Re: Whois vs GDPR, latest news

2018-05-26 Thread Dan Hollis

On Sat, 26 May 2018, Royce Williams wrote:

> Naively ... to counter potential panic, it would be awesome to crowdsource
> some kind of CC-licensed GDPR toolkit for small orgs. Something like a
> boilerplate privacy policy (perhaps generated by answers to questions),
> plus some simplified checklists, could go a long way - towards both
> compliance and actual security benefit.


Who is willing to accept the risk of being involved in the creation of such a
thing? Would you?


If someone uses it and ends up being hit by EU regulators, you can bet
the toolkit creators will be sued.


Who would be willing to use a crowdsourced legal toolkit given the risks
of a violation? Would you?


-Dan


Re: Whois vs GDPR, latest news

2018-05-26 Thread Royce Williams
On Sat, May 26, 2018 at 4:57 PM Dan Hollis  wrote:

> I imagine small businesses who do a small percentage of revenue to EU
> citizens will simply decide to do zero percentage of revenue to EU
> citizens. The risk is simply too great.

That would be a shame. I would expect the level of effort to be roughly
commensurate with A) the size of the org, and B) the risk inherent in what
data is being collected, processed, stored, etc. I would also expect
compliance to at least partially derive from
vendor/cloud/outsource/whatever partners, many of whom should be
scaled/scaling up to minimally comply.

I would also not be surprised if laws of similar scope start to emerge in
other countries. If so, taking your ball and going home won't be
sustainable. If small, vulnerable orgs panic and can't realistically engage
the risk, they may be selecting themselves out of the market - an "I
encourage my competitors to do this" variant.

Naively ... to counter potential panic, it would be awesome to crowdsource
some kind of CC-licensed GDPR toolkit for small orgs. Something like a
boilerplate privacy policy (perhaps generated by answers to questions),
plus some simplified checklists, could go a long way - towards both
compliance and actual security benefit.

In a larger sense ... can any org - regardless of size - afford to not know
their data, understand (at least at a high level) how it could be abused,
know who is accessing it, manage it so that it can be verifiably purged,
and enable their customers to self-manage their portion of it?

I'm personally a big fan of undue diligence and all, but we need to
advocate for some ... realistic scaling of response.

Royce


Re: Whois vs GDPR, latest news

2018-05-26 Thread Dan Hollis

On Sat, 26 May 2018, Seth Mattinen wrote:

> On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:
>> Actually, GDPR specifically requires processors to include statements of
>> compliance right in their contracts;  we also strongly recommend that
>> controllers insist on indemnification clauses in their contracts with
>> processors, because if the processor screws up and there is a breach,
>> the _controller_ can also be held liable, and the financial penalties in
>> GDPR are very stiff.
>
> Good luck getting multiple millions worth of fines out of small businesses
> that never even touch a million a year in revenue, let alone the added
> expenses of trying to do all the crap GDPR thinks everyone can suddenly
> afford out of nowhere.


I imagine small businesses who do a small percentage of revenue to EU 
citizens will simply decide to do zero percentage of revenue to EU 
citizens. The risk is simply too great.


-Dan


Re: Whois vs GDPR, latest news

2018-05-26 Thread valdis . kletnieks
On Sat, 26 May 2018 10:31:29 +0200, "Michel 'ic' Luczak" said:

> "When the regulation does not apply
>
> Your company is service provider based outside the EU. It provides services
> to customers outside the EU.  Its clients can use its services when they travel
> to other countries, including within the EU. Provided your company doesn't
> specifically target its services at individuals in the EU, it is not subject to
> the rules of the GDPR.”

Now here's the big question - a *lot* of companies are targeting "anybody with
a freemail account like GMail and a valid Visa or Mastercard card" or similar
business models - does that count as "specifically targeting at EU", or not?





Re: Whois vs GDPR, latest news

2018-05-26 Thread Rob McEwen

On 5/26/2018 3:36 PM, JORDI PALET MARTINEZ via NANOG wrote:

> Talking from the experience because the previous laws in Spain, LOPD and LSSI


Jordi,

LOPD/LSSI does not = GDPR

But even if there was a probability that GDPR would operate like they do: (1) it is 
alarming that the fines mentioned in GDPR are 10-20X higher than even LOPD/LSSI's higher 
fines, AND, regarding LOPD/LSSI's relatively low minimum fine of 600 EUROs that you 
mentioned, it was explicitly mentioned on the page you referenced; HOWEVER, there is NOT 
any similar official (relatively) low-cost fine mentioned for GDPR anywhere; there is 
only that NOT-reassuring "up to" phrase.

For someone hit with a GDPR fine, I don't think telling them, "JORDI PALET MARTINEZ 
claimed that the fine will be more reasonable for a smaller business that had a less 
egregious offense" - is going to necessarily make it so.

Believe me, I WANT you to be my GDPR fairy. I really really do. But I have to 
operate my business more realistically.

--
Rob McEwen
https://www.invaluement.com




Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
Talking from experience with the previous laws in Spain, LOPD and LSSI 
(which were basically the same across the different EU countries).

They had "maximum" fines (it was 600.000 Euros). They start, for small law 
infringements, with 600 euros or 1.500 euros, unless it is something very severe, 
in which case it comes to something like 30.000 euros, etc.

If you keep repeating the law infringement, then the 2nd time it may become 
150.000 Euros.

If it is massive infringement (for example massive spam), then it comes to 
300.000 or even 600.000 euros.

Here there is an explanation for the LOPD fines, is in Spanish, but a 
translator should work:
http://www.cuidatusdatos.com/infracciones/

My guess is that the GDPR maximum fines are there just as maximum, and there 
will be agreements among the EU DPAs, to better define how much is the fine, in 
a similar way they are doing now.

Regards,
Jordi
 
 

-Original Message-
From: NANOG on behalf of Rob McEwen
Date: Saturday, 26 May 2018, 21:06
To:
Subject: Re: Whois vs GDPR, latest news

On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:
> Original text from EU Commission:
> "Infringements of the following provisions shall, in accordance with
> paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the
> case of an undertaking, up to 2 % of the total worldwide annual turnover of the
> preceding financial year, whichever is higher”
>
> -> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
>
> It’s a cap, not a minimum.


Thanks for the clarification. But whether that fine will be less than 
10M is extremely vague and (I guess?) left up to the opinions or whims 
of a Euro bureaucrat or judge panel, or something like that... based on 
very vague and subjective criteria. I've searched and nobody can seem to 
find any more specifics or assurances. Therefore, there is NOTHING that 
a very small business with a very small data breach or mistake could 
point to... to give them confidence that their fine will be any less 
than 10M Euros, other than that "up to" wording - that is in the same 
sentence where it also clarifies "whichever is larger".

All these people in this discussion who are expressing opinions that 
penalties in such situations won't be nearly so bad - are expressing 
what may very well be "wishful thinking" that isn't rooted in reality.

-- 
Rob McEwen
https://www.invaluement.com
  





**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.





Re: Whois vs GDPR, latest news

2018-05-26 Thread Florian Weimer
* Mark Andrews:

> Domain whois is absolutely useful.  Try contacting a site to report
> that their nameservers are hosed without it.

A lot of WHOIS servers do not show who's running the name servers, or
who maintains the data served by them.  Those that do usually provide
information which is provably wrong.

> Remember that about 50% of zones have not RFC compliant name servers
> (the software is broken) and that newer resolver depend on default
> behaviour working correctly.

If WHOIS records were useful for contacting operators, you wouldn't
have to raise these issues on public lists periodically.


Re: Whois vs GDPR, latest news

2018-05-26 Thread Rob McEwen

On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:

> Original text from EU Commission:
> "Infringements of the following provisions shall, in accordance with paragraph
> 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an
> undertaking, up to 2 % of the total worldwide annual turnover of the preceding
> financial year, whichever is higher”
>
> -> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
>
> It’s a cap, not a minimum.



Thanks for the clarification. But whether that fine will be less than 
10M is extremely vague and (I guess?) left up to the opinions or whims 
of a Euro bureaucrat or judge panel, or something like that... based on 
very vague and subjective criteria. I've searched and nobody can seem to 
find any more specifics or assurances. Therefore, there is NOTHING that 
a very small business with a very small data breach or mistake could 
point to... to give them confidence that their fine will be any less 
than 10M Euros, other than that "up to" wording - that is in the same 
sentence where it also clarifies "whichever is larger".


All these people in this discussion who are expressing opinions that 
penalties in such situations won't be nearly so bad - are expressing 
what may very well be "wishful thinking" that isn't rooted in reality.


--
Rob McEwen
https://www.invaluement.com
 



Re: Whois vs GDPR, latest news

2018-05-26 Thread Michel 'ic' Luczak


> On 26 May 2018, at 20:28, Seth Mattinen  wrote:
> 
> 
> 
> On 5/26/18 8:15 PM, Michel 'ic' Luczak wrote:
>> The two levels depend on the nature of the infringement, but it says clearly 
>> “up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the 
>> “less serious” infringements. So no, there is no minimum fine actually.
> 
> 
> To me that says the fine is 10M if your 2% is lower than 10M. Or it wasn't 
> originally written in English and the translation is flawed.

Original text from EU Commission:
"Infringements of the following provisions shall, in accordance with paragraph 
2, be subject to administrative fines up to 10 000 000 EUR, or in the case of 
an undertaking, up to 2 % of the total worldwide annual turnover of the 
preceding financial year, whichever is higher”

-> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M). 

It’s a cap, not a minimum. 





Re: Whois vs GDPR, latest news

2018-05-26 Thread Seth Mattinen



On 5/26/18 8:15 PM, Michel 'ic' Luczak wrote:

> The two levels depend on the nature of the infringement, but it says clearly
> “up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the
> “less serious” infringements. So no, there is no minimum fine actually.



To me that says the fine is 10M if your 2% is lower than 10M. Or it 
wasn't originally written in English and the translation is flawed.




Re: Whois vs GDPR, latest news

2018-05-26 Thread Michel 'ic' Luczak


> On 26 May 2018, at 19:37, Rob McEwen  wrote:
> 
> The *MINIMUM* fine is 10M euros.
> 
> SEE: https://www.gdpreu.org/compliance/fines-and-penalties/ 
> 
The two levels depend on the nature of the infringement, but it says clearly 
“up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the 
“less serious” infringements. So no, there is no minimum fine actually.





Re: Whois vs GDPR, latest news

2018-05-26 Thread Rob McEwen

On 5/26/2018 12:29 PM, JORDI PALET MARTINEZ via NANOG wrote:

> I don't recall right now the exact details about how they calculate the fine



The *MINIMUM* fine is 10M euros.

SEE: https://www.gdpreu.org/compliance/fines-and-penalties/

This is true no matter how small the business, and (potentially) even if 
there was just one minor incident.


And the law is so vague and expansive - and with such massive minimum 
fines - that I wonder if this might be exploited to target political 
rivals/enemies? Or those who donate to such? It certainly could easily 
be weaponized!


And before it even gets nearly to that point, it could also turn into 
the equivalent of the tiny city of Waldo, Florida (USA) (population 
1K)... who turned their police force into a speeding-ticket revenue 
factory for some time before the State of FL shut them down. Certainly, 
the Euro bureaucrats are incentivized.


--
Rob McEwen
https://www.invaluement.com



Re: Whois vs GDPR, latest news

2018-05-26 Thread Owen DeLong
I’m not sure that’s true. I think that the notice is sufficient to indicate 
that I have no intention to have EU persons visiting my web site and thus 
should not be subject to their extraterritorial overreach.

Obviously time will tell what happens.

Owen


> On May 26, 2018, at 09:29 , JORDI PALET MARTINEZ via NANOG  
> wrote:
> 
> I don't recall right now the exact details about how they calculate the fine, 
> which is appropriate for each case, but the 4% of turnover or 20 million 
> Euros is just the maximum amount (per case). I'm sure there is something 
> already documented about that, or maybe each country's DPA is the one 
> responsible for defining the exact fine for each case.
> 
> For example, up to now (with the previous law, LOPD for Spain), the maximum 
> fine was 600.000 euros, and the "starting" fine was 1.500 euros. So, 
> depending on the number of people affected, the degree of infringement, if it 
> is the first time or if the company has been warned or fined before, you can 
> get a fine in the "middle" of those figures.
> 
> I'm sure it will be the same way for the GDPR.
> 
> Regards,
> Jordi
> 
> 
> 
> -Original Message-
> From: NANOG on behalf of Seth Mattinen
> Date: Saturday, 26 May 2018, 16:00
> To:
> Subject: Re: Whois vs GDPR, latest news
>
>
> On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:
>> I don't think, in general the DPAs need to use lawsuits.
>>
>> If they discover (by their own, or by means of a customer claim) that a
>> company (never mind is from the EU or outside) is not following the GDPR,
>> they will just fine it and the corresponding government authorities are the
>> responsible to cash the fine, even with "bank account embargos". If the
>> company is outside the EU, but there are agreements with that country, they
>> can proceed to that via the third country authorities.
>
> If someone were to show up and issue me a 10 or 20 million euro fine
> (more in USD), I'd just laugh since I'll never see that much money at
> one time in my whole life.
>
> I'm not convinced they will limit reach to the Facebooks and Googles of
> the world until a lower limit is codified. I suspect that won't happen
> until enough small guys are fined 10-20 million euros who could never
> hope to repay it in a lifetime.
>
> ~Seth
> 
> 
> 
> 
> 
> 
> 



Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
I don't recall right now the exact details about how they calculate the fine, 
which is appropriate for each case, but the 4% of turnover or 20 million Euros 
is just the maximum amount (per case). I'm sure there is something already 
documented about that, or maybe each country's DPA is the one responsible for 
defining the exact fine for each case.

For example, up to now (with the previous law, LOPD for Spain), the maximum 
fine was 600.000 euros, and the "starting" fine was 1.500 euros. So, depending 
on the number of people affected, the degree of infringement, if it is the 
first time or if the company has been warned or fined before, you can get a 
fine in the "middle" of those figures.

I'm sure it will be the same way for the GDPR.

Regards,
Jordi
 
 

-Original Message-
From: NANOG on behalf of Seth Mattinen
Date: Saturday, 26 May 2018, 16:00
To:
Subject: Re: Whois vs GDPR, latest news



On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:
> I don't think, in general the DPAs need to use lawsuits.
>
> If they discover (by their own, or by means of a customer claim) that a
> company (never mind is from the EU or outside) is not following the GDPR, they
> will just fine it and the corresponding government authorities are the
> responsible to cash the fine, even with "bank account embargos". If the company
> is outside the EU, but there are agreements with that country, they can proceed
> to that via the third country authorities.


If someone were to show up and issue me a 10 or 20 million euro fine 
(more in USD), I'd just laugh since I'll never see that much money at 
one time in my whole life.

I'm not convinced they will limit reach to the Facebooks and Googles of 
the world until a lower limit is codified. I suspect that won't happen 
until enough small guys are fined 10-20 million euros who could never 
hope to repay it in a lifetime.

~Seth









Re: Juniper BGP Convergence Time

2018-05-26 Thread Baldur Norddahl
Add a static default route on both routers. This will be invalidated as
soon as the interface goes down. It should be faster than relying on the BGP
process to withdraw the route. It also does not require any config changes
at your upstreams.

Regards
Baldur


On Wed, 16 May 2018 at 18:52, Adam Kajtar wrote:

> Erich,
>
> Good idea. I can't believe I didn't think of that earlier. Simple and
> effective. I will go ahead and request the defaults from my ISP and update
> the thread with the findings.
>
> Thanks!
>
> On Wed, May 16, 2018 at 10:03 AM Kaiser, Erich wrote:
>
> > A last resort route (default route) could still be good to take from your
> > ISP(s) even if you still do full routes, as the propagation is happening on
> > the internet side, you should at least have a path inbound through the
> > other provider.  The default route at least would send the traffic out if
> > it does not see the route locally.  Just an idea.
> >
> > On Wed, May 16, 2018 at 8:22 AM, Adam Kajtar wrote:
> >
> > > I could use static routes but I noticed since I moved to full routes I
> > > have had a lot fewer customer complaints about latency (especially when it
> > > comes to Voice and VPN traffic).
> > >
> > > I wasn't using per-packet load balancing. I believe juniper default is per
> > > IP.
> > >
> > > My timers are as follows
> > >  Active Holdtime: 90
> > >  Keepalive Interval: 30
> > >
> > > Would I be correct in thinking I need to contact my ISP to lower these
> > > values?
> > >
> > > An interesting note is when I had both ISPs connected into a single MX104
> > > the failover was just a few seconds.
> > >
> > > Thanks again.
> > >
> > > On Tue, May 15, 2018 at 8:42 PM Ben Cannon wrote:
> > >
> > >> Have you checked your timeouts ?
> > >>
> > >> -Ben
> > >>
> > >> > On May 15, 2018, at 4:09 PM, Kaiser, Erich wrote:
> > >> >
> > >> > Do you need full routes?  What about just a default route from BGP?
> > >> >
> > >> > Erich Kaiser
> > >> > The Fusion Network
> > >> > er...@gotfusion.net
> > >> > Office: 815-570-3101
> > >> >
> > >> >> On Tue, May 15, 2018 at 5:38 PM, Aaron Gould wrote:
> > >> >>
> > >> >> You sure it doesn't have something to do with 60 seconds * 3 = 180
> > >> >> secs of BGP neighbor Time out before it believes neighbor is dead and
> > >> >> remove routes to that neighbor?
> > >> >>
> > >> >> Aaron
> > >> >>
> > >> >>> On May 15, 2018, at 9:10 AM, Adam Kajtar <akaj...@wadsworthcity.org>
> > >> >>> wrote:
> > >> >>>
> > >> >>> Hello:
> > >> >>>
> > >> >>> I'm running two Juniper MX104s. Each MX has 1 ISP connected running
> > >> >>> BGP (full routes). iBGP is running between the routers via a two port
> > >> >>> 20G lag. When one of the ISPs fails, it can take upwards of 2 minutes
> > >> >>> for traffic to start flowing correctly. The router has the correct
> > >> >>> route in the routing table, but it doesn't install it in the
> > >> >>> forwarding table for the full two mins.
> > >> >>>
> > >> >>> I have a few questions if anyone could answer them.
> > >> >>>
> > >> >>>  - What would a usual convergence time be for this setup?
> > >> >>>  - Is there anything I could do to speed this process up? (I tried
> > >> >>>    Multipath)
> > >> >>>  - Any tips and tricks would be much appreciated
> > >> >>>
> > >> >>> Thanks in Advance
> > >> >>> --
> > >> >>> Adam Kajtar
> > >> >>> Systems Administrator
> > >> >>> City of Wadsworth
> > >> >>> akaj...@wadsworthcity.org
> > >> >>> -
> > >> >>> http://www.wadsworthcity.com
> > >> >>
> > >>
> > >
> > > --
> > > Adam Kajtar
> > > Systems Administrator, Safety Services
> > > City of Wadsworth
> > > Office 330.335.2865
> > > Cell 330.485.6510
> > > akaj...@wadsworthcity.org
> > > -
> > > http://www.wadsworthcity.com
> >
>
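As an added illustration of the static-default approach suggested above (not configuration posted by anyone in this thread), this is the Junos stanza for one of the two MX104s; the addresses are assumed: 192.0.2.1 is the directly connected upstream peer on the ISP-facing interface, and 10.0.0.2 is the other MX across the 20G LAG. The second router carries the mirror image with the roles swapped.

```junos
/* Added example, assumed addressing: 192.0.2.1 = upstream peer on the
   directly connected ISP-facing interface, 10.0.0.2 = the other MX104
   reached across the LAG. */
routing-options {
    static {
        route 0.0.0.0/0 {
            /* Primary next hop sits on the upstream interface. When that
               interface goes down the next hop is no longer reachable and
               Junos withdraws this entry at once, without waiting for the
               BGP hold timer (90 s with the timers quoted above) to expire. */
            next-hop 192.0.2.1;
            /* Backup next hop over the LAG to the other router. Preference
               250 ranks it below the primary (static default preference 5)
               and below any BGP-learned route (170), so it carries traffic
               only once the primary next hop has disappeared. */
            qualified-next-hop 10.0.0.2 {
                preference 250;
            }
            /* Never export this default toward the upstreams. */
            no-readvertise;
        }
    }
}
```

Longest-prefix match still applies, so destinations that keep a more specific BGP route continue to follow it until that route is withdrawn or its next hop becomes unresolvable; `show route 0.0.0.0/0 exact` after the upstream interface is taken down should show the active next hop switching to 10.0.0.2.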

Re: Whois vs GDPR, latest news

2018-05-26 Thread Seth Mattinen



On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:

> I don't think, in general the DPAs need to use lawsuits.
>
> If they discover (by their own, or by means of a customer claim) that a company (never
> mind is from the EU or outside) is not following the GDPR, they will just fine it and the
> corresponding government authorities are the responsible to cash the fine, even with
> "bank account embargos". If the company is outside the EU, but there are
> agreements with that country, they can proceed to that via the third country authorities.



If someone were to show up and issue me a 10 or 20 million euro fine 
(more in USD), I'd just laugh since I'll never see that much money at 
one time in my whole life.


I'm not convinced they will limit reach to the Facebooks and Googles of 
the world until a lower limit is codified. I suspect that won't happen 
until enough small guys are fined 10-20 million euros who could never 
hope to repay it in a lifetime.


~Seth


Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
I don't think, in general, the DPAs need to use lawsuits.

If they discover (on their own, or by means of a customer claim) that a company 
(never mind whether it is from the EU or outside) is not following the GDPR, they 
will just fine it, and the corresponding government authorities are the ones 
responsible for collecting the fine, even with "bank account embargos". If the 
company is outside the EU, but there are agreements with that country, they can 
proceed to that via the third-country authorities.

Same as when you don't pay a traffic fine in the EU and you are from non-EU 
countries (some allow the embargo, others not).

This has been happening, in most of the EU countries for a while. In recent 
months, the Spanish DPA has ordered fines of 600.000 euros (with the previous 
law, LOPD), to companies such as Facebook, Google, Whatsapp, and many others ...

Regards,
Jordi
 
 

-Original Message-
From: NANOG on behalf of Nick Hilliard
Date: Saturday, 26 May 2018, 11:29
To: Seth Mattinen
CC:
Subject: Re: Whois vs GDPR, latest news

Seth Mattinen wrote on 26/05/2018 08:41:
> Good luck getting multiple millions worth of fines out of small 
> businesses that never even touch a million a year in revenue, let alone 
> the added expenses of trying to do all the crap GDPR thinks everyone can 
> suddenly afford out of nowhere.

You can put the straw man away - Europe isn't the US.  No Data 
Protection Authority in Europe is going to sue a mom & pop business in 
the US for millions because they haven't clarified their cookies policy. 
The upper limits of the fines are aimed at the robber barons of the world.

The DPAs in Europe are for the most part lawsuit-averse and engage with 
companies to build alignment rather than taking the punitive approach 
and liberally dishing out lawsuits and fines.  The emphasis on GDPR 
compliance is aiming at reasonable steps rather than pretending that 
every organisation is going to end up redesigning their entire existence 
around GDPR on May 25.

Nick









Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
However, if an EU citizen or resident uses the services of those companies, 
they are bound to comply with the GDPR.

So, if you target your services to people outside the EU, you must have a way 
to DENY anyone in the EU registering for your services, or even sending a request 
via a form on your web site, etc.

I don't think that's so easy to make 100% proof ... and maybe the cost of 
complying with the GDPR is even cheaper/easier, and you open your services to the 
EU as well (or to EU people, for example, visiting the US).

Regards,
Jordi
 
 

-Original Message-
From: NANOG on behalf of Michel 'ic' Luczak
Date: Saturday, 26 May 2018, 10:34
To: "Anne P. Mitchell Esq."
CC: "Gary T. Giesen via NANOG"
Subject: Re: Whois vs GDPR, latest news


> On 23 May 2018, at 19:12, Anne P. Mitchell Esq. wrote:
>
>> On May 23, 2018, at 11:05 AM, K. Scott Helms wrote:
>>
>> Yep, if you're doing a decent job around securing data then you don't
>> have much to be worried about on that side of things.  The problem for most
>> companies is that GDPR isn't really a security law, it's a privacy law (and set
>> of regulations).  That's where it's hard because there are a limited number of
>> ways you can, from the EU's standpoint, lawfully process someone's PII.  Things
>> like opting out and blanket agreements to use all of someone's data for any
>> reason a company may want are specifically prohibited.  Even companies that
>> don't intentionally sell into the EU (or the UK) can find themselves dealing
>> with this if they have customers with employees in the EU.
>
> Or if someone who is a U.S. citizen and resident goes to the org's
> U.S.-based website and orders something (or even just provides their PII)...
> but happens to be in a plane flying over an EU country at the time.  Because
> GDPR doesn't talk about residence or citizenship, it talks only about a vague
> and ambiguous "in the Union", and I can certainly envision an argument in which
> the person in the plane claims that they were, technically, "in the Union" at
> the time.
>

Actually, the EU Commission is pretty clear about the non-E.U. person 
travelling to the E.U. and using a service not specifically targeting E.U. users:

"When the regulation does not apply
Your company is service provider based outside the EU. It provides services 
to customers outside the EU.  Its clients can use its services when they travel 
to other countries, including within the EU. Provided your company  doesn't 
specifically target its services at individuals in the EU, it is not subject to 
the rules of the GDPR.”


https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

There are many other examples on their website which leave pretty little 
doubts about when it applies and when it does not.

Regards, Michel











Re: Whois vs GDPR, latest news

2018-05-26 Thread Nick Hilliard

Seth Mattinen wrote on 26/05/2018 08:41:
Good luck getting multiple millions worth of fines out of small 
businesses that never even touch a million a year in revenue, let alone 
the added expenses of trying to do all the crap GDPR thinks everyone can 
suddenly afford out of nowhere.


You can put the straw man away - Europe isn't the US.  No Data 
Protection Authority in Europe is going to sue a mom & pop business in 
the US for millions because they haven't clarified their cookies policy. 
The upper limits of the fines are aimed at the robber barons of the world.


The DPAs in Europe are for the most part lawsuit-averse and engage with 
companies to build alignment rather than taking the punitive approach 
and liberally dishing out lawsuits and fines.  The emphasis on GDPR 
compliance is aiming at reasonable steps rather than pretending that 
every organisation is going to end up redesigning their entire existence 
around GDPR on May 25.


Nick


Re: Whois vs GDPR, latest news

2018-05-26 Thread Michel 'ic' Luczak

> On 23 May 2018, at 19:12, Anne P. Mitchell Esq.  wrote:
> 
> 
> 
>> On May 23, 2018, at 11:05 AM, K. Scott Helms  wrote:
>> 
>> Yep, if you're doing a decent job around securing data then you don't have 
>> much to be worried about on that side of things.  The problem for most 
>> companies is that GDPR isn't really a security law, it's a privacy law (and 
>> set of regulations).  That's where it's hard because there are a limited 
>> number of ways you can, from the EU's standpoint, lawfully process someone's 
>> PII.  Things like opting out and blanket agreements to use all of someone's 
>> data for any reason a company may want are specifically prohibited.  Even 
>> companies that don't intentionally sell into the EU (or the UK) can find 
>> themselves dealing with this if they have customers with employees in the 
>> EU. 
> 
> Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based 
> website and orders something (or even just provides their PII)... but happens 
> to be in a plane flying over an EU country at the time.  Because GDPR doesn't 
> talk about residence or citizenship, it talks only about a vague and 
> ambiguous "in the Union", and I can certainly envision an argument in which 
> the person in the plane claims that they were, technically, "in the Union" at 
> the time. 
> 

Actually, the EU Commission is pretty clear about the non-E.U. person 
travelling to the E.U. and using a service not specifically targeting E.U. users:

"When the regulation does not apply
Your company is service provider based outside the EU. It provides services to 
customers outside the EU.  Its clients can use its services when they travel to 
other countries, including within the EU. Provided your company doesn't 
specifically target its services at individuals in the EU, it is not subject to 
the rules of the GDPR."

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

There are many other examples on their website which leave pretty little doubt 
about when it applies and when it does not.

Regards, Michel




Re: Whois vs GDPR, latest news

2018-05-26 Thread Seth Mattinen



On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:

Actually, GDPR specifically requires processors to include statements of 
compliance right in their contracts;  we also strongly recommend that 
controllers insist on indemnification clauses in their contracts with 
processors, because if the processor screws up and there is a breach, 
the _controller_ can also be held liable, and the financial penalties in GDPR 
are very stiff.



Good luck getting multiple millions worth of fines out of small 
businesses that never even touch a million a year in revenue, let alone 
the added expenses of trying to do all the crap GDPR thinks everyone can 
suddenly afford out of nowhere.


~Seth