by jacquesm 2954 days ago
I'm sorry, I don't buy it.

(1) you still hold the data, you are still required to comply with the law and cutting off access does not change that one bit.

(2) the period for a response is long enough that once you would receive requests you could handle them in time even if you processed them manually.

(3) you have been - or should have been - aware of all this for a very long time, either you failed at estimating the impact of the law or you do not know what you have or you changed strategies internally recently and now you're not going to be ready in time because you started way too late.

So in all, all you've managed to achieve with this action is to get the spotlight on you, and it is a 100% certainty that at least Instapaper will be solidly violating the GDPR come tomorrow.

If I were in your shoes I would use my designated representative to contact the authorities for guidance after explaining in detail what the problem is before I would let my end users pay the price for my own incompetence.


Last I heard Instapaper has 3 employees.

Some smaller companies and lower-profile groups within big companies are going to need more time to sort this out, and some may decide it's not worth the risk of the massive fines no matter how compliant they think they are and will block European users. Nobody knows how aggressive regulators will be in enforcing this so far, nor is there any precedent for how the law will be interpreted by actual courts. Calling people incompetent isn't going to change that.

This is one of the negative consequences of enacting complex regulation targeted mostly at giants like Facebook and Google and then applying it to every side project and business in the entire world no matter how big or small. Sorry.

Nonsense. Instapaper was acquired by Pinterest.
And how much revenue does the Instapaper service generate for Pinterest?

Lower profile groups within big companies are probably most likely to shut off their services to European users because they have the cautious legal departments of the large company without the important profit center designation which would make compliance a priority.

> And how much revenue does the Instapaper service generate for Pinterest?

Who cares? That's not a factor in whether or not you should comply with the law.

> Lower profile groups within big companies are probably most likely to shut off their services to European users because they have the cautious legal departments of the large company without the important profit center designation which would make compliance a priority.

Well, that may be their strategy but it won't work because it is the company that is violating the law, not the lower profile group.

> That's not a factor in whether or not you should comply with the law.

Speaking generally here, you know laws aren't always right? We have plenty of bad laws to draw from to challenge this particular point, from racial to abortion laws.

GDPR isn't as draconian as these but still has plenty of trash in it, between the vague wording, the moving target 'state of the art' represents and the weird requirements and absurd implications of the 'right to be forgotten'.

What's that got to do with it?

It's the law, it was created by a democratically elected body. Racial and abortion laws are on a different plane altogether, and are not typically the playground of globally acting corporations.

> it is the company that is violating the law, not the lower profile group.

I work in a company that was acquired and we're still our own legal entity. Would our owner be affected if we violate GDPR?

That would depend on what kind of ownership structure you have. Do they exercise management control, have seats on the board etc?
No, in that case the owner is just a shareholder. But if the original legal entity no longer exists (which I believe is the case with Instapaper) then it doesn't matter that you've been acquired, you are now part of the mothership.
Weren't you the one previously saying don't panic (https://jacquesmattheij.com/gdpr-hysteria) because of GDPR back in the day? And now you are advocating that they should have already complied with GDPR given its impact!

Make up your mind.

And this is exactly why this is such a shitshow. Stop attacking people who haven't complied, because small developers have other things to do rather than trying to figure out whether they have to redo their logs if a user asks for their data to be deleted. This is almost bullying behavior.

> Weren't you the one previously saying don't panic (https://jacquesmattheij.com/gdpr-hysteria) because of GDPR back in the day?

Yep.

> And now you are advocating that they should have already complied with GDPR given its impact!

Obviously yes, because today the law becomes enforceable. Not having done the required work is just plain dumb.

> Make up your mind.

I made up my mind well over a year ago, spent the time required to be compliant (a couple of days) and that was that. Instapaper being as small as it is would not have had to spend more time than that unless they are doing something they shouldn't be doing, are unable to plan or changed tactics in the last 2 days. After all, if they weren't going to make the deadline they had a very long time to announce that, instead they announce it the day before the law becomes enforceable. That's just not ok. At a minimum they should have had their export facility up and running.

> Stop attacking people who haven't complied, because small developers have other things to do rather than trying to figure out whether they have to redo their logs if a user asks for their data to be deleted.

I suspect you are in the same boat?

> This is almost bullying behavior.

Right. Well, sorry, it really isn't, it's the perspective of someone who has been in business for a very long time and who feels that the GDPR addresses some fairly urgent matters. Companies have been running roughshod over users' privacy rights for decades and it is one of the worst things to come out of the internet. The level of tracking and data brokering that is going on is utterly disgusting.

If you weren't doing anything you shouldn't be doing the GDPR is going to be a pretty simple affair if you're a small company. Larger companies will have some more work but have more resources.

He's also the same guy who said, and I quote, "compliance is easy, just read the law."

It surprises me how much this community tolerates such combative cluelessness.

Have you read the law?

Did you start working on compliance in a timely manner or did you become aware of this a few weeks ago?

Does your company have a clue about what it is doing in general?

Do you take a user centric approach to data ownership?

If those are all 'yes' then compliance is easy. If you don't care, do illegal stuff, are clueless or don't care about your users then compliance is going to be hard, that's what the law intends because those companies should change their ways.

His posts were clearly politically motivated, zealot-type propaganda. Either self-interest or useful-idiot.

For some reason he is such a fan of this legislation that he is willing to overlook its glaring problems. No objectivity there, I am afraid.

> His posts were clearly politically motivated, zealot-type propaganda.

Oh my. Terribly sorry for putting up a political manifesto.

> Either self-interest or useful-idiot.

Take your pick. No third options? Such as a genuine desire to take some of the heat off for SMEs, of which I own several and participate in several others?

> For some reason he is such a fan of this legislation that he is willing to overlook its glaring problems.

Yes, I'm a fan of this legislation. I also was a fan of its predecessor and it's a joy to see companies that don't have their house in order make all kinds of panicked moves. I have a pretty good behind-the-scenes view of what goes on with respect to privacy abuse by corporations due to the nature of my work. Those companies that do illegal stuff, don't give a damn about their users and that in general are clueless (and which in turn increases the chances of their online properties being compromised) will be the ones that run into the 'glaring problems'. The only thing that I see as troublesome with the law is the lack of reciprocity and enforcement across borders. The EU picked a complex and, for really small companies, expensive way to resolve that and that's something that I see as a real issue.

> No objectivity there, I am afraid.

I think you mean to say you don't agree with me.

I don't know if (1) is true but the data was collected under previous laws. In my opinion laws like this should not be retroactive. Retroactive laws, especially when affecting billions of dollars of commerce, are unfair and draconian.
It is not retroactive, the law has been there for 2 years, becoming _active_ in 40 minutes. Secondly, it is not the collection of data, it is the storing of data. So if you store the data without user confirmation in 40 minutes, there might be a problem. The action which is the problem is the storing of private data.

There is nothing retroactive here.

Is three year old data covered? Sounds retroactive to me.
If you bought designer drugs 10 years ago, the act of buying was legal, even though storing it today no longer is. Same here: collecting it or using it 10 years ago might have been legal. Storing it today is not. You might be confused about which action is covered by the law, and that action is "storing". You can decide to stop doing that action today, so it is not retroactive at all.

I don't really see where the age of the data you store comes into play.

Yes, three year old data was already covered by the DPD.
The law has been on the books for two years, it just wasn't enforced and for a long time before that there was another law with much the same effect. So even if the data was collected under previous laws there is not much that would convince me that denying the users access to their data or to the legally mandated data life-cycle features is the right thing to do.

In fact that attitude goes exactly against what the law is trying to achieve in the first place.

> In fact that attitude goes exactly against what the law is trying to achieve in the first place.

I think this is an important realization for any regulator.

The law doesn't make it illegal to have collected the data in the past. However, it introduces new rights for people for which you have collected data. I don't think this is unfair.
The general global legal principle here is that you can't charge someone for something that happened before the law came into effect.

So you are not correct on #1.

The law has been in effect for two years. And before that one there was another one.
> The law has been in effect for two years.

"It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018."

Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

> And before that one there was another one.

Yes, but that was a different law. It required different things.

The law came into effect on the 14th of April. 'Enforceable' does not mean it comes into effect, it means that regulators have their powers unlocked to go after offenders.

> Yes, but that was a different law. It required different things.

It actually required a lot of the same things, but because companies decided to ignore it, it was revised.

The regulation came into effect two years ago and I don't really believe that Instapaper hasn't been processing data for the past two years.
By that standard, if you had purchased a child porn magazine in the 1970s when it was legal to do so, you would be in the clear if the police searched your house and found it. I am not a lawyer, but that doesn’t seem likely.
> will be solidly violating the GDPR come tomorrow

How do you know that? I mean, technically he says they're violating it today, just like we all did the past 2 years because it wasn't enforceable. What changes with their ban tomorrow?

That they are still violating it tomorrow and they are giving their users an excellent excuse to contact the regulators because they cut off communications. This is about as dumb as it comes.
I was under the impression that if you don't do business with EU users, you are not subject to the rules. This seems like the only reasonable way to not do business with EU customers. Other thoughts aside, if they wanted to stop doing business in the EU, how should they?
> Other thoughts aside, if they wanted to stop doing business in the EU, how should they?

Erase everything.

I suppose for most thinking rationally, it seems like "stop doing business in the EU" is different than "make it like you've never done business in the EU". Taken to its conclusion, which Instapaper surely won't, it's not going to be easy to punish a business that has cut ties with the EU because of what they collected before. Granted it appears that with the law, like its predecessors, practicality of reasonable enforcement takes a backseat to intent.
The rational approach to legislation is to make a (timely) effort to comply.

When you're told the highway near your house has a new speed limit you can either obey the speed limit, use a detour (which will still be slower on account of it being longer) or you can take your car off the road in a huff.

The first one is the only solution that makes sense.

Sounds like a technical reason to me. What provision of GDPR does it break? Contact the regulator about what?
The ability of users to access their data, to edit their data, to delete their data and to export their data.
Is there a requirement that this ability is 24/7/365?

I mean, knowing GDPR, I would guess at best the provision would be something like "a reasonably long amount of time but not long enough to be unreasonable based on appropriate considerations of data subject's patience".

It certainly isn't a provision in the law that if you feel that you won't be able to deal with your users' legitimate requests you have the option to lock them out entirely.

I can imagine something to the effect of stopping further gathering of data (to stop digging the hole deeper), to give your users the option to request what is their right through some kind of form and to park those requests until you're done with the implementation and in the meantime give them continued access.

After all, the law already has a provision in it that you have 30 days to respond, and another 2 months after that if you are for some reason technically incapable and need an extension.