Publishers Take Aim at Google's Interpretations of E.U.'s GDPR

     
5:30 pm on Apr 30, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25274
votes: 690


Major publishers are at odds with Google over the interpretation of the responsibilities under GDPR.
Google is passing the responsibility to publishers, yet retaining the information to use for its own purposes.

Publisher groups wrote to Google's chief about this, saying “Your proposal severely falls short on many levels,” publisher groups wrote to Google Chief Executive Sundar Pichai, adding that it “would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law.”
Signing the five-page letter, which ends on several questions to Google, were Digital Content Next, European Publishers Council, News Media Alliance and News Media Association.

[uk.reuters.com...]

It is really worth reading the whole piece in the link.
5:34 pm on Apr 30, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:1863
votes: 470


I wonder if it is Google's strategy to turn this GDPR thing into one massive confusing mess for everyone.
5:51 pm on Apr 30, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 111


@NickMNS, I am beginning to wonder whether the EU's strategy is to turn it into a massive confusing mess.

Usually it's because they do not talk to smaller businesses (e.g. VAT MOSS) or just do not understand what is going on (Cookie law); in this case they seem to have spoken to a lot of large businesses either (the people complaining about this). I think when it all plays out this law will strengthen Google and FB, and weaken smaller sites.
6:09 pm on Apr 30, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:1863
votes: 470


I 100% agree.
Big business has the resources to deal with this, that is lawyers and developers to allow them to find solutions that will make them untouchable. Whereas small business will be vulnerable. As a very small independent business the risk is pretty small, if any one comes after you close and get a job. But the businesses that have the most at risk are the large small businesses or mid-sized companies, where simply closing your doors is not a feasible option. It may be the ultimate outcome but certainly not the desired one. So if barriers are created preventing small firms from growing into big firms, then the big firms will be more secure than ever, and thus will be in a position to do what they like. FB in front of the US Congress or UK parliament is a perfect example.
9:29 am on May 1, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 111


if any one comes after you close and get a job.


That is not OK. If I had to do that it would mean changing my lifestyle, less time with my family, either moving or having a long commute, losing my dependence, losing much chance to build the business... it also means taking away competition (i.e. if a small firm closes down it will definitely never become a big one).

Other than that, you are right, it's all about barriers - although I would say it will also deter some people from setting up a business in the first place.
2:34 pm on May 1, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1642
votes: 233


although I would say it will also deter some people from setting up a business in the first place.

This is why big business generally loves the EU. Much of the regulation is done via consultancy with big business. It's hard to see where bureaucratic consultancy stops and lobbying begins. The end result is that nascent entrepreneurs are scared off. Or they trip up and close down.

In all highly regulated markets, it's the small business who loses out. Big business wins. Consumers might have higher standards, but they pay a corresponding cost in lost competition and lower levels of innovation.

I'm doing our compliance on GDPR. The principles are pretty sound, but the implementation is horrific. In particular, everything needs to be documented (Article 5, Para 2 for demonstrating compliance; Art 30 for recording all processing activities). I mean seriously, this is too onerous.

(I would invite everyone to have a skim of the law as written, in its original published form (link below). The preamble is 31 pages long! And Preamble Para (1) and (4) are doing gymnastics to avoid being mutually contradictory. Though I have previously read the actual law, I have only recently looked at the preamble. I wish I hadn't!)
[eur-lex.europa.eu...]
12:35 pm on May 3, 2018 (gmt 0)

Junior Member

5+ Year Member

joined:June 29, 2010
posts: 89
votes: 0


Can someone please help me understand the issue here? I honestly don't get it.

I read the article several times and I worked with the GDPR for weeks.

In my opinion it is the spirit of the GDPR that the user as the owner of the data has to consent to anything unusual happening to his or her data. To me this certainly is the case when a website enables a giant data accumulator with the power of some nation states to use the user's data to create a profile. If 6(1)(f) would apply to this extreme case, an important part of the law would be pointless. Because accumulation of data and building profiles is the real issue here.

I see those publishers complaining about Google not wanting to merely be a data processor. But they never were just that and I don't see any obligation to change that. This is B2B, not B2C. They can even keep using AdSense, just not the personalized ads.

"publishers wrote that Google’s terms could multiply their exposure to “potentially ruinous” judgements by leaving them liable for misuse by Google and its partners". That is how I interpret the GDPR. I just deleted the part in the data privacy statement where it says that we are not liable for what third parties are doing with the user's data. As far as I understand it, the user will sue us for damages and we will have to sue the third party.

I only see publishers being scared of losing revenue here.
1:15 pm on May 3, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1642
votes: 233


spirit of the GDPR
Lots of American commentary is getting hung-up on this point- that really the EU wants companies to stop collecting data, so have come up with a draconian law to make it difficult.

But that is simply not what has happened. The EU just wants companies to be responsible with data, under threat of a potentially massive fine.

6(1)(f), for those who don't want to look it up, is the "Legitimate interests" grounds for data collection. It states:
    Art. 6 GDPR Lawfulness of processing
    1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    ...
    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
That's the letter of the law, and it is pretty easy to comply. The onerous bit is implementing encryption everywhere, documenting everything, implementing user access controls, creating data deletion regimes, training staff in Right to Erase, Right to Object, Right to Access etc.

Collecting data is still easy. Very easy. This is not a response to Facebook/Cambridge Analytica. It predates it.

All you have to do is state what you are collecting, that it is in your legitimate interests to collect it, and what you are using it for. And then not to REPURPOSE that data once you have it.
2:03 pm on May 3, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1642
votes: 233


Actually, Google wanting to be a Controller is almost certainly a requirement. You can only be a Controller or a Processor. The Processor cannot make any decisions about utilising the data- they can only fulfil their contractual obligations from the Controller.

If the publishers were the Controllers, Google would take their marching orders from them. Google will not do this.

I will quote Recital (47) in full, emphasis mine:
    The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.


But note Article 21 (italics mine):
    Right to object
    ...
    (2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

    (3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

    (4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
12:00 am on May 5, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts: 446
votes: 40


This is not "all you have to do is state you collect the data..."

The regulations require specific opt-in, not implied opt-in. Any software (like forums) that has a link in the registration screen that says to the effect "by registering you agree to our terms and conditions" is not in compliance. There must be the link and a check box saying they've agreed. Same with automatically opting them into a newsletter, etc.

There is a lot of software out there which simply doesn't comply. It's not a simple set of regulations; its preamble alone is 30-odd pages.
9:16 am on May 8, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 2, 2016
posts: 343
votes: 59


I love how Google and others are scaring everyone, including people outside of EU to compliance. We barely have any EU visitors. We do not even collect any country/location specific data. Our company operates and was founded in the USA. But my American business partner, that lives in USA is scared #*$!less about the whole GDPR thing.

Google and other companies may collect GDPR specific data in EU. For EU citizens. So what? It is their problem. They're the ones that collect the data. All they really want is to avoid the hefty fines and put the blame on us if anything would happen. But we collect the data for them, not us they say (yeah right).

EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

I feel for you guys that have to fully comply.
10:03 am on May 8, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1642
votes: 233


The regulations require specific opt-in, not implied opt-in.

Well, sort of. The Law says you must explicitly advise people of their right to opt-out. This explicit advice must be evidenced via an unchecked box that requires ticking (checking). See Art 21(4).

Personally, I would make Direct Marketing activities an explicit opt-in, but the law does not actually require it - just another legal basis (cf Art 6(1)(f) - Legitimate Interests; Recital 47 final sentence).

To comply, you must:
- Accept that Data Subject has Right to Object (AKA an Opt-out) - Art 21(2)
- Give explicit (active acknowledgement required) advice that they have the right to object (Art 21(4))
- Immediately cease DM activities, including profiling, on exercise of that right (Art 21(3))

Links:
Unofficial but easy-use: [gdpr-info.eu...]
Official but horrible (I wish fragment IDs worked here...): [eur-lex.europa.eu...] <- Add "#d1e2803-1-1" for speed