• And now, the GDPR...

    From Denis Beauregard@21:1/5 to All on Thu May 24 10:28:58 2018
    Europe has issued a new unified set of rules about privacy.

    http://europa.eu/rapid/press-release_MEMO-18-387_en.htm

    There are millions of web sites with "private" information. Some
    show for example a link to uncles, siblings or nephews. If the
    web site is in Europe, then the web site can be sued. Prepare to
    see millions of web sites disappear...


    Denis

    --
    Denis Beauregard - généalogiste émérite (FQSG)
    Les Français d'Amérique du Nord - www.francogene.com/genealogie--quebec/
    French in North America before 1722 - www.francogene.com/quebec--genealogy/
    Sur cédérom à 1785 - On CD-ROM to 1785

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ian Goddard@21:1/5 to Denis Beauregard on Tue Jun 5 11:00:50 2018
    On 24/05/18 15:28, Denis Beauregard wrote:
    > Europe has issued a new unified set of rules about privacy.

    > http://europa.eu/rapid/press-release_MEMO-18-387_en.htm

    > There are millions of web sites with "private" information. Some
    > show for example a link to uncles, siblings or nephews. If the
    > web site is in Europe, then the web site can be sued. Prepare to
    > see millions of web sites disappear...

    It's a good deal more nuanced than that.

    1. GDPR only applies to persons resident in the EU. To be resident
    there one has to be alive. My understanding is that it has /always/
    been best practice not to put details of living people onto genealogical
    sites without their permission. At the very least this is a matter of
    common courtesy.

    2. It doesn't apply to statutory information. That includes civil
    registration data.

    3. The first recourse of an EU resident is to contact the site to
    require a take-down of the data. That's not the same as suing.

    4. If the site doesn't respond it's up to the relevant local data
    regulator to take action. If they're not satisfied with the response
    they can issue fines. That's not the same as being sued either.

    5. It doesn't matter where the web-site is located, it matters where the
    data subject is resident.

    That's a brief overview of the issues raised in Denis's post. There's a
    lot of other detail such as defining Data Controllers, Data Processors
    and their roles and responsibilities.

    To quite a large extent the provisions of the regulation were present in
    the previous directive and in individual countries' legislation. The
    difference between a directive and a regulation in the EU is that the
    former has to be enacted by local legislation while the latter is
    EU-wide legislation in itself. The regulation, however, closes a number
    of loopholes (e.g. you can't make provision of a service conditional on
    the provision of excessive data or on the provider's being able to use
    data more widely than needed to provide the service) and it increases
    fines to a level that should grab the attention of the boards of even
    the largest corporations.

    Ian

  • From Denis Beauregard@21:1/5 to goddai01@hotmail.co.uk on Tue Jun 5 11:27:26 2018
    On Tue, 5 Jun 2018 11:00:50 +0100, Ian Goddard
    <goddai01@hotmail.co.uk> wrote in soc.genealogy.computing:

    > On 24/05/18 15:28, Denis Beauregard wrote:
    >> Europe has issued a new unified set of rules about privacy.

    >> http://europa.eu/rapid/press-release_MEMO-18-387_en.htm

    >> There are millions of web sites with "private" information. Some
    >> show for example a link to uncles, siblings or nephews. If the
    >> web site is in Europe, then the web site can be sued. Prepare to
    >> see millions of web sites disappear...

    > It's a good deal more nuanced than that.

    > 1. GDPR only applies to persons resident in the EU. To be resident
    > there one has to be alive. My understanding is that it has /always/
    > been best practice not to put details of living people onto genealogical
    > sites without their permission. At the very least this is a matter of
    > common courtesy.

    FamilyTreeDNA is located in Houston, TX, and changed completely
    their rules about privacy. World Families Network, which was
    apparently hosted in USA, closed because of that. So, a lot of
    people seem to worry about the GDPR even if not in EU.

    New rules at FTDNA made the administrators of projects (who are
    not employees) responsible when they put the data on other sites
    even if neither is in Europe.

    > 2. It doesn't apply to statutory information. That includes civil
    > registration data.

    > 3. The first recourse of an EU resident is to contact the site to
    > require a take-down of the data. That's not the same as suing.

    > 4. If the site doesn't respond it's up to the relevant local data
    > regulator to take action. If they're not satisfied with the response
    > they can issue fines. That's not the same as being sued either.

    > 5. It doesn't matter where the web-site is located, it matters where the
    > data subject is resident.

    Actually, it is a European law that is applied to not-European
    countries, which could be enough to be ruled as not legal, at least
    by the lawyers when the 1st complaints will happen. By the way, they
    already happened, against Facebook and Google.

    > That's a brief overview of the issues raised in Denis's post. There's a
    > lot of other detail such as defining Data Controllers, Data Processors
    > and their roles and responsibilities.

    > To quite a large extent the provisions of the regulation were present in
    > the previous directive and in individual countries' legislation. The
    > difference between a directive and a regulation in the EU is that the
    > former has to be enacted by local legislation while the latter is
    > EU-wide legislation in itself. The regulation, however, closes a number
    > of loopholes (e.g. you can't make provision of a service conditional on
    > the provision of excessive data or on the provider's being able to use
    > data more widely than needed to provide the service) and it increases
    > fines to a level that should grab the attention of the boards of even
    > the largest corporations.

    Fine can be 10% of the annual sales...


    Denis

    --
    Denis Beauregard - généalogiste émérite (FQSG)
    Les Français d'Amérique du Nord - www.francogene.com/genealogie--quebec/
    French in North America before 1722 - www.francogene.com/quebec--genealogy/
    Sur cédérom à 1785 - On CD-ROM to 1785
