Instapaper is temporarily shutting off access for European users due to GDPR (theverge.com)
252 points by anotherevan on May 24, 2018 | 366 comments



Hey all – Brian from Instapaper here. We worked really hard to try to avoid a service interruption in the EU, but unfortunately we were unable to. We continue to work hard to ensure that the service interruption is as brief as possible.

Let me know if you have any questions...


I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

From what I can tell from various legal advice that I’ve read, as long as you’re working on implementing the changes, and have been following security best practices, nothing really changes on May 25th, and you’ll be able to take your time to become fully compliant, as long as you can demonstrate that’s what’s happening. In other words, good faith and best practice will get you far.

Your current reaction seems like a huge and unnecessary overreaction that is just harming your users, and unlikely to have any material impact on your legal risk.


Instapaper is owned by Pinterest. Pinterest is a large high profile company with millions of European users and would be a potential target of regulators looking to establish precedents of enforcement with a big name.

I highly doubt this decision was made lightly and was probably informed by actual legal professionals with knowledge of the regulators in question and not the 3rd party opinion of some guy on the internet who "feels like it's not that big of a deal."


But he's spot on about contacting the regulators because they already know they won't be in compliance.

Now would be a good time to do just that, and if the actual legal professionals thought it was a good idea to ban EU citizens but keep their data then maybe they should get better lawyers because that certainly won't work.


hmmm...

If I had an instapaper account it would be interesting to submit a GDPR request tomorrow, and see what kind of reply I got. Now I don't, but I'm sure there are plenty of other interested people around.


In all likelihood, the answer from most companies would be "sorry we don't yet have the ability to provide that data, it's on the roadmap, you'll have to wait".


At which point the data subject can report them to the regulator. Hopefully everyone receiving such a response will do so. Companies have had 2 years warning.

For most small businesses and startups this is no big deal as 1 or 2 reports to the regulator isn't going to trigger anything. For those companies of a certain size, the regulator might take note of 1,000 reports in the first week. I imagine some of those will have the regulator check if they have had a self-report from the company for non-compliance. Maybe then an email to colleagues at other ICOs across Europe.


I keep reading the "two years warning" notion on HN. While that might be technically correct, the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators) and so to this day, its practical implementation will to no small part depend on the iterative conclusions and learning various implementors (eg. companies) made in an arduous process since.

In other words, the first to think they were GDPR compliant might have had to redo a ton of work to adjust to more recent interpretations.

And let's not forget, for large orgs with complex infrastructure, this is a behemoth of an effort. There have been year-long projects in the two large tech companies I've had insight into since.

And while I'm at it, let me comment on the frequently expressed notion of "if you've respected your users in the past, you'll be fine!". Just to pick one counter argument: the right to be forgotten. That can only be implemented thoroughly and in the way the users expect it to work (ie. delete everything but what you're legally required to retain) by finding a way to connect all user data so you know what to drop if need be. That is exactly the kind of action that's caused public outrage at big tech to begin with and it's not only potentially a huge effort, it also increases risk of abuse.

This all being said, I still think GDPR is a good idea at least in principle. And believe it or not, while everyone around me is really of compliance work, GDPR seems widely considered a good idea in principle across engineering in big tech.


> the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators)

There we have to disagree. It's not like this is something new and untried.

GDPR is a development from long-standing, and now very well understood, Data Protection. The legislation seems mainly intended to modernise some of the definitions and scope (e.g. adding biometrics to PII), catch some newer practices, and make very plain and explicit that it doesn't just apply to EU companies.

In 1996 and '97, in the run up to the 1998 Data Protection Directive, I recall a couple of common confusions and misunderstandings. Nothing like the ridiculously poor and simply incorrect reporting we have for this.

Any large org should have been fully compliant with DPA for years. They have to add extra mechanisms for explicit opt-in or deletion and get a little less time to retrieve full data and can't charge. That doesn't seem to need a "behemoth of effort", but that's not to say it's necessarily entirely trivial.

In other words they survived DPA with no apparent effect, yet it's >80% of GDPR with the same definitions. No one should be iteratively fumbling toward an unclear target at all. Even reading the UK ICO's old guide to 1998 Data Protection from a few years ago gets you most of the way there including understanding personal data.


But there are not massive differences between the laws we've had for many years - for a UK example PECR and DPA implement EU regulations and contain many of the same principles around lawful basis, limiting the amount of data that's held and the length of time it's held for, etc.


Anything that doesn't say "We will do just that! It might take up to 30 days" and asks for up to two extensions afterwards is not compliant, so this would be an exceptionally dumb response.


This is ridiculous, it's not like they didn't have notice.


But that's the reality. At least they're working on it, and the fact that a lot of companies massively overreact means they at least take data protection seriously now.


You don't ignore a law for 2 years and then just after it comes into force say "at least we're working on it". Honestly I thought the GDPR was a bit of an overreaction when it came out 2 years ago, but seeing how little respect companies have for our data over the last few weeks I've been convinced it was necessary.


As an engineer, with as much else as is going on on a day to day basis it's not surprising. A lot of the vagueness around the GDPR still hasn't been resolved; nobody wanted to get a head start just to be told "oops, we actually meant this" and have wasted countless engineering/lawyer hours as a result.


You would only take that liberty if you didn't have much respect for the law and its ability to touch you. I suspect companies are a lot more careful with each year's new IRS rules even though they don't yet have case law and are often issued on much shorter notice.


Companies directly lobby the laws that affect the IRS on a year-to-year basis and have a lot more knowledge about it. It is hardly as vague as this was. I very much do respect the laws when I can, but I'm a US citizen, and my projects don't make enough money for me to ultimately care about the GDPR/EU. I just blocked them for... ever, probably. You're really targeting people here, sorry I disagree?


I am not speaking of you specifically because this is about the behavior of companies and not personal projects.

There are companies, OP being one (a subsidiary of Pinterest) that have presence in the EU and are essentially playing chicken with the regulators. Blocking users but keeping their data is not compliance, nor are dialogs telling users you plan to carry on as normal. Companies do not do this with the IRS because they would be afraid of the consequences.


> You don't ignore a law for 2 years

And that's only GDPR. We've had PECR (in UK) since 2002 and DPA since 1995.


Most other companies haven't made the same decision, what's different about Instapaper?

Do they share reading habits with multiple third parties perhaps?


This is increasingly my suspicion. I'd expect that they could have solved any technical issues around disabling tracking or letting users opt-in/out by now, which leads me to suspect that they have their business model based on being able to share certain data. It's very possible that they've A/B tested GDPR compliant flows/messaging, and found that their metrics/revenue dropped enough that they feel they have to do something more drastic. Although the argument against that is the fact they have literally just disabled access for European users.


GDPR has basically turned the lights on all of the companies doing questionable things with user data. Shutting down or turning off the EU is a huge red flag.


No it’s not. The way big companies are dealing with the GDPR is to ask their lawyers what to do. The lawyers define compliance very expansively since they’re not the ones doing the work and they are the ones who will be blamed if the EU comes after the company. So they say, “every single trace of anything related to user data must be purged.” So the company asks every engineering team to fill out a 200 point checklist about what they are doing with user data.

So, unless you’re saying that “Pinterest’s site reliability team can’t answer question 192 about how user data is deleted from the incident management system logs when an event is traced” is a “huge red flag” then you are exaggerating the issue.


Probably worth reading this.

https://jacquesmattheij.com/gdpr-hysteria

EU agencies would prefer compliance over fines and would work with businesses to help them. As the article suggests, prosecution/fines will come when all other avenues are exhausted not the starting point.


Says some random dude on the Internet that seems to be a tremendous fan of GDPR. I prefer to base my understanding of laws on the text of the law. This one says that no warnings are required and that fines can be up to 20M EUR.


>> Says some random dude on the Internet that seems to be a tremendous fan of GDPR.

Let's be a little self-conscious here, shall we?

Of all the articles on HN that discuss the GDPR that I've read, I've found one that you didn't contribute to, and your contributions never show an "understanding of laws based on the text of the law". For instance, you have consistently claimed that there will be 28 (btw, not 27) different interpretations of the law, completely disregarding entire articles devoted to the consistent application of the Regulation, which, as a regulation, does not need to be made into local law and is applicable across the bloc.

You are clearly on a warpath against the GDPR, which is perfectly fine of course; yet at the same time you accuse jacquesm of being a "tremendous fan of the GDPR". If you can express your opinion despite having an agenda, so can he - and he seems to be much better informed of the law than you are.

Edit: Just to clarify, I don't have some axe to grind against you. You're one of the few users whose handle I recognise because your comments in GDPR threads stand out so much in their fervour and because there are so many of them.


I’m not on the warpath, but I will consistently dispute rosy predictions about the “good natured enforcers” (a direct quote from Jacques) of GDPR. No law or regulation this easy to violate, with fines this large, that claims extraterritorial powers, has ever not been abused, and this will be no exception.

With regard to your claim that it will not be subject to unique interpretations in each country within the EU, that simply isn’t true. Each country will have its own enforcement agencies. They’ll enforce it in different ways, and to different degrees. Since this regulation is so vague, it simply isn’t possible that they will all interpret and enforce it in the same way.

You seem to be in Jacques's corner, claiming that our new self-appointed privacy overlords will be perfectly coordinated and "good natured". As someone with quite a bit of experience dealing with government agencies, I can tell you that few of those that seek out relatively low-paying government jobs where the primary perk is having power over other people are "good natured". There will be abuses.

The good news is that D-Day is here, and now we can all stop arguing and watch to see whose predictions come true.


Neither of you are right. The EU is not going to go out guns blazing with $20m fines for small companies. They’re also not going to host a drum circle for companies to harmoniously join the movement towards better user privacy. They’re going to get some big fines out there on big companies (who doesn’t love free money) and also go after smaller companies actively doing bad things with user data. Yes, they could, but in the same way that the person standing at the bus with you could punch you in the face. It might happen, but realistically, it probably won’t, and you’re probably not actively prepping for it.


As Jacques and I have said, that simply means panic and it is not needed. You maybe do not live in the EU, but the letter of the law is not such a thing here as it might be in the US (and although punishment is harsher and often far harsher than it is here, the US also looks at intent). The EU is not going to punish any company that has the intent to offer its users privacy under this law, but made some mistakes or forgot things. They made this especially vague simply because a) we know they are not going to blanket destroy all violators anyway (we have had many crazy vague laws for many decades; no one cares) b) if someone is clearly violating (and I am looking at you, obfuscating user tracking ad companies who, until now, got around previous regulations by moving servers to other countries and other tricks) they want to be able to enforce, no matter what. This is all very clearly based on user intent, not letter of the law. It might be incredibly hard for litigious country citizens to understand, but we have been living all our lives (and it differs per country as well) with this.


That's the recipe for political enforcement of draconian laws. It's especially dangerous for big foreign American companies which are perfect for politicians to demagogue about. I would not bet the business on any extra-legal grace from their bureaucracy.


"political enforcement of draconian laws"... like how the US uses its extra-territorial law to fine US businesses' competitors (banks, industry...)? ;-) It's funny to see how the US way of mixing law and business is terrifying when others may use it too, no? Anyway: it hasn't been how Europe worked until now, so relax. The French regulator said, for example, that it won't enforce the regulation strictly... because... well... EU companies aren't more ready than US ones. And they'll have to be.


The US paving the way for such practices is not exactly reassurance. If the laws are so complex nobody is capable of operating within them, the result is a police state. Being subject to arrest at any time because the law of the land explicitly gives the government that power or because it is so byzantine that nobody can know all of it works out to the same thing in the end.

Your argument seems to be that a police state where the authorities have a lighter touch is preferable. That's obviously true compared to a draconian police state, but it's a police state either way.


Under existing law companies can be fined somewhat ridiculous amounts for data breaches and essentially never are, so why exactly would the enforcement strategy change for the GDPR? Maximum sentences just aren’t an EU thing, nobody gets them unless they’re wilfully causing damage to people and this isn’t their first time. I don’t know if America does things differently, but based on what I know, it doesn’t - maximum fines and sentences are essentially never passed out there either.


Where do you see the "no warnings are required"?

Article 58 says that fines can be issued along with, or in place of, other enforcement action. That isn't "no warnings". Plus if you read the text of the law you would note that it is very clear that the size of the fine is dependent on 11 factors, many of which revolve around future compliance and efforts made by the business to resolve the breach and showing willingness to comply.


My "feels like it's not that big of a deal" is based on my own company's approach, legal advice I've seen, and internal training.

I realise that Pinterest is large and I'm sure they have sought legal advice, but that doesn't stop this coming across as an overreaction, if one assumes that they _aren't_ using the data in ways that explicitly violate the rights granted by the GDPR.

Now if they are explicitly violating those rights, that's another story! I'd rather attribute it to ignorance than malice though.


> would be a potential target of regulators looking to establish precedents of enforcement with a big name.

Shouldn't law apply equally to everyone? One could have thought that setting an example "to show them!" wouldn't have occurred in a civilised country.


In a world of limited resources, it makes sense that regulators would pursue enforcement against entities that impact a large number of people.


In such a world, it would make more sense to limit the scope of the law until enforcement can catch up. Minimally enforced laws that are enforced subjectively are problematic regardless of why.


Are you suggesting that the US government suspend income tax while they hire enough people in the IRS to go through every individual's tax return?


No, I'm suggesting they don't add any more compliance rules with new punishments unless they staff up.


Minimal enforcement can be used to make everyone a criminal. You then selectively apply the law against people you don’t like.

Taxation (I would hope) is not minimally enforced.


It's a union, not a country, and it definitely won't go after big players with any kind of prejudice. It will go after those who flout the regulation, big and small.

Because it's the EU and not some other Union.


Regulators only have so many hours in the day. Prioritizing high visibility infringers can persuade lower visibility infringers to get into compliance.


Not sure how they could persuade if they won't go after lower visibility infringers? I can't follow your logic.


No one said "they won't go after small timers". Hitting the big players hard makes everyone wary of violating and they will absolutely catch some small fish as well.

It's just silly to expect any enforcement body to go after everyone equally. It doesn't even make sense; company A has data on 1.5B people, company B has data on 27 people and the owner's mother. Why would you go after B before A?


They have said this.

a) they have said they don't want to punish companies for the sake of it, they want to use it as an incentive to fundamentally change the approach to the handling of user data. This means not suing tiny companies for more money than they are worth.

b) they have said that the standards will roughly increase with the size of the company and the resources it has. A company with 27 users (and few employees) would not be expected to have a data protection officer, or many of the control processes that a company with data on 1.5B people would.


I think everyone is talking about the UK's ICO, which is just 1 of the 28. We have heard nothing from the others and it's best not to make assumptions; the ICO may be following different rules in a year.


True, some of this is more from the UK ICO, but some is from the official guidance from the EU.


> This means not suing tiny companies for more money than they are worth.

Which effectively kills that company even if a court finds their violation was minimal.


I never said they wouldn't. But showing that they're willing to go after infringers is easier when you use high visibility cases to do it.


https://jacquesmattheij.com/gdpr-hysteria

Setting an example is how the US regulators work, not so much the EU.


> I feel like you're making a bigger deal out of this than necessary, unless you're doing some shady stuff with our data.

Seeing this completely false sentiment repeated over and over again is getting exhausting. Only a tiny fraction of the companies avoiding EU traffic due to GDPR have any intention of “doing shady stuff with your data”.

GDPR is highly complex, and as of tomorrow, allowing EU traffic invites massive liabilities that most companies outside the EU won’t be willing to take on. While Instapaper likely will eventually relaunch in the EU because of its footprint there, the reality is that EU residents are going to be blocked from a large percentage of the world’s websites. The liability is just too great and the rewards too small for most companies outside the EU. You guys chose to make your traffic radioactive. These are the consequences.


>I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

This sentiment and the hilariously large fines (regardless of company size, even) on relatively-ill-defined requirements make the whole GDPR process feel like it was designed to bully businesses into compliance.

Some pieces of GDPR are definitely for the benefit of the end-user (at the expense of companies, who happen to be providing those users other benefits). It all feels really heavy-handed, though.

Not to mention a little reminiscent of the problems that occur with other "bans" (which, this effectively is). When you put heavy legal restrictions on doing X (where, in this case, X is storing and processing data that you assumedly use to provide a service for users), you're effectively hurting the legitimate businesses most (_especially_ small ones) while the real "bad guys" that are actually doing bad things with our data are going to continue ignoring the law. There might be some value in-between, but I doubt there's much.


>This sentiment and the hilariously large fines (regardless of company size, even) on relatively-ill-defined requirements make the whole GDPR process feel like it was designed to bully businesses into compliance.

>Some pieces of GDPR are definitely for the benefit of the end-user (at the expense of companies, who happen to be providing those users other benefits). It all feels really heavy-handed, though.

The GDPR isn't vastly different to the old Data Protection Directive, which has been in force since 1997. The panic over GDPR suggests that a lot of companies had simply been ignoring the DPD. If a bit of bullying is required to get businesses to obey the law, then so be it.


> “bully businesses into compliance“

I am not sure I understand this sentence. That’s what laws do. “Bully” you into compliance. I think you might have meant something else?


> while the real "bad guys" that are actually doing bad things with our data are going to continue ignoring the law.

This is already happening without the GDPR (carders, dumps, etc), so I don't buy it. The black-market analogy (e.g. illegal drugs) also doesn't hold when applied to companies.

> the hilariously large fines (regardless of company size, even)

Oh no, proportional fines! How socialist!

The whole point is to make it somewhat independent of the company size, so bigger companies won't just swallow the fines. This is typically what Google et al do, they just factor it in to the cost of business. The GDPR wasn't written in a vacuum.


>The whole point is to make it somewhat independent of the company size, so bigger companies won't just swallow the fines.

Ironically, it's the bigger companies that can still just swallow the fines and the little companies that just effectively vanish into bankruptcy.


> You guys chose to make your traffic radioactive

Er. I vote in an EU country, but I don't feel like I "chose" anything. GDPR was mostly developed by institutions (Council of Europe, European Commission) formed of people that were not directly elected by European voters. In any case, given that personal data management issues are not a prominent part of the political discourse (even in the EU), I'd be surprised if any of the people in charge were elected because of their position on data protection.

It so happens that European institutions have come up with GDPR, but I don't think it is fair to see it as a conscious choice from EU voters.

> the reality is that EU residents are going to be blocked from a large percentage of the world’s websites

I'd be interested in seeing supporting evidence for this rather surprising claim. I'd conjecture that the "vast majority" is the long tail of small websites who haven't heard about GDPR or don't care about it; so I'm not too worried.


Let's stop peddling the misconception that the EU operates significantly differently than any other Western democracy. The civil servants answer ultimately to the MEPs, who are elected. Most people either do not vote or do not engage, as is the case to a lesser extent in their national elections. You can still lobby your MEP when an issue was not part of their platform.


"Only a tiny fraction of the companies avoiding EU traffic due to GDPR have any intention of “doing shady stuff with your data”."

Says who? If they weren't doing shady stuff, they wouldn't be pulling out of the EU. The excuses of being complex are just that, excuses.


Says who?

Says anyone with common sense. What percentage of sites do you think employ data scientists or would even know where to go to sell your data? Most sites do nothing more than throw GA on their website, and maybe some Adsense. You people decided to paint that as something evil.

That’s your decision to make, but just understand that most of the rest of the world wants no part of $20M potential fines and will simply take their ball and go home. This law will have the net effect of creating two Internets - one for the EU and one for the rest of us.


>Most sites do nothing more than throw GA on their website, and maybe some Adsense

That actually is a problem. GA is a clear violation of everyone's privacy.


"Says anyone with common sense."

Where "common sense" means "agrees with downandout", not the more traditional definition of "common sense".


Well, Instapaper is owned by Pinterest. Pinterest strikes me as a company of such a size that they'd have no problem finding some way to monetize the data gathered from their users.


Have you seen some of the lists of where your data goes that some sites have posted? It's frankly frightening how far your data gets dispersed after signing up for just one website.


If you get a request today, you've got a month to comply, so in a way you're right. However, it really depends on how big your company is and how little you have prepared. Your absolute minimum is to have a statement that says that you are going to use the data you gather for contract purposes and to list the 3rd parties that you need to send that data to for contract purposes.

But then, if you are using data for other purposes, it's a bit complicated because you'll have to refrain from doing so until you are compliant. It doesn't necessarily have to be shady stuff. Even if you aren't sure if what you are doing is contract basis or not, it can be a pain. It's not necessarily massively difficult, but if you woke up yesterday and thought "OMG! We haven't done GDPR! What are we going to do?", then I can see this.

I've written earlier about how the company I'm working for now has changed what it is doing with data, even though I don't think they were doing anything shady previously. But it's more like, "Do we really want to list a lot of things and piss off the customer?" So now there are heated discussions of what 3 (or whatever other small number) of things we might collect data for because we believe that's the kind of limit that the customer will tolerate.

All of these discussions take time -- especially in a large organisation. And you can see in discussions on HN, there is going to be a large backlash of "Why do we have to do this anyway? Can't we just ignore it?" which wastes a lot more time.

Sounds like they want to be compliant, but are just not ready yet. A miss on their part, but hopefully they will get things in order quickly.


> Your current reaction seems like a huge and unnecessary

It's most likely action based on what their suits (Lawyers) recommended, and not a reaction.


Possibly, although other lawyers are saying other things, and my understanding of the official guidance suggests this is an overreaction.


You seem to be presuming guilt before innocence. Most strong advocates of GDPR seem to have this attitude. Perhaps the regulators will, too.

Using that line of reasoning, Pinterest is making a very prudent decision.


You know that you're still liable for European customers' data, even if you're offline, right? Going offline won't change anything. You can't effectively grab the database and run away.


It still seems like the safest option given the massive risk this legislation is exposing companies to. Especially low margin per user businesses like Instapaper. From The Verge:

> because it’s not entirely clear right now what information residents will request, what format that information needs to be in, how to locate it and package it, and whether new infrastructure needs to be created to manage this request pipeline.

So in the meantime they can at least stop the flow of new data from the EU into their system until they are 'compliant' and have systems in place to deal with the existing large amount of EU users/data they already have.

It makes sense to me to be cautious here, plus it has the dual benefit of drawing attention to the real costs/risks the bill has on smaller firms without teams of lawyers and internal human resources (developers, CSRs) to deal with the new obligations imposed on them.


>It still seems like the safest option given the massive risk this legislation is exposing companies.

The safest option was actually to comply with the GDPR during the two years it has been in force now. I refuse to believe that the changes required were impossible to perform in two years.

I'd love to know when exactly did Instapaper start looking into the GDPR.


The founder has said that he underestimated the amount of work it was going to take. Anyone who has ever worked on software knows how this stuff happens. You don't truly know how long something is going to take until you dig into the hairy details of implementation.

Plus there are still tons of unknown variables at play with GDPR... even among companies who did spend sufficient time beforehand, as I quoted from the article above. So additionally, the non-obvious requirements further make the underestimation make sense.


Marco Arment is the founder of Instapaper. He sold it after building it into one of the first successful iOS applications/services.


The founder hasn't said a damn thing about it.

The requirements are clear enough to figure out a solution in the last couple of years. What takes time is if you're trying to skate as close as you possibly can to the legal line and not go over it.


> The founder has said that he underestimated the amount of work it was going to take.

Source?

Pinterest which owns Instapaper (2 years ago mind you!) has raised $1.47B to date. There's no legitimate excuse here.


If there is so much ambiguity and so many interpretations, what kind of manager would risk getting into such a project if the risk of failure is equal to not doing it at all?


Courts are not black/white in interpretations of law. Demonstrating you put significant effort into being compliant is not for nothing. Plus you can't really figure it out until you try. Especially with something as complex as this and how the implications of the law will be different for different companies.


I don't think that makes a difference, perhaps it depends on the country. Some EU countries are hostile towards entrepreneurs and wrong action or inaction would get the same treatment.


What would the regulators do? Block the service?

But that is one part which is confusing to me, from the UK ICO:

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Additionally, the GDPR does not apply to actions taken before and during the transition period (which ends now).

In this case, Instapaper does not offer goods or services to individuals in the EU. It actively blocks any user inside the EU.

Does that mean that Instapaper is no longer subject in any way to the GDPR?

In other words, if you had a company that had operations in the EU, but left the continent 2 years ago, and no longer has any activities with any EU individuals, does the GDPR suddenly apply to you?


If you continue to hold data from EU residents, it’s somewhat likely that the GDPR applies, or that a court will decide it does some way down the line. If you employed a competent lawyer for about an hour they’d ask you why you’re storing that data if you’re never going to use it again, given the risks.


Holding the data or not is irrelevant, the tricky part is compliance.

If the GDPR applies to you, you need to hire a DPO based in Europe, as well as having an EU contact that will be responsible for any fees that you incur.

If you did business in the EU but no longer do, do you now have to hire a DPO in the EU and have a local contact responsible for any liabilities?

Managing the data is the easy part.


There’s no obvious reason why you’d have to, provided you delete all data related to EU residents.


You didn't read GDPR. Deleting isn't enough, if GDPR applies to you, you need to follow all the compliance requirements, including hiring people, providing proof of deletion if investigated, etc.


This is a good point I haven't run into before (which is itself frightening). So what could they do instead? Could they retain the actual 'read later' content, associated with their EU users, but delete all of their own personal data for now?


Not much. If you're not compliant, you're not compliant. However, that's not the end of the world right there. GDPR takes ill-intent into account, and it also requires warnings before any punishment is applied. They should instead have started working on compliance before they actually did.


Yes, I'm sure their legal team missed that one...


Just because a law is written to apply to effectively the whole planet, doesn't mean it can be enforced as such. I just don't see the current US administration complying with an EU charge against one of its companies that did go the blocking route, let alone any of the shadier countries that host companies in violation.


Instapaper isn’t based in the EU. The EU can’t prosecute individuals on foreign soil. I mean they can try, but good luck getting anyone to show up.


Based on my understanding, I think if you're not marketing to EU visitors, data doesn't fall under the GDPR. Does the GDPR retroactively apply to data from the past?


Presumably they deleted all the EU data just now...


Let me know if you have any questions...

Which parts of GDPR do you think you're in violation of?

Why do you think removing access for users currently in the EU puts you in the clear legally?

What are you doing with European users data currently, have you deleted it all?

A lot of other companies have navigated the changes to the law without significant changes to their service or privacy policy, just by tightening up how they hold data, and making sure they are clear on permissions with users.

Are you sure you have good legal advice on this?


Which parts of GDPR do you think you're in violation of?

Answering those questions in a public forum would be extremely foolish. ("Do you know why I pulled you over?")

A lot of other companies have navigated the changes to the law without significant changes to their service or privacy policy

And how many of them are actually in compliance?


Answering those questions in a public forum would be extremely foolish

Perhaps asking for questions was foolish?

And how many of them are actually in compliance?

If you're not in the business of selling customer data to third parties, it's not very hard to comply, just requires some discipline on how data is stored and who it is shared with, and a point of contact for enquiries about data.


My question - why am I finding out about this on HN and not through the email supposedly sent out?


I did not receive any email notification about this either, just double checked all Spam folders..


You had two years to get ready. Why wasn't this announced months ago.


Are you hard-banning or is it possible to use it over VPN or in some other way? Asking for a friend!


The ban will be an IP-based ban for IPs from countries in the EU.


And how hard are you going to be dropping EU users' data?


I'm curious what an example of a "hard ban" might be?


Freezing account if it seems to be owned by EU citizen? GDPR applies to all EU citizens regardless of their location after all.


GDPR applies if (1) the Controller or a Processor is “established” in the EU, or if (2) the Subject is in the EU. Citizenship doesn't matter, and geoblocking is the legally correct solution. As an example: U.S. tourists on a trip to Paris are protected by the GDPR, but a Polish expat in California is not. (See Art. 3 GDPR https://gdpr-info.eu/art-3-gdpr/)


I really don’t think your example holds up.

> US tourists on a trip to Paris are protected by the GDPR

That’s not entirely correct. They’d fall under GDPR if they do business with a company doing business in the EU (e.g. by buying something off of Amazon and sending it to their Paris hotel address). They would however not benefit from GDPR if they were to order something from Amazon but send it to their US address instead.


Huh. This is interesting. People were saying it'd be the other way: that EU citizens would be guarded no matter where they are.


That's incorrect.

"If the Data Subject, moves out of the EU border [...], or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless the organisation is “established” in the EU"

Source: https://cybercounsel.co.uk/data-subjects/


I'm sure that's what the policy makers originally wanted (protecting the rights of all EU citizens). That being said, it would be nigh-on-impossible to implement.


Websites would run into the same situation as banks: anytime you open an account at most banks in Europe and probably around the world, they specifically make sure that you're not American, because then they have to comply with American laws if they don't want to get blacklisted.


How is geoblocking a solution? How does it absolve the company of their compliance obligations? Does using a VPN mean that Data Subjects in the EU are not covered by GDPR?

Is geoblocking sufficient on its own to show that the Controller/Processor is not doing business in the EU? Even when the Controller/Processor still provides localization to EU languages?


Don't feel bad. The law is ridiculous and most startups cannot even afford the salary for another programmer, not to mention a GDPR compliance officer. Hopefully if enough services get interrupted, bureaucrats at the EU will rethink the law.


If you believe GDPR requires you to hire a dedicated compliance officer then you don't understand or have not read the law you're so vehemently against.


So which part of the law is ridiculous? Disclaimer: I believe the principles that are applied within the law, data autonomy, data ownership, usage-binding of data etc., are sound. And just because people have aggregated any data on people that they could get to better manipulate them into buying crap for so long that it‘s hard to change track today, doesn‘t mean it‘s wrong for lawmakers to enforce parting ways with the past.


- IPs are personal private information

- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today.

- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc.

The law is confusing "privacy" with "invisibility".


"- IPs are personal private information"

IPs combined with other user data could be PII.

"- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today."

Wrong. You need opt-in consent for non personalized ads, but this can be the "soft consent" type where you only present the "Accept" button. Advertising is no more optional tomorrow than it was today.

"- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc."

Knowing what you have on me is not superfluous; it's my data.

Seriously, the FUD around this law is getting tiresome.


> IPs combined with other user data could be PII.

1) Bob signs up for a service and is logged

2) Bob then asks for his account to be deleted. Account details are deleted, but the IP logs are retained.

3) Bob signs back up for a new account allowing the data processor to make the link from his new account to his ip old logs with the first account.

This seems like a likely violation, if so you would have to treat ip address like personal information.
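The re-identification path in the scenario above, modelled as an added example (not code from the thread or from Instapaper). It uses a constructed in-memory stand-in for an accounts table and a request log, a constructed TEST-NET address, and three made-up scenario functions: raw IP logs retained after deletion (the new account joins straight back to the old one), log rows scrubbed at deletion time, and logs that only ever store a keyed hash of the IP under a per-period key that is destroyed when the retention window ends.

```python
"""Added example: retained IP logs re-identify a deleted account, and two fixes."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Store:
    # Constructed in-memory stand-in for an accounts table and a request log.
    accounts: dict = field(default_factory=dict)  # account_id -> email
    ip_log: list = field(default_factory=list)    # (account_id, ip_or_pseudonym)


def pseudonymize_ip(ip: str, period_key: bytes) -> str:
    """Keyed hash of the IP. Once period_key is discarded, a later request from
    the same IP can no longer be matched against entries written under it."""
    return hmac.new(period_key, ip.encode(), hashlib.sha256).hexdigest()


def signup(store: Store, account_id: str, email: str, ip: str,
           period_key: Optional[bytes] = None) -> None:
    """Create an account and log the signup request's client IP. With a
    period_key, the log stores an HMAC of the IP instead of the IP itself."""
    store.accounts[account_id] = email
    logged = pseudonymize_ip(ip, period_key) if period_key else ip
    store.ip_log.append((account_id, logged))


def delete_account_naive(store: Store, account_id: str) -> None:
    """The flaw in the thread's scenario: account row deleted, IP log retained."""
    store.accounts.pop(account_id, None)


def delete_account_scrubbed(store: Store, account_id: str) -> None:
    """Delete the account row and every log row that still carries its identifier."""
    store.accounts.pop(account_id, None)
    store.ip_log = [row for row in store.ip_log if row[0] != account_id]


def link_to_old_accounts(store: Store, new_account_id: str) -> list:
    """The re-identification: join the new account's logged IP values against
    entries belonging to other (possibly deleted) accounts."""
    new_values = {v for acct, v in store.ip_log if acct == new_account_id}
    return sorted({acct for acct, v in store.ip_log
                   if acct != new_account_id and v in new_values})


BOB_IP = "203.0.113.7"  # constructed address from the TEST-NET-3 range


def scenario_retained_raw_logs() -> list:
    """Bob deletes his account, the raw IP log survives, Bob signs up again."""
    store = Store()
    signup(store, "bob-1", "bob@example.com", BOB_IP)
    delete_account_naive(store, "bob-1")
    signup(store, "bob-2", "bob@example.com", BOB_IP)
    return link_to_old_accounts(store, "bob-2")  # the old account is found again


def scenario_scrub_on_delete() -> list:
    """Same sequence, but deletion also removes the log rows keyed to the account."""
    store = Store()
    signup(store, "bob-1", "bob@example.com", BOB_IP)
    delete_account_scrubbed(store, "bob-1")
    signup(store, "bob-2", "bob@example.com", BOB_IP)
    return link_to_old_accounts(store, "bob-2")


def scenario_rotating_pseudonym() -> list:
    """Logs store HMAC(period_key, ip); the log row is intentionally kept (say,
    for abuse investigation) but the key is destroyed when the window closes."""
    store = Store()
    key_week_1 = os.urandom(32)
    signup(store, "bob-1", "bob@example.com", BOB_IP, period_key=key_week_1)
    delete_account_naive(store, "bob-1")  # row retained, account identifier gone from accounts table
    key_week_1 = None                     # retention window over: key destroyed, never stored with the log
    key_week_2 = os.urandom(32)
    signup(store, "bob-2", "bob@example.com", BOB_IP, period_key=key_week_2)
    return link_to_old_accounts(store, "bob-2")


if __name__ == "__main__":
    print("raw logs retained:", scenario_retained_raw_logs())
    print("scrubbed on delete:", scenario_scrub_on_delete())
    print("rotating pseudonym:", scenario_rotating_pseudonym())
```

Two caveats a practitioner should keep in mind: the keyed-hash approach only breaks the link across key periods, so two signups inside the same period from the same IP still join, and the retained row in the third scenario still carries the old account identifier, which a real purge would also have to drop or replace. Whether retaining pseudonymised rows at all is acceptable for a given deletion request is the legal question the thread is arguing about, not something the code settles.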


The personal information here is the IP-Bob tuple, not the IP on its own. Bob might as well be assigned a new address from DHCP on a daily basis. His friends might be using his address. He might have used the address of some public network in the first place. All of these are pretty likely scenarios. The IP is only interesting given the context of who uses it and when, so as to separate Bob from Alice, and Bob's favorite cafe and Bob's workplace from Bob's home, and to figure out if Bob is ever visiting Alice.

So if Bob asks for his personal information to be cleared and the system leaves Bob-IP tuples behind, it clearly didn't do what he told it to do.


That is playing dice while dealing with potentially personal information though right?

It depends on Bob using DHCP, that his DHCP switches often enough, and there are enough people on the same network that the link can not be made.

The above is not always true, other mitigating factors are not always true. Which seems to make some of IP logs personal information. Or at least you are safest if you treat it that way.

I am basing some of my reasoning off an article that I was pointed to earlier: https://www.whitecase.com/publications/alert/court-confirms-...

Where, to my understanding, IP addresses are considered personal information only if you can link them to some other identifying info.

I think a regulator is unlikely to go after a company for not deleting IP logs in the current climate. As far as I can tell GDPR gives them the power to however.

Until there is some case/enforcement history it is understandable if people are cautious.


- IPs in general are not bound to some specific person. It's only because laws require that ISPs keep PII allocation data that they become personally identifying. Perhaps it would be easier to plug that leak right there.

- Ah, well, Google suggests you ask consent even for content-based ads.

- 99% of the sites show you what they have on you when you use them. The provision could be to have a separate download page when that is not the case. If every business must have an unauthenticated download page, it becomes easier to get other people's data via phishing.

It's not FUD. This is the internet. Let's talk again in a few months.


Advertising can be done without cookies. It's a simple <img> tag.

Unless you mean user-tracking advertising.


I mean content-based (still requires cookies).


Then you'll have all sorts of disputes. For example, someone could claim their cat stepped on a touchscreen and consented without the user's knowledge, or someone consented whilst being completely drunk; such consent is not valid. That means potentially companies are keeping the data illegally thinking they comply.


I don't follow, do you mean that's a possible scenario? That's the last thing you need to worry about yet. I expect first random emails from hackers demanding coins for 'not reporting you' in the first awkward month.


The weirdest scenario is if people inadvertently leak medical data in an unsolicited email.

"I've a motor impairment, does your hotel have accessible rooms?"

Say you have your hosted email system, now you're in a huge mess.

People downvoting this should really consult a lawyer about GDPR.


Email is not covered by GDPR but by the local communications acts. There will be some new EU laws in the next 2 or 3 years... So there's no problem in THAT case. But if this email is copy/pasted into a reservation system THEN it might be covered by GDPR.


There is also the case where the user closes the consent popup and the site won't redirect to an invalid IP address. I have seen plenty of sites where you can close the consent popup and continue to use the site - that means they collect your data without your consent. Grotesque.


How do you know they collect your data?


Because they say that in the popup.


You don't need a new employee, just someone who is assigned the task to deal with queries that come in. For a small start-up this is not likely to amount to many requests, and even then the requests from the public first go through the regulator. So many requests will be weeded out at that stage with the aim of reducing the burden on businesses, only requiring them to act when the regulator has identified a breach. At this point they have to fix it; if they don't fix it, or don't try to fix it (fixing it is usually by deleting the customer data) then they are open to prosecution. If they fix it the regulator isn't then going to seek huge fines; they are aimed at non-compliant firms who have no intention of complying (e.g. because it is their entire business model).


If that's the case, then perhaps that startup shouldn't be sucking up all the user data it can.


Did you delete all EU users' data?


Maybe something like this will be of help to you https://ico.org.uk/for-organisations/resources-and-support/d... ?


You could've just done absolutely nothing. That would've avoided service disruption.


Extremely bizarre move frankly. I assume this was some kind of vigilante decision rather than based on recommendation of counsel.


> Let me know if you have any questions...

It sounds as if you're unwilling to talk about the issues that you're facing. So what can you say? The only reason I can think of that you can't say is that you are trying to get some infrastructure suppliers to be compliant and those talks are confidential. Correct?


The email we sent to EU users (quoted in linked article) has the important details regarding the service interruption in the EU.

Additionally, I can say that our privacy policy is concise, clear, and accurate with respect to the types of information we collect and how the data is used: https://www.instapaper.com/privacy

If you have other specific questions, I will do my best to answer them.


Well, as The Verge says in the article: 'While we don’t know exactly what’s holding up Instapaper'

I'm naturally curious as to what's holding up Instapaper.

As you say, your Privacy Policy is very good, other than the disclaimer that says 'we may pass your personal data to others - who knows what they do with it eh?'. I imagine that this is the issue which is holding you up.


The scope of work for GDPR was underestimated by me, we were not able to complete that work for the deadline on Friday, and this was the required alternative.

We are working very hard to minimize the service interruption.


Have you received genuine legal advice that recommended that you shut down business instead of continuing to work towards compliance?

The agencies that can enforce the GDPR want you to be compliant, not to fine you... If you're actually working towards compliance past evidence shows they won't fine you.


I've heard this line a lot, but even as a government loving liberal it doesn't sound very compelling to me. The law says, comply or face fines up to 4% of global revenue. It doesn't say, "make a best effort to comply, or face fines up to 4% of global revenue." I'm very reluctant to trust people who can fine me for that much money that they won't do so. This is especially the case because it appears to some of us foreigners that the EU particularly loves to fine foreign companies for large amounts despite what appears, from our perspective, to be a good faith attempt to comply with the law.


https://gdpr-info.eu/art-83-gdpr/

> When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

>the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

>the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

>where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

>any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

So, a whole bunch of very explicit things that are to be used when deciding whether to impose a fine (at all).


The EU regularly fines domestic companies huge amounts in anti-trust enforcement.


True that the text doesn’t say this, but several of the privacy authorities in the different jurisdictions in Europe have been stating this publicly in interviews. The last one I saw was the ICO in the UK today on BBC Click saying exactly this...


The text is what matters. You cannot defend yourself in court with the content of interviews.


Actually, you can in Europe. Context of law is more important than letter of law, as opposed to the US.


Of course you can. Otherwise what would be the point of them in the first place?


...and maybe you should take a look at something like this https://ico.org.uk/for-organisations/resources-and-support/d...



I would be interested in seeing examples of large fines that have been handed out to business by the EU that don't first of all meet the general conditions mentioned in this article.

https://jacquesmattheij.com/gdpr-hysteria


The agencies that can enforce the GDPR want you to be compliant, not to fine you.

Says who? The only perfectly clear parts of the GDPR revolve around the massive fines.


The EU actually loves levying huge fines against rich US tech companies. Why do you think they prefer compliance to fines?


Well, let's take a famous example. The €4.2bn fine given to Google in 2017 for abuse of its market position in pushing its own shopping results.

https://www.theguardian.com/business/2017/jun/27/google-brac...

Shocking stuff.

Except the Commission actually gave Google quite detailed advice over 5 years earlier about what it needed to do to be compliant.

https://www.ft.com/content/564a284a-a334-11e1-8f34-00144feab...


Shutting down means you're probably not gathering any further data, but what if one of your EU users sends you mail now asking for all the data you have about him/her? How does the shutdown protect you from that?


The law says you need to work toward a solution, it isn't a cliff edge thing where you are immediately legally liable. Are you just not wanting to risk it or do you not read the law in this way?


The GDPR fines based on global revenues.

I'd bet Pinterest is very risk averse given how little money they make from Instapaper.


Global revenue of the parent company!


Weirdly enough I am a European citizen, haven't received the mail and the service is working.

Not complaining, I prefer it this way. Hope you will sort the issues quickly.


The ban will be IP-based for IPs in EU countries, and it goes into effect at approximately 2PM Pacific Time.


Me too. And I can see I am definitely subscribed to "account update" emails. I'm not sure how they would decide if I was European or not, can't see a tick box for that in the profile page.


Where are you located?


The UK.


Thanks to Brexit, there is going to be a similar GDPR law for the UK.

Interesting times these are.


Why is brexit relevant?


Post brexit, GDPR will no longer apply to the UK.


Right. So without brexit there is this and with brexit there will be something very similar. Thank god for brexit.


Just got back from a road trip throughout Ireland, and occupied Ireland. I wonder what will happen to those two countries post brexit.

As I refer to my first comment: interesting times.


Ironically, I am unable to read that page without enabling javascript for a third-party domain (amazonaws.com)...


I'm sorry, I don't buy it.

(1) you still hold the data, you are still required to comply with the law and cutting off access does not change that one bit.

(2) the period for a response is long enough that once you would receive requests you could handle them in time even if you processed them manually.

(3) you have been - or should have been - aware of all this for a very long time, either you failed at estimating the impact of the law or you do not know what you have or you changed strategies internally recently and now you're not going to be ready in time because you started way too late.

So in all, all you've managed to achieve with this action is to get the spotlight on you, and it is a 100% certainty that at least Instapaper will be solidly violating the GDPR come tomorrow.

If I were in your shoes I would use my designated representative to contact the authorities for guidance after explaining in detail what the problem is before I would let my end users pay the price for my own incompetence.


Last I heard Instapaper has 3 employees.

Some smaller companies and lower-profile groups within big companies are going to need more time to sort this out, and some may decide it's not worth the risk of the massive fines no matter how compliant they think they are and will block European users. Nobody knows how aggressive regulators will be in enforcing this so far, nor is there any precedent for how the law will be interpreted by actual courts. Calling people incompetent isn't going to change that.

This is one of the negative consequences of enacting complex regulation targeted mostly at giants like Facebook and Google and then applying it to every side project and business in the entire world no matter how big or small. Sorry.


Nonsense. Instapaper was acquired by Pinterest.


And how much revenue does the Instapaper service generate for Pinterest?

Lower profile groups within big companies are probably most likely to shut off their services to European users because they have the cautious legal departments of the large company without the important profit center designation which would make compliance a priority.


> And how much revenue does the Instapaper service generate for Pinterest?

Who cares? That's not a factor in whether or not you should comply with the law.

> Lower profile groups within big companies are probably most likely to shut off their services to European users because they have the cautious legal departments of the large company without the important profit center designation which would make compliance a priority.

Well, that may be their strategy but it won't work because it is the company that is violating the law, not the lower profile group.


> That's not a factor in whether or not you should comply with the law.

Speaking generally here, you know laws aren't always right? We have had plenty of bad laws to draw from to challenge this particular point, from racial to abortion laws.

GDPR isn't as draconian as these but still has plenty of trash in it between the vague wording, the moving target 'state of the art' represents and the weird requirements and absurd implications of the 'right to be forgotten'.


What's that got to do with it?

It's the law, it was created by a democratically elected body. Racial and abortion laws are on a different plane altogether, and are not typically the playground of globally acting corporations.


> it is the company that is violating the law, not the lower profile group.

I work in a company that was acquired and we're still our own legal entity. Would our owner be affected if we violate GDPR?


That would depend on what kind of ownership structure you have. Do they exercise management control, have seats on the board etc?


No, in that case the owner is just a shareholder. But if the original legal entity no longer exists (which I believe is the case with Instapaper) then it doesn't matter that you've been acquired, you are now part of the mothership.


But if the original legal entity no longer exists (which I believe is the case with Instapaper)

Unlikely. "Instapaper Holdings, Inc." is right in their footer.


So an LLC owned by a larger company, would that allow for the owner to be a shareholder?


Weren't you the one previously saying that don't panic (https://jacquesmattheij.com/gdpr-hysteria) because of GDPR back in the day? And now you are advocating that they should have already complied with GDPR given its impact!

Make up your mind.

And this is exactly why this is such a shitshow. Stop attacking people who haven't complied because small developers have other things rather than trying to figure out whether they have to redo their logs if a user asks their data to be deleted. This is almost bullying behavior.


> Weren't you the one previously saying that don't panic (https://jacquesmattheij.com/gdpr-hysteria) because of GDPR back in the day?

Yep.

> And now you are advocating that they should have already complied with GDPR given its impact!

Obviously yes, because today the law becomes enforceable. Not having done the required work is just plain dumb.

> Make up your mind.

I made up my mind well over a year ago, spent the time required to be compliant (a couple of days) and that was that. Instapaper being as small as it is would not have had to spend more time than that unless they are doing something they shouldn't be doing, are unable to plan or changed tactics in the last 2 days. After all, if they weren't going to make the deadline they had a very long time to announce that, instead they announce it the day before the law becomes enforceable. That's just not ok. At a minimum they should have had their export facility up and running.

> Stop attacking people who haven't complied because small developers have other things rather than trying to figure out whether they have to redo their logs if a user asks their data to be deleted.

I suspect you are in the same boat?

> This is almost bullying behavior.

Right. Well, sorry, it really isn't, it's the perspective of someone who has been in business for a very long time and who feels that the GDPR addresses some fairly urgent matters. Companies have been running roughshod over users' privacy rights for decades and it is one of the worst things to come out of the internet. The level of tracking and data brokering that is going on is utterly disgusting.

If you weren't doing anything you shouldn't be doing the GDPR is going to be a pretty simple affair if you're a small company. Larger companies will have some more work but have more resources.


He's also the same guy who said, and I quote, "compliance is easy, just read the law."

It surprises me how much this community tolerates such combative cluelessness.


Have you read the law?

Did you start working on compliance in a timely manner or did you become aware of this a few weeks ago?

Does your company have a clue about what it is doing in general?

Do you take a user centric approach to data ownership?

If those are all 'yes' then compliance is easy. If you don't care, do illegal stuff, are clueless or don't care about your users then compliance is going to be hard, that's what the law intends because those companies should change their ways.


His posts were clearly politically motivated, zealot-type propaganda. Either self-interest or useful-idiot.

For some reason he is such a fan of this legislation that he is willing to overlook its glaring problems. No objectivity there, I am afraid.


> His posts were clearly politically motivated, zealot-type propaganda.

Oh my. Terribly sorry for putting up a political manifesto.

> Either self-interest or useful-idiot.

Take your pick. No third options? Such as a genuine desire to take some of the heat off for SMEs, of which I own several and participate in several others?

> For some reason he is such a fan of this legislation that he is willing to overlook its glaring problems.

Yes, I'm a fan of this legislation. I also was a fan of its predecessor and it's a joy to see companies that don't have their house in order make all kinds of panicked moves. I have a pretty good behind the scenes view of what goes on with respect to privacy abuse by corporations due to the nature of my work. Those companies that do illegal stuff, don't give a damn about their users and that in general are clueless (and which in turn increases the chances of their online properties being compromised) will be the ones that run into the 'glaring problems' The only thing that I see as troublesome with the law is the lack of reciprocity and enforcement across borders. The EU picked a complex and for really small companies expensive way to resolve that and that's something that I see as a real issue.

> No objectivity there, I am afraid.

I think you mean to say you don't agree with me.


I don't know if (1) is true but the data was collected under previous laws. In my opinion laws like this should not be retroactive. Retroactive laws, especially when affecting billions of dollars of commerce, are unfair and draconian.


It is not retroactive, the law has been there for 2 years, becoming _active_ in 40 minutes. Secondly, it is not the collection of data, it is the storing of data. So if you store the data without user confirmation in 40 minutes, there might be a problem. The action which is the problem is the storing of private data.

There is nothing retroactive here.


Is three year old data covered? Sounds retroactive to me.


If you bought designer drugs 10 years ago, the act of buying was legal, even though storing it today no longer is. Same here, collecting it or using it 10 years ago might have been legal. Storing it today is not. You might be confused which action is covered by the law, and that action is "storing". You can decide to stop doing that action today, so it is not retroactive at all.

I don't really see where the age of the data you store comes into play.


Yes, three year old data was already covered by the DPD.


The law has been on the books for two years, it just wasn't enforced and for a long time before that there was another law with much the same effect. So even if the data was collected under previous laws there is not much that would convince me that denying the users access to their data or to the legally mandated data life-cycle features is the right thing to do.

In fact that attitude goes exactly against what the law is trying to achieve in the first place.


> In fact that attitude goes exactly against what the law is trying to achieve in the first place.

I think this is an important realization for any regulator.


The law doesn't make it illegal to have collected the data in the past. However, it introduces new rights for people for which you have collected data. I don't think this is unfair.


The general global legal principle here is that you can't charge someone for something that happened before the law came into effect.

So you are not correct on #1.


The law has been in effect for two years. And before that one there was another one.


>The law has been in effect for two years.

"It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018."

Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

>And before that one there was another one.

Yes, but that was a different law. It required different things.


The law came into effect on the 14th of April. The 'enforceable' does not mean it comes into effect, it means that regulators have their powers unlocked to go after offenders.

> Yes, but that was a different law. It required different things.

It actually required a lot of the same things, but because companies decided to ignore it, it was revised.


The regulation came into effect two years ago and I don't really believe that Instapaper hasn't been processing data for the past two years.


By that standard, if you had purchased a child porn magazine in the 1970s when it was legal to do so, you would be in the clear if the police searched your house and found it. I am not a lawyer, but that doesn’t seem likely.


> will be solidly violating the GDPR come tomorrow

how do you know that? i mean technically he says they're violating it today, just like we all did the past 2 years because it wasn't enforceable. what changes with their ban tomorrow?


That they are still violating it tomorrow and they are giving their users an excellent excuse to contact the regulators because they cut off communications. This is about as dumb as it comes.


I was under the impression that if you don't do business with EU users, you are not subject to the rules. This seems like the only reasonable way to not do business with EU customers. Other thoughts aside, if they wanted to stop doing business in the EU, how should they?


> Other thoughts aside, if they wanted to stop doing business in the EU, how should they?

Erase everything.


I suppose for most thinking rationally, it seems like "stop doing business in the EU" is different than "make it like you've never done business in the EU". Taken to its conclusion, which Instapaper surely won't, it's not going to be easy to punish a business that has cut ties with the EU because of what they collected before. Granted it appears that with the law, like its predecessors, practicality of reasonable enforcement takes a backseat to intent.


The rational approach to legislation is to make a (timely) effort to comply.

When you're told the highway near your house has a new speed limit you can either obey the speed limit, use a detour (which will still be slower on account of it being longer) or you can take your car off the road in a huff.

The first one is the only solution that makes sense.


If we're going with these analogies, there are other approaches if you disagree with the speed limit. You might protest the speed limit if you lived there (hopefully without being berated while you do so) or if you don't live there you might avoid the place with unreasonable speed limits.


sounds like a technical reason to me. what provision of gdpr does it break? contact the regulator about what?


The ability of users to access their data, to edit their data, to delete their data and to export their data.


is there a requirement that this ability is 24/7/365?

I mean, knowing GDPR, I would guess at best the provision would be something like "a reasonably long amount of time but not long enough to be unreasonable based on appropriate considerations of data subject's patience"


It certainly isn't a provision in the law that if you feel that you won't be able to deal with your users' legitimate requests that you have the option to lock them out entirely.

I can imagine something to the effect of stopping further gathering of data (to stop digging the hole deeper), to give your users the option to request what is their right through some kind of form and to park those requests until you're done with the implementation and in the meantime give them continued access.

After all, the law already has a provision in it that you have 30 days to respond, and another 2 months after that if you are for some reason technically incapable and need an extension.


Epic fail


Obviously, IANAL, but my company talked to a few over the past week.

This move is, in my opinion, a bad read on the odds and European culture.

First, culture. The goal (at least in France, but that's probably the same in other countries) is to get you in compliance, NOT to fine you. What this means is that before you get lawsuits and fines, someone will talk to you and work with you to see how you can get compliant.

Second, the odds. Unless you are a big company that thrives on GDPR violations (doesn't seem to me Instapaper is one, but I could be mistaken as I never used the service), you aren't likely to be targeted for a while, at least until a big case is done and over (let's take the odds Facebook is first).

Third, the delay. While the GDPR takes effect tomorrow, you have a grace period of a year for part of it (for example, getting consent for newsletter). I would really be surprised if enforcement starts tomorrow.

Well, at least that's my read on the situation. And that's how I intend to do it: pro-actively work into getting in compliance without rushing it too much, and handle things properly as they come.


As far as I understand the grace period was the last two years. Tomorrow is the big day.

But whether or not that it is true, I believe that if Europeans have used Instapaper and they now temporarily shut off access they still are not compliant and in violation of the law. Because they did serve Europeans, so they have their data.


To further that point, this is a quote [0] from the UK's ICO on that:

> It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

> That said, there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.

> But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.

[0] https://iconewsblog.org.uk/2017/12/22/gdpr-is-not-y2k/


The law doesn’t actually target Europeans, but anyone in Europe. Since it is based on geolocation rather than nationality, not being in Europe might be relevant legally (IANAL).


It's funny that the law entered the global knowledge about 2 weeks ago... Seems like the grace period should have started 2 weeks ago.


Exactly this.


'European' - e.g., EU - culture is still quite new in this regard, and plenty of companies have gotten very large fines for gross non compliance of other regulations/directives.

Since GDPR compliance is enforced by EU members, many small companies are exposed to (have customers in) most or all EU jurisdictions, and the EU is very heterogeneous when it comes to regulatory enforcement by member states, I think that they're correct to be worried about the ambiguity around the GDPR.

I'm not arguing against the GDPR - I'm in favor of data protection - but the if/ands/and buts (e.g., speculation) about who is going to get fined, and for how much, is uncomfortable.


> plenty of companies have gotten very large fines for gross non compliance of other regulations/directives

Gross, wilful, intentional, deceptive non-compliance. To be honest you have to put quite a lot of effort into managing to get fined for non-compliance with EU regs/dirs.


I don't know why people think this. The European Commission Directorate General for Competition lists around 35 thousand cases in their Antitrust and General Registry alone.

EU directives are transposed to member states, who are the ones who enforce EU policy. If you're talking about EU members getting hit for non compliance with directive implementation - sure. If you're talking about private sector non compliance with transposed EU directives, that's largely up to how individual member states enforce EU requirements, since EU directives effectively become separate laws once they're transposed by each EU member.

As far as I'm aware, there's little aggregated data on how individual member states enforce (as in, number of cases and total amount of fines per year) EU directives. The EU takes in ~4-5 billion Euros per year in assessed fines, but the total amount should be significantly higher once you account for all of the cases/fines that are assessed on private companies, by individual member states, for non compliance with individual state laws implemented to enforce EU directives.


>Well, at least that's my read on the situation. And that's how I intend to do it: pro-actively work into getting in compliance without rushing it too much, and handle things properly as they come.

A lot of the responses to the GDPR shutdowns have been like this - "you don't need to shutdown, because you won't be fined yet."

But I have to ask, isn't shutting down a better alternative to knowingly breaking the law? Whether the fine is $2 or $20M, shouldn't following the law be most important?


Problem is - a shutdown doesn't really make any difference. Dropping the data would make a difference, but just shutting down access could potentially (very unlikely though) mean additional infractions - the customers' requests for data access, corrections, removals etc. still need to be handled, and this could be seen as an attempt to skirt those rights.


I would say that a shutdown essentially freezes the data and prevents it from being used internally, hacked, misused, disseminated, etc. For all intents and purposes, at the moment it doesn't exist. Once they believe they are back in compliance with the law, it will be "unfrozen" and users will be able to retrieve their data or opt-out completely by cancelling their accounts.

And who's to say that Instapaper did not contact the authorities and discuss a plan such as this to mitigate the problem temporarily?


> And who's to say that Instapaper did not contact the authorities and discuss a plan such as this to mitigate the problem temporarily?

If that's the case, why can't they simply tell this?

I side with the GP: Preventing access doesn't absolve you from complying with the law.


Does GDPR make it illegal to shut a site down for a period of time? While they are shut down, what could be noticeable that they are not complying with?


GDPR doesn't care about your site, it cares about user data.

The big thing with shutting the site down is it might make it impossible for users to request information about their data and/or request to have it deleted. That would violate the GDPR and could land the site in trouble.


> shouldn't following the law be most important?

More or less everyone has given up on following the letter of the law on copyright and has resorted to all sorts of "fair use" ideas that probably wouldn't stand up in court.

Instapaper makes copies of web pages. Does it have permission from the copyright holders for every copy of every web page? No. Are they going to enforce this? Almost certainly not.


Shutting down is not the better alternative because you still are breaking the law, as siblings explained.

Working into getting compliant and have a paper trail to demonstrate how you are progressing in case of control is the only realistic way to do it. That's exactly what a lawyer (in my country of course, perhaps not applicable to other countries) advised me to do. And this lawyer works closely with the public institution doing the enforcing in my country.

From my understanding, I'd be surprised if even 1% of companies were fully compliant today. Yeah, even big ones like Google (I actually spotted something I'm almost certain is non-compliant yesterday on their TestMySite service).

Don't be mistaken, the mails everyone receives about changes of terms for the GDPR and validating consent to receive newsletters are just the tip of the iceberg, they are the easy cosmetic changes.


It's a really old debate.

If I understand correctly what law is, I would say that lawmakers make some laws to express what is moral and what's not (according to them), but not always it's true that our moral standards are completely different from the lawmakers'. If the objective is to be moral, then we should ditch contradicting laws.


Shutting down while still holding the data is still breaking the law.


Wikipedia disagrees on the enforcement start and claims that it is tomorrow.

But I agree with you, the way most interpret the regulation and its sanction is not how Europeans do laws. The "administrative fines up to ..." as you can read in the text http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE... Those high fines are meant for large ill-meaning companies, but the small 2-ppl-SaaS that doesn't report or act on a data breach will get a slap on the wrist and a fine proportional to their size.


Instapaper is owned by Pinterest btw. Not a 2-ppl SaaS.


Actual quote of the GDPR: (171) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. [...]

I can't say for sure what's the scope, but I stand by my point that PART of it has a delay to get into conformity.


As mentioned, GDPR has been in force for 2 years - Friday is the end of the grace period. But, as I referenced in another comment, it doesn't just "end" tomorrow, the expectation is that you have a plan in place to address future privacy issues and that you're acting in good faith.

If you're not compliant, but aren't deliberately not compliant, and are active in trying to address that, and report anything you might be breaching, then they're not going to go after you like hounds (in the UK at least).

The ICO seems to be a fair and reasonable body, they just now have some extra teeth.


The GDPR was adopted in 2016. The two year grace period in your quote ends on the 25th.


I agree with you, fines will happen in extreme cases, based on my experience with similar laws.

Currently GDPR is news and there's a lot of hype around it and Instapaper is getting some attention because they failed to prepare AND, by the looks of it, decided to implement some unnecessary measures.

I'm sorry to say that this looks like a PR stunt. Are they going to block EU users for months? I think any legal action against them was very unlikely, they could have solved the situation quietly.


> What this means is that before you get lawsuit and fines, someone will talk to you and work with you to see how you can get compliant.

Can you point to the section of the legislation that says this? It would probably go a long way to stopping folks from freaking out.


There is none.

BTW: our privacy counsel, at a very good law firm, rates France as amongst the most aggressive of the regulators, given to assessing large fines.


I can't, since I'm pretty sure it's not in the legislation.

The law is enforced by humans, not robots, and those persons have a culture and habits.

Of course I could be wrong and they could start enforcing heavily on everyone on day one.

But they just don't have the manpower to do that, for starters. And that's just not in the culture either. Law is enforced differently in different parts of the world. The US is known for punishment. Other parts are focused on redemption.


So, if that is the real intention of the EU, why didn't they write that in the law instead of threatening everyone with a 20M fine?

Because for how the law is written now you could in theory get a 20M fine for the smallest violation, and it's obvious that a lot of companies will be scared of that and will simply cut out European users, especially small companies that don't have money to spend in lawyers and other stuff.

The EU should clarify the situation, put limits on fines based on the company size (it's foolish that a person that has a blog that doesn't generate any revenue risks a 20M fine!), and give a transition period (yes, the law was approved 2 years ago, but what did Europe do to inform companies of that law and so permit them to be compliant in time? Nothing, given the fact that everyone began to know about it some weeks ago)

As a European citizen I'm really concerned about this law, it risks cutting out a lot of internet services, and that is bad, also now I'm scared to even put Google Analytics on my personal website, because well you know a 20M fine is not a good thing, sure it's unlikely to get it, but in theory you can, and I don't want to risk it.


Dishing out a 20 million euro fine tomorrow would be completely against both the spirit and the wording of the law (fines must be proportional).

So, no, it's not unlikely, it's definite.


It’s absolutely not true that the goal is compliance rather than fines: https://mobile.nytimes.com/2018/05/05/world/europe/margrethe...


It is not the same in all the countries - for example in Poland the goal is to get you to pay a fine and if you go bankrupt then civil servants get special points. There is a culture of hatred towards private businesses coming back from the communist times.

Second, you don't know that - bored civil servants eager to hit targets and get bonuses for scoring big fines could have gone for a low hanging fruit that is small companies without legal teams scared and paying instantly.

Third, in its current state GDPR doesn't feel like it's ready "for production", so why would companies want to implement something with so many unknowns?


Running on 'I would be really surprised if', and 'aren't likely to be' aren't really how businesses work.


Risk management is part of every decision a business faces, legal or compliance risks aren't any different. Can we risk the CEO and chairman travelling on the same airplane? Can we risk having our disaster recovery site in the same city as our main? Same country? Same continent? Can we risk buying all this trends-sensitive inventory? Etc.

(Potential savings or revenue) - (Somewhat easy to calculate cost) * (Difficult to assess risk) = Profit. More or less.


That's not what I was referring to at all. I mean that the sentiment of 'probably'/'likely' from a random stranger online, to a business which might have EU users but never interacted with EU regulators doesn't mean much.


Of course Instapaper shouldn't take advice from me, a random stranger online, but from lawyers.

But from my shoes (someone that runs a business in the EU, is not compliant right now and is talking to a lawyer), Instapaper's decision is a bad risk-management decision.


Isn't it? We're in talks with lawyers right now about some stuff (not GDPR) and they've used both those phrases. We have to assess a risk and do what seems like the best risk/reward assessment, and the lawyers can only give us advice and guidance not 100% solid answers. With GDPR not having a single enforcement action yet I can imagine the guidance there being even more vague.


Asked a lawyer: If Instapaper doesn't delete the data from its EU users tomorrow, all the rules of the GDPR might still fall on their head. Most likely, they are then storing EU user data without given consent and have to follow all the requests about data storage, use, deletion and so on. Denying service without data deletion is not an option.


Indeed, it is not service to EU users which is governed by GDPR, it is data processing of data subjects in the EU. Obviously the data processing as defined by the GDPR doesn't stop simply because the service stops since storage is considered processing.

Seems to me Instapaper painted a big target on their chest: "We're not compliant, and we're going to give EU users the middle finger in the meanwhile." Whereas their size and business model may have staved off the data protection authorities' attention, now a bunch of angry users may well be issuing complaints.


So if someone traveling in the EU gets GDPR protections, does someone traveling in the US lose GDPR protections? Are the GDPR protections only for the data that was collected while someone was in the EU or for all data once they've traveled to the EU once?


> So if someone traveling in the EU gets GDPR protections, does someone traveling in the US lose GDPR protections? Are the GDPR protections only for the data that was collected while someone was in the EU [...]?

Roughly speaking, yes. E.g. a Brazilian business not specifically targeting transactions within the EU or EU nationals doesn't come under the GDPR. Conversely, an EU business basically has to apply the GDPR to any data collected inside the Union, regardless of the individual's nationality. (Obviously, this gets messier online, but if the currency was e.g. Euros and the company is in Belgium, probably covered.)

Having said that, you might have trouble as a non-EU resident to get the data protection agencies to care for trivial, individual cases. (My opinion as a European, not a fact.)


It seems that once you are in the EU, the GDPR applies to you. So you could move to Europe for a year and demand that Facebook provide you with all the benefits of the GDPR. Residency is probably a practical requirement but is not a written legal requirement since you will need to complain to the data authorities, and if you leave after complaining they will likely not follow up on your complaint.

Travel is probably one of the hairier issues. For companies which are big enough and do have an EU legal presence, they might get pushed to comply. Obviously, while someone is in the EU, EU laws regarding the treatment of that person apply. If you (as a data controller) are in the EU, of course you should comply, even if the basis of your legal relationship was formed outside of the EU.


They probably won't be using consent as their legal basis for most of their work, but all of the rest of it will still be on their heads by the sounds of it.


do you have to have an account to receive service on instapaper? personal data can be used without consent if it falls under article 6 comma b) or c) as long as the user signed up willingly and the personal data is necessary to provide the service itself - say you need to store the user email to confirm his identity to avoid fraud associated with using multiple anonymous accounts to work around trial limitations.


Also: how are they going to decide who is an EU user? GDPR applies to all EU citizens living abroad.


GDPR applies to data processors in the EU or for data subjects in the EU. Citizenship is irrelevant.


It might not be. But those fall into a weird space and we will see how things are going to be played out in practice. I still think they have to conform to GDPR, especially having prior data on EU users and involvement of parent company.


There are many unclear things in the GDPR, but the relevance of citizenship is not among them: Nothing in the text of the GDPR or any official guidance mentions citizenship or nationality.

The only sources which do mention those are informal and imprecise third-party summaries. But yes, this mistake has been spread widely.

The more precise compliance guides from, say, European law firms don't mention citizenship or nationality either.


The ban that goes into effect tomorrow will be IP-based for IPs in EU countries.


It would be MUCH easier to legally argue against the retroactiveness of the GDPR while coming into compliance than to risk being active during the actual deadline while coming into compliance.

I strongly suspect that the GDPR applying retroactively will get litigated and will have a very difficult time legally.


If only it hadn't come into law two years ago, then this argument might have a chance.


My impression is that Instapaper team is terribly understaffed and probably lost control over it's code base. They had changed hands twice over the years (Betaworks (Digg) 2013 and Pinterest 2016) with practically zero changes in code or the app. Zero progress, zero updates. That says something.

And the instapaper.com when downloading is sharing data with third parties like there is no tomorrow. Simply it is downloading a lot of crap from original sites (images etc.) which could be used for tracking - no way they could be compliant with GDPR and let user decide which third parties to share data with.


Hey – Brian from Instapaper here. I've been at Instapaper since the betaworks acquisition in 2013, so I have a lot of context here.

We've made tons of progress since I joined, redesigning the apps, websites, launching highlights, rebooting our business model, text-to-speech, speed reading, re-writing our parser, re-building our full-text search engine. The list goes on.

We currently don't have an image proxy for Instapaper, so yes when you visit the site we load the original images. We have discussed adding an image proxy but felt it would be a lot of overhead in server costs and maintenance for minimal value.

Additionally, I'm not sure it's fair to represent that fetching images from the original sources that a user saved is tantamount to sharing data with third parties, which has a different set of implications.


Of course, that was just my impression and not really an accusation based on facts. I apologize if I got it wrong.

I actually liked it that way, that Instapaper stays the same and reliable while others feel the urge to 'innovate' giving their loyal users only trouble. Scripts that I have written years ago for uploading articles still work and Instapaper is still my Read-It-Later of choice.

As for images - I had to accept that Instapaper works that way - but I always had been a little annoyed that it is possible to turn off images but that's not a persistent option.


Hi Brian! I was worried when Instapaper was acquired, but so far it's been working fine for the most part. I did get the impression that the whole thing became a lot slower. Is that possible, or is it just my end of things (connecting from NL)?

That said, speed isn't all that important considering that I do most of my reading on my iOS devices and they have that stuff locally. Still!


"its code base"

But yeah, most likely the code is all over the place.


> But because the fines are so steep — violating GDPR will cost a company 4 percent of its global turnover or $20 million, whichever is larger — no one really wants to be caught non-compliant.

Can everyone just stop repeating this, pretty please? That is the maximum penalty. You'd have to try really, really hard to get that kind of penalty. For minor transgressions, you're likely to get away with a reprimand.


I’m sorry, but blind trust in the benevolence of regulators in a country you’re not even a citizen of is no way to run a business. I don’t blame US companies unwilling to deal with GDPR uncertainty any more than I blame EU banks unwilling to deal with American customers because of our insane FATCA regulations.


I'm pretty sure even in the US, sentences for breaking the law vary depending on the case. And what's the point living in civilisation if you can't trust the judiciary?

There are options to appeal, so you're not at the mercy of one regulator/judge/<x>. Europe and the GDPR are no different.

EU banks not dealing with Americans/FATCA is simply down to it not being worth the effort. Luckily, the GDPR wasn't written in such an absolute way. It doesn't apply to non-EU companies doing business outside the EU, even if they might get the occasional European using their services (unless they specifically go after EU subjects). For example, a Japanese company selling specialty arcade joysticks and I, as a UK resident buy one using yen, not pound sterling. Even though they might ship to the UK, as they ship to loads of places, they aren't doing business in the Union, and they don't have to follow the GDPR.


I don't think 'likely' is enough to stop concern. You have to act under the assumption that you will get the worst, not just hope that you will get the best.


> Can everyone just stop repeating this, pretty please? That is the maximum penalty. You'd have to try really, really hard to get that kind of penalty. For minor transgressions, you're likely to get away with a reprimand.

I find this really ridiculous as well. To run a business, there's lots of rules you have to follow which can result in fines and even jail time if you make mistakes (taxes for example where the rules are complex). If every small transgression for every rule was hit with the maximum penalty, nobody would be able to risk doing anything.

The large GDPR fines to me seem to be aimed at big companies so more than a slap on the wrist can be issued for abusing vast amounts of personal information. I don't think small companies need to be blocking EU users because they're worried they might make a mistake in how they implement their newsletter consent checkbox for example.


You seem so incredibly confident in this that you must be able to point to some evidence or a case study to support your claims?


Here's the law. Notice that there's a bunch of stuff taken into account before setting the fines.

https://gdpr-info.eu/art-83-gdpr/

Here are some cases. The first is a company that was processing sensitive data (health data) who had to register with the ICO in the UK. They didn't register. They were not fined at all, because they were asked to register and did so. (Last paragraph). https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...

Here's an organisation that had video interviews with children who were the victims of sexual abuse. The organisation put these videos on DVDs with no encryption, and sent them through regular mail. The DVDs were lost. This is a repeat of a previous data loss from this organisation. Despite the severity of this breach, and the repeat, and the lack of protective action, the organisation was not fined the maximum available fine. https://ico.org.uk/action-weve-taken/enforcement/crown-prose...


There is no caselaw on the GDPR and no way to predict how fines will be levied. You can speculate how it will be enforced (as you have), but businesses tend to avoid speculation when assessing risk.


> You can speculate how [GDPR] will be enforced (as you have)

Since the GDPR will be enforced in the UK by ICO, there's very little speculation in the parent post.


The parent post is entirely speculation. It is speculation about how a new law will be enforced. It’s not even very robust speculation since after March 2019, the GDPR will not be enforced by any organisation in the UK.


Blocking access to EU citizens while keeping their data in violation of GDPR sounds like a case for this maximum penalty. It doesn't seem the company is showing good faith in data protection.


Why would a government impose anything other than the maximum?


Because the regulation is meant to enforce lawful behavior, not make the government richer. If they break out the maximum penalty for a minor violation, it will obviously stifle business and cause economic harm to the EU.

But they do need a credible threat to really punish wilful disregard of the law, for companies that profit from breaking the rules. We see how well it works when the fine costs less than the profits from breaking the rules. The EU is making sure that this will not be the case for the GDPR.


Is what you say actually written into the law, or is it left up to the discretion of the enforcer?

Because I'm sure EU companies will be given lots of leeway, but non EU companies will not, and no one wants to be the example.


Fines must be "effective, proportionate and dissuasive", and there are various factors that the authorities must take into consideration. If you feel they _haven't_ taken the relevant factors into account, you can take it to the courts (especially if there is a history of fining non-EU companies more, as that would suggest they are taking irrelevant factors into consideration).

https://gdpr-info.eu/art-83-gdpr/


Um, those three words "effective, proportionate and dissuasive" together mean "as high as possible".

So yah, people are right to block the EU first, and figure out the details later.


> Um, those three words "effective, proportionate and dissuasive" together mean "as high as possible".

No they absolutely do not.


Really? "effective" = large amount, so company won't do it again, "proportionate" = relative to revenue, "dissuasive" = make them an example so no one else will dare.

I bet you are going to tell me proportionate somehow makes it all better, but for companies that make money this way, the amount of money they make this way in proportion to their income is basically all of it.

So you can bet regulators will go for the full amount.

No company in their right mind is going to rely on the mercy of an EU court toward a non-EU company.


> "effective" = large amount, so company won't do it again

Generally true, but it should be read with proportionate as meaning as large as necessary to be effective -- if a warning is sufficient to ensure compliance, then the effective clause suggests a fine is NOT warranted.

> "proportionate" = relative to revenue

_Absolutely_ not - proportionate to the _infringement_. There is no other reading that makes sense here.

> "dissuasive" = make them an example so no one else will dare.

Dissuasive also encompasses encouraging companies to cooperate with regulators and make a best effort to comply. If they are going to get the maximum fine for a minor breach, even if they made a full effort to comply and merely overlooked something, they are _not_ dissuaded from ignoring the GDPR in its entirety.

> So you can bet regulators will go for the full amount.

Certainly not. Going for the full amount, regardless of the circumstances and ignoring the factors they MUST consider, is going to result in the fines being overturned by the courts, which undermines their position, doesn't fulfill the purpose of the fine (if the company successfully challenges it), and doesn't fulfill the aims of the GDPR. Ignoring the law to go for the maximum fine would be a terrible decision for a regulator to make, and you can look at the history of enforcement of the DPD to see that regulators _don't_ generally go for the maximum fine.


Horseshit.

Proportionate means „proportionate to the infraction“. That is simply not up for debate or „internet troll‘s opinion“, that‘s established law.


> Why would a government impose anything other than the maximum?

Because it's bound to apply a bunch of other rules in setting penalties by the same regulation that set the maximum cited. Saying that every offense will get the maximum is saying that the government will ignore the regulation, in which case you can just as justifiably say that any behavior, even if it isn't a violation of the rules, will get a fine of €1.337 quintillion, or 1,000% of global combined GDP, whichever is greater.

Heck, even ignoring the case-by-case factors that must be considered, the 4% or €20 million maximum is much greater than the maximum for many violations; there are only certain GDPR violations that have that maximum.


Article 49 of the EU Charter of Fundamental Rights. All penalties under EU law must be proportionate. As a result there is already considerable case law, from multiple individual laws and countries, at the CJEU to define the extent of proportionate.


Why doesn’t petty theft carry the death penalty? Penalties for any crime must, in a democracy, be reasonable to the general population (which of course contains a lot of people who are both data subjects and data controllers via owning smaller and larger businesses) - otherwise the legislative body will be voted out, laws changed, etc. Equilibrium. Yes, EU laws might have more red tape around them, but we still vote for our representatives.


Because having every single fine rescinded by the courts looks bad and brings you exactly no money.


I'm still struggling with the fact that the EU can compel me to add what will be a funnel shattering dialog to my onboarding.

I've shelved a bunch of side projects that I was excited to work on because I have no interest in dealing with any of this ambiguous law. Implementing it would most likely cause a large percentage of users to uninstall my app, because who wants to be greeted with a scary sounding dialog as their first experience in an app. I know many folks here are privacy oriented, but unless this tiny slice of the population is willing to fund my app, I have 0 interest in pandering to them vs the majority of users that would get scared away by it.

I know that there's an almost 0% chance of any repercussion for not being compliant in a tiny app that'll probably never get anywhere, but I'm just so sickened by this whole thing that I don't want to deal with any of it.


If you were going to make apps that didn't safeguard the users data, and this law deterred you from doing so, then the law is working as intended.


I think it's pretty easy to argue that such an intent could be described as "stifling innovation", if it's preventing people from trying new things because of the overhead associated with an impact analysis and continued maintenance of e.g. responding to data requests indefinitely.


I agree, we should also get rid of copyright and property laws in the name of not "stifling innovation". It is absolutely ridiculous that I can't just walk into a peoples homes and install my 'adtreckr' eye tracking cameras on their TVs, even though that has the potential to revolutionise the amount of engagement and make sure that they only receive the most engaging, most relevant ads for their tastes./s

Less satirically, you are free to innovate by coming up with new tech, then selling to people who care enough to deal with regulations. The 'stifling innovation' copout is so utterly overused by people who want to ignore negative externalities like pollution or the surveillance state we are building up. I am starting to think of it as a type of rent seeking: "I am currently in the privileged situation of having the technology and network effect necessary to exploit this unguarded treasure of X without dealing with the fallout. Please don't pass any regulation requiring me to actually pay my dues"


I think there's a very specific motivator behind people who build tech with the intent to sell, and that motivator doesn't cover every reason behind other people who build tech. If I want to start a project and think, "cool, if this works out, i'll sell it 6 months from now so it can actually do cool stuff", I'm just not going to work on that project at all.

Honestly though, I would _love_ to live in a world where you could walk into my home and install your 'adtreckr' eye tracking cameras on my TV. What you're describing is "trust", and I think the amount of it that each person has (for people in general, but also for companies) is a big influence in how they view GDPR (and other regulations that some might argue are unnecessary). Obviously, we're very far away from that world, so this isn't consent for you to come waltzing into my home in the near future. :)

In my eyes, the satirical representation of what's happening here (from a consumer's point of view) is me placing an order for your awesome new eye tracking cameras, looking forward to the delivery and installation, and then seeing delays and delays as you repeatedly come back with, "well, are you sure you want this? are you sure I can enter your home? are you sure I can touch your TV? are you sure I can modify your TV?" I signed up, I paid for it, I told you I want it, just do whatever you need to do to give me it.

From a business POV, I already treat user data with utmost regard, and my users know that. Similarly, I trust that the companies I willingly give my data to do the same. There are probably some bad actors in the mix, but I doubt they're going to bother with compliance anyway. Having to go out of my way to prove that data trust is there to a third party completely uninvolved with the contract I have with my users, and to spend hours and hours implementing new workflows and pipelines for out of scope functionality that needs to be maintained indefinitely -- this is not good for a business. It's bad for small businesses because it sucks up time, money, and other resources, and it's bad for big businesses because it opens up such a huge area for litigating non-issues. It might have some value to users, as I said elsewhere, but it's a heavy-handed regulation that is too overreaching in its implementation, in my personal opinion.


> Honestly though, I would _love_ to live in a world where you could walk into my home and install your 'adtreckr' eye tracking cameras on my TV. What you're describing is "trust", and I think the amount of it that each person has (for people in general, but also for companies) is a big influence in how they view GDPR (and other regulations that some might argue are unnecessary). Obviously, we're very far away from that world, so this isn't consent for you to come waltzing into my home in the near future. :)

Anarchy is always ruined by all those people! (I'm a big fan of trust, and not a big fan of Hayek, but Hayek had an insight when he talked about the micro and the macro cosmos. People are too diverse for us to rely on "trust" to solve things; we need agreed-on official rules)

> In my eyes, the satirical representation of what's happening here (from a consumer's point of view) is me placing an order for your awesome new eye tracking cameras, looking forward to the delivery and installation, and then seeing delays and delays as you repeatedly come back with, "well, are you sure you want this? are you sure I can enter your home? are you sure I can touch your TV? are you sure I can modify your TV?" I signed up, I paid for it, I told you I want it, just do whatever you need to do to give me it.

No. If you opt into buying my camera, since it is explicitly necessary to do all of that stuff, the consent is given as part of the buying contract. I just need to clearly state and explain that. If you had to gain access to Facebook or Instapaper via a huge opt-in order form (let's say a pop-up detailing exactly what happens to your data), then it is equivalent... and that is exactly what GDPR requires.

> From a business POV, I already treat user data with utmost regard, and my users know that. Similarly, I trust that the companies I willingly give my data to do the same. There are probably some bad actors in the mix, but I doubt they're going to bother with compliance anyway. Having to go out of my way to prove that data trust is there to a third party completely uninvolved with the contract I have with my users, and to spend hours and hours implementing new workflows and pipelines for out of scope functionality that needs to be maintained indefinitely -- this is not good for a business. It's bad for small businesses because it sucks up time, money, and other resources, and it's bad for big businesses because it opens up such a huge area for litigating non-issues. It might have some value to users, as I said elsewhere, but it's a heavy-handed regulation that is too overreaching in its implementation, in my personal opinion.

If you already do everything that is commonsense data protection, which is the bulk of what is required by GDPR, then all you have to do is document that. If you cannot guarantee that the data is not shared, then the third party isn't uninvolved in the contract you have with your users.

Honestly, think of my data as something I own, like my house or my car, and GDPR becomes easy. Think of it as something you "create" by tracking me on your site, and your point of view becomes easier. I like my world better


I have a hard time seeing any justification for your view. Why would you own data about yourself? Do you own your name? Do you own the fact that you went to taco bell for dinner last night? Can you sue someone else for knowing you went to taco bell last night? Should it be a crime for someone who knows your name to tell someone else your name? What if they do it for money?

"Owning" data about yourself is a very strange concept to me.


GDPR could have safeguarded data by demanding more transparency, still allowing apps to accept data as a form of payment through personalized ads. It's not obvious why they are requiring apps to provide the same service for free 'without detriment'. That destroys a number of business models. Why not just allow they give an option to not give their data if they are willing to pay?


> GDPR could have safeguarded data by demanding more transparency

That would be a toothless regulation. It would just cause businesses to add more crap to their privacy policies, which nobody reads anyway, and doesn't impact user behavior.

> It's not obvious why they are requiring apps to provide the same service for free 'without detriment'

So that users can opt-out of having unnecessary data collected. You should only be collecting the data needed to run the service. If your business collapses when users opt-out, your business model was nothing but data harvesting to begin with, and probably doesn't deserve to exist.

> That destroys a number of business models

A number of exploitative business models that harm society and democracy. Works for me!

> Why not just allow they give an option to not give their data if they are willing to pay?

You can do that now. Stop collecting data that isn't necessary to run your service, and charge people money.


If they were smart about how transparent a business needed to be, I don't think it would be toothless at all. It would have given users more information about what is happening behind the scenes and allowed them to make their own decisions.

> So that users can opt-out of having unnecessary data collected. You should only be collecting the data needed to run the service. If your business collapses when users opt-out, your business model was nothing but data harvesting to begin with, and probably doesn't deserve to exist.

This is a really rosy view of things. The reality is that there are tons of apps / games / sites that people use and enjoy but would not pay for. And there are people who could not otherwise afford to pay for them but are able to enjoy them because personalized ads can be used as a form of payment. I would argue most of these things make the world a better place not a worse place. And that people should be able to choose how they want to pay for those services.


I don't agree, but at least I understand where you're coming from. Here is the stasis of our dispute:

> I would argue most of these things make the world a better place not a worse place. And that people should be able to choose how they want to pay for those services.

I'm not convinced any of the apps we pay for in data really improve our lives. The price we pay in control over our identity and our information usually outweighs the benefits. And in some cases, like in many distracting social apps or pay-to-win games, there is no benefit. The app is just designed to addict us, keep us occupied, and make our lives worse.

Furthermore, I don't think "allowing users to decide for themselves" is going to make a difference. That's like allowing poison in food, because everyone can scan the ingredients on the label for known poisons. It's unreasonable to expect the average person to do due diligence on every service they use online.


I'm not convinced any of the apps we pay for in data really improve our lives. The price we pay in control over our identity and our information usually outweighs the benefits.

Hundreds of millions of Google and Facebook users disagree. If you ask people what Google does with the data they collect, a large percentage both incorrectly believe that they directly sell it to advertisers (rather than just using it for ad targeting) and don't have a problem with that.

I'm not saying that you're wrong, but I am saying that you aren't so clearly right that your preferences should be forcibly imposed on everyone.


That's fine, the problem is there was no choice before. OK, Google Analytics is somewhat easier to block, but e.g. Facebook with their shadow profiles? How do you block that? Is it feasible to expect teenagers to not use FB/Snapchat/Instagram when all their friends are just to protect their privacy?


If the benefit users got was that great, I think people would pay for these services, if forced to.


A significant proportion of the 500 million citizens of the EU are "privacy oriented".

If you can't keep our data safe, why should you be trusted with it?


My point is, I have no clue what's collecting data in an improper way, and I'm not going to hire a lawyer for a hobby app.

The amount of conflicting information about whether I do or don't need consent based on what services I use is just stupid. And I wouldn't even be showing ads.

Part of the app's function is related to location, do I need consent? Maybe.

It will use Firebase, do I need consent? Maybe.

It will collect crash data so I can debug the stupid thing, do I need consent? Maybe.

Etc...


Welcome to the real world. If your little hobby project leaks the personal information of a real person, then they don't care how much of an unimportant side project it was to you.

For purely personal use "hey guys, this is just a hobby use at your own risk" you won't get hit with gdpr

Imagine if you were building cars for a hobby then selling them. Would you complain about all of those onerous regulations like seatbelts, crumple zones etc. when all you really want to do is tinker with some cool engine tech?


I don't see what leaking personal information has to do with collecting crash data, or using Google's infrastructure to store my data. Why should I have to be on the hook for what is most definitely much safer than trying to safeguard the data myself?

Like I said, all it will accomplish is discouraging projects like mine that aim to provide utility to some people. One of my released hobby apps is no great commercial success (I don't show ads or collect revenue), but it's one of the top rated apps in its category on the Play Store, and I have about 20k DAU.

If the GDPR ever came after me for it, I'd just take the app down. Bam, 20k people a day affected because of over regulation.

Also, I wouldn't equate personalized ads with the life and death regulations involved in the auto industry.


I think if your app isn't available in European regional Play/App Stores, you aren't considered to be targeting EU residents and you can safely ignore the GDPR.


I've heard conflicting reports about that as well.


Jesus christ, these cookie warnings are getting out of control. I'm not in the EU, stop blocking half of my screen with them!


Those of us in the EU hate them too.


I wonder why someone hasn't created a browser extension to just automatically accept them, yet.


Because AFAIK there's no standard way to identify them because each website comes up with its own design...

This is all rather silly, given that the choice to allow/refuse cookies, and the prompt, could have been better implemented at the level of the Web browser...


Like Do Not Track (DNT)? Oh, wait, that exists, and almost all companies ignore it.


The cookie warnings are about refusing cookies, which is something that is completely up to the Web browser.

Specifically, Web browsers could warn when a website sets a cookie and ask for user consent before storing it (and if the user does not consent then the website becomes unavailable).


How does shutting down fix GDPR issues? Does all user data magically disappear by shutting down?


It doesn't. But if you notice you might be doing something illegal, it's a great first step towards compliance to stop doing _more_ of it.

Here, Instapaper is likely not misusing user data, but has to catch up on compliance documentation and small details (e.g. signing data processing agreements with services they use, raising the age limit from 13 to 16, …)


Um, no - The GDPR treats the simple act of storing personal data as 'processing', so turning off the service while still keeping the data resolves nothing. It doesn't even matter if you take the data offline, or temporarily obfuscate it.


You are completely correct that simply blocking access does not make them compliant while they are still storing that data.

But compliance isn't binary. I'm sure the data protection authorities understand the difference between “LOL I'm already noncompliant so I'll just continue business as usual” versus “Working hard to fix this – in the meanwhile, let's prevent covered Subjects from sending us more data until we are prepared to handle it compliantly.”


But what would you be violating exactly? How could those violations be detected? It seems if the EU is so generous in not wanting to fine and you and walking you through the process, then shutting down would look like a reasonable thing to do if you are still attempting to comply.


>How could those violations be detected?

You can tip off the regulators if you believe that there is a violation and they will then investigate it.

Instapaper is giving a pretty good reason to be suspicious.


What would be in violation exactly? Not clear on this. How would regulators investigate? Do they require full access to your database/ backend?


They had years to prepare for that. I don't feel comfortable with them not being ready. Time to move to Pocket.


I'm sad to see that as I am an avid Instapaper user living in EU. The whole GDPR issue caused a lot of changes and friction, but hopefully that's a good thing on the long term


One day's notice, pretty shitty treatment of customers.


A general question for the GDPR experts: If user A does a request of their data and user B added a page to their Instapaper account that had user A listed, does that page have to be included in the response to user A?


Cloudflare needs a feature that lets you ban all EU IPs.


They do. You can do that with their WAF (and maybe without it).

https://www.cloudflare.com/waf/


Not-So-Related question: How can I shut off access for European users to my service?

Blocking IPs? Ask if they are European? What if they lie? What if they become a European citizen later but fail to notify me?


Maybe The Verge should sweep around its own door: https://imgur.com/a/0r28SZb


Yes - but never mind the requests, what's up with that "GDPR bar"? Where's the 'No, I do not want you to do this' button?


Ah, never mind! It's a simple 56-step opt out process:

https://www.voxmedia.com/pages/cookie-policy#your-cookie-cho...


If anyone is looking to export a list of their saved pages the links for this are on the Settings page: https://www.instapaper.com/user

A list of all saved pages in all folders can be downloaded in CSV or HTML.


What are good alternatives to Instapaper? There is Pocket, any other recommendation?

Maybe it is also time for somebody to create a new app, as tiny side apps owned by corporations seem to be sunsetted sooner or later.


There's Wallabag [1], which you can host your own instance of.

I'm the creator of BeeLine Reader [2], which has a reading list feature. The app is free to download and if you want to use it as a reading list app that's totally free. There are some IAPs that hook into Kindle or provide other functionalities, but they're unnecessary if you just want a read-later app.

1: https://wallabag.org/en

2: https://itunes.apple.com/us/app/beeline-reader/id938026867?m...


Creating new apps has just become more effort, while monetization options have become more difficult.


So? Profit maximization of the developer is not the only thing that matters, users deserve to be protected as well.

Applications have become terrible in this respect. I use Little Snitch and see many paid applications report to Google Analytics. I don’t want the developer to know how often and how I use the application, let alone Google.

Technical users know how to use an application firewall, uBlock or uMatrix. But the average user was robbed of their privacy without them even knowing, let alone having any choice. The GDPR finally corrects this.


Google Analytics isn't usually used as a revenue stream, but instead for analytics and telemetry.


One motivation for doing analytics/telemetry is being able to set optimal price points, etc.

For example, if 80% of your user population uses your app daily, it is more attractive to switch to a subscription model than if most people use it very irregularly.


Oh my god, that sounds like capitalism.


"Somebody" has created plenty of new apps, they just happen to get acquired as you say. If you want one that will last forever, you need to code it yourself and keep it as a personal tool.


Theoretical question: If I am a startup now and have a global audience, does that mean I need to enforce GDPR from the get go? Or is there a time limit before I have to comply?


For people living outside of EU, this should scare you, Instapaper are unable to take care of your personal data...


I could not find the Instapaper addon for Firefox anymore, is it somewhat related to this news?


This is a terrible move. They had effectively years to prepare for the GDPR and they already have some sort of rudimentary export and delete options.

This step removes all the trust in Instapaper that I had in the past: They either are mismanaged or are not willing to tell the users what data they are collecting and how they use and monetize this data. And it should worry all users, not only users from the EU.


> They either are mismanaged or are not willing to tell the users what data they are collecting and how they use and monetize this data. And it should worry all users, not only users from the EU.

I don't know a ton about GDPR, but the article makes it look like it has less to do with Instapaper (aside from risk tolerance) and more to do with the ambiguity of the law. Some relevant quotes:

> it’s more than likely to be the GDPR’s data subject access request, which allows any EU resident to request any and all data collected and stored about them. As The Verge reported yesterday, that’s causing companies trouble because it’s not entirely clear right now what information residents will request, what format that information needs to be in, how to locate it and package it, and whether new infrastructure needs to be created to manage this request pipeline. Personal info is a somewhat nebulous concept, and the fact that experts are describing the GDPR as “staggeringly complex” is not making it easy to cover all the bases.

> It’s clear that few companies, if any, will be 100 percent compliant when the law goes into effect. But because the fines are so steep — violating GDPR will cost a company 4 percent of its global turnover or $20 million, whichever is larger — no one really wants to be caught non-compliant. So that’s why companies are rushing and, in the case of Instapaper, literally shutting down.


> it’s not entirely clear right now what information residents will request,

If they ask for something specific in an informal way, that can be provided

But from the GDPRs data portability point of view, it's everything that's linked to the account. Export your Facebook data for a good example of this.

HN example: it would be the information in your profile, the links/text you submitted (but not the content of the link itself), the comments (the comment IDs) you upvoted, stories flagged/upvoted (for the length of time this is kept, for example, if after a while user ids that upvoted a comment are erased and only the score is kept, that's fine) and maybe some other background information (for example: password hashes/access logs/etc)

> what format that information needs to be in,

Machine readable format. HTML/XML/JSON is fine.

> how to locate it and package it, and whether new infrastructure needs to be created to manage this request pipeline.

Well that's not the problem of the law, is it?

You know your data scheme. You know whether you can run this in your existing infrastructure or not.

    for TABLE in $YOUR_TABLES; do
        psql -c "SELECT * FROM $TABLE WHERE UserID = $USER_ID;"
    done


From the HN example, does this include other comments that referenced my username? What about comments that might have linked to my GitHub profile? What if there are server logs that include my IP and a time which can correlate to when I posted a comment or something? What about this information on Algolia, must I contact them separately? Also, I wasn't aware...I can ask for my password hash? Can I request all of this information be deleted? (genuine questions btw assuming I were in the EU, not trolling)


Starting from the end

> Can I request all of this information be deleted?

Yes, the ones that are on HN. I'm not sure how it works for 3rd parties that obtain your data

> does this include other comments that referenced my username?

I don't think so, this is unlikely, especially as you didn't create it and HN doesn't link this (as opposed to reddit)

> What about comments that might have linked to my GitHub profile?

I'd say that being required is even less likely as HN has no way of knowing what's your GH profile

GDPR is what they know about you. If they're actively trying to link pasted GH profiles and usernames then this would apply, otherwise no.

> What if there are server logs that include my IP and a time which can correlate to when I posted a comment or something?

That thing with IPs being PII I'd say this would apply, but then again, this doesn't bring any new information.

So if they keep track of users access times then yes, but if this information is rotated, sent to /dev/null then no.

You're not obligated to connect all the dots, or track user login times. That being said, IP (especially + times) are PII so better anonymize it and discard once not needed.


> for table in tables: select * from table where ...

Arguably much or all of the entries with FKs to those rows as well, transitively. Unless you don't believe in normalisation :)
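The per-table loop a few comments up, together with the foreign-key point made here, as a worked example. This is added illustration code, not Instapaper's, HN's or any poster's implementation. It assumes a SQLite database in which child tables declare REFERENCES constraints, so the walk can discover the parent-to-child edges from the schema metadata instead of a hand-maintained table list; the schema, table names and rows are constructed sample data.

```python
"""Subject-access export that follows foreign keys transitively.

Added example for this thread; not Instapaper's or HN's code. Assumes a
SQLite schema whose child tables declare REFERENCES constraints. The tables
and rows below are constructed sample data (two users, so the result can be
checked for leakage of another subject's rows).
"""
import sqlite3
from collections import defaultdict, deque

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT NOT NULL);
CREATE TABLE folders (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id),
    name TEXT NOT NULL);
CREATE TABLE saved_pages (
    id INTEGER PRIMARY KEY, folder_id INTEGER NOT NULL REFERENCES folders(id),
    url TEXT NOT NULL);
CREATE TABLE highlights (
    id INTEGER PRIMARY KEY, page_id INTEGER NOT NULL REFERENCES saved_pages(id),
    quote TEXT NOT NULL);
CREATE TABLE access_log (
    id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id),
    ip TEXT NOT NULL, ts TEXT NOT NULL);
"""

# Constructed sample rows (hypothetical users, hashes and addresses).
SAMPLE_ROWS = {
    "users": [(1, "alice@example.org", "hash-alice"),
              (2, "bob@example.org", "hash-bob")],
    "folders": [(1, 1, "Unread"), (2, 2, "Unread")],
    "saved_pages": [(1, 1, "https://example.org/a"),
                    (2, 1, "https://example.org/b"),
                    (3, 2, "https://example.org/c")],
    "highlights": [(1, 1, "first quote"), (2, 3, "bob's quote")],
    "access_log": [(1, 1, "203.0.113.5", "2018-05-24T10:00:00Z"),
                   (2, 2, "198.51.100.7", "2018-05-24T11:00:00Z")],
}


def build_sample_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def fk_graph(conn):
    """Map parent table -> [(child table, child column, parent column)].

    Built from SQLite's own FK metadata, so a table added later with a
    REFERENCES clause is picked up without editing an export list."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    graph = defaultdict(list)
    for child in tables:
        # PRAGMA columns: id, seq, table, from, to, on_update, on_delete, match
        for fk in conn.execute(f"PRAGMA foreign_key_list({child})"):
            parent, child_col, parent_col = fk[2], fk[3], fk[4] or "id"
            graph[parent].append((child, child_col, parent_col))
    return graph


def export_subject(conn, user_id, root_table="users"):
    """Collect every row reachable from the subject's user row by following
    foreign keys in the child direction (folders -> pages -> highlights ...).

    Returns {table: [row dicts]}. Table and column names come from the
    schema metadata, never from the request, so interpolating them is safe;
    the subject id itself is always bound as a parameter."""
    graph = fk_graph(conn)
    found = defaultdict(list)
    seen = set()  # (table, id) pairs, guards against revisiting via two paths
    queue = deque([(root_table, "id", user_id)])
    while queue:
        table, col, value = queue.popleft()
        rows = conn.execute(f"SELECT * FROM {table} WHERE {col} = ?", (value,))
        for row in rows:
            record = dict(row)
            key = (table, record["id"])
            if key in seen:
                continue
            seen.add(key)
            found[table].append(record)
            for child, child_col, parent_col in graph.get(table, []):
                queue.append((child, child_col, record[parent_col]))
    return dict(found)


if __name__ == "__main__":
    import json
    print(json.dumps(export_subject(build_sample_db(), 1), indent=2))
```

The walk only follows edges from parent to child, which is what a subject access request needs: rows that hang off the user's record. It deliberately does not follow edges back up to shared parents (a page referenced from many users' folders would otherwise pull in other subjects' data), and the per-table id set stops it looping if two paths reach the same row.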


Yes, you are correct!

(I'll leave the normalization debate for later :) )


An email-address to send requests to and someone setting up a process for those requests along with a definition of which data to be returned to the user, all that isn't hard to implement. GDPR has caused some panic that's unnecessary.

The violations won't be fined with 4%/€20m (€ not $) right away, there's more steps before that, starting with "a warning in writing in cases of first and non-intentional noncompliance"


> GDPR has caused some panic that's unnecessary.

Maybe some companies have overreacted, but dismissing them feels a bit like blaming the user for bad UX.

Couldn't you argue that a law that causes a panicked overreaction was a poorly written law in at least one respect, given that laws have a communicative function?

Especially if all these complaints were raised well in advance of the passage of the law, so that the drafters had plenty of warning that several groups were struggling to understand the text?


The regulation was in the making since 2012. Plenty of time I'd say https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

The German Wikipedia has a lot more details on the history and development of the regulation: https://de.wikipedia.org/wiki/Datenschutz-Grundverordnung


Seems pretty clear to me that a lot is taken into account and that the regulators can't go straight to huge fines.

https://gdpr-info.eu/art-83-gdpr/


What...data are they collecting?

It's a site that pins articles people have saved, the only piece of user data they should hold would be email address and maybe IP address? Simple to put in policies to expire the IP address data after a reasonable amount of time.
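
The expiry policy suggested here, together with the earlier reply's advice to anonymize IPs and discard them once not needed, as an added example that is not from this thread: a small log pass that drops access-log lines older than a retention window and truncates the client address in the lines it keeps. The log format, the /24 and /48 truncation widths and the 30-day window are all constructed, illustrative choices; the regulation does not prescribe any of them.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed access-log lines (hypothetical format: ISO timestamp, client IP, request).
SAMPLE_LOG = """\
2018-05-20T08:15:00Z 203.0.113.7 GET /u/alice/saved
2018-05-23T19:42:10Z 2001:db8:85a3:1234:5678:8a2e:370:7334 POST /api/save
2018-03-01T03:00:00Z 198.51.100.9 GET /login
2018-05-24T11:05:33Z not-an-ip GET /health
"""


def anonymize_ip(ip_text):
    """Truncate IPv4 to /24 and IPv6 to /48 so the value no longer pins down one host.

    Returns "-" for anything that does not parse as an address, so a malformed field
    never survives untouched. The prefix lengths are an assumption of this example.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "-"
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def process_log(text, now, retention_days=30):
    """Keep only lines within the retention window, with their IP field truncated."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in text.splitlines():
        ts_text, ip_text, rest = line.split(" ", 2)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue  # past retention: discard rather than keep
        kept.append(f"{ts_text} {anonymize_ip(ip_text)} {rest}")
    return kept


if __name__ == "__main__":
    for line in process_log(SAMPLE_LOG, datetime(2018, 5, 25, tzinfo=timezone.utc)):
        print(line)
```

Truncation reduces identifiability but does not by itself turn the log into something with no personal data in it; the retention cutoff is what actually makes the old entries go away, which is why the two steps are combined here rather than relying on either one alone.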


We detail the types of information we collect and how we use the data in our privacy policy here: https://www.instapaper.com/privacy


If that's the only info you collect, it would take you way less than two years to get compliant with GDPR.

So there's something you're not telling.


> because the fines are so steep — violating GDPR will cost a company

Will? The usual misinformation then.


> violating GDPR will cost a company 4 percent of its global turnover or $20 million, whichever is larger

You forgot "up to, depending on the severity of the violation".


>> violating GDPR will cost a company 4 percent of its global turnover or $20 million, whichever is larger

Isn't there a lower level - 2% and $10 million too?

https://www.itgovernance.co.uk/dpa-and-gdpr-penalties


There are various lower levels. It's "up to". Many of the things GDPR requires have been law in various parts of Europe for a long time (e.g. Germany), sometimes in all of Europe. But the fines were so low that most companies said "eh, who cares" - now enforcement has teeth and it's panic all around.


> effectively years

Not quite. LITERALLY years. Two of them. A bit more if they were keeping an eye on the matter while the regulation was being drafted (though I doubt very many were, I know I wasn't).


It could also just be liability concerns -- I know I personally considered turning off a (free & GDPR-compliant) side project I maintain out of concern around what might happen to my bank account were a security incident to occur affecting EU citizens.


> that’s causing companies trouble because it’s not entirely clear right now what information residents will request, what format that information needs to be in, how to locate it and package it, and whether new infrastructure needs to be created to manage this request pipeline. Personal info is a somewhat nebulous concept, and the fact that experts are describing the GDPR as “staggeringly complex” is not making it easy to cover all the bases. (Granted, companies have had two years to prepare for this.)

That is bollocks. The most stupid excuse I have ever read.
