by datamingle 2948 days ago
How do you handle developer computers with possible client data on them, even semi-anonymized? Or when communicating issues on the live server, you might transfer client information to other stakeholders to debug an issue. Are you tracking that communication? Where does the communication data reside, perhaps on a server outside of the EU?

There are a lot of complications that arise if you think about the second order/third order consequences of the law.

3 comments

I don’t know GDPR inside and out, but I have worked at places (not military) where I could be held criminally liable for misuse or negligent disclosure of PII.

The answer to “How do you handle...” is that you get your shit together. Separation of duties, build and configuration standards, no customer data on random laptops.

When I was in high school, I worked at a sandwich/coffee shop. The precious commodity in that store was cash. We didn’t leave cash on a counter, or on a roll in our pockets; it was in a locked register. When there was more than $500, we withdrew down to $250 and put the cash in a safe. At the end of the night, we put the cash in a locked pouch and two of us walked to the bank and put it in a dropbox.

Data is no different, just more complex.

And if getting your "act together" is a substantial cost for small companies, no matter?

The word choice almost presumes the conclusion, that data privacy rules are obvious, and cheap, and akin to just washing hands after using the toilet.

Every regulation has costs and benefits. I also would love to have better worldwide privacy at no or little cost, but the fact that people are blocking the EU shows that some companies just don't see this to be the case. And they're voting with their feet.

EU citizens should accept the fact that if they support the law, they will further data privacy protections, which are good, and they will face the music if some innovation leaves or whatever compliance costs may come with it.

> And if getting your "act together" is a substantial cost for small companies, no matter?

Yes, no matter. Should small companies also get a free pass on food safety laws? Health inspections are a PITA for restaurants too.

This reaction is pretty much textbook psychological reactance[0]. People doing business had some freedoms wrt. user data, but it turned out in practice that they should never have them in the first place. Now that those excess freedoms are being removed, businesses cry foul.

--

[0] - https://en.wikipedia.org/wiki/Reactance_(psychology)

Exactly. It's very sad that reasonable privacy measures present such a technical challenge, but nobody promised being responsible was easy. That's why we have regulations - to force businesses to place the common good ahead of profits, where applicable.

> Should small companies also get free pass on food safety laws? Health inspections are a PITA for restaurants too.

But if you look at how reality works, then you'll see that small companies often do not implement the proper food safety standards. This causes all sorts of problems, because if a company already does one shady thing, then doing one more isn't as much of a problem anymore.

And then they get closed down when a food inspection takes place.

Yep, that's exactly the case, but another one of these opens up somewhere else at the same time. We've had inspections like this happen for many years, but it's still happening. And these companies that don't adhere to the law could outcompete those that do by saving in some costs.

Data privacy isn’t trivial, but the core concepts are pretty straightforward. Like cash, data is both an asset and liability. The business model of tech insulates the investors completely from liability, so there is no incentive to self-police.

The contempt shown for us collectively as users and people is what triggered the regulatory backlash.

The 2016 election demonstrated better than anything why this is important.

The internet's role in the 2016 election was primarily its ability to connect like-minded people and capture their attention in a venue where advertising can be purchased cheaply and casually. Data may have helped with ad targeting, but was basically incidental. The insufficiently regulated thing there was speech, not data, and there are good reasons we don't really regulate speech.

I agree that the Facebook/Cambridge Analytica debacle should have been prevented. I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

As mentioned before, size limits are probably good for compliance costs; if the problem is political influence, make that a key part of the law. Making part of the law liability per privacy breach can be useful too (to deter companies from lax security that ends up with them hacked).

> I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

Legislators don't have the luxury of saying "I'm not totally sure what's the best legislation" to fix this issue; they are forced to propose an actual fix. If you don't have a better alternative on hand, I'd urge you to consider that which legislators have arrived upon after months or years of consideration.

The problem with carving out exceptions for small companies is that larger ones would simply subcontract out all their data handling.

Like encryption, data privacy is either all or nothing.

And personally? I'd rather live in a world without tracking-enabled Google and Facebook business models than the one we're currently in.

Holding personally identifiable data is a toxic externality: Experian simply exposed a clear case.

If you want to do so, you should have to bear that cost. Or design your business model differently so that you don't.

For size limits, as logicians, we would think that companies would just split infinitely but that doesn't seem to be the case.

For example ACA 2012 (Obamacare) applies the most onerous terms on companies greater than 50, but not a lot of 100 person companies split into two groups of 50 to dodge it.

I think privacy is indeed along a spectrum and not binary. I certainly think that EU citizens are more concerned with Facebook and the vast trove of data they have and political irresponsibility with it than with GarethsFirstApp in the Android store handling user data well.

Splitting core business functionality and siloing data handling to a contractor are apples and oranges.

And I'd point out that the latest Facebook media privacy outrage was caused by a smaller (1 person?) third party company.

GarethsFirstApp isn't so innocent when it's providing Facebook with data they can no longer collect themselves (given a hypothetical "You're small, so we'll let you get away with it" GDPR).

Let me shed some light into this: I am having my own mail server and I am using a separate mail address (and now it will be close to 10 years of doing that) for every registration to any website, let's say domain_url@mydomain.com. As you can imagine, I can track who sent me the email and where it got my address from. 99% of addresses that I get spam on came from registering to small businesses, never from large sites. Get it?

So based on that some might argue that the small businesses should be regulated more, as the majority of violations are coming from them, not well established businesses. It is probably not true, but it might also be.

So... binary only is a right way to go.
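The per-registration alias scheme described in the comment above can be turned into a small attribution script. This is an added example, not code from the thread; it assumes a catch-all domain (`mydomain.com`, a placeholder), a hand-kept register of which alias was handed to which site (all site names are hypothetical), and a few constructed inbound `To`/`From` header pairs. The generalization beyond the comment is the leak check: mail arriving at an alias from a domain other than the one the alias was registered with indicates the address has travelled somewhere it was not given.

```python
"""Attribute inbound mail to the registration alias that received it,
and flag aliases that are now receiving mail from unrelated senders.

Added example, not from the original thread. Assumptions: a catch-all
domain (MY_DOMAIN, placeholder) and a register of alias -> site built
by hand at signup time (ALIAS_REGISTRY, hypothetical names).
"""
from collections import Counter
from email.utils import parseaddr

MY_DOMAIN = "mydomain.com"  # placeholder catch-all domain

# Constructed register: alias local-part -> site the alias was given to.
ALIAS_REGISTRY = {
    "shop-example": "shop.example",
    "forum-example": "forum.example",
    "bigsite-example": "bigsite.example",
}

# Constructed sample inbound messages as (To header, From header).
INBOUND = [
    ("shop-example@mydomain.com", "orders@shop.example"),              # expected
    ("shop-example@mydomain.com", "deals@spam-list.example"),          # leaked
    ("forum-example@mydomain.com", "news@mailer.spam.example"),        # leaked
    ("bigsite-example@mydomain.com", "noreply@mail.bigsite.example"),  # expected
    ("unknown-alias@mydomain.com", "x@random.example"),                # never issued
]


def alias_of(to_header):
    """Return the alias local-part if the recipient is on our catch-all domain."""
    _, addr = parseaddr(to_header)
    local, _, domain = addr.rpartition("@")
    if domain.lower() != MY_DOMAIN:
        return None
    return local.lower()


def sender_domain(from_header):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_same_org(sender_dom, registered_site):
    """Treat the registered site and its subdomains as the same sender."""
    return sender_dom == registered_site or sender_dom.endswith("." + registered_site)


def classify(to_header, from_header):
    """Classify one message: foreign / unregistered / expected / leaked."""
    alias = alias_of(to_header)
    if alias is None:
        return ("foreign", None)          # not addressed to our domain at all
    site = ALIAS_REGISTRY.get(alias)
    if site is None:
        return ("unregistered", alias)    # alias never issued: guessed or dictionary mail
    if is_same_org(sender_domain(from_header), site):
        return ("expected", site)         # the site we gave the alias to
    return ("leaked", site)               # someone else is using this alias


def leak_report(messages):
    """Counts per class, plus which registered sites have leaked aliases."""
    counts = Counter()
    leaked_by_site = Counter()
    for to_h, from_h in messages:
        kind, site = classify(to_h, from_h)
        counts[kind] += 1
        if kind == "leaked":
            leaked_by_site[site] += 1
    return counts, leaked_by_site


if __name__ == "__main__":
    totals, leaks = leak_report(INBOUND)
    print(dict(totals))
    print("aliases now receiving third-party mail:", dict(leaks))
```

The alias only tells you where the address was collected, not how it escaped: a breach of that site, a sold list, or a forwarding partner all look the same from the recipient's side, so the "leaked" bucket is a lead for follow-up, not proof of intent.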

"The answer to “How do you handle...” is that you get your shit together."

Yes it is

I have keyed in and deleted so many efforts at an answer to your question that I have given up and find myself merely asking: "Have you actually read the regs?"

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

My reading of them finds no second/third order anything. The regs are surprisingly clear.

I forgot to mention that unless you are trying to abuse EU citizens in some way then you have no problems. A useful side effect of the internet is that deciding whether someone is an EU citizen or not is tricky. That means that most companies have decided to treat all citizens in nearly the same way:

For you as a private individual, a foreign power now provides you (indirectly) with way more "rights" than you might have had in the past on the internet. Have a read of the regs, please. The first few paras are a bit "we the people" but then, that is what is required. Then go through the articles. Read them as a person first and then consider them as a company or whatever you do later.

>I forgot to mention that unless you are trying to abuse EU citizens in some way then you have no problems.

Half of commenters are making this assertion; the other half are asserting it's a damn good thing that small companies will be eviscerated for insufficient seriousness, whether or not they are doing anything abusive. Some of you are necessarily wrong.

I could argue that not protecting my data constitutes abuse.

> surprisingly clear

This is an 88 page document with extremely dry language. Just confirming your assertion will be time consuming. No wonder many American services would rather shut out EU users than comply.

This is a silly and downright crude comment. My mortgage contract was 56 “dry” pages and I found time to read/understand it, to the best of my ability.

If you own a business, the cost of reading this document is about 2 days (with consideration for googling terms). To disenfranchise a whole continent because you are inconvenienced is ridiculous.

Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?

American services are just busy because they are doing their best to keep the lights on. Within a week, the handful of companies will comply. They’re just cautious because they have to pay folks and don’t want to make a silly mistake that will shut down their business.

Edit: structure

> If you own a business, the cost of reading this document is about 2 days

I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and gets REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff get really fuzzy when handling things like free accounts.

If you make any amount of reasonable money, you need a lawyer to work with your devs (hope you didn't outsource the work!) on a lot of this. And your usual lawyer, if in the US, might not be qualified to deal with EU laws. It's a tough situation. For businesses that don't even target EU markets on purpose, well...

If you're a medium to large international business, then this is just business as usual: dealing with new laws popping up, small or large, is just something you do. It sucks, but hey: it increases the barrier for entry of your next competitor!!

Disclaimer: I think GDPR is fine, and in a few years when every new startup or mom and pop company and 3rd parties are all setup for it, it will be a no brainer, just like email (not many people running their own email servers these days!). But the transition is hard, especially on smaller players.

> For businesses that don't even target EU markets on purpose, well...

See https://ec.europa.eu/info/law/law-topic/data-protection/refo...

> When the regulation does not apply

> ...

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

This boils down to relying on each of the EU's twenty-eight data regulators interpreting "specifically target" favorably into perpetuity. One of them takes an unusual view, once, at any time in the future, and you lose 4% of your global revenues.

> I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.

Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.

GDPR has more nuance than most other situations, but just like PCI, you just deal with it.

What I imagine is that this situation is like a bunch of stores stopping taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.

Would folks have the same reaction if their neighborhood deli said "fuck it! I ain't protecting the CC data cause it's tough and requires too much work"?

The cost of PCI compliance is baked into the transaction fee, and yes, businesses are sometimes cash only; particularly if the business is small and its products are affordable, customers understand and appreciate the owner's unwillingness to pay those fees.

PCI is well defined. It's a lot of process, but nobody is confused on what the process is.

Wow, the entitlement.

The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.

This is an incredibly expensive regulation to comply with for most small and medium companies, not because they're doing villainous things with the data, but because learning this law and then documenting your compliance with this law is ridiculously expensive for many types of businesses.

Your comment came off a bit combative against me vs. the idea I'm trying to argue. Perhaps I didn't make my point very well.

Let's swap GDPR for PCI compliance, which has a new standard (or fully implemented standard, if you may) coming soon. PCI deals with credit card information.

My relevant background allows me to make a few assumptions:

1. If you are in the US,

2. AND you have visited a Quick Service restaurant in the last five years (think Subway, Chipotle, etc.),

3. AND they use one of the major POS (point of sale) providers,

then your credit card, name, expiration date, and CVV are in plain text.

You may know the GDPR very well, as it is your job and you are most likely very qualified for it. And yes, there are probably lots of nuances to this law. However, that's every single law there is, every standard, guideline, etc.

I'm not entitled. I am, however, a realist that understands that you just have to comply. Taking two days to read the 88 page PDF will make you more familiar than most. It might not make you an expert, but for a small to medium sized business, it would give you the necessary tools to comply with the majority of the law.

Quite frankly, I don't have a bunch of lawyers and I do have to implement GDPR. Will there be an official review? YES. There will be folks who know more than I and are professionals to double check my work. But I can't tell my stakeholders "Sorry, we can't do that because it's just too tough". That seems entitled...

Complying with the majority of the law isn’t good enough when you can be sued for not complying with a small part of the law.

It’s like complying with 99% of securities laws and forgetting to comply with the insider trading laws. That’s not a defense.

> To disenfranchise a whole continent because you are inconvenienced is ridiculous

Oh, please. To not offer a service or website or whatever to people half a world away is not to "disenfranchise" them. I don't think you have room to call anyone else's comments "silly".

It's making your company's products and services irrelevant, as we'll just shrug and move on. That's got to hit the bottom line.

No, not really. Not to be shocking or anything, but Europe is not a target market for every company.

Half a world, but only 100ms.
I would like to share an anecdote with you, which might highlight the difference in mindset some folks have.

When I was 20/21, I worked at PJ Clarke's on the Hudson, a restaurant in downtown Manhattan. Back then, the Merc was still staffed by traders on all floors (they switched to computerized trade desks, I believe, and there were fewer people there).

During one shift, I had a party of 10+ people and had to grab extra tables from another area. The tables had tops made from granite and were heavy. As I was moving the table, the majority owner Phil Scotti jumped in and started helping me. I said something like "I got it" and he looked me in the eye and said "Anything for a buck".

That quote might not be popular, but what I realized is that work is work and money is money. If a multi-millionaire could move tables and his wife (in custom, expensive suits) can bus tables, then yes... Disenfranchising, or not servicing a bunch of folks, because you don't feel like it is fucking stupid.

I apologize for calling it silly.

I dunno what the point of this anecdote was, but the parent poster was right to mock the word "disenfranchise". If the American business doesn't want the buck, they don't want the buck. If they do want the buck, they do want the buck. Their call, not disenfranchising anyone.

Ha, I actually thought the comment was relevant for an article on blocking EU users with Cloudflare.

This regulation calls for legal expertise, trusting google to save on fees seems risky for a business. In all seriousness, biz owners should shell out for expert advice for compliance, or stop doing business in the EU.

Google and Fb have already seen litigious groups claim $9.3B in fines on the first day[1]. There will certainly be a cottage industry of lawyers going after online businesses that have erred with GDPR.

[1] https://www.cnet.com/news/gdpr-google-and-facebook-face-up-t...

Those groups don't get to keep the fine money? What is with all the disinformation about people suing companies for GDPR violations like it's a civil court issue and one side gets damages?

People can refer an issue to the regulators claiming that the GDPR has been violated. The regulators will determine if they believe the regulations have been violated and whether it's a large enough violation to enforce. If fines are levied, they go to the government and are intended to be punitive, hence the percentage of revenue as the max fine, so that you can't just ignore the regulation by being rich.

No individual or group other than the government is going to make money off of this, and the government has to balance the loss in taxes and cost to enforce against any gain from a fine.

This whole kerfuffle about the GDPR has just shown that American companies will lose their fucking mind if they have to follow anyone else's rules and can't just lobby the US government to force their laws on everyone else.

Irrespective of who gets to keep the fine money, it will cost money and time (and likely lawyers) to handle any regulator inquiries. These complaints barely a day after the law came into force clearly show that this law has come as a bonanza invitation for "activists" to impose legal costs on whatever target catches their fancy. I wouldn't be surprised with anti-competitive targeting. Large corporations will write off the risk and the cost. Small business will choose not to do business and avoid the risk.

> litigious groups claim $9.3B

Incorrect. They are civil right groups, which filed complaints with the authorities. Even if the complaints were fully accepted and the offenders fined to the maximum possible amount the groups would not "earn" a cent.

"This is a silly and downright crude comment" - easy mate. My ISO 27001 docs are a bit dry as well and I wrote the bloody things as well as the sob ISO 9001 ones.

In my opinion you absolutely hit the nail on the head with this:

"If you own a business, the cost of reading this document is about 2 days"

> Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?

Umm, no, I won't read them?

I seriously cannot remember the last time I ever went and read all the official docs for a new tech.

Instead I learn by doing, and reading Stack Overflow.

If I have to read through 50 pages of docs to use something, I seriously am just going to use something else.

That's fine when you only hurt yourself but when you are dealing with personal data you can hurt others because you want to take the quickest path.

These same arguments could be applied to just dumping waste from manufacturing in the rivers. Does "If I have to spend 50 days disposing of my waste in a way that doesn't harm others I'm not gonna do it. I'm just gonna dump it somewhere else" sound acceptable?

Modern society has mostly decided it's not.

I am not advocating that people break privacy laws. I am instead advocating that US internet businesses simply stop doing business with EU customers.

If the EU doesn't want these services, then hopefully these services will decide to leave, and the EU citizens can decide if it was all worth it.

I am certainly going to block EU customers on all my future side projects. It really isn't worth the bother for something that I just made for fun and that isn't making much money. Easier to just block this small market wholesale.

I even found a way to block them with a single line of frontend code!

Small sidenote here. I'm the creator of https://documentation.agency/ and I've seen quite a few devs actually choose their tech/libraries based on the quality of the documentation.

I agree with you in everything though, everyone should be reading and following the law!

"This is an 88 page document with extremely dry language"

It starts along these lines after the usual intro:

"The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality"

I'll grant you that lacks a certain something but the language is compatible with another well respected charter of rights that you should be more familiar with.

FFS, do you not notice the similarities!

Don't forget the brilliant and deeply meaningful paragraph 37:

"A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings."

Even without any context that seems pretty clear.

I'm guessing you're hinting at the Universal Declaration of Human Rights? It's not well-known or well-regarded in the US.

Sadly, this is true.

Are there no laws in the US?

Not if you are rich, and many small business owners labor under the delusion that they will be the next Gates or Zuckerberg.
"No wonder many American services would rather shut out EU users than comply."

Good bye and good riddance. And I don't really care if the door hits you in the ass.

If Instapaper, to name an example, wouldn't do shady shit with user data, there would be no reason at all to forgo the European market.

If you have developer computers with client data on it, semi-anonymized or not, I want you fined until you stop. What the hell is wrong with that hypothetical business?

It's like restaurants putting the toilet in the kitchen. Shut the business down!