Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
On 2017-08-14 at 18:29, Ron Hawkins wrote:
> Then tell me why my overseas banks contacting me to provide details under FBAR. What's good for the goose...

Yes, my bank also contacted me in regard to FBAR (or other US regulation). Neither I nor the bank has businesses in the US.

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
For exactly the same reason. US law effectively applies to non-US banks, just like EU law effectively applies to US banks.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Ron Hawkins
Sent: Monday, August 14, 2017 12:30 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Then tell me why my overseas banks contacting me to provide details under FBAR. What's good for the goose...

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
Sent: Saturday, August 12, 2017 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] GDPR for US companies (Was: Scrubbing sensitive data in dumps)

@Tony, thanks for starting a new thread. I was about to do so, realizing I had hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE sessions. My reply was "if you have deep pockets, I'm sure there is a team of lawyers that would be happy to help you be a test case." I'm not a lawyer, but my daughter is (albeit not an international justice lawyer) and might have some experience in this area. I am with her next week and will ask her.
Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
Then tell me why my overseas banks contacting me to provide details under FBAR. What's good for the goose...

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
Sent: Saturday, August 12, 2017 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] GDPR for US companies (Was: Scrubbing sensitive data in dumps)

@Tony, thanks for starting a new thread. I was about to do so, realizing I had hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE sessions. My reply was "if you have deep pockets, I'm sure there is a team of lawyers that would be happy to help you be a test case." I'm not a lawyer, but my daughter is (albeit not an international justice lawyer) and might have some experience in this area. I am with her next week and will ask her.

The borderline examples are myriad. Here was mine. You are a bank. A customer checks off US citizen on the account form and gives a US address. But she also is an EU National and has an EU residence. You would have no way of knowing that.

And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so they have to make all the preparations for a law that will soon not affect them.

There was discussion about how you would erase every trace of someone's existence if you have DB2 volume backup tapes buried deep in Iron Mountain. And what if the lawyers were also telling you "you can't erase that -- we have an open discovery action going on that"?

I thought the most interesting observation came from two different companies that said "we have to implement this -- so we might just as well do it for all of our customers."

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Thigpen
Sent: Saturday, August 12, 2017 12:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Charles,

Even if the regulation says: "Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU." What legal recourse does the EU have to go after a US company that does not "appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in the EU" thinking that it's something simple to appease the EU, then they have a business presence in the UA. Once they have "a representative in the EU", then the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we "appoint a representative in the EU". And, if the EU attempts legal action, our defense is that EU do not apply to a US business that only does work in the US. Just because an EU citizen chooses to use our services while in the US, that does not constitute an EU business presence. (No matter what the GDPR is trying to claim.)

Take a simple example. An EU person stays at a Florida based Bed & Breakfast. And, the guest supplies his address and phone number. The GDPR 'claims' that the GDPR now applies. But, such a claim violates the sovereignty of the USA. And, since the Bed & Breakfast does not have a presence in the EU, that sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, it can not. It's just trying to scare people into compliance.
Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
Tony Thigpen wrote:
>In other words, the GDPR can claim to reach into other countries, but
>legally, it can not.

*Legally*, of course they can. GDPR is a set of European Union regulations. They say what they say.

It's a separate question whether, when, and how the European Union and its member countries enforce GDPR. For your hypothetical bed and breakfast in Florida there's probably not much the European Union can immediately do if there's a GDPR violation. However, the B&B's proprietors might want to avoid visiting the EU. :-)

Practically every country demands that other countries (and the entities within them) treat its citizens according to certain minimum standards. GDPR will soon become part of the minimum standards that EU countries demand.

Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
Mmm, a reverse hijack.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Edward Gould
Sent: Saturday, August 12, 2017 6:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

> On Aug 12, 2017, at 4:05 PM, Charles Mills wrote:
>
> @Tony, thanks for starting a new thread. I was about to do so, realizing I
> had hijacked a perfectly good dump-scrubbing thread.
>
> There was a lot of "how are they going to enforce it on us?" at the SHARE
> sessions. My reply was "if you have deep pockets, I'm sure there is a team of
> lawyers that would be happy to help you be a test case." I'm not a lawyer,
> but my daughter is (albeit not an international justice lawyer) and might
> have some experience in this area. I am with her next week and will ask her.
>
> The borderline examples are myriad. Here was mine. You are a bank. A customer
> checks off US citizen on the account form and gives a US address. But she
> also is an EU National and has an EU residence. You would have no way of
> knowing that.
>
> And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so
> they have to make all the preparations for a law that will soon not affect
> them.
>
> There was discussion about how you would erase every trace of someone's
> existence if you have DB2 volume backup tapes buried deep in Iron Mountain.
> And what if the lawyers were also telling you "you can't erase that -- we
> have an open discovery action going on that"?
>
> I thought the most interesting observation came from two different companies
> that said "we have to implement this -- so we might just as well do it for
> all of our customers."
>
> Charles

Charles:

This per se is not about dump scrubbing, but it does have to do with dumps. In the 1980’s I had a job interview with an unnamed part of the government. To say the least they handled a lot of Top Secret data. I asked how they handled the dumps with IBM. Their answer was they didn’t. I asked, How do you send dumps to IBM. Their answer was that you didn’t. All problem determination was done on the spot. I then asked what about IBM source? You can’t debug (very much) by looking at just instructions. Their answer was (the best I can remember) was something like this, “the problem is not fixed”, I asked incredulously and you can work like this? Their answer was “yes”.

Now, since then I have found out that at other secret installations, they have IBM people that have the right clearances that can talk on secure lines to other IBMers to resolve these types of issues. Apparently this installation did not do this. I turned down the job mainly because of that and I didn’t like living out in the desert.

Ed
Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
> On Aug 12, 2017, at 4:05 PM, Charles Mills wrote:
>
> @Tony, thanks for starting a new thread. I was about to do so, realizing I
> had hijacked a perfectly good dump-scrubbing thread.
>
> There was a lot of "how are they going to enforce it on us?" at the SHARE
> sessions. My reply was "if you have deep pockets, I'm sure there is a team of
> lawyers that would be happy to help you be a test case." I'm not a lawyer,
> but my daughter is (albeit not an international justice lawyer) and might
> have some experience in this area. I am with her next week and will ask her.
>
> The borderline examples are myriad. Here was mine. You are a bank. A customer
> checks off US citizen on the account form and gives a US address. But she
> also is an EU National and has an EU residence. You would have no way of
> knowing that.
>
> And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so
> they have to make all the preparations for a law that will soon not affect
> them.
>
> There was discussion about how you would erase every trace of someone's
> existence if you have DB2 volume backup tapes buried deep in Iron Mountain.
> And what if the lawyers were also telling you "you can't erase that -- we
> have an open discovery action going on that"?
>
> I thought the most interesting observation came from two different companies
> that said "we have to implement this -- so we might just as well do it for
> all of our customers."
>
> Charles

Charles:

This per se is not about dump scrubbing, but it does have to do with dumps. In the 1980’s I had a job interview with an unnamed part of the government. To say the least they handled a lot of Top Secret data. I asked how they handled the dumps with IBM. Their answer was they didn’t. I asked, How do you send dumps to IBM. Their answer was that you didn’t. All problem determination was done on the spot. I then asked what about IBM source? You can’t debug (very much) by looking at just instructions. Their answer was (the best I can remember) was something like this, “the problem is not fixed”, I asked incredulously and you can work like this? Their answer was “yes”.

Now, since then I have found out that at other secret installations, they have IBM people that have the right clearances that can talk on secure lines to other IBMers to resolve these types of issues. Apparently this installation did not do this. I turned down the job mainly because of that and I didn’t like living out in the desert.

Ed
Re: GDPR for US companies (Was: Scrubbing sensitive data in dumps)
@Tony, thanks for starting a new thread. I was about to do so, realizing I had hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE sessions. My reply was "if you have deep pockets, I'm sure there is a team of lawyers that would be happy to help you be a test case." I'm not a lawyer, but my daughter is (albeit not an international justice lawyer) and might have some experience in this area. I am with her next week and will ask her.

The borderline examples are myriad. Here was mine. You are a bank. A customer checks off US citizen on the account form and gives a US address. But she also is an EU National and has an EU residence. You would have no way of knowing that.

And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so they have to make all the preparations for a law that will soon not affect them.

There was discussion about how you would erase every trace of someone's existence if you have DB2 volume backup tapes buried deep in Iron Mountain. And what if the lawyers were also telling you "you can't erase that -- we have an open discovery action going on that"?

I thought the most interesting observation came from two different companies that said "we have to implement this -- so we might just as well do it for all of our customers."

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Thigpen
Sent: Saturday, August 12, 2017 12:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Charles,

Even if the regulation says: "Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU." What legal recourse does the EU have to go after a US company that does not "appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in the EU" thinking that it's something simple to appease the EU, then they have a business presence in the UA. Once they have "a representative in the EU", then the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we "appoint a representative in the EU". And, if the EU attempts legal action, our defense is that EU do not apply to a US business that only does work in the US. Just because an EU citizen chooses to use our services while in the US, that does not constitute an EU business presence. (No matter what the GDPR is trying to claim.)

Take a simple example. An EU person stays at a Florida based Bed & Breakfast. And, the guest supplies his address and phone number. The GDPR 'claims' that the GDPR now applies. But, such a claim violates the sovereignty of the USA. And, since the Bed & Breakfast does not have a presence in the EU, that sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, it can not. It's just trying to scare people into compliance.