EU bods up GDPR ante: Threatens legislative laggards with ‘infringement procedure’

The European Commission has admitted readiness for incoming data protection rules is very varied across the bloc, with just two countries having adapted their national laws. With just four months to go before the General Data Protection Regulation comes into effect, the Commission has pushed out a mass of information, online …

  1. anonymous boring coward Silver badge

    At least, after Brexit, we won't have any more of this protection nonsense.

    1. Anonymous Coward

      No, we can look forward to being subjects again, capital punishment and the world leader in exporting sofas

      1. Stu Mac

        Rather hoping that Brexit will lubricate the return of capital punishment. A referendum should be forthcoming.

        Murderers, sex offenders, Traitors and (especially) 3 Time Losers.

        1. Dodgy Geezer Silver badge

          You forgot politicians....

          1. Stu Mac

            I said traitors....

    2. anothercynic Silver badge

      @anon boring coward

      That's where you're wrong. Any EU citizens within your purview? SURPRISE! You get to comply with GDPR or you'll enjoy a fine of €20 million (or a percentage of your turnover, whichever is greater).

      1. FidotheFrightful

        Re: @anon boring coward

        The €20 million fine only applies to entities that have an office [embassy?] in the EU. As after BREXIT it's the office [embassy?] that gets clobbered with the fine

      2. FidotheFrightful

        Re: @anon boring coward

        The €20 million fine only applies to entities that have an office [embassy?] in the EU, such as US companies. As after BREXIT it's the office [embassy?] that gets clobbered with the fine

    3. codejunky Silver badge

      @ anonymous boring coward

      If we are lucky, but that's unlikely for now. The good news being, as the EU adds more and more restrictions and enforces them on the member states, we will be a country which has an elected government instead of puppets. Anyone wanting to deal with the EU (@anothercynic) will need to follow EU rules, but the rest of us won't be bound by them. Kinda like how we trade with countries outside the EU but don't have to adopt their laws locally.

      1. Warm Braw

        Re: @ anonymous boring coward

        the rest of us wont be bound by them

        I don't think it's a leap forward to move from a position in which our trade with the EU is governed by EU rules and our trade with non-EU countries is governed by their rules to one in which our trade with the EU is governed by EU rules, our trade with non-EU countries is governed by their rules and we have different rules for doing business inside Britain.

        There is no such thing as "free" trade as will be underlined once more when the citizens of the countries whose leaders have agreed the revised TPP are finally allowed to know what trade rules they have been signed up to without their consent. I'm afraid that's how it works: there is no great shining upland of democratic accountability out there.

        1. codejunky Silver badge

          Re: @ anonymous boring coward

          @ Warm Braw

          "I don't think it's a leap forward to move from a position in which our trade with the EU is governed by EU rules and our trade with non-EU countries is governed by their rules to one in which our trade with the EU is governed by EU rules, our trade with non-EU countries is governed by their rules and we have different rules for doing business inside Britain."

          Really? So you think if we trade with China, the US or anywhere else in the world they should make laws to govern our country and how we do business even if it is only domestic? What do you suggest for the many conflicting restrictions/standards that each individual country has? How will we let them dictate to us how to do things?

          The dumb idea that the EU must dictate our local rules even for trade with nothing to do with them is a dumb idea. Just as we dont do it for any other country in the world.

          "There is no such thing as "free" trade as will be underlined once more when the citizens of the countries whose leaders have agreed the revised TPP are finally allowed to know what trade rules they have been signed up to without their consent. I'm afraid that's how it works: there is no great shining upland of democratic accountability out there."

          Signed up by who? A democratically elected government or a supranational gov? A supranational government with a bad track record of dealing with crisis. With a record of creating crisis. One that is openly hostile to a member who is choosing to leave. One that is so unpopular that it is giving votes to non-mainstream parties as they are often the only alternative to pro-EU. Hell, even the French president admitted the French would probably vote to leave the EU if they were allowed to choose. That sounds like we have already had more shining light of democracy than some other members.

          1. Warm Braw

            Re: @ anonymous boring coward

            So you think if we trade with China, the US or anywhere else in the world they should make laws to govern our country and how we do business even if it is only domestic?

            Have you even any idea what a trade treaty consists of? They are legally binding, take precedence over national laws and of course they govern "how we do business even if it is only domestic" because they prohibit us from doing things that would prevent trade partners from other countries being disadvantaged in the supply of goods and services to the domestic market. That includes things like standards for safety and animal welfare and financial support to domestic industry.

            And if you're really concerned about "supranational governments", I suggest you read up on Investor-state dispute settlement.

            All trade agreements result in a loss of sovereignty over domestic policy. Some are better/worse than others in that respect (depending on whether you believe in free trade or protectionism) but none offers "having your cake and eating it".

            1. codejunky Silver badge

              Re: @ anonymous boring coward

              @ Warm Braw

              "Have you even any idea what a trade treaty consists of?"

              Again, so you are saying the EU cannot be making trade deals because it would require the other country to dictate the laws of the trading countries? I look forward to seeing the EU dictate their free movement and ever closer union to Canada or Japan.

              "And if you're really concerned about "supranational governments", I suggest you read up on Investor-state dispute settlement."

              ISDS and supranational gov. Apples and oranges? You might want to explain your point. Supranational gov is about consolidating power, ISDS is about protecting people from governments. Something I believe the EU had issue with in their dealings with Japan who wanted ISDS but the EU wanted to be backward and host gov/private disputes in the accused country.

              "All trade agreements result in a loss of sovereignty over domestic policy. Some are better/worse than others in that respect (depending on whether you believe in free trade or protectionism) but none offers "having your cake and eating it"."

              Ok, that still doesn't explain the EU ruling us as a supranational gov in order to trade with them. Does Canada have the right to make their own deals or is the EU making theirs now? If Canada want to sell jam to the EU it must fit the EU specs, but if they want to sell jam domestically it isn't restricted to what the EU dictates is jam.

      2. Anonymous Coward

        Re: @ anonymous boring coward

        ... we will be a country which has an elected government instead of puppets.

        I am not sure that is such a good thing. The entire performance of the Tory party over Brexit does not inspire confidence and God only knows what happens under Corbyn.

        In my native country, Denmark, my "elected" government has taken it upon itself to reinterpret GDPR to: "We will slurp all of your data, store it forever, wherever we like, and use it for whatever purpose some random* minister deems appropriate - and we won't tell you about this, nor do we need any consent - except there will probably be a consequence for you if any of that data is wrong and then it is up to you to fix it".

        If those scumbags get nailed to the table by the EU over this and get a good caning on top, I will like the EU quite a lot more.

        *) Ministers do not have to be elected, they are appointed by the Prime Minister!

        1. codejunky Silver badge

          Re: @ anonymous boring coward

          @AC

          "I am not sure that is such a good thing. The entire performance of the Tory party over Brexit does not inspire confidence and God only know what happens under Corbyn."

          That is very true. Blair won successive victories by lying his arse off and selling out the country. Yet he did plenty in his attempt to become EU president. As bad as the political offerings can be in a country, these are the same slime who are in the EU politics and even worse- they elect each other, we don't get to elect anything! So think of the worst example of leader and ask yourself if you're happy for them to rule your country through a supranational gov you have no influence over. Be aware nothing is stopping them in the EU, while in your country they need to be elected by the electorate.

          "If those scumbags get nailed to the table by the EU over this and get a good caning on top, I will like the EU quite a lot more."

          If and only if. This is the EU remember, and look at how effective they have been over Spain. France can break the financial restrictions of the EU and it is accepted. Greece can be sacrificed just to save the rich Euro countries. The EU exists to improve trade, yet for petty politics the EU is screwing up a trade deal with the UK, whose exporting businesses already follow EU standards and rules. The scumbags are politicians (I know this shocks few people) but people seem to forget the EU is a political union aka more politicians further removed from the people.

    4. anonymous boring coward Silver badge

      So I said: "At least, after Brexit, we won't have any more of this protection nonsense."

      Hard to know if the many downvotes were because the sarcasm wasn't picked up on, or if people actually think the EU is too protective of people's rights and safety?

  2. Anonymous Coward

    This will be law before the UK leaves the EU and if UK companies and the UK government want to hold data on EU citizens and do business in the EU, we'll need to toe the line without having any say on where that line is.

    1. Anonymous Coward

      "hold data and do business in the EU" .... unless you are China, the US or ..... well anywhere not in the EU

      1. Anonymous Coward

        Not necessarily. If you have a presence within the EU (i.e. a regional office) and hold data on EU citizens, you must comply with the GDPR. Therefore it applies to most multinationals.

    2. streaky

      "the UK goverment want to hold data on EU citizens"

      This is utterly untrue. That being said if you're a business doing business in the EU you'd arguably need to follow the regs for that data.

      1. Cynical Pie

        No arguably about it: your processing is illegal if you don't comply with the law and are processing the data of EU citizens. Plus, the new DP Bill currently going through Parliament will implement the Regulation in full, so the same principles will apply to the processing of UK-only personal data.

    3. Dodgy Geezer Silver badge

      Actually, before this, we had 1/28th of a say in where the line should be. You will not be surprised to hear that we have been outvoted more and more often in recent years. Initially we used to be in full agreement with the EU - now we disagree around 30% of the time. See http://www.votewatch.eu/blog/special-report-would-brexit-matter-the-uks-voting-record-in-the-council-and-the-european-parliament/

      1. Paul 5

        I checked the link. It says, "[the UK] has supported more than 97% of the EU laws adopted in the last 12 years," and adds that "the UK seems to have diminished its influence in the European Parliament in recent years, as a result of self-distancing of some of its own party delegations from the EU’s mainstream political families, as well as due to the results of the latest EU elections in the UK."

        So there you go. We hardly ever (3%) get EU rules the government don't want (the working time directive would be one of those exceptions, and a good thing it was too). Even recently, we still "won" 86.7% of the time in the 2009-15 period. And the recent (but hardly catastrophic) loss of influence is down to UK actions and choices.

        Of course it will get worse in about 18 months.

  3. Neil Barnes Silver badge

    It looks as if

    it will also apply to things you wouldn't immediately expect it to - car owners clubs for one. Even for a small one with only a few members, there will be a lot of old data to sort out (names and addresses, etc).

    Not that I've been able yet to find an authoritative guide to 'you are a small club, here's what to do'...

    1. Giles C Silver badge

      Re: It looks as if

      I have just gone through with this as I run a car club.

      Basically we culled all the old data we held.

      Sent out renewal forms stating what we used data for and why will hold it.

      Defined a data retention period (membership + 3 months)

      You can see more at https://www.eatoc.org.uk/privacy.shtml

      There is also a guide for football clubs (same principles) except car clubs are less physically active at https://www.muckle-llp.com/enews/gdpr-mean-grassroots-clubs/

      We used that to sort out the details for us.
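The retention rule Giles describes above (hold a record for the membership period plus 3 months, then delete it) is the kind of policy that is easy to state and easy to forget to enforce. The following is an added example, not code from the club or from the page, showing one way to apply it mechanically: records past their deadline are dropped, and the audit line kept as evidence of the deletion carries only the numeric id and the deadline, never the name or e-mail that was just deleted. The field names, the 90-day approximation of "3 months" and the sample members are assumptions made for illustration.

```python
"""Added example: enforcing a membership data-retention period.

Not code from the club or the page; it models the policy stated above
(keep a record for membership plus 3 months, then delete it). The field
names, the 90-day approximation of "3 months" and the sample members are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# "membership + 3 months", approximated as 90 days (assumption).
RETENTION_AFTER_EXPIRY = timedelta(days=90)


@dataclass(frozen=True)
class Member:
    member_id: int
    name: str
    email: str
    membership_expires: date


def retention_deadline(member: Member) -> date:
    """Last day on which the record may still be held."""
    return member.membership_expires + RETENTION_AFTER_EXPIRY


def purge_expired(members: List[Member], today: date) -> Tuple[List[Member], List[str]]:
    """Split the list into records to keep and an audit trail of deletions.

    The audit line records only the numeric id and the deadline, not the
    name or e-mail, so the log does not re-accumulate the data just deleted.
    A record whose deadline is today is still kept; deletion happens the
    day after the deadline.
    """
    kept: List[Member] = []
    audit: List[str] = []
    for m in members:
        deadline = retention_deadline(m)
        if today > deadline:
            audit.append(
                f"deleted member_id={m.member_id} retention_deadline={deadline.isoformat()}"
            )
        else:
            kept.append(m)
    return kept, audit


# Constructed sample data, not a real membership list.
SAMPLE_MEMBERS = [
    Member(1, "A. Example", "a@example.org", date(2018, 4, 30)),   # deadline 2018-07-29: keep
    Member(2, "B. Example", "b@example.org", date(2017, 12, 31)),  # deadline 2018-03-31: delete
    Member(3, "C. Example", "c@example.org", date(2018, 2, 24)),   # deadline 2018-05-25: keep on that day
]


def run_sample(today_iso: str = "2018-05-25") -> Tuple[List[int], List[str]]:
    """Run the purge over the sample list as of the given ISO date."""
    kept, audit = purge_expired(SAMPLE_MEMBERS, date.fromisoformat(today_iso))
    return [m.member_id for m in kept], audit


if __name__ == "__main__":
    ids, lines = run_sample()
    print("kept:", ids)
    for line in lines:
        print(line)
```

Run it as a scheduled job against the real member store rather than an in-memory list; the important design points are that the deadline is computed from the membership record itself (so a renewal automatically extends it) and that the audit trail proves the deletion without becoming another copy of the personal data.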

      1. Neil Barnes Silver badge

        Re: It looks as if

        Thanks Giles - that's very useful. I too help to run a car club: FCCUK in my case.

        1. Giles C Silver badge

          Re: It looks as if

          Looks like your club is a bit bigger than mine; still, you never know, we may meet at an event one day.

          If you want to know more, email me through the website look under about the club, and then contacts for details.

          Giles

  4. Pete4000uk

    Does anyone really know

    what it covers, or will it be made up as the authorities see fit?

    1. Anonymous Coward

      Re: Does anyone really know

      > what it covers,

      Yes.

      https://www.eugdpr.org/.

      PS: we have been ready since last year. In fact, aside from adding the word "portability" here and there, it turns out that we were already compliant. Then again, we've always made a point of treating personal data sensibly.

      1. Doctor Syntax Silver badge

        Re: Does anyone really know

        "Then again, we've always made a point of treating personal data sensibly."

        Good for you. In the long run it pays to do things right.

    2. Doctor Syntax Silver badge

      Re: Does anyone really know

      Oh for crying out loud! GDPR is published. You can go and read it at the EU's site.

      It has to be implemented in each jurisdiction. The UK's version is going through Parliament and you can read about it at https://services.parliament.uk/bills/2017-19/dataprotection.html In its progress through Parliament it's called a Bill. When it receives Royal Assent it'll become the new Data Protection Act.

      You can read here what it currently looks like https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf and that will be the finished article give or take any amendments made in the Commons.

      All these surveys seem to be right. Lots of people just aren't paying attention.

  5. MatsSvensson

    Here in Sweden there is a complete blackout on information for those of us who are actually supposed to write the code for systems.

    Q: What should I do to make my code GDPR-compliant?

    A: Oh simple, just think about ordering the register, specify your tasks, and remember to assign plenty of time for the job, and bibetybop.

    .... yeah yeah, thanks for the fucking advice!

    1. UriGagarin

      This seems to be the general approach - lots of talk about abstract descriptions of processes without any "here's what needs to be done".

      Think most people/companies are waiting for the first ruling to work out what the fuck we are actually meant to do.

      1. Doctor Syntax Silver badge

        This seems to be the general approach - lots of talk about abstract descriptions of processes without any "here's what needs to be done".

        And why would it be different? People who are writing such descriptions don't work for you. They don't know your business. They don't know what data you hold. They don't even know if, to coin a phrase, you're holding it right. So how can they tell you how it specifically applies to you?

        You're going to have to work that out with your knowledge of your own situation. (I'm going all Bob with italics here but the emphasis really is needed.)

        The text was published long ago. The various legislatures are, presumably, at some stage of rolling out the local implementations; the UK Parliament certainly is. Sitting on your hands waiting for someone to come along and shout "Go!" isn't going to help you. You need to be up and running by now.

        1. Nick Ryan Silver badge

          Doctor Syntax: You're going to have to work that out with your knowledge of your own situation.

          No, no, no. You have it all wrong. The best way is to run around screaming that the sky is going to fall in, that you have to contact everybody you may have possibly ever contacted in the entire lifetime of your organisation and regularly check that you have explicit consent to do something or other but have yet to work out what it actually is that you do in order to check it or gain explicit consent for some reason. Then you need to throw lots of money at "training" companies who can kill you through death-by-powerpoint sessions and award certificates if you can remember utterly pointless bits of trivia about the GDPR (because we all try to do such things from memory) and didn't at some point slip into a coma during the training day. When this is complete you then waste more money employing external consultants for gap analysis reports which tell you nothing because they don't actually know how your organisation works. When you finally realise that this still does nothing you start throwing money at lawyers in the hope that a different external consultant will be able to get a more definitive answer despite still not actually knowing what your organisation does. This carries on getting more panicked and fever pitched the closer to the 25th May 2018 you get. The most exemplary practitioners of this then start giving advice to other organisations about how they may also run around and scream in the most appropriate, and expensive, and utterly pointless, manner.

          /sarcasm

    2. Adam 52 Silver badge

      Err, who else are you expecting to write your code other than you?

      1. Doctor Syntax Silver badge

        "Err, who else are you expecting to write your code other than you?"

        Quite. But coding, if any, only follows a decision as to what to do. I wonder if this is what Agile has brought us to. The specification (GDPR) exists. The first step is surely to start with that and then do some analysis of how it fits the situation. Then specify any changes and then get coding. It's Waterfall. And out there that seems to be so unfamiliar that people are gazing at it and seeing nothing.

    3. Anonymous Coward

      Not sure if this’ll help: Guide to the GDPR.

      From same site: “A Government Official Report covering the proposal of new national data protection legislation in Sweden was published on 12 May 2017 (SOU 2017:39). The new legislation, known as 'dataskyddslagen', will replace the existing data protection act and supplement the GDPR. According to the report, the aim of the new legislation will be to permit the processing of personal data to the same extent as is currently permitted under national law so as not to broaden or restrict current practices“

      If the actual Swedish rules haven’t been published yet, guess the best anyone can do is familiarise themselves with GDPR itself, and wait for the national implementation to come into force.

      1. Doctor Syntax Silver badge

        "the best anyone can do is familiarise themselves with GDPR itself, and wait for the national implementation to come into force."

        That's going to be too late. Look at the GDPR itself and start acting on it. The local legislation is going to have to be an implementation of what's already available give or take a bit of gold-plating so it's not as if there should be any surprises.

    4. Doctor Syntax Silver badge

      "Here in Sweden there is a complete blackout on information for us who actually is supposed to write the code for systems."

      How's that? Has the EU site been firewalled?

      "Q: What should I do to make my code GDPR-compliant?"

      Wrong question. The question should be "How does my business handle data compliantly and what might I need to code to help that?"

      A big hint as to how far off the mark you are: data held on paper in filing cabinets and in little black books is still governed if it contains personally identifiable information. Code won't help you with that.

      Your best starting point is to get a business analyst looking at how you hold and process data and compare that with what the GDPR says - someone already posted a link to help you find out.

    5. Destroy All Monsters Silver badge

      It's not about code, it's about process.

    6. Anonymous Coward

      Security by Design and default

      Q. What should I do to make my code GDPR compliant?

      A. Your code should be based on a Software Design, and that Software Design should have been created with "Security by Design and default" as per GDPR. Coding is a function of translating the Software Design into a computer language which, when executed, meets the software design.

      If you are providing Internet of Things code where devices connect to Internet servers, ensure that the connection is one direction so the IoT device polls the server only, no incoming Internet connection to IoT device is required. Secure the communication with unique certificates + unique identifiers using a minimum number of well defined ports (to simplify firewall administration) for control and data. Don't hardcode admin passwords, force password complexity.

      Good programming would require you to make sure arrays with N elements are not referenced with N+Y indices. If you are using third party libraries, do they provide insurance if it causes a breach in your application and results in Data Loss? Has the third party library been independently tested for programming vulnerabilities?
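One of the concrete points in the comment above, "Don't hardcode admin passwords, force password complexity", can be shown in code. What follows is an added example, not code from the page or from any product: the device takes its admin credential from the environment rather than a literal in source, rejects anything that fails a complexity policy or matches a well-known factory default, and, if nothing was supplied, generates a unique random secret for this device from the OS CSPRNG instead of falling back to a shared default. The environment variable name, the policy thresholds and the default-password blocklist are assumptions chosen for illustration.

```python
"""Added example: admin credentials that are never hardcoded and always
meet a complexity policy. Not code from the page or any product; the
environment variable name, the policy thresholds and the default-password
blocklist are assumptions chosen for illustration."""
import os
import re
import secrets
import string
from typing import List, Mapping, Optional

MIN_LENGTH = 12
ADMIN_PASSWORD_VAR = "DEVICE_ADMIN_PASSWORD"  # assumed variable name

# Constructed blocklist of factory-style defaults (assumption, not from any vendor).
KNOWN_DEFAULTS = frozenset({"admin", "password", "123456", "admin123", "letmein", "changeme"})

TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
NO_LOWER = "no lowercase letter"
NO_UPPER = "no uppercase letter"
NO_DIGIT = "no digit"
NO_SYMBOL = "no punctuation character"
KNOWN_DEFAULT = "well-known default password"


def password_policy_violations(pw: str) -> List[str]:
    """Return every rule the candidate breaks; an empty list means acceptable."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if not re.search(r"[a-z]", pw):
        problems.append(NO_LOWER)
    if not re.search(r"[A-Z]", pw):
        problems.append(NO_UPPER)
    if not re.search(r"[0-9]", pw):
        problems.append(NO_DIGIT)
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append(NO_SYMBOL)
    if pw.lower() in KNOWN_DEFAULTS:
        problems.append(KNOWN_DEFAULT)
    return problems


def generate_initial_admin_password(length: int = 20) -> str:
    """Per-device random secret from the OS CSPRNG, redrawn until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_policy_violations(candidate):
            return candidate


def load_admin_password(env: Optional[Mapping[str, str]] = None) -> str:
    """Take the credential from the environment, never from a literal in source.

    If the operator supplied nothing, generate a unique random password for
    this device rather than falling back to a default shared by every unit.
    A supplied value that fails the policy is refused outright.
    """
    env = os.environ if env is None else env
    pw = env.get(ADMIN_PASSWORD_VAR)
    if pw is None:
        return generate_initial_admin_password()
    problems = password_policy_violations(pw)
    if problems:
        raise ValueError(f"{ADMIN_PASSWORD_VAR} rejected: " + "; ".join(problems))
    return pw


if __name__ == "__main__":
    print("generated for this device:", load_admin_password(env={}))
    print("violations for 'admin':", password_policy_violations("admin"))
```

A generated first-boot password still has to reach the operator through a channel the device controls (a label printed per unit, a provisioning API over the device's own certificate), and it should be forced to change on first login; the example stops at the point where the code refuses to ship a shared default.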

  6. Anonymous Coward

    The IAPP reported that Nikolay told a conference in Brussels: "It’s not that homogenous in the EU yet. In some member states, the awareness for data protection is much more developed than in other member states."

    Commissioners are expected to go on a GDPR-awareness campaign trail around some of the newer states, including Croatia, Bulgaria and the Czech Republic.

    At least two of those three countries count amongst the most privacy conscious in the continent and in fact some aspects of the GDPR were inspired by national legislation of one of those countries.

    Also, both Bulgaria and the Czech Republic¹ (as well as Romania. Croatia sort of arrived late to the party as it didn't join the EU until 2013) got into pretty hot water back in the day due to their constitutional courts striking down the implementing laws of the EU's glorious data retention directive. Which was itself eventually invalidated by the courts.

    And now they want to go around teaching lessons?

    ¹ In the Czech case, it was the very same legislators who voted the implementing laws that, on the same day those were approved, challenged their own laws before the constitutional court. Successfully.

    1. Anonymous Coward

      "EU's glorious data retention directive. "

      To be fair it was Blair's glorious data retention directive that we, the UK, forced on to the EU. So much so that when it was ruled illegal we promptly introduced the same thing again as emergency legislation, when that was ruled illegal, we ignored that ruling, then pushed in yet more illegal legislation when the emergency legislation hit its expiry date.

  7. streaky

    2 Countries.

    "just two countries having adapted their national laws"

    The "R" in "GDPR" stands for "Regulation". Those 2 countries are ijuts because regulations don't require changing national law, they automatically apply and are supreme. If they wanted countries to change their own laws they should have made it a directive.

    FML people are dopey. This is absurd on so many levels I don't even know where to start.

    Nice to see people confusing directives and regulations - especially when it's the EU itself - it's always good for a laugh.

    1. Sir Runcible Spoon

      Re: 2 Countries.

      Yeah, because European politics and machinations are so transparent, after all.

      1. streaky

        Re: 2 Countries.

        because European politics and machinations are so transparent

        I'm regularly downvoted on 'reg for speaking truth about the EU but this is one of the few areas of clarity. Regulations automatically apply and don't need transposing into national law; states *can* if they choose to but they don't have to, it just supersedes any law in conflict.

  8. Naselus

    In the words of Sir Humphrey

    The Germans will love it, the French will ignore it, the Italians and Irish will be too chaotic to enforce it, and the British will resent it.

    1. streaky

      Re: In the words of Sir Humphrey

      Couple of fixes: the Germans will continue to pretend their courts are supreme to EU law they don't agree with (protip: they're not), the Irish can't afford to enforce it despite being the state where it matters most, the Italians are too busy drinking espresso to notice it and we (the British) are off. That said it's going into national law anyway - and we resent it because it's half-baked, like most things that come from the EU.

      1. streaky

        Re: In the words of Sir Humphrey

        Just in case nobody gets that quip about the Germans, I direct your attention here. The last time it came up the German courts backed down to avoid being ruled against; but still uphold their belief that the German courts have primacy when they don't. Basically the German courts don't understand that the rules apply to them too, which is why they [Germans] enjoy being in the EU so much when other states that are around their GDP/Capita don't.

  9. EnviableOne

    Get with the Program

    GDPR was finalised and published on 28th May 2016 and enforcement was suspended for two years.

    as of 28th May 2018 (one year and a bit before Brexit in March 2019) GDPR Comes into force and anyone holding Data on ANY EU CITIZEN must comply with the regulation.

    The main changes between the two from an IT point of view are not really about controls, because if you're doing the DPA stuff right, you probably do it all already.

    The issue with GDPR is you need the monitoring and reporting to prove it.

  10. ngpsaki4

    My question from this side of the Pond is this:

    I see the regulation, have read it, and understand that it makes certain mandates.

    I see that the mandates will be enforced by Data Protection Authorities.

    What I seem to lack, still, is the standards that will allow us to ensure we comply with the mandates. We can't seem to find "What 'right' looks like."

    Example: The U.S. Federal Information Security Modernization Act of 2014 makes numerous updated mandates in law, appoints the Secretary of Commerce to oversee implementation, and the Commerce Secretary directed the National Institute of Standards and Technology to develop the standards for implementation. This tells us how to comply with the law, and on what criteria we may be audited for that compliance.

    I cannot seem to find the standards documentation to ensure compliance with the GDPR, which seems to leave it at the potentially arbitrary hands of the DPA to determine compliance. Subjective vs. objective criteria (eye of the beholder) is a great way to ensure the EU starts to reap some significant windfall to the tune of potentially 4% gross revenue.

    1. Anonymous Coward

      You will not face a fine at all if you demonstrate you are taking data protection seriously, you will receive a warning informing you what is wrong and needs fixing, unless of course you were doing sod all to start with. The maximum fine will most likely never be applied, not even close to it, not even for Experian style cock ups.

  11. Anonymous Coward

    GDPR and Intel

    Given that GDPR mandates "Security by Design and default". Is it possible to build a cloud platform on servers with known CPU flaws, particularly where the vendors are not recommending the patches supposed to fix the issue should not be applied!

    For organisations using these cloud services now in the light of the cpu disclosures reported in The Register are now in the position that continued use opens up the organisations and decision makers to financial penalties. The organisation while patching their systems is a requirement who have completed a security review and shown that continued use meets the GDPR "Security by Design and default" requirement.

    If AMD patched Ryzen/Epyc CPUs are not vulnerable to any Spectre variant as has been reported, then continued use of flawed Intel CPUs that fail both Meltdown/Spectre, and therefore failure to meet GDPR's "Security by Design and default", is a problem for every European organisation or organisation that provides services to Europe.

    So unless you can show that continued use of Intel CPUs has no effect on security, which some appliance vendors can because their appliance only runs their own code and does not permit external software to execute on the CPU, then you have a problem.

  12. FidotheFrightful

    GDPR

    I'm afraid someone is sadly mistaken, look at the number of Irish living in the UK. Add into that Brits with Irish grandparents who can claim Irish/EU citizenship. The GDPR applies to all EU citizens wherever they may be living. Read the GDPR, also the forthcoming Data Protection Bill which incorporates quite a lot of the GDPR. See:

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/644634/2017-09-13_Factsheet01_Bill_overview.pdf

    for the HMG overview
