
We’ve got a great privacy policy, and don’t abuse our customers’ data in any way. However, compliance would be very expensive for us, largely due to some of our early architecture decisions. The liability is also insane, and we don’t want anything to do with it. When we looked at how little our EU customers were worth to us, it was a very easy decision to simply abandon them.


so you say. if you don’t have strong processes to make sure that is true, it isn’t true. gdpr is mostly about ensuring you have such processes. if you can’t do things such as tell the user what data you have, and delete it, you do not have a great policy.

methinks you need some advice from better counsel. i bet that you are closer to compliant than you think.


Do you actually think the only way to respect users’ privacy is to comply with GDPR? That is an absurd and narrow-minded opinion. Do you also actually believe that the entire regulation is reflected in your two-line comment?

Listen, you’ve said higher up the thread that you plan to spread FUD about all companies that don’t comply with GDPR as a marketing strategy for your own product. I don’t see how anybody here could possibly take you seriously. GDPR is going to have a lot of unintended consequences, and people aren’t going to be happy with all of them. One of them is that small-to-medium-sized companies will reconsider doing business in the EU; another is that the scope of the legislation is especially anti-competitive for small EU-based businesses. There’s been a lot of FUD going around HN recently that the only reasons a company would plan to pull out of the EU are hysteria and malevolence. That’s not true, and for many companies this is just a simple business decision.


> That’s not true, and for many companies this is just a simple business decision.

But likely based on incorrect advice.

You haven't said why you think your company isn't compliant with GDPR, and it's possible your company is compliant with GDPR, or would require only minor tweaks to privacy policies to make it compliant.


If you ask US-trained lawyers (especially those with exposure to the tech or financial sectors) to perform an impact assessment of a European regulation, don't be surprised to receive a full-on Chicken Little response.

The reality is that the law is not a programming language and compliance is about alignment with principles, not blindly following a set of rules.


Huh? The entire thing is a set of rules that must be blindly followed.


Not exactly in the EU; see the principles vs. rules debate above.


Sounds like he analyzed it very closely, so probably not based on incorrect advice.

And I’m guessing he can’t share too much about why, since he has said it’s based on architectural decisions, which might reveal business secrets.

The biggest reason I don’t like complying with GDPR is the IP address situation: I’m going to continue to track them, and I’m not going to delete them because somebody requested.


Why is storing client IP addresses long term a useful thing for your business to do?


> I’m not going to delete them because somebody requested.

Why do you think you need to delete them when requested to do so? Can you point me to the bit of the regulation that makes you think that's a requirement?

Here's the Right to Erasure: https://gdpr-info.eu/art-17-gdpr/

Which bit do you think applies?


When I read it, I see that "The data subject shall have the right to ... erasure of personal data ... where one of the following grounds applies: ... the data subject withdraws consent...."

I imagine that HTTP logs associating URLs and IPs are personal data because they associate users with activity, so they would have to be removed.

It's pretty hard to destroy individual log lines (they're often aggregated in zipped files, for instance), and logs show up in lots of places: your load balancer may log, your web server may log, your application may log, those logs may be backed up to tape, you might have debug logs captured for analysis from any of these systems, and those debug logs might be present on developer machines, not on servers or long-term storage.

That basically means that if any user asks to have their data erased, you have to figure out whether they owned that IP address at that time (so they can't ask for others' information to be removed), then delete all those logs, potentially rewriting your whole tape archive(!), potentially having developers destroy the debugging info they were using to track down a memory leak or whatever (on laptops, or in the ticketing system, or in heap dumps, or wherever it might be).

It's pretty easy to say "don't keep logs of IP addresses", but that's one of the major ways people detect malicious traffic, e.g. spam, denial-of-service attacks, and break-in attempts. It's hard to live without that.

Am I reading something wrong? Is there something I missed in that section that makes it easier?

Is "so we can look for malicious traffic" enough of a legal ground for processing to keep personal information around indefinitely even if the user asked for it to be removed? I can't imagine that's so, as that would be a pretty big loophole.


> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

There are several justifications for processing user data. One of them is consent. But there are others. One is "legitimate need". You're not using user consent to process this log data; you're using a legitimate need justification.

https://gdpr-info.eu/art-6-gdpr/

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interest doesn't let you gather everything and keep it forever, but standard practice log rotation seems like it's compliant.


The proper way to deal with this is to rotate out the logs after a finite amount of time (you are doing that anyway, right?) and then to delete the logs after yet another period of time, once they have outlived their useful life. That's good practice anyway so I really don't see the problem.

Looking for malicious traffic is not a loophole that allows you to keep data indefinitely - even if nobody asks you to remove it - you don't need to keep it indefinitely.
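The rotate-then-delete practice described in this comment, written out as a small retention enforcer. This is an added example, not code from any commenter or product in the thread, and it goes slightly beyond the comment: between the raw window and deletion it keeps a middle tier in which the client IP is replaced by a keyed-hash token, so per-client abuse counting still works while the raw address is gone. The retention windows, the key, the log lines and the combined-log-format regex are all assumptions constructed for the example.

```python
"""Two-stage access-log retention: raw lines for a short window, then IP
pseudonymised with a keyed hash, then deleted. Added example for this
thread; windows, key and sample lines are constructed, not from any site."""
import hashlib
import hmac
import re
from datetime import date, datetime

# Assumed retention windows (days); pick your own and document the reason.
RAW_DAYS = 14            # raw IPs kept for abuse and intrusion investigation
PSEUDONYMOUS_DAYS = 90   # keyed tokens kept for traffic trend analysis
# Assumed per-deployment secret; rotating it makes old tokens unlinkable.
PSEUDONYM_KEY = b"example-key-replace-in-real-deployments"

# Combined Log Format prefix as written by nginx/apache:
# "<ip> - <user> [<dd/Mon/yyyy:HH:MM:SS +zzzz>] ..."
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>- \S+ \[(?P<ts>[^\]]+)\].*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TOKEN_PREFIX = "ip-"

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/May/2018:10:00:00 +0000] "GET /login HTTP/1.1" 401 0',
    '203.0.113.7 - - [01/Jan/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
]
TODAY = date(2018, 6, 10)   # fixed "today" so the example is reproducible


def pseudonymise_ip(ip: str) -> str:
    """Stable keyed token: same client -> same token; not reversible without
    the key. Already-tokenised values pass through so the step is idempotent."""
    if ip.startswith(TOKEN_PREFIX):
        return ip
    digest = hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()
    return TOKEN_PREFIX + digest[:16]


def classify(line: str, today: date) -> str:
    """Decide 'raw', 'pseudonymise' or 'delete' for one line by its age."""
    m = LINE_RE.match(line)
    if not m:
        return "delete"   # unparseable: no basis for keeping it
    logged = datetime.strptime(m.group("ts"), TS_FMT).date()
    age = (today - logged).days
    if age <= RAW_DAYS:
        return "raw"
    if age <= PSEUDONYMOUS_DAYS:
        return "pseudonymise"
    return "delete"


def apply_retention(lines, today: date):
    """Return the lines that survive the policy, rewritten where required."""
    kept = []
    for line in lines:
        action = classify(line, today)
        if action == "delete":
            continue
        if action == "pseudonymise":
            m = LINE_RE.match(line)
            line = pseudonymise_ip(m.group("ip")) + " " + m.group("rest")
        kept.append(line)
    return kept


def erase_subject(lines, ip: str):
    """Erasure request for one address: drops raw lines for that IP and,
    because the key is still held, lines carrying its token as well."""
    token = pseudonymise_ip(ip)
    return [ln for ln in lines
            if not ((m := LINE_RE.match(ln)) and m.group("ip") in (ip, token))]


if __name__ == "__main__":
    for ln in apply_retention(SAMPLE_LOG, TODAY):
        print(ln)
```

Run as a daily job over the previous day's rotated files, this makes "how long do we hold IPs and why" an explicit, checkable policy rather than whatever the default logrotate config happens to leave on disk, and the erase_subject path shows what an individual request costs once the data is already tiered this way.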


>compliance would be very expensive for us

Care to expand on this? What would you need to do that you weren't doing already?


I'm not the person you're asking this from, but any regulation tends to require extra work to be done. Just the fact that you need to know that you're compliant requires work. Then you have requirements such as being able to prove that users gave you this consent, being able to prove that you did delete all the user data in all the possible places (including backups, VMs, crash dumps on developer machines, etc.) when requested, etc.

You also have to take into account the risk of the fines. The fines are enormous and there are no guarantees that the regulators will not slap you with the highest fines "to make an example of you" or because you just rubbed them the wrong way. Even if you try your hardest to comply and think you have all the bases covered, it could very well be that you are not compliant because something was overlooked or there's a bug somewhere or something else entirely. You can never be certain about this.

Now you add up all of these costs and compare it to how much the EU market offers you. If the costs to comply exceed the income, and there are no near-future opportunities for large growth, then it would make a lot of sense to just pull out of the market.


If you are already compliant with your great privacy policy, what are some specific things that you find too expensive to be worth it? All I read from GDPR detractors are vague, hand-wavy claims of “compliance stuff” being expensive. I’m obv not a professional compliance expert, so ELI5.

