SoylentNews is people

posted by Fnord666 on Monday May 28 2018, @11:58PM
from the nothing-of-value-was-lost dept.

This is the exact quote, folks. No games!

It's anything but a happy General Data Protection Regulation (GDPR) day for several major U.S. news organizations as their websites are temporarily blocked in Europe as a new data privacy law goes into effect today.

Websites such as the LA Times, NY Daily News and Chicago Tribune are all temporarily blocked this morning, saying their content is unavailable in most European countries.

Anyone trying to access the sites, which also include those owned by Tronc and Lee Enterprises (examples include Orlando Sentinel [Tronc], Arizona Daily Sun and the St. Louis Dispatch [Lee Enterprises]), sees a message explaining that the website is working with European authorities on trying to get access back as quickly as possible.

Source: foxnews.com/tech/2018/05/25/various-us-news-websites-blocked-as-europe-s-gdpr-data-privacy-law-goes-into-effect.html

  • (Score: 2) by Pino P on Tuesday May 29 2018, @05:53PM (3 children)

    by Pino P (4721) on Tuesday May 29 2018, @05:53PM (#685754) Journal

    If you only collect occasional data - such as a delivery address etc. - then there is also another clause saying that you do not have to comply with the local representative requirement.

    Then it hinges on the precise definition of "occasional". I couldn't find such a definition in the text of article 27 [gdpr-info.eu] or its associated recital 80 [gdpr-info.eu]. What other guidance does the text of the GDPR give with respect to how judges are expected to interpret "occasional" when applying the GDPR?

    Three pieces of personal data that a privacy-respecting website would commonly need are the user's billing address, the user's shipping address, and the user's email address when logging in or requesting a password reset. Can the use of all three of these when someone logs in and makes a purchase be proven to be "occasional"?

  • (Score: 2) by janrinok on Tuesday May 29 2018, @07:20PM (2 children)

    by janrinok (52) Subscriber Badge on Tuesday May 29 2018, @07:20PM (#685811) Journal
    Doesn't matter what occasional means - read it again to see if the data that you hold is in any way restricted by the GDPR. I think that you'll find it isn't as long as you take reasonable precautions to protect it.
    • (Score: 2) by Pino P on Wednesday May 30 2018, @12:36AM (1 child)

      by Pino P (4721) on Wednesday May 30 2018, @12:36AM (#686017) Journal

      read it again to see if the data that you hold is in any way restricted by the GDPR.

      In order to be entirely exempt from this requirement, if the processing is not "occasional", data must not be "personal data". Article 4 [gdpr-info.eu] defines "personal data" roughly as any data whose foreign key uniquely identifies a natural person. The billing address of an individual, the shipping address of an individual, or the email address of an individual uniquely identifies a natural person.

      Every single time I reread article 27, I come to the following conclusion. To be exempt under 27(2)(a), processing of personal data by an entity outside the Union offering goods or services to data subjects in the Union must meet all four of the following criteria:

      1. only "occasional" processing of any personal data, AND
      2. not mass processing of personal data in an article 9 "special category", AND
      3. not mass processing of personal data about a criminal conviction, AND
      4. processing is unlikely to threaten the subject's rights.

      The uses we're talking about (use of billing address for billing, use of shipping address for shipping, and use of email address for password reset) clearly meet 2, 3, and 4, but not necessarily 1 unless and until a court interprets the "occasional" criterion.

      • (Score: 3, Informative) by janrinok on Wednesday May 30 2018, @06:37AM

        by janrinok (52) Subscriber Badge on Wednesday May 30 2018, @06:37AM (#686138) Journal

        I am not your lawyer. Seek legal advice if you remain concerned.

        As long as the data that you collect is given to you willingly and knowingly, is essential for the operation of your business, and you use it only to carry out the task for which the individual gave you the information, then your holding of that data would appear to be legitimate and does not contravene the intent of the GDPR.

        You are still obligated to take all reasonable precautions to protect that data from accidental loss (which results in compromise) or against malicious actors (e.g. hackers). Reasonable precautions cannot be defined in a simple sentence because it depends entirely on the nature of the data and the quantity of data that is being held. I would suggest that as long as you take precautions to protect the data (e.g. the data is kept in a secure location, such as a locked business) and, if the data is particularly sensitive (yours isn't!), you consider encrypting the hard drive, then you will have exceeded the requirements of the GDPR.

        Unlike some countries, the EU is NOT looking to trap those accessing data in order to sue them for huge sums of money. If a compromise of personal data takes place then it will be viewed on each individual case's merits. In minor cases - and the data that you hold is minor! - then you would likely receive nothing more than a written warning and advice on how to improve the protection of the data in future. If, however, you were found to have been negligent and/or had taken no precautions whatsoever then a small fine might be imposed. If you are running a business well then I believe that you already take reasonable precautions and that it is extremely unlikely that you would commit an offence. However, the EU policy is to first educate before punishment unless, as I stated earlier, negligence is clearly present.

        Fines might have a huge maximum but that is not the minimum level. Normally fines, if levied at all, will be much smaller. Fines will increase for repeated and persistent offenders. However, the larger maximum sum is necessary because a fine of $1000 to MyFaceTwit will not make such a company take remedial action. We have all had 2 years since the warning was given that the legislation was coming into force, and here in Europe many companies have been 'complying' for some time. It is not a difficult task; in fact most do not notice it in their day-to-day workings. Why US companies are only now looking at this is viewed here as amazing ignorance of anything outside of the USA.

        I stress that I am not your lawyer. Ask your company lawyer for his advice. Alternatively, simply cease trading with Europe - there are plenty of European companies that are not at all intimidated by the GDPR and they will gladly take your customers on. The purpose of the legislation is to protect an individual's data, not to penalise companies conducting their day-to-day operations.