Domain: eugdpr.org
Stories and comments across the archive that link to eugdpr.org.
Comments · 33
-
Re:Unsurprisingly, OKCupid is owned by IAC
4% of total global revenue?
It's a *dating* site, and they operate in the EU. If you have an account there that's not just for lulz, then they are almost certainly going to have more of your sensitive PII than pretty much anyone other than the likes of Facebook and Google - a compromise as a result of negligence and subsequent coverup would be an ICO's wet dream. Most people with a clue have now woken up to the need to secure accounts that have financial links, but a similar awareness over PII is still some way behind, or you'd see a lot more use of 2FA on sites like this.
-
Re: Bigger fines will get attention
You don't understand the internet, how laws work, or both. GDPR is not a US law and therefore doesn't apply in the US.
You shouldn't make declarative statements about things you know nothing about. Wait, this is slashdot, carry on.
If you decide to learn something start with the GDPR FAQS:
From https://eugdpr.org/the-regulat...
"The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location."
-
Re:The list...
From the GDPR:
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Here's a great opportunity to set a precedent. Isn't Shazam owned by Apple, the company which prides itself on not selling user data, with a global turnover over 250B?
-
Re:EU needs to knock FB TFO
But the EU is AT LEAST equal in how terrible it is.
Again, GDPR. If you see anything detrimental to the end user in this, you're probably working for FB (...).
-
Re:Never confuse stupidity with malice
Indeed. And GDPR is another good example at that.
-
GDPR
If only the Spanish could read English they could follow their own laws: https://www.eugdpr.org/
Someone watching your half-ass game for free is not "lost profits". Ever. It's so stupid these copyright clowns think everyone who watches for free would have paid full retail for their crappy third rate game.
smdh
M
-
I can not do that.
There is a reason I can not do what they ask: GDPR. And they are lucky. I just saved them 20.000.000 EUR in fines. And if you say that by then Brexit will have been completed and/or the GDPR will not apply, just you wait and see what happens. You are clearly not one of us.
Also do not ask to change the past. We did that once. Now Trump is POTUS. Well, could have been worse. No, not Clinton. We change history, not politics.
-
Re:Nothing "new" here
The law should be ignored by all non-EU web sites.
That law can be ignored by non-EU web sites that are not doing any business with EU citizens or companies.
But if you are doing business with the EU, then you have to comply (as with many other laws that apply to international business, so this is not unique to the EU). Of course if you break the law it will be a bit more difficult for your victims to sue you if you do not have any presence in the EU, but it will still be possible.
As the FAQ says (italics mine):
Who does the GDPR affect? The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
-
Re:Nothing "new" here
That canard again. IP address logging for the purposes of site operation has never fallen under EU privacy guidelines, unless that data is kept for longer than its intended purpose and used for data mining.
Which is exactly the point of the GDPR: it says 'Don't do that and you'll be fine'. If you look at the FAQ you see that the GDPR does not cover this use of data.
It comes down to the tradeoff of lost revenue vs. potential compliance costs and / or fines of unknown magnitude. It's simply easier to say "EU nationals not welcome here" if you are located outside of the EU than comply if the revenue hit is small.
Of course, there is the whole extraterritorial issue: if an EU national visits my non-EU located site I should not be expected to follow EU rules. If you think that I should then you have to allow the US government to tell companies to hand over data held anywhere in the world if there is even the slightest nexus, as well or face fines.
-
Re:Nothing "new" here
Per the GDPR FAQ, your name and e-mail address - basics kind of needed to ship you another product and notify you of shipment - are all they need to store. It's not all your personal data, just your name and e-mail address.
-
Re:Nothing "new" here
If you look at the FAQ you see that the GDPR does not cover this use of data.
Oh, let me just look at that...
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from ... a computer IP address.
Well, crap. Maybe I don't need to worry if it's just a log?
Unfortunately, the actual text doesn't mention logs at all. Neither does it make any exemption for temporary storage, and it also doesn't actually define boundaries for what's "data mining", since it includes no mention of data mining at all. In fact, most of its restrictions are on the "processing" of personal data. Let's look at what that is:
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
In other words, running grep on a log is processing. Looking at Article 6(1) and 6(4), the processing of an IP address (as any other personal data) requires either consent or official authorization... unless the personal data belongs to a child, in which case only official authorization will suffice, but there's very little I see here about what that actually entails.
Now, the GDPR doesn't actually enact law itself; that's up to the Member States. Those laws could be better-written to allow reasonable things like a traffic log where the identifiable information is never intended to be resolved, but under the text of the GDPR, the laws could also be broad enough to forbid such things.
-
Re:Good
The way I see it as a European, it will mean that they were selling my data anyway, so that means they won't do that anymore. It also means they will not be able to do that for any of the other 350+MM Europeans.
LOL I went to the European unions own website.
https://europa.eu/
It can't even stop itself from calling home to Google. Even the website dedicated to explaining GDPR
https://www.eugdpr.org/
connects to twitter, facebook, google. But of course you're right, none of these companies actually "sell" your data. They just exploit it directly to enrich themselves.
This was also the intended reason for the law. It is as if Europe is saying "You are not allowed to take our data"
Yea right. Let me know when that actually happens in Europe.
-
Re:Nothing "new" here
RTFFAQ, this is not covered under "large scale systematic monitoring" or "large scale processing of sensitive personal data"
-
Re:Thousands, try millions.
A one person shop does not need a DPO:
Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
(Source: GDPR FAQ)
Unless that one person shop does engage in large scale processing of sensitive personal data, of course, but then they either have enough revenue to afford a DPO, or they are a shady 'ethicul biznizman' (aka spammer).
-
Uh, yeah, ICANN had enough notice.
ICANN now has a little over a month to come up with a replacement
After having been given almost three years of notice to do something about it. Look, it was never a point about if ICANN could or could not fix it. ICANN made it quite clear from their actions that they were not ever going to fix it. This whole thing shows that the most recent round of directors at ICANN are commercial focused buffoons that lack any real understanding of law or technology. It's a shit show right now at ICANN so this entire thing like, "Oh No! WHOIS will break!" is crap. Have idiots running an organization, watch idiotic results flow from that organization. It's that simple.
-
Re:Zuck's apology tour is over, back to business
That was the intent of the law. Side effect is that other businesses are affected also. More info on https://en.wikipedia.org/wiki/... and https://www.eugdpr.org/
The idea was to protect EU people. This is a law for the people, by the people. (Yes, I went there)
-
Get the fact right
It will also help the site comply with the upcoming European GDPR privacy law that requires data portability, assuming the feature launches before May 25th.
What happened is that they needed to be ready for the law and therefore you are able to do what they say you can do.
Complying with the GDPR is the cause, not the result. If not, they risk 10.000.000 EUR or 4% of their worldwide turnover. Not profit in one EU country. Not profit in the EU. Not turnover in the EU. Worldwide. Estimated for 2018 that is between a lot and a shitload.
Some websites that are a must read https://en.wikipedia.org/wiki/...
https://www.eugdpr.org/
Read them as more of this will be discussed on /.
-
Re:Collateral damage
All please read about GDPR : https://en.wikipedia.org/wiki/... and the official site https://www.eugdpr.org/
Both if you ARE living in the EU and if you are not. Because this will come up a LOT in future /. discussions.
-
Re:Saw it coming
This is why multinational companies have to be regulated.
Once GDPR is in place (25th of May) it will be illegal for Google to keep your data once you have requested that your account is to be deleted.
The fines are based on global turnover to prevent the regular tax evasion schemes from working for getting away from the punishment.
IE: The fines are steep enough to hurt regardless of the size of your company. You aren't going to write them off as cost of operation so you'd better comply.
The law requires that if the data is transferred to a company outside of EU a contract has to be written so that the other company is bound by the same requirements. This probably doesn't protect you if you aren't based in EU.
Facebook can probably keep doing business as usual considering that their terms and conditions already says that they are going to screw you over.
The only big difference seems to be that you now have the right to know what information they have about you and can tell them to delete everything they have about you when you delete your account.
As long as you keep your account they can keep the data they have about you.
-
Re:Good luck with that Zuck...
You're spreading incorrect FUD:
https://www.eugdpr.org/gdpr-fa...
What are the penalties for non-compliance? Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement
-
Facebook Tweaks Privacy Tools for not to get ...
... sued for a bazillion dollars once the EU GDPR goes live on May 25th 2018.
FTFY.
Facebook could probably just wait for the Cambridge Analytics thing to blow over - which it probably will. The CA thing and FBs encroachment on privacy aren't exactly news even though most of the world seems to think so today. Most will probably have forgotten again in 2 weeks time. FB however can not afford to get pissy with the EU GDPR, as it's clearly designed to bar off some of the worst privacy issues with FB, Google and the likes. Including fines that *really* hurt - unlike the laughable stuff courts have fined to date.
-
Re:meh
The geeks were too slow, so we got our law makers on the case instead: https://www.eugdpr.org/
-
No thanks
This sort of crap is exactly why 1. I'm really glad that legislation like the GDPR in the EU is coming along to begin to allow us to take control of our data. Might not be perfect but a good start. As I read it, this wouldn't be allowed without explicit consent between the owner of the car and whatever advertising company ran this (burying it in an EULA doesn't count)
but simultaneously I'm 2. really annoyed that my dipshit government and uninformed co-citizens voted to take my country out of the EU
:-( at least we'll get a few years of the GDPR to see how that works out.
-
Re:Do it or....
But how about their revenue in Belgium where this is an issue right now?
The next step is the EU GDPR directive, that one is going to be a royal pain in the butt for Facebook and similar services. At the EU level the fines would be higher.
Lawful Basis For Processing
Data can only be processed if there is at least one lawful basis to do so[15]. The lawful bases for processing data are:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
processing is necessary for compliance with a legal obligation to which the controller is subject.
processing is necessary in order to protect the vital interests of the data subject or of another natural person.
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consent
Where consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data are used for (Article 7; defined in Article 4). Consent for children[16] must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.[17]
-
This is what the GDPR is about
The upcoming General Data Protection Regulation says, amongst many other things, that data must only be used for the purpose that it is obtained and can only be used with the explicit permission of the individual. Hopefully scum-bags like facebook will change once they have had a few fines of 2% of the annual worldwide turnover.
-
Re:Nonsense
Before you post, do a 5 second Google search and locate this nice, easy to parse GDPR Key Changes document
-
Re:Government Oversight Highly Unlikely
The Europeans look to be making quite some inroads into this sort of thing with GDPR and the like.
In May comes the GDPR in Europe. This impacts not just of organisations within Europe, but "it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location". It includes the right to be forgotten. I can see many people asking Google to forget them -- that will be a really interesting battle, although even if the EU 'wins' it will be impossible to verify.
Read about it
... and google will know — one of the links of the EU GDPR page is to fonts.googleapis.com
-
Yes! Look up EU GDPR and check the penalties
The EU seems perfectly willing to fine these nice big US companies when they break EU regulations, and they tend to make the fines a nice percentage of their gross income:
Terje
-
Re:Well duh.
With GDPR, most things are off-limits:
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Source: http://www.eugdpr.org/gdpr-faq...
-
Re:Fines are limited to 20M Euro
You are wrong. 20 M Euro is not a ceiling, it's a floor. A lot of other arm-chair advocates here are also wrong. This legislation, as written, has quite a bit of teeth in it and is extremely hostile to big business. Outsourcing only works if you do your due diligence very thoroughly and then there shouldn't be a breach, should there. It will be very interesting to see some of the pilot cases come through the legal system over the next two years. I assume Google, Microsoft, Apple and Amazon will all be targeted early on. The site below has a lot of information. http://www.eugdpr.org/key-chan...
“Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.”