I really hope nothing remotely similar to GDPR is written into legislation in the US. I do not even know how I would get started writing a website that would adhere to GDPR requirements.
So, on the one hand, I really would like a GDPR equivalent law in the US.
OTOH, anyone who says they clearly understand the implications of GDPR for their site has either spent a lot of money on lawyers or is lying. Let alone someone who has implemented it. Privacy by design requires deletion of data after legitimate interests and/or consent have expired, probably (!!!) in 3rd party systems. How, precisely, do you implement that?
Can you shadow-delete accounts for some period of time to allow users to change their minds? If no, what UI do you put on a "delete my account" button that has absolutely no undo, even in the 24h regrets period?
Do people have GDPR privacy rights over eg comments on YC that may mention them by nym?
Given the GDPR covers EU residents (not just citizens), as an American can I buy a plane ticket to Dublin and start requesting full data dumps? What rules are those provided to me under, and how do you make software that can do that?
There are plain English guidelines available for the GDPR; in the UK they are published by the ICO, which is the government agency tasked with enforcing the law. I'm sure there are edge cases which aren't fully documented, but as long as you're not pushing the edges of the law and are trying to stay within the spirit you will be fine. Probably.
0. You require the third party you passed the data on to delete data when you tell them. The third parties should tell the person that they now have their data, where they got it from, how they will process it and how to get in touch with their data protection officer.
1. You can but you must also allow someone to delete in full (assuming none of the many reasons to reject removal requests apply or you don't wish to exercise them).
2. This is murky, but probably not. There's a right of freedom of expression and information.
3. No, you have to be a resident, not a visitor. You'd have to see how Eire defines residency.
> OTOH, anyone who says they clearly understand the implications of GDPR for their site has either spent a lot of money on lawyers or is lying. Let alone someone who has implemented it.
It's long but the language is far easier than American legalese. The implications depend on your site/service behaviors. An RSS reader is pretty trivial, interactive social media... less so.
> Privacy by design requires deletion of data after legitimate interests and/or consent have expired, probably (!!!) in 3rd party systems. How, precisely, do you implement that?
Privacy by design is a design philosophy; it might be a pain to refactor into an existing system, but the design constraints aren't onerous.
If your "3rd party system" is something like AWS, just delete the data. If you're sending it off to some other service, they do need to be GDPR compliant (the law covers this situation).
Re: legitimate interests, we partitioned our data. Access logs, for example: one stream gets anonymized for simple analytics, another gets dumped into in-depth weekly analytics jobs, and the final log stream outputs encrypted auto-expiring S3 files with strong access control for infosec purposes. When a user withdraws consent, we just stop logging new information. Truly anonymized data is OK, our in-depth analytics data is purged within 14 days, and infosec is a justifiable legitimate interest.
> Can you shadow-delete accounts for some period of time to allow users to change their minds?
Yes. GDPR does not require an instant response. You should be transparent about what will be kept and for how long; a clearly communicated 24h shadow-delete is completely reasonable.
> Do people have GDPR privacy rights over eg comments on YC that may mention them by nym?
This is a good question, I'm also curious about quotes. The recent Google case suggests both fall under GDPR.
> Given the GDPR covers EU residents (not just citizens), as an American can I buy a plane ticket to Dublin and start requesting full data dumps? What rules are those provided to me under, and how do you make software that can do that?
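The purpose-partitioned logging and the 24h shadow-delete described in the reply above, as an added Python example; this is not the commenter's code or any particular product's implementation. It assumes three stream names, a 14-day expiry for the in-depth analytics stream (the figure the comment gives) and an assumed 90-day placeholder for the infosec stream, and it treats encryption at rest and bucket-side expiry as handled by the storage layer rather than in this code. The `ConsentRegistry`, `LogRouter` and `AccountDeletion` names are constructed for the example, as is the scenario in `demo()`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention per purpose (constructed for this example). The 14-day figure is the
# one the comment states; the 90-day infosec window is an assumed placeholder.
RETENTION = {
    "analytics_anon": None,                  # anonymized: nothing personal, kept
    "analytics_detail": timedelta(days=14),  # in-depth analytics, purged <= 14 days
    "infosec": timedelta(days=90),           # legitimate interest, expiring store
}
DELETE_GRACE = timedelta(hours=24)           # the communicated shadow-delete window


@dataclass
class AccessEvent:
    ts: datetime
    user_id: Optional[str]   # None for anonymous traffic
    ip: str
    path: str


class ConsentRegistry:
    """Tracks users who withdrew consent for analytics processing."""
    def __init__(self) -> None:
        self._withdrawn = set()

    def withdraw(self, user_id: str) -> None:
        self._withdrawn.add(user_id)

    def allows_analytics(self, user_id: Optional[str]) -> bool:
        # Anonymous traffic carries no consent that could be withdrawn.
        return user_id is None or user_id not in self._withdrawn


def anonymize(event: AccessEvent) -> dict:
    """Strip every identifier: no user id, no IP, timestamp coarsened to the hour."""
    hour = event.ts.replace(minute=0, second=0, microsecond=0)
    return {"hour": hour.isoformat(), "path": event.path}


class LogRouter:
    """Fan one access event out to purpose-specific streams with their own retention."""
    def __init__(self, consent: ConsentRegistry) -> None:
        self.consent = consent
        self.streams = {name: [] for name in RETENTION}

    def route(self, event: AccessEvent) -> list:
        """Write the event to every stream whose legal basis still holds; return the names."""
        written = ["analytics_anon"]
        # 1. Anonymized stream: no personal data, so consent withdrawal is irrelevant.
        self.streams["analytics_anon"].append(anonymize(event))
        # 2. In-depth analytics: full record, gated on consent, auto-expiring.
        if self.consent.allows_analytics(event.user_id):
            self.streams["analytics_detail"].append(self._record(event, "analytics_detail"))
            written.append("analytics_detail")
        # 3. Infosec stream: legitimate interest, so written regardless of consent, but it
        #    still expires. Encryption at rest and bucket-side expiry are assumed to be done
        #    by the store (e.g. server-side encryption plus a lifecycle rule matching RETENTION).
        self.streams["infosec"].append(self._record(event, "infosec"))
        written.append("infosec")
        return written

    @staticmethod
    def _record(event: AccessEvent, stream: str) -> dict:
        return {"ts": event.ts.isoformat(), "user_id": event.user_id, "ip": event.ip,
                "path": event.path, "expires_at": event.ts + RETENTION[stream]}

    def purge_expired(self, now: datetime) -> int:
        """Drop every record past its expiry; return how many were removed."""
        removed = 0
        for name, ttl in RETENTION.items():
            if ttl is None:
                continue
            keep = [r for r in self.streams[name] if r["expires_at"] > now]
            removed += len(self.streams[name]) - len(keep)
            self.streams[name] = keep
        return removed


@dataclass
class AccountDeletion:
    """Shadow-delete: the account is hidden at once and hard-deleted after the grace window."""
    user_id: str
    requested_at: datetime
    cancelled: bool = False

    def cancel(self, now: datetime) -> bool:
        """Undo is honoured only inside the communicated grace window."""
        if now - self.requested_at < DELETE_GRACE:
            self.cancelled = True
        return self.cancelled

    def hard_delete_due(self, now: datetime) -> bool:
        return not self.cancelled and now - self.requested_at >= DELETE_GRACE


def demo() -> dict:
    """Constructed scenario: one user logs two hits, withdraws consent in between, then a purge."""
    t0 = datetime(2018, 5, 1, 12, 30, tzinfo=timezone.utc)
    consent, router = ConsentRegistry(), LogRouter(ConsentRegistry())
    router.consent = consent
    first = router.route(AccessEvent(t0, "u1", "203.0.113.5", "/feeds"))
    consent.withdraw("u1")   # from here on, only anonymized and infosec streams are written
    second = router.route(AccessEvent(t0 + timedelta(minutes=1), "u1", "203.0.113.5", "/feeds/42"))
    removed = router.purge_expired(t0 + timedelta(days=14, seconds=1))
    undone, expired = AccountDeletion("u1", t0), AccountDeletion("u2", t0)
    return {
        "first": first, "second": second, "removed": removed,
        "anon_has_ip": any("ip" in r for r in router.streams["analytics_anon"]),
        "detail_left": len(router.streams["analytics_detail"]),
        "infosec_left": len(router.streams["infosec"]),
        "undo_in_window": undone.cancel(t0 + timedelta(hours=23)),
        "hard_delete_after_undo": undone.hard_delete_due(t0 + timedelta(hours=25)),
        "late_undo": expired.cancel(t0 + timedelta(hours=25)),
        "hard_delete_due": expired.hard_delete_due(t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that each stream has its own legal basis and its own clock: the anonymized stream needs neither consent nor expiry because nothing in it identifies anyone, the detailed stream stops receiving a user's events the moment consent is withdrawn and forgets the rest within the stated 14 days, and the infosec stream keeps flowing under legitimate interest but is still time-boxed. The `AccountDeletion` state machine shows the shadow-delete: `cancel` only succeeds inside the 24h window, after which `hard_delete_due` becomes true and the purge job takes over.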
> It's long but the language is far easier than American legalese. The implications depend on your site/service behaviors. An RSS reader is pretty trivial, interactive social media... less so.
Except the GDPR is full of hand-wavy stuff. Who needs a DPO? What is "large scale" in that context? How exactly do you conduct a legitimate interest balancing test? Who is your lead regulator and under what criteria as an American company can you decide?
Also, people have a lot more 3rd party systems than most think. Think transactional mailers, marketing mailers, billing systems, payroll, Zendesk, etc.
And even an RSS reader is scary. What if someone follows a series of blogs about HIV treatments, or internal trade union politics? If that means you could infer the person is poz or is a member of that trade union, you now have heightened scrutiny data in your possession.
GDPR has explicit provisions for all of these legitimate interests (notifications, clients, employees, customers). Most of these services are aware of and planning for GDPR, I wouldn't want to work with any that aren't.
> And even an RSS reader is scary. What if someone follows a series of blogs about HIV treatments, or internal trade union politics? If that means you could infer the person is poz or is a member of that trade union, you now have heightened scrutiny data in your possession.
Right, and I like that! Attempting to derive sensitive information should require consent, transparency, right to rectification, and stringent data handling requirements. It sounds like overkill for an RSS reader, but why the heck does an RSS reader need to do that kind of profiling in the first place? Maybe that's the right level of scrutiny and prior applications were unwarranted?
On the other hand, there are no concerns with simply storing the followed blogs.
> Except the GDPR is full of hand-wavy stuff.
Can't win: legislation is either micromanaged or hand-wavy... it's worth noting that some of the hand-waving is actually business friendly.
I'm not saying these laws are perfect. There is definitely room for improvement, but this is still a consumer win over the pre-GDPR wild west.
3rd party: the fact remains that doing deletions, both as a consent withdrawal and as privacy by design, is extremely complex. Particularly when consent is withdrawn before a LI expires. You can hand wave it away as "GDPR provides for this" -- which isn't at all responsive to what I said -- but it's difficult to do nonetheless.
I never said the RSS reader is profiling. They don't have to be. Does the mere presence of the inescapable user data -- i.e. what feeds they monitor -- create heightened scrutiny, because someone else could infer with that data, were it to be leaked? It well may. I would seriously consider blocking EU users until this is sorted out.
Worse, the RSS reader could offer suggested feeds, and accidentally find themselves in possession of such data, entirely accidentally. Even if users were clearly asked if they wanted to see suggested data, or allow their data to be used to suggest feeds. They may not intend to derive sensitive data to possess it.
Or suppose you have a site like YC, and someone puts "hi, I'm poz" in their description. Tada, sensitive data.
The GDPR should have defined when a DPO is required, what a LI balancing test is, etc. Alternatively, the orgs could have pretended to be competent and issued guidance before -- oh right, they haven't issued final guidance yet. I'm sure 6 weeks is plenty of time.
Thank you for showing me the supposedly trivial guide to understanding GDPR. The only thing that website has shown me is that no globally competitive tech company will ever grow out of the EU for the next hundred years or so.
So? Perhaps one of the facets of the GDPR is the EU’s willingness to accept that fostering “globally competitive tech companies” may not be in the best interests of itself or its citizens.
Meth labs also create products with mass appeal and briefly high-paying jobs. Considering how social media is eroding American political discourse, Europe may be better off in the long run even if GDPR is as bad as you imagine.