Hacker News
by shawa_a_a 2979 days ago
What aspects of the law are disastrous for startups? What startups might see as a "massive regulatory burden", I see it as, at long last, a means of finally holding irresponsible companies to account.

The spirit of the law is really quite simple; my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me. If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.

5 comments

The scope of personal data is disastrously large and the guidance is fuzzy at best.

Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics.

No part of my "business model" is attempting to profit from personal data yet I have to jump through a bunch of new hoops.

My likely solution for projects is to simply block EU traffic going forward.

IP addresses aren't PII. If you're capturing IP + real name, or similar (email + real name) then AIUI you'll need to tell people on request who you sell that info to and allow removal.

Assuming it's a personal blog then just don't capture any PII. Don't sell it, be prepared to delete a user's comments on request. Don't capture PII without informed consent.

Easy, no?

> IP addresses aren't PII.

I personally think so, but everything I've read about GDPR says they usually now are considered in scope.

Deleting comments is non-trivial. How do I verify that the person requesting deletion is the original commenter? How do I then wipe out every mention of their IP address from all my logs?

These are easily solvable questions for large companies, but overhead for small startups and personal projects.

> be prepared to delete a user's comments on request.

Or, just block users from EU from commenting. I can see the win for the Internet here.

IP by itself is not considered private. It's only when you attach it to other identifying data. Anonymous comments are not covered with GDPR.

> Anonymous comments

WordPress asks for your name and e-mail to post a comment, doesn't it?

I guess the tuple (ip,name,email,comment_text) is PII?

Name is, email is, IP combined with either (or both) is.

However, is it not thought that because the ISP keeps a log of dynamic IP addresses, these could (in theory) be matched to the IP address of anonymous comments, thus de-anonymise them?

No, because you need to take into account the effort needed to de-anonymise the IP address.

> > (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

This article makes a compelling argument that it could be: http://privacylawblog.fieldfisher.com/2016/can-a-dynamic-ip-...

IANAL, but I'd be wary of saying that you'll be fine storing dynamic IP addresses. You'll probably need to have a rationale as to why you don't consider it.

> Anonymous comments are not covered with GDPR.

There is no guarantee that comments stay anonymous. Commenters can, and do, enter their real name as their display name.

For Apache can't you just change LogFormat to exclude IPs and delete the old logs?

Yet, you're still collecting it, and it doesn't seem like you're taking steps to protect it.

Because I fundamentally don't think a random foreign entity should dictate how I manage logs on my personal blog. It's challenging enough to debug issues without having IP issues.

I don't even consider a random IP to be PII.
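
For the Apache-log exchange above (dropping or wiping client IPs from logs already on disk), an added example that is not from any commenter: a Python filter that rewrites the leading client-address field of common/combined-format access-log lines to its network prefix, or to `-` when the field is a hostname. The /24 and /48 prefix lengths, the function names and the sample lines are assumptions chosen for illustration.

```python
import ipaddress

def mask_ip(text, v4_prefix=24, v6_prefix=48):
    """Return the network address of an IP string, or None if not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def scrub_line(line, redact="-"):
    """Mask the first field (%h in Apache's common/combined LogFormat)."""
    host, sep, rest = line.partition(" ")
    if not sep:
        return line  # blank or not in the assumed format: leave untouched
    # A reverse-DNS hostname in %h cannot be truncated, so it is dropped.
    return (mask_ip(host) or redact) + sep + rest

def scrub_log(lines):
    """Scrub an iterable of log lines, e.g. an open file object."""
    return [scrub_line(line) for line in lines]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.77 - - [25/May/2018:10:00:00 +0000] '
    '"POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:05 +0000] '
    '"GET /feed/ HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    'host.example.net - - [25/May/2018:10:00:09 +0000] '
    '"GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for out in scrub_log(SAMPLE):
        print(out)
```

This touches only the first field of each line; addresses recorded elsewhere (for example a logged `X-Forwarded-For` header or the comment database) need their own handling.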

> my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me.

In the U.S., freedom of speech usually trumps privacy rights. It would be very damaging if the Supreme Court ruled that any EU citizen can limit US speech based on their laws.

I am not sure I follow you here:

When I store your personal data, I should be allowed to do so under the 1st amendment that is about speech?

Yes. Like I can’t retroactively ask you to remove what I said from your blog post.

> Yes. Like I can’t retroactively ask you to remove what I said from your blog post.

No. But I can ask you to remove my name and personal information from it.

That's precisely the problem and is a clear example of how Europeans value privacy differently.

Personally, I think it is a fundamentally important right that I be able to post a blog about how "the_mitsuhiko wronged me" in some way and have that information publicly accessible. European courts think you should be able to suppress such information—even if it is true.

That's.. that's not at all true. If it's a news story, then the GDPR isn't applicable.

Isn't it like more that the state itself can't ask/force you to remove something, but I as a natural person can?

> If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.

The EU is not a single entity. It’s dozens of nations, more than 300M individuals.

> What aspects of the law are disastrous for startups?

Any law that gives power to users instead of companies harms companies.

To me, it's an acceptable trade off

"perhaps you're not the kind of company the EU wants to be doing business with"

Europeans want Facebook and Google and the rest, the EU doesn't. The EU != the Europeans.

So international startups must now care more about what the EU wants than what European customers want. That's wrong.

In the meantime, European governments take measures that jeopardise private life, like putting black boxes at ISPs in France to watch everyone (aka. fight terror...).

GDPR is ideology. Not private life protection.

People living in the EU absolutely want control of the gathering of their PII.

The only complaints I've seen about it are concerning people responsible for administrating data in companies.

GDPR represents an ideology of not giving corporations free rein to make profits at any human/social cost, but to rein them in and give people a chance to consent rather than be data-raped.

Could you expand on how you think it's (solely?) ideology? What's bad about informed consent wrt PII?

"The only complaints I've seen about it are concerning people responsible for administrating data in companies": now that we're sure some people are annoyed... how many truly benefit from it? I do understand you think it's a good thing. How many in your FB friends share your point of view? How many even know? How many will benefit?

"GDPR represents an ideology": one point we agree on.... "at any human/social cost": what cost? Can't I sue Facebook in a civil court if I suffer any prejudice just like I can sue any company?

Is there any "data-rape": if your data is processed only to choose which ad you will see, does it count as a "data-rape" for you? The ad you're seeing is the only thing of value on Facebook: your data has no value except to show you this ad.

Can you tell me where I can buy data from Facebook? I'd love to buy the friend-list of influencers who have set their privacy settings so that data doesn't leak. What? I can't? Doesn't FB sell people's data? ;-) What about famous artists' private pictures then?

That's what people think of when they hear "Facebook is selling your data". They don't hear "Facebook is using your data to show you better ads which pay for the whole service".

Informed consent isn't bad. Have you read FB Terms&Conditions? Have you read the paragraph that says you're OK that FB has the right to use and reproduce the content you're posting on FB? You have already given your informed consent. Now you're trying to take it back.

> What's bad about informed consent wrt PII?

The cookie pop-up is an example of EU overreach. Doesn’t help privacy, doesn’t UI, and now everyone is just dismissing them.

One of the reasons GDPR was enacted is because the cookie law wasn't taken seriously. Companies used technical means (removing any meaningful opt out) to render the law moot in practice; as the industry failed to self regulate, the EU took the nuclear option.

I truly believe GDPR will have a similar impact as cookie pop-ups: extravagant annoyance for 0 benefit.

> People living in the EU absolutely want control of the gathering of their PII.

I know everyone here wishes this to be true, but what data are you basing this claim on?

Thank you. I for one don't care, I'm French and I live in Spain.

People SHARE their life on FB. They don't expect it to be private.

When journalists tell them Facebook is "selling" their data, they believe it because many want to believe they're victims of capitalism (that's even more true in Europe because the economy is mostly in a bad shape). Instead, they fall victim to politicians who want control (EU politicians now have POWER over American companies! how exciting), and to journalists who don't like competition (journalists work for TV stations or newspapers who sell... ads).

The only thing that has value on your Facebook page is the ad. Not your photos. Not your comments. Not your sexual or political preference. Only the ad.

We've all been fooled.