GDPR Resources

scottalanmiller

@kelly said in GDPR Resources:

@jaredbusch said in GDPR Resources:

@kelly said in GDPR Resources:

@danp said in GDPR Resources:

This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/

Thanks for actually replying to the thread topic @Danp. I'm not really sure what to do with this experience...

Hey, I was supporting you

You have been. It was more that @Danp was on topic. We've both followed @scottalanmiller into his overall derailment.

Hardly a derailment, it's the core of the conversation. Outside of the EU, how does the GDPR affect you? It's totally by what local laws (sometimes in the form of treaties) present it to you locally.

scottalanmiller

It worth noting that even if the US-EU Privacy Shield would have made the GDPR possible int he US, Executive Order 13768 may have removed it. The order appears to make the GDPR impossible to implement in the US without further action regardless of existing treaties.

https://www.theregister.co.uk/2017/01/30/trump_executive_order_public_safety_privacy_shield/

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@jaredbusch said in GDPR Resources:

@kelly said in GDPR Resources:

@danp said in GDPR Resources:

This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/

Thanks for actually replying to the thread topic @Danp. I'm not really sure what to do with this experience...

Hey, I was supporting you

You have been. It was more that @Danp was on topic. We've both followed @scottalanmiller into his overall derailment.

Hardly a derailment, it's the core of the conversation. Outside of the EU, how does the GDPR affect you? It's totally by what local laws (sometimes in the form of treaties) present it to you locally.

It is the core of a conversation around GDPR, but not core to the question as asked. I'm not objecting to the conversation, finding it amusing how little time has been spent on the original question.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@jaredbusch said in GDPR Resources:

@kelly said in GDPR Resources:

@danp said in GDPR Resources:

This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/

Thanks for actually replying to the thread topic @Danp. I'm not really sure what to do with this experience...

Hey, I was supporting you

You have been. It was more that @Danp was on topic. We've both followed @scottalanmiller into his overall derailment.

Hardly a derailment, it's the core of the conversation. Outside of the EU, how does the GDPR affect you? It's totally by what local laws (sometimes in the form of treaties) present it to you locally.

It is the core of a conversation around GDPR, but not core to the question as asked. I'm not objecting to the conversation, finding it amusing how little time has been spent on the original question.

Well, I think digging into where it applies and where it doesn't is answering that in most cases. For most companies, knowing if it affects them or not is the primarily piece of preparation.

For those doing deep, intentional data processing of those resources it's way, way more complex. But that's likely to be a tiny minority of companies. Mostly, I think, that's going to fall to development departments rather than IT.

scottalanmiller

What I believe to be the intent around the GDPR really hits companies that are doing custom / bespoke applications for the data processing. Especially the US ones. EU companies aren't handing off to the US just for CPU power, but for local expertise or systems.

So the primary concerns are around database systems that can identify the points of privacy and having a means of purging them. Really, I think that having that alone covers most needs. Just the ability to "delete". Which previously, almost no one had.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@jaredbusch said in GDPR Resources:

@kelly said in GDPR Resources:

@danp said in GDPR Resources:

This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/

Thanks for actually replying to the thread topic @Danp. I'm not really sure what to do with this experience...

Hey, I was supporting you

You have been. It was more that @Danp was on topic. We've both followed @scottalanmiller into his overall derailment.

Hardly a derailment, it's the core of the conversation. Outside of the EU, how does the GDPR affect you? It's totally by what local laws (sometimes in the form of treaties) present it to you locally.

It is the core of a conversation around GDPR, but not core to the question as asked. I'm not objecting to the conversation, finding it amusing how little time has been spent on the original question.

Well, I think digging into where it applies and where it doesn't is answering that in most cases. For most companies, knowing if it affects them or not is the primarily piece of preparation.

For those doing deep, intentional data processing of those resources it's way, way more complex. But that's likely to be a tiny minority of companies. Mostly, I think, that's going to fall to development departments rather than IT.

The question was asking for resources that people are using for learning about GDPR. There are very few links to other resources other than ones I've (and now @Danp) provided.

scottalanmiller

Lynda has a course!

https://www.lynda.com/Business-Skills-tutorials/Learning-GDPR/693080-2.html

Kelly

@scottalanmiller said in GDPR Resources:

Lynda has a course!

https://www.lynda.com/Business-Skills-tutorials/Learning-GDPR/693080-2.html

Wow, a 13 minute "course". Lynda is setting the bar pretty low. I've spent way more time digging through materials. Even the course I linked above is several hours.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

Lynda has a course!

https://www.lynda.com/Business-Skills-tutorials/Learning-GDPR/693080-2.html

Wow, a 13 minute "course". Lynda is setting the bar pretty low. I've spent way more time digging through materials. Even the course I linked above is several hours.

Yeah, I think anything "real" is going to be taught by lawyers and be pretty in depth. It's a painful topic.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

Lynda has a course!

https://www.lynda.com/Business-Skills-tutorials/Learning-GDPR/693080-2.html

Wow, a 13 minute "course". Lynda is setting the bar pretty low. I've spent way more time digging through materials. Even the course I linked above is several hours.

Yeah, I think anything "real" is going to be taught by lawyers and be pretty in depth. It's a painful topic.

That is part of what attracted me to the course I linked. It is being taught by faculty at the law school the University of Groningen.

Kelly

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

scottalanmiller

@kelly said in GDPR Resources:

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

scottalanmiller

@kelly said in GDPR Resources:

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

Goods or services (whether for sale or for free), that specifically attempt to market to EU citizens. An frequently cited example of this is when a site translates itself into the language of an EU member country when that language is not the native language of the originating country. The rest will probably have to be sorted out via case law.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

You went from zero to 60 pretty fast on that one.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

You went from zero to 60 pretty fast on that one.

I just read back what you wrote.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

Goods or services (whether for sale or for free), that specifically attempt to market to EU citizens. An frequently cited example of this is when a site translates itself into the language of an EU member country when that language is not the native language of the originating country. The rest will probably have to be sorted out via case law.

Right, which is ridiculous. That's not targeting in any rational sense of the word. Heck, that's a built in native feature of loads of platforms.

And I have sites that do that today... but not because the work with the EU but because they work with LATAM.

So I can prove that that specific wording takes something that is specifically not for the EU, and gets caught up in their sweep.

In fact, every US site that caters to the US' secondary language would qualify. Guess what, nearly ever Texas website has a Spanish translation. So do our billboards. But it is not a native or primary language in Texas. It's just heavily used.

scottalanmiller

Using "available in their language" as a form of "targeting" is about as "non-targeting" as you could reasonably come up with as an excuse. What could be broader? Short of saying any IP address that can be pingable from Europe or something, this catches mom and pop shops in rural backwaters who don't even know where Europe is in the sweep.

JaredBusch

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

You went from zero to 60 pretty fast on that one.

I just read back what you wrote.

No you did not. You changed it. Either way, you are wrong.

scottalanmiller

Let me give an example of why this worries me...

1. Fourteen year old kid in Kansas is required to take a foreign language in school. He enjoys languages and thinks it is fun. He blogs about it on his blog, in the language he is learning. let's say Portuguese because he hopes to visit Brazil, the largest speaker of that language and a major tourist destination. Or maybe he's from Brazil and posts in his native language after moving to the US. He's now under GDPR because he used Brazil's language on a US blog, that recorded IP addresses of visitors.

2. The restaurant at the end of my street that only speaks Spanish puts their menu up online. Their menu is only in Spanish, as they only speak Spanish. They are under GDPR now.

Will the EU take time to go after these people? No, it's silly. But the point is, that essentially everyone is going to be covered by it and the courts can just enforce at will. It's essentially a "everyone is guilty of a foreign law you have no reasonable way to know about" and it covers the most insanely trivial situations.