Yes. Maybe. We step on a lot of toes at times. Without giving enough details to derail this thread, let's say the point of this blog is to open doors where powerful people have tried to hide various things that would threaten them.
Is there nothing that you collect, keep, and/or process that the user does not have access to? Can the user delete her own posts? Are you not a company making money?
If you answer yes to all of these, GDPR does not apply to your web board/blog.
Someone posting their real name or email address or street address or phone number isn't your problem unless you are collecting that information and storing it in a way that is beyond the user's control and access.
The "privacy" info provided by Google for someone who views my Blogger blog as of today is 20 pages in pdf format.
Isn't a requirement of GDPR that policies be clear, concise, easy to read, and short?
I took a closer look at GDPR penalties:
**What are the penalties for non-compliance?** Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
https://www.eugdpr.org/gdpr-faqs.html
You have said the blog has not been involved in any financial transactions or any exchange of data for commercial Even if the site did net $100 in 2014, the most it would be liable for is $4. I doubt that the EU will go after that when there are literally billions more sites raking in bigger bucks. If you are worried about political repercussions in comments, probably the worst that could happen would be good publicity for you and horrible publicity for the EU. And the managers of the blog might even get a book contract and a lot of speaking gigs out of it; maybe even a movie.
Marilyn
Just what everybody wants: to be the center of a controversy that's such a mess and so big that it makes for compelling drama on TV. And thus, this is a good law, because the worst that could happen to somebody is that their life is destroyed, and they might get some money out of other people being entertained by watching the misery.
Doesn't seem like much of a consolation to me.
I thought these articles were interesting:
"No one's ready for GDPR": https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu
which makes the whole thing seem like a disorganized mess with no way to enforce the rules and nobody sure what the rules even are.
and
"Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR": https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-lawsuit-max-schrems-europe
which feeds into the idea that the big rich companies are going to be the most impacted. Why go after mom and pop websites when you can go after Google and Facebook?
I couldn't easily find a link to woosh detector, but I the link to this sarcasm detector instead:
… which makes the whole thing seem like a disorganized mess with no way to enforce the rules and nobody sure what the rules even are.
Of course it is. It's the EU. Act first, think later. The EU, urged by the press, is very fond of "Something must be done. This is something. Therefore we must do it".
"Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR": https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-lawsuit-max-schrems-europe
which feeds into the idea that the big rich companies are going to be the most impacted. Why go after mom and pop websites when you can go after Google and Facebook?
It's a little hard to know what's going on there. GDPR does not confer rights to sue for large amounts of money.
Jeremy
Related to blocking EU visitors or customers, here's an explanation of how the law makes doing so illegal.
http://www.gettingemaildelivered.com/why-you-cant-just-block-eu-visitors-eu-customers-or-any-eu-traffic-under-gdpr
U.S. News Outlets Block European Readers Over New Privacy Rules
https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html
Blocking 500 Million Users Easier Than Complying With GDPR
GDPR: Tech firms struggle with EU's new privacy rules
http://www.bbc.com/news/technology-44239126
The interpretation of the law that's quoted in the link you posted is incorrect and takes it totally out of context. It deals with "automated processing of personal data" and "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based." It's about compiling various data points and building profiles that would be sold or exchanged. It does not forbid collecting addresses, or blocking particular domains from whatever country you want. It doesn't even prohibit gathering or compiling and selling targeted ads to specific profiles, exchanging data with third parties, setting persistent cookies, etc., etc., as long as permission is granted from clearly explained terms and subjects are given the right to access and delete their personal information at any time.
Blocking services have sprung up that are doing quite well. This article focuses on one that uses a snippet of JavaScript and costs $9 a month. I've also read that it's not so difficult for anyone who's adept at scripting and coding to roll his or her own:
Marilyn
Are you a lawyer? I think I'd rather be on the safe side, personally. The law, as quoted on that page, seems to definitely allow for the interpretation the article gives. It all depends on a judge somewhere deciding whether or not cutting off access to a particular site could cause harm. I could easily see a judge saying that, depending on the site.
I'm not trying to spread FUD. But just because you can pay somebody to do something doesn't make it legal or effective.
More importantly, it's self-evidently not effective. If a European uses a VPN to access your site in order to get around the block does that mean they forfeit their rights under GDPR? If they travel to the US and visit your site have they given up their rights? If you have the data of a European, you are liable under this law. That's the whole point. Ignorance that somebody is a European is no excuse under the law.
There is no technical way to just not allow Europeans on your site, so blocking "European" visitors accomplishes nothing in terms of legal protection or compliance.
I am not a lawyer, but I have worked in advertising sales, strategy, direct marketing and development for over 40 years. I have been hands-on with both sides of the media desk, with and for US and global companies, large and small. It's my day job to know about this stuff.
Putting my qualifications aside, there is no way the major companies mentioned (A&E, which is owned by Disney and Hearst, Gannett, Tronc) in the articles I quoted would be risking billions of dollars in fines, as well as a huge drop in their stock prices, if there was a chance they'd be fined for blocking EU visitors from their US based sites. They all employ battalions of highly qualified attorneys in the US, EU and other areas of interest to scrupulously vet the legal ramifications of every move they make.
BTW, there's a secondary battle looming over machine-to-machine communications multiplayer gaming, video chatting, etc. from a sister act to the GDPR, the ePrivacy Act. I'm hoping it might curb robocalls here in the US:
Marilyn
Then the whole law is a sham.
Either they will go after companies that have EU citizen data or they wonât. Whether or not the company intended to prevent EU citizen data from being collected is irrelevant.
I notice that the articles now being shared talk about how hard it is to comply rather than how easy it is to comply like was being claimed earlier in the thread. Odd that.
Despite this thread dying down, I've still been following GDPR news.
Like
https://www.wsj.com/articles/marketers-push-agencies-to-shoulder-more-liability-for-data-breaches-1541701666?mod=djemCMOToday
New data privacy rules are pushing marketers to unload millions of dollars in liability on the agencies that help them buy their media, forcing the shops to take on new levels of financial risks and adding a layer of tension in client-agency relationships.
At one large global brand, a marketing executive limited a review for its account to agencies that agreed to pay more than $15 million in fines if they were involved in a data breach or violation. The mandate was less about avoiding potential fines than making sure the brand's agency took data privacy seriously, the executive said.
Here's another story that also just popped up:
And one more tangentially related to GDPR (and why I strongly wish the US also had some sort of consumer-level version of it)
Another interesting data point: a Dutch government reports Microsoft Office telemetry represents "large scale and covert collection of personal data" through Office's built-in telemetry collection capabilities in violation of GDPR.
(I believe this is a summary of the report, albeit in Dutch. I can't find a copy in English offhand that isn't at The Register. https://www.privacycompany.eu/dpia-toont-privacyrisicos-zakelijke-microsoft-office-software/ )
If anyone is curious, we're now one year on and reports are beginning to appear from the marketing industry about the impact of GDPR. Bottom line: it wasn't Armageddon for them, and many sectors have employed a broad range of strategies to "recapture" data lost under GDPR:
And two years in, the New York Times reports that there has been almost no enforcement of GDPR, although some cases are in the pipeline.