On May 23, 2018, at 7:18 PM, K. Scott Helms <kscott.helms@gmail.com> wrote:
Anything that can tie back to an individual data subject is PII, that means email addresses, names in combination with addresses or phone numbers, fingerprints, or even insufficiently abstracted internal ID numbers/codes.
Don't forget IP addresses, as part of the wonderfully vague "online identifiers".
Notice I didn't say EU citizen there, that's because the law and regulations (GDPR consists of both) intentionally cover any natural person in any of the 28 EU nations including the citizens of non-EU nations. I don't go as far as I think Anne was suggesting, in that someone in EU airspace who sent an email or made a purchase is now suddenly an EU data subject.
You may accuse me of being a lawyer here (and rightly so :-) ), but "in", as in "in the Union" (which is the actual language) is very much open to interpretation. In a judicial system where lawsuits have turned on - I kid you not - the interpretation of what a comma meant, I can almost guarantee you that "in the Union" is going to get interpreted through lawsuits, and it is absolutely not outside the realm of possibility that a U.S. citizen visiting in the EU will bring a lawsuit based on something happening with their PII while they were "in the Union".
Any company that is covered by the GDPR must be extremely careful that any company they do business with is also compliant if that company will have access or act as a data processor. That means that if you are a US company that has US only customers, but some of your customers have employees that are US citizens but who live in an EU nation then they are bound to only use providers that are GDPR compliant. Now, this will result in contractual disputes and/or loss of business rather than having EU regulators fine your company directly. The end result is that many many many companies that don't sell or market to the EU are finding themselves needing to comply in the same way that companies that sell services to medical companies often have to follow HIPAA (and be audited) even though they provide medical services themselves.
Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the _controller_ can also be held liable, and the financial penalties in GDPR are very stiff.

Anne

Anne P. Mitchell, Attorney at Law
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
GDPR Compliance Consultant
GDPR Compliance Certification
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose

Available for consultations by special arrangement.
amitchell@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell | LinkedIn/in/annemitchell
Anne,

While I was re-reading some of the emails last night I realized that I mischaracterized your description here:

> You may accuse me of being a lawyer here (and rightly so :-) ), but "in", as in "in the Union" (which is the actual language) is very much open to interpretation. In a judicial system where lawsuits have turned on - I kid you not - the interpretation of what a comma meant, I can almost guarantee you that "in the Union" is going to get interpreted through lawsuits, and it is absolutely not outside the realm of possibility that a U.S. citizen visiting in the EU will bring a lawsuit based on something happening with their PII while they were "in the Union".

I didn't make it clear that you were suggesting that some would make this claim rather than you making that claim. Mea culpa :)

Our counselors made it clear (as did the regulators I was able to ask) that short term visits weren't intended to be covered *in their opinion.* There are and will be many questions that won't be fully answered until adjudicated or more precise language is used to make the meaning clear. Juhan Lepassaar (Head of VP Ansip Cabinet, European Commission) was one of the speakers and we were able to ask questions of him. It looks like the video of one of the presentations I was at is now publicly available and I encourage those with questions to watch it. https://www.rsaconference.com/speakers/juhan-lepassaar

> Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the _controller_ can also be held liable, and the financial penalties in GDPR are very stiff.

Yep, this is better (clearer) wording than what I used and is absolutely correct.

On Thu, May 24, 2018 at 10:21 AM Anne P. Mitchell Esq. <amitchell@isipp.com> wrote:
On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:
Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the _controller_ can also be held liable, and the financial penalties in GDPR are very stiff.
Good luck getting multiple millions worth of fines out of small businesses that never even touch a million a year in revenue, let alone the added expenses of trying to do all the crap GDPR thinks everyone can suddenly afford out of nowhere.

~Seth
Seth Mattinen wrote on 26/05/2018 08:41:
Good luck getting multiple millions worth of fines out of small businesses that never even touch a million a year in revenue, let alone the added expenses of trying to do all the crap GDPR thinks everyone can suddenly afford out of nowhere.
You can put the straw man away - Europe isn't the US. No Data Protection Authority in Europe is going to sue a mom & pop business in the US for millions because they haven't clarified their cookies policy. The upper limits of the fines are aimed at the robber barons of the world. The DPAs in Europe are for the most part lawsuit-averse and engage with companies to build alignment rather than taking the punitive approach and liberally dishing out lawsuits and fines. The emphasis on GDPR compliance is aiming at reasonable steps rather than pretending that every organisation is going to end up redesigning their entire existence around GDPR on May 25.

Nick
I don't think, in general, the DPAs need to use lawsuits.

If they discover (on their own, or by means of a customer claim) that a company (never mind if it is from the EU or outside) is not following the GDPR, they will just fine it, and the corresponding government authorities are responsible for cashing the fine, even with "bank account embargos". If the company is outside the EU, but there are agreements with that country, they can proceed via the third country authorities. Same as when you don't pay a traffic fine in the EU and you are from a non-EU country (some allow the embargo, others not).

This has been happening in most of the EU countries for a while. In recent months, the Spanish DPA has ordered fines of 600.000 euros (with the previous law, LOPD) to companies such as Facebook, Google, Whatsapp, and many others ...

Regards,
Jordi

-----Original message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Nick Hilliard <nick@foobar.org>
Date: Saturday, 26 May 2018, 11:29
To: Seth Mattinen <sethm@rollernet.us>
CC: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:
I don't think, in general, the DPAs need to use lawsuits.
If they discover (on their own, or by means of a customer claim) that a company (never mind if it is from the EU or outside) is not following the GDPR, they will just fine it, and the corresponding government authorities are responsible for cashing the fine, even with "bank account embargos". If the company is outside the EU, but there are agreements with that country, they can proceed via the third country authorities.
If someone were to show up and issue me a 10 or 20 million euro fine (more in USD), I'd just laugh since I'll never see that much money at one time in my whole life.

I'm not convinced they will limit reach to the Facebooks and Googles of the world until a lower limit is codified. I suspect that won't happen until enough small guys are fined 10-20 million euros who could never hope to repay it in a lifetime.

~Seth
I don't recall right now the exact details about how they calculate the fine which is appropriate for each case, but the 4% of turnover or 20 million Euros is just the maximum amount (per case). I'm sure there is something already documented about that, or maybe each country's DPA is the one responsible for defining the exact fine for each case.

For example, up to now (with the previous law, LOPD for Spain), the maximum fine was 600.000 euros, and the "starting" fine was 1.500 euros. So, depending on the number of people affected, the degree of infringement, and whether it is the first time or the company has been warned or fined before, you can get a fine in the "middle" of those figures.

I'm sure it will be the same way for the GDPR.

Regards,
Jordi

-----Original message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Seth Mattinen <sethm@rollernet.us>
Date: Saturday, 26 May 2018, 16:00
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news
I’m not sure that’s true. I think that the notice is sufficient to indicate that I have no intention to have EU persons visiting my web site and thus should not be subject to their extraterritorial overreach. Obviously time will tell what happens.

Owen
On May 26, 2018, at 09:29 , JORDI PALET MARTINEZ via NANOG <nanog@nanog.org> wrote:
On 5/26/2018 12:29 PM, JORDI PALET MARTINEZ via NANOG wrote:
I don't recall right now the exact details about how they calculate the fine
The *MINIMUM* fine is 10M euros.

SEE: https://www.gdpreu.org/compliance/fines-and-penalties/

This is true no matter how small the business, and (potentially) even if there was just one minor incident. And the law is so vague and expansive - and with such massive minimum fines - that I wonder if this might be exploited to target political rivals/enemies? Or those who donate to such? It certainly could easily be weaponized! And before it even gets nearly to that point, it could also turn into the equivalent of the tiny city of Waldo, Florida (USA) (population 1K)... who turned their police force into a speeding-ticket revenue factory for some time before the State of FL shut them down. Certainly, the Euro bureaucrats are incentivized.

--
Rob McEwen
https://www.invaluement.com
On 26 May 2018, at 19:37, Rob McEwen <rob@invaluement.com> wrote:
The *MINIMUM* fine is 10M euros.
SEE: https://www.gdpreu.org/compliance/fines-and-penalties/

The two levels depend on the nature of the infringement, but it says clearly “up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the “less serious” infringements. So no, there is no minimum fine actually.
On 5/26/18 8:15 PM, Michel 'ic' Luczak wrote:
The two levels depend on the nature of the infringement, but it says clearly “up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the “less serious” infringements. So no, there is no minimum fine actually.
To me that says the fine is 10M if your 2% is lower than 10M. Or it wasn't originally written in English and the translation is flawed.
On 26 May 2018, at 20:28, Seth Mattinen <sethm@rollernet.us> wrote:
On 5/26/18 8:15 PM, Michel 'ic' Luczak wrote:
The two levels depend on the nature of the infringement, but it says clearly “up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the “less serious” infringements. So no, there is no minimum fine actually.
To me that says the fine is 10M if your 2% is lower than 10M. Or it wasn't originally written in English and the translation is flawed.
Original text from EU Commission: "Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"

-> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).

It’s a cap, not a minimum.
On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:
Original text from EU Commission: "Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"
-> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
It’s a cap, not a minimum.
Thanks for the clarification. But whether that fine will be less than 10M is extremely vague and (I guess?) left up to the opinions or whims of a Euro bureaucrat or judge panel, or something like that... based on very vague and subjective criteria. I've searched and nobody can seem to find any more specifics or assurances. Therefore, there is NOTHING that a very small business with a very small data breach or mistake could point to... to give them confidence that their fine will be any less than 10M Euros, other than that "up to" wording - that is in the same sentence where it also clarifies "whichever is larger".

All these people in this discussion who are expressing opinions that penalties in such situations won't be nearly so bad - are expressing what may very well be "wishful thinking" that isn't rooted in reality.

--
Rob McEwen
https://www.invaluement.com
Talking from experience, because of the previous laws in Spain, LOPD and LSSI (which basically were the same across the different EU countries). They had "maximum" fines (it was 600.000 Euros). They start for small law infringements with 600 euros, 1.500 euros, unless it is something very severe, then it comes to something like 30.000 euros, etc. If you keep repeating the law infringement, then the 2nd time it may become 150.000 Euros. If it is a massive infringement (for example massive spam), then it comes to 300.000 or even 600.000 euros.

Here there is an explanation for the LOPD fines; it is in Spanish, but a translator should work: http://www.cuidatusdatos.com/infracciones/

My guess is that the GDPR maximum fines are there just as maximums, and there will be agreements among the EU DPAs to better define how much the fine is, in a similar way to what they are doing now.

Regards,
Jordi

-----Original message-----
From: NANOG <nanog-bounces+jordi.palet=consulintel.es@nanog.org> on behalf of Rob McEwen <rob@invaluement.com>
Date: Saturday, 26 May 2018, 21:06
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news
On 5/26/2018 3:36 PM, JORDI PALET MARTINEZ via NANOG wrote:
Talking from the experience because the previous laws in Spain, LOPD and LSSI
Jordi,

LOPD/LSSI does not = GDPR

But even if there was a probability that GDPR would operate like they do: (1) it is alarming that the fines mentioned on GDPR are 10-20X higher than even LOPD/LSSI's higher fines -AND- regarding LOPD/LSSI's relatively low minimum fine of 600 EUROs that you mentioned - it was explicitly mentioned on the page you referenced - HOWEVER there is NOT any similar official (relatively) low-cost fines mentioned for GDPR anywhere.... there is only that NOT-reassuring "up to" phrase.

For someone hit with a GDPR fine, I don't think telling them, "JORDI PALET MARTINEZ claimed that the fine will be more reasonable for a smaller business that had a less egregious offense" - is going to necessarily make it so. Believe me, I WANT you to be my GDPR fairy. I really really do. But I have to operate my business more realistically.

--
Rob McEwen
https://www.invaluement.com
I know that LOPD and LSSI are not the same as GDPR. However, each country in the EU needs to modify its own LOPD in order to adapt it to the GDPR.

*I've done some further reading and according to the 1st and 2nd paragraphs of GDPR Art. 83 each DPA will establish the fines, which should respect what is said in 4, 5 and 6 (including the maximum fines, so clearly 10 and 20 MEuros or 2% and 4% of the previous year turnover).

So after that, I found what is going on, and in the case of Spain, the Council of Ministers approved the law 24th Nov. 2017 (http://www.congreso.es/docu/docum/ddocum/dosieres/sleg/legislatura_12/spl_13...) and it was expected to be sanctioned by the Parliament last week, after some discussion and some changes. However it seems to be delayed as the parliament asked for some amendments.

In this document, again, it is indicated that the DPA will follow what is being said in GDPR (see * above) and it doesn't mention the amount of each fine, because "Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive." See also the text in p. 2 of the GDPR. This facilitates the DPAs taking into consideration *each* individual case, or even changing the fines in the future.

However, the Spanish law talks about some specific fine amounts in article 78, referring to the prescription of the infringements depending on the fine amount. For example, for fines up to 40.000 Euros, 300.000 euros and over 300.000 euros.

What does that mean? Each DPA has to modify the "actual" LOPD and associated tables of fines, and the GDPR only establishes the maximum amounts. Other countries have already done that:
Italy: LEGGE 20 novembre 2017, n. 167
Germany: Bundesdatenschutzgesetz
France: looks like a similar situation as Spain

So, for the countries that have not yet finalized the approval of the "new LOPD", the fines are still the same as the ones defined in the "actual LOPD".

So, I think I was right in my assertion, and the minimum fines in Spain will be for sure lower than 40.000 euros, and my guess is that they will start as today with 600 or so ... at the end it will depend on the "individual decision" (based on a categorization table, which the Spanish DPA for sure has already prepared, but will not make public until the new LOPD is approved by the parliament).

Of course I'm not saying that you should ignore the GDPR because the fines are low. I think everybody really needs to adapt their data protection procedures to it.

Regards,
Jordi

PS: An informal document that I've found says that the new fines are in the ranges of 900-40.000, 40.001-300.000 and 300.000-600.000.

-----Original message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Rob McEwen <rob@invaluement.com>
Date: Sunday, 27 May 2018, 0:16
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news
On 26 May 2018, at 21:04, Rob McEwen <rob@invaluement.com> wrote:
Thanks for the clarification. But whether that fine will be less than 10M is extremely vague and (I guess?) left up to the opinions or whims of a Euro bureaucrat or judge panel, or something like that... based on very vague and subjective criteria. I've searched and nobody can seem to find any more specifics or assurances. Therefore, there is NOTHING that a very small business with a very small data breach or mistake could point to... to give them confidence that their fine will be any less than 10M Euros, other than that "up to" wording - that is in the same sentence where it also clarifies "whichever is larger".
All these people in this discussion who are expressing opinions that penalties in such situations won't be nearly so bad - are expressing what may very well be "wishful thinking" that isn't rooted in reality.
Still, on ec.europa.eu they seem to try to reassure SMEs that the penalties will be “proportionate” both to the nature of the infringement and to the size of the company. It also seems to largely be related to whether you infringed the regulation in good faith or not. At least in France where I live the climate is pro-SMEs so I guess small mistakes will be forgiven. The head of our DPA also gave an interview recently saying that there will be no sanctions in the coming months and that they’re available to answer questions when in doubt about what to do.

Lastly, our law firm told us that basically we have to wait until the first settlements to see what will be done…

Regards,
Michel
Hi,
Thanks for the clarification. But whether that fine will be less than 10M is extremely vague and (I guess?) left up to the opinions or whims of a Euro bureaucrat or judge panel, or something like that... based on very vague and subjective criteria. I've searched and nobody can seem to find any more specifics or assurances. Therefore, there is NOTHING that a very small business with a very small data breach or mistake could point to... to give them confidence that their fine will be any less than 10M Euros, other than that "up to" wording - that is in the same sentence where it also clarifies "whichever is larger".
All these people in this discussion who are expressing opinions that penalties in such situations won't be nearly so bad - are expressing what may very well be "wishful thinking" that isn't rooted in reality.
Still, on ec.europa.eu they seem to try to reassure SMEs that the penalties will be “proportionate” both to the nature of the infringement and to the size of the company. It also seems to largely be related to whether you infringed the regulation in good faith or not. At least in France where I live the climate is pro-SMEs so I guess small mistakes will be forgiven. The head of our DPA also gave an interview recently saying that there will be no sanctions in the coming months and that they’re available to answer questions when in doubt about what to do.
That is also what I see in the Netherlands.
Lastly, our law firm told us that basically we have to wait until the first settlements to see what will be done…
True. Considering that GDPR is an EU regulation and that in general European culture is a lot less litigious than in the US, I don't expect massive fines unless the infractions are malignant + persistent + performed by a large corporation. Smaller companies (or people) that make mistakes will not get fines that would bankrupt them. That's just not the way the justice system works on this side of the pond :)

Cheers,
Sander
On May 27, 2018, at 3:19 AM, Michel 'ic' Luczak <lists@benappy.com> wrote:
Still, on ec.europa.eu they seem to try to reassure SMEs that the penalties will be “proportionate” both to the nature of the infringement and to the size of the company. It also seems to largely be related to whether you infringed the regulation in good faith or not. At least in France where I live the climate is pro-SMEs so I guess small mistakes will be forgiven. The head of our DPA also gave an interview recently saying that there will be no sanctions in the coming months and that they’re available to answer questions when in doubt about what to do.
Here's the thing...unless the EU is vastly different from the US in terms of legislative construction, what any third-party says - even those involved in developing the law - is almost (not completely, but almost) immaterial to how the law will be applied. The law *is the law*, and nothing anybody says about it will have much impact on how it will be construed by a court of law. Which is why:
Lastly, our law firm told us that basically we have to wait until the first settlements to see what will be done…
...exactly. The law will have to be construed and refined by lawsuits (unless a newer law clarifies or supersedes it). And this is why we take a strict, conservative view of what one has to do to get into compliance. Because our job is to keep the entities with whom we consult on GDPR from becoming those test cases.

Anne

Anne P. Mitchell, Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop
On Sat, 26 May 2018, Seth Mattinen wrote:
On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:
> Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the _controller_ can also be held liable, and the financial penalties in GDPR are very stiff.
Good luck getting multiple millions worth of fines out of small businesses that never even touch a million a year in revenue, let alone the added expenses of trying to do all the crap GDPR thinks everyone can suddenly afford out of nowhere.
I imagine small businesses who do a small percentage of revenue to EU citizens will simply decide to do zero percentage of revenue to EU citizens. The risk is simply too great.

-Dan
On Sat, May 26, 2018 at 4:57 PM Dan Hollis <goemon@sasami.anime.net> wrote:
I imagine small businesses who do a small percentage of revenue to EU citizens will simply decide to do zero percentage of revenue to EU citizens. The risk is simply too great.
That would be a shame. I would expect the level of effort to be roughly commensurate with A) the size of the org, and B) the risk inherent in what data is being collected, processed, stored, etc. I would also expect compliance to at least partially derive from vendor/cloud/outsource/whatever partners, many of whom should be scaled/scaling up to minimally comply.

I would also not be surprised if laws of similar scope start to emerge in other countries. If so, taking your ball and going home won't be sustainable. If small, vulnerable orgs panic and can't realistically engage the risk, they may be selecting themselves out of the market - an "I encourage my competitors to do this" variant.

Naively ... to counter potential panic, it would be awesome to crowdsource some kind of CC-licensed GDPR toolkit for small orgs. Something like a boilerplate privacy policy (perhaps generated by answers to questions), plus some simplified checklists, could go a long way - towards both compliance and actual security benefit.

In a larger sense ... can any org - regardless of size - afford to not know their data, understand (at least at a high level) how it could be abused, know who is accessing it, manage it so that it can be verifiably purged, and enable their customers to self-manage their portion of it??

I'm personally a big fan of undue diligence and all, but we need to advocate for some ... realistic scaling of response.

Royce
On Sat, 26 May 2018, Royce Williams wrote:
Naively ... to counter potential panic, it would be awesome to crowdsource some kind of CC-licensed GDPR toolkit for small orgs. Something like a boilerplate privacy policy (perhaps generated by answers to questions), plus some simplified checklists, could go a long way - towards both compliance and actual security benefit.
who is willing to accept the risk of being involved in creation of such a thing? would you?

if someone uses it and ends up being hit by eu regulators, you can bet the toolkit creators will be sued.

who would be willing to use a crowdsourced legal toolkit given the risks of a violation? would you?

-Dan
You mean something like this? https://certikit.com/products/gdpr-toolkit/ While not CC licensed it might get you where you need to go.

On Sat, May 26, 2018, 7:06 PM Dan Hollis <goemon@sasami.anime.net> wrote:
On Sat, 26 May 2018, Royce Williams wrote:
Naively ... to counter potential panic, it would be awesome to crowdsource some kind of CC-licensed GDPR toolkit for small orgs. Something like a boilerplate privacy policy (perhaps generated by answers to questions), plus some simplified checklists, could go a long way - towards both compliance and actual security benefit.
who is willing to accept the risk of being involved in creation of such a thing? would you?
if someone uses it and ends up being hit by eu regulators, you can bet the toolkit creators will be sued.
who would be willing to use a crowdsourced legal toolkit given the risks of a violation? would you?
-Dan
On May 26, 2018, at 18:42 , Royce Williams <royce@techsolvency.com> wrote:
On Sat, May 26, 2018 at 4:57 PM Dan Hollis <goemon@sasami.anime.net> wrote:
I imagine small businesses who do a small percentage of revenue to EU citizens will simply decide to do zero percentage of revenue to EU citizens. The risk is simply too great.
That would be a shame. I would expect the level of effort to be roughly commensurate with A) the size of the org, and B) the risk inherent in what data is being collected, processed, stored, etc. I would also expect compliance to at least partially derive from vendor/cloud/outsource/whatever partners, many of whom should be scaled/scaling up to minimally comply.
Here’s the problem… The way GDPR is written, if you want to collect (and store) so much as the IP address of the potential customer who visited your website, you need their informed consent and you can’t require that they consent as a condition of providing service. Basically, the regulation is so poorly written that it is utterly nonsensical and I wonder how businesses in Europe intend to function when they can’t make collecting someone’s address a condition of allowing them to order something online.
I would also not be surprised if laws of similar scope start to emerge in other countries. If so, taking your ball and going home won't be sustainable. If small, vulnerable orgs panic and can't realistically engage the risk, they may be selecting themselves out of the market - an "I encourage my competitors to do this" variant.
Let’s hope that if enough businesses take their ball and go home, the EU and other regulators will wake up and smell the hydrogen-sulfide and write better laws. I’m not opposed to privacy protection, but GDPR contains way too much overreach and way too little logic or common sense.
Naively ... to counter potential panic, it would be awesome to crowdsource some kind of CC-licensed GDPR toolkit for small orgs. Something like a boilerplate privacy policy (perhaps generated by answers to questions), plus some simplified checklists, could go a long way - towards both compliance and actual security benefit.
The first word does a pretty good job of describing the rest of that paragraph as mentioned by others.
In a larger sense ... can any org - regardless of size - afford to not know their data, understand (at least at a high level) how it could be abused, know who is accessing it, manage it so that it can be verifiably purged, and enable their customers to self-manage their portion of it??
Yes. But even if an org does all of that, there are still significant problems with GDPR. Owen
* owen@delong.com (Owen DeLong) [Sun 27 May 2018, 21:42 CEST]:
The way GDPR is written, if you want to collect (and store) so much as the IP address of the potential customer who visited your website, you need their informed consent and you can’t require that they consent as a condition of providing service.
You have this the wrong way around. You'll need permission to store their IP address in logs that you keep and to inform third parties about their visits to your site. And that is because that information belongs to the visitor, not to you.
Basically, the regulation is so poorly written that it is utterly nonsensical and I wonder how businesses in Europe intend to function when they can’t make collecting someone’s address a condition of allowing them to order something online.
Basically, this example is so bad that it's not even wrong. -- Niels.
On 05/27/2018 12:54 PM, niels=nanog@bakker.net wrote:
You have this the wrong way around. You'll need permission to store their IP address in logs that you keep and to inform third parties about their visits to your site. And that is because that information belongs to the visitor, not to you.
This is going to run afoul of some data retention laws currently on the books in some places. You *have* to keep logs, WITH IP addresses...
* list@satchell.net (Stephen Satchell) [Sun 27 May 2018, 23:17 CEST]:
On 05/27/2018 12:54 PM, niels=nanog@bakker.net wrote:
You have this the wrong way around. You'll need permission to store their IP address in logs that you keep and to inform third parties about their visits to your site. And that is because that information belongs to the visitor, not to you.
This is going to run afoul of some data retention laws currently on the books in some places. You *have* to keep logs, WITH IP addresses...
Owen doesn't. -- Niels.
On 27 May 2018, at 21:41, Owen DeLong <owen@delong.com> wrote:
The way GDPR is written, if you want to collect (and store) so much as the IP address of the potential customer who visited your website, you need their informed consent and you can’t require that they consent as a condition of providing service.
What we were told is that since security > GDPR, storing IPs in logs is obviously OK since it’s a legal requirement. Storing them in a database for targeting / marketing is not. What is a gray area so far is any use of IDS/IPS… +
Hi,
The way GDPR is written, if you want to collect (and store) so much as the IP address of the potential customer who visited your website, you need their informed consent and you can’t require that they consent as a condition of providing service.
What we were told is that since security > GDPR, storing IPs in logs is obviously OK since it’s a legal requirement.
GDPR article 6.1c (legal obligation) and 6.1f (legitimate interests) would probably both qualify for logging HTTP requests. In this context it's also not likely that the IP address is considered personal data at all. Personal data is defined as data related to "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, [...]". If you have no way to determine who an IP address belongs to then it's not personal data to you. This can actually be a tricky point: the ISP who provides connectivity to a customer obviously knows which IP address they provided, so to that ISP the IP address is definitely personal data. If you ask for someone's name on your website and you log the IP address together with the answers then you suddenly turn that IP address into personal data, even regarding your web server logs.

To be safe, adding something like the following to the privacy notice on the website would be fine for this case: "In order to comply with law enforcement requirements and to be able to detect and investigate abuse of our website we log all requests including the IP addresses of the requester. If our systems detect abuse they may block access to our services from that IP address. This data will be stored for up to 2 weeks and will then automatically be deleted." Add boilerplate text for contact information etc. and that should cover article 13.
Storing them in a database for targeting / marketing is not.
What is a gray area so far is any use of IDS/IPS…
Sounds like legitimate interests to me :) But it really depends on what is done with that information. Just protecting your servers should be fine. The big change with the GDPR is that you have to tell your users that you do this.

Hmmm. It might be a good idea to write some boilerplate privacy policy text for common components like IDP/IDS, load balancers, web server logs, DDOS protection etc.

Cheers,
Sander
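The logging practice that the privacy-notice text in Sander's earlier message commits to (log every request with its source IP so abuse can be detected and blocked, keep the data for up to two weeks, then delete it automatically), as an added example that is not code from the thread or from any participant. It assumes Apache/nginx combined-format access logs, a fixed "current time", constructed sample lines, and a failed-request threshold of 5 per source; the 14-day window is the figure from the quoted notice text, and the threshold is an assumption.

```python
"""Retention and abuse-detection pass over web-server access-log lines.

Added example, not code from the NANOG thread.  It implements the two
commitments in the quoted privacy-notice text: request logs (with source
IPs) are kept only for abuse detection and deleted after a retention window,
and a source that trips an abuse threshold can be blocked.  The log lines,
the fixed "now" and the threshold are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined access-log layout: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

RETENTION = timedelta(days=14)  # "stored for up to 2 weeks" in the quoted notice text

# Constructed sample log: two normal visits, one entry older than the window,
# one malformed line, and a burst of failed logins from a single source.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2018:10:15:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/May/2018:10:15:02 +0000] "GET /style.css HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/May/2018:08:00:00 +0000] "GET / HTTP/1.1" 200 512',
    'not a log line at all',
] + [
    '192.0.2.9 - - [20/May/2018:23:59:%02d +0000] "POST /login HTTP/1.1" 401 0' % i
    for i in range(6)
]
NOW = datetime(2018, 5, 28, tzinfo=timezone.utc)  # assumed "current time" for the sample


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def prune(entries, now, retention=RETENTION):
    """Retention rule: keep only entries no older than `retention` relative to `now`.
    Run periodically (e.g. from a daily job), this is the 'automatically deleted' part."""
    cutoff = now - retention
    return [e for e in entries if e["ts"] >= cutoff]


def detect_abuse(entries, threshold):
    """Sources with at least `threshold` client-error (4xx) responses in the retained window."""
    failures = Counter(e["ip"] for e in entries if 400 <= e["status"] < 500)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def process(lines, now=NOW, retention=RETENTION, threshold=5):
    """One pass: parse, enforce retention, then run detection only over retained data."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    kept = prune(entries, now, retention)
    return {
        "parsed": len(entries),
        "kept": len(kept),
        "deleted": len(entries) - len(kept),
        "block": detect_abuse(kept, threshold),
    }


if __name__ == "__main__":
    print(process(SAMPLE_LOG))
```

The ordering matters for the notice to be truthful: retention is enforced before detection runs, so nothing older than the stated window ever feeds a blocking decision, and the `deleted` count is what a periodic job would actually remove. Storing only what `parse_line` extracts (no form fields, no usernames) is what keeps the logs on the "not personal data to you" side of the distinction Sander draws.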
participants (14)
- Anne P. Mitchell Esq.
- Dan Hollis
- JORDI PALET MARTINEZ
- K. Scott Helms
- Matt Baldwin
- Michel 'ic' Luczak
- Nick Hilliard
- niels=nanog@bakker.net
- Owen DeLong
- Rob McEwen
- Royce Williams
- Sander Steffann
- Seth Mattinen
- Stephen Satchell