GDPR Compliance?

[trents]

Been getting emails about this lately from Microsoft. What's it all about anyway? Will it have any practical impact on the consumer or on 501c organizations?

 

[mackerel]

It is new European data privacy law going into effect end of next week, so most of its impact would be over here, but it can affect international companies who operate at all in Europe. At a very basic level, they have to ensure they have permission to contact you about marketing material. Also how data is stored and protected is covered, so for example there may be limitations on storing personal data in jurisdictions with weaker or no privacy laws.

However, it is causing varying degrees of pain to be in compliance with this. There is a game company that took the opposite approach. They decided it wasn't worth the pain to comply so in effect they're deleting the accounts of people in Europe. I only heard about this as they run one of the games I played a long time ago, the MMO Ragnarok Online. It's pretty much a dead game anyway. It pre-dated WoW, but still I spent many years in there and soon my characters will cease to exist at all. I think they also run some more modern games now, but again, I guess they're not big outside of their home market and I guess they decide it isn't worth it.

 

[trents]

Thanks for the info. The world is a very connected place now. Seems like it would be difficult to segregate the impact of this law such that it only impacts companies in Europe. Many large companies have a multinational presence with offices all over the world and even those who do not have facilities in Europe have patrons in Europe. I would think this would be difficult to enforce.

 

[mackerel]

I don't think it is difficult to enforce, but it may be more difficult to comply. For example, if you only keep European personal data in Europe, and do not export it outside the region, that goes a long way. That reminds me, I haven't taken the online course in my day job about how it affects us.

I think Microsoft had been between a rock and a hard place over this even before GDPR. European law forbid the transfer of data in certain ways, which conflicted with the US government view that MS had to hand over data as a US HQ company. I'm not sure how that was resolved, if it was ever resolved.

Even now, as I'm working for a US HQ company, I'm subjected to extra limits on what I'm allowed to do as part of my job that wouldn't be a factor if I was working for a European HQ company.

 

[Bill Dimwit]

However, it is causing varying degrees of pain to be in compliance with this. There is a game company that took the opposite approach. They decided it wasn't worth the pain to comply so in effect they're deleting the accounts of people in Europe. I only heard about this as they run one of the games I played a long time ago, the MMO Ragnarok Online.

What happens when they mistakenly remove an account that belongs to someone not in the EU?

 

[mackerel]

That's a different problem. It's been a very long time since I played, but paying accounts would have street address info so easy to identify that way.

 

[Bill Dimwit]

Not everyone is truthful about that, and people move.
It would suck to get your account removed just for failing to update an address

 

[mackerel]

It is your responsibility for information to be accurate and up to date. Can't blame them for acting in good faith on what they have.

 

[trents]

It is your responsibility for information to be accurate and up to date. Can't blame them for acting in good faith on what they have.

That's right. Good discussion here. Thanks guys.

 

[petteyg359]

What happens when they mistakenly remove an account that belongs to someone not in the EU?

Unless they habitually use a VPN for online gaming because they want stupidly high ping times, it's easy to tell who isn't an EU user because they won't be connecting from a RIPE address. That doesn't necessarily work the other way around (a RIPE address could be Russian or Asian), but it does significantly limit the range of false positives. And beyond just the RIR, every IP address is going to be part of some ISP's AN, which further limits location.

 

[Bill Dimwit]

It is your responsibility for information to be accurate and up to date. Can't blame them for acting in good faith on what they have.

Very true, but it should also be the responsibility of the company to make sure you have upto date info before axing your account. Say you were in the middle of a big move and never had the time to log in and change it, you get settled down only to find out your account was canned.
I know how MMO people are about there accounts, I used to play Phantasy Star Online back in the day on the Dreamcast. Id be pissed if my account was canned do to not having the time to update something like my address and I'm sure others would be to.

Anther thing to bring up, how will this be enforced and what will be the fines/punishment for failing to be complaint?
I know with PCI compliance its not hard to lie and say your doing everything right and fake a PCI compliance scan by unplugging all you networking equipment when testing. Could not the same be done here?

Also how will the EU enforce this with organizations that are outside the EU?

 

[mackerel]

Good questions, and I'm not close enough to answer them. It isn't a new problem either. The question of jurisdiction and enforcement has been a headache as the modern world gets more connected.

 

[Bill Dimwit]

Defiantly true, Jurisdiction and enforcement is a major problem online.
I seen reports of people doing 100% lawful things in there own country only to be extradited/arrested in anther country for something that's not legal there only because the site/service was available to anyone with internet.

 

[trents]

Defiantly true, Jurisdiction and enforcement is a major problem online.
I seen reports of people doing 100% lawful things in there own country only to be extradited/arrested in anther country for something that's not legal there only because the site/service was available to anyone with internet.

This was my point about enforcement earlier. The WWW defies geographical boundaries.