GDPR Feels Useless (medium.com)
Don't read this. There's so much misunderstanding in this article, I'd be surprised if any good discussion came from it. And refuting it would take ages.
For example:
> And apparently typing your name, age and other information is not consent. How is this supposed to work by the way? I give you my name but I don’t consent to you using it or remember it?
The way it's phrased is misleading. If you need the data and are going to use it in the obvious way, e.g. for shipping a parcel to my address, legitimate interests works fine. If you're a scumbag marketer or data broker/reseller (etc), then yeah, it's going to impact you. That was the idea.
So instead of bikeshedding arbitrary scenarios, let's do something more productive with our day.
The better response to "typing is consent" is that, okay, you gave our address, now we're creating adverts with your house, making it look like you're selling it, soliciting offers in your name, and so on. Even though you just ordered a bumper sticker from us.
So, consent is given for a purpose, and you can't really do that with just an input box. Hence the fancy opt-in modal dialog wizard thingies, and the checkboxes at registration/payment time, and so on.
Couldn't agree with you more. Just another Medium post, presented as factual news, steadily leading me to just... Never read posts from Medium.
You can't refute a "feeling" anyway as it is subjective.
I saw the headline and thought I'd verify my suspicion here in the comments (Confirmation Bias!) before spending my time on the article.
It's worth reading. It will remind you of the rule of law; that we all should follow the laws because it makes society better. You can speed your car down the road and there is no mechanism to prevent you from breaking the limit, but most people don't do this because they respect speeding laws and why they were created.
Same thing here. Yes GDPR has no mechanism to enforce these things. It's up to everyone to respect the law and enforce it upon themselves. If you don't respect laws, then you don't respect 'em, simple as that. Eventually, you will get caught.
This is just a weird article.
> But do you know what data I have access to when you come on my website ? Well only your IP and some information about your computer and browser. That’s all.
It's pretty well known by now that that's often more than enough to identify a specific user. "That's all" really undersells it.
> It’s true I can create an ID and save it on your browser (I can do much more but we will stay focus). Your browser, not your computer.
That's effectively the same thing -- the vast vast majority of users don't use more than one browser per device, and I'd be willing to bet that the few who do use more than one mostly use them for different websites.
> So the very first thing you need to understand about data privacy is that YOU protect your own data by not giving it away without thinking.
And here it is. This article is basically just victim blaming. "You didn't want this website to identify you based on the unique combination of user agent, viewport, and feature detection? Then you shouldn't have visited this website with that user agent, screen size, and set of features enabled in your browser."
I’d ask similarly, when you enter the public sphere, does that give me the right to collect DNA samples you’ve “voluntarily” dropped on the floor, like in police shows? You abandon your privacy when you voluntarily expose yourself to the public, right?
I think the public is divided on the issue and have no consensus nor common language for matters of privacy.
I don't view GDPR to be quite as useless as the author does, but the point about the user having to protect their data themselves is spot on. GDPR only protects you against good actors that are under EU jurisdiction. Everyone else could very well be doing whatever they want with the data you leak. The EU can't fine a Chinese company if the Chinese company has no presence in the EU.
Another thing the author doesn't mention is that GDPR sets a minimum amount of cost/effort to run a website that's way beyond the actual hardware cost and the cost of making the website itself. It requires every website operator to be familiar with how GDPR works, because you need to know whether you're collecting personal data (you probably are) and how you need to handle it. Furthermore, if you are collecting personal data then you must respond to emails of users who request to know what data you know about them within a set amount of time. In the case of a small website, such as a forum or blog, I would consider the cost imposed by GDPR to be greater than the cost of making the website itself and renting hardware to run it. I think it disproportionately impacts smaller sites. It essentially leads to small sites simply breaking the law and hoping that nobody complains about them.
That's the general issue with regulation, it protects the existing large players in a space by adding a higher barrier to entry for competitors. So now instead of hosting your own forum or website you'll use Squarespace or Discord or Disqus instead.
You can host your own forum. And if you do it as purely personal activity, then GDPR does not apply.
Is running a forum a purely personal activity? I'm not so sure. It certainly won't be if you have any third party services running on it.
Why not? You can set up a family forum, to share stories, pictures, etc. That's household-y and personal. Fits the definition from the law pretty well.
There's some thinking about what constitutes purely personal activity ( https://ec.europa.eu/justice/article-29/documentation/other-... ) usually the test is whether it can potentially reach anyone in the public, is some financial/professional gain for the operator, etc.
> I'm not so sure. It certainly won't be if you have any third party services running on it.
Those are handled in the text too. Basically the controller / provider / operator of said 3rd party service has to be GDPR compliant, not the user. (So if you fire up a WordPress blog, you probably don't have to worry about it.)
As I read it, it specifically doesn't cover things which are not economic activities and not professional activities. You running a website yourself and not as a business may or may not fall into that. It is not necessarily the colloquial definition of personal.
A personal website may have donations, may have ads, may act as advertising for your professional career, may be used to find jobs for yourself, may be used by people to trade items to each other, etc, etc. Those may be covered by GDPR and without a lawyer (ie: money) I have no idea.
First of all, GDPR does not apply to personal sites. ( https://law.stackexchange.com/a/28086 - see current "in force" version of the directive: https://eur-lex.europa.eu/eli/reg/2016/679/oj see recital 18)
> [...] GDPR sets a minimum amount of cost/effort to run a website [...]
This is simply false. If you want to post something on the 'net, nothing changes. You want to count page downloads? (You know those old school CGI counters.) Nothing changes. You want to know how many individual visits you got? Well, you need to try to distinguish between new and returning visitors, hence you might put a cookie on the visitor's browser/client/useragent, now you need to ask nicely, because it's eerily easy to use that cookie for a lot of other purposes. (Similarly if you would try to use something else, like IP address, and/or browser fingerprinting.)
And so on. Yes, I like pretty graphs about visitors (browser screen size distribution, fancy geoip charts, etc), but so do the people that live off the not so innocent usage of this kind of data.
And yes, if you collect personal data, then you should be able to protect it. This was always the case, GDPR simply states this and tries to create a mechanism that forces data holders to act accordingly (via the mandatory data breach reporting). Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.
> I think it disproportionately impacts smaller sites.
Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.
GDPR at least makes WordPress, discourse, and random blog and forum engines able to deal with the reality of how much value their databases represent nowadays.
I'd say that medium sized sites are more troublesome in that regard. Once a site has grown big enough to become cumbersome for one person to manage, but not large enough for most to justify staff, then you have an issue. There shouldn't be any excuse for a small site to fall behind with updates, etc... It's simple.
Absolutely. This is the typical problem of small-medium sized shops everywhere around the world. If you're just a really small one-man army, big companies don't really care. If you are getting bigger, suddenly you will find competition and a lot of regulatory burden. (Most startups usually fail at this point as far as I know.)
> First of all, GDPR does not apply to personal sites
No, as I read it, it excludes sites that do not engage in economic or professional activity. It is specific about what personal means and its definition is not necessarily the colloquial definition of personal.
So, as a layman, by my reading getting donations makes your site covered, running ads make it covered, allowing people to sell things makes it covered, people connecting for jobs makes it covered, using it as advertising for your professional career (ie: blog post that says you're looking for a job) makes it covered, etc.
Or maybe it doesn't cover those, but then I'd need (and thus need to pay) a lawyer to know, wouldn't I? Lawyers aren't cheap compared to the cost of modern web hosting.
> First of all, GDPR does not apply to personal sites.
And next to no websites actually fall under this exemption. Furthermore, simply to know that your website falls under this exemption comes with the cost. You must know that your website falls under this exemption, requiring you to know GDPR and/or requiring a lawyer to look it over (high cost).
> This is simply false. If you want to post something on the 'net, nothing changes.
Simply having to know what GDPR is, what it covers, and whether you fall under it has a cost. So the statement that nothing changes is patently false.
Also, I'm pretty sure that by default most software that serves websites would already put you under GDPR, because it collects IP addresses and they're considered personal data.
> Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.
So, because there were other limiting factors for them we might as well make it illegal to run such websites? I guess I can understand why the EU's tech sector is doing so poorly.
> Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.
But it's not about that. It's "if you handle any data then you must constantly be available to tell users what data you have about them". This, ironically, puts people's data at risk, because suddenly you forced website owners to reply to phishing requests. What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.
Of course, just as with any piece of regulation, some might affect you without you ever knowing it.
Furthermore, you seem to be mixing things up with outright falsehoods. If you are a user, and you want to use a service that provides publishing, let's say tumblr/medium, you don't have to worry about anything. If you are a - let's say - power user, and you want to set up a website, then you set up - again, let's say - WordPress, then you don't have to worry about it, because it's a purely personal activity and the providers of the trackers have the burden of compliance here.
I'm not saying "yaay, it's the best thing ever", and it'll surely change as courts and data protection authorities of member states interpret and apply the regulation (and then cases against those go through the courts), but it's certainly a serious attempt at some sort of ideology about personal data. And the tracking and cookies are completely irrelevant most of the time. (After all, almost all sites really don't know and gather more than your IP address and your user-agent.) However. Malicious users can inject all kinds of CSS-based history-leaking nasty stuff, and big players like FB and G naturally feel like building a universal profile based on your activity and data and visits to other sites (where G or FB is embedded), and that's what this is about. That now there's a decision that you have a right to know what G/FB/etc does with your data. What that profile looks like and what happens to it, who has access to it, and who does what with it.
> What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.
Great point. It leads to a very important discussion about security. Sites are very lousy when it comes to social engineering. (And this is somewhat covered already: https://gdpr-info.eu/recitals/no-64/ )
GDPR is a fundamental step towards controls of data as a basic human right. It does not define clicking on banners or cookie disclaimers. He's mad that the world hasn't already matured their adherence and that's reasonable but don't throw the baby out with the bathwater.
GDPR is a great step towards empowering consumers. Give the industry and regulators more than 1 year to change its behaviors and set new standards.
All I see is a lot of websites with a cookie notice that I agree to.
Maybe ... just a thought ... but, don't agree to them?
It should be just as easy to agree as to decline. If not, then they are likely not adhering to the regulation, and eventually someone will/could alert them or whatever authority.
Do you mean that if I declined I should still be able to see the content?
Yes.
And the whole practice of huge scary obtrusive modal-like dialogs (that tint the background so you can't even read it normally) is the cheap trick used by sites to incentivize you to consent to tracking. So, it's almost certain that those are not compliant. They replace the fundamental function and purpose of the site with a fake choice.
Correct, to a certain degree.
Specific things that require data and/or cookies to function (e.g. providing a shipping address so that your package can arrive) are exempted, obviously. But everything else is supposed to work, regardless of consent or not.
This is due to Art. 7, Paragraph 4[0,1] regarding "Freely given consent". If your only option is to consent, or not use the website, your consent is not freely given.
[0]"When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
Interesting perspective and I can see some of the intent here, but it takes an odd slant to the issue. There are a few failures in logic here (random number becoming PII, only tracking on one browser, laws protecting you from getting robbed) that detract from the goal of GDPR, which is to outline the user's digital rights, not define how data can be collected. GDPR does not define the technological methods because those will always be evolving, much like our understanding and expectations of data privacy will evolve. I agree that users need to educate themselves on how to protect their own data, but there is a ton of technology that they either aren't aware is being used, or simply don't understand. GDPR isn't perfect but it will help in the long run. Here is a summary of some of the details and how it will impact what developers need to do as they architect software. Some companies will take it seriously, others won't. Then consumers may decide who to do business with. https://fusionauth.io/blog/2019/01/29/white-paper-developers...
Here's an issue we ran into when implementing GDPR: marketing software keeps a database of people who have opted out, so even if that email address shows up again, we don't risk spamming them. But if they opt out now, under GDPR we have to delete them completely, even from the opt-out list. So we can't remember not to email or track you.
The author also points out the double set of cookies, which is how most sites deal with tracking. One set of cookies that do not collect PII, that just tell the other set of cookies to turn on or off.
I respect that the writers of GDPR did not confer with the industry insiders beforehand. However, with how poorly some of it understands the technology (implementation of cookies is a great example), I wish they would have had a bit more understanding and drafted a better bill.
Uh? Couldn't a hash be used for that?
According to our counsel, even encrypted or hashed data was still counted as PII as those are security measures, not privacy measures.
I mean, trust your counsel over some random guy on the internet (me), but I would seek a second opinion on this from a technologically savvy lawyer.
There are absolutely implementations available that will allow you to have a hash, not tied to other data, sitting in your opt-out list that you then check other hashes against. No PII in the mix.
If I got the hash database I could absolutely test whether specific people were in it, and I could probably reverse a large number of them with dictionary based attacks.
There are no completely robust options where you can claim that this data cannot compromise personal privacy, so I guess from a legal perspective it doesn't stop it being PII.
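The membership test described in the two comments above, as an added example that is not from the thread or from any product mentioned in it: an opt-out list of unkeyed email hashes can be checked against a guess list by anyone who obtains it, while a keyed hash (HMAC-SHA256 with a secret kept outside the database) confines that check to whoever holds the key. All addresses, the candidate list and the key are constructed sample values.

```python
"""Added example: testability of a hashed opt-out (suppression) list."""
import hashlib
import hmac

# Constructed sample data: addresses a mailer has been asked never to contact.
SUPPRESSED_EMAILS = ["alice@example.com", "bob@example.org"]

# Constructed guess list someone holding only the leaked hash list might try.
CANDIDATES = ["alice@example.com", "carol@example.net",
              "bob@example.org", "dave@example.com"]

# Constructed secret; in practice this lives in a KMS/secret store, never in the DB.
SECRET_KEY = b"constructed-demo-key-keep-out-of-the-database"


def normalize(email: str) -> str:
    """Trim and case-fold so the same address always produces the same hash."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: reproducible by anyone, so testable."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_hash(email: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256: only a party holding the key can hash a guess and compare."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def build_list(emails, hasher):
    """Build the stored opt-out list as a set of hex digests."""
    return {hasher(e) for e in emails}


def is_suppressed(email, opt_out_list, hasher) -> bool:
    """The mailer's own check before sending: is this address on the list?"""
    return hasher(email) in opt_out_list


def recover_members(opt_out_list, candidates, hasher):
    """Given only the list and a guess list, return which guesses are members.
    This is the dictionary-based membership test the thread describes."""
    return sorted(c for c in candidates if hasher(c) in opt_out_list)


def demo():
    plain = build_list(SUPPRESSED_EMAILS, plain_hash)
    keyed = build_list(SUPPRESSED_EMAILS, keyed_hash)
    return {
        # Plain list: both real members are confirmed from the guess list.
        "plain_recovered": recover_members(plain, CANDIDATES, plain_hash),
        # Keyed list, no key: guesses hashed without the key never match.
        "keyed_recovered_without_key": recover_members(keyed, CANDIDATES, plain_hash),
        # Keyed list, with key: the mailer still honours the opt-out.
        "keyed_lookup_with_key": is_suppressed("Alice@Example.com", keyed, keyed_hash),
    }
```

The key holder can still test membership, so the keyed list is pseudonymous rather than anonymous; it narrows who can run the test, which is a different question from whether the data counts as PII.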
A law is only as effective as it is enforced.
> This is so broad and vague that basically if I generate a random number to identify you on my website it becomes your personal data.
That's cool. If something can identify me uniquely then it's personal data.
Totally agree! Especially if you keep the link between the number and user, which is very often the case. But even without that direct link one would have to demonstrate a certain level of k-anonymity. Maybe GDPR wasn't detailed enough to describe k-anonymity.