1. European

    Jeff, note that this is EU (European Union) regulation and EU is not whole of Europe, there are countries outside of it. Which means that for some European countries and some European citizens EU rules don’t apply, and thus GDPR.

    I am not surprised that this EU regulation sounds complicated and hard to understand. Most (if not every) EU regulation (not just for digital) are like that. Problem is that EU has become to big, bureaucratic, out of touch with real life, that doesn’t solve but introduces new problems and has way to many regulations. While in some cases intentions might sound noble, execution is poor and awful. Take for example two well known cases for digital: cookie law and VAT MOSS.

    My bet is that this is how it will end with GDPR. Privacy would be improved only on paper, not in real life.


    • Matt

      Which means that for some European countries and some European citizens EU rules don’t apply, and thus GDPR.

      That’s not the case if a non-EU entity transacts with or manages data for EU entities, i.e. GDPR will apply. You can choose not to adhere to GDPR, but if your EU footprint is large enough then expect enforcement. The EU has messed up before, both the cookie law and VAT MOSS, but GDPR is well thought-through and already law in all EU countries; it’s just enforcement that starts this year.

      IMO this should be viewed as an opportunity to review how you treat your users and deal with their data.


  2. Heather Burns

    It’s worth noting that both VATMOSS and the cookie law have been substantially overhauled and reformed for the better thanks to positive, evidence-based, and cooperative engagement from the public and from organised advocacy groups.

    So that’s the nice thing about the GDPR compliance project: it has drawn people following those examples who want to be positive, constructive, and engaged, and just get on with the task ahead. Another lesson learnt from the previously mentioned issues is the importance of getting it right in good time rather than scrambling to retrofit fixes after the compliance deadline has passed, and that’s what we’re working on now.

    People who want to spin political grievances, victim narratives, and conspiracy theories are entitled to their opinions but at the end of the day, as Jeff said, this work is about raising the standards by which we protect the people in our data, ensuring that the WordPress project itself is one that people can trust, and providing the tools that everyday site administrators need to be able to protect their users and themselves too. I can’t think of any effort more worthwhile than that.


  3. Lee

    There is a €10 million minimum fine for non compliance — €20 million for tier 2 offenders — but there is scope for (internal) regional variation in GDPR’s application so there is some wiggle room.

    As @Matt rightly says, GDPR affects any person or business that collects data about anyone in the EU at the time of data collection.

    GDPR defines Data Subject to be anyone who happens to be within an EU jurisdiction at the time their data is collected as well as persons normally resident within the EU (EU citizens). This Data Subject could be an EU citizen travelling in the US or an Australian citizen in transit across EU airspace. Data Controllers and Data Processors are equally tightly defined as those who collect, store and crunch data collected on EU Data Subjects.

    Further, GDPR requires that those who own or manage properties where data is collected ensure the security of that data, record where that data is shared, notify Data Subjects of any data sharing or changes to the basis of any data collection and provide a route for data to be viewed by Data Subjects or deleted (including shared data — see next).

    Furthermore, GDPR puts the onus on Data Controllers to ensure those who might access that data are also GDPR compliant.

    Are the horrors of this regulation beginning to reveal themselves to you?

    How about this: what data is collected by your web server (stats and error logs), web host (data backups) and payment processors (e.g. Stripe and PayPal)?

    When an EU Data Subject purchases a service or plugin, the vendor needs to be GDPR compliant whether that vendor is in the EU or not.

    GDPR is too well written. This regulation will affect more people than most could have imagined when the documentation was finalised. In my opinion, GDPR will cause non EU businesses and website owners to reconsider their openness to persons covered by EU jurisdiction.

    Myself, and I am in the UK, as soon the UK leaves the EU, I will review whether to geoblock Data Subjects within the EU. So little of my traffic and business is conducted in the EU I won’t miss it and the costs of compliance are too high to warrant EU business.

    GDPR is going to cause bigger headaches than many yet realise.


  4. Heather Burns

    Complete rubbish about the fines. Monetary penalty fines – as I explained in the Tavern podcast – are only applied as the fourth stage of an exhaustive cooperative engagement process between the regulator and the organisation, or in the cases of genuinely egregious data breaches. The fines are proportionate and necessary, not maximum and destructive. (As a word of advice to readers, the most blatant sign of GDPRubbish is anything discussing fines whatsoever.)

    As a UK business, you’ll know that very little of what’s in GDPR is new. All of its basic principles have been around since 1995, incorporated domestically as the DPA of 1998. You also know that GDPR will continue to apply within the UK through the new domestic implementation, the Data Protection Bill, after the UK leaves the EU and for several years beyond that.

    The only horror to consider is that your data protection obligations for both your domestic and foreign customers – including the ones you describe above as “GDPR requires” – seem to be new to you after twenty three years of being on the books.

    PS On Tuesday geoblocking became illegal within Europe.


    • Lee

      GDPR is different to the UK’s long-standing DPA. They are different in breadth of reach and application:

      1) GDPR has global reach, DPA did not
      2) GDPR covers persons in EU territory however temporary their stay in the EU,
      3) GDPR makes the original collector (and agent of) responsible for actions committed by 3rd parties all the way down the chain so who A shares with (e.g. B), who AB share with and who ABC share with etc..,
      4) GDPR makes any data collection entirely opt-in, DPA did not
      5) GDPR requires a data processor or data holder to provide a method for a Data Subject to have data held about them erased or transferred to another data processor/controller upon request,
      6) GDPR allows for group law suits or for others to sue on behalf of those affected by non compliance
      7) There are many other differences between GDPR and the DPA.

      Here are 2 brief summaries of some of those differences:

      1) https://www.atg-it.co.uk/gdpr/dpa-vs-gdpr/
      2) https://www.ebuyer.com/blog/2017/03/the-difference-between-gdpr-and-dpa/.

      The UK’s ICO has this to say:

      1) https://ico.org.uk/for-organisations/data-protection-bill/

      GDPR is a tortuous beast compared to DPA. So much so that even ICANN is in the process of changing its domain registration privacy policies, and we all know how arrogant ICANN is.

      You are correct about the fines. The Tier 1 fine scale is between 4% of global turnover and €20 million. The Tier 2 fine scale is between 2% of global turnover and €10 million. I am happy you corrected me there. Thank you for pointing out this error in my knowledge.

      Many conversations and reports about the possible fines add ‘whichever is greater’ to their statements about them, which I suspect is due to mistranslation of earlier information put out by the EU Commission, or misproduction by the Commission’s website authors. It is mentioned too often for it to be made up out of nowhere by each author. The authors could be parroting each other though I do recall reading that statement on the Commission’s website too. The page about GDPR that I bookmarked appears to have been edited since my last visit (I know I saw it. Promise). I visit the Commission’s site more often than I would prefer to need to do. I am accustomed to its pages being moved and to page content being edited or entirely replaced between visits.

      The following (current) official texts are enlightening:

      1) https://ec.europa.eu/info/law/law-topic/data-protection_en
      2) http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

      GDPR and the UK

      GDPR will be brought into UK law and will remain in UK law after the UK leaves the EU. I understand that how it is applied will be down to UK law, which is different in basis and process to EU law. The latter being based on the Napoleonic Code of ‘you have the right to do…’ and the former being based on the English Common Law premise ‘You have freedom from…’

      GDPR will not necessarily escape change when reviewed by UK Ministers and the ICO post Brexit. GDPR’s post Brexit continued relevance to domestic UK law is not a done deal. Reading the updated DPA (details linked to above), it is very likely UK GDPR will be rewritten.


      Geoblocking with regards to digital service provision has been illegal in the EU for some time. Europe and the EU are different entities. The EU is a legal construct. Europe is a physical landmass i.e a continent. Once the UK leaves the EU, UK citizens will not be bound by EU law. I will be legally able to geoblock EU traffic when the UK leaves the EU. I am not alone in this reverie. I certainly will not allow EU law to prevent me geoblocking whichever regions I choose to block — I control my data ;)


    • Rick Gregory

      “.. geoblocking became illegal within Europe.”

      Uh… what? For EU servers, yes? Because if I have a US client who doesn’t at all care about EU customers, they can and may block eu originated visitors. I fail to see how the EU has any say over that.


  5. Peter

    Cool, maybe I will be able some time to delete my sleeping .org and .com accounts.


Comments are closed.

%d bloggers like this: