Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Photo by TheDigitalArtist


Europe’s General Data Protection Regulation Makes Privacy Global

If you’re like many Internet users, in the last few weeks you’ve been inundated with vague, weirdly upbeat notices from companies announcing changes to their terms and privacy policies. Whether they say so or not, most of these updates are to comply with the European Union’s General Data Protection Regulation, or GDPR. The GDPR is a complex policy and regulatory regime that aims to give European citizens “digital rights” over their personal data: who holds it, what they hold, and how it is used.

The GDPR goes into effect on 25 May 2018, and—unlike previous data protection efforts in the EU—it applies uniformly across all EU nations and to any organization anywhere in the world holding or processing the data of EU citizens. That’s a vast swath of the Internet, and, indeed, the entire world economy. Given that the EU typically leads the way on digital consumer privacy, the GDPR will directly or indirectly raise the bar for how companies handle users’ personal data in much of the world.

So how does the GDPR work, and how will it impact you?

Who’s Covered?

In broad terms, the GDPR applies to any EU citizen—data subjects, in the parlance of the regulations—and two broad, overlapping classes of organizations: data controllers and data processors. Data controllers collect and use information, while data processors store, manage, or act upon that information on behalf of data controllers.

Data controllers are everywhere and include any person or organization that collects personal information about EU citizens. Common examples include Internet titans (think Apple, Google, Facebook, Amazon, and Microsoft) and those shadowy “data brokers” that assemble information from public sources and track Internet use. But it also includes governments, public sector agencies, banks, health care providers, and virtually all employers.

Moreover, it covers retailers, restaurants, hotels, venues, and any business with customer records, as well as schools, museums, non-profits, charities, volunteer organizations—even sports leagues. TidBITS has European subscribers and contributors, so TidBITS is a data controller under the GDPR. Maybe you run a mailing list or a site for a hobby: if anyone from the EU is on your list or uses your site, guess what? You are a data controller. Data controllers bear the main responsibility for complying with the GDPR.

Data processors are typically one step removed from individuals: they handle personal information they didn’t collect themselves. Many service providers are data processors—Salesforce, Google Cloud, Microsoft Azure, and Amazon AWS all qualify. If you have a mailing list that you send to the postal service to have addresses standardized and verified, the postal service is a data processor. But the lines get blurred fast: let’s say you have a business that uses a payroll service. Your business would be a data controller, and the payroll service would be a data processor. However, if that payroll service uses data to, say, offer a service comparing salaries to industry averages, they are also a data controller.

What’s Covered?

Under the GDPR, personal information includes most data related to an identifiable person, regardless of whether that connection is made directly (say by name, government-issued identification, or banking information) or indirectly using factors like physical appearance, location, physiology, online identifiers, or economic, cultural, or social identities.

Email addresses, location data, smartphone device identifiers, and IP addresses—even dynamically assigned IP addresses—are all considered personal data. Technically, that means virtually every Internet site and Internet-connected app is subject to the GDPR once accessed by EU residents, since nearly all log users’ IP addresses by default.

Moreover, data regarding ethnicity, race, genetics, biometric data, health information, sex life, religious/philosophical beliefs, or trade union membership is deemed “sensitive” personal data subject to additional protections. And the GDPR doesn’t just apply to data collected on or after 25 May 2018: all previously collected data is covered as well.

These definitions have significant implications for Internet companies— particularly data brokers and advertisers—since nearly all log IP numbers, many collect email addresses, and most of them use cookies and other trackers that constitute online identifiers. That’s one reason you’re seeing so many notices from Internet companies about updated privacy policies and terms of service.

What’s Allowed?

Under the GDPR, there are only six lawful reasons for processing personal data:

  1. Legal contracts
  2. Legal requirements
  3. Vital interests (protecting life)
  4. Public tasks (public interest or official functions)
  5. So-called “legitimate interests”
  6. Consent

Legitimate interests are a somewhat subjective but seemingly narrow category where processing personal data is the only means to meet an end. Common cases would be businesses working with customers to fulfill orders or provide services. If I want a company to deliver a pizza, they have a legitimate need to know where to take it.

For advertisers, the GDPR leaves consent as the primary legal avenue for processing personal data—and the GDPR substantially raises the bar. Consent must be “freely given, specific, informed, and unambiguous,” and be given via a “clear affirmative action.” Silence, inaction, and scrolling through screens of legalese do not qualify as consent. All those “soft opt-in” pre-checked boxes won’t cut it anymore, and companies must present terms in an “intelligible and easily accessible form, using clear and plain language.”

Data controllers must also specify how personal information is used as part of the consent process, whether it be serving up ads, profiling by matching up with third-party databases, sharing it with partners, or other functions. However, companies won’t necessarily name with whom they’re sharing personal data unless a user makes a specific request.

These new rules are another reason you’re seeing so many privacy and policy updates: companies that have not previously satisfied these requirements must obtain their users’ specific, informed, and unambiguous consent before the GDPR goes into effect. Expect many firms to do a hard sell extolling the benefits of consenting, or—as in the case of Facebook—presenting affirmative consent as the fastest way to get annoying screens out of your way. If users don’t consent, the only option may be to stop using a particular app or service—but the GDPR requires that it must be as easy to withdraw consent as to give it.

Some companies may enable users to consent to some types of data use but not others: maybe an email address is required, but consenting to use of location or photos would be optional. However, many outfits will require all-or-nothing consent because that’s the least amount of work.

What Rights Do Individuals Have?

First off, any data subject—remember, that’s a resident of the European Union—must be able to withdraw their consent to use of personal data as easily as they gave it. Withdrawing consent probably means someone won’t be able to keep using a site, app, or service, but it does mean the company must stop using data if there is no other legal basis to process it (like a legal requirement). For instance, if you pre-order a book from a company and later withdraw consent regarding your personal data, the company can still use your personal info to fulfill your order—assuming you didn’t cancel it—without violating GDPR. Similarly, if the company is subject to a court order to retain personal data for auditing purposes, it isn’t violating GDPR if it keeps data for that audit after consent has been withdrawn.

Subjects also have a right to demand data controllers disclose whether their information is being processed. If it is, individuals have a right to access that data (for free!) along with details of why it’s being processed, who is processing it, and for how long. Generally, controllers must fulfill these requests within one month. Digital rights advocates are expected to make broad use of this right to map out the activities of firms like Facebook, Google, Apple, and Amazon, so companies that make broad use of personal data are gearing up for a torrent of requests once the GDPR goes into effect.

Subjects have the right to have information about them corrected under the GDPR. This right isn’t aimed so much at the Facebooks and Googles of the world as it is at agencies that report on credit, perform background checks, and determine eligibility for things like housing, employment, benefits, and medical care. Individuals have a right not to be subjected to decisions made by automated profiling if they have a significant legal impact on them, such as eligibility for housing or a job.

The GDPR also enshrines a “right to be forgotten,” meaning individuals can request all personal data about them be erased—again, barring any legal reason the controller must keep it. As with access requests, many Internet companies are expecting a flood of deletion demands once the GDPR goes into effect. EU residents unhappy with the likes of Google and Facebook may see deletion requests as a way to get back at them.

The GDPR also has a right to data portability—if subjects don’t like the way a controller is handling their data, they can request it be made available to them or another controller in a “commonly used” machine-readable format. Unfortunately, data portability will be pretty limited in the real world, at least initially. Most companies will be able to dump data to formats like JSON or XML, but it’s unlikely other controllers will be able to make much use of it. The European Commission seems to have intended data portability to apply to social networks, but there aren’t many meaningful ways to (say) transition a Facebook account to Twitter, Pinterest, or LinkedIn.

Controller Responsibilities

Data controllers and processors have a number of other specific obligations under the GDPR. Here are some highlights:

  • Companies must report data breaches to their nation’s supervisory authority within 72 hours of discovery. If the breach is “high risk”—e.g., could result in identity theft—then impacted individuals must be informed “without undue delay.” This might be a public announcement for a large breach or individualized notifications. Remember when companies like Uber and Yahoo sat on massive data breaches for a year or more? That would violate GDPR.
  • Controllers must document users’ consent to use personal data: that’s more than recording a simple yes or no, but more akin to a timestamped record including the version of the forms or screens used to collect it, along with all relevant documents like phone scripts, complete terms of service, and policies. If there is a dispute, controllers have to be able to prove consent was legitimately granted.
  • Controllers can retain identifiable personal data “no longer than is necessary,” which is tremendously vague but follows a principle of data minimization and provides legal ammunition if controllers misuse or mishandle data they had no reason to keep. The GDPR encourages anonymization and pseudonymization to protect personal data.
  • Controllers whose core activities include personal or sensitive data on a “large scale” must appoint a data protection officer. The GDPR does not define “large scale,” but there are no minimum thresholds. Some EU countries—most notably Germany—have stricter requirements for appointing a data protection officer.

I’m Small-Time: Do I Need to Worry About the GDPR?

Some people who run Internet sites, apps, podcasts, or small businesses—particularly outside Europe—may assume (or hope) that the GDPR will have no real impact on them. That might be true in some cases, but many small online endeavors will have to make some adjustments. Even small businesses are data controllers, and data controllers bear most of the responsibility for complying with the GDPR.

I cannot offer legal advice, and every activity impacted by the GDPR will have different concerns. But here are a few things to consider:

  • A purchase or contribution is not consent to marketing or further contact. If an EU resident buys something from your Etsy shop or makes a donation to your podcast, you cannot just add them to your marketing list as an existing customer. Consent to additional contact must be separate, clear, unambiguous, and affirmative. A pre-ticked checkbox on a checkout page won’t cut it.
  • If you think you have some magic way of using an IP address, phone number, billing address, or other data to infer whether someone is an EU resident (so you can tell if the GDPR applies to them): you don’t. You would need to ask users directly if they’re EU citizens, and, if not, offer less privacy protection. That may not be a message you want to send. For small shops, applying GDPR protections to everybody is usually the shortest path.
  • Only collect necessary information. If you run a mailing list, you have a legitimate need for a subscriber’s email address, but you don’t need their birthday, phone number, location, or even their name. Sure, some of that info is great for personalizing communications, but do you need it? Can it be optional? (And do you think automated personalization is fooling anyone?)
  • Be ready to disclose all third-party businesses that process your customers’ information, whether payment processors (like PayPal or Square), shippers (like the USPS and DHL), cloud service providers (like Apple, Amazon, Google, or Microsoft), and many more. Does your site tie in directly with Facebook or Twitter? What about a mailing service like MailChimp or SendGrid? How about advertising networks? Analytics services? Under the GDPR users have a right to ask for this information directly; for many small businesses, it makes sense to include the information up front in privacy policies and terms of service.
  • Only keep necessary information. Sure, you want to analyze your sales records to manage seasonal inventory, but you don’t need customers’ personal details to do that. Delete customers’ personal information when you no longer need it for any reasonable business purpose, unless you’re required by law to hang on to it. If you must keep it, anonymize the data (so individuals can’t be identified, even by you) or at least pseudonymize it: if your business records are compromised, there’s less risk to both you and your customers.
  • Consider how you will respond to a customer who requests to view all the personal data you have about them. How will you verify this person is who they claim to be? How will you collate the data? How will you (securely!) make it available? Even for small businesses, this can become complicated. And you have only 30 days from when you receive your first request.
  • Think about how you will respond to a customer who requests you delete all personal data about them. How will you ensure any data processors you use also delete that data?
  • Users must be able to withdraw their consent to use of their data as easily as they gave it. This may mean changing your site or app to make withdrawal of consent easier and more apparent. You may also have to tell data processors to remove that person’s information.

How Will Enforcement Work?

If EU residents believe their personal data is being unlawfully processed or misused, they can file complaints with supervisory authorities in their own countries. If that authority rules against an individual—or simply doesn’t respond to the complaint in 3 months—that person can take the matter to court. Both data controllers and data processors can be liable for any damage caused by their actions. Individual member states are responsible for establishing rules and penalties for infringements.

Failure to comply with the GDPR could be very expensive: fines can be up to 4% of a company’s worldwide revenue or €20 million—whichever is greater. However, such penalties are likely only if companies engage in egregious, willful violations of the GDPR—and would likely only apply after a lengthy court battle and appeals process. Most national authorities won’t expect perfect compliance and will be unlikely to levy heavy penalties if organizations generally try to do the right thing. National authorities will be primarily concerned with large-scale data processors and organizations handling high-risk data.

What about Brexit?

The United Kingdom is leaving the European Union on 20 March 2019, but it won’t be leaving the principles of the GDPR behind. The UK will comply with the GDPR when it takes effect this May, and under the proposed “Great Repeal Bill” the GDPR would be incorporated into UK law after Brexit. UK law will then be amended with a proposed Data Protection Bill, which is unlikely to diverge significantly from the GDPR.

However, Brexit may have some immediate data protection implications, since the UK will no longer be part of the US-EU Privacy Shield (the current framework for exchanging personal data for commercial purposes between the United States and EU) or the US-EU Umbrella Agreement (a framework for law enforcement cooperation). The UK wants its own separate replacements with both the United States and the European Union, but nothing has been agreed upon yet.

Will the GDPR Matter?

Internet users are increasingly aware their personal information can be sensitive, and we live in an era of massive data breaches. In bulk, our data is being leveraged to sow discord and influence elections. At a personal level, its misuse can have many consequences: identify theft, loss of a job, altered credit ratings, higher insurance rates, increased health care costs, and more. And, of course, our personal data is worth very real money to many of the world’s most valuable corporations.

With the GDPR, the United States will drop further behind the European Union in terms of data protection regulation. Soft “opt-ins” and pre-checked boxes are still permissible in the United States. Although there is a limited exception for credit reporting, individuals still have no real right to see data collected about them or have it corrected or forgotten. Although some U.S. states have enacted data breach laws, there is no national requirement that individuals be informed if their data is compromised. And companies can essentially use any personal data they have for whatever they like, for as long as they like.

However, the GDPR will have indirect benefits for Americans and many non-European Internet users—and the evidence is all those notices you’re receiving about new terms and privacy policies. Companies are feeling pressure to extend GDPR benefits to users outside of Europe. While some (like Google) are notably silent, Apple has already announced it is extending GDPR rules to customers in the United States and other markets, including giving users the ability to view and correct information Apple processes. Even Facebook says it will extend the “spirit” of GDPR to users outside Europe, although it won’t extend GDPR protections worldwide.

The GDPR should be viewed as an attempt to bring regulation up to date with the reality of the digital world. It won’t fix everything or solve every problem, but it’s a big reason why momentum is currently shifting toward better data protection, rather than away from it.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Europe’s General Data Protection Regulation Makes Privacy Global

Notable Replies

  1. This article implies that small companies with only a US presence are somehow going to be held to EU laws and fines.

    The EU may claim that it applies to them, but the reality can’t be that absurd.

  2. I’m not so sure it’s absurd in this day and age. Your presence is one thing, who you do business with another that’s becoming less and less related to the former.

    The EU says that the law applies to whoever does business with its citizens. A small US company is of course free to deny business to EU citizens. But if the do enter business relations with EU citizens, they have to abide by EU law. Doesn’t sound outrageous to me.

    That said, I hope the GDPR will increase pressure so we finally take digital privacy more seriously in the US. You’d think with identity fraud increasing, we’d already be motivated, but obviously lobbying powers in Congress are mightier.

  3. I’m not anything resembling a legal scholar, and my reading of this is that if any company outside the EU collects targeted data from EU residents for commercial use, if they violate the privacy protections of the law, then they could be liable.

    Personally, I’m 100% OK with this. I wish the US would pass a law at least as strong as this, but unfortunately the chances are most likely zero.


  4. Actually, this has very little to do per se with doing business. Putting a simple website online is enough for them to claim that you have to comply. In other words, they are claiming authority and control of the practices of everybody in the world.

    No, you do not have to follow the rules of another country just because you sell a product to somebody there. They might start rejecting your product at customs if you refuse, but laws only apply to the domain you control. I can demand that anybody who wants to look at my art exhibit has to pay $20, but I cannot put that exhibit in my front lawn and expect to be able to enforce it.

    This is a power grab by the EU. But in the end, it’s all going to come down to a question of whether the USA will enforce an EU law FOR the EU against a US citizen. The EU courts have no jurisdiction here.

    Are there trade and legal agreements between the countries? Sure.

    But let’s be clear. Nobody knows whether the US would step in to help the EU prosecute somebody over this, and their claim that it applies to everybody in the world is absurd. Many countries would simply laugh at them.

  5. jtbayly

        May 3

    Actually, this has very little to do per se with doing business. Putting a simple website online is enough for them to claim that you have to comply. In other words, they are claiming authority and control of the practices of everybody in the world.

    The law requires that if a company collects data about an online user in the EU, then that user has to have the right to opt out and/or obtain a copy of the information. If a small company finds this onerous, then they don’t have to collect data. Nobody is forcing them to collect data.

    In the US, the low tech HIPPA laws require privacy, security and portability of medical information. Yes, is a PITA to repeatedly fill out the forms for patients and practitioners, but the law ultimately benefits the human beings whose records are collected. One of the many reasons the law was passed was that info was being sold to data collection agencies for commercial and non commercial services.

    No, you do not have to follow the rules of another country just because you sell a product to somebody there.

    Google and Facebook have had to make big payouts to the EU on information they collected from the EU to use for the US sales of advertising and to third parties. Apple had to part with a few billions of their mega stash for other reasons.

    But let’s be clear. Nobody knows whether the US would step in to help the EU prosecute somebody over this, and their claim that it applies to everybody in the world is absurd. Many countries would simply laugh at them.

    If they do go after a US Company, it they won’t make an example of Joe Schmoe or Jane Schmane and their little online companies. But recent events add more proof that if personal information of a human being is the product, then that person deserves the right to make a choice about it.

    BTW, maybe this whole shebang has something to do with Apple News not being available yet in EU countries though news from EU publishers is served in the US. They do split revenue now with publishers, but I don’t know who sells what. They are negotiating with Google owned Doubleclick, who would be the one to handle revenue.


  6. Ha! My cynical take on this is that under the Trump administration, the US would be more likely to step in to help Russia prosecute a US citizen than it would be to help the EU prosecute a US citizen.

  7. This is not a question about whether privacy and data protection are good. They are.

    This is a question of whether the EU has the right to enforce laws on US companies that are not under their jurisdiction.

    Apple and Google do business and even have incorporated businesses in those countries. If they want to keep doing business in those countries they must follow the laws of those countries.

    This is just like taxes. Ohio can’t even force a small business in Virginia to collect taxes and pay them across state lines. Only Ohio or a federal law can force that.

    The EU can claim all they want that they have jurisdiction over every company in the whole world, but unless the USA decides to enforce their law, it simply doesn’t apply to businesses that are solely in the US.

    Has the USA made clear in their trade or tax laws that this kind of law will be enforced? I have no idea, but I doubt it. And I wouldn’t want to be the test case.

    But let’s be entirely clear on one thing. The EU cannot claim jurisdiction outside its borders. And advocating that they do so simply because they claim to on a law we like is asking for serious problems.

    What if the law said that anybody in possession of personal data of an EU citizen had to be armed with a gun during the duration of the possession for the protection of the data? You’d laugh at them. Why? Because they don’t have jurisdiction.

  8. You’re right…but it really depends on the definition of “under their jurisdiction”. If a company has a business presence in the EU…then I can see a valid court case to allow a decision as to whether the EU privacy laws apply…but even then will other countries in the world enforce their decision?

    It’s also a political issue…google and MS and whoever else has agreed to pay fines may have simply decided that it was easier, cheaper, and more politically expedient to just pay the fine than it was to either fight it or change their business practices…and again, eventually it comes down to whether the US would enforce an EU court decision.

    For a small company based in the US with no presence in the EU…then I would argue that the EU should’t have jurisdiction…if EU citizens choose to do business with that company then does the company really have a legal requirement to do what the EU says…or have the EU citizens granted permission by doing business with the company.

    The EU will continue to claim they have jurisdiction…and large multinationals will likely abide because they have business interests in the EU…but as I see it…I’m not a lawyer, but it seems like common sense to me…then the EU has no jurisdiction in the US…just like we have no jurisdiction to state that drugs or prostitution which are legal in certain areas of the EU are against the law if a US citizen partakes.

  9. Yep, except Apple and Google etc. all have business presences or enough income in that country that they don’t want to be prevented from doing business there.

    That’s the main recourse for the EU. They can say, “Fine. You don’t want to follow our laws regarding data? Then you can’t send physical products into our country.” I’m having a hard time figuring out any recourse for them with digital products except for making it against the law for their consumers to purchase from you. (Or convincing the original court of jurisdiction to take action.)

  10. It is an open question whether EU data authorities or individuals will attempt to bring a suit against US-based organizations over the GDPR: if it happens, it’s almost certainly going to be a “big data” case, not a mom-and-pop operation using cookies to identify forum users. In big data cases, the legal foundation for action would be granted by the (contested) US-EU Privacy Shield. The Privacy Shield has a complicated background (it’s the replacement for a “Safe Harbor” agreement that was nullified by the European Court of Justice in 2015), but requires the United States cooperate with European data authorities. So, at a very basic level, the US has entered into a treaty with the European Union regarding data privacy, and some of the terms are transparency and redress of complaints brought by EU individuals or data authorities.

    The US-EU Privacy Shield (and a corresponding agreement with Switzerland, and probably a corresponding agreement with the UK once Brexit happens) basically requires companies to self-certify that they meet the regulatory requirements; if they’re found not to be complying, the FTC can bring action against them in the United States. Again, whether or not that will actually happen is an open question.

    Also, size does matter (a bit). The GDPR requires data controllers outside the EU selling goods or services to consumers in the EU (or profiling them) designate a representative in the EU to respond to any privacy inquiries or complains from data protection authorities or individuals. (It’s in Article 25 if anyone wants to look.) There are three notable categories of exception: firms with fewer than 250 people, firms which “only occasionally” offer goods or services to EU residents, or countries deemed to offer “adequate” levels of legal protection for personal data. The United States’ current protections do not qualify as “adequate” under the terms of EU law. The UK says it’s aiming for better-than-adequate in its final data protection agreement with the EU.

  11. That’s great info. Thanks.

  12. I think these issues of who has jurisdiction are a bit more complicated in a digital world. Sure, in dealing with traditional goods that have to actually cross a border the EU can have their customs enforce their laws as @jtbayly pointed out. They can seize goods, the can refuse entry, etc. Along those lines it’s easy to think of jurisdiction as being solely based on territory. In that world it’s no surprise you would expect jurisdiction to stop at the border and hence the US doesn’t get to enforce its prostitution laws for US citizens in the EU as @neil1 points out. (*)

    However, this is no longer the world of 1880 where trade consists of actual goods that cross actual borders. In today’s digital economy goods can be personal data (eg. Facebook mining your data to sell to their advertisers). Now where do you block those goods from crossing which border? How do you enforce your laws, especially those designed to protect your citizens from bad market actors?

    Sure, the EU could attempt to set up their digital “customs” like the Chinese do with the Great Firewall. Sniff all IP traffic, block IPs and ports, all that nonsense. But who wants that? The only reason China gets away with it is because the Communist Party of China is running an unopposed brutal dictatorship that we in the western world have simply chosen to do business with, human rights be damned. No sane person would want to have the physical border and customs of the 1880s economy implemented in this technical fashion in today’s global economy.

    Another approach would be that the US simply tells the EU to get lost with their GDPR. Then how would the EU deal with that if they wish to enforce their citizens’ protection through the GDPR? Well they can do what the US does in such cases. Seize all assets, have managers arrested as soon as they travel abroad into countries with extradition treaties, shutter any local business presence, start prosecuting any other businesses who have business relations with the extraterritorial entity in question, etc. Sounds familiar? Yeah, that’s how the US enforces its laws in other countries (if you’re still having trouble remembering, try these cues: Cuba, Swiss bankers and Nazi gold, VW). The EU could take a page from that same playbook and make life as difficult as possible for any US company that does business with EU citizens but doesn’t want to abide by laws protecting said EU citizens. Sure you can say, so what I’m not in the EU. Doesn’t matter. Your business partners are. Sure, that’s extreme. But it has all been done before, by the US itself actually. So would you really want Google fined in the EU because they do business with you and you chose to give the EU the finger? How long do you think Google will keep your gmail account open then? Or do you want to get arrested next time you fly to Cabo? Do you want your IPs blocked in all of the EU? Probably not. Probably its better to either stick to the GDPR when doing business with EU citizens, or simply chose not to do business with EU citizens. US companies always have this choice regardless of how the US decides to react to GDPR.

    That all said, it will be interesting to see how the US reacts when the EU decides to go after a US company that has violated GPDR while doing business with EU citizens. Because of the above concerns, the US will definitely not chose to just say “jurisdiction” and act as if can ignore the issue. There is far too much trade involved for any kind of knee-jerk simplifications and it will be interesting to see what solution the government comes up with.

    *) This by the way is not such a clear cut issue. There are countries that do indeed prosecute their citizens for things illegal in country that these citizens have committed abroad - even when it was legal in the country the citizen was at the time. A recent example is Sweden convicting a Swedish citizen for solicitation for an act committed while on vacation in Thailand. Prostitution is illegal in Sweden, but perfectly fine in Thailand. On return to country the citizen was charged and convicted.

  13. I agree with much of what you said above, but this is untrue. Read the “Can you avoid GDPR Compliance by blocking EU visitors from your website?” Section on this page. Some salient quotes:

    it covers any and all personal data, even that which you collected prior to GDPR going into effect

    under the language of GDPR, if Joe Smith who is a U.S. citizen is signing up for your U.S.-based service, or placing an order through your U.S.-based website - while on an airplane flying over an EU country - by the language of GDPR, the data that Joe provides to you is covered by GDPR.

  14. Interesting issues.

    But in that case, you could terminate business relations with EU citizens and discard their old data.

    This I simply don’t believe is correct. And I don’t imagine the EU is going to battle the US over something which involves somebody who isn’t even an EU citizen doing business in no relationship with the EU. But just to play devil’s advocate, fine then. You refuse to do business with EU citizens and then in your ToS you require of your customers (those from outside the EU who you are doing business with) to confirm that they will not do business with you from within the EU. If they still do so (let’s say on a plane over the EU) they have violated the terms of contract, you stop doing business with them, you delete their data.

    In these cases I would assume you’d only be getting yourself into trouble if you refused to delete their data. But why would you do that? You already ended your business relationship. And with no data, no GDPR issues, right?

    I have to admit, I’m a bit skeptical of the doom & gloom coming from “compliance specialists”. Compliance lawyers need business. This is a business opportunity. What can actually happen to you legally as a small time business in Godknowswhere, USA is not necessarily the same as the big black picture some of these people now paint. Not saying they’re wrong, I’m just a bit cautious when things sound super urgent and super dangerous.

  15. You’re right…but it really depends on the definition of “under their jurisdiction”. If a company has a business presence in the EU…then I can see a valid court case to allow a decision as to whether the EU privacy laws apply…but even then will other countries in the world enforce their decision?

    If a website based in the EU wants to collect data from a visitor in a non EU country they have to give that person the right to approve or not approve. If they do approve, they also have the right to opt out and have the data that was accumulated deleted, and while people remain in the system they must have the ability to easily review any information that was collected. If they don’t approve, the site can block access to the site, or they can allow the visitor to access the site without being tracked. Sites are also required to report any security breeches to the EU within either 2 or 3 days.

    It doesn’t matter if the site is selling anything or not. The US Courts ruled that a US based company used information collected in the US serve targeted information in the EU or visa versa, the US gets to collect on the sale of the data. I do wish the US went the extra miles the EU did to ensure privacy, data security and the ability to determine and makes decisions about what can be sold about me.

    It’s also a political issue…google and MS and whoever else has agreed to pay fines may have simply decided that it was easier, cheaper, and more politically expedient to just pay the fine than it was to either fight it or change their business practices

    Nope, Google and Facebook fought tooth and nail all the way to the US Supreme Court over the tax issue and spent fortunes in attorneys. And Apple fought tooth and nail and probably even made a little dent in their big cash pile to protect its privacy policy. I think MS currently has a privacy case before the Supreme Court, but the one I was referring to was the Netscape monopoly case.

    It’s not the way the corporate world works. If a big corporation doesn’t fight a particular battle of this magnitude and settle instead, it it most likely to cause an epidemic of suits that would either bankrupt the company or eventually end up in the Supreme Court anyway.

    and again, eventually it comes down to whether the US would enforce an EU court decision.

    The EU can enforce rules in the US the same way the US enforces litigation in other countries. They garnish the revenues they collect, or the holdings companies have, within their boundaries. If I remember correctly, the new EU law requires a % of annual income. They can freeze bank accounts and assets while in litigation.

    For a small company based in the US with no presence in the EU…then I would argue that the EU should’t have jurisdiction

    Whether or not they do or don’t, the government is unlikely to go after some sweet little grandma’s site about knitting and crocheting. But if millions of grandmas and grandpas are signed up with a second or third party ad network, then the network could possibly be sued. If they lost, grannies and grampies might not collect the few dollars from ads served on their site. But Facebook and Google would have to pay up.


  16. The problem is with the persistence of data. Unless it can be confirmed that data was actually deleted and will remain deleted, it can, and probably will be sold and sold and sold ad infinitum.


  17. And there is no way to confirm that every copy of a piece of data has been deleted.

  18. It is absolutely not absurd. The law applies to any company that holds data on/for/about EU citizens, regardless of where that company is. Sure, some Chinese company might ignore it, but if it’s anything of any consequence the EU has a large array of tools for dealing with it, including blacklisting the company’s Internet addresses.

    As for whether the EU has the right to enforce its laws outside the EU, that ship has sailed long ago with the US having a multi-decade tack record of doing this exact thing. The EU routinely, and successfully, claims jurisdiction over its citizens regardless of where they physically are.

    If you do business with the EU in anyway (even if you don’t know it), you better comply with GDPR.

    And it’s honestly pretty easy to comply and the regulations are surprisingly sensible for something that came out of a committee.

  19. Of course not. Persistent data is when data is passed on to other parties, and at the moment there is no solution I know of for this problem.


  20. Practical reality for most companies? Comply. Simply the easier and simpler thing to do. And the public, no matter where, benefit.

  21. It’s easy? Really?!

    Are you aware that this very forum is running on software that is not compliant?

    Go ahead, go read that post and tell me again how easy it is.

  22. I’d love for somebody to explain how I can easily and simply keep backups for a website that will allow me to recover from a disaster by restoring to a previous state, and at the same time guarantee that if somebody asks to be “forgotten” that none of their data remains in my backups.

    Uh. Yeah. It’s um… deleted.

    If that’s what everybody means by “comply” then I guess I’d agree that the EU has “jurisdiction.”

  23. All change is hard, without question. And we’ll be looking at all the stuff TidBITS does to see if it’s compliant, or how we’d deal with the possible requests. Luckily, things like Discourse will likely just solve some of those problems with updates.

    That said, many businesses have long understood the need to abide by foreign regulations. For instance, when we owned Take Control, one of the reasons we worked with eSellerate on the sales was because eSellerate had an entire team of people who dealt with collecting and remitting VAT to European countries. Ebooks are subject to VAT in the EU and a number of other countries around the world. It was a cost of doing business.

    Would anything bad have happened to us had we ignored the need to remit VAT for sales into those countries? We had no way of knowing, but the potential cost of being dragged into court as a result of ignoring VAT, or worrying if we wanted to travel to one of those countries, or even the effect on authors who lived in those countries, was enough to ensure that we collected and paid the taxes.

  24. Didn’t say it was easy… easier than court, that was all.

  25. I was responding to this comment:

    Anyway, I agree that it’s easier than being a test case in court. What I think is going to happen is the same thing that happened with PCI compliance. A lot of small business will make a couple of changes and claim that they are compliant, when they aren’t really, because nobody really knows what it looks like to truly be compliant. But with PCI, you had to at least claim you were compliant to do any credit card business. My guess is that greater than 50% of the businesses in the US do nothing to become compliant because the risk/reward tradeoff is too unbalanced, and nobody is forcing them to do anything to keep accepting money online.

    In other words, the chances are so small that you’ll be a test case in court that a lot of people will just cross their fingers and proceed with business as usual.

  26. The solution is the massive fines the EU will impose if you’re caught not complying. They are based on revenue (not profits) and a maximum fine would severely impact any company. this is no case of Corporation deciding it is cheaper to deal with lawsuits than fix the exploding products.

  27. It really is pretty easy to comply, since what you need to be able to do in order to comply is delete a customer’s data when they request it be deleted.

    Now, how complicated that specific task is depends a lot on how you store it, back it up, and how good your tools are, If you can restore a particular user’s files/data from backup, then removing them should not be difficult.

    If you’ve settled on a backup scheme that makes this difficult (all your backups are drive images to physical media that are then stored individually) then it’s not going to be hard, but it’s going to be exceedingly tedious. If it’s exceedingly tedious, then it’s probably time to look at how you backup data.

    And as for Discourse not being compliant, I am not at all surprised. But they will be if they want to survive.

  28. It strikes me that you’re not very familiar with the way the vast majority of small businesses run. I guarantee that there are many thousands of businesses that will never even hear that the EU has declared they need to change the way they do business.

  29. I’m guessing that your website wasn’t built to do data collection, analytics or content assembly, sophisticated e-commerce, or distribution. Your site probably is not being geard up for facial recognition or AI. If it was you would know that user data is stored and maintained separately from content. And the data crunching, storing and serving isn’t done on Macs or PCs. It’s done on heavy iron at mega server farms.

    Smaller companies or individuals that do any of the above typically farm less sophisticated stuff than above out to a third party and it resides on their server farm. Or they participate in Google AdSense or Doubleclick, sell stuff or buy ads on Amazon, Esty, etc.


  30. Correct. I don’t.

    Incorrect. For the vast majority of businesses, the comments on their blog, which often include a name and an IP address, which are personal information, or a simple e-store that sells a couple of products, all have the user data mixed in the same database that their content is in. And yes, that might be hosted on a third party server, but all that does is make the process of getting compliant more confusing, not less.

    I could be wrong on the details, but as I understand it, if you have a blog with comments, you now need to hire a lawyer to write you up some terms and conditions or you’re “breaking the law.” Oh, and you have to modify the comment form to have an opt-in checkbox explaining how you’re compliant with GDPR, and keep track of which version(s) of your policies that particular user has opted in to since you will probably have to make changes to them at some point, either because of a typo in your policies or because you need to make some changes because you’re moving from Mailchimp to Aweber.

    This really reminds of the PCI compliance stuff. I remember everybody saying it was no big deal and that you just had to hire or whoever and you’d be compliant. But no. Sorry. It’s just not that easy.

  31. Wonderful. So now every. Single. Stinking. Website. In. The. World. I’m going to have to click to dismiss a stupid pop up box before i can see the whole page. And this is for my protection.

    Thanks EU. For making the usability of the web so much worse.

    Tell me in 3 years whether you’re being tracked less online, everybody, or if you still get tracked just as much but you’re constantly forced to take extra, meaningless actions by a beauracracy, confirming that you want them to track you like this.

    Peace out. I’m done with this.

    P.S. You know what I would pay for? A GDPR blocking plugin on my browser.

  32. This has nothing to do with GDPR.

  33. Aha. So there will be a new and more elaborate notice coming?

  34. For the vast majority of businesses, the comments on their blog, which often include a name and an IP address, which are personal information, or a simple e-store that sells a couple of products, all have the user data mixed in the same database that their content is in. And yes, that might be hosted on a third party server, but all that does is make the process of getting compliant more confusing, not less.

    Basically, all the EU is requiring any website to do is to give visitors the opportunity to opt out of having their data collected, and if requested, to have and data that was collected permanently deleted. If data is compromised, it must be reported in 2 or 3 days.

    I could be wrong on the details, but as I understand it, if you have a blog with comments, you now need to hire a lawyer to write you up some terms and conditions or you’re “breaking the law.”

    There is no requirement to hire a lawyer. If a site does collect data, there are procedures they must follow that could be accomplished without a lawyer, though they are a big PITA.

    Because I thought of Wordpress, and because there are millions of small Wordpress sites across the globe, and there are lots of paywall and subscription tools available for small sites, I checked out their site and they have good explanations about what needs to be done. The summary is:

    • "it applies to any website that deals with personal information of EU users,
    • it gives the user the right to control the flow of their personal information,
    • there are defined processes to monitor compliance and huge fines are in place for non-compliance.
      In a nutshell, to make your WordPress GDPR compliant, you should (1) look into all the different ways in which you’re collecting visitor data. Next, (2) put mechanisms in place to make sure that users can control their data. Additionally, (3) it’s probably a good idea to avoid collecting user data where it’s not necessary (like the contact form example from above). And most importantly of all, (4) even if you’re using third-party tools and solutions, you still need to make sure that those are GDPR compliant as well.

    If you don’t have all of the above taken care of by May 2018, trouble."

    The Complete WordPress GDPR Guide: What Does the New Data Regulation Mean for Your Website, Business and Data?

    , and you have to modify the comment form to have an opt-in checkbox explaining how you’re compliant with GDPR, and keep track of which version(s) of your policies that particular user has opted in to since you will probably have to make changes to them at some point, either because of a typo in your policies or because you need to make some changes because you’re moving from Mailchimp to Aweber.

    Like I said, it’s a PITA, but it’s doable. Who or whatever doesn’t want to go through the rigmarole can block people. IMHO, and I’m very concerned about privacy, I wish there were data regulations as strict as this in the US.

    This really reminds of the PCI compliance stuff. I remember everybody saying it was no big deal and that you just had to hire or whoever and you’d be compliant. But no. Sorry. It’s just not that easy.

    I had a problems from the Target hack, and I ended up jumping through hoops after the Equifax shebang. So I wish the credit card regulations were stronger.


  35. I know I said I was done, but I can’t help myself.

    You keep saying that you can block people. That’s explicitly and intentionally made not possible by the rules. The link I posted above that nobody has bothered to click explains this in detail.

    Re: PCI: 1. That had nothing to do with Equifax. 2. My whole point is that it’s security theater, not actual security.

    And as to this:

    You sure? Because this site says that cookie popups are going to be heavily affected by GDPR.

    This is like trying to explain that the TSA isn’t there to make you secure, it’s there to make you feel secure. It’s the same with this law.

  36. The cookie popup has nothing to do with GDPR. That was an entirely separate (and entirely misguided and stupid) regulation.

  37. Won’t GDPR require a similar but more robust popup that gives the viewer an opportunity to act before any cookies are set on a first visit to the page?

  38. jtbayly

        May 6

    I know I said I was done, but I can’t help myself.

    I had made the same resolution, but I do feel very strongly that users deserve control of their personal information, and all this law does is make this easier for individuals. And I am someone who has been working extensively with market research data longer than I care to admit I am old, even before the Interwebs were a gleam in Tim Bernese-Lee’s eye.

    Basically all the law requires is that a site gives people the right to decide if they want to be tracked or not, the right to be able to access the data, and delete data that has been accumulated about them, and to receive timely notification if their data might have been breached. Everything has to be in plain easy to understand language, and information easy to monitor and control.

    You keep saying that you can block people. That’s explicitly and intentionally made not possible by the rules. The link I posted above that nobody has bothered to click explains this in detail.

    I have read a ton of information otherwise. There are probably billions and billions of firewalled and walled garden pages being served in the EU every minute.

    Re: PCI: 1. That had nothing to do with Equifax. 2. My whole point is that it’s security theater, not actual security.

    Not even remotely true, and the Equifax data leaks was one of the many reasons why the law got off the ground. It’s also Facebook, Tinder, etc., etc., etc. It is 100% about security and privacy.

    And as to this:

    This has nothing to do with GDPR.

    You sure? Because this site says that cookie popups are going to be heavily affected by GDPR.

    This is like trying to explain that the TSA isn’t there to make you secure, it’s there to make you feel secure. It’s the same with this law.

    Even if it saved stopped one incident, I think the TSA is worth it. I was on my way to work in Manhattan when 9/11 hit and I know people whose lives were dramatically affected. And I am eternally grateful for the TSA whenever I don’t have to remove my shoes, etc. before entering a gate. Hallelujah.


  39. Kreme is correct, another law that preceded the GDPR covered cookies.

  40. I agree. We don’t need those Brussels bureaucrats trying to tell U.S. citizens what to do within the borders of these United States. The U.S. Constitution is the supreme law here, not the E.U. regulations. Kudos to the U.K. for wising up and telling the E.U. goodbye.

  41. Hah! We routinely hear about how TSA screeners miss obvious firearms, and other proscribed items.

  42. If you read the link I posted, it might be good if you pointed out what they got wrong, rather than simply denying it.

    Everybody knows that there was a former law that made a bunch of sites put up a bunch of irritating cookie notifications. Now they are saying that GDPR is making even more changes.

  43. An excellent and well written overview about the GDPR. As an EU citizen, plus an Apple, Amazon, Google, Facebook, Twitter and TidBits user or subscriber, I have a right to know that my personal data is being correctly stored and used only for the reasons that I agree to.

    As Adam has commented already, these basic personal data rights will be positive also for U.S. and other none EU citizens.

    Businesses of all sizes who make money from me and/or my data must ensure that I give this data with my knowledge and explicit agreement.

    Non-profits, charities and similar only need to show that individuals have explicitly given permission for such groups to keep basic contact details for just that - an email list (say) for an emailed newsletter.

    Well done TidBits!

  44. Well, “those Brussels bureaucrats” have jurisdiction on EU citizens, and protect their rights. If an internet US-based company deals with EU customers, then it should be prepared to be sued if it does not respect the rules of the customers’ country. It has always been this way. This is why Adam had to pay VAT according to the rules of the customers’ country; this applies even across US states.


  45. You are aware that countries enforce their laws in foreign territories (and on foreign citizens) all the time, right? It obviously requires cooperation of the foreign territory, but given the interconnected nature of the world these days, there are many reasons why countries cooperate or are coerced into cooperation. This is obviously sometimes good, sometimes bad, and we could argue from a philosophical standpoint whether it’s right at all, but in practical terms it’s the reality we live in.

  46. Jolin, since I lived in Germany for 12 years, I’m well aware of non-citizens being subject to the laws of the country they are physically in. However, the EU is trying to enforce their regulations on UNITED STATES CITIZENS who are PHYSICALLY in these United States! Now this is not the same as for serious crimes like murder, kidnapping, and so on where the country where the crime was committed can ask the country where the suspect is living for extradition of said suspect.

  47. Could someone please tell me how to quote a poster on this new system? I’ve tried to find a Quote button in posts but must be looking in the wrong place(s). Thanks in advance.

  48. jbayly](Profile - jtbayly - TidBITS Talk)

    May 8

    This is why Adam had to pay VAT according to the rules of the customers’ country; this applies even across US states.

    Nope. It doesn’t.

    It seems to me that the link you provides states the opposite:

    What sales tax rate should you use when selling online or out-of-state?

    This is the tricky part. If you’ve determined that your business must add on a sales tax charge for transactions in certain states (and the customer does not have tax exempt status), you’ll need to determine which sales tax rate to charge.

    Sound overwhelming? Yes, it can be. With thousands of sales tax jurisdictions in the U.S., determining which sales tax rate to charge can be a challenge. If you operate an online business, it’s worth investing in online shopping cart services to handle sales transactions, many of which will automatically calculate sales tax rates for you. More comprehensive online sales tax solutions can also take care of the end-to-end process of calculating, collecting and filing sales tax return on your behalf.



  49. As I understand it, the EU is enforcing these regulations on US businesses/organisations who are serving EU citizens. It’s entirely within their right to do this, just like the US government could (and does) enforce regulations on European organisations doing business with US citizens (e.g. financial reporting regulations), even if the organisation has no presence in the US.

    Obviously, enforcement can be an issue, but as Simon describes, there are pretty well established mechanisms for this between the EU and US given the highly interconnected nature of trade and relationships between the regions.

  50. Ummm. Nope. Notice the “if you’ve determined” in what you quoted. How do you determine?

    Here’s what you need to know:

    • If your business has a physical presence in a state (also known as a “nexus”), whether it’s a store, office, warehouse, employees, or other criteria established by your state, then you MUST collect sales tax from customers in that state.
    • If you don’t have a presence in a state , then you are NOT required to collect sales taxes.

    (Emphasis is in the original, so… it should have stood out.)

  51. Just select the text you want to quote and a little gray quote button will show that you can click.

  52. By the way, this tax issue is well known.

    You, as a consumer in your state, owe taxes on purchases that you’ve made even when the business you bought it from did not collect taxes, (not being required to obey the laws of your state.)

    Most states ask you a question when you file your taxes about purchases that you made out of state or online. Then they calculate the additional tax you owe based on those purchases. Of course, most people lie and claim they didn’t buy anything, so the state is never able to collect it. So there is a big push among the states and even Congress to come to some sort of agreement on how to make up for this loss of revenue from out of state online purchases.

    In the meantime, that question on your tax return is the only way your state can collect that tax, because you are the only party to the transaction that they have any right to tell what to do.

  53. Here in California, an out-of-state business does NOT have to charge the CA sales tax (but nothing says they can’t do it voluntarily) UNLESS they have a PHYSICAL presence in California, like a store, warehouse, etc. However, it is up to the recipient to pay a “Use Tax” equal to the sales tax as part of their Income Tax filing.

  54. It depends what the cookies contain and how they’re used. There are many ways of using cookies that would need to be changed to comply with the GDPR; similarly, there are many ways of using cookies that do not require changes to comply with the GDPR. There is no absolute line that “if you use cookies, the GDPR automatically impacts you.” Evaluating these cases is some of what companies and organizations have been doing to prepare for the GDPR.

  55. I think it’s easy to miss the forest for the trees here. Personal privacy is one of those resources that is just sitting there, waiting to be exploited, and it seems clear that market forces aren’t sufficient to prevent abuses. Yes, the GDPR is going to be a pain for a lot of businesses, and particularly for us small businesses who have no desire or plans to exploit our users’ personal data. But you know what? Many larger businesses spend a huge amount of time, effort, and money on ever “better” ways of using hoovered-up personal data. That’s why I think things like the GDPR are a good first step, and a model that other governments can look to. Otherwise, it will be all Facebook, ad-trackers, and security breaches for the rest of time.

  56. Then how about we pass laws that are decent privacy protections, starting with abolishing the Patriot Act.

    All this talk about how this is going to protect privacy is just a sad joke.

  57. Legislation needs support from a lot of different places, and individuals learning more about how it could be if they were EU citizens can only help. And as Geoff noted, small businesses will just put GDPR protections into place for everyone since it won’t be worth doing things different for EU and non-EU users. So GDPR likely will improve privacy for everyone, at least in small ways.

    Here’s the latest example from today’s email. Companies are taking GDPR seriously.

  58. I’m with you on the Patriot Act for sure, but I don’t see these things as exclusive. I believe the GDPR is a good thing for privacy and I hope it will also benefit me even as a US citizen. Sure, getting rid fo the PA might do more for me, but hey, I’ll take whatever I can get. The EU is acting and I get the GDPR. I’m not holding my breath for a repeal of the PA. At the very least by the current administration, they for sure couldn’t care less about my privacy.

  59. That’s indeed good news, though not actually required by GDPR. Still, I think it’s fair to say that part of the impetus for this move is the attention on privacy being caused by GDPR right now.

    Still, Apple has been making a lot of hay in distinguishing themselves as a privacy focused company recently, presumably in part because they think the market will reward them.

    Good for them, even if it doesn’t.

  60. Although I really did intend to disengage from this conversation, I don’t understand how a law that enables individuals to personally determine what data is collected about themselves and manage the data that has to do with a bill intended to prevent terrorism and money laundering that requires documentation and subpoenas? Public security and individual privacy are very distinct and separate issues, and whether or not I agree with the Patriot Act is irrelevant here.

  61. The Patriot Act is the law the government uses to collect insane amounts of personal data about you. You have no right to object to it, and you have no right to know what they have collected or what they are doing with it. You have no right to request a copy of that data and no way to request that they delete it.

    I suppose some people simply think that anything that governments do is ipso facto good and justified. Or perhaps they believe that the government never misuses data to the harm of citizens, such as creating extra-judicial no-fly lists with no appeal process.

    Those are the only ways I can think of that would make sense of somebody trying to defend both GDPR and the Patriot Act, even though they are completely at odds with each other. (By the way, I’m not trying to imply that you’re doing that.)

  62. The Patriot Act is the law the government uses to collect insane amounts of personal data about you. You have no right to object to it, and you have no right to know what they have collected or what they are doing with it. You have no right to request a copy of that data and no way to request that they delete it.

    Under very limited circumstances, this used to be true, but they never collected anything resembling “insane amounts of personal data about you.” The very limited circumstances were narrowed even further after the FBI executed a little over 24,000 requests in 2010, which is a lot less than the amount of information Facebook, Google, Snap, internet service providers, etc., etc., collect from billions and billions of individuals every second.

    Any information gathered via the Patriot Act information limited an is also sealed from unauthorized personnel until it is released by a court. Until then, it is not shared with third parties outside the US intelligence and law enforcement services, and probably would not be unless requested by the Freedom Of Information act.

    "After the Patriot Act expanded the scope of NSLs as described above, their use began to rise. The Department of Justice reported to Congress that in 2010 the FBI made 24,287 NSL requests (excluding requests for subscriber information only).

    NSLs give rise to privacy concerns and, according to critics, the potential for abuse, for several reasons. First, the FBI may issue NSLs on its own initiative, without the authorization of any court. (This was true even before the Patriot Act.) Nothing in the Patriot Act provides for any judicial review of the FBI’s decision to issue an NSL. Second, the NSL statutes impose a gag requirement on persons receiving an NSL. In addition, the Attorney General Guidelines and various information sharing agreements require the FBI to share NSL information with other federal agencies and the US intelligence community.

    The Reauthorization Act tried to redress some of these concerns. It provided a right to judicial review of NSLs and a right to petition a court to lift the gag order. The Reauthorization Act also provided criminal penalties for violating gag obligations with the intent to obstruct an investigation.

    So where does this complex statutory scheme leave cloud users? While the use of NSLs is not uncommon, the types of data that US authorities can gather from cloud service providers via an NSL is limited. In particular, the FBI cannot properly insist via a NSL that Internet service providers share the content of communications or other underlying data. Rather, as set forth above, the statutory provisions authorizing NSLs allow the FBI to obtain “envelope” information from Internet service providers. Indeed, the information that is specifically listed in the relevant statute is limited to customers’ name, address, and length of service.

    The FBI often seeks more, such as who sent and received emails and what websites customers visited. But, more recently, many service providers receiving NSLs have limited the information they give to customers’ names, addresses, length of service and phone billing records. “Beginning in late 2009, certain electronic communications service providers no longer honored” more expansive requests, FBI officials wrote in August 2011, in response to questions from the Senate Judiciary Committee.

    Although cloud users should expect their service providers that have a US presence to comply with US law, users also can reasonably ask that their cloud service providers limit what they share in response to an NSL to the minimum required by law. If cloud service providers do so, then their customers’ data should typically face only minimal exposure due to NSLs."

    I suppose some people simply think that anything that governments do is ipso facto good and justified. Or perhaps they believe that the government never misuses data to the harm of citizens, such as creating extra-judicial no-fly lists with no appeal process.

    I am definitely not one of those people at all. And I am not one of those people who wears a tinfoil hat or believes in conspiracy theories.


  63. The NSA’s authorization doesn’t come from the Patriot Act.

    The problems with data collected by governments are distinct from the problems with data collection by businesses meant to be addressed by the GDPR.

  64. Of course they are distinct. But the relationship between them is obvious.

    And the connection of government surveillance to the Patriot Act (as well as several other laws) is acknowledged by all:

  65. NSA data is not collected under the Patriot Act, it’s a whole separate shebang. And years ago I did read “The Puzzle Palace.” 95-99% of what the NSA collects is metadata, and if they detect a pattern they think is suspicious, they have to get a warrant or some kind of clearance to dig deeper.

    I remember reading a few years ago that Facebook and a Google turned down a request to turn over info, but I don’t remember if became a big legal and political issue like Apple unlocking the iPhone. Maybe if the NSA wanted to buy the records and info, including the phone numbers, addresses and notes from their contact lists they would have sold it to them like they did to Cambridge Analytica.

    About a year or so ago the US President signed a bill allowing internet service providers to sell any or all information they can collect about you without your permission. And net neutrality rules went bye-bye last year. AT&T had been selling ads even before they acquired Yahoo and AdWorks, and all the other big ISPs had also, but this made it possible to deliver more granular and targeted audiences for ads possible, as well the ability to sell the data itself.

    The NSA, FBI and whatever else probably isn’t finding out near as much about you or me without a warrant or clearance as so many ad supported internet and phone companies already know or are learning. A big difference is that the NSA doesn’t keep the information for more than a week or two unless it’s suspicious. And if they listened to me talking on my phone to my BFF since Junior High today about why her lava cakes pancaked when she was baking them, I hope they will like my recipe that I sent her.


  66. OK, folks, let’s stay focused on the GDPR.

  67. Sorry about that. I deleted my previous post.

  68. Seems like anyone with a mailing-list will have the member count reduced by 90% now as everyone has to ask people already on their lists to consent actively … . (Think I will skip it for my small lists myself, but see many now trying to deal with the problem and they fail.)

  69. Sounds rather reasonable to me. If somebody doesn’t consent to getting mailing list posts, why should they be on that list and get spammed? OTOH if I want to get mailing list posts, sending my consent is certainly no big deal.

  70. Well, it will apply to all mailing-lists whether or not the members on them have given consent or not earlier. It is both for good and bad: people won’t have to actively unsubscribe to lists they have gotten tired of & only need not to react, but “bad senders”(spammers) likely will not take them off their lists anyway. Less good for good e-mail list senders like TidBits who need to get renewed approval to send messages even if people have actively signed up on the list before - it might be easy to do the re-consenting, but in practise only a minor % will do so, but they might get back later on.

  71. Yes, undoubtedly it’s a good thing for the EU to force me to resubscribe to every email list I’m on because they decided that my previous consent wasn’t good enough.

  72. Well I guess we can’t have it both ways. If I can’t be bothered to consent to TidBITS I have only myself to blame when I don’t get a new issue.

  73. I teach at a College here and we had staff training on GDPR.

    Quite a thing to consider, when you hold data on students from grades to notes to disciplinary decisions and outcomes of meetings. Boils down to

    • data is gathered for a purpose and usage cannot vary from that purpose without explicit clear consent.
    • Data which is sensitive has to have particular consideration.
    • Data should not be held beyond needed purpose’s timeframe.
    • Data breaches have to be acknowledged within 72 hours
    • Data requests (from users) have to be made available within a month.

    Sounds good to me as a start. Quite common-sense.

  74. Correct. And Tidbits has GDPR to blame for the loss of subscribers and subsequent loss of income.

  75. Yes, so it is, but was not thinking of you but the sender here.

  76. This isn’t true for several reasons.

    First, as this article notes, one of the lawful reasons to contact people on a list you own is for “legitimate interests,” and it’s at least arguable that we have a legitimate interest in fulfilling the desires of our subscribers by sending them the free publication that they signed up for.

    Second, if you have an existing mailing list, you would only have to ask subscribers to opt-in again if you had subscribed them in “soft” ways before (such as by a checkbox that was pre-filled on some form, or by subscribing them and then sending email giving them the opportunity to opt-out). Since everyone who subscribed to TidBITS did so completely intentionally and without any deceptive practices, we don’t have to ask everyone to resubscribe.

    The main thing that could trip up a company is that the GDPR also wants a record of that consent, and for any list that’s been around for a long time, it may be hard or even impossible to provide that information.

    All that said, I do believe that people who are running a mailing list that isn’t trying to market to its members are probably in a much better position than your standard direct marketer.

  77. Good article! Still puzzled a bit by this as see seemingly fine mailing-lists send out messages asking for renewed consent, even when I have signed up intentionally for them, but it could be they are also puzzled. Was also thinking that many send out the re-consent e-mails just because they could not prove previous given consent in every case.

    Also for my own mailing-lists it has always been a mixture of people signing up intentionally and me adding them because I think them may be interested (usually because they have bought something or shown an interest without directly asking for being added to a list). Never added any people to a list without good reason though. So for “legitimate interests" for sure (mostly the legitimate interest of the recipient rather than the sender, but both), but also occasionally “by subscribing them and then sending email giving them the opportunity to opt-out” (or rather a note at the end how they unsubscribe or a note telling them I have added them).

    But good to see you know how to deal with this!

  78. Oh I’m considering the sender as well. No sender has the right to bombard people with stuff they don’t consent to. If somebody doesn’t tell you he/she wants your stuff, you shall not send them your stuff. It’s their call. If they’re too lazy, well then that’s their choice too and you shall respect that. This right hasn’t been respected well in the past at all - not even in the analog world (junk mail). If in the digital world the EU’s GDPR is the instrument that changes that, more power to them. :thumbsup:

    I think Adam’s above post shows quite nicely how a legitimate content distributor like TidBITS has nothing to fear from GDPR.

  79. My strong suspicion is that any small player who’s trying to do the right thing will probably be OK in the long run.

  80. As @ace said, this is probably the reason. I know I used to run mailing lists and the ‘confirm subscription’ emails were never something that I kept (or even saw). A request to join the list generated a single email to the address asking for confirmation. If the user confirmed, that message was automatically handled by the mailing list and discarded.

    So, under that system, a list would need to, I guess, ask for confirmation again and this time keep it.

    I assume that GDPR also mandates some way for a list to remove a user’s posts? I haven’t thought about that, but that would be quite a problem if there is.

    Actually, that would be largely impossible, since you would need to be able to remove their quoted content as well.

    Hmm, glad I’m not running a mailing list, but maybe someone has looked into this.

    OTOH, mailing list are fast becoming the next USENET. Sure, some people still use them, but far fewer than there used to be.

  81. Me too, just that one get a bit nervous trying to figure out if it will be up to people’s decisions or the law so to speak. One wonders if the regulation will save money or be a loss – either way there are big costs. Also not totally sure the guy in the article is totally correct. (“Legitimate interests” might be up to different interpretations … .)

  82. But this is essentially a new sort of mailing list. I know that the software has a method to anonymize posts, but I wonder how successful it would actually be at catching all instances of somebody’s name in quotes, as you mention…

  83. Yes, that’s the “right to be forgotten.” Here in Discourse, that’s easy with new users because of how it’s architected, but I can’t even begin to imagine how you’d erase someone from a traditional mailing list archive. Realistically, I suspect that (a) this won’t happen to hardly any traditional discussion lists and (b) if it does, and the list admin perceives a real threat, they’ll just kill access to the archive since it won’t be worth the manual effort. That’s what I’d do anyway. :slight_smile:

  84. Art. 17 GDPR Right to erasure (‘right to be forgotten’)

    Assuming an email or web forum post counts as “personal data,” when is it “no longer necessary in relation to the purposes for which they were collected or otherwise processed?” One could argue it will always be necessary as it is part of the record of the discussion (their name could be removed from the posts though).

    I think removing or editing my messages or posts in which I quote or talk about someone who wishes to be deleted would violate my rights. As a matter of copyright, quotations should be protected on fair use/ fair dealing principles but I admit I don’t really understand the degree to which some Europeans think attempts to control information about oneself should supersede other interests.

    The language of the GDPR is clearly much more about non-public data organizations have, not information freely provided by users to the public or to others outside the organization (e.g. members of a private mailing list or forum). I have seen mentions of “reasonableness” in the regulation. A web forum removing a user’s name, email address, and alias from a Users table (but leaving the row in place with a random or anonymous id) is likely reasonable in most system. Doing a large search and replace for their name as a string in text archives or in the body of messages is probably not reasonable. I’m hoping reasonableness will prevail and this will be a minor issue for web fora.

  85. I am pretty sure that he GDPR considers email address to be personal. Also, many people have signatures that have other information that would be classified as personal.

    But I don’t know that mailing lists posts wold be part of GDPR at all.

  86. I meant the content of the message. Discourse doesn’t need to expose sender email addresses. I don’t know if a bare bones Mailman archive can but that’s the kind of thing that I think should fail a reasonableness test. Ditto for whatever one chooses to share in their .sig file.

  87. I am not a lawyer, but my general assessment is that a great deal will depend on the nature of the mailing list and the specific consent given. If a user subscribes to the mailing list and is explicitly informed their posts will be available to list members/the public for the foreseeable future, then that consent is probably valid. If the nature of the mailing list and/or access to its contents changes, consent may need to be explicitly re-acquired.

    If a user withdraws their consent and wishes their information to be removed under the “right to be forgotten,” then mailing list/archive maintainers may have an obligation to attempt to anonymize the material, and it probably extends not just to public services but to backups/archives as well. I have seen some assessments that this should also extend to the content of that users’ messages and and threads/messages that quoted them. However, this creates a minefield for trolls: imagine someone going through every thread in a forum, tacking on a smiley or “me too!” post, then demanding all those threads be deleted in their entirety under GDPR rules? Certainly not the intention of the regulations.

    I have also seen some GDPR assessments that mailing lists and forums that that are not used for commercial/marketing purposes (for instance, not for commercial activity, do not conduct user profiling, do not share data with third parties, etc) will have little or no liability under GDPR, so long as they take reasonable steps to protect users’ personal information.

    I think the specifics will vary quite a lot by mailing list/forum: there’s not going to be a single one-size-fits-all way to cope with the issues. But I am no more a lawyer now than I was when I started this reply.

  88. Here’s a slightly different situation. A blog that is run by 2 persons with me as tech support. 5% or less of the visitors are from EU countries. Nothing is sold. This is not even a company. Literally run from a kitchen table 99% of the time. (At times from a porch at a beach.) But they do cover controversial subjects and at times blog posts can be about situations in EU countries.

    This blog runs on WordPress. But we DO NOT require or even allow people to create accounts.

    So talk about just factoring the GDPR CODB into our pricing is absurd. We have no pricing. We don’t take ads. We do have Twitter and Facebook buttons with appropriate pages for each. And we are running Google analytics so we can see where we are popular look at things like how big to assume a minimal screen size for both desktops and mobile.

    And while once in our past we did remove all the comments from a person at their request it created such a mess that we said no more. Suddenly dozens of comment made no sense. 100s.

    After 9 years we’re up to over 300K commments. Typically 4000 to 5000 unique visitors per day with occasional peaks lately of 10K to 20K.

    To me this is going to be a very large PITA. Sigh.

  89. I’m not sure that you have to do anything? You don’t have accounts and it doesn’t sound like you’re collecting personal information, so why would GDPR be an issue for you?

  90. Per what I’ve read here and other places, IP addresses count. So do email addresses. And maybe handles. And for sure their names if they give it like at the end of their comment as a signature. Plus our posts and the comments may reference real people who really don’t want some things public about them.

    Most commentors use their real email address. We tell them if they want us to get in touch with them due to an issue with their comments we need a real email. (We wind up with a non trivial number of moderated comments due to the subject matter some days.)

  91. If they want to be removed could you just mark all of thier comments as removed by request. Then it won’t mess up the heirarchy.

  92. Most of the comments refer to previous comments. Many quote part of or all of a previous comment.

    A few months back a semi-regular went a bit nuts and I spent 3 to 4 hours cleaning up after purging his way over the edge comments. As I also got to go find all the links to his comments which included quotes from him and/or arguments about what he said that also had to be “purged”.

    Also the standard Wordpress tools are not really geared to dealing with people who’ve commented 1000+ times. Or even 100+. And editing all their comments to remove what they said and replace it with “Comment removed” would get to be tedious at best.

    And we have issues of future legal issues where people might have to explain why they said what they did about some person or topic but if they comments they were referring to are gone, then what? I wonder how this plays out in the EU in courts?

  93. The GDPR only applies to enterprises, “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.” Presumably a web site having ads is sufficient to count as economic activity but since the blog in question doesn’t even have that, I don’t think it applies. GDPR would still apply to the blog, even without economic activity taking place on it, if the blog is run by an “enterprise” engaged in economic activity; e.g. I don’t think there’s any economic activity in the TidBITS Talk forum but TidBITS is an enterprise engaged in economic activity.

  94. I checked the EU site, and there could potentially be a problem if this site is processing data, not simply collecting it:

    “SMEs only have to keep records if data processing is regular”

    IMHO, the chances of the EU going after this blog are the lowest end of minimal. Google, Amazon or Facebook it ain’t. Complaints need to be filed before any action is taken.


  95. Yes. Maybe. We step on a lot of toes at times. Without giving enough details to derail this thread lets say the point of this blog is to open doors where powerful people have tried to hide various things that would threaten them.

Join the discussion in the TidBITS Discourse forum

24 more replies


Avatar for ace Avatar for kreme Avatar for Simon Avatar for tommy Avatar for cwilcox Avatar for romad Avatar for seth Avatar for tom3 Avatar for franconi Avatar for appleget Avatar for jbr Avatar for jzw Avatar for neil1 Avatar for fritz Avatar for eyeless Avatar for raleighthings Avatar for jtbayly Avatar for xdev Avatar for fearghas Avatar for MMTalker Avatar for geoffduncan Avatar for people.influencers