The Official GDPR Lawsuit thread

idzy

@Rhywden said in The Official GDPR Lawsuit thread:

A shopping cart does not contain personal information

In theory no, in practice yes. Not by our organization, but certainly Google or Facebook. Advertising scripts are downright demonic, and an innocent little copy-paste job for Google Analytics adds your site to their dragnet surveillance network, whether you like it or not.

dfdub

@Rhywden said in The Official GDPR Lawsuit thread:

I'd put it in another way: As soon as you're containing/tracking personal information with a cookie it's subject to GDPR. A shopping cart does not contain personal information on its own and thus does not need consent.

Not entirely correct. Even handling personal information is perfectly fine, as long as it's required to perform the service the user requested.

idzy

@dfdub Yeah, until they request it to be purged. Most 3rd party apps don't really support "Delete", especially if there are huge cascade implications. It's simply logical delete. So if you're DB is compromised, you're still liable.

dfdub

@idzy said in The Official GDPR Lawsuit thread:

Please describe to the court what exactly a "technical necessity" is?

Rule of thumb: Necessary to perform the action the user explicitly requested…

Is it a necessity to support your revenue stream and business model? Is it part of the over-complicated JavaScript library you are using? Perhaps an advertising affiliate program, which runs their code before your page even renders?

…so none of these, because they're the result of your own business choices.

Facebook, Google, and other players who've engineered "ever-cookie" tech that the average user isn't even aware of, let alone able to erase, which tracks you across virtually every website you visit. That "Thumbs Up" icon passes what looks like encrypted data or a GUID in the GET request.

Which is why you should use a third-party library that only loads the actual like button upon explicit consent.

dfdub

@idzy said in The Official GDPR Lawsuit thread:

Yeah, until they request it to be purged. Most 3rd party apps don't really support "Delete", especially if there are huge cascade implications. It's simply logical delete. So if you're DB is compromised, you're still liable.

That and its impact on logging are definitely the more painful implications of the regulation. But the ability to delete makes a lot of sense from the user's POV: If I request account deletion, I don't expect my password hash to be exposed by a hack 5 years later.

Nota bene: If you're legally required to only logically delete records (for example as a payment provider), then it's fine to delete only the data you're allowed to delete.

idzy

@dfdub said in The Official GDPR Lawsuit thread:

hich is why you should use a third-party library that only loads the actual like button upon explicit consent.

Our app is a paid, subscription based business app, so we don't have ads, nor social media integration. We don't have any of those issues. But our sales and marketing staff throw caution to the wind and do what they like.

To be perfectly honest, I'm really proud of our GDPR compliance, and handling of user data in general. We are independently audited for PCI DSS twice a year, and have never even had an OFI.

It's just the breadth of this company which makes things complicated, because everyone thinks they can "take the initiative" with google forms, or some WordPress page and undertake their own skunk-works pseudo IT project without telling anyone.

Furthermore, sales and marketing folks seem to keep finding these spam dissemination providers, because our own SMTP server is configured to not do retarded things and therefore "sucks" (at the moment, they're using MailGun), and copy-paste 800,000 email addresses from an ever growing text file, manually harvested from everyone they've ever contacted, or been contacted by. Totally uncontrolled and out of my sphere of influence.

dfdub

@idzy said in The Official GDPR Lawsuit thread:

copy-paste 800,000 email addresses from an ever growing text file, manually harvested from everyone they've ever contacted, or been contacted by

Somewhere in Europe, a lawyer just started salivating uncontrollably and doesn't know why.

idzy

@dfdub Hey, not my problem. I've had my objections minuted at just about every management meeting for the last 2 years. The only thing that I could do is say "I told you so"

dfdub

BTW: actually offers a pretty good explanation:

rgj

Your Discourse forum and the GDPR - Communiteq

Making your Discourse forum comply with the GDPR is not hard, but it can be a bit overwhelming. This article provides an explanation about the GDPR and a list of things you need to do.

The only questionable part is that they consider "reading time per post" and "outgoing links" important data that can be stored without explicit consent. But it wouldn't be Discourse without s, would it?

Steve_The_Cynic

@idzy said in The Official GDPR Lawsuit thread:

@Steve_The_Cynic said in The Official GDPR Lawsuit thread:

I don't say this as an insult, but as a warning. It's not that the job is bad, nor that you are bad, but simply that you and the job don't fit together.

I've been round the globe for a couple of spins now, I know how to look after myself. This role is very well remunerated, and a bit of a career advancement. Having been programming since I was 6 (AmigaBasic was my first language), and one of the 90's era "hackers" (or should I say explorers), this is my passion and no Ops droid with a Cert IV in "Information Technology" will pull the rug from beneath me. Despite my groaning, I'm actually taking this project on with as much enthusiasm as I can muster, and happy to have a relatively senior role, with a lot of visibility to senior management. I'm doing this in addition to my role as principal software engineer for a rather large scale web-app, so I'm working hard, and hoping it pays off. This company is large, but still privately owned, so I'm not yet just a "number".

OK, fair enough. Your other post makes the situation seem less in your favour. Apologies where they are due.

boomzilla

@idzy said in The Official GDPR Lawsuit thread:

The web is a freaking privacy nightmare, if people knew just how much data is being collected they'd promptly defenestrate their device (actually, no they wouldn't, the mob have already proven they don't value their privacy, Facebook have screwed up so many times, yet there is no decline in their user base). I really fear for my son's generation, who'll grow up in a world where this privacy invasion has always been there. I remember an internet before Facebook, where Google wasn't evil and ads were just that, ads. Not a dossier of your online life.

I think the amount of privacy violations devalues every privacy violation. It's like being worried about someone seeing your face in a crowd at a stadium. I guess I wish that this stuff didn't happen but I've learned to stop worrying about it so much.

Zerosquare

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Benjamin Hall

@boomzilla said in The Official GDPR Lawsuit thread:

@idzy said in The Official GDPR Lawsuit thread:

The web is a freaking privacy nightmare, if people knew just how much data is being collected they'd promptly defenestrate their device (actually, no they wouldn't, the mob have already proven they don't value their privacy, Facebook have screwed up so many times, yet there is no decline in their user base). I really fear for my son's generation, who'll grow up in a world where this privacy invasion has always been there. I remember an internet before Facebook, where Google wasn't evil and ads were just that, ads. Not a dossier of your online life.

I think the amount of privacy violations devalues every privacy violation. It's like being worried about someone seeing your face in a crowd at a stadium. I guess I wish that this stuff didn't happen but I've learned to stop worrying about it so much.

I'll be a contrarian. I have yet to see any examples of actual harm caused by any of this tracking cookie stuff. Poor storage of IID (leading to identity theft)? Sure. But in the main, even though theoretically you could be identified, in practice no one cares enough to do so unless you're the target of a government, in which case they're not going to pay any attention to those pesky regulations at all.

boomzilla

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

Rhywden

@dfdub said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

I'd put it in another way: As soon as you're containing/tracking personal information with a cookie it's subject to GDPR. A shopping cart does not contain personal information on its own and thus does not need consent.

Not entirely correct. Even handling personal information is perfectly fine, as long as it's required to perform the service the user requested.

No, that's definitely wrong and will land you in a lot of hot water. There's no exception for this - you handle personal data, you bow to the GDPR. Period. If your site/app/program does not work without personal data then the whole thing is subject to GDPR.

Because if there were such an exception for "technical necessities" you'd only need to build your site in such a way that it does not function without personal data and, bang, you're not subject to GDPR anymore? Yeah. No.

Rhywden

@boomzilla said in The Official GDPR Lawsuit thread:

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

The cookies are a bit of an outlier, true. I think they didn't want to put too many exceptions into the rules and thus simply stated: "If it can be used to identify a person then it's subject to this law." Thus preventing the usual suspects from doing endruns around the law by using special snowflake scenarios.

I mean, it also necessitates companies to make data breaches public within a certain time period, for instance. Sony sitting several weeks on their credit card leak would have yielded even larger fines than the mere $400K they had to pay.

Unperverted Vixen

@Rhywden said in The Official GDPR Lawsuit thread:

That's the wonders of commercial law: If you offer a service to someone you're bound to the laws of the country the recipient resides in. You got it the wrong way around.

But that's not how the web works. Companies don't offer a service to the recipient; the recipient comes to the company (specifically, their web server) and asks for the service.

boomzilla

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

The cookies are a bit of an outlier, true. I think they didn't want to put too many exceptions into the rules and thus simply stated: "If it can be used to identify a person then it's subject to this law." Thus preventing the usual suspects from doing endruns around the law by using special snowflake scenarios.

I mean, it also necessitates companies to make data breaches public within a certain time period, for instance. Sony sitting several weeks on their credit card leak would have yielded even larger fines than the mere $400K they had to pay.

That's pretty fucking weak. Why not just do that? In short: get over yourselves.

Rhywden

@Unperverted-Vixen said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

That's the wonders of commercial law: If you offer a service to someone you're bound to the laws of the country the recipient resides in. You got it the wrong way around.

But that's not how the web works. Companies don't offer a service to the recipient; the recipient comes to the company (specifically, their web server) and asks for the service.

Erm, what? Of course you offer a service. I don't have to send an email to Netflix, requesting to be able to stream a movie, I simply subscribe to their offering.

What do you think advertisements are? How do I know about quite a number of those sites in the first place?

Rhywden

@boomzilla said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

The cookies are a bit of an outlier, true. I think they didn't want to put too many exceptions into the rules and thus simply stated: "If it can be used to identify a person then it's subject to this law." Thus preventing the usual suspects from doing endruns around the law by using special snowflake scenarios.

I mean, it also necessitates companies to make data breaches public within a certain time period, for instance. Sony sitting several weeks on their credit card leak would have yielded even larger fines than the mere $400K they had to pay.

That's pretty fucking weak. Why not just do that? In short: get over yourselves.

Uh, what? This does not make an iota of sense.

boomzilla

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

The cookies are a bit of an outlier, true. I think they didn't want to put too many exceptions into the rules and thus simply stated: "If it can be used to identify a person then it's subject to this law." Thus preventing the usual suspects from doing endruns around the law by using special snowflake scenarios.

I mean, it also necessitates companies to make data breaches public within a certain time period, for instance. Sony sitting several weeks on their credit card leak would have yielded even larger fines than the mere $400K they had to pay.

That's pretty fucking weak. Why not just do that? In short: get over yourselves.

Uh, what? This does not make an iota of sense.

I was pointing out that you were defending nonsense by saying that the law also does something sensible.

Rhywden

@boomzilla said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

The cookies are a bit of an outlier, true. I think they didn't want to put too many exceptions into the rules and thus simply stated: "If it can be used to identify a person then it's subject to this law." Thus preventing the usual suspects from doing endruns around the law by using special snowflake scenarios.

I mean, it also necessitates companies to make data breaches public within a certain time period, for instance. Sony sitting several weeks on their credit card leak would have yielded even larger fines than the mere $400K they had to pay.

That's pretty fucking weak. Why not just do that? In short: get over yourselves.

Uh, what? This does not make an iota of sense.

I was pointing out that you were defending nonsense by saying that the law also does something sensible.

Yeah, whatever boomer.

boomzilla

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Rhywden said in The Official GDPR Lawsuit thread:

@boomzilla said in The Official GDPR Lawsuit thread:

@Zerosquare said in The Official GDPR Lawsuit thread:

@boomzilla: well, you either get desensitized to it, or go insane since it's getting worse and worse and there's basically nothing you can do about it. Kinda like working for a company whose codebase is littered with WTFs everywhere. That doesn't mean it is normal.

Normal, shmormal. The GDPR kind of privacy stuff just doesn't seem to be a big deal, as opposed to, say, exposing passwords.

The cookies are a bit of an outlier, true. I think they didn't want to put too many exceptions into the rules and thus simply stated: "If it can be used to identify a person then it's subject to this law." Thus preventing the usual suspects from doing endruns around the law by using special snowflake scenarios.

I mean, it also necessitates companies to make data breaches public within a certain time period, for instance. Sony sitting several weeks on their credit card leak would have yielded even larger fines than the mere $400K they had to pay.

That's pretty fucking weak. Why not just do that? In short: get over yourselves.

Uh, what? This does not make an iota of sense.

I was pointing out that you were defending nonsense by saying that the law also does something sensible.

Yeah, whatever boomer.

OK Ryder.

Unperverted Vixen

@Rhywden said in The Official GDPR Lawsuit thread:

Erm, what? Of course you offer a service. I don't have to send an email to Netflix, requesting to be able to stream a movie, I simply subscribe to their offering.

Yes, you make an HTTP POST request to their servers, asking to create an account and subscribe to their offerings. You make an HTTP GET request asking for the contents of a movie. You're going to where they are; they aren't coming to your device, much less your country, except as a response to your request.

What do you think advertisements are?

Something I do my best to ignore.

I haven't worked with web advertising so I don't know what sort of region controls they actually offer, or how effective/accurate they are. In general, though, I don't think that an ad on a website counts as advertising to your country, no more than bringing a newspaper home from the US would count as the companies within advertising to the EU.

topspin

@Unperverted-Vixen and at what point do I request to be tracked if I go to a site once without an account? Specifically, if I have DNT enabled which they consciously ignore, and also block ads as much as I can?
If I open a website by typing in a URL, how do I know beforehand what kind of malicious things I’m going to “request” with all the JS and other crap that’s going to be sent?

Unperverted Vixen

@topspin said in The Official GDPR Lawsuit thread:

@Unperverted-Vixen and at what point do I request to be tracked if I go to a site once without an account?

Just by sending an HTTP request to their server you're requesting to be tracked.

If I open a website by typing in a URL, how do I know beforehand what kind of malicious things I’m going to “request” with all the JS and other crap that’s going to be sent?

If you don't trust their JavaScript, turn JavaScript off.

topspin

@Unperverted-Vixen said in The Official GDPR Lawsuit thread:

@topspin said in The Official GDPR Lawsuit thread:

@Unperverted-Vixen and at what point do I request to be tracked if I go to a site once without an account?

Just by sending an HTTP request to their server you're requesting to be tracked.

A HTTP request with DNT: 1, sure sure. I guess when you walk into the supermarket, or anywhere outside, you’re requesting to be tracked, too.
You know that’s bullshit.

boomzilla

Unperverted Vixen

@topspin said in The Official GDPR Lawsuit thread:

I guess when you walk into the supermarket, or anywhere outside, you’re requesting to be tracked, too.

Any time I walk in front of a camera? Yes, I am. I wish that public spaces weren't littered with them, but that ship sailed years ago. (At least it's not quite as bad in the US as in the UK.)

dkf

@Unperverted-Vixen said in The Official GDPR Lawsuit thread:

Any time I walk in front of a camera? Yes, I am. I wish that public spaces weren't littered with them, but that ship sailed years ago. (At least it's not quite as bad in the US as in the UK.)

It really depends on where you are. City centres are thick with cameras, yes, but further out they're much thinner on the ground. In the 'burbs, there might be cameras watching problem intersections for traffic issues, but they're just doing that. (Private land may have their own cameras. Depends on the owner I guess, but I wouldn't assume that there are no security cameras in stores in the US either...)

dfdub

@Rhywden said in The Official GDPR Lawsuit thread:

Because if there were such an exception for "technical necessities" you'd only need to build your site in such a way that it does not function without personal data and, bang, you're not subject to GDPR anymore? Yeah. No.

I never meant to suggest that you weren't subject to the GDPR if you only store what's necessary. Just that the GDPR explicitly states that you don't need to ask for consent in this case, since it's one of the exceptions mentioned in Article 6 - you just need to list what you store in your terms and conditions and provide a way to delete that data. Maybe we were talking past each other; I was still referring to the original topic (cookie popups) in my reply.

And as I've already said above, I'm talking about actual necessities here, not whatever you chose to require.

Mason_Wheeler

@topspin said in The Official GDPR Lawsuit thread:

A HTTP request with DNT: 1, sure sure.

If you know enough to be aware of DNT at all, you also know enough to know that it's a completely toothless, meaningless "standard" that nobody ever truly cared about enough to respect it or enact rules forcing others to respect it.

topspin

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

@topspin said in The Official GDPR Lawsuit thread:

A HTTP request with DNT: 1, sure sure.

If you know enough to be aware of DNT at all, you also know enough to know that it's a completely toothless, meaningless "standard" that nobody ever truly cared about enough to respect it or enact rules forcing others to respect it.

I know enough about it that it was born out of the industry saying "no, we can self-regulate, don’t legally enforce anything" in the hopes that self-regulation wouldn’t happen anyway. Then Mozilla came out with something that was actually technically feasible and then the industry thought “oh shit, we can’t have that.”
The point is, before that they got away with claiming that people don’t mind being tracked and after it they said “you know what, we don’t care that you explicitly opt out of being tracked, we’ll do it anyway. Fuck you.” And then they got what they fucking deserved: legal regulation and explicit opt-in.
You complain about the GDPR and all the things it makes you do? Well, cry me a river, you asked for it.

And yes, I also know enough to not trust them with anything at all anymore. I block their cookies, their ads, I browse with tracking protection enabled all the time, and I still assume that they Google et al. come up with technical measures to track me anyway. Illegally, of course.

Unperverted Vixen

@dkf said in The Official GDPR Lawsuit thread:

Private land may have their own cameras. Depends on the owner I guess, but I wouldn't assume that there are no security cameras in stores in the US either...

I’m not. I should have said “public accommodation” rather than “public space”, to make clear I was including private land that’s open to the public (e.g. stores) too.

Mason_Wheeler

@topspin said in The Official GDPR Lawsuit thread:

You complain about the GDPR and all the things it makes you do? Well, cry me a river, you asked for it.

I'm fine with most of the things. I agree fully that privacy is important and tracking needs to be reined in. But I have a specific beef with three of its points:

1. "Right" to erasure. This is an abomination that anyone could have (and many people did!) taken one look at and said "the primary use case for this is going to be bad actors abusing it to hide past misdeeds." Which is precisely what has happened.
2. The requirement for any foreign site doing business in Europe to have a Europe-based "GDPR Representative". This is nothing more than flat-out extortion. "We don't like that American businesses have figured out how to be successful on the Internet and ours haven't, so we're going to invent out of thin air a new 'right' for them to need to pay money to Europe in order to do business here." Let's call a spade a spade here: that's a protection racket!
3. "Universal jurisdiction," which defines virtually the entire Web as being subject to points 1 and 2, above. Well, no. Just no. That's not how law works. If someone comes into my country to use my product on my server hosted in my country, they're operating by the laws of my country. Period. Screw anyone who says otherwise!

Fix those three points, and I have no trouble with the GDPR. Leave them as-is, and I want it dead.

dfdub

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

The requirement for any foreign site doing business in Europe to have a Europe-based "GDPR Representative". This is nothing more than flat-out extortion. "We don't like that American businesses have figured out how to be successful on the Internet and ours haven't, so we're going to invent out of thin air a new 'right' for them to need to pay money to Europe in order to do business here."

Do you really think the big, successful US internet companies didn't have subsidiaries in the EU before? They all did. But they all tried to dodge legal responsibility by claiming that only their US-based sister company was responsible for the services they provide.

This part of GDPR was specifically designed to put an end to this legal charade.

Mason_Wheeler

@dfdub Maybe that's the excuse, but it's quite poorly designed if that's what they're actually attempting to do, particularly given the way it applies to every business in the world, of any size, with an Internet presence. You know what that does? It makes it so only "the big, successful US Internet companies" -- the very people you claim you're trying to bring to heel -- have the resources to deal with the cost of compliance. It cements their dominance rather than making it easier for others to compete with them.

Much more likely is that they're trying to run a protection racket on US businesses and just didn't think about the side effects.

Benjamin Hall

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

@dfdub Maybe that's the excuse, but it's quite poorly designed if that's what they're actually attempting to do, particularly given the way it applies to every business in the world, of any size, with an Internet presence. You know what that does? It makes it so only "the big, successful US Internet companies" -- the very people you claim you're trying to bring to heel -- have the resources to deal with the cost of compliance. It cements their dominance rather than making it easier for others to compete with them.

This is a common "side effect" of regulation. The big guys either already have compliance groups in place (so the incremental cost is minimal) or can soak the cost. The small guys? Especially those just starting up? Not so much. In fact, it's a key factor in corporatism--the big businesses push for (or at least steer) regulations that they can handle just fine but will cripple any attempts at competition.

dfdub

@Mason_Wheeler
Your criticism is valid, but I'd be very surprised if the documented behavior of Facebook and Google wasn't the main inspiration for this particular rule. And not literally every website needs a representative; that's an exaggeration.

Mason_Wheeler

@dfdub said in The Official GDPR Lawsuit thread:

And not literally every website needs a representative; that's an exaggeration.

From what I've heard, it's not. If you're:

1. a non-EU-based website,
2. doing business in the EU, which by Universal Jurisdiction essentially means doing business online at all,

literally all examples that meet the above two criteria are required to pay the protection racket.

Do you have an authoritative source that states otherwise?

Rhywden

@Mason_Wheeler So, let me get this straight: You want to reap the benefits of making your product available globally but don't want to deal with the consequences?

Sounds like cakeism.

Mason_Wheeler

@Rhywden So let me get this straight. You want to reap the benefits of using products offered in other countries, but don't want to deal with the consequences of stepping outside the rules of your own country to observe the relevant laws where the product is actually offered?

Never heard of "cakeism" before, but that sounds insanely entitled. Do you think you'd be able to get away with that line of "reasoning" if you visited a physical store located in New York in person? If so, you're flat-out deluded. It just doesn't work that way. If not, please explain why the rules should be fundamentally different online.

Rhywden

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

@Rhywden So let me get this straight. You want to reap the benefits of using products offered in other countries, but don't want to deal with the consequences of stepping outside the rules of your own country to observe the relevant laws where the product is actually offered?

Never heard of "cakeism" before, but that sounds insanely entitled. Do you think you'd be able to get away with that line of "reasoning" if you visited a physical store located in New York in person?

I see. How exactly am I supposed to know that this web store actually resides in New York?

And what about a web store residing on Azure servers? What jurisdiction decides for those?

Mason_Wheeler

@Rhywden Generally, you can tell by looking at the TLD. And if not, you can generally tell by looking at the website itself; it's often found in the footer of the page.

PleegWat

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

@Rhywden So let me get this straight. You want to reap the benefits of using products offered in other countries, but don't want to deal with the consequences of stepping outside the rules of your own country to observe the relevant laws where the product is actually offered?

Never heard of "cakeism" before, but that sounds insanely entitled. Do you think you'd be able to get away with that line of "reasoning" if you visited a physical store located in New York in person? If so, you're flat-out deluded. It just doesn't work that way. If not, please explain why the rules should be fundamentally different online.

Turning this around, do you think a US judge would consider an EU site out of their jurisdiction after they ignore a DMCA notice?

Mason_Wheeler

@PleegWat Yes. That has happened in fact. Multiple times.

Rhywden

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

@Rhywden Generally, you can tell by looking at the TLD. And if not, you can generally tell by looking at the website itself; it's often found in the footer of the page.

So, I have to hunt for the information. I mean, .net is soooo specific.

Right. Yeah, no.

dfdub

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

From what I've heard, it's not. If you're:

a non-EU-based website,
doing business in the EU, which by Universal Jurisdiction essentially means doing business online at all,

Then you should actually read Article 27 specifically 2 (a). If, for example, you have an average company website with a contact form, you're covered by this exception.

Rhywden

@PleegWat said in The Official GDPR Lawsuit thread:

Turning this around, do you think a US judge would consider an EU site out of their jurisdiction after they ignore a DMCA notice?

If it involves a EU citizen on a EU site on EU servers dealing with a EU company? Certainly.

That is, after all, why Microsoft has a subsidiary company in Ireland for their data centers.

Mason_Wheeler

@Rhywden said in The Official GDPR Lawsuit thread:

@Mason_Wheeler said in The Official GDPR Lawsuit thread:

@Rhywden Generally, you can tell by looking at the TLD. And if not, you can generally tell by looking at the website itself; it's often found in the footer of the page.

So, I have to hunt for the information. I mean, .net is soooo specific.

Right. Yeah, no.

So you want to have all the benefits of a World Wide web, without having to care about the rest of the whole wide world existing?