Everything is under threat. Literally everything
There is an opinion that writing laws that violate almost everything is an invention of our Motherland. But, as with the elephants, it's not that simple: when I studied the
General Data Protection Regulation (GDPR), I realized that here we are hopelessly behind Europe. No joke: to screw the whole world in one fell swoop! Do you think the GDPR won't bend your company over? Let me dispel that dangerous delusion.
In this article I won't describe every squiggle of the GDPR (acquaintance with which first of all raises the question "Can we just ban all Europeans?", and that is not a joke, people really do ask), but will focus on scaring those who still haven't looked into how the GDPR affects their work, assuming a priori that they are outside the affected area.
I'm a techie (a program manager), so I retell the provisions of the GDPR as they apply to technical aspects, not paperwork. And although I'm not a lawyer specializing in European law, I have spent time digging into the GDPR and I know what I'm writing about:
- read the law itself;
- took part in a seminar on it;
- read the official explanations of it;
- read private opinions about it;
- read the court practice from which some of the new provisions of this law have grown;
- discussed all of this with our Swiss lawyer;
- etc.
Overall, it took more than two months to dive into the topic.
And such a "non-core" use of a technical specialist is unavoidable in this situation: no lawyer will find most of the dangerous places in products or infrastructure; only a techie who both knows the technical solutions and understands the GDPR can.
So why do I say that the GDPR covers almost everyone?
Three aspects:
- Expanded geography of applicability.
- Expanded interpretation of the concept of personal data.
- Both the "controller" and the "processor" are under the hammer. (Who are they?!)
Let's look closer:
Expanded geography of applicability
The GDPR applies to the processing of personal data carried out by organizations operating in the EU.
Those located in Europe have long known this. But the wording of the GDPR spreads its reach far wider:
It also applies to organizations outside the EU that offer goods or services to individuals in the EU / EU citizens (regardless of whether payment is required).
Does your free service have an English version and user registration (even just an e-mail)? Congratulations, you're in trouble. Those actively selling their products and services in the European market already know about the GDPR, but for free projects this may come as a surprise. A further surprise awaits those who aren't active in the European market as such but in fact often serve citizens of the European Union (citizens, wherever they are!), as well as those who can be accused of targeting Europeans on formal grounds: it's enough to translate the site into one of the languages of the European Union (English, for example) and accept payment in euros (say, through some multicurrency payment system).
It also applies to organizations outside the EU that monitor behavior taking place within the EU.
And this is the cherry on the cake; I'll reveal its nastiness later.
Expanded interpretation of the concept of personal data
But even if there is no user registration, do you know what exactly the GDPR now defines as personal data?
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers or other identifiers such as RFID tags. This may leave traces which, in particular when combined with unique identifiers and other information received by servers, may be used to create profiles of natural persons and identify them.
Whoa! It gets especially interesting when you realize that the "Internet Protocol addresses" in the GDPR are the IP addresses we're all used to. Many interpreters of this sacred manuscript, without further ado, simply put the IP address on the list of personal data, setting off terrible fires among techies; that interpretation is not entirely correct, but it quite often coincides with the correct answer.
So, the GDPR declares personal data to be not only information that directly identifies or allows identification of an individual, but also information that, together with other information available or obtainable, can with reasonable probability be used to identify an individual. I wouldn't be surprised if you balked at this point; people have already tried to argue with me that a law cannot use any "probabilities", let alone "reasonable" ones... In fact, the GDPR says: "if your data set, in conjunction with data available to you from other sources, allows you to identify the individual with reasonable means, then it is personal data." Google has enough data to identify almost everyone, so it works with personal data.
Both the "controller" and the "processor" are under the hammer
Now for the trickiest combination: there is no registration, and the site is only in Russian, i.e. it is not aimed at providing services to citizens of the European Union. Off the hook? No!
The GDPR applies to both "controllers" and "processors": the controller determines how and why personal data are processed, and the processor acts on behalf of the controller.
Didn't get it, or thought you did but couldn't find the ambush?
Let me explain:
If the "switch" for some functionality is in your hands (as an explicit setting, or simply the power to add that functionality or not), then you are a "controller". A "processor" is one who receives personal data through you or past you, but by your decision.
We read above about "personal data in aggregate" and about Google, and now recall: is Google Analytics (or Yandex.Metrica, or something similar) on your site? Well, Google is a "processor", you are a "controller", and you're trapped. Recently, Google
documented this clearly:
If your agreement with Google includes this policy, or you otherwise use a Google product that includes this policy, you must provide certain information to, and obtain the consent of, end users in the EU.
Now take the next step: remember "they monitor behavior taking place within the EU" and think even deeper: "But do Russian-speaking tourists from the territory of the European Union wander around my exclusive website?"
Saving the drowning is the job of the drowning themselves.
And for those who have already worked themselves up and want to re-examine what they've come up with in the company of fellow sufferers, we are organizing a meetup. On the topic of GDPR we don't sell any products or services; we are affected too, so the conversation will be extremely frank. The announcement of the meetup will appear at
meetup.com in Plesk events in the near future, on the "blocked"
Telegram in the NSK IT events chat, and on the still-working
Facebook in the NSK IT events group. A broadcast is planned for out-of-towners.
PS: And don't believe those who promise "Buy our X and become GDPR compliant!", nor those who offer cheat-sheet-style "five simple steps to GDPR compliance". Achieving GDPR compliance is a complex task, and the solutions in each case are individual. And that is what we will discuss.