
I just read through this "Nightmare Letter" and while the cost is definitely non-zero, a conscientious startup will have the same answer for each user for almost every single point and can have a boilerplate response ready to go in those cases.

Where it gets complicated, i.e. where they buy your data from 3rd parties, I don't have a lot of sympathy for any of the complications involved. Most of the rest can be automated, not for a non-zero cost, but for a relatively low one if a startup goes in with these questions in mind, prepared to answer them when they come up.




> a conscientious startup ... can have a boilerplate response ready to go in those cases

I have businesses that don't do anything shady at all with personal data, and I'd like to think we're conscientious about handling what we do have. We follow general good practice in terms of encryption, hashing passwords, and so on. We've never had any sort of request for information under existing data protection rules, nor complaints under any other regulatory regime for that matter.

So, how much time and money should we spend putting together that boilerplate, just to tick a legal box? How much of the documentation formally required under the GDPR should we actually write, given that on the evidence of several years of trading so far it has literally no value to anyone? How much should we spend on things like getting lawyers to review the contracts we have with the small number of outside services we do use, which might have access to some personal data in connection with the services they provide for us, and how often?

If you actually follow the letter of the law here, the costs of compliance would be astronomical by small business standards. There is little proportionality built into the GDPR itself, so we are reliant on regulators to introduce it, and that's not a good position to be in either legally or practically.


That's what bothers me the most about the GDPR. There's a total lack of proportionality.

Here's how the potential fines are defined:

> Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

whichever is greater... So since my company's turnover is an order of magnitude less than €20 Million, I guess this means we can get totally buried??


Depends on who you ask. Those who trust government will tell you that you can count on the subjective enforcement not to go after you as much, and of course the good ol' "don't break the law and you have nothing to worry about". The rest of us that understand government incompetence/corruption and risk mitigation would tell you that you have to weigh whether these risks are real enough to you. I would tell a non-growth-focused early stage company uninterested in locale variety with limited resources (e.g. bootstrapped company in beta) to avoid EU customers since there are only downsides.


> avoid EU customers

If anyone from the EU visits your website, and you're collecting server logs or analytics with IP addresses in them, you're now processing personal data of EU citizens and subject to the GDPR. They've written this regulation such that pretty much everything on the internet is subject to it.


How about email? If someone from the EU sends me an email, their IP address will likely be in one of the received-from headers, and will be in my SMTP logs.

Note that even if I don't have an email server, relying on my ISP to handle that, desktop email clients download the headers from the server.

A lot of small businesses have no idea that they are storing that information.
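The two comments above (access/analytics logs and the Received headers of inbound mail) raise the same engineering question: where exactly do visitor IP addresses end up on your systems, and can you stop keeping the full address? The Python below is an added example by the editor, not code from anyone in this thread. It locates IPv4 and IPv6 addresses in constructed access-log lines and in the Received: trace headers of a constructed message (all addresses are RFC 5737 / RFC 3849 documentation ranges), and truncates them to a /24 for IPv4 and a /48 for IPv6, the same truncation Google Analytics documented for its IP anonymisation option. The function names and the log format are the editor's own assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample inputs (documentation addresses, not real traffic).
ACCESS_LOG = [
    '203.0.113.45 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/May/2018:13:55:37 +0000] "GET /app.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

RAW_EMAIL = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.example.com with ESMTPS id abc123
    for <sales@example.com>; Thu, 10 May 2018 13:56:01 +0000
Received: from [192.0.2.88] (helo=laptop.localdomain)
    by mx.example.org with esmtpsa id def456; Thu, 10 May 2018 13:55:58 +0000
From: someone@example.org
To: sales@example.com
Subject: Question about your service

Hello, I have a question.
"""

# Dotted-quad IPv4 first, then any run of hex digits and colons as an IPv6
# candidate. Every candidate is validated with ipaddress, so timestamps such
# as 13:55:36 and hex-looking tokens such as abc123 fall through unchanged.
_CANDIDATE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{2,}")


def find_ips(text):
    """Return every syntactically valid IPv4/IPv6 address in `text`, in order."""
    found = []
    for m in _CANDIDATE.finditer(text):
        try:
            found.append(str(ipaddress.ip_address(m.group(0))))
        except ValueError:
            pass  # not an address (timestamp, message id, hex word, ...)
    return found


def anonymise_ip(ip):
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def scrub(text):
    """Replace every IP address in `text` with its truncated form."""
    def repl(m):
        try:
            return anonymise_ip(m.group(0))
        except ValueError:
            return m.group(0)
    return _CANDIDATE.sub(repl, text)


def received_ips(raw_email):
    """IPs that appear in the Received: trace headers of a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(find_ips(header))
    return ips


if __name__ == "__main__":
    for line in ACCESS_LOG:
        print("found:   ", find_ips(line))
        print("scrubbed:", scrub(line))
    print("Received header IPs:", received_ips(RAW_EMAIL))
    print(scrub(RAW_EMAIL))
```

Two caveats a practitioner would want. First, run this at ingest (in the log pipeline or the MTA's delivery hook) rather than as a batch job later, otherwise the untruncated copies still exist in rotated logs, backups and log shippers. Second, truncation only touches your own copy: as the comment above notes, the sender's relays and your ISP's mail server still hold the full headers, and whether a /24 or /48 still counts as personal data is a legal judgement, not something the code settles.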


Well, geo IP blocks are much easier than fetching those logs by user on request. This will happen if EU citizens overly burden companies with these letters... but not until then probably. I definitely wouldn't want to jeopardize my future EU prospects by ignoring the requests for info.

It may be a bit of an unlikely scenario, but people should remember their opinions on region-specific content blocking even if they think their region has enough leverage to make everyone bend to their will.


If I don't need an adblocker because all the adtech companies already preemptively block me, I personally could live with that and would consider the GDPR to be working as intended.


It doesn't have to come to this, at least from adtech's side.

Generally, your device is instructed via a publisher's site/app to reach out to ad tech servers either directly (firstparty), or indirectly (firstparty->thirdparty, firstparty->RTB exchange->thirdparty).

Due to the "chaining", GDPR is particularly onerous on the adtech industry. Granted, all the data is keyed by semi-anonymous IDs (cookies, IDFAs, IPs), but the concerns for consent, retrievals, deletions, in a cascading manner, are an industry-wide problem requiring collective action. The IAB proposed something for the RTB side, the publishers don't like it, and it'll be tense until and through May 25th :)

Having said that, nobody wants to shut-the-whole-thing-down. While all these servers may refuse service based on fuzzing the request as originating from the EU, they may also decide to serve as-best-as-possible and minimize logging of the sensitive fields - it may be better, for example, to lose some functionality for European devices (behavioural targeting, for example, the idea of showing you an ad for the Widget you just looked at over and over), than to serve nothing at all.


Who said anything about adtech companies? I'm talking about risk mitigation here, even for fully compliant companies.


Um, nope. Go ahead, try applying EU law to a US website. I run a few, by all means, knock yourself out. It's hilarious and baffling at the same time that you think the EU can write laws for other countries.


If you are selling things to people in country X, you have to be very careful if you decide to ignore X's laws for such sales. You and your company may be beyond the legal reach of X, but your suppliers and service providers might not be.

For example, if you decide to ignore tax laws in X, X might put pressure on your credit card processors to stop aiding your tax evasion. If the credit card processors respond by cutting off your ability to process cards, they might not bother just cutting you off from accepting payments from country X. They might cut you off completely. That would be pretty annoying.


That's a feature. I want to know if the people I do business with are applying laws to me that do not apply.

Too "bad" about the US dropping the TPP, I assume that was the backdoor planned for "compliance".


If you have users in the EU then the laws do apply to you, even if you insist they do not. If you don't then you have nothing to worry about.


By your logic, any country can make up a law, go to my US website, and demand I follow it.

Demand all you want, this is the point of national sovereignty.


By your logic, you should be allowed to go to Ladbrokes.com and put some cash on tonight's NBA games. I could if I wanted to, and I'm sure Ladbrokes would love to take your bets if they could. But you can't, because countries can make laws about selling to their residents. Ladbrokes blocks you, because US law says they must.

I'm sure you can rely on your site being too small for EU regulators to bother with, and I'm sure it would be hard for them to enforce if you have no operations in the EU, but the fact you ignore the laws doesn't mean they lack jurisdiction.


Irrelevant. Ladbrokes is not a US firm, I don't know, need to know, or care what their legal system is. It's entirely possible their laws require them to comply with US law, or that they have assets in the US.

A website hosted in the US, owned by a US citizen, residing in the US, is not subject to laws written in other countries.


The reason I used the example of a gambling website is precisely because the US has a history of prosecuting the operators of non-US websites for allowing US residents to join. There's nothing in UK law that says they can't let Americans bet. Didn't stop US authorities arresting several bosses of EU gambling websites. If you do a bit more research you'll learn that the US uses extra-territorial jurisdiction more than anyone.

http://www.nytimes.com/2006/07/18/technology/18gamble.html


Sure, that's true. It's a different subject. If one's country allows a foreign system to operate outside of its own legal system, it's about as strong a sign as I can think of that the people do not actually control their government.

As a US citizen, I am strongly against our interference in other countries, but even if/when we fix that, it wont matter if the root problem is not fixed, since another outside power could do the same thing.


I'm sorry but no, it's the exact same subject. It's country A prosecuting a website in country B because they did something that's illegal in country A but legal in country B. The US does the same for copyright laws. Or is it OK if it's team America that's acting as world police?


I live in the US, _good luck_ enforcing foreign law on me.

It's a sign that the people here have the most fundamental control over their legal system. It's not my problem if country B can't do that, but I would REALLY like country B to have the same power over their legal system.

I could go into the real tests and what it means to have a legal system where the individual has so much power, and how to achieve that, but you are ignoring the distinction between enforcing foreign laws on a US citizen and a citizen of country B.

You are implicitly admitting the asymmetry, but instead of fixing country B, do you want country A to weaken its system so that it has the same foreign influence bug as country B?


Like I said, your argument boils down to "we're American: we'll enforce our laws on everyone in the world, but if you think you can tell us to obey your laws when we sell to your country, you can F off." Which is fine: you're welcome to say that because a law is hard to enforce you won't obey it. Just don't pretend you're not breaking the same principle that your government relies upon: that if you're serving a country's residents, you must obey that country's laws.


So that's a "yes" to my question?


They can't enforce them on other countries but they can:

- Have their ISPs block access to your network

- Have their banks not process payments to you

And if you really want to generalize it to "laws" they can emit an arrest warrant: good luck ever travelling to another country that has an extradition treaty with any EU country.

They can't prevent a business in another jurisdiction from operating but they sure can prevent your business from being conducted with any EEA entities.


Very true. All that is good and the way it should be. Markets of ideas are a good thing.


Yes, so what? Did you know that as an individual, you can literally be imprisoned for decades for violating the law? Why is it so shocking that a company that violates the law can be forced into bankruptcy?

The key term there, of course, is "up to". You don't get fined the maximum amount for the smallest violation. It's a range, depending on the severity of the violation, and probably whether there was gross negligence and/or maliciousness.


There are sentence maximums for different crimes for a reason, and often people are unjustly sentenced to the maximum level. With your analogy we should just have the option to sentence everyone to life for any transgression and then just tell everyone "but they won't".

I don't understand why this is constantly handwaved away with statements that claim to tell the future. If you are correct that the violations aren't as large in some cases, that can codify it a bit better than "trust us".


To reverse your argument: without data protection laws we're just trusting corporations that they won't commit any transgression. Your "worst case" description is exactly the current scenario that we have in place being practiced by corporations who have your private data: all you have from them is "trust us".


What makes you say they aren't codified better than that?


If you look at enforcement under the current regime in, e.g., the UK, the ICO has never used its maximum fine.

If this is carrot and stick the stick is fucking tiny and hardly ever used.


How much of the personal info that you have do you actually need? I don't know your business, and I don't particularly want to, but this is a good opportunity to review how much of the data you retain you even should be retaining.

If the amount is anything substantial, more than contact information and whatever data customers might choose to be hosting with you, then you are exactly the right target for GDPR and you should be spending whatever amount you deem necessary to avoid the fines.

It's harsh, but it is true that software and service companies in general, maybe not you, maybe not your company, are far too lax with personal info, and so now legislative bodies like the EU are choosing to address that issue, and the easiest way to be in compliance is to not have any more customer data than you actually need, so when you do get hit with a letter like the one linked here, you have a much easier time responding.

Will this strangle some businesses? Even prevent some from even getting started? Undoubtedly, but that is a trade-off I'm willing to accept in this world where every incentive is stacked against the integrity of my privacy.


Well, speaking just for my own businesses, we've always minimised how much personal data we use, and all the processing we do is for good reasons that are directly related to what we're offering as a service. This wasn't due to any legal obligations, just basic good practice in terms of security and what I consider an ethical stance regarding the privacy of our customers.

I suppose this is why I'm so frustrated by this whole issue. I have a lot of sympathy for your argument that some businesses exploit personal data in ways we might well agree are abusive, and that something needed to be done to curb that. But as someone who does try to do the right thing both ethically and legally, this is just another set of regulations that is going to cause compliance overheads for my own businesses while offering little if any real benefit to anyone in our case.

Meanwhile, if the risk of significant enforcement action against smaller businesses really is low, the door is open for competitors to take their chances and gain an advantage over us, particularly if they're not in the EU themselves. So it also seems to be a case of no good deed going unpunished.


I'm sympathetic if your practices are already good, but the balance of power between an individual and a corporation is too far on the side of corporations as things stand. This levels things out for individuals who otherwise have to depend entirely on the goodwill of corporations.

That includes you, the individual as well, and I hope it works out for you the corporation.


If you can't already answer these questions you're probably already breaking EU law.

There's been a round of companies "reconfirming" email lists "because GDPR" - but if those companies can't show clear opt-in before sending email they're already in breach of PECR.


A conscientious startup would probably not start up under these conditions. Every regulation that creates risk reduces the number of people willing to invest and enter the market.


You could say that having to follow tax regulations also reduces the number of people willing to enter any market. Should we also drop requirements for pharmaceutical companies to do their thing? I'm 100% certain we'd have thousands of new "pharmas" popping up within a short amount of time.

Obviously this is a silly simile but the point remains: certain types of business have certain regulations, in this case if a business relies on keeping your private data then they have to follow the appropriate regulations, like most other fields.


How many cures have not been discovered because of the cost of regulation? Does every regulation save lives? Please. There is a balance between serving the public interest (safety and feel good theatrics like GDPR) and what is actually the public's interest (cure to cancer, the internet, etc...).


We had bad pharmaceuticals despite regulation. As well, there are many promising (tested on few individuals) pharmaceuticals which did not survive broad clinical trials.



