
332 points vegasbrianc | 10 comments
diggan ◴[] No.42141994[source]
Correct URL: https://legiscope.com/blog/hidden-productivity-drain-cookie-...

> This situation calls for an urgent revision of the ePrivacy Directive

Shame companies cannot live without tracking cookies, and shame that the blame somehow ends up on the regulation, rather than on the companies who are the ones who introduce this cookie banner and "massive productivity loss".

You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.

replies(5): >>42142003 #>>42142011 #>>42142019 #>>42142081 #>>42142098 #
1. r3trohack3r ◴[] No.42142098[source]
> You know the best way of not having to care about GDPR? Don't store PII.

I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.

For example, my router logs connections for debugging. And my NGinx server maintains server logs for debugging.

These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.

Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?

It's also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.

I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.

replies(4): >>42142122 #>>42142320 #>>42145660 #>>42145952 #
2. dijit ◴[] No.42142122[source]
I get it, but you’re not in violation if you never pass those logs to anyone.

GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).

The regulation is not very hard to read; I would recommend you read it if you haven’t. It boils down to: “don’t pass on (process) information without informed consent; if someone requests that you remove their account you should do so, and also don’t keep records around; and do your best not to let anyone access personal information”. The last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.

Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third-parties!

There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.

EDIT; I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.

replies(2): >>42142393 #>>42144612 #
3. etaweb ◴[] No.42142320[source]
Actually, all the cases you mentioned do not necessitate any consent from European users as long as you don't send these data to any third party. The only thing is, if you plan to store logs over time, they should be anonymized after 25 months. It's not that bad.
replies(1): >>42142461 #
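The retention point in the comment above (keep the logs, but anonymize them once they are old) is a mechanical job, so here is an added example of what that looks like for the nginx access logs the earlier comment mentions. This is not code from any commenter. It assumes the nginx "combined" log format, masks IPv4 addresses to a /24 and IPv6 addresses to a /48 (a common choice, not something the thread specifies), and takes a retention window as a parameter; the sample log lines, the `NOW` timestamp and the 30-day window are constructed for the demo, and stand in for whatever window (the thread quotes 25 months) a self-hoster actually picks.

```python
"""Mask client IP addresses in nginx access-log lines older than a retention window.

Added example, not code from any commenter. Assumptions not in the thread:
nginx "combined" log format, IPv4 masked to /24, IPv6 masked to /48, and a
retention window passed in as a timedelta.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# nginx "combined" format starts: $remote_addr - $remote_user [$time_local] ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident_user>\S+ \S+) \[(?P<time>[^\]]+)\] (?P<rest>.*)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed reference time and retention window for the demo (assumptions).
NOW = datetime(2024, 11, 15, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Nov/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.4.0"',
    '2001:db8:abcd:1234::5 - - [01/Jan/2022:08:15:30 +0000] "GET /blog HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2022:09:00:00 +0000] "POST /api HTTP/1.1" 404 0 "-" "-"',
    "not a log line",
]


def mask_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host bits of addr; strings that are not IPs come back unchanged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str, now: datetime = NOW, max_age: timedelta = MAX_AGE) -> str:
    """Mask the client IP when the line's timestamp is older than max_age.

    Lines that do not parse are returned untouched rather than dropped, so a
    format change in the log does not silently discard records; a real job
    should count and report them.
    """
    body = line.rstrip("\n")
    newline = line[len(body):]
    m = LOG_RE.match(body)
    if not m:
        return line
    try:
        ts = datetime.strptime(m.group("time"), TIME_FMT)
    except ValueError:
        return line
    if now - ts <= max_age:
        return line  # still inside the retention window: keep the full address
    masked = mask_ip(m.group("ip"))
    return f'{masked} {m.group("ident_user")} [{m.group("time")}] {m.group("rest")}{newline}'


def anonymize_log(lines, now: datetime = NOW, max_age: timedelta = MAX_AGE) -> list:
    """Apply anonymize_line to every line and return the rewritten log."""
    return [anonymize_line(line, now, max_age) for line in lines]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run as a cron job over rotated log files (writing to a new file and replacing the old one), this keeps the debugging value of old logs while removing the part that identifies a specific visitor; the unparsed-line passthrough is the edge case to watch, since a silently unmasked line defeats the purpose.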
4. chris_pie ◴[] No.42142393[source]
Huh? You're still a personal data processor.
replies(1): >>42142573 #
5. r3trohack3r ◴[] No.42142461[source]
> it should be anonymized after 25 months

Unless traffic volume causes truncation, turns out I’m not compliant!

6. dijit ◴[] No.42142573{3}[source]
For a start: Section 18 directly indemnifies the GP because they’re not a commercial entity.

Section 49 gives, additionally, specific carve outs for logging even if they were a commercial entity.

Consent is needed to pass logging data to third parties or to process it beyond end user functionality.

It's easier to just read the regulation: https://eur-lex.europa.eu/eli/reg/2016/679/oj

replies(1): >>42143211 #
7. ◴[] No.42143211{4}[source]
8. porker ◴[] No.42144612[source]
Agree with you. My only addition is to remember to read PECR (https://ico.org.uk/for-organisations/direct-marketing-and-pr...) alongside GDPR.
9. BlackFly ◴[] No.42145660[source]
You are not EU based, you are not a processor/controller operating in the union, public international law doesn't grant EU law jurisdiction: the GDPR has no direct effect on you.

It could be that you are running ads and your ad provider is a processor in the EU and, because they cannot handle jurisdictional consent well, they attempt to pawn that off onto you in your terms and conditions. EU law has already decided that they cannot turn a blind eye, however: if you aren't collecting consent then your processor has to assume that consent isn't given.

So yeah, worry about your contracts with third parties that might try to sneak in liability transfers and how your own jurisdiction would deal with that. If your provider is transferring that kind of liability maybe they are trying to also make you liable in the case that their ad installs a virus, so I hope you are already aware of such third party liability transfers in your contracts if your jurisdiction allows for such things.

10. GJim ◴[] No.42145952[source]
OP should not be downvoted for asking genuine questions and concerns.

This type of downvoting on HN is getting silly and needs to stop.

(And a thanks to those who did respond to OP with the advice he is not in GDPR violation. Frankly, a worrying number of HN readers are clueless about legislation that directly affects them, whether they like it or not.)