Two years was not long enough, these plans were (wait for it)...
on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying
"Beware of the Leopard"
Folks trying to read the NY Daily News, say, or the Chicago Tribune – the third-biggest US daily newspaper – online from a location within the EU have been blocked from visiting the websites due to new data protection laws. Visitors in the bloc trying to load articles from the Tribune, or stablemates the Los Angeles Times – …
Not only that, but nearly all of the emails asking me for consent are doing it via MailChimp whose terms and conditions make it clear they will be taking this info for themselves, aggregating it and then using it to spam me from outside the GDPR zone.
This includes my landlord who claimed he needed consent to have a copy of my email address in order to communicate with me, and in order to allow him to email me, I would have to give my email address to this US based email marketing firm.
None of the companies who send me emails need to get consent under GDPR as they are using the data for the purpose for which it was collected, are keeping it securely, and are not passing it to others. However this GDPR consent via MailChimp is breaking all those rules and more.
MailChimp have it so spectacularly wrong - pretty much on every point, not helped by some of the, ahem, "less well informed", staff at the ICO.
One totally wrong claim that they tried making is that they are not a Data Processor, because somebody at the ICO said they were exempt, for no valid reason whatsoever. They are categorically a Data Processor, with the client organisation being the Data Controller. This isn't an uncommon arrangement and is very simple and needs nothing much more than a simple Data Processing Agreement between the two parties. On MailChimp's side they must ensure that they stick to the terms of the Data Processing Agreement and in particular do not export the data to third countries, which is pretty much any country outside the EU - in particular regimes like the US which have no data protection laws whatsoever (Safe Harbor was worthless, Privacy Shield is equally worthless). "All" MailChimp really needed was to implement EU servers and to restrict access to these to MailChimp EU staff, which is something that they should largely have had in place anyway.
Just one of the reasons why we recently chose a different bulk mailer...
You probably did not sign up to their sites. They probably bought a mailing list and added it.
I ran a company that closed down in 1998. I still get emails from all sorts of companies wanting to do business with the long extinct company.
Just one of the costs of .... I can't think of a reply that would not get censored.
See Icon for what I'd like to do to the people selling my old company email address on after all these years.
There seem to be a lot of businesses lingering on directory sites. Several list the Scunthorpe HMV store which closed in 2013. So you search for a business, Google connects you to a directory site, and you are targeted by several adverts. It doesn't matter to any of them that they're handling false data.
When they're so obviously getting data wrong, I can't really expect them to stay within the law on personal data.
Oh, you used to hear about a "Chattels Auctioneers", and it looked like a defunct business, with part of the sign remaining. Problem is, "goods and chattels" is a term of art in the auctioneering trade, the sort of general auctioneering business associated with house clearance. I found an older picture showing the complete sign, with a business name and that phrase.
The GDPR isn't going to do anything to stop that sort of bad data.
But that's the point. The plans were NOT on display in the bottom of a locked filing cabinet... They WERE on display, wide out in the open, with people megaphoning that something was going to happen.
It took less than five seconds to find this:
> Two years was not long enough, these plans were (wait for it)...
No amount of years may be enough if what you are doing with the users' private parts is not legal to start off with.
Goodbye and thank you for admitting to be utter scum. You will not be missed. Can we have a bit more of that please.
I am still wondering what this GDPR is supposed to do for me. I live in the EU zone but ... I still get spam from US companies all the fecking time. Also, I have a US number and you would not believe the amount of calls I get coming from spoofed euro numbers. Once I called them back and it was a German company and they are like.... what are you talking about we never called you, because their number was used by spoofing to call me and I cannot get it to stop. It makes me mad I can't stop them because it is a US number but I mean. I am located in Europe.
"There's no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years, so you've had plenty of time to lodge any formal complaint and it's far too late to start making a fuss about it now…"
No they were not, this has been public knowledge for a long time, sites have been posting articles about it for a long time, bloggers have been blogging about it for a long time.
But in typical fashion, lazy companies stuck their heads in the sand and ignored the issue and left it until the last minute to take action, so we all get a billion emails in the last couple of weeks about new privacy policies.
I'm in the UK. I fully expect EU sites to comply to EU regulations. If I choose to visit a site in a different jurisdiction I fail to see why the EU should have anything to do with that. I know that the EU says it is so, therefore it is, but still it sticks in the craw.
This feels like the thin end of a very wide wedge. Possibly, the end of the world (wide web) as we know it.
I am discombobulated by this.
>> but you have to take into account the purpose of the legislation
Oh, puh-lease! Think of the children. We only did it to protect you. It's in your own best interests. The EU knows best. Along with patriotism, the restrictions for the greater good, are the last refuge of a tyrant. What I'm seeing here is tyranny writ large. Why should a US corp have to jump through hoops to satisfy the megalomaniac leanings of whoever it is who drafts and passes these EU laws?
I was getting on pretty well with my ad-blockers thank you very much. If a site required them to be disabled to enable me to view its content then I could make my own decision as to whether that was a trade I was prepared to make. If a site required registration, again, I could decide for myself.
Now, I have no choice. Except being of a technical bent I could always subvert the ban. But why should I have to?
If they have no physical infrastructure, advertising/marketing/sales operations, tax obligations, etc, etc, etc within the EU then they don't. My credit card lets me make purchases in any currency (and charges for the 'service',) anywhere in the world. So there's no difficulty buying huhkl-flendlegroodlers from a one-man-band in Finknottlestan, whose entire operation is run out of a self-hosted website in his outside toilet. In such a scenario the vendor has no GDPR obligations.
This answer is spot on.
No idea why some political commissars in the Polit Bureau in Brussels think that whenever a citizen of an EU wants to hand personal data to a US based company, using a US website, European laws apply to this transaction.
Nobody sane would think it is. But maybe the idea behind GDPR is to bar Europeans from US sites, why would they otherwise accept a law which conflicts with US regulations like the CLOUD act.
"...that whenever a citizen of an EU wants to hand personal data to a US based company..."
The "wants" part is meaningless without informed consent, and that's just what the GDPR provides. What data is being taken, with whom it's shared and for which uses. Doing otherwise would be similar to allowing people to sell themselves into slavery by signing an obscure/incomplete contract.
>political commissars in the Polit Bureau in Brussels
I'm going to do something I rarely do and respond to a troll.
@naive - You sir or madam, are an arsehole. Pure and unmitigated. Your post is absent of any logic, thought, basis in reality or fact. Not only do you fail to understand the whole purpose of GDPR, you fail to understand how the EU works.
You may also want to note that it is one word, spelt Politburo, comes from the Russian, and refers to the main decision-making body of a communist party. The merits or otherwise of communism as a political system aside (there are many long books on the subject), to imply that the EU Parliament is a manifestation of communism is so mind-bogglingly ignorant and stupid that I can only assume that the OP was repeatedly dropped on their head at some point in their early childhood, but miraculously survived the head injuries.
"Why should a US corp have to jump through hoops to satisfy the megalomaniac leanings of whoever it is who drafts and passes these EU laws?"
For the same reason a company based somewhere in the world has to "satisfy the megalomaniac leanings of whoever it is who drafts and passes these USA laws" if it wants to trade in the US.
> you have to take into account the purpose of the legislation
The road to hell is paved with good intentions. Purpose is not an excuse for idiotic implementation. "Right to be forgotten", please! If I committed your personal data to memory, will I have to undergo brain surgery when you request to be forgotten? The very idea is mind-bogglingly stupid.
> The road to hell is paved with good intentions. Purpose is not an excuse for idiotic implementation. "Right to be forgotten", please! If I committed your personal data to memory, will I have to undergo brain surgery when you request to be forgotten? The very idea is mind-bogglingly stupid.
Hardly, though your apparent understanding of it seems to be... suboptimal. Unless you work for Facebook or something?
If you really want to subvert GDPR, please feel free to post all your personal details, bank statements, life story, movements and contacts for the past year and diary appointments online. Make sure to sign up with every dodgy injury lawyer call centre so they can phone you regularly to check you haven't been in an accident that wasn't your fault yet. It's still entirely your right to do that. However, bafflingly, not everyone chooses to. And companies that want to do business in Europe now have to respect that choice.
As for US sites crying "woe is us, GDPR doesn't let us serve you pages", they're basically saying they can't serve a page without collecting *identifiable* information on you. That's astonishing given the basic requirement to serve up a news story and a few ads. If you popped into the newsagents to buy a paper and got into a conversation about what you'd been up to that morning and where you were going on holiday, that might seem a normal human interaction. If they started writing it down you might get worried. If they asked to inspect your phone you'd think things were getting weird. If during that conversation a stranger enters the shop and gives a report on your movements over the last 24 hours because they've been following you on behalf of the local shopkeepers you'd leave and consider calling the police.
There should be no problem deleting a person's record from current data. Soon after that, the record should disappear from backup areas.
Archives are another matter. Yes, archives are different from backups. It may be difficult in practice to delete from an archive; but it is also morally wrong.
Readers of the novel 1984 may remember Winston's day job: editing archived newspapers to harmonise old stories with modern political requirements. (Only the government was permitted to keep archived newspapers, of course.) Most of us will, I hope, feel uncomfortable with that.
I thought they were doing business on the web? Is the EU now the governing body for the "internet"? Last I remember the US invented the thing. If anyone should be doing anything it should be the EU ISPs that should be putting out warnings that you could go to big bad USA sites and "opt in".
Second, the end user initiates this business transaction. You never had to go to an American site and see their ads. Go to whatever European equivalent there is. You don't have to be on Facebook to survive. Can you name one American website where there is not something hosted in Europe? If you can that is pretty sad...and also an opportunity for you to start a business...but I realize how hard that is in Europe these days.
If you want to pay for your content there are options for that, but it sounds like you are just an entitled child that somehow thinks even this very site can exist without some sort of revenue. You probably have an ad blocker on and then complain about the "web".
The real issue here is about jurisdiction. If I'm running a brick and mortar company in the US and a European visits my shop I don't have to abide by any laws that the EU creates. But somehow my website does?
Americans get a bad taste in their mouth when they start getting governed by a foreign power, many miles away without a vote in the system.
My guess is the courts will nullify the power of most of GDPR outside of the EU when the rubber hits the road and some company has to pay big bucks and not just update privacy policies.
If this is all about getting tracked on the web, then start paying for things because you know dang well you were paying with your personal info...and now you are mad at the obvious consequences you were too mentally lazy to predict.
"Last I remember the US invented the thing."
Not really, no, yes, sorta. The US assembled bits and pieces to make the internet, some they invented, some they expanded on, some they "stole". The WWW was invented by Tim Berners-Lee if anyone. Packet switching originated in the UK too.
I agree. If the EU start trying to impose rules and levy fines on websites outside the EU, it's likely to quickly degenerate into a situation where the EU internet is firewalled off from the rest of the world's internet, and we have a similar situation to what they have in China.
In fact, it wouldn't surprise me in the slightest if that is the real intent. Western Europe has a major ongoing problem where its governments are importing large numbers of Third World migrants and providing them with free housing and other benefits, all against the wishes of the majority of its indigenous citizens. They've also been systematically hiding high levels of serious crimes committed by the migrants. It's fast reaching boiling point in the UK, and probably a number of other countries too. If they can find a pretext to firewall the EU's internet off from the rest of the world, it'll make it easier for them to shut down online discussion of politically sensitive topics. I can't help but wonder whether that's what's really going on with GDPR, and with the planned Article 13 copyright restrictions, and I can't believe how the majority of commenters appear to be cheerleading the whole thing. Maybe the EU has paid stooges commenting and liking posts, apparently they've been caught doing that in the past!
There's no right answer here though. The principle of an EU citizen owning their data is a solid base. Applying that to EU companies only would make the whole thing pointless.
Applying that to all companies sets unfortunate precedents. (Precedence? Not sure which is correct)
In my mind, the relevant thing is that the data is about an EU citizen and if you want to hold data on that citizen, you need to follow the jurisdiction of the governing body.
But on the other hand, we all came down on the US like a ton of bricks with the data held on Irish servers (I think that was an American's data), and certain countries with even more questionable attitudes to personal freedom than the Land of the Free and the UK could push this further.
But on the other other hand, as mentioned above, only applying this to EU companies would make it pointless.
In the case of the US vs Microsoft, it wasn't a matter of whether or not the US could get that data, it was data held for a US citizen and the US justice department, FBI, etc. definitely had a right to get a court order to get it.
The problem was that they tried to enforce a US court order against a US company for data held by a subsidiary in Ireland, with which the US has agreements on how to handle this kind of thing.
On a related point, all of those websites now shuttered to EU people? If any EU people EVER visited them and they hold data on them from that visit, they are subject to GDPR anyways. Shuttering the website because you're not compliant just makes you look like a target because you're admitting non-compliance.
> The principle of an EU citizen owning their data is a solid base.
The principle of an EU citizen owning their data means an EU citizen has the right to decide what to do with their data. Including shipping it wholesale to any evil US or Chinese megacorp.
In this case however, the EU parliament says: "No, it's up to us to decide what you can and what you cannot do with your personal data". Not cool.
Nonsense - you can ship your data abroad under GDPR still for whatever you like to be done with it. You just have to give informed consent to do so, with a really clear UX. That's fair and reasonable.
Also going back to the original comment in this thread - no it isn't overreach. Every other industry that exports things to Europe is regulated. Think, for example, about food safety regulation or car safety regulation.
This is absolutely standard stuff in every industry. It's only new for the internet because it is a new industry.
Basically, a bunch of whiners who don't understand that global capitalism only functions because of regulations. Like they just don't know that there are regulations that make the products they use every day actually any good.
> the EU parliament says: "No, it's up to us to decide what you can and what you cannot do with your personal data"
The EU doesn't decide what you can do with your data, but what the companies can do with your data once you've shared it with them:
- they need to inform you clearly of what they'll do with it, who they'll share it with, and you have the right to refuse (opt-out must be the default)
- they need to give you the right to access, rectify and delete your data
- they need to keep it secure and notify you as soon as they detect a breach
It's basically more rights for you, more obligations for them.
> It's basically more rights for you, more obligations for them.
Your rights are worthless when they decide that it's easier to withdraw than to fulfil their obligations.
Informed consent is actually a good part, I have nothing against it.
But the "right to be forgotten" means the companies are back to the 90's w.r.t. data storage technologies: no (true) event sourcing, no blockchain. Data has to be mutable, and as a consequence, less reliable. All for the goal of "unlearning" information, that is theoretically unachievable.
"Data has to be mutable, and as a consequence, less reliable."
Data must certainly be mutable, but it does not follow that it is thereby rendered less reliable (the opposite is true). Because *people* are mutable. Thus personal data on an individual becomes less reliable over time because the *person* has changed. The fact that you stole 5p from your mum's purse when you were 6 years old does not mean that you should be forever branded as a thief and thus barred from holding any position of trust.
If you move house, databases must be updated to reflect your new address, and unless there is a very good reason to hold onto your old address, that should be deleted. After all, you'd be miffed if the police kept raiding your house because a drug dealer used to live there 25 years ago and the police have not changed the data on the PNC because they think as you do, that deleting or changing data makes it unreliable.
> If you move house, databases must be updated to reflect your new address, and unless there is a very good reason to hold onto your old address, that should be deleted.
Mr. Cynic. Can you prove to the home office that you have been continuously resident in the UK for the last 25 years?
> the EU parliament says: "No, it's up to us to decide what you can and what you cannot do with your personal data". Not cool.
Not so. The GDPR is UK legislation (and will be in place post-Brexit). You, as a data subject, are free to give someone consent to use your data for any purpose.
What it doesn't allow is for someone to take PI about you, sell it and/or use it for marketing *without your consent*.
Which is entirely different from your (somewhat slanted - the "EU Parliament" bit gives it away) view.
> The principle of an EU citizen owning their data means an EU citizen has the right to decide what to do with their data. Including shipping it wholesale to any evil US or Chinese megacorp.
> In this case however, the EU parliament says: "No, it's up to us to decide what you can and what you cannot do with your personal data". Not cool.
I'm sorry, but that's Total Bollocks™.
What the GDPR says is that if those evil US or Chinese megacorps want to process your data, they must get your informed consent to do so. There is nothing in GDPR that prevents you from saying, "hey evil megacorp, here's my data, process away!" That would be known as consent.
"In this case however, the EU parliament says: "No, it's up to us to decide what you can and what you cannot do with your personal data". Not cool."
Your argument is similar to the idea that making it illegal for people to rape you while you are asleep means that you are not permitted to have consensual sex.
Dear Eugene,
I do apologise if you were born retarded or if you otherwise acquired an intellectual disability along the way. Otherwise I do not really understand how you can be so stupid.
> The principle of an EU citizen owning their data means [ blah blah blah more nonsense blah ]
For your information, the territorial scope of the GDPR is:
* processing of personal data in the EU (regardless of where you are);
* processing of personal data related to people in the EU for marketing, business or tracking purposes (regardless of where the processing is being done);
* processing of personal data in a place where Member State law applies (e.g., diplomatic missions, territorial waters, vessels and aircraft, Antarctic bases)
The word 'citizen' does not appear once in the entire Regulation. Indeed, if you are logging into your Google account from within the EU and you are:
* an American holidaying in Rome;
* a third-country migrant in an irregular situation;
* a Japanese heroin trafficker in detention in Amsterdam;
then the GDPR applies to the processing of your personal data.
A passing familiarity with whatever it is you are going to talk about doesn't always hurt, you know?
I am in the US. If I use a VPN hosted in the EU, is data collected and stored subject to GDPR? Does it matter if the site that collects the data is in the EU or not? Does the GDPR cover other data collected and stored by the same site at earlier or later times when I am using my US based ISP directly? And the same questions for someone resident or present on travel in the EU who, however daftly, uses a US hosted VPN?
Are these cases, and others fairly easy to imagine, covered in enough detail that one could be reasonably sure how to handle each? I will confess to being an American in the mountain west and not having paid a lot of attention to the GDPR, but the number of differently nuanced assertions and explanations about it in this thread suggests quite a bit of uncertainty. I also assume that in the EU case law fleshes these general laws out as it does here, but there certainly is none of that yet.
In the US, lawyers and risk analysts are paid large hourly rates for asking and trying to answer questions like these, and they may tend to emphasize what could happen over what they think will happen, especially when it is not possible to assign probabilities of the various contingencies with much confidence. Until courts (and juries) render decisions and the appeals are completed, there often is a wide range of disagreement. That translates into uncertainty, uncertainty translates into risk, and established businesses tend to be quite risk averse, which may lead to the kind of behavior reported here.
As time passes, complaints will be made and adjudicated and the legal environment will become more settled. In the near term I would expect to see a fair amount of this sort of behavior.
"In this case however, the EU parliament says: "No, it's up to us to decide what you can and what you cannot do with your personal data". Not cool."
No. The EU just declared itself the sheriff and is enforcing the people's rights in the World Wild West. Unlike the US where it's still the Wild West full of outlaws and robber barons and the people have to attempt to defend themselves if they can afford to.
It is getting closer to where we should be.
There will be lots of kicking and screaming, much like when my parents told me it was bedtime when I wanted to stay up and watch The Sweeney (UK reference, non-UK peeps may need to google it).
But it seems we have at last made a start, if the work is kept up we might have a better WWW.
Hopefully in time companies will realise that giving some respect to their readers' privacy will reward them.
Not sure I even believe that previous statement myself, but I'm an idealist dreamer.
Government mass spying on innocent civilians and other shenanigans will of course carry on unperturbed.
I'm shocked that these sites are trawling so much data on you. After all, if they didn't then they wouldn't need to do anything short of a privacy notice of "we don't have any data on you so we don't need to tell you". That is effectively what "moodle" did - we only have data needed to run your service. We don't market so don't need consent. If you don't want the service then tell us and we will erase.
The fact these websites are blocking means they are doing shitty things with your data. Probably best to keep avoiding them.
I do not agree that the blocking described was started because the website operators were in violation. I suspect, instead, that they were told by their attorneys, and perhaps their risk analysts if they employed such, that the possibility that they were could expose them to legal actions in jurisdictions in which they did little or no business, in which there is little or no case law on which to base actions or terms of service, and where the penalty for missteps may have appeared frighteningly large.
The media outlets mentioned probably derive very little of their income from subscribers outside the US, and my guess is that they, like the New York Times and Washington Post, are not major sellers of personal data. Like many news organizations, they operate in an environment of declining revenue for print editions and difficulty covering costs with paywalls. They may simply have decided that the perceived risk outweighed the benefit of availability in the EU, at least until the actual operation of GDPR, as against the combined conjectures of the regulation's administrators and the practicing lawyers who will be involved in both sides of the litigation that surely will not end with the complaints Max Schrems filed within hours after it took effect.
"I feel obliged to point out yet again, that if a US company has no presence in the EU (i.e. an office) then it can feel free to ignore the GDPR and stick it's middle finger up at the ICO."
Correct. And if they, as a non-EU entity with no EU presence, choose to abuse EU citizens' data, the EU also has the right to stick two fingers up to said US entity and block them from access to the EU.
ISTR a UK citizen not so many years ago who ran a legal gambling website. But US citizens were using it, so he was arrested when he visited your "land of the free".
"if a US company has no presence in the EU (i.e. an office) then it can feel free to ignore the GDPR and stick it's middle finger up at the ICO."
Sure, but it also won't be able to sell to the EU or complete any financial transactions with the EU or the funds will be liable to be seized, and if necessary imports banned, website adverts and search results blocked and EU credit cards could be forced to blacklist it, etc. etc.
"I feel obliged to point out yet again, that if a US company has no presence in the EU (i.e. an office) then it can feel free to ignore the GDPR and stick it's middle finger up at the ICO.
The GDPR is a law that only applies to entities within EU borders."
Utter bollocks. #GDPR applies to anybody providing services to individuals or businesses in the EU - whether or not they themselves are.
It's a little different, you are not visiting a site in a different jurisdiction, rather, that site is entering the EU and doing its business in it, subtle but big difference.
It doesn't have to enter the EU, it could be restricted to US only if it wanted to. An example here would be netflix and streaming sites who limit content in different regions depending on licencing agreements.
It's like a US site selling guns to folk, completely legal and ok in the US, but then it makes itself available in the EU, just because it's in a different jurisdiction doesn't mean it can start selling guns to EU citizens, local law applies.
EU gun laws make it illegal for people to sell us guns, EU GDPR laws make it illegal for people to abuse our personal information.
I feel like that 'doing business' rule or method of governance is too broad a brush to be used effectively. It seems like if a website which is listed on Google can be accessed from anywhere in the world, anyone who runs a website has to keep track of more than a hundred different codes for operating their website. For something like GDPR, which has generally overwhelming support, and makes sense on paper, it seems silly to worry about such a thing. After all, any company that doesn't comply with the rules is probably shady anyhow, and you don't lose much by losing its business. Let's say, for argument's sake, that a certain country finds pictures of women's bare hands to be pornographic in nature, and the country has a blanket ban on pornography of any kind. Also, your company's website uses female models using the product in its promotional material. It seems unfair to me that such a company should have to pay a fine if anyone in that country stumbles across the website, and it seems not in the spirit of the modern age, almost isolationist, to block people from that country from accessing the website at all. What about human rights? If China dislikes mentions of Tiananmen Square, under this system do websites making mention do the blocking for them? Any answer other than yes is hypocritical.
> It's a little different, you are not visiting a site in a different jurisdiction, rather, that site is entering the EU and doing its business in it, subtle but big difference.
Actually, you have that a bit backwards. The site is NOT entering the EU. People are using the Internet to leave the EU and enter into wherever that site is hosted, and the site's legal compliance begins and ends with the jurisdiction where it is hosted.
If the operator of the site doesn't have a presence or assets in the EU, then the EU Laws (including GDPR) do *not* apply to them, regardless of whether the site users are from the EU or not. Just like the laws of Saudi Arabia or Iran do not apply to a company based solely in the EU or US.
Now, if the company does have a presence in the EU, even a minor one, or actively solicits business in the EU then the EU laws DO apply. The key is "actively". Just having a website that is accessible from the EU is not enough. Even having a multilingual site isn't enough. However, initiating a call to solicit business from someone inside the EU *IS* enough, no matter where they may be based, as is placing an advertisement in an EU publication.
There are many contradictory laws between different countries, and it is impossible to comply with all of them. As such, you only need to comply with the laws of the countries where you are based and do business. If you need to do business in a country that has laws that contradict your own, you set up a separate affiliate company that handles all of the business in that country, and you make sure that company follows all of the laws in the country in which you based it. Similarly, if you want to do something that is illegal in your home country, then you just have to set up a company in a country in which that "something" is legal -- just make sure that any profits from that never make it back to your home country...
As for the news sites in this article, my guess is that they thought that they didn't need to worry about changing things because they weren't in the EU, until someone pointed out that they have correspondents in the EU and as such they need to comply with the EU laws...
"Actually, you have that a bit backwards. The site is NOT entering the EU. People are using the Internet to leave the EU and enter into wherever that site is hosted, and the site's legal compliance begins and ends with the jurisdiction where it is hosted."
If that is genuinely the case then GDPR would not apply. However, in that case the motivation for tracking also disappears: if you as a US based website want to serve me an ad for some random coffee shop in Tennessee when I am in Europe, I have no problems with that. On the other hand, why would they want to pay for that if they knew I would in all probability never be within 500 miles of the shop? They wouldn't, so you contract your advertising out to e.g. Google, who in turn find an advertiser who will pay, most likely one in Europe.
If you employ contractors and subcontractors in performance of a contract you have with me, you are responsible for their acts as if they were your own. If they do business in Europe directly, then by extension so are you: that's the price you pay for taking their shilling. This is all established contract law.
I have very limited sympathy for the howls of anguish coming from the States in any case given the "imaginative" jurisdiction often used over there. There are too many to list but one that comes to mind was that the US claim jurisdiction over any transaction priced in dollars: a British oil company can sell to a French petrochemical company and the bill eventually settled in pounds or euros without so much as an electron crossing the Pond. The US reserve the "right" to stick their oar in.
Explain that to me BEFORE I explain why entities actively trading in and with a physical presence in Europe, directly or otherwise, and making money from and in Europe from EU citizens, fall within the jurisdiction of EU law.
Yeah, there's the "has a presence in the EU" problem, as well as an advertising model that's incompatible. So just like those viewers who happen to be running ad blockers and/or script blockers, anyone affected by GDPR is now in "the ghetto" as far as they're concerned.
My opinion: if they're gonna be like THAT about it, I don't WANT their damned content!
"I like the idea that GDPR is protecting us and it's amusing how the spammers have reacted. However the attempt to overreach outside EU jurisdiction is chilling. What if that actually happens? It's already happened on a temporary basis with some websites."
I was just listening to an old episode of Inside Science the other day. Part of what they were talking about was the ethics of carrying out experiments on people without their knowledge. The current best practice is not only that this is wrong, but it's an accepted principle across much of the world. It was drafted by US military lawyers in the aftermath of the Nuremberg Trials. But the US Supreme Court has never allowed it to become law in the USA. Sometimes, imposing laws for the greater good, i.e. protecting people's rights, is a good thing, even when it's the US which does it. It's just such a shame the US doesn't practice what it preaches. I'm sure the good people of the US would like some of those protections too.
Down vote me all you want but it's still a legit question. If I have PDFs on a website that is only about products that are only sold in Canada, would I still have to abide by the GDPR if I have people looking at my web site from the EU, even if my web site was not intended to do business in the EU?
That is an interesting question. If the answer is 'yes', then I, for one, would be geoblocking all inbound connections from the EU; we already geoblock China and most of Latin America, mostly to kill spam, so extending the blocking to the EU would not be a problem. My operation simply does not do enough business with EU residents (we don't do much business with people from out of _state_ much less out of the US) to justify the time and expense of complying with the regulations, and I have no intention of opening myself to the level of fines which can be imposed. It's simpler to just block access. I expect that a lot of small-time companies will do exactly that. So we lose 0.1% of our yearly business, if that... we balance that against the cost of complying, and the size of the fine for not complying. And, of course, as we will no longer be doing business with anyone in the EU, we would delete all records pertaining to past business; EU residents can't get in contact over the Internet with us, anyway. As a courtesy we would inform the ex-customers of the change by postal mail, we wouldn't retain so much as an email address or any past emails. Once the postal mail goes out, the names and postal addresses will also be deleted from the main database. There's going to be a meeting on this point later today. I expect that we'll be sending out mail to ex-customers by close of business.
If the answer is 'no', then the new regs have a massive hole in them, which _will_ be exploited.
Anyone from the EU who wants to do business with us will have to figure a way to contact us without getting blocked by the geoblocking, and will have to explicitly and completely consent to whatever we want, or they can bloody well fuck off.
"Anyone from the EU who wants to do business with us will have to figure a way to contact us without getting blocked by the geoblocking, and will have to explicitly and completely consent to whatever we want, or they can bloody well fuck off."
Thank-you. If anyone ever doubted the need for GDPR, just reading your post will put them straight.
You'd find it far easier to just learn the basics of GDPR.
Are you collecting information and sharing it without asking for consent? No? You don't need to do anything. You're already compliant.
Are you collecting contact info vital to your business, i.e. email address and name to contact a customer? That's covered by the "legal basis" as you can't perform business without it and your customers would expect as much.
Guess what, you're covered, nothing to do.
The only time when this would be an issue is if you're collecting and sharing information with others without your customers' explicit consent.
"Are you collecting information and sharing it without asking for consent? No? You don't need to do anything. You're already compliant."
Don't do that. I figure that we're compliant. We don't want to risk being wrong.
"Are you collecting contact info vital to your business, i.e. email address and name to contact a customer? That's covered by the "legal basis" as you can't perform business without it and your customers would expect as much."
Pretty much that's it. There's a reason why we don't do medical stuff, either. We'd probably be compliant, but the downside to being wrong is really far down, so we don't do medical stuff. We think that we're compliant. We have no desire whatsoever to find out otherwise the hard way. Easier to just block the possibility.
"Guess what, you're covered, nothing to do."
"The only time when this would be an issue is if you're collecting and sharing information with others without your customers' explicit consent."
We think we're good. We don't want to get burned. Simpler to say bye.
"That is an interesting question. "
It is, and the answer is: if the only personal data you collect is what is required to do business with the customer, and you delete it when you no longer require it, and comply with legit requests to stop emailing said customer, then you are complying. Now, unless part of your business model is collecting extra data and selling it on, all you need to do is act like a white hat and you're fine to continue your tiny bit of EU business.
GDPR is primarily aimed at those whose business model is scraping all the data they can and selling it, or the "intelligence" created by having it, on. Those US newspaper sites currently blocking the entire EU are scaremongering and I have no doubt that this is part of their marketing plan. To comply, all they have to do is stop scraping all the extra data and settle for non-targeted ads. They are obviously already capable of detecting EU users so it's not really a huge stretch to imagine they could then treat those users differently. In fact, I'm sure they already do so anyway since there's little point in showing US exclusive ads to non-US site visitors.
Geoblocking is meaningless, unless you're somehow magically blocking EU citizens in your own country through voodoo. If you store any data on an EU citizen in an identifiable (to that citizen) manner, GDPR applies.
We have received legal advice that this is not the case. GDPR applies to inbound data from the EU, including to non-EU citizens sending data from inside the EU. EU citizens outside the EU are not covered, or at least so I'm told. In any case, should an EU citizen contact us from a non-EU location and make a request about data, we will apply the law as exists in that non-EU location. Should anyone, including the EU, object, they are free to take action with respect to any assets we may have in EU locations. Which is zero.
"Down vote me all you want but it's still a legit question. If I have PDFs on a website that is only about products that are only sold in Canada, would I still have to abide by the GDPR if I have people looking at my web site from the EU, even if my web site was not intended to do business in the EU?"
As long as you don't process personal data of EU citizens you don't have to comply with GDPR.
Disclaimer: IANAL
Do you ask for personal details just to allow viewing?
Can Europeans create accounts & purchase things?
Do you keep and/or sell the detailed logs of IPs that have visited your site? (IP+timestamp will identify an ISP's user account)
Any 'yes' to the above and you should probably start thinking about it; the Euro data authorities will be very busy with internal enforcement and chasing the big players for quite a while, and extradition seems unlikely at the moment.
Several big US sites are geo-fencing European IPs from today, so their lawyers obviously think it's important.
GDPR is only interested in the storing & use of personal information, once the original valid reason for obtaining personal data has lapsed the data has to go.
Keeping everything forever 'because I can' = naughty
Doing anything else with any personal data = naughty
GDPR compliance WILL be appearing as a requirement in business insurance policies because it's another excuse not to pay out.
The BBC policy looks a good example of being honest with data usage.
https://www.bbc.co.uk/usingthebbc/privacy-policy/
I just don't get Pinterest.. It inevitably appears in search listings on Google search, and when you click on the link you get nothing more relevant than the picture on the thumbnail.
Click on a picture for more info, it just takes you to another bunch of stupid photos... WTF?
"Yup never worked out the point of that waste of pixels site!"
AFAIK it's a sort of mashup of photobucket and a scrap book. Sometimes the photos have a link that take you to the original site it was taken from. It looks like a huge copyright infringement to me but then IANACL ;-)
Two years to pick one of these:
1 - Stop slurping European data and continue operation.
2 - Pull plug on Europe because the data gathered was worth more than the content handed out.
3 - Ignore GDPR and see what happens
So these companies (News outlets included) have self identified as primarily data gatherers?
They've self-identified as companies who have no idea WTF they have done with your data, or what the selected third parties they've sold it to have done with it, or even the third parties of the third parties. They don't know who has it, what it is, or where it is. So they can all fuck off with their 'evil GDPR' type notices.
"They've self-identified as companies who have no idea WTF they have done with your data, or what the selected third parties they've sold it to have done with it, or even the third parties of the third parties. They don't know who has it, what it is, or where it is. So they can all fuck off with their 'evil GDPR' type notices."
Although I agree with your final sentiment, I don't think GDPR can be applied to sell-offs to 3rd parties prior to the law coming into force.
This post has been deleted by its author
@Tigra07. Wow, that was you on TV last night, that man in the 5th scene at the back on the right saying "Durrrr..... Durr..... Durr....". Now what was that film called... ah yes Idiocracy.
You have to be the first person to post that they use a privacy enhancing technology to do the opposite and assist a third party to exploit their own personal data!
Way to go... Tigra07 for President, Tigra07 for President, We've got this guy Tigra07, he's going to fix EVERYTHING.
... is wisconsingazette.com
I think it is good that these names should be listed in public. If they are unavailable to EU because of GDPR that means that either 1) they are collecting PII data they have no business knowing or 2) they have no idea what GDPR is, and act out of fear. Either way, it is good that these sites should be publicly known.
Disappointingly, the Virginian Pilot seems to have embraced the spirit of the Battle of Yorktown with respect to GDPR. My Virginian news is being denied.
"Even a simple enabling of VPN in Opera allows me to view the Virginian Pilot from Blighty."
I have the exact opposite situation. I'm outside EU, using a VPN that's in EU. I've never been to any of the sites listed here so far, but checked one just now, and got told it's not available to EU people. VPN working fine. B-)
I was amused today to read that pornhub is offering a free vpn. I am guessing that is to help bypass the stupid age restriction ideas floating in the little brains in gov but I expect it will help with the GDPR problem.
I am amused at people complaining at the companies for not complying with the little EU. Regardless of whether people think GDPR good or bad, it is an interference which both business and people have to be willing to accept for it to work. If those businesses don't want to comply with the EU and disable access for the EU (or revert the EU to the old days of text. That's genius), the people can go off and find somewhere that does comply, or the people can bypass the EU regs (personally choosing to opt out by VPN).
The mistake some people seem to make is thinking these businesses have cut themselves off. It is the EU that is cutting its people off from services that don't meet the EU's standards.
@ Chris G
"@ codejunky hmm a basement dwelling yankcentric who needs to get out more.
Come and visit the Little EU market of a half billion people."
I am in the UK thanks.
@ Peter2
"Well, the businesses have cut themselves off. If you want to sell to people in the EU then you have to follow the EU laws. If you prevent those people from accessing your website then you lose them as customers."
They did comply with the law. They provided what people wanted. People are now noticing they cannot access what they want because the EU has created new laws. The business may or may not make changes to appease the EU; it is their choice to be cut off by these new rules or to abide by them. And it is up to the people if they wish to accept being cut off by the EU or to use a VPN to access what they want. It is a cost/benefit question for both parties (people/business) given the barrier placed by the EU.
"American companies like newspapers/radio stations which do not operate in Europe could simply ignore the entire thing as they aren't doing anything in a jurisdiction where the courts could do anything to them."
But yet the EU is trying to make demands on the world, so to save hassle these businesses have obviously opted to allow the EU to wall itself off. Additional regulation is additional cost and some businesses are not willing to take on the cost when it isn't worth it to them. When I said the little EU I refer to there being a whole world and the EU is only a part of it, and so the view of the little EU may not matter in the view of the business outside it.
My sincere apologies.
So you're a UKcentric Europhobe who is nevertheless benefitting from the GDPR in terms of your privacy being protected for you.
There are many Brexiteers who have sensible logical reasons for wishing to leave the EU and often I can see their points; however, for every one of those, there are dozens of xenophobic jingoists who just want to leave without any real idea of why or what the consequences are likely to be.
Then when consequences happen, they chant "See? that's why we're leaving!"
Which are you?
@ Chris G
"So you're a UKcentric Europhobe who is nevertheless benefitting from the GDPR in terms of your privacy being protected for you."
Can you translate Europhobe? It can be translated as disliking the EU or Europe. I have no problem with Europe. I actually feel sorry for what they are going through.
"There are many Brexiteers who have sensible logical reasons for wishing to leave the EU and often I can see their points"
That's good. Being able to see other points of view is a good thing. Makes these discussions worth having.
"however for every one of those, there are dozens of xenophobic jingoists who just want to leave without any real idea of why or what the consequences are likely to be."
The view isn't much different from this side. For every thinking remainer there seem to be dozens of xenophobic jingoists who just want to remain without any real idea of why or what the consequences are likely to be.
"Then when consequences happen, they chant "See? that's why we're leaving!""
I am often the one explaining the good consequences to remainers shouting "see! it's a sign of doom and we need to remain now!". I don't even claim credit for some of the (good) consequences of voting leave, although some remainers pin it to me as if it's a bad thing.
"Which are you?"
I don't think that's for me to decide. As with the Euro debate, it didn't matter how wrong they were and how right we 'eurosceptics' were; we were the villain until proven correct. Not because we can't be wrong but because of taking a position based on facts and discussing them.
@ Loyal Commenter
"he's a rabid quitling."
Oh please tell me this is the new name for us! Brexiter is so boring; it doesn't have the same sparkle as the good old eurosceptic from the Euro debate when of course us Eurosceptics were proved right. I can now hold the eurosceptic title high as a badge of honour for not being suckered into believing.
If we actually get to leave the EU I want a trophy better than brexiter to put you guys back in your box next time you guys try to push us into the EU. Rabid quitling sounds pretty good, now go spread it around the rabid remainers and let me have my new trophy.
"The mistake some people seem to make is thinking these businesses have cut themselves off. It is the EU that is cutting its people off from services that don't meet the EU's standards."
Well, the businesses have cut themselves off. If you want to sell to people in the EU then you have to follow the EU laws. If you prevent those people from accessing your website then you lose them as customers.
The irony is that most companies outside of ones that actively trade in peoples personal details are already pretty compliant anyway. American companies like newspapers/radio stations which do not operate in Europe could simply ignore the entire thing as they aren't doing anything in a jurisdiction where the courts could do anything to them.
Companies selling goods simply need to say "we do not provide your details to any third party companies that are not required to provide you the service; i.e. delivery companies" and they are already substantially compliant. The only real change is that they have to opt into spamming lists about the greatest offers ever instead of opting out of them.
Transferring people to a plain text site is funny, but if you are pulling the content of the HTTP GET request to get a fingerprint from the IP, web browser, screen resolution, and then track pages visited etc etc etc through the webserver logs and then sell that data, then it's still not GDPR compliant. If you're not selling or otherwise transferring the data to a third party then you are probably pretty compliant anyway.
"Well, the businesses have cut themselves off. If you want to sell to people in the EU then you have to follow the EU laws. If you prevent those people from accessing your website then you lose them as customers."
It's all quite ironic really. US businesses who want to trade in the EU need to comply with EU law, and some are up in arms over a piddling little bit of data protection which any good upstanding business really ought to be applying anyway. And yet so many US businesses are happy to go off and trade (with a presence) in China at the cost of being legally required to have a Chinese partner company who gets access to all the relevant IP, and after years and years of this are only now just waking up to the long-term costs of doing so.
Not only that, but they fully abide by Chinese censorship laws as well. So the problem is just the money: you implement Chinese censorship in exchange for money, while abiding by GDPR means you lose an easy revenue stream.
This is what happens when politics and technocratic 'solutions' are combined.
"All these free services keep showing me unwanted ads! The horror!"
[stops ads]
"All these free services have stopped!"
There is of course a good case to be made for ensuring data security, and transparency in collection. Less so the calls for Statist intervention and the overthrow of all those nasty American companies.
Again, the problem is not ads. In no way does the GDPR forbid ads or anything alike.
The problem is personal data collection without consent, in this case for marketing purposes like showing ads.
Anybody can simply show on their sites ads which don't collect and store any personal information, and that doesn't fall under GDPR in any way.
Ad businesses need to start to offer non-tracking ads - they will be displayed, but won't return any information about who saw them. Just like the ads you saw in any magazine you bought. They worked anyway.
Thanks for the downvotes, folks.
What did I say? Oh yes, there is a good case for data security and transparency. Seems we all agree on that one.
I then went on to say that there might be some politics involved from people who want to stop those nasty American companies... and two hours later we have the Register news article on the legal challenges to Facebook, Instagram, Google et. al.
Yeah, sucks to be right. ;) If you genuinely believe that every last campaigner for "personal privacy" has your best interests at heart and isn't politically motivated, I have a bridge to sell you. Just tick this checkbox here ----> [ ]
Maybe because this personal data hoarding business was introduced - and made a big issue - by American companies? And as I explained, the ads business and the personal data collection business are two separate ones that companies like Google and Facebook decide to merge and exploit fully.
I guess VKontakte or the Chinese equivalent of Facebook have a large amount of personal data, but are niche services in EU - and I can't foresee EU equivalents rise and replace the incumbents. Just, the Data Far West is over.
Also I guess the inaction of the US governments is because the lobby money is so green... so what is better? A government that protects citizens' rights, or one that protects a few large companies and their billionaire owners only?
@LDS: Spot on.
I also think that many Americans are so used to government making laws for corporations that they automatically assume all other places in the world are the same.
There's a knee-jerk reaction I'm seeing: fascist EU removing our freedoms.. stupid bureaucracy, government control etc.
They seem to think suddenly we are restricted in what *we* want to do with our personal information, whilst in reality, the only "freedoms" being removed are the freedoms of the corporations to exploit our data without permission.
It's also saddening to see that so many seem to think it's no big deal. It's no wonder the culture of Facebook, Google, and Android ad-brokers flourish in such conditions.
Oh but no! In reality, we are just jealous of American companies, and want to destroy them *rollseyes*
Some Americans deserve the corporate overlords they get... I feel sympathy for the rest of them (and we'll be heading that way too once UK.GOV gets us out of the EU)
Hello? Hello?
Are we still here?
Funny, we appear to be.. On a website that contains adverts, and hasn't needed us to fill in opt-in/opt-out/opt-shake-it-all-about forms or anything.
The sky hasn't fallen in. If other online newspapers have shut you out, it should make you wonder what the hell they were doing in the first place.
Anyone blocking the EU is either dodgy/stupid/having a hissy fit - or a combination of them
"All these free services keep showing me unwanted ads! The horror!"
[stops ads]
"All these free services have stopped!"
Turns out those services weren't free; they were subsidising the 'free' content by acquiring and selling personal data about you. You might not realise the implications of that until someone takes that data they acquired from you and uses it to get a loan in your name.
I think it's childish and petty of them.
They could have removed tracked ads, tracking cookies, and left the rest as it is.
This way they are saying "look at the crap site your evil EU has forced us to give you."
Why don't they throttle the bandwidth too whilst they're at it?
"Why don't they throttle the bandwidth too whilst they're at it?"
Ah, but if they show a plain text site, with no tracking JavaScript, no graphic / video adverts, AND throttle bandwidth as well, you'll likely still end up with a much faster download of their web site.
I thought GDPR applied to all EU citizens regardless of where they live. Therefore an American company dealing with an EU citizen living in USA still must comply with GDPR regardless of the fact their customers are not living in the EU. Thus blocking people who are in Europe doesn't fix the problem.
"Also, they often are still holding data about EU citizens, so blocking them off from new traffic doesn't help at all - in fact it is worse, as they might not be offering info on how to make GDPR requests, or how data is processed about them."
That's true to an extent, but the treasure trove decreases in value with age. Personal data needs to be current to have any real value.
That's actually the other way round: it applies to all people on EU territory, whatever their nationality. So if you're an American visiting Europe and need to go to the hospital, that hospital will have to process your medical records in compliance with GDPR, at least as long as you're residing in the EU.
It applies to all businesses processing EU citizens data.
So in the EU every organisation will be GDPR compliant, even for the US visitor.
Outside the EU I guess few will bother about checking everyone's nationality, but if they want business from EU citizens in the EU they will become GDPR compliant for everyone everywhere.
I thought GDPR applied to all EU citizens regardless of where they live.
As far as I can see GDPR makes no reference to citizenship. Everything is worded in terms of "data subjects" which are natural persons who are present in the EU.
That raises an interesting question. If an EU citizen, in the EU, uses a VPN to access US services, will GDPR apply, even if the controller of that service doesn't know where that person is? Will the derogation where "the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers" apply to this, using a VPN being seen as informed consent? For a non-EU citizen doing this the waters seem even murkier.
I can only imagine that the lawyers for Microsoft, Google, Facebook etc. will be salivating and perusing Mercedes catalogues this weekend.
It's like ANY law.
It's a law 'made by the EU', so it applies to companies under the EU jurisdiction. And it applies to companies who process personal data.
So, if you're an American company based in America, you can collect all the personal data on Europeans that you want. But the minute you have an interest or asset in the EU then you need to worry about it.
"if you're an American company based in America, you can collect all the personal data on Europeans that you want" as long as you do it in compliance with GDPR
FTFY
"But the minute you have an interest or asset in the EU then you need to worry about it"
You have an interest in the EU the minute you enter in a relationship with an EU resident.
So that means the moment any EU resident visits a web site, the web site has to abide by the GDPR.
Which is why many are blocking inbound connections from the EU. In the case of my company, we simply do not want to take the risk of massive fines for non-compliance. We think that we'd probably be in compliance. We have no intention whatsoever to risk major fines, especially when less than 0.1% of our business is with EU citizens. We have kissed those customers goodbye, purged our systems, except for current backups, of all EU citizen data, and as backups are rotated we'll get rid of the EU citizen data there, too. We have written to our EU customers, via postal mail, saying what we have done and why. If they wish to continue to have a relationship of any kind with us, then it is up to them to figure a way to get in contact with us which does not include using Internet connections from the EU of any kind, and they would have to explicitly agree to our terms of service. We have not suggested a method for them to contact us; that might be construed as some kind of offer of service, which we are not making. They do not even have to contact us to request that their data be deleted; it has been deleted from the active systems already, and will be gone from the backups in fairly short order. We are in the process of modifying our web site to ensure that all, including EU citizens who connect from non-EU locations, are directed to a page stating our terms of service and requiring you to actively opt in to said ToS. Failure to opt in results in your being directed to a page reading, basically, 'Goodbye, don't let the door hit you on the ass as you leave', in English, Creole, Spanish, and Portuguese, as we mostly deal with the US (mostly our state, in fact) and with other parts of the Western Hemisphere. For purposes of geoblocking, places like Aruba and Martinique would be considered to be parts of the EU, because officially they are parts of the Netherlands and France respectively. 
This means that we won't need to include Dutch; we may add French, depending on how the current review of how much business we do with the French parts of Canada goes.
We're not risking massive fines to keep less than 0.1% of our business. That's just not going to happen. If this be 'scaremongering', so be it. Fines of up to 4% of our annual turnover are scary. We are not asking that the EU change its regulations. We merely see no reason whatsoever to expose the company to potentially crippling fines should we be incorrect in our assessment that we are in compliance. If we did more business with EU citizens we might have a different view; less than 0.1% of our revenue is far too little to justify taking even the smallest risk of being hit with a fine of 4% of that revenue.
Trust me... you're not missing much from that fishwrap. I have pressed littering charges to stop those bastards from throwing their trash in my yard. And to add insult to injury, they then mail a card asking if I enjoyed their complimentary copies.
Anyway, I think the Tribune bunch have realized if you block cookies, you get infinite free views, instead of just 5 articles before the paywall slams shut. Thus the "you can always block cookies in your browser" workaround to comply with GDPR doesn't fly.
Sounds like the people who are running these US based sites have no idea how to run a business (well, we know that Yahoo are losing money faster than the mint can print it).
Blocking one of the world's largest economic areas from accessing your website because you failed to get your house in order before the deadline is an epic fail.
Americans view Europe as a lost cause. You're not that big, you're in decline, you're being overrun by totalitarians and socialists and migrants, you disrespect us, and your regulations suck. You're not worth the trouble for the average American company whose EU sales are a rounding error.
Nobody wants to do business with a pain-in-the-ass customer.
You mis-spelled "we" and "our".
Seriously, though, the number of companies in *any* jurisdiction that have significant overseas sales is probably very small, and most of them are probably making an entirely sensible business decision just to block foreign visitors to their web-sites. It won't cost them anything and if the worst happens then they can stand up in court and show that they made a reasonable effort to avoid ever dealing with a customer where different laws applied. We should not be surprised that very many US companies are now using geo-IP to avoid EU visitors.
That doesn't make GDPR unreasonable. It doesn't mean that *no* US companies need to make an effort to comply (hello, Google). But local newspapers? Really? Are these the best examples you can find? Sounds like a non-story.
"Americans view Europe as a lost cause. You're not that big, you're in decline, you're being overrun by totalitarians and socialists and migrants, you disrespect us, and your regulations suck. You're not worth the trouble for the average American company whose EU sales are a rounding error."
You want to hear something funny? I saw a similar, almost word for word, rant just yesterday, but about the US. How's that wall going?
I had one yesterday afternoon from a National Sporting Governing Body - 4.30pm the day before compliance FFS. They published their advice to clubs about 6 weeks ago. This e-mail to members asked me to reply with my name, membership number and e-mail address to consent to receiving competition information and event marketing.
Reply. By E-Mail. They're going to have (potentially) 7500 emails landing in the membership department's generic (membership@) mailbox - this isn't a special address where a script is going to parse carefully formatted mails. It's insane. Some poor bastard is going through each of these individually.
It would be easier to just set up a new mailing list, stick a sign-up form on their website and say "We're scrapping our old mailing list, please sign up to this new one if you consent to receiving future messages".
Mind you, the wording is problematic. They say they need my consent to "continue managing my membership". They bloody don't; that's fulfilling a contractual obligation. No consent required. They only need my consent to market to me. Which I don't mind - I do want to know about events and competitions - but I don't feel confident in their grasp on it.
"Mind you, the wording is problematic. They say they need my consent to "continue managing my membership". They bloody don't; that's fulfilling a contractual obligation. No consent required. They only need my consent to market to me."
I've seen quite a few emails like that. I'm not sure if they simply don't understand what they are doing or they are trying to frighten and worry gullible punters into signing up for marketing emails in fear of not getting the emails they do require.
Do the US newspapers derive enough revenue from web site visitors located in the EU to make GDPR compliance profitable? If not, then just block the EU from access and carry on.
The EU can make decrees for their subjects. The rest of the world can do the cost benefit analysis and make their own decisions.
I'm off to the USA in a few weeks so thought I'd have a little browse on the Golf Galaxy website, lest I am able to persuade the Mrs to let me buy something whilst we're there.
But no. Great big message saying "Because of GDPR, visitors from your location are not allowed to browse the web store".
WTF? I only want to look at some gear online, not even to buy it!
I assume I'll be denied physical entry to the actual store as well if I look like a shifty European.
What is interesting are the begging letters to stay in touch from companies which I've never ever had anything to do with, or in many cases never even heard of.
Thanks for the heads up, now kindly fuck off.
GDPR is lots of work for businesses but in general a very good thing for citizens. Those businesses that were playing nice with the DPA for 20 years won't have found it all that tough. It's the shits that have found their dodgy dealings and evasiveness come back to get them.
Yep.
One of the reasons I deal in unique emails for each company.
Buy cheap domain with blanket email forwarding.
Never advertise the underlying forwarding address.
Give each company a variation of "company_name@yourdomain.com".
Then sit back and see who they've sold your email to and, if necessary, block JUST that email thereby ending your dealings with them and anyone who bought their email list.
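The per-company alias scheme described above, as an added example that is not the commenter's own code: a small Python script that derives one alias per company, attributes each inbound message to the alias it arrived on, flags any sender whose domain was never associated with that company, and produces the list of aliases to disable at the forwarder. The alias domain, company names and messages are constructed for the example and assume a catch-all forwarding domain as the commenter describes.

```python
import re
from email.utils import parseaddr

# Hypothetical catch-all forwarding domain; any cheap domain with blanket forwarding works the same way.
ALIAS_DOMAIN = "aliases.example"


def alias_for(company: str, domain: str = ALIAS_DOMAIN) -> str:
    """Derive a stable per-company alias, e.g. 'Golf Galaxy' -> 'golf_galaxy@aliases.example'."""
    local = re.sub(r"[^a-z0-9]+", "_", company.lower()).strip("_")
    return f"{local}@{domain}"


# Who was handed which alias, and which sender domains that company legitimately mails from.
# Constructed registry; the names are placeholders, not claims about any real company.
REGISTRY = {
    "Acme Bank": {"alias": alias_for("Acme Bank"), "domains": {"acmebank.example"}},
    "Pizza Place": {"alias": alias_for("Pizza Place"), "domains": {"pizzaplace.example"}},
}


def _sender_domain(from_header: str) -> str:
    """'Deals <promo@x.example>' -> 'x.example'; empty string if there is no address."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attribute_leaks(messages, registry=REGISTRY):
    """messages: iterable of dicts with 'from' and 'to' header values.

    Returns {alias: {"company": name, "leaked_to": [sender domains]}} for every alias that
    received mail from a domain not associated with the company the alias was given to.
    Mail to unknown local parts is ignored: the underlying forwarding address is never handed out.
    """
    by_alias = {v["alias"]: (name, v["domains"]) for name, v in registry.items()}
    leaks = {}
    for msg in messages:
        to_addr = parseaddr(msg["to"])[1].lower()
        if to_addr not in by_alias:
            continue
        company, ok_domains = by_alias[to_addr]
        sender = _sender_domain(msg["from"])
        if sender and sender not in ok_domains:
            entry = leaks.setdefault(to_addr, {"company": company, "leaked_to": set()})
            entry["leaked_to"].add(sender)
    return {a: {"company": e["company"], "leaked_to": sorted(e["leaked_to"])} for a, e in leaks.items()}


def blocklist(leaks):
    """Aliases to disable at the forwarder. Killing the alias cuts off the leaker and everyone who bought the list."""
    return sorted(leaks)


# Constructed inbound sample: one legitimate bank mail, two unrelated marketers using the bank's alias,
# one legitimate takeaway mail, and one message to an alias we never issued.
SAMPLE_INBOUND = [
    {"from": "statements@acmebank.example", "to": "acme_bank@aliases.example"},
    {"from": "Deals <promo@spamhaus-of-offers.example>", "to": "acme_bank@aliases.example"},
    {"from": "orders@pizzaplace.example", "to": "pizza_place@aliases.example"},
    {"from": "news@another-marketer.example", "to": "acme_bank@aliases.example"},
    {"from": "stranger@unknown.example", "to": "nobody@aliases.example"},
]

if __name__ == "__main__":
    found = attribute_leaks(SAMPLE_INBOUND)
    for alias, info in found.items():
        print(f"{alias} (given to {info['company']}) was used by: {', '.join(info['leaked_to'])}")
    print("disable at forwarder:", blocklist(found))
```

Run against a real mailbox by feeding it the `From` and `To` headers of each message; the only alias that shows up in the output is the one the named company leaked or sold, which is exactly the evidence the commenter describes.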
Yep, was "fun" yesterday to receive a text from a take-away/delivery restaurant I had used in the past, asking me to opt-in to continue receiving offers (those they give to any client anyway).
Followed by a dozen similar texts from other companies I had never heard of. Now, who may have given them my phone number and will never have me as a customer again?
In my case it's my fucking bank leaking my email address (I have a unique one just for the bank).
They also say that due to GDPR they won't be able to transfer money from another bank by direct debit, which was a fairly common way of doing it in Spain as it sidestepped transfer fees from the other bank. I guess it was fine when they were growing as they needed the customers but now they're king of the hill it's just another costly service they wanted to get rid of and "because GDPR" was a nice excuse.
Go to another bank, you say? There really is no choice, they're all as shit as Sabadell.
"I had no idea I was actually signed up to all these ML services - an excellent way to get myself removed!!!"
Most of the emails I have gotten from companies about this I have read, and figured I can just ignore them, they are not actually asking me to do anything. One reminded me about a site I had joined years ago and forgotten entirely about. Forgotten so much I had to look them up to remind me what it is that they do. So I logged on, deleted my data, and deleted the account.
The odd one out is the Australian web site, that is for Australian citizens like me, mostly living in Australia, telling me all about how this new European law might be something we should worry about.
Being old, and still in possession of a Yahoo! email account, I was forced yesterday to log in and deselect all the 'advertising partners'.
I thought that under GDPR, default opt-ins were a big no-no (consent has to be explicit and default opt-out IIRC). How does one go about referring Yahoo! to the ICO for this misdemeanour?
I just visited Yahoo and had to go through a long-winded process of opting out before my cookie could be set. Surely I should be able to visit Yahoo and accept a cookie that is by default opt-out.
Sounds like they think GDPR is a joke and will pass if they continue to ignore it.
This would've been easier on US companies if we had our own GDPR-equivalent, which we desperately need. It could've been more sensible, yet strict enough to obtain a new safe-harbor agreement with Europe so that US companies need only comply with US law. And they would have taken it seriously before the eleventh hour.
Oh well. Interesting times! *gets popcorn*
As far as I can tell this morning, all of the outraged comments posted here can be distilled down to:
"Hi, I'm that American guy that posts endlessly about how Google, Facebook, Twitter, and Microsoft are SLURPING my information, and I'm outraged that the EU refuses to allow Google, Facebook, Twitter, and Microsoft to SLURP my information."
(With a smattering of UKIP types of course.)
Correct me if I'm mistaken, but I seem to recall at one point (back in the old old days of the web) there was a question about websites that were viewable in France having to be in French, or have a French language choice. It was a legal question related to French law, and I think was eventually deemed applicable to products sold in France (stereo instructions and such) but was found to be inapplicable to websites.
Ahh the good old days when everyone could agree that the French were insane.
I think the market will pretty much adjust to the lack of salable data from EU visitors by trending back to subscription fees before they remember that doesn't work either. Then they will just demand that you comply by handing over salable data or no product in the terms of service. There is no free lunch.
As for not being prepared, business never does anything until it has to. If you didn't expect this kind of outcome, if you were even a bit surprised about it, I would suggest you don't know very much about how the average business actually functions.
"That thing went into effect today? Ahh hell, well shutter it until we have the IT dept hack some crap into place."
"Then they will just demand that you comply by handing over salable data or no product in the terms of service. "
Unless the data is required for providing the service, under GDPR they can't insist on it, they can still ask, but you don't have to provide it, and the service must still be provided if the extra data isn't given.
i.e.
Also, no Terms of Service can allow a service provider to break the law, irrespective of what it might have written in it.
Recruiters are often the worst for this anyway - most of them were barely compliant with the old laws.
I had one email me today (of all days!) - a recruiter I've never spoken to, signed up for emails to or had any interaction with whatsoever. Trying to hook me up to some crappy job on the other side of the country.
Pretty shady, but whatever. There's an unsubscribe link in the (7pt, light grey font) legal fluff at the bottom. Except it didn't seem to do anything.
A quick look at the HTML showed it wasn't a link at all - just regular text with underline and blue color HTML tags around it so it looked like one.
Scrotes. I replied to their email with a legal request for all my data, just to annoy them.
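The fake unsubscribe "link" described above (plain text dressed up with underline and blue colour, no anchor) is a checkable pattern. As an added example that is not the commenter's code, the Python below walks an email's HTML with the standard library parser and reports any visible text that is styled like a hyperlink but sits outside an `<a href>`. The sample email body is constructed; the style heuristics (an `<u>` tag, `text-decoration: underline`, or a blue colour) are an assumption about how such fakes are typically built, not a complete list.

```python
from html.parser import HTMLParser

# Colour values conventionally used to imitate a browser's default link colour (assumed list).
BLUE = {"blue", "#0000ff", "#00f", "rgb(0,0,255)"}


class FakeLinkFinder(HTMLParser):
    """Collect visible text styled like a hyperlink that is not inside an <a href="...">."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._stack = []          # (tag, is_real_anchor, looks_linky) for each open element
        self._anchor_depth = 0    # >0 while inside a genuine <a href>
        self._linky_depth = 0     # >0 while inside underlined/blue styling
        self.suspects = []        # link-looking text with no anchor behind it
        self.real_links = []      # hrefs of genuine anchors, for comparison

    @staticmethod
    def _looks_linky(tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        if tag == "u" or "text-decoration:underline" in style:
            return True
        if tag == "font" and a.get("color", "").lower() in BLUE:
            return True
        return any(f"color:{c}" in style for c in BLUE)

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        is_anchor = tag == "a" and bool(href)
        if is_anchor:
            self.real_links.append(href)
        linky = self._looks_linky(tag, attrs)
        self._stack.append((tag, is_anchor, linky))
        self._anchor_depth += is_anchor
        self._linky_depth += linky

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; this also discards void tags such as <br> left on the stack.
        while self._stack:
            t, is_anchor, linky = self._stack.pop()
            self._anchor_depth -= is_anchor
            self._linky_depth -= linky
            if t == tag:
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self._linky_depth and not self._anchor_depth:
            self.suspects.append(text)


def find_fake_links(html: str):
    """Return the list of link-looking text fragments that have no real anchor."""
    parser = FakeLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.suspects


# Constructed recruiter-style footer: one genuine link, two impostors.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Exciting opportunity for a <b>Senior Developer</b> 400 miles from where you live.</p>
<p style="font-size:7pt;color:#999999">
  You received this because reasons.
  <font color="blue"><u>Unsubscribe</u></font> |
  <a href="https://example.test/prefs"><u>Manage preferences</u></a> |
  <span style="color: blue; text-decoration: underline">View in browser</span>
</p>
</body></html>
"""

if __name__ == "__main__":
    for text in find_fake_links(SAMPLE_EMAIL_HTML):
        print(f"looks like a link but is not one: {text!r}")
```

Point it at the HTML part of a suspicious message; an "Unsubscribe" that appears in the output is exactly the decoration-without-anchor trick the commenter found by reading the source by hand.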
How are these OS's not compliant?
What personal info do they ask for, that isn't either optional, or needed to provide the service?
I've installed probably hundreds of copies of Windows (from Win 95 through to Win 10) and various Linux distros over the years, and none of those ask for anything personal that isn't either optional (like your real name, or an email address), or isn't needed by the system (like a username and password so you can use the thing). Same goes for Ubuntu and Android.
It's all either required for the service, or optional.
Can't comment on MacOS/iOS, as I don't use those.
"What personal info do they ask for, that isn't either optional, or needed to provide the service?"
I suppose it depends on how well it "fingerprints" your computer in the data it sends back with your IP address and where that data then ends up and what it's merged with. Not to mention that most average users saw the Microsoft Account set up and assume that they must have one to be able to use Windows and most average users still use some version of the real names for things like that.
No, not at all, I am fairly sure the majority of Americans would like the GDPR enforced in the US too regarding how their personal data is used.
And we have Microsoft who tells us that they will extend GDPR to the whole world. Applying a higher standard is quite normal in industry.
"GDPR for everyone, cries Microsoft: We'll extend Europe's privacy rights worldwide".
https://www.theregister.co.uk/2018/05/22/microsoft_promises_to_extend_new_european_privacy_rights_worldwide/
So lets hope the "Brussels effect" sets in:
"The combination of market size, market importance and relatively stringent standards of the European Union can have the effect that firms trading internationally find that it is not legally or technically feasible, or economically viable, to maintain lower standards in non-EU markets. Non-EU companies exporting globally can find that it is beneficial to adopt standards set in Brussels uniformly throughout their business."
https://en.wikipedia.org/wiki/Brussels_effect
There is no reason at all to believe Americans are less interested in privacy matters.
This is why I switched to Posteo email several years ago. They didn't request personal information when I signed up and they even allow cash payments at their premises to negate the need for bank details.
If everyone acted this responsibly then I'd have no problem providing the minimal personal information in order to receive a service, and I'd also be happy to receive monthly (or whatever timescale I specified) promotional emails.
If Google, Facebook and other abusers of personal data disappear under a mountain of Subject Access Requests, mine included, I will not miss them one fucking bit. The Internet will be a better place for it.
From what I have been reading, GDPR applies to people in EU, not to EU citizens outside of EU?
I'm eligible for adding German citizenship to my Australian citizenship. If it applies to citizens, I'd be inclined to keep a close eye on how this all pans out over the next year or two, and maybe take up that German citizenship.
Yep, dad was fully a German citizen at my birth, I was born in Australia, my mother had always been an Aussie. Dad got his Australian citizenship after my birth.
I'll go back to waiting for the GDPR dust to settle to see if becoming a dual citizen is possible and useful.
How much revenue we get from Europe: Zero.
How much we're willing to spend to comply with GDPR: Exactly how much revenue we get from Europe. I.e., zero.
The hilarious thing is that we probably comply with GDPR if we bothered to do an audit. We sell a service and maintain data relevant to what we sold you, and that's it. But with $0 in revenue coming from Europe, why bother?
This is more or less our position. Less than 0.1% of our revenue is from EU citizens. We are probably GDPR compliant, but really don't want to take the risk of fines of up to 4% in return for less than 0.1%. So those customers are now ex-customers.
I note that you have, at the time of writing, two downvotes for stating simple fact. No doubt this post will also attract downvotes. So be it.
Yeah, Europeans get upset when you mention they're not the center of the universe. They don't like buying things from outside of Europe in the first place, and their companies are so bureaucratic that getting purchase orders out of the European companies who've inquired about our services has been a lost cause; the paperwork they require costs more than the product we want to sell them. GDPR is just the last straw. We sell millions of dollars to the Arabs and Chinese and South Asians, but Europe has always been this insular place that doesn't like buying from anywhere else, and they just put up a wall as tall as Donald Trump's to keep people like us out. Okay, I can take a hint...
I suspect a lot of the downvotes result from such risk-averse businesses making such a big deal. I don't know what you sell, but, if there is a market, it can grow. You seem to be throwing all that away out of fear. In all likelihood, you are compliant, and it is highly unlikely that a) you would get prosecuted anyway, and b) you seem to have missed the "up to" in the clause "up to 4%". This would be for the most egregious cases. You no doubt comply with much more stringent laws with a greater chance of significant fines every day of the week with no concern - but because there is something new, you are running scared.
A serious question - if one of the countries in which you do significant business brought in similar laws, would you cut them adrift? What about your state (I think you have said that most of your customers are local in previous posts)? Would you shut up shop because you don't want to comply with basic respect for people's data?
I suspect a lot of the downvotes result from such risk-averse businesses making such a big deal. I don't know what you sell, but, if there is a market, it can grow. You seem to be throwing all that away out of fear.
We see no reason to have to spend money to be maybe compliant, maybe not, depending on the view of someone in Brussels. We see no reason to expose ourselves to the risk of massive fines when it's so much easier to just not deal with any customers from the EU.
In all likelihood, you are compliant, and it is highly unlikely that a) you would get prosecuted anyway, and b) you seem to have missed the "up to" in the clause "up to 4%". This would be for the most egregious cases.
We see the 'up to'. We just don't see what could limit it and we see no reason to take the risk. And we see even less reason to risk being considered an 'egregious case'. We have less than 0.1% of our business with the EU. It wasn't likely to grow before GDPR. It's much less likely to grow now.
You no doubt comply with much more stringent laws with a greater chance of significant fines every day of the week with no concern - but because there is something new, you are running scared.
We comply with stricter regulations as necessary for our business. Keeping compliance with them was built into our business plan. We deliberately did not seek out business in certain sectors (health, for example) precisely because we did not wish to be forced to comply with certain regulations. GDPR changes the regulations. We feel that we can no longer do business with EU citizens.
A serious question - if one of the countries in which you do significant business brought in similar laws, would you cut them adrift?
Yes
What about your state (I think you have said that most of you customers are local in previous posts)? Would you shut up shop because you don't want to comply with basic respect for people's data?
If the kind of fines which are part of GDPR came into being here, we would close up shop.
For some companies it was a purely business decision (money) to shut down their websites or block access from the EU. I think for many it's a logistic decision. Too expensive to update their sites to comply. Perhaps "down the road" certain amendments will be made to the new rules but for now, it's just "wait and see". It all depends on how loudly folks in the EU scream at their representatives when the problems start coming to light.
If your business is running US-centric, that's perfectly fine. However, you might be surprised when looking at market sizes. The EU market is significantly larger than the US market.
Still wanting to avoid the extra effort? Again, that's perfectly fine. But don't complain afterwards ...
I worked overseas for many years, sometimes with other nationalities. One day we went to see one of our US 'partners', he looked really pleased to see us (unusual in itself) and we were greeted with 'hey guys, I know why you call us 'septics' - it's rhyming slang, 'septic tanks' means 'Yanks', he was really pleased with himself until I replied "Nah, it's 'cos you're all full of shit'.
Which to me, pretty much sums up their attitude to 'privacy' and lack of understanding that 'personal' means 'it's mine' - which is how we ended up with GDPR being needed anyway.
It shows how irresponsible companies have been up until now, trying to make a buck by selling every scrap (or scrape) of information about their customers to anyone willing to pay.
Any company whose business practices mean that closing their doors is the best way they can comply: well, can someone hand me the world's smallest violin? Good riddance, and don't let the door hit your big fat wallet on the way out.
As for US news organisations, the same applies there too: for years they have restricted "news" based on geographical location, no matter how trivial and irrelevant that might be, and were doing it long before this legislation was on the horizon, so again I couldn't really give the pretence of caring less whether or not I can watch their fake news and fantasy stories.
Other than that, this is one awesome way of getting rid of a huge chunk of the unwanted junk mail I get from sites I have never signed up to, but which contact me because a site I did sign up to sold my details to them, without my having to lift a finger: merely ignoring their request for me to agree to have my privacy violated by them in the future.
So once again, good riddance to them and the horse they rode in on.
Obviously this won't stop the abhorrent behaviour with people's data that goes on by large companies like Facebook, Google and the like, or by government bodies. But it's a start......
"As for US news organisations, the same applies there too: for years they have restricted "news" based on geographical location, no matter how trivial and irrelevant that might be, and were doing it long before this legislation was on the horizon, so again I couldn't really give the pretence of caring less whether or not I can watch their fake news and fantasy stories..."
The BBC also blocks access to some audio and video to those outside the UK and they did this way before the enactment of GDPR.
Websites such as mitosearch.org and ysearch.org have had to shut down because of the EU rule.
"Mitosearch, the free, public genetic-genealogy database, is no longer accessible as a result of the EU General Data Protection Regulation (GDPR) that went into effect on May 25th 2018.
We encourage you to continue your journey of discovery with us on FamilyTreeDNA.com, and we thank you for your participation in citizen science over the years. "
"Ysearch, the free, public genetic-genealogy database, is no longer accessible as a result of the EU General Data Protection Regulation (GDPR) that went into effect on May 25th 2018.
We encourage you to continue your journey of discovery with us on FamilyTreeDNA.com, and we thank you for your participation in citizen science over the years. "
I am a familytreeDNA member and every member received an email advising of the shutdown. The company consulted with numerous attorneys over the GDPR and the fact that the data at mitosearch and ysearch are PUBLIC, encompassed DNA samples from all around the world (not just the EU) and therefore the decision was made to shut down both sites. Perhaps in the future, once the EU, in some instances, realize how draconian the GDPR can be, they may issue amendments but at this point in time, the best decision familytreeDNA was able to make was shut down both sites.
The EU announced new rules to be put in place in 2 years -- and companies waited for the EU to provide the funding needed for the conversion. It never came. The EU had 2 years to supply the funds needed to convert websites for compliance and to provide future funding plans to those websites that needed the private info to continue their business model.
You'd think 2 years would be enough for the EU to come through with the funds to implement their new rule. But...
Guess not.
It seems more than a little disingenuous to put the blame on websites for not implementing a special solution for the EU that has to cost money, at least to implement and maintain, not to mention a special solution that may substantially impact the ability of some sites to stay in business.
Anyone who thinks that some regulations and some check boxes will keep the spies and internet barons from getting your data is just ...... That is the sole reason for their existence. Do you really think that they will just give all that up and play nice? You need a reality check.
... which means that decent people should also not accept free lunches from strangers unless they are fully willing to align to the profit-oriented goals of those strangers. In the last century, there was an utterly stupid misconception that everything that is available via the Internet has to be available for free. That was of course complete nonsense, but to a surprisingly large degree such crank ideas do still persist today.
GDPR is a good attempt at killing such stupid myths. Everyone who dedicates work should be entitled to get financial rewards for that, and it is up to the market to establish how much value (if any) such work is worth. I think the ISPs should increase their tariffs to also cover the cost of search engines, Wikipedia, social networks etc., and in exchange, all data snooping done by the likes of Google, Cambridge Analytica and others should be banned unless users do expressively declare that they are willing to accept any abuse that is done with their personal data. I for myself am deeply disgusted when a result of my recent searches shows up on any website I'm opening in a new session. I might be opening that new session together with somebody else to show that person something on the Internet, and it is part of my computer privacy that this other person does not get indications about any of my previous Internet activities.
I am willing to pay a higher ISP charge to maintain computer privacy, but applaud GDPR if that set of regulations drives Google and other data slurpers out of the most profitable parts of their business. Just a reminder - these are civil rights and part of our constitution, and are certainly more important than the right to buy and carry deadly weapons killing tens of thousands of innocent victims every year ...