by simplysimple 2717 days ago
My guide to being GDPR compliant: don't do business in the EU.

Much simpler.


Sounds amazing, to be honest.

I'm quite enjoying the weird interstitial pages from a variety of US-based sites that block EU users. It's like a massive billboard saying "WE ARE USING YOUR DATA IN WAYS THAT YOU DON'T CONTROL", and is a reminder to use other services elsewhere.

GDPR is relatively straightforward to comply with, particularly for the simpler kind of sites that don't seem to have bothered. It basically codifies the sort of best practice that should have been in place already, and I'm sure many of us are happy to see that there is movement towards regulating the disastrous dumpster fire of personal data in this way.

It’s not at all simple for ad supported publishers who are the most prominent users of the blocking.

It may be a case where this is the intended consequence of the law, but it wasn't sold that way ahead of time.

European publications are being even more impacted by this as they can’t resort to blocking. It will be very interesting how this impacts the publishers in the next few years.

Here's the kicker - most European online publications were already in compliance. GDPR is only slightly more stringent than most EU privacy laws on file.

The biggest complaints come from foreigners, if you haven't noticed.

No one knows if they are in compliance or not yet. For instance https://www.bankinfosecurity.com/fresh-gdpr-complaints-take-... outlines a complaint that all of real time bidding that is compliant with the IAB compliance framework is not compliant with GDPR.

Major publications, for instance Der Spiegel, which are trying to be compliant by following that standard (and they had to do major work to do so) may find they are out of compliance http://www.spiegel.de/extra/what-we-do-with-your-data-a-1211...

Similar complaints have been brought against publishers that used Google's compliance framework.

> GDPR is relatively straightforward to comply with, particularly for the simpler kind of sites that don't seem to have bothered.

For a small site, having to appoint a representative in the Union might not be straightforward. See Article 27. They might be excused from this requirement by meeting the three conditions given in Article 27(2)(a), but that is vague.

> My guide to being GDPR compliant: don't do business in the EU.

> Much simpler.

As an American, could you please tell me what businesses you run, so that I can make a note to avoid dealing with them in the future?

Thanks in advance.

It's going to be funny when we learn he works for the IRS. ;)

My company is over and above compliant with the requirements of the GDPR - not because we bothered to give a crap about the EU, but because we did it on our own years in advance, of our own volition and the need for heavy data protection.

As an American, I'm surprised you aren't skeptical of a foreign government trying to control what you do.

How not to pay taxes: don't sell anything.

It's a foolproof plan really.

> How not to pay taxes: don't sell anything.

You jest, but this is exactly what at least one of my businesses is about to do. We are in the UK, so Brexit uncertainty dominates any sort of EU-related planning for the next few months. The EU VAT rules for digital sales were already full of complication and red tape, and right now we don't even know whether the existing UK government systems will still be operating after the end of the current quarter on 31 March because it might all disappear with Brexit on 29 March.

When we took professional advice on how to prepare for this as well as we can under the circumstances, no-one in the room had any confidence in what little formal guidance exists so far or that the official positions currently set out by either the UK or EU governments will be realistic when the time comes. The consensus (by which I mean "view strongly advocated by literally every professional advisor in the room") was to suspend sales to rEU states until the dust has settled, and just redirect our efforts and finite budgets towards customers elsewhere in the meantime. That will inevitably involve some short term financial cost, but then so would making major changes in our technical systems and accounting practices at short notice to comply with all foreseeable possibilities at the start of April.

I don't find it inconceivable that lawyers in places like the US might give similar advice to some clients regarding the GDPR for similar reasons. If the clients are primarily dealing with data subjects outside the EU as well, avoiding the entire area as much as possible might be a reasonable position to take, even if again it's only temporarily until there is more known about the real implications of the GDPR as guidance and the first enforcement actions start to resolve the uncertainties.

Hang on a sec, I'll move my EU-based company's entirely EU customer base as well as all of our EU citizen staff and EU-based suppliers... oh wait.

Thanks for staying away! If you're not interested in caring about our privacy and personal data concerns, you're very welcome to shove your products up to where the sun doesn't shine...

These kinds of responses are unhelpful. Yes, data protection is incredibly important. That doesn't mean that GDPR as written is a well-done regulation - in point of fact it's insanely complicated and it's pretty much impossible to know whether or not you comply, even if you store zero data about users. It also doesn't mean that people who don't want to deal with GDPR don't care about privacy. Tarring and feathering someone for such things is lazy and unfair.

> in point of fact it's insanely complicated

I disagree. I'm not sure what you've read about GDPR, but see the link I posted above. If you read the ICO guidance and still think it's insanely complicated, I'm not sure what to suggest because by that yardstick any legal matter is going to be insanely complicated and you'd be saying the same about any legislation. Do you have an example of any legislation that you'd say is better?

> If you read the ICO guidance and still think it's insanely complicated

Just the scale of the ICO's guidance -- which still primarily covers only general principles without getting much into specific practices and concrete examples -- tells us that this is a complicated issue.

I didn't mean to imply that it wasn't complicated - any legislation is going to need careful consideration because the wording is paramount. I was objecting more to the rather overheated phrase "insanely complicated," particularly when a counter-example of legislation that isn't "insanely" complicated wasn't given. Insanely complicated compared to what?

> Insanely complicated compared to what?

I'd suggest that one obvious comparison is with not having the GDPR.

I know my own businesses spent considerable time and money understanding the implications and updating our documentation to comply with the new requirements. However, that was basically all we changed in the end, because we weren't doing anything particularly unusual or dodgy in the first place. In other words, for us, the whole thing was basically an expensive box-ticking exercise with no real benefit to anyone.

I imagine there are many other small businesses that could tell a similar story. The most likely alternative for those that can't is probably that they're not compliant, either deliberately or through ignorance of their new legal obligations, so that still doesn't benefit data subjects in any useful way.

It seems realistic to estimate that several billion pounds has been spent on this sort of paper-pushing exercise in the UK alone, which does suggest some level of rhetorical insanity here if it hasn't really benefited anyone in any measurable way. Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at, but until we start seeing evidence of real benefits for the average person in the street, I for one will remain sceptical about whether all the extra red tape and complexity was justified.

> it's pretty much impossible to know whether or not you comply, even if you store zero data about users.

Can you explain how you store zero data but you are not sure? Are you referring to the fact that you include third party code or use third party services?

The fact that the laws are not simple is because they need to define things very specifically to make it impossible for "clever" people to interpret them differently than the "spirit of the law".

Servers have logs, which can have a lot of personal data in them. Not all of that logging is under your control, especially if you rely on 3rd party services like AWS. This is a simple example but there are many more.

I get what you're saying here, but if those [for example] logs contain personal information, and those logs are exposed (or have the possibility of being exposed) then that information should be redacted. Sure it's often not trivially simple, but it's your responsibility (AWS seems a weird example to use as well, given that any logging facilities actually provided by them offer redaction).

What logs are you thinking of? There are none that I can think of that require a lot of personal data. IP address storage is explicitly covered provided you log them for security etc.

An exception stack trace containing the data of a customer object could put in a name by accident, for example. And then you're in trouble. The third parties you use could be storing data, even if they tell you they don't. If they do you need to get a DPA signed up. You might still need a DPO, and so on and so forth. It's a massive undertaking for any org of a reasonable size.

Worth it in the long run, as once we're used to it and tweaks to the law happen to make it easier/better? Sure. Easy? Heck no.
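The log-redaction point in the exchange above (logs and stack traces carrying personal data by accident), as an added example that is not from any commenter in the thread: a Python logging filter that scrubs e-mail and IPv4 addresses from both the message and the rendered traceback. The Customer class, the regex patterns and the sample values are constructed for the demo.

```python
import io
import logging
import re
import traceback
from dataclasses import dataclass

@dataclass
class Customer:  # hypothetical record standing in for the thread's "customer object"
    name: str
    email: str
    ip: str

# Constructed patterns for two kinds of personal data the thread mentions.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def redact(text: str) -> str:
    """Replace e-mail and IPv4 addresses with fixed placeholders."""
    return IPV4_RE.sub("<ip>", EMAIL_RE.sub("<email>", text))

class RedactingFilter(logging.Filter):
    """Scrub the message and the traceback before any handler writes them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        if record.exc_info:
            # Render the traceback here so its exception text is scrubbed too, then
            # clear exc_info so the formatter appends exc_text rather than re-rendering.
            record.exc_text = redact("".join(traceback.format_exception(*record.exc_info)))
            record.exc_info = None
        return True

def capture_log(customer: Customer) -> str:
    """Log a billing failure through the filter and return what would reach the log."""
    stream = io.StringIO()
    logger = logging.getLogger("gdpr-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    try:
        raise ValueError(f"cannot bill {customer}")  # careless: whole object in the message
    except ValueError:
        logger.exception("billing failed for %s from %s", customer.email, customer.ip)
    return stream.getvalue()
```

Running capture_log(Customer("Ada Lovelace", "ada@example.com", "203.0.113.7")) turns the addresses into placeholders, but the name still appears in the ValueError line, which is exactly the accident the comment describes, so the durable fix is to raise and log with a customer id rather than the object.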

So when you said "even if you store zero data about users" you meant "except for when you store data about users."

Okay then...

Obviously, the number of people who think that GDPR and its rollout has gone perfectly is probably zero.

I think the reason there's so much defensiveness about GDPR is because it is legitimately a rare and valuable victory of data privacy advocates. From that perspective, the smug "just don't do business in the EU" meme might seem like a sentiment that ignores that victory so much that many probably assume it was born out of hostility to data privacy advocacy.

Frankly, I think that GDPR was rolled out quite well. And I think there was way more fear mongering and intentional confusion by the "no regulations should exist ever and all are badly horrible" crowd than actual problems with the legislation or its rollout.

I did see institutions doing unnecessary crazy things or waking up a day before it went valid etc. There is no way this was avoidable entirely and given people trying to lobby against it by essentially lying, all in all it went quite well.

So the post i replied to was helpful/constructive?

I am not even thinking that GDPR is implemented/written very greatly, and I was fearing too that it will mainly help to put small businesses out of any product category where storing even just an email address is necessary (e.g. have a login and want to enable users to restore a forgotten password) while big companies have their lawyers to allow them to keep abusing our data on the edge of legal possibilities and not to our favour...

So I'm not yet sure if having no GDPR is better or worse than having none... Just, simply saying if you have data protection laws I avoid your market without any detailed reason or proposal how to improve doesn't bring us forward...

That reply was pretty bad as well. But at least he didn't tell someone to shove things up their butt.... :-)

Not explicitly - nor did I, you know, the sun don't shine in many places - but implicitly it was saying I should do just that with my privacy expectations and our laws about them.

The U.S. market? ;)

Yes! There you can let yourself get sued for a few millions because you didn't mark a coffee cup as containing hot stuff or didn't write in the usage instructions of a microwave oven that it's unsuited to dry a cat after bathing... much simpler, clearer, and safer market there...