by dcosson 3031 days ago
When stuff like this comes up it always seems so weird to me that with all the work that regulators put into this, why can't they at least scratch the surface of providing some specific examples? Of course there are legal documents, and maybe some "for dummies" versions written up about it.

But would it be so crazy for these regulators to hire someone who knows something about commonly used open source software and building web apps, to help provide a little bit of actionable technical advice? For instance, the majority of the internet is running on Apache or Nginx, why not have an official, EU-sponsored blog post explaining "here's how to set up a LAMP stack, or nginx and rails on a linux server, that complies with GDPR". Of course they can't cover every obscure language or framework, but it would be a starting point. And it would probably end up a lot cheaper than having to investigate and/or penalize people who didn't read the fine print of the law and/or didn't understand how it translates to actually running software.

Because despite how "simple" this post is saying these laws are, there still seems to be quite a bit of confusion on this thread, among smart developers, about questions like whether or not we're allowed to keep collecting webserver logs in the default format or not.

5 comments

As others have noted: laws with examples would be too specific to survive fast technological change. Laws mostly contain the 'spirit' of the idea and are applicable to many different situations and times.

But the European Commission does give examples: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

This is of course no nginx configuration. But the thing is... there is no one-size-fits-all example configuration. The situation depends on: 1) What do you use the data for? 2) How long do you really need it? 3) Can you securely handle it? 4) Has the user consented?

Saving IP addresses in log files can be fully compliant IF you only use them for legal reasons (sue an attacker, ...), have severe access restrictions on the files, delete them as fast as possible and get consent from the user prior to saving the logs.

It depends on your goal, workflow and abilities whether you are allowed to store this data, and you must decide for yourself. If in doubt... don't store it.

> Saving IP addresses in log files can be fully compliant IF you only use them for legal reasons (sue an attacker, ...), have severe access restrictions on the files, delete them as fast as possible and get consent from the user prior to saving the logs.

You do not need consent for saving the IP, user agent and URL (including GET values) in Apache logs because, as someone said above, you have a "legitimate interest to combat fraud and maintain information security".

Legitimate interest and consent are only 2 of the 6 legal bases under which you can collect and store (process) personal data. Art. 6 contains all 6: https://gdpr-info.eu/art-6-gdpr/
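The two comments above describe concrete measures for access logs: keep only what the stated purpose needs, and delete entries as soon as they are no longer needed. The script below is an added example (constructed for this thread, not from any commenter) that applies both to Apache "combined" log lines: it masks the host part of the client IP, strips GET values from the request path and referer (they often carry personal data), and drops entries older than a retention window. The sample log lines and the seven-day window are constructed assumptions.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Apache "combined" log format, as written by the default LogFormat directive.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; the addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/May/2018:13:55:36 +0000] '
    '"GET /search?q=jane+doe&email=j%40example.org HTTP/1.1" 200 2326 '
    '"https://example.org/?ref=newsletter" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [01/May/2018:09:00:00 +0000] '
    '"POST /login HTTP/1.1" 302 0 "-" "curl/7.58.0"',
]


def mask_ip(ip: str) -> str:
    """Zero the host part: keep /24 of an IPv4 address, /48 of an IPv6 one."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def scrub_line(line: str) -> Optional[str]:
    """Return the log line with IP masked and query strings removed, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    path = f["path"].split("?", 1)[0]        # drop GET values
    referer = f["referer"].split("?", 1)[0]  # referers carry query strings too
    return (f'{mask_ip(f["ip"])} - - [{f["ts"]}] "{f["method"]} {path} {f["proto"]}" '
            f'{f["status"]} {f["size"]} "{referer}" "{f["ua"]}"')


def retain(lines: List[str], now: datetime, max_age: timedelta = timedelta(days=7)) -> List[str]:
    """Keep only parsable lines whose timestamp lies within max_age of now."""
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and now - datetime.strptime(m.group("ts"), TS_FMT) <= max_age:
            kept.append(line)
    return kept


if __name__ == "__main__":
    now = datetime(2018, 5, 11, tzinfo=timezone.utc)  # constructed "current" time
    for line in retain(SAMPLE_LOG, now):
        print(scrub_line(line))
```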

> When stuff like this comes up it always seems so weird to me that with all the work that regulators put into this, why can't they at least scratch the surface of providing some specific examples?

Technology is something which constantly changes. From the point of view of the legislator, legal text that is too concrete will stagnate innovation and progress by "locking" people into current technological assumptions. The text becomes inappropriate/outdated when the next wave of technologies comes along.

Thus legislators try to document the spirit behind a legislation and try to stay away from concrete implementation details as much as possible, in order to give people maximum freedom to decide how they should implement things, and maximum freedom in technology choices.

So yes, to us implementers it is a hassle because we have no idea what we should concretely do. But we can also see this as freedom to explore how to best implement an idea.

I expect that in the next few months/years, domain experts such as us will debate and decide on implementation best practices.

That doesn't work though. Sure, if it were some industry initiative, then a broad statement of intent with people figuring out the details as they go would be OK.

But this one comes with massive, company destroying fines attached.

If you and other domain experts debate and decide on a best practice, and then some EU commissioner disagrees and destroys your company with a fine you cannot pay, will you be so sure that vague laws are a good idea then? Will it seem like freedom to explore, or will it seem more like walking through a minefield?

The EU wants to regulate the precise details of data handling in software firms. It can do that. But it's trying to have its cake and eat it - micromanaging the tech industry at the same time as refusing to be precise about what it wants. It just expects everyone to intuit what they want, on pain of corporate death if you fail.

> company destroying fines

They are not company destroying for large companies though. By raising fixed cost (and risk) of doing business, regulations of this kind are an absolute godsend for large companies.

There's more to it than that. Startups now exist as a constellation of services and it's quite hard to tell what goes into a PIA document and what not.

Say our landing web page contains an intercom chat widget and google analytics tracking.

At that point we have collected the user IP at most, which would become sensitive only if connected with data from two other business entities.

What the heck am I supposed to write into the damn thing now?

Ask your chat provider if they are GDPR compliant; they will provide you with the confirmations that you need to add to your page. Regarding Google Analytics, you are risking getting banned if you feed it with personal data (including IP).

https://gdpr.report/news/2018/02/01/gdpr-google-analytics-2/

If I were you, I would add my own chat (there are a bunch of them on GitHub) and use Piwik instead of Google Analytics.

(As a rule of thumb, for each 3rd party provider, ask them about GDPR compliance and purge all the data for which you are not getting user consent - GDPR is retroactive)

There are several grounds on which you can legally process data in addition to consent, so it is unhelpful to talk in general terms about purging data where you are not getting user consent. If you are using data to provide a service, for example, then generally it will not be consent-based processing.

You have to assess each use to which you put any personal data and determine the correct processing basis for that usage. Often there are more relevant bases than consent.

I do appreciate that the definition of 'consent' in this regard is often thought of in different terms though. When I think of consent I think of the narrow data protection consent, whereas I think often in layman's terms it has a broader definition which is often linked to disclosure requirements in relation to privacy policies etc.

> But would it be so crazy for these regulators to hire someone...to help provide a little bit of actionable technical advice?

Didn't you know? They do. Large corporations are always happy to help regulators write laws in such a way as to benefit them and to fend off those pesky innovators. [1] Raising compliance costs as high as possible is highly desired by large companies.

[1] https://en.wikipedia.org/wiki/Regulatory_capture

And give up all those expensive multi-year court cases for their lawyer friends :-)