Linked by Thom Holwerda on Wed 23rd May 2018 22:54 UTC
Microsoft

Microsoft is extending the GDPR's rights to all of its customers across the world.

That's why today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else. Our privacy dashboard gives users the tools they need to take control of their data.

Good move, but these controls and options should've been there from the start. Goes to show that corporations are terrible at self-regulation - something everybody should know by now. In any event, I'll be spending some time this weekend digging through all the data Google, Apple, and Microsoft have on me.

v Comment by coherence
by coherence on Wed 23rd May 2018 22:59 UTC
RE: Comment by coherence
by Thom_Holwerda on Wed 23rd May 2018 23:15 UTC in reply to "Comment by coherence"
Thom_Holwerda Member since:
2005-06-29

Tons of companies are adding easy-to-use privacy dashboards and new functionality and options to view, alter, and delete your data in direct response to the GDPR, and yet, you still say:

GDPR won't change anything.


¯\_(ツ)_/¯

Reply Score: 3

v RE[2]: Comment by coherence
by coherence on Thu 24th May 2018 00:03 UTC in reply to "RE: Comment by coherence"
RE[3]: Comment by coherence
by Pro-Competition on Thu 24th May 2018 00:11 UTC in reply to "RE[2]: Comment by coherence"
Pro-Competition Member since:
2007-08-20

The level of discourse on this site is generally higher than most other sites, which is why it has lasted this long.

We all have strong opinions sometimes, and aren't afraid to share them here, but please try to be civil.

Reply Score: 6

v RE[4]: Comment by coherence
by coherence on Thu 24th May 2018 00:13 UTC in reply to "RE[3]: Comment by coherence"
RE[2]: Comment by coherence
by coherence on Thu 24th May 2018 00:12 UTC in reply to "RE: Comment by coherence"
coherence Member since:
2018-02-04

You are so interested in being right. You never look at the bigger picture.

Reply Score: 0

RE: Comment by coherence
by WorknMan on Wed 23rd May 2018 23:44 UTC in reply to "Comment by coherence"
WorknMan Member since:
2005-11-13

Again the only regulation is really the market. You choose to give your information to these companies.


Yes and no. If somebody who has my name and phone number uses Facebook to store contacts, Facebook is going to have that information without me directly giving it to them. Same/same for Google and the rest.

Reply Score: 3

RE[2]: Comment by coherence
by coherence on Thu 24th May 2018 00:19 UTC in reply to "RE: Comment by coherence"
coherence Member since:
2018-02-04

You will also likely not know they will have it.

They can just keep it, or make sure they only capture the data once outside of the EU.

Reply Score: 0

RE: Comment by coherence
by woegjiub on Thu 24th May 2018 02:06 UTC in reply to "Comment by coherence"
woegjiub Member since:
2008-11-25

Heh, the market doesn't solve shit.

The only way to get things done is to beat these fuckers into submission with strong legislation.

Reply Score: 6

RE[2]: Comment by coherence
by benoitb on Thu 24th May 2018 07:15 UTC in reply to "RE: Comment by coherence"
benoitb Member since:
2010-06-29

The market is driving us all madly to a wall (ecological situation).
Regulation is our utopian chance of survival.

Reply Score: 3

Comment by The1stImmortal
by The1stImmortal on Wed 23rd May 2018 23:28 UTC
The1stImmortal
Member since:
2005-10-20

From what I can gather, the GDPR does seem a little bit on the extreme side, and the extraterritoriality provisions are bizarre and somewhat offensive (If I run a website in Australia and *one* European citizen happens to visit that site, I'm now apparently bound by a European law? Get lost).

It will almost certainly get refined and whittled down eventually. A messy step in the right direction, though.

Reply Score: 1

RE: Comment by The1stImmortal
by ssokolow on Wed 23rd May 2018 23:43 UTC in reply to "Comment by The1stImmortal"
ssokolow Member since:
2010-01-21

Makes me wonder how the EU courts would see a *chan board which disabled custom nicks (everyone is "Anonymous") and has a logging policy in the vein of "We retain server logs for 48 hours. It typically takes us 72 hours to sober up enough to respond to unexpected messages."

Reply Score: 2

RE: Comment by The1stImmortal
by kwan_e on Thu 24th May 2018 04:37 UTC in reply to "Comment by The1stImmortal"
kwan_e Member since:
2007-02-18

(If I run a website in Australia and *one* European citizen happens to visit that site, I'm now apparently bound by a European law? Get lost).


Where do you get the idea that merely visiting your website makes you bound by GDPR?

If you create a website where, merely by visiting, you gather so much data on someone, that would suggest something really wrong with it.

Reply Score: 3

RE[2]: Comment by The1stImmortal
by Duke on Thu 24th May 2018 05:34 UTC in reply to "RE: Comment by The1stImmortal"
Duke Member since:
2018-05-22

If you create a website where, merely by visiting, you gather so much data on someone, that would suggest something really wrong with it.

Exactly! That guy seems to be running a very shady website that probably should be shut down.

Reply Score: 2

RE[2]: Comment by The1stImmortal
by ssokolow on Thu 24th May 2018 07:13 UTC in reply to "RE: Comment by The1stImmortal"
ssokolow Member since:
2010-01-21

If you create a website where, merely by visiting, you gather so much data on someone, that would suggest something really wrong with it.


I think the concern in that case is how it will interact with various European precedents that "IP addresses are personal information" that got set during various copyright trolling cases.

(i.e. concern that the "get what they have on you" provision will require admins in such a case to grep through their HTTP access logs.)

Reply Score: 2

RE[3]: Comment by The1stImmortal
by kwan_e on Thu 24th May 2018 07:33 UTC in reply to "RE[2]: Comment by The1stImmortal"
kwan_e Member since:
2007-02-18

I think the concern in that case is how it will interact with various European precedents that "IP addresses are personal information" that got set during various copyright trolling cases.


In the case of Australia, I hope it does conflict with our data retention laws that no one really wanted.

Reply Score: 3

The1stImmortal Member since:
2005-10-20

In the case of Australia, I hope it does conflict with our data retention laws that no one really wanted.

That's actually something I'm really quite concerned about. The data types a multi-service ISP is required to retain are quite wide reaching. One component of the law is that those doing the retention aren't even supposed to reveal details of what they're retaining nor are they permitted to delete it. The ("official") people to whom they can hand the data over are kinda fuzzy too - the AG's office seems to have adopted an "if someone asks hand it over and we'll catch it when we do an audit" approach.
None of these things are very compatible with the GDPR.

Edited 2018-05-24 09:28 UTC

Reply Score: 1

The1stImmortal Member since:
2005-10-20


Where do you get the idea that merely visiting your website makes you bound by GDPR?

I get the idea from the GDPR.
If you are a business, and you provide a service over the internet that is accessible by European citizens, you're bound by the GDPR. Merely logging IP addresses or letting them create an account with a real name or date of birth in it would be enough to qualify as personal data. At least in theory. Actually applying that might prove difficult in practice.

EDIT:
Article 3:
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

And definition of "Personal Data"
Article 4:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

So any one of username, real name, IP address, gender, age (even just "18+" status), anything may qualify as Personal Data. So Apache logs? Check. Username on a forum? Check. "Are you over 18?" interstitial? Check. Anything that does a geolocation for any reason? Check.
Admittedly, you do need to be operating as a business or for financial gain so individuals and communities etc are exempt. But it's still insanely wide reach.

Edited 2018-05-24 09:49 UTC

Reply Score: 1

RE[3]: Comment by The1stImmortal
by kwan_e on Thu 24th May 2018 10:07 UTC in reply to "RE[2]: Comment by The1stImmortal"
kwan_e Member since:
2007-02-18

If you are a business, and you provide a service over the internet that is accessible by European citizens, you're bound by the GDPR. Merely logging IP addresses or letting them create an account with a real name or date of birth in it would be enough to qualify as personal data. At least in theory. Actually applying that might prove difficult in practice.


Why, as a business, would you want to ask for that data in the first place, or log people's IP address? If you don't ask for that data, then you would not be bound by it. Otherwise, I'm pretty sure you're not forbidden from not offering your business to the EU. If you want to make money out of any jurisdiction, of course you have to abide by that jurisdiction's laws.

Reply Score: 3

The1stImmortal Member since:
2005-10-20

Why, as a business, would you want to ask for that data in the first place, or log people's IP address? If you don't ask for that data, then you would not be bound by it.


You realize that it's very difficult to run a webserver if you don't have at least rudimentary log files (including IP addresses) to work out what's going on when something breaks or you get attacked or a host of other things, right?

And there's a host of reasons you might need additional data, depending on what your service does.

If your site presents different pages depending on detected browser language, the log files indicating that user accessed that language is now private data.

If your site is 18+ only, logs indicating a user accessed those pages are now private data.

Not to mention as I said things like user accounts etc. The username *itself* is private data!



Otherwise, I'm pretty sure you're not forbidden from not offering your business to the EU. If you want to make money out of any jurisdiction, of course you have to abide by that jurisdiction's laws.


You're not forbidden, no.
If you make money at all, not just out of the service, and you provide a product or service that an EU citizen happens to access, according to the current text of the GDPR you're ostensibly subject to it.

Historically, merely having someone from another jurisdiction come to you to use your service or purchase your products didn't bind you to that jurisdiction - on the contrary, it bound the customer to your jurisdiction (for the scope of that transaction). You had to have a degree of explicit connection to another jurisdiction to be subject to it. The GDPR is turning that on its head, which is a dangerous precedent.



I find it amazing that because this is a privacy-enhancing law, everyone's scepticism goes out the window. A law can do a generally good thing but be written in a bad way. The GDPR tries to do a good thing but is written in a horrifically flawed way.

Edited 2018-05-24 10:18 UTC

Reply Score: 0

RE[5]: Comment by The1stImmortal
by oiaohm on Thu 24th May 2018 11:31 UTC in reply to "RE[4]: Comment by The1stImmortal"
oiaohm Member since:
2009-05-30

Historically, merely having someone from another jurisdiction come to you to use your service or purchase your products didn't bind you to that jurisdiction - on the contrary, it bound the customer to your jurisdiction (for the scope of that transaction). You had to have a degree of explicit connection to another jurisdiction to be subject to it. The GDPR is turning that on its head, which is a dangerous precedent.


Totally false idea. This is one of the totally bogus ideas people have with no legal standing.

Modchips are legal in many cases in Australia. Now an Australian company shipped those to the USA and, due to shipping those to the USA, had to face court in the USA. Claiming the jurisdiction was Australia did not work. If you dig around you will find case after case like the above one.

Reality is when you cross borders physically or electronically doing a transaction you are bound to do it legally on both sides unless a speciality law on your side overrides, meaning you cannot be extradited for the offence or punished in your own country for the offence.

Internet does not magically change the rules of trade.

Please note the GDPR is different because it's not only enforceable by GDPR law, it's also enforceable by copyright.

Reply Score: 2

The1stImmortal Member since:
2005-10-20

Totally false idea. This is one of the totally bogus ideas people have with no legal standing.

Modchips are legal in many cases in Australia. Now an Australian company shipped those to the USA and, due to shipping those to the USA, had to face court in the USA. Claiming the jurisdiction was Australia did not work. If you dig around you will find case after case like the above one.

Reality is when you cross borders physically or electronically doing a transaction you are bound to do it legally on both sides unless a speciality law on your side overrides, meaning you cannot be extradited for the offence or punished in your own country for the offence.

Internet does not magically change the rules of trade.

Please note the GDPR is different because it's not only enforceable by GDPR law, it's also enforceable by copyright.


I'd genuinely appreciate a citation/reference here. Happy to be proven wrong but I suspect the jurisdiction argument here was a bit more complex than just "they had jurisdiction over an Australian company because they shipped a single package to a private customer in the US".

And traditionally, merely sending data packets across international borders has not invoked extraterritorial jurisdiction, no.

Reply Score: 1

RE[7]: Comment by The1stImmortal
by oiaohm on Thu 24th May 2018 14:15 UTC in reply to "RE[6]: Comment by The1stImmortal"
oiaohm Member since:
2009-05-30

I'd genuinely appreciate a citation/reference here. Happy to be proven wrong but I suspect the jurisdiction argument here was a bit more complex than just "they had jurisdiction over an Australian company because they shipped a single package to a private customer in the US".

And traditionally, merely sending data packets across international borders has not invoked extraterritorial jurisdiction, no.


Australia and USA have a trade agreement. This is what got the modchip company. Part of that agreement is not to break the country's law on the other side. Agreements are common like this.

https://en.wikipedia.org/wiki/Megaupload_legal_case
This is why the founder of Megaupload ends up sent to the USA.

Problem is this is not just sending data across the border. It is storing information that you may not have the legal licence to store.

Generally copyright infringement is without borders. It's like you sign an NDA (nondisclosure agreement) online and it does not magically only apply in the country you agreed to it with. Also it does not magically mean the party on the other end has absolute rule.

Copyright cases have shown issues a few times. Just look at Pirate Bay as well for where they were prosecuted and where they were operating. Yes, Pirate Bay was prosecuted in countries they were sending data to but it was legal in the country they were operating in and there was no extradition treaty.

Trade is trade like it or not.

Reply Score: 3

ahferroin7 Member since:
2015-10-30

Why log people's IP address?

First off, that's part of the standard data logged by pretty much every network service in existence (not just web servers, but literally almost everything). A lot of people don't change the default logging format, so there's a lot of people who may not care about logging them but are.

As far as why people care at all, the biggest thing is so that you can trace abusive traffic back to its source, and to help support stateful DoS protection.

The User Agent is also PII (just like the IP address, because just like the IP it's actually usually reasonably unique), and that's commonly logged too, as it's kind of important for web developers to know what technologies their users are using so they can make sure everything works properly.

Beyond that, you get into really complicated territory though. If you've got multiple translations, then hit counts for each page are technically personal data when combined with the User Agent or IP addresses, as they identify the user's language preference.

Reply Score: 4

RE[5]: Comment by The1stImmortal
by kwan_e on Thu 24th May 2018 14:00 UTC in reply to "RE[4]: Comment by The1stImmortal"
kwan_e Member since:
2007-02-18

"Why log people's IP address?

First off, that's part of the standard data logged by pretty much every network service in existence (not just web servers, but literally almost everything).
"

I was asking in the context of a small time web business that the person was concerned about. Those who provide the network backbone will be big enough to handle the legal ramifications, and other bigger businesses will have already moved their e-commerce to some cloud provider or other hosting provider that will take care of all that.

I see no reason, not even in the quoted articles of the legislation, that says anything close to what is being accused - that you will come under GDPR merely by being visited by an EU resident.

Reply Score: 3

The1stImmortal Member since:
2005-10-20

I was asking in the context of a small time web business that the person was concerned about. Those who provide the network backbone will be big enough to handle the legal ramifications, and other bigger businesses will have already moved their e-commerce to some cloud provider or other hosting provider that will take care of all that.


You don't seem to know how web hosting works in practice. There are plenty of people running their own web server on a VPS or on a VM or dedicated host. There are plenty of people running routers in front of services. Plenty of very small businesses. Plenty of big businesses.


I see no reason, not even in the quoted articles of the legislation, that says anything close to what is being accused - that you will come under GDPR merely by being visited by an EU resident.

Then I hope you're never responsible for running an internet business system or you'll probably run afoul of it.

Reply Score: 0

RE[7]: Comment by The1stImmortal
by kwan_e on Fri 25th May 2018 05:06 UTC in reply to "RE[6]: Comment by The1stImmortal"
kwan_e Member since:
2007-02-18

Then I hope you're never responsible for running an internet business system or you'll probably run afoul of it.


Don't worry. I'll make sure to never visit your web businesses, where the slightest visit will record lots of identifying data about me.

Reply Score: 3

RE: Comment by The1stImmortal
by Duke on Thu 24th May 2018 05:32 UTC in reply to "Comment by The1stImmortal"
Duke Member since:
2018-05-22

From what I can gather, the GDPR does seem a little bit on the extreme side, and the extraterritoriality provisions are bizarre and somewhat offensive (If I run a website in Australia and *one* European citizen happens to visit that site, I'm now apparently bound by a European law? Get lost).

You seem to forget that this law is to protect customers from the likes of you. If you actually respect your customer's data and treat it with care, you have nothing to worry about by being "bound by European law". If you do worry about that, well, it just shows you're an asshole with hidden agenda.
I can't tell you how glad I as a customer am about GDPR: all those sneaky little bastards that kept my e-mail, phone number etc. to sporadically send SPAM or sell to other SPAMmers are now forced to actually ask me if I want that SPAM to be sent or my information sold.
This law should be made global and effective through entire world.

Reply Score: 3

The1stImmortal Member since:
2005-10-20

You seem to forget that this law is to protect customers from the likes of you. If you actually respect your customer's data and treat it with care, you have nothing to worry about by being "bound by European law".

No, as a non-EU citizen not directly having a business presence in the EU (but perhaps dealing with EU citizens who approach me) there are no circumstances under which EU law should ever apply to me. I am not an EU citizen, I do not have a say in their lawmaking, I am not bound by their laws. End of story.
However, I do applaud generally tightening privacy restrictions. I'm not sure about the exact details of this particular law is all. If it wasn't trying to apply to people outside its jurisdiction, I wouldn't even care - EU citizens can worry about their own laws.
If you do worry about that, well, it just shows you're an asshole with hidden agenda.

You won't mind sharing everything if you've nothing to hide.
Dumb argument is dumb argument.

I can't tell you how glad I as a customer am about GDPR: all those sneaky little bastards that kept my e-mail, phone number etc. to sporadically send SPAM or sell to other SPAMmers are now forced to actually ask me if I want that SPAM to be sent or my information sold.

Look I've always been uncomfortable about the sheer amount of data companies tend to keep. However, is that really private information anyway? A few years ago, unless you went to the trouble to opt out, your name, address and phone number was in most places published in a big book and sent to everyone (phone directories). And for all the risk, internet companies do use customer data to tune and customize the internet services they use. Without that data the world we have probably wouldn't exist. That "personal data" also has allowed a lot of services to be built "for free" (without a monetary fee) - that gets more people using technology and the internet and leads to more jobs and business opportunities for everyone.
It's not a black and white, clear cut thing.

This law should be made global and effective through entire world.

No, it absolutely shouldn't, at least not on your say so.
Every nation has the absolute and incontestable right to make their own decisions on their own laws. For you to say otherwise paints you as someone fundamentally opposed to the concepts of democracy and sovereignty.

Reply Score: 0

RE[3]: Comment by The1stImmortal
by Duke on Thu 24th May 2018 11:45 UTC in reply to "RE[2]: Comment by The1stImmortal"
Duke Member since:
2018-05-22

You won't mind sharing everything if you've nothing to hide.

So you wouldn't mind installing internet-connected webcam in your bedroom and sharing your sex life with all of us? Since you have nothing to hide...
"You won't mind sharing everything if you've nothing to hide" is most retarded thing to say and is usually used by the very same assholes from whom GDPR is trying to protect us. Be it large corporations or sneaky little bastards selling customer data to marketers and spammers.

Look I've always been uncomfortable about the sheer amount of data companies tend to keep. However, is that really private information anyway? A few years ago, unless you went to the trouble to opt out, your name, address and phone number was in most places published in a big book and sent to everyone (phone directories). And for all the risk, internet companies do use customer data to tune and customize the internet services they use. Without that data the world we have probably wouldn't exist. That "personal data" also has allowed a lot of services to be built "for free" (without a monetary fee) - that gets more people using technology and the internet and leads to more jobs and business opportunities for everyone.
It's not a black and white, clear cut thing.

You sure do sound like one of those companies whose management I would like to see in prison.

No, it absolutely shouldn't, at least not on your say so.
Every nation has the absolute and incontestable right to make their own decisions on their own laws. For you to say otherwise paints you as someone fundamentally opposed to the concepts of democracy and sovereignty.

Are you denying that protecting rights of regular citizens should be a global incentive? GDPR is part of democracy principles and it's all about protecting regular people from powerful corporations. And from what you've said here it looks more and more like you are very biased in favor of those corporations. Maybe representing one?..

Edited 2018-05-24 11:46 UTC

Reply Score: 2

The1stImmortal Member since:
2005-10-20

So you wouldn't mind installing internet-connected webcam in your bedroom and sharing your sex life with all of us? Since you have nothing to hide...
"You won't mind sharing everything if you've nothing to hide" is most retarded thing to say and is usually used by the very same assholes from whom GDPR is trying to protect us. Be it large corporations or sneaky little bastards selling customer data to marketers and spammers.

That was my point.
I was comparing the quoted portion to another outrageous argument, then saying they were both dumb arguments.

You sure do sound like one of those companies whose management I would like to see in prison.


I'm not a company. I'm a private citizen. I don't even own a company. All this is hypothetical for me. I'm just very concerned about these things being imposed without any real understanding of the technical and practical concerns underlying technologies.
And why on earth would you want to see anyone in prison? The GDPR doesn't even involve prison as a possible punishment!

Are you denying that protecting rights of regular citizens should be a global incentive? GDPR is part of democracy principles and it's all about protecting regular people from powerful corporations. And from what you've said here it looks more and more like you are very biased in favor of those corporations. Maybe representing one?..

The rights of citizens are a concern for the nation-state they're citizens *of*, but if those citizens choose to access stuff from another country it should be at their own risk.
Nothing should be a "global incentive" unless the people involved consent to it through their proper channels.

GDPR is nothing to do with democratic principles in the slightest. Privacy of data when handled by private companies has nothing to do with expressing one's political will to the apparatus of the state.

Corporations are an institution created by the state, and their regulation should be handled by the state that incorporates them.

The EU only has the ability and the right to affect what those in its borders do. If it doesn't want its citizens' data to be handled "improperly" overseas then the proper approach is to prohibit EU citizens from using foreign services, not trying to control those foreign services.

As a foreigner with no real connection to the EU, except perhaps some visitors to my website, they should have absolutely NO control over what I do.

Reply Score: 1

RE[5]: Comment by The1stImmortal
by Duke on Fri 25th May 2018 07:56 UTC in reply to "RE[4]: Comment by The1stImmortal"
Duke Member since:
2018-05-22

That was my point.
I was comparing the quoted portion to another outrageous argument, then saying they were both dumb arguments.

Understood. Though these two are not really comparable. In fact, they are the very opposite points.

I'm not a company. I'm a private citizen. I don't even own a company. All this is hypothetical for me. I'm just very concerned about these things being imposed without any real understanding of the technical and practical concerns underlying technologies.
And why on earth would you want to see anyone in prison? The GDPR doesn't even involve prison as a possible punishment!

I never said GDPR involves prison time. I said I would like to see management of certain companies in prison. Why? For disrespecting and abusing their customers by means of spying and monetizing personal information.

The rights of citizens are a concern for the nation-state they're citizens *of*, but if those citizens choose to access stuff from another country it should be at their own risk.
Nothing should be a "global incentive" unless the people involved consent to it through their proper channels.

And yet murder is outlawed universally throughout the world. Torture and slavery aren't really left for local governments to decide upon, either. Certain human rights are universal and are seen as "mandatory" by all the civilized world. GDPR deals with precisely such rights.

GDPR is nothing to do with democratic principles in the slightest. Privacy of data when handled by private companies has nothing to do with expressing one's political will to the apparatus of the state.

You still don't get the point. It's all about basic human rights and freedoms.

Corporations are an institution created by the state, and their regulation should be handled by the state that incorporates them.

See my point about slavery and torture.

The EU only has the ability and the right to affect what those in its borders do. If it doesn't want its citizens' data to be handled "improperly" overseas then the proper approach is to prohibit EU citizens from using foreign services, not trying to control those foreign services.

Yes.

As a foreigner with no real connection to the EU, except perhaps some visitors to my website, they should have absolutely NO control over what I do.

Let me just ask: did you actually check and confirm that GDPR applies outside of EU? Or just blowing hot smoke for no reason?

Reply Score: 2

The1stImmortal Member since:
2005-10-20

Understood. Though these two are not really comparable. In fact, they are the very opposite points.

I know they were opposite, but they were equally extreme and equally dumb.

I never said GDPR involves prison time. I said I would like to see management of certain companies in prison. Why? For disrespecting and abusing their customers by means of spying and monetizing personal information.

That's an extreme view. I'd generally say prison should be reserved for those who are unsafe to be allowed to participate physically in society at large. Corporate policymaking on IP addresses and dates of birth hardly meets that standard.

And yet murder is outlawed universally throughout the world. Torture and slavery aren't really left for local governments to decide upon, either. Certain human rights are universal and are seen as "mandatory" by all the civilized world. GDPR deals with precisely such rights.

No. Murder is defined differently depending on the jurisdiction. In some jurisdictions, some forms of what we might consider are perfectly legal. Same with torture - there are regimes that practice what I would consider torture on their citizens or those under its control but they are allowed to continue on the basis of sovereignty rights. Public condemnation happens sometimes sure but that's something entirely different.
Same thing applies to slavery, though there are treaties which put a strong dent on that and give a more common base definition.

You still don't get the point. It's all about basic human rights and freedoms.

I disagree about that.
I think when it comes to collation of information, there are no natural rights or freedoms save the ones we invent. It's something that only recently in history has even been a consideration.

See my point about slavery and torture.

I don't see the applicability.

Let me just ask: did you actually check and confirm that GDPR applies outside of EU? Or just blowing hot smoke for no reason?

Yes, I have, and that's what scares me. The broad scope that includes necessary technical data, the fact that it explicitly spells out that it applies to foreign "data controllers" wherever an EU citizen is involved, the fact that the local legal obligations of "data collectors" only apply where the local authority is the "Union or Member State", etc.
It is a badly written law.
It is a good idea, but it should be heavily revised. And it should have its extraterritoriality severely curtailed.

Reply Score: 1

RE[7]: Comment by The1stImmortal
by Duke on Fri 25th May 2018 09:53 UTC in reply to "RE[6]: Comment by The1stImmortal"
Duke Member since:
2018-05-22

That's an extreme view. I'd generally say prison should be reserved for those who are unsafe to be allowed to participate physically in society at large. Corporate policymaking on IP addresses and dates of birth hardly meets that standard.

What about cases like Equifax? Where careless handling of personal information resulted in a situation where millions of people are at risk of having their lives completely ruined (if malicious actor wanted, he could using leaked information)?

No. Murder is defined differently depending on the jurisdiction. In some jurisdictions, some forms of what we might consider are perfectly legal. Same with torture - there are regimes that practice what I would consider torture on their citizens or those under its control but they are allowed to continue on the basis of sovereignty rights.

And your position is that this is totally fine?..

I disagree about that.
I think when it comes to collation of information, there are no natural rights or freedoms save the ones we invent. It's something that only recently in history has even been a consideration.

Well of course. Rights and freedoms are something invented by humans, obviously. Does not mean we can disregard them, though. We live in the age of information and information is as important as "real" assets, such as a house or a car.

I don't see the applicability.

Well, that's your problem.

Yes, I have, and that's what scares me. The broad scope that includes necessary technical data, the fact that it explicitly spells out that it applies to foreign "data controllers" wherever an EU citizen is involved...

Awesome! That's all I wanted to hear. You see, in the internet there is no such thing as borders. You can never know if that Facebook server you are currently connected to resides in USA or EU or Australia or Antarctica... Thus all the laws regarding internet should be concerned purely with citizens involved and NOT geography.

Reply Score: 2

RE: Comment by The1stImmortal
by shotsman on Thu 24th May 2018 05:34 UTC in reply to "Comment by The1stImmortal"
shotsman Member since:
2005-07-22

You seem to object to complying with the GDPR yet you are thanks to your Government subject to whole troves of US law.
Do you have something against a sensible policy on how you handle the data for people who use your site?
Do you object to them being able to see what data you have on them and being able to correct it if it is wrong?
Do you have objections to them telling you to 'get lost' and delete their accounts and all the data you have on them?

If you do, please give us the URLs of your sites so that we can add them to our 'block this site' lists?

Reply Score: 3

The1stImmortal Member since:
2005-10-20

You seem to object to complying with the GDPR yet you are thanks to your Government subject to whole troves of US law.

The US has a tendency towards extraterritoriality too - I detest where that happens.

Also bear in mind there's a difference between something adopted via treaty or local legislation, and something that a foreign power simply decides applies to people normally outside its control.

Do you have something against a sensible policy on how you handle the data for people who use your site?


What I or the Australian Government might decide is a sensible policy shouldn't be dictated by the EU.

Do you object to them being able to see what data you have on them and being able to correct it if it is wrong?


Possibly. If I collect data, there's an argument that that data once processed and collated and put into a useable form is now my data, not theirs. It just happens to tangentially involve them. To what extent that's true isn't the EU's decision to enforce upon me.

There's also data "collected" as part of the technical process of making the site accessible. If I provide something to other people, why should I be required to implement processes to erase lines in web logs etc that just happened to be created as part of them accessing the site?

Finally, there are cases where there are statutory limitations from local laws that may conflict with the EU's requirements. For example, Australia has some rather severe data retention laws that require some kinds of internet services and business to retain some data involving users, without the option to remove it, and possibly (the law here is unclear and untested) without the ability to even clearly report what that data is.

Do you have objections to them telling you to 'get lost' and delete their accounts and all the data you have on them?


If they access my site, then I am entitled to gather what data Australian law permits me to and their connection allows. They can certainly tell me to 'get lost' and not use my site. That's their decision.

If you do, please give us the URLs of your sites so that we can add them to our 'block this site' lists?


I actually don't have one, I'm discussing this in principle.

As for blocking - you don't block a site, you block yourself from accessing it. Also - who is "we"? If you mean individuals choosing to restrict their own activities sure. If you mean restricting other people's browsing then that's not cool.

Reply Score: 1

RE[3]: Comment by The1stImmortal
by ssokolow on Thu 24th May 2018 09:31 UTC in reply to "RE[2]: Comment by The1stImmortal"
ssokolow Member since:
2010-01-21

As for blocking - you don't block a site, you block yourself from accessing it. Also - who is "we"? If you mean individuals choosing to restrict their own activities sure. If you mean restricting other people's browsing then that's not cool.


A trivial semantic difference, given how many consent-assumed 3rd-party requests whitelists/blacklists are meant to control.

"Add it to my HOSTS file" and/or "Blacklist it in uMatrix", if you prefer.

Reply Score: 2

The1stImmortal Member since:
2005-10-20

A trivial semantic difference, given how many consent-assumed 3rd-party requests whitelists/blacklists are meant to control.

"Add it to my HOSTS file" and/or "Blacklist it in uMatrix", if you prefer.

Okay fair enough.
My point was more that it's an individual choosing not to access something rather than preventing that something from doing anything. It's a self imposed limitation on oneself.

:)

Reply Score: 1

RE[5]: Comment by The1stImmortal
by shotsman on Thu 24th May 2018 18:52 UTC in reply to "RE[4]: Comment by The1stImmortal"
shotsman Member since:
2005-07-22

Self imposed exile?
Possibly but I prefer it as controlling where my internet fingerprint goes and who has things like my email address and other stuff.
Put enough of that together, and you can get a good picture of who someone is and all sorts of other data on them.
This is one of the things that the GDPR is addressing. IF you operate a site and I'm signed up to it you have control of data that relates to me. It is in your best interest to ensure that the data you hold on me is correct and if I want to sever my relationship with you I should be allowed to do that.
IMHO, there is nothing fundamentally wrong with that and I should be allowed to delete the data that you hold on me.

Reply Score: 3

Digging through all the data
by danielbeck-neosearch on Thu 24th May 2018 06:01 UTC
danielbeck-neosearch
Member since:
2018-05-24

@Tom: let us know about the data that Google, Apple and Android collect. (GDPR) I would really like to read an article about it!

Reply Score: 2

The1stImmortal Member since:
2005-10-20

@Tom: let us know about the data that Google, Apple and Android collect. (GDPR) I would really like to read an article about it!

Also, what data OSNews stores that qualifies under the GDPR and whether OSNews is in a position to be able to provide the data removal provisions of Article 17?
EDIT:
(Yes, I'm aware I have no rights - only potentially responsibilities - under the GDPR but others may find it useful)

Edited 2018-05-24 10:02 UTC

Reply Score: 1

WHOIS information.
by leech on Thu 24th May 2018 08:58 UTC
leech
Member since:
2006-01-10

Anyone wonder about the WHOIS information, where if you have a domain registered you're basically supposed to have your address/name in there? I mean there are some extra costs you can throw to your registrar to hide that, but it should fall under the GDPR too, one would think.

Reply Score: 3

RE: WHOIS information.
by Dubhthach on Thu 24th May 2018 15:01 UTC in reply to "WHOIS information."
Dubhthach Member since:
2006-01-12

Most of the European ccTLD domains have this covered. For example look at the dot IE whois output


% Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96
% Do not remove this notice

Domain: google.ie
Domain Holder: Google, Inc
Admin-c: AAV410-IEDR
Tech-c: CCA7-IEDR
Account Name: Markmonitor Inc
Registrar Abuse Contact: Service not supported currently
Registration Date: 21-March-2002
Renewal Date: 21-March-2019
Holder-type: Billable
Locked status: YES
Renewal status: Active
In-zone: 1
Nserver: ns1.google.com
Nserver: ns2.google.com
Nserver: ns3.google.com


Basically no personally identifiable data in it etc.
https://www.iedr.ie/whois-result/?whois=google

ICANN basically got a rude awakening when they tried to crack down on some of the European registrars who were limiting whois output. The Registrars basically said 'that section of our contract is illegal under GDPR and thus null & void'

Reply Score: 2

Comment by Sidux
by Sidux on Thu 24th May 2018 10:50 UTC
Sidux
Member since:
2015-03-10

Nice to have but there is a catch to it. You can only access once the data that a company has from you. There is nothing in the law that prohibits them from asking money the second time you will do that.

Reply Score: 2

gdpr
by l3v1 on Fri 25th May 2018 08:38 UTC
l3v1
Member since:
2005-07-06

I don't like MS, but I like this move.

I read all the comment talk above, lots of BS in there.

Personally, I don't care if a website I agreed to use retains data about me. However, and I expect GDPR to help with this, I am against that website selling my data to everyone who's willing to buy it, and without me knowing who gets it, since before GDPR they were not required to get consent - except the usual generic and broad terms that you accepted. Terms that could change with the weather, especially in the US (but not only).

There are some good signs. E.g., yesterday I could opt out from a gazillion idiotic 3rd party data sharing options at a service I've been using, and I find that good. And it wasn't the only one.

I understand some of this can be hard, especially in countries where data protection regulations have been practically non-existent and companies needed to make big changes. However, in many EU countries some level of data protection laws have already existed, GDPR just modifies/extends things.

My opinion is, we should collect the biggest complainers, always good to know whom to avoid ;)

Reply Score: 1

tomchr
Member since:
2009-02-01

I have a question when it comes to using cookie/domain blockers such as Privacy Badger, now that you are able to manage cookie consent to some extent through the webpages themselves.

If you use Privacy Badger to block a webpage cookie consent dialogue, cookiebots, domains etc. are you blocking data collecting more effectively or have you indirectly given your consent to some data collection, since you have "skipped" the webpage consent dialogue where you were able to manage cookie options?

Reply Score: 1