On Wed, 21 Nov 2018, Rupert Gallagher wrote:

On Wed, Nov 21, 2018 at 03:41, John Hardin <jhar...@impsec.org> wrote:

On Tue, 20 Nov 2018, Rupert Gallagher wrote:

The email address is an address, part of your personally identifiable
data.

I'm not disputing that. I write software that deals with PII in my day job.

If an identifiable entity in the US sends mass mail to European
addresses, then they must have a representative in Europe and comply
with the GDPR.

(1) how do you *force* someone in the US to have a representative in
Europe?

You file a complaint with your national ombudsman. In your case, stress the fact that they are processing political data in addition to common data. Do not expect immediate termination of spam. The ombudsman will proceed to verify the facts, identify the parties involved, check compliance claims, and enforce the EU-US bilateral agreement.

see the discussion of the bilateral agreement below.

In the end, the spammers

Point of order: we're not talking about spammers per se, we're talking about a legitimate US-only organization (NOT necessarily a business) that is sending email to an EU correspondent, possibly at that person's automatically-processed request (e.g. by subscribing to a mailing list).

will most likely refuse to appoint an EU representative,

Why would the organization do so, if their only interest is in the US?

and the EU will shut down their website.

If the organization has no presence in the EU, and the website is not hosted in the EU, *how*? The EU is *not* the World Government and Ultimate Internet Regulatory Authority.

(2) if they do no business in the EU, and do not have any presence in the
EU (sending email to addresses in the EU is not "having a presence in the
EU"), how are they subject to fines for violating the law in the EU?

If, for example, I - a private, non-commercial entity - hosted a mailing
list on my private server (which I have done in the past), and someone in
the EU subscribed and posted to that list and their email address was
captured in the list archives, and they later unsubscribed and asked for
their email address to be removed from the list archives, and I (for
whatever reason) did not do so, *how* would an EU court levy fines against
me?

The US is not a signatory to the GDPR as far as I am aware, and I have
*no* legal presence outside the US.

The US signed a bilateral agreement with the EU:
https://www.privacyshield.gov/

By my quick reading:

(1) that only applies to businesses and (apparently) common carriers - I don't see any suggestion that something like a domestic political advocacy group would be affected (I'm presuming that since such is not a commercial entity or common carrier they are not subject to the jurisdiction of the FTC or DOT), and certainly not a private citizen acting on their own behalf (like in my mailing list hypothetical above).

(2) it is a *voluntary* framework for assuring your customers you abide by requirements aligned with the GDPR, with certification by a third party that you do so.

(3) it only provides for punishment of companies that have *voluntarily* enrolled and don't actually implement the required controls, which is punished as "deceptive advertising" (i.e. claiming to protect your privacy but not actually doing so); there are fines, but apparently there is no provision for the *huge* fines that GDPR threatens, and I see no provision for "shutting down a website" (though that may be dragged in via other FTC regulations related to deceptive advertising). If a company persistently violates the terms of their enrollment they will be removed from the program.

So: that does not appear to apply at all to me as a private citizen running a mailing list, and *probably* does not apply to purely-US non-business entities (e.g. a political advocacy organization) that have not applied for membership in the program so that they can publicly claim to be protecting your privacy under a framework similar to the GDPR.




On Tue, Nov 20, 2018 at 17:03, John Hardin <jhar...@impsec.org> wrote:

On Tue, 20 Nov 2018, Rupert Gallagher wrote:

Yes, if you are European, and might get some money as compensation.

From a US political advocacy group which has no commercial presence in EU?
How does GDPR apply in that situation?

On Mon, Nov 19, 2018 at 04:19, Joe Acquisto-j4 <j...@j4computers.com> wrote:

Gents,

I somehow became subscribed to a list, political in nature, in whose mail I 
have no interest. This is, AFAIK, a legitimate US organization.

Thus far, several uses of their unsubscribe link have not provided relief. 
Direct email to the founder and operations manager seems to have been ignored as 
well.

While I can just dump their mail, it offends my finely honed sense of 
propriety, justice and my all around good nature. Besides, it hoses me off.

So, is there some "authority" to which I can report these a**holes, that might 
have an effect?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Vista: because the audio experience is *far* more important than
  network throughput.
-----------------------------------------------------------------------
 601 days since the first commercial re-flight of an orbital booster (SpaceX)
