Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-21 Thread R.S.

On 2017-08-14 at 18:29, Ron Hawkins wrote:

Then tell me why my overseas banks are contacting me to provide details under FBAR.

What's good for the goose...


Yes, my bank also contacted me in regard to FBAR (or other US 
regulation). Neither I nor the bank has businesses in the US.


--
Radoslaw Skorupka
Lodz, Poland






--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-14 Thread Charles Mills
For exactly the same reason. US law effectively applies to non-US banks, just 
like EU law effectively applies to US banks.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Ron Hawkins
Sent: Monday, August 14, 2017 12:30 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Then tell me why my overseas banks are contacting me to provide details under FBAR.

What's good for the goose...

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Saturday, August 12, 2017 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] GDPR for US companies (Was: Scrubbing sensitive data in 
dumps)

@Tony, thanks for starting a new thread. I was about to do so, realizing I had 
hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE 
sessions. My reply was "if you have deep pockets, I'm sure there is a team of 
lawyers that would be happy to help you be a test case." I'm not a lawyer, but 
my daughter is (albeit not an international justice lawyer) and might have some 
experience in this area. I am with her next week and will ask her.



Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-14 Thread Ron Hawkins
Then tell me why my overseas banks are contacting me to provide details under FBAR.

What's good for the goose...

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Saturday, August 12, 2017 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] GDPR for US companies (Was: Scrubbing sensitive data in 
dumps)

@Tony, thanks for starting a new thread. I was about to do so, realizing I had 
hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE 
sessions. My reply was "if you have deep pockets, I'm sure there is a team of 
lawyers that would be happy to help you be a test case." I'm not a lawyer, but 
my daughter is (albeit not an international justice lawyer) and might have some 
experience in this area. I am with her next week and will ask her.

The borderline examples are myriad. Here was mine. You are a bank. A customer 
checks off US citizen on the account form and gives a US address. But she also 
is an EU National and has an EU residence. You would have no way of knowing 
that.

And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so 
they have to make all the preparations for a law that will soon not affect them.

There was discussion about how you would erase every trace of someone's 
existence if you have DB2 volume backup tapes buried deep in Iron Mountain. And 
what if the lawyers were also telling you "you can't erase that -- we have an 
open discovery action going on that"?

I thought the most interesting observation came from two different companies 
that said "we have to implement this -- so we might just as well do it for all 
of our customers."

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Thigpen
Sent: Saturday, August 12, 2017 12:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Charles,

Even if the regulation says:

"Non-Eu businesses processing the data of EU citizens will also have to appoint 
a representative in the EU."

What legal recourse does the EU have to go after a US company that does not 
"appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in 
the EU" thinking that it's something simple to appease the EU, then they have a 
business presence in the UA. Once they have "a representative in the EU", then 
the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we 
"appoint a representative in the EU". And, if the EU attempts legal action, our 
defense is that EU do not apply to a US business that only does work in the US. 
Just because a EU citizen chooses to use our services while in the US, that 
does not constitute a EU business presence. (No matter what the GDPR is trying 
to claim.)

Take a simple example. A EU person stays at a Florida based Bed & Breakfast. 
And, the guest supplies his address and phone number. The GDPR 'claims' that 
the GDPR now applies. But, such a claim violates the sovereignty of the 
USA. And, since the Bed & Breakfast does not have a presence in the EU, that 
sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, 
it can not. It's just trying to scare people into compliance.



Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-13 Thread Timothy Sipples
Tony Thigpen wrote:
>In other words, the GDPR can claim to reach into other countries, but
>legally, it can not.

*Legally*, of course they can. GDPR is a set of European Union regulations.
They say what they say.

It's a separate question whether, when, and how the European Union and its
member countries enforce GDPR. For your hypothetical bed and breakfast in
Florida there's probably not much the European Union can immediately do if
there's a GDPR violation. However, the B&B's proprietors might want to
avoid visiting the EU. :-)

Practically every country demands that other countries (and the entities
within them) treat its citizens according to certain minimum standards.
GDPR will soon become part of the minimum standards that EU countries
demand.


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com



Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-12 Thread Charles Mills
Mmm, a reverse hijack.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Edward Gould
Sent: Saturday, August 12, 2017 6:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

> On Aug 12, 2017, at 4:05 PM, Charles Mills  wrote:
> 
> @Tony, thanks for starting a new thread. I was about to do so, realizing I 
> had hijacked a perfectly good dump-scrubbing thread.
> 
> There was a lot of "how are they going to enforce it on us?" at the SHARE 
> sessions. My reply was "if you have deep pockets, I'm sure there is a team of 
> lawyers that would be happy to help you be a test case." I'm not a lawyer, 
> but my daughter is (albeit not an international justice lawyer) and might 
> have some experience in this area. I am with her next week and will ask her.
> 
> The borderline examples are myriad. Here was mine. You are a bank. A customer 
> checks off US citizen on the account form and gives a US address. But she 
> also is an EU National and has an EU residence. You would have no way of 
> knowing that.
> 
> And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so 
> they have to make all the preparations for a law that will soon not affect 
> them.
> 
> There was discussion about how you would erase every trace of someone's 
> existence if you have DB2 volume backup tapes buried deep in Iron Mountain. 
> And what if the lawyers were also telling you "you can't erase that -- we 
> have an open discovery action going on that"?
> 
> I thought the most interesting observation came from two different companies 
> that said "we have to implement this -- so we might just as well do it for 
> all of our customers."
> 
> Charles

Charles: 
This per se is not about dump scrubbing, but it does have to do with dumps.
In the 1980’s I had a job interview with an unnamed part of the government.
To say the least they handled a lot of Top Secret data.
I asked how they handled the dumps with IBM. Their answer was they didn’t. I 
asked, How do you send dumps to IBM. Their answer was that you didn’t.
All problem determination was done on the spot. I then asked what about IBM 
source? You can’t debug (very much) by looking at just instructions.
Their answer was (the best I can remember) was something like this, “the 
problem is not fixed”, I asked incredulously and you can work like this?
Their answer was “yes”.
Now, since then I have found out that at other secret installations, they have 
IBM people that have the right clearances that can talk on secure lines to 
other IBMers to resolve these types of issues.
Apparently this installation did not do this.
I turned down the job mainly because of that and I didn’t like living out in 
the desert.
Ed 
> 




Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-12 Thread Edward Gould
> On Aug 12, 2017, at 4:05 PM, Charles Mills  wrote:
> 
> @Tony, thanks for starting a new thread. I was about to do so, realizing I 
> had hijacked a perfectly good dump-scrubbing thread.
> 
> There was a lot of "how are they going to enforce it on us?" at the SHARE 
> sessions. My reply was "if you have deep pockets, I'm sure there is a team of 
> lawyers that would be happy to help you be a test case." I'm not a lawyer, 
> but my daughter is (albeit not an international justice lawyer) and might 
> have some experience in this area. I am with her next week and will ask her.
> 
> The borderline examples are myriad. Here was mine. You are a bank. A customer 
> checks off US citizen on the account form and gives a US address. But she 
> also is an EU National and has an EU residence. You would have no way of 
> knowing that.
> 
> And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so 
> they have to make all the preparations for a law that will soon not affect 
> them.
> 
> There was discussion about how you would erase every trace of someone's 
> existence if you have DB2 volume backup tapes buried deep in Iron Mountain. 
> And what if the lawyers were also telling you "you can't erase that -- we 
> have an open discovery action going on that"?
> 
> I thought the most interesting observation came from two different companies 
> that said "we have to implement this -- so we might just as well do it for 
> all of our customers."
> 
> Charles

Charles: 
This per se is not about dump scrubbing, but it does have to do with dumps.
In the 1980’s I had a job interview with an unnamed part of the government.
To say the least they handled a lot of Top Secret data.
I asked how they handled the dumps with IBM. Their answer was they didn’t. I 
asked, How do you send dumps to IBM. Their answer was that you didn’t.
All problem determination was done on the spot. I then asked what about IBM 
source? You can’t debug (very much) by looking at just instructions.
Their answer was (the best I can remember) was something like this, “the 
problem is not fixed”, I asked incredulously and you can work like this?
Their answer was “yes”.
Now, since then I have found out that at other secret installations, they have 
IBM people that have the right clearances that can talk on secure lines to 
other IBMers to resolve these types of issues.
Apparently this installation did not do this.
I turned down the job mainly because of that and I didn’t like living out in 
the desert.
Ed 
> 




Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

2017-08-12 Thread Charles Mills
@Tony, thanks for starting a new thread. I was about to do so, realizing I had 
hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE 
sessions. My reply was "if you have deep pockets, I'm sure there is a team of 
lawyers that would be happy to help you be a test case." I'm not a lawyer, but 
my daughter is (albeit not an international justice lawyer) and might have some 
experience in this area. I am with her next week and will ask her.

The borderline examples are myriad. Here was mine. You are a bank. A customer 
checks off US citizen on the account form and gives a US address. But she also 
is an EU National and has an EU residence. You would have no way of knowing 
that.

And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so 
they have to make all the preparations for a law that will soon not affect them.

There was discussion about how you would erase every trace of someone's 
existence if you have DB2 volume backup tapes buried deep in Iron Mountain. And 
what if the lawyers were also telling you "you can't erase that -- we have an 
open discovery action going on that"?

I thought the most interesting observation came from two different companies 
that said "we have to implement this -- so we might just as well do it for all 
of our customers."

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Thigpen
Sent: Saturday, August 12, 2017 12:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Charles,

Even if the regulation says:

"Non-Eu businesses processing the data of EU citizens will also have to appoint 
a representative in the EU."

What legal recourse does the EU have to go after a US company that does not 
"appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in 
the EU" thinking that it's something simple to appease the EU, then they have a 
business presence in the UA. Once they have "a representative in the EU", then 
the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we 
"appoint a representative in the EU". And, if the EU attempts legal action, our 
defense is that EU do not apply to a US business that only does work in the US. 
Just because a EU citizen chooses to use our services while in the US, that 
does not constitute a EU business presence. (No matter what the GDPR is trying 
to claim.)

Take a simple example. A EU person stays at a Florida based Bed & Breakfast. 
And, the guest supplies his address and phone number. The GDPR 'claims' that 
the GDPR now applies. But, such a claim violates the sovereignty of the 
USA. And, since the Bed & Breakfast does not have a presence in the EU, that 
sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, 
it can not. It's just trying to scare people into compliance.
