
GDPR Compliance which comes into effect on the 28th of May 2018?


posted on Feb, 22 2018 @ 02:46 PM

originally posted by: EvillerBob
It's not "personal data" in the way that most people think, it's "data about an identified or identifiable person, either directly or indirectly".

When I said "personal data" I was thinking about data that shows something related to the person, that's why they talk about "unique identifiers".
If the cookie doesn't have any data that can be directly connected with the person then it's not affected by the GDPR.



posted on Feb, 22 2018 @ 03:35 PM

i.e., arguably, websites may not be able to restrict access to only those who consent to the use of cookies, etc


Some cookies are used for the original purpose which is to create somewhat of a state for a stateless protocol such as HTTP.

For some websites, parts of the site cannot function properly without cookies. Hopefully such a thing would be considered.

Of course, many cookies are used just to track for marketing. Those are a different situation.



posted on Feb, 22 2018 @ 05:22 PM

originally posted by: ArMaP

originally posted by: EvillerBob
It's not "personal data" in the way that most people think, it's "data about an identified or identifiable person, either directly or indirectly".

When I said "personal data" I was thinking about data that shows something related to the person, that's why they talk about "unique identifiers".
If the cookie doesn't have any data that can be directly connected with the person then it's not affected by the GDPR.


If the data is capable of being used to identify the person - directly or indirectly, so if it can be used in conjunction with other information that is gathered - it is covered. Different rules might come into play depending on whether direct or indirect, but still under GDPR.

Your username, for instance is a good example. "ArMaP" doesn't identify you, but ATS record a link between that unique username and your unique email address, which would be considered capable of identifying you. Cookies are a bit more complex, but can fall within the same bracket.

The magic word is "pseudonymisation". There has been quite a bit written about anonymisation versus pseudonymisation under the GDPR if you have too much spare time on your hands and want to get very bored very quickly...



posted on Feb, 22 2018 @ 05:30 PM

originally posted by: roadgravel

For some websites, parts of the site cannot function properly without cookies. Hopefully such a thing would be considered.


This is one of the concerns. A site can be made to function without cookies, so there comes the question of whether cookies are a matter of convenience or necessity. Is avoiding the need to replace/rewrite the website software a sufficient reason for the purposes of GDPR?

Things might all work out fine, or it might become a big complicated mess. Not knowing is what makes life fun!



posted on Feb, 22 2018 @ 07:01 PM
a reply to: EvillerBob




A site can be made to function without cookies, so there comes the question of whether cookies are a matter of convenience or necessity.


How would it maintain the state between pages? Have the user enter his name and password on each page?

edit:

I suppose it could be done with only page data although it might be easier to defeat security and less efficient.
edit on 2/22/2018 by roadgravel because: (no reason given)



posted on Feb, 23 2018 @ 02:25 PM

originally posted by: roadgravel
a reply to: EvillerBob




A site can be made to function without cookies, so there comes the question of whether cookies are a matter of convenience or necessity.


How would it maintain the state between pages? Have the user enter his name and password on each page?

edit:

I suppose it could be done with only page data although it might be easier to defeat security and less efficient.


That's the thing - making out the case for it to be used. I'm not saying it can't be done, I'm saying that we're being forced to start asking these questions and need to work out the answers.



posted on May, 25 2018 @ 02:50 PM
Well, GDPR is here,
But where are our UK friends?
Is ATS non compliant or can our UK members log in?



posted on May, 25 2018 @ 03:35 PM
a reply to: Elostone
I'm still here.



posted on May, 25 2018 @ 03:36 PM
a reply to: Blaine91555

I log in using my Facebook account.



posted on May, 25 2018 @ 03:41 PM

originally posted by: Elostone
Well, GDPR is here,
But where are our UK friends?

GDPR applies to all EU citizens, not just UK citizens.
As a Portuguese it also applies to me.



Is ATS non compliant or can our UK members log in?

Non compliance doesn't mean we cannot log in, it means that the site may be the target of some penalty.



posted on May, 25 2018 @ 04:33 PM
I have been studying this law in depth for a long time now, as part of my job, and I still learn new things every day. This law is complicated, and I have seen various parts interpreted different ways, even by attorneys.

This law is a HUGE headache for US companies. This is why many companies choose to block EU from their products and services instead of facing the risks. The penalties are scary as heck. I can see the penalties alone putting companies out of business.

From my interpretation, I would say that the GDPR does apply to ATS. ATS offers a service and stores personally identifying data.

And yes, US companies will face penalties. There are agreements in place between the regulatory authorities in other countries and the US government.




edit on 5/25/18 by BlueAjah because: eta



posted on May, 25 2018 @ 04:50 PM
Well, the GDPR legislation has finally been implemented today in Europe.

In fact, many US sites including news outlets have simply chosen to ban or restrict EU members.



Some high-profile US news websites are temporarily unavailable in Europe after new EU data protection rules came into effect. The Chicago Tribune and LA Times were among those saying they were currently unavailable in most European countries. Meanwhile complaints were filed against US tech giants within hours of the General Data Protection Regulation (GDPR) taking effect. GDPR gives EU citizens more rights over how their information is used. It is an effort by EU lawmakers to limit tech firms' powers. Under the rules, companies working in the EU - or any association or club in the bloc - must show they have a lawful basis for processing personal data, or face hefty fines.


Source

In fact, according to the above article, a number of complaints have already been filed against US companies that have not yet complied with GDPR regulations. With potential fines running into millions, the GDPR should not be neglected.



posted on May, 25 2018 @ 05:28 PM
So to play Devil's advocate here:

I'm a disgruntled ATS forum member and I'm upset that one of my posts has been removed and replaced with a moderator's comment that I have taken exception to.

In retaliation, I have PM'd the Mod concerned and insisted that I wish to exercise my right to be forgotten here on ATS. I insist that I want all information that ATS holds about me to be removed and further to this, I want all information that I have ever posted or written on this site to be removed also, as it is personal data that I no longer wish ATS to hold or display.
( As per gdpr-info.eu... )

Feeling particularly nasty, I also wish to exercise my right to transport my personal data prior to deletion. I therefore expect this data to be delivered to me in a clear, computer readable form.
(as per details )

And to add further insult to injury, because I am so wound up and angry with ATS, I also threaten to take full legal action if my demands are not met in full, and within the timescale set by the GDPR legislation.

All hypothetical of course, and obviously before a user potentially submits any one of a far wider number of data requests that are available under the GDPR.

I personally have a post count of only 890. This could potentially leave a lot of holes in a lot of threads. Plus of course, I would also want my personal PMs to be removed too.

So my question to ATS is, based on the hypothetical request above..... How are you going to deal with my request?

I must emphasise, that this is an exercise GDPR scenario.
I do not expect a reply from management in respect to this scenario. I simply pose these questions to management for consideration.
It is surely only a matter of time before someone posts a genuine request either through genuinely wanting to be forgotten or purely out of malice.


There are a number of rules that apply under the right to be forgotten, where some data in some circumstances can legally be retained but in the majority of cases, it cannot be kept. Knowing what can and can't be held is also important.

I hope this spoof request may assist the team, before a real request is received.


Just for info, here's a link to a pretty good right to erasure article.
www.mycustomer.com... ting/data/gdpr-and-the-right-to-be-forgotten-how-to-process-requests-for-erasure
edit on 25-5-2018 by studio500 because: link addition



posted on May, 25 2018 @ 06:09 PM
Closed pending owner input.



posted on May, 25 2018 @ 09:28 PM
We (ATS) do not "track" any personal data, nor is any personal data that has been consensually offered when creating an account ever shared with any third party, or used internally for anything other than associating your post with your ATS username and IP address used at the time of posting.

In anticipation of GDPR, we consolidated to a single-source ad provider who stated compliance. We do not share data with them, they do not share data with us.

Since the founding of ATS, user privacy has been the most important thing to us, we've acted as if GDPR was already a thing since the beginning. We've never shared user data, nor have we ever collected any data other than the credentials used to create your account. In fact, we don't even keep server logs beyond two days (a necessary window in the event triage is required for troubleshooting issues).

Posting is voluntary. When you post, you agree to the rules of the site and that a post may be removed at any time for any reason.

I hope this helps.


edit on 25-5-2018 by SkepticOverlord because: (no reason given)



posted on May, 25 2018 @ 09:53 PM
What S.O. said...

So everyone relax and rejoice in the fact there is one site that has ALWAYS BEEN privacy focused, and always will be as long as we own it.



posted on May, 26 2018 @ 05:56 AM
Thank you for your replies, although I must point out that 'Tracking data' is only a tiny fraction within the remit of the GDPR.

The largest portion relates to the holding and processing of data from EU nationals and the rights afforded to them.

Under the GDPR legislation Nothing Is Consensual unless the user 'Opts In', providing their explicit consent.

This consent can also be withdrawn at any time requiring the removal of the user's personal data. The right to erasure request scenario posted above, is just one example of this.

Prior to this, one could safely assume that all data posted on a website was consensual due to the user accepting the Terms and Conditions of the said website. That form of consent is no longer valid and baseless in respect to EU nationals' data. This is perhaps one reason why some news outlets are currently choosing to block EU access until they can be sure they are compliant.

I have no doubt that over time, all US entities including community forums who hold or process data relating to EU nationals will be realized and eventually complied with to avoid possible litigation as it only takes one disgruntled user to start the process.

Many websites assume that they comply with GDPR or that because they are not strictly a business or not selling goods, that the GDPR does not apply to them, when in fact it does.

This is a sensitive issue to discuss and my reasons for doing so are only to assist a community that I am a member of and nothing more.

Whilst I respect and appreciate your response, they are not what I expected to hear at all but thank you for stating your position.



posted on May, 26 2018 @ 09:12 AM

originally posted by: studio500
That form of consent is no longer valid and baseless in respect to EU nationals' data. This is perhaps one reason why some news outlets are currently choosing to block EU access until they can be sure they are compliant.

I have access to people who have worked with large companies on this. The intent of the GDPR is to give people control over how their collected PI is used. Large news organizations are often deeply integrated with several vendors (Adobe, Acxiom, DoubleClick, etc.) who share the PI in real time to squeeze every possible ad penny.

The opinion of the experts in our case of a free-to-use website with no commerce is that if the PI we collect is under our control and never leaves our server, we're compliant enough. To be fully compliant would be to have server instances in every EU country where we have members and store their PI on those servers. That's a financial burden beyond the means of sites like us, and we'd get a pass.



posted on May, 26 2018 @ 10:41 AM
GDPR sucks!


-IT guys



posted on May, 26 2018 @ 11:06 AM
a reply to: studio500

I believe that when we first created our profiles we accepted the Terms and Conditions as part of the sign up process. It was a long time ago when I signed up, but I am pretty sure that counts as a legal opt-in.

From SO's explanation above, and viewing ATS Privacy Policy, I am confident they are doing what they need to do.

Your scenario above about removing all posts is not actually something that would be required under GDPR. Posted material is not personally identifying information as defined by the law. However, UserIDs or identifiers are considered personal information. So, if a user requested that their personal information be removed, I think perhaps ATS could get around that by removing all info in the profile and changing the UserID to something random.


