You know that you're still liable for European customers' data, even if you're offline, right? Going offline won't change anything. You can't effectively grab the database and run away.
It still seems like the safest option given the massive risk this legislation is exposing companies to. Especially low-margin-per-user businesses like Instapaper. From The Verge:
> because it’s not entirely clear right now what information residents will request, what format that information needs to be in, how to locate it and package it, and whether new infrastructure needs to be created to manage this request pipeline.
So in the meantime they can at least stop the flow of new data from the EU into their system until they are 'compliant' and have systems in place to deal with the existing large amount of EU users/data they already have.
It makes sense to me to be cautious here, plus it has the dual benefit of drawing attention to the real costs/risks the bill has on smaller firms without teams of lawyers and internal human resources (developers, CSRs) to deal with the new obligations imposed on them.
> It still seems like the safest option given the massive risk this legislation is exposing companies to.
The safest option was actually to comply with the GDPR during the two years it has been in force now. I refuse to believe that the changes required were impossible to perform in two years.
I'd love to know when exactly Instapaper started looking into the GDPR.
The founder has said that he underestimated the amount of work it was going to take. Anyone who has ever worked on software knows how this stuff happens. You don't truly know how long something is going to take until you dig into the hairy details of implementation.
Plus there are still tons of unknown variables at play with GDPR... even among companies who did spend sufficient time beforehand, as I quoted from the article above. So additionally, the non-obvious requirements further make the underestimation make sense.
The requirements are clear enough to figure out a solution in the last couple of years. What takes time is if you're trying to skate as close as you possibly can to the legal line and not go over it.
If there is so much ambiguity and so many interpretations, what kind of manager would risk getting into such a project if the risk of failure is equal to that of not doing it at all?
Courts are not black/white in interpretations of law. Demonstrating you put significant effort into being compliant is not for nothing. Plus you can't really figure it out until you try. Especially with something as complex as this and how the implications of the law will be different for different companies.
I don't think that makes a difference, perhaps it depends on the country. Some EU countries are hostile towards entrepreneurs and wrong action or inaction would get the same treatment.
But that is one part which is confusing to me, from the UK ICO:
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Additionally, the GDPR does not apply to actions taken before and during the transition period (which ends now).
In this case, Instapaper does not offer goods or services to individuals in the EU. It actively blocks any user inside the EU.
Does that mean that Instapaper is no longer subject in any way to the GDPR?
In other words, if you had a company that had operations in the EU, but left the continent 2 years ago, and no longer has any activities with any EU individuals, does the GDPR suddenly apply to you?
If you continue to hold data from EU residents, it’s somewhat likely that the GDPR applies, or that a court will decide it does some way down the line. If you employed a competent lawyer for about an hour they’d ask you why you’re storing that data if you’re never going to use it again, given the risks.
Holding the data or not is irrelevant, the tricky part is compliance.
If the GDPR applies to you, you need to hire a DPO based in Europe, as well as having an EU contact that will be responsible for any fees that you incur.
If you did business in the EU but no longer do, do you now have to hire a DPO in the EU and have a local contact responsible for any liabilities?
You didn't read GDPR. Deleting isn't enough, if GDPR applies to you, you need to follow all the compliance requirements, including hiring people, providing proof of deletion if investigated, etc.
This is a good point I haven't run into before (which is itself frightening). So what could they do instead? Could they retain the actual 'read later' content, associated with their EU users, but delete all of their own personal data for now?
Not much. If you're not compliant, you're not compliant. However, that's not the end of the world right there. GDPR takes ill-intent into account, and it also requires warnings before any punishment is applied. They should instead have started working on compliance before they actually did.
Just because a law is written to apply to effectively the whole planet doesn't mean it can be enforced as such. I just don't see the current US administration complying with an EU charge against one of its companies that did go the blocking route, let alone any of the shadier countries that host companies in violation.
Based on my understanding, I think if you're not marketing to EU visitors, data doesn't fall under the GDPR. Does the GDPR retroactively apply to data from the past?