[takeda]

> A College student working on a side project with no revenue are treated the same as some massive multi-national.

Am I reading this wrong? If the college student creates just a simple page, he/she is already complaint with GDPR.

If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.

The treatment of privacy is one of issues where it's pretty much impossible for individual protect from, GDPR tilts the scale in favor of individuals.

[manfredo]

If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data, and build a system to get user consent, etc.

I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.

[viraptor]

> they have to have a data protection officer

DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority b) monitoring subjects on large scale c) dealing with criminal conviction data.

> build a system to get user consent

It's called a checkbox. They likely use one to agree to TOS anyway. If you don't have that one, DMCA and COPA is what you should be worried about before GDPR. (If you're based on the US anyway)

[manfredo]

Article 37 1.a and 1.b are extremely vauge. Hiring a DPO becomes necessary once your service "requires regular and systematic monitoring of data subjects on a large scale", or processing personal info specified in article 9 "on a large scale".

However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count threshholds or anything like that.

Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.

Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.

I'm not saying every these tasks are hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.

[viraptor]

They only apply if it's your core activity though. If dank memes are your core activity, you're not "processing personal data" on a large scale, regardless of how many memes you store.

[manfredo]

Again, only if you assume that these memes aren't covered by article 9. You might be able to infer a lot about someone from their authored or favorites memes. Article 9 doesn't just cover the personal data itself, it covers personal data revealing ethnicity, political opinion, etc. If I look at a user's list of authored memes, and it's full of pro gay rights memes have these memes revealed their political opinion? Many would argue yes, and processing memes is definitely the core activity of our hypothetical site.

[hk__2]

> If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data

No, because that website doesn’t collect personal information.

> and build a system to get user consent, etc.

You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).

[manfredo]

> No, because that website doesn’t collect personal information.

Yes it does. It a least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitue personal data.

> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).

Again, I specified a meme generator site that has at least some user specific personalization.

[nelsntk]

>they have to have a data protection officer

Themselves

> build a system to purge user data

SELECT * from users, memes, usermemes where userid = #####

[spookthesunset]

What about all the comments on those memes? Do those go too? What about the people who hot-linked to those memes? Do you just nuke the images and break all the content people linked to?

You sign up for a website and upload and share a bunch of memes.... honestly... the shit isn't really your data anymore. It is the publics. You shared it and yanking it back is kind of a dick move.

It really isn't as "simple" as a DELETE statement that some people argue it is.

[takeda]

You are just making s*it up. Meme is something you publicly posted it is not your personal info, you possibly agreed to transfer copyright to the site, if you still own it, of course you have right to delete it.

As for personal info, most meme websites don't require any accounts to create them, because it only makes the site less usable, but if the site do have accounts, you do have right to see/update your account, you have right to delete your account and be sure that if your account is deleted the data is actually gone.

[manfredo]

> Meme is something you publicly posted it is not your personal info,

Very generous assumption on your part. Article 9 specifically says that anything revealing personal info like ethnicity, political affiliation, etc. is covered by GDPR. If I look at a Adam's list of authored memes and there's a bunch of pro-Democrat memes and I look at Bob's and it's all pro-Republican memes, then it's very easy to see a court ruling that a memes reveal political affiliation.

[tchock23]

You’re not allowed to have the DPO be yourself due to potential conflicts of interest.

[strken]

I can easily see small websites just ignoring GDPR and hoping they fly under the radar.

This is my plan. What are they going to do, extradite me over claims that my access logs includes IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?

[spullara]

Web servers are non-compliant out of the box because they all by default log and store IP addresses of visitors.

[oneplane]

There is nothing non-compliant about that. You seem to misunderstand essential vs. data hoarding for advertisement purposes. If you were to keep that data forever, sell it to third parties or profile users based on that logging data, not tell them about it, then yeah, you'd be violating the GDPR.

For normal operation system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI etc.

[Semiapies]

Which is the answer I see all of 50% of the time. Then, I see "Well, actually it is non-compliant because yadda yadda". My company isn't going to hire international compliance experts to review the operations of every public website we run, and we don't have any that need European visitors. So, best to just block them.

[oneplane]

But what about national compliance experts, do you hire those? Because you have a lot more national compliance on your plate than international...

[Semiapies]

That just emphasises how worthless it would be to spend effort to make sure we're compliant with GDPR. We have better things to do.

[oneplane]

And that just emphasises how much you'd rather not worry about user data or telling users about it. You have money to make off of it?

[spullara]

Without it documented why I am collecting it, how I use it and how I store and delete it, it is non-compliant that I am collecting it at all. I think that you are assuming that they know it is being collected and that they are supposed to use it for something. They don't. It is not essential at all to the operation of the service if you don't actively monitor it. Saying it could potentially be used for some kind of security function seems like a CYA if you aren't actually doing that.

Do you disagree with this TLDR of the regulation?

https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-d...

Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.

[ajuc]

So the defaults will be changed.

It's called software cause it can be changed easily.

[hk__2]

A quick Google search leads to this, for example: https://blog.flyingcircus.io/2018/02/05/new-default-truncate...

[takeda]

I'm finding this: https://law.stackexchange.com/questions/28603/how-to-satisfy...