Charles,
Even if the regulation says:
"Non-EU businesses processing the data of EU citizens will also have to
appoint a representative in the EU."
What legal recourse does the EU have to go after a US company that does
not "appoint a representative in the EU"?
I think the trick here is that should a company "appoint a
representative in the EU" thinking that it's something simple to appease
the EU, then they have a business presence in the EU. Once they have "a
representative in the EU", then the EU has a legal entity to go after
for non-compliance.
The company I work for has determined that under no circumstance will we
"appoint a representative in the EU". And, if the EU attempts legal
action, our defense is that EU laws do not apply to a US business that only
does work in the US. Just because an EU citizen chooses to use our
services while in the US, that does not constitute an EU business
presence. (No matter what the GDPR is trying to claim.)
Take a simple example. An EU person stays at a Florida based Bed &
Breakfast. And, the guest supplies his address and phone number. The
GDPR 'claims' that the GDPR now applies. But, such a claim violates the
sovereignty of the USA. And, since the Bed & Breakfast does not have
a presence in the EU, that sovereignty protects it.
In other words, the GDPR can claim to reach into other countries, but
legally, it cannot. It's just trying to scare people into compliance.
Tony Thigpen
Charles Mills wrote on 08/12/2017 10:05 AM:
My understanding is that the XBridge product was successful at this technically. CA has a new
product in this area that is successful technically. (By "technically" I mean that the
technology is successful in recognizing credit card numbers, SSNs, and so forth. There is more
pattern to a credit card number than just "16 numeric digits.")
These products address files and datasets, but the same pattern recognition
would apply to dumps.
The problem as I see it -- after taking several sessions at SHARE on data privacy -- is that the
definition of "personal information" is endlessly elastic. Read "What constitutes
personal data?" on http://www.eugdpr.org/gdpr-faqs.html.
And by the way, if you are in the US and think that the GDPR is a Europe-only thing, read "Who
does the GDPR affect?" and "What are the penalties for non-compliance?" on the same
page. Also note the countdown clock on their home page!
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Paul Gilmartin
Sent: Friday, August 11, 2017 11:23 PM
To: [email protected]
Subject: Re: Scrubbing sensitive data in dumps
On Fri, 11 Aug 2017 17:09:10 -0400, Jim Mulder wrote:
We did have a meeting in z/OS development quite a few years ago to
discuss someone's wish for this type of function for z/OS dumps. We
concluded that in general, identifying the sensitive data to be
modified would be so problematic that it was not worth pursuing.
This is reminiscent of a question posed (here?) (years?) ago concerning
detecting credit card numbers in data sets, with the objective of obfuscating
them.
OK. Any 16 numeric digits, or packed, or 64-bit binary in range, or ...
Validate check digit?
Same answer.
Or SSNs.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
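
The "more pattern than 16 numeric digits" and "validate check digit?" points from the thread, as an added example (not code from any poster or product mentioned): a scan of a raw dump buffer for 16-digit values that pass the Luhn check, followed by in-place zeroing. It goes beyond the plain-digit case to cover EBCDIC zoned and packed-decimal storage, but not binary. The function names, the 9-byte packed layout (leading zero nibble, sign nibble C/D/F) and the sample buffer are assumptions made for illustration.

```python
import re

def luhn_ok(digits):
    """True if the digit list passes the Luhn check-digit test."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0 and any(digits)  # all-zero runs are not card numbers

# Exactly 16 digit bytes, not embedded in a longer run of digits.
ZONED = {
    "ascii":  re.compile(rb"(?<![0-9])[0-9]{16}(?![0-9])"),
    "ebcdic": re.compile(rb"(?<![\xF0-\xF9])[\xF0-\xF9]{16}(?![\xF0-\xF9])"),
}

def find_pans(buf):
    """Return sorted (offset, length, encoding) for Luhn-valid 16-digit values."""
    hits = []
    for enc, rx in ZONED.items():
        for m in rx.finditer(buf):
            if luhn_ok([b & 0x0F for b in m.group()]):
                hits.append((m.start(), 16, enc))
    # Packed decimal (assumed layout): 0 nibble, 16 digit nibbles, sign nibble.
    for off in range(len(buf) - 8):
        nib = [n for b in buf[off:off + 9] for n in (b >> 4, b & 0x0F)]
        if (nib[0] == 0 and nib[17] in (0xC, 0xD, 0xF)
                and max(nib[1:17]) <= 9 and luhn_ok(nib[1:17])):
            hits.append((off, 9, "packed"))
    return sorted(hits)

def scrub(buf):
    """Return a copy with each hit's digits zeroed; zones and sign are kept."""
    out = bytearray(buf)
    for off, length, enc in find_pans(buf):
        if enc == "packed":
            out[off:off + 9] = bytes(8) + bytes([out[off + 8] & 0x0F])
        else:
            out[off:off + 16] = bytes([out[off] & 0xF0]) * 16
    return bytes(out)

# Constructed sample "dump" using the test number 4111111111111111 (not real data).
PAN = "4111111111111111"
SAMPLE = (b"\x00\x00CARD=" + PAN.encode() + b";"
          + bytes(0xF0 + int(c) for c in PAN) + b"\x40\x40"
          + bytes.fromhex("0" + PAN + "F") + b"ID=4111111111111112")
```

The trailing ID= value is 16 digits with a bad check digit, so it is left alone; anything that is Luhn-valid by coincidence would still be zeroed, and card numbers held as binary integers are not found at all.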