As much as I like the idea of "right to be forgotten", it seems to me that an unintended consequence is that non-technical people hosting forums/blogs etc. will be at risk of GDPR requests that they cannot comply with due to lack of technical skills. This will have a silencing effect for people wanting to operate non-profit sites as they won't be able to afford to comply with such requests. They will be forced to either shut down, or be in breach of law.
Perhaps some people will say "good, if you cannot run a site conforming to all laws of the land then you should shut down". If you think that, consider this: as these laws pile up it will get more and more difficult to operate, leaving only the very tech/law savvy, and big business.
This is not the democratization of information that the web promised oh so many years ago.
On a semi-related note: if you are a small SaaS operator wanting to comply with such requests, what are you meant to do about your DB backups that contain data that is meant to be forgotten?
I think most of the larger forum software providers have implemented functions to comply with GDPR (i.e. delete, restrict and extract user data).
Concerning backups: If you have a short turnaround time (e.g. 14 days) it shouldn’t be a problem, the legislation acknowledges the fact that deleting data and ensuring data integrity (also in accordance with GDPR) are sometimes mutually exclusive from a practical point of view. You need to make sure that deletion requests also get honored when restoring from backup though, so ideally you want to store the requests in a third system and check them when you restore backups.
Concerning the democratic aspect of participating in the online world I think GDPR actually helps, as before it was not possible to reliably get your own data deleted, rectified or transferred, which is not very democratic either IMHO.
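One way to implement the "third system" for deletion requests described above, as an added example that is not the poster's code; the JSON snapshot layout, the ledger fields and the forum tables are assumptions:

```python
"""Erasure ledger replayed on backup restore (added example, not from the thread).

Assumed (hypothetical) layout: the forum database is backed up as a JSON
snapshot with ``users`` and ``posts`` tables; erasure requests are appended to
a JSON-lines ledger kept in a separate system, so a restore never brings back
a record the operator has already agreed to erase.
"""
import json

# Constructed snapshot, taken *before* alice's erasure request arrived.
SNAPSHOT_JSON = json.dumps({
    "taken_at": "2024-03-01T02:00:00+00:00",
    "users": [
        {"id": 1, "name": "alice", "email": "alice@example.org"},
        {"id": 2, "name": "bob", "email": "bob@example.org"},
    ],
    "posts": [
        {"id": 10, "author_id": 1, "body": "first post"},
        {"id": 11, "author_id": 2, "body": "hello everyone"},
    ],
})

# Constructed ledger (one JSON object per line). The rejected entry models a
# request refused because the data is still needed for a legitimate purpose;
# the right to erasure is not absolute, so the ledger records the outcome.
LEDGER_JSONL = "\n".join([
    json.dumps({"subject_id": 1, "requested_at": "2024-03-05T09:30:00+00:00",
                "status": "honoured"}),
    json.dumps({"subject_id": 2, "requested_at": "2024-03-06T11:00:00+00:00",
                "status": "rejected", "reason": "retained for an open dispute"}),
])

PLACEHOLDER_BODY = "[removed at the author's request]"


def load_snapshot(text):
    """Parse a backup snapshot exactly as it was written to disk."""
    return json.loads(text)


def load_ledger(text):
    """Return the set of subject ids whose erasure must be (re)applied.

    Every entry that is not explicitly rejected counts: a request that is
    still pending must not be undone by a restore either.
    """
    entries = [json.loads(line) for line in text.splitlines() if line.strip()]
    return {e["subject_id"] for e in entries if e.get("status") != "rejected"}


def apply_erasures(snapshot, subjects):
    """Return a copy of the snapshot with every ledger subject scrubbed.

    User rows are dropped; their posts stay as placeholders so that thread
    structure survives, but author and content are removed.
    """
    users = [u for u in snapshot["users"] if u["id"] not in subjects]
    posts = []
    for post in snapshot["posts"]:
        if post["author_id"] in subjects:
            post = {**post, "author_id": None, "body": PLACEHOLDER_BODY}
        posts.append(post)
    return {**snapshot, "users": users, "posts": posts,
            "erasures_applied": sorted(subjects)}


def restore(snapshot_text, ledger_text):
    """Restore = load the snapshot, then replay the ledger before going live."""
    return apply_erasures(load_snapshot(snapshot_text), load_ledger(ledger_text))


def residual_subjects(data, subjects):
    """Ledger subjects still present in the data set; empty after a good restore."""
    present = {u["id"] for u in data["users"]}
    present |= {p["author_id"] for p in data["posts"]}
    return sorted(present & subjects)


if __name__ == "__main__":
    restored = restore(SNAPSHOT_JSON, LEDGER_JSONL)
    print(json.dumps(restored, indent=2))
    print("residual:", residual_subjects(restored, load_ledger(LEDGER_JSONL)))
```

The `residual_subjects` check is the part worth wiring into the restore runbook: a restore that leaves it non-empty should not be promoted to production.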
>Concerning the democratic aspect of participating in the online world I think GDPR actually helps, as before it was not possible to reliably get your own data deleted, rectified or transferred, which is not very democratic either IMHO
This is where the GDPR has really helped me. I posted a comment on a blog critical of a government data sharing initiative. Nothing illegal, or questionable - it was a simple two sentence opinion comment which I posted under my real name. I didn't stop to think for a minute that it would cause me any problems.
It did. I discovered that I couldn't get to work on any government projects because when a background check was carried out on me, the above comment was found and according to Revenue (the gov agency responsible for such checks) it indicated that I was hostile to the government's IT plans.
I asked the blog owner (same country as me) to please remove the comment, they refused. So I submitted a right to be forgotten request to Google to stop the blog post appearing in searches for my name.
Ireland? In Ireland, civil servants are not allowed to express political affiliation or opinion, so rather than it being a case of "we don't like what you said", it would be a case of "you said something political, and it persists."
I'm not sure if the contract for Revenue is exactly the same as the civil service, but I would presume on this front it is very similar.
There have been three occasions where the IT contracting firm I was working for sent me to work on government IT projects as a contractor. None of them were for Revenue, but it is Revenue who do these checks for all other departments. On one occasion my employer managed to pull a few strings to get me on the project (DSP), on the other two I was told no government work for me (HSE and DoT).
On one of the three occasions I was forwarded an email from Revenue that said "he expresses a desire for personal privacy that indicates he would be unwilling to fully embrace the government's data sharing strategy".
I did write to a few news outlets about this, none were interested. Even the ICCL wasn't interested, which really surprised me.
> I discovered that I couldn't get to work on any government projects because when a background check was carried out on me, the above comment was found
Thank you for your thoughtful response and information. I need time to digest this information to see how it affects my opinions, which might take longer than the half life of this discussion, so my apologies in advance for probably not responding :-)
> Lots of software has functionality most users can't use
If you are using software to process my personal data, and you don't know how to do that while protecting my personal data, then I'd like you to stop using that software right away.
> On a semi-related note: if you are a small SaaS operator wanting to comply with such requests, what are you meant to do about your DB backups that contain data that is meant to be forgotten?
You record that these people need to be scrubbed if you restore backups, and you delete old backups.
The ICO has excellent guidance on this and other subjects:
> This will have a silencing effect for people wanting to operate non-profit sites as they won't be able to afford to comply with such requests
I can't understand what your question is.
There's absolutely no reason someone can delete spam from their public forum, but can't delete people's phone numbers from items that are pointed out to them.
If they have no search capabilities, and don't use a search capability, they're not required to create one.
The GDPR is extremely easy to comply with; European companies have been doing it for a long time (before it gained the force it has now) because it's largely a unification of existing data protection laws.
> [...] it seems to me that an unintended consequence is that non-technical people hosting forums/blogs etc. will be at risk of GDPR requests that they cannot comply with due to lack of technical skills [...]
If it's only due to technical skills then this problem can be solved technically.
The forum software needs to enable people to be GDPR compliant.
> On a semi-related note: if you are a small SaaS operator wanting to comply with such requests, what are you meant to do about your DB backups that contain data that is meant to be forgotten?
This hasn't been tested in court, yet. But there are several possible approaches. Like delete on restoration or backing up in slices, so that the personal data becomes anonymous unless you have all the parts.
Don't forget that the "right to be forgotten" is not an absolute right. It doesn't trump everything else. Nobody would expect somebody to sue ESA for their "right to be forgotten" for a public message that they could send to ESA to put on a CD on a probe they sent into space and win.
First of all, it forces everybody involved with personal data to think about how they handle personal data and inform the users about that.
If you state "due to technical limitations, your personal data in backups can't be erased at the time of the request but will be deleted on restoration" up front during the signup of the user, this is already an improvement over the past where nobody knew what happened with their data.
>> Fuck the GDPR, they have no more authority over me than China or North Korea does.
You are probably not trading with North Korea, so ignoring their laws has zero impact on anything. China is already getting more tricky though, although they are not choosing to throw their entire weight behind enforcing their demands abroad (yet).
But ignoring the demands of the largest trading block on the planet? That's not going to go well if you do any sort of business with the EU. Unless you can just afford to ignore all EU customers entirely.
And no, thank fuck for the GDPR, it's a great legislation.
The EU is not a single trading block; it's many many individual trading blocks, all different cultures and languages; the US is the single largest trading block in the world. And no, the GDPR is awful legislation; the notion that every foreign country can simply declare jurisdiction over other countries' citizens violates national sovereignty and is flat out disgusting and will not stand.
2) I don't think you understand how GDPR works at all. GDPR says that data about EU citizens has to be processed in a certain way. If you want to do business with the EU, you have to comply. If you don't want to comply, you don't get to trade with the EU. No one is claiming jurisdiction over other countries - it's simply a matter of agreements. Just like the EU respects certain American laws just because it wants to trade with the USA and it was requested. It's a mutual thing.
I was quite clear what I meant by trading block, I wasn't aware that was a specific term of art, but that's not what I meant regardless and that's clear from my response.
I understand it just fine, perhaps you don't understand what I'm saying. No, if an EU citizen comes to my US website, that does not grant the EU authority over me no matter what they claim. I live under US law, not EU law, not Chinese law, not North Korean law. Those countries are free to pass laws claiming they have jurisdiction over me when I do business with their citizens, but claiming it doesn't make it true. No I do not have to comply, the EU has zero authority over me no matter who I do business with _unless_ I'm in the EU where they can do something about it. They can attempt to stop their citizens from using my website, but it is not upon me to do so.
There is no agreement between the US and the EU to respect the GDPR, it's an untested assertion of global authority that cannot stand. The world cannot function if every country can assert every citizen in the world must comply with its laws because their citizens came to my US website. That's a violation of national sovereignty and it will fail when the EU tries to assert that authority and the US courts say, sorry, but no, you don't have jurisdiction over our citizens which is what's going to happen.
The EU can and will enforce the GDPR within its borders, that's expected; outside its borders, it has no jurisdiction and no teeth; I don't have to give a damn about EU law while operating my US business in the US. That a visitor comes from outside the US does not change that my business is in the US. I do not have to obey other countries' laws.
>>No, if an EU citizen comes to my US website, that does not grant the EU authority over me no matter what they claim.
You have it backwards. It's not an EU citizen coming to your US website - it's your US website choosing, willingly, to serve EU citizens. You can also choose to not serve them - that's fine. And yes, EU cannot fine you in any way, there's no legal possibility to do that. However, if your operation was detrimental to EU citizens in any way, EU could ask US to cooperate in asking you to stop. Obviously US has the jurisdiction to do something about it, there's no question about that.
To maybe give a different example - if you were selling something that is legal in the US but not legal in the EU, advertising it, selling it and shipping it to EU customers could still get you in trouble, because at a certain point the EU will ask US authorities to stop you from sending illegal products to their territory. You are not breaking US law, but countries do cooperate in this manner. Same would happen in the other direction - if someone was sending drugs that are completely legal in the EU over to the US, they wouldn't be breaking EU law - but the US definitely and absolutely would ask local authorities to find you and politely ask you to stop. Does that mean the US suddenly has jurisdiction in the EU? No - but the EU would most likely comply with such a request as a matter of international cooperation.
And yes, the same request sent from North Korea or from China would likely be ignored - that boils down to what I said earlier about negotiating power and international respect. EU countries are very likely to comply with requests like these coming from US, and EU can and does request things from US. It has nothing to do with the issue of jurisdiction that you are so very keen on.
>> I don't have to give a damn about EU law while operating my US business in the US.
Again, if your US business does serve EU customers, then you kind of have to give a damn. Just like an EU business has to give a damn about US laws when doing business with US customers. It's really not a difficult concept to grasp.
The US will generally not cooperate unless said thing is also illegal in the US. The EU can ask, they cannot enforce, and the US doesn't make a habit of enforcing laws of foreign nations on citizens when said thing is perfectly legal in the US. If what I'm doing is legal under US law, the EU request will be denied. Only when the thing is illegal in both countries are such requests generally conceded to.
> It's not an EU citizen coming to your US website - it's your US website choosing, willingly, to serve EU citizens.
Wrong, they're coming to my site; I have no way to know whether they're EU citizens or not, there's a thousand reasons I wouldn't know, it's not like IP is a reliable means. People use VPNs, or EU citizens travel. The burden is not and cannot logically be on me to know where my customers come from. It's impossible to know the citizenship of your customers.
Perfect example, according to the GDPR, an EU citizen travelling in the US who uses my site from the US is still protected by the GDPR; that's horseshit and a technical impossibility; I can't know they're an EU citizen. This law was written by technically illiterate morons.
If your business wants to collect my data without providing the safety measures GDPR provides, then fuck your business, I don't want to deal with it or you.
Of course if your business doesn't collect our data, there is no issue either way.
And others would say it is unreasonable for businesses to store user data without consent and with no way to remove it. Please explain why any arbitrary site should have the ability to store user data without consent and then refuse to delete sensitive information. Are you going to accept liability if that data is leaked?
If I walk into a store, can they copy my drivers license and phone number without asking me, and then refuse to wipe my personal data from their systems?
I sincerely fail to see the downside with GDPR unless you think you have some assumed right to personal user information. Why does a site need info from me if I do not even have an account? Why do so many sites now insist that simply by visiting I agree to let them store cookies on my device?
I can store anything you give me; that you exposed me to it is consent, it's not your data unless you keep it to yourself. When you walk around a public space, you don't get to control who looks at you and logs it. The products of my labor are mine, and that includes whatever I log in public spaces.
Even in the US which is hardly a bastion of consumer privacy that’s not true. If you as a hotel owner stick cameras in every shower you should expect a set of lawsuits, even though that’s your property and the people have knowingly bought a service from you.
Neither is a store or a website, which were the examples used. But we can translate the same example given to public spaces easily: you install a hidden camera in a grating in a public square and take upskirt shots of women walking over. That’s illegal at a federal level in the US so people absolutely have a legal right to control your ability to do that.
Wrong, a store is a public place, they have cameras, more to the point I can take a photo of you in a store and you can't stop me nor do you own it.
> take upskirt shots of women walking over. That’s illegal at a federal level in the US
Only since 2004, and that's a specific exception that was made and only applies when there is a clear expectation of privacy, i.e. wearing clothes to cover your privates is a clear indication you expect that to be private. That doesn't stop anyone from taking pictures of you that you don't like though, and it only makes the area under your clothes a private space, it doesn't make the public space you're in a private place.
Responding to myself: Of course, this could have been the intention all along. It has long been recognized that big business loves difficult to conform with regulations (regardless of their protestations otherwise) because it is hard for smaller competitors to breach the effective moat that heavy/complex regulations provide incumbents.
- store as little data as needed
- protect the data in state of the art ways
- make transparent what you store and process and why
- establish a process to delete data once it's not needed anymore
It is only complicated if you want to build a company around the abuse of data, as common in the ad world.
How about "data accuracy" - you are obliged to make sure that data you store are accurate and be able to prove that you've asked users to confirm that data are accurate.
How about the duty to export user data on request?
How about player consent management? Consent updates, etc.
Those are not simple things, either to implement or to manage, especially if someone accuses you and you need to prove that you are compliant.
> Perhaps some people will say "good, if you cannot run a site conforming to all laws of the land then you should shutdown". If you think that, consider this: as these laws pile up it will get more and more difficult to operate, leaving only the very tech/law savvy, and big business.
Some things are too dangerous to the public to allow part-time hobbyists to do. We don't allow part-time hobby doctors, or lawyers, or banks, or toxic waste disposal services, and most of us think that's the correct tradeoff. GDPR puts processing people's personal data in the same category; given how much damage a careless processor of personal data can cause, that seems appropriate.
You realise this is equivalent to "the decentralised social web cannot be allowed to exist", and heading in the direction of "the public cannot be allowed general purpose computers"?
Like with almost every other Directive, the EU has made a huge mistake by not including de minimis exemptions in the regulation. In practice this isn't a problem in most countries because there isn't enforcement against tiny operators either, but the fear and confusion it creates is very real.
(On the other hand, without this kind of thing you get phone companies selling your real-time location to criminals. If only there were such a thing as a sense of proportion)
>Like with almost every other Directive, the EU has made a huge mistake by not including de minimis exemptions in the regulation.
Proportionality in the GDPR is based on the scale and sensitivity of your data activities. The size of your organisation or your technical capability is irrelevant; if you're not competent to safeguard the data you handle in accordance with the law, the EU doesn't want you to handle it. It's exactly the same principle we'd apply to toxic waste - you're not allowed to dump it in the woods just because you're a small business or a hobbyist.
Some examples of why there is no de minimis exemption:
A small charity accidentally sent a newsletter using "to" rather than "bcc". In doing so, it accidentally revealed the identities of 56 people who are HIV positive. It was fined £250 by the Information Commissioner's Office, because of the small size of the organisation and because the ICO was satisfied with steps taken to prevent further breaches.
A non-profit trade organisation with a single employee worked to facilitate information sharing between construction companies. That information consisted of files on trade unionists, political activists and advocates for health and safety, constituting an effective blacklist of "known troublemakers". The organisation's files were seized by the Information Commissioner's Office, leading to enforcement notices against 14 construction businesses; settlements under the Data Protection Act totalled over £50m.
I feel like it's only easy if the organization has no clue what they're doing... If a standard email interface allows easy slipups of sensitive data in that manner, you definitely shouldn't be using an unmodified interface.
> You realise this is equivalent to "the decentralised social web cannot be allowed to exist"
I'd put it as: the decentralised social web cannot be allowed to exist unless and until a way to do robust privacy enforcement on it can be found.
> and heading in the direction of "the public cannot be allowed general purpose computers"
Slippery slope fallacy. GDPR exists not out of some abstract desire to regulate but as a response to the massive privacy breaches that have directly affected the general public. If and when general purpose computers are shown to have a similar negative effect on society, we can have a conversation about whether regulating them is appropriate given the costs and benefits of doing so.
Rolling backups, e.g. daily and weekly, are fairly common. When the request comes in, just acknowledge there will be a time period before the deletion is fully purged from system backups - as is still legal post-GDPR. The user data will still be removed from production data, which is of primary concern.
I don't want my private info be gathered by people who have no idea what they're doing.
I understand that there are forums/websites run by people who have no idea what they're doing. And regulations like GDPR make sure that the services they are using have baseline encryption and guarantees. Like, it should encrypt passwords and private data, not store it if not necessary, and have functionality to delete users.
It is not about people running the websites/forums, it is about the software they are choosing to use. The baseline should not be "it works", but it should be "it works and provides a reasonable level of security". I know it is some work on the part of people who have no idea what they're doing, but ultimately it is up to developers to set up CMS and forum engines to comply.
Backups have many potential exceptions, some being security and archiving for the public, but there is also language like reasonable steps and to not have the data influence any future decisions.
But backups have to be stored securely, and the data within can't naturally be used if restored beyond exceptions.
It should be noted that the right of access to personal data held about you is not new to GDPR and has been law in Europe for years.
Likewise, existing law requires personal data are not to be kept longer than necessary.
For example, in the UK both of the above are law since 1998. And that only implements an EU Directive from 1995.
Sometimes I feel that the main effect of the publicity around the GDPR has been for many people to discover existing laws...
I don’t understand where’s the difficulty in answering this request? If the person doesn’t have a user account anymore on the site there shouldn’t be much data of him/her left anyway. If there is data left just collect it, send it to the person and delete it afterwards (surely there’s a way to search posts by author in their forum software). I can understand that such requests are difficult to answer for companies that run many different IT services, but this case seems pretty trivial to me.
> ThePhysicist: I don’t understand where’s the difficulty in answering this request? If the person doesn’t have a user account anymore on the site there shouldn’t be much data of him/her left anyway.
Deleting all posts in a forum by a certain user will not delete all posts in a forum by other users that quoted the user who desires to have their data deleted.
I'm not a software expert by any means, but couldn't the deletion script also do a search for quoted text, at least sufficient to comply with the reasonable steps language of the legislation?
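As an added example (not code from the thread) of the quoted-text search suggested above: it assumes a hypothetical BBCode-style forum where quotes are written as [quote=name]...[/quote] or [quote="name" post=ID]...[/quote] and may nest, and replaces every quote block attributed to the erased user with a neutral placeholder.

```python
"""Scrub quotes of an erased user from other people's posts.

Added example, not from the thread. The quote syntax, the sample posts and
the placeholder text are all assumptions made for the illustration.
"""
import re

# Any quote tag, open or close; plain words such as "[quoted]" do not match.
TAG = re.compile(r"\[/?quote(?:[=\s][^\]]*)?\]", re.IGNORECASE)
# Opening tag with an optional (optionally double-quoted) author name and
# arbitrary extra attributes; group 1 is the author or None.
QUOTE_OPEN = re.compile(r'\[quote(?:\s*=\s*"?([^"\]\s]+)"?)?[^\]]*\]', re.IGNORECASE)

PLACEHOLDER = "[quote=deleted-user]quote removed at the author's request[/quote]"

# Constructed posts by other users; alice has asked for erasure.
POSTS = [
    {"id": 11, "author": "bob",
     "body": '[quote="alice" post=10]first post[/quote]\nAgreed.'},
    {"id": 12, "author": "carol",
     "body": "[quote=bob][quote=alice]first post[/quote]I agree[/quote]me too"},
    {"id": 13, "author": "dave",
     "body": "[quote=bob]nothing from alice here[/quote]fine"},
]


def scrub_quotes(body, erased_names):
    """Return `body` with every quote attributed to an erased user replaced.

    A small stack tracks nesting so that an erased quote inside another
    user's quote is removed without disturbing the outer quote, and a
    quote nested inside a removed quote disappears with it.
    """
    erased = {n.lower() for n in erased_names}
    out = []
    open_quotes = []   # one entry per open quote: True if it is being dropped
    dropping = 0       # number of enclosing quotes currently being dropped
    pos = 0
    for m in TAG.finditer(body):
        if not dropping:
            out.append(body[pos:m.start()])   # text between tags survives
        tag = m.group(0)
        if tag[1] == "/":                     # closing tag
            was_dropping = open_quotes.pop() if open_quotes else False
            if was_dropping:
                dropping -= 1
                if not dropping:              # outermost dropped quote ends
                    out.append(PLACEHOLDER)
            elif not dropping:
                out.append(tag)               # stray or ordinary close tag
        else:                                 # opening tag
            author = (QUOTE_OPEN.match(tag).group(1) or "").lower()
            drop = author in erased
            open_quotes.append(drop)
            if drop:
                dropping += 1
            elif not dropping:
                out.append(tag)
        pos = m.end()
    # Trailing text; an unterminated erased quote swallows it instead.
    out.append(PLACEHOLDER if dropping else body[pos:])
    return "".join(out)


def scrub_posts(posts, erased_names):
    """Scrub every post; return {post_id: new_body} for the posts that changed."""
    changed = {}
    for post in posts:
        new_body = scrub_quotes(post["body"], erased_names)
        if new_body != post["body"]:
            changed[post["id"]] = new_body
    return changed


if __name__ == "__main__":
    for pid, body in scrub_posts(POSTS, {"alice"}).items():
        print(pid, repr(body))
```

Note that post 13 is left untouched: a free-text mention of the erased user inside someone else's words is not a quote, and deciding what to do with such mentions is a judgement call rather than something this script can make.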
> TheSpiceIsLife
> I'm not a software expert by any means, but couldn't the deletion script also do a search for quoted text, at least sufficient to comply with the reasonable steps language of the legislation?
By that argument Google's index of data isn't the user's data, it's Google's, but the right to be forgotten is specifically about deleting other people's copies of data about a person.
In particular the NYTimes reports on Joe Baddy doing something bad. That article arguably belongs to the NYTimes. Google indexes that article with permission from NYTimes. Right to be forgotten requires Google remove the link to NYTimes even though neither Google's index nor the article at NYTimes belong to user.
I would assume so, but are you confident that the law unambiguously permits this? This isn't a rhetorical question, as I don't know a ton about the GDPR, but uncertainty is one of the worst forms of regulatory costs, so it's not really something you can wave off without knowing how it will be interpreted.
The hobbyists may not have access to do so. Perhaps their site is on a VPS or worse, a SAAS product?
And why should a Canadian running a site on American servers have to fear EU law? Why isn't it the EU citizen's responsibility to know, understand and abide by the rules and regulations of the countries they're visiting online?
Unfortunately, it's not that clear. Per Recital 23, the service must intend to have EU users, and merely being accessible in the EU is not enough to ascertain that. It must have some signs, such as accepting European currency or mentioning advantages to European users. Thankfully most sites clearly want to accept money from all currencies, but if this corp didn't charge, it might be difficult to show that they envisaged having EU users.
If you offer your services on the Internet, and someone chooses to use them from the EU, that does not mean you "offer your services in the EU".
Or do you plan to make all of your web services "respect" the laws of 200+ countries in the world, and for that matter all the sub-jurisdictions of those countries (such as states or provinces or cities) that have their own laws? The EU is not special in that regard, they're just one more jurisdiction that the service isn't hosted in.
It is context based. In the case at hand, I think it is fairly clear that the Eve corp wants users from Europe, since otherwise other corps which take users from Europe would outcompete them. I'm not an Eve player, but my understanding is that you want your corp to be as large as possible to produce certain ships/stations? Other contexts, like a company offering investments to US based startups, are unlikely to be seen as offering services to European residents even if Europeans can create accounts there.
As to jurisdiction, you can always sit in your home country and ignore any rulings against you from other countries so long as you are sure that your own country will not extradite you for such a thing (I am confident that Canada would not extradite a Canadian resident for such a thing). Just don't ever try to cross the border into a European country.
> America set the precedent with arresting foreign nationals for breaching US laws while on foreign territory with Dmitry Sklyarov
It set the precedent for arresting foreign national for breaching US laws while on foreign territory considerably before Sklyarov's arrest in 2001; some notable prior examples include Humberto Alvarez Machain (1985) and Manuel Noriega (1989), though they weren't the earliest, either.
Insofar as Sklyarov's case was notable, it was more because the charged offenses were completely legal where they occurred, not because they were allegedly committed by a foreign national outside of the US.
In which case Americans who haven't broken American law by ignoring GDPR requests from their EU clients should not be surprised if they are arrested if they ever go to Europe.
AFAIK, GDPR is a regulation with civil financial penalties, and not a criminal law, so, yes, anyone should be surprised if they are arrested for violating it.
There is no simple answer without more context, but if they are not doing any business from those users then the answer is likely no. There are several exceptions for normal operation of running a public website on the Internet.
If you offer a Czech or Polish translation, probably: yes
If you offer a French or Spanish translation: maybe
If you run ads in Germany: certainly
If you advertise accepting Euro: most likely
If you embedded ads from an ad network which sends localised ads to Europeans: most likely
If you have a site reporting news on local events in an African municipality: most likely not
There is no clear line, as writing that down is impossible and always requires judgement. Also the question is whether EU can enforce it. If you have no European subsidiary and live abroad there is little they can do.
Are they? I don’t mean to be fussy, well maybe a little, but when you ask for something from Atlantis, and Atlantis responds, is that interaction at your place? Is it in Atlantis? Some weird combination of the two?
I don’t outright disagree, I don’t think it’s settled or even established yet.
Mail is probably going to be a big precedent. Everything from play by mail chess to ordering from Sears will have to be considered.
Since this is still a bit relevant, here's a new radical idea: Every service provider should respect its users' desires for and rights to privacy and just handle erasure requests (as far as possible) regardless of legal requirements. And if it can't handle that, it's a toxic business and shouldn't exist.
If I, as the prince of Princeton, was to pass a law that each time one of my subjects visits your website, you must pay me $1, you'd think that's mad. And you'd be right - since you're not bound by Princeton laws.
The EU is claiming that sites in other countries are bound by EU laws - and that's just as wrong as if Princeton passed the laws.
The US has a ban on banks doing business with Iran. This also affects banks that are not US-based but do business with the US (see [1]).
The banks are free to do business with Iran, but they will then get banned from doing business in the US.
The GDPR is exactly the same. The EU says that you have to comply with the GDPR if you process EU citizens' data. So companies have the same choice: comply with the EU GDPR or don't do business with the EU. I don't think it has happened yet, and I think that the framework for this is not even ready yet, but nothing would prevent the EU from banning your service in the EU if you don't want to comply with the EU GDPR.
I honestly don't understand why there is such an outcry about it. It always worked like this: you want to do business with a country, you apply the law of the country. Internet is not a magical international space with no regulation.
You can argue that this kind of law, which is a form of protectionism in a way, is bad. But it has been this way for a very long time and GDPR is absolutely not the first time such a law was put in place.
Just another example: if you are a US citizen creating a bank account in the EU, the bank (even if it is an EU bank) will have to declare it to US authorities (apparently due to your tax system that also applies if you are resident abroad).
Countries (or conglomerates of them) applying their laws world-wide has long been what the US does on the internet. It's a bit too late to put that genie back in the bottle.
Which is why I added rarely; personally I was thinking of thepiratebay trials in Sweden. I do believe both Mega and TPB are as a result of breaking US law but TPB was at least tried in Sweden and found to be breaking Swedish law, not sure if the same goes/went for Kim.
The question is: Are you breaking the Swedish law while targeting Swedish people?
For instance: Germany has laws around limiting usage of Nazi symbolism. If you create a web page glorifying Nazis and their symbols this is illegal under German law. If you run such a site targeting Americans no German state attorney or court will take the case (exceptions exist for stupidity or ego or power play reasons); however if you host a page in the U.S. aiming at German Nazis that way (for example by commenting on German politics and in German language) they will try to go after you. (Which might not lead far, as the site is probably protected by US freedom of speech, thus US authorities won't assist, but you might want to avoid travelling to Germany and countries which might cooperate with Germany)
P.S. I don't want to imply that you have any such plans for such a site, but it's a specific example working fully virtual
Legally, the EU is claiming that if you do certain things which affect EU residents, then it will declare a judgment against you regardless of where you were when you did those things.
This idea is not new and certainly is not seen as unequivocally wrong in law.
If you produce libel against someone from another country, that person may sue you in their home country. That you performed the libel in another country is not generally seen as problematic to the libel laws of most countries. The US may refuse to recognize the judgment and you are fine as long as you do not travel to said country or a country with extradition agreements.
They shouldn't, UNLESS they are physically in said country, do business in said country, or use services based in said country.
Re: GDPR, if a US or Canada based company does business in Europe, or has data for European users, they have to comply to European laws. Just like European online services have to comply with e.g. DMCA takedown requests if they want to do business in the US, or online services have to comply with Chinese censorship laws if they want to do business in China.
It is very doubtful there is any need to search posts. The data are still necessary for the purpose for which they were originally collected, and there is also an archiving exception which may apply.
If I was them I would just send the person their login profile and delete that from the site. Everything else is excepted, including backups which are kept for security.
A good community example to look at is Wikipedia. I will start to worry if and when I see them start deleting profiles and articles. Until then I see these kinds of articles as a bit of a scared interpretation of how nations might implement and apply the GDPR.
Person B describes person A without mentioning a name, e.g. by describing person A in a way which is recognizable (e.g. the pilot who shot down the Death Star).
But neither is in scope. The GDPR makes exceptions for journalistic use cases (an encyclopedia certainly counts; see Articles 85 and 89), and it does not require that you link a person (e.g. in your second case; see Recital 26) if you have no other reason to do so. If someone persists, Article 11 makes it possible to put the onus on the person to identify any data in this category.
It seems like the AggregateIQ case shows the problem with this - by obeying the request, they admit that the EU has jurisdiction over them. That's probably the wrong thing to do when they have no connection to the EU, other than people from the EU choosing to connect to a server hosted elsewhere.
It's probably the same reason why Hacker News does nothing to comply with the GDPR.
Hacker News can comply with GDPR today and choose not to comply the next day. They forfeit nothing in the process of selectively abandoning GDPR, in regards to being governed by US law and not EU law.
If my company is located in the US and only governed by US jurisdiction (eg I do not operate in the EU in any manner), there's no such concept as admitting the EU has jurisdiction over my company and granting the EU new global powers (such that I can provide the EU jurisdictional reach into the US so that it overrules or competes with US law). That isn't my decision to make if I operate inside the US jurisdiction. The US solely decides jurisdiction within its zone of political control. That is, the US has the final say legally in all regards in that case. I could choose to voluntarily comply with GDPR, however the EU has zero power to force me to. I can flip flop back and forth a thousand times, or not, it makes no difference.
If you ever find yourself wondering about these concepts, change the scenario to China. Under what scenario does the EU or US have power to dictate laws within China? None. It provides a perfect clarification every time. Nobody could possibly be confused about who is in charge of law within China.
> If you ever find yourself wondering about these concepts, change the scenario to China. Under what scenario does the EU or US have power to dictate laws within China?
> The global chief financial officer of Chinese phone firm Huawei is facing extradition to the US after being arrested in Canada.
> Meng Wanzhou, who is the daughter of company founder Ren Zhengfei, has been detained in Vancouver in relation to suspected violations by Huawei of US sanctions placed on Iran.
So not only do people have to avoid the U.S. to avoid being subject to U.S. laws, they have to avoid U.S. friendly countries too.
I think we mostly agree, especially when you bring China into it.
However, isn't the idea of forfeiting the personal jurisdiction defense? I am not a lawyer, but from what I understand, once you start debating the merits of the case, you waive the ability to claim that the court doesn't have jurisdiction.
It seems like there's a bit of a chance of that here - once you admit the EU or Chinese legal system is the appropriate place to redress things, you've given up lack of jurisdiction as a defense.
A GDPR Deletion Request is not a court case, it's a non-formal notification that you want someone to delete data about you.
Whether someone follows that request and whether the EU has jurisdiction are orthogonal issues; plenty of services offered deletion before the GDPR.
The question of jurisdiction will come up if you ignore requests or otherwise violate the GDPR and a national agency that is responsible for handling violations contacts you.
In which case you can still choose to ignore them; if you're not on EU soil, then it's up to extradition or similar laws what happens. The agency will likely file a court case (or you file), then the court will hand out the details with your national legal system; in most cases this means nationalizing any punishment. I.e., the court case will be handled and, if you don't show up after being invited, will be ruled upon in your absence. Then the fine will be forwarded to your country, where the courts in your country, with your country's jurisdiction, will then collect it, probably take a fee and then forward the remainder back to the EU. An alternative outcome would be that the entire court case is moved into your country.
Either way, complying with GDPR-related requests doesn't mean admitting the jurisdiction of the EU; disagreeing with the responsible government agencies involved is a good way to test whether those have jurisdiction.
Who has 'jurisdiction' in international law? According to your narrow definition of 'jurisdiction', nobody. Are you saying 'international law' doesn't exist? I mean, it wouldn't be wholly unreasonable; there are scholars of international law who essentially hold that position. Yet there are many others who don't. It's not as clear cut as you make it out to be.
Jurisdiction is a tricky concept in cases like these where we are dealing with digital content.
AggregateIQ could have ignored the GDPR request, ignored any rulings and kept chugging along as long as they stuck to Canada (assuming Canada was not going to side with the EU).
In short, if you're not in the EU, do not care about EU and never will, you can largely ignore the GDPR. Same as if some banana republic dictator declares you persona non grata - if you never intend to visit and otherwise have no business in that country, who cares?
The difference is that the EU is not a banana republic (opinions may vary), and so many choose to respect and accept their judgement in cases like this to stay on good terms.
>In short, if you're not in the EU, do not care about EU and never will, you can largely ignore the GDPR.
That's not entirely true. You can go to a Canadian court to enforce an EU judgement against assets in Canada. So for example, if you cause a car accident in Germany, the plaintiff can sue you in Germany to get a judgement and then sue you in Canada to enforce that judgement. How Canadian (or US or otherwise) courts will treat a GDPR judgement remains to be seen, but it's not a guarantee that it won't be enforced.
The subtitle is "[d]isgruntled ex-guildie effectively invents new way to grief in EVE" but it sounds like the request in question was sent to a website outside of EVE. This could happen with other games or, you know, websites unrelated to games at all...
Corp (guild) forums are an important part of EVE and preferred over posting news and operations on Discord for example since you can set it up to serve unique texts to each user, making it easier to find them if they leak to other corps, and hidden changes in the website that will give it away in case the corp news leak by screenshot.
I've tried playing Eve quite a few times, and it just isn't my thing. Reading about Eve, however, has always been an absolute joy.
Even comments like this (which make complete sense in hindsight) show me how much (for better or worse) people put into a "sandbox" or game like Eve.
I swear some of the stories are much better than the stuff they toss in theatres.
Indeed. This is a protection we should all really have, and there's no real reason you should be unwilling to tell a person what information you are storing on them.
I wonder if there's business in GDPR-trolling websites. Does it count as extortion if you give someone personal data and then say they must delete it or pay you money to not kick up a fuss?
Honestly, it sounds like it should be legal. Like the way ADA or CEQA trolling is. After all, that provides a valuable function.
Yes. And I think there's an astroturfing movement from large data warehouses in the US that attempt to add confusion by talking about weird cases that don't really exist.
The GDPR is actually quite simple to comply with for most people: European businesses have been doing it for years since the GDPR is largely the unification of various data protection regulations.
I suspect as more people learn that, that trolling business will fall by the wayside...
Guys, think about the ranking lists: you want your data deleted, and you kind of also have to delete all data related to that account, like everything. I can already imagine some people hacking top-100 ranking list accounts and deleting them to remove them from the ranking and get elevated themselves.
You don't have to delete everything. In the case of ranking lists, it would be sufficient to tombstone the data: replace the name with "[deleted account]" and link it to a page that explains the account data was requested to be deleted.
GDPR Deletion Requests only cover data whose processing relied on consent or the legitimate interest clause, or that is part of a protected category (sexuality, religion, etc.). Some parts of "legitimate interest" that continue to be legitimate interest (for example, billing information for tax and fraud prevention) you may continue to keep around as well.
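A worked version of the tombstone approach described in the two comments above, as an added example that is not part of the thread: public ranking rows keep their score but lose the link to a person, data held under consent is dropped, and records kept under a legal obligation or for fraud prevention survive the request. The record layout, the lawful-basis labels and the retention table are my assumptions, not anything a particular forum package does.

```python
"""Tombstone a user on an erasure request instead of deleting every row.

Added example, not from the thread: public ranking rows keep their score
but lose the link to a person, profile data held under consent is dropped,
and billing records kept under a documented legal obligation or for fraud
prevention are retained. Record layout, lawful-basis labels and the
retention table are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

TOMBSTONE_NAME = "[deleted account]"
TOMBSTONE_LINK = "/policy/deleted-accounts"  # assumed page explaining the tombstone

# Assumed retention policy: lawful basis -> survives an erasure request?
RETAIN_AFTER_ERASURE = {
    "consent": False,              # profile, avatar, marketing preferences
    "legitimate_interest": False,  # per-account analytics
    "legal_obligation": True,      # invoices kept for tax law
    "fraud_prevention": True,      # payment fingerprints
}


@dataclass
class Record:
    category: str  # e.g. "profile", "invoice"
    basis: str     # lawful basis the data is processed under
    payload: dict


@dataclass
class Store:
    users: Dict[str, List[Record]] = field(default_factory=dict)
    ranking: List[dict] = field(default_factory=list)  # rows: user_id, name, score


def erase_user(store: Store, user_id: str) -> dict:
    """Apply one erasure request; returns a summary for the audit log."""
    kept, dropped = [], []
    for rec in store.users.get(user_id, []):
        (kept if RETAIN_AFTER_ERASURE.get(rec.basis, False) else dropped).append(rec)
    if kept:
        store.users[user_id] = kept
    else:
        store.users.pop(user_id, None)

    tombstoned = 0
    for row in store.ranking:
        if row.get("user_id") == user_id:
            row["name"] = TOMBSTONE_NAME
            row["link"] = TOMBSTONE_LINK
            del row["user_id"]  # the score stays, the identifier goes
            tombstoned += 1
    return {
        "dropped": sorted(r.category for r in dropped),
        "retained": [r.category for r in kept],
        "ranking_rows_tombstoned": tombstoned,
    }


def sample_store() -> Store:
    """Constructed sample data, not real users."""
    s = Store()
    s.users["u42"] = [
        Record("profile", "consent", {"name": "Bob", "email": "bob@example.invalid"}),
        Record("analytics", "legitimate_interest", {"sessions": 17}),
        Record("invoice", "legal_obligation", {"no": "INV-1", "amount": 9.99}),
        Record("payment_fingerprint", "fraud_prevention", {"bin": "424242"}),
    ]
    s.users["u7"] = [Record("profile", "consent", {"name": "Alice"})]
    s.ranking = [
        {"user_id": "u42", "name": "Bob", "score": 9001},
        {"user_id": "u7", "name": "Alice", "score": 8000},
    ]
    return s


if __name__ == "__main__":
    store = sample_store()
    print(erase_user(store, "u42"))
    print(store.ranking)
```

The summary returned by erase_user is what you would write to a request log so that the same request can be replayed if a backup taken before the erasure is ever restored.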
There's no way to identify that the person making the request is who he/she says he/she is. The irony is that for services like Facebook, Facebook could ask for a scan of your ID/passport to confirm it's you (and would it also have to keep that scan saved somewhere in case it later needs to prove that it "authenticated" the GDPR request correctly?)
But in this case, how do you determine it's really the user? Should "Bob" identify himself by disclosing his password, and have the admin test if the login works?!
This right of access to your personal data has existed in the EU for 20 years. This is not new.
And yes, there is a need to verify IDs. Most companies don't have online forms for this so the way has always been to send an email and enquire, or to write on paper with a copy of a valid ID.
This is not new.
The question is whether data submitted under a pseudonym (e.g. forum activity) are actually personal information by law since the individual cannot be identified.
> But in this case, how do you determine it's really the user? Should "Bob" identify himself by disclosing his password, and have the admin test if the login works?!
That's one way to do it.
Another way would be to ask them to log in and set some preference (change their info field or name to "DELETE ME") or something like that.
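A third option for the verification problem discussed in the comments above, as an added example that is not from the thread: send a one-time, expiring challenge to the contact address already on file for the account and accept the request only when it comes back. Nobody has to hand over a password. The server secret, the 24-hour lifetime and the account directory are my assumptions.

```python
"""Confirm that an erasure request comes from the account holder.

Added example, not from the thread. Rather than having the requester
disclose a password, the operator e-mails a one-time, expiring challenge
to the contact address already on file for the account; returning it
proves control of that address. The secret, the 24-hour TTL and the
account directory are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # assumed: loaded from config in a real deployment
CHALLENGE_TTL = 24 * 3600                # assumed: one day to act on the e-mail
_USED_NONCES = set()                     # one-time use; persist this in practice

# Constructed account directory: username -> contact address on file
ACCOUNTS = {"bob": "bob@example.invalid"}


def _sign(payload: str) -> str:
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_challenge(username: str, now: Optional[float] = None) -> Optional[str]:
    """Build the token to send to the account's contact address.

    Returns None for unknown accounts; the reply shown to the requester
    should be the same either way ("if that account exists, we e-mailed it").
    """
    if username not in ACCOUNTS:
        return None
    exp = int((now if now is not None else time.time()) + CHALLENGE_TTL)
    payload = f"{username}:{exp}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"


def verify_challenge(username: str, token: str, now: Optional[float] = None) -> bool:
    """True exactly once, for an untampered, unexpired token issued for username."""
    parts = token.split(":")
    if len(parts) != 4:
        return False
    user, exp, nonce, sig = parts
    payload = f"{user}:{exp}:{nonce}"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False  # forged or altered
    if user != username or nonce in _USED_NONCES:
        return False  # issued for another account, or replayed
    if (now if now is not None else time.time()) >= int(exp):
        return False  # expired
    _USED_NONCES.add(nonce)
    return True


if __name__ == "__main__":
    tok = issue_challenge("bob")
    print("mail to", ACCOUNTS["bob"], ":", tok)
    print("verified:", verify_challenge("bob", tok))
```

The token is checked in a fixed order: signature first (so nothing about account existence or replay state leaks for a forged token), then account match, then replay, then expiry.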
Isn't this solved by making "Delete My Account" a self-service button on the user account page?
It really should be automated anyway. PII for billing and contractual reasons isn't covered by the right to be forgotten (as I read the regulations) because they're required for other legal reasons.
Storing it on an immutable blockchain probably violates the GDPR in the first place, at least if you have no method to render the data unreadable.
To wit, Article 25 of the GDPR ("Data protection by design and by default"):
> 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
> 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
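One technical measure that fits the "render the data unreadable" escape hatch mentioned in the comment above is crypto-shredding. This is an added example, not part of the thread: every user's records are encrypted under a per-user key that lives in a separate, mutable key store, the ciphertext goes into an append-only log standing in for a blockchain or immutable backup, and erasure destroys the key. The toy cipher (SHA-256 in counter mode plus an HMAC tag) is my choice so the block runs on the standard library alone; a real deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Crypto-shredding: honour erasure on a store that can never be rewritten.

Added example, not from the thread. Records go into an append-only log
(stand-in for a blockchain or immutable backup) encrypted under a
per-user key that lives in a separate, mutable key store; the log entry
is labelled with a tag derived from that key rather than the user id.
Erasure destroys the key, after which the retained bytes cannot be read
or even attributed to a person. The SHA-256 counter-mode keystream plus
HMAC tag used here is chosen only so the example runs on the standard
library; a real system would use AES-GCM or ChaCha20-Poly1305 from a
vetted library.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def owner_tag(key: bytes) -> str:
    """Pseudonymous label for log entries; unrecoverable once the key is gone."""
    return hashlib.sha256(b"owner-tag:" + key).hexdigest()[:16]


class AppendOnlyLog:
    """Stand-in for an immutable store: entries are added, never changed."""
    def __init__(self) -> None:
        self._entries: List[Tuple[str, bytes]] = []

    def append(self, tag: str, blob: bytes) -> None:
        self._entries.append((tag, blob))

    def entries(self) -> List[Tuple[str, bytes]]:
        return list(self._entries)


class UserKeyStore:
    """Mutable store of per-user keys; this is the only thing erasure touches."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, user_id: str) -> bytes:
        return self._keys.setdefault(user_id, secrets.token_bytes(32))

    def get(self, user_id: str) -> Optional[bytes]:
        return self._keys.get(user_id)

    def shred(self, user_id: str) -> bool:
        return self._keys.pop(user_id, None) is not None


def write_record(log: AppendOnlyLog, keys: UserKeyStore, user_id: str, data: bytes) -> None:
    key = keys.key_for(user_id)
    log.append(owner_tag(key), encrypt(key, data))


def read_records(log: AppendOnlyLog, keys: UserKeyStore, user_id: str) -> Optional[List[bytes]]:
    key = keys.get(user_id)
    if key is None:
        return None  # key shredded: the log still holds bytes, but they are noise
    tag = owner_tag(key)
    return [decrypt(key, blob) for t, blob in log.entries() if t == tag]


if __name__ == "__main__":
    log, keys = AppendOnlyLog(), UserKeyStore()
    write_record(log, keys, "u42", b"Bob, bob@example.invalid")  # constructed sample
    print(read_records(log, keys, "u42"))
    keys.shred("u42")
    print(read_records(log, keys, "u42"), len(log.entries()))
```

Note what the log never sees: the user id is replaced by a tag derived from the key, so once the key is shredded nobody can even tell which entries belonged to the erased user, let alone read them. The key store is the only component that must be mutable, and it is also the one whose backups need the short retention discussed elsewhere in the thread.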
So the GDPR is only about personal data? What are my responsibilities if I run a chan, i.e., I store no personal data about my posts other than the IP address where they originated? What if I use some tracking technology such as a cookie or localStorage to identify unique browsers regardless of their IP address?
"Personal data" is defined differently in the GDPR than in most US legislation.
>‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
An IP address or tracking cookie is an identifier. It is not, in isolation, personal data. The other stuff you store like posts and access logs become personal data if those identifiers allow you to associate that stuff with a natural person. If you strip the data of identifiers to the extent that it can no longer be connected to anyone, then it ceases to be personal data within the scope of the GDPR.
You have to make it clear to people that you're using these technologies and how long you keep their data. You should also explain how you keep this data safe.
If you suffer a data breach you have to disclose this, and you are potentially liable for it if you could've protected users from that breach by technological means (applying patches, salting passwords, encryption, and so on). If your breach includes too much personal data (*) this could be serious.
If you think you want to keep data forever, then your liabilities for that data extend forever. You should consider if this is really what you want, or if you might want to simply delete old backups and scrub identifying information after some time.
(*) The regulator will evaluate this by considering how the people that personal data is about will be affected. This is a difficult question to ask -- a chan user might at worst suffer potential embarrassment being linked to posts, so I suspect the regulator will view loss lightly, unless it could easily and reasonably be prevented.
The ICO has really good guidance about this on their website:
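The answer above makes two technical points: an IP address or tracking cookie is what turns a post or log line into personal data, and old backups and logs can be scrubbed of identifiers after some time. The following is an added example of that scrubbing, not code from the thread: lines inside a retention window keep a keyed pseudonym of the IP and session cookie (still personal data while the key exists, since the operator can recompute the mapping), and older lines lose both identifiers outright. The log layout, the 30-day window, the key and the sample lines are all constructed by me.

```python
"""Scrub identifiers from access logs on a retention schedule.

Added example, not from the thread. Lines within RETENTION_DAYS keep a
keyed pseudonym of the client IP and session cookie (still personal data
while the key exists, because the operator can recompute the mapping);
older lines lose both identifiers entirely, so what remains no longer
relates to an identifiable person. Log layout, retention period, key and
sample lines are constructed for illustration.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from typing import List

RETENTION_DAYS = 30
PSEUDONYM_KEY = b"assumed-secret-rotate-regularly"  # destroying it anonymises old pseudonyms

# Combined log format plus a trailing quoted cookie field (constructed layout)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; the addresses are documentation ranges, not real clients
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2019:10:00:00 +0000] "GET /thread/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "sid=abc123"',
    '198.51.100.9 - - [01/Mar/2019:09:30:00 +0000] "POST /post HTTP/1.1" 302 0 "-" "Mozilla/5.0" "sid=def456"',
    'not a log line at all',
]
SAMPLE_NOW = datetime(2019, 3, 15, tzinfo=timezone.utc)


def pseudonym(prefix: str, value: str) -> str:
    """Keyed, truncated HMAC: consistent per value while the key exists."""
    return prefix + hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def scrub_line(line: str, now: datetime) -> str:
    m = LINE_RE.match(line)
    if not m:
        return "-"  # never pass through something we could not inspect
    f = m.groupdict()
    age = now - datetime.strptime(f["ts"], TS_FMT)
    if age > timedelta(days=RETENTION_DAYS):
        ip, cookie = "-", "-"  # beyond retention: drop identifiers outright
    else:
        ip, cookie = pseudonym("ip-", f["ip"]), pseudonym("sid-", f["cookie"])
    return (f'{ip} - - [{f["ts"]}] "{f["req"]}" {f["status"]} {f["size"]} '
            f'"{f["ref"]}" "{f["ua"]}" "{cookie}"')


def scrub(lines: List[str], now: datetime) -> List[str]:
    return [scrub_line(line, now) for line in lines]


def scrub_sample() -> List[str]:
    """Run the scrubber over the constructed sample as of SAMPLE_NOW."""
    return scrub(SAMPLE_LOG, SAMPLE_NOW)


if __name__ == "__main__":
    for out in scrub_sample():
        print(out)
```

Two practical caveats: a keyed pseudonym only becomes anonymous once the key is destroyed, so rotate PSEUDONYM_KEY and drop old keys on the same schedule as the retention window; and the scrubber refuses to emit lines it cannot parse, because an unparsed line is exactly where a raw identifier would slip through.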
I understand your point, but this isn't a special risk introduced by the GDPR, and from the perspective of a regulator, I don't think they are going to consider linking someone to illegal behaviour to be an additional liability for the company suffering the breach.
That being said, if your "chan" provides a safe haven for illegal behaviour, you might have other non-GDPR problems as well.
Then you couldn't comply with takedown requests (and thus can safely disregard them) because you don't know what content belongs to what user, and you can't even be sure that the person making the request is actually the one that posted the information on your chan.
Probably because it's a single guy running a small forum for a 70 man guild in a spaceship MMO. Why would anybody in that situation expect to get a GDPR request? Especially when it's clear the person in question is just bullying the forum owner.
Keep in mind "corp" is just a guild in this particular video game. Likely they just have a free/low-cost forum page with some minimal aesthetic modifications.