"If you know anyone in Europe, please tell them we're cool"

« previous post | next post »

As the Washington Post explains ("Europe, not the U.S., is now the most powerful regulator of Silicon Valley", 5/25/2018):

Europe implemented a sweeping overhaul of digital-privacy laws on Friday that has reshaped how technology companies handle customer data, creating a de-facto global standard that gives Americans new protections and the nation’s technology companies new headaches.

It's also unleashed a flood of email notifications, typically consisting of long unreadable lists of legal weaseling. (Though I've gotten a few more entertaining instances, like the one in the image on the right, from a company that I was unaware of having any relationship with…)

Today's xkcd satirizes these notifications brilliantly:

Mouseover title: "By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine."

The source of all of this is a regulation, passed back in the spring of 2016 and coming into effect yesterday, "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data […] (General Data Protection Regulation)", or GDPR for short. (The GDPR itself is 260 pages of legalese, so if you're actually interested in its content, you might want to start with the eugdpr.org information portal.

The Guardian lists some other GDPR-related creativity (Chloe Watson, "Last-minute frenzy of GDPR emails unleashes 'torrent' of spam – and memes", 5/23/2018), like this one:

More seriously, the GDPR was extensively discussed at the recent LREC conference in Japan, for example in Pawel Kamocki et al., "Data Management Plan (DMP) for Language Data under the New General Data Protection Regulation (GDPR)". Among the less important things that (I think) I learned was that the regulation's restriction to "the protection of natural persons with regard to the processing of personal data" means not only that non-natural legal persons (like corporations) are outside the regulation's scope, but also that the regulation's protections go away when you die, since dead people are apparently not "natural persons" in this context.

One GDPR provision that puzzled me until I looked into it is the "Right to be Forgotten" — as eugdpr.org explains:

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent.

On the face of it, this seems to create some implausible scenarios, for instance requiring all data about your debts to be erased. So unsurprisingly there are all sorts of take-backs on the Right to be Forgotten, laid out in Article 17 on pp. 140-142 of the regulation:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;


(e) for the establishment, exercise or defence of legal claims.

I've put clause (d) in boldface because it's especially relevant for people interested in linguistic datasets. Implementing the Right to be Forgotten in such cases would be difficult, and more importantly would make it impossible to compare processing results across time. The details in Article 89 (pp. 252-253) are suitably vague, but seem to provide reasonable protection in all directions.

Meanwhile, I wonder whether there's any other law or regulation in recent years that has occasioned the billing of as many lawyers' hours.

Update — Of course there's a WordPress GDPR plugin

Update #2 — This link to an apparently genuine GDPR email, referenced by Yuval in the comments, is the best that I've seen:


  1. cliff arroyo said,

    May 26, 2018 @ 7:27 am

    Isn't this just all security theater? I live in Europe and all it means so far is having to click on a bunch of stuff I don't read before getting into sites.

    European lawmakers are slow and reactive and have no understanding of how people or things work outside of centralized European institutions.

    I dont' feel one whit more secure and anyone who does is dreaming.

    [(myl) Lawyers and IT professionals in certain industries certainly have genuine reasons to feel more secure, at least as far as their employment prospects are concerned. As for the rest of us, I think it's too soon to tell — the responsible parties that I've spoken to about this all say some variant of "we're still scrambling to figure out what this means".]

  2. AntC said,

    May 26, 2018 @ 7:38 am

    "Right to be forgotten"/all data about your debts to be erased

    If you've ever had your identity stolen (or even your credit card); somebody will be running up debts under your name.

    If your name happens to be the same as somebody who's committed heinous acts, your social media presence will get besmirched quicker than you can tweet 'that's not me'.

    Facebook has moved all their data for 1.5bn users (even the accounts of European 'natural persons') to servers outside of Europe. I can't see how that means the EDPR regulates Siicon Valley.

  3. L said,

    May 26, 2018 @ 8:17 am

    >Isn't this just all security theater?

    No. This has real positive effects. I work in IT, and pretty much all companies I work for were forced to provide new services to clients that they previously did not provide, such as the ability to get your own data out of a service you use.

  4. Philip Taylor said,

    May 26, 2018 @ 8:20 am

    I for one (a European) welcome the GDPR. I have lost count of the number of irrelevant and near-spam mailing lists of which I am now (thanks to the GDPR) no longer a member, having quite deliberately ignored all but one of these GDPR reminders.

  5. Jim Breen said,

    May 26, 2018 @ 8:28 am

    Thanks for including the xkcd spoof. One of the funniest things I've read in years.

  6. CL Thornett said,

    May 26, 2018 @ 9:46 am

    Voluntary organisations like clubs and churches also have to go through this exercise, often undertaken without pay by volunteer officers. That's several hours of my life I won't get back, with a few more to come when I record the results (in a password-protected document, of course). We had to ask about keeping records for elderly people no longer able to give meaningful consent; at least the commonsense answer is that we have to keep them to carry out our duty of pastoral care to those people.

    Like many others, I have used this as an opportunity to reduce what comes into my inbox.

  7. raempftl said,

    May 26, 2018 @ 1:04 pm

    "Facebook has moved all their data for 1.5bn users (even the accounts of European 'natural persons') to servers outside of Europe. I can't see how that means the EDPR regulates Siicon Valley."

    I don't see how this has any bearing on the applicability of the law.

    Facebook are offering a product in EU member states and of course their product and the terms and conditions in relation to that product need to comply with the applicable law in those states regardless of where it is produced.

  8. MattF said,

    May 26, 2018 @ 4:01 pm

    Insofar as GDPR shifts things to 'opt in', it's non-trivial and a good thing. I I think it's actually OK to ignore these notices if you -don't- want the various services to have your data. What's very unclear is whether or how much of the opting-in applies to US users. We shall see.

    It's interesting that I -haven't- gotten a notice from the company that manufactured and installed my heat pump– which monitors my home environment and (I assume) sends information about my home environment out to servers in ComputerLand. This (I assume) is because the manufacturer doesn't do business in Europe.

  9. Brett said,

    May 26, 2018 @ 4:25 pm

    According to the previous xkcd, European royalty are also exempt.

    [(myl) Brett is referring to the mouseover title ""Our customers keep sending us their personal information, even though we've repeatedly asked them to stop. The EU told me I'm the heir to some ancient European throne that makes me exempt from the GDPR, but we should probably still try to fix that." ]

  10. Yuval said,

    May 26, 2018 @ 5:31 pm

    Loved this one much more than the xkcd.

    [(myl) Untruncated version here — it's apparently an authentic GDPR notice:


  11. Elochi said,

    May 26, 2018 @ 9:38 pm

    Well, I don't have much to say here but considering the fact that GDPR has made things to look like this then let it be so

    Its a good thing anyway, time to get all my site Privacy Policy updated aswell

    Thanks for sharing this, this' actually my first visit to your site.

  12. Rodger C said,

    May 27, 2018 @ 11:35 am

    Having just read the adjacent post with its discussion of age differences in interpreting initialisms, I wonder how many Americans look at "GDPR" and keep thinking "German Democratic People's Republic"?

  13. KB said,

    May 27, 2018 @ 4:29 pm

    The official name of East Germany was the German Democratic Republic (Deutsche Demokratische Republik), so GDR (or DDR). In short, no "People's".

  14. Gregory Kusnick said,

    May 27, 2018 @ 10:15 pm

    KB: Knowing that fact didn't stop my brain from trying to interpret GDPR along the lines Rodger suggests.

  15. RP said,

    May 29, 2018 @ 5:24 am

    "European royalty are also exempt."

    That is probably a joke. (In any case, "the EU" wouldn't inform someone of their exemption. The EU is far too busy. You'd have to hire a lawyer if you wanted to know whether you were exempt.)

    The details of the exemption (and many details of the application, including whether children are defined as under-16 or under-13) are up to member-states to define. When the EU promulgates a regulation, each individual EU state has to pass a bill putting it into their domestic law. Many things not fleshed out in the original regulation get clarified at national level, so some of the detail will then differ from country to country. Whether national law is compliant could ultimately be tested in the European courts.

    ExplainXkcd.com thinks the joke is a reference to sovereign immunity. But generally such immunity, which isn't the same thing as exemption, only applies to the monarch in person. For example, the British monarch as an individual can't be prosecuted or sued, but her government can and her servants and secretaries can, and if she ran a company then the company could be prosecuted. So in practice, unless she was running a website as a sole proprietor with no assistance from anyone else, then some entity or some individuals would be subject to prosecution for any breaches.

RSS feed for comments on this post