GDPR Resources

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

If this limitation is real and reasonable, but "targeted" is a useless term here. What does that mean or imply?

Goods or services (whether for sale or for free), that specifically attempt to market to EU citizens. An frequently cited example of this is when a site translates itself into the language of an EU member country when that language is not the native language of the originating country. The rest will probably have to be sorted out via case law.

Right, which is ridiculous. That's not targeting in any rational sense of the word. Heck, that's a built in native feature of loads of platforms.

And I have sites that do that today... but not because the work with the EU but because they work with LATAM.

So I can prove that that specific wording takes something that is specifically not for the EU, and gets caught up in their sweep.

In fact, every US site that caters to the US' secondary language would qualify. Guess what, nearly ever Texas website has a Spanish translation. So do our billboards. But it is not a native or primary language in Texas. It's just heavily used.

scottalanmiller

Using "available in their language" as a form of "targeting" is about as "non-targeting" as you could reasonably come up with as an excuse. What could be broader? Short of saying any IP address that can be pingable from Europe or something, this catches mom and pop shops in rural backwaters who don't even know where Europe is in the sweep.

JaredBusch

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

You went from zero to 60 pretty fast on that one.

I just read back what you wrote.

No you did not. You changed it. Either way, you are wrong.

scottalanmiller

Let me give an example of why this worries me...

1. Fourteen year old kid in Kansas is required to take a foreign language in school. He enjoys languages and thinks it is fun. He blogs about it on his blog, in the language he is learning. let's say Portuguese because he hopes to visit Brazil, the largest speaker of that language and a major tourist destination. Or maybe he's from Brazil and posts in his native language after moving to the US. He's now under GDPR because he used Brazil's language on a US blog, that recorded IP addresses of visitors.

2. The restaurant at the end of my street that only speaks Spanish puts their menu up online. Their menu is only in Spanish, as they only speak Spanish. They are under GDPR now.

Will the EU take time to go after these people? No, it's silly. But the point is, that essentially everyone is going to be covered by it and the courts can just enforce at will. It's essentially a "everyone is guilty of a foreign law you have no reasonable way to know about" and it covers the most insanely trivial situations.

scottalanmiller

@jaredbusch said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

I received a response from one of the lawyers who wrote a blog post warning US companies about the potential impacts of GDPR. I don't have his permission to post his response, so I will do my best to paraphrase.

GDPR will fall under cross-border assertions. What this means is that EU regulators will bring an action against a US company in the EU. While the US company could accept the jurisdiction of the EU court, it will most likely ignore it. In that case, once the regulator has a judgement from the EU court it will take the ruling to a US court and ask for it to be enforced by the US court. There is a whole body of law and set of expertise around when these get enforced, but it is likely (in his perspective) that US courts will enforce the judgement because of the desire to have the opposite (US judgements against EU citizens in the EU) to be upheld by EU courts.

He believes that because of the limitations that GDPR places upon its jurisdiction (EU citizens being provably targeted by a US company) that there is a strong potential that this will affect US (and any other non EU) companies.

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?

This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

You went from zero to 60 pretty fast on that one.

I just read back what you wrote.

No you did not. You changed it. Either way, you are wrong.

If I'm wrong, in what way? What am I missing?

JaredBusch

@scottalanmiller said in GDPR Resources:

If I'm wrong, in what way? What am I missing?

This is all your opinion. It is your own special interpretation of US law and international law.

@scottalanmiller said in GDPR Resources:

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?
This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

Nothing in the anything that was mentioned means this, except to you.

You are not a lawyer. You do not know all the laws on the subject.

Stop trying to act like you do.

I know that I do not know the law on the subject. Instead I read and educate myself.

scottalanmiller

Here is a real world example... this is my local Mexican restaurant. Everyone there speaks Spanish natively. But let's ignore that. Let's focus on German, French, Italian, etc.....

http://www.loslupes.com/

This was, quite literally, the first local website I checked. This just happened to be an extreme, and perfect, example. Their website, which undoubtedly collects IP info, has a widget to show it in about a hundred languages, everything that Google Translate supports. This is fully automated and just a widget that non-technical people add to a website as part of a free website builder. It's super casual, and the site is only meant for people in the city. It's just a local restaurant.

But using the example cases of EU targeting, it's not just targeting EU citizens, it's targeting all of them covering every primary and most secondary and other languages.

It feels like a law that was pushed through in a foreign country with the claimed intent of protecting citizens against abuses of large data processing companies, covers effectively every person with a web presence, commercial or not, in a country not associated with the law, potentially. The real question is who isn't at risk of it, if that logic is applied?

scottalanmiller

@jaredbusch said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

If I'm wrong, in what way? What am I missing?

This is all your opinion. It is your own special interpretation of US law and international law.

@scottalanmiller said in GDPR Resources:

So basically the US courts are expected to become ad hoc lawmakers picking and choosing when to "have" a law and when not to, at will, without any oversight from the government or the actual lawmakers?
This is one of the most unbelievable indictments of corruption in the US legal system. That's insane. Zero legal oversight, just courts doing absolutely anything that they want.

Nothing in the anything that was mentioned means this, except to you.

You are not a lawyer. You do not know all the laws on the subject.

Stop trying to act like you do.

I know that I do not know the law on the subject. Instead I read and educate myself.

I'm not acting like a lawyer, I'm acting like a citizen.

scottalanmiller

So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

How will sites that don't actually target EU citizens in any way be possibly able to comply with the law given that they have not identified an EU citizen. Meaning, the GDPR includes all kinds of data like locality and IP address, that under normal conditions can't be tied to a person or even the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question, comply if there is no way to associate the data collected with the GDPR request?

If a company, like facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

scottalanmiller

This doesn't answer my question, but seems like a useful high level list to keep in mind as to when GDPR must be honored for a take down, versus when it should only be considered: https://www.lexology.com/library/detail.aspx?g=1e15fd92-3b95-4b22-8a91-abb45c99f1fd

Kelly

@scottalanmiller said in GDPR Resources:

So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

How will sites that don't actually target EU citizens in any way be possibly able to comply with the law given that they have not identified an EU citizen. Meaning, the GDPR includes all kinds of data like locality and IP address, that under normal conditions can't be tied to a person or even the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question, comply if there is no way to associate the data collected with the GDPR request?

If a company, like facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

If there is no association it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, and thrown around frequently on IT sites is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding. If the IP address is associated with other data that falls under the regulation's protections then it is also protected. There are also additional requirements before protections kick in if the address is a dynamic one (not sure how you're supposed to know that one easily). Reference: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

How will sites that don't actually target EU citizens in any way be possibly able to comply with the law given that they have not identified an EU citizen. Meaning, the GDPR includes all kinds of data like locality and IP address, that under normal conditions can't be tied to a person or even the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question, comply if there is no way to associate the data collected with the GDPR request?

If a company, like facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

If there is no association it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, and thrown around frequently on IT sites is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding.

Yes, that one I see very often and is definitely the most concerning of the ones that I have seen. Although I've seen and/or read it slightly differently. Not that the IP originated from the EU, but that the IP was generated by an EU user.

Example to explain what I mean: I am an EU citizen (I actually am) but am in the US (I actually am) and I go to your website - you now have an EU citizen's IP address in your logs.

Kelly

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

scottalanmiller

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

No way could any normal SMB handle SARBOX.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

No way could any normal SMB handle SARBOX.

This thread has gone on a long time. I am tired of trying to explain GDPR. Your questions have helped me research deeper than I might have otherwise. I am grateful for that. If you have something substantive to contribute with links so that we can all learn I would welcome your input. However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

scottalanmiller

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

That was the point of this thread. I have posted a link to every single resource I have used to learn about with the exception of this one (now that I think about it): http://www.lockelord.com/newsandevents/publications/2017/12/are-we-covered.

Obsolesce

So what's the conclusion here?

Does this only effect US companies that target goods or services to EU member populations?