f13.net

The GDPR email storm is going strong today.

As are the phone/tablet app updates.

Mild interest in a GDPR thread, but this may suffice:
https://gdprhallofshame.com/

US Capitalism crashes against the wall of EU do-goodery.

The funny part to me is that almost none of them are mentioning that it's because of GDPR.  It's like they think if they hide what's going on, they won't get frivolously sued for a large chunk of their net income.

As a US citizen, I assume my options are limited.

What's ironic is that most of those emails are not necessary. If there is customer relationship with the recipient - ie. you bought a product, use their service, etc - than an opt-in is NOT required. Opt-in for a newsletter is only mandatory for non-customers.

Hard to understand so many companies aren't aware of it. I know it and I neither have a business nor am I some super genius.

They might be just using it as an excuse to try and get people to sign up for stuff.

That's not correct. You don't need to "re-consent" if your original consent meets GDPR requirements, which basically none of them did cause they were all opt-out not opt-in. There are also other requirements like having the consent be separate from other things like Terms and Conditions which were probably not followed as well.

So this (quote from wired) is wrong?


Directive 2002/58/EC  (Directive on privacy and electronic communications)

I believe so. My understanding is GDPR consent requirements are a superset of the earlier EU requirements. So even if you met the earlier requirements that doesn't mean you meet the current requirements and you have to re-consent.

https://www.compliancejunction.com/gdpr-require-new-consent-existing-clients/

I.e. there's no "grandfathered" clause for the previous consent requirements.

Hmmm. I'll have to ask around then before I repeat any misinformation. Will report back.

Edit: Wait, this politico article that is quoting a Belgian official says the same:


https://www.politico.eu/article/those-gdpr-emails-you-got-all-for-nothing-general-data-protection-regulation/

I haven’t been following this too much.  How exactly are they enforcing this?  Does it only effect countries that have a physical footprint in the EU?  It would be pretty fucked up to have a web site that’s entirely based in the US to have to comply with any EU regs for their citizens who visit it, so I imagine not.  But I’m seeing things about all sorts of US news sites blocking EU people.

Because the internet has removed the "physical location" of the business from the equation, it is for anywhere.

It is written as spplying to EU residents, not citizens.

It has not been litigated yet so there is really no information on how the enforcement will work.

If you have a "resaonably valid business reason" for keeping data (or a separate legal/regulatory requirement to keep the data) then you do not have to "delete" people. What you, as an organization, DO need to do is stop collecting additional data on the person and refrain from using the data in marketing purposes or disseminating it to other parties.

I sat through a couple of sessions at a conference last week where the chief legal counsel for a major software company talked about how they went about their GDPR compliance. It was pretty interesting.

(https://i.imgur.com/jV96dU3.jpg)

(https://pbs.twimg.com/media/Dd_Bpo-VwAAop9V.jpg:large)

(https://i.imgur.com/g4T4LeP.png)

And:

(https://i.imgur.com/4KezUSy.png)
https://www.cnet.com/news/microsoft-says-its-extending-gdpr-rights-to-consumers-worldwide/

You're welcome, don't mention it!  :wink:

You have no idea how much money Microsoft are making over GDPR.  Trust me on this.

It's no wonder they're throwing it worldwide.

OK, I'll bite.  I'm going to guess "consulting" since that's usually the answer of how someone makes money in IT.

Cloud.

Partly, but mostly in the screamingly large upturn in sales of Azure Information Protection, E3 and E5 Sku's.  You know;  the ones that have encryption and the compliance and security features ?

We've been selling all that shit since last August and even this week I have 3 more large orders for it.   

Upselling.  It's a thing.

You're saying some of their licensing ISN'T GDPR compliant?

It doesn't sound like he's saying that at all. It sounds like he's saying they know how to make money.

Which is fine.

Quite a few sectors have.....overreacted to the requirements.  I'm not going to tell them they don't have to buy my shit, now, am I ?

That’s at least partially because a lot of organizations didn’t pay attention to GDPR at all until the last couple months so they didn’t do the legwork to do data classification and tagging which is the cornerstone of any good data protection strategy. Of course, if data protection were easy I would probably be out of a job.

Which is the shit that Azure will actually do for you.  So.  Sale. 

But you don't have to tell me.  I've been presenting workshops, as I say, since August and I'm utterly sick of one useless fucking organisation after another coming in and basically being low information dickholes.

Charities are the only chaps that have it all sorted in my opinion.

I was just concerned because he mentioned E3s specifically and we have one client who insists on using Business Premium licenses instead.  Wanted to make sure they weren't screwing themselves over by being picky in the wrong way.  Seems to just be the built-in encryption option, though, which is available with a separate license.

Except it's not because it doesn't work with the Business Premium version of Office terribly well.  But this is getting boring to everyone, so feel free to PM me if you have concerns.

Who do you work for again, Ironwood?

Even standalone Wordpress blog installs got handed a pile of requirements in the last couple of days. New tools for wiping users, new checkboxes on contact forms, turns out the spam detection plugins need consents, need to have a "show me my data" form... and if you use certain plugins, you actually have to hand-code stuff to let people opt out cookie by cookie or something.

Number one thing to remember when talking about GDPR: don’t trust anyone who says “use our product and be 100% GDPR compliant.”

No piece of software is a magic bullet, and being “compliant” today doesn’t mean you are good tomorrow as the whole thing requires a constant process to evaluate and act on requests and to ensure your data classification continues to be valid. As much as becoming GDPR compliant will suck fora lot of organizations, ones who go through an honest evaluation of how they deal with digital information will be stronger for it. Of course, a lot of organizations will fuck it up royally but those are likely the ones who will come running to Ironwood for help so is that really a bad thing?  :why_so_serious:

I’m still not seeing how this is going to be enforceable to a number of companies responding to it.  There really is a massive overreaction as Ironwood said.  Unless that company has a physical footprint in Europe (and a lot of small American places I’m sure don’t, seem to be responding to this) the EU can’t do anything to them, nor should the EU expect they can apply their laws to them in the first place. 

The fact multi-billion dollar law suits were rolled out against Google and Facebook the day this came into effect makes this seem far more like trade protectionism for EU tech companies against dominate US players than anything.  If any major US company see massive fines due to this, its going to prompt a trade response. 

I think the fact Google and Facebook got hit with massive fines surprises exactly no one. Thinking of them as specifically US tech companies also misses those guys' global status, they have offices and employ a shit load of people in Europe and pay about as much in taxes here as they do in the US. This is not aimed at protectionism but is a reaction to the wild west nature of the data market at the moment.

The basic principle of the GDPR is pretty simple: People have a right to how data about them is used and businesses that want to use it need a clear business reason that the customer would expect or affirmative (opt-in) consent. They also need to be clear and understandable for their customers in terms of what that data is being used for.

If I sell you a widget and need to know your address to send you said widget and to send you updated safety or product information for said widget, you buying that widget gives me a valid reason to hold on to your name and address, I can't supply you this service without knowing that. If my widget has a use life of 2 years, I'd probably need to get rid of your info after those 2 years or desperately try to resell you another widget.

If I'm required to verify your age, I can collect your date of birth to show regulatory agencies that all my customers are over 18. I have a legal obligation to collect and keep that data.

If I want to send you marketing information about my widgets+1 and other items, that isn't something that you as a customer would expect from just buying the widget. That's using your data in a way that benefits me and so I need your consent saying you're happy with getting info on other products.

If I have a sister company that sells fast food and often people who buy widgets buy fast food, giving them your info is 100% not something you'd expect as part of the widget buying. Likewise if you give me your permission to use your info for marketing because you just fucking love widgets, you probably wouldn't expect me to send all your personal data in a plain text email to a different company selling a different product. This would require a separate opt-in option to get your consent.

That's just the usage/consent side of things though. It's also required to inform people what data you hold and what you do with it in plain English/*insert language of choice*. Internally you need a list of what data you collect, how its stored, who has access, etc. as well as how long it should be kept for. As others have mentioned you also need a public process in place for people to get copies of their data and to request data be amended/deleted. You don't necessarily have to do this (in particular any legal or regulatory requirements supersede an individual's right to their data) but you need to give people a way to ask. That of course means actually having an audit of what data you keep on people and why you keep it (to distinguish between contractual ones, legal requirements and the more marketing oriented ones).

Back to the lawsuits, the ICO in the UK and other EU agencies have been quite clear that they don't really expect companies to be fully compliant. What they do expect is companies to be actually working towards compliance. These lawsuits are likely picking up things FB or Google have missed and will probably result in them getting audited and having to show that this is something that they had plans to fix/implement or it's an oversight that they do actually rectify.  Where it gets a bit complex is things like whether you are a processor of sensitive data. In some cases this is obvious, hospitals, etc. have sensitive data. But it also includes biometric data, so is facebook a processor/controller of sensitive data?

I'm not surprised that charities are the most compliant, they're probably the organisations most used to dealing with sensitive data and generally staffed by people who take their legal obligations pretty seriously.

I'm a Cloud Architect for a Microsoft Gold Partner in the UK.  It's truly exciting.  Somedays I can barely help myself from contemplating the sweet release of death.

So are you technically stll even a European?  :awesome_for_real:

Shittalking aside, where does Britain fall in all this with Brexit?

Not that this will help Americans.  The government is one of the worst offenders. Some f*ing state Driver's License Offices (and I think the U.S. Post Office?) happily sell address info to any and every one who is willing to pay a few pennies per for it. As do some grocery/department store loyalty programs, etc. Sheeple gotta remember, if you aren't paying for it or are getting something for nothing, then guaranteed *you* (usually your attention/eyeballs) are the product.

I do wonder where the line is between a phone book and unreasonable use and distribution of your personal information though. It's there somewhere, but how do you define it?

Serious talk? The UK has been presented the options of:

1) Falling exactly in line with EU data laws with no say in how they are formulated or what gets included or
2) Losing all automatic data sharing and UK companies and organisations having to go through a full separate accreditation/inspections process from a European institution.

I mean it's not exactly surprising, we're no longer members of the EU and the suggestion that we should just get to keep a voice in the councils formulating these laws because it would be beneficial to the UK and it was continuing the status quo was pure 'doesn't ask doesn't get so might as well try' from the civil servants at the ICO and reality denying idiocy from the politicians who are now outraged about it. So the UK is almost certainly going to be beholden to actual foreign laws crafted by European bureaucrats without the interests of the UK considered instead of before where they just said they were.

Oddly, I'm a full Italian Citizen now also.  So everything is really, really odd for me.  I also can't wait to get the fuck out of here to Australia or Canada or Barsoom Mars.

In terms of Brexit, we have to obey unless we don't want to, in which case we set ourselves on fire.  Again.  NowhereMan kinda covered it.

I know it when I see it.

The GDPR is fairly clear: If you give up your information to someone as part of purchasing a product or service, is that use of the information something you'd reasonably expect to be part of delivering that service/product? Has that usage been made clear to you? Can you easily find out? If it's not required for delivery of the product or service, have you been informed and given consent?

Signing up for the phone company and having your number listed publicly, pre-internet, made sense as part of your phone service since otherwise people generally weren't able to contact you. People were certainly aware that their number would be published. If you're handing over information to get a driver's licence you expect that information to be shared with other governmental bodies for purposes of checking ID or issuing fines, etc. Giving your data to a washing machine manufacturer to sell you shit is not necessary for you to drive or use your licence as ID. That's a pretty fucking clear difference.

LOL at this industry propaganda cartoon:


(https://pbs.twimg.com/media/DgGPrHrV4AASUVs.jpg)


"Marketoonist is the thought bubble of Tom Fishburne, a veteran marketer and cartoonist."

Yeah, that's one of those 'Said No-One Ever' type deals.

As a marketing person, I'm absolutely convinced that very very few shoppers really give a shit about a personalized shopping experience that requires giving up as much data as the marketing people want.

You should be because nobody gives a shit online about a personalized shopping experience. That's why we have the ability to search products we want instead of having a bunch of shit we don't want crowd our search engines.

What they mean by "personalized shopping experience" is actually "we will fill your screen with every add-on purchase we can think of, plus definitely some you don't give a flying fuck about" and "Oh yes, we will also pester you endlessly in emails about products we want to sell you that tangentially someone else with your profile bought five years ago."

"Also, we remember that one time you looked up a funny review on Amazon and now *niche product* is all we're ever going to show you."

I bet we're at the point where people are willing to pay for a non-personalized shopping experience.

Algorithms will never replace hand-curated experiences - and by never I mean within our lifetime.

One day it won't matter because we'll either all be dead, as a species, or it'll be a socialist utopia.

Humans have been the same for many thousands of years and will continue to be so, despite the trappings we dress ourselves in.

Very, very occasionally Amazon's personalised shopping experience is a positive. Usually it's a nice shortcut suggesting some product I need to buy semi-regularly through it that is front and centre.

Most of the time though it's alternate choices for shit I've already bought and no longer have a need for. Or crappy accessories for things I've bought. The 'frequently bought together' type suggestions are good and Amazon's automated comparison feature is good. The targeted marketing stuff has never been something I've really liked or that has (directly) caused me to make a purchase.

Ditto. The "Also Bought" or the "Bought after viewing this" are good for finding accessories or cheaper equivalents, but the front page recommendations are uniformly useless.

--Dave

literally never look at what's on the frontpage

I wouldn't through the web page, but I mostly use the tablet version of the app (I have the security for the web version set so tight it's a PITA to actually use), so it's constantly reverting to the front page stuff. Which is generally a mix of things I looked at and didn't buy, or different versions of the things I just ordered.

--Dave

Uff we just digitally dogged a bullet (or dodged a digital bullet?).

The proposed re-vamp of the EU copyright legislation was just defeated in the EU parliament. The basic goal seems sensible - modernize and harmonize - but two parts of it, Article 11 and Article 13, drew a lot of ire.

(https://i.imgur.com/Qgj4sbS.jpg)


The finer details of copyright are really something I am not well versed in, so maybe a resident expert can chime in? *puppy eyes*

So with the disclaimer to the best of my understanding, the contentions issues are:

Article 11 ("link tax")

Member States shall provide publishers of press publications established in a Member State
with the rights provided for in Article 2 and Article 3(2) of Directive 2001/29/EC for the
online use of their press publications by information society service providers.

This would include short summaries or teasers of an article, as for example in the search results. My interpretation is that is an attempt of "classic media" to be able to cash in services like Google News. At least this was the drift when Germany introduced a similar law some years ago. Edit: Also confirmiing that is who is on which side on the battle here. Google: AGAINST. Major local content providers: FOR.

Article 13 "Outlaw memes"

Member States shall provide that an online content sharing service provider performs an act
of communication to the public or an act of making available to the public when it gives the
public access to copyright protected works or other protected subject matter uploaded by its
users.
An online content sharing service provider shall obtain an authorisation from the rightholders
referred to in Article 3(1) and (2) of Directive 2001/29/EC in order to communicate or make
available to the public works or other subject matter.

So instead of having to take uploaded content down when the author/copyright-holder complains this now requires to hoster to check on the point of upload. Since that would be far too much to do manually this would result into automated "upload filters".The fear here is that they would (likely) be overly broad and block copyrighted material in cases their uses is allowed - for example a private person using it in a non-profit way. >> Memes

My impression is that the public debate over this was overy hyperbolic, which makes it hard to form an opinion, but basic criticism is well founded. So good that this didn't go through.

Secondly it's interesting the "EU Council" (air quotes because there is the European Council and the Council of the European Union and they work in the same building but are not quite the same and it's complicated...Edit: See 2 posts down)) which represents the member states voted and approved this exact text as their so called "negotiation position". (A bit like you have a Senate and House version of a bill and then they need to agree...?...I think?) Anyways, this confirms a trend I noticed, in which the parliamentarians are more in tune with interests of the common citizen than to their national governments, despite belonging to the same party.

I think the reason for this is, that for example here with copyright, the lobbying power of big cooperate publishers like the German Springer are much bigger in Berlin than they are in Brussels. Second is that the grip of parties over their parliamentarians to exert"party discipline" in voting is stronger on their national MPs than those sitting in Brussels. This might be a happy situation that doesn't last, but for the moment I take it gladly.

Edit: This doesn't mean the Directive, which consists of 24 articles not just the hot button 11 & 13, is totally dead of course. But it's going back to legal drawing board.

Also for the lulz, I love the spin the British Express puts on this. They are that tabloid that HATES the EU and LOVES capitalisation:


(https://i.imgur.com/FoXbkQJ.png)
(https://i.imgur.com/Puzpz1w.png)

To clear up that European Council vs Council of the European Union (and all their presidents) once and for all and so I have something to link to later:

Both have in common that they represent the members states ie. national governments. That being said:

European Council

Meeting of the head of governments. May + Macron + Merkel + 25 others.

Normally meets every 6 months in Brussels to decide the "big agenda" issue and sort of set up a task list for the Commision (which handles the day-to-day stuff).

Also meets extraordinary on a) special events or b) when the Council of the European Union (=ministers) feels an issue is above their pay-grade and passes the buck to their bosses.

Examples of Extraordinary: 2014-Sanctions on Russia, 2015-Refugee crisis, 2017-Brexit. The Greece-debt meetings would also fall in that category, but those were Euro-meetings. Meaning only with those governments that use Euro.

Decisions are generally made in consensus. To the degree that aren't most of the time actually any formal votes held because talking happens until everyone is "sort of" happy. Making that happen is the job of the President of the Council (currently: Donald Tusk, previously head-of-government of Poland, "our Donald") which usually sits down with member states before the actual meetings, stakes out out positions and so. Most drastic example of this was the Greece-Debt-Euro meeting, which went all night and was dead-locked, until Tusk announced a break, then took Merkel and Tsipras aside for a 6-eye meeting and (if press lore is to believed) said "we don't leave here until we have agreement")

 (Anecdote: Because he is not from their party the current polish PiS-ers hate him so much they tried to block his second term because they rather have a non-pole president then a party-opponent. :oh_i_see: Got overvoted 27 to 1 though.  :grin:)


Council of the European Union

First thing: It's not 1 council, but 10 of them.  :uhrr: :grin: :ye_gods:

It (they?) consist of the national ministers for a specific agenda. Example: "Economic and Financial Affairs Council" has all the national finance ministers in it. "Justice and Home Affairs Council" has all the national Justice ministers. Each council "version" meets every three months. (So in total lot of meetings).

Except: The 3 really important ones meet every month: General Affairs Council, Economic and Financial Affairs Council and, most important, Agriculture and Fisheries Council. (Farmers stronk!)

The Council of the European Union also has it own (of course!)  president. Except it's not a president, but presidency, because it's held not by person but by government. Which government that is rotates every 6 months. Since last Sunday this the Glorious Federal Republic of Austria.

The Council of the European Union meets in Brussels. Except (you didn't think it was that easy, no?) in April, June and October, when it meets in Luxembourg.

Question: So when I said in the previous post "The Council" agreed on the Copyright Reform text, which of the two was it?

I'm not certain whether following European politics requires me to drink a lot more, or a lot less....

We just received a single sheet of paper via FedEx from IBM which outlines their GDPR compliance.  :why_so_serious:

Lucky you!  I had to take a class. :oh_i_see:

Wallstreet Journal:

(https://i.imgur.com/8evJ6ed.png)



Good idea, bad idea? Discuss!




Just kidding.... Fucking Facebook.  :ye_gods:

Nice, just avoiding FB is no longer an option.

How is that shit legal ?

In the US, even if it was illegal (and very little that corporations do now is considered illegal) the consequences are minimal.

The risks are all very low and the (monetary) rewards ar sky high.

Peak capitalism baby, woo!

(Yes I know the question was rhetorical)

Well, I mean, as long as they put it in the terms of service you agree to......   :why_so_serious:

Regulators are explicitly encouraging it. Especially in Europe.

'Open Banking'

The idea is that regulators think you want your bank account to be more 'innovative' and that the reason it isn't more 'innovative' is that fuddy duddy banks won't build interoperative systems for sexy new tech companies.


What Facebook is asking for is banks to build an api that enables users to link bank and Facebook accounts and then authorise the bank to send the data. Facebook want to be able to let you send money directly to friends and scammers, and to manage your account directly in their webpage/app - as well as steal etsy and ebay's respective lunch. And of course all the while using data to 'personalise' your advertising 'service'.

Especially PSD2 is a nightmare for the Banks in Europe.
All campaigns about not giving away your "nick and password" are going to shit, cause companies (TPP) will now log to your account and do the transaction in Your name. Looks secure.