I really need better generics support before ty becomes useful. Currently decorators just make all return types unknown. I need something like this to work:
This product brings back fond memories to one of those early-internet gems: the "Star Wars mosquito defence system" gag infomercial that was launched 18 years (!) ago: https://youtu.be/wSIWpFPkYrk
Using the PKCS11 certificates on a Belgian eID is cumbersome because the whole 'client certificate' workflow has always been a pain in the butt UX-wise. Many workarounds have been implemented to improve on this, making it less platform-independent than theoretically possible.
The itsme app works totally fine for me, and my less tech-literate family members. It strikes a good balance in UX and security.
All in all, I think that the Belgian government is doing a good job in this. It needs to work well for the average user, which it does! I don't expect my government to spend time and money to support all fringe cases like smartphones that don't run iOS or Android.
> I don't expect my government to spend time and money to support all fringe cases like smartphones that don't run iOS or Android.
I expect my government to create solutions that work for everyone. Including "fringe cases". Including people in poverty. The marginalised. The contrarians. The smartphoneless. Everyone.
Edit: and I especially expect them not to further the de-facto duopoly of Google & Apple.
Note that itsme is not a requirement for anything, so the smartphoneless still have alternatives available. To file your taxes in Belgium, you have the option to file on paper, or online by logging in through one of: eID reader, itsme, 2FA using an app (e.g. Google Auth, Authy), e-mail, text message, or an EU-wide ID system. Who exactly is being excluded here? Also, which other smartphone OSes do you expect them to support?
Another big recent achievement of the European Parliament is the "General Data Protection Regulation" (GDPR) [1], which comes into effect in May 2018 and stipulates that companies can be fined up to 4% of their worldwide turnover when they fail to protect/process the data of EU-based customers in a proper manner.
For example: say that LinkedIn was to experience a new data breach, and they fail to inform the authorities or their customers in time, then they can be fined for up to 120 million USD (based on a revenue of 5 billion USD)!
I'm surprised that it's so little known here, as the impact will be massive.
Yep, and it does much more than that: it forces companies to actually wipeout your data when you ask them to (not just flip some bit and still keep that data, like facebook infamously does), and also set strict TTLs (Time To Live) for any derivative data that the user cannot explicitly delete.
How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement" the other says "delete it immediately" which is it?
"How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement" the other says "delete it immediately" which is it?"
GDPR is an EU-wide regulation that trumps national privacy laws. It doesn't even need to be approved by individual members, so when it goes into effect on 25 May 2018, it will be working EU-wide on the same day. Furthermore, it affects companies all over the world that serve EU citizens. There's much skepticism on how the EU will enforce this law worldwide, but for now it was quite successful dealing with big companies, remember: Microsoft vs EU (paid €561 million fine), multiple cases of Google vs EU (right to be forgotten, Ireland tax ruling, ongoing case vs Android), Facebook/WhatsApp vs EU (€110 million fine) etc. To answer your question: no, there will be no conflicting laws - if you serve EU citizens, you must follow GDPR. From my personal perspective, GDPR is one of those not-so-often moments that I'm proud of the EU.
> Furthermore, it affects companies all over the world that serve EU citizens.
No, GDPR applies if companies target EU citizens [1][2]. My personal opinion of the law is that it's as useless as the cookie law but way more costly and unpredictable.
> The mere accessibility of your website by individuals in the Union or use of the languages of one of the Member States in the Union (if the same as the language of your home state) should not by itself make you subject to the Regulation. However, the following factors are a strong indication that you are offering goods or services to individuals in the Union and so are subject to the Regulation:
> Language - You are using the language of a Member State and that language is not relevant to customers in your home state (e.g. the use of Hungarian by a US website).
> Currency - You are using the currency of a Member State, and that currency is not generally used in your home state (e.g. showing prices in Euros).
> Domain name - Your website has a top level domain name of a Member State (e.g. use of the .de top level domain).
> Delivery to the Union - You will deliver your physical goods to a Member State (e.g. sending products to a postal address in Spain).
> Reference to citizens - You use references to individuals in a Member State to promote your goods and services (e.g. if your website talks about Swedish customers who use your products).
> Customer base - You have a large proportion of customers based in the Union.
> Targeted advertising - You are targeting advertising at individuals in a Member State (e.g. paying for adverts in a newspaper).
All the big (and smaller) players in tech are working hard to implement all the requirements of this law (control over what data is stored, TTLs, encryption).
How is this useless for end-users? It forces companies to encrypt this data at rest, and allow users to delete it when they want.
I can't really envision Facebook or Google removing all EU-only language options and doing away with targeted advertisements, so how come you think these criteria won't work?
It is possible for there to be a situation where to offer some service, you have to either break the laws of one country or the other. In this situation, you simply cannot offer that service without exposing yourself to legal consequences.
That's not always sufficient. You can end up in a situation where an American court demands records that concern European customers. In that situation, handing them over gets you penalized in an European court, and not handing them over gets you penalized in an American court. Both will have the ability to really hurt you, and "the other court tells me not to" is not a defense at either of them.
I would guess that one solution is to keep EU citizens' data in the EU to avoid it being subject to other laws. And possibly having separate companies by country.
As an analogy, if I recall correctly banks have very stringent laws to follow regarding data export and money export to other countries. The solution they choose is to have a bank per country, not a global bank.
> I would guess that one solution is to keep EU citizens' data in the EU to avoid it being subject to other laws.
This is exactly what is being done by the large corporations that can afford to do it. European datacenters staffed by Europeans. Americans are not allowed to view any PII for any European (at least with the company I work at).
Russia requires the same thing, although they just want the servers in their country so they can put a SORM-3 alongside it and intercept whatever data they want.
I would imagine, since the EU is where the data resides, and the EU is the legal jurisdiction, that the EU would take precedence. It's monumental nationalistic and legal hubris to think that American law takes precedence anywhere in the world, let alone with an ally as large as the EU.
Be that as it may, there is nothing to stop US authorities from charging US companies with crimes if they were to comply with EU laws. They are in direct conflict, and any internet-based company operating on nearly any scale is in danger of running afoul of these sorts of issues. This isn't a Google/Facebook only problem, this is a problem for any web service that might store user data.
Just FYI, this case was reversed on appeal (i.e., against the government). I recall there being some buzz with the government potentially pushing for further court action, but as far as I know that's the current status.
Of course there is. You comply with both laws or suffer the consequences. If you can't comply with both, you choose the cheaper law to break. If that's too expensive, your business sucks.
One of the goals of the GDPR is to consolidate all the data protection laws of the EU member states. So within the EU this shouldn't pose a problem. For the US, I assume this is covered by the EU-US data shield. I assume a similar construct will be necessary for GB once it leaves the EU.
You ask your team of lawyers who can make a good decision for your company based on your business goals and the relative values of complying with each of the competing laws, along with the relative risks associated with failing to do so.
Company may have to treat the data differently according to where the user lives (yes, it can be a mess). For EU countries, the EU law has priority (except for the constitution).
So on my ad-supported site that does not ask users where they are from, I will have to put a geo-ip filter to keep EU people off in order to avoid fines? Otherwise, do we accept that statements like "we'll have to respect the laws of the countries we do business in" are a bit generic and over-reaching in a global medium? I have not read the proposed law and I trust this situation is covered, but I am still annoyed at every region having so many of its own internet rules (not EU specific, goes with them all). Granted, explicit business w/ explicit customers giving explicit monies in nation-backed currencies does make it easy to follow this law, but not everyone's business is like this.
This is a hypothetical, so let's say yes. So, do I need to filter out my users to avoid fines? That may seem noble and great in this particular case, but it's a slippery slope. The more regionally-specific regulations that are introduced causing more work for companies, the more the ROI per customer in that region may reduce. Once it gets below 0 with the threat of fines for a company, the users might be cut off.
It seems all good for this specific policy because most of us agree with it globally. But data protectionism and/or extreme regional deviations/regulations in law will reduce the globalism everyone shares. Other options (such as educating the populace or encouraging competition) can be more effective than restrictions.
This is something to think about as the EU grows smaller, not larger. Even today, small companies with fewer EU users may stop and think about providing access at the cost of, e.g., building a portal for them to manage cookie settings.
> This is something to think about as the EU grows smaller, not larger.
I guess we'll see what happens with Brexit, but I would argue that the EU is growing in global importance and leadership. With the USA's recent NSA scandals, isolationist rhetoric, and backing out of international environmental agreements, I think we're going to see the EU increasingly set the tone for international trade.
I'm sure there will be plenty of tech firms that choose to serve only US customers (in the same way that there are Chinese-only and Russian-only companies today), but competing "globally" will mean following the EU's lead.
I understand your concern; if restrictions become overly complex, regional compliance may start to limit innovation (e.g. EU VAT based on destination country).
That's a different type of restriction than respecting user privacy because you can't apply the same approach everywhere. A company could easily extend the same rights to all their users. If your offering needs to violate user privacy to exist, maybe it shouldn't.
>Other options (such as educating the populace or encouraging competition) can be more effective than restrictions.
This appears disingenuous.
1. Competition: In your example above respecting user rights nets <0 ROI. There can be no competition here that respects user rights, so how would this help the situation? Conversely, restrictions will encourage competition by protecting less profitable and wealthy ventures from predatory global competition solely focused on maximizing profit.
2. Educating: You're seeking to shift responsibility from experts to laypeople, then blame the laypeople for their lack of education. It's like suggesting we should eliminate building codes then educate people on proper construction. Basically you are advocating for schools and high-rises that collapse.
If they aren't part of the EU or strongly associated with EU institutions why would the GDPR apply to them?
What the EU is trying to do is make it so countries outside the EU only have to think of the EU as a single country. This is why there's a single market and single currency.
Do smaller companies get less onerous requirements? This is achievable for mid and large companies to comply with but may further stifle EU innovation.
I think this is a good set of data protections and hope there are ways to make compliance incredibly low friction.
Why is the GDPR a requirements nightmare? It's one ruleset for the whole EU instead of one ruleset for each EU state. And the GDPR seems to be no more complicated than the individual laws that were there before.
It isn't? Are we talking about a different regulation?
I quote from the title of 2017/0003/COD, COM (2017) 10:
> Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
See, there's this thing called context: the meaning of the word changes through the surrounding words. If there is a word "repealing" in text, this does not usually mean "everything that's related is repealed" - it means exactly what it says on the tin: "repealing Directive 2002/58/EC" - nothing about repealing the existing state-level legislation (to repeat previous context, "It's one ruleset for the whole EU instead one ruleset for each EU state.")
My point still stands - you still need to conform to both GDPR and the state-specific legislation.
It may be that I am the one who is misinformed here. My understanding was that 2017/0003/COD was about creating a replacement for 2002/58/EC. I haven't read all the documents, so I could very well be wrong.
But assuming that I am right, then a replacement directive would simply cause the states to update their laws and nothing would really change in terms of complexity compared to the situation before.
If it's just 4% of revenue, the fine could well be 0 for startups. I presume they have some provision to prevent 0 euro fines; does anyone know about that provision?
From the wikipedia page: "fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater"
I've seen court ordered removal before and no one even considered backups and the impact on backup integrity had it been removed from backups. Especially when considering off site backups that the company will often not have immediate access to.
Seems like it will be extremely difficult and expensive to guarantee all copies are deleted. Also, replication is necessary for caching and reliability. I worry about how such seemingly well-intentioned laws can have adverse unintended consequences.
Think of it in terms of infosec: in a similar way, one could complain that having to sanitize secrets from RAM is harmful to performance (why can't we cache the result of decryption)… Yes it's an overhead but at the end of the day, we build technology to serve human goals, not the other way around.
(To be pedantic, we build technology to serve business goals, which are fulfilled within the larger context of serving human goals. Laws like these are to prevent shortcuts that would serve business goals while at the same time be detrimental to human goals.)
If our company had to delete all customer data for a particular customer, then I would need to:
- restore 6 months of database backups individually, remove the data, then take and store each backup again.
- have 3 years' worth of tape backups shipped back to us from our data protection company. Restore the databases off of them, delete the data, store them back on tape, and have them shipped back to the long term storage facility.
It is not just the deletion when closing your account. It is the keeping track of all the copies that have to be made during regular operation (including packets in temporary buffers, periodic backups, cached versions, redundant copies to hedge against data loss) just in case one day the user decides to delete.
Agreed. I was initially reluctant about the GDPR thinking it'll be more rubbish to have to take into account but was really pleasantly surprised. It actually and seriously implies better rights over collected data and privacy.
I think soon enough, privacy is going to become a serious competitive advantage for Europe because it'll translate into consumer confidence and business confidence.
I wish we had more European based alternative services that I could switch to. With email the standard response to dumping Gmail seems to be FastMail (non-EU) and I haven't seen anything high-quality within the EU. Same goes for lots of other services.
If anyone reading has some suggestions for EU based alternatives to popular websites/apps I'd love to hear.
It's good that this idea (fine as a percentage of revenue) is finally becoming mainstream, but it's sad that the percentage is so low... 4% is just cost of business, like taxes etc. It should be about 30% if we really wanted to incentivise the companies (or their CEOs/shareholders).
It's called regulators with teeth, and it's what makes the EU livable for its citizens. As an EU and US citizen this is exactly why I choose to live in the EU.
That's not how I'd put it, as a citizen of an EU country. The overregulation is suffocating for both business and individuals (who lived in socialism and value liberty, anyway).
Just this year, EU regulations destroyed my LTE data plans, hugely increased my cost of Swiss travel (the same) and ruined my hobby because terrorism.
It is sad that EU is slowly moving back towards the over-regulated and bureaucratic regimes of the past. This will further push the EU economy down the drain and prevent people from innovating. I just hope it does not lead to jail sentences and labor camps for people accidentally leaking the data as some in this thread are arguing for. The history does not provide much hope here unfortunately.
I don't see how this law benefits anybody except filling up the EU budget by collecting fines. The companies are already careful with their data as any leak would affect their image extremely negatively.
If one needs a good example of why Brexit happened, here it is.
It will prevent people from innovating in profiling, ad serving and keeping peoples data private. What a shame! Really wish the EU would see how great it is in the UK where they want to be able to access anything ever posted online, which can only lead to innovation of the highest caliber. /s
Do you think this law will prevent the government from accessing the data somehow? The way it's written it's primary goal seems to be extracting fees from successful business and not protecting user privacy. Ideally you would not want government intervention in these matters at all as you can bet it will end up with special provisions for government to have an access.
There's so "few" of them because they're in a dozen different languages.
And they're not startups, just small businesses, the difference being mostly the funding. Investing a million for some people to burn through and say "yah, that didn't work" is very much unacceptable.
It should be over 100%. The ideal goal is that a company that has a massive data breach due to their incompetence (such as refusal to hire experts at market value) should cease to exist. I still think we need prison time for those making the poor decisions. Even if they didn't intend to hurt anyone, should we tolerate recklessness of that nature?
To come back on my example: LinkedIn reported a net income of 166 million USD. The potential fine is thus more than 70% of their profit!
The fine is also based on the revenue of the parent company. Say that Nest would be fined, then the revenue of Alphabet Inc. would be used as a reference point! A good enough incentive to make sure that all parts of your operations are covered :-)
For my work, I'm working on the impact of the GDPR on research, and how the GDPR will work in scientific communities. I'm not a lawyer, of course, so my interpretation might be a bit off (so disclaimer, IANAL, this is not legal advice, etc.). Anyway, these are just some of my thoughts on the subject.
Well, GDPR is a big topic, and it is not yet clear how all the provisions will be implemented. It is not that different from the (currently valid) Directive, but it does clarify certain points, and makes much more stringent penalties, as mentioned in the parent post (the fine is actually 4% of the global revenue, or 20M Euro, whichever is greater).
The changes in respect to the Directive are, in short:
• GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of where it takes place
• Penalties – up to 4% of annual global turnover or 20M€ (whichever is greater)
• Consent – conditions are strengthened (clear and plain language, explicitly related to the processing, easy to withdraw)
• Breach notification
• Privacy by design
• Right to be forgotten
• Data Protection Officers
• Right to access
Now, as mentioned in another comment, the right to be forgotten and erasure of data is not really a wipeout; the data controller and data processor are supposed to do it using "industry standards" and "reasonable effort" (the controller, e.g., should flag that processing of the data should be restricted). Also, there are exceptions (legal claims, public authorities, free speech, etc.).
A different comment points out that the Regulation, unlike the Directive, makes GDPR valid in all EU countries, and this is true. However, the EU states are free to implement their own data privacy laws, which of course need to be in line with the GDPR. This may potentially introduce legal inconsistencies across the EU for certain points.
Also, one should not underestimate the legitimate interest of the service provider, or controller, to retain the data, even if the user has asked for the data to be removed. The data may also be retained at the request of relevant public authorities, etc. One comment has suggested what will happen if an EU citizen requests the removal of its data, while the US public authorities ask for access to this data. In this case, the relevant EU public authorities may request that the data be kept (or not, I guess this will be decided case by case; also the provider may have a legitimate reason to keep the data..).
And of course, the biggest problem, the transfer of data to non-EU countries. For this, there are several ways to do it; one is mentioned already, i.e. user consent (which must be clear and unambiguously given, and can be revoked at any time). Then, of course, there are contracts, binding corporate rules, etc. For EU-US transfer, there is Privacy Shield for transfer of data to the US (which is a replacement for Safe Harbor, struck down by the ECJ), but this is mostly for commercial services (so it does not work for academic environments..).
There are some other interesting aspects to GDPR, but this post is already getting a bit long. For more info, these links are interesting:
There are multiple WP29 interpretations on various points (some of them are actually human readable, not just legal talk..), etc. In any case, it will be interesting to see all these developments in the future.
> "industry standards" and "reasonable effort" (controller, e.g. should flag that the processing the data should be restricted).
Not quite. That sort of fits the current model, such as Facebook not deleting data, just restricting access. In this case, data should be marked for deletion, "within a reasonable time frame". Data controllers may not retain the data indefinitely, no matter how much they want to.
In practical terms, the implementation of that will probably be influenced by the fact that a user should be able to download all their data without hindrance (Data Portability).
That is correct, the user will have access to the data, e.g. the images/videos the user uploaded to Facebook, and I presume Facebook will have to delete (successfully) these data upon request. However, personal data are not just images, or similar. It is also IP addresses, logs containing the user's actions, etc., everything and anything that may identify a person. So, e.g. if some logs somewhere may contain IPs of a user, or some actions of the user were recorded in logs that are scattered throughout the system, the controller may argue that it "reasonably" tried to remove also these data for the user, but it can't guarantee that. However, GDPR now stipulates Privacy by design, which means some of these scenarios might have to be taken into account before creating and providing a service, so the removal of (all) user data should be more feasible.
It is for those reasons that EU companies are innovating in privacy, for instance doing AI assistants which are private by design with https://snips.ai
Here in Belgium 3D-Secure is also commonplace, and the experience provided by my bank has significantly improved throughout the years. I also don't think it hurts the conversion of webshops around here because everybody is used to performing these extra steps.
It works as follows:
- Merchant redirects me to his payment provider
- I enter my debit/credit card number into the payment provider screen
- I am redirected to my bank website, and am able to verify the URL (no iframes anymore!)
- My bank has two methods of verification: scanning a QR-code with the mobile banking app on my phone, or logging into the online banking website (with a Vasco DIGIPASS 836, which requires a debit card+pin to generate an OTP)
- I verify the amount and creditor in the mobile/online banking app, and sign the transaction with my mobile pin/digipass.
- I am redirected back to the merchant.
All in all, I think it costs me 30 seconds to complete the extra 3D-Secure steps when using my mobile banking app.
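The security property behind the "verify the amount and creditor, then sign" step above is that the confirmation code is computed over exactly what the cardholder sees on the trusted device, so an amount or creditor altered anywhere between the merchant and the bank fails verification. The following simplified model of that exchange is an added example, not code from the bank, Vasco or any 3D-Secure implementation; the card secret, the field encoding and the truncated HMAC are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-card secret shared between the issuing bank and the
# cardholder's device (mobile banking app or DIGIPASS). Constructed for this
# example; a real issuer derives it from the card and PIN in tamper-resistant
# hardware and never stores it like this.
CARD_SECRET = b"constructed-card-secret"


def issuer_challenge(pan_last4: str, amount_cents: int, creditor: str) -> dict:
    """Bank step: build the challenge shown to the cardholder after the payment
    provider forwards the transaction. The nonce makes each challenge unique,
    so a captured confirmation cannot be replayed for a later payment."""
    return {
        "pan_last4": pan_last4,
        "amount_cents": amount_cents,
        "creditor": creditor,
        "nonce": secrets.token_hex(8),
    }


def _message(ch: dict) -> bytes:
    # Canonical encoding of precisely the fields the user is shown and confirms.
    return f"{ch['pan_last4']}|{ch['amount_cents']}|{ch['creditor']}|{ch['nonce']}".encode()


def cardholder_sign(ch: dict, secret: bytes = CARD_SECRET) -> str:
    """Device step: the user checks amount and creditor on the app/DIGIPASS
    display, then the device signs that exact data with the card secret.
    Truncated to 16 hex digits to resemble a short OTP-style code."""
    return hmac.new(secret, _message(ch), hashlib.sha256).hexdigest()[:16]


def issuer_verify(submitted: dict, signature: str, secret: bytes = CARD_SECRET) -> bool:
    """Bank step: recompute the code over the transaction as it will actually
    be authorised and compare in constant time. Any mismatch in amount,
    creditor, card or nonce means the user confirmed something else."""
    expected = hmac.new(secret, _message(submitted), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(expected, signature)


def run_flow(shown_amount_cents: int, shown_creditor: str,
             authorised_amount_cents: int, authorised_creditor: str) -> bool:
    """Whole exchange: bank challenges the cardholder with what it received,
    cardholder confirms what the device shows, bank verifies against what it is
    about to authorise. Passing different 'authorised' values models a
    transaction modified after the user confirmed it; the check must then fail."""
    challenge = issuer_challenge("1234", shown_amount_cents, shown_creditor)
    signature = cardholder_sign(challenge)
    authorised = dict(challenge, amount_cents=authorised_amount_cents,
                      creditor=authorised_creditor)
    return issuer_verify(authorised, signature)


if __name__ == "__main__":
    print("untouched:", run_flow(2599, "Webshop BV", 2599, "Webshop BV"))
    print("amount changed:", run_flow(2599, "Webshop BV", 259900, "Webshop BV"))
    print("creditor changed:", run_flow(2599, "Webshop BV", 2599, "Other Ltd"))
```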
Any hints on how I can process datetimes with non-standard formatting properly? I've got mails where the date is formatted as dd/mm/yyyy, which causes Google Calendar to create an event on the 3rd of January instead of the 1st of March.
If you can, try setting each portion of the date as a different field for the parser to split out. Then in a zap you could re-assemble the date in the right order so GCal can understand it.
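The question and the reply above describe the same failure: a dd/mm/yyyy string such as 01/03 read with the opposite field order silently lands on the wrong day. The example below is added here and is not code from either commenter, Zapier or Google Calendar; it parses the mail format with an explicit field order, rebuilds the date in ISO 8601 order from separately captured parts as the reply suggests, and flags the strings for which a wrong assumption would go unnoticed. The year 2017 is a constructed sample value.

```python
from datetime import date, datetime


def parse_mail_date(text: str) -> date:
    """Parse a dd/mm/yyyy date as used in the mails from the question.
    An explicit strptime format never guesses the field order."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def naive_us_parse(text: str) -> date:
    """What a parser that assumes mm/dd/yyyy does with the same string;
    shown only to make the reported off-by-two-months effect visible."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def reassemble_for_calendar(day: str, month: str, year: str) -> str:
    """The reply's approach: each date part captured as its own field, then
    put back together in the unambiguous yyyy-mm-dd order before it is
    handed to the calendar. date() rejects impossible parts like month 13."""
    return date(int(year), int(month), int(day)).isoformat()


def is_ambiguous(text: str) -> bool:
    """True when both leading numbers are <= 12, i.e. the string is a valid
    date under either field order, so a wrong assumption produces a plausible
    but wrong event instead of an error. Useful for spot-checking a mailbox."""
    first, second, _year = text.split("/")
    return int(first) <= 12 and int(second) <= 12


if __name__ == "__main__":
    sample = "01/03/2017"  # constructed: 1 March 2017 in the mail's format
    print("intended:", parse_mail_date(sample))
    print("mm/dd reading:", naive_us_parse(sample))
    print("rebuilt for calendar:", reassemble_for_calendar("01", "03", "2017"))
    print("ambiguous:", is_ambiguous(sample), is_ambiguous("25/03/2017"))
```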
Has anyone tried the new Glacier-clone of OVH [0] yet? At 0.008 EUR/GBP it seems to be priced very reasonably, and there are no crazy retrieval price structures (although retrieval has a 4 hour lead time, just like Glacier).
I'd like to be able to set a minimum quality for torrents that appear in the RSS of my watchlist. This allows me to add it to the watchlist when it's widely promoted when it launches, and watch it when eventually a good torrent appears of the movie.
I've been looking for an aggregator that does this for a long time, but still haven't found it.
https://htmlpreview.github.io/?https://github.com/SimonSchic...