[CyberThijs]

Another big recent achievement of the European Parliament is the "General Data Protection Regulation" (GDPR) [1], which comes into effect in May 2018 and stipulates that companies can be fined up to 4% of their worldwide turnover when they fail to protect/process the data of EU-based customers in a proper manner.

For example: say that LinkedIn was to experience a new data breach, and they fail to inform the authorities or their customers in time, then they can be fined for up to 120 million USD (based on a revenue of 5 billion USD)!

I'm surprised that it's so little known here, as the impact will be massive.

[1] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

[halflings]

Yep, and it does much more than that: it forces companies to actually wipeout your data when you ask them to (not just flip some bit and still keep that data, like facebook infamously does), and also set strict TTLs (Time To Live) for any derivative data that the user cannot explicitly delete.

[3pt14159]

How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement" the other says "delete it immediately" which is it?

[kbart]

"How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement" the other says "delete it immediately" which is it?"

GDPR is EU wide regulation that trumps national privacy laws. It doesn't even need to be approved by individual members, so when it goes into effect on 25 May 2018, it will be working EU-wide on the same day. Furthermore, it affects companies all over the world that serves EU citizens. There's much skepticism on how EU will enforce this law worldwide, but for now it was quite successful dealing with big companies, remember: Microsoft vs EU (paid €561 million fine), multiple cases of Google vs EU (right to be forgotten, Ireland tax rulling, ongoing case vs Android), Facebook/WhatsApp vs EU (€110 million fine) etc. To answer your question: no, there will be no conflicting laws - if you serve EU citizens, you must follow GDPR. From my personal perspective, GDPR is one of those not-so-often moments that I'm proud of EU.

[wav-part]

> Furthermore, it affects companies all over the world that serves EU citizens.

No gdpr applies if companies target EU citizens [1][2]. My personal opinion of the law is that its as useless as cookie law but way more costly and unpredictable.

[1] (122), Pg 22, https://docs.google.com/viewer?url=http%3A%2F%2Fec.europa.eu...

[2] Pg 13, https://docs.google.com/viewer?url=http%3A%2F%2Fwww.linklate...

The mere accessibility of your website by individuals in the Union or use of the languages of one of the Member States in the Union (if the same as the language of your home state) should not by itself make you subject to the Regulation. However, the following factors are a strong indication that you are offering goods or services to individuals in the Union and so are subject to the Regulation:

> Language - You are using the language of a Member State and that language is not relevant to customers in your home state (e.g. the use of Hungarian by a US website).

> Currency - You are using the currency of a Member State, and that currency is not generally used in your home state (e.g. showing prices in Euros).

> Domain name - Your website has a top level domain name of a Member State (e.g. use of the .de top level domain).

> Delivery to the Union - You will deliver your physical goods to a Member State (e.g. sending products to a postal address in Spain).

> Reference to citizens - You use references to individuals in a Member State to promote your goods and services (e.g. if your website talks about Swedish customers who use your products).

> Customer base - You have a large proportion of customers based in the Union.

> Targeted advertising - You are targeting advertising at individuals in a Member State (e.g. paying for adverts in a newspaper).

[halflings]

All the big (and smaller) players in tech are working hard to implement all the requirements of this law (control over what data is stored, TTLs, encryption).

How is this useless for end-users? It forces companies to encrypt this data at rest, and allow users to delete it when they want.

[an27]

I can't really envision Facebook or Google removing all EU-only language options and doing away with targeted advertisements, so how come you think these criteria won't work?

[tajen]

Microsoft vs EU yielded €2bn fines. I had made the calculations myself in 2013, I can't find the source, but here's most of the details: https://www.neowin.net/news/since-2004-the-eu-has-fined-micr...

[rattray]

I think they meant eg; US vs EU.

EU law does not subsume US law.

[Tuna-Fish]

It is possible for there to be a situation where to offer some service, you have to either break the laws of one country or the other. In this situation, you simply cannot offer that service without exposing yourself to legal consequences.

[k__]

Well, nothing stops a company to implement different stuff for different countries.

Companies did this before the internet and even with internet they did it for China regulations.

I mean, even translation to different languages is basically "special implementation" for different countries...

[harperlee]

I would guess that one solution is to keep EU citizens' data in the EU to avoid it being subject to other laws. And possibly having separate companies by country.

As an analogy, if I recall correctly banks have very stringent laws to follow regarding data export and money export to other countries. The solution they choose is to have a bank per country, not a global bank.

[strictnein]

> I would guess that one solution is to keep EU citizens' data in the EU to avoid it being subject to other laws.

This is exactly what is being done by the large corporations that can afford to do it. European datacenters staffed by Europeans. Americans are not allowed to view any PII for any European (at least with the company I work at).

Russia requires the same thing, although they just want the servers in their country so they can put a SORM-3 alongside it and intercept whatever data they want.

https://en.wikipedia.org/wiki/SORM

[dmoy]

Ah yeah 242-FZ, definitely a different purpose in Russia

[AndyMcConachie]

There is no easy answer to this question.

For example, what happens if US courts demand data you have stored on Irish servers,[1] but an EU citizen asks that you destroy this data?

Do you destroy the data and risk being charged with destruction of evidence in the US? Or do you keep it and risk being non-compliant with the GDPR?

[1] https://www.theguardian.com/technology/2014/apr/29/us-court-...

[throwawaymanbot]

I would imagine, since the EU is where the Data resides, and the EU is the legal jurisdiction, that the EU would take precedence. Its monumental nationalistic and legal hubris to think that American law takes precedence anywhere in the world, let alone with an ally as large as the EU.

[luma]

Be that as it may, there is nothing to stop US authorities from charging US companies with crimes if they were to comply with EU laws. They are in direct conflict, and any internet-based company operating on nearly any scale is in danger of running afoul of these sorts of issues. This isn't a Google/Facebook only problem, this is a problem for any web service that might store user data.

[throwawaymanbot]

This is a US Govt overreach problem. Not an EU directive problem.

[k-mcgrady]

Maybe the EU/US Privacy Shield will help handle situations like the above.

[ryanlol]

>there is nothing to stop US authorities from charging US companies with crimes if they were to comply with EU laws

There is nothing stopping you from shooting yourself in the foot either. (Or stabbing I guess in case you don't have access to firearms)

[alexeldeib]

Just FYI, this case was reversed on appeal (i.e., against the government). I recall there being some buzz with the government potentially pushing for further court action, but as far as I know that's the current status.

[ryanlol]

>There is no easy answer to this question.

Of course there is. You comply with both laws or suffer the consequences. If you can't comply with both, you choose the cheaper law to break. If that's too expensive, your business sucks.

[CyberThijs]

One of the goals of the GDPR is to consolidate all the data protection laws of the EU member states. So within the EU this shouldn't pose a problem. For the US, I assume this is covered by the EU-US data shield. I assume a similar construct will be necessary for GB once it leaves the EU.

[kough]

You ask your team of lawyers who can make a good decision for your company based on your business goals and the relative values of complying with each of the competing laws, along with the relative risks associated with failing to do so.

[louhike]

Company may have to treat the data differently according to where the user lives (yes, it can be a mess). For EU countries, the EU law has priority (except for the constitution).

[hamilyon2]

Encrypt it with key that only the law enforcement has. Keep actual encrypted data on a medium outside of coutry where it is illegal.

[s_dev]

There won't be conflicting laws -- the GDPR is a EU wide policy and supersedes any laws on the books in that nation.

[yammajr]

Except that not every country belongs to the EU. If you have customers globally, you'll still have to deal with conflicting requirements.

[abandonliberty]

Until we have One World Government we'll have to respect the laws of the countries we do business in.

This is an example of why some local services are winning out against global competitors. Respect for and knowledge of their specific niche.

[kodablah]

So on my ad-supported site that does not ask users where they are from, I will have to put a geo-ip filter to keep EU people off in order to avoid fines? Otherwise, do we accept that statements like "we'll have to respect the laws of the countries we do business in" is a bit generic and over-reaching in a global medium? I have not read the proposed law and I trust this situation is covered, but I am still annoyed at every region having so many of it's own internet rules (not EU specific, goes with them all). Granted explicit business w/ explicit customers giving explicit monies in nation-backed currencies does make it easy to follow this law, but not everyone's business is like this.

[s_dev]

If they aren't part of the EU or strongly associated with EU institutions why would the GDPR apply to them?

What the EU is trying to do is make it so countries outside the EU only have to think of the EU as a single country. This is why theres a single market and single currency.

[dordoka]

You just need to have different requirements per country, I honestly don´t see any conflict there.

[tpush]

So follow EU laws regarding EU customers and US laws regarding US customers.

[yellow_postit]

Do smaller companies get less onerous requirements? This is achievable for mid and large companies to comply with but may further stifle EU innovation.

I think this is a good set of data protections and hope there are ways to make compliance incredibly low friction.

[Piskvorrr]

Nope. This is an upcoming requirements nightmare that people seem to ignore in the vain hope that it will ignore them.

[jessah]

Why is the GDPR an requirements nightmare? It's one ruleset for the whole EU instead one ruleset for each EU state. And the GDPR seem to be not more complicate than the individuel laws where before.

[Piskvorrr]

"This ruleset you have? Oh, just merge it with the old ruleset; the old laws are not being repealed. Merging is easy, right?"

In other words, it's not a replacement: it is an additional set of rules to keep (although most of it would be a superset of various national laws).

[lokedhs]

It isn't? Are we talking about a different regulation?

I quote from the title of 2017/0003/COD COM (2017) 10:

    Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT
    AND OF THE COUNCIL concerning the respect for private
    life and the protection of personal data in electronic
    communications and repealing Directive 2002/58/EC
    (Regulation on Privacy and Electronic Communications)

Note the word "repealing".

[sqeaky]

If it just then 4% of revenue fine could well be 0 for startups. I presume they have some provision to prevent 0 euro fines, does anyone know about that provision?

[jdcarter]

From the wikipedia page: "fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater"

So yea, a 20M EUR fine could destroy a startup.

[BearGoesChirp]

Will it also have to be removed from backups?

[dmoy]

Almost certainly yes. Otherwise it's not actually removed.

[BearGoesChirp]

I've seen court ordered removal before and no one even considered backups and the impact on backup integrity had it been removed from backups. Especially when considering off site backups that the company will often not have immediate access to.

[em3rgent0rdr]

Seems like it will be extremely difficult and expensive to guarantee all copies are deleted. Also, replication is necessary for caching and reliability. I worry about how such seemingly well-intentioned laws can have adverse unintended consequences.

[athenot]

Think of it in terms of infosec: in a similar way, one could complain that having to sanitize secrets from RAM is harmful to performance (why can't we cache the result of decryption)… Yes it's an overhead but at the end of the day, we build technology to serve human goals, not the other way around.

(To be pedantic, we build technology to serve business goals, which are fulfilled within the larger context of serving human goals. Laws like these are to prevent shortcuts that would serve business goals while at the same time be detrimental to human goals.)

[splouk]

If I ask Facebook to delete my data, it should be deleted. Why does caching or reliability have anything to do with that?

[dsp1234]

or reliability

If our company had to delete all customer data for a particular customer, then I would need to:

restore 6 months of database backups individually, remove the data, then run then take and store each backup again.

have 3 years worth of tape backups shipped back to us from our data protection company. Restore the databases off of them, delete the data, store them back on tape, and have them shipped back to the long term storage facility.

[estebank]

Backup users' data encrypted with a recovery key. Delete the key, presto, the users' data is no longer accesible.

[Spivak]

Would you be satisfied with, "this data will be deleted once the deletion filters though the caches and backups?"

[calcifer]

If "once" is a reasonable time (as defined by the regulation) then yes, I'd be satisfied.

[em3rgent0rdr]

but I doubt the average user will be comfortable with such an experience.

[closeparen]

If you have backups, you might unintentionally restore an EU citizen's data. Pretty sure it's a crime to make backups (of user data) under this law.

[usgroup]

Agreed. I was initially reluctant about the GDPR thinking it'll be more rubbish to have to take into account but was really pleasantly surprised. It actually and seriously implies better rights over collected data and privacy.

I think soon enough, privacy is going to become a serious competitive advantage for Europe because it'll translate into consumer confidence and business confidence .

[k-mcgrady]

I wish we had more European based alternative services that I could switch to. With email the standard response to dumping Gmail seems to be FastMail (non-EU) and I haven't seen anything high-quality within the EU. Same goes for lots of other services.

If anyone reading has some suggestions for EU based alternatives to popular websites/apps I'd love to hear.

[Propen]

ProtonMail for mail. ProtonVPN just launched, too.

[k-mcgrady]

Being Swiss is it subject to the same EU privacy protections?

[tomp]

It's good that this idea (fine as a percentage of revenue) is finally becoming mainstream, but it's sad that the percentage is so low... 4% is just cost of business, like taxes etc. It should be about 30% if we really wanted to incentivise the companies (or their CEOs/shareholders).

[wildmusings]

Four percent of revenue is a massive fine. That can easily wipe out a company's profit margin.

[withholding]

Massive until you look at how people are treated when someone leaks company data: 4% income fine? No. Prison.

[wildmusings]

No one goes to prison for accidentally leaking company data through negligence.

[sqeaky]

We could "fix" that.

[jcmoscon]

That's what you do when you hate capitalism and hate the power to destroy it.

[AndyMcConachie]

It's called regulators with teeth, and it's what makes the EU livable for its citizens. As an EU and US citizen this is exactly why I choose to live in the EU.

[vsl]

That's not how I'd put it, as a citizen of an EU country. The overregulation is suffocating for both business and individuals (who lived in socialism and value liberty, anyway).

Just this year, EU regulations destroyed my LTE data plans, hugely increased my cost of Swiss travel (the same) and ruined my hobby because terrorism.

[stass]

It is sad that EU is slowly moving back towards the over-regulated and bureaucratic regimes of the past. This will further push the EU economy down the drain and prevent people from innovating. I just hope it does not lead to jail sentences and labor camps for people accidentally leaking the data as some in this thread are arguing for. The history does not provide much hope here unfortunately.

I don't see how this law benefits anybody except filling up the EU budget by collecting fines. The companies are already careful with their data as any leak would affect their image extremely negatively.

If one needs a good example of why Brexit happened, here it is.

[prodmerc]

It will prevent people from innovating in profiling, ad serving and keeping peoples data private. What a shame! Really wish the EU would see how great it is in the UK where they want to be able to access anything ever posted online, which can only lead to innovation of the highest caliber. /s

[stass]

Do you think this law will prevent the government from accessing the data somehow? The way it's written it's primary goal seems to be extracting fees from successful business and not protecting user privacy. Ideally you would not want government intervention in these matters at all as you can bet it will end up with special provisions for government to have an access.

[vsl]

Did you ever wonder why there are so few EU startups? Why the alternative to Gmail is Australian FastMail and nothing comparable even exists in EU?

Less sarcasm, more thinking. Shocking as it may be to you, even people you politicially disagree with may have a point or two.

[BearGoesChirp]

It should be over 100%. The ideal goal is that a company that has a massive date breach due to their incompetence (such as refusal to hire experts at market value) should cease to exist. I still think we need prison time for those making the poor decisions. Even if they didn't intend to hurt anyone, should we tolerate recklessness of that nature?

[CyberThijs]

To come back on my example: LinkedIn reported a net income of 166 million USD. The potential fine is thus more than 70% of their profit!

The fine is also based on the revenue of the parent company. Say that Nest would be fined, then the revenue of Alphabet Inc. would be used as a reference point! A good enough incentive to make sure that all parts of your operations are covered :-)

[newzzy]

in LinkedIn's case it's Microsoft...

[CyberThijs]

My bad. I looked up the figures on Wikipedia, where the latest figures were from 2015. Should have read the article more carefully.

[amarant]

in both cases: ouch!

[wheaties]

No, many companies have net profit margin from revenue of less than 10%. So 4% of revenue is not the same as 4% of earnings.

[ust]

For my work, I'm working on the impact of the GDPR on the research, and how will the GDPR work in scientific communities. I'm not a lawyer, of course, so my interpretation might be a bit off (so disclaimer, IANAL, this is not a legal advice, and etc.). Anyway, these are just some of my thoughts on the subject.

Well, GDPR is a big topic, and it not yet clear how all the provisions will be implemented. It is not that different from the (currently valid) Directive, but it does clarify certain points, and makes much more stringent penalties, as mentioned in parent post (the fine is actually 4% of the global revenue, or 20M Euro, whichever is greater). The changes in respect to the Directive are, in short:

  • GDPR applies to the processing of personal data by controllers and processors in the EU, regardless
    where it takes place

  • Penalties – up to 4% of annual global turnover or 20M€ (whichever is greater)

  • Consent – conditions are strengthened (clear and plain language, explicitly related to the
    processing, easy to withdraw)

  • Breach notification

  • Privacy by design

  • Right to be forgotten

  • Data Protection Officers

  • Right to access

Now, as mentioned in another comment, the right to be forgotten and erasure of data is not really wipeout, the data controller and data processor are supposed to do it using "industry standards" and "reasonable effort" (controller, e.g. should flag that the processing the data should be restricted). Also, there are exceptions (legal claims, public authorities, free speech, etc.).

Different comment points out that the Regulation, unlike Directive, makes GDPR valid in all EU countries, and this is true. However, the EU states are free to implement their own data privacy laws, which of course, need to be in line with the GDRP. This may potentially introduce legal inconsistencies across the EU for certain points.

Also, one should not underestimate the legitimate interest of the service provider, or controller, to retain the data, even if the user has asked for the data to be removed. The data may also be retained by the request of relevant public authorities, etc. One comment has suggested what will happen if the EU citizen requests the removal of it's data, while the US public authorities asks for access to this data. In this case, the relevant EU public authorities may request for the data to be kept (or not, I guess this will be decided on case by case, also the provider may have a legitimate reason to keep the data..).

And of course, the biggest problem, the transfer of data to non-EU countries. For this, there are several ways to do it, one is mentioned already, i.e. user consent (which must be clear and unambiguously given, and can be revoked at any time). Then, of course, there are contracts, binding corporate rules, etc. For EU-US transfer, there is Privacy Shield for transfer of data to US (which is a replacement for the Safe Harbor, stricken by EJC), but this is mostly for commercial services (so it does not work for academic environments..).

There are some other interesting aspects to GDPR, but this post is already getting a bit long. For more info, these links are interesting:

[1] https://aarc-project.eu/aarc-infoshare/ -- for academic environments..

[2] https://iapp.org/resources/article/top-10-operational-impact...

[3] https://www.whitecase.com/publications/article/unlocking-eu-...

There are multiple WP29 interpretations on various points (some of them are actually human readable, not just legal talk..), etc. In any case, it will be interesting to see all these developments in the future.

[Edited for mistakes..]

[shakna]

> "industry standards" and "reasonable effort" (controller, e.g. should flag that the processing the data should be restricted).

Not quite. That sort of fits the current model, such as Facebook not deleting data, just restricting access. In this case, data should be marked for deletion, "within a reasonable time frame". Data controllers may not retain the data indefinitely, no matter how much they want to.

In practical terms, the implementation of that will probably be influenced by the fact a user should be able to download all their data without hindrance, (Data Portability).

[ust]

That is correct, user will have access to the data, e.g. the images/videos user uploaded to Facebook, and I presume the Facebook will have to delete (successfully) these data upon request. However, personal data are not just images, or similar. It is also IP addresses, logs containing user's actions, etc. everything and anything that may identify a person. So, e.g. if some logs somewhere may contain IPs of a user, or some actions of the user were recorded in logs that are scattered throughout the system, the controller may argue that it "reasonably" tried to remove also these data for the user, but it can't guarantee that. However, GDRP now stipulates Privacy by design, which means some of these scenarios might have to be taken into account before creating and providing a service, so the removal of (all) user data should be more feasible.

[oulipo]

This is for those reasons that EU companies are innovating in the privacy, for instance doing AI assistants which are private by design with https://snips.ai

[hellbanner]

Yes, but important will be how selective they are enforcing.