by joering2 2954 days ago
Don't feel bad. The law is ridiculous and most startups cannot even afford salary for another programmer, not to mention a GDPR-law compliance officer. Hopefully if enough services get interrupted, bureaucrats at the EU will rethink the law.

If you believe GDPR requires you to hire a dedicated compliance officer then you don't understand or have not read the law you're so vehemently against.
So which part of the law is ridiculous? Disclaimer: I believe the principles that are applied within the law, data autonomy, data ownership, usage-binding of data etc., are sound. And just because people have aggregated any data on people that they could get to better manipulate them into buying crap for so long that it's hard to change track today, doesn't mean it's wrong for lawmakers to enforce parting ways with the past.
- IPs are personal private information

- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today.

- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc.

The law is confusing "privacy" with "invisibility".

"- IPs are personal private information"

IPs combined with other user data could be PII.

"- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today."

Wrong. You need opt-in consent for non-personalized ads, but this can be the "soft consent" type where you only present the "Accept" button. Advertising is no more optional tomorrow than it was today.

"- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc."

Knowing what you have on me is not superfluous; it's my data.

Seriously, the FUD around this law is getting tiresome.

> IPs combined with other user data could be PII.

1) Bob signs up for a service and is logged

2) Bob then asks for his account to be deleted. Account details are deleted, but the IP logs are retained.

3) Bob signs back up for a new account, allowing the data processor to make the link from his new account to his old IP logs with the first account.

This seems like a likely violation; if so, you would have to treat IP addresses like personal information.

The personal information here is the IP-Bob tuple, not the IP on its own. Bob might as well be assigned a new address from DHCP on a daily basis. His friends might be using his address. He might have used the address of some public network in the first place. All of these are pretty likely scenarios. The IP is only interesting given the context of who uses it and when, so as to separate Bob from Alice, and Bob's favorite cafe and Bob's workplace from Bob's home, and to figure out if Bob is ever visiting Alice.

So if Bob asks for his personal information to be cleared and the system leaves Bob-IP tuples behind, it clearly didn't do what he told it to do.

That is playing dice while dealing with potentially personal information though, right?

It depends on Bob using DHCP, that his DHCP switches often enough, and there are enough people on the same network that the link can not be made.

The above is not always true, other mitigating factors are not always true. Which seems to make some IP logs personal information. Or at least you are safest if you treat it that way.

I am basing some of my reasoning off an article that I was pointed to earlier: https://www.whitecase.com/publications/alert/court-confirms-...

Where, to my understanding, IP addresses are considered personal information only if you can link them to some other identifying info.

I think a regulator is unlikely to go after a company for not deleting IP logs in the current climate. As far as I can tell GDPR gives them the power to, however.

Until there is some case/enforcement history it is understandable if people are cautious.

- IPs in general are not bound to some specific person. It's only because laws require that ISPs keep PII allocation data that they become personally identifying. Perhaps it would be easier to plug that leak right there.

- Ah, well, Google suggests you ask consent even for content-based ads

- 99% of the sites show you what they have on you when you use them. The provision could be to have a separate download page when that is not the case. If every business must have an unauthenticated download page, it becomes easier to get other people's data via phishing.

It's not FUD. This is the internet. Let's talk again in a few months.

Advertising can be done without cookies. It's a simple <img> tag.

Unless you mean user-tracking advertising.

I mean content-based (still requires cookies)
Then you'll have all sorts of disputes. For example, someone could claim their cat stepped on a touchscreen and consented without the user's knowledge, or someone consented whilst being completely drunk - such consent is not valid. That means potentially companies are keeping the data illegally thinking they comply.
I don't follow, do you mean that's a possible scenario? That's the last thing you need to worry about yet. I expect first random emails from hackers demanding coins for 'not reporting you' in the first awkward month.
The weirdest scenario is if people inadvertently leak medical data in an unsolicited email.

"I've a motor impairment do your hotel have accessible rooms?"

Say you have your hosted email system, now you're in a huge mess.

People downvoting this should really hear a lawyer about GDPR.

Email is not covered by GDPR but by the local communications acts. There will be some new EU laws in the next 2 or 3 years... So there's no problem in THAT case. But if this email is copy/pasted in a reservation system THEN it might be covered by GDPR.
There is also a thing when a user closes the consent popup and the site won't redirect to an invalid IP address. I have seen plenty of sites where you can close the consent popup and continue to use the site - that means they collect your data without your consent. Grotesque.
How do you know they collect your data?
You don't need a new employee, just someone who is assigned the task to deal with queries that come in. For a small start-up this is not likely to amount to many requests, and even then the requests from the public first go through the regulator. So many requests will be weeded out at that stage with the aim of reducing the burden on businesses, only requiring them to act when the regulator has identified a breach. At this point they have to fix it; if they don't fix it, or don't try to fix it (fixing it is usually by deleting the customer data), then they are open to prosecution. If they fix it, the regulator isn't then going to seek huge fines; they are aimed at non-compliant firms who have no intention of complying (e.g. because it is their entire business model).
If that's the case, then perhaps that startup shouldn't be sucking up all the user data it can.