Home > Legal > GDPR hysteria

GDPR hysteria

Legal 22 Comments

In another week the GDPR, or the General Data Protection Regulation will become enforceable and it appears that unlike any other law to date this particular one has the interesting side effect of causing mass hysteria in the otherwise rational tech sector.

This post is an attempt to calm the nerves of those that feel that the(ir) world is about to come to an end, the important first principle when it comes to dealing with any laws, including this one is Don’t Panic. I’m aiming this post squarely at the owners of SME’s that are active on the world wide web and that feel overwhelmed by this development. A bit of background about myself: I’ve been involved in the M&A scene for about a decade, do technical due diligence for a living (together with a team of 8). This practice and my feeling that the battle for privacy on the web is one worth winning which has led me to study online privacy in some detail puts me in an excellent position to see the impact of this legislation first hand as well as how companies tend to deal with it.

The GDRP is not nearly as draconian or complex as people are scared into believing (mostly by people who conveniently also sell GDRP compliance services). Over the past few weeks and months, I’ve translated countless internal and external corporate documents about the GDPR from companies both big and small, for all kinds of sectors, many of which you know, and none of them are freaking out and none of them find this particularly difficult or complicated. Even a legal simpleton like me understands it just fine, and all I need to do is translate texts about it.

About The Author

Thom Holwerda

Follow me on Mastodon @[email protected]

22 Comments

  1. 2018-05-18 10:07 pm
    MichalKJP

    anyway I think that these regulations are needed. gdpr is IMO well aimed weapon against large IT companies that gathers a lot of data about users of it’s services and later uses this data for profiling users.

    if you don’t know what these companies are doing with this data just take a basic data science online course.

  2. 2018-05-18 10:39 pm
    ssokolow (Hey, OSNews, U2F/WebAuthn is broken on Firefox!)

    I think most of the hysteria comes from the unfortunate “any information relating to an identified or identifiable natural person” phrasing of the definition of “personal data”, which could theoretically be interpreted by a judge as requiring that anything the personal has ever produced (even anonymized ‘me too!’ post content) must be deleted on request and factored out of things like anti-spam training corpuses.

    (Thankfully, companies who can afford to consult lawyers seem to be confident that, if you remove all records of who made it, a blog comment or forum post does not inherently count as personal data.)

    For example, here’s what someone from Automattic told someone who wanted their posts deleted from the WordPress forums as “personal data”:

    https://wordpress.org/support/topic/gdpr-and-the-forum-of-wordpress-

    Beyond that, there are exceptions.

    For example, Paragraph 3 of Article 17 (Right to erasure (‘right to be forgotten’)) is entirely about situations where paragraphs 1 and 2 don’t apply.

    https://gdpr-info.eu/art-17-gdpr/

    (In short, an unfortunate phrasing combined with a law that’s intended to prevent exploitative companies from language-lawyering their way into continuing with business as usual.)

    Edited 2018-05-18 22:46 UTC

  3. 2018-05-18 11:12 pm
    Licaon_Kter

    Yup, overreactions, eg: https://monal.im/blog/gdpr-removing-monal-from-the-eu/

  4. 2018-05-19 1:44 am
    grat

    … has the interesting side effect of causing mass hysteria in the otherwise rational tech sector.

    Riiight. The “rational” tech sector that brought us such things as:

    The .com bubble. TPM will destroy Linux. SecureBoot will destroy Linux. *BSD is dead. The year of the Linux Desktop.

    20 Years of Internet Explorer. ActiveX. DIVX. Blink tags. AOL. (MP/RI)AA math.

    Mac vs PC, Windows vs. the world, Google does no Evil…

    I’d better stop, I hear Billy Joel winding up in the background.

    I’ve never thought the tech sector has ever been “rational”– more akin to a sinking boat with the crew rushing madly from one side to the other, in the hopes of finding another sinking boat to jump onto before they drown.

    That’s, of course, when they’re not shooting each other, themselves, or the terminal full of potential customers.

    …. I think I need a vacation. ;)

  5. 2018-05-19 7:00 am
    Carewolf

    It is only turning an old directive into law. A directive that was already law in Germany and many Scandinavian countries. If you did business in Germany you have already had to follow the equivalent of the GDPR for the last 25 years.

  6. 2018-05-19 11:28 am
    asgerms

    Hmm.. If everything is easy-street for the author, good for him. But then why bother writing an “I’m a hero” article. It would be much more productive if practical solutions were given to all the problems people struggle with. Not vague ideas, but real bulletproof implementable solutions.

    * How do you actually verify child-age in relation to consent?

    * How do you actually verify that your data processor is itself compliant?

    * How do you actually “just automate” everything, when you run a 3 person woodshop?

    …tons of similar questions, cannot possibly summarize, wish the author had…

  7. 2018-05-19 12:40 pm
    joshv

    Please, tell me how a US company figures out if it even applies to them? We spent days reading the darned thing. It’s think with vague language open to broad interpretation, clearly designed to make you think that if the vaguest trace of an EU citizen’s data touches your US server, you need to re-architect your entire system.

    Also, it’s clearly designed for B2C (Google, Facebook et al.) but leaves B2B very ambiguous. Does it apply to a user of your software who uses it in a business context only as part of a corporate license, only to do their job? A simple reading says ‘yes’ – and their corporate email address, and even their user ID (known only to your system) is ‘personal’ data.

    Then we talked to our lawyer, who said ‘nope, doesn’t apply!’. Which seems simplistic on the other end of things.

    What is clear is that there are going to have to be some lawsuits before we see how this thing is enforced in practice. Is it going to be used to extract billion dollar payments from the big guys, or is it going to be used to run small and midlevel non-EU application providers out of Europe.

    You may think compliance with the GDPR is ‘simple’. I don’t. New privacy policy. Great our contracts aren’t with users. So now I have to walk hundreds of businesses through a new contract rider. That should be easy, for something they couldn’t care less about, for a law designed to protect private EU citizens. I’ve got to be able to delete all history of an EU user if they ask for it – even if the company that owns that data doesn’t want us to (maybe, who knows, again this is a poor B2B fit). Does that include emails a user sent me? Information they sent in on a bug request? The ‘right to be forgotten’ was clearly aimed at search engines and marketers, but it’s written so broadly it could be interpreted to require a massive re-architecting of your system.

    Let’s hope our lawyer was right.

    • 2018-05-19 5:25 pm
      Alfman verbose=1

      joshv,

      Please, tell me how a US company figures out if it even applies to them? We spent days reading the darned thing. It’s think with vague language open to broad interpretation, clearly designed to make you think that if the vaguest trace of an EU citizen’s data touches your US server, you need to re-architect your entire system.

      Also, it’s clearly designed for B2C (Google, Facebook et al.) but leaves B2B very ambiguous. Does it apply to a user of your software who uses it in a business context only as part of a corporate license, only to do their job? A simple reading says ‘yes’ – and their corporate email address, and even their user ID (known only to your system) is ‘personal’ data.

      Then we talked to our lawyer, who said ‘nope, doesn’t apply!’. Which seems simplistic on the other end of things.

      IANAL, but he’s right ;)

      As the owner of a US company, I would accommodate user requests as best I can. But I’m not at all concerned about GDPR because I’m not in a jurisdiction where it is enforceable. Not that my company is important to anyone, but that’s my take on the subject.

      osnews is covered though right? Thom, are we going to get a privacy notice? Haha.

      Edited 2018-05-19 17:41 UTC

      • 2018-05-20 2:00 am
        oiaohm

        As the owner of a US company, I would accommodate user requests as best I can. But I’m not at all concerned about GDPR because I’m not in a jurisdiction where it is enforceable. Not that my company is important to anyone, but that’s my take on the subject.

        You need to rethink a little. Remember pirate bay set up in a jurisdiction that copyright laws were not enforceable. This did not prevent areas where the law was enforceable blocking their traffic.

        Also the idea that GDPR does not apply in the USA is kind of wrong. Large percentage of GDPR is covered by the globally agreed copyright laws.

        GDPR makes it in the EU cost effective for individuals to enforce their copyright on what they have provided to you.

        GDPR in the EU provides a clear set of rules for companies to follow when handling personal data not to end up charged with copyright infringement or other forms of infringement while making a cost effective legal process for both sides to deal with issues.

        GDPR also caps the damages claim if personal data is miss handled.

        Of course most people are not thinking that GDPR issues are copyright infringement and that we have already seen how the EU responds groups doing that operating outside their legal reach.

        Also the reality is being inside the USA is inside the legal reach of copyright enforcement and copyright enforcement has no legal cap on fines in the USA.

        So in some ways it may be better for a USA company with a large GDPR problem willing enter the EU process than make the EU lawyers come to the USA and use the USA laws to enforce GDPR with laws that have no cost limits.

        Of course the issues GDPR does open questions for people using cloud services where they don’t control the servers can cannot ensure that data is deleted when it legally required to be.

        Edited 2018-05-20 02:00 UTC

        • 2018-05-20 5:35 am
          Alfman verbose=1

          oiaohm,

          You need to rethink a little. Remember pirate bay set up in a jurisdiction that copyright laws were not enforceable. This did not prevent areas where the law was enforceable blocking their traffic. [/q]

          I’m really not that bothered and don’t that imagine many domestic companies are either. I think it would be sad for the EU to start blocking international websites, but even if they do I think the censorship consequences would be worse for people within the EU than for those of us outside of it.

          It also feels like a bit of friendly fire, since I’d endorse something similar in the US, I think companies collect way too much data without our permission. But legislation should not pretend that jurisdictions don’t exist.

          [q]Also the idea that GDPR does not apply in the USA is kind of wrong. Large percentage of GDPR is covered by the globally agreed copyright laws.

          Not the privacy parts that I care about, unfortunately ;)

          Also, I’d say copyright laws were pushed the other way around, from the US to the rest of the world, thanks to his highness, mickey mouse.

          • 2018-05-20 7:34 am
            oiaohm

            Not the privacy parts that I care about, unfortunately ;)

            Read the GDPR (General Data Protection Regulation) as if it a copyright license. You will find most of the privacy parts are enforceable that way.

            Over 90 percent of it will be enforceable under copyright law if you have taken copyright protect-able data from a EU person.

            EU has basically set a default copyright license. Like home and student MS Office saying not for commercial usage. The way it written means the processes to protect EU users of a site will have to be applied to all users of a site.

            This is kind of the worst case but we will not know if it is the worst case until after the first test case.

            Every country that has signed off on copyright conventions covering copyright licenses could have their citizens bound by the GDPR terms if they use data from the EU. Please note from the EU this could include at worst of worst data transferred though the EU data cables.

            The bureaucrat who has done the GDPR has been very good on the wording to make it close enough to a copyright license that it would pass as one for most of the terms and conditions.

          • 2018-05-20 9:41 am
            Alfman verbose=1

            oiaohm,

            Read the GDPR (General Data Protection Regulation) as if it a copyright license. You will find most of the privacy parts are enforceable that way.

            Over 90 percent of it will be enforceable under copyright law if you have taken copyright protect-able data from a EU person.

            If the user took his own logs, then those logs would logically be property of the user, but not the company’s logs that were never in the user possession to begin with, that would be illogical. If anything, the server logs that track you are actually property of the website owner who created the logs. Who do you think created those cookies that track us? The website owners. The urls you click on? Website owners created those too. The ads that are displayed and you don’t click on it at all? Well they’ll track that too. All of it is property of the website owners.

            Now with user submitted text, photos, and videos, I’ll agree that those are reasonably considered our creative property, at least until we agree to terms and conditions that grant a company rights to use our data.

            Note that if your interpretations were valid, then 90% of GDPR would be redundant and wouldn’t be necessary in the first place. What’s more likely, legislators wrote mostly redundant GDPR laws for the sake of it, or they wrote GDPR laws to grant users new privacy rights they didn’t previously have?

            (It’s a rhetorical question)

            Edited 2018-05-20 09:47 UTC

          • 2018-05-21 2:18 am
            oiaohm

            oiaohm,

            Read the GDPR (General Data Protection Regulation) as if it a copyright license. You will find most of the privacy parts are enforceable that way.

            Over 90 percent of it will be enforceable under copyright law if you have taken copyright protect-able data from a EU person.

            If the user took his own logs, then those logs would logically be property of the user, but not the company’s logs that were never in the user possession to begin with, that would be illogical. If anything, the server logs that track you are actually property of the website owner who created the logs. Who do you think created those cookies that track us? The website owners. The urls you click on? Website owners created those too. The ads that are displayed and you don’t click on it at all? Well they’ll track that too. All of it is property of the website owners. [/q]

            You need to look at the precedents with authors submit works to publication companies with draft/confidential and private printed on them. Even that the publication house would have had recorded the fact they received the work on their received items log they were not allowed to give that log to anyone else. If the work was scrapped and condition between author and publication house said all records of work had to be destroyed this include all collected logs.

            You possession idea forgets you cannot damage the copyright holders reputation. Just because you are the owner of something under copyright law does not mean you have the right to give it to anyone else.

            Now with user submitted text, photos, and videos, I’ll agree that those are reasonably considered our creative property, at least until we agree to terms and conditions that grant a company rights to use our data.

            The problem here is a lot of terms and conditions are not forced to be agreed to before they submit data to sites. And if they are they are too complex for the courts to accept in most cases. So the default rules defined in the GDPR will in most cases over rule the sites terms and conditions.

            So sites do need to fix up how they do terms and conditions this is something they should have done anyhow.

            [q]Note that if your interpretations were valid, then 90% of GDPR would be redundant and wouldn’t be necessary in the first place. What’s more likely, legislators wrote mostly redundant GDPR laws for the sake of it, or they wrote GDPR laws to grant users new privacy rights they didn’t previously have?

            90% of GDPR is enforceable by copyright does not make it existence invalid or not required. Without GDPR existing the conditions inside GDPR would have disputed in court on a case by case base.

            GDPR basically documents the public expect data usage conditions for those in the EU this means the judge hearing case can take direct guidance from so removing months/years of debate from the cases over it. It not like the EU is not doing decent advertising of the new rules.

            Basically GDPR simplify copyright cases over personally created content and logs/records around the content created by interacting with the existence of the personally created content.

            Internet Metadata quite a bit of it falls under the same rules as document receive logs at publication houses and package/postal tracking data(reason why tracking is opt in) the usage of this data is controlled by copyright case precedents. If you notice if you access package tracking on-line you cannot see the final address it has been anonymised to a point.

            Of course before GDPR everything posted on the internet has been able to be treated as if it was a post card with no direct protection requirements from being shared. GDPR changes that define and that is the big change. For sites that care about their users privacy they should only have minor real changes to-do.

            GDPR is basically another step in the rule less internet ending.

            Reality here we need to stop thinking of internet as different to the conditions that applied in the prior paper based world.

            Lot of things web sites think they own and have free usage of is not has never really been the legal reality.

          • 2018-05-21 4:01 am
            Alfman verbose=1

            oiaohm,

            You need to look at the precedents with authors submit works to publication companies with draft/confidential and private printed on them. Even that the publication house would have had recorded the fact they received the work on their received items log they were not allowed to give that log to anyone else. If the work was scrapped and condition between author and publication house said all records of work had to be destroyed this include all collected logs. [/q]

            The scenario you are describing isn’t copyright law at all but rather contract law. If you have a contract that stipulates the other party wont talk about you or your creative work, that’s one thing. Otherwise no, copyright law does not prevent other parties from talking about you. And the fact that you are voluntarily uploading data to a website who’s terms and conditions explicitly give them the right to use your data makes the privacy argument even weaker.

            [q]90% of GDPR is enforceable by copyright does not make it existence invalid or not required. Without GDPR existing the conditions inside GDPR would have disputed in court on a case by case base.

            Daveak is right, copyright law doesn’t work the way you think it does. If you want to continue to say that GDPR privacy rights are enforcable in the US through copyright law, well then we’ll have to agree to disagree.

            Edited 2018-05-21 04:20 UTC

          • 2018-05-20 10:14 am
            daveak

            I don’t know where you got the idea that copyright has anything to do with privacy, but you are way way off. Copyright applies to substantive creative works, not to information.

          • 2018-05-21 2:34 am
            oiaohm

            I don’t know where you got the idea that copyright has anything to do with privacy, but you are way way off. Copyright applies to substantive creative works, not to information.

            You are forgetting a section of copyright. The USA wording is kind of deceptive.

            Effect of the use upon the potential market for or value of the copyrighted work: Here, courts review whether, and to what extent, the unlicensed use harms the existing or future market for the copyright owner’s original work. In assessing this factor, courts consider whether the use is hurting the current market for the original work (for example, by displacing sales of the original) and/or whether the use could cause substantial harm if it were to become widespread.

            Privacy and Copyright are not totally independent. Breaching the privacy of author can damage their current and future works value. When taking content from people privacy is something you should take very serous-ally or you will end up using their work illegally because you can be damaging their reputation/future works.

            So someone does a stupid post a long time ago and they tell you to take it down you don’t and they don’t get a job because of that post you have damaged their future works right so you have done damage in a copyright sense. Because that notice to take the work down was revoke of copyright usage permission. Reason why you got away with this up until now is that site could argue fair usage that would be way to costly for any individual to consider fighting. GDPR defines this as not fair usage so its pure copyright infringement and user has the right to come after you for damages.

            Privacy and Copyright are related like it or not. The fact Privacy and Copyright are related is why GDPR as bit more reach than where it was passed as law.

            Edited 2018-05-21 02:53 UTC

    • 2018-05-20 10:09 am
      daveak

      the vaguest trace of an EU citizen’s data touches your US server, you need to re-architect your entire system.

      Bad news for you I’m afraid, it isn’t limited to EU citizens, but anyone who is resident in the EU.

    • 2018-05-20 10:11 am
      daveak

      Your lawyer may or may not be correct. If the email address of the person involved contains their name then yes, it is personal information, even if that is a work email address.

  8. 2018-05-19 1:30 pm
    laffer1

    The largest issue with the law is the ambiguity with respect to data mining and similar problem sets. When you train a data set with personal data and later get a request to delete the data, does that make the model generated from the training set invalid?

    Here’s why that’s a problem. Say that you try to build a system that can detect social security numbers so that they can be scrubbed from data. If the training set is somewhat limited, you may have partial social security numbers end up in the model.

    The law is not clear for this case.

    • 2018-05-19 1:58 pm
      qbast

      The law is clear: aggregated data cannot be linked to original user so it is not covered. So you need to delete the original records you used to build your model (since that data is linked to specific person), but you don’t need to invalidate your aggregated model.

  9. 2018-05-19 2:56 pm
    NotGoingDumb

    “Even a legal simpleton like me understands it just fine, and all I need to do is translate texts about it.”

    You do realise OSnews in not even complying with the cookie requirement. Where is the button to delete my profile from this website?

    I can’t wait to report OSnews for GDPR violations :-))

    • 2018-05-19 5:16 pm
      qbast

      There is no legal requirement for a “button” or any other automatic process.