Gravity Forms Stop Entries Plugin Aims to Help Sites Comply with the EU’s GDPR

photo credit: AJ Montpetit

Wider Gravity Forms Stop Entries is a new plugin that helps website owners protect the privacy of form submissions by preventing entries from being stored in the database. The plugin was created by UK-based web developer Jonny Allbut for internal use at Wider, a company he set up for handling WordPress clients’ needs.

One aspect of complying with the EU’s General Data Protection Regulation (GDPR) is ensuring that contact forms do not store any personally identifiable data on the server. The regulation becomes enforceable in May 2018 and sites that serve EU citizens are preparing for the deadline with audits and changes to how they handle privacy.

Gravity Forms doesn’t offer a built-in option to stop entries from being stored on the server but GF co-founder Carl Hancock says there are a variety of ways to accomplish this.

“If all you want to do is simply email the contents of the form and not store the data in the database as part of the route you’d like to take for GDPR compliance, this plugin would be one method of doing so,” Hancock said. He also referenced Gravity Wiz’s commercial Disable Entry Creation plugin. Developers can also delete entry data after submission via a hook.

“However, the GDPR doesn’t preclude storing form entries in a database and is entirely dependent on the type of data you are storing and the other safeguards and functionality you have put in place,” Hancock said. “It’s a complex issue and I’m not entirely sure the EU fully understands the burden and implications that may come with it.”

Ultimately, the requirement of compliance falls upon website administrators who are the ones collecting the data. It is their responsibility to select tools that will protect their users’ privacy.

“While it won’t provide GDPR compliance on its own, Jonny’s extension is a much-needed step in the right direction,” digital law specialist Heather Burns said. Burns consults with companies that need assistance in getting their sites GDPR compliant. “GDPR requires adherence to the principles of privacy by design and part of that is data minimization and deletion.”

WordPress has dozens of popular contact form plugins, both free and commercial. Many of them store entries in the database in case the recipient’s email has problems, preventing the communication from becoming lost. Site administrators who are concerned about GDPR compliance will want to examine the solution they have selected for forms. Burns advised that contact form plugins need to do the following three things:

  • Ensure that personal and sensitive personal data from form entries is not stored in the database;
  • Provide configuration options to allow contact form entries to be automatically deleted after a certain period of time;
  • Ensure that all contact form data is deleted when the plugin is deactivated or deleted.

“Unfortunately the direction of travel has been the exact opposite: contact form entries tend to be stored in perpetuity on the database regardless of content or necessity,” Burns said. “Contact form plugins with options to automatically delete form submissions after a certain period of time are rare. I’ve even seen contact form extensions which duplicate entries to a separate table, which, all things considered, is madness. We need to be developing towards data minimization and deletion, not retention and duplication.”

Last month JJ Jay published an analysis of how and where popular WordPress contact forms plugins store data. This is a useful reference for site administrators who are not sure how their chosen solution handles data collection and storage. She suggested a few questions for users to ask when examining contact forms:

  • Can the option to store data be turned on and off?
  • At what granularity?
  • Can the data be deleted when the plugin is deleted?
  • What personally identifiable data, other than the data from each form, is stored? (i.e. a user’s IP address)
  • Is it possible to delete the submissions on an ad-hoc or scheduled basis?

If you’re not sure what could be leftover in your database from other plugins, Jay has also created a “What’s in my database?” plugin that administrators can install and access under the Tools menu. It is read-only and lists every table and its columns, so users can see if there are any surprises.

British Pregnancy Advice Service (BPAS) Hack Highlights the Danger of Storing Contact Form Entries in the Database

In educating website owners about the dangers of storing sensitive personal data, Heather Burns often cites the 2012 British Pregnancy Advice Service (BPAS) hack as one of the worst examples of the consequences of storing contact form entries in databases. The hacker, who was later jailed, stole thousands of records from the charity, which was running on an unknown outdated CMS with weak passwords. The site had not undergone a privacy impact assessment on its personal data collection and storage methods.

“One of the services BPAS offers is access to abortions,” Burns said. “Many of their service users come over from Ireland, where abortion is banned under nearly all circumstances. The site had a contact form where women could enquire about abortions. BPAS thought that messages were merely passing through the site; no one within the organization had any clue that a copy of each contact form submission was stored on the database. Somewhat inevitably, the site was easily hacked by an anti-abortion activist who downloaded the database. He found himself in possession over 5,000 contact form submissions going back over five years containing women’s names, email addresses, phone numbers, and the fact that they were enquiring about abortions. He then announced his intention to publish the womens’ data on an anti-abortion forum.”

The hacker was caught and arrested before he had the opportunity to publish the list. He received 32 months of jail time and BPAS was fined £200k for the data protection breaches.

“As well as criticizing the charity for their technical failures, the regulator called attention to the fact that no one on the staff had thought to ask the proper questions about the tools they were using; they were also angry that the site had a legalistic privacy policy which was clearly not worth the pixels it was printed on,” Burns said. “All of these failures were deemed inadmissible and inexcusable by the data protection regulator. It is no exaggeration to say that women could have been killed because of a contact form.”

Auditing contact forms is just one piece of the puzzle for those working towards GDPR compliance. Burns recommends that site administrators conduct a privacy impact assessment of personal and sensitive data that is submitted through forms. Privacy notices should also be clear about how this data is handled and how long it is retained before it is deleted.

The GDPR was written to be extraterritorial and states that the regulations apply to any site or service that has European users. These sites are expected to protect EU users’ data according to European regulations. Many American company owners are not yet convinced that this is enforceable outside of EU borders and have not invested in getting their online entities to be compliant.

“GDPR provides a very useful framework for user protection, which is now more important than ever,” Burns said. “I’m encouraging Americans to work to GDPR because it’s a constructive accountable framework that’s a hell of a lot better than nothing.”

Wider Gravity Forms Stop Entries is currently the only plugin in the official WordPress directory that addresses GDPR concerns for a specific contact form plugin. Others may become available as the May 2018 deadline approaches. Jonny Allbut warns users in the FAQ to test the plugin with third-party GF extensions before adding it to a live site, as some extensions may rely on referencing data entries stored in form submissions.

I asked Carl Hancock if Gravity Forms might make storing form entries in the database an optional feature and he confirmed they are considering it.

“Yes, this is certainly possible,” Hancock said. “We try to avoid conflicts with available 3rd party add-ons for Gravity Forms to encourage their development,” Hancock said. “But unfortunately it is not always avoidable. It is a feature that has been requested numerous times in the past and I suspect with the GDPR it will be a feature that will be requested even more going forward.”

37 Comments


  1. Assuming content is stored in the database for only a limited period of time, the advice to delete on deactivation is madness, because people frequently deactivate plugin when trying to diagnose a problem. In that case, the person trying to figure out why a page would not format correctly, for example, would cause the site owner to loose all their recent submissions!

    Report


    1. Delete on deactivation is indeed madness.

      Gravity Forms has an uninstall feature that is found in the main plugin settings that allows you to delete all of its data.

      This is a much safer way to handle it. Doing so in deactivation would lead to all kinds of accidental data loss due to the nature of WordPress. Testing plugin conflicts, etc. regardless of GDRP requirements.

      Report


    2. I think “delete upon plugin deletion” should be opt-in with the default to leave the data. It’s a hard one because once a plugin is deleted, how is a non-technical person going to delete the data or even know what data is still there?

      So it’ll make life more difficult in that respect. I still think it’s completely on the site owners and rightfully so. They need to have a plan in place for managing personally identifiable information from the start. However this is a solvable problem, it’s WordPress — I’m pretty sure if the demand for form entry management were there, the supply would follow. 😊

      Report


  2. By emailing the contents of the form it means that the form entries will be stored in your email provider’s database anyway.
    So does storing personally identifiable data on Google’s servers make the data more secure? Am I missing something here?

    Report


    1. Nope. You aren’t missing anything. You are absolutely correct. Not to mention individual users email clients.

      As I mentioned when answering questions in this article I do not think the EU has fully thought out the implications of the GDRP because they are vast.

      The burden they’ll put on small businesses could be over the top extreme.

      It wouldn’t surprise me if the EU has to make changes to the law after it comes into effect precisely for these reasons.

      Report


    2. But GDPR doesn’t say that you should send yourself an email instead of storing data on your site’s server. Just because a plugin developer has come up with a particular idea doesn’t mean that’s what the law says or requires. So there won’t be any need to change this at all.

      If you did email yourself such data, you’d still be a data processor with all the same legal obligations, but would now probably be lacking the proper means to discharge those obligations.

      I know it’s much easier to comment on soundbites and poor suggestions from non-lawyers. But you’d do much better to actually read the law before commenting on it.

      Report


  3. This law is well outdated before it comes into force by 20 years.

    Report


  4. Hancock said. “It’s a complex issue and I’m not entirely sure the EU fully understands the burden and implications that may come with it.”

    No, I’m sure the EU does fully understand what it’s doing here. It’s been regulating data protection for rather a long time now.

    In fact, the GDPR imposes arguably much less of a burden than its predecessor in that data controllers will no longer be under any obligation to register data processing activities. Instead, they will need to keep a proper record (audit trail) of those activities, which is just as it should be.

    The advice to delete short-term information on deactivation of a plugin is, as Mike Schinkel rightly says, just madness. But it’s just poor advice and nothing to do with the GDPR itself.

    Actually, addressing the requirements of the GDPR just involves best practice. Every site owner, and every developer, should already be asking themselves questions like these:

    1. “What data do I actually need?” If you don’t need it, you shouldn’t be storing it.

    2. “Of the data I need, does that need expire at some point?” If so, you shouldn’t be storing it beyond that point. (Honestly, this is hardly rocket science. Logs are routinely deleted after x days.)

    3. “Have I made it clear to those providing the data what happens to that data, and have I obtained their consent by asking in clear and plain language?”

    4. “Have I provided a means for those providing that data to withdraw their consent to store and/or use it?”

    There’s nothing terribly complex or burdensome about any of that. Some people may need to abandon bad habits, of course, and may moan and groan while doing so. But it’s time they caught up.

    Report


    1. I disagree.

      While many aspects of the GDRP are straightforward to say there is not a burden on small businesses is simply wrong.

      There will indeed be a burden due to the very nature of WordPress ease of use and low barrier to entry for small businesses and individuals. Do you think these types of users can afford to hire or consult with EU legal experts to make sure that what they do with WordPress is OK by the GDRP. Do you think WordPress users outside of the EU, let alone inside the EU, even know about or understand the GDRP?

      I’ll use form solutions as an example. Gravity Forms is a tool much like a desktop publishing app is a tool. It’s a blank canvas. I can’t tell you what type of data a user is going to capture with it because they can use it to create whatever type of form they want. It doesn’t create default forms or force them to use a specific set of forms. It’s a blank slate.

      Because of that blank slate nature it can’t take into account every scenario in which they could be used because just like a desktop publishing app we don’t know what they are going to build. It’s not merely a contact form builder it’s used for all kinds of th He’s such as code generators , product configurators and custom applications built on top of it that may have nothing to do with sensitive personal data. If you want a contact form use Contact Form 7. Gravity Forms is far more than a mere contact form solution which means it can’t simply force all of the GDRP rules out of the box because you may not even fall into that box.

      What this does is out the onus of being GDRP compliance on the site owner. And the way the GDRP law was written this doesn’t just mean EU site owners either. Do you think users in Brazil will have any clue what the GDRP? Or site owners in practically any international market outside of the EU? Or even small business and individual site owners in the EU that are not technical savvy… of which there are a ridiculously high number? Do you think they read legal blogs or WordPress sites such as WPTavern? Or even the Gravity Forms blog if they are a Gravity Forms user? The simply fact is the vast majority do not, yet they can easily be exposed because of the EU regulation.

      Thankfully because of the open source nature of WordPress and how plugins work this means it most definitely allows you to implement things in a way that is GDRP compliant. Gravity Forms included. It can do whatever you want it to do. But it may require using additional plugins/add-one/extensions or even custom code to accomplish implementing something that would be compliant depending on what exactly it is you are trying to accomplish and what type of data you are dealing with. It means the site owner needs to know what it is you need to do and what tools you’d need to do it.

      I have no issues with the GDRP from a data protection standpoint. I also have no issue helping educate people on what it is they need to do. But we only have so much reach (we being the WordPress community) because the vast majority use WordPress but are outside of our little bubble. With this in mind, to say it doesn’t add a burden to site owners is not true.

      Most WordPress site owners won’t even know the GDRP exists, let alone how to make sure they are compliant.

      Apologies for any typos or autocorrect snafus in this one… it’s a long comment and I’m typing it out on my iPad.

      Report


      1. You are confusing lack of knowledge with being burdensome.

        Whether someone in Brazil who processes data on someone in the EU knows of his or her obligations is a completely different issue from whether, armed with such knowledge, the obligations imposed are burdensome. They are not.

        Report


      2. Amen.

        But I find it hard to say that “whatever regulation” adds burden to site owners. This is the equivalent of saying that following the changes in traffic laws is a “burden” on people that drive. Following the regulation, even if you need to hire a consultant/lawyer once a year, it is just the cost of doing business, and businesses have a lot of regulation all around.

        The elephant in the room is actually comments, not contact forms. since comment are on by default while contact form plugins needs to be deliberately installed and configured. Some people will regard the IP addresses collected by wordpress as sensitive private info …. And this brings us to akismet which no one knows what it stores and where.

        Report


      3. I would say given the fact the EU could attempt to fine the site owner in Brazil for not even knowing what the GDRP is in order to be able to configure his site to be GDRP compliant in that scenario, that it would indeed be burdensome.

        Look, I have no issue with data privacy. I have no issue with doing what we can to provide tools to help with GDRP compliance. We will most definitely do more in this area. BUT just like I think it’s burdensome to citizens in other countries when my own country (U.S.) tries to apply U.S. laws to citizens outside of the U.S. when something is not obviously illegal (ex. cocaine trafficking is obviously illegal no matter the country), I think it’s crazy for the EU to do the same.

        It becomes very dicey to attempt to enforce it internationally and introduces a burden on citizens of other jurisdictions to be up to date with EU laws or risk being exposed to legal action for something they wouldn’t even know existed.

        If the EU GDRP rules were not being applied internationally and only applied to EU based businesses and site owners I would have a different opinion on this. But that is not the case.

        Ultimately my opinion doesn’t matter. As I mentioned we will do what we can to provide tools for site owners to help mitigate this risk. These tools actually already exist via existing plugins, hooks/filters, documentation, etc. That is one of the beautiful things about open source. But ultimately the onus is on the site owners to actually implement them. Good luck with that one.

        Report


      4. @carlhancock

        “I would say given the fact the EU could attempt to fine the site owner in Brazil for not even knowing what the GDRP is in order ”

        That is not how the compliance process works, and it’s certainly not how the enforcement process works.

        What would happen is that (say) an Austrian using a SAAS from Brazil would have a concern about how that company is using, processing, and sharing their data. The Austrian would examine the Brazilian company’s privacy notice and subject access request process to learn what they are doing. The Austrian either doesn’t find what they’re looking for or learns that the Brazilian company is noncompliant. The Austrian can get in touch with the company personally to have their concerns addressed. If the Austrian is still not happy, they can raise a concern with their national data protection regulator (in this case, Austria’s) who will liaise with the Brazilian company.

        Anything after that is a four stage process between the Austrian DP and the Brazilian company with a view towards bringing the latter into proper compliance with the personal data they hold and process about Austrian citizens. The process is constructive and supportive, not threatening and adversarial.

        Under GDPR, fines are only imposed on companies which outright refuse to comply, repeat their mistakes, or have committed a truly egrigious violation of data protection such as we saw with the BPAS hack. Fines are imposed by national regulators, not the EU. The fines you’ve seen the EU impose centrally onto Apple et al are for tax trickery, not data protection.

        There’s a lot of #GDPRubbish going around and one unfortunate myth is that the EU is some central government monolith that’s going to be stomping around throwing giantic fines on non-EU companies. That simply is not how it works. The purpose of GDPR compliance is not supposed to be about avoiding fines in any case: it’s about protecting user privacy. It’s the price of doing business in Europe.

        Report


      5. @Heather Burns

        AFAIK, the idea that a company that has no physical presence (employees, incorporation, servers) in the EU is carrying out an action in the EU (e.g. transacting business, when someone carries out an ecommerce transaction), when someone in the EU does something on its non-EU hosted website is, at this point, an untested theory, not a legal fact. The EU cannot abolish the existence of other sovereign nations states, and declare its own worldwide jurisdiction, simply by arbitrary fiat.

        Report


      6. I can see both sides of the argument but don’t forget the EU person and the foreign business makes use of EU infrastructure in terms of internet carriage, data over EU fibre etc.

        I don’t think the EU would do so, but it could just block foreign traffic/data unless you submit to their laws.

        After all this is no real difference to foreign aeroplanes flying over a country and being subject to that countries permission and airspace rules even without any business presence there.

        Dale.

        Dale Reardon

        Founder, My Disability Matters

        The new social network for the Disability Community

        Friends, family, carers and businesses welcome

        Phone: 03 6286 7305 | 0420 277 457 | Skype: dale.reardon

        Twitter: @audisability | Linkedin | Facebook

        Report


      7. I can see both sides of the argument but don’t forget the EU person and the foreign business makes use of EU infrastructure in terms of internet carriage, data over EU fibre etc.

        I don’t think the EU would do so, but it could just block foreign traffic/data unless you submit to their laws.

        After all this is no real difference to foreign aeroplanes flying over a country and being subject to that countries permission and airspace rules even without any business presence there.

        Dale.

        Dale Reardon

        Founder, My Disability Matters

        The new social network for the Disability Community

        Friends, family, carers and businesses welcome

        Phone: 03 6286 7305 | 0420 277 457 | Skype: dale.reardon

        Twitter: @audisability | Linkedin | Facebook

        Report


      8. @David Anderson,

        Actually, it is not just “untested theory.” Nations and organizations of nations have been making and enforcing laws with extra-territorial implications for a very long time. The USA does it a great deal.

        The idea that such laws just “abolish the existence of other sovereign nations states” is a bit silly. It’s perfectly possible to have a physical space to which laws apply from several different jurisdictions. An aircraft is a good example. No-one claims that the USA/EU/NAFTA etc is “abolish[ing] the existence of other sovereign nations states” because they (among others) regulate the operation of an aircraft.

        Report


      9. @davidanderson

        Two things in one comment as this comments thread is getting complex.

        First, GDPR is not a new “arbitrary fiat” that “abolishes the existence of other soverign nations states”. The European data protection framework has been in place since 1995. If you’re in the US you know it as the Privacy Shield framework, previously Safe Harbor. GDPR is an upgrade and modernisation of the 1995 structure.

        As I said in a previous comment, enforcement is through member states, not “the EU” ravenous anti-sovereign monolith the red tops would have you believe. The third step in the enforcement process in the case of a data breach or a refusal to come into compliance, before a fine, can be a member state’s DPA ordering a non-EU company to stop processing data – essentially, to cease operations – in that member state. That would be, to use the earlier example, Austria ordering the Brazilian SAAS to cease doing business in Austria. That is absolutely within their legal right to do so.

        The only companies which are going to be dealt with by the EU as a whole can be counted on one hand. Facebook, Google, etc.

        For everyone else, the non-EU companies that have the most to worry about in their GDPR compliance processes are the ones that were not in compliance with the 1995 legal framework to begin with. Methinks some of them doth protest too much.

        Second, on the obligations of non-EU companies engaging in consistent or high-volume data processing in the EU despite not having a physical or legal presence within it: suggest you read up on GDPR Chapter 1, Article 3; Chapter IV, Article 27, and all of Chapters V and VII, particularly pertaining to DPOs and lead supervisory authorities.

        Report


      10. @Carl Hancock,

        If the EU GDRP rules were not being applied internationally and only applied to EU based businesses and site owners I would have a different opinion on this.

        I believe you. But (even apart from the mechanism for information and enforcement which Heather Burns has already explained) you’d be wrong to distinguish such laws based on such a criterion. Why? It’s simple.

        Really, your whole argument boils down to this one point: people shouldn’t be at “risk [of] being exposed to legal action for something they wouldn’t even know existed.” The trouble with that point, though, is that it applies to every single bit of law ever created.

        No law has ever been known and understood by everyone to whom it applied. And the person doesn’t exist who knows all the law that applies to them. The source of the law is irrelevant. So to bring it up about the GDPR specifically is a complete red herring.

        Report


  5. Hi,
    Does anyone know if this new privacy law applies only to EU companies, websites hosted within the EU, or to any business worldwide that is servicing a person resident in the EU?

    Report


    1. GDPR applies to the personal and sensitive personal data about anyone in Europe regardless of citizenship or nationality.

      Anyone collecting, using, or obtaining this data needs to comply with GDPR regardless of their location.

      Any non-EU business which does not think it’s obliged to follow these rules should not be doing business with European customers.

      Report


      1. We need to distinguish between what the EU finds it convenient to imply, and what is actually enforceable legal fact.

        EU law can only apply to actors domiciled in territories outside of the EU, by virtue of international treaties with the governments of those territories. Are you aware of any such treaties / territories?

        Report


      2. Hi,

        Its been a long time since I studied International Law but can’t it be argued that international companies are voluntarily submitting to the EU law by dealing with an EU resident or person physically within the EU?

        The EU has the nexus by virtue of you contracting with one of its residents.

        Dale.

        Dale Reardon

        Founder, My Disability Matters

        The new social network for the Disability Community

        Friends, family, carers and businesses welcome

        Phone: 03 6286 7305 | 0420 277 457 | Skype: dale.reardon

        Twitter: @audisability | Linkedin | Facebook

        Report


      3. Hi,

        Its been a long time since I studied International Law but can’t it be argued that international companies are voluntarily submitting to the EU law by dealing with an EU resident or person physically within the EU?

        The EU has the nexus by virtue of you contracting with one of its residents.

        Dale.

        Dale Reardon

        Founder, My Disability Matters

        The new social network for the Disability Community

        Friends, family, carers and businesses welcome

        Phone: 03 6286 7305 | 0420 277 457 | Skype: dale.reardon

        Twitter: @audisability | Linkedin | Facebook

        Report


      4. Apologies – in the last paragraph the word “domiciled” is too strong. I should say something like “only apply to actors whose only presence is in”. Think of sellers of digital goods, for example.

        Report


  6. Just a minor correction: under GDPR it’s not necessary to ensure that contact forms do not store “any” personally identifiable data on the server. What is necessary is a documented PIA/PBD process, appropriate technical and security measures, data minimisation, and a retention and deletion policy,

    Report


  7. Use Gravity forms to store entries, then use this plugin to stop doing it sounds crazy.

    Report


    1. Personally, I don’t see this as ‘crazy’ – it’s perfectly logical to store form entries on server – and indeed this should continue to be default behaviour – and this is what makes the codebase of Gravity Forms so awesome… it’s built to be extended like this ;) This plugin joins a ‘family’ of add-on plugins that extend Gravity Forms in ways that suit certain people…

      From a backup point of view – who wants a client crying because they have lost potential leads due to a junk email server (not us thanks!), but also maybe more importantly – a number of third-party Gravity Forms plugins actually rely on this stored data for analysis and other purposes – so removing it from the plugin core would actually ‘break’ a-lot of installs on update if users didn’t understand what they were doing… and cause more tears.

      Finally – as the author of this plugin I’d like to thank WPT for featuring it – and hope people find it as useful as we do at Wider ;)

      Report


    2. The entry has to exist to process the data, send it to 3rd party integrations, interact with payment processors such as PayPal, etc.

      For example with PayPal Standard the user leaves the form to go to PayPals site to complete the payment. They then return to the form via redirect by PayPal and then PayPal’s IPN communicates back that the payment was made. The entry has to exist for this to occur. Email notifications would then be sent at this point. When all processing that is necessary has been completed. THEN the entry can be deleted if it is necessary to do so.

      Deleting the entry after the fact is only necessary in situations where you simply want to email the information and not store the entry beyond the processing OR you simply want to process the form through integrations (MailChimp, a CRM, etc.) and discard the entry in the database afterwards. But the entry needs to exist for the processing to occur because some of the processing occurs asynchronously.

      And let’s be clear… it is not necessary to do this simply because of the GDPR. That is only one way to handle GDPR compliance and it is a bit of a sledge hammer when simply a knock may all you actually need. It depends entirely on the use case in question.

      Report


    3. Use Gravity forms to store entries, then use this plugin to stop doing it sounds crazy.

      Agreed. Which is both why the GDPR doesn’t say you should, and why you shouldn’t contemplate taking legal advice from a report on a website about a new WordPress plugin.

      Report


  8. @Dale Reardon

    can’t it be argued that international companies are voluntarily submitting to the EU law by dealing with an EU resident or person physically within the EU?

    My point is that all kinds of people can argue all kinds of things. But that’s quite different from actual legal weight and ability to enforce. The EU, the government of Belgium, the city of Naples, or Bob from Newcastle could all argue that the moon is made of cheese, but that doesn’t mean that anyone else has to care, unless it is also established that they can and will enforce consequences for disagreeing with them.

    @Heather Burns’ reply to me has not touched on this key point. She’s talked about the legalities of who would enforce, in what sense GDPR is new, and other things. But the heart of my question to her is about whether any EU entity (and whether it’s the EU itself, or one of its members, is irrelevant) has ever successfully enforced against a non-EU entity (i.e. one without an EU company or sister company, servers or employees), and upon what grounds, and whether they assert the ability to do so with this law, and upon what grounds (i.e. not just hand-waving with the hope of persuading people to do what there’s no legal basis for forcing them to do).

    Heather seems to confuse my point about sovereign nation states, which (from reading her various comments) appears to be because she feels strongly about the nature of the EU itself, which is irrelevant. The point is not whether the enforcement is centralised or devolved. Its about the inability of *any* entity to enforce law within the boundaries of a foreign, sovereign nation state. For such enforcement to happen, it has to be covered specifically by treaties between the parties involved. I believe that Privacy Shield is only relevant to entities with EU presence – it covers how they exfiltrate data out of the EU, and is enforceable because of their presence in EU. But for companies with no such presence, it is not established that they are subject to it, or upon what basis.

    Witness the EU VAT digital VAT law of 2015. This declares that, when digital goods are sold to an EU consumer, then the transaction is deemed by the EU to take place at the location of the consumer (whereas before then, they deemed that it took place at the location of the seller). That’s something that you have to care about if you have EU presence. But if you have no EU presence, then it’s not necessarily any more interesting or relevant than an EU declaration that Julius Caesar was German.

    Report


    1. @David Anderson,

      You seem to have a very narrow conception of what law is. You seem essentially to view it as simply a body of rules backed by threats of sanctions for disobedience or non-compliance. Sure, some law is like that. But there is a huge amount of law that isn’t.

      Some laws are about granting powers (e.g. to contract, get married, etc).

      Other laws are much more about changing practices through information and education. When laws were passed mandating the wearing of seatbelts in cars, for example, some people said that these laws were pointless because they could not really be enforced. They were right that the laws could not generally be enforced — but those laws turned out to be very much on point. They have completely changed the practices of most people riding in cars.

      The GDPR should be seen in the same light. The EU isn’t really expecting every non-EU person who processes EU data to immediately comply. Heather Burns has already explained that, even when non-compliance comes to light, there’s a process to be gone through before any possibility of sanctions arises.

      But what the EU is expecting is something like this. Large businesses and government departments will be expected to comply immediately, and there will be plenty of audits to check that they do. Ideally, from the EU’s perspective, one of these organizations will make a pig’s ear of the whole thing (but without causing harm to anyone) and they can be named and shamed to make a point.

      Such publicity will help get smaller businesses to comply, but so will a whole raft of other factors. Big businesses do business with smaller organizations, and they will likely require compliance from those smaller businesses (who will then require it of others, etc.) Similarly, insurance companies will make compliance a condition of coverage, while organizations with an active regulator (such as charities that come under the Charities Commission in the UK, for example) will receive detailed directions on what they have to do. Trades organizations will do much the same thing for their members.

      After a while, this will just become the new normal. And it won’t make any difference where those businesses or organizations are based. In fact, it will likely become so well known that many people will want to comply even though they are not dealing with EU-based data at all.

      This is, in practice, how many laws get “enforced.” Now you might ask, to use Carl Hancock’s example, what about the small business in Brazil who still doesn’t know and doesn’t comply. The answer to that is pretty straightforward so far as the EU (or, indeed, any lawmaking body) is concerned. No-one expects perfect compliance. No law receives that. When the police contemplate setting speed traps, they don’t give up on the idea just because they won’t catch everyone who speeds. And, as noted already, the GDPR really isn’t about “catching” anyone; it’s about changing behavior through information and education.

      Report


  9. GDPR looks like a really big change that we should all treat very seriously and look for solutions. If there’s one thing we learned from VAT, it’s that the EU is quite serious about those things. They keep introducing more and more regulations and then put new mechanisms in place to enforce them. Those 4% fines aren’t looking good.

    Report


  10. I’ve made it real simple for my business.

    I’m in Canada and I have exactly ZERO intention to comply with this BS.

    I’ll be damned if the EU is going to have ANY control of what MY Canadian business does on the Internet. Period.

    End. Of. Discussion.

    Report


  11. Most of the GDPR only applies to large enterprises and public sector bodies. Article 30 of the regulation says that organisations with less than 250 employees will not be bound by GDPR.

    Report


    1. @Common Sense

      Your reading is incorrect – Article 30, Section 5 pertains to the obligation to document records of processing activities, which is roughly 1/12th of what GDPR comprises.

      Early drafts of GDPR proposed derogations for small businesses but these were removed from the final draft. Quite right too: why should, say, a 10 person app development studio conducting highly intrusive data collection and sharing about individuals be exempt from privacy protections based solely on their headcount?

      Report

Comments are closed.