by halflings 3291 days ago
Yep, and it does much more than that: it forces companies to actually wipe out your data when you ask them to (not just flip some bit and still keep that data, like Facebook infamously does), and also to set strict TTLs (Time To Live) for any derivative data that the user cannot explicitly delete.

How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement", the other says "delete it immediately"; which is it?

> How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement", the other says "delete it immediately"; which is it?

GDPR is an EU-wide regulation that trumps national privacy laws. It doesn't even need to be approved by individual members, so when it goes into effect on 25 May 2018, it will apply EU-wide on the same day. Furthermore, it affects companies all over the world that serve EU citizens. There's much skepticism about how the EU will enforce this law worldwide, but so far it has been quite successful in dealing with big companies; remember: Microsoft vs EU (paid a €561 million fine), multiple cases of Google vs EU (right to be forgotten, Ireland tax ruling, ongoing case vs Android), Facebook/WhatsApp vs EU (€110 million fine) etc. To answer your question: no, there will be no conflicting laws; if you serve EU citizens, you must follow GDPR. From my personal perspective, GDPR is one of those not-so-frequent moments when I'm proud of the EU.

> Furthermore, it affects companies all over the world that serve EU citizens.

No, GDPR applies if companies target EU citizens [1][2]. My personal opinion of the law is that it's as useless as the cookie law but way more costly and unpredictable.

[1] (122), Pg 22, https://docs.google.com/viewer?url=http%3A%2F%2Fec.europa.eu...

[2] Pg 13, https://docs.google.com/viewer?url=http%3A%2F%2Fwww.linklate...

The mere accessibility of your website by individuals in the Union or use of the languages of one of the Member States in the Union (if the same as the language of your home state) should not by itself make you subject to the Regulation. However, the following factors are a strong indication that you are offering goods or services to individuals in the Union and so are subject to the Regulation:

> Language - You are using the language of a Member State and that language is not relevant to customers in your home state (e.g. the use of Hungarian by a US website).

> Currency - You are using the currency of a Member State, and that currency is not generally used in your home state (e.g. showing prices in Euros).

> Domain name - Your website has a top level domain name of a Member State (e.g. use of the .de top level domain).

> Delivery to the Union - You will deliver your physical goods to a Member State (e.g. sending products to a postal address in Spain).

> Reference to citizens - You use references to individuals in a Member State to promote your goods and services (e.g. if your website talks about Swedish customers who use your products).

> Customer base - You have a large proportion of customers based in the Union.

> Targeted advertising - You are targeting advertising at individuals in a Member State (e.g. paying for adverts in a newspaper).

All the big (and smaller) players in tech are working hard to implement all the requirements of this law (control over what data is stored, TTLs, encryption).

How is this useless for end-users? It forces companies to encrypt this data at rest, and allow users to delete it when they want.

I can't really envision Facebook or Google removing all EU-only language options and doing away with targeted advertisements, so how come you think these criteria won't work?
Microsoft vs EU yielded €2bn in fines. I had made the calculations myself in 2013; I can't find the source, but here are most of the details: https://www.neowin.net/news/since-2004-the-eu-has-fined-micr...
I think they meant e.g. US vs EU.

EU law does not subsume US law.

It is possible for there to be a situation where to offer some service, you have to either break the laws of one country or the other. In this situation, you simply cannot offer that service without exposing yourself to legal consequences.
Well, nothing stops a company from implementing different stuff for different countries.

Companies did this before the internet, and even with the internet they did it for China's regulations.

I mean, even translation to different languages is basically "special implementation" for different countries...

That's not always sufficient. You can end up in a situation where an American court demands records that concern European customers. In that situation, handing them over gets you penalized in a European court, and not handing them over gets you penalized in an American court. Both will have the ability to really hurt you, and "the other court tells me not to" is not a defense at either of them.
I would guess that one solution is to keep EU citizens' data in the EU to avoid it being subject to other laws. And possibly having separate companies by country.

As an analogy, if I recall correctly banks have very stringent laws to follow regarding data export and money export to other countries. The solution they choose is to have a bank per country, not a global bank.

> I would guess that one solution is to keep EU citizens' data in the EU to avoid it being subject to other laws.

This is exactly what is being done by the large corporations that can afford to do it. European datacenters staffed by Europeans. Americans are not allowed to view any PII for any European (at least with the company I work at).

Russia requires the same thing, although they just want the servers in their country so they can put a SORM-3 alongside it and intercept whatever data they want.

https://en.wikipedia.org/wiki/SORM

Ah yeah 242-FZ, definitely a different purpose in Russia
There is no easy answer to this question.

For example, what happens if US courts demand data you have stored on Irish servers,[1] but an EU citizen asks that you destroy this data?

Do you destroy the data and risk being charged with destruction of evidence in the US? Or do you keep it and risk being non-compliant with the GDPR?

[1] https://www.theguardian.com/technology/2014/apr/29/us-court-...

I would imagine, since the EU is where the data resides, and the EU is the legal jurisdiction, that the EU would take precedence. It's monumental nationalistic and legal hubris to think that American law takes precedence anywhere in the world, let alone with an ally as large as the EU.
Be that as it may, there is nothing to stop US authorities from charging US companies with crimes if they were to comply with EU laws. They are in direct conflict, and any internet-based company operating on nearly any scale is in danger of running afoul of these sorts of issues. This isn't a Google/Facebook only problem, this is a problem for any web service that might store user data.
This is a US Govt overreach problem. Not an EU directive problem.
Maybe the EU/US Privacy Shield will help handle situations like the above.
> there is nothing to stop US authorities from charging US companies with crimes if they were to comply with EU laws

There is nothing stopping you from shooting yourself in the foot either. (Or stabbing I guess in case you don't have access to firearms)

Just FYI, this case was reversed on appeal (i.e., against the government). I recall there being some buzz with the government potentially pushing for further court action, but as far as I know that's the current status.
> There is no easy answer to this question.

Of course there is. You comply with both laws or suffer the consequences. If you can't comply with both, you choose the cheaper law to break. If that's too expensive, your business sucks.

One of the goals of the GDPR is to consolidate all the data protection laws of the EU member states. So within the EU this shouldn't pose a problem. For the US, I assume this is covered by the EU-US data shield. I assume a similar construct will be necessary for GB once it leaves the EU.
You ask your team of lawyers who can make a good decision for your company based on your business goals and the relative values of complying with each of the competing laws, along with the relative risks associated with failing to do so.
A company may have to treat the data differently according to where the user lives (yes, it can be a mess). For EU countries, the EU law has priority (except for the constitution).
Encrypt it with a key that only law enforcement has. Keep the actual encrypted data on a medium outside of the country where it is illegal.
There won't be conflicting laws -- the GDPR is an EU-wide policy and supersedes any laws on the books in that nation.
Except that not every country belongs to the EU. If you have customers globally, you'll still have to deal with conflicting requirements.
Until we have One World Government we'll have to respect the laws of the countries we do business in.

This is an example of why some local services are winning out against global competitors. Respect for and knowledge of their specific niche.

So on my ad-supported site that does not ask users where they are from, I will have to put a geo-IP filter in place to keep EU people off in order to avoid fines? Otherwise, do we accept that statements like "we'll have to respect the laws of the countries we do business in" are a bit generic and over-reaching in a global medium? I have not read the proposed law and I trust this situation is covered, but I am still annoyed at every region having so many of its own internet rules (not EU specific, goes with them all). Granted, explicit business w/ explicit customers giving explicit monies in nation-backed currencies does make it easy to follow this law, but not everyone's business is like this.
Do you collect a lot of data about your users and not offer them any way to delete it?
If they aren't part of the EU or strongly associated with EU institutions why would the GDPR apply to them?

What the EU is trying to do is make it so countries outside the EU only have to think of the EU as a single country. This is why there's a single market and single currency.

You just need to have different requirements per country; I honestly don't see any conflict there.
So follow EU laws regarding EU customers and US laws regarding US customers.
Do smaller companies get less onerous requirements? This is achievable for mid and large companies to comply with but may further stifle EU innovation.

I think this is a good set of data protections and hope there are ways to make compliance incredibly low friction.

Nope. This is an upcoming requirements nightmare that people seem to ignore in the vain hope that it will ignore them.
Why is the GDPR a requirements nightmare? It's one ruleset for the whole EU instead of one ruleset for each EU state. And the GDPR doesn't seem to be more complicated than the individual laws were before.
"This ruleset you have? Oh, just merge it with the old ruleset; the old laws are not being repealed. Merging is easy, right?"

In other words, it's not a replacement: it is an additional set of rules to keep (although most of it would be a superset of various national laws).

It isn't? Are we talking about a different regulation?

I quote from the title of 2017/0003/COD COM (2017) 10:

    Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT
    AND OF THE COUNCIL concerning the respect for private
    life and the protection of personal data in electronic
    communications and repealing Directive 2002/58/EC
    (Regulation on Privacy and Electronic Communications)

Note the word "repealing".
See, there's this thing called context: the meaning of a word changes through the surrounding words. If there is the word "repealing" in a text, this does not usually mean "everything that's related is repealed"; it means exactly what it says on the tin: "repealing Directive 2002/58/EC", nothing about repealing the existing state-level legislation (to repeat the previous context, "It's one ruleset for the whole EU instead of one ruleset for each EU state.")

My point still stands: you still need to conform to both GDPR and the state-specific legislation.

If it is just that, then a 4% of revenue fine could well be 0 for startups. I presume they have some provision to prevent 0 euro fines; does anyone know about that provision?
From the wikipedia page: "fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater"

So yea, a 20M EUR fine could destroy a startup.

Will it also have to be removed from backups?
Almost certainly yes. Otherwise it's not actually removed.
I've seen court ordered removal before and no one even considered backups and the impact on backup integrity had it been removed from backups. Especially when considering off site backups that the company will often not have immediate access to.
Seems like it will be extremely difficult and expensive to guarantee all copies are deleted. Also, replication is necessary for caching and reliability. I worry about how such seemingly well-intentioned laws can have adverse unintended consequences.
Think of it in terms of infosec: in a similar way, one could complain that having to sanitize secrets from RAM is harmful to performance (why can't we cache the result of decryption)… Yes it's an overhead but at the end of the day, we build technology to serve human goals, not the other way around.

(To be pedantic, we build technology to serve business goals, which are fulfilled within the larger context of serving human goals. Laws like these are to prevent shortcuts that would serve business goals while at the same time be detrimental to human goals.)

If I ask Facebook to delete my data, it should be deleted. Why does caching or reliability have anything to do with that?
> or reliability

If our company had to delete all customer data for a particular customer, then I would need to:

restore 6 months of database backups individually, remove the data, then take and store each backup again.

have 3 years' worth of tape backups shipped back to us from our data protection company. Restore the databases off of them, delete the data, store them back on tape, and have them shipped back to the long-term storage facility.

Back up users' data encrypted with a recovery key. Delete the key, presto, the users' data is no longer accessible.
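The two comments above describe the same problem from both sides: rewriting months of database backups and years of offsite tapes to scrub one customer, versus encrypting each user's data under its own key and erasing only the key. The following Go program is an added example written for this thread; it is not code from any commenter. It models the second approach (often called crypto-shredding): a key vault holds one AES-256-GCM data encryption key per user, the "backup" is just a byte copy of the sealed record, and destroying the key makes every copy of that record, on disk or on tape, unreadable. The vault type, the user id and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrKeyDestroyed is returned when a record's data encryption key (DEK) has been erased.
var ErrKeyDestroyed = errors.New("data encryption key destroyed; record is unrecoverable")

// Vault holds one DEK per user. In a real deployment this lives in a KMS or HSM and
// is deliberately excluded from the bulk database/tape backups, so the backups only
// ever contain ciphertext.
type Vault struct {
	deks map[string][]byte
}

func NewVault() *Vault { return &Vault{deks: make(map[string][]byte)} }

// keyFor returns the user's DEK, generating a fresh 256-bit key on first use.
func (v *Vault) keyFor(userID string) ([]byte, error) {
	if k, ok := v.deks[userID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	v.deks[userID] = k
	return k, nil
}

func (v *Vault) aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the user's DEK. The record layout is nonce || ciphertext||tag,
// and the user id is bound as associated data so a record cannot be replayed for another user.
func (v *Vault) Seal(userID string, plaintext []byte) ([]byte, error) {
	key, err := v.keyFor(userID)
	if err != nil {
		return nil, err
	}
	aead, err := v.aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// Open decrypts a record. Once the DEK is gone this fails for every copy of the record,
// which is exactly the "delete the key" guarantee the comment relies on.
func (v *Vault) Open(userID string, record []byte) ([]byte, error) {
	key, ok := v.deks[userID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	aead, err := v.aead(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(userID))
}

// Destroy is the erasure request: overwrite the key material in memory, then drop it.
// No backup needs to be restored, rewritten or shipped back from offsite storage.
func (v *Vault) Destroy(userID string) {
	if k, ok := v.deks[userID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.deks, userID)
	}
}

func main() {
	v := NewVault()
	rec, _ := v.Seal("user-42", []byte("alice@example.test")) // constructed sample record
	tape := append([]byte(nil), rec...)                       // the offsite backup copy
	pt, _ := v.Open("user-42", tape)
	fmt.Printf("restore before erasure: %q\n", pt)
	v.Destroy("user-42")
	_, err := v.Open("user-42", tape)
	fmt.Println("restore after erasure:", err)
}
```

The caveat a practitioner would add: this only works if the key vault is genuinely outside the backup set and its own backups are handled with the same discipline; if DEKs are dumped to tape alongside the data, the tape still has to be rewritten.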
Would you be satisfied with, "this data will be deleted once the deletion filters though the caches and backups?"
If "once" is a reasonable time (as defined by the regulation) then yes, I'd be satisfied.
But I doubt the average user will be comfortable with such an experience.
I doubt the average user needs anything more than "as per EU regulations, your data will be deleted in X days" when they delete their account.
If you have backups, you might unintentionally restore an EU citizen's data. Pretty sure it's a crime to make backups (of user data) under this law.