUR to live on. All a bit of a pain and of course the bank's exchange rate doesn't help.
It is easy to poke fun at those at the edges but I think on balance a bit of sensitivity might be warranted here. Little Britain might think that they (we) have some problems to deal with wrt Brexit.
I would suggest that we might look at NI and RoI and at least try to understand that the really important issues are right there - those issues and our responses to them are the ones that really define what sort of people we are now and will be in the future.
Show me where it is written in the GDPR that this could not possibly be the result of a single violation. It's not there. Yes, it says they should consider some things when determining the fine amount. But they still have the statutory authority to impose the maximum at their discretion regardless of any other considerations.
It's not FUD when that's what the law says in black and white.
Honestly: what banana republic do you assume the EU is? No way a 20 million euro fine for a first infringement of a small company would be seen as reasonable. Scaremongering neither helps you nor anyone else here.
I'm sure technically you are right on the written wording of the law, but you can be technically right on many subjects and make the wrong business calls. Avoiding a vanishingly small regulatory risk by making real damage to your company seems like a bad call.
You could totally eliminate the risk of meteorite impact on your business by relocating down a mineshaft...
A €20 million fine for that would not be proportionate, nor would they have taken into account the relevant factors ("the nature, gravity and duration of the infringement [...] as well as [...] and the level of damage suffered by them").
I wonder what kind of lawyer your company consulted with. Are you sure they are experienced with EU law? If they were American lawyers with no international law experience, asking them would probably be as helpful as asking a Common Lisp expert for help with your Java application: if you are lucky it might work out, but probably not. In the same way that not all programming languages are the same, not all law is the same.
The irony is that that's exactly one of the major problems with the GDPR.
And the GP sounds like a large business; a small business that maybe has 50 orders a month from EU customers won't be able to afford a top-tier international firm, hire a mandatory local representative and open itself to this level of liability.
The irony is that the companies that can both comply and abuse the GDPR to their benefit are the ones that regulation such as the GDPR was supposed to protect us from.
>> (this law is subject to unique interpretations in 28 distinct countries, so nobody can actually know what "full" compliance is)
As has been discussed before, the GDPR is an EU regulation and as such does not require national governments to pass any enabling legislation and is directly binding and applicable, therefore it is not subject to "unique interpretation" of any kind. In fact, that was the whole point of making it a regulation, rather than a directive (like the previous Data Protection Directive).
Furthermore, the regulation establishes a European Data Protection Board, tasked with ensuring the consistent application of the GDPR. Articles 55 to 63 of the regulation are devoted to cooperation and consistency, with procedures for multiple Data Protection Authorities to coordinate investigations and promote consistent decisions and policies reviewed by the Board and reported to the European Commission.
Now, can we please stop it with the entirely unsubstantiated statements about how everyone will interpret the GDPR as they please?
Seeing as the EU passes retroactive laws which make things that used to be perfectly legal all of a sudden illegal and subject to huge fines - I would say your viewpoint of one unifying interpretation of GDPR that companies can rely on is extremely naive.
Whatever public education campaign they are running over there must be incredibly misleading. Read it. It doesn't just say "hey guys, stop doing nefarious things with people's data". That may be how it was sold (and is now apparently being explained) to the public, but that's not how it was implemented.
Your argument would be much more convincing if you shared with us what your company is doing with its users’ data. The fact that you’ve failed to do so suggests that your use case might not be that innocent, in which case it’s a good thing that GDPR makes you cease it.
>If that's going to be the sort of business that the GDPR makes unprofitable and unworkable then I'm very proud to be a European citizen.
Would you be equally proud if we sprayed weed-killer chemicals everywhere to wipe out dangerous plants ("If Water Hemlock is the type of plant that RoundUp kills, then I'm very proud to be a Monsanto stock owner") while killing scores of non-harmful plants? Your scope is narrowly framed and misses the big picture.
The big picture is that OP doesn't discuss or realize the policy iatrogenics. It's equivalent of saying: "If we surveil everyone's communications, we can catch all murders and child abusers!" without addressing the fact that oppressive regimes' capabilities are now super charged to kill and oppress dissidents.
Any business model that has any interaction with anything that the GDPR specified as personal data.
Here is an example:
I'm a ukulele maker from Argentina. I sell 50 ukuleles a month to the EU via my webshop and I use PayPal as my payment processor.
I collect the following information from you that is considered PII under the GDPR.
IP address.
Name and Address.
Phone number.
EMail address.
I don't need to do anything nefarious with that information to have a huge headache and a potentially huge liability under the GDPR if my data leaks or I don't comply with a request by an EU customer.
I’m also out of luck if my local legislation contradicts the GDPR since unlike EU member states I don’t have a DPA and my local laws mean squat to the EU.
Leaking data is generally considered shit so quite right - get a grip on your security.
Complying with a request to be forgotten is surely not too hard and also you still have a right to hold on to probably all Ukelele sales related data for your reasonable accounting purposes. IP address - maybe not unless you use an IPSEC VPN for support 8)
It really is not as bad as you imply. Bear in mind these regs are designed to be complied with by EVERY SINGLE BUSINESS (BIG OR SMALL, TECHNICALLY SOPHISTICATED OR NOT) IN THE ENTIRETY OF THE EU. You are a HN commentator with ~9500 karma - you are probably not stupid and will cope fine.
Its not really a bad idea to take a long look at the data you hold and consider its lifecycle in your org. If it helps, I (UK IT business owner) am not frantically removing IP addresses from logs. I am however enjoying the thought that some bloody stupidly large email accounts will become indefensible, post 25 May. Also the stupid "archives" of old customer docs can damn well get deleted, rather than cluttering up my file servers.
Have you mapped all the processes through which you collect data?
Have you identified the lawful basis for each type of processing? Remember consent, while required, is not a legal basis for processing or collecting information.
Have you verified that there are no ways for you to provide a service without collecting / processing a specific set of information (this also includes switching to a different provider within the same domain).
Did you check with all your suppliers, business partners etc. about their compliance status?
>It really is not as bad as you imply. Bear in mind these regs are designed to be complied with by EVERY SINGLE BUSINESS (BIG OR SMALL, TECHNICALLY SOPHISTICATED OR NOT) IN THE ENTIRETY OF THE EU. You are a HN commentator with ~9500 karma - you are probably not stupid and will cope fine.
It actually is. I think many individuals as well as small and medium organizations don't realize the full extent yet, nor the nuances of switching from the DPA to the GDPR.
I work for a very large global financial exchange and I've seen estimates from multiple sources of its impact. I've also seen the estimates that LSEG did. And oh boy, it will have a much more substantial impact than what most people here predict.
In fact I will guarantee that if you were to be audited on the 26th of May (well, the ICO won't do it on a Saturday) by the ICO, you would be found in violation of the GDPR in one form or another.
I think the GDPR is overreaching and there should be exemptions for small businesses.
I think the GDPR needs to have provisions for blockchain and current cryptocurrencies.
I think that fact that the EU wants to apply it extrajudicially to non-EU entities and organizations is terrifying and amounts to sheer tyranny since they have no say in how the law is enforced or interpreted nor do they have any representation.
And it's clear that you and I think about this on completely different levels; you were making jokes about wiping IP addresses from your logs and about using a VPN.
If we go back to my specific example then how much do you think it would cost me to get a lawyer that could advise me on GDPR in say San Juan vs London or Amsterdam?
How much would it cost me to have a mandatory local representative in the EU?
In the UK if I need help I'll talk to the ICO, I'll talk to my MP, I'll take to my EU MP, who the hell do I talk to about GDPR as a ukulele maker from San Juan.
Do you still not see a problem here?
It's terrifying to me that there is already ongoing strong-arming to force certain service providers in the payment, ecommerce and hosting industries to ensure that all their non-EU customers comply with the GDPR, or to face non-compliance, which will force businesses to stop offering services to EU residents and/or consolidate the already heavily monopolized industry even further by allowing a few companies to dominate the market by providing "GDPR certified" walled gardens.
I suggest you read the GDPR or even go through the ICO guided tools first.
The anecdotal examples you bring are irrelevant.
If anything, that's because you can actually do that under the GDPR: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
The problem is that this has to be evaluated against "the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller."
This is more or less going to be open to the interpretation of the DPA and your local EU member state laws. The problem is that non-EU entities don't get a DPA, their legal system isn't part of the decision making and they are now open to 28 different interpretations by 28 different regulators (a DPA in each EU member state) and 28 different legal systems.
Judging from the other comments I guess I’m in the vast minority, but I think the fine structure is really bad for small businesses. I’m not a GDPR fan.
I think you're making the mistake of thinking the fines mentioned are the minimum fines, when they're the maximum possible fines for the worst repeat deliberate violations.
EU regulators tend not to apply fines for companies making simple mistakes. They do want the companies to come back into compliance.
If small businesses don't have the manpower or money to handle users' information transparently, they should not collect that information in the first place. That's why I like GDPR.
For SMBs that probably is really bad. Just the fact that a small website you’ve just heard about requires a lot of your data would be negative for their customer acquisition, while other people would continue trust major companies.
I feel like we’re living in the golden age of free personal financial apps - shocking to me how much we care when it comes to protecting our likes but so careless we are to giving third parties logins to our online banking and all balance and transactional data that comes with it
I’m no GDPR expert, but wouldn’t it apply to data of European citizens even if they’re not the customer? Since unroll.me slurps up email, don’t they still have to comply with all the rules for data because presumably some of that email data originates from the EU?
I am not an expert myself. But how should the EU enforce anything against a company that doesn't do business with EU citizens? They can't restrict any market access and they have no jurisdiction outside the EU.
If there's one good thing that's coming out of stories like this, it's that I (as a non-EU citizen) can avoid companies like this that clearly don't care enough about being good stewards of my personal data.
It is also a bit of a bugger to prepare for (I own a small UK based IT business) but it is a good thing in my opinion.
There are ~0.5 billion EU citizens and GDP is roughly 22% of the world. So it has some clout. The EU as a whole has decided that people's data is important and have come up with some rules about the same. Bear in mind the EU is a very diverse place and getting 28 states to agree on something is akin to cat herding.
I am still in shock about it. I am also very happy about it but it is only a start. Getting FB and Co into line will take a lot longer as will the world getting a decently diversified and mutually compatible, healthy social presence environment working.
Unroll.me's ToS was one of the first I checked in detail and it shocked me how invasive it is. I noped the f* out before I granted access to all my mail.
I hope so too. Countries that try to regulate Internet don't deserve Internet. I wish more websites had the balls to not give in to every ridiculous law passed around the globe (e.g. Github removing perfectly normal files because Roskomnadzor asked them too [1]).
This is a basic protection that should have been passed a long time ago, don't try to frame it as "censorship", it was created to give you control over your own personal information.
Every time you see news of a company "not being able to operate due to" or "shutting down because of" GDPR, the only actual reason is "our business model is unsolicited unrestricted access to, processing of, and selling of personal data."
> Or they are not actually doing anything shady, but the revenue coming in from the EU is not sufficient to justify the increased costs and liabilities.
Refusing to protect your users from your own predatory use of their personal data because the ROI isn't there is still shady.
Thanks. Interesting that some folks in the comments say "actually, this site was abusing your data to make money" - but I don't have a good sense of whether a similar site that didn't use Amazon ads, and either took a small membership fee or was run out of the founder's pocket as a side project, would have things to worry about from GDPR.
On the flip side, does anyone know of side projects or community projects that have said "We chatted with a European lawyer, who said we don't have anything to worry about, and we'll keep doing our thing"? I know Debian is having that chat (https://lists.debian.org/debian-devel-announce/2018/04/msg00... - and there are some privacy things I think Debian should change, like not keeping people's support emails from years ago public) but I'm curious about projects that are smaller in scope and are basically not trying to hold personal data at all.
Exactly, the GDPR regulations are completely reasonable and it's actually quite odd to see them being put into practice so late. The user data selling wild west had to be regulated at some point to curb predatory practices of Google, Facebook, and many others. If your business model isn't based on exploitation and profiling, it isn't hard at all to comply with GDPR.
Yeah, I've wondered why everyone has been so late to the party. I mean, we have lived in a world with GDPR for two years now. Companies should have already been complying with it for two years. There was just a transitional period during which there was no enforcement.
Then there's all the GDPR expert blog posts, blasting the EU for not giving any leeway or transition periods. You were in it!
Some of us running small businesses don’t spend our free time studying up on the latest in EU regulations. I only found out about it through a random comment on HN in March.
Actually, I do. They represent 30% to 40% of my business (depending on the month). GDPR compliance has cost me a ton of time and money. Wish someone could have notified me somehow before I randomly found out in March because it completely derailed our development roadmap.
Or it's a free pass to cut out a less profitable market segment. Or it's an excuse for bad developers. Or it's an excuse to shift blame from your already failing business.
> collects an email address as part of the registration [..] they may well be shut out of the EU now
Why would that be?
I think there's a lot of misunderstanding and/or uncertainty about the scope of the GDPR. The fact itself that you know, for a fact, there is no malicious intent, means that the GDPR will have little to no bearing on you.
If you're having a simple free e-mail raffle of goodies for a list of players that signed up for that, there's nothing that prevents you from doing that. What would change is that if someone asks you what you have on them, you have to mail back "we have your email address in a list of email addresses", and you have to really delete it if they request it.
These are things any decent company would normally comply with regardless. It's only problematic if you would be harvesting data for non-transparent purposes, but that's not something that could reasonably be included with "zero malicious intent".
Why would you think that? Collecting email addresses for an optional contest is a legitimate use case. The company just needs to ensure that these addresses are stored securely and must give users the option to get their data deleted.
I don't think they have to enforce that very strictly. If the user incorrectly answers "No" to being a resident of EU, I doubt the company could be sued for violating the rights of "dishonest" EU users.
As a matter of fact I wonder how a company without physical presence in the EU could ever be fined for any violations. And even if they can be fined on paper, I doubt many non-EU countries will cooperate collecting the fines.
Score one for GDPR. Between this and the umpteen services forced to purge my address unless I "resubscribe" (when of course I never subscribed in the first place), it has already achieved concrete results. If only the EU could also fix the mess with cookies and VAT, we could say we're finally entering an era of decent lawmaking over the digital space.
I suspect this strategy will fail. I'm currently using a VPN with an exit in Germany. But through some sort of geolocation glitch, it's being identified as UAE. So unroll.me doesn't display the warning for EU residents.
Given the chaos around IPv4 assignments, I doubt that only VPN services are affected.
Selling your privacy / data is 100% of their business. The service they provide is 'free' as in a 'free toolbar' that then steals data off your system.
That's amazing. I hope more and more companies will forbid the entrance of european users. If at the moment you put your feet on my company you're already making unreasonable demands the most decent thing to do is to put you out and refuse to serve you.
I hope GDPR defenders will understand that if more and more companies adopt this strategy.
Excellent. The GDPR is working as intended. Let's see how many other unscrupulous actors will try to pin the blame for their own malicious behavior on the new legislation.
Just like Uber circumventing labour laws to beat taxi firms. "EU not good for innovation".
Ehm, no. These laws represent how we want (our data) to be treated. If your business model can't exist within that legal realm, then your business model is one we don't want.
This is fantastic news, if a company can't behave responsibly with user data, it deserves to go bankrupt. It's like a restaurant saying it can't comply with health regulations. Absolutely unacceptable. If the business model is to exploit and sell personal information, then the world is better off without that company.
So, everyone seems to be celebrating the blow stricken against this seemingly unscrupulous company. Fair enough.
But doesn't anybody else think this has at least some worrying optics of censorship?
Are we going to end up with another great firewall around Europe? And are you sure that only companies which enjoy a consensus as evil will be clawing the outside?
Won't the internet interpret this as damage and route around it?
I just don't have a great deal of confidence in my own ability to tell the difference between an arbiter who is making good judgments about which medicines are real and someone who is censoring a competitor by adjudicating their medicine as "fake."
In fact, I think I have better instincts about detecting fake medicine than I do about detecting the fake arbiter.
Since I like torturing metaphors, let's say that the GDPR was instead a law prohibiting the sale of fake medicine.
What happened in this case is that the Unroll me pill manufacturer announced that they'd not be selling their pills in the EU anymore due to the GDPR.
So, though your concerns remain valid in the general case, in this particular case there could be no shifty arbiter. Unroll me self-assessed and decided that their own pills are fake.
...but what if you were selling a medicine that you knew worked, that you really believed in, but that you knew was going to be labeled fake by an arbiter in the employ of your competitor (and I think it's not unfair to say that the FDA is, at times, exactly this)?
Might you decide not to spend the money to attempt to achieve compliance?
Don't you think that some well-meaning organizations, knowing that they have powerful, well-connected beasts who wish failure for them, might opt to just stay out of Europe (either initially or always) instead of facing the costs of assuring compliance?
Complying with the law that prevents certain business practices and using user data for your own ends isn't censorship, just as not being able to sell water labelled as vodka isn't censorship.