General Data Protection Regulation
May 25, 2018 5:53 AM   Subscribe

The EU's General Data Protection Regulation has gone live today. Some American newspapers have decided that it's easier to block European users than comply. Having had two years to prepare, they say that they continue to identify technical compliance solutions that will provide all readers with our award-winning journalism. What is the goal of the GDPR, and what impact will it have?

No-one's ready for the GDPR:
“For many years it’s been, ‘How much data can we trick people into giving us?’ and ‘We’ll figure out how to use it later!’ That is not going to be an acceptable way to operate anymore under GDPR,” says Straight.

“There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place,’” Straight says. “I’m kind of like, ‘Yeah, that’s sort of the point.’”
What it’s like to use the web in Europe after the arrival of GDPR:
The penalty for breaking the law can run up to 4% of global revenue, which would be a significant sum for advertising-funded firms like Google and Facebook. In fact, the first GDPR-based lawsuits have already been filed against both tech giants, arguing that the consent they require from customers to continue using their services is not “freely given.”
What the GDPR means for Facebook, the EU and you:
In his testimony during a joint hearing of the Senate's Judiciary and Commerce Committees on April 10, Zuckerberg stated his support "in principle" for a GDPR-like opt-in standard for users before they give up their data -- but he didn't commit, adding "details matter." (Zuckerberg's notes, which he left open during a short break, included a warning: "Don't say we already do what GDPR requires.")
posted by clawsoon (128 comments total) 48 users marked this as a favorite
 
(Apologies in advance if any of these links are unreachable in the EU.)
posted by clawsoon at 5:55 AM on May 25 [9 favorites]


lol of course TRONC is one of the sites unwilling to get its act together for GDPR. honestly, the current model for US journalism is so advertising-dependent, and advertising is so dependent on data-harvesting, that i don't imagine these sites will ever be able to meet GDPR standards while still clinging to profitability.
posted by halation at 6:02 AM on May 25 [6 favorites]


Related discussions have come up on Hackernews, and many believe that blocking users merely prevents additional infractions. It doesn't mitigate the fact that you're still storing the data from users that have not consented to their data being stored.
posted by Jpfed at 6:03 AM on May 25 [15 favorites]


I wonder what this means for metafilter comment history.
posted by nikaspark at 6:03 AM on May 25 [10 favorites]


Oh, and a deliciously ironic link that I didn't see the first time around: Most of the emails being sent to EU users asking to renew consent are either unnecessary or illegal:
What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”
posted by clawsoon at 6:06 AM on May 25 [39 favorites]


It’s been great recently to get a long series of emails saying that because of GDPR, if I don’t positively opt in they’re going to have to stop sending me streams of promotional crap. Some of them sent staged emails beginning with ‘Hey, let’s stay friends’ and gradually moving on to desperate whining and begging.

The only one I’ve said ‘yes’ to is Fuller’s brewery, who sent me a voucher for a free pint in gratitude.
posted by Segundus at 6:11 AM on May 25 [37 favorites]


It's been interesting to get GDPR emails from every web service I've ever signed up for over the last few weeks. It's like calling your exes to tell them you have an STD, only they're calling you? Need to workshop this.
posted by Cash4Lead at 6:12 AM on May 25 [42 favorites]


nikaspark: I wonder what this means for metafilter comment history.

Not to mention the infodump.
posted by clawsoon at 6:15 AM on May 25 [3 favorites]


Seems like a giant ass-covering action, to irritate for a few weeks and then go away like a bad rash. I'm not clicking on 99.9% of the emails I'm getting and am in no way optimistic that this will lead to me being removed from those mailing lists. It seems viable & fair to increase the robustness of the opt-in going forward, but this effort to reverse-engineer marks on to/off of spam lists is doomed to not really work as advertised.
posted by chavenet at 6:16 AM on May 25 [1 favorite]




One particular website has sent me at least one email a day over the last five days, each one begging me to opt in. A more counterproductive strategy I have never seen.
posted by inconstant at 6:22 AM on May 25 [11 favorites]


Apologies in advance if any of these links are unreachable in the EU.

I've found myself unable to read stories on Tucson newspaper sites and the like today, thanks to geoblocking. Googling "tunneling site" did the trick.
posted by rory at 6:27 AM on May 25


Medium sent me the GDPR verbiage by e-mail, which was odd 'cos I never signed up with them. When I queried them, I got the reply "Your Medium account has been deleted. We're sorry to see you go, and wish you well on your travels! "
posted by scruss at 6:28 AM on May 25 [4 favorites]




What I don't understand is why the LA Times are (and they are) blocking european users while sites like the NYT continue as before, while other sites (say CNN or the Verge) show cards that ask you to accept their cookie policy - and BTW hey, we've got a new privacy policy that goes along, check it out? Do they do different things with user data? Do they have more careful lawyers, what?
posted by talos at 6:40 AM on May 25




goddammit the ONE PLACE i haven't read anything about GDPR and it had to show up HERE

(signed, an infosec person)
posted by XtinaS at 6:46 AM on May 25 [24 favorites]


The first complaints have already been filed about accept-our-terms-or-no-access consent policies. The European Data Protection Supervisor has suggested that take-it-or-leave-it terms are "blackmail".
posted by clawsoon at 6:46 AM on May 25 [15 favorites]


The past month has been a parade of odd messages much from organizations I've never heard of. So... I guess they had my email address, and who knows what else?
posted by lagomorphius at 6:52 AM on May 25 [5 favorites]


There are at least two or three video games that have been forced to shut down by GDPR, which is one of those things that really gives me pause. Like, what the fuck were those games doing?
posted by tobascodagama at 6:55 AM on May 25 [28 favorites]


I guess I shouldn't be surprised that given two years to prepare, most companies did nothing.
posted by jcreigh at 6:56 AM on May 25 [30 favorites]


I am annoyed because I can’t work out how to cancel my now useless subscription to the LA times thanks to their go away Europeans page.
posted by lesbiassparrow at 6:58 AM on May 25 [11 favorites]


“There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place,’” Straight says. “I’m kind of like, ‘Yeah, that’s sort of the point.’”

The assumption that people will read your privacy policy seems rather pessimistic on the part of these companies.
posted by Going To Maine at 6:59 AM on May 25 [5 favorites]


If someone in the EU uses a VPN to access a site that does not have adequate data protections and then their data is hacked, do they have standing to file a complaint? I'm not advocating this, but I'm curious if this could have further implications beyond simple blocking or alterting data caching by websites. Also, does this apply to EU citizens outside of the EU? If someone from France visits LA, looks up the LA Times on their hotel wifi and then heads back to Europe, can they file a complaint?
posted by Hactar at 6:59 AM on May 25 [4 favorites]


I've had a couple of those geolocked news articles come up recently. I, like Hactar, wonder what would happen if I used a VPN then started throwing GDPR around. I guess I have to understand it better, first.
posted by Leon at 7:10 AM on May 25


If someone in the EU uses a VPN to access a site that does not have adequate data protections and then their data is hacked, do they have standing to file a complaint?

Yep! Legal and infosec types have been pointing out that geoblocking does nothing to absolve non-EU sites of their duty of care for the EU citizens' data that they hold, so it's pretty pointless.
posted by rory at 7:11 AM on May 25 [21 favorites]


I, like Hactar, wonder what would happen if I used a VPN then started throwing GDPR around.

I had no qualms about tunneling to Tucson just to read a news article. I'm already blocking cookies, and the tunneling site itself obscures my origins, so they won't be getting much data from this data subject.
posted by rory at 7:16 AM on May 25


don't forget the GDPR jokes
posted by BungaDunga at 7:17 AM on May 25 [3 favorites]


Check this out: http://eu.usatoday.com: It's like what the Internet could be without so much data harvesting!

Anyway, I heard a panel of five Irish GDPR specialists back in March who happened to be in the U.S. for something else, and who the organizers of a conference grabbed and pressed into service. One of them pointed out that getting compliant would probably help a lot of businesses who accumulate extra data out of sheer habit: don't collect it in the first place, and you don't have to pay to store & process it, and you can't lose it in a breach. Even though he was a consultant selling engagements to do this stuff, it struck me as actually pretty sensible.
posted by wenestvedt at 7:19 AM on May 25 [13 favorites]


#GDPR is a gold mine
posted by BungaDunga at 7:19 AM on May 25 [2 favorites]


Check this out: http://eu.usatoday.com: It's like what the Internet could be without so much data harvesting!

Helpfully redirected back to //usatoday.com for this American. So kind of them to know I wanted them to keep my data!
posted by BungaDunga at 7:21 AM on May 25 [5 favorites]


It didn't when I tried it earlier (here in thegood ol' U.-S.-of-A.). Hunh.
posted by wenestvedt at 7:24 AM on May 25


I'm surprised some of these smaller sites even bothered to do anything; with no nexus in Europe can't they simply ignore any GDPR complaint/judgement? The US is pretty unlikely to enforce a European ruling these days...

I mean, sure, Google had to, they have substantial operations in Europe, but some of these sites I've never even heard of?
posted by aramaic at 7:28 AM on May 25 [2 favorites]


don't forget the GDPR jokes

Zero Wing updated to be GDPR compliant
posted by Jpfed at 7:29 AM on May 25 [6 favorites]


As a former data protection professional, it is very nice to have reached the day when I can truly say that no, I can't just answer your quick data protection question. HAHA. I shall drink to DPA1998's demise later.
posted by threetwentytwo at 7:34 AM on May 25 [5 favorites]


Check this out: http://eu.usatoday.com: It's like what the Internet could be without so much data harvesting!

Helpfully redirected back to //usatoday.com for this American. So kind of them to know I wanted them to keep my data!


Looked at both using VPNs.

The USA site according to ScriptSafe has 21 trackers, 10 of which it blocked automatically. Privacy Badger blocked 6 cookies.

The EU site had 0 trackers and 0 blocked cookies.
posted by vacapinta at 7:34 AM on May 25 [30 favorites]


Rather intriguingly, Twitter forced my Firefox browser entry to their site to go mobile only while Chrome/Opera still allow the original webversion
posted by infini at 7:37 AM on May 25


There are at least two or three video games that have been forced to shut down by GDPR, which is one of those things that really gives me pause. Like, what the fuck were those games doing?

Not justifying the expense of the re-engineering to be compliant, from what I understand. Most of them are games that were essentially free to run but not getting updates.
posted by Merus at 7:43 AM on May 25 [3 favorites]


Actually, I do know one thing about the new GDPR, which is that the subject access regime is going to be a HUGE headache for Data Protection Officers. 28 days instead of 40, no fees, verbal requests made to any employee.... dear me.
posted by threetwentytwo at 7:44 AM on May 25


Yeah, from a software engineer perspective it's been pretty annoying seeing all the "so what is this GDPR thing anyway?" articles in the last few days. I barely had to do anything myself but it would have been impossible to avoid learning about it, as it's taken over the lives of many of my colleagues for months.

That said, I'm super curious what mefi has done for it. If nobody posts a meta I'll do it the next time I'm not on mobile.
posted by potrzebie at 7:50 AM on May 25 [2 favorites]


GDPR Hall of Shame is a blog collecting stories and screencaps of various compliance assholery, including "we're shutting off the accounts of all our [identified] European users" and "oh hey oops we accidentally sent out that privacy notice update in an email titled 'Order Confirmation'" along with the now-common "we've temporarily suspended your account while we figure out how to comply with GDPR."
posted by ErisLordFreedom at 7:51 AM on May 25 [5 favorites]


One of them pointed out that getting compliant would probably help a lot of businesses who accumulate extra data out of sheer habit: don't collect it in the first place, and you don't have to pay to store & process it, and you can't lose it in a breach. Even though he was a consultant selling engagements to do this stuff, it struck me as actually pretty sensible.

From the Verge link:
an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR,
This kind of jibes with experience so far. We're not a web-based company so discussions have included things not too different than this. I was figuring we were just being bureaucratic and dumb in our reviews but that seems to be the literal meaning of the rule?

Consultants, who make money off of implementing these solutions and aren't liable for non-compliance, of course like these regulations and say things like yours did. I'd bet they aren't strictly in 100% compliance either.
Because much of GDPR is ambiguous, how it will work in practice is up to what regulators do with it.
Given the situation and broadness I'm pretty sympathetic to companies that decide not to deal with it by just shutting down. Admittedly those *are* probably exactly who should be changing their practices and things need to get better. But this open-ended mandate is always so frustrating.

verbal requests made to any employee

Seriously?

I'm picturing various paths at large companies that end with a request for privacy leading to an e-mail with to 100,000 employees saying if you have any information about John Smith's case of herpes in your personal files, please delete it.
posted by mark k at 8:00 AM on May 25 [4 favorites]


"I wonder what this means for metafilter comment history."

I emailed the staff here a few hours ago about GDPR.
Part of my question was this:
"As I understand it you could leave the posts/comments but just delete the actual user data? "

The reply I got was "That's right, we wouldn't normally delete the posts and comments. I'm not aware that this is about to change, however we're still reviewing what GDPR means for Metafilter."

So comments stay. It's your name / IP / email address / profile which I assume would be nuked.
posted by episodic at 8:06 AM on May 25 [2 favorites]


Many people somewhat (and sometimes deeply) familiar with GDPR speculate that these laws will detrimentally affect businesses small, medium, and large for any retention of EU citizen data and that penalties will be levied with little regard to corporate intent.

While no one can accurately predict future enforcement of the EU and its member states, one thing to keep in mind is that the EU and its member states enforce legislation according to a protocol that is more principles-based than rules-based. In the US, enforcement is often rules-based and so often produces rulings and judgements that penalize and exculpate individuals and corporations based on technicalities. As a result of rules-based enforcement in the US, people often develop justifiably cynical and defeatist attitudes regarding the effects of even well-intentioned legislation in the US.

The case is often different in the EU and its member states (including, for now, the UK).

A useful gloss regarding GDPR and the EU's subscription to/adherence of principles-based legislation and enforcement was written up by user meredydd on Hacker News, which I quote in full here:
I think you and everyone making similar points in this thread are getting tripped up by the difference between rules-based regulation and principles-based regulation. This is unsurprising, given that the US is so heavily rules-based, but the EU (certainly the UK) has a long history of principles-based regulation.

In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some lattitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).

An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).

A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)

You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.
posted by mistersquid at 8:08 AM on May 25 [43 favorites]


Just been to a workshop and a few people were complaining about all the GDPR emails. My general feeling has been pleasure at recognising each generator of spam that I will hopefully never hear from again.
posted by biffa at 8:38 AM on May 25 [5 favorites]


I work support for a domain registar and GDPR is definitely something we've been aware of for the last couple of months. Not only is it impacting the way that WHOIS information and privacy are handled. It's impacting how we communicate in our office.

We use Slack as a support tool. You call in, I have my training and my resources and my knowledge base. When there are things that I need clarification on, I post in "Open Chat" a common thread where we can all ask questions and answers and provide feedback to group-think and problem solve/trouble shoot issues.

If a question is about a specific account or issue, we have to post it in our email ticketing system as an internal note and then share that ticket number in Slack. Our seniors then see our vague questions in slack with the linked internal ticket #. They go there to see the actual account and issue, then they respond in a vague way back in slack or post another internal note in our email ticketing system.

We're adapting but it's definitely impacting things at the moment and leading to increased call volumes and it's just generally slower in getting an answer to a specific question. It's getting better, but it's just something we're having to wrap our brains around.
posted by Fizz at 8:41 AM on May 25 [1 favorite]


This thread is teaching me that many people have subscribed to a lot of emails in the past.
posted by Going To Maine at 8:42 AM on May 25 [2 favorites]


Or else maybe I'm confused? The only emails asking me to not unsubscribe are things that I remember signing up for. So maybe I am just being exposed to usage habits outside of my particular niche.
posted by Going To Maine at 8:45 AM on May 25 [1 favorite]


This thread is teaching me that many people have subscribed to a lot of emails in the past.
What it should be teaching you is that many websites autosubscribe people to email lists just for creating an account or buying one item.
posted by inconstant at 8:45 AM on May 25 [42 favorites]


potrzebie: That said, I'm super curious what mefi has done for it. If nobody posts a meta I'll do it the next time I'm not on mobile.

MetaTalk thread
posted by clawsoon at 8:47 AM on May 25 [2 favorites]


What it should be teaching you is that many websites autosubscribe people to email lists just for creating an account or buying one item.

I mean, what it's really teaching me is that other peoples' expected norms are fundamentally different from my own, which is fine too.
posted by Going To Maine at 8:56 AM on May 25 [2 favorites]


Every site autosubscribes you when you buy a thing. You opt out with the first spam email. You buy another thing. This new interaction allows them to sign you back up, every single time. The worst part is that you're specifically buying from these smaller sites in order to avoid giving business to amazon, and now you end up with 100x the amount of junk mail than you would if you'd just bought everything from amazon.
posted by poffin boffin at 9:04 AM on May 25 [10 favorites]


This thread is teaching me that many people have subscribed to a lot of emails in the past.

I have been subscribed to a lot of email lists, not least because subscribing to an email list rarely involves any more verification that I, personally, want email delivered to that address than "is this an email address". I got on earlyish with a gmail address that I no longer use for much of anything but which is very, very easy for someone to "invent" while filling out a form, so I get even more random subscription bullshit than the average webgoing person, even though I've probably subscribed to all of four lists on purpose in my life and try to avoid providing an email to a web vendor whenever not strictly necessary.
posted by cortex at 9:04 AM on May 25 [2 favorites]


And these are specifically sites that have a ticky box on the order page saying "Yes! I want to receive garbage spam from this site always!" and it's autofilled for you, and even if you unmark the box, you still get spam, because of reasons.
posted by poffin boffin at 9:05 AM on May 25 [9 favorites]


I had no qualms about tunneling to Tucson just to read a news article.

"Looks like I took a wrong toin at Al-buh-koi-kee!" /bugs bunny
posted by notsnot at 9:08 AM on May 25 [8 favorites]


What it should be teaching you is that many websites autosubscribe people to email lists just for creating an account or buying one item.

Or if you bought an item from some completely different shop that shared its user info, or some other damn thing.

I've gotten several "we're updating our privacy policy" emails from companies I have never, and would never, do business with. There were a few more that have been spamming me once per month and who have an unsubscribe option I can't use because I don't actually have an account with them.
posted by Foosnark at 9:08 AM on May 25 [10 favorites]


I mean, what it's really teaching me is that other peoples' expected norms are fundamentally different from my own, which is fine too.

Indeed. I didn't know that I was supposed to get angry at getting legitimate emails from a place I did business with, because since I did business with them I might not mind knowing what they're up to, and I have the option of unsubscribing if I don't want them. At least we're saving trees.
posted by Melismata at 9:13 AM on May 25 [5 favorites]


Microsoft is the largest corporation I've heard doing this and I'd love to hear about other companies doing this: they decided to expand GDPR protection to users worldwide as well as the US. (src)

Microsoft GDPR center
posted by fragmede at 9:14 AM on May 25 [5 favorites]


I've tried multiple times to unsubscribe from PhysicsWorld, another site whose emails I never actively subscribed to in the first place, and I still get emails from them despite the unsubscription attempts. I'm not even a physicist! Go away!
posted by inconstant at 9:15 AM on May 25 [5 favorites]


The other one that comes to mind is Mozilla, authors of Firefox who claim they've been GDPR compliant since they were founded, long before GDPR was even passed.
posted by fragmede at 9:17 AM on May 25 [5 favorites]


There are at least two or three video games that have been forced to shut down by GDPR, which is one of those things that really gives me pause. Like, what the fuck were those games doing?

Making money collecting information and selling it to anyone and everyone. That's still profitable. Games are a dime a dozen.

You have all these newspapers also shut down in Europe -- and you know they are doing the same thing because that's still their only revenue stream left -- and then they rant about Facebook and Google doing the same thing.

This new law is really making it plain that there a very dark business going on that, should it be exposed, would cause serious problems, let alone a scandal.
posted by Alexandra Kitty at 9:25 AM on May 25 [7 favorites]


While we're all rightfully celebrating GDPR day, don't forget this is the neoliberal dystopia timeline, and true to form, EU trolls are busy working on GDPR's evil cousin: copyright reform, now with upload censorship and hyperlink taxes!
posted by Bangaioh at 9:40 AM on May 25 [10 favorites]


This thread is teaching me that many people have subscribed to a lot of emails in the past.

I have one of those first initial/last name email combos, so not only have I been getting emails for every single thing *I've* signed up for, I've gotten emails for all the things others have signed up for using my email address - which is a lot. (The amount of personal information I have about other people is truly scary.*) And oh, what a joy that's been, all this week and last to receive all these goddamn emails and have to do something with them.

*There's a fireman in New York that I kind of want to have a talk with because I know exactly which ones are his and Dude - get help but after you fix your cable bill email address.
posted by barchan at 9:44 AM on May 25 [9 favorites]


Barchan, you have my partner's sympathies. One of his American namesakes is signed up to every alt-Right mailing list going and because they hand round data like sweets, he's ended up on every sort of anti-Vaxx, conspiracy, NRA and MRA list possible. It was sort of fun for a while, before it became completely unmanageable.
posted by threetwentytwo at 9:52 AM on May 25 [6 favorites]


I received an email from a Nigerian prince this week. He had no big fortune for me, but wanted my permission to keep me updated on that.
posted by DreamerFi at 10:12 AM on May 25 [24 favorites]


Bonus compliance issue that the "no service in the EU" companies aren't dealing with: The law is about European citizens' rights, not European IP addresses. A European citizen living in the US has the same data rights that they do in Europe.

It seems likely that it also applies to residents in Europe who aren't citizens, but the point is, "we block contact from European IP addresses" does not make them compliant. They have to allow European citizens to control their data, no matter where they reside or what internet service they're using.
posted by ErisLordFreedom at 10:24 AM on May 25 [17 favorites]


As an American, I can confirm I received only one email that was "we're going GDPR compliant for everyone, please opt in" instead of "happy GDPR, here's a link to our updated privacy policy" (got dozens of the latter). Sounds like a lot of companies would rather keep their shady collection practices in place instead of the legally simpler GDPR-for-everyone approach.
posted by mosst at 10:44 AM on May 25 [3 favorites]


So I’ve been living and breathing GDPR for the past several months as my company is a data processor with clients all over the world. I ended up inheriting our compliance package that we offer to our clients and have been going the rounds with several of them for weeks now, helping them figure out how to catalog their data, create SOPs to delete or anonymize data, create security policies, etc.

The big plus for my clients is that they are in an industry that is already regulated and they all already have explicit consent processes. And the data they process through my company is (generally) very easy find and provide reasonable justifications for having in the first place under GDPR.

The biggest takeaway for me has been, as others already said, this is a principles-based regulation. When my clients ask me for the “definitive list” of dos and don’ts I always tell them: THERE IS NO LIST. YOU HAVE TO LOOK AT EVERY PIECE OF DATA TIED TO A PERSON, HAVE A VALID, DEFENSIBLE REASON FOR HAVING IT, AND TRANSPARENT, CONSISTENT WAYS FOR PROVIDING BACK TO THE AFFECTED PERSON AND EXPUNGING FROM YOUR SYSTEM IF THEY NO LONGER CONSENT TO YOU HAVING IT.*

It’s simple in principle but difficult in practice.

*IANAL/IANYL, also I am not a DPO/I am not your DPO
posted by Doleful Creature at 11:06 AM on May 25 [17 favorites]


There are at least two or three video games that have been forced to shut down by GDPR, which is one of those things that really gives me pause. Like, what the fuck were those games doing?

Ever heard of Evony?
posted by Quackles at 11:06 AM on May 25


I work in ecommerce services and the higher-ups totally dropped the ball on this (despite us asking constantly, where is our roadmap for GDPR? we need a solution!) and for the last week the support frontline has been nothing but "What's your plan for GDPR" messages from freaked out customers. Apparently our plan is like everyone else's: update the privacy policy and hope that's enough. *sigh*
posted by dis_integration at 11:28 AM on May 25 [3 favorites]


THERE IS NO LIST. YOU HAVE TO LOOK AT EVERY PIECE OF DATA TIED TO A PERSON, HAVE A VALID, DEFENSIBLE REASON FOR HAVING IT, AND TRANSPARENT, CONSISTENT WAYS FOR PROVIDING BACK TO THE AFFECTED PERSON AND EXPUNGING FROM YOUR SYSTEM IF THEY NO LONGER CONSENT TO YOU HAVING IT.*

That is so ridiculous and maddening.

I mean I get it, I support it, but really the answer here is to create zero-data systems and use things like JWT and JWE to create huge state tables on client machines and store nothing ever at all on your data systems and when someone want to be forgotten they just revoke their client token and all the data goes *poof*.
posted by nikaspark at 11:36 AM on May 25 [3 favorites]


I’ve seen a few of the sites blocking EU access also changing their terms of service, essentially to say “we won’t provide services to EU citizens or residents, you’re not welcome here, go away”.

I’m curious to know whether that covers them, or whether it’s just hopeful handwaving.
posted by fencerjimmy at 12:15 PM on May 25


THERE IS NO LIST. YOU HAVE TO LOOK AT EVERY PIECE OF DATA TIED TO A PERSON, HAVE A VALID, DEFENSIBLE REASON FOR HAVING IT, AND TRANSPARENT, CONSISTENT WAYS FOR PROVIDING BACK TO THE AFFECTED PERSON AND EXPUNGING FROM YOUR SYSTEM IF THEY NO LONGER CONSENT TO YOU HAVING IT.*
That is so ridiculous and maddening.

Not at all. It's just American laziness and unwilllingness to do anything that doesn't directly contribute to share prices that makes this complicated. It just means that you can no longer just gobble up all data that you can get from your customers/users, have to actually think about the minimum you really needed to provide the service you're offering and how you are ensuring it's safe, correct and can be properly forgotten once it has served its purpose or the customer requests to.

It's not rocket science.
posted by MartinWisse at 12:51 PM on May 25 [20 favorites]


Well one danger is that GDPR compliance can become in a way a justification for an expansion of data correlation surveillance, because the most extreme interpretation of the regulations requires you to have total knowledge of all the data you touch. If I ask Google to excise me from every public photo it has, to do so it has to have identified every person in every public photo! Textual mentions are even worse: to use the example of "the tall bald guy who lives on East 18th Street", to protect this bald man's privacy Google must first totally compromise it by linking every such oblique reference to an actual person. Google can plausibly argue that its skynet-style automatic tagging of every person in every photo it sees is in fact a legal requirement, in case any of them ask to be forgotten.

To use another example, I have seen it seriously suggested that, to comply with the age-restrictions on data collection, you should request scans of people's passports to verify their ages.
posted by Pyry at 1:33 PM on May 25 [2 favorites]


What if I have a bunch of old email and files from some forgotten project I worked on years ago, that was touched by someone in the EU and is tagged with whatever invisible info MS Word saves? I know there is info about the user who created/edited the document, in hidden areas of the document, in a lot of file types. Do I need to clean out all my old file folders?
posted by elizilla at 1:42 PM on May 25


Jiminy Christmas, I started diving into my Yahoo account (I only have -soon 'had') it for Flickr access) to check my privacy settings...they've got opt-outs buried seriously deep, and made the page hard to find on top of that, and make the actual opt-out controls themselves hard to find on top of that!
posted by Greg_Ace at 1:42 PM on May 25 [2 favorites]


Oh - and then make the actual opt-out steps as difficult as they can manage on top of that!!
posted by Greg_Ace at 1:44 PM on May 25


It's not rocket science, no, but the actual tangible effect for users right now, like cookie banners, is to make the web worse in tangible ways without doing much about actual privacy violations happening today.

Emailing people subscribed to opt-in consensual email lists to say "hey we have your email address because you subscribed to our mailing list; if you don't want that, you should unsubscribe. Did we mention every email we send you already has an unsubscribe link?" is a net negative on the world. Pop-ups that say "we've updated our privacy policy; would you like to read through our legalese (which, per-regulation, is now somewhat more readable) or would you just like to click this button to get on with your life?" are not solving any problems.

More importantly, Facebook and Google still have tracking pixels on millions of sites that track you across the web. Facebook has worked around that by asking you to click a blue accept button to continue using their services. You can't request to download that data There might be years worth of litigation here, but nothing is actually changing that stops these privacy violations anytime soon. For example:
Here, Facebook lets you block it from targeting you with ads based on data about your browsing behavior on sites that show its Like and share buttons, conversion Pixel or Audience Network ads. The issue is that there’s no way to stop Facebook from using that data from personalizing your News Feed or optimizing other parts of its service.
So Facebook is still collecting and storing the data; it's hardly meaningful that you can control whether it can be used for ad targeting too, since it's the tracking that's the privacy violation, not the ad targeting. The conversation has come down to "hi, we're still going to be compiling a dossier of all your activities no matter what, but if you don't want us to use it to send you coupons, just let us know." Instead, the burden has been shifted to the website owner, and some random person is going to get slapped with fines because they put a Facebook like button on their site without the proper consent language somewhere. Facebook will bear no responsibility for their own tracking, but the sucker who went to Facebook's developer site and copy/pasted the helpfully provided code (which includes no GDPR-related disclaimer on that page) will. How is this actually improving privacy on the web?

And effectively banning 15-year-olds, at least nominally since it can't practically be enforced, from using most services on the internet is not a productive use of anyone's time any more than most of COPPA was.
posted by zachlipton at 1:50 PM on May 25 [4 favorites]


How is this actually improving privacy on the web?

Website owners scared of GDPR realizing they can't put Facebook embeds on their page, and removing them, would be an improvement. It's not great to put the burden on smaller players than Facebook, but if it's your website, it's not that weird to be held accountable for what code you intentionally embed in your site.
posted by BungaDunga at 2:03 PM on May 25 [7 favorites]


The internet as we know it is largely funded by ads. Can websites that remove Facebook ads still pay for themselves? Probably not.

I know that the big companies have been working on GDPR for two years. They have enough revenue, lawyers, etc. to survive. I'm not certain that anybody else does. I think we may find out that it is rocket science.

Might be easier for many companies to ban EU visitors and then let them VPN.
posted by pdoege at 2:16 PM on May 25 [1 favorite]


Website owners scared of GDPR realizing they can't put Facebook embeds on their page, and removing them, would be an improvement.

Is that actually happening though? Are European sites abandoning retargeting en masse? Or are website owners doing the same thing they've always one, adding some language to their new privacy policies, and putting up a new cookie banner with a button rather than assuming consent? Is what we're actually seeing, stuff like this crap, an improvement?

It's far from clear that such practices actually constitute freely-given consent (or maybe we should say that it's pretty clear they don't), and I'm sure there will be years worth of litigation to argue that out. In the meantime, we're two years past the adoption of GDPR, and there's nothing resembling definitive guidance as to how it applies to incredibly common practices on the web today.

That's the failure here: it's a recipe for years of court cases that could eventually set the contours of how websites work rather than meaningful privacy improvements today.
posted by zachlipton at 2:35 PM on May 25 [1 favorite]


Not at all. It's just American laziness and unwilllingness to do anything that doesn't directly contribute to share prices that makes this complicated.

As someone who spent many months working on this I'm breathing deeply and not taking it personally.

Do you even ever deal with the actual reality of what GDPR means for your day to day job? I do.
posted by nikaspark at 2:37 PM on May 25 [13 favorites]


I’m curious to know whether that covers them, or whether it’s just hopeful handwaving.

It's handwaving; however, for small companies, it's probably enough. It's been mentioned that, while any company that gathers data about European citizens or residents without their consent is breaking the law, the EU's reach doesn't extend to demanding extradition nor assigning enforceable financial penalties to US-only companies. US companies that cut ties with their European customers aren't 100% in compliance (especially if they won't remove their existing data on request), but they're unlikely to face consequences.

As long as they never care to do business with an EU customer or service provider, they'll be fine!

Might be easier for many companies to ban EU visitors and then let them VPN.

EU visitors who use VPN are still covered by the law; I suspect this is going to bite companies that try to block all EU visitors after the first wave of lawsuits gets going. The law doesn't specify, "companies may not gather data from people with European IP addresses." Using IP addresses to identify Europeans is not a long-term solution.

I can see that it's a total mess and very disruptive to any business that has legit reasons to collect user data. (It's disruptive to others too, but fuck them.) But, given the current political climate, I am happier with drastic changes in favor of treating customers with decency, rather than gradual, small shifts in the right direction that will be ignored because "it's only a small violation and nobody really cares about these details."
posted by ErisLordFreedom at 2:44 PM on May 25 [3 favorites]


Example of potential problem:

Amazon does business in Europe. It has some customer accounts flagged for fraud . Some of those are people who've bought things, used them for two days, declared they are broken, and sent them back... repeatedly. Or people who buy a nice outfit just before the prom, wear it once, and return it, claiming it doesn't fit. Once or twice, not a problem; do this with too many high-ticket items, and your account gets frozen.

Fraud customer contacts Amazon to demand that their user data be erased. But if Amazon erases the account history, they're vulnerable to fraud from the same person again. Amazon may well be able to argue a need to keep some personal data around for exactly this reason--but currently, that data isn't separated from their advertising code base. So before they start scrubbing accounts on request, they have to build a "suspicious/fraud behavior" database, and save over the details associated with those accounts. (Do they also save the details of other people at the same address? What if the address is a dorm room or short-term rental; how do they tell who's living with the fraud person?)

This is an entirely fixable problem; it just takes some discussion of what the law requires and how to set up the code to track the info that's legal. Amazon has the resources to do this. (Smaller bushinesses may not.) But I can see how the combination of edge cases that actually affect the business, and the desire to keep as much data as is legal (i.e. everything related to US customers), resulted in just hoping the problem would go away until it was too late to do anything but shut things down and hope they're not caught in the first wave of lawsuits.
posted by ErisLordFreedom at 2:58 PM on May 25 [3 favorites]


This is an entirely fixable problem; it just takes some discussion of what the law requires and how to set up the code to track the info that's legal.

See the DPO saying above:

THERE IS NO LIST. YOU HAVE TO LOOK AT EVERY PIECE OF DATA TIED TO A PERSON, HAVE A VALID, DEFENSIBLE REASON FOR HAVING IT, AND TRANSPARENT, CONSISTENT WAYS FOR PROVIDING BACK TO THE AFFECTED PERSON AND EXPUNGING FROM YOUR SYSTEM IF THEY NO LONGER CONSENT TO YOU HAVING IT.

"Valid, Defensible" is not well defined, it's dependent on the mood of the DPO that day. Basically this will be settled in EU courts and that's that.

It's seriously easier to build a zero-data system and require your customers to use Keybase Filesystem to store all their state data than it is to read the tea leaves of what GDPR actually covers.
posted by nikaspark at 3:20 PM on May 25 [1 favorite]


Over in the MeTa thread, cortex said that Metafilter is minimally affected because "much of the focus of the new GDPR requirements are on business practices that we steered away from to begin with."

Metafilter isn't exactly rolling in cash, and yet it hasn't had a problem complying, mostly by deciding years ago not to do shitty things with our data.
posted by clawsoon at 3:24 PM on May 25 [11 favorites]


Because metafilter offloads their payment system to PayPal and engages in nothing that even approaches transacting money or facilitating anything that requires people in the real world to actually know anything about each other.
posted by nikaspark at 3:27 PM on May 25 [5 favorites]


nikaspark, isn't storing data about people for payment purposes under GDPR a legitimate case, even without their consent?

Is it that you think a regulator examining a company's reasons for storing data on a case-by-case basis is bad in itself? ("tea leaves") Or is it that you're stuck between a company that will only implement a privacy policy if it's rules-based and therefore minimally expensive, and a regulator that wants your company to spend money on people to handle privacy instead of rules to handle privacy?
posted by clawsoon at 3:51 PM on May 25 [1 favorite]


It's seriously easier to build a zero-data system

Sounds like the law is working as intended, then.
posted by tobascodagama at 3:54 PM on May 25 [7 favorites]


I agree tabascodama, contrary to my what my comments may portray, I’m actually a huge supporter of the spirit of GDPR and I believe in the intent 100%. it’s just the implementation and enumeration of the data it covers is...lacking clarity and creating a lot of work that to me doesn’t address the actual data privacy risks and is instead just creating confusion and churn while the actual risks remain.
posted by nikaspark at 4:04 PM on May 25 [2 favorites]


Metafilter isn't exactly rolling in cash, and yet it hasn't had a problem complying, mostly by deciding years ago not to do shitty things with our data.

And even there, Metafilter uses Google Analytics. Some people may call that a "shitty thing with our data," and that's fine if that's your opinion, but what does that actually mean for the site? Is Google Analytics compliant with GDPR?

Google sent out an email to site owners that says they have to comply with the new EU user consent policy (which basically says you need "end users’ legally valid consent" and that's your problem now) and that everyone should "consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics."

Thanks. That's very helpful. Google, the $750B corporation with an army of lawyers, says we should all go ask our own lawyers what to do if we want to keep using its extremely popular product. Some people say you're supposed to set Google Analytics to zero out the last octet of IP addresses to be compliant. Other people say to update your privacy policy. Other people say you need to add a banner that asks consent from everyone that visits your website first (and that needs to be opt-in, still allow the website to work even if you ignore or close it, not set the cookies anyway unless you agree, etc...).

Tens of millions of websites use Google Analytics. It's not acceptable that we're here today, two years after GDPR was enacted and on the day it takes effect, and there's nothing resembling a straightforward authoritative answer as to whether and how you can use this absurdly popular tool.
posted by zachlipton at 4:15 PM on May 25 [10 favorites]


I guess, here’s how I will sum it up:

GDPR will have as much real world impact on data privacy being violated about as much as PCI has had on preventing credit card breaches and Sarbanes Oxley has had on preventing financial improprieties.

I believe GDPR will shape our world in it’s image but the actual effectiveness of it seems impossible to measure and in the end it will become just another compliance program that gets incorporated into the IT security theater program your company is most likely running.
posted by nikaspark at 5:37 PM on May 25


If you think users having a say in their online privacy and the way their data is handled, and companies retaining the minimum necessary user data to run their services is a "IT security theater program" then you're probably in the wrong line of work.
posted by urbanwhaleshark at 6:16 PM on May 25 [2 favorites]


I would ask you to listen to what I am saying and believe me that GDPR is not accomplishing what it portends to.

But hey you can throw missives at me, you don't know anything about me so I get it.
posted by nikaspark at 6:35 PM on May 25 [2 favorites]


and also read my comments where I say "I support what GDPR is trying to achieve" before you imagine that I believe that users shouldn't have a say, please. Kthxbai.
posted by nikaspark at 6:36 PM on May 25


GDPR is barely accomplishing anything it's intended to do, as it just went live like literally today.

Having gone through several years of PCI compliance audits (and Safe Harbor, when that was a thing), and now having to incorporate GDPR into our compliance suite, and knowing that nothing can ever be 100% secure, I'm real curious where "IT security theater program" is coming from.
posted by XtinaS at 6:41 PM on May 25 [2 favorites]


Wait, MetaF is "minimally affected" by GDPR and uses Google? Google just got hit by a $Billion lawsuit.

Can MF absorb a $20M fine? All it takes is one EU resident reporting this site to the EU and then everybody will know what the financial blast radius is. That's what "minimally affected" seems to mean.
posted by pdoege at 6:45 PM on May 25 [2 favorites]


I'm real curious where "IT security theater program" is coming from.

My comment really depends on where the GRC (governance, risk and compliance team) is situated in your organization. A whole lot of GDPR is implemented outside the IT Security organization, but in many cases there are GRC programs which are under the same reporting structure and and are tightly aligned with IT Security Organizations. In those cases what tends to end up happening with government and industry compliance regulations is that many of the policies are managed outside of the IT Organization (for SOX it usually mostly lives with finance) but the policy control structure is mostly owned by the IT Security team with the GRC team "taking the lead" and the rest of IT Security doing their part to make sure the tooling, etc is operational and whatnot.

In these cases you end up with a sprawling set of compliance policies that are dictated down, not aligned to the actual risks the organization is trying to address, which ends up with security controls being enforced by IT security that don't actually align to your business model or risk, but instead serve to show that a policy is being followed. This is to me the definition of IT security theater, a security compliance program that cannot align to policies actual risk and must instead adhere to murky letters of law whose effectiveness is difficult to measure outside the policy framework itself.

Like, I deal with this shit day in and day out and "risk based IT security" and "risk based GRC" is IMO the way to go with these things (and is what I push for in everything I do!) What this means is that you can take a set of policies and argue which policies and controls are meaningful to your organization, focus on those, and then operationalize tooling and automation around those parts of your business, then work to exceed the policy because you have an actual use case and risk that is identified and can be effectively measured.
posted by nikaspark at 7:00 PM on May 25 [1 favorite]


It's an execution problem, not a principles one. "Privacy theater program" doesn't seem like a bad descriptor for a state of affairs where Facebook continues to track millions of people across the web, but a small website doesn't know how or if they can legally use a popular web analytics service.

Another example. Disqus is a popular commenting platform for websites. If you're running a blog or a news site (in my experience, anything from local neighborhood blogs to major international news sites), you might use it to enable comments. Since it works as a third-party component on websites, it can cookie you (you have a common login across all Disqus-enabled sites) and track you. And they do, indeed, share that tracking data with a half-dozen data brokers and ad networks, as their website explains. One of those is their parent company, Zeta Global. As usual, you're paying for it, you're the product, etc...

So Disqus is this thing that's on lots of websites, provides commenting, and tracks you across the web, using those profiles for advertising. They do honor the Do Not Track header (DNT) (except on Safari where it's on by default), so that's swell, and made a better opt-out as part of their GDPR efforts. They now disclose that they work with 13 ad partners that could also put cookies on your browser to track you. But the main change is consent, so they've added this consent box.

If that means they don't cookie and track anonymous users who haven't consented, there's a privacy improvement there, absolutely. I applaud that. But it also means that if you, just once, want to read comments or post a comment, you have to check the boxes and agree. (Does requiring consent to read comments comply with the regulation? That seems to be how they've implemented it now anyway.) Do that once, anywhere, and Disqus continues to track you around the web. You've officially consented to their privacy policy, which does explain in plain English that they use "information about the websites you’ve viewed" to target ads to you.

That's privacy theater. It's still the same company tracking you across the web; you just had to click a thing before they start tracking and you can do what you want, which is read or write a comment. Asking for consent is a good thing, but how does this new state of affairs give users meaningful control over their online privacy? I'm far from an expert here, and by all means tell me if I've radically misunderstood the situation, but as I see it, however noble the principles, there's no real control when the actual implementation boils down to "click this button to let us track you all over the web, and in exchange, we'll let you get on with commenting on the neighborhood news blog."
posted by zachlipton at 7:14 PM on May 25 [4 favorites]



It's an execution problem, not a principles one.


THAT yes. I am one thousand percent aligned on the principles of GDPR.
posted by nikaspark at 7:20 PM on May 25


Asking for consent is a good thing, but how does this new state of affairs give users meaningful control over their online privacy?

They're allowed to opt out later. They're allowed to go back to the Disqus site and say "remove my info and stop tracking me." They can turn it back on in order to read or comment.

Also, they're allowed to demand to be told who, exactly, is being given what data about them. That part doesn't matter today - everyone's just scrambling to catch up with the "must give consent to be monitored" part (that went into effect quite a while ago etc etc), but over time, the "tell me what data you're collecting and how you're sharing it" parts of the law will become important.
posted by ErisLordFreedom at 7:28 PM on May 25 [4 favorites]


I have a feeling this is going to be the EU's version of Prop 65; something done initially with good intentions but that ends up with significant negative knock-on effects.
posted by MikeKD at 9:45 PM on May 25


And they do, indeed, share that tracking data with a half-dozen data brokers and ad networks, as their website explains. One of those is their parent company, Zeta Global. As usual, you're paying for it, you're the product, etc...

...

If that means they don't cookie and track anonymous users who haven't consented, there's a privacy improvement there, absolutely. I applaud that. But it also means that if you, just once, want to read comments or post a comment, you have to check the boxes and agree. (Does requiring consent to read comments comply with the regulation? That seems to be how they've implemented it now anyway.) Do that once, anywhere, and Disqus continues to track you around the web. You've officially consented to their privacy policy, which does explain in plain English that they use "information about the websites you’ve viewed" to target ads to you.
My understanding is that this is probably not compliant, because of this bit from Article 7:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
What Disqus could do is to collect only the minimum amount of information required to keep their logins across multiple sites, and then only use that information for the purposes of allowing users to keep their logins across multiple sites. Not sell it, not use it to target advertising, not transfer it to other entities in its corporate group for them to do who knows what with it. Also, allow users to opt out of multi-site logins without preventing them from reading or posting comments on single sites. If it did this it probably wouldn't even require consent.

I've been reading Hacker News GDPR threads (mostly for the amusement value of reading people complaining about how it makes their scammy business models untenable) and someone there put it well: GDPR requires you to treat user data as a liability, not an asset. Treat it like a toxic chemical; collect and use as little of it as you can, and don't put it anywhere it doesn't absolutely need to be.
posted by A Thousand Baited Hooks at 10:04 PM on May 25 [12 favorites]


So I quoted this from the Verge article this morning:
an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR
and believed it since it matched the sort of questions I was discussing with our compliance guys. I read parts of the reg at work today and I don't think it's true though--it focuses on "automated collection" or things that go in "filing." I don't think e-mails with someone's name actually counts. A single employee's Rolodex would, at least read literally.

Also thanks to mistersquid for the comment on European vs American approach to regs.

Metafilter isn't exactly rolling in cash, and yet it hasn't had a problem complying, mostly by deciding years ago not to do shitty things with our data.

The stuff cortex describes in that thread would seem quite blase and non-compliant to the reps I was dealing with at my company. MetaFilter is storing more personal information (e-mails, usernames, real names and locations) than I do and I couldn't get away with an answer like that.

No, I don't think MeFi is going to have problems but the low cost of compliance flows from both being small and being able to do a back of the envelope risk/impact assessment. I would not be surprised if literally every employee had full access to all data they have, which would be a horrible strategy at a company with 5000 employees.

One factor in the equation is that American lawyers and compliance types are (at least in my experience) exceedingly risk averse personalities. A company hiring some people to tell them what to do to ensure compliance and avoid liability is going to get a huge list, which probably includes being an intrusive asshole to your employees. One employee losing their collection of vendor business cards is a violation. I think people dealing with this in practice is definitely coloring people's tone (including mine.)

I'm not actually arguing against the regulation. I'm even a bit bemused by my own reaction to the compliance burden, since I generally favor it and it's not the first regulation I've dealt with.

But it's not like this only covers data that people intended to collect and sell for profit, which seems to be collecting 99% of the attention from people who seem to think this is obviously good.
posted by mark k at 11:24 PM on May 25 [5 favorites]


No, I don't think MeFi is going to have problems but the low cost of compliance flows from both being small and being able to do a back of the envelope risk/impact assessment. I would not be surprised if literally every employee had full access to all data they have, which would be a horrible strategy at a company with 5000 employees.

As with most privacy regulations, the GDPR is principles based. It requires you to take reasonable security steps to protect personal data. What is reasonable for a non-profit with under ten staff is not going to be reasonable for a private sector business with 5000 staff.
posted by His thoughts were red thoughts at 2:50 AM on May 26 [2 favorites]


pdoege: Can MF absorb a $20M fine?

From what I've seen, the fines are up to 4% of revenue. Does Metafilter really have $500 million in revenue?
posted by clawsoon at 4:34 AM on May 26 [2 favorites]


Clawsoon, it only takes 10 users in a given year setting up 10 million sockpuppets each to reach that number.
posted by chappell, ambrose at 6:17 AM on May 26 [3 favorites]


From what I've seen, the fines are up to 4% of revenue. Does Metafilter really have $500 million in revenue?

Maximum fines are 4% of global revenue or 20 million Euro, whichever is greater.
posted by His thoughts were red thoughts at 6:46 AM on May 26 [6 favorites]


Former CIA analyst Cindy Otis shares how the NYT's GDPR e-mail to their freelancers turned into a "reply all" digital farce:
The NYT sent an email about their privacy policy to everyone who has written for them, but they forgot to put us all on bcc. I'm now on a non-stop loop of people replying with questions and 10 more replying asking everyone to stop hitting "Reply All." My Friday night's complete.

I now have the personal email addresses of world famous historians, artists, an ambassador, musicians, and more. Who should I start spamming first?

UPDATE: Someone made the obvious joke about the email vs. privacy and someone hit "Reply All" to inform us that the joke made them "chortle." So we're at that stage of Reply All Hell.

Someone just suggested everyone on the email meet up for a drink. Not sure how this is going to happen since we all appear to be in different parts of the world, but I'm pretty sure this is the start of a Rom Com plot line.

Oh my gosh! It's going to happen! Two people in Dallas are going to meet up! I need to get to Dallas immediately to observe this.

Can confirm: @peterjukes hit "Reply All" to tell everyone who has hit "Reply All" that he will prosecute everyone for invading his privacy. I'm not a lawyer, but since I have yet to reply, does that mean I can prosecute him for invading my privacy with threats of prosecution?[...]

Missed this gem earlier from one angry email group member advising others not to reply as he was. "Let this be the last message we need to get annoying mail notifications for."

NARRATOR: It was not the last message we got.
posted by Doktor Zed at 9:08 AM on May 26 [5 favorites]


it only takes 10 users in a given year setting up 10 million sockpuppets each to reach that number

Assuming it takes five minutes to set up a sockpuppet (including finding your credit card, thinking up a name, and submitting the form) it would take a person 34,722.222 days to set up 10 million sockpuppets.

Even if it only took 1 minute to sign up that's still 6,944.444 days.

Two hundred people each signing up for ten million socks would only take a much more manageable 34.722 days each.
posted by bendy at 2:43 PM on May 26


Even if it only took 1 minute to sign up that's still 6,944.444 days.
You're not thinking with multi-threaded automation!
posted by XtinaS at 2:48 PM on May 26


Xkcd: GDPR (be sure to hover over the graphic too!)
posted by cynical pinnacle at 3:54 PM on May 26


Look, I'm willing to automate it server-side and process a bulk payment. Someone just find the $500M, I'll do the rest of the work.
posted by cortex at 7:36 PM on May 26 [1 favorite]


You're not thinking with multi-threaded automation!

Sez you, buddy!!
posted by Greg_Ace at 7:38 PM on May 26 [1 favorite]


Just sent this out to a site that's geo-blocking;



GDPR contains a prohibition against 'profiling', which GDPR defines as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, LOCATION or movements.”
Therefore, identifying people within the EU and refusing them access to your site or service based on the geolocation of their IP address - is actually specifically prohibited by GDPR.

You can consider this email to be a complaint about your practises as defined by the GDPR.

I will give your data protection officer seven days to respond before I file a complaint with the DPA. As you no doubt are aware, you may face a hefty fine of up to 4% of your annual (global) turnover.
posted by DreamerFi at 1:23 AM on May 27 [8 favorites]


GDPR contains a prohibition against 'profiling',

I don’t think that’s true, actually. GDPR prohibits automated “decisions” based on profiling without consent. It’s the decision making that matters, not the profiling. These decisions have to be ones that have significant effects on the person. Does not allowing access to services for eu locations count as a decision in this case? I’m not sure but I suspect it doesn’t for a large range of services.
posted by dis_integration at 5:21 AM on May 27


Therefore, identifying people within the EU and refusing them access to your site or service based on the geolocation of their IP address - is actually specifically prohibited by GDPR.

I guess this means my BGP ASN block on OVH and a few other WAF rules I’ve got blocking some mega bad shit out of the Netherlands and all those other things like Spam blocking feeds and reputation services that help security programs keep threat actors from doing bad shit are also in violation of GDPR.
posted by nikaspark at 5:24 AM on May 27 [1 favorite]


GDPR contains a prohibition against 'profiling', which GDPR defines as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, LOCATION or movements.”
Therefore, identifying people within the EU and refusing them access to your site or service based on the geolocation of their IP address - is actually specifically prohibited by GDPR.


I don't think, though, that the country/trading bloc you are location would be considered personal data ("...any information relating to an identified or identifiable natural person...", Article 4). ...Since that seems to be what the profiling prohibition concerns itself with.
posted by MikeKD at 5:25 AM on May 27


IP addresses are absolutely considered identifying information, the question is if that extends to BGP country codes. If BGP is not covered by GDPR location data principles (and you’re lucky enough to take full BGP tables from your peers, or better yet have your own BGP AS) then it’s trivial to write a BGP filter on the EU country codes and just refuse to route that traffic.

Where I work the EU is a huuuuuge market for us so we can’t do that, and it will be interesting to see how Infosec threat reasearch and IPS/WAF signature writing and reputation feeds are impacted by the interpretations of GDPR.
posted by nikaspark at 5:33 AM on May 27 [1 favorite]


something done initially with good intentions but that ends up with significant negative knock-on effects.

Second-order effects are a fact of life; the GDPR will cause unanticipated negative knock-on effects that will have to be corrected, because basically any change, positive or negative, does. The EU would be well aware of this.

My favourite example of this is how preventing cholera by improving sanitation caused polio.

(Did not realise how much principle-based legislation would freak out the Americans in the audience. The whims of the regulators aren't really relevant, because the regulators aren't able to bring charges without an investigation because you might, after all, have a good reason for vacuuming up everyone's location when they use your app.)
posted by Merus at 7:14 PM on May 27 [1 favorite]


Did not realise how much principle-based legislation would freak out the Americans in the audience.

Coming from this as a developer, I think some of the freak out is 1) that if software is required to handle some of this (and, it is), there needs to be well-defined, explicit rules for us (devs) to even have a chance of getting it right; and 2) not getting it right is expensive. And, relying on what sounds like an equivalent of prosecutorial discretion can make some Americans (myself, included) uncomfortable.
posted by MikeKD at 8:31 PM on May 27


if software is required to handle some of this (and, it is), there needs to be well-defined, explicit rules for us (devs) to even have a chance of getting it right

It seems to me that a lot of the confusion about the GDPR comes from businesses treating it as a solely technical problem, as if they can just tell their IT people and developers to make their systems GDPR compliant and it should be obvious how to do so without making any other changes to the way the business works.

That's why discussions about it tend to be full of technical people asking things like "are IP addresses covered by the GDPR?" Of course, the answer is "it depends" - on how they're collected, how they're stored, how they're related to other information in the system, how they're used etc. etc. The regulators will never be able to give clear answers to questions like this because (a) everything depends so much on context, and (b) as soon as they gave a clear answer people would start working out how to use it to design around the intent of the regulation.
posted by A Thousand Baited Hooks at 9:56 PM on May 27 [4 favorites]


Absolutely. Most of these issues are ultimately business decisions, not technical ones, and they cut to the core business models of many companies.

But at a straightforward practical level, if you're MetaFilter and you use Google Analytics, as tens of millions of sites do, you need to know whether you can keep doing that and whether you need to change anything to comply with the regulation. And even if you're astonishingly unlikely to face legal trouble in that situation no matter what you do, I really don't think it's unreasonable to want an answer to that question backed with reasonable certainty. Is there one? (Random blog posts by people who heard about the GDPR last week do not count.) Google telling 30+ million websites to ask their lawyers isn't it.

Principles-based regulation isn't inherently bad, but there are millions and millions of websites that do really common things like use popular analytics services or embed YouTube videos. Some clear answers are necessary if you want millions of people to take action here. GDPR is not a technical problem at all, but at the far end of the stick, there is a developer somewhere who has to change or not change things. If the regulator can't begin to apply the principles to super-common situations and provide guidance, why should anybody be expected to do so?
posted by zachlipton at 10:54 PM on May 27 [1 favorite]


But at a straightforward practical level, if you're MetaFilter and you use Google Analytics, as tens of millions of sites do, you need to know whether you can keep doing that and whether you need to change anything to comply with the regulation. And even if you're astonishingly unlikely to face legal trouble in that situation no matter what you do, I really don't think it's unreasonable to want an answer to that question backed with reasonable certainty. Is there one?

The problem with this is that different websites use Google Analytics in different ways, and then use information from it to do all kinds of different things. There isn't a single answer that anyone can give that will apply to all of them, other than "don't gather or store any information at all". (That said, the regulators have tried - here's a long list of guidance materials, in various languages.)

It seems to me that this is the GDPR working as intended. Website operators shouldn't be putting things like Google Analytics on their sites unless they have sound technical reasons for doing so, and even then they should be using them in the least intrusive way that's reasonably possible.

The alternative to principles-based regulation here would be a list of specific rules that have to be followed. But the rules would be tremendously difficult to get right, and as soon as they were published there would be thousands of clever people looking for loopholes that would let them go back to business as usual.
posted by A Thousand Baited Hooks at 12:28 AM on May 28 [1 favorite]


This whole discussion around rules-based vs principles-based legislation has explained so many of the debates about moderation that we have here.
posted by Helga-woo at 1:13 AM on May 28 [3 favorites]


Compliance with the full GDPR is not merely about consent, and it really has been in effect since 2016 (the May 25th date was the official “enforcement begins now” date; in other words, by putting an enforcement deadline out 2 years after the regulation was published is a very public way of removing any excuses from offending organizations that they still need time to prepare). Other things you have to do to be compliant:

Create and follow internal security protection policies and procedures.

Have a documented plan (and training) for dealing with a data breach if it ever occurs.

Have a way to provide people with a copy of their data.

Have a way to let people be “forgotten” by your organization.

Have proper consent for the data you process.

Have regular GDPR awareness trainings with your staff.

Understand that this legislation absolutely has teeth, and most answers to every question you have about it probably begin with “it depends” which is maddening...and also kind of the point.
posted by Doleful Creature at 7:08 AM on May 28 [5 favorites]


The EU's Copyright Proposal is Extremely Bad News for Everyone
Under Article 13 of the proposal, sites that allow users to post text, sounds, code, still or moving images, or other copyrighted works for public consumption will have to filter all their users' submissions against a database of copyrighted works. Sites will have to pay to license the technology to match submissions to the database, and to identify near matches as well as exact ones. Sites will be required to have a process to allow rightsholders to update this list with more copyrighted works.

What’s really behind the EU law that would “ban memes” – and how to stop it before June 20
It currently looks like there is a razor-thin majority in favor of Article 13. The negotiators for the EPP (conservatives), ALDE (liberals), ECR (eurosceptic conservatives) and ENF (anti-EU far right) in the Legal Affairs Committee recently expressed their support for the latest version of Article 13.

Together, these groups have 13 votes on the Legal Affairs Committee – one more than the opposition

It will come down to every single vote. Our mission until June 20: Make it clear to at least one MEP who’s currently undecided or in favour that their constituents want them to reject these plans. The NGO EDRi has made a list of key swing votes.
posted by Bangaioh at 4:48 PM on June 9


MeFi thread on EU's copyright reform.
posted by Bangaioh at 1:38 PM on June 20


« Older Brexit bites   |   Wrong sport! Newer »


This thread has been archived and is closed to new comments