The GDPR will probably cause a lot of headaches in the business but I’m sure it’ll help EU startups to flourish compared to US competition from the outside, especially since it’s easier to start with compliance than to retrofit it.
That’s a useful refactoring, to view it as about protectionism rather than privacy. (And I don’t mean that negatively. I’m influenced by Andy Grove that protectionism is sometimes necessary.)
Especially in the current world with national branch companies and international tax evasion schemes, I often feel the world could do with a little more protectionism.
I really can’t feel bad for companies on this. They’ve demonstrated over and over again that they can’t be trusted to do the right thing on their own.
Even the one-man companies currently just starting out that are under threat of 20M EUR fines for not complying with rules that are practically impossible to comply with?
You’re not seeing the big picture here. The EU says it wants to “protect” people with GDPR, while all governments are spying on people as much as they can.. It’s fucking ridiculous.
Even the one-man companies currently just starting out that are under threat of 20M EUR fines for not complying with rules that are practically impossible to comply with?
Especially those ones because otherwise they have no checks and balances whatsoever and the single person in charge will do whatever they feel like without telling anybody.
We don’t let small restaurants ignore food safety, or small construction companies ignore building codes, why would we let small internet companies ignore privacy regulations?
You’re not seeing the big picture here. The EU says it wants to “protect” people with GDPR, while all governments are spying on people as much as they can.. It’s fucking ridiculous.
Just because the government is spying on us doesn’t mean we should allow corporations to do it too. We don’t have to solve both problems at the same time.
Do you sincerely think that small companies need to be threatened with 20M EUR fines to keep them in check?
Another way of putting this is “do you sincerely think that small companies need to be threatened with being put out of business entirely if they disregard their customers’ safety?” and my answer is yes, absolutely.
Restaurants operate perfectly well under the threat of “if you give a noticeable quantity of customers food poisoning even once, the FSA will permanently shut you down”.
It’s perfectly sensible to me that any other business capable of ruining a whole bunch of peoples’ lives should be held to the same standard.
Another way of putting this is “do you sincerely think that small companies need to be threatened with being put out of business entirely if they disregard their customers’ safety?” and my answer is yes, absolutely.
You know you’re comparing apples to oranges, right? Someone’s e-mail address staying in a database somewhere “against his will” is not comparable to feeding people rotten/contaminated food or something.
Regardless, neither warrants a 20M EUR penalty, and in the first case, it’s just utterly insane. You also understand that just fine, so why are you arguing against me?
It’s as if EU regulators were completely oblivious to the existence of small businesses, which they’re actually not, of course, because they’re not that fucking retarded/insane.
So they’ve set MegaCorp level fines for everyone for some reason other than insanity/stupidity. But it’s not for no reason, and it’s not because it’s reasonable either.
And obvious truth is met with hostility, as always.
Privacy violations don’t happen at a rate of 1 or 2 per incident, they hit thousands of people at a time.
neither warrants a 20M EUR penalty
You won’t be paying 20M EUR. Your company will be accruing a 20M EUR debt that it will immediately fold under. You founded a limited liability company for this reason. The number could be 13.37B EUR and that outcome would be the same for small companies.
Folding your company is a perfectly fair outcome for you flagrantly violating other peoples’ privacy rights.
met with hostility
I didn’t say anything rude to you at all. You asked a question, “Do you sincerely think that small companies need to be threatened with 20M EUR fines to keep them in check?” and I gave a completely polite answer. You just read it as hostile because you don’t like that answer. Edit: because people downvoted you a lot, which, to be fair, probably feels hostile.
Do you sincerely think that small companies need to be threatened with 20M EUR fines to keep them in check?
I do sincerely think companies who can’t respect people’s privacy and don’t take the issue seriously should go out of business. The size of the company has nothing to do with it. The potential damage done once the info escapes into the wild is the same either way.
It’s unfortunate that it takes the threat of a 20M EUR fine and possibly going out of business to drive the point home, but asking nicely and hoping companies do the right thing hasn’t worked.
Who’s “we”? -The faceless bureaucracy of the EU that’s hoisting this pile of garbage on productive people?
If they can’t harness some of that productivity to protect the private data they collect, then good riddance.
The EU says it wants to “protect” people with GDPR, while all governments are spying on people as much as they can
States (for better or worse) need a monopoly on coercion. Some of them have realized that the breakdown of privacy is eroding that monopoly, and they’re reacting.
I’m not making a value judgement about whether it’s a good thing or not; I’m giving a reason why a self-interested state would choose this course of action.
Separating value judgement from behavioral reasoning is the only way to make sense of others behavior when they don’t share your values.
You have to back up the keys (or risk losing everything), and those backups need to be mutable (so you’re back to square one with backups)
Generally backups are done daily and expire over time. GDPR requires that a user deleting themselves takes effect within 30 days, so this can be solved by expiring backups after 30 days.
Your marketing department still want a spreadsheet of unencrypted customer data
Depending on what marketing is doing, often aggregates are sufficient. I’m not sure how often marketing needs personally identifiable information.
Your fraud department need to be able to efficiently identify similar customer records (hard when they’re all encrypted with different keys)
Again, aggregates are usually sufficient here. But to do more one probably does need to build specialized data pipeline jobs that know how to decrypt the data for the job.
Your customer support department wants to use SAAS instead of a crufty in-house thing (and answer users who tweet/facebook at them)
I’m not quite sure what this means so I don’t have a response to it.
You also have to make sure re-identification is not possible… This is quite challenging and there are no guidelines as to what extent this should be achieved.
Generally backups are done daily and expire over time. GDPR requires that a user deleting itself is effective within 30 days, so this can be solved by expiring backups after 30 days.
Fair point - that’s really only a slight complication.
Depending on what marketing is doing, often aggregates are sufficient. I’m not sure how often marketing needs personally identifiable information.
Marketing don’t like being beholden to another team to produce their aggregates, but this is much more of an organizational problem than a technical one. Given the size of the fines I think the executive team will solve it.
Again, aggregates are usually sufficient here. But to do more one probably does need to build specialized data pipeline jobs that know how to decrypt the data for the job.
Fraud prevention is similar in difficulty to infosec, and it can hit margins pretty hard.
There are generally two phases: detecting likely targets, and gathering sufficient evidence.
For instance, I worked on a site where you could run a contest with a cash prize. Someone was laundering money through it by running lots of competitions and awarding their sockpuppets (which was bad for our community since they kept trying to enter the contests).
The first sign something was wrong came from complaints that obviously-bad entries were winning contests.
We found similarities between the contest holder accounts and sockpuppet accounts by comparing their PII.
Then, we queried everyone’s PII to find out how often they were doing this, and shut them down. I’m not clear how we could have done this without decrypting every record at once (I suppose we could have done it to an ephemeral DB and then shut it down after querying).
Customer support
For instance, lots of companies use (e.g.) ZenDesk to help keep track of their dealings with customers. This can end up holding information from emails, phone systems, twitter messages, facebook posts, letters, etc.
This stuff isn’t going to be encrypted per-user unless each of your third-party providers happen to also use the technique.
Summary: It’s not a complete technique, but you’ve gotten past my biggest objections and I could see it making the problem tractable.
Good question though: what happens if a citizen of the EU uses his right to be forgotten? Does the user have a shiny “permanently forget me” button? The account deletion feature seems to fall a bit short of that?
Actually you are wrong… as you have to make sure that user’s data is portable, meaning that it can be exported and transferred to someone else, and you cannot keep data if you do not need it… You also have to be able to show what data you have about the user… so if you cannot decrypt what you have to show the user… you are not compliant.
Those are two separate requirements of GDPR, and being able to export a user’s data in a reusable format is only required if they haven’t asked for their data to be deleted.
I think you’re missing a key part. If a user asks for their account to be deleted, you don’t need to be able to make their data portable anymore, you just need to get rid of it. If you delete the encryption key for your user’s data, you can no longer decrypt any data you have on a user - which means legally you don’t have that data. There is nothing to show the user, or make portable.
I wish the United States could enact a law like this, but who am I kidding?
[Comment from banned user removed]
I’ve downvoted you as troll because we don’t have anything like “unnecessarily rude”.
Please try to be less abrasive with your posts.
[Comment from banned user removed]
What doesn’t make sense about it?
Why do you think they are impossible to comply with? Germany has had laws like this for years and it works just fine.
I just thought about this for 30 seconds. Somebody sends me an email. Later they demand I delete it.
First off, I store email in an SQLite database. I have a “trash” function, but really deleting something requires some manual intervention and query writing. I suppose in a regulatory environment I’d automate that.
I also back things up with tarsnap. There’s no way to delete one file out of a backed up archive. I’d have to restore all relevant archives, delete the bad file, then back them all up again. I think I’d walk away at this point, too.
For your emails it depends on whether it is a private or business email. If it’s a business email, you can usually classify it as necessary in case of a tax audit, since you’ll need to show them to prove you had business with them. Anything not falling into the “required for tax audit” category should be deleted, yes.
For backups, they are out of scope for the GDPR if it’s infeasible or impossible to delete individual records, or if you have, as above, a legal obligation to keep them at least in the backups.
In practice it should be sufficient to keep track of customers who deleted their data and, in case of a recovery, re-delete the records upon restore. (Covered in Art. 17 §2 and §3 b, d and e)
The situation you describe was covered by 1995’s Data Protection Directive.
The right to be forgotten isn’t new?
You have the right to require the removal of data about you, except in certain circumstances in certain jurisdictions.
Also, information may remain in unallocated sectors on disk and swapped memory pages.
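The hard delete the posts above are circling around, written out as an added example (this is not code from anyone in the thread): a small SQLite mailstore with a soft-delete “trash” flag, a hard delete that skips rows flagged as needed for a tax audit, `PRAGMA secure_delete` so freed cells are zeroed, and a `VACUUM` so the rebuilt file no longer carries the deleted bytes. The table layout, the sample rows and the `retain_for_tax_audit` flag are assumptions made for this demo.

```python
"""Added example (not from the thread): hard-deleting one correspondent's mail
from an SQLite mailstore while keeping rows under a retention obligation.
The schema, sample rows and the retain_for_tax_audit flag are assumptions."""
import os
import sqlite3
import tempfile

SAMPLE_ROWS = [  # constructed sample data: (sender, subject, body, retain_for_tax_audit)
    ("carol@example.invalid", "invoice 0042", "Please find the invoice attached.", 1),
    ("carol@example.invalid", "lunch?", "Are you free on Friday?", 0),
    ("dave@example.invalid", "re: meetup", "See you there.", 0),
]


def open_mailstore(path: str) -> sqlite3.Connection:
    # Autocommit mode: VACUUM refuses to run inside an open transaction.
    conn = sqlite3.connect(path, isolation_level=None)
    # Overwrite freed cells with zeros instead of merely unlinking them.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute(
        "CREATE TABLE messages ("
        " id INTEGER PRIMARY KEY,"
        " sender TEXT NOT NULL,"
        " subject TEXT,"
        " body TEXT,"
        " trashed INTEGER NOT NULL DEFAULT 0,"
        " retain_for_tax_audit INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO messages (sender, subject, body, retain_for_tax_audit)"
        " VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def trash(conn: sqlite3.Connection, sender: str) -> None:
    """Soft delete, what a typical 'trash' button does. The bytes stay on disk."""
    conn.execute("UPDATE messages SET trashed = 1 WHERE sender = ?", (sender,))


def erase(conn: sqlite3.Connection, sender: str) -> int:
    """Hard delete everything from `sender` that is not under a retention obligation,
    then rebuild the file so freed pages are not carried along. Returns rows removed."""
    cur = conn.execute(
        "DELETE FROM messages WHERE sender = ? AND retain_for_tax_audit = 0", (sender,)
    )
    conn.execute("VACUUM")
    return cur.rowcount


def remaining_subjects(conn: sqlite3.Connection, sender: str) -> list:
    rows = conn.execute(
        "SELECT subject FROM messages WHERE sender = ? ORDER BY id", (sender,)
    )
    return [r[0] for r in rows]


def file_contains(path: str, needle: bytes) -> bool:
    """Crude check for a plaintext fragment in the database file itself."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo() -> dict:
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "mail.sqlite")
    conn = open_mailstore(path)
    private_body = b"Are you free on Friday?"

    trash(conn, "carol@example.invalid")
    on_disk_after_trash = file_contains(path, private_body)   # still there after 'trash'

    removed = erase(conn, "carol@example.invalid")
    on_disk_after_erase = file_contains(path, private_body)   # gone from this file
    kept = remaining_subjects(conn, "carol@example.invalid")  # only the retained invoice
    conn.close()
    return {
        "on_disk_after_trash": on_disk_after_trash,
        "removed": removed,
        "on_disk_after_erase": on_disk_after_erase,
        "kept": kept,
    }


if __name__ == "__main__":
    print(demo())
```

`file_contains` only inspects the main database file: the rollback journal or WAL, freed filesystem blocks (the point made just above about unallocated sectors and swap) and any backup archives are outside what this query can reach, so the retention flag and the erase query are the part that should be automated, and the rest is a storage problem.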
So correct me if I’m wrong, but other than the large investment of performing these audits, the only reason businesses would be upset about this is if the business is unsuspectingly selling that user’s data. It makes me believe the GDPR is actually a really good thing more countries need to implement.
If unable to comply, a business has a few options: fight it out in court, which will cost a pretty penny. Refuse to do business with the EU, which in the case of international businesses probably means a loss in revenue. You can also fork over the money, but unless you figure out a way to fix your stuff, you can be slapped again.
How on earth is stuff like this enforced when it applies to businesses with no EU presence?
Is it reasonable to expect that every person selling any product or service online must be knowledgeable about the laws of every single country on the planet?
Easy, you’ll get a nasty letter from a court in the EU. If you don’t plan on ever visiting an EU country or a country which likes to hand over people to the EU then you can safely ignore those.
If you plan to do business in that country, yes.
I don’t think extradition over this kind of case is likely.
IANAL
It’s not a criminal case, so it’s largely impossible.
They don’t have to extradite you to fine you, however; they can hold the case without your co. choosing to send a lawyer, issue a fine, then chase your bank for the money. If your bank wants to keep doing business in the EU, it’ll freeze your accounts.
I find it unlikely that any bank I could be with would do business in the EU – unless somehow wire transfer to EU banks count?
I mean, arguably, yes?
I don’t know about you, but I’m not really interested in enforcing Chinese censorship rules or Saudi / Indonesian blasphemy laws. I mean, they’re free to try, but it’s expensive to send a tank to Australia.
They don’t have to; they just have to convince the Australian government (or Australian banks) that you owe money for fines.
If you’re selling into China, or Saudi, then you ought be prepared to either comply or suffer the consequences of non-compliance.
Practically speaking, it isn’t.
Investigations are expensive; cases are prioritized according to ‘impact’. You’re not going to get big enough for them to notice without having an EU presence.
How exactly does the EU think it can make people not sell to EU citizens if they have no local presence?
[Comment from banned user removed]
Some pesky EU citizen registers with his e-mail and expects his or her private data to be private. What are those pesky EU citizens even thinking, that data should be left unsecured, sold to third parties and be used in any other fashion for profit at the expense of the customer!
[Comment from banned user removed]
The fact that you’re using EU and governments interchangeably tells a lot about how much you understand how things work in the EU, especially how laws get passed.
The EU is like an additional layer of rulers, on top of your local rulers.
Consider the implications. What do you think I’m missing?
Your description is wrong.
There are two main bodies: the European Commission and the European Parliament. The European Commission is responsible for proposing legislation and implementing decisions (and other stuff, but that’s not relevant right now), and the European Parliament’s members are elected by citizens in the various EU member states. Those members of the European Parliament elect the members of the European Commission.
As a member of the EU, it’s true that you can’t have any kind of legislation that’s against the current EU laws, but the same applies to local by-laws vs federal laws, for example. But by no means can this be translated into “a layer of rulers on top of local rulers”. The format is somewhat similar to the US Congress, which is at the federal level, and each state’s elected officials, and I don’t think you can call a representative or a senator “a ruler on top of the state ruler”. The European Union is a bit more divided than the US so the dynamics are obviously quite different, but it’s very helpful to have something that can minimize the impact of various far-left or far-right leaders (one example would be Hungary’s Viktor Orban, but there are others as well).
Also, what you say implies that there’s some sort of agenda that some people have and steer the EU into one direction or the other. The best argument against that is the convoluted process of passing any kind of laws: basically the European Commission proposes a law, it gets pushed to the Parliament, which can propose some changes and sends it back to the EC and the process is restarted and if they don’t agree on the second reading then a third body, the European Council, is added to the discussion for a “trilogue”. As you can well imagine, this usually takes years. For example, the proposal for GDPR was submitted on the 25th of January 2012.
You are actually right, but I think instead of “deciding that you’re fucked” it will most likely be someone who complains about unsolicited mail or something, and it will point the EU towards the company and they will start investigating. Then it will be 20M per infraction or, worse, 4% of your income.
GDPR is covered by trashing encryption keys.
I’d like trashable per-customer keys to be a good answer, but:
Lobsters is open source. Anybody want to make a patch to make it use per user keys? I’m curious to see what’s involved.
I suspect it’s “the site admin writes a query”.
I see your point and that indeed works only for deletion requests.
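The “trash the key” approach argued through above, as an added example that is not code from the thread or from Lobsters: each user’s records are stored only under that user’s data key; an erasure request destroys the key, so ciphertext that lingers in backups is unreadable; and an erasure ledger kept outside the backups is replayed on restore, which is the “re-delete the records upon restore” suggestion from the backups subthread. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC so the demo runs on the standard library alone; that construction, the `Store` class and the sample users are assumptions for illustration, not a recommendation (use AES-GCM or similar in real systems).

```python
"""Added example (not from the thread): per-user data keys, erasure by key
destruction, and backup restore that re-applies an erasure ledger.
The keystream cipher is illustrative only; use a vetted AEAD in practice."""
import copy
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256; illustrative only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Store:
    """Records exist only as ciphertext under the owner's key. In a real system the
    key store, the record store and the erasure ledger are separate durable stores."""

    def __init__(self):
        self.keys = {}       # user_id -> data key; the only copy that exists
        self.records = {}    # user_id -> list of ciphertext blobs
        self.erased = set()  # erasure ledger: ids whose keys must never come back

    def put(self, user_id: str, plaintext: bytes) -> None:
        key = self.keys.setdefault(user_id, os.urandom(32))
        self.records.setdefault(user_id, []).append(encrypt(key, plaintext))

    def read(self, user_id: str) -> list:
        key = self.keys.get(user_id)
        if key is None:
            return []  # no key: nothing recoverable, whatever ciphertext remains elsewhere
        return [decrypt(key, blob) for blob in self.records.get(user_id, [])]

    def forget(self, user_id: str) -> None:
        """Erasure request: destroy the key. Ciphertext left in backups stays unreadable."""
        self.keys.pop(user_id, None)
        self.records.pop(user_id, None)
        self.erased.add(user_id)

    def snapshot(self) -> dict:
        return {"keys": dict(self.keys), "records": copy.deepcopy(self.records)}

    def restore(self, snap: dict, ledger: set) -> None:
        """Disaster recovery: load a snapshot, then replay erasures that post-date it."""
        self.keys = dict(snap["keys"])
        self.records = copy.deepcopy(snap["records"])
        self.erased = set(ledger)
        for user_id in self.erased:
            self.keys.pop(user_id, None)
            self.records.pop(user_id, None)


def demo() -> dict:
    store = Store()
    store.put("alice", b"alice@example.invalid")  # constructed sample data
    store.put("bob", b"bob@example.invalid")
    backup = store.snapshot()                     # taken before alice asks to be forgotten
    store.forget("alice")
    ledger = set(store.erased)                    # lives outside the backups

    # The backup still holds alice's ciphertext, but no key survives to open it.
    stale_blob = backup["records"]["alice"][0]
    try:
        decrypt(os.urandom(32), stale_blob)
        readable_without_key = True
    except ValueError:
        readable_without_key = False

    store.restore(backup, ledger)                 # restore must not resurrect alice
    return {
        "bob": store.read("bob"),
        "alice_keyed_after_restore": "alice" in store.keys,
        "alice_records_after_restore": store.read("alice"),
        "stale_blob_readable_without_key": readable_without_key,
    }


if __name__ == "__main__":
    print(demo())
```

The ledger is the part that has to outlive every backup: if it is lost, a restore from an old snapshot silently brings the key back. Expiring backups after a fixed window, as suggested earlier in the thread, bounds how long the unreadable ciphertext sits around; it does not replace the ledger. This only serves erasure requests: an access or portability request for a user whose key still exists is answered by decrypting and exporting, exactly as the last reply above concedes.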