GDPR

From IndieWeb


GDPR is the EU General Data Protection Regulation, which sets much tighter rules on the use of personally identifiable information and is backed by law, including fines for non-compliance. It was enacted on May 25, 2016, and organizations were given a two-year grace period to bring their processes into compliance. Organisations that are not compliant after May 25, 2018 face penalties of up to 4% of annual global turnover or €20 million.

Does it apply to my IndieWeb site?

Purely personal sites are exempt per Article 2. If, on the other hand, your website carries paid ads or advertises services or products you sell, it falls within the scope of the GDPR.

Consent

GDPR requires consent to data processing [1]. The Guidelines warn:

  • if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Data Portability

GDPR also requires data portability – that data can be moved from one service to another in a safe, standard, usable way.

Regarding which data is covered, the guidelines (PDF) say, for example:

As an example, the titles of books purchased by an individual from an online bookstore, or the songs listened to via a music streaming service are examples of personal data that are generally within the scope of data portability, because they are processed on the basis of the performance of a contract to which the data subject is a party.

This extends to “posts on social networking websites”, as noted on the official FAQ page. Your data must be provided to you “free of charge, in electronic format” [2], and you are allowed to pass that data on to another website [3]. This could make up for silos that offer no native export options.

Data Erasure

Building on the 'Right to be Forgotten' decision in the European courts, the Regulation for the first time codifies the right to have personal data erased by data processors. There are limits to this right, which must be balanced against freedom of expression, the public interest in health, scientific and historical research, and the exercise or defence of legal claims.

Extra Territoriality

Unlike the previous law (Data Protection Directive 95/46/EC), the GDPR applies to all companies processing the personal data of persons residing in the European Union, regardless of where the company is located. This is a major shift from the previous law, which only applied to businesses established in a member state of the Union. Furthermore, the previous gap in the law, where data 'processed' outside the EU escaped its reach, no longer exists, since it is now the data subject who holds the rights.

See Also