
Hey all – Brian from Instapaper here. We worked really hard to try to avoid a service interruption in the EU, but unfortunately we were unable to. We continue to work hard to ensure that the service interruption is as brief as possible.

Let me know if you have any questions...


I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

From what I can tell from various legal advice that I’ve read, as long as you’re working on implementing the changes, and have been following security best practices, nothing really changes on May 25th, and you’ll be able to take your time to become fully compliant, as long as you can demonstrate that’s what’s happening. In other words, good faith and best practice will get you far.

Your current reaction seems like a huge and unnecessary overreaction that is just harming your users, and unlikely to have any material impact to your legal risk.


Instapaper is owned by Pinterest. Pinterest is a large high profile company with millions of European users and would be a potential target of regulators looking to establish precedents of enforcement with a big name.

I highly doubt this decision was made lightly and was probably informed by actual legal professionals with knowledge of the regulators in question and not the 3rd party opinion of some guy on the internet who "feels like it's not that big of a deal."


But he's spot on about contacting the regulators because they already know they won't be in compliance.

Now would be a good time to do just that, and if the actual legal professionals thought it was a good idea to ban EU citizens but keep their data then maybe they should get better lawyers because that certainly won't work.


hmmm...

If I had an instapaper account it would be interesting to submit a GDPR request tomorrow, and see what kind of reply I got. Now I don't, but I'm sure there are plenty of other interested people around.


In all likelihood, the answer from most companies would be "sorry we don't yet have the ability to provide that data, it's on the roadmap, you'll have to wait".


At which point the data subject can report them to the regulator. Hopefully everyone receiving such a response will do so. Companies have had 2 years warning.

For most small business and startups this is no big deal as 1 or 2 reports to the regulator isn't going to trigger anything. For those companies of a certain size, the regulator might take note of 1,000 reports in the first week. I imagine some of those will have the regulator check if they have had a self-report from the company for non-compliance. Maybe then an email to colleagues at other ICOs across Europe.


I keep reading the "two years warning" notion on HN. While that might be technically correct, the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators) and so to this day, its practical implementation will to no small part depend on the iterative conclusions and learning various implementors (eg. companies) made in an arduous process since.

In other words, the first to think they were GDPR compliant might have had to redo a ton of work to adjust to more recent interpretations.

And let's not forget, for large orgs with complex infrastructure, this is a behemoth of an effort. There's been year long projects in the two large tech companies I've had insight to since.

And while I'm at it, let me comment on the frequently expressed notion of "if you've respected your users in the past, you'll be fine!". Just to pick one counter argument: the right to be forgotten. That can only be implemented thoroughly and in the way the users expect it to work (ie. delete everything but what you're legally required to retain) by finding a way to connect all user data so you know what to drop if need be. That is exactly the kind of action that's caused public outrage at big tech to begin with and it's not only potentially a huge effort, it also increases risk of abuse.

This all being said, I still think GDPR is a good idea at least in principle. And believe it or not, while everyone around me is really of compliance work, GDPR seems widely considered a good idea in principle across engineering in big tech.


> the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators)

There we have to disagree. It's not like this is something new and untried.

GDPR is a development from long-standing, and now very well understood, Data Protection. The legislation seems mainly intended to modernise some of the definitions and scope (eg adding biometrics to PII), catch some newer practices, and make very plain and explicit that it doesn't just apply to EU companies.

In 1996 and 97 in the run up to the 1998 Data Protection Directive I recall a couple of common confusions and misunderstandings. Nothing like the ridiculously poor and simply incorrect reporting we have for this.

Any large org should have been fully compliant with DPA for years. They have to add extra mechanisms for explicit opt-in or deletion and get a little less time to retrieve full data and can't charge. That doesn't seem to need a "behemoth of effort", but not to say it's necessarily entirely trivial.

In other words they survived DPA with no apparent effect, yet it's >80% of GDPR with the same definitions. No one should be iteratively fumbling toward an unclear target at all. Even reading the UK ICO's old guide to 1998 Data Protection from a few years ago gets you most of the way there including understanding personal data.


But there are not massive differences between the laws we've had for many years - for a UK example PECR and DPA implement EU regulations and contain many of the same principles around lawful basis, limiting the amount of data that's held and the length of time it's held for, etc.


Anything that doesn't say "We will do just that! It might take up to 30 days" and asks for up to two extensions afterwards is not compliant, so this would be an exceptionally dumb response.


This is ridiculous, it's not like they didn't have notice.


But that's the reality. At least they're working on it and the fact that a lot of companies massively overreact means they at least take data protection seriously now.


You don't ignore a law for 2 years and then just after it comes into force say "at least we're working on it". Honestly I thought the GDPR was a bit of an overreaction when it came out 2 years ago but seeing how little respect companies have for our data over the last few weeks I've been convinced it was necessary.


As an engineer, with as much else is going on on a day to day basis it's not surprising. A lot of the vagueness around the GDPR still hasn't been resolved, nobody wanted to get a head start just to be told "oops, we actually meant this" and have wasted countless engineering/lawyer hours as a result.


You would only take that liberty if you didn't have much respect for the law and its ability to touch you. I suspect companies are a lot more careful with each year's new IRS rules even though they don't yet have case law and are often issued on much shorter notice.


Companies directly lobby the laws that affect the IRS on a year-to-year basis and have a lot more knowledge about it. It is hardly as vague as this was. I very much do respect the laws when I can, but I'm a US citizen, and my projects don't make enough money for me to ultimately care about the GDPR/EU. I just blocked them for .. ever, probably. You're really targeting people here, sorry I disagree?


I am not speaking of you specifically because this is about the behavior of companies and not personal projects.

There are companies, OP being one (a subsidiary of Pinterest) that have presence in the EU and are essentially playing chicken with the regulators. Blocking users but keeping their data is not compliance, nor are dialogs telling users you plan to carry on as normal. Companies do not do this with the IRS because they would be afraid of the consequences.


> You don't ignore a law for 2 years

And that's only GDPR. We've had PECR (in UK) since 2002 and DPA since 1995.


Most other companies haven't made the same decision, what's different about Instapaper?

Do they share reading habits with multiple third parties perhaps?


This is increasingly my suspicion. I'd expect that they could have solved any technical issues around disabling tracking or letting users opt-in/out by now, which leads me to suspect that they have their business model based on being able to share certain data. It's very possible that they've A/B tested GDPR compliant flows/messaging, and found that their metrics/revenue dropped enough that they feel they have to do something more drastic. Although the argument against that is the fact they have literally just disabled access for European users.


GDPR has basically turned the lights on all of the companies doing questionable things with user data. Shutting down or turning off the EU is a huge red flag.


No it’s not. The way big companies are dealing with the GDPR is to ask their lawyers what to do. The lawyers define compliance very expansively since they’re not the ones doing the work and they are the ones who will be blamed if the EU comes after the company. So they say, “every single trace of anything related to user data must be purged.” So the company asks every engineering team to fill out a 200 point checklist about what they are doing with user data.

So, unless you’re saying that “Pinterest’s site reliability team can’t answer question 192 about how user data is deleted from the incident management system logs when an event is traced” is a “huge red flag” then you are exaggerating the issue.


Probably worth reading this.

https://jacquesmattheij.com/gdpr-hysteria

EU agencies would prefer compliance over fines and would work with businesses to help them. As the article suggests, prosecution/fines will come when all other avenues are exhausted not the starting point.


Says some random dude on the Internet that seems to be a tremendous fan of GDPR. I prefer to base my understanding of laws on the text of the law. This one says that no warnings are required and that fines can be up to 20M EUR.


>> Says some random dude on the Internet that seems to be a tremendous fan of GDPR.

Let's be a little self-conscious here, shall we?

Of all the articles on HN that discuss the GDPR that I've read, I've found one that you didn't contribute to and your contributions never show an "understanding of laws based on the text of the law". For instance, you have consistently claimed that there will be 28 (btw, not 27) different interpretations of the law, completely disregarding entire articles devoted to the consistent application of the Regulation- which, as a regulation, does not need to be made into local law and is applicable across the bloc.

You are clearly on a warpath against the GDPR, which is perfectly fine of course; yet at the same time you accuse jacquesm of being a "tremendous fan of the GDPR". If you can express your opinion despite having an agenda, so can he - and he seems to be much better informed of the law than you are.

Edit: Just to clarify, I don't have some axe to grind against you. You're one of the few users whose handle I recognise because your comments in GDPR threads stand out so much in their fervour and because there are so many of them.


I’m not on the warpath, but I will consistently dispute rosy predictions about the “good natured enforcers” (a direct quote from Jacques) of GDPR. No law or regulation this easy to violate, with fines this large, that claims extraterritorial powers, has ever not been abused, and this will be no exception.

With regard to your claim that it will not be subject to unique interpretations in each country within the EU, that simply isn’t true. Each country will have its own enforcement agencies. They’ll enforce it in different ways, and to different degrees. Since this regulation is so vague, it simply isn’t possible that they will all interpret and enforce it in the same way.

You seem to be in Jacques’ corner, claiming that our new self-appointed privacy overlords will be perfectly coordinated and “good natured”. As someone with quite a bit of experience dealing with government agencies, I can tell you that few of those that seek out relatively low-paying government jobs where the primary perk is having power over other people are “good natured”. There will be abuses.

The good news is that D-Day is here, and now we can all stop arguing and watch to see whose predictions come true.


Neither of you are right. The EU is not going to go out guns blazing with $20m fines for small companies. They’re also not going to host a drum circle for companies to harmoniously join the movement towards better user privacy. They’re going to get some big fines out there on big companies (who doesn’t love free money) and also go after smaller companies actively doing bad things with user data. Yes, they could, but in the same way that the person standing at the bus with you could punch you in the face. It might happen, but realistically, it probably won’t, and you’re probably not actively prepping for it.


As Jacques and me as well have said; that simply means panic and it is not needed. You maybe do not live in the EU but the letter of the law is not such a thing here as it might be in the US (and although punishment is harsher and often far harsher than it is here, US also looks at intent). The EU is not going to punish any company that has the intent to offer its users privacy under this law, but made some mistakes or forgot things. They made this especially vague simply because a) we know they are not going to blanket destroy all violators anyway (we have many crazy vague laws for many decades; no one cares) b) if someone is clearly violating (and I am looking at you, obfuscating user tracking ad companies who, until now, got around previous regulations by moving servers to other countries and other tricks) they want to be able to enforce, no matter what. This is all very clearly based on user intent, not letter of the law. It might be incredibly hard for litigious country citizens to understand, but we have been living all our lives (and it differs per country as well) with this.


That's the recipe for political enforcement of draconian laws. It's especially dangerous for big foreign American companies which are perfect for politicians to demagogue about. I would not bet the business on any extra-legal grace from their bureaucracy.


"political enforcement of draconian laws"... like: how the US use their extra-territorial law to fine US Business's competitors (banks, industry...) ? ;-) It's funny to see how the US way of mixing law and business is terrifying when others may use it too, no? Anyway: it hasn't been how Europe worked until now, so relax. French Regulator said, for example, that it won't enforce strictly the regulation ... because... well... EU companies aren't more ready than US ones. And they'll have to.


The US paving the way for such practices is not exactly reassurance. If the laws are so complex nobody is capable of operating within them, the result is a police state. Being subject to arrest at any time because the law of the land explicitly gives the government that power or because it is so byzantine that nobody can know all of it works out to the same thing in the end.

Your argument seems to be that a police state where the authorities have a lighter touch is preferable. That's obviously true compared to a draconian police state, but it's a police state either way.


Under existing law companies can be fined somewhat ridiculous amounts for data breaches and essentially never are, so why exactly would the enforcement strategy change for the GDPR? Maximum sentences just aren’t an EU thing, nobody gets them unless they’re wilfully causing damage to people and this isn’t their first time. I don’t know if America does things differently, but based on what I know, it doesn’t - maximum fines and sentences are essentially never passed out there either.


Where do you see the "no warnings are required"?

Article 58 says that fines can be issued along with, or in place of, other enforcement action. That isn't "no warnings". Plus if you read the text of the law you would note that it is very clear that the size of the fine is dependent on 11 factors, many of which revolve around future compliance and efforts made by the business to resolve the breach and showing willingness to comply.


My "feels like it's not that big of a deal" is based on my own company's approach, legal advice I've seen, and internal training.

I realise that Pinterest is large and I'm sure they have sought legal advice, but that doesn't stop this coming across as an overreaction, if one assumes that they _aren't_ using the data in ways that explicitly violate the rights granted by the GDPR.

Now if they are explicitly violating those rights, that's another story! I'd rather attribute it to ignorance than malice though.


> would be a potential target of regulators looking to establish precedents of enforcement with a big name.

Shouldn't law apply equally to everyone? One could have thought that setting an example "to show them!" wouldn't have occurred in a civilised country.


In a world of limited resources, it makes sense that regulators would pursue enforcement against entities that impact a large number of people.


In such a world, it would make more sense to limit the scope of the law until enforcement can catch up. Minimally enforced laws that are enforced subjectively are problematic regardless of why.


Are you suggesting that the US government suspend income tax while they hire enough people in the IRS to go through every individual's tax return?


No, I'm suggesting they don't add any more compliance rules with new punishments unless they staff up.


Minimal enforcement can be used to make everyone a criminal. You then selectively apply the law against people you don’t like.

Taxation (I would hope) is not minimally enforced.


It's a union, not a country and it definitely won't go after big players with any kind of prejudice. It will go after those who flaunt the regulation, big and small.

Because it's the EU and not some other Union.


Regulators only have so many hours in the day. Prioritizing high visibility infringers can persuade lower visibility infringers to get into compliance.


Not sure how they could persuade if they won't go after lower visibility infringers? I can't follow your logic.


No one said "they won't go after small timers". Hitting the big players hard makes everyone wary of violating and they will absolutely catch some small fish as well.

It's just silly to expect any enforcement body to go after everyone equally. It doesn't even make sense; company A has data on 1.5B people, company B has data on 27 people and the owner's mother. Why would you go after B before A?


They have said this.

a) they have said they don't want to punish companies for the sake of it, they want to use it as an incentive to fundamentally change the approach to the handling of user data. This means not suing tiny companies for more money than they are worth.

b) they have said that the standards will roughly increase with the size of the company and resources it has. A company with 27 users (and few employees) would not be expected to have a data protection officer, or many of the control processes that a company with data on 1.5B people.


I think everyone is talking about the UK's ICO, which is just 1 of the 28. We have heard nothing from others and it's best not to make assumptions - the ICO may be following different rules in a year.


True, some of this is more from the UK ICO, but some is from the official guidance from the EU.


> This means not suing tiny companies for more money than they are worth.

Which effectively kills that company even if court finds their violation was minimal.


I never said they wouldn't. But showing that they're willing to go after infringers is easier when you use high visibility cases to do it.


https://jacquesmattheij.com/gdpr-hysteria

Setting an example is how the US regulators work, not so much the EU.


> I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

Seeing this completely false sentiment repeated over and over again is getting exhausting. Only a tiny fraction of the companies avoiding EU traffic due to GDPR have any intention of “doing shady stuff with your data”.

GDPR is highly complex, and as of tomorrow, allowing EU traffic invites massive liabilities that most companies outside the EU won’t be willing to take on. While Instapaper likely will eventually relaunch in the EU because of its footprint there, the reality is that EU residents are going to be blocked from a large percentage of the world’s websites. The liability is just too great and the rewards too small for most companies outside the EU. You guys chose to make your traffic radioactive. These are the consequences.


>I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

This sentiment and the hilariously large fines (regardless of company size, even) on relatively-ill-defined requirements make the whole GDPR process feel like it was designed to bully businesses into compliance.

Some pieces of GDPR are definitely for the benefit of the end-user (at the expense of companies, who happen to be providing those users other benefits). It all feels really heavy-handed, though.

Not to mention a little reminiscent of the problems that occur with other "bans" (which, this effectively is). When you put heavy legal restrictions on doing X (where, in this case, X is storing and processing data that you assumedly use to provide a service for users), you're effectively hurting the legitimate businesses most (_especially_ small ones) while the real "bad guys" that are actually doing bad things with our data are going to continue ignoring the law. There might be some value in-between, but I doubt there's much.


>This sentiment and the hilariously large fines (regardless of company size, even) on relatively-ill-defined requirements make the whole GDPR process feel like it was designed to bully businesses into compliance.

>Some pieces of GDPR are definitely for the benefit of the end-user (at the expense of companies, who happen to be providing those users other benefits). It all feels really heavy-handed, though.

The GDPR isn't vastly different to the old Data Protection Directive, which has been in force since 1997. The panic over GDPR suggests that a lot of companies had simply been ignoring the DPD. If a bit of bullying is required to get businesses to obey the law, then so be it.


> “bully businesses into compliance“

I am not sure I understand this sentence. That’s what laws do. “Bully” you into compliance. I think you might have meant something else?


> while the real "bad guys" that are actually doing bad things with our data are going to continue ignoring the law.

This is already happening without the GDPR (carders, dumps, etc), so I don't buy it. The black-market analogy (e.g. illegal drugs) also doesn't hold when applied to companies.

> the hilariously large fines (regardless of company size, even)

Oh no, proportional fines! How socialist!

The whole point is to make it somewhat independent of the company size, so bigger companies won't just swallow the fines. This is typically what Google et al do, they just factor it in to the cost of business. The GDPR wasn't written in a vacuum.


>The whole point is to make it somewhat independent of the company size, so bigger companies won't just swallow the fines.

Ironically, it's the bigger companies that can still just swallow the fines and the little companies that just effectively vanish into bankruptcy.


> You guys chose to make your traffic radioactive

Er. I vote in an EU country, but I don't feel like I "chose" anything. GDPR was mostly developed by institutions (Council of Europe, European Commission) formed of people that were not directly elected by European voters. In any case, given that personal data management issues are not a prominent part of the political discourse (even in the EU), I'd be surprised if any of the people in charge were elected because of their position on data protection.

It so happens that European institutions have come up with GDPR, but I don't think it is fair to see it as a conscious choice from EU voters.

> the reality is that EU residents are going to be blocked from a large percentage of the world’s websites

I'd be interested in seeing supporting evidence for this rather surprising claim. I'd conjecture that the "vast majority" is the long tail of small websites who haven't heard about GDPR or don't care about it; so I'm not too worried.


Let's stop peddling the misconception that the EU operates significantly differently than any other Western democracy. The civil servants answer ultimately to the MEPs, who are elected. Most people either do not vote or do not engage, as is the case to a lesser extent in their national elections. You can still lobby your MEP when an issue was not part of their platform.


"Only a tiny fraction of the companies avoiding EU traffic due to GDPR have any intention of “doing shady stuff with your data”."

Says who? If they weren't doing shady stuff, they wouldn't be pulling out of the EU. The excuses of being complex are just that, excuses.


> Says who?

Says anyone with common sense. What percentage of sites do you think employ data scientists or would even know where to go to sell your data? Most sites do nothing more than throw GA on their website, and maybe some Adsense. You people decided to paint that as something evil.

That’s your decision to make, but just understand that most of the rest of the world wants no part of $20M potential fines and will simply take their ball and go home. This law will have the net effect of creating two Internets - one for the EU and one for the rest of us.


>Most sites do nothing more than throw GA on their website, and maybe some Adsense

That actually is a problem. GA is a clear violation of everyone's privacy.


"Says anyone with common sense."

Where "common sense" means "agrees with downandout", not the more traditional definition of "common sense".


Well, Instapaper is owned by Pinterest. Pinterest strikes me as a company of such a size that they'd have no problem finding some way to monetize the data gathered from their users.


Have you seen some of the lists of where your data goes that some sites have posted? It's frankly frightening how far your data gets dispersed after signing up for just one website.


If you get a request today, you've got a month to comply, so in a way you're right. However, it really depends on how big your company is and how little you have prepared. Your absolute minimum is to have a statement that says that you are going to use the data you gather for contract purposes and to list the 3rd parties that you need to send that data to for contract purposes.

But then, if you are using data for other purposes, it's a bit complicated because you'll have to refrain from doing so until you are compliant. It doesn't necessarily have to be shady stuff. Even if you aren't sure if what you are doing is contract basis or not, it can be a pain. It's not necessarily massively difficult, but if you woke up yesterday and thought "OMG! We haven't done GDPR! What are we going to do?", then I can see this.

I've written earlier about how the company I'm working for now has changed what it is doing with data, even though I don't think they were doing anything shady previously. But it's more like, "Do we really want to list a lot of things and piss off the customer?" So now there are heated discussions of what 3 (or whatever other small number) of things we might collect data for because we believe that's the kind of limit that the customer will tolerate.

All of these discussions take time -- especially in a large organisation. And you can see in discussions on HN, there is going to be a large backlash of "Why do we have to do this anyway? Can't we just ignore it?" which wastes a lot more time.

Sounds like they want to be compliant, but are just not ready yet. A miss on their part, but hopefully they will get things in order quickly.


> Your current reaction seems like a huge and unnecessary

It's most likely action based on what their suits (Lawyers) recommended, and not a reaction.


Possibly, although other lawyers are saying other things, and my understanding of the official guidance suggests this is an overreaction.


You seem to be presuming guilt before innocence. Most strong advocates of GDPR seem to have this attitude. Perhaps the regulators will, too.

Using that line of reasoning, Pinterest is making a very prudent decision.


You know that you're still liable for European customers' data, even if you're offline, right? Going offline won't change anything. You can't effectively grab the database and run away.


It still seems like the safest option given the massive risk this legislation is exposing companies. Especially low margin per user businesses like Instapaper. From The Verge:

> because it’s not entirely clear right now what information residents will request, what format that information needs to be in, how to locate it and package it, and whether new infrastructure needs to be created to manage this request pipeline.

So in the meantime they can at least stop the flow of new data from the EU into their system until they are 'compliant' and have systems in place to deal with the existing large amount of EU users/data they already have.

It makes sense to me to be cautious here, plus it has the dual benefit of drawing attention to the real costs/risks the bill has on smaller firms without teams of lawyers and internal human resources (developers, CSRs) to deal with the new obligations imposed on them.


>It still seems like the safest option given the massive risk this legislation is exposing companies.

The safest option was actually to comply with the GDPR during the two years it has been in force now. I refuse to believe that the changes required were impossible to perform in two years.

I'd love to know when exactly did Instapaper start looking into the GDPR.


The founder has said that he underestimated the amount of work it was going to take. Anyone who has ever worked on software knows how this stuff happens. You don't truly know how long something is going to take until you dig into the hairy details of implementation.

Plus there are still tons of unknown variables at play with GDPR... even among companies who did spend sufficient time beforehand, as I quoted from the article above. So additionally, the non-obvious requirements further makes the underestimation make sense.


Marco Arment is the founder of Instapaper. He sold it after building it into one of the first successful iOS applications/services.


The founder hasn't said a damn thing about it.

The requirements are clear enough to figure out a solution in the last couple of years. What takes time is if you're trying to skate as close as you possibly can to the legal line and not go over it.


> The founder has said that he underestimated the amount of work it was going to take.

Source?

Pinterest which owns Instapaper (2 years ago mind you!) has raised $1.47B to date. There's no legitimate excuse here.


If there is so much ambiguity and interpretations what kind of manager would risk getting into doing such project if a risk of failure is equal to not doing it at all?


Courts are not black/white in interpretations of law. Demonstrating you put significant effort into being compliant is not for nothing. Plus you can't really figure it out until you try. Especially with something as complex as this and how the implications of the law will be different for different companies.


I don't think that makes a difference, perhaps it depends on the country. Some EU countries are hostile towards entrepreneurs and wrong action or inaction would get the same treatment.


What would the regulators do? Block the service?

But that is one part which is confusing to me, from the UK ICO:

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Additionally, the GDPR does not apply to actions taken before and during the transition period (which ends now).

In this case, Instapaper does not offer goods or services to individuals in the EU. It actively blocks any user inside the EU.

Does that mean that Instapaper is no longer subject in any way to the GDPR?

In other words, if you had a company that had operations in the EU, but left the continent 2 years ago, and no longer has any activities with any EU individuals, does the GDPR suddenly apply to you?


If you continue to hold data from EU residents, it’s somewhat likely that the GDPR applies, or that a court will decide it does some way down the line. If you employed a competent lawyer for about an hour they’d ask you why you’re storing that data if you’re never going to use it again, given the risks.


Holding the data or not is irrelevant, the tricky part is compliance.

If the GDPR applies to you, you need to hire a DPO based in Europe, as well as having an EU contact that will be responsible for any fees that you incur.

If you did business in the EU but no longer do, do you now have to hire a DPO in the EU and have a local contact responsible for any liabilities?

Managing the data is the easy part.


There’s no obvious reason why you’d have to, provided you delete all data related to EU residents.


You didn't read GDPR. Deleting isn't enough, if GDPR applies to you, you need to follow all the compliance requirements, including hiring people, providing proof of deletion if investigated, etc.


This is a good point I haven't run into before (which is itself frightening). So what could they do instead? Could they retain the actual 'read later' content, associated with their EU users, but delete all of their own personal data for now?


Not much. If you're not compliant, you're not compliant. However, that's not the end of the world right there. GDPR takes ill-intent into account, and it also requires warnings before any punishment is applied. They should instead have started working on compliance before they actually did.


Yes, I'm sure their legal team missed that one...


Just because a law is written to apply to effectively the whole planet, doesn't mean it can be enforced as such. I just don't see the current US administration complying with an EU charge against one of its companies that did go the blocking route, let alone any of the shadier countries that host companies in violation.


Instapaper isn’t based in the EU. The EU can’t prosecute individuals on foreign soil. I mean they can try, but good luck getting anyone to show up.


based on my understanding, i think if you're not marketing to eu visitors, data doesn't fall under the gdpr. does the gdpr retroactively apply to data from the past?


Presumably they deleted all the EU data just now...


> Let me know if you have any questions...

Which parts of GDPR do you think you're in violation of?

Why do you think removing access for users currently in the EU puts you in the clear legally?

What are you doing with European users' data currently, have you deleted it all?

A lot of other companies have navigated the changes to the law without significant changes to their service or privacy policy, just by tightening up how they hold data, and making sure they are clear on permissions with users.

Are you sure you have good legal advice on this?


> Which parts of GDPR do you think you're in violation of?

Answering those questions in a public forum would be extremely foolish. ("Do you know why I pulled you over?")

> A lot of other companies have navigated the changes to the law without significant changes to their service or privacy policy

And how many of them are actually in compliance?


> Answering those questions in a public forum would be extremely foolish

Perhaps asking for questions was foolish?

> And how many of them are actually in compliance?

If you're not in the business of selling customer data to third parties, it's not very hard to comply, just requires some discipline on how data is stored and who it is shared with, and a point of contact for enquiries about data.


my question - why am I finding out about this on HN and not through the email supposedly sent out?


I did not receive any email notification about this either, just double checked all Spam folders..


You had two years to get ready. Why wasn't this announced months ago?


Are you hard-banning or is it possible to use it over VPN or in some other way? Asking for a friend!


The ban will be an IP-based ban for IPs from countries in the EU.


And how hard are you going to be dropping EU users' data?


I'm curious what an example of a "hard ban" might be?


Freezing account if it seems to be owned by EU citizen? GDPR applies to all EU citizens regardless of their location after all.


GDPR applies if (1) the Controller or a Processor is “established” in the EU, or if (2) the Subject is in the EU. Citizenship doesn't matter, and geoblocking is the legally correct solution. As an example: U.S. tourists on a trip to Paris are protected by the GDPR, but a Polish expat in California is not. (See Art. 3 GDPR https://gdpr-info.eu/art-3-gdpr/)


I really don’t think your example holds up.

> US tourists on a trip to Paris are protected by the GDPR

That’s not entirely correct. They’d fall under GDPR if they do business with a company doing business in the EU (e.g. by buying something off of Amazon and sending it to their Paris hotel address). They would however not benefit from GDPR if they were to order something from Amazon but send it to their US address instead.


Huh. This is interesting. People were saying it'd be the other way: that EU citizens would be guarded no matter where they are.


That's incorrect.

"If the Data Subject, moves out of the EU border [...], or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless the organisation is “established” in the EU"

Source: https://cybercounsel.co.uk/data-subjects/


I'm sure that's what the policy makers originally wanted (protecting the rights of all EU citizens). That being said, it would be nigh-on-impossible to implement.


Websites would run into the same situation as banks: anytime you open an account at most banks in Europe and probably around the world, they specifically make sure that you're not American, because then they have to comply with American laws if they don't want to get blacklisted.


How is geoblocking a solution? How does it absolve the company of their compliance obligations? Does using a VPN mean that Data Subjects in the EU are not covered by GDPR?

Is geoblocking sufficient on its own to show that the Controller/Processor is not doing business in the EU? Even when the Controller/Processor still provides localization to EU languages?


Don't feel bad. The law is ridiculous and most startups cannot even afford a salary for another programmer, not to mention a GDPR-law compliance officer. Hopefully if enough services get interrupted, bureaucrats at the EU will rethink the law.


If you believe GDPR requires you to hire a dedicated compliance officer then you don't understand or have not read the law you're so vehemently against.


So which part of the law is ridiculous? Disclaimer: I believe the principles that are applied within the law, data autonomy, data ownership, usage-binding of data etc., are sound. And just because people have aggregated any data on people that they could get to better manipulate them into buying crap for so long that it’s hard to change track today, doesn’t mean it’s wrong for lawmakers to enforce parting ways with the past.


- IPs are personal private information

- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today.

- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc.

The law is confusing "privacy" with "invisibility".


"- IPs are personal private information"

IPs combined with other user data could be PII.

"- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today."

Wrong. You need opt-in consent for non personalized ads, but this can be the "soft consent" type where you only present the "Accept" button. Advertising is no more optional tomorrow than it was today.

"- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc."

Knowing what you have on me is not superfluous; it's my data.

Seriously, the FUD around this law is getting tiresome.


> IPs combined with other user data could be PII.

1) Bob signs up for a service and is logged

2) Bob then asks for his account to be deleted. Account details are deleted, but the IP logs are retained.

3) Bob signs back up for a new account, allowing the data processor to make the link from his new account to his old IP logs with the first account.

This seems like a likely violation; if so, you would have to treat IP addresses like personal information.


The personal information here is the IP-Bob tuple, not the IP on its own. Bob might as well be assigned a new address from DHCP on a daily basis. His friends might be using his address. He might have used the address of some public network in the first place. All of these are pretty likely scenarios. The IP is only interesting given the context of who uses it and when, so as to separate Bob from Alice, and Bob's favorite cafe and Bob's workplace from Bob's home, and to figure out if Bob is ever visiting Alice.

So if Bob asks for his personal information to be cleared and the system leaves Bob-IP tuples behind, it clearly didn't do what he told it to do.


That is playing dice while dealing with potentially personal information though, right?

It depends on Bob using DHCP, that his DHCP switches often enough, and there are enough people on the same network that the link can not be made.

The above is not always true; other mitigating factors are not always true. Which seems to make some of the IP logs personal information. Or at least you are safest if you treat it that way.

I am basing some of my reasoning off an article that I was pointed to earlier: https://www.whitecase.com/publications/alert/court-confirms-...

Where, to my understanding, IP addresses are considered personal information only if you can link them to some other identifying info.

I think a regulator is unlikely to go after a company for not deleting IP logs in the current climate. As far as I can tell GDPR gives them the power to, however.

Until there is some case/enforcement history it is understandable if people are cautious.


- IPs in general are not bound to some specific person. It's only because laws require that ISPs keep PII allocation data that they become personally identifying. Perhaps it would be easier to plug that leak right there.

- ah, well google suggests you ask consent even for content-based ads

- 99% of the sites show you what they have on you when you use them. The provision could be to have a separate download page when that is not the case. If every business must have an unauthenticated download page, it becomes easier to get other people's data via phishing.

it's not fud. this is the internet. let's talk again in a few months.


Advertising can be done without cookies. It’s a simple <img> tag.

Unless you mean user-tracking advertising.


i mean content-based (still requires cookies)


Then you'll have all sorts of disputes; for example, someone could claim their cat stepped on a touchscreen and consented without the user's knowledge, or someone consented whilst being completely drunk - such consent is not valid. That means potentially companies are keeping the data illegally thinking they comply.


i don't follow, do you mean that's a possible scenario? That's the last thing you need to worry about yet. I expect first random emails from hackers demanding coins for 'not reporting you' in the first awkward month.


the weirdest scenario is if people inadvertently leak medical data on an unsolicited email.

"I've a motor impairment do your hotel have accessible rooms?"

say you have your hosted email system, now you're in a huge mess.

people downvoting this should really hear a lawyer about gdpr.


Email is not covered by GDPR but by the local communications acts. There will be some new EU laws in the next 2 or 3 years... So there's no problem in THAT case. But if this email is copy/pasted in a reservation system THEN it might be covered by GDPR.


There is also a thing when the user closes the consent popup and the site won't redirect to an invalid IP address. I have seen plenty of sites where you can close the consent popup and continue to use the site - that means they collect your data without your consent. Grotesque.


how do you know they collect your data?


Because they say that in the popup.


You don't need a new employee, just someone who is assigned the task to deal with queries that come in. For a small start-up this is not likely to amount to many requests, and even then the requests from the public first go through the regulator. So many requests will be weeded out at that stage with the aim of reducing the burden on businesses, only requiring them to act when the regulator has identified a breach. At this point they have to fix it; if they don't fix it, or don't try to fix it (fixing it is usually by deleting the customer data), then they are open to prosecution. If they fix it the regulator isn't then going to seek huge fines; they are aimed at non-compliant firms who have no intention of complying (e.g. because it is their entire business model).


If that's the case, then perhaps that startup shouldn't be sucking up all the user data it can.


Did you delete all EU users' data?


Maybe something like this will be of help to you https://ico.org.uk/for-organisations/resources-and-support/d... ?


You could've just done absolutely nothing. That would've avoided service disruption.


Extremely bizarre move frankly. I assume this was some kind of vigilante decision rather than based on recommendation of counsel.


> Let me know if you have any questions...

It sounds as if you're unwilling to talk about the issues that you're facing. So what can you say? The only reason I can think of that you can't say is that you are trying to get some infrastructure suppliers to be compliant and those talks are confidential. Correct?


The email we sent to EU users (quoted in linked article) has the important details regarding the service interruption in the EU.

Additionally, I can say that our privacy policy is concise, clear, and accurate with respect to the types of information we collect and how the data is used: https://www.instapaper.com/privacy

If you have other specific questions, I will do my best to answer them.


Well, as The Verge says in the article: 'While we don’t know exactly what’s holding up Instapaper'

I'm naturally curious as to what's holding up Instapaper.

As you say, your Privacy Policy is very good, other than the disclaimer that says 'we may pass your personal data to others - who knows what they do with it eh?'. I imagine that this is the issue which is holding you up.


The scope of work for GDPR was underestimated by me, we were not able to complete that work for the deadline on Friday, and this was the required alternative.

We are working very hard to minimize the service interruption.


Have you received genuine legal advice that recommended that you shut down business instead of continuing to work towards compliance?

The agencies that can enforce the GDPR want you to be compliant, not to fine you... If you're actually working towards compliance past evidence shows they won't fine you.


I've heard this line a lot, but even as a government loving liberal it doesn't sound very compelling to me. The law says, comply or face fines up to 4% of global revenue. It doesn't say, "make a best effort to comply, or face fines up to 4% of global revenue." I'm very reluctant to trust people who can fine me for that much money that they won't do so. This is especially the case because it appears to some of us foreigners that the EU particularly loves to fine foreign companies for large amounts despite what appears, from our perspective, to be a good faith attempt to comply with the law.


https://gdpr-info.eu/art-83-gdpr/

> 2. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

So, a whole bunch of very explicit things that are to be used when deciding whether to impose a fine (at all).


The EU regularly fines domestic companies huge amounts in anti-trust enforcement.


True that the text doesn’t say this, but several of the privacy authorities in the different jurisdictions in Europe have been stating this publicly in interviews. The last one I saw was the ICO in the UK today on BBC Click saying exactly this...


The text is what matters. You cannot defend yourself in court with the content of interviews.


Actually, you can in Europe. Context of law is more important than letter of law, as opposed to the US.


Of course you can. Otherwise what would be the point of them in the first place?


...and maybe you should take a look at something like this https://ico.org.uk/for-organisations/resources-and-support/d...



I would be interested in seeing examples of large fines that have been handed out to business by the EU that don't first of all meet the general conditions mentioned in this article.

https://jacquesmattheij.com/gdpr-hysteria


> The agencies that can enforce the GDPR want you to be compliant, not to fine you.

Says who? The only perfectly clear parts of the GDPR revolve around the massive fines.


The EU actually loves levying huge fines against rich US tech companies. Why do you think they prefer compliance to fines?


Well, let's take a famous example. The €4.2bn fine given to Google in 2017 for abuse of its market position in pushing its own shopping results.

https://www.theguardian.com/business/2017/jun/27/google-brac...

Shocking stuff.

Except the Commission actually gave Google quite detailed advice over 5 years earlier about what it needed to do to be compliant.

https://www.ft.com/content/564a284a-a334-11e1-8f34-00144feab...


Shutting down means you're probably not gathering any further data but what if one of your EU users sends you mail now asking for all the data you have about him/her? How does the shutdown protect you from that?


The law says you need to work toward a solution, it isn't a cliff edge thing where you are immediately legally liable. Are you just not wanting to risk it or do you not read the law in this way?


The GDPR fines based on global revenues.

I'd bet Pinterest is very risk averse given how little money they make from Instapaper.


Global revenue of the parent company!


Weirdly enough I am a European citizen, haven't received the mail and the service is working.

Not complaining, I prefer it this way. Hope you will sort the issues quickly.


The ban will be IP-based for IPs in EU countries, and it goes into effect at approximately 2PM Pacific Time.


Me too. And I can see I am definitely subscribed to "account update" emails. I'm not sure how they would decide if I was European or not, can't see a tick box for that in the profile page.


Where are you located?


The UK.


Thanks to Brexit, there is going to be a similar GDPR law for the UK.

Interesting times these are.


Why is brexit relevant?


Post brexit, GDPR will no longer apply to the UK.


Right. So without brexit there is this and with brexit there will be something very similar. Thank god for brexit.


Just got back from a road trip throughout Ireland, and occupied Ireland. I wonder what will happen to those two countries post brexit.

As I refer to my first comment: interesting times.


Ironically, I am unable to read that page without enabling javascript for a third-party domain (amazonaws.com)...


I'm sorry, I don't buy it.

(1) you still hold the data, you are still required to comply with the law and cutting off access does not change that one bit.

(2) the period for a response is long enough that once you would receive requests you could handle them in time even if you processed them manually.

(3) you have been - or should have been - aware of all this for a very long time, either you failed at estimating the impact of the law or you do not know what you have or you changed strategies internally recently and now you're not going to be ready in time because you started way too late.

So in all, all you've managed to achieve with this action is to get the spotlight on you, and it is a 100% certainty that at least Instapaper will be solidly violating the GDPR come tomorrow.

If I were in your shoes I would use my designated representative to contact the authorities for guidance after explaining in detail what the problem is before I would let my end users pay the price for my own incompetence.


Last I heard Instapaper has 3 employees.

Some smaller companies and lower-profile groups within big companies are going to need more time to sort this out, and some may decide it's not worth the risk of the massive fines no matter how compliant they think they are and will block European users. Nobody knows how aggressive regulators will be in enforcing this so far, nor is there any precedent for how the law will be interpreted by actual courts. Calling people incompetent isn't going to change that.

This is one of the negative consequences of enacting complex regulation targeted mostly at giants like Facebook and Google and then applying it to every side project and business in the entire world no matter how big or small. Sorry.


Nonsense. Instapaper was acquired by Pinterest.


And how much revenue does the Instapaper service generate for Pinterest?

Lower profile groups within big companies are probably most likely to shut off their services to European users because they have the cautious legal departments of the large company without the important profit center designation which would make compliance a priority.


> And how much revenue does the Instapaper service generate for Pinterest?

Who cares? That's not a factor in whether or not you should comply with the law.

> Lower profile groups within big companies are probably most likely to shut off their services to European users because they have the cautious legal departments of the large company without the important profit center designation which would make compliance a priority.

Well, that may be their strategy but it won't work because it is the company that is violating the law, not the lower profile group.


> That's not a factor in whether or not you should comply with the law.

speaking generally here, you know laws aren't always right? we had plenty of bad laws to draw from to challenge this particular point, from racial to abortion laws.

gdpr isn't as draconian as these but still has plenty of trash in it between the vague wording, the moving target 'state of the art' represents and the weird requirements and absurd implications of the 'right to be forgotten'.


What's that got to do with it?

It's the law, it was created by a democratically elected body. Racial and abortion laws are on a different plane altogether, and are not typically the playground of globally acting corporations.


> it is the company that is violating the law, not the lower profile group.

I work in a company that was acquired and we're still our own legal entity. Would our owner be affected if we violate GDPR?


That would depend on what kind of ownership structure you have. Do they exercise management control, have seats on the board etc?


No, in that case the owner is just a shareholder. But if the original legal entity no longer exists (which I believe is the case with Instapaper) then it doesn't matter that you've been acquired, you are now part of the mothership.


> But if the original legal entity no longer exists (which I believe is the case with Instapaper)

Unlikely. "Instapaper Holdings, Inc." is right in their footer.


So an LLC owned by a larger company, would that allow for the owner to be a shareholder?


Weren't you the one previously saying that don't panic (https://jacquesmattheij.com/gdpr-hysteria) because of GDPR back in the day? And now you are advocating that they should have already complied with GDPR given its impact!

Make up your mind.

And this is exactly why this is such a shitshow. Stop attacking people who haven't complied because small developers have other things rather than trying to figure out whether they have to redo their logs if a user asks their data to be deleted. This is almost bullying behavior.


> Weren't you the one previously saying that don't panic (https://jacquesmattheij.com/gdpr-hysteria) because of GDPR back in the day?

Yep.

> And now you are advocating that they should have already complied with GDPR given its impact!

Obviously yes, because today the law becomes enforceable. Not having done the required work is just plain dumb.

> Make up your mind.

I made up my mind well over a year ago, spent the time required to be compliant (a couple of days) and that was that. Instapaper being as small as it is would not have had to spend more time than that unless they are doing something they shouldn't be doing, are unable to plan or changed tactics in the last 2 days. After all, if they weren't going to make the deadline they had a very long time to announce that, instead they announce it the day before the law becomes enforceable. That's just not ok. At a minimum they should have had their export facility up and running.

> Stop attacking people who haven't complied because small developers have other things rather than trying to figure out whether they have to redo their logs if a user asks their data to be deleted.

I suspect you are in the same boat?

> This is almost bullying behavior.

Right. Well, sorry, it really isn't, it's the perspective of someone who has been in business for a very long time and who feels that the GDPR addresses some fairly urgent matters. Companies have been running roughshod over users' privacy rights for decades and it is one of the worst things to come out of the internet. The level of tracking and data brokering that is going on is utterly disgusting.

If you weren't doing anything you shouldn't be doing the GDPR is going to be a pretty simple affair if you're a small company. Larger companies will have some more work but have more resources.


He's also the same guy who said, and I quote, "compliance is easy, just read the law."

It surprises me how much this community tolerates such combative cluelessness.


Have you read the law?

Did you start working on compliance in a timely manner or did you become aware of this a few weeks ago?

Does your company have a clue about what it is doing in general?

Do you take a user centric approach to data ownership?

If those are all 'yes' then compliance is easy. If you don't care, do illegal stuff, are clueless or don't care about your users then compliance is going to be hard, that's what the law intends because those companies should change their ways.


His posts were clearly politically motivated, zealot-type propaganda. Either self-interest or useful-idiot.

For some reason he is such a fan of this legislation that he is willing to overlook its glaring problems. No objectivity there, I am afraid.


> His posts were clearly politically motivated, zealot-type propaganda.

Oh my. Terribly sorry for putting up a political manifesto.

> Either self-interest or useful-idiot.

Take your pick. No third options? Such as a genuine desire to take some of the heat off for SMEs, of which I own several and participate in several others?

> For some reason he is such a fan of this legislation that he is willing to overlook its glaring problems.

Yes, I'm a fan of this legislation. I also was a fan of its predecessor and it's a joy to see companies that don't have their house in order make all kinds of panicked moves. I have a pretty good behind the scenes view of what goes on with respect to privacy abuse by corporations due to the nature of my work. Those companies that do illegal stuff, don't give a damn about their users and that in general are clueless (and which in turn increases the chances of their online properties being compromised) will be the ones that run into the 'glaring problems'. The only thing that I see as troublesome with the law is the lack of reciprocity and enforcement across borders. The EU picked a complex and for really small companies expensive way to resolve that and that's something that I see as a real issue.

> No objectivity there, I am afraid.

I think you mean to say you don't agree with me.


I don't know if (1) is true but the data was collected under previous laws. In my opinion laws like this should not be retroactive. Retroactive laws, especially when affecting billions of dollars of commerce, are unfair and draconian.


It is not retroactive, the law has been there for 2 years, becoming _active_ in 40 minutes. Secondly, it is not the collection of data, it is the storing of data. So if you store the data without user confirmation in 40 minutes, there might be a problem. The action which is the problem is the storing of private data.

There is nothing retroactive here.


Is three year old data covered? Sounds retroactive to me.


If you bought designer drugs 10 years ago, the act of buying was legal, even though storing it today no longer is. Same here, collecting it or using it 10 years ago might have been legal. Storing it today is not. You might be confused which action is covered by the law, and that action is "storing". You can decide to stop doing that action today, so it is not retroactive at all.

I don't really see where the age of the data you store comes into play.


Yes, three year old data was already covered by the DPD.


The law has been on the books for two years, it just wasn't enforced and for a long time before that there was another law with much the same effect. So even if the data was collected under previous laws there is not much that would convince me that denying the users access to their data or to the legally mandated data life-cycle features is the right thing to do.

In fact that attitude goes exactly against what the law is trying to achieve in the first place.


> In fact that attitude goes exactly against what the law is trying to achieve in the first place.

I think this is an important realization for any regulator.


The law doesn't make it illegal to have collected the data in the past. However, it introduces new rights for people for which you have collected data. I don't think this is unfair.


The general global legal principle here is that you can't charge someone for something that happened before the law came into effect.

So you are not correct on #1.


The law has been in effect for two years. And before that one there was another one.


>The law has been in effect for two years.

"It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018."

Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

>And before that one there was another one.

Yes, but that was a different law. It required different things.


The law came into effect on the 14th of April. The 'enforceable' does not mean it comes into effect, it means that regulators have their powers unlocked to go after offenders.

> Yes, but that was a different law. It required different things.

It actually required a lot of the same things, but because companies decided to ignore it it was revised.


The regulation came into effect two years ago and I don't really believe that Instapaper hasn't been processing data for the past two years.


By that standard, if you had purchased a child porn magazine in the 1970s when it was legal to do so, you would be in the clear if the police searched your house and found it. I am not a lawyer, but that doesn’t seem likely.


> will be solidly violating the GDPR come tomorrow

How do you know that? I mean technically he says they're violating it today, just like we all did the past 2 years because it wasn't enforceable. What changes with their ban tomorrow?


That they are still violating it tomorrow and they are giving their users an excellent excuse to contact the regulators because they cut off communications. This is about as dumb as it comes.


I was under the impression that if you don't do business with EU users, you are not subject to the rules. This seems like the only reasonable way to not do business with EU customers. Other thoughts aside, if they wanted to stop doing business in the EU, how should they?


> Other thoughts aside, if they wanted to stop doing business in the EU, how should they?

Erase everything.


I suppose for most thinking rationally, it seems like "stop doing business in the EU" is different than "make it like you've never done business in the EU". Taken to its conclusion, which Instapaper surely won't, it's not going to be easy to punish a business that has cut ties with the EU because of what they collected before. Granted it appears that with the law, like its predecessors, practicality of reasonable enforcement takes a backseat to intent.


The rational approach to legislation is to make a (timely) effort to comply.

When you're told the highway near your house has a new speed limit you can either obey the speed limit, use a detour (which will still be slower on account of it being longer) or you can take your car off the road in a huff.

The first one is the only solution that makes sense.


If we're going with these analogies, there are other approaches if you disagree with the speed limit. You might protest the speed limit if you lived there (hopefully without being berated while you do so) or if you don't live there you might avoid the place with unreasonable speed limits.


Sounds like a technical reason to me. What provision of GDPR does it break? Contact the regulator about what?


The ability of users to access their data, to edit their data, to delete their data and to export their data.


Is there a requirement that this ability is 24/7/365?

I mean, knowing GDPR, I would guess at best the provision would be something like "a reasonably long amount of time but not long enough to be unreasonable based on appropriate considerations of data subject's patience"


It certainly isn't a provision in the law that if you feel that you won't be able to deal with your users' legitimate requests that you have the option to lock them out entirely.

I can imagine something to the effect of stopping further gathering of data (to stop digging the hole deeper), to give your users the option to request what is their right through some kind of form and to park those requests until you're done with the implementation and in the meantime give them continued access.

After all, the law already has a provision in it that you have 30 days to respond, and another 2 months after that if you are for some reason technically incapable and need an extension.


Epic fail


Hahaha, meetings on my team at Pinterest are a little more substantial than that, but maybe it varies team to team?


Please take all my upvotes


I believe this only applies to applications that use Instagram's API, which we do not. https://techcrunch.com/2013/08/19/instagram-cracks-down-on-c...


Brian from Instapaper here, we originally wrote it that way, but it felt really weird and disjointed, especially if you weren't familiar with the entire history. Just wanted to keep it consistent, not really take credit for Marco's accomplishments.


Brian from Instapaper here. We have no plans to shut the app down, and a big part of the value the app provides (parser improvements, aggregate information on links) requires the ongoing operation of the service.


Hello, Brian! I hope you will take my skepticism in good humor. While I would delight in Instapaper's prolonged availability, I trust you are aware of the widespread perception that acquisition is where startups go to die [0], to say nothing of the fact that some of Instapaper's competitors have also fallen to the wayside [1]. The final red-light comes from the tendency to make services free right before they shut down, #1 as a last-ditch growth mechanism, and #2 as a means to eliminate any legal recourse should the service suddenly shut down.

[0]: https://signalvnoise.com/posts/2777-what-happens-after-yahoo...

[1]: https://readability.com/


I understand and appreciate the skepticism, however, the reason we're making this change is because we want to provide the best experience for our users.

Pinterest receives value from the ongoing operation of Instapaper in the form of continued parsing improvements and aggregate information about links on the web, and that value is enough to justify our relatively small operating costs.


For me one part of "growing up" in sw engineering has been that I have started to want to pay reasonable amounts for things I use actively.

I see it as an insurance for us users: as long as a significant amount of users are paying, keeping the service as-is is a valid alternative for the owners.

When it becomes free I fear that someone suddenly starts looking at it as a cost center, I mean: all the benefits you mention seem to be possible without operating an end-user service.

Disclaimer: not a paying Instapaper customer, but I am a paying lastpass customer and a paying google docs customer etc etc.


I don't have a statistical survey, but I have anecdotal evidence of paid services going away, increasing in price dramatically, or remaining the same. Same with free services.

I can't honestly say that the paid-for services I use are more likely to remain available than my non-paid services.

The key factor appears to be a viable business model, but that's impossible to evaluate from the outside (and sometimes from the inside).


Being a service that charges money does not guarantee a longer life.


Guarantee? No. Improve the odds? Yes.


Would you mind elaborating on how Pinterest derives value from your "aggregate information about links on the web"? What types of data do you/they glean through Instapaper?


A guess --

free supervision of extractors for web page content (people complain if the scraper doesn't work)

some notion of link quality


That's quite interesting, are you using Instapaper to allow you to get more expansive testing on the parsing technology before rolling in the main product or are they reasonably lockstep?


How I wish Pinterest saw some value in keeping Fleksy - the keyboard app they acquired, updated. It is/was one of the best 3rd party keyboards out there, but has gotten buggy with newer iOS.


I like how seriously Brian answered a post by someone named AdmiralAsshat


Well, the guy is an admiral.


It certainly commands more respect than WarrantOfficerWeenis.


Points off for not saluting.


Hi Brian, I currently use Pocket, why should I use Instapaper instead, is there any differentiation? I also receive the Instapaper weekly emails, which I love for the curation of top stories. Thanks.


See downthread for some comparisons :)


> We have no plans to shut the app down

This is a pretty empty claim without a minimum time frame. It would also be more convincing if it came from Ben Silbermann...

Hope you forgive the skepticism but I've seen too many start ups being acquired and happily singing the "Our buyer has full confidence in us and will let us operate with 100% independence" cliché quickly followed a few months later by "We are sorry to announce that we're shutting down".


"Hi I just got something for free and I'd like the opportunity to complain about it now." I mean he said there are no plans to shut it down. What timeframe? You want a promise that for X years you'll continue to receive this service for free, unchanged? They're extending the value. There's literally nothing to be grumpy about.


Except you literally just stated what there is to be grumpy about.

> "..I just got something for free and .."

What you're saying is now that they got it for free they have no right to complain about the fear of it being unstable. Which is EXACTLY why people are having an issue here. They are fearing that the fact that it is free means it also won't be able to be relied upon and you just proved why they are saying that. If you pay for something you have some recourse. If it's 100% free for everyone and shuts down, well shit. Guess all of your stuff is gone and you have to go elsewhere.


There is no guarantee even if you paid for Instapaper that it would continue as a service.


There are a lot of those questions in the blog post. Perhaps an explanation of how Instapaper development helps Pinterest as a whole would assuage some fears?


I love instapaper! I hope for years and years of service. Thanks for making mobile reading of websites easier.

Thanks


Hi Brian. OT question if I may: I have a rooted B&N Nook that I would love to install Instapaper on, but the device does not have access to Google Play. The lack of an available .apk file is what led me away from Instapaper, even though I was already a paying Premium member. How can I get my hands on the official .apk?


Hey Brian!

Thanks so much for dropping into this thread. Would Pinterest be willing to open source non-competitive pieces of Instapaper's tooling, considering the user base is what is of value (monitoring parser and link quality)?


Brian from Instapaper here. It was three of us, and two came along with the acquisition. We all agreed to it before making the decision.


Hi Brian, would you PLEASE consider increasing the maximum read speed in Instapaper. Pocket's much speedier maximum read speeds (with iOS' great Alex voice) are a huge pull that I can't leave behind.


Hi there,

Brian from Instapaper here. We will not be serving advertisements in your Instapaper queue. The value Instapaper provides to Pinterest in terms of parser capabilities and aggregate information about links is enough to justify the small operation cost of running the service.

I'm happy to answer any other questions you have.

Brian


Hi Brian,

I paid for Instapaper so that it could run in the interest of its users. If it's fully supported by Pinterest, then its value to users is secondary to the value of its data and technology to Pinterest.

Why can't I keep giving you money? I don't want any special features, just your undying loyalty.


The only way you can have an undying loyalty is by being the owner of the company, that's how capitalism works.


"I'm happy to answer any other questions you have."

How much did you grow since now, last acquisition and first acquisition?


Well I meant specifically with respect to going free. As a policy, we do not publish usage numbers.


I'm looking forward to features like finding related articles, a https://longreads.com/ like portal or more customizable weekly digests (lately it's all US politics which I don't care about). That said the usual 'click on read later, read article on the train' use-case works very well for me, no complaints.


Try out https://factr.com - we're building out a concept called Streams which will help with digests and finding all the information on a given topic.


So it's like a human-powered spider to Pinterest?


What are you using this aggregate information for?


To better understand news and trending links on the web.


As part of my computer science program in college, we studied the ACM's Software Engineering Code of Ethics and Professional Practice, which in effect is what you describe. http://www.acm.org/about/se-code


And as an aside, the ACM is currently collecting comments on revisions to their code of conduct. http://ethics.acm.org/code-of-ethics/code-2018/


The team was open to moving to SF as part of the acquisition. Also, there are only three of us so it wasn't as if many people were uprooted.

