
GDPR

Started by An_dz, June 02, 2018, 02:57:03 AM


An_dz


(Topic split from: https://forum.simutrans.com/index.php/topic,687.msg173293.html#msg173293)

The GDPR applies only to organisations and companies, we are neither.

@An_dz, I just put a note to tell where this topic was split from. Feel free to remove this mod note.
~IgorEliezer

Isaac Eiland-Hall

Are we a Disorganization? :)


An_dz

Well, I like your company :D

Quote from: IgorEliezer on June 02, 2018, 05:01:51 AM
Perhaps a Nopany?
There are propanies and conpanies.

IgorEliezer

Quote from: An_dz on June 02, 2018, 05:46:25 AM
There are propanies and conpanies.
I preferred "nopany" because "company" comes from "com+panis" (Latin "with bread"). Since our forum is not a bakery: non panis. :)

Quote from: An_dz on June 02, 2018, 05:46:25 AM
Well, I like your company
hats off :hat:

Ters

Quote from: An_dz on June 02, 2018, 02:57:03 AM
The GDPR applies only to organisations and companies, we are neither.
That is an interesting loophole. Just transfer ownership of the user database to the CEO.

jamespetts

Quote from: An_dz on June 02, 2018, 02:57:03 AM
The GDPR applies only to organisations and companies, we are neither.

Actually, that is not quite right. It applies to everyone except

Quote
by a natural person in the course of a purely personal or household activity

as provided by Article 2(2)(c) of the Regulation. The German version of the same part of the Regulation reads,

Quote
durch natürliche Personen zur Ausübung ausschließlich persönlicher oder familiärer Tätigkeiten

which Google Translate translates as,

Quote
by natural persons to perform exclusively personal or family activities

(For reference, the translation into German of the English version by Google Translate is:

Quote
durch eine natürliche Person im Rahmen einer rein persönlichen oder haushaltsmäßigen Tätigkeit)

What counts as a "purely personal" activity is not anywhere defined, although Recital 18, which is not itself a part of the regulation, but which influences (to an uncertain extent in any given case) the interpretation of the Regulation provides (in English):

Quote
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

The German version provides as follows:

Quote
Diese Verordnung gilt nicht für die Verarbeitung von personenbezogenen Daten, die von einer natürlichen Person zur Ausübung ausschließlich persönlicher oder familiärer Tätigkeiten und somit ohne Bezug zu einer beruflichen oder wirtschaftlichen Tätigkeit vorgenommen wird. Als persönliche oder familiäre Tätigkeiten könnte auch das Führen eines Schriftverkehrs oder von Anschriftenverzeichnissen oder die Nutzung sozialer Netze und Online-Tätigkeiten im Rahmen solcher Tätigkeiten gelten. Diese Verordnung gilt jedoch für die Verantwortlichen oder Auftragsverarbeiter, die die Instrumente für die Verarbeitung personenbezogener Daten für solche persönlichen oder familiären Tätigkeiten bereitstellen.

It is not at all clear either from the definition or the recital whether an individual running a non-commercial, non-professional website for the pursuit of a personal hobby but which is accessible to the world at large falls within the definition of "personal or household". Arguably, it may well so fall: it is not commercial or professional, and the world at large may access data relating to "social networking and online activity undertaken within the context of such activities".

However, the Regulation is excessively vague and deeply authoritarian (and the two are intimately - and probably deliberately - connected with one another: the vagueness is likely to be intended to maximise the power of the authorities by undermining the rule of law), so it is highly uncertain whether anything other than the exact paradigm cases identified in Recital 18 will be considered exempt by the authorities at an unknown point in the future.
Download Simutrans-Extended.

Want to help with development? See here for things to do for coding, and here for information on how to make graphics/objects.

Follow Simutrans-Extended on Facebook.

Frank

Please split the topic.


Admin note: Done by An_dz.
~IgorEliezer

Leartin

Quote from: jamespetts on June 02, 2018, 10:33:01 AM
It is not at all clear either from the definition or the recital whether an individual running a non-commercial, non-professional website for the pursuit of a personal hobby but which is accessible to the world at large falls within the definition of "personal or household". Arguably, it may well so fall: it is not commercial or professional, and the world at large may access data relating to "social networking and online activity undertaken within the context of such activities".
The question to ask in case of private websites is not whether it's a personal hobby, nor whether it's accessible to the world. The question is who it is aimed at. Similar to how it applies to those living in non-EU members who aim their offers at EU citizens (eg. this forum, which not only claims to be international, but also provides subsections in Swedish and Czech, both only official languages in EU members - as opposed to Dutch and Italian, which are at least second languages somewhere else - and allows the user to pick EU members as their nationality), you'd need to ask if the private website is just for friends and family, or has offers aimed at strangers. Eg. if you make a website/forum for your gaming clan, the intended audience is people from that clan - friends you already know through other means - and not total strangers. On the other hand, if you make a fansite for the game as a whole, the intended audience would be everyone who plays the game, and unless the game itself has some kind of restriction to it (eg. it's your game you made for friends), that means the site needs to comply with the GDPR. While this still leaves room for corner cases and debate about who the intended audience is, it's a lot clearer than asking whether it is a "hobby" or "commercial/professional", since those pretty much don't matter at all for GDPR. (Eg. to consider whether this website falls under GDPR, you don't need to question whether Simutrans is a hobby to Isaac, nor if he hosts because he is a professional host. Both are irrelevant. Is it aimed at a group of friends and family or total strangers? Yes it is. Since it's not hosted in the EU, is it targeted at EU members? As said before, yes it is. Technically, even the international Simutrans Forum would require all the GDPR ***star***.)

In practice? Well, Germans seem to be especially endangered due to their "Abmahnung", a written warning they can receive if they don't comply, not from the government but from lawyers. If your country does not have such laws, you don't need to worry much (especially in Austria; here even if a company does not comply, they only get a warning). Anyone outside the EU would need to question whether they gave a thought to other countries' laws before, because the EU can't really do more than the Saudi government, and who ever thought of censoring their content according to Saudi law? (yeah, yeah, hyperbole...)

prissi

Yes and no. "Abmahnung" is "Wettbewerbsrecht", i.e. limited to practices which disturb other people's business or are connected with commercial activities. None of this is remotely true for Simutrans sites, they are all ad free and non-commercial (and the Steam forum is not our worry). If you are not competing with a company, you cannot be a target. Also the fines are connected with commercial activity ...

An_dz

Here's the privacy policy of Isaac's stuff:

Data Collected

We don't collect any data except the non-private data automatically sent by your browser (HTTP Headers) for statistics, performance and security reasons.

Data Collected by Forum

The only private data required is your email address, all other personally identifiable information that can be added is optional and it's only available if you deliberately want to share such information.

Cookies and Tracking

We don't track you. Most of our sites don't use cookies, some don't even use JavaScript, our forum uses cookies to keep you logged in.

Security

We maintain security steps to secure all data, but as hobbyists we can't ensure that unauthorised access, alteration, or destruction of data will ever occur. We may also not notice such breaches and if we ever end up noticing we may not be able to define what data has been tampered with. As such we highly recommend that you don't use a password you already use in other services, most especially don't use passwords from highly private services. It's recommended to use a password manager and generate a unique password for our forum.

Account Deletion

If you want to have your account deleted just create a new thread in our forums and we will eventually delete it. We can't promise any time-frame but that will probably take at maximum one week to be done. Your replies and threads won't be removed and instead will be shown as made by a Guest. If a post contains personal information that you wish to be removed, you can either edit it yourself before requesting account deletion or ask us in the account removal request thread.

Data Sharing

We don't share data with anyone; the providers of our server infrastructure may need to see our information if that's necessary for the performance or security of the system, though that's highly unlikely. As a company they must follow the GDPR.

prissi

Very reasonable and nicely worded ...

jamespetts

Quote from: Leartin on June 02, 2018, 01:05:02 PM
The question to ask in case of private websites is not whether it's a personal hobby, nor whether it's accessible to the world. The question is who it is aimed at. Similar to how it applies to those living in non-EU members who aim their offers at EU citizens (eg. this forum, which not only claims to be international, but also provides subsections in Swedish and Czech, both only official languages in EU members - as opposed to Dutch and Italian, which are at least second languages somewhere else - and allows the user to pick EU members as their nationality), you'd need to ask if the private website is just for friends and family, or has offers aimed at strangers. Eg. if you make a website/forum for your gaming clan, the intended audience is people from that clan - friends you already know through other means - and not total strangers. On the other hand, if you make a fansite for the game as a whole, the intended audience would be everyone who plays the game, and unless the game itself has some kind of restriction to it (eg. it's your game you made for friends), that means the site needs to comply with the GDPR. While this still leaves room for corner cases and debate about who the intended audience is, it's a lot clearer than asking whether it is a "hobby" or "commercial/professional", since those pretty much don't matter at all for GDPR. (Eg. to consider whether this website falls under GDPR, you don't need to question whether Simutrans is a hobby to Isaac, nor if he hosts because he is a professional host. Both are irrelevant. Is it aimed at a group of friends and family or total strangers? Yes it is. Since it's not hosted in the EU, is it targeted at EU members? As said before, yes it is. Technically, even the international Simutrans Forum would require all the GDPR ***star***.)

May I ask what in the text of the GDPR itself supports that specific construction of "purely personal or household activity" (i.e., that a purely personal or household activity is one that is exclusively aimed at the person's personal friends and family)? That would seem to suggest that a 1990s style "personal home page" with a guest book would not be exempt, which does not seem entirely consistent with the wording of article 2(2) nor recital 18.

Frank

The sticking point is the IP. This is, at least in Germany, personal data.

And since the IP is practically always transferred and stored, the GDPR also applies to everyone.

Ters

I don't think a 1990s style online guest book counts as personal or household as it is usable (read and write access) by the entire (online) world. However, an old fashioned physical guest book might, as long as the guests are limited to friends and family. GDPR is as far as I understand not limited to data stored and processed electromagnetically. The exemptions are likely aimed at the kind of casual personal information collection taking place in everyday life. Such as your collection of names, phone numbers and maybe birth dates, whether on a piece of paper pinned to the wall next to the rotary phone in the hall, or stored in your personal cloud for use on your smartphone. Or the log of SMS messages received from various people.

jamespetts

Quote from: Ters on June 03, 2018, 09:01:10 AM
I don't think a 1990s style online guest book counts as personal or household as it is usable (read and write access) by the entire (online) world. However, an old fashioned physical guest book might, as long as the guests are limited to friends and family. GDPR is as far as I understand not limited to data stored and processed electromagnetically. The exemptions are likely aimed at the kind of casual personal information collection taking place in everyday life. Such as your collection of names, phone numbers and maybe birth dates, whether on a piece of paper pinned to the wall next to the rotary phone in the hall, or stored in your personal cloud for use on your smartphone. Or the log of SMS messages received from various people.

But what in the text supports this specific interpretation that "purely personal or household" is confined only to interactions with friends and family?

Quote from: Frank
The sticking point is the IP. This is, at least in Germany, personal data.

And since the IP is practically always transferred and stored, the GDPR also applies to everyone.

Again, may I ask: where is this in the text?

Leartin

Quote from: jamespetts on June 03, 2018, 08:28:26 AM
May I ask what in the text of the GDPR itself supports that specific construction of "purely personal or household activity" (i.e., that a purely personal or household activity is one that is exclusively aimed at the person's personal friends and family)? That would seem to suggest that a 1990s style "personal home page" with a guest book would not be exempt, which does not seem entirely consistent with the wording of article 2(2) nor recital 18.

Whenever anything is on the internet, it can pretty much be accessed by anyone from anywhere. A 1990s style 'personal home page' in my eyes is one that says "Hi, I'm Steve, this is my cat Mr. Mink, look at pictures of my back yard". So basically, an old school facebook profile. It's like a garden party: It's a private thing, no need to get approval from some government. The friends you invited may come with their friends who you don't know, but that does not make it public, and you are not forced to get a bouncer (after all, as long as they bring beer, you won't care either way). Even perfect strangers that just happen to walk along the road might join, and it still wouldn't change the status of the party.

But no, I can't tell you what in the GDPR supports that. For one, because I never read the English version, and even though the spirit is the same, the specific words used could indicate different things. For example, "professional" in the English version is "beruflich" in German. "beruflich" means "as a job" (Beruf = job), while professional could also mean "with a high degree of skill/knowledge" (unless it's defined differently in the context of laws, I wouldn't know). In this regard, you ask who says friends and family - the German version says family, and friends are personal. On the other hand, the German version never says household. This is interesting: if you live in a household shared with a stranger (eg. student accommodation) this could have relevance.
Second, because it's not my opinion; what I'm telling here is how an expert of the Austrian Wirtschaftskammer (Chamber of Business) explained it to me. To be fair, he also said that it's not perfectly clear yet and could change once courts make decisions, and jokingly, I found out that the best way to deal with personal information is to kill everyone, since dead people have no right to privacy. Still, it makes perfect sense to me, so I'm inclined to believe it.

Quote from: jamespetts on June 03, 2018, 09:05:29 AM
Again, may I ask: where is this in the text?

Art.4 (1). An IP is data that can be used to identify a natural person. It is already established, since law enforcement uses IPs to track down natural people, so we know it's possible.

Ters

Quote from: jamespetts on June 03, 2018, 09:05:29 AM
But what in the text supports this specific interpretation that "purely personal or household" is confined only to interactions with friends and family?

I didn't say it was confined to interactions with friends and family. The SMS log certainly isn't. "Personal and household" has to do with purpose. Information you collect to function as a person or household is likely fine, as enforcing GDPR at that level would not be practical, but once you offer some service to a greater circle of people, GDPR likely kicks in. Offering a service is a choice one makes, and therefore the first opportunity to start enforcement. Defining a later cut-off point is difficult, and personal information is clearly so valuable (that is what made Facebook one of the major companies, and why identity theft is big business) that it needs protection from the earliest opportunity.

Friends are a bit of a gray area, as there is no legal definition of what counts as a friend as far as I know.

jamespetts

Article 4(1) is the definition of "personal data": this does not tell us whether the exemption to the whole regulation in article 2(2)(c) applies, as clearly, where that exemption applies, it applies to all sorts of personal data, including IP addresses, as it is an exemption from the application of the entire regulation.

As to "purely personal and household" or "purely personal and family", although friends are in some sense personal, this does not mean that a reasonable construction of article 2(2)(c) applies only to data about and/or shared with friends - the word "friend" is not used in the English version, nor, so far as I can make out from the translation, in the German version (has anyone checked the French version?). Things relating to friends constitute a subset of the personal.

The critical wording in 2(2)(c) other than "purely personal and family" is "in the course of an... activity". It is the activity that must be "purely personal or household", and recital 18 referring to holding addresses and social networking makes it clear that "purely personal" can include things that relate to other people and things that are made public over the internet. Therefore, it would seem that the activity (1) involving other people; and (2) being made public over the internet does not by itself or in combination prevent the activity in question being "purely personal or household". Is the activity of running a hobby website for a non-commercial computer game personal, or is it in some character professional or commercial?

As to views expressed by leaders of chambers of commerce and the like: there are a large number of contradictory interpretations by people who claim to be knowledgeable about the Regulation. The reality is that nobody is particularly knowledgeable about the Regulation as it only came into force just over a week ago. Unless an interpretation can be supported from the wording of the text itself or a decision of a court interpreting it, it carries very little weight.

DrSuperGood

Quote
An IP is data that can be used to identify a natural person
Not entirely true. One requires access to personal information of the IP owner to be able to resolve it to an individual. John Doe's ISP can map John Doe's current IP to ownership by John Doe, however no one else can. Other people can map John Doe's IP to John Doe's ISP and infer that whoever is using it is a customer of John Doe's ISP but they cannot tell who that customer is, or even if it is the same customer as when the IP was recorded previously.

Law enforcement can get around this by forcing John Doe's ISP to look up who owned an IP at a certain time. In that case if they logged John Doe's IP then they could force the ISP to reveal John Doe.

Additionally IP addresses are often shared with many people, possibly even at an ISP level. In such a case someone can be assigned responsibility over the IP but resolving an individual who did something may well be impossible.

That said I find such legal documents to be a real pain when it comes to programming. It is very easy for some lawyers to be paid £300,000 a year to write such nonsense. But good luck being a software engineer in industry and having the time to read and understand it all! I would like to see those lawyers write code to implement what they wrote... I do understand that such laws are good and necessary, but that does not make them any less painful to comply with.

Leartin

I'm not claiming that an IP has anything to do with whether the GDPR applies or not. It just seemed as if you doubted an IP being personal data.

"Friend" is not used, and could not be used, since it wouldn't be defined anyway, and get even more confusing since Facebook, one of the main reasons the GDPR exists, uses the word for all contacts. It's a casual word, since people usually agree on what a friend is, to explain the implications to everyday people, not a lawyers term aiming for highest possible precision.

Maybe it's a misunderstanding, but I'm not disagreeing with you. You can do something that involves other people, even over the internet, and it could still be personal or household/family.
However, I disagree that recital 18 implies that anything is either personal/household/family OR professional/commercial, because of clubs. Clubs are not necessarily professional nor commercial, especially local amateur clubs. They are so easy to form anybody with a friend could do it. Riddle me this: You have a group of friends interested in Simutrans, have all their phone numbers, photos etc. - now, you legally form a club. What changes?
Either you now have to comply with the GDPR in anything club related, meaning you'd have to secure those phone numbers and photos and everything, write documentation about how you use it and when - or you say YOU as a natural person can still do everything as before, just the CLUB can't. See where I'm going with this? If club activities are personal, the clubs themselves wouldn't need to fall under the GDPR, but if they are not, there is something other than professional and commercial that's not personal: club activities.
My point is that the activity of running a hobby website for a non-commercial computer game can well be personal, but if you are aiming that website at strangers, you reach out of your personal bubble, so it's not personal anymore, even though it's still neither professional nor commercial. I'm very sure that it not only depends on your activity as well. Just like in Germany, a YouTuber had to gain a broadcasting license for his YouTube and Twitch channels because he grew too big, once you do your hobby in front of a large audience it's not personal anymore. No, I can't tell you where this would be in the GDPR, and sure, you could say unless there is a ruling you don't believe it. Thing is, though, if you ONLY go by the text stated, any picture of a person with glasses is sensitive, since it contains information about that person's health. I doubt anybody would ever rule it that way in the near future, but there is no proof.


DrSuperGood: You don't need to be able to identify a single person by one piece of data, it's enough if it could combine with other data. You are probably right about it being impossible to find out JUST by the IP address, even law enforcement needs at least a time stamp. But then again, there are also people who share the same name. Like me and my dad. There is rarely a type of information that, on its own, could identify somebody without a doubt, but ANY information that helps you find out someone's identity is personal. Read "mental, economic, cultural or social identity of that natural person". I doubt there is any statement one could make about anybody's mental state that would identify them perfectly. Likewise, telling if someone is rich or not does not really mean much. Say "The crazy rich Mexican in Llanfairpwllgwyngyll" and chances are there isn't a second one.

Ters

The purpose of GDPR is to protect personal information. If something leads to a situation where personal information is not well protected, then that can not be what GDPR intends. That is, you can't put up a personal web site which gathers all kinds of personal information and stores it in a world accessible database with no password, just because you're doing it as a personal hobby. What is considered "personal and household" must therefore be quite restricted, probably limited to things we were doing before home computers came along, plus very direct analogues (storing e-mail addresses as opposed to street addresses), as some form of grandfather clause.

jamespetts

The GDPR is dangerously vague and ill-defined, lending itself (quite deliberately) to authoritarianism, so there is no certainty in any of the interpretations (including whether there can be something that is both non-personal and non-professional/commercial; clubs may be said to be non-personal because they are an organisation of multiple persons, hence the activities of the club are not personal to any one of its members). However, I do not follow the logic in this passage:

Quote
the activity of running a hobby website for a non-commercial computer game can well be personal, but if you are aiming that website at strangers, you reach out of your personal bubble, so it's not personal anymore

Whether something is "aimed at strangers" does not seem to be entirely consistent with the notion of a "purely personal activity" in article 2(2)(c) and expounded upon by recital 18 - one might have a purely personal activity aimed at strangers (as in posting photographs to one's Facebook account with the privacy set to public, for example, or posting photographs to Flickr, assuming in both cases that the photographs are just a personal hobby and not commercial). A good example of a purely personal activity aimed at strangers is online dating: although the companies running the websites are not exempt because their activity is commercial, those who use online dating websites clearly gather and process others' personal data in an activity that is very specifically aimed at strangers, yet it would be odd if that activity were one that is not "purely personal".

The ultimate point is that the scope of the exception is very uncertain (and this is likely to be deliberate to give state authorities dangerously excessive power), but whether something is "aimed at strangers" cannot be a complete description of what falls outside the concept of "purely personal or household".

Ters

I think the vagueness is because technology is moving way faster than legislation. The large changes since the 1990s, and the huge problems with identity theft and other malicious use of personal information, have scared the legislators. Many lives have been ruined. They needed laws that can be applied to things we can not yet foresee, because when they arrive, we don't have time to discuss things in a committee. Scary, but so is the alternative. Unfortunately, the threat of being hacked has not been enough to encourage people to take security seriously. When you have personal information about others, you may not even be the greatest victim of the theft.

Leartin

Quote from: jamespetts on June 03, 2018, 12:12:56 PM
Whether something is "aimed at strangers" does not seem to be entirely consistent with the notion of a "purely personal activity" in article 2(2)(c) and expounded upon by recital 18 - one might have a purely personal activity aimed at strangers (as in posting photographs to one's Facebook account with the privacy set to public, for example, or posting photographs to Flickr, assuming in both cases that the photographs are just a personal hobby and not commercial). A good example of a purely personal activity aimed at strangers is online dating: although the companies running the websites are not exempt because their activity is commercial, those who use online dating websites clearly gather and process others' personal data in an activity that is very specifically aimed at strangers, yet it would be odd if that activity were one that is not "purely personal".
Whether something is aimed at strangers is only relevant if you also collect their data, since you need to make sure such a data collection would comply with the GDPR, unless the GDPR does not apply. If you are on a dating website, you would trust the provider of that service to handle all the GDPR things, show a form to every user, let them sign that they are okay with sharing their data etc. - in the end, the user only sees data they are allowed to see under the GDPR anyway, because the service provider needs to make sure that's the case. It's no different from looking for a number in a phone book, or even asking for a number in person.

Same is true for sharing photos on Facebook: you are fine, since Facebook mostly deals with GDPR-related shenanigans. But once you create your own website and share the photos there, YOU are the one collecting information first hand (eg. IP addresses, guestbook data, comments, ...) - so now we must decide whether that data collection is "personal-household" or not. As you said, just because it's accessible by everyone does not mean it's not personal. Which criteria would you use to decide, if not the target audience (or in this case: what's in the photos, and who could be interested in them?).

prissi

Quote from: Leartin on June 03, 2018, 09:48:33 AM
I found out that the best way to deal with personal information is to kill everyone, since dead people have no right to privacy. Still, it makes perfect sense to me, so I'm inclined to believe it.
That seems untrue for Germany at least. Ten years ago I searched for the grave of a friend. I phoned the graveyard administration, but they replied that they cannot tell me the grave location due to privacy. (Putting the reason for a grave stone into a strange context, and it would require unnamed stones ... )

Leartin

https://de.wikipedia.org/wiki/Postmortales_Pers%C3%B6nlichkeitsrecht
It's the same in Germany. I actually asked specifically for the German Simutrans Forum, since there are still some threads concerning Dirk and his health. Such things would be hard to keep (sensible data, much worse than normal data), but a shame to delete (forum, nay, Simutrans history), so I asked about it.

Ters

Dead people seem to have no rights here. Whatever remains restricted seems to be due to its relevance for surviving kin. The grave site does not belong to the dead, but to the living visiting it. Church death records are not available for many decades afterwards since they list widows, who may be many years younger and therefore still alive.

ACarlotti

Quote from: Ters on June 03, 2018, 12:46:52 PM
I think the vagueness is because technology is moving way faster than legislation.
Yep, and also it's written by lawyers rather than people who actually develop and (maybe) understand the technology. I've heard this issue discussed between a lawyer and some mathematicians at a workshop I recently attended.

Ters

Well, laws shouldn't really be technology specific. And GDPR addresses problems that developers probably didn't foresee or care about. However, marketing realized what the devs had created, and went wild with it. As did various malicious groups.

jamespetts

Quote from: Leartin on June 03, 2018, 01:24:22 PM
Whether something is aimed at strangers is only relevant if you also collect their data, since you need to make sure such a data collection would comply to the GDPR, unless the GDPR does not apply. If you are on a dating website, you would trust the provider of that service to handle all the GDPR-things, show a form to every user, let them sign that they are okay with sharing their data etc. - in the end, the user only sees data they are allowed to see under the GDPR anyway, because the service provider needs to make sure that's the case. It's no different from looking for a number in a phone book, or even asking for a number in person.

That is not a good analogy, as the users would then be data processors rather than exempt, and they would be obliged to handle the data that they see in accordance with the Regulation (and the website providers would have to audit each and every one of their users to demonstrate compliance); but the users do not process data on behalf of the site - they process the data for their own use, and so would be data controllers unless exempt, and thus obliged to have detailed written policies and serve Article 14 notices on each and every person whose profile they visit (unless they can demonstrate that this would involve "disproportionate effort").

Quote
Same is true for sharing photos on Facebook: You are fine, since Facebook mostly deals with GDPR-related shenanigans. But once you create your own website and share the photos there, YOU are the one collecting information first hand (e.g. IP addresses, guestbook data, comments, ...) - so now we must decide whether that data collection is "personal-household" or not. As you said, just because it's accessible by everyone does not mean it's not personal. Which criteria would you use to decide, if not the target audience (or in this case: What's on the photos, and who could be interested in them?).

I would suggest that a sensible interpretation of an activity that is "purely personal or household" is one that is undertaken by a singular individual or a family/household that is not commercial/professional in character. That would be consistent with, e.g., clubs being required to comply with the Regulation but individuals' websites being not so required.

The vagueness of the Regulation, incidentally, is not a necessary incident of being technology unspecific. The vagueness is not in respect of specific technologies, but in respect of the scope of the Regulation's applicability and the nature of the duties that it imposes (vague duties to take "adequate measures", for example). The whole thing is deeply authoritarian and really very, very sinister.

An_dz

Sinister is the law that makes websites responsible for the content that other websites they link to host.

Ters

Quote from: jamespetts on June 03, 2018, 06:10:53 PM
The whole thing is deeply authoritarian and really very, very sinister.

Well, I consider those the law is against more sinister. Companies are collecting more information about people than Gestapo, Stasi or KGB ever did. They don't want my money anymore, they want my life. And they handle it rather carelessly.

GDPR also restricts what governments can do with personal information. (Although I guess they have some ability to make exceptions for themselves, especially if they play the national security card.)

Leartin

Quote from: jamespetts on June 03, 2018, 06:10:53 PM
That is not a good analogy, as the users would then be data processors rather than exempt, and they would be obliged to handle the data that they see in accordance with the Regulation (and the website providers would have to audit each and every one of their users to demonstrate compliance); but the users do not process data on behalf of the site - they process the data for their own use, and so would be data controllers unless exempt, and thus obliged to have detailed written policies and serve Article 14 notices on each and every person whose profile that they visit (unless they can demonstrate that this would involve "disproportionate effort").

Would you say every company that owns a phone book has to serve such an Article 14 notice to everyone who is in the phone book? If you, as an employee of a company, visit a company website for some quick information, and that website happens to include personal data, would you be forced to write that Article 14 notice, or delete your browser history, or both?
The difference I wanted to highlight is that as a user of a service, you only give data away, and receive data that was given by the data subject willingly and for that very purpose, who was informed about all the implications as required by the GDPR. While not as public as a phone book, it's as public as a company's deed (= anyone who pays a fee can get it), hence comparable.

Quote from: jamespetts on June 03, 2018, 06:10:53 PM
I would suggest that a sensible interpretation of an activity that is "purely personal or household" is one that is undertaken by a singular individual or a family/household that is not commercial/professional in character. That would be consistent with, e.g., clubs being required to comply with the Regulation but individuals' websites being not so required.
But that would mean if I created my own Facebook alternative as a private individual, no matter how large it would grow, as long as I would keep it as a garage project I could own millions of users' data all while the GDPR wouldn't apply to me... Yeah, I'm sure that protects user data alright...

killwater

This discussion is moot - 99% of the population will not be able to afford to defend themselves in court, so they have to comply if what they publish contains anything that can be considered personal data by anyone at any time and is freely available on the internet. This is a death switch for the free internet.

Quote from: Ters on June 03, 2018, 06:49:57 PM
Well, I consider those the law is against more sinister. Companies are collecting more information about people than Gestapo, Stasi or KGB ever did.
The difference is they only collect what you want to give them - if you do not want them to have your data, then do not give it. The reality is there will be more bureaucracy, but the data collected by the big ones will be the same, and still a good hacker will get the whole database from time to time.
Oh, and all the small internet shops, websites and services will get additional cost and a barrier to entry. You either move to big providers or slowly die off.
I already had a few places give up on me because I am from the EU. The first thing that happens is turning off the private messages (they are extremely dangerous from the GDPR point of view - you can send your entire phone book with addresses etc. and it is stored on the forum server). Then they just do not want the hassle at all - like with Samsung not selling laptops in the EU any more. Prepare for more "This content is not available in the EU" messages.

Quote from: Ters on June 03, 2018, 06:49:57 PM
GDPR also restricts what governments can do with personal information. (Although I guess they have some ability to make exceptions for themselves, especially if they play the national security card.)
Governments DO NOT follow the law. See all the stuff that the NSA has done in the USA since, like, forever. Thinking that other countries are any better is, well... let's say naive.