Re: Whois vs GDPR, latest news

2018-05-27 Thread Stephen Satchell
This is really off-topic for NANOG.  Is there a better place where this
discussion can be found?


Re: Whois vs GDPR, latest news

2018-05-27 Thread John Levine
In article <230722.1527374...@turing-police.cc.vt.edu> you write:
>Now here's the big question - a *lot* of companies are targeting "anybody with
>a freemail account like GMail and a valid Visa or Mastercard card" or similar
>business models - does that count as "specifically targeting at EU", or not?

This is an excellent question, because anyone who purports to give you
an answer has self-identified as a fool.

The closest thing to an answer is that nobody knows, maybe after some
rulings from various national authorities we'll have an idea, except
that they'll probably be inconsistent and contradictory.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-27 Thread niels=nanog

* l...@satchell.net (Stephen Satchell) [Sun 27 May 2018, 23:17 CEST]:
> On 05/27/2018 12:54 PM, niels=na...@bakker.net wrote:
>> You have this the wrong way around.  You'll need permission to 
>> store their IP address in logs that you keep and to inform third 
>> parties about their visits to your site.  And that is because that 
>> information belongs to the visitor, not to you.
>
> This is going to run afoul of some data retention laws currently on 
> the books in some places.  You *have* to keep logs, WITH IP 
> addresses...

Owen doesn't.


-- Niels.


Re: Whois vs GDPR, latest news

2018-05-27 Thread Stephen Satchell
On 05/27/2018 12:54 PM, niels=na...@bakker.net wrote:
> You have this the wrong way around.  You'll need permission to store
> their IP address in logs that you keep and to inform third parties about
> their visits to your site.  And that is because that information belongs
> to the visitor, not to you.

This is going to run afoul of some data retention laws currently on the
books in some places.  You *have* to keep logs, WITH IP addresses...


Re: Whois vs GDPR, latest news

2018-05-27 Thread Sander Steffann
Hi,

>> The way GDPR is written, if you want to collect (and store) so much as
>> the IP address of the potential customer who visited your website, you
>> need their informed consent and you can’t require that they consent as
>> a condition of providing service.
> 
> What we were told is that since security > GDPR, storing IPs in logs is 
> obviously OK since it’s a legal requirement.

GDPR article 6.1c (legal obligation) and 6.1f (legitimate interests) would 
probably both qualify for logging HTTP requests.

In this context it's also not likely that the IP address is considered personal 
data at all. Personal data is defined as data related to "an identifiable 
natural person is one who can be identified, directly or indirectly, in 
particular by reference to an identifier such as a name, an identification 
number, [...]". If you have no way to determine who an IP address belongs to 
then it's not personal data to you.

This can actually be a tricky point: the ISP who provides connectivity to a 
customer obviously knows which IP address they provided, so to that ISP the IP 
address is definitely personal data. If you ask for someone's name on your 
website and you log the IP address together with the answers then you suddenly turn 
that IP address into personal data, even regarding your web server logs.

To be safe, adding something like the following to the privacy notice on the 
website would be fine for this case: "In order to comply with law enforcement 
requirements and to be able to detect and investigate abuse of our website we 
log all requests, including the IP addresses of the requester. If our systems 
detect abuse they may block access to our services from that IP address. This 
data will be stored for up to 2 weeks and will then automatically be deleted." 
Add boilerplate text for contact information etc. and that should cover article 
13.

> Storing them in a database for targeting / marketing is not.
> 
> What is a gray area so far is any use of IDS/IPS…

Sounds like legitimate interests to me :)  But it really depends on what is 
done with that information. Just protecting your servers should be fine. The 
big change with the GDPR is that you have to tell your users that you do this.

Hmmm. It might be a good idea to write some boilerplate privacy policy text for 
common components like IDP/IDS, load balancers, web server logs, DDOS 
protection etc.

Cheers,
Sander



Re: Whois vs GDPR, latest news

2018-05-27 Thread Michel 'ic' Luczak

> On 27 May 2018, at 21:41, Owen DeLong  wrote:
> 
> The way GDPR is written, if you want to collect (and store) so much as
> the IP address of the potential customer who visited your website, you
> need their informed consent and you can’t require that they consent as
> a condition of providing service.

What we were told is that since security > GDPR, storing IPs in logs is 
obviously OK since it’s a legal requirement.

Storing them in a database for targeting / marketing is not.

What is a gray area so far is any use of IDS/IPS…




Re: Whois vs GDPR, latest news

2018-05-27 Thread niels=nanog

* o...@delong.com (Owen DeLong) [Sun 27 May 2018, 21:42 CEST]:
> The way GDPR is written, if you want to collect (and store) so much 
> as the IP address of the potential customer who visited your 
> website, you need their informed consent and you can’t require that 
> they consent as a condition of providing service.

You have this the wrong way around.  You'll need permission to store 
their IP address in logs that you keep and to inform third parties 
about their visits to your site.  And that is because that 
information belongs to the visitor, not to you.

> Basically, the regulation is so poorly written that it is utterly 
> nonsensical and I wonder how business in Europe intend to function 
> when they can’t make collecting someone’s address a condition of 
> allowing them to order something online.

Basically, this example is so bad that it's not even wrong.


-- Niels.


Re: Whois vs GDPR, latest news

2018-05-27 Thread Owen DeLong


> On May 26, 2018, at 18:42 , Royce Williams  wrote:
> 
> On Sat, May 26, 2018 at 4:57 PM Dan Hollis  wrote:
> 
>> I imagine small businesses who do a small percentage of revenue to EU
>> citizens will simply decide to do zero percentage of revenue to EU
>> citizens. The risk is simply too great.
> 
> That would be a shame. I would expect the level of effort to be roughly
> commensurate with A) the size of the org, and B) the risk inherent in what
> data is being collected, processed, stored, etc. I would also expect
> compliance to at least partially derive from
> vendor/cloud/outsource/whatever partners, many of whom should be
> scaled/scaling up to minimally comply.

Here’s the problem…

The way GDPR is written, if you want to collect (and store) so much as
the IP address of the potential customer who visited your website, you
need their informed consent and you can’t require that they consent as
a condition of providing service.

Basically, the regulation is so poorly written that it is utterly nonsensical
and I wonder how business in Europe intend to function when they can’t
make collecting someone’s address a condition of allowing them to order
something online.

> I would also not be surprised if laws of similar scope start to emerge in
> other countries. If so, taking your ball and going home won't be
> sustainable. If small, vulnerable orgs panic and can't realistically engage
> the risk, they may be selecting themselves out of the market - an "I
> encourage my competitors to do this" variant.

Let’s hope that if enough businesses take their ball and go home, the EU
and other regulators will wake up and smell the hydrogen-sulfide and write
better laws.

I’m not opposed to privacy protection, but GDPR contains way too much overreach
and way too little logic or common sense.

> Naively ... to counter potential panic, it would be awesome to crowdsource
> some kind of CC-licensed GDPR toolkit for small orgs. Something like a
> boilerplate privacy policy (perhaps generated by answers to questions),
> plus some simplified checklists, could go a long way - towards both
> compliance and actual security benefit.

The first word does a pretty good job of describing the rest of that paragraph
as mentioned by others.

> In a larger sense ... can any org - regardless of size - afford to not know
> their data, understand (at least at a high level) how it could be abused,
> know who is accessing it, manage it so that it can be verifiably purged,
> and enable their customers to self-manage their portion of it??

Yes. But even if an org does all of that, there are still significant problems
with GDPR.

Owen



Re: Whois vs GDPR, latest news

2018-05-27 Thread Sander Steffann
Hi,

>> Thanks for the clarification. But whether that fine will be less than 10M is 
>> extremely vague and (I guess?) left up to the opinions or whims of a Euro 
>> bureaucrat or judge panel, or something like that... based on very vague and 
>> subjective criteria. I've searched and nobody can seem to find any more 
>> specifics or assurances. Therefore, there is NOTHING that a very small 
>> business with a very small data breach or mistake, could point to... to give 
>> them confidence that their fine will be any less than 10M Euros, other than 
>> that "up to" wording - that is in the same sentence where it also clarifies 
>> "whichever is larger".
>> 
>> All these people in this discussion who are expressing opinions that 
>> penalties in such situations won't be nearly so bad - are expressing what 
>> may very well be "wishful thinking" that isn't rooted in reality.
> 
> Still on ec.europa.eu they seem to try to reassure 
> SMEs that the penalties will be “proportionate” both to the nature of the 
> infringement and to the size of the company. It also seems to largely be 
> related to whether you infringed the regulation in good faith or not. At 
> least in France where I live the climate is pro-SMEs so I guess small 
> mistakes will be forgiven. The head of our DPA also gave an interview 
> recently saying that there will be no sanctions in the coming months and that 
> they’re available to answer questions when in doubt about what to do.

That is also what I see in the Netherlands.

> Lastly, our law firm told us that basically we have to wait until the first 
> settlements to see what will be done…

True. Considering that GDPR is an EU regulation and that in general European 
culture is a lot less litigious than in the US I don't expect massive fines 
unless the infractions are malignant + persistent + performed by a large 
corporation. Smaller companies (or people) that make mistakes will not get 
fines that would bankrupt them. That's just not the way the justice system 
works on this side of the pond :)

Cheers,
Sander



Re: Whois vs GDPR, latest news

2018-05-27 Thread Michel 'ic' Luczak

> On 26 May 2018, at 21:04, Rob McEwen  wrote:
> 
> Thanks for the clarification. But whether that fine will be less than 10M is 
> extremely vague and (I guess?) left up to the opinions or whims of a Euro 
> bureaucrat or judge panel, or something like that... based on very vague and 
> subjective criteria. I've searched and nobody can seem to find any more 
> specifics or assurances. Therefore, there is NOTHING that a very small 
> business with a very small data breach or mistake, could point to... to give 
> them confidence that their fine will be any less than 10M Euros, other than 
> that "up to" wording - that is in the same sentence where it also clarifies 
> "whichever is larger".
> 
> All these people in this discussion who are expressing opinions that 
> penalties in such situations won't be nearly so bad - are expressing what may 
> very well be "wishful thinking" that isn't rooted in reality.

Still on ec.europa.eu they seem to try to reassure SMEs 
that the penalties will be “proportionate” both to the nature of the 
infringement and to the size of the company. It also seems to largely be related 
to whether you infringed the regulation in good faith or not. At least in 
France where I live the climate is pro-SMEs so I guess small mistakes will be 
forgiven. The head of our DPA also gave an interview recently saying that there 
will be no sanctions in the coming months and that they’re available to answer 
questions when in doubt about what to do.

Lastly, our law firm told us that basically we have to wait until the first 
settlements to see what will be done…

Regards, Michel



Re: Whois vs GDPR, latest news

2018-05-27 Thread JORDI PALET MARTINEZ via NANOG
I know that LOPD and LSSI are not the same as GDPR.

However, each country in the EU needs to modify its own LOPD in order to adapt 
it to the GDPR.

*I've done some further reading and according to the 1st and 2nd paragraphs of 
GDPR Art. 83 each DPA will establish the fines, which should respect what is 
said in 4, 5 and 6 (including the maximum fines, so clearly 10 and 20 MEuros or 
2% and 4% of the previous year's turnover).

So after that, I found out what is going on, and in the case of Spain, the Council 
of Ministers approved the law on 24th Nov. 2017 
(http://www.congreso.es/docu/docum/ddocum/dosieres/sleg/legislatura_12/spl_13/pdfs/1.pdf)
and it was expected to be sanctioned by the Parliament last week, after some 
discussion and some changes. However, it seems to be delayed as the parliament 
asked for some amendments.

In this document, again, it is indicated that the DPA will follow what is being 
said in GDPR (see * above) and doesn't mention the amount of each fine, because 
"Each supervisory authority shall ensure that the imposition of administrative 
fines pursuant to this Article in respect of infringements of this Regulation 
referred to in paragraphs 4, 5 and 6 shall in each individual case be 
effective, proportionate and dissuasive." See also the text in p. 2 of the GDPR.

This allows the DPAs to take into consideration *each* individual case, or 
even to change the fines in the future.

However, the Spanish law talks about some specific fine amounts in article 
78, referring to the prescription of infringements depending on the fine 
amount. For example, for fines up to 40.000 Euros, 300.000 euros and over 
300.000 euros.

What does that mean? Each DPA has to modify the "actual" LOPD and associated 
tables of fines, and the GDPR only establishes the maximum amounts.

Other countries already have done that:
Italy: LEGGE 20 novembre 2017, n. 167
Germany: Bundesdatenschutzgesetz
France: looks like a similar situation as Spain

So, for the countries that have not yet finalized the approval of the "new 
LOPD", the fines are still the same as the ones defined in the "actual LOPD". 
So, I think I was right in my assertion, and the minimum fines in Spain will 
for sure be lower than 40.000 euros, and my guess is that they will start as today 
with 600 or so ... in the end it will depend on the "individual decision" 
(based on a categorization table, which the Spanish DPA for sure has already 
prepared, but will not make public until the new LOPD is approved by the 
parliament).

Of course I'm not saying that you should ignore the GDPR because the fines are 
low. I think everybody really needs to adapt their data protection procedures to 
it.

Regards,
Jordi

PS: An informal document that I've found says that the new fines are in the 
ranges of 900-40.000, 40.001-300.000 and 300.000-600.000.



-----Original Message-----
From: NANOG  on behalf of Rob McEwen 

Date: Sunday, 27 May 2018, 0:16
To: 
Subject: Re: Whois vs GDPR, latest news

On 5/26/2018 3:36 PM, JORDI PALET MARTINEZ via NANOG wrote:
> Talking from the experience because the previous laws in Spain, LOPD and 
> LSSI

Jordi,

LOPD/LSSI does not = GDPR

But even if there was a probability that GDPR would operate like they do: 
(1) it is alarming that the fines mentioned in GDPR are 10-20X higher than even 
LOPD/LSSI's higher fines -AND- regarding LOPD/LSSI's relatively low minimum 
fine of 600 EUROs that you mentioned - it was explicitly mentioned on the page 
you referenced - HOWEVER there are NOT any similar official (relatively) 
low-cost fines mentioned for GDPR anywhere; there is only that 
NOT-reassuring "up to" phrase.

For someone hit with a GDPR fine, I don't think telling them, "JORDI PALET 
MARTINEZ claimed that the fine will be more reasonable for a smaller business 
that had a less egregious offense" - is going to necessarily make it so.

Believe me, I WANT you to be my GDPR fairy. I really really do. But I have 
to operate my business more realistically.

-- 
Rob McEwen
https://www.invaluement.com
