by Mirioron 2627 days ago
I don't view GDPR to be quite as useless as the author does, but the point about the user having to protect their data themselves is spot on. GDPR only protects you against good actors that are under EU jurisdiction. Everyone else could very well be doing whatever they want with the data you leak. The EU can't fine a Chinese company if the Chinese company has no presence in the EU.

Another thing the author doesn't mention is that GDPR sets a minimum amount of cost/effort to run a website that's way beyond the actual hardware cost and the cost of making the website itself. It requires every website operator to be familiar with how GDPR works, because you need to know whether you're collecting personal data (you probably are) and how you need to handle it. Furthermore, if you are collecting personal data then you must respond to emails of users who request to know what data you know about them within a set amount of time. In the case of a small website, such as a forum or blog, I would consider the cost imposed by GDPR to be greater than the cost of making the website itself and renting hardware to run it. I think it disproportionately impacts smaller sites. It essentially leads to small sites simply breaking the law and hoping that nobody complains about them.


That's the general issue with regulation, it protects the existing large players in a space by adding a higher barrier to entry for competitors. So now instead of hosting your own forum or website you'll use Squarespace or Discord or Disqus instead.
You can host your own forum. And if you do it as purely personal activity, then GDPR does not apply.
Is running a forum a purely personal activity? I'm not so sure. It certainly won't be if you have any third party services running on it.
Why not? You can set up a family forum, to share stories, pictures, etc. That's household-y and personal. Fits the definition from the law pretty well.

There's some thinking about what constitutes purely personal activity ( https://ec.europa.eu/justice/article-29/documentation/other-... ) usually the test is whether it can potentially reach anyone in the public, is some financial/professional gain for the operator, etc.

> I'm not so sure. It certainly won't be if you have any third party services running on it.

Those are handled in the text too. Basically the controller / provider / operator of said 3rd party service has to be GDPR compliant, not the user. (So if you fire up a WordPress blog, you probably don't have to worry about it.)

As I read it, it specifically doesn't cover things which are not economic activities and not professional activities. You running a website yourself and not as a business may or may not fall into that. It is not necessarily the colloquial definition of personal.

A personal website may have donations, may have ads, may act as advertising for your professional career, may be used to find jobs for yourself, may be used by people to trade items to each other, etc, etc. Those may be covered by GDPR and without a lawyer (ie: money) I have no idea.

First of all, GDPR does not apply to personal sites. ( https://law.stackexchange.com/a/28086 - see current "in force" version of the directive: https://eur-lex.europa.eu/eli/reg/2016/679/oj see recital 18)

> [...] GDPR sets a minimum amount of cost/effort to run a website [...]

This is simply false. If you want to post something on the 'net, nothing changes. You want to count page downloads? (You know those old school CGI counters.) Nothing changes. You want to know how many individual visits you got? Well, you need to try to distinguish between new and returning visitors, hence you might put a cookie on the visitor's browser/client/useragent, now you need to ask nicely, because it's eerily easy to use that cookie for a lot of other purposes. (Similarly if you would try to use something else, like IP address, and/or browser fingerprinting.)

And so on. Yes, I like pretty graphs about visitors (browser screen size distribution, fancy geoip charts, etc), but so do the people that live off the not so innocent usage of this kind of data.

And yes, if you collect personal data, then you should be able to protect it. This was always the case, GDPR simply states this and tries to create a mechanism that forces data holders to act accordingly (via the mandatory data breach reporting). Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.

> I think it disproportionately impacts smaller sites.

Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.

GDPR at least makes WordPress, discourse, and random blog and forum engines able to deal with the reality of how much value their databases represent nowadays.
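The comment above contrasts a plain hit counter (nothing changes) with counting unique visitors, which needs some identifier and therefore starts to look like tracking. As an added example, not code from the thread or from any of the projects it names, the following Python shows the difference concretely: a stable token derived from IP plus User-Agent can link a visitor across days, while a token keyed with a random per-day salt that is discarded once the day's count is final cannot. The log lines, the salt handling and the 16-hex-character token length are all constructed assumptions for the demo; hashing the IP is still processing of personal data at that moment, the approach only limits what is retained.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample access log: (day, client IP, User-Agent).
# Not a real log; RFC 5737 documentation addresses are used.
SAMPLE_HITS = [
    ("2018-05-25", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("2018-05-25", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("2018-05-25", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2018-05-26", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("2018-05-26", "192.0.2.44", "Mozilla/5.0 (Macintosh)"),
]

# Assumed long-lived site secret, standing in for what a persistent cookie
# or a fixed hash salt gives you: the same visitor maps to the same token
# on every day, so visits are linkable across days.
STABLE_SECRET = b"assumed-long-lived-site-secret"


def _token(key: bytes, ip: str, ua: str) -> str:
    """HMAC over IP and User-Agent, truncated to 16 hex chars (assumption)."""
    msg = f"{ip}\n{ua}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def stable_token(ip: str, ua: str) -> str:
    """Token that stays constant across days: effectively a tracking ID."""
    return _token(STABLE_SECRET, ip, ua)


class DailyUniqueCounter:
    """Counts unique visitors per day with a random salt that is never
    persisted and is thrown away when the day is finalized, so tokens
    from different days cannot be joined later."""

    def __init__(self) -> None:
        self._salts: dict[str, bytes] = {}
        self._seen: dict[str, set[str]] = defaultdict(set)
        self.final_counts: dict[str, int] = {}

    def _salt_for(self, day: str) -> bytes:
        if day not in self._salts:
            self._salts[day] = os.urandom(32)  # fresh, unpredictable per-day key
        return self._salts[day]

    def token(self, day: str, ip: str, ua: str) -> str:
        return _token(self._salt_for(day), ip, ua)

    def record(self, day: str, ip: str, ua: str) -> None:
        self._seen[day].add(self.token(day, ip, ua))

    def finalize_day(self, day: str) -> int:
        """Store only the integer count, then forget the salt and the tokens."""
        count = len(self._seen.pop(day, set()))
        self._salts.pop(day, None)
        self.final_counts[day] = count
        return count


def count_with_rotating_salt(hits) -> dict[str, int]:
    counter = DailyUniqueCounter()
    for day, ip, ua in hits:
        counter.record(day, ip, ua)
    for day in {h[0] for h in hits}:
        counter.finalize_day(day)
    return dict(sorted(counter.final_counts.items()))


def links_across_days(hits, token_fn) -> bool:
    """True if any token produced by token_fn(day, ip, ua) shows up on
    more than one day, i.e. the scheme can follow a visitor over time."""
    days_by_token: dict[str, set[str]] = defaultdict(set)
    for day, ip, ua in hits:
        days_by_token[token_fn(day, ip, ua)].add(day)
    return any(len(days) > 1 for days in days_by_token.values())


if __name__ == "__main__":
    counter = DailyUniqueCounter()
    print("unique per day:", count_with_rotating_salt(SAMPLE_HITS))
    print("stable scheme linkable:",
          links_across_days(SAMPLE_HITS, lambda d, ip, ua: stable_token(ip, ua)))
    print("rotating scheme linkable:",
          links_across_days(SAMPLE_HITS, counter.token))
```

The stable scheme reports the same visitor on both days and is exactly the kind of identifier the comment says you "need to ask nicely" about; the rotating scheme still gives the daily unique count but, once `finalize_day` has run, nothing is left that can be replayed against a later log. Caveats a practitioner would want: several people behind one NAT with the same browser collapse into one token (undercount), and raw server logs containing IPs would have to be treated separately from this counter for the scheme to mean anything.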

I'd say that medium sized sites are more troublesome in that regard. Once a site has grown big enough to become cumbersome for one person to manage, but not large enough for most to justify staff, then you have an issue. There shouldn't be any excuse for a small site to fall behind with updates, etc... It's simple.
Absolutely. This is the typical problem of small-medium sized shops everywhere around the world. If you're just a really small one-man army, big companies don't really care. If you are getting bigger, suddenly you will find competition and a lot of regulatory burden. (Most startups usually fail at this point as far as I know.)
>First of all, GDPR does not apply to personal sites

No, as I read it, it excludes sites that do not engage in economic or professional activity. It is specific about what personal means and its definition is not necessarily the colloquial definition of personal.

So, as a layman, by my reading getting donations makes your site covered, running ads make it covered, allowing people to sell things makes it covered, people connecting for jobs makes it covered, using it as advertising for your professional career (ie: blog post that says you're looking for a job) makes it covered, etc.

Or maybe it doesn't cover those, but then I'd need (and thus need to pay) a lawyer to know, wouldn't I? Lawyers aren't cheap compared to the cost of modern web hosting.

>First of all, GDPR does not apply to personal sites.

And next to no websites actually fall under this exemption. Furthermore, simply knowing that your website falls under this exemption comes with a cost. You must know that your website falls under this exemption, requiring you to know GDPR and/or requiring a lawyer to look it over (high cost).

>This is simply false. If you want to post something on the 'net, nothing changes.

Simply having to know what GDPR is, what it covers, and whether you fall under it has a cost. So the statement that nothing changes is patently false.

Also, I'm pretty sure that by default most software that serves websites would already put you under GDPR, because it collects IP addresses and they're considered personal data.

>Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.

So, because there were other limiting factors for them we might as well make it illegal to run such websites? I guess I can understand why the EU's tech sector is doing so poorly.

>Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.

But it's not about that. It's "if you handle any data then you must constantly be available to tell users what data you have about them". This, ironically, puts people's data at risk, because suddenly you forced website owners to reply to phishing requests. What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.

Of course, just as with any piece of regulation, some might affect you without you ever knowing it.

Furthermore, you seem to be mixing things up with outright falsehoods. If you are a user, and you want to use a service that provides publishing, let's say tumblr/medium, you don't have to worry about anything. If you are a - let's say - power user, and you want to set up a website, then you set up - again, let's say - WordPress, then you don't have to worry about it, because it's a purely personal activity and the providers of the trackers have the burden of compliance here.

I'm not saying "yaay, it's the best thing ever", and it'll surely change as courts and data protection authorities of member states interpret and apply the regulation (and then cases against those go through the courts), but it's certainly a serious attempt at some sort of ideology about personal data. And the tracking and cookies are completely irrelevant most of the time. (After all, almost all sites really don't know and gather more than your IP address and your user-agent.) However. Malicious users can inject all kinds of CSS-based history-leaking nasty stuff, and big players like FB and G can naturally feel that building a universal profile based on your activity and data and visits of other sites (where G or FB is embedded), and that's what this is about. That now there's a decision that you have a right to know what G/FB/etc does with your data. What that profile looks like and what happens to it, who has access to it, and who does what with it.

> What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.

Great point. It leads to a very important discussion about security. Sites are very lousy when it comes to social engineering. (And this is somewhat covered already: https://gdpr-info.eu/recitals/no-64/ )