Money doesn't have to change hands to create a GDPR obligation. And if you mean "HTTP transactions," it's a fundamental shift in the nature of the internet to block countries by default and enable them only after studying and complying with local regulations. Maybe it's an inevitable or even healthy shift, but it's certainly not a "usual" dynamic today.
It's certainly not a recent development to require compliance with law even for products or services that are free.
Transactions do not have to involve money and in fact, the very topic of this entry on HN is about a website that was free, with transactions that did not involve money.
Really? If it's a currently established practice, what are some prior examples of countries punishing foreigners on foreign soil over websites with no payments component?
Maybe each jurisdiction should be the business of regulating locally-accessible websites, not just locally-hosted ones, but that's a fundamental shift in the nature of the internet. "Not available in your country" is currently an anachronism. In that world, a prudent web publisher would start out local and enable specific countries for cross-border traffic only as its legal team expands. Internet communities like this one would splinter as people get tired of clicking links they can't follow.
The countries currently regulating available web content do so with network blocks, not extraterritorial enforcement actions against publishers.
The end of the sentence was "not a recent development to require compliance with law even for products or services that are free".
Free doesn't mean you are exempt from complying with law; that is all I'm saying. I did not comment on how this one applies to EU citizens even for foreign services.
In this regard though, it is similar to US law requiring foreign banks to go through special steps when they are dealing with US citizens so that's not anything new either. Money being involved or not in my opinion is not really significant (I actually think that private data is more important and needs more protection than money) but that was not the point of my comment.
I was just clarifying that the Internet’s new Dear Leader will be trying to reach outside its borders to enforce this law. It doesn’t just apply to companies in the EU.
All websites provide services to users in all countries unless they take positive steps not to. Framing this as a conditional, or a counterpoint to parent's claim about enforcement outside EU borders, is bizarre.
People that say this have not actually read the law, talked to “experts” about how to comply, or attempted to comply themselves. I have, and you’re just flat wrong.
I have read the law, read the guidance, been through the GDPR compliance process for a data-heavy product, have talked to lawyers about the same, and my partner has drafted GDPR policies for several large tech firms. I don’t know everything, but I’m reasonably well-informed.
I’m confident that compliance is:
- Straightforward for any non-tech firm;
- More complex but not that hard for most tech firms that handle data;
- Far more complex for large organisations than small ones;
- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.
I’m not sure what your motivations are in making it seem disproportionately burdensome to comply with, but I don’t think they’re good.
One thing is completely curious to me. All around the thread there are some people saying that they will block EU users.
I wonder how people from other parts of the world understand this and how they look at a site like that. I mean, this legislation that is designed to protect people and their data is such a problem for them that they would rather block roughly 500 million people. I personally would have a huge trust issue, but this is not about me; what do the non-EU guys who don't run any site (conflict of interest) think?
I would for instance rather put a huge mark on all pages "GDPR compliant, protecting data even for non EU visitors" or something like that and try to get some money out of that. But that is just me.
@matthewmacleod GDPR in spirit is good for users as it tries to ensure that companies are following good practices wrt user data and users have control over data. But implementing it completely is not easy for small projects and startups.
I completely disagree. Implementing GDPR compliance should be straightforward for most startups and small businesses. Much easier, in my experience, than doing so at a large company.
As a small business owner, I disagree - I was essentially compliant already, with the policy changes required taking an evening to implement. (OK, there was some time spent reading before then, but still.)
Ok, I will take a stab here to see how you ended up doing it in one evening.
- What did you do about logs? Things like request logs will at least contain an IP address, which is PII. Now, logs can be cleared after a fixed interval, but the time for honoring a data delete request is a month, I guess. If you want to keep logs for a period longer than that, what do you do? If you anonymize the IP, it makes other analysis on top of those logs useless.
- What did you do about data backups?
- What did you do about external error reporting services?
- What did you do about analytics services?
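One answer to the logs question above, added here as an example and not code from anyone in this thread: replace the client IP in request logs with a keyed HMAC token whose key is rotated per period and destroyed once the period leaves retention, so per-client analysis keeps working within a period, a delete request can still be matched while the key exists, and older logs become unlinkable to any person. It assumes Common Log Format lines and uses constructed sample entries from the 203.0.113.0/24 documentation range.

```python
import hashlib, hmac, re, secrets
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client IP, ident, user, [timestamp], rest of the line.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_ts(s):
    return datetime.strptime(s, TS_FMT)

class IpPseudonymiser:
    """Replace raw client IPs with HMAC tokens under a random key per period (default 7 days)."""
    def __init__(self, period_days=7):
        self.period = timedelta(days=period_days)
        self.keys = {}  # period start -> key; deleted once the period leaves retention
    def period_start(self, ts):
        return EPOCH + ((ts - EPOCH) // self.period) * self.period
    def token(self, ip, ts):
        # Same IP within a period -> same token, so per-client analysis still works.
        start = self.period_start(ts)
        if start not in self.keys:
            self.keys[start] = secrets.token_bytes(32)
        return hmac.new(self.keys[start], ip.encode(), hashlib.sha256).hexdigest()[:16]
    def rewrite(self, line):
        # Return the line with its IP replaced, or None if it does not parse.
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = parse_ts(m['ts'])
        return f"{self.token(m['ip'], ts)} {m['ident']} {m['user']} [{m['ts']}] {m['rest']}"
    def belongs_to(self, ip, line):
        # Link a rewritten line back to an IP (e.g. to honour a delete request);
        # only possible while that period's key is still held.
        m = LOG_RE.match(line)
        ts = parse_ts(m['ts'])
        return self.period_start(ts) in self.keys and m['ip'] == self.token(ip, ts)
    def expire(self, now, retention_days=30):
        # Destroy keys for periods that ended before the cutoff; their tokens become unlinkable.
        cutoff = now - timedelta(days=retention_days)
        for start in [s for s in self.keys if s + self.period <= cutoff]:
            del self.keys[start]

# Constructed sample lines; 203.0.113.0/24 is a documentation range, not a real client.
SAMPLE = [
    '203.0.113.5 - - [10/Jun/2018:12:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2018:12:05:00 +0000] "GET /about HTTP/1.1" 200 844',
    '203.0.113.9 - - [10/Jun/2018:12:06:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Jun/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 512',
]
```

Keys must live only in memory or a separately protected store; if the key outlives the logs, the tokens are merely pseudonymous rather than anonymous.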