GDPRmageddon: They think it's all over! Protip, it has only just begun

The big day has finally arrived, Europe's General Data Protection Regulation is now in force – but as the calendar flicked over last night, those breathing a sigh of relief will be sorely disappointed. For a start, it is a naive company that has treated 25 May as a deadline, thinking it won't have to worry about data …


  1. Anonymous Coward

    I received my first GDPR-era cold-call sales call today, the first day of GDPR! It was from an online backup company.

    Boy are they in for a surprise. I am going to exercise every single one of my rights under GDPR.

    Plus, added bonus ... they rang a number listed on TPS!

    Having spent the last few years getting various company systems and procedures ready for GDPR, I'm certainly not going to "let it go" when some slimy greasy scum calls me up. Especially when they are ignorant of not one, but two pieces of legislation, the first of which was introduced in 1999!!!

    1. Anonymous Coward

      And I received a call from John who works at Microsoft. He had a very strong accent but eventually I realized he was informing me that I had a virus on my computer. Well there goes a sizable percentage of their global revenue.

      1. matjaggard

        Good luck with that, got to find them first.

        1. Anonymous Coward

          > Good luck with that, got to find them first.

          Not difficult.

          In my case, 99.99999% of time, it is some company I've never heard of.

          But the person on the phone normally has the courtesy of giving their name and company name on the phone to introduce themselves, and normally I am in front of my computer and hence $insert_name_of_favourite_search_engine takes about three seconds of typing.

          If their details don't come up on the search, then before slamming down the phone on them, I make sure they give me their website address which I validate.

          Once I have a validated company name and/or website, I slam the phone down on them (sometimes accompanied by a few "wise words of advice") and the rest, as they say, is history.....

  2. Daedalus

    If you're not with us...

    Can we assume that this is going to be one of those situations where being exempt from the rules means you have to prove you're exempt? In other words, even if you run even the most harmless and non-data-gathering business, you still have to jump through hoops to prove your right not to be hauled up before the beak?

    1. Richard 12 Silver badge

      Re: If you're not with us...

      Nobody is exempt from the rules. Nobody at all.

      Every business and every organisation holds private data that is covered by GDPR.

      That's because every business has customers and every organisation has members.

      You need a data controller and you need to justify holding the personal data that you hold.

      That's trivial to do if you're sensible - you need employee names and bank details so you can pay them, and you need supplier contact details so you can contact them about the stuff you buy.

      But your marketing dept really needs to look at what they do and store, and if you have a "Big Data" dept... Close it down, quick.

  3. Anonymous Coward

    CGTrader.com

    "Due to new regulations coming into force in the EU on May 25, we will no longer be able to contact you without explicit consent. We'd hate to lose touch with you, which is why we ask you opt-in to our email campaigns ... based on your activity ... special promotions and deals from our partners."

    The last part is what this is really about... They'd hate to lose the referral revenue! Of course the 'Unsubscribe-URL' is broken. Takes you to a link that fails and just redirects back to the main webpage. In a word: Feeble! They probably left everything 'ticked-on'! -GDPR-? Nah, slurp'em to death!

    1. Alan Brown Silver badge

      Re: CGTrader.com

      "Of course the 'Unsubscribe-URL' is broken."

      They've admitted they don't have your explicit consent, therefore the only thing they can offer is a "subscribe me" function, and if that's broken they've just shot themselves in the foot if they send you anything more.

      A broken unsubscribe is serious in its own way (can't remove previously given consent)

      Make sure you _keep_ all those GDPR missives as they're effective admissions that the outfits in question have been ignoring marketing laws and ASA rules for the last however long. The laws just got teeth and such emails are "evidence" in a court case.

  4. Anonymous Coward

    GDPR Territorial Scope: Location, Location, Location

    Personally I like the fact that websites are in region lockdown and are breaking. It signals the new laws are having an immediate impact. The worst outcome would have been that firms failed to act and just tried to keep stalling fines (like Facebook / Google appeals that last years etc).

    It also shines a spotlight on the source of data that might get a few internet 'dumb fucks' to wake up and look at where the source of their favorite shiny is coming from. Pinterest being a high profile example!

    Lastly, it might foster more support for EU based services and sites. But the problem is, no one fully knows what designates EU Citizen / Location. This all has to be legally tested... Fingers-crossed there are no 'Swiss holes' in the implementation. Some interesting fringe cases covered here:

    ------------------

    https://www.securitynow.com/author.asp?section_id=613&doc_id=740638

  5. Anonymous Coward

    I think I understand why some US news sites blocked the EU

    There seems to be so much confusion about what is required, that waiting a while and seeing what gets a pass by the courts and what gets a company in hot water is probably the safest strategy for now.

    I doubt the Chicago Tribune, for example, has a lot of readership in the EU, and expats who really want to see it will just use a VPN to get around it and therefore absolve the Tribune of their GDPR burden. I mean, if they don't know you are in the EU, and take active measures to block use in the EU, they can hardly be held to account for violating the GDPR!

    1. Destroy All Monsters Silver badge

      Re: I think I understand why some US news sites blocked the EU

      It just means they are selling readership clicktracks to .... whomever.

    2. Alan Brown Silver badge

      Re: I think I understand why some US news sites blocked the EU

      "I mean, if they don't know you are in the EU, and take active measures to block use in the EU, they can hardly be held to account for violating the GDPR!"

      Actually it means that they're blocking EU data subjects' attempts to find out how much information is being held about them - which is a criminal matter. The only safe way to proceed would be to purge the marketing databases and start over.

  6. Anonymous Coward

    My first post-GDPR spam!

    It's 19:39 UK time, and I've just received my first post-GDPR spam, from Blizzard asking me to install and play Overwatch because it's free this weekend. I haven't consented to them sending me marketing emails about free gaming weekends, so they must have opted me in.

    The first email I'm forwarding to the ICO!

    1. This post has been deleted by its author

  7. Anonymous Coward

    And it's down!

    It looks like the ICO has fallen over on the first day of GDPR! I guess there's a lot of naughty people ignoring the rules out there!

    "We are currently experiencing an unprecedented number of visitors to our website and calls to our helpline. Because of this, the reporting tool is currently unavailable. We apologies for any inconvenience. Please check back later today."

    https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/

    1. Anonymous Coward

      Re: And it's down!

      > It looks like the ICO has fallen over on the first day of GDPR!

      First day, and by the looks of their Twitter feed, first hour ... their first post about "unprecedented volumes" was made 10 hours ago.

      Looks like they're going to be busy.

      But hey, like the rest of us, they've had two years to prepare!

      1. Alan Brown Silver badge

        Re: And it's down!

        " like the rest of us, they've had two years to prepare"

        Yup - according to several ex-staffers I've spoken to that meant slashing salaries and cutting staffing numbers.

        The ICO has always been the UK's smoke-and-mirrors version of compliance with EU requirements. Underfunding it and restricting its powers were deliberate acts to prevent it actually being useful.

        One of the more ironic results of Brexit is that the government will be _forced_ to properly fund and support the ICO in order to maintain trading relations with the EU.

    2. The Nazz

      Re: And it's down!

      Wise up guys, of course it's down. Did you expect anything different?

      You've had two years to realise that it's the last Friday before a Bank Holiday weekend.

    3. Cederic Silver badge

      Re: And it's down!

      For the record (and because I can't sleep for some ungodly reason) it's still giving that error at 5.31am.

  8. Anonymous Coward

    Yahoo! Did! it! All! Wrong!

    Let me count the ways:

    - If you don't accept GDPR T&Cs which are already legally rightfully yours within a certain time they close the account.

    - Huge list of opt-out ad tracking buried behind three clicks.

    - Opt-out email offers.

    - Ah, that's why you need to accept the T&Cs...

    - Click through OK button is large, button to manage the slurp is small.

    - Their privacy dashboard is an avalanche of unreadable crap with links which go round in circles.

    - I haven't actually managed to find the opt-out page which appeared on first login within the depths of the dashboard.

    Who the hell are they paying to advise them?

    1. Anonymous Coward

      Re: Yahoo! Did! it! All! Wrong!

      >Let me count the ways:

      I'll add one more.

      The surprising number of websites operated by companies that should know better who still operate under the default opt-in ("tick this to opt-out") box basis on their web forms.

      1. Tomato42

        Re: Yahoo! Did! it! All! Wrong!

        not to mention using 3rd party mailers to send all those queries

        no effing wonder ICO website is down; of the 20 emails I received in just last two days begging me to agree to receive "offers from our partners", probably 3 or 4 were actually what I'd call GDPR compliant

      2. Alan Brown Silver badge

        Re: Yahoo! Did! it! All! Wrong!

        "... who still operate under the default opt-in box basis on their web forms."

        I brought this very subject up with the ICO a few weeks ago.

        The response was that they regard this behaviour as perfectly fine - it gives you an opportunity to opt out before you click through.

        I await the first legal challenge to that determination.

    2. tfewster
      Facepalm

      Re: Yahoo! Did! it! All! Wrong!

      It's particularly annoying as I effectively pay for that service anyway, through my Sky broadband subscription (Yes, I have plenty of other addresses, so wouldn't miss it anyway).

      The appropriateness of the name of their parent company, "Oath", continues to amuse me.

    3. katrinab Silver badge

      Re: Yahoo! Did! it! All! Wrong!

      I found it, and got RSI from opting out individually from all the data-sharing things.

      Which is definitely not allowed, because I am supposed to explicitly opt in.

      1. John Brown (no body) Silver badge

        Re: Yahoo! Did! it! All! Wrong!

        "I found it, and got RSI from opting out individually from all the data-sharing things."

        Not having signed into my Yahoo account in some months I thought on seeing the comments here I'd better go have a look. All the ad stuff was off by default with both per site opt-in toggles and global opt-in toggle.

        I wonder why I'm seeing something different to you?

        1. Cpt Blue Bear

          Re: Yahoo! Did! it! All! Wrong!

          "Not having signed into my Yahoo account in some months I thought on seeing the comments here I'd better go have a look. All the ad stuff was off by default with both per site opt-in toggles and global opt-in toggle.

          I wonder why I'm seeing something different to you?"

          Call me cynical but maybe management backtracked on the threat to close accounts when they saw how many hadn't responded at all.

          The success of services like this is judged by the number of accounts (as a proxy for the number of users). Would you want to be the Yahoo exec responsible for tanking what remains of the share price by owning up that half your "users" aren't really? It's (probably) just as easy to bulk reset privacy options as to batch delete accounts...

  9. Anonymous Coward
    IT Angle

    ACs ACs everywhere, yet ne'er a comment to worthily remark upon

    Is RegAuth down? Every comment here so far is AC. (OK test done and "no"). So wtf is going on? Am I really going to have to ditch my Private Eye sub?

    On balance I think that a set of regs with aims like this might be useful:

    This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

    http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

  10. Rustbucket

    Microsoft Windows 10 and GDPR

    How does Microsoft with their outrageous and largely secret spying facilities built into Windows 10 fare in the time of the GDPR?

  11. streaky

    Brexit.

    The EU hasn't stopped data flows to the US with FISA, secret executive orders and congress in the US not recognising the right of privacy (or any constitutional measures for that matter) for non-US citizens outside the US. Germany also has similar legal fabrications in their legal system, which FWIW the UK does not have - a UK court treats a Philippine person in the Philippines the same legally as a British person in the UK.

    If the EU has a problem with UK data protection they can fuck right off even more than they already can honestly. At least what we do is basically out on the table. The same can't be said for the French or German security services.

    1. SImon Hobson Bronze badge

      Re: Brexit.

      If the EU has a problem with UK data protection they can fuck right off ...

      Ahh, but there's a difference between Privacy FigleafShield and any future EU-UK arrangement. With the EU, they desperately need to not kill transatlantic data traffic - and regardless of what anyone might say, to kill off transatlantic data traffic would have caused massive hurt all round.

      With the UK, the high up people will be keen to "make it painful" for us (some have publicly said they would, to discourage any other countries from trying to leave) - so I suspect we can look forward to being forced to jump through lots of hoops and play much much better than everyone else.

  12. m0rt

    "At least what we do is basically out on the table. The same can't be said for the French or German security services."

    Sooo...what you are saying is the French and German security services are better at keeping secrets?

    Saying publicly: 'We are going to do this questionable moral activity in the name of (insert catchy soundbite here)', doesn't make it any less questionable.

    Human nature at work. It won't improve. The game will stay the same but the goals will shift.

    It has ever been so, it will ever be so. Start with your own personal moral compass and work from there.

    1. streaky
      Mushroom

      No but I might be saying that other countries are hypocritical when it comes to this stuff, especially certain EU states I already named. Actually not might be, they just are.

  13. Mr Han

    DVLA

    Does GDPR now mean the DVLA are no longer permitted to sell my data to the highest bidder?

    1. Doctor_Wibble
      Devil

      Re: DVLA

      It would be nice to think so but I can't help thinking DVLA et. al. are either exempt or will be granted exemptions because they are the warmly embracing arms of the glorious state who have only ever had our best interests at heart.

  14. a_yank_lurker

    Hype vs Reality

    Many companies already operate under stringent personal information requirements such as HIPAA (US law protecting patient data and privacy) and the like. Basically, they have written procedures in place as to who, what, where, and why for accessing this information. And these procedures have been in place for many, many years. All GDPR really does is extend this to basically all companies operating in the EU to have similar procedures in place or potentially face some very significant fines.

    I suspect much of the hype is coming from marketing PHBs who are now finding themselves actually having to worry about protecting privileged information for the first time and not abusing it. Since many of these weasels (insulting weasels) have no ethics at all this is a real shock to them that someone actually cares. As someone who works in an industry with these requirements in place, welcome to the real world. An aside, when I was being interviewed I was basically asked if I had enough sense to keep my mouth shut when I needed to see live personal information.

  15. flibble

    HSBC not wanting to comply with GDPR

    I've already made my first GDPR data portability request, to HSBC - requesting nothing more than all the readily available transaction data from my current account. The GDPR requires them to supply this in a 'structured, commonly used and machine readable format' - I suggested csv.

    They've replied saying I have to either send the request via snail mail to their DPO or make the request whilst physically in a branch - whilst the ICO is quite clear you can make your request in any fashion (including via social media!), and other than verifying your identity a company must accept requests made in pretty much any fashion. (I made my request via secure messaging after logging into HSBC's online banking portal including 2FA, so my identity is in no way in doubt.)

    I've replied pointing out that their attempt to delay my request is contrary to the law, and eagerly await their next delaying tactic.

    All I want is my transactions in a way I can put them into Excel so I can search/filter them, as that makes it simpler to complete my tax return. If the banks hadn't insisted on almost completely crippling midata then I'd have been able to get this data without a battle. There are so many different ways that banks could have easily made customers' data accessible that they just have themselves to blame if they receive many GDPR related fines over the coming months.

    1. Adam 52 Silver badge

      Re: HSBC not wanting to comply with GDPR

      "eagerly await their next delaying tactic"

      The clock is still ticking from when you made the first valid request, delaying tactics shouldn't work.

      Lloyds are trying the same thing. In fact the banks seem to be taking a remarkably coordinated approach.

    2. Cederic Silver badge

      Re: HSBC not wanting to comply with GDPR

      Barclays online banking already offers a 'download CSV' feature.

      Although to be fair, it only offers the past few weeks of transactions. If I want everything from the day I opened my account with them they'd probably have to retrieve paper archives.

      Although, now that I've had that idea..

  16. Giovani Tapini

    So what is the deal with behaviour tracking

    Lots of business models do indeed rely on this.

    Can I, even if I wanted to, consent to this within the rules?

    Seems to me that this could get very complicated.

    Note, I am absolutely not an expert on GDPR!

    1. a_yank_lurker

      Re: So what is the deal with behaviour tracking

      @Giovani Tapini - I am no expert either but I understand the main emphasis is explaining what, where, why, and who for one's data collection in the appropriate local language not shyster, with several stipulations. One is the user opts in, two the user has access to all the information you have about them on demand, three the user can opt out at any time, four the user can demand all the information you have about them is deleted, five data breaches must be reported within 72 hours. The implication of GDPR is to make companies more careful about what they collect and how they handle it. One cardinal rule of information security is: 'you can not blab what you do not know'. But this one too many ignore by hoovering up much more than they need.

    2. Anonymous Coward

      Re: So what is the deal with behaviour tracking

      >Can I, even if I wanted to, consent to this within the rules?

      The point is it's all about explicit and granular consent.

      Explicit in that they need to spell it out succinctly, not hidden in waffle.

      Granular in that they need to provide you with break-out of options, they can't bundle a whole bunch of consents into one or two options.

      So, in your scenario, if a website had a box saying "I consent to behaviour tracking" and you tick it. Then that's absolutely fine. They spelt it out, they gave you a granular option and you took the action of ticking the box, hence giving your explicit consent. There must also be a mechanism for you to opt-out at any time.

      What they could not, for example, do is have something like "I consent you to passing my details to the card company for payment, to the delivery company for delivery and to behaviour tracking" . That would not be acceptable.

      1. Alan Brown Silver badge

        Re: So what is the deal with behaviour tracking

        > What they could not, for example, do is have something like "I consent you to passing my details to the card company for payment, to the delivery company for delivery and to behaviour tracking" . That would not be acceptable.

        And yet this is exactly what many of them are doing.

        I foresee much gnashing of teeth in the next few months.

  17. Florida1920
    Black Helicopters

    Confused

    I own a phpBB-based discussion group. Hosting, registration and the owner himself are in the U.S. But I have users in Europe. I could sift through the member list looking for EU IPs and request they opt-in, but I lack motivation. I mostly use PMs to contact users, and most of the time, users initiate contact with me, to complain about something over which I have no control. So I posted a Privacy Notice and let it go at that. I mean, really, what are my risks? Will the EU send a hit team after me? Now, extradition to Paris I could handle. There are a lot of non-commercial phpBB boards over here. I'd be interested in knowing what others are doing to comply, or if they even care.

    1. Anonymous Coward

      Re: Confused

      > I lack motivation

      Wishing to keep this conversation polite and civil, I will just put this out there:

      You have had two years to find the motivation to implement GDPR measures in your systems.

      The clue is in the name: "The General Data Protection Regulation (GDPR) (EU) 2016/679"

      1. Florida1920

        Re: Confused

        Wishing to keep this conversation polite and civil, I will just put this out there:

        You have had two years to find the motivation to implement GDPR measures in your systems.

        I appreciate your courtesy. People in Europe justifiably get angry when they think the U.S. is sticking its nose into their affairs. As a money-losing, U.S.-centric site that extends the courtesy of association to people all over the world, I fail to see why I must exert myself to track down EU users to comply with the EU's declaration. I don't get to vote in Europe.

        The site costs me something like $100 a year plus time spent installing updates, approving new members and fixing broken links in posts, and I get nothing from it but the pleasure of providing a place for like-minded hobbyists to hang out and compare notes. I never asked anyone from Europe to sign up anyway. Worst case, I click the little check-box that shuts down the board and go do something else with my time. Requiring non-commercial, non-EU-based sites to comply is BS.

        1. Anonymous Coward

          Re: Confused

          @Florida1920

          Doesn't feel nice the US getting a taste of its own medicine does it?

          At least the Europeans don't bully you into submission in relation to GDPR, unlike the yanks and FATCA and other BS they insist on imposing on the other side of the pond where the US are such bullies that European banks, for example, just prefer not to do business with anyone who has any sort of ties to the US.

          If your website delivers data to Europe, then you must comply with GDPR. It's not difficult and it's not expensive.

        2. Muad'Dib

          Re: Confused

          "I get nothing from it but the pleasure of providing a place for like-minded hobbyists to hang out and compare notes. I never asked anyone from Europe to sign up anyway."

          @Florida1920

          Subject to the usual IANAL disclaimer, I would say you are over-thinking this. Unless you have misappropriated email addresses to add users without their knowledge & consent (unlikely) then European members have already elected to "opt-in" to your BB by explicitly signing up to join. As such, there is no special requirement to re-request subscription or suchlike as you already have the user's consent to the existing relationship.

          Henceforth, provided you take all practical measures to:

          1. secure European users' personal data from unauthorised access or misappropriation (including on-selling details to third parties)

          2. provide a clear way for European users to request access to such information as you hold on them and,

          3. provide a clear way for European users to unsubscribe from your BB and be assured that all their personal data is expunged

          you will be complying with the spirit of the GDPR. In your case this could be simply catered for by a prominent sticky giving a way for users to contact you with their requests if you haven't already incorporated this.

          To be honest, anyone worth their salt handling personal information in such circumstances should be applying these principles no matter the user's location.

    2. a_yank_lurker

      Re: Confused

      My non-shyster understanding of the key points of GDPR is you should have a written document, readily accessible, describing what you collect, why you collect it, what you do with it, and who has access to the information. Also, users have explicit opt in, opt out, know what you have on them, data deletion rights, and data breach notification rights. Depending on what your site does and how it is done you may have very little to do in reality. This is particularly true for a site that collects minimal information from users. From what it sounds like your site may have a login requiring a username, contact email, and password to post on the BB as well as storing user posts.

      The primary target of the legislation is not small hobby sites but semi-criminal outfits like Failbook and Twatter who abuse the information they collect. Also, the notification rules requirement, which sounds scary, means that what Equisuck did when sitting on the breach for several weeks/months is now illegal. There is a lot of hype over the law without understanding why it was done and who the real targets are: Silly Valley idiots who abuse their users to squeeze out a few more pennies.

      From someone in an already privacy regulated industry, this is mostly an extension of what is already done in many industries even in the US. Other than the fines, I have not seen anything in it that is much different than what I already must obey. In some respects it is less demanding than what my industry already must do.

  18. Derichleau

    Small claims court

    I got fed up with the ICO's incompetence so I've been suing companies for the past eighteen months for targeting me with direct marketing. I'm going to continue under the GDPR.
