We are about a month from launch (we have both been working on it part time for 6 months) but my co-founder is having second thoughts. He doesn't want to spend the time and money to bring us into GDPR compliance. I have been learning to code and I feel I could maintain our current code but not redesign it all to comply with GDPR. I am hoping some more experienced startup folks can provide some advice about what I should do
I say this as the technical co-founder of an EU based messaging startup with the vast majority of users and customers being subject to the GDPR. If your co-founder finds a little bit of legislation to be so troublesome that he wants to quit, then he's going to be worthless when things actually get difficult. Even if the worst case is true, in legal terms, and you decide that you're forced to redesign the system to make the right to be forgotten work (and while I'm not a lawyer I really doubt that that is a sane explanation of the GDPR), then it's just some refactoring work. It's not fundamental to the design or business model of your app (you're a messaging app, not a "sell user data app") - it's just an efficiency thing. If your co-founder can't even deal with that, then I worry that he definitely can't deal with the emotional rollercoaster that will start when you actually launch.
That said, and IANAL, I really wouldn't sweat it. If you can run a custom query to delete user data when requested then you're all good. Use that to see how many right-to-be-forgotten requests you actually get and consider automating things only after you know that it's going to pay off.
Exactly. Unless the business model is built around collecting and reselling user data, then (without any more context) it sounds like this should be a (slight) refactor, not an entire redesign.
Well, this example of deleting messages sent to other people has come up in other contexts before, it's one of the first questions people think of when asking about the RTBF. And as far as I know there's no canonical answer, like everything else it's open to interpretation.
You don't think it's "sane" but your entire argument is predicated on the assumption that GDPR is a sane law. If you agree that such an interpretation would be insane, can you show that it's clearly wrong? And if not, would that change your opinion of the law?
a) data is still necessary (part of message chain)
b) consent wasn't necessary, the message was required for the messaging component of the service
c) again, necessary processing is excluded
d) it wasn't unlawful
e) I'm assuming you're not in one of the member states and this doesn't apply
f) it's not related to child consent
If anyone disagrees here, I'd be really interested to know why.
(Sethammons is right though that the headers / metadata would be likely covered)
The messages themselves constitute personal data, as defined in art.4(1). Data doesn't need to be tagged with someone's name, address and social security number to be personal data - if you could even hypothetically identify someone based on that data, then it's personal data. Even if the users of this service never divulge any personal information about themselves in the content of their messages under any circumstances, they could still be identified by stylometry.
There's a reasonable argument that retention of old messages is a necessary feature of the product, but I'd be strongly inclined to delete everything from the servers as soon as it's delivered. Old messages stored on the user's devices aren't your problem as long as your involvement in the processing of those messages was lawful. I'd also be strongly inclined to implement end-to-end encryption unless there's an overwhelming reason not to, because it adds a valuable layer of protection for both you and your users.
https://gdpr-info.eu/art-5-gdpr/
https://gdpr-info.eu/art-4-gdpr/
As a lean startup, I wouldn't pay my own lawyer to figure out what hundreds of well paid lawyers have already decided.
You could write to tech support for these companies and ask exactly how their GDPR compliance works. I'm sure they'll be happy if not legally obligated to tell you.
Facebook can afford to play fast-and-loose with the rules. They have an army of lawyers waiting to contest any ruling from a supervisory authority. They have an army of developers ready to redesign their product if they're ordered to do so. They have an army of DBAs and CSRs to manage deletion requests and subject access requests.
If you're running a startup that collects and processes lots of personal data and your resources are rather more limited than Facebook's, it's sensible to interpret the GDPR cautiously. The more data you collect and store, the greater your potential liabilities. We're habituated to hoarding personal data, because the cost of storage is effectively nil and it might be useful at some point in the future. GDPR makes Schneier's argument that "data is a toxic asset" into a business reality.
https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...
Replies are not deleted because those belong to the senders, not you.
As for Facebook, it is true that deleting your account does not delete your messages. That's something they have been criticised for. However, I believe deleting your messages does result in recipients being unable to access them (except from cache, of course).
What I have learnt about GDPR so far is that, as long as you can argue the data is necessary and you get consent, you are probably good to go. For the kind of service you are providing, the messages are still necessary.
I wouldn't rely on the fact that messages are or are not personally identifiable information. This is in my opinion just too risky and unnecessary.
Again I'm not a lawyer and not a GDPR expert but you should talk to both. It's likely that your company needs a data security officer anyway and they should be the GDPR expert for you to consult in these matters.
But you don't need the rule of law. Myanmar locked some Reuters reporters up with no convincing legal basis; and yet I can visit the country with no special fear that I'll get locked up, because I know more or less what their government likes and dislikes, and I know that I'll stay well away from the line. You can do that too. The EU obviously won't come after you for the email deletion issue, just as Myanmar obviously won't lock up a visiting businessman who sticks to business--there are too many easier targets.
Your lawyers can't help you, because this isn't law. They'll just say "it depends", because that's all the text of the law allows them to say. (Although, I do enjoy watching people who seem to be general proponents of the GDPR confidently take contradictory positions here.) I seem to be the only one who thinks this degradation of the rule of law--from the EU, a region that basically invented the concept--is bad; but even I agree that it's no major obstacle to doing business.
There are some areas more settled than others, but this is a continuum, not a crisp boundary.
But again, you don't need law to do business. I can visit countries where people face the literal human death penalty with negligible due process, and still feel quite confident that I'll be fine. By the standards of worldwide lawlessness, the GDPR is great; but that's a pretty pathetic standard.
The theory is that laws should be written by politicians and merely applied to specific cases by judges, because politicians are accountable and judges are not.
When you have laws that state virtually nothing and rely entirely on interpretation, that's the same thing as moving power away from elected political bodies and into unaccountable elites. This is, not coincidentally, exactly what the entire EU project seems to be constantly engaged in, so it's perhaps no surprise that the EU particularly enjoys passing vague laws that move power away from national politicians and towards the Commission and ECJ (the ECJ judges are appointed by the same process that decides the makeup of the Commission).
In the US, at least, that's true in the rhetoric of one of the parties, but the opposing party doesn't argue the opposite side, just argues that the side that claims it is an issue is hypocritical in its rhetorical stance.
Denying a request is not a simple yes/no. You can delete some data but not others, or delete data under certain conditions but not others. The principle of Data Minimization still applies to your overriding legitimate interest: only retain the data that is strictly necessary for that specific interest, which is likely less than the original data necessary.
Probably the trickiest issue is going to be "what if the user sent a message that contains PII?"
I think even asking questions like this is missing the point by now. See the discussion above. The GDPR doesn't say if backups are OK or for how long. They might be or might not be depending on whether a random EU official believes your justification is "legitimate".
In other words, stay in the Commission's good books and you'll be fine. Take a position the Commission doesn't like and suddenly your backups might not be so legitimate after all.
Of course, you might have an Overriding Legitimate Interest for that, too. For example, you might be required by law to retain some customer data. And therefore you might be in a position to refuse to erase certain archived data.
But otherwise, there certainly could be situations where you would be required to erase archived data.
That said, you need actual legal advice here. It doesn't sound to me like your current design can be compliant, but you need expert counsel to decide. Then, if the answer is no, are you prepared to change your design?
Also, you have "been learning to code"? No, you need to bring on an experienced person if you want to deal with personal data. Sorry, that's table stakes in 2018.
I know the expression "This is why we can't have nice things" is trite and cliche, but every "good" thing I've seen online for over 40 years attracts parasites (depending on your definition of parasite). (Some of them are quite clever, ... so it makes me wonder why they don't point their genius at more positive activities...)
The regulatory agencies are an open question...
I doubt private firms actually will engage in that sort of trolling though, at least not at any volume. NGOs and activists on the other hand, I fully expect that. They're always looking for ways to punish firms who they dislike. Normally that's restricted to boycotts, in recent times they've experimented with attacking advertisers for companies that rely on advertising ... GDPR requests will likely become a new battleground.
If they're on your servers, it should not be necessary to keep multiple copies of the same message. You could make it so that if the sender deletes a message, it is removed from the database and becomes inaccessible to recipients.
If the messages are stored on users' own devices and not on your own servers, then that is a different situation and is more like email.
If a particular message has three recipients, then it will have three entries in this table. The 'deleted' column is a boolean that is initially false. But when a recipient deletes their copy, 'deleted' becomes true and the message will be hidden in the UI for that recipient only.
If it's the sender who is deleting the message, then just delete it in the Messages table, and no one else will be able to view it.
No. There is no "right to retention" in the GDPR. Users have the right to access any data you hold that relates to them (with some exceptions), but you are under no obligation to retain data. GDPR requires you to do the exact opposite - delete (or thoroughly anonymise) data as soon as possible.
Art.5(1)(e) says "Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". If you're aiming for maximum GDPR compliance, it would be sensible to delete the messages from your server as soon as they have been delivered to the recipients. You're a messaging service, not an archival service; storing the messaging data or metadata indefinitely is contrary to the principles of the GDPR and exposes you to liability if that data is ever leaked.
I'd also question why you need plaintext access to user messages in the first place. End-to-end encryption protects you and your users. If you can't access the data, you can't inadvertently breach the GDPR.
https://gdpr-info.eu/art-5-gdpr/
Depending on whether it's targeting businesses or consumers, expectations and needs are different.
As for the GDPR: The GDPR applies to "personal data". A user's email is certainly personal data. But if someone says a person's name in an email, that is also personal data.
Your problem is you have to either cover everything under consent or use legitimate interests and weigh -- ie conduct a balancing test as (very hand-wavingly) specified by the GDPR -- the balance between a data subject requesting a deletion's right to privacy and the legitimate interests of the other message recipients in retaining messages. A privacy lawyer can help walk you through doing this. Your other alternative is, if you have a lead regulator, directly reaching out to them and asking for guidance. If you haven't, or can't, establish a lead regulator you may try the ICO. They've staffed up in an effort to be the one stop shop of choice, though the UK decided to leave the EU so who the hell knows what's going to happen. Alternatives include ie / DPC.
In particular, A17 specifies:
NB: A6.1.a is consent.
> (1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
> a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
> b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
So your path seems somewhat straightforward: remove the link from the deletion requester to the message, and make sure your statement of purpose in the consent says that you will delete iff all recipients request deletion. This does mean you need to carefully write your GDPR consent forms for your service, but see lawyer bit above.
Obviously, run this through your lawyer as I am not one.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Even if they're completely stripped of metadata, instant messages are highly likely to contain information that could indirectly identify the sender or recipient.
The complicated part is your intent to preserve it for the other participants in the thread. I think it's ok to allow a message author to cause their messages to be deleted from all other users as well (maybe leave a <deleted> bubble in its place). If an entire thread or account is deleted, you can just remove the association to the user and preserve the message itself.
It's a bit messy the more you want to preserve despite a user's wish to GDPR-bomb their data, but I don't think untenable.
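As an added example (not code from the original poster's app or from any commenter), the following puts two of the ideas in this thread into one runnable Python/SQLite sketch: the Messages table with a per-recipient 'deleted' flag and sender hard-delete described earlier, and the "remove the link from the deletion requester to the message, keep the message for the other participants" approach from the replies above. The table and column names, the 'deleted user' placeholder, and the rule that a message is hard-deleted only once the sender is unlinked and no linked recipient still holds it are assumptions made for the illustration, not anything the GDPR or the thread prescribes.

```python
"""Added example: a minimal message store with per-recipient soft delete,
sender hard delete, and account erasure that unlinks the requester and then
hard-deletes any message no linked party can still read.
Table and column names are assumptions for illustration, not any real product."""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id     INTEGER PRIMARY KEY,
    handle TEXT NOT NULL
);
CREATE TABLE messages (
    id        INTEGER PRIMARY KEY,
    sender_id INTEGER REFERENCES users(id),  -- NULL once the sender's link is removed
    body      TEXT NOT NULL
);
CREATE TABLE recipients (
    message_id INTEGER NOT NULL REFERENCES messages(id) ON DELETE CASCADE,
    user_id    INTEGER REFERENCES users(id),  -- NULL once the recipient's link is removed
    deleted    INTEGER NOT NULL DEFAULT 0     -- per-recipient soft delete (hidden in the UI)
);
"""


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite needs this for ON DELETE CASCADE
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, handle):
    return conn.execute("INSERT INTO users (handle) VALUES (?)", (handle,)).lastrowid


def send(conn, sender_id, body, recipient_ids):
    mid = conn.execute("INSERT INTO messages (sender_id, body) VALUES (?, ?)",
                       (sender_id, body)).lastrowid
    conn.executemany("INSERT INTO recipients (message_id, user_id) VALUES (?, ?)",
                     [(mid, rid) for rid in recipient_ids])
    return mid


def inbox(conn, user_id):
    """Messages still visible to this recipient; an unlinked sender shows as 'deleted user'."""
    return conn.execute("""
        SELECT m.id, COALESCE(u.handle, 'deleted user'), m.body
        FROM messages m
        JOIN recipients r ON r.message_id = m.id
        LEFT JOIN users u ON u.id = m.sender_id
        WHERE r.user_id = ? AND r.deleted = 0
        ORDER BY m.id""", (user_id,)).fetchall()


def purge_unreadable(conn):
    """Hard-delete messages that no linked participant can read any more (data minimisation)."""
    return conn.execute("""
        DELETE FROM messages
        WHERE sender_id IS NULL
          AND NOT EXISTS (SELECT 1 FROM recipients r
                          WHERE r.message_id = messages.id
                            AND r.user_id IS NOT NULL AND r.deleted = 0)""").rowcount


def recipient_delete(conn, message_id, user_id):
    """Hide the message for one recipient only; everyone else keeps their copy."""
    conn.execute("UPDATE recipients SET deleted = 1 WHERE message_id = ? AND user_id = ?",
                 (message_id, user_id))
    return purge_unreadable(conn)


def sender_delete(conn, message_id, sender_id):
    """Sender recalls a message: gone for everyone. The sender_id predicate stops a
    recipient from deleting someone else's message; returns False if not the sender."""
    cur = conn.execute("DELETE FROM messages WHERE id = ? AND sender_id = ?",
                       (message_id, sender_id))
    return cur.rowcount == 1  # recipient rows go with it via ON DELETE CASCADE


def erase_account(conn, user_id):
    """Erasure request: unlink the requester from every message, drop the account row,
    then hard-delete whatever no remaining participant can read."""
    conn.execute("UPDATE messages SET sender_id = NULL WHERE sender_id = ?", (user_id,))
    conn.execute("UPDATE recipients SET user_id = NULL, deleted = 1 WHERE user_id = ?",
                 (user_id,))
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return purge_unreadable(conn)


def demo():
    """Constructed scenario (not real data); returns the observable result of each step."""
    conn = open_store()
    alice, bob, carol = (add_user(conn, h) for h in ("alice", "bob", "carol"))
    m1 = send(conn, alice, "hello both", [bob, carol])
    m2 = send(conn, bob, "reply", [alice])
    m3 = send(conn, alice, "secret", [bob])
    out = {}
    recipient_delete(conn, m1, carol)                          # only carol loses m1
    out["carol_after_delete"] = inbox(conn, carol)
    out["bob_after_carol_delete"] = inbox(conn, bob)
    out["bob_forged_delete"] = sender_delete(conn, m1, bob)    # bob is not the sender
    out["alice_deletes_m3"] = sender_delete(conn, m3, alice)   # removed for bob as well
    out["bob_after_sender_delete"] = inbox(conn, bob)
    out["purged_on_alice_erasure"] = erase_account(conn, alice)  # bob can still read m1
    out["bob_after_alice_erasure"] = inbox(conn, bob)
    out["purged_on_bob_delete"] = recipient_delete(conn, m1, bob)  # last reader of m1 gone
    out["purged_on_bob_erasure"] = erase_account(conn, bob)        # m2: alice already unlinked
    out["messages_left"] = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The point worth noticing is that an erasure request never touches another user's copy directly: it only removes the requester's link, and the body disappears from the server as a side effect once nobody linked can read it. Whether that satisfies Art. 17 in a given case is the legal question the thread is arguing about; the code only shows that the data model change is small.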
The upside here is that this investment also opens the possibility of giving your co-founder the confidence that they need to stay with the project, should the answer be that the compliance work is small / simple.
Save yourself some time and heartache - find a new co-founder
Get a good lawyer and have the CTO focus on delivering the technical solution; after all, that is his job. If the going gets tough and he gets weak knees, get him out...
Ring fence your product to region for launching so you don't get side swiped...good luck.
My question is: if your app simply passes on messages between users of the app and doesn't store these messages, how can you be held accountable for what's being held on the user's device, even if it is a different person's message? Your app has simply processed that user's data with their consent, at the time, and passed it on as they wanted.
The other issue, if the answer to the above is: 'yes', is does the GDPR expect you to be able to go into a user's phone and delete content from their phone at the request of another user? Surely that's not legal?
Like I say I'm no expert, simply asking questions.
How many requests do you actually think you'll get in a year? Some industries mandate data retention which overrides GDPR.
Is your business model going to implode if 0.01% of messages are deleted with due cause? You are only liable if you fail to complete the request in time. Plus how much longer until you have a GDPR friendly agreement which lets users know once a message is sent it is no longer personal data? If the sender gets deleted the recipient would see from 'deleted user'. This is kind of how stackoverflow.com do it.
GDPR is extra work but it's not shut up shop work.
a) By sending a message, the user is consenting to the contents of the message being delivered.
b) The user is entitled to request that you (the messaging service) deletes their details but you have a legitimate business reason for retaining the message details (ie. someone else that you are serving is using them).
That said, if your co-founder isn’t more committed than this, then let him go—just make sure you have a legal document stating that he gives up all rights.
I doubt your case is any different.
It seems that your co-founder just doesn't like GDPR and users' rights. It is a political, not a technical problem.
If someone will post something that violates US laws (for example, terrorism-related content or child porn), will you refuse to delete it too?
It's going to take all of 30 seconds until someone sues Google and asks for them to delete sent messages from someone else's inbox. Regardless of whether or not what you're doing is legal (and I think you're in the clear), you're not going to be the test case here.
And then you can complain to a regulator.
Bear in mind there are, like, 28 different data privacy regulators in the EU. So all it takes is a few people in each country to file such a request, get denied and file complaints with the regulator, and now you've got 28 official committees looking into it.
If all of them decide it's OK, no problem. If back here on Earth some of them disagree, well, there's a super-committee that's supposed to enforce a uniform treatment, so it'll get kicked up to the EU to decide.
And then what happens probably depends on who the test case is about. My guess - they'll ignore complaints until they're against the FAANG companies. And then they'll decide compliance wasn't good enough, and hand down a fine. Let's wait and see.
Sure, but that's nothing to do with GDPR and can be done today.
Tacking GDPR onto a frivolous suit doesn't add anything and also doesn't set any precedent.
The law clearly sets out how to handle GDPR complaints, and it's not via the courts.
I would abandon your project too. Messaging is the new Social Media, which is to say the market is already flooded and nobody needs another one. In addition to that matrix.org is going to kill it.
I was taught the best approach to programming is to find problems and solve them. Messaging hasn't been a problem since 2000 or earlier.