Tag Archives: gdpr

US Press Admits Incompetence

Today is the day that enforcement of the GDPR, the new European data protection regulation, starts. A novel part of the GDPR is that the rights of the individual described by the data follow the data. So if a US company collects my data, they are subject to the GDPR.

Compliance with the GDPR is pretty common sense, and not all that far from the data protection regulations that went before. You need to know which data you collect, have a proper reason why you collect it, have determined how long you keep data, and have protections in place to mitigate the risks of data exposure. On top of that you need to be able to demonstrate those points, and people described by your data have rights (to see what you know about them, to correct things or have data deleted, to export their data).

Compliance can be complicated if you don’t have your house fully in order, and need to do a lot of corrective steps to figure out what data you have, why you have it, whether it should be deleted and whether your protection measures are adequate enough.

That is why when the law entered into force on May 4th 2016, 2 years ago, a transition period was created in which no enforcement would take place. Those 2 years gave companies ample time to reach compliance, if they weren’t already.

The GDPR sets a de facto global norm and standard, as EU citizens’ data always falls under the GDPR, regardless of where the data is located. US companies therefore need to comply as well when they have data about European people.

Today at the start of GDPR enforcement it turns out many US press outlets have not put the transition period to good use, although they have reported on the GDPR. They now block European IP addresses, while they ‘look at options’ to be available again to EU audiences.

From the east coast

to the west coast

In both cases the problem likely is how to deal with the 15 or so trackers those sites have that collect visitor data.

The LA Times, for instance, has previously reported on the GDPR, so they knew it existed.

A few days ago they asked their readers “Is your company ready?”, and last month they asked if the GDPR will help US citizens with their own privacy.

The LA Times own answers to that at the moment are “No” and “Not if you’re reading our newspaper”.

Suggested Reading: Barcelona, LETS, Freedom of Speech and more

Some links I thought worth reading the past few days

This Blog Is Now GDPR Compliant

At least I think it is… Personal blogs don’t need to comply with the new European personal data protection regulations (already in force but enforceable from next week, May 25th), says Article 2.2.c. However my blog does have a link with my professional activities, as I blog here about professional interests. One of those interests is data protection (the more you’re active in transparency and open data, the more you also start caring about data protection).

In the past few weeks Frank Meeuwsen has been writing about how to get his blog GDPR compliant (GDPR and the IndieWeb 1, 2 and 3, all in Dutch), and Peter Rukavina has been following suit. Like yours, my e-mail inbox is overflowing with GDPR related messages and requests from all the various web services and mailing lists I’m using. I had been thinking about adding a GDPR statement to this blog, but clearly needed a final nudge.

That nudge came this morning as I updated the Jetpack plugin of my WordPress blog. WordPress is the software I use to create this website, and Jetpack is a module for it, made by the same company that makes WordPress itself, Automattic. After the update, I got a pop-up stating that in my settings a new option now exists called “Privacy Policy”, which comes with a guide and suggested texts to be GDPR compliant. I was pleasantly surprised by this step by Automattic.

So I used that to write a data protection policy for this site. It is rather trivial in the sense that this website doesn’t do much, yet it is also surprisingly complicated as there are many different potential rabbit holes to go down: it concerns not just comments or webmentions but also the server logs my web host makes, statistics tools (some of which I don’t use but cannot switch off either), third party plugins for WordPress, embedded material from data hungry platforms like YouTube, etc. I have a relatively bare bones blog (over the years I made it ever more minimalistic, stripping out things like sharing buttons most recently), and still, as I’m asking myself questions that normally only legal departments would ask themselves, there are many aspects to consider. That is of course the whole point, that we ask these types of questions more often, not just of ourselves, but of every service provider we engage with.

The resulting Data Protection Policy is now available from the menu above.

Personal Data Protection Policy

What this is

You are at https://www.zylstra.org/blog, which since 2002 has been the personal weblog of me, Ton Zijlstra, its author. Although personal weblogs aren’t subject to the GDPR (the European personal data protection regulations), I do write about my professional interests here, and one of those is data protection. So I added a data protection policy anyway. My contact info is listed in the right hand column.

What personal data my site collects and why

When you visit this site, some technical data is automatically collected, such as your IP address. This is used for anti-spam, security and a few very basic analytical purposes. When you comment on a posting, you will be asked for a name and email address. When your own website alerts my website that you link to me (Webmention), your name and website address may appear in my comment section. In some postings other websites’ content may be embedded (like a Slideshare presentation, a YouTube video, or an image on Flickr), and those websites may track some of your data themselves.

Comments and Webmentions

When visitors leave comments on the site the data shown in the comments form is collected (name and email address), and also the visitor’s IP address and browser user agent string to help spam detection. The name you use in the comment form is shown publicly on the website once your comment is approved.

The email address you provided will not be published, but will be stored with your comment, for as long as that comment is published. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your Gravatar profile picture is visible to the public in the context of your comment.

Webmentions are an automatic way in which your own website alerts my website that you link to it. Metadata in your own website’s markup explicitly makes that data available to my website. I only publish metadata that you yourself submit, such as your name, URL or the profile picture of your site, underneath my own postings. I only publish a link to your own website along the lines of “this article was mentioned on [your website]”, so no excerpt or fragment of your content will be displayed. I do not use webmention for anything other than trackbacks, and don’t collect and display social backfeeds, such as mentions and likes on Twitter, Facebook and other social media platforms that are walled gardens and do not themselves support webmention. I use the WordPress plugin Webmention for this.

Subscriptions

You have the option to subscribe by e-mail to new postings. Those subscriptions are managed by WordPress.com. The e-mail addresses are not used for anything else. I do occasionally clean up the list, removing e-mail addresses that are connected to spammers.

Contact forms

There is no contact form, so no data is collected there. My contact info is listed on the right hand side.

Cookies

If you leave a comment on my site you may opt in to saving your name, email address and website in cookies stored on your own computer. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. You can delete these cookies from your browser at any time if you want.

My blog does not set any other cookies.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if you have visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

I don’t use specialized analytical tools. However data such as your IP address, and the pages an IP has requested are stored in the server logs of my web hosting company, Your-Webhost. Their data protection policy is at https://www.your-webhost.nl/whois/terms.html. Whenever there are server problems, I may ask my hosting provider to look into their logs to see what happened. The server logs are processed on my webserver into aggregated analytical data with a tool called Awstats, that is available by default from my hosting company. I never look at it, though that may change.

By default WordPress, the tool I use to make this site, does not collect any analytics data. However, I use a plugin that does collect analytical data (such as IP addresses). Jetpack is a plugin by Automattic, the creator of WordPress, that provides me with basic analytics concerning the number of visitors, most viewed articles, country of origin based on IP address, referrers (the link you followed to come here), and external links clicked (the link you followed away from the site). It does not provide information on your specific visit, nor on the path of links you followed through the site. I am not seeking to increase the traffic to this site, so I don’t try to optimise content, and analytics is not of interest to me. Jetpack also helps me fight spam and malicious attempts to gain access to my site. Find the Jetpack Automattic privacy policy here.

Who I share your data with

I don’t share your data (the little that I may have) with others, except for the plugins that I use for spam and malicious attack protection.

How I retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. The same is true for Webmentions. This is so I can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

If you subscribe to my blog by e-mail, I retain the e-mail address you used until you unsubscribe.

Aggregated statistics in Awstats are kept for 5 years maximum, although I may delete them earlier to free up space on my hosting account.

What rights you have over your data

If you have an account on this site (you don’t, only I do), or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to me. You can also request that I correct or erase any personal data I hold about you. This does not include erasure of any data I may be obliged to keep for administrative, legal, security or other legitimate purposes. You can also at any time request the removal of one or all webmentions originating from your website.

Where I send your data

Visitor comments and visitors’ IP addresses are checked through an automated spam and attack detection service. I use Jetpack, Wordfence and Akismet for this.

My contact information

You can contact me using the information on the right hand side. You can use encrypted email to do so.

How I protect your data

All interaction with this website is encrypted traffic, by using https. My webserver, on which all data for this blog is stored, is protected by my web hosting company Your-Webhost. I cannot circumvent or alter their protective measures, nor would I do so without breaching their terms of service. My own access to this website, the back-end at my hosting company, and the front-end WordPress, is protected with strong passwords and non-standard usernames. I use three plugins, Jetpack, Akismet and Wordfence, to shield against spam and attacks.

What data breach procedures I have in place

If you think data on this site may have been breached, please contact me. I will look into it together with my web hosting provider, and report back to you.
If I get notified about a breach by my web host, I will inform those that have commented, and will post an announcement in my blog itself.
If I suspect there may have been a breach, I will notify my web hosting provider and work with them to prevent future breaches, inform those who have commented on my site and post an announcement in my blog itself.

What automated decision making and/or profiling I do with user data

If you submit a comment to this site, or if you try to gain access to this website’s controls, you may be automatically classified as a spammer or a malicious attacker and automatically blocked or blacklisted. If you submit a comment for the first time, or a comment that contains weblinks, it will be automatically held for moderation, and will not be published until I have looked at it. If you have previously had comments approved and published on my blog, you will be automatically permitted to comment again using the same credentials.

Suggested Reading: DNA, Reboot, Decentralisation and more

Some links I thought worth reading the past few days

Ton Zijlstra

30 April, 2018

Given how company websites ask you for more info than they should, and aren’t GDPR compliant that way, filling out forms with incorrect information is acceptable civic resistance to data hungry websites. And my default tactic.

Ton Zijlstra

30 April, 2018

Funny how #datagovernance companies publishing #gdpr compliance guides aren’t compliant themselves when asking personal data for downloads: no explicit opt-ins, hidden opt-ins (such as hitting download also subscribes you to their newsletter), no specific explanations on what data will be used how, asking more personal information than necessary.

Twitter Not GDPR Compliant (nor Flickr, nor ….)

Many tech companies are rushing to arrange compliance with GDPR, Europe’s new data protection regulations. What I have seen landing in my inbox thus far is not encouraging. Like Facebook, other platforms clearly struggle with, or hope to get away with, partially or completely ignoring the concepts of informed consent, unforced consent and proving consent. One would suspect the latter, as Facebook’s removal of 1.5 billion users from EU jurisdiction is a clear step to reduce potential exposure.

Where consent by the data subject is the basis for data collection: Informed consent means consent needs to be explicitly given for each specific use of person related data, based on an explanation, clear to laymen, of the reason for collecting the data and how precisely it will be used.
Unforced means consent cannot be tied to core services of the controlling/processing company when that data isn’t necessary to perform a service. In other words “if you don’t like it, delete your account” is forced consent. Otherwise, the right to revoke one or several consents given becomes impossible to exercise.
Additionally, a company needs to be able to show that consent has been given, where consent is claimed as the basis for data collection.

Instead I got this email from Twitter earlier today:

“We encourage you to read both documents in full, and to contact us as described in our Privacy Policy if you have questions.”

and then

followed by

You can also choose to deactivate your Twitter account.

The first two bits mean consent is not informed and that it’s not even explicit consent, but merely assumed consent. The last bit means it is forced. On top of it, Twitter will not be able to show consent was given (as it is merely assumed from using their service). That’s not how this is meant to work. Non-compliant, in other words. (IANAL though)

Suggested Reading: GDPR, Fintech, China and more

Some links I think worth reading today.

GDPR as De Facto Norm: Sonos Speakers

Just received an email from Sonos (the speaker system for streaming) about the changes they are making to their privacy statement. Like with FB in my previous posting this is triggered by the GDPR starting to be enforced from the end of May.

The mail reads in part

We’ve made these changes to comply with the high demands made by the GDPR, a law adopted in the European Union. Because we think that all owners of Sonos equipment deserve these protections, we are implementing these changes globally.

This is precisely the hoped for effect, I think. Setting high standards in a key market will lift those standards globally. It is usually more efficient to work internally according to one standard than to maintain two or more in parallel. Good to see it happening, as it is a starting point for the positioning of Europe as a distinct player in global data politics, with ethics by design as the distinctive proposition. GDPR isn’t written as a source of red tape and compliance costs, but to level the playing field and enable companies to compete by building on data protection compliance (by demanding ‘data protection by design’ and following the ‘state of the art’, which are both rising thresholds). Non-compliance in turn is becoming the more costly option (if GDPR really gets enforced, that is).