    GDPR Resources

    IT Discussion (tag: gdprregulations)
    • scottalanmillerS
      scottalanmiller @Kelly
      last edited by

      @kelly said in GDPR Resources:

      He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

      If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

      • KellyK
        Kelly @scottalanmiller
        last edited by

        @scottalanmiller said in GDPR Resources:

        @kelly said in GDPR Resources:

        He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

        If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

        Goods or services (whether for sale or for free) that specifically attempt to market to EU citizens. A frequently cited example of this is when a site translates itself into the language of an EU member country when that language is not the native language of the originating country. The rest will probably have to be sorted out via case law.

        • KellyK
          Kelly @scottalanmiller
          last edited by

          @scottalanmiller said in GDPR Resources:

          @kelly said in GDPR Resources:

          I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

          GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

          He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

          So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

          This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

          You went from zero to 60 pretty fast on that one.

          • scottalanmillerS
            scottalanmiller @Kelly
            last edited by

            @kelly said in GDPR Resources:

            @scottalanmiller said in GDPR Resources:

            @kelly said in GDPR Resources:

            I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

            GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

            He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

            So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

            This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

            You went from zero to 60 pretty fast on that one.

            I just read back what you wrote.

            • scottalanmillerS
              scottalanmiller @Kelly
              last edited by

              @kelly said in GDPR Resources:

              @scottalanmiller said in GDPR Resources:

              @kelly said in GDPR Resources:

              He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

              If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

              Goods or services (whether for sale or for free) that specifically attempt to market to EU citizens. A frequently cited example of this is when a site translates itself into the language of an EU member country when that language is not the native language of the originating country. The rest will probably have to be sorted out via case law.

              Right, which is ridiculous. That's not targeting in any rational sense of the word. Heck, that's a built in native feature of loads of platforms.

              And I have sites that do that today... but not because they work with the EU but because they work with LATAM.

              So I can prove that that specific wording takes something that is specifically not for the EU, and gets caught up in their sweep.

              In fact, every US site that caters to the US' secondary language would qualify. Guess what, nearly every Texas website has a Spanish translation. So do our billboards. But it is not a native or primary language in Texas. It's just heavily used.

              • scottalanmillerS
                scottalanmiller
                last edited by

                Using "available in their language" as a form of "targeting" is about as "non-targeting" as you could reasonably come up with as an excuse. What could be broader? Short of saying any IP address that is pingable from Europe or something, this catches mom-and-pop shops in rural backwaters who don't even know where Europe is in the sweep.

                • JaredBuschJ
                  JaredBusch @scottalanmiller
                  last edited by

                  @scottalanmiller said in GDPR Resources:

                  @kelly said in GDPR Resources:

                  @scottalanmiller said in GDPR Resources:

                  @kelly said in GDPR Resources:

                  I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

                  GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

                  He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

                  So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

                  This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

                  You went from zero to 60 pretty fast on that one.

                  I just read back what you wrote.

                  No you did not. You changed it. Either way, you are wrong.

                  • scottalanmillerS
                    scottalanmiller
                    last edited by scottalanmiller

                    Let me give an example of why this worries me...

                    1. Fourteen-year-old kid in Kansas is required to take a foreign language in school. He enjoys languages and thinks it is fun. He blogs about it on his blog, in the language he is learning. Let's say Portuguese, because he hopes to visit Brazil, the largest speaker of that language and a major tourist destination. Or maybe he's from Brazil and posts in his native language after moving to the US. He's now under GDPR because he used Brazil's language on a US blog that recorded IP addresses of visitors.

                    2. The restaurant at the end of my street that only speaks Spanish puts their menu up online. Their menu is only in Spanish, as they only speak Spanish. They are under GDPR now.

                    Will the EU take time to go after these people? No, it's silly. But the point is that essentially everyone is going to be covered by it and the courts can just enforce at will. It's essentially an "everyone is guilty of a foreign law you have no reasonable way to know about" and it covers the most insanely trivial situations.

                    • scottalanmillerS
                      scottalanmiller @JaredBusch
                      last edited by

                      @jaredbusch said in GDPR Resources:

                      @scottalanmiller said in GDPR Resources:

                      @kelly said in GDPR Resources:

                      @scottalanmiller said in GDPR Resources:

                      @kelly said in GDPR Resources:

                      I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

                      GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

                      He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

                      So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

                      This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

                      You went from zero to 60 pretty fast on that one.

                      I just read back what you wrote.

                      No you did not. You changed it. Either way, you are wrong.

                      If I'm wrong, in what way? What am I missing?

                      • JaredBuschJ
                        JaredBusch @scottalanmiller
                        last edited by JaredBusch

                        @scottalanmiller said in GDPR Resources:

                        If I'm wrong, in what way? What am I missing?

                        This is all your opinion. It is your own special interpretation of US law and international law.

                        @scottalanmiller said in GDPR Resources:

                        So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?
                        This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

                        Nothing in anything that was mentioned means this, except to you.

                        You are not a lawyer. You do not know all the laws on the subject.

                        Stop trying to act like you do.

                        I know that I do not know the law on the subject. Instead I read and educate myself.

                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          Here is a real world example... this is my local Mexican restaurant. Everyone there speaks Spanish natively. But let's ignore that. Let's focus on German, French, Italian, etc.....

                          http://www.loslupes.com/

                          This was, quite literally, the first local website I checked. This just happened to be an extreme, and perfect, example. Their website, which undoubtedly collects IP info, has a widget to show it in about a hundred languages, everything that Google Translate supports. This is fully automated and just a widget that non-technical people add to a website as part of a free website builder. It's super casual, and the site is only meant for people in the city. It's just a local restaurant.

                          But using the example cases of EU targeting, it's not just targeting EU citizens, it's targeting all of them covering every primary and most secondary and other languages.

                          It feels like a law that was pushed through in a foreign country with the claimed intent of protecting citizens against abuses of large data processing companies, covers effectively every person with a web presence, commercial or not, in a country not associated with the law, potentially. The real question is who isn't at risk of it, if that logic is applied?

                          • scottalanmillerS
                            scottalanmiller @JaredBusch
                            last edited by

                            @jaredbusch said in GDPR Resources:

                            @scottalanmiller said in GDPR Resources:

                            If I'm wrong, in what way? What am I missing?

                            This is all your opinion. It is your own special interpretation of US law and international law.

                            @scottalanmiller said in GDPR Resources:

                            So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?
                            This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

                            Nothing in anything that was mentioned means this, except to you.

                            You are not a lawyer. You do not know all the laws on the subject.

                            Stop trying to act like you do.

                            I know that I do not know the law on the subject. Instead I read and educate myself.

                            I'm not acting like a lawyer, I'm acting like a citizen.

                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

                              How will sites that don't actually target EU citizens in any way possibly be able to comply with the law, given that they have not identified an EU citizen? Meaning, the GDPR includes all kinds of data, like locality and IP address, that under normal conditions can't be tied to a person or even to the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question comply if there is no way to associate the data collected with the GDPR request?

                              If a company, like Facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

                              • scottalanmillerS
                                scottalanmiller
                                last edited by

                                This doesn't answer my question, but seems like a useful high level list to keep in mind as to when GDPR must be honored for a take down, versus when it should only be considered: https://www.lexology.com/library/detail.aspx?g=1e15fd92-3b95-4b22-8a91-abb45c99f1fd

                                • KellyK
                                  Kelly @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in GDPR Resources:

                                  So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

                                  How will sites that don't actually target EU citizens in any way possibly be able to comply with the law, given that they have not identified an EU citizen? Meaning, the GDPR includes all kinds of data, like locality and IP address, that under normal conditions can't be tied to a person or even to the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question comply if there is no way to associate the data collected with the GDPR request?

                                  If a company, like Facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

                                  If there is no association it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, thrown around frequently on IT sites, is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding. If the IP address is associated with other data that falls under the regulation's protections, then it is also protected. There are also additional requirements before protections kick in if the address is a dynamic one (not sure how you're supposed to know that one easily). Reference: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases.

                                  • scottalanmillerS
                                    scottalanmiller @Kelly
                                    last edited by

                                    @kelly said in GDPR Resources:

                                    @scottalanmiller said in GDPR Resources:

                                    So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

                                    How will sites that don't actually target EU citizens in any way possibly be able to comply with the law, given that they have not identified an EU citizen? Meaning, the GDPR includes all kinds of data, like locality and IP address, that under normal conditions can't be tied to a person or even to the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question comply if there is no way to associate the data collected with the GDPR request?

                                    If a company, like Facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

                                    If there is no association it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, thrown around frequently on IT sites, is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding.

                                    Yes, that one I see very often, and it is definitely the most concerning of the ones that I have seen. Although I've seen and/or read it slightly differently: not that the IP originated from the EU, but that the IP was generated by an EU user.

                                    Example to explain what I mean: I am an EU citizen (I actually am) but am in the US (I actually am) and I go to your website - you now have an EU citizen's IP address in your logs.

                                    • KellyK
                                      Kelly
                                      last edited by

                                      Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                                      • scottalanmillerS
                                        scottalanmiller @Kelly
                                        last edited by

                                        @kelly said in GDPR Resources:

                                        Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                                        I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous to not be a primary player with deep pockets on the Internet.

                                        • KellyK
                                          Kelly @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in GDPR Resources:

                                          @kelly said in GDPR Resources:

                                          Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                                          I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous to not be a primary player with deep pockets on the Internet.

                                          Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

                                          • scottalanmillerS
                                            scottalanmiller @Kelly
                                            last edited by

                                            @kelly said in GDPR Resources:

                                            @scottalanmiller said in GDPR Resources:

                                            @kelly said in GDPR Resources:

                                            Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                                            I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous to not be a primary player with deep pockets on the Internet.

                                            Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

                                            Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

                                            Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

                                            No way could any normal SMB handle SARBOX.
