Linked by Thom Holwerda on Fri 25th May 2018 20:23 UTC
Legal

This article is terrible, and clearly chooses sides with advertisers and data harvesters over users - not surprising, coming from Bloomberg.

> For some of America's biggest newspapers and online services, it's easier to block half a billion people from accessing your product than comply with Europe's new General Data Protection Regulation.
>
> The Los Angeles Times, the Chicago Tribune, and The New York Daily News are just some telling visitors that, "Unfortunately, our website is currently unavailable in most European countries."
>
> With about 500 million people living in the European Union, that's a hard ban on one-and-a-half times the population of the U.S.
>
> Blanket blocking EU internet connections - which will include any U.S. citizens visiting Europe - isn't limited to newspapers. Popular read-it-later service Instapaper says on its website that it's "temporarily unavailable for residents in Europe as we continue to make changes in light of the General Data Protection Regulation."

Whenever a site blocks EU users, you can safely assume they got caught with their hands in the user data cookie jar. Some of these sites have dozens and dozens of trackers from dozens of different advertisement companies, so the real issue here is that even these sites themselves simply have no clue to whom they're shipping off your data - hence making it impossible to comply with the GDPR in the first place.

The GDPR is not only already forcing companies to give insight into the data they collect on you - it's also highlighting those that simply don't care about your privacy. It's amazing how well GDPR is working, and it's only been in effect for one day.

RE[3]: Reality Check
by daveak on Mon 28th May 2018 09:35 UTC in reply to "RE[2]: Reality Check"
daveak Member since: 2008-12-29

Yep, this is the problem with GDPR, so many consultants try to make money by scaring people. Again, coming from a UK perspective as stated by the ICO, common sense will be applied, if you are in breach, so long as you can demonstrate you are moving towards compliance (and the breach is small enough) you will be ok, do the same thing again and you may face a tougher response.

Spamcop is an interesting example. Probably a weak argument, but I would say they are acting as a data processor, with you as the data controller so allowable, although without a contract stating this it probably wouldn't stand up in court. You could also state that it is a requirement for the service, i.e. without it your email server could not work due to the volume of spam, or most likely to hold up, you have a legitimate interest in using Spamcop.

Simple answer is document your processes, providing evidence as to why you are processing any personal information you have, and see which of the 6 bases apply for doing so.

Subject access requests have the same caveat as the right to erasure. Under GDPR you are no longer allowed to charge an admin fee, however you are allowed to charge a fee if a large amount of work would be required, just like the right to erasure. Again, it is a matter of being able to evidence why you need to charge.

Score: 2

RE[4]: Reality Check
by StephenBeDoper on Mon 28th May 2018 16:53 in reply to "RE[3]: Reality Check"
StephenBeDoper Member since: 2005-07-06

> Yep, this is the problem with GDPR, so many consultants try to make money by scaring people. Again, coming from a UK perspective as stated by the ICO, common sense will be applied, if you are in breach, so long as you can demonstrate you are moving towards compliance (and the breach is small enough) you will be ok, do the same thing again and you may face a tougher response.

I believe it's largely the same here, based on the details you mentioned - and that Canadian law tends to follow the UK's lead. That said, I'm not concerned about breaches so much as I am about the potential for things that I've been doing intentionally for years with no problem (sharing IP addresses & other details with third-parties for technical/security/non-marketing purposes) to suddenly run afoul of GDPR.

> Spamcop is an interesting example. Probably a weak argument, but I would say they are acting as a data processor, with you as the data controller so allowable, although without a contract stating this it probably wouldn't stand up in court. You could also state that it is a requirement for the service, i.e. without it your email server could not work due to the volume of spam, or most likely to hold up, you have a legitimate interest in using Spamcop.

Yeah, that was mostly my thinking as well. Though I see another potential grey-area, in that Spamcop reports are publicly-accessible (at least to anyone with a Spamcop), so I could see some interpreting that as not only unauthorized disclosure - but unauthorized public disclosure of PI.

> Simple answer is document your processes, providing evidence as to why you are processing any personal information you have, and see which of the 6 bases apply for doing so.

Yep, seems to be a fair bit of wait-and-see required to find out how/when GDPR will be enforced/enforceable. Just this morning, I came across an article by the CEO of EasyDNS (a domain registrar based in Canada) which included this bit:

> We consulted with our external counsel who handled our positioning for the Canadian Anti Spam Legislation (CASL) who told us, in effect, “we don’t know what you should do either, just do what Tucows does”.

Though later, the article goes on to talk about how a German subsidiary of Tucows has stopped collecting/publishing WHOIS data because they believe that's required for GDPR compliance - which has put them in breach of the contract with ICANN, who have filed for an injunction against them:

https://domainnamewire.com/2018/05/25/icann-files-legal-action-again...

"Comedy of errors" doesn't even begin to do justice to this mess...

Score: 2