GDPR, Stacks and local libraries

That Google (and others) is now compliant with the GDPR solves only one problem. The other problem is that there is personal information still transferred outside the EU. That is the main problem and we have to ensure that our websites do not send any information anywhere (especially outside the EU).

to be precise: it IS permitted to transfer personal data outside the EU. It just takes explicit consent of the visitor of the website. That’s what we need to ensure: that our sites don’t transmit IP addresses without explicit consent of the visitors to do so. Which requires the consent before any other library is being loaded from CDNs.

we have to ensure that our websites do not send any information anywhere

it’s my understanding that’s exactly what Google is doing in order to attain compliance. and, just from a broad view – it seems a little hard to believe that the EU will outlaw all CDNs entirely. many high-traffic sites rely on them and would fail utterly without them.

but it’s totally A-OK by me if you don’t believe that – or if you want to remove all CDNs just to play it safe. my goal is just to make sure stacks works for people that want to use CDNs and for people that don’t – no matter the reasons. :smiley:

3 Likes

Ok, let me just quickly elaborate the basic requirements:

  1. IP addresses are considered personal data under GDPR.
  2. GDPR requires explicit consent by the owner for the collection, use and forwarding of their personal information. Implied consent is not enough. Additionally, GDPR requires that the users are being informed about which data are being collected and for which purposes, that they have the right to withdraw their consent and to view their collected information.
  3. It seems easier to load things like jQuery, fontawesome, Google fonts locally (host them yourself) than to try to prevent a website from loading them from CDNs before the user has given consent. That is why this unfinished feature (or bug :wink:) is so important to me. Loading the stuff from my own server makes the question marks all disappear. No IP addresses being transmitted elsewhere.
  4. Every CDN that handles personal data on behalf of a website needs to do so in compliance with GDPR (this is where Google’s compliance declaration is helpful, but for nothing else). They must declare this compliance in an agreement with the owner of the website. This applies to hosting providers, CDNs, all kinds of data processing companies and so on. Most hosting companies in Germany already offer generic agreements that they automatically send you to make things easier for you.

These are probably the most important requirements GDPR brings to websites and webdesigners. But there is a lot more, when it comes to daily business data processing. My wife is a doctor, I can tell you…WEBDESIGN IS SO SIMPLE! :wink:

1 Like
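The two posts above argue that no CDN request (and so no visitor IP address) should leave the site before explicit consent. The following is an added example, not code from the thread or from Stacks, of a loader that treats self-hosted assets as always allowed and third-party (CDN) assets as allowed only after an explicit opt-in. The site origin, the asset manifest and the `cdnConsent` storage key are constructed assumptions.

```javascript
// Consent-gated asset loading: self-hosted files load unconditionally,
// cross-origin (CDN) files load only when consentGiven === true.
// SITE_ORIGIN is a constructed value standing in for the real site.
const SITE_ORIGIN = 'https://example.org';

// True when the URL resolves to a different origin than the site itself,
// i.e. requesting it would send the visitor's IP to a third party.
function isThirdParty(url, origin = SITE_ORIGIN) {
  const target = new URL(url, origin);          // relative URLs resolve to our origin
  return target.origin !== new URL(origin).origin;
}

// Filter a manifest down to what may be requested under the current consent.
// Anything other than an explicit `true` (undefined, null, false) is "no consent".
function permittedResources(resources, consentGiven, origin = SITE_ORIGIN) {
  return resources.filter(r => !isThirdParty(r.url, origin) || consentGiven === true);
}

// Constructed manifest mirroring the libraries discussed in the thread:
// a local and a CDN copy of jQuery, a Google Fonts stylesheet and a local font.
const RESOURCES = [
  { kind: 'script', url: '/rw_common/plugins/stacks/jquery.min.js' },
  { kind: 'script', url: 'https://code.jquery.com/jquery-3.3.1.min.js' },
  { kind: 'style',  url: 'https://fonts.googleapis.com/css?family=Roboto' },
  { kind: 'style',  url: '/rw_common/fonts/roboto.css' },
];

// Consent must come from an explicit, previously recorded opt-in
// (e.g. a banner wrote 'granted'); implied consent is never assumed.
function readConsent(storage) {
  return !!storage && storage.getItem('cdnConsent') === 'granted';
}

// Append <script>/<link> tags for the permitted resources and return that list.
// Outside a browser (no `document`) it only returns the list, which is what the
// decision logic needs to be checked against.
function loadPermitted(resources, consentGiven) {
  const allowed = permittedResources(resources, consentGiven);
  if (typeof document === 'undefined') return allowed;
  for (const r of allowed) {
    const el = r.kind === 'script'
      ? Object.assign(document.createElement('script'), { src: r.url, defer: true })
      : Object.assign(document.createElement('link'), { rel: 'stylesheet', href: r.url });
    document.head.appendChild(el);
  }
  return allowed;
}

if (typeof window !== 'undefined') {
  loadPermitted(RESOURCES, readConsent(window.localStorage));
}
```

In a page this would replace static `<script src="https://cdn...">` tags, which the browser fetches before any consent script can run.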

I’ve added a bug to the Stacks 3 public bug tracker. You can follow along or report any problems once the beta is released. We’re still running a few tests, but hopefully if all goes well, we’ll build a beta later this afternoon.

Update: The new beta build is available on our Slack channel: http://slack.yourhead.com

But if it’s not done by then, it’ll have to wait until tomorrow – I have tickets to a Foo Fighters show tonight and I’m really looking forward to it. :wink: :guitar::metal:

Worst case scenario, it should show up tomorrow bright and early. :smiley:

3 Likes

Thanks Isaiah!
I have installed the beta and I can now see all four tick boxes. Great. Uploaded the site and it seems to work. However in my developer tools I can see two similar error messages of resources not being able to load. I guess it is due to a typo: in the source code the folder rw_common/plugins/stacks/jquery-ui-1.11.4 is written with a capital Q (which doesn’t resolve, of course).
I suppose this should be easy to solve, right?
Thanks for the quick reaction. How was the Foo Fighters gig?

i’ll take a look into the issue.

for the future… i post betas to the slack channel to try to keep beta bug fixing details (which is only temporarily useful info and very chatty) out of the main forum (which people can view forever so encourages more thoughtful posting).

do you happen to know the name of the stack you’re using that requires jQuery UI?

Only if the person is identifiable. If only the IP is sent anonymously it is not personal data. jQuery would need to be sending other data alongside the IP to make the IP personal information, such as a person’s name and address or email.

If you read through various sources, you will find the conclusion that the IP address is personal data, as it is an online identifier.

I’ve spent the last month on GDPR as I do live in the UK. I’ve spoken with the ICO and attended a number of seminars on GDPR. Also the ICO commissioner has said that IP addresses on their own are not personal data (https://www.out-law.com/page-8060). They have to be combined with other data.

This means that IPs are only personal data if they are combined with other data. To quote Elizabeth France, the ICO, in 2001:

“If dynamic or static IP addresses are collected simply to analyse aggregate patterns of website use they are not necessarily personal data. They will only become personal data if the website operator has some means of linking IP addresses to a particular individual, perhaps through other information held or from information that is publicly available on the internet. ISPs will of course be able to make this link but the information they keep will not normally be available to a website operator.”

If my website is only sending IPs free from any other form of information for the purpose of statistic collection, then the data is not personal and not subject to GDPR.

1 Like

And that is exactly the point. With linking e.g. Analytics or Fonts from Google in the U.S., you are forcing the website visitor to share their IP with them.

You as website owner might not be able to combine a name with an IP address, but Google is. And you are responsible for your website and the requests you enforce to other sources.

TL;DR
You are not sending the IP address to someone. You before the end user browser to do so.

But this is anonymous, no other data is shared. If Google then profiles and combines it with other data to make it personal information, that will reflect on their compliance with GDPR. In terms of my compliance I have not shared personal information.

Sorry, this doesn’t make sense?

Typo. You enforce the end user’s browser to access information from the U.S.

There are different opinions on this topic. I will stop discussion and prepare for the worst, as I am located in Germany. I had to learn today (thanks to @tav ) that you don’t even need an imprint in the UK, which could lead to an adhortatory letter in Germany directly.

I have been studying the regulations as well for the last few weeks and I can definitely tell you that in Germany the absolutely common understanding is that IP addresses are personal data. I cannot imagine that official bodies in various European countries have so diverse opinions on how to interpret the common law. But who knows? All I can tell you is that if you’re working with German clients or have German visitors you must prevent unauthorized transmission of IP addresses. That is for sure.

But this misses the point of GDPR. It’s about personal and sensitive data. Data is only personal data if it identifies a specific living individual.

IP 81.141.128.212 does not enable you to identify a specific living individual. You need to add additional data to make it personal. Therefore I cannot understand why Germany has taken such a stance. In the UK the Information Commissioner’s Office (ICO), who are responsible for regulating GDPR in the UK, are clear that on its own an IP is not personal data. The GDPR does give provision for member states to add more to the legislation, but this would be an odd thing for Germany to decide, that all IPs are personal information; in fact it couldn’t, because this would be redefining personal information. Something is not right here.

1 Like

Yeah, I’ve created a German site and they have some pretty crazy laws, such as the “Impressum”.

1 Like

Full Ack :slight_smile:

It’s not only in Germany. There was a judgment of the European Court of Justice (19.10.2016, reference C-582/14) that defined the IP as personal data.

Let’s be accurate:

On 19 October 2016, the Court of Justice of the European Union (the “CJEU”) published its judgment in Case 582/14 – Patrick Breyer v Germany, in which it held that IP addresses are personal data in certain circumstances. (emphasis added)

See last paragraph: Are Dynamic IP Addresses Personal Data