by someguy2018 2974 days ago
The fact that there's so much confusion suggests that it is not that easy to understand.

I've read it and I'm still confused. Without case law and a lawyer, how am I to determine which data processing is considered "legitimate interest" in Article 6? Recital 47 is supposed to clarify this, but it's still pretty vague and it says legitimate interests may provide a legal basis for processing. May? How do I know if they do or do not?


It's disappointing to see comments like the parent being downvoted. Evidently the situation still isn't clear, because if it were then we wouldn't be having GDPR-related discussions on HN almost daily now where people who are currently dealing with these issues professionally have reached very different conclusions and/or received very different advice.

I think the biggest problem for many of us is still the uncertainty. For all the mountains of "guidance" now being generated by the EU and the national regulators at five to midnight, there is still very little advice provided that is unambiguous and actionable when it comes to some of the most fundamental questions. What does or doesn't constitute a legitimate interest basis for processing data? When is such an interest overridden by the subject's own interests, and when isn't it? How long would be considered a reasonable period to retain data for common purposes? Answers like "as short a time as possible, but that might be 20 years" simply aren't useful.

It's really hard to tell. Between the people who haven't read the GDPR, the people who are trolling, the people who are willfully misrepresenting the GDPR because they politically oppose it, the people who don't understand privacy or nuance, and the people who are trying to interpret the GDPR into an American legal system, there's so much low-quality discussion.

Meanwhile, I don't know of any Europeans who don't support it (on an individual level) or who find it confusing. The hardest part seems to be putting processes in place for the right to erasure, but then we've had similar provisions in EU countries for a while, so it's not a big deal.

As for "reasonable period to retain data", unless required by law, you won't get into trouble for deleting data more quickly. So what's the minimum period you absolutely need that data/those logs/those backups for?

There's no one-size-fits-all approach, so the law isn't written like that. We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.

[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...

> Meanwhile, I don't know of any Europeans who don't support it (on an individual level) or who find it confusing.

Hi, I'm a European who doesn't support it and who does find it confusing.

To be more precise, while I'm generally in favour of better privacy protections in law, I don't support this poorly implemented attempt, because I think it will have all sorts of unintended consequences that may not be in individuals' best interests, while also imposing a disproportionate burden on controllers and processors who weren't abusing that data for unsavoury purposes anyway, particularly smaller organisations.

And maybe "confusing" isn't quite the right word, but in my view it's far too ambiguous in its treatment of some of the most fundamental issues to provide a good platform for future data protection. Much of the official guidance is confusing, often to the point of being misleading and counterproductive, however.

> we've had similar provisions in EU countries for a while, so it's not a big deal.

All regulation is a big deal if you're running a microbusiness and don't have dedicated staff to deal with it. In any case, there are several new or significantly extended rights introduced by the GDPR that certainly weren't there before in my country (the UK).

> So what's the minimum period you absolutely need that data/those logs/those backups for?

Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that. I can, however, state as fact that we have had to rely on detailed log records from several years ago when threatened with actual action by someone who was clearly trying to take advantage of the situation and hadn't expected us to still have evidence that undermined their claims, so any claim that we can just cycle these things out after a few days is demonstrably false. Given that we're not doing anything particularly unusual either legally or in processing data for everyday business purposes, I have to assume we are far from alone in having these experiences and the concerns they raise.

> There's no one-size-fits-all approach, so the law isn't written like that.

While that may be true, it is entirely useless to someone well-intentioned and acting in good faith who is trying to work out what they actually have to do to comply with the new regulations.

> Hi, I'm a European [...] (the UK)

Not for much longer :D But seriously, the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act), so it's no wonder the ICO is underfunded and has had a very limited mandate.

> Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that.

Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us! Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.

The GDPR is maybe a bit heavy-handed compared to a gradual approach, because EU countries have previously had a hard time getting companies to comply with their data protection laws.

> the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act)

I'd be the first to agree, and I'm generally in favour of stronger privacy protections in law, particularly around government behaviour. But of course governments get a pass on many things that are otherwise restricted anyway, because they just have to whisper the magic words (usually something like "national security") and the carefully written exemptions in almost every piece of privacy and data protection legislation ever written are activated.

> Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us!

That's the problem, though, isn't it? These needs are vague and you can't predict when they will arise. Nevertheless, they do happen. In fact, the example I mentioned before happened just this week.

> Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.

In my experience, having spoken now to several different people who are consulting on the GDPR including some who are lawyers, even they don't know the answers here. They have no crystal ball, and the language is so open to interpretation, and the regulators are so late at providing any guidance, and what guidance they have provided is often so poor that no-one really knows how this is going to play out yet. This of course creates uncertainty that is damaging in itself.

I think very few people here are trolling. I'm certainly not. And I think it's unkind to attribute malice to those who are confused or merely disagree.

> We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.

My definition of "reasonable" isn't the same as that of European regulators. I know this because I don't consider IP Address to be PII. Luckily for me on this particular point the GDPR is explicit in saying that it is. If I were left to define PII myself though, I could well have opened myself to regulatory action as IP Addresses were logged and shared incidentally with third parties in many places.

I think this style of writing laws gives way, way too much power to regulators. Particularly for companies with no physical EU presence and thus no way to vote or have any say in how the regulators work.

I think very few online businesses will be fully 100% compliant with every provision of the GDPR and all its current and future interpretations. So we need to just hope and trust that all the regulators in all the Union countries won't punish anyone who doesn't really deserve it. That's not a good situation.

> So what's the minimum period you absolutely need that data/those logs/those backups for?

There is no answer to this question. Strictly speaking I don't need any backups or logs. I've also, rarely, encountered subtle data corruption bugs in the wild where having backups that go back months was critical and the more the better.

Legitimate interests and consent should be the two processing grounds that you rely on as a last resort here.

As to your point, legitimate interests requires a balancing act between your interests and others' interests and so is by its nature going to be uncertain.

If you are looking to rely on legitimate interests, you should look to document your interests that you think are being served through the processing, and also check to see if any other processing bases may be more suitable to achieve your objective. The aim is to at least have a defensible position behind your use of legitimate interests.

Here is an example of Facebook listing out their legitimate interests in making use of data:

https://www.facebook.com/about/privacy/legal_bases