Europe's General Data Protection Regulation Makes Privacy Global

(David Ross) #104

Yes. Maybe. We step on a lot of toes at times. Without giving enough details to derail this thread lets say the point of this blog is to open doors where powerful people have tried to hide various things that would threaten them.

(@lbutlr) #105

Is there nothing that you collect, keep, and/or process that the user does not have access to. Can the user delete her own posts? Are you not a company making money?

If you answer yes to all of these, GDPR does not apply to your web board/blog.

Someone posting their real name or email address or street address or phone number isn’t you’re problem unless you are collecting that information and storing it in a way that is beyond the user’s control and access.

(Tom Gewecke) #106

The “privacy” info provided by Google for someone who views my Blogger blog as of today is 20 pages in pdf format.

(@lbutlr) #107

Isn’t a requirement of GDPR that policies be clear, concise, easy to read, and short?


I took a closer look at GDPR penalties:

**What are the penalties for non-compliance?**Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

You have said the blog has not been involved any financial transactions or any exchange or any exchange of data for commercial Even if the site did net $100 in 2014, the most it would be liable for is $4. I doubt that the EU will go after that when there are literally billions more sites raking in bigger bucks. If you are worried about political repercussions in comments, probably the worst that could happen would be good publicly for you and horrible publicity for the EU. And the managers of the blog might even get a book contract and a lot of speaking gigs out of it; maybe even a movie.


(jbayly) #109

Just what everybody wants: to be the center of a controversy that’s such a mess and so big that it makes for compelling drama on TV. And thus, this is a good law, because the worst that could happen to somebody is that their life is destroyed, and they might get some money out of other people being entertained by watching the misery.

Doesn’t seem like much of a consolation to me.

(Marc Z) #110

I thought these articles were interesting:

“No one’s ready for GDPR”:

which makes the whole thing seem like a disorganized mess with no way to enforce the rules and nobody sure what the rules even are.


“Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR”:

which feeds into the idea that the big rich companies are going to be the most impacted. Why go after mom and pop websites when you can go after Google and Facebook?


I couldn’t easily find a link to woosh detector, but I the link to this sarcasm detector instead:

(Jeremy Roussak) #112

… which makes the whole thing seem like a disorganized mess with no way to enforce the rules and nobody sure what the rules even are.

Of course it is It’s the EU. Act first, think later. The EU, urged by the press, is very fond of “Something must be done. This is something. Therefore we must do it”.

“Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR”:

which feeds into the idea that the big rich companies are going to be the most impacted. Why go after mom and pop websites when you can go after Google and Facebook?

It’s a little hard to know what’s going on there. GDPR does not confer rights to sue for large amounts of money.


(jbayly) #113

related to blocking EU visitors or customers, here’s an explanation of how the law makes doing so illegal.


U.S. News Outlets Block European Readers Over New Privacy Rules

Blocking 500 Million Users Easier Than Complying With GDPR

GDPR: Tech firms struggle with EU’s new privacy rules

The interpretation of the law that’s quoted in the link you posted is incorrect and takes it totally out of context. It deals with “automated processing of personal data” and "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based." It’s about compiling various data points and building profiles that would be be sold or exchanged. It does not forbid collecting addresses, or blocking particular domains from whatever country you want. It doesn’t even prohibit gathering or compiling and selling targeted ads to specific profiles, exchanging data with third parties, setting persistent cookies, etc., etc., as long as permission is granted from clearly explained terms and subjects are given the right to access and delete their personal information at any time.

Blocking services have sprung up that are doing quite well. This article focuses on one that uses a snippet of JavaScript and costs $9 a month. I’ve also read that it’s not so difficult for anyone who’s adept at scripting and coding to roll his or her own:


(jbayly) #115

Are you a lawyer? I think I’d rather be on the safe side, personally. The law, as quoted on that page, seems to definitely allow for the interpretation the article gives. It all depends on a judge somewhere deciding whether or not cutting off access to a particular site could cause harm. I could easily see a judge saying that, depending on the site.

I’m not trying to spread FUD. But just because you can pay somebody to do something doesn’t make it legal or effective.

More importantly, it’s self-evidently not effective. If a European uses a VPN to access your site in order to get around the block does that mean they forfeit their rights under GDPR? If they travel to the US and visit your site have they given up their rights? If you have the data of a European, you are liable under this law. That’s the whole point. Ignorance that somebody is a European is no excuse under the law.

There is no technical way to just not allow Europeans on your site, so blocking “European” visitors accomplishes nothing in terms of legal protection or compliance.


I am not a lawyer, but I have worked in advertising sales, strategy, direct marketing and development for over 40 years. I have been hands-on with both sides of the media desk, with and for US and global companies, large and small. It’s my day job to know about this stuff.

Putting my qualifications aside, there is no way the major companies mentioned (A&E, which is owned by Disney and Hearst, Gannet, Tronc) in the articles I quoted would be risking billions of dollars in fines, as well as a huge drop in their stock prices, if there was a chance they’d be fined for blocking EU visitors from their US based sites. They all employ battalions of highly qualified attorneys in the US, EU and other areas of interest to scrupulously vet the legal ramifications of every move they make.

BTW, there’s a secondary battle looming over machine-to-machine communications multiplayer gaming, video chatting, etc. from a sister act to the GDPR, the ePrivacy Act. I’m hoping it might curb robocalls here in the US:


(jbayly) #117

Then the whole law is a sham.

Either they will go after companies that have EU citizen data or they won’t. Whether or not the company intended to prevent EU citizen data from being collected is irrelevant.

I notice that the articles now being shared talk about how hard it is to comply rather than how easy it is to comply like was being claimed earlier in the thread. Odd that.