I really hope nothing remotely similar to gdpr is written into legislation in the US. I do not even know how I would get started writing a website that would adhere to GDPR requirements
So, on the one hand, I really would like a GDPR equivalent law in the US.
OTOH, anyone who says they clearly understand the implications of GDPR for their site has either spent a lot of money on lawyers or is lying. Let alone someone who has implemented it. Privacy by design requires deletion of data after legitimate interests and/or consent have expired, probably (!!!) in 3rd party systems. How, precisely, do you implement that?
Can you shadow-delete accounts for some period of time to allow users to change their minds? If no, what UI do you put on a "delete my account" button that has absolutely no undo, even in the 24h regrets period?
Do people have GDPR privacy rights over eg comments on YC that may mention them by nym?
Given the GDPR covers EU residents (not just citizens), as an American can I buy a plane ticket to Dublin and start requesting full data dumps? What rules are those provided to me under, and how do you make software that can do that?
There are plain english guidelines available for the GDPR, in the UK they are published by the ICO which is the government agency tasked with enforcing the law. I'm sure there are edge cases which aren't fully documented but as long as you're not pushing the edges of the law and are trying to stay within the spirit you will be fine. Probably.
0. You require the third party you passed the data on to delete data when you tell them. The third parties should tell the person that they now have their data, where they got it from, how they will process it and how to get in touch with their data protection officer.
1. You can but you must also allow someone to delete in full (assuming none of the many reasons to reject removal requests apply or you don't wish to exercise them).
2. This is murky, but probably not. There's a right of freedom of expression and information.
3. No, you have to be a resident, not a visitor. You'd have to see how Eire defines residency.
> OTOH, anyone who says they clearly understand the implications of GDPR for their site has either spent a lot of money on lawyers or is lying. Let alone someone who has implemented it.
It's long but the language is far easier than American legalese. The implications depend on your site/service behaviors. An RSS reader is pretty trivial, interactive social media... less so.
> Privacy by design requires deletion of data after legitimate interests and/or consent have expired, probably (!!!) in 3rd party systems. How, precisely, do you implement that?
Privacy by design is a design philosophy; it might be a pain to refactor into an existing system, but the design constraints aren't onerous.
If your "3rd party system" is something like AWS, just delete the data. If you're sending it off to some other service, they do need to be GDPR compliant (the law covers this situation).
re: legitimate interests, we partitioned our data. Access logs, for example: one stream gets anonymized for simple analytics, another gets dumped into in-depth weekly analytics jobs, and the final log stream outputs encrypted auto-expiring S3 files with strong access control for infosec purposes. When a user withdraws consent, we just stop logging new information. Truly anonymized data is OK, our in-depth analytics data is purged within 14 days, and InfoSec is a justifiable legitimate interest.
> Can you shadow-delete accounts for some period of time to allow users to change their minds?
Yes. GDPR does not require instant response. You should be transparent about what will be kept and for how long; a clearly communicated 24h shadow-delete is completely reasonable.
> Do people have GDPR privacy rights over eg comments on YC that may mention them by nym?
This is a good question, I'm also curious about quotes. The recent Google case suggests both fall under GDPR.
> Given the GDPR covers EU residents (not just citizens), as an American can I buy a plane ticket to Dublin and start requesting full data dumps? What rules are those provided to me under, and how do you make software that can do that?
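The partitioned logging described in the reply above (one anonymized stream, one identified analytics stream purged within 14 days, one expiring infosec stream that continues under legitimate interest after consent is withdrawn) as an added example; this is not code from the original comment, the in-memory sinks stand in for the S3 buckets, the 90-day infosec retention and the consent registry are assumptions, and encryption at rest and the S3 lifecycle rule are assumed to be provided by the storage layer:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention periods: the 14 days comes from the comment; the 90-day infosec window is an assumption.
ANALYTICS_RETENTION = timedelta(days=14)
SECURITY_RETENTION = timedelta(days=90)


@dataclass
class AccessEvent:
    user_id: str
    ip: str
    path: str
    ts: datetime


@dataclass
class Sinks:
    """Three destinations standing in for the three log streams (in-memory here, S3 in the comment)."""
    anonymized: list = field(default_factory=list)  # no identifiers, may be kept indefinitely
    analytics: list = field(default_factory=list)   # identified, consent-based, 14-day purge
    security: list = field(default_factory=list)    # identified, legitimate interest, expiring


def anonymize(ev: AccessEvent) -> dict:
    # Truly anonymized: user_id and IP are dropped outright (a salted hash would still be
    # pseudonymous and re-identifiable by whoever holds the salt); timestamp coarsened to the hour.
    return {"path": ev.path, "hour": ev.ts.replace(minute=0, second=0, microsecond=0).isoformat()}


def route(ev: AccessEvent, sinks: Sinks, consent_withdrawn: set, now: datetime) -> dict:
    """Fan one access event out to the streams it may reach; returns which streams received it."""
    sinks.anonymized.append(anonymize(ev))
    sent = {"anonymized": True, "analytics": False, "security": True}
    if ev.user_id not in consent_withdrawn:
        # Consent-based stream: once consent is withdrawn nothing new is written here.
        sinks.analytics.append({"user_id": ev.user_id, "ip": ev.ip, "path": ev.path,
                                "ts": ev.ts, "expires_at": now + ANALYTICS_RETENTION})
        sent["analytics"] = True
    # Legitimate-interest stream: still written after withdrawal, but access-controlled and expiring.
    sinks.security.append({"user_id": ev.user_id, "ip": ev.ip, "path": ev.path,
                           "ts": ev.ts, "expires_at": now + SECURITY_RETENTION})
    return sent


def purge_expired(sinks: Sinks, now: datetime) -> int:
    """Drop every identified record whose retention window has passed; returns how many went."""
    removed = 0
    for name in ("analytics", "security"):
        records = getattr(sinks, name)
        kept = [r for r in records if r["expires_at"] > now]
        removed += len(records) - len(kept)
        setattr(sinks, name, kept)
    return removed


def demo() -> dict:
    # Constructed sample events and consent state, not real data.
    t0 = datetime(2018, 5, 1, 12, 30, tzinfo=timezone.utc)
    sinks = Sinks()
    withdrawn = {"u2"}  # u2 has withdrawn consent before these requests arrive
    events = [AccessEvent("u1", "203.0.113.5", "/feed", t0),
              AccessEvent("u2", "198.51.100.7", "/feed", t0 + timedelta(minutes=1))]
    for ev in events:
        route(ev, sinks, withdrawn, now=ev.ts)
    before = (len(sinks.anonymized), len(sinks.analytics), len(sinks.security))
    purged = purge_expired(sinks, t0 + timedelta(days=15))
    after = (len(sinks.anonymized), len(sinks.analytics), len(sinks.security))
    return {"before": before, "purged": purged, "after": after,
            "anon_has_ids": any("user_id" in r or "ip" in r for r in sinks.anonymized)}


if __name__ == "__main__":
    print(demo())
```

The split matters for the deletion question raised earlier in the thread: withdrawal only has to stop one stream, the analytics data ages out on its own, and the infosec copy is the only place a consent-withdrawn user's identifiers survive, so that is the one place that needs the strong access control the comment mentions.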
> It's long but the language is far easier than American legalese. The implications depend on your site/service behaviors. An RSS reader is pretty trivial, interactive social media... less so.
Except the GDPR is full of hand-wavy stuff. Who needs a DPO? What is "large scale" in that context? How exactly do you conduct a legitimate interest balancing test? Who is your lead regulator and under what criteria as an American company can you decide?
Also, people have a lot more 3rd party systems than most think. Think transactional mailers, marketing mailers, billing systems, payroll, zendesk, etc.
And even an RSS reader is scary. What if someone follows a series of blogs about HIV treatments, or internal trade union politics? If that means you could infer the person is poz or is a member of that trade union, you now have heightened scrutiny data in your possession.
GDPR has explicit provisions for all of these legitimate interests (notifications, clients, employees, customers). Most of these services are aware of and planning for GDPR, I wouldn't want to work with any that aren't.
> And even an RSS reader is scary. What if someone follows a series of blogs about HIV treatments, or internal trade union politics? If that means you could infer the person is poz or is a member of that trade union, you now have heightened scrutiny data in your possession.
Right, and I like that! Attempting to derive sensitive information should require consent, transparency, right to rectification, and stringent data handling requirements. It sounds like overkill for an RSS reader, but why the heck does an RSS reader need to do that kind of profiling in the first place? Maybe that's the right level of scrutiny and prior applications were unwarranted?
On the other hand, there are no concerns with simply storing the followed blogs.
> Except the GDPR is full of hand-wavy stuff.
Can't win, legislation is either micromanaged or hand-wavy... it's worth noting that some of the hand-waving is actually business friendly.
I'm not saying these laws are perfect. There is definitely room for improvement, but this is still a consumer win over the pre-GDPR wild west.
3rd party: the fact remains that doing deletions, both as a consent withdrawal and a privacy by design, is extremely complex. Particularly when privacy is withdrawn before a LI expires. You can hand wave it away as gdpr provides for this -- which isn't at all responsive to what I said -- but it's difficult to do nonetheless.
I never said the RSS reader is profiling. They don't have to be. Does the mere presence of the inescapable user data -- ie what feeds they monitor -- create heightened scrutiny, because someone else could infer with that data, were it to be leaked? It well may. I would seriously consider blocking EU users until this is sorted out.
Worse, the RSS reader could offer suggested feeds, and accidentally find themselves in possession of such data, entirely accidentally. Even if users were clearly asked if they wanted to see suggested data, or allow their data to be used to suggest feeds. They may not intend to derive sensitive data to possess it.
Or suggest you have a site like YC, and someone puts "hi, I'm poz" in their description. Tada, sensitive data.
The GDPR should have defined when a DPO is required, what a LI balancing test is, etc. Alternatively, the orgs could have pretended to be competent and issued guidance before -- oh right, they haven't issued final guidance yet. I'm sure 6 weeks is plenty of time.
Thank you for showing me the supposedly trivial guide to understanding GDPR. The only thing that website has shown me is that no globally competitive tech company will ever grow out of the EU for the next hundred years or so.
So? Perhaps one of the facets of the GDPR is the EU’s willingness to accept that fostering “globally competitive tech companies” may not be in the best interests of itself or its citizens.
Meth labs also create products with mass appeal and briefly high-paying jobs. Considering how social media is eroding American political discourse, Europe may be better off in the long run even if GDPR is as bad as you imagine.
If people were educated with how the internet works they would know that the second you load some piece of content from someone else's servers they have your information as well.
> If people were educated with how the internet works they would know that the second you load some piece of content from someone else's servers they have your information as well
People aren't. That's why we have laws like Lemon laws [1]--so everyone doesn't have to be a specialist.
Yes, clearly every website user should have an in-depth understanding of how DOM elements are generated on the browser. Seriously, how can one know how a button is produced on a page without inspecting the underlying source code, or looking at the network traffic on the developer console? Even then, this behavior can be obfuscated in the code, and in order to produce the page to generate the content to inspect, you've already generated the remote ping.
Oh I completely understand that. What I meant to really say is that at least in some realms we already do consider IP addresses as personal information that should be protected.
Do you not understand how platform apis work? If you sign up for a third party app using Facebook and give them permission to access all your data, you should expect them to capture all of your data.
Are you sure everybody who clicked "ok" was aware of the distinction?
Pointing the finger at their contractors is an easy way for Facebook to shift blame. They knew what was going on. And they eagerly participated on their side of the deal.
Shift blame? Facebook created an API that would allow people to create genuinely useful apps provided that users allowed them to access their data. I can think of a thousand interesting use cases for the data Facebook provided through their api.
One bad actor screwed everyone.
I'm surprised at how few people on hackernews have ever built or worked with apis.
Facebook essentially built an open platform and now they are being punished for it because people are too stupid to understand what they are signing up for.
I may deplore that people are falling for a fraud, but I will still hold the fraudster in contempt. Not the people. So please don't call people stupid. They're up against something they are not prepared to understand.
The Facebook API needs special quarantine whenever I work with it. To protect my users.
Relying on cognitive limitations of your subjects to get agreement you wouldn't get if the subjects were fully-informed is fraudsters' domain.
And since the article is called "What Data Does Facebook Collect When I’m Not Using Facebook?" I'd like to point out that I never agreed to Facebook tracking my browsing habits. I couldn't say they were clear and forthcoming about their tracking because we never met. Are you saying they wouldn't do it without my explicit permission? Because that would be news.
Against all my instincts, even though this post is unconstructive and snarky and flame bait, and even though I am European (or perhaps because of it), I have to upvote this. European people, those voting for representatives voting for representatives (!) making the laws, need to start feeling the negative feedback of the regulations. I’m not saying there are no benefits to consumer protection; there are, I am a massive GDPR fan, but we are too unaware of the opportunity price we pay for this.
Be aware, fellow Europeans: there is a cost to all regulation. If you feel like a constant afterthought, maybe it’s because you are.
(I know these are not necessarily specifically related to this Stripe product. It’s more of a cultural undertone. What I’m trying to say is: the parent comment has a point.)
As a fellow European living in the US I feel divided about this: while the opportunity cost is high and the business environment is definitely stifled by regulation, the quality of life and health consequences of the lack of regulation in the USA are massive and there's very little recourse for the little people against the criminal misbehavior of corporations.
There must be a happy medium between the two positions, I don't know that a country has gotten it right yet but the US is no paradise.
There is no lack of regulation in the USA; it's just that the USA has some wrong regulations that create the horrible results you see sometimes. Most of it is from a lack of single payer healthcare and a public culture of infrastructure neglect with high amounts of waste compared to pretty much everywhere else in the world.
I really think it comes down to legislation philosophy. In the English speaking countries, cost of compliance is something that is thought about for small businesses, so many regulations are small business exempt until you get to certain employee counts or revenue numbers.
In the EU, that concept doesn't seem to exist and businesses of 1 are assumed to be $100M revenue businesses that can afford to do things like GDPR properly.
If you are a 1 man show, how about not collecting data you most likely don't need anyway? And the 4% global revenue fine the GDPR is famous for does exactly what you want -- scales with the means of the business.
Last I saw there was a minimum fine of x million Euros.
Edit: had to verify. It seems a bit more reasonable: """Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines. The first is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. The second is up to €20 million or 4% of annual turnover of the previous year, whichever is higher.""" - https://www.gdpr.associates/what-is-gdpr/understanding-gdpr-...
Yes, because a minimum fine of $10 million for a 1 person business is totally reasonable, unless by the grace of the bureaucracy, they decide to give you a warning instead. /s
Also the GP post: there is more to it than 'avoiding collecting data'. If you have a text-field comments form and a 3rd party puts 'personal data' in that, then that is GDPR liable! You also need audit logs and a list of other requirements that need multi engineer teams to implement properly.
As a result, most small businesses with email are probably not going to be properly compliant on some level and you can prosecute anyone. Just like the new-ish VAT laws, large stores are going to be compliant because they can afford it, while some petty bureaucrat will prosecute the small online shops instead.
I don’t see your logic. Of course new features of a US company are going to be focussed on their home market first.
And claiming that regulation in the EU is stifling business is a bit naive. Regulation is everywhere. Have you ever tried to sell an app that uses encryption (like TLS or SSH) on the app store? The stuff you need to do in the US for "export compliance" is ridiculous (even if it's an app that wasn't written in the US in the first place).
I doubt that EU regulations are more onerous than their US counterparts. And, obviously, the EU is mostly just replacing country-specific regulations, making it about 16x easier to enter the European market.
I'd also like people to name specific regulations they disagree with, yet any time I challenge s/o they slink away.
In this case, a stripe rep in this thread posted a list of their todos for the EU. Note that literally "putting VAT ID numbers on invoices" makes their top 5! Can't be that bad after all:
"localize the invoices, add EU specific payment methods to invoices, improve tax support, make default invoice templates EU compliant with VAT ID"
US requirements around what we put on invoices: 0
EU requirements around what we put on invoices: Still figuring it out
The technical implementation is not difficult. It's dealing with all the lawyers and accountants who have to understand regulations of 27 different countries.
There is a significant difference between "not regulated" and "regulated at all". The burden of understanding the regulation itself is a cost, even if the actual compliance turns out to be simple.
His opinion "I wonder why the EU is an afterthought when you need to spend millions on compliance for every new feature" is not backed up by any facts.
If he had said that meeting the legal requirements in 28 different independent and sovereign countries adds too much cost then he would be correct.
Remember the EU Single Market and Custom Union does not cover every aspect of commerce and industry across all 28 member states.
Having said that, the Payment Services Directive 2 (PSD2) which applies to Stripe, will remove any remaining barriers and costs that still exist between member states when applied to the provision of electronic payments. If one was to add in the eIDAS directive then meeting compliance for identity, fraud, etc will soon be irrelevant.
The EU has been moving towards more standardization for quite a while now. The most prominent example is the euro coin. And although the GDPR may seem to many like another regulation to comply to, it's actually a unifying regulation because now you don't have to deal with separate privacy laws for each member state.
From a tax point of view, EU is a lot easier to deal with than the US if you have to collect sales tax in the US.
There are two big differences.
Let's say I'm selling some digital good online. Consider three purchasers, one in the US in the state of Washington, one in Germany, and one in France.
First, how much tax do I have to collect from each?
For the German customer, that is easy. It is 19% VAT. I don't have to care where in Germany they live.
For the French customer, that is easy. It is 20% VAT. I don't have to care where in France they live.
For the US customer in Washington...it is not easy. There is a state wide 6.5% sales tax, but there are also county, city, and other sales taxes that I have to collect. For example, if the customer is in the city of Seattle, I'm supposed to collect the 6.5% state tax, plus a 2.7% city tax, plus a 0.4% for something called the "Regional Transit Authority"...that's 9.6%. If that person is over in Bellevue instead of in Seattle, it would have been 10% (6.5% state, 3.5% Bellevue).
For the US customer, I have to care where in their state they live. Also, tax boundaries are not guaranteed to line up with postal code boundaries, so to do that tax accurately I really would need to collect their full postal address (which since I'm selling a digital good I have no use for except for calculating taxes).
Second, what do I do with the tax I collect?
For the EU, I sign up for the VAT MOSS system in a single EU country. Then each quarter I have to file a simple form with the tax authorities in that single EU country that simply lists each EU country, what my total taxable sales were in that country, the VAT rate I used, and the amount of VAT collected. I turn the collected VAT over to that single country's tax authorities. Then they deal with distributing it to all the other countries.
For the US...I have to deal with each state I collect tax for separately. Each has its own forms. Each has its own place to file them. Each has its own place to pay.
If you have to deal with more than just your own state and maybe a handful of others in the US, you pretty much have to use a third party service that specialized in handling all of this. For companies in lines of business that are only barely profitable, this could be prohibitively expensive.
If Congress ever decides to require online companies to collect tax for all states, instead of just those that they have a presence in, and they do not require that the states use something like the VAT MOSS system, and they do not require that each state has a single rate for out-of-state non-present sellers, it's going to be a nightmare for small companies, and possibly drive many out of business.
The situation wouldn’t be nearly as bad if the federal government offered some sort of API or search service to which all states would have to report, but this is currently only being addressed by the private sector. And at kind of a prohibitive price for very small businesses, in some cases.
Fortunately, there’s almost no enforcement at all with respect to small- to medium-sized businesses collecting and reporting interstate sales tax. Do the best you can with it.