What is this EU privacy law GDPR?

    Hi

    The EU's privacy law, the General Data Protection Regulation or GDPR, is another can of worms for us software developers.
    What would be its implications or impact on us (North American software manufacturers or publishers)?

    Must our data be encrypted to a certain extent, and what are the regulations regarding transmission of data via the internet?



  • #2
    This sums it up fairly well...

    https://en.wikipedia.org/wiki/Genera...ion_Regulation
    I am legally blind. Please forgive any typos. I do try and catch as many as I can.



    • #3
      Thanks so much, Brice

      Very vaguely defined regulations that are open to wild interpretations; best to avoid selling software to the EU.



      • #4
        You are very welcome, Anne.



        • #5
          Originally posted by Anne Wilson:
          Very vaguely defined regulations that are open to wild interpretations; best to avoid selling software to the EU.
          That might work! The difficulty arises in changing your systems if you are already collecting personal information about individuals in the EU, because you need to ask them for permission to hold that information.

          At a wild guess, the US government (maybe the FTC?) has been offering advice on this topic to businesses for a couple of years.



          • #6
            Originally posted by Anne Wilson:
            Very vaguely defined regulations that are open to wild interpretations; best to avoid selling software to the EU.
            This regulation only manifests what should really be common sense:

            - don't store anything that isn't necessary to fulfill the business at hand
            - after fulfillment, delete information that isn't mandatory to be kept (e.g. invoice/payment data due to tax legislation)

            And if you think about it for a bit, it not only protects your customers, but your business too. Because data that isn't stored anywhere can't be stolen by a data breach occurring at your side.

            Originally posted by Chris Holbrook:
            The difficulty arises in changing your systems if you are already collecting personal information about individuals in the EU, because you need to ask them for permission to hold that information.
            There's this absurd (and welcomed, from a customer's POV) situation that although it was a legal requirement (at least in Germany) for more than a decade to provide a working "Unsubscribe" option in any newsletter, that seldom did work. Fast forward to GDPR and all of a sudden I get spammed from those very entities that were more than happy to ignore the unsubscribe attempts before, with "please allow us to continue to communicate with you" emails, begging me to grant the permission to use my personal data or risk getting fined. Which I of course ignore. And all of a sudden I automagically get unsubscribed from all those pesky emails...



            • #7
              - don't store anything that isn't necessary to fulfill the business at hand
              - after fulfillment, delete information that isn't mandatory to be kept (e.g. invoice/payment data due to tax legislation)
              The biggest issue is the link I provided in the other thread. You can do all of the above, but it will have no bearing on protecting you. If an advertiser on your site (à la Google's shoddy ad service) is not in compliance, or your hosting service keeps any type of logs of traffic IPs, YOU will be held accountable if they are in violation.

              Based on what we have seen so far, and the people who were immediately filing suit against USA-based companies the day the law came into effect, people are not really interested in the protection the law provides, they are only interested in the financial gains the law can provide for them.

              I am in an odd position... I had been with the same host for over 10 years. Unfortunately, they were bought out by Square a month or so back. I immediately started shopping for a new host and found one I love, even though it costs me a LOT more. My new host does NOT provide the option to block IPs and the way ordering is set up, I can't block specific countries (at least not that I have found yet).

              I think what I am going to do is just specify in my "terms" (which are clickable on my index page) that the #1 term will be that residents of the EU are NOT allowed to visit (or otherwise utilize) my site, and anybody doing so is in violation of my TOS. I will also make clear that all residents of the EU are not allowed to download anything from my site or purchase anything from my site, and doing so is a violation of my TOS.

              That is the best I can do.






              • #8
                Forbes had an insightful article on GDPR which discussed 'Territorial Scope'.

                Originally posted by Anne Wilson:
                best to avoid selling software to the EU
                Anne, this might be a workable solution if you can implement it completely in your business model. Although I've seen a ton of discussion suggesting being very explicit about EU prohibitions in web/contracts/etc. In May I had to sit through two different legal teams hashing this out, and even they couldn't agree on measures and effect. So my take-away from the meetings was "Nobody knows with absolute certainty!"

                Knuth, you said it best:
                Originally posted by Knuth Konrad:
                This regulation only manifests what should really be common sense:
                I personally like a lot of the intentions put forth in GDPR and others. But, as the saying goes: the road to hell is paved with good intentions. It's some of the ramifications of those intentions that will remain unknown until this is well-tested in the courts (EU and domestic).



                • #9
                  From GDPR -
                  Organisations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations (Article 27). This is a distinct role from a DPO, although there is overlap in responsibilities that suggest that this role can also be held by the designated DPO.
                  PB last updated 2012, PBForms 2010. Seriously, do you think they're selling enough copies to hire someone?

                  Regarding the statement in the other thread - the forum has names given by users and does not sell anything. The main site does support sales, so it gets real names (relative to credit cards) and credit card numbers; so it is subject to GDPR.

                  added - When new versions come out, I'd find a reseller in the EU and let them worry about GDPR. (They might already have a DPO.)
                  Dale



                  • #10
                    Originally posted by Dale Yarker:
                    Regarding the statement in the other thread - the forum has names given by users and does not sell anything. The main site does support sales, so it gets real names (relative to credit cards) and credit card numbers; so it is subject to GDPR.
                    In my case, although I do sell digital & physical goods, I use PayPal for order processing. I do not ever have possession of credit card data. All I get are names, addresses and an email address.

                    Yet, based on that other link, I would be held liable if PayPal was breached or otherwise in violation of the GDPR.




                    • #11
                      Brice, names and addresses would count, maybe they just didn't get around to blocking you yet. (Have you had anyone in EU test your site lately?)
                      Dale



                      • #12
                        "Nobody knows with absolute certainty!"
                        Wow, thanks Raymond. Even legal experts do not know its legal implications; I think we had better stay out of the EU.
                        Don't swim with the sharks, as you can be eaten alive.

                        As you see, our software not only collects names and addresses; we also collect our customers' computer information, such as hard disk and main board serial numbers, so that the programs can only be run on the designated customer's machine and nowhere else. This is part of our copy protection scheme for our software.

                        Would it be a liability if an EU user could claim that their privacy has been harmed or infringed because we have collected their computer information, even with their consent? Could they also claim that their computer identity has been stolen if the software was hacked and then used by another company?

                        It is a huge can of worms.



                        • #13
                          Originally posted by Anne Wilson:
                          Would it be a liability if an EU user could claim that their privacy has been harmed or infringed because we have collected their computer information, even with their consent?
                          That's pretty easy: send out a request to all of your EU customers, stating what information you collect, and have them renew their agreement = you're good.

                          The hard part is to provide all collected data upon request, together with information on what it is used for, whom it's shared with, and what they did with it. But then again, that is only new for these digital/virtual "properties". If you make yourself a physical-world example, things turn out to be pretty obvious: Bob hands you his passport (= personal data). You take it and give it to me to store (= I'm a 3rd party like PayPal or a cloud data provider). Now Bob asks you

                          "BTW, where's my passport?"
                          "I gave it to Knuth to store it, he's specialized in doing so."
                          "So, does he still have it?"

                          Now imagine for a second Bob's reaction if your answer to that would be "I don't know, I have no way to verify that, and oh - I also don't care."

                          This is basically what happened up until now with digital data. Now you're forced to take the same precautions and responsibility for digital data as you'd do with physical objects.

                          Contracts between businesses such as yours and cloud providers, payment processors, etc. will change so that you can hold them liable for this. From my own experience: the "big ones" will even proactively contact you (as an existing customer) and send you an updated contract/agreement themselves. Those who refuse will sooner or later go out of business, because there's always going to be one who takes advantage of that opportunity and uses it as a unique selling point.

                          And again - this has always been the sane and common sense thing to do.



                          • #14
                            Originally posted by Anne Wilson:
                            Would it be a liability if an EU user could claim that their privacy has been harmed or infringed because we have collected their computer information, even with their consent? Could they also claim that their computer identity has been stolen if the software was hacked and then used by another company?

                            It is a huge can of worms.
                            Right, and you are already in that can if you have "live" customers in the EU. You may as well just present yourself in handcuffs to EU HQ in Brussels.

                            Or you can just find out what your competitors are doing, improve on it, and help yourself to a market of 510 million people. Scary isn't it?



                            • #15
                              Originally posted by Knuth Konrad:

                              That's pretty easy: send out a request to all of your EU customers, stating what information you collect, and have them renew their agreement = you're good. [etc]
                              Nicely explained Knuth.



                              • #16
                                Originally posted by Anne Wilson:

                                Wow, thanks Raymond. Even legal experts do not know its legal implications; I think we had better stay out of the EU.
                                Don't swim with the sharks, as you can be eaten alive.

                                As you see, our software not only collects names and addresses; we also collect our customers' computer information, such as hard disk and main board serial numbers, so that the programs can only be run on the designated customer's machine and nowhere else. This is part of our copy protection scheme for our software.

                                Would it be a liability if an EU user could claim that their privacy has been harmed or infringed because we have collected their computer information, even with their consent? Could they also claim that their computer identity has been stolen if the software was hacked and then used by another company?

                                It is a huge can of worms.
                                Are you holding that information in a repository, or is it just stored on the user's machine as a validation check? If it is not being forwarded to a central repository, you are not "collecting it" and it is a non-issue.



                                • #17
                                  Originally posted by Chris Holbrook:
                                  Nicely explained Knuth.
                                  AND ensure you keep their response stating they acknowledge AND accept.
                                  George W. Bleck



                                  • #18
                                    Are you holding that information in a repository, or is it just stored on the user's machine as a validation check?
                                    Hi Stuart

                                    These data are stored in a central repository on a remote server. It is used to check whether users have activated the software on the same machine or on a different machine.

                                    If it is the same machine as in the first installation, software activation is accepted, as it means that the user is just reinstalling the software on the same machine.

                                    However, activation is denied if the user attempts to install it on a different machine (other than the first installation). The user would be prompted to purchase a new software license.

                                    Therefore, it is best NOT to sell it to EU users to save us the trouble. Such regulations, which can be open to wild interpretations, would be a liability for software publishers like us. Users could potentially put up a claim to extract monetary benefits from us and/or to sabotage competitors' businesses. It is difficult to defend ourselves as the internet goes through several third-party networks (global ISP routers) which are vulnerable to hacking, and that data can be stolen from any of these links.
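The activation check described in post #18 (bind a licence to the first machine, accept reinstalls on that machine, deny others) can be implemented without the server ever retaining the raw disk and mainboard serial numbers, which directly addresses the data-minimisation point from post #6. The following is an added example, not code from this thread or from any poster; the pepper, licence keys and hardware identifiers are constructed placeholders.

```python
"""Added example: licence activation bound to a machine, storing only a
keyed one-way token of the hardware identifiers instead of the serials."""
import hashlib
import hmac

# Server-side secret (constructed placeholder). In a real deployment this is
# loaded from a secret store on the activation server, never shipped to clients.
SERVER_PEPPER = b"constructed-example-pepper-do-not-use"


def machine_token(hw_ids: dict) -> str:
    """Derive a pseudonymous token from a machine's hardware identifiers.

    hw_ids is e.g. {"disk": "<serial>", "board": "<serial>"}. Keys are sorted
    so the same machine always yields the same token regardless of dict order.
    Only this HMAC-SHA256 digest is persisted; the serials themselves are not.
    """
    canonical = "|".join(f"{key}={hw_ids[key]}" for key in sorted(hw_ids))
    return hmac.new(SERVER_PEPPER, canonical.encode(), hashlib.sha256).hexdigest()


def activate(store: dict, license_key: str, hw_ids: dict) -> str:
    """Server-side activation decision.

    store maps licence key -> machine token. Returns "accepted" on first
    activation or on a reinstall on the bound machine, "denied" otherwise.
    """
    token = machine_token(hw_ids)       # raw hw_ids go out of scope after this
    bound = store.get(license_key)
    if bound is None:
        store[license_key] = token      # first activation: bind the licence
        return "accepted"
    if hmac.compare_digest(bound, token):
        return "accepted"               # same machine: reinstall is fine
    return "denied"                     # different machine: new licence needed


def erase(store: dict, license_key: str) -> bool:
    """Drop the binding, e.g. on an erasure request or end of contract.

    Returns True if a record existed and was removed.
    """
    return store.pop(license_key, None) is not None


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    db = {}
    pc_a = {"disk": "WD-CONSTRUCTED-0001", "board": "MB-CONSTRUCTED-0002"}
    pc_b = {"disk": "ST-CONSTRUCTED-0009", "board": "MB-CONSTRUCTED-0010"}
    print(activate(db, "LIC-EXAMPLE-1", pc_a))   # accepted (first activation)
    print(activate(db, "LIC-EXAMPLE-1", pc_a))   # accepted (reinstall)
    print(activate(db, "LIC-EXAMPLE-1", pc_b))   # denied (different machine)
    print("raw serial retained:", "WD-CONSTRUCTED-0001" in repr(db))  # False
```

The serials still travel to the server once per activation (which the customer consents to), but a breach of the store exposes only tokens that cannot be reversed without the server pepper.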


                                    • #19
                                      Anne, I believe Congress passed laws, a few years ago, that made it so you would not be held responsible for theft of data traveling over the internet.
                                      Basically where you don't have any control.
                                      There are already privacy laws that exist.
                                      There are laws also against stealing intellectual data that even go so far as somebody trying to type a password or log in to a system that has any form of sign-in. I would think any theft of most electronic devices could be considered intellectual data theft, including a phone.
                                      I bought a shirt at a basketball game. When they processed my credit card it was declined because the credit card was processed overseas. I really disliked that my information was processed overseas where I did not have any legal protection outside the USA, and I did not know it was going to be processed overseas. I had an abused card used in Australia where they say it was physically swiped twice while I was in the USA using the card the same day.
                                      I had put a stop on any international transactions after the theft, and that is why the shirt purchase by card was declined, but I had to find out why it was declined from my banking source.
                                      One of the requirements for our company to process cards is to not keep any card info. Which we don't. The gateway we use redacts most of the card info on reports.
                                      One of my cards was swiped in Texas at a Sam's Club for about 1000 dollars. Sam's said it was an error.
                                      But I know there was no error. They just did not want to go to court and spend the effort. I am pretty sure the info was stolen at a restaurant.
                                      I personally don't think one country can enforce its laws on an entity in another country if two entities agree to make a transaction.
                                      p purvis



                                      • #20
                                        Originally posted by Anne Wilson:
                                        Therefore, it is best NOT to sell it to EU users to save us the trouble. Such regulations, which can be open to wild interpretations, would be a liability for software publishers like us. Users could potentially put up a claim to extract monetary benefits from us and/or to sabotage competitors' businesses. It is difficult to defend ourselves as the internet goes through several third-party networks (global ISP routers) which are vulnerable to hacking, and that data can be stolen from any of these links.
                                        "Who Dares, Wins". Just saying.
