The Mud Connector

Author Topic: What, if any, effect does the GDPR have on MU*'s?  (Read 3865 times)

Darkozx

  • Sr. Member
  • Posts: 479
  • Owner of Dragonball Evolution
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #30 on: May 28, 2018, 2:11 PM »
So I think this boils down to who is going to be the snitch? Like always, I vote DBE to be reported first because I would love to be sued for 20 million euros or whatever. It would be rather funny to see them attempt to collect on a poor guy. The snitch is upon us but who is it? Are they ballsy enough to admit to being a future snitch about this? Find out next episode of Drag....
Dragonball Evolution, the longest running DBZ MUD online!
Address: evolution.wolfpaw.net
Port: 1874
Website: www.dbemud.com

Agda

  • New to TMC
  • Posts: 31
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #31 on: May 28, 2018, 2:52 PM »
Quote
It would be more than just blocking you, they could fine you if you have even one person from the EU's personal data and the fine is a minimum of 20 million EU.  This does affect people in the US because of the EU-US privacy shield agreement.  And just because you are compliant with the privacy shield laws, doesn't mean you are GDPR compliant.  It just means you have the minimum requirements to function in the EU.  The GDPR is a step beyond the privacy shield agreement.

Maximum, not minimum. And I don't think MUDs come even close to that amount of fine, if they get a fine at all...

Quote
Fines under the GDPR will likely vary significantly, with a maximum of the greater of either €20,000,000 or 4% of annual worldwide turnover, depending on the seriousness of the violation.

Zeno McDohl

  • New to TMC
  • Posts: 30
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #32 on: May 29, 2018, 4:48 PM »
Quote
It would be more than just blocking you, they could fine you if you have even one person from the EU's personal data and the fine is a minimum of 20 million EU.  This does affect people in the US because of the EU-US privacy shield agreement.  And just because you are compliant with the privacy shield laws, doesn't mean you are GDPR compliant.  It just means you have the minimum requirements to function in the EU.  The GDPR is a step beyond the privacy shield agreement.

So, because of agreements between the EU/US, it means they can come after you.  Would they, who knows.

This article really talks about it more (https://wp.nyu.edu/compliance_enforcement/2017/12/11/the-general-data-protection-regulation-a-primer-for-u-s-based-organizations-that-handle-eu-personal-data/).  There is a fair amount of legalese in it, but it lays it out pretty clearly what US organizations need to do.

Quote
Assuming the information in the link is correct, then the GDPR has nothing to do with MUs or even small-business resellers who allow you to purchase online and pay by logging into PayPal.  There's no stipulation here that IP Addresses are considered protected or identifying information in the hands of the first, second, or third party to receive that information such as by link-referral or even direct HTTP redirects.  The stipulation here is that if you transmit a person's IP Address along with their credit card number, the IP Address becomes personally identifying information.  That is if and only if you collect the IP and the credit card number yourself and store it and then give that information to a 3rd Party for "processing" of any kind.

According to this documentation, logging connect-from IPs, collecting email addresses, and even collecting credit card numbers for internal use wouldn't require any extra measures than a non-mongoloid would take to protect their own business data in the first place.  The only stipulation in this case is making an advisory statement to some overseeing authority figure in the event of a breach within a 72 hour period.

Not sure if that's true. I'd done various reading:

If only it was that easy. A reasonable reading of GDPR makes standard web server logs (which contain IP addresses) a punishable offense [if it's without consent], even if you don’t have a nexus in Europe.
https://news.ycombinator.com/item?id=16472774

Standard server logs with IP addresses must be disclosed in a privacy policy but you do not have to seek consent for them because you collect them as part of a business critical need to prevent fraud. See Recital 47, which includes the language: "The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned." https://www.privacy-regulation.eu/en/r47.htm

The user can request I delete all of the data related to them without “undue delay”. Are you ready to purge all references to certain IP addresses in your logs? Don’t forget backups.
https://news.ycombinator.com/item?id=16479995

It's [an IP address] a unique identifier. So yep, technically counts if you wanna cover yourself.

Same as VRNs, same as emails, same as mobile numbers


https://www.reddit.com/r/gdpr/comments/8bku21/firewall_logs_contain_ip_addresses_counts_as/dx7w7hc/
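The quoted question above ("Are you ready to purge all references to certain IP addresses in your logs?") and the Recital 47 point about fraud prevention pull in opposite directions: you want to keep enough of the connect log to spot brute-forcing, but be able to honour an erasure request for one address. The following is an added example, written for this page and not code from the thread, any MUD codebase, or any of the linked sites. It assumes a line-oriented connect log in the form shown in the constructed SAMPLE_LOG, and a server-side secret (KEY, a placeholder here) that is stored separately from the log and rotated per retention window. IPs are replaced at write time with a keyed HMAC token, so failed-login counting still works per source, the raw address never reaches disk or backups, and an erasure request is handled by scrubbing one token rather than grepping tapes.

```python
"""Keyed pseudonymisation of client IPs in a MUD connect log (added example).

Assumptions (not from the thread): log lines look like SAMPLE_LOG below, and
KEY is a secret kept apart from the log. Destroying or rotating KEY makes old
tokens unlinkable to any address, which is the usual answer to "what about the
backups".
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed placeholder; in a real deployment load this from outside the log.
KEY = b"rotate-me-per-retention-window"

# Candidate IPv4 dotted quads and colon-separated IPv6 strings. Every hit is
# validated with ipaddress before it is touched, so a timestamp such as
# 14:22:07 or a stray ":4000" port suffix is left exactly as it was.
_IP_CANDIDATE = re.compile(
    r"(?<![\w.:])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])"        # IPv4
    r"|(?<![\w.:])[0-9A-Fa-f:]*:[0-9A-Fa-f:]+(?![\w:])"    # IPv6-ish
)
_TOKEN = re.compile(r"ip:[0-9a-f]{16}")

# Constructed sample log; RFC 5737 / 3849 documentation addresses only.
SAMPLE_LOG = [
    "2018-05-29 14:22:07 connect from 203.0.113.7:54321",
    "2018-05-29 14:22:09 login failed user=goku from 203.0.113.7:54321",
    "2018-05-29 14:22:12 login failed user=goku from 203.0.113.7:54321",
    "2018-05-29 14:23:40 connect from [2001:db8::1]:4000",
    "2018-05-29 14:23:41 login failed user=vegeta from [2001:0db8::1]:4000",
]


def pseudonymise_ip(ip_text: str, key: bytes) -> str:
    """Stable keyed pseudonym for one address.

    The HMAC runs over the packed form, so "2001:db8::1" and "2001:0db8::1"
    give the same token. A plain hash would be reversible by enumerating the
    2^32 IPv4 space; the key is what makes the token non-reversible.
    """
    addr = ipaddress.ip_address(ip_text)
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]
    return f"ip:{tag}"


def pseudonymise_line(line: str, key: bytes) -> str:
    """Replace every real IP in a log line with its token; idempotent."""
    def _sub(m: "re.Match[str]") -> str:
        try:
            return pseudonymise_ip(m.group(0), key)
        except ValueError:
            return m.group(0)  # looked like an IP but is not one; keep it
    return _IP_CANDIDATE.sub(_sub, line)


def failed_logins_by_source(lines: Iterable[str], key: bytes) -> Dict[str, int]:
    """Abuse-detection query that needs no raw address: failed logins per token."""
    counts: Dict[str, int] = {}
    for line in lines:
        if "login failed" not in line:
            continue
        for tok in _TOKEN.findall(pseudonymise_line(line, key)):
            counts[tok] = counts.get(tok, 0) + 1
    return counts


def erase_subject(lines: Iterable[str], ip_text: str, key: bytes) -> List[str]:
    """Handle one erasure request for ip_text.

    Lines are normalised first, so the address is scrubbed whether it was
    logged raw or already as a token. Other sources stay correlatable.
    """
    token = pseudonymise_ip(ip_text, key)
    return [pseudonymise_line(line, key).replace(token, "[erased]") for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(pseudonymise_line(line, KEY))
    print(failed_logins_by_source(SAMPLE_LOG, KEY))
    for line in erase_subject(SAMPLE_LOG, "203.0.113.7", KEY):
        print(line)
```

Run the file as-is to see the tokenised log, the per-source failed-login counts, and the same log after an erasure request for 203.0.113.7. The design choice worth noting is that the timestamp regex collision is handled by validation rather than by a tighter pattern: any candidate that ipaddress rejects is returned untouched, so you do not silently corrupt the rest of the line.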

nullscan

  • TMC Member
  • Posts: 139
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #33 on: May 29, 2018, 5:40 PM »
Quote
The user can request I delete all of the data related to them without “undue delay”. Are you ready to purge all references to certain IP addresses in your logs? Don’t forget backups.
https://news.ycombinator.com/item?id=16479995

I'm just going to say this source is ridiculously untrustworthy.  If this were true, that would mean the EU's legislators were busily smoking crack rock and chugging everclear when they should have been considering reality.  In reality this would mean that every insurance company, HMO, and even Medicare itself would have to choose between violating patient data security as mandated by HIPAA regulations or violating the GDPR if US Citizens access those websites to check payment/deductible status while travelling in Europe.

Beyond that, there are companies who keep backups over hideously long periods who would literally end up paying more to pull old HDs from storage, jack them into a computer, and delete or modify logs dating back decades at any random user's whim.

On top of that, as I've said over and over again, IP Addresses don't belong to the users who have them.  They belong to the ISP that issued them.  Only that particular ISP can link any given IP Address to any given user and/or a government agency would be able to legally compel that ISP to make that link and disclose the information to them.

Finally, by this logic, someone can perform a DoS attack against any server, or make brute-force hacking attempts at will, and then demand that the proprietor of the server or site scrub references to their IP Address.  Anyone stupid enough to buy this particular interpretation would do so out of hand and then not be able to report the violation of laws that are much older and more important to the data security of everyone on the internet than GDPR is to individuals.

Zeno McDohl

  • New to TMC
  • Posts: 30
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #34 on: May 29, 2018, 6:00 PM »
Quote
The user can request I delete all of the data related to them without “undue delay”. Are you ready to purge all references to certain IP addresses in your logs? Don’t forget backups.
https://news.ycombinator.com/item?id=16479995
If this were true, that would mean the EU's legislators were busily smoking crack rock and chugging everclear when they should have been considering reality.

Welcome to the real world: people writing these kinds of laws are not IT experts. As someone who works in healthcare IT, this is abundantly clear when you read HIPAA too.

Again, I'm not a lawyer. I tried some more searching:

https://eugdprcompliant.com/personal-data/

A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data as it enters the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate going on as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information were combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.

(Your mention of HMOs etc probably are fine, as the GDPR line "processing is necessary for the purposes of the legitimate interests pursued by the controller" is likely enough that HIPAA lets them meet this legitimate interest. Meanwhile, us as MUDs, probably not so much)

nullscan

  • TMC Member
  • Posts: 139
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #35 on: May 29, 2018, 7:05 PM »
Hi, Zeno.  Go back into earlier pages of this thread and check out the OP's links to the EU AG's actual ruling regarding IP Addresses "as personal information."  I suspect you'll agree with me that the language is quite explicit and aims to make abundantly clear that this only applies if and when the IP Address in question is in the hands of a government or other entity that can legally make the ISP give up that user's information.  Whether that IP Addy is statically or dynamically allocated isn't even discussed!

Zeno McDohl

  • New to TMC
  • Posts: 30
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #36 on: May 29, 2018, 7:48 PM »
There are no links in the OP. Are you referring to https://gdpr-info.eu/art-8-gdpr/ later on in the thread? I'm not talking about child consent here under GDPR, but the overall GDPR for all individuals within the EU/EEA. That one page seems to only talk about child consent. If you are referring to a different page, can you link that page?

nullscan

  • TMC Member
  • Posts: 139
Re: What, if any, effect does the GDPR have on MU*'s?
« Reply #37 on: May 29, 2018, 9:59 PM »
First page.  OP is Original Poster, not original post.

https://www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/