GDPR is not relevant to this. It’s not about enforcing copyright on people’s work.
It’s about ensuring that companies only store and process privacy-sensitive information about people which they are given consent to store and only used for the purposes the consent was given.
There is nothing privacy related wrt the author in a public article published worldwide for everyone to read. Clearly outside the domain of GDPR.
It’s not hard people, just common sense. Just treating user-data with respect. Let’s not fool ourselves into thinking it’s harder than it actually is.
I assume they'll continue as now: take down copies on request. It's not like they didn't have to deal with content people didn't want to archive them before.
I doubt it. GDPR is the obvious next step in the war on GPC (memory specifically). archive.org exists to fix that. If they fall because some other country has no 1st, they fail. Other people have copies.
I haven't read GDPR in detail, but isn't GDPR concerned only with personal/private data? The Wayback Machine only archives public pages as far as I can tell...
Yes but the article itself is user-provided content to Medium that the author has a right to ask to be deleted (under GDPR), presumably? So perhaps it will be simply a matter of the Wayback Machine having to have a policy to delete things if requested?
No! GDPR is about personal data, which is well defined in the regulations and does not include blog posts. The right to delete data (or "be forgotten") is nothing to do with GDPR.
If the original post contained personal data, it is a different issue but if that was put out into the public domain, it is a hard problem to solve.
No, if you intentionally made that data public then it's done. GDPR doesn't, say, force you to remove political views of Theresa May from newspapers, despite that being covered by personal data, because Theresa May made those views public.
The Wayback Machine has always had a policy to delete things if requested, so there's no real change there. The most common way site owners do that is by changing robots.txt. In line with the Oakland Archive Policy [1], the Internet Archive respects robots.txt retroactively, so a site owner can get archived versions deleted just by excluding them in the robots file. Besides that, they respond to DMCA takedowns, one-off removal requests [2], etc.
Changing robots.txt does not delete content from their archives. If you remove the robots.txt file, the content becomes viewable again.
There's no scenario where they can respond to the vast scale of GDPR violations that their archive likely represents, when it comes to manually removing content. There are only three possibilities: avoid the EU as much as possible, dump the archives and start over with an entirely different approach, or shut down. Besides that, these laws are going to get a lot more strict and difficult to comply with, not less strict, over time. This is merely the beginning of aggressive regulation of the Internet. Regulation of the Internet will only move one direction from here, in the direction of increasing burden and ever greater regulation. It's hard to imagine Archive.org's archives surviving what's coming.
> There's no scenario where they can respond to the vast scale of GDPR violations that their archive likely represents, when it comes to manually removing content.
"GDPR violations". What's that, exactly? As far as I know, you only have to remove personal data upon request, not preemptively. So I don't see how they are "violations".
Will a lot of people make these requests? Possibly, but where's the evidence of that? People have been able to use copyright takedown requests (e.g. under the DMCA) forever, yet the Archive is still around.
Actually the recommended data handling says you should specifically state the purpose for needing the data, and that it should be reasonably limited to that need; i.e. if you don't need it any more you should pro-actively delete it.[0]
Read the law before posting wildly misleading comments like this.
If you explicitly make something public, you can’t later come and claim that this information is actually crucial to your privacy. If so, you yourself were the one who violated that privacy, not the company later archiving/caching/processing your public article.
GDPR is all about decency and common sense wrt. user data and privacy.
No need to spread FUD about something that simple. SV proved tech companies can’t be trusted to act ethically, so here comes the regulation. Deal.
Given the immense scale of Archive.org, there must be a truly incredible number of sites & pages with personal data & content in the pages. Millions upon millions of pages, due to the repeat archiving.
Comments with usernames. Comments with IP addresses (sometimes old comment systems would allow you to comment without registering but they'd show all or part of your IP address). Comments with personal information in the messages. Comments with email addresses. Blog posts with all sorts of personal details from the author. Personal user account pages, such as the kind you see on sites like Ask.fm or similar, with vast amounts of user information and personal details that can't be deleted. And on it goes. Archive.org is storing all of that and does not allow it to be deleted. Further, it would be nearly impossible to figure out what content is compliant and what is not within the archives. It's a giant GDPR violation system. Their only sane bet is to stay away from the EU jurisdiction wise as much as possible, or shut down.
Why would GDPR apply to the internet archive? It's a US based nonprofit. As far as I can tell they don't do anything that even remotely hints at them providing services to EU residents (like offering their site in European languages, having the €-symbol somewhere on their donations page or any of the other more subtle things mentioned in GDPR).
I think he refers to the fact that each EU country notifies one official language and only UK picked English. But I guess they have found, or will find, a way to maintain things as they are.
Who cares? Me posting my (very German) name and address on somebody else's website (blog comment, forum or whatever) doesn't magically make that person have to comply with GDPR.
According to [1] the law applies to:
1.) a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2.) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
The internet archive doesn't offer goods or services in the EU (if you want to know how that's defined you have to read the actual law I'm afraid) and they're certainly not "monitoring the behaviour of individuals in the EU".
You are missing the point. The EU makes laws that govern - and at least try to - protect its citizens. If a document on the archive is created by a European citizen, then it is under EU law. That's why every company in the world right now that deals with European citizens is working on supporting GDPR. That also applies here.
Not quite. The EU might want that but it gets into jurisdiction.
The EU cannot enforce its law on entities that are entirely US based. It can only enforce it on non-EU sites if that site has some sort of business that’s within the EU (like offices or employees).
The EU can say that some businesses are so uncompliant with GDPR that they're not able to be used by EU companies. It seems weird to choose to limit your market just because you don't want to protect user data.
Not GDPR-specific, but France.com had its web domain seized by France recently[1]. It was a private US-based business (not a squatter) that the government of France had actually cooperated with for years, until they suddenly decided it violated French trademark law and seized the domain. The domain itself had been in one person's possession since 1994.
Enforcement of national laws is very much a thing across borders, so private businesses outside the EU are right to be apprehensive about what is going to happen as GDPR enforcement ramps up.
GDPR doesn't change anything in this respect. Copyright law applies.
Why would the owner of the copyright make a complaint to the data protection authorities of the EU who might choose to do nothing when they could directly file a copyright infringement case? I suppose you could add insult to injury, but the data protection agency is likely to rule that the issue is one of copyright infringement.
There is plenty of nuance to copyright, such as public forums, public domain, fair use, etc. You have those defenses available to you. However, a person can bring a civil action against you anytime you make a copy of their protected work. The case may or may not be meritorious but already defending against a lawsuit is a penalty. Archival facilities are already exposed to this risk and they actively lobby for protecting their activities as fair use to varying degrees of success.
A person cannot bring civil action against you under the GDPR. They may make a complaint to the data protection authorities who may bring action against you if your use of the data is unlawful. Therefore, there is no way to force a person to have to even face a trial under GDPR. If your use of the data is unlawful, you certainly have no license, so you are not protected less under the GDPR than under copyright law. If your copy counts as fair use, then it will count as being lawful under Article 6.1 (e) and no action can occur under the GDPR.
It absolutely is the right to speak at any private forum that allows you to do so, AND it is the right to be heard by people who are purposefully choosing to listen.
Yes, if a private forum chooses to not let you speak, you can't force them to accept you. But if they DO choose to let you speak, then you do have that right.
Also, this IS about the government attempting to censor people.
It is the Internet Archive's freaking website, that they own!
I thought free speech was the ability to make commentary on the letter on the pole, but not to reproduce it.
It's the equivalent of it being technically illegal to take a photo of the Eiffel tower at night, because the light show is a copyrighted artistic display.
They already take down pages on request and retro-actively apply robots.txt rules so that solves "right to be forgotten" or other circumstances where PII is present and shouldn't be.
They have sufficiently defensible reason to keep and present the archived information otherwise.
Their key problem will remain copyright and publishing rights arguments not matters of personal data, at least not more so than currently.
(caveat: while I have an understanding of the regulation due to it very much having an effect on our clients and to a lesser extent on us directly, I am not a lawyer by any definition so don't take my interpretation as gospel in any way)
They can't, and I would like to know what Europe wants to do about it. Block the Wayback Machine in Europe? Well, I can still access it with a VPN if I want. Also I want to know what they will do about git and GitHub, or even blockchain projects (how do you delete something from a blockchain?)
The problem is that GDPR is a stupid legislation written by incompetent people that don't understand the subject and imposed with no possibility of choice on member states, like all the regulations from the EU (cookie banner law, for example).
And of course GDPR doesn't impact too much the companies that they aim to fight, like Facebook, Google, etc, they have teams of lawyers paid millions with the sole purpose to find ways to circumvent these regulations, they will just update the terms of services and done, the ones that will be more affected are small companies, startups, personal no project side projects, people that don't have money to spend on a lawyer for a project that doesn't make them any revenue.
I think that in Europe it's no longer possible to do anything, if you have a good and innovative idea and you want to realize it, better take a flight to the US...
The law is meant to allow me to delete my account from your cool SV startup, and delete meaning actually delete the data and not deactivate the account but continue using or selling my data.
The cookie law is a problem because lazy web developers did not implement it right, probably you complain about don't spam me law because it adds a bit of extra work for adding the unsubscribe link and implement the requirements.
The laws are done for the good of the society and not for helping a minority to implement some move fast break things, pivot and try again.
There is a big difference in law and regulation between intention and real-world effects. For instance, making marijuana illegal has the intention of decreasing drug addiction and dependence but has the effects of disproportionately incarcerating youth aka "criminals" under the new law for drug consumption, and thus limiting their opportunities in the socio-economic system.
If you look into it I think parent is most likely correct with his predictions since they are easily verifiable i.e. big corps do have massive teams and monetary funds to deal with this legislation, startups and one-man shops do not. This is completely ignoring the deontological question of what should be the case, where I think most would be in agreement.
> big corps do have massive teams and monetary funds to deal with this legislation, startups and one-man shops do not.
That applies to literally every piece of legislation. Yet we don't decide that small restaurants should be exempt from food hygiene laws, or that small construction teams should be exempt from health and safety laws.
What personal data is being exposed - the EU isn't keen on anonymous publishing in general eg in the UK anything published by a political party during elections etc must have both the printer's name and their agents - the penalties are quite severe.
We haven't seen how they're going to enforce it yet, people throwing tantrums about it doesn't help.
If it's the same as the cookie law or spam rules, they'll come in and say "we've had a complaint, you're doing this wrong, fix it". Then if you don't fix it, they'll fine you.
Not only that, but many of the regulatory enforcers responsible for this in the EU are not particularly well funded and why would they spend the limited resources they have investigating one man bands?
But the public is presented as if its purpose was to curb drug addiction. Could be the same with GDPR - great intentions, but the true reason is to entrench big corporations and introduce more barriers of entry for the small guy, which is in line with socialist agenda.
Are you from the US? In the EU we had many similar rules that were in the public favor and hit the big corporations, the one I am thinking now is the roaming phone charges, big companies lost a lot of profit from this, so you can see that these big companies do not have the power yet to change the laws for their own profits.
But I see a lot of anti EU sentiments here on HN, anything EU does is painted as anti american or anti startups when from inside EU we see it as for the people/society.
> from inside EU we see it as for the people/society
No we don't. Some of us do and some of us do not. You are self-admittedly in the former group, I am not.
Also, just because something cost big companies money on one front does not mean it doesn't increase the monopolistic power of said companies and even increase revenues on another. Let me use your own example as a hypothesis we will be able to observationally falsify or not in the coming years. By eliminating roaming charges many smaller companies in the space will have to compensate for the loss of funds and will therefore either have to reduce their current plans, drop service offerings outside of the current country, or eventually collapse entirely. Regardless of the outcome, the total market competition has decreased and ultimately the mega corporations stand to win through decreased overall competition in the space. Additionally, due to lack of monetary incentives, I would expect the rate of innovation in large-scale roaming technology and infrastructure to decrease compared to countries which do not have such legislation.
Socio-economical systems are complex and nonlinear in nature, unfortunately, we i.e. humans have not evolved to think well about nonlinearities neither have we built ourselves sufficient tooling to augment our prediction capabilities for such systems. IMHO, this is the well-spring for the difference between intentions and outcomes in regulatory policy.
I think we should not be afraid of making laws and rules because we are afraid of unintended consequences, if we have such side effects we can update the law.
Your point is that we should not have made the security belt mandatory in cars because there could be a side effect somewhere like a person won't be able to evacuate in time, the idea is to calculate the benefits and the drawbacks and if benefits are much larger then we make the law and update it later.
I am sorry if a small telecom company can't adapt and compete without the roaming charges but we should not pay billions to the big companies so this small company also survives, we can make laws to help small companies like preventing abuses from big companies.
We need this law, there are enough terms in it and range on how it will be applied so the little guys won't have much trouble if their intentions are to comply.
I know that laws get abused but do you see the OP asking to remove laws that are in his favor like copyright law or patents law?
And the effect is quite the opposite as consumption of drug and addiction is much more prevalent than in the places where it is legal. So regulation could have good intentions - and a lot of people believe in the intentions - but the effects are the opposite.
> because lazy web developers did not implement it right
No, because the legislators fundamentally misunderstood cookies. Almost any website needs to have some basic tracking of users for fraud detection, bot detection, and yes, basic analytics.
Instead of writing out a thoughtful approach, we get a mandatory nag screen right up there with "This product is known to cause cancer in the state of California" on anything sold ever. Users ignore them because the information isn't useful - infinite noise, no signal.
This is the opposite of the CAN SPAM law which did have thoughtful requirements - allowing exceptions for account related emails, requiring one-click unsubscribe but also giving systems a period to obey that to handle mail already in transit.
GDPR has so far been grossly in the cookie nag screen category, except instead of a tiny bar on visiting a page I get a multi-select based dialog of doom. The answer most companies are going to take is simply not market services to folks in the EU, and those that do will implement annoying nag screens.
More rules blindly applied rarely solve problems.
For the love of god, please stop spreading these misinformed views.
1. Nobody in Europe will be blocking anything.
2. The Wayback machine will continue to operate.
3. GDPR is generally pretty well-written legislation, based on extensive experience by privacy regulators across Europe.
There are some questions about exactly how the rules will evolve in practice. The thing to bear in mind is that privacy regulators are interested in compliance, not in punishment.
I don't disagree (nor agree), but trusting Europe to not block anything is wrong. There are EU countries that are right now blocking something. Porn in UK, foreign gambling sites in Czech Republic and of course Telegram in Russia.
Edit: I of course know that Russia is not in the EU, lol. Parent said "Europe" and I added Telegram as a fun remark after two serious examples (and there are more). Calm down with the downvotes.
Certain types of porn are illegal in the UK (for example depicting female squirting or face sitting). In April they were supposed to introduce age check to all porn websites willing to operate in the UK, which essentially means every website that has porn (for example Reddit) should be behind the paywall, as age check is supposed to be done via credit card transaction. Now this has been delayed, but I don't think they are backing out on that. Furthermore this is going to be a huge problem, because:
1) Payment processors are frowning upon the idea of servicing porn websites. That means it is going to be very expensive to implement unless government figures out a different way.
2) Companies will have to store more personal data about their viewers and users will be forced to give up that data.
3) That poses a huge risk in case of a data breach as someone's sexual preferences are sensitive data forced to be collected.
There's a new one coming into effect that will force websites to verify people's age using their ID (possibly by an external provider). Or I guess be blocked? Still a fucking stupid idea.
If your site only uses cookies for operational reasons, such as enabling login or maintaining a basket, you don't need to inform the user.
So anytime you see a cookie-banner that indicates that the site is doing something additional with cookies. Like tracking for ad-networks. It's a yellow-flag.
Except every single website just has a banner anyways because it's easier to cover your back than get legal involved every time you tweak something. So it has no meaning at all, in any way, except it's very confusing to some users.
The average computer user has difficulty searching their email or scheduling a meeting. You expect them to complete a nag screen about how their personal information is going to be used, with sliders for opt-in versus opt-out, every time they visit a new website?
Like the cookie nag, users are going to blindly click through until the confusing nag screen goes away and then be upset that it wasted their time.
Like many aspects of culture, we may have to rely on pirate outfits to archive and preserve things, until the original parties are no longer interested in fighting about it either way, or a long enough time passes that the archived history increases in value and decreases in personal stakes.
What a large number of people fail to realise is that the GDPR applies to any person (natural or legal; a data controller and/or data processor) that holds personal data on an EU citizen or EU resident, regardless of where the data controller (or data processor) is. Obviously EU law can only be enforced in the EU but if you are a business then any funds in the EU that belong to the data controller can be frozen or used to pay court levied fines. Or if an infringing data controller travelled to the EU (or a country with an extradition treaty and similar criminal code) they could potentially be held if a court decides that the behaviour was criminal in nature (some EU jurisdictions are more strict than others).
The only way to completely avoid the GDPR is to not hold personal data of EU citizens or EU residents.
I was talking about in the context of the medium post / businesses which is what I was replying to. I don't think I have seen anyone complaining about household activities. A red herring.
Nitpick, but as far as I understand it, it's only EU residents (regardless of their citizenship). The specific text says "data subjects who are in the Union", and citizen never appears in it.
(This is for foreign businesses. EU businesses have to apply it to everyone, regardless of their location or citizenship.)
This means this should be applied to everyone because how do you check that someone is an EU resident? Should websites display a page requesting visitors to upload their residency certificate to be compliant?
I guess they could vest it in some corporation that has no feet down within the EU. Aside from actually cordoning off a section of the Internet there's not much they could do otherwise.
Though now that I think of it, perhaps blocking [the archive.org crawler] could then become mandatory for GDPR compliance ...
This seems to have annoyed a few people. I didn’t mean this as an actual practical strategy, or facetiously, was more meant as a commentary on modern global corporatisation, and a thought experiment on the limits to which the EU can enforce itself online.