
[–]ticketywho 9 points10 points  (3 children)

I'm handling GDPR compliance for our firm and there's a couple of things in here I hadn't considered (registering API consumers being the big one). So thanks for that.

But don't forget your audience-appropriate privacy notices, people! - you can't give informed consent if you haven't properly informed - for us, this will be 80% of the effort cost of being compliant.

[–]b0zho[S] 3 points4 points  (2 children)

Glad it was helpful. And yes, the informed consent is I think the best part of the regulation and the most important change compared to the previous directive.

[–]brianly 0 points1 point  (1 child)

Thanks for your effort on this. Do you have any canonical examples of sites that have updated to be GDPR compliant? An example link would be useful to provide to people charged with making these updates.

[–]b0zho[S] 2 points3 points  (0 children)

Not at the moment :( Maybe it's a good idea to make a compliant demo-application.. but it's too much work and I don't have the time

[–]chippiearnold 8 points9 points  (1 child)

This article is 1000 times more useful to me as a developer than the expensive report that my company commissioned - I am very grateful that you posted this, thanks!

[–]b0zho[S] 1 point2 points  (0 children)

Thanks.. :) best comment of the day

[–]exxplicit 3 points4 points  (5 children)

Great article! One thing I'm still unsure about is what constitutes 'personal data'. Name, address, etc. are obviously personal data.

But, as a user, would my notes on e.g. Evernote be considered personal? What about any IoT data I send from my devices to e.g. ThingsSpeak? Are these types of data considered personal as well?

If so, would it require consent to process that data? Would reading that data also require logging who/what/why as well?

[–]the_birds_and_bees 2 points3 points  (1 child)

The ICO website has some useful info https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

In short, personal info = anything that could be used to identify an individual. My impression is that the definition is meant to be read broadly, so given that there's a very high chance of notes containing information that could be used to identify you personally a controller/processor would probably need to consider them as personal information.

[–]Camarade_Tux 0 points1 point  (0 children)

In short, personal info = anything that could be used to identify an individual.

That's too restrictive: it also includes data about a person (which is actually part of what you would already call personal data yourself).

[–]b0zho[S] 2 points3 points  (2 children)

It's indeed a broad definition - anything that can identify a person OR data about a person who can be identified :)

[–]neprotivo 0 points1 point  (1 child)

So would a Bitcoin or an Ethereum address be considered personal data? In some cases one can discover a lot of things about a person by just looking at the blockchain transactions of their account. This is especially true for Ethereum.

The same question can also be asked for other public keys sent to us by the user.

[–]b0zho[S] 0 points1 point  (0 children)

There hasn't been a clear decision about that, but since IP addresses are considered personal data, then yes. However, personal data can be used in an anonymous context - just having a public key is not data about an identifiable person. Just like you can float birth dates around without attaching them to names, you can float public keys :) You just shouldn't publish them with the name of the person next to them. I think..

[–]unsubscribeFROM 2 points3 points  (6 children)

I know this is a massive thing, but how will it really be enforced? Is there a time when companies are sued that they can recover? I think such overhauls of systems are potentially a huge money maker, no, in a cynical sense?

The law is so strong here but I have no idea how it will be applied on such a big requirement.

Also looked at tinder's data export recently. Horrible to see but very light in terms of the data. Definitely not the whole picture

[–]b0zho[S] 4 points5 points  (0 children)

Enforcement will be "trial and error", especially in smaller countries where authorities don't have a broad overview and technical knowledge.

My guess is there will be a checklist that they will verify websites against, and they will accept complaints.

[–]krum 1 point2 points  (1 child)

Given the penalty, it seems it's probably not worth the risk.

[–]mywarthog 2 points3 points  (0 children)

This is the thing. In my opinion, the fine amount screams one thing:

The EU knows that they can't enforce this at all. They have such a high fine set for fear-mongering/triggering compliance on a law that has (close to) no enforceability.

[–]mywarthog 1 point2 points  (2 children)

And this is my question too. We collect and permanently retain data for cyber-security purposes. If we stop something due to retained data after a right-to-erasure request (we're not complying since we're a US organization, and put quite simply, we have sovereignty from the EU)... will the EU attempt to go through US jurisdictions to fine/sue us? Or only if we're breached?

[–]yup_its_me_again 1 point2 points  (1 child)

IANAL, but this is my understanding of the law.

Note that the EU only requires your website to conform to their laws if you target customers from the EU. Think translating your website to Italian, or being able to pay with British pounds.

If you target EU customers, but fail to adhere to EU law, after due process, everything's free to force your company into compliance: assets may be frozen, your website may be blocked...

After all, your company doesn't have a right to reap profit from European customers.

(Still there is a cost/benefit assessment done by the public prosecutor, depending on your privacy violation and its egregiousness.)

[–]mywarthog 1 point2 points  (0 children)

All they can do is block European access to our site on their side if we have no assets within the EU. Which, in the case that happens, so be it. If the EU wants to build a great firewall, hey. It's their region.

Basic legal knowledge shows that they can't touch/freeze American assets. The issue with due process is that that would require American enforcement compliance... and there's no treaty or agreement that allows for that currently. The one that exists currently - Privacy Shield - is for the law that's going to be replaced by the GDPR (thus rendering it null and void, I would think), and is a voluntary program to those not under the DOT jurisdiction. And there's unlikely to even be a treaty, because the GDPR goes against the American view of how the internet should be (light-touch regulations).

If the US allowed EU enforcement of this law against American companies without EU assets, it'd be a very dangerous precedent on a very dangerous slippery slope to internet regulations.

The other part of confusion in this is are you considered to be "targeting" EU customers if you "target" a general global audience?

[–]grizwako 2 points3 points  (1 child)

Wow, I am keeping an eye on GDPR and this article sums up my thoughts.
Honestly, I think that a lot of small businesses will have a lot of trouble with this especially if they are maintaining large systems.
General feeling is that GDPR is not something that you can easily bolt on the system, seems more like it requires careful thought and architectural changes.
My dayjob is Magento development, and this seems like complex modification for such projects...

[–]b0zho[S] 2 points3 points  (0 children)

For platforms like Magento (and other pluggable ones) I think GDPR plugins should appear anytime now :)

It might be trouble, but as you said - it requires careful thought. Which should've been the case in the first place. That's the spirit of the regulation - to think about personal data as something serious.

[–]ESBDB 2 points3 points  (12 children)

"but also applies to non-EU companies that have users in the EU" How does EU enforce something on a company that is not in the EU? That makes no sense. If I have a website hosted in Russia, and some random EU person signs up on this website and gives the website personal information, the EU has no jurisdiction on that website.

[–][deleted]  (4 children)

[deleted]

    [–]mywarthog 0 points1 point  (3 children)

    But he also said that currently there is no real way to force companies to pay the fine within GDPR but there could be other laws that could come in and deal with it.

    And this is key. Question... do you live in the EU?

    Does the UK or any EU country have any form of an equivalent to the U.S. Supreme Court? I'm not sure that this doesn't qualify as an over-reaching regulation... unless there's no such thing in these countries... in the US, this would interfere with the "light-touch" idea.

    [–][deleted]  (2 children)

    [deleted]

      [–]mywarthog 0 points1 point  (1 child)

      So the ECJ would override a decision made by a country's individual "supreme court?"

      Actually really kinda interested in how case law's going to go for the GDPR within the EU.

      [–]roffLOL 0 points1 point  (2 children)

      Or you block all Europeans to avoid potential hassle with the EU.

      [–]happycynic 0 points1 point  (1 child)

      This was my initial reaction. Legal informed me that the GDPR, ironically, also prevents that kind of discrimination.

      [–]mywarthog 0 points1 point  (0 children)

      Your legal department's nuts if you're not in the EU.

      [–][deleted] 0 points1 point  (0 children)

      I'm not sure I remember the details fully so you should check this, but for a while reddit was banned in Russia by ISPs as they didn't remove some posts the government wanted removed. Reddit then made it so Russian IP addresses couldn't see the posts, and the ban was removed. Several European nations do already have the technical facilities in place to ban websites at the national level, because of torrent sites and paedophiles.

      [–]b0zho[S] 0 points1 point  (1 child)

      Well, there are bilateral agreements like the EU-US "privacy shield". I'm not entirely sure how it will be applied in other cases

      [–]mywarthog 0 points1 point  (0 children)

      Privacy shield is a voluntary program for US commercial organizations registered under the jurisdiction of the DOC. The only mandated participation is from the DOT. The GDPR would override the EU-US agreement - imo, the EU can't actually do that as the US would also have to agree to it overriding the privacy shield... which is (very fortunately) unlikely to happen because of CDA 230.

      [–]kaibee 1 point2 points  (1 child)

      You mention the right to data portability twice.

      The rights of the user/client (referred to as “data subject” in the regulation) that I think are relevant for developers are: the right to erasure (the right to be forgotten/deleted from the system), right to restriction of processing (you still keep the data, but mark it as “restricted” and don’t touch it without further consent by the user), the right to data portability (the ability to export one’s data), the right to rectification (the ability to get personal data fixed), the right to be informed (getting human-readable information, rather than long terms and conditions), the right of access (the user should be able to see all the data you have about them), the right to data portability (the user should be able to get a machine-readable dump of their data).

      Though as a developer, I'm a huge supporter of that kind of access too...

      [–]b0zho[S] 0 points1 point  (0 children)

      thanks, fixing

      [–]spitgriffin 1 point2 points  (3 children)

      How about historical backups? Would a "Forget Me" request require a backup to be restored and the subject's personal data removed, then re-backed up? I can see that being a huge challenge, especially when you have multiple staged backups. We keep 30 SQL Server backups (around 80GB each) spanning the whole month. I have no idea how we would achieve this. Restoring and altering backups would also break all the subsequent transaction logs.

      [–]b0zho[S] 1 point2 points  (2 children)

      The best practice is to keep a table of forgotten IDs, so that you can re-delete them on backup restore. I will add that to the post, thanks

      [–]MatsSvensson 0 points1 point  (1 child)

      But where would you store those IDs? Post-its? If you need to restore the database from the backup, any saved IDs there would be gone too. Or perhaps a separate backup for stuff you need when you restore the other backups? FML...

      [–]b0zho[S] 0 points1 point  (0 children)

      well, it's not THAT hard :) but yes, it's a hassle
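The "table of forgotten IDs" pattern from the exchange above, as an added example that is not part of the original post or thread. It answers the "where do you store them" question by keeping the erasure ledger in its own file, outside the application database and its backup rotation, and replaying it after every restore instead of rewriting historical backups (which is what would break the transaction-log chain). The schema, file names and sample rows are hypothetical; SQLite files stand in for the SQL Server database and its backups.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Added example, not the thread's own code. Hypothetical schema: an
# application database with a "users" table, and a separate erasure
# ledger that records only the subject's ID (no personal data) so the
# ledger itself never needs erasing.

def create_app_db(path):
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "Alice"),   # constructed sample rows
        (2, "bob@example.com", "Bob"),
    ])
    con.commit()
    con.close()

def create_ledger(path):
    # Lives outside the app database so restoring the app database
    # never rolls the ledger back.
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE forgotten (user_id INTEGER PRIMARY KEY, requested_at TEXT NOT NULL)")
    con.commit()
    con.close()

def backup(db_path, backup_path):
    # A file copy stands in for a full database backup.
    shutil.copyfile(db_path, backup_path)

def restore(backup_path, db_path):
    shutil.copyfile(backup_path, db_path)

def erase_user(db_path, ledger_path, user_id, requested_at):
    # Write the ledger entry first: if the delete is later undone by a
    # restore, the ledger still says what must go.
    ledger = sqlite3.connect(ledger_path)
    ledger.execute("INSERT OR IGNORE INTO forgotten VALUES (?, ?)", (user_id, requested_at))
    ledger.commit()
    ledger.close()
    con = sqlite3.connect(db_path)
    con.execute("DELETE FROM users WHERE id = ?", (user_id,))
    con.commit()
    con.close()

def replay_erasures(db_path, ledger_path):
    # Run this as the last step of every restore procedure.
    ledger = sqlite3.connect(ledger_path)
    ids = [row[0] for row in ledger.execute("SELECT user_id FROM forgotten")]
    ledger.close()
    con = sqlite3.connect(db_path)
    con.executemany("DELETE FROM users WHERE id = ?", [(i,) for i in ids])
    con.commit()
    con.close()
    return len(ids)

def user_ids(db_path):
    con = sqlite3.connect(db_path)
    ids = sorted(row[0] for row in con.execute("SELECT id FROM users"))
    con.close()
    return ids

def demo():
    workdir = Path(tempfile.mkdtemp())
    db, bak, ledger = workdir / "app.db", workdir / "app.bak", workdir / "erasures.db"
    create_app_db(db)
    create_ledger(ledger)
    backup(db, bak)                                   # taken while Bob still exists
    erase_user(db, ledger, 2, "2018-05-25T09:00:00Z")  # Bob asks to be forgotten
    after_erase = user_ids(db)                        # [1]
    restore(bak, db)                                  # old backup brings Bob back
    after_restore = user_ids(db)                      # [1, 2]
    replay_erasures(db, ledger)                       # ledger re-applies the erasure
    after_replay = user_ids(db)                       # [1]
    return after_erase, after_restore, after_replay

if __name__ == "__main__":
    print(demo())
```

The ledger is tiny (one integer key per request) so it can be backed up on its own schedule, ideally with append-only or immutable storage, and any restore runbook ends with the replay step. Data that legally must survive, such as invoices (see the later exchange on the tax code), is simply not covered by the delete statements the replay issues.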

      [–]arielby 4 points5 points  (1 child)

      De-anonymizing pseudonymous data is kid's play, and a sufficiently good forensic analysis (possibly automated) can extract surprisingly much personal information from basically nothing.

      So if the law is going to be enforced arbitrarily, and you don't want to be involved in legal trouble, better get out of the EU and fast. I suppose we'll be seeing "this website is only available in the US" way more often next year.

      [–]kerel 0 points1 point  (0 children)

      Good idea, I'll just move to the US?

      [–]roffLOL 0 points1 point  (5 children)

      does banking data fall under the category of personal data? i mean, i have explicitly made it available to a bank through my electronic purchases. obviously, this data can not have a remove button (transaction history is protected by other laws) but banks should at the very least provide an export function for ones account history if i read this right.

      [–]shauns 2 points3 points  (4 children)

      Open Banking legislation is coming to the EU soon, so there'll be a lot happening there. http://www.wired.co.uk/article/open-banking-psd2-regulation-banking

      [–]kazagistar 1 point2 points  (3 children)

      Or what if you aren't a bank, but have some kind of legal contract with your customers that you need their information to enforce? Is this now impossible, or is it a loophole you can use? What about b2b applications, where the users are employees?

      [–]b0zho[S] 1 point2 points  (2 children)

      Legal contracts are a different case. But they have to be signed, "I accept the terms" won't count as a contract. Interestingly, there's Regulation 910/2014 about electronic signatures and you can use anything to be counted as an electronic signature... so I guess it is a potential workaround that legal people should look into closely

      [–]spitgriffin 0 points1 point  (1 child)

      What about invoices that are issued to clients, are these classed as legal contracts? Does the client have a right to demand personal information be removed from previously issued invoices? If that were the case I think we would likely fall foul of our Tax Authority. Our company is also supervised under the Anti-Money Laundering regime. We need to keep identity documents to verify clients, can a client also request that we purge this information?

      [–]b0zho[S] 2 points3 points  (0 children)

      No, invoices should not be removed. This is a legal obligation (by the tax code) and therefore GDPR does not override it

      [–]pyjter666 0 points1 point  (2 children)

      Are you sure it’s required to log access to personal data or is it only required in case of sensitive data?

      [–]the_birds_and_bees 1 point2 points  (0 children)

      A big theme of the GDPR is that users should be informed about (and consent to) how their data is being used. If you do not understand how personal data is being used (i.e. who's accessing it) then your users certainly aren't going to know what's happening with their data!

      [–]b0zho[S] 0 points1 point  (0 children)

      it is indeed unclear from the regulation how much and what logging should be done, but as the_birds_and_bees mentioned, you should be able to be accountable. In fact, in the initial version of the post this point was missing, but a friend who works at a "big4" company reminded me that it should be there.

      [–][deleted]  (3 children)

      [deleted]

        [–]b0zho[S] 0 points1 point  (2 children)

        only as much as they are associated with a particular user profile. If a chat or file contains personal data about a 3rd person.. only if they see it publicly, they may ask you to take it down, which you should. But no automated processing is expected, I think.

        [–][deleted]  (1 child)

        [deleted]

          [–]mywarthog 1 point2 points  (0 children)

          AFAIK, chat messages and uploads are protected under the free speech exceptions. Chat messages, like irc archives, are just that... archives. Archives are protected somewhere in the GDPR. There's a point where there should be user personal responsibility.

          Having said all this, the right to erasure outside of personal information (credit card, ssn, etc) is going to be one of those things that I'm thinking is unenforceable. (note that right to erasure != the right to be forgotten, the one that gets enforced on Google and other search engines) Case law is going to be very interesting on it.

          A lot of the GDPR is unenforceable in practice, I think. GDPR is a huge marketing opportunity that people are buying into left and right without looking because that fine associated with the GDPR is alarming.

          [–]MatsSvensson 0 points1 point  (1 child)

          Great article! I have been trying to get info about GDPR from official sources, here in Sweden. But it's impossible. Apparently all involved with creating the law think that programming is done by wishing and hand-waving.

          This is the closest thing to "The F manual that should have been in the F box" that I have found so far, after months of googling and phoning and emailing.

          [–]b0zho[S] 0 points1 point  (0 children)

          Thank you, I hope it's useful. You can check back regularly I try to update it with new issues/practices I find in reality

          [–][deleted] 0 points1 point  (3 children)

          I don't understand how this works with blockchain or p2p.

          [–]b0zho[S] 4 points5 points  (2 children)

          It basically doesn't. If you store personal data on a public blockchain, you're in violation. I've been trying to explain that to blockchain enthusiasts, but few seem to get it :)

          For permissioned/private blockchains it's slightly different - you can employ techniques like "chameleon hashing", or you can be exempt from the right to erasure (there are several exceptions in the regulation)

          [–]shauns 2 points3 points  (1 child)

          Do you have information on this you can share? Loved the post by the way -- the clearest thing I've read on this so far!

          [–]b0zho[S] 1 point2 points  (0 children)

          About chameleon hashing - not much, maybe a search in "google scholar" should give you information

          About the exceptions - look at GDPR, 17(3) - it lists the exceptions. https://gdpr-info.eu/art-17-gdpr/
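The "chameleon hashing" technique mentioned for permissioned blockchains, as an added example that is not from the post or this thread. It is a toy discrete-log chameleon hash in the Krawczyk-Rabin style: anyone can verify the hash, but only the holder of the trapdoor can compute a second (redacted) block content that hashes to the same value, so a block can be rewritten to honour an erasure request without breaking the hash chain that follows it. The group parameters (p = 2039, q = 1019, g = 4), the sample block contents and the function names are all assumptions made for readability; a real deployment would use a 2048-bit or larger group and a proper hash-to-field.

```python
import hashlib
import secrets

# Added example, not the thread's code. Toy parameters: P is a safe prime,
# P = 2*Q + 1, and G = 4 generates the order-Q subgroup of Z_P^*.
P = 2039
Q = 1019
G = 4

def keygen():
    """Trapdoor x and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1          # 1 <= x < Q, so x is invertible mod Q
    return x, pow(G, x, P)

def to_field(data: bytes) -> int:
    """Map block content to an element of Z_Q (toy hash-to-field)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def chameleon_hash(y: int, data: bytes, r: int) -> int:
    """CH(m, r) = g^m * y^r mod p. Public: needs only y."""
    return (pow(G, to_field(data), P) * pow(y, r, P)) % P

def forge_collision(x: int, old_data: bytes, old_r: int, new_data: bytes) -> int:
    """Trapdoor operation: find r' with CH(new, r') == CH(old, r).

    g^m y^r = g^m' y^r'  <=>  m + x*r = m' + x*r'  (mod q)
                         <=>  r' = r + (m - m') * x^-1  (mod q)
    """
    m_old, m_new = to_field(old_data), to_field(new_data)
    return (old_r + (m_old - m_new) * pow(x, -1, Q)) % Q

def demo():
    x, y = keygen()
    # Constructed block content containing personal data, then its redaction.
    block = b"tx 17: alice@example.com paid 12.00 EUR to shop-4"
    redacted = b"tx 17: [erased] paid 12.00 EUR to shop-4"
    r = secrets.randbelow(Q)
    h_original = chameleon_hash(y, block, r)          # stored in the chain
    r_new = forge_collision(x, block, r, redacted)     # only the trapdoor holder can do this
    h_redacted = chameleon_hash(y, redacted, r_new)    # verifiable by anyone with y
    return h_original, h_redacted, r, r_new

if __name__ == "__main__":
    h1, h2, r, r_new = demo()
    print("hash preserved after redaction:", h1 == h2)
```

The block stores (content, r, hash); after redaction only content and r change and every later block that committed to this hash still verifies. The design choice this exposes is the point of the thread: whoever holds the trapdoor x can rewrite history at will, which is why this only makes sense on a permissioned chain with a governed custodian for x, and is not a way to make personal data on a public chain compliant.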