How are you dealing with the GDPR?

[Webdongle]

You have been told by mandville it makes no difference where the company is located.

[sozzled]

@Webdongle, so you really don't know, right?

@mandville wasn't answering the question I asked of you.

Here's a case in point: a website that I don't own, a website owned and managed by volunteers, a website that I assist in managing located in Australia (primarily focused on Australian interests) accessible to residents of the EU. Have a look at the privacy policy: http://joomla.org.au/privacy-policy

In your opinion, is that adequate?

[Webdongle]

According to https://ec.europa.eu/info/law/law-topic ... w-apply_en the gdpr applies to sites outside the eu if it sells goods or services

a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.

As for if it actually complies (when it needs to) is a matter for the site owner.

[sozzled]

@Webdongle: what is preventing you from answering my question. I will repeat the question one last time:

In your opinion (not someone else's opinion, not quoting from text, but your own personal considered opinion):

• is a website (I'm not talking about an information gathering facility, or a business that is involved in trading personal details about people with other business for the intentions of targeting sales or whatever they may be dealing in) ...
• a website that is not based in the EU (I'm not talking about businesses based within the EU) ...
• that may—by design, intent or accident of good fortune—conduct business (however you want to construe that term) with people
• people who are resident of, or travelling through the EU

is the website (not the owner of the website)

is the website subject to the GDPR?

Is your answer (a) yes, (b) no, or (c) I don't know? Can you give me a straight-out, no beating-around-the-bush, simple yes, no or you-don't-know answer. It will save a lot of time if I get a simple answer.

[Webdongle]

I have told you my opinion. The gdpr will apply to some sites that are based outside the eu but it is up to the legal system to determine which ones will need to and if they actually do. The quotes and links that I have posted are references to support my opinion. Where are the links to support your opinion that gdpr only applies to companies that are in eu countries?

[sozzled]

Actually, the quotes and links you've used have nothing to do with website compliance. Read the full article/opinion that @mandville quoted from: the word "website" or "site" is not mentioned. In the pending cases before the courts, websites are not mentioned there, either.

The GDPR, to save people the trouble of arguing something they know nothing about, is concerned with protecting the privacy of people "in the EU". I have no quarrel with that. I have no dispute about the obligations on people within the EU who store information about other people; I have no problems with the regulatory framework that controls how this stored data may (or may not) be used.

I do, however, have a problem with the EU's increased territorial scope, by (potentially) requiring me to

... designate a representative in the EU who will “act on behalf of the controller or processor and may be addressed by any Data Protection Authority (DPA)”.

And, to really rub salt into the wound, not only that, but that

... representative can be subject to enforcement proceedings in the event of non-compliance by a non-EU controller or processor.

There's the catch-22. Businesses outside the EU need to appoint an EU-based representative but the representative can also be enjoined in "enforcement proceedings". So, when you "comply" you can still be done over.

Anyway, it's good that @Webdongle finally admitted that he doesn't know the answer, either.

[Webdongle]

I never claimed to know the answer for individual websites. I only refuted your claims that it only applied to companies in the eu. You are the one who made claims that were incorrect and you still do it.

You also try and justify your mistakes by using misleading comments that are design to misdirect.

Actually, the quotes and links you've used have nothing to do with website compliance. Read the full article/opinion that @mandville quoted from: the word "website" or "site" is not mentioned. In the pending cases before the courts, websites are not mentioned there, either.
...

Websites are not mention in the quotes but they are used to collect that data so (by implication) they are subject to the gdpr. So yet again the thread is taken off topic because you make a false statement and try and justify it by waffle.

[sozzled]

@Webdongle: the language of law is very precise (that's why we have lawyers and judges to interpret the language). If something is not explicitly stated in the language of law a meaning cannot be "implied" simply because a few words were omitted from the text of the statute. The law doesn't infer a meaning; it interprets a meaning and when courts rule on the interpretation of a law's meaning, the interpretation becomes new law. (Good thing I studied a bit of law in my university days.)

The GDPR is about protecting the privacy of people who are in the EU. Where, in any of what I wrote, did I take this thread "off topic" or make false statements, or misrepresent logic with "waffle" about this first principle of the GDPR? Please feel free to point out where I have stated, implied or otherwise misrepresented the GDPR in respect of its fundamental privacy protection provisions. Characterising my entire behaviour, that I have done something—taken this topic off-topic, made false statements, write waffle—involves "facts" not yet introduced in evidence . Making these kinds of characterisations exposes those who make them equally accountable for going off-topic, making false statements and writing waffle.

The GDPR is secondarily involved in regulating the safeguards for the storage and disposition of information about people in the EU and, in particular, the responsibilities on individuals, businesses and organisations that have commerce with people in the EU. Again, I have never written any opposite opinion about this aspect of the GDPR. I have not claimed that the GDPR is something exclusively about organisations, business and individuals based in the EU or that the GDPR extends to, and regulate, organisations, business and individuals that are not based in the EU.

These are the two main purposes of the GDPR. They are not the only purposes of the GDPR.

The mechanics of where, when, why, how much and how this information is stored, used and/or distributed are less certain. For example, a website owner who never asks people for their real name (or other personally identifying inormation) but stores the IP address (and, by inference from that) their geographical location where they last accessed the website from, would not fall foul of the GDPR whether the website, or the business connected with it, operated in the EU or not.

The territorial scope of the GDPR allows the EU to flex its muscle—to forbid foreign businesses from working with people living in, or travelling within, the EU—by simply preventing trade with those businesses. Put into practical terms for website operators, if someone in the EU doesn't like how your outside-EU business operates, they may be able to have your website blocked from being accessible to people within the EU. That's an example of the pervasiness of the GDPR; that's just one of many examples.

The imputation that I, personally, will have to "pay thousands of €", (without knowing anything about my business) was an unwarranted one. I note that no-one (other than me) challenged that imputation. On the other hand, nearly all contributions I've made to this topic have been sliced, diced and [* spam *]. I think that's a little unfair, don't you?

I also think that some of @Webdongle's characterisations about me, about my style of writing and my personal views (or my ability to express those views)—waffle?—have sailed closed to the limits of respectable debate. In interests of having a respectful debate, a conversation, I try to not make personal characterisations. I may argue counter-views about the substance of the conversation—it's called "free speech"—but free speech does not mean labelling something as waffle or tolerating someone abusing someone else's fundamental right to hold a different view.

I accept that where my business may be affected by the GDPR I will give those matters due consideration; I have never claimed to do otherwise. In general terms, however, in addressing the original question—"How am I (and how are others) dealing with the GDPR?"—I claim that my business is unaffected by the GDPR. If someone can prove that my business is affected by the GDPR, be my guest—in court (not here). By the same token, I don't have to prove [here] that my business is not impacted by the GDPR ... so there!

[Webdongle]

@Webdongle: the language of law is very precise (that's why we have lawyers and judges to interpret the language). If something is not explicitly stated in the language of law a meaning cannot be "implied" simply because a few words were omitted from the text of the statute. The law doesn't infer a meaning; it interprets a meaning and when courts rule on the interpretation of a law's meaning, the interpretation becomes new law. ...

@sozzled
You are getting confused. I did not say the legal wording of the gdpr implied websites ... I was speaking of the quote. As the quote applied to the gdpr in general then it implies that it also applies to websites because websites are mentioned in the gdpr wording. Mentioned in several places here is one https://gdpr-info.eu/recitals/no-67/

You also try and tie my use of the word "infer" with legal terms. I was speaking of what you infer not the legal definition of the word.

The rest of your post (as with many of your posts) twists what was said and associates it with a different concept.

I accept that where my business may be affected by the GDPR I will give those matters due consideration; I have never claimed to do otherwise....

Yes you have on several occasions said the gdpr only applies to the eu.

The GDPR applies to individuals in the EU just as it applies to corporate entitities in the EU.

I am bound by the Australian Privacy Principles. If I was operating within the EU then I would be bound by the GDPR.

if they're conducting business with people in the EU, do you think the operators of the website are required to comply with the GDPR? I contend that a foreign-owned and operated business—outside the EU—is not exposed to those requirements.

Nobody has said your site has to comply nor have they said that you have to prove that it doesn't. All that has been said is that the gdpr applies to some non eu companies.

[sozzled]

You're rewiting what I've written (and you've done so by characterising the way I've phrased things); you're rewriting history. I haven't written the things you've written about me and this is not how I would like to conduct a courteous conversation.

I am not "confused" by what you've written about me. I think your intentions have been to misdirect this discussion and, in doing so (especially by labelling my contribution as "waffle", by asserting that I've written untruths, by claiming that I've "wasted" your time, and by suggesting that I'm ignorant of how laws work differently in different parts of the world), I don't think you've assisted us with your opinions on the matter.

I've actually struggled to obtain a simple, concise understanding of your views.

I have, on several occasions, taken your side and defended you where I thought you were unjustly treated. On other occasions, where I felt you may have overstepped the mark, I'm left matters alone. On some other occasions, where I didn't feel it was worth the effort to debate the matter, I'm quietly allowed you to take the "win" in order to maintain the peace.

On this, occasion, I'm calling you out for intentionally stirring up trouble and I won't tolerate it.

It's possible that you may not have implied the things I've concluded; it's possible that it's simply my [mis-]interpretation in reading what you've written here. However, the undeniable fact is that you've roundly criticised me, on nearly every occasion, without making any concessions, simply because you think I'm wrong (or ignorant) and you aren't willing to help.

Are we done?

[Webdongle]

You're rewiting what I've written (and you've done so by characterising the way I've phrased things); you're rewriting history. I haven't written the things you've written about me and this is not how I would like to conduct a courteous conversation....

I have also defended you when I thought you are right. I have not misquoted you. You have written it. Those are direct quotes ... I have not altered your words at all. Here is proof, a screen shot showing that I have quoted you accurately and not altered the words.

quote 01.JPG

[sozzled]

Did you read the news? Apparently Europeans aren't doing a thing about the European Union cookie policies. Now we have the GDPR (General Data Protection Regulation), what's even worse than a simple cookie consent and I'm seriously thinking about blocking traffic from Europe.

What are your approaches on this? Is there any extension that can solve the rules part? Or any extension that can block traffic from that continent?

From what I've read, it appears that the claim about Europeans "not doing a thing about the cookie policy" is in the ballpark. The GDPR is even more complicated than businesses simply having a tick-and-flick checkbox.

According to reports that I've read, some US companies are spending over $1 million to achieve GDPR compliance. In one report (dated 13 July this year) only one in five (20 percent) companies surveyed believe it is GDPR compliant, while 53 percent are in the implementation phase and 27 percent have not yet started their implementation. EU companies, excluding the UK, are further along, with 27 percent reporting they are compliant, versus 12 percent in the US and 21 percent in the UK.

So the situation outlined by the OP is reasonable; most people (including most people contributing to this conversation) have done nothing about complying with the EU cookie policy or GDPR compliance. That's just confirming what I, too, have read. I don't think joomla.org is "GDPR-compliant".

As @spikespiegel wrote at the beginning, we are faced with a dilemma: either we accept the consequences that someone in the EU decides that our non-EU-based businesses should be exposed to the fury of EU law or we take matters into our own hands—we "deal with the GDPR"—by blocking access to our businesses from people in the EU. It could be that simple.

I already try to prevent block—to varying degrees of success—parts of the world from accessing some of my websites. I could, if I wanted to, extend the geography to include all countries within the EU (as @spikespiegel has suggested). There are extensions in the JED that will do these things: Akeeba Admin Tools has a feature to do that (as an example).

I don't think any of us can provide a simple solution that "deals with" regulations that take a quarter of a million words written in dense legalese to define. I think most of us are "dealing with the GDPR" by hoping that we won't be dragged into this regulatory net. Perhaps the expected changes in J! 3.9 will address some of these issues but, as far as keeping ourselves fully compliant, a simple tick-and-flick just won't work.

[Webdongle]

Found this about data protection

The UK was one of the most active regions for regulatory enforcement action in Europe last year, along with Italy (€3.3m). But whereas the European pattern has seen comparatively low volumes of regulatory enforcement actions, with low level financial penalties, this is in stark contrast to the US where fines of approximately $250 million were served.

https://www.information-age.com/uk-data ... 123466562/ not sure if the US prosecute under the same law or a different one.

[spikespiegel]

To discuss the GDPR we have to consider both political, ideological and technical sides, as they're all tied to each other.

Now personally talking about regulations: I can offer proof, based on facts, that regulations only affect small businesses or anyone doing business by their own, they do not affect big companies (AKA as corporatists), as they're hands given with the State (Wrongly called "The government"). So despite what arguments anyone here may use to defend the GDPR, please read this:

Government Regulation

The antagonism between the two methods available for the transformation of the capitalistic market economy into a socialist system dominates present-day economic discussion. There is practically no longer any political party that would stand for the unhampered market economy. What the politicians nowadays call economic freedom is a system in which the government “regulates” the conduct of business by innumerable decrees and administrative orders and prohibitions. The Western nations do not endorse the Soviet methods of all-round nationalization of all enterprises and farms. But they no less reject the market economy which they smear as Manchesterism [the theory of nineteenth-century advocates of free markets], laissez-faire system, or economic royalism. They give to their own system various names such as New Deal, Fair Deal, or New Frontier in the United States, and “soziale Marktwirtschaft” in Germany. The authorities credit their own activities that in manifold ways paralyze the entrepreneurial initiative to introduce improvements in the methods of production and to improve the people’s standard of living, and they blame business for all the mischiefs resulting from their own interference with it.

Not only the politicians and bureaucrats committed to these policies of progressively restricting the sphere of private business, but also the authors of books and essays dealing with these problems fail to realize [247] that their program leads no less to integral socialism than to the nationalization program. If it is within the jurisdiction of the authorities to determine which prices, wage rates, interest rates, and profits are to be considered as fair and legal and which not, and if the police and the penal courts are called upon to enforce these decisions, the essential functions of business are transferred to the government. There is no longer any market and no longer a market economy. It is obvious that the countries this side of the Iron Curtain are more and more approaching this state of affairs. The businessmen, threatened by the menace of such controls, are well aware of the fact that they can escape the enactment of “controls,” i.e., full government control of all prices, only if they avoid asking prices of which public opinion does not approve. They have long since virtually lost any influence upon the determination of wage rates. Moreover there cannot prevail any doubt about the fact that the bulk of the funds required for financing the ambitious plans for additional government projects will be collected by taxing away what is still left of the “unearned income” of the shareholders. Even with the present height of the rates of income and inheritance taxation, the greater part of the capital invested in business will in a few decades be expropriated and government-owned.
What the advocates of planning and of social control of business consider as a fair arrangement of economic conditions is a state of affairs in which the various enterprises do precisely what the authorities want them to do and every individual’s income after taxes is determined by the government. Although all political parties again and again protest their abhorrence of the Hitler regime, they are eager to duplicate Hitler’s economic methods. This is what they have in mind when talking about “discipline.” They do not realize that discipline and control are incompatible with freedom. Obsessed with the idea that the entrepreneurs and capitalists are irresponsible autocrats and profits are an unfair lucre, they want to deprive the consumers of the power to determine, by their buying and abstention from buying, the course of all production activities, and to entrust this power to the government.
The political corollary of the supremacy of the consumers in the market economy is the supremacy of the voters under the system of representative government. Where the individuals qua consumers become wards of the government, representative government gives way to the despotism of a dictator.

Ludwig von Mises, Economic Freedom and Interventionism [Page 248]

Who is Ludwig von Mises?

In this episode, Guido Hülsmann, author of Mises’s biography The Last Knight of Liberalism, highlights the life and work of Ludwig von Mises (1881–1973), arguably the greatest economist of all time. Very early in his career, Mises was influenced by Carl Menger and Eugen von Böhm-Bawerk to turn away from the Historicist approach and to pursue studies in economic theory.

Among Mises's many contributions, Hülsmann discusses the socialist calculation debate, Mises’s battle against inflation, and the argument that economics is part of a larger science called Praxelogy. Mises revolutionized the theory of money, developing a full explanation of money prices and the consequences of money production.

Source: mises.org/library/who-ludwig-von-mises-0
More info here: thefamouspeople.com/profiles/ludwig-von-mises-3983.php

Now let us talk about who's affected by this law.

Anyone who collects data on Europeans (And I don't believe this *** that it is only about collecting data of people from the EU), despite where this "Everyone" is located, so if you're an Alien living on Pluto and collecting Europeans data, this law also applies to you, but the thing is: What if Europeans are traveling abroad? What if European Traffic is blocked, then they access the site using a proxy, the cookies will then be saved on their computer, what will happen? There's a whole lot of questions and loopholes, meaning that on a long-term basis this law will only turn the internet into ashes, but after all, isn't that what a government regulation is supposed to do?

Someone said the GDPR first started as an educational thing and then turned into a weapon: Well, that's pretty much how every government regulation starts. Would Hitler have gotten into power if he first has said, "All I want is to ***** off with your germanic lives while you follow me without questioning my orders"? No, he said "We have a huge problem and I know how to fix it, cause I'm a good intentioned fella, and you're all a flock of sheep, oops, decent people who deserve to be saved from the evil Jews", after all, he was a politician.

How many Jews died because of Nazism oppression? Also, how many Germans died because of Nazism regulations and also nazism oppression?

So, tell me, how come is Nazism different from the GDPR? It follows the same logic of Nazism, just a different context, and it also kills (Indirectly, but it kills, as it makes money small businesses go bankrupt).

So whether this law was created with good intentions or not: It is still a bad thing by the end of the day.

Now to the technical side:

What is it that we, as a community, can do to develop a solution to Joomla users, that will make them not only GDPR "compliant" (I highly doubt it is possible, but it's better to take action than doing nothing), something that will be almost a magic bullet?

And again I say "To discuss the GDPR we have to consider both political, ideological and technical sides, as they're all tied to each other.", so to develop a solution we shouldn't just look at the technical side.

[sozzled]

Thanks @spikespiegel for your input. I won't comment on commentary about the contest between different political ideologies although I see three potential outcomes:

1. the GDPR will successfully transform businesses around the world w.r.t. the protection of privacy for people who live in the EU;
2. businesses around the world will adapt, will find sanctuaries/safe havens that are beyond the reach of the GDPR, and people in the EU will have to adapt to these changes; or
3. the GDPR will morph into a model for how businesses should handle data privacy everywhere resulting, perhaps, in a World Privacy Organisation "thingy"

What is it that we, as a community, can do to develop a solution to Joomla users, that will make them not only GDPR "compliant" (I highly doubt it is possible, but it's better to take action than doing nothing), something that will be almost a magic bullet?

I do not believe that we, as a community, can develop any solution for Joomla (or any other CMS) users—businesses, organisations and individuals—that will make anyone or anything GDPR compliant.

The GDPR contains nearly 100 separate and nuanced articles that can be difficult to understand even for data privacy experts. I found this outline about some of the key elements of the GDPR:

First of all, a checklist of the types of personal information within the ambit of the GDPR:

• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

It's a fairly comprehensive list and involves most of the things that websites normally process. So, from that viewpoint, we are potentially all impacted unless the reach of your websites doesn't extend beyond the front door of your house or office.

Secondly, a checklist of the businesses that are impacted by the GDPR:

• Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

This effectively means almost all companies but this begs the question whether the GDPR only relates to the dealings between companies, other companies and private individuals? Are all organisations treated as companies? Are all businesses treated as companies? Are we, as small businesses, to be treated in the same manner as the big multinationals?

This leaves us with perhaps a few choices:

1. if we want to achieve full GDPR compliance, we undertake the risk management process and spend the estimated $1 million to $20 million;
2. we accommodate minimal consumer rights provisions that require a person's consent to use personal information for “no longer than is necessary for the purposes for which the personal data are processed” and the right to be forgotten and hope this gives us some breathing space; this is what I'm considering for myself;
3. we ban people within the EU from having any transactions with companies located outside the EU;
4. we do nothing more than what we're required by law to do at home (and pray that we're not going to savaged by Belgian malcontents);
5. we do nothing at all and hope that J! 3.9 takes care of things.

I dunno ...

[fcoulter]

So, tell me, how come is Nazism different from the GDPR?

In almost every way imaginable. There is an unwritten law of the internet that no discussion is improved by bringing Hitler into it, so let's no go down that route. Also I have to say that I think that making such a fatuous comparison is deeply insulting to the terrible suffering undergone by many many millions of people in the 1930s and 40s.

Like it or not regulation of some sort is a part of any modern society. The only practical questions seem to me whether the regulations are well-written, and whose interests do they serve?

I don't think that there are many people who would dispute the contention that GDPR is very heavy handed, apparently ill thought out by people who have little idea of how the internet and internet businesses actually work, over-reaching, and over-complicated.

As to whose interests does GDPR serve? I think like most laws, mostly lawyers. Also the snake oil salesmen who will try to convince you that they know exactly what it requires and have a solution which they will happily sell you so that you can become GDPR "compliant".


Nevertheless it seems to me that it is a response to a real issue, of some businesses that have been playing fast and loose with our personal data for years.

I think that Sozzled missed out one possibility, we stop worrying so much about the letter of the law, and instead think about the spirit: make sure that we treat anyone who trusts us with their personal data as we might hope to be treated. We don't sell it or use it to spam them, we ask them for their consent for any use we do make of it, and if they ask for it to be removed, we do so. Just a thought.

[sozzled]

Yep, @fcoulter: another illustration of Godwin's Law.

Nevertheless it seems to me that it is a response to a real issue, of some businesses that have been playing fast and loose with our personal data for years.

I totally agree!

I think that Sozzled missed out one possibility: we stop worrying ... about the letter of the law, and instead think about the spirit: make sure that we treat anyone who trusts us with their personal data as we might hope to be treated.

Yeah, I was trying to make that point somewhere but there was this "he-said/he-didn't-say racket" making too much noise ...

Well said!

[mjonutz]

So to answer to your question, none at all, because i don't store any client info