by elephant0xffff 2950 days ago
I don't really get it. So what's the burden for the developer here - he argues that the IP is PII (personally identifiable information), which is true, but I don't think it means you can't log IPs in general anymore?

So is every standard apache2 installation now a non-compliant (illegal?) service, as it logs GETs?

I don't think that's the case.

//edit: It seems to be the case that you are OK if you do log rotation and delete old ones - which makes sense, so you can still use them for debugging.

5 comments

The burden is if the EU does investigate him, for whatever reason whatsoever: even if he is 100% compliant, he needs to spend money to prove he is compliant and deal with the EU.
Why would you think that? If he wanted to be compliant he only needs two things:

1. Some procedure that allows him to answer users privacy requests ("what information about me do you have?", "Please delete my personal data from your servers.")

2. A so called "directory of procedures" which states what data you collect and who's responsible for it.

If you fail to comply with 1., the user can call upon their local data protection agency, who will contact you and request the contents of 2.

At no point would he need a lawyer or spend money, even if he were based in the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do handle lots of user data.

Most of this stuff has been law in Germany for years, I've dealt with the German data protection agencies many times (from both sides of the aisle).

- They helped me force my university to remove personal information about me from the public uni website (by constructively explaining to them why it's a bad idea to have this information about students online in the first place).

- When someone trolled me by registering me to a dating platform which refused to delete the fake profile and spammed me for a year, one mail to the agency was enough to stop these idiots.

- When I worked with social workers, the data protection agency (after a client accused us of mishandling their data) helped us go through our communication procedures and identified some point where client privacy could easily be improved.

As a US company, if you don't want to deal with this, just don't. If you do handle user data you should, though.

> Why would you think that?

I think the majority of users on HN are from the US. And going by the GDPR related comments over the past few months, it seems the litigious US stereotype really is true - a lot of people seem to be prepared to "lawyer up" at the drop of a hat!

As a North-American with no legal presence in the EU, how would he be 'investigated'?
Realistically, he wouldn't be.

The EU is not the USA.

The authorities have limited resources, and are only interested in large-scale privacy abuses.

Pretty sure that is exactly the case. GDPR went all out on user privacy, and it is simply a burden for small businesses to deal with EU citizens; it's financially more sensible to just block the entire EU from their services.
Essentially: yes, that is the case. (Source: I am a privacy lawyer with >10yrs experience.)
Might I hazard a guess that you are operating in the USA?
Which article, recital or guideline do you base that assertion on?
Regardless of what you log, here is a minimum cost of compliance, from the article:

> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts.

If a single user decides to send him/her the letter (https://www.linkedin.com/pulse/nightmare-letter-subject-acce...), he/she would either have to spend an enormous amount of resources to reply, or be non-compliant and risk him/herself.

Implying that every company operating in the EU needs to hire someone to be a DPO is as ridiculous as it is completely false.
> is as ridiculous as it is completely false

Agree, that's why I never implied that.

That makes a valid point: You should open a bug with Apache to remove IP address and User-Agent from the default log formats, as they should not be logged by default or else GDPR issues arise.
You can log IP addresses if there is a legitimate use for them. You just need to ensure that they are protected and that you do not keep them for any longer than is necessary (= use logrotate).
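As an added illustration (not from the thread, and not the Apache project's own documentation), here is what the two suggestions above look like in practice: the stock `combined` LogFormat that ships with httpd, shown beside a minimised format that drops the client address, Referer and User-Agent, plus a logrotate stanza that bounds how long whatever you do log is kept. The log path, the `minimal` format name and the 14-day window are assumptions chosen for the example, as is the logrotate file location.

```apache
# ---- Apache httpd: /etc/apache2/conf-available/logging.conf (assumed path) ----

# Upstream default. %h is the client IP (a hostname only if HostnameLookups On),
# %{User-Agent}i and %{Referer}i are request headers copied verbatim.
# The Referer and the query string inside %r can also carry tokens or e-mail addresses.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Minimised format for the example: timestamp, method, URL path WITHOUT the query
# string (%U, not %r), status and bytes. No client address, no headers.
LogFormat "%t \"%m %U\" %>s %b" minimal

# If you do have a legitimate need for the address (abuse handling, debugging),
# keep %a/%h in the format but still apply the retention below.
CustomLog /var/log/apache2/access.log minimal

# ---- logrotate: /etc/logrotate.d/apache2 (assumed path) ----
# Rotates daily and keeps 14 generations; logrotate deletes the oldest file
# once the count is exceeded, so 14 days is the effective retention period.
/var/log/apache2/access.log {
    daily
    rotate 14
    missingok
    notifempty
    compress
    delaycompress
    create 640 root adm
    sharedscripts
    postrotate
        apachectl graceful > /dev/null 2>&1 || true
    endscript
}
```

Pick the retention window from what you actually need the logs for (debugging a week-old outage needs days, not months) and write that reason down in the "directory of procedures" mentioned earlier in the thread; the stanza then enforces the deletion without anyone having to remember it.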
As someone who both owns a small business and is a consumer, this seems completely reasonable to me.

The GDPR has really made me think about minimising the collection of data that I don't need - absolutely a good thing.

Logging them by default is a silent opt-in to a scenario where you are legally obligated to protect data you may not even know exists.

Anyone whose software logs IPs by default should stop, so that the admins who choose to log IPs must voluntarily choose to log protected information and handle it appropriately.