@blakeyrat said in A critical reflection on GDPR:
Except their web server logs IPs, which are personal information, so they have to write tons of custom code to prevent their website from doing that. Somehow. Because no webserver does that out-of-the-box. And odds are, Chan doesn't even know it does that, because he just hired some high school kid to set it up. Oh and the high school kid set up Google Analytics too, there's another violation. Chan likes seeing the charts, and he has no idea that the way that data is collected is illegal now.
Ok, I didn't know that IP logs had been pulled into this. That's silly and a bit of a nuisance. Based on a cursory bit of googling tonight, I think the consensus is that website logs are allowed (e.g. for business activities such as detecting malicious activity) but can't be kept for long, and users need to be told about the logging on the website. (The jury still seems to be out on whether logs ought to be encrypted - which would be a total pain in the arse.)
If that's the extent of it, then I'll need to tweak my server settings to cut down log retention time, but our hypothetical Chinese restaurateur is probably fine - he's using a typical cheap virtual web host provider who doesn't like storing log files, so already clears them after 30 days. He might need to tweak the privacy policy on his website and add some Google-provided boilerplate text re. analytics (which Google will already have harassed him about).
@blakeyrat said in A critical reflection on GDPR:
And that's not to say the US doesn't have crappy laws. I opposed the Washington State public smoking ban not because I necessarily disagree with banning smoking, but because the law was so poorly-written that if you were standing on a street corner with a cigarette, and a bus pulled up and opened its doors, you were suddenly miraculously in a "public area" where smoking is banned and are suddenly in violation of the law-- even though you didn't even do anything. Badly-written laws suck, no matter how noble their intent.
And GDPR is a very badly-written law.
But just as no one's been prosecuted for smoking near a bus, similarly the more extreme and misanthropic interpretations of GDPR are unlikely to be a reality. Right now, data protection regulators don't even pursue the major crooks who are egregiously flouting current laws and pissing off thousands of people - that might be down to underfunding, incompetence or laziness. Data-protection agencies are not suddenly going to go after every trivial infraction by a small business (they couldn't cope with the scale even if they wanted to).
They don't really need to contemplate the small fry when there are more big fish than they can ever cope with. That even assumes they want to abusively prosecute really small technical infractions - I guess I'm just less of a pessimist than you are