Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet
-
The music industry is a perfect example: the RIAA is still complaining about billions of dollars in losses due to piracy, but many don’t realize the industry has returned to growth, including a 16.5% revenue jump last year. The driver is streaming, which — just look at the name! — depends on the Internet: subscribers get access to basically all of the songs they could ever want, while the recording industry earns somewhere around $65 per individual subscriber per year with no marginal costs. It’s a fantastic value for customers and an equally fantastic revenue model for recording companies; that alignment stems from swimming with the Internet, not against it.
-
@blakeyrat I have not read most of the first part, because the way to fix the "meme ban" and "link tax" regulations is to simply scratch them, they're idiotic.
That leaves us with the GDPR part:
To that end, were I a regulator concerned about user privacy, my starting point would not be an enforcement mechanism but a transparency mechanism.
But that is what's being done. All these annoying pop-ups and emails you get are there because they now have to tell you that they're saving all this data. They're still saving / processing the data if you let them, but now they need to be more transparent about it.
For Facebook, the Cambridge Analytica scandal was akin to the Surgeon General’s report on smoking: the threat was not that regulators would act, but that users would, and nothing could be more fatal.
Which only became a "scandal" in the first place because people have been trying to bring the way data is handled to the public's attention. Without it, nobody would have known what that scandal was even about.
mechanisms to delete user-generated data, mechanisms to delete inferred data
As far as I know, being able to demand deletion of user information, or demanding a listing of what data is stored, is part of the EU regulations.
-
@blakeyrat this whole article makes me feel like the author thinks Google and Facebook are the evil powers that must be fought with, and also thinks that GDPR's and Copyright Directive's main goals are to hurt Google and Facebook specifically (at which they completely fail, as the author helpfully noted), not to protect privacy and copyright respectively.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
also thinks that GDPR's and Copyright Directive's main goals are to hurt Google and Facebook specifically
He's not completely wrong about the latter, but the former definitely isn't designed to target them specifically.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
also thinks that GDPR's and Copyright Directive's main goals are to hurt Google and Facebook specifically
He's not completely wrong about the latter, but the former definitely isn't designed to target them specifically.
The article rightly points out (I think, not reading it again to quote) that it will actually benefit Google / Facebook by hurting everyone more. See link tax: Google will get publishers to waive any claims, or they'll be blackholed, whereas smaller competition won't be able to do that.
-
@topspin said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
The article rightly points out (I think, not reading it again to quote) that it will actually benefit Google / Facebook by hurting everyone more.
GDPR hurts everyone equally. Especially if data acquisition is part of their business, but also if it isn't. The other directives are a completely different story…
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@topspin said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
The article rightly points out (I think, not reading it again to quote) that it will actually benefit Google / Facebook by hurting everyone more.
GDPR hurts everyone equally.
No - it only hurts those who recklessly collect, store, process, and share user data with hundreds of ad vendors just to squeeze these few extra cents per month.
-
@Gąska Whenever I see a site that says “no content for you, EU person” I think “so… you're admitting in public that your entire true purpose is disrespectful of the most basic data hygiene rules?” which kind of colours my whole perspective on future interactions with them.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@topspin said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
The article rightly points out (I think, not reading it again to quote) that it will actually benefit Google / Facebook by hurting everyone more.
GDPR hurts everyone equally.
No - it only hurts those who recklessly collect, store, process, and share user data with hundreds of ad vendors just to squeeze these few extra cents per month.
Actually it tends to hurt those who don't have their own legal department to analyse the regulation.
-
@Bulb correct. Determining whether you're in compliance is a large compliance cost, especially for companies that don't have international counsel in house. And especially for arcane regulations about a field of law that is highly specialized to begin with.
If the projected costs of determining compliance are as big as the revenue from GDPR customers, it's a safe bet to just give up that revenue. It also has the least downside risk.
-
@dkf said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska Whenever I see a site that says “no content for you, EU person” I think “so… you're admitting in public that your entire true purpose is disrespectful of the most basic data hygiene rules?” which kind of colours my whole perspective on future interactions with them.
No.
First, they go far beyond "the most basic data hygiene rules." For heaven's sake, the GDPR makes the completely wrong and ridiculous assertion that an IP address is protected PII! This is problematic for two reasons: 1) US courts have repeatedly ruled this to not be the case in important copyright trolling cases, and any law stating otherwise has very bad implications, and 2) collecting and storing this information is critical for basic security of your site if nothing else.
Second, they assert universal jurisdiction on this, which is a legal abomination just on general principle. Sovereignty is very important; if they can pull a stunt like this, what's stopping China or Iran from using it as a precedent?
Third, they attempt to use this universal jurisdiction to force non-EU businesses to give money to the EU by employing an EU-based compliance service. Where I come from, we call that extortion.
The basic goals of the GDPR aren't so bad, but the execution is horrific, and I'll applaud any site that takes a principled stand against it.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@dkf said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
First, they go far beyond "the most basic data hygiene rules." For heaven's sake, the GDPR makes the completely wrong and ridiculous assertion that an IP address is protected PII! This is problematic for two reasons: 1) US courts have repeatedly ruled this to not be the case in important copyright trolling cases, and any law stating otherwise has very bad implications
You're conflating two different things.
An IP address, by itself, is not a conclusive proof to accuse a specific person of doing something.
But static IPs, and dynamic IPs with no NAT, can be used to track people with a pretty high level of confidence.
The standard for prosecution is higher than the standard for protection. And it makes perfect sense.
-
@Zerosquare said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
But static IPs, and dynamic IPs with no NAT, can be used to track people with a pretty high level of confidence.
Also, they can often narrow things down to a specific household; that's often enough by itself.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
First, they go far beyond "the most basic data hygiene rules." For heaven's sake, the GDPR makes the completely wrong and ridiculous assertion that an IP address is protected PII! This is problematic for two reasons: 1) US courts have repeatedly ruled this to not be the case in important copyright trolling cases, and any law stating otherwise has very bad implications, and 2) collecting and storing this information is critical for basic security of your site if nothing else.
The rest of your post is not incorrect, but in your second example above you are forgetting something.
If you have a strong reason for why you want to store IP addresses then you can for a reasonable amount of time. The GDPR has 6 legal bases on which you can build a claim that it needs to be stored, so if you're worried about your site getting DOSed then storing IP addresses for up to a day to build a "blacklist" might be seen as "serving your vital interests" because there's no other way to do it.
If you would store those IP addresses for months at a time and associate them with the user accounts coming from those IP addresses (or vice versa) then your case will be harder: if a judge finds that you could have built your security system without those months of history then they will consider you in violation of the law.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
For heaven's sake, the GDPR makes the completely wrong and ridiculous assertion that an IP address is protected PII!
First, it's not ridiculous - many people have a static IP, or a dynamic IP that changes only once a month, or use several devices from one IP (which, together with identification cookies, can be used to determine a person's relatives). Second, IP is treated differently from other personal data since it's necessary to provide basic functionality and security of a website.
- US courts
...don't apply to EU.
Second, they assert universal jurisdiction on this
If they didn't, it would become dead law since everyone would move their servers to countries where privacy laws don't exist.
Sovereignty is very important; if they can pull a stunt like this, what's stopping China or Iran from using it as a precedent?
Is it a bad thing that nothing stops China or Iran from caring for their own residents online?
Third, they attempt to use this universal jurisdiction to force non-EU businesses to give money to the EU by employing an EU-based compliance service.
Only for businesses that wish to offer services to EU citizens. I see nothing wrong with that.
-
@JBert said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
If you would store those IP addresses for months at a time and associate them with the user accounts coming from those IP addresses (or vice versa) then your case will be harder
Why? Site security encompasses more than simply DOS protection. Look at the way some sites protect the security of their users by requiring external verification if they log in from an IP address they've never used before.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
First, it's not ridiculous - many people have a static IP, or a dynamic IP that changes only once a month, or use several devices from one IP (which, together with identification cookies, can be used to determine a person's relatives). Second, IP is treated differently from other personal data since it's necessary to provide basic functionality and security of a website.
Many people also have open wireless routers, which is why an IP address, even to a residential customer, does not and cannot equal a person.
- US courts
...don't apply to EU.
Here, have a free .
Second, they assert universal jurisdiction on this
If they didn't, it would become dead law since everyone would move their servers to countries where privacy laws don't exist.
That should be the first indication that there's something inherently problematic here...
Sovereignty is very important; if they can pull a stunt like this, what's stopping China or Iran from using it as a precedent?
Is it a bad thing that nothing stops China or Iran from caring for their own residents online?
This should be read in the context of "universal jurisdiction," above. We've already had some problems with Canadian courts trying to assert universal jurisdiction against Google in Right To Be Forgotten cases, claiming that it's not enough to simply delist unwanted posts in Canada; they must be removed worldwide. What happens when China or Iran use this as a precedent to try to censor protesters or cover up human rights violations worldwide?
Third, they attempt to use this universal jurisdiction to force non-EU businesses to give money to the EU by employing an EU-based compliance service.
Only for businesses that wish to offer services to EU citizens. I see nothing wrong with that.
No, because it's the World Wide Web. If you're online, you're offering services to EU citizens by default and you have to take specific action and go out of your way to make it otherwise. Therefore, I see plenty wrong with that.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Why? Site security encompasses more than simply DOS protection. Look at the way some sites protect the security of their users by requiring external verification if they log in from an IP address they've never used before.
And that's lawful… if they state clearly that your IP address will be retained this way for that purpose and you don't do other things with it. (I think that would be an unfortunately annoying limitation nowadays, as it won't work well with mobile networks, but that's beside the point you were making.)
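The two security uses of IP addresses raised in this thread (JBert's short-lived abuse blacklist kept for about a day, and the "extra verification when an account logs in from a never-seen address" check that dkf notes is fine as long as the address is kept for that stated purpose and nothing else) both come down to the same engineering discipline: every stored address carries a declared purpose and a retention window, lookups purge expired entries first, and a lookup for one purpose never reads records stored for another. The following is an added example written for this page, not code from any poster or project; the store, the purpose names, the 24-hour and 90-day windows, the account names and the documentation-range addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Retention window per declared purpose. These are constructed policy choices
# for this example; the GDPR prescribes no specific number of hours or days.
RETENTION = {
    "abuse_blacklist": timedelta(hours=24),   # short-lived flood mitigation
    "known_login_ip": timedelta(days=90),     # "has this account logged in from here?"
}


@dataclass
class IpRecord:
    ip: str
    purpose: str
    stored_at: datetime
    account: Optional[str] = None  # only meaningful for known_login_ip records

    def expires_at(self) -> datetime:
        return self.stored_at + RETENTION[self.purpose]


class IpStore:
    """In-memory store: every lookup purges expired records first and is
    restricted to records stored for that lookup's own purpose."""

    def __init__(self) -> None:
        self._records: List[IpRecord] = []

    def record(self, ip: str, purpose: str, now: datetime,
               account: Optional[str] = None) -> IpRecord:
        if purpose not in RETENTION:
            # Refuse to store anything without a declared purpose and retention.
            raise ValueError(f"no retention policy declared for purpose {purpose!r}")
        rec = IpRecord(str(ip_address(ip)), purpose, now, account)  # validates the address
        self._records.append(rec)
        return rec

    def purge(self, now: datetime) -> int:
        """Drop records past their retention window; returns how many were dropped."""
        before = len(self._records)
        self._records = [r for r in self._records if r.expires_at() > now]
        return before - len(self._records)

    def _lookup(self, ip: str, purpose: str, now: datetime,
                account: Optional[str] = None) -> bool:
        self.purge(now)
        wanted = str(ip_address(ip))
        return any(r.ip == wanted and r.purpose == purpose and r.account == account
                   for r in self._records)

    def is_blacklisted(self, ip: str, now: datetime) -> bool:
        return self._lookup(ip, "abuse_blacklist", now)

    def login_needs_verification(self, account: str, ip: str, now: datetime) -> bool:
        """True when the account has no unexpired record of logging in from this IP."""
        return not self._lookup(ip, "known_login_ip", now, account)

    def mark_verified(self, account: str, ip: str, now: datetime) -> None:
        """Call only after the user passed the extra verification step."""
        self.record(ip, "known_login_ip", now, account)

    def count(self) -> int:
        return len(self._records)


def demo() -> Tuple[bool, bool, bool, bool, int]:
    """Constructed scenario: one flooding address, one verified home address."""
    store = IpStore()
    t0 = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    store.record("203.0.113.7", "abuse_blacklist", t0)      # flood source, kept 24h
    store.mark_verified("alice", "198.51.100.20", t0)       # alice's verified address
    blocked_now = store.is_blacklisted("203.0.113.7", t0 + timedelta(hours=1))
    new_ip = store.login_needs_verification("alice", "198.51.100.21", t0 + timedelta(days=1))
    known_ip = store.login_needs_verification("alice", "198.51.100.20", t0 + timedelta(days=1))
    blocked_later = store.is_blacklisted("203.0.113.7", t0 + timedelta(hours=25))  # expired
    return blocked_now, new_ip, known_ip, blocked_later, store.count()


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, 1)
```

The point of routing every read through `_lookup` is that the blacklist check cannot see the known-login records and vice versa, so adding a new purpose later forces you to declare its retention before a single address can be stored under it.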
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Many people also have open wireless routers, which is why an IP address, even to a residential customer, does not and cannot equal a person.
I've never met a residential user who has done that.
-
@dkf said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Many people also have open wireless routers, which is why an IP address, even to a residential customer, does not and cannot equal a person.
I've never met a residential user who has done that.
Really? It's quite common in the US, which is why we have multiple rulings on the books in copyright trolling cases that an IP address does not equal a person.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@JBert said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
If you would store those IP addresses for months at a time and associate them with the user accounts coming from those IP addresses (or vice versa) then your case will be harder
Why? Site security encompasses more than simply DOS protection. Look at the way some sites protect the security of their users by requiring external verification if they log in from an IP address they've never used before.
And that's permitted under GDPR too.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
First, it's not ridiculous - many people have a static IP, or a dynamic IP that changes only once a month, or use several devices from one IP (which, together with identification cookies, can be used to determine a person's relatives). Second, IP is treated differently from other personal data since it's necessary to provide basic functionality and security of a website.
Many people also have open wireless routers, which is why an IP address, even to a residential customer, does not and cannot equal a person.
Yes, it doesn't. Home address doesn't equal a person either. Neither does SSN, credit card number, or even full name. But they're all classified as personal information, and for a very good reason.
Second, they assert universal jurisdiction on this
If they didn't, it would become dead law since everyone would move their servers to countries where privacy laws don't exist.
That should be the first indication that there's something inherently problematic here...
There is. Businesses that don't care about user privacy.
Sovereignty is very important; if they can pull a stunt like this, what's stopping China or Iran from using it as a precedent?
Is it a bad thing that nothing stops China or Iran from caring for their own residents online?
This should be read in the context of "universal jurisdiction," above.
The "universal jurisdiction" above is just EU residents. So the context is just right.
We've already had some problems with Canadian courts trying to assert universal jurisdiction against Google in Right To Be Forgotten cases, claiming that it's not enough to simply delist unwanted posts in Canada; they must be removed worldwide. What happens when China or Iran use this as a precedent to try to censor protesters or cover up human rights violations worldwide?
We tell them to fuck off? International law is more like guidelines than actual rules. And there's a huge difference between news articles and databases.
Third, they attempt to use this universal jurisdiction to force non-EU businesses to give money to the EU by employing an EU-based compliance service.
Only for businesses that wish to offer services to EU citizens. I see nothing wrong with that.
No, because it's the World Wide Web. If you're online, you're offering services to EU citizens by default and you have to take specific action and go out of your way to make it otherwise.
And if you don't collect data while doing that, GDPR doesn't apply to you. And no, server logs with IPs don't require explicit consent.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
This should be read in the context of "universal jurisdiction," above. We've already had some problems with Canadian courts trying to assert universal jurisdiction against Google in Right To Be Forgotten cases, claiming that it's not enough to simply delist unwanted posts in Canada; they must be removed worldwide. What happens when China or Iran use this as a precedent to try to censor protesters or cover up human rights violations worldwide?
Or if US courts would demand companies hand over data stored in data centers outside of the US, about people outside of the US.
Because that's never happened before. Geez, you've set these precedents yourself.
-
@topspin said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
This should be read in the context of "universal jurisdiction," above. We've already had some problems with Canadian courts trying to assert universal jurisdiction against Google in Right To Be Forgotten cases, claiming that it's not enough to simply delist unwanted posts in Canada; they must be removed worldwide. What happens when China or Iran use this as a precedent to try to censor protesters or cover up human rights violations worldwide?
Or if US courts would demand companies hand over data stored in data centers outside of the US, about people outside of the US.
Because that's never happened before. Geez, you've set these precedents yourself.
Not to mention FATCA.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Only for businesses that wish to offer services to EU citizens. I see nothing wrong with that.
Do you see a problem with, therefore, having to pay money to attempt to block traffic that might, possibly, have come from an EU citizen?
Don't forget that that's an impossible task, btw. Source IP does not correspond to the citizenship of a user, and neither does User-Agent.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
We tell them to fuck off? International law is more like guidelines than actual rules. And there's a huge difference between news articles and databases.
We didn't, though. Google just said yeah sure whatever.
-
@pie_flavor and they'll say the same to the Chinese government, with or without precedent.
-
@pie_flavor No, actually. They stuck to their guns on this one, with the protection of the SHIELD law in the USA saying that this particular sort of international judgment has no validity in the USA. Unfortunately we don't have anything similar to shield US startups against the GDPR or abusive EU copyright directives.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Not to mention FATCA.
Claim: There is nearly zero cost to comply with FATCA if you do not onboard US-Persons.
- Assume that Banks have Know Your Customer requirements
- Based on the assumption, the bank is required to do research on every client to verify they are who they say they are
- Therefore the bank knows the personhood of a new client
- Therefore the bank can identify a US-Person and prevent the completion of the onboarding process.
- Therefore the cost of preventing a US-Person from opening an account is near zero compared to onboarding a non-US-Person.
Q.E.D.
-
@JazzyJosh said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Only for businesses that wish to offer services to EU citizens. I see nothing wrong with that.
Do you see a problem with, therefore, having to pay money to attempt to block traffic that might, possibly, have come from an EU citizen?
Do you see a problem with having to pay money to attempt to block gun buyers that might, possibly, be prohibited from purchasing a firearm? Do you see a problem with having to pay money to attempt to block food product batches that might, possibly, have been contaminated with a dangerous virus? Ensuring compliance with law is work, and work must be paid for. There are always going to be compliance costs with every law. The mere existence of non-zero compliance costs is not a good enough argument to reject a good law.
Don't forget that that's an impossible task, btw. Source IP does not correspond to the citizenship of a user, and neither does User-Agent.
You know what else is impossible? ID check. There's no guarantee that the person holding the ID is the owner of the ID. And I've yet to hear about a court case where someone gets in trouble for not realizing the ID was stolen when they performed the check.
Block traffic by IP. The only way it can fail is if someone uses VPN/proxy to mislead you about their origin. In which case you'd have a very strong defense of not realizing and not being able to know they're from Europe.
-
@JazzyJosh said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Not to mention FATCA.
Claim: There is nearly zero cost to comply with FATCA if you do not onboard US-Persons.
Who said anything about costs? We were talking about precedent. And there is precedent of the USA enforcing their own laws on people who aren't citizens and have never been residents of the USA.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
You know what else is impossible? ID check. There's no guarantee that the person holding the ID is the owner of the ID. And I've yet to hear about a court case where someone gets in trouble for not realizing the ID was stolen when they performed the check.
ID laws weren't written by people who are actively looking for an excuse to harm the businesses in question.
Block traffic by IP. The only way it can fail is if someone uses VPN/proxy to mislead you about their origin. In which case you'd have a very strong defense of not realizing and not being able to know they're from Europe.
See above, re: actively looking for an excuse to harm American businesses. Because if you don't think that's what all this is really about, you're deluding yourself.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
You know what else is impossible? ID check. There's no guarantee that the person holding the ID is the owner of the ID. And I've yet to hear about a court case where someone gets in trouble for not realizing the ID was stolen when they performed the check.
ID laws weren't written by people who are actively looking for an excuse to harm the businesses in question.
Neither was GDPR.
Block traffic by IP. The only way it can fail is if someone uses VPN/proxy to mislead you about their origin. In which case you'd have a very strong defense of not realizing and not being able to know they're from Europe.
See above, re: actively looking for an excuse to harm American businesses.
All I see is a bold claim without a shred of evidence.
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
actively looking for an excuse to harm American businesses
I know this might come as a shock, but not everything is about America
-
@masonwheeler And all of this was started by someone saying that if they do block by IP, it must be because they're evil people doing evil things with the data. So it's damned if you do, damned if you don't.
If you don't block, you have to comply with GDPR, which imposes large compliance costs even if you're already compliant
a) hire an EU privacy specialist
b) have him review all your code, all your dependency's code.
c) guess whether you're in compliance (non-trivial, because that's a seriously complex law)
d) take the risk of getting sued. Remember, getting sued is a cost even if you win. A big one.
If you do block, well, you're giving up potential customers and you're evil.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
No - it only hurts those who recklessly collect, store, process, and share user data with hundreds of ad vendors just to squeeze these few extra cents per month.
That's a bit of an oversimplification. Literally every business that doesn't have in-house web developers had to pay extra money to make sure everything was compliant when GDPR went into effect (cookie notices, making sure there are no analytics scripts that shouldn't be there, …). In the short term, it cost a lot of people money.
I'm not trying to say I'm against it. That is absolutely not the case.
-
@Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
actively looking for an excuse to harm American businesses
I know this might come as a shock, but not everything is about America
True, but this is. It's about harming the competitiveness of American Internet businesses because the EU has never managed to produce their own Facebook or Google.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
You know what else is impossible? ID check. There's no guarantee that the person holding the ID is the owner of the ID. And I've yet to hear about a court case where someone gets in trouble for not realizing the ID was stolen when they performed the check.
ID laws weren't written by people who are actively looking for an excuse to harm the businesses in question.
Neither was GDPR.
-
@Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
I know this might come as a shock, but not everything is about America
No; not everything. But pretty much the only things the EU does are standardizing the curvature of bananas and finding new ways to fine American companies.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
No - it only hurts those who recklessly collect, store, process, and share user data with hundreds of ad vendors just to squeeze these few extra cents per month.
That's a bit of an oversimplification. Literally every business that doesn't have in-house web developers had to pay extra money to make sure everything was compliant when GDPR went into effect (cookie notices, making sure there are no analytics scripts that shouldn't be there, …). In the short term, it cost a lot of people money.
How much? $2? $35? It definitely wasn't $100,000 because we'd have a huge wave of close downs, and we didn't. What's the exact amount that "a lot of people" had to pay? I'm totally okay with a billion people spending $50 extra in a one time payment if it means my personal data is now properly accounted for and (mostly) not shared without my consent.
-
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
I know this might come as a shock, but not everything is about America
No; not everything. But pretty much the only things the EU does are standardizing the curvature of bananas and finding new ways to fine American companies.
Stop it. Your ignorance level is so high that you might soon become a president.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
How much? $2? $35?
Add two digits and you're in the right range. I don't know how you think web developers make their living if you think they'd write a bill for less than 400€. For a more complex website, they'd certainly charge four figures for any change.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Stop it. Your ignorance level is so high that you might soon become a president.
Tell me this. Has the EU ever created legislation that resulted in huge fines for an EU company and zero fines for any US companies?
-
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
b) have him review all your code, all your dependency's code.
Answering the question "what data do I collect" usually doesn't include a full code review. You should already know that. The only thing you really have to check are third-party scripts that send stuff to third-party servers.
Complying with GDPR is fairly easy if collecting data is not your primary business. Just make all form fields optional unless knowing that information is essential for providing your service. Then make all analytics scripts opt-in. Then tell users what you use the information for. Voila, you're compliant.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
How much? $2? $35?
Add two digits and you're in the right range.
$2.00 and $35.00?
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
How much? $2? $35?
Add two digits and you're in the right range. I don't know how you think web developers make their living if you think they'd write a bill for less than 400€. For a more complex website, they'd certainly charge four figures for any change.
And you need to consult lawyers to understand what compliance means. So you don't just need web developers, you need lawyers (starting at hundreds/hour) to understand if you're even compliant to begin with. And then to check off on any changes against all the other regulations. And that's expensive.
So instead, what you get is cargo-cult compliance--a bunch of pop-ups with no fundamental changes (or ones that don't do what they're supposed to).
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
b) have him review all your code, all your dependency's code.
Answering the question "what data do I collect" usually doesn't include a full code review. You should already know that. The only thing you really have to check are third-party scripts that send stuff to third-party servers.
Complying with GDPR is fairly easy if collecting data is not your primary business. Just make all form fields optional unless knowing that information is essential for providing your service. Then make all analytics scripts opt-in. Then tell users what you use the information for. Voila, you're compliant.
It's not that easy. Because the definition of "data" is complex and non-intuitive. Also, does information sent to analytics have to be explicitly opted-in separately? Each time someone visits? How do you inform users? All of these must be checked. How do those analytics use the data? Are they compliant? You're on the hook for them as well, after all.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
First, it's not ridiculous - many people have a static IP, or a dynamic IP that changes only once a month, or use several devices from one IP (which, together with identification cookies, can be used to determine a person's relatives). Second, IP is treated differently from other personal data since it's necessary to provide basic functionality and security of a website.
Many people also have open wireless routers, which is why an IP address, even to a residential customer, does not and cannot equal a person.
Yes, it doesn't. Home address doesn't equal a person either. Neither does SSN, credit card number, or even full name. But they're all classified as personal information, and for a very good reason.
SSN is (incorrectly) used to identify and authorize a user to do anything from opening a bank account to applying for adoption.
Credit Card Numbers are used to authorize financial transactions for purchases.
IP addresses do not have that level of security risk. You can't use an IP address to steal one's identity or make unauthorized transactions if stolen.
Second, they assert universal jurisdiction on this
If they didn't, it would become dead law since everyone would move their servers to countries where privacy laws don't exist.
That should be the first indication that there's something inherently problematic here...
There is. Businesses that don't care about user privacy.
No. If I have a business that does as much as keep customer records, I need to hire an expensive attorney to ensure I'm compliant with the law. This adds a huge financial burden on any small business that is really just doing what they need to stay in business while also being reasonably respectful of user privacy. Even if I'm fully compliant, I still have to respond to any claims that I'm not with legal representation. It just opens small businesses to harassing and frivolous litigation.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Complying with GDPR is fairly easy if collecting data is not your primary business.
If only...