
Will LindenLab comply with the RGPD?


https://en.wikipedia.org/wiki/General_Data_Protection_Regulation


The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Legally, they have to comply because there are European users on Second Life.

So LindenLab will have to implement features like:

  • “Forget me” – LL should have a method that takes a userId and deletes all personal data about that user (in case it has been collected on the basis of consent or based on the legitimate interests of the controller (see more below), and not due to contract enforcement or legal obligation).
  • Notify 3rd parties for erasure
  • Export data – there should be another button – “export data”. When clicked, the user should receive all the data that you hold about them. What exactly that data is depends on the particular use case.

more info: https://techblog.bozho.net/gdpr-practical-guide-developers/

What do you think about it?

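As an added illustration of the three features listed in the post above (this is example code, not Linden Lab's or the linked guide's), here is a minimal Python data store in which every record carries its lawful basis: erasure removes only the consent and legitimate-interest records, keeps the contract and legal-obligation ones, and notifies registered third parties, while export returns everything held. All names, categories and sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Basis(Enum):
    """Lawful basis under which a record was collected (constructed labels)."""
    CONSENT = "consent"
    LEGITIMATE_INTEREST = "legitimate_interest"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"


# Only records collected on these bases are dropped by a "forget me" request;
# contract and legal-obligation records are retained, as the post describes.
ERASABLE = {Basis.CONSENT, Basis.LEGITIMATE_INTEREST}


@dataclass
class Record:
    category: str   # e.g. "marketing_email", "invoice_address" (constructed)
    value: str
    basis: Basis


@dataclass
class PersonalDataStore:
    records: Dict[str, List[Record]] = field(default_factory=dict)
    # Processors that received copies of the data; each is called on erasure.
    third_parties: List[Callable[[str], None]] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def add(self, user_id: str, category: str, value: str, basis: Basis) -> None:
        self.records.setdefault(user_id, []).append(Record(category, value, basis))

    def export(self, user_id: str) -> List[dict]:
        """Right of access: return every record held on the user, with its basis."""
        return [{"category": r.category, "value": r.value, "basis": r.basis.value}
                for r in self.records.get(user_id, [])]

    def forget(self, user_id: str):
        """Right to erasure: drop erasable records, keep the rest, notify processors.
        Returns (erased_categories, retained_categories)."""
        held = self.records.get(user_id, [])
        erased = [r.category for r in held if r.basis in ERASABLE]
        retained = [r for r in held if r.basis not in ERASABLE]
        if retained:
            self.records[user_id] = retained
        else:
            self.records.pop(user_id, None)
        for notify in self.third_parties:      # "notify 3rd parties for erasure"
            notify(user_id)
        self.audit.append(f"erasure:{user_id}:erased={len(erased)}:retained={len(retained)}")
        return erased, [r.category for r in retained]


def demo():
    """Constructed walk-through: one user with records on four different bases."""
    notified: List[str] = []
    store = PersonalDataStore(third_parties=[notified.append])
    store.add("u42", "marketing_email", "user@example.invalid", Basis.CONSENT)
    store.add("u42", "login_ip", "203.0.113.7", Basis.LEGITIMATE_INTEREST)
    store.add("u42", "invoice_address", "1 Example Street", Basis.CONTRACT)
    store.add("u42", "tax_record_2017", "kept under tax law", Basis.LEGAL_OBLIGATION)
    before = store.export("u42")
    erased, retained = store.forget("u42")
    return before, erased, retained, notified, store.export("u42")


if __name__ == "__main__":
    print(demo())
```

The audit line is what a reviewer later checks to see that the request was honoured and that only the permitted categories survived.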

Yes.

While Linden Lab might try to play dumb and ignore a regulation like this from one or two small countries, the EU is too big of an economic bloc to ignore, and it is the single largest group of their customers outside the US itself. They aren't stupid enough to eat the fines and/or lawsuit over something that is this trivial to implement.


1 hour ago, samuel22200 Naxos said:

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Legally, they have to comply because there are European users on Second Life.

So LindenLab will have to implement features like:

  • “Forget me” – LL should have a method that takes a userId and deletes all personal data about that user (in case it has been collected on the basis of consent or based on the legitimate interests of the controller (see more below), and not due to contract enforcement or legal obligation).
  • Notify 3rd parties for erasure
  • Export data – there should be another button – “export data”. When clicked, the user should receive all the data that you hold about them. What exactly that data is depends on the particular use case.

more info: https://techblog.bozho.net/gdpr-practical-guide-developers/

What do you think about it?

Why would you assume they wouldn't?


One might imagine some confusion here. I'm guessing that the scope of "personal data" for GDPR purposes is limited to "real world" data, so for Linden Lab that might include things such as account order histories and RL payment information about real persons, but nothing about avatars, their "profiles", nor in-world content generally. Some may think of avatars as "persons" but I think the courts laugh that off as simply delusional.


5 hours ago, Qie Niangao said:

One might imagine some confusion here. I'm guessing that the scope of "personal data" for GDPR purposes is limited to "real world" data,

Personal data is defined as "every piece of data that can be used to uniquely identify a person or data that is about an already identified person" and it's hard to see how that can apply to data that is only associated with an internet nickname.

LL does collect genuine personal data too: your name, your email address, possibly even your credit card number. But at a quick glance, it seems to me that they only need to make a few fairly trivial changes to their routines to comply.

Edit: On second thought, there are a few features in SL which require LL to connect your account name to your accounts at other services, such as Facebook and Flickr and - of course - the user's email account. Those may well cause some problems.

Edited by ChinRey

I know folks working on this for real life internet companies ("small companies" by legal definition but certainly not all that small -- so Linden Lab-sized folks). It is a lot more complex than one might think ^^. But apparently this has been coming for a long time and the big companies like Amazon and Google have been working on it for a long while (I think two years was mentioned but don't quote me on that). So I have to guess that this isn't a surprise for The Lab either -- if so they might be scrambling a bit. And yes, there is plenty of REAL LIFE data collected, so international companies do have to pay attention.

We should probably know something by May 25th. Get your reading glasses out.

There is also a big "make the agreement in English" coming our way so hopefully we can get back to a TOS that folks might possibly (well not many but some) read. When I joined SL the TOS was extremely simple. Play nice with each other and we need to be able to show people your stuff for the world to work -- those were the main themes. Rules are fine but they don't need to go on for pages and pages. So I am looking forward to THAT change for sure.

I might possibly make it over to Sansar then LOL.


1 hour ago, Chic Aeon said:

There is also a big "make the agreement in English" coming our way so hopefully we can get back to a TOS that folks might possibly (well not many but some) read. When I joined SL the TOS was extremely simple. Play nice with each other and we need to be able to show people your stuff for the world to work -- those were the main themes. Rules are fine but they don't need to go on for pages and pages. So I am looking forward to THAT change for sure.

That would be very nice. I'd love a situation where we can "kill all the lawyers" and simplify the TOS from many blog posts, millions of unwritten rules, conflicting community standards, and one-sided legalese clauses into a proper (non-USA like) TOS that has a little bit of fairness for the customer.

LL's TOS would not hold water in my country; it would be ruled illegal in an instant.


3 hours ago, Callum Meriman said:

into a proper (non-USA like)

USA: "Ah Sergeant, I have orders for you..." 

"Sir! *salute* General Bombthebastards! *salute* Sir! *salute* Sergeant Hershy B Dohnut reporting *salute* for duty Sir! *salute* Awaiting *salute* obedience-wise *salute* for orders pertaining *salute* military-wise to duties *salute* of a patriot-wise nature *salute* affirmative-wise *salute* Sir! *salute* General Bombthebastards! *salute* Sir! *salute*"

UK:  "Carry on Sergeant Shouty..."

"Sah!"


Oh no, not another 'our terms and conditions are changing' letter/email/message.

While I welcome the phEU making this regulation, the law of the untended flatulence of legal notices is being sorely tickled.


18 hours ago, samuel22200 Naxos said:

Legally, they have to comply because there are European users on Second Life.

I'll make the same statement that I made in the other thread. No country, or group of countries, can make laws that people in other countries have to comply with. So no, LL does not have to comply.

That doesn't mean that people in other countries won't comply with the EU's law. There are reasons why some should, for their own benefit, but none of them have to, and I do wish that people would stop saying they have to.

Incidentally, the fact that EU people use SL is irrelevant.

Edited by Phil Deakins

2 hours ago, Phil Deakins said:

I'll make the same statement that I made in the other thread. No country, or group of countries, can make laws that people in other countries have to comply with. So no, LL does not have to comply.

You are right... They don't HAVE to comply with the regulations, they can, instead, choose to simply not do business with Europeans...

2 hours ago, Phil Deakins said:

Incidentally, the fact that EU people use SL is irrelevant.

Except for the fact that they are a major chunk of the population of SL, and failing to comply with EU data protection regulations would end with them leaving SL, and thus in LL suffering a MAJOR drop in revenue as a sizable chunk of the population stopped buying L$, renting parcels, paying tier, forking out for Madlander Entitlement Club membership, etc., leading to LL possibly going under due to the sudden loss of income.

2 hours ago, Phil Deakins said:

There are reasons why some should, for their own benefit,

Such as not going into the red and closing down...

3 hours ago, Phil Deakins said:

I do wish that people would stop saying they have to

Yeah, they only have to if they want to maintain their income, hardly important right?

3 hours ago, Phil Deakins said:

I'll make the same statement that I made in the other thread. No country, or group of countries, can make laws that people in other countries have to comply with. So no, LL does not have to comply.

That doesn't mean that people in other countries won't comply with the EU's law. There are reasons why some should, for their own benefit, but none of them have to, and I do wish that people would stop saying they have to.

Incidentally, the fact that EU people use SL is irrelevant.

Actually they DO need to comply, because it covers European data, even if stored on other servers. If they do not comply they are not allowed to save any data on European customers. Companies like Facebook, Google, Amazon are changing their privacy policies because they have to, but you think Linden Lab is big enough that they do not have to?

The only way LL does not have to comply is when they completely shut down all access to Second Life for EU citizens. Other than that, it's European data, so European jurisdiction.


1 minute ago, lavalois said:

Actually they DO need to comply, because it covers European data, even if stored on other servers. If they do not comply they are not allowed to save any data on European customers. Companies like Facebook, Google, Amazon are changing their privacy policies because they have to, but you think Linden Lab is big enough that they do not have to?

The only way LL does not have to comply is when they completely shut down all access to Second Life for EU citizens. Other than that, it's European data, so European jurisdiction.

That's not correct. One country cannot make laws that the residents of another country must abide by. Even international laws only have to be complied with by those countries that have signed up to be included. People in other countries can please themselves.

It has nothing to do with whether or not EU residents use the U.S. SL system. For instance, I in the UK do not have to abide by U.S. laws, unless the laws in my country say that I have to. It may be that the U.S. law dictates that LL has to abide by EU laws in this matter but, unless the U.S. law says that, LL does not need to comply.


That is only partially true. In the digital age, you are the owner of your personal data, which means that if a US company misuses your data, you are eligible to sue them. In RGPD, the EU represents all EU citizens in protecting their data. So yes, personal data of EU citizens is a perfect example of European jurisdiction. The same would go the other way if the US would create some personal data protection plan.

So in this case, LL is using European data, so they have to abide by European laws.


This claiming of international jurisdiction never ends well. For the moment, we may like the idea of the EU "protecting" its citizens' data wherever it may roam, but that "protection" means those citizens have lost the right to do business with any foreign company that doesn't comply with EU regulations. That may sound good when it's "privacy" but what about when the governing body instead demands unencrypted backdoor access to all its citizens' encrypted data anywhere in the world as part of some "anti-terrorist" or "think of the children" measure?

(We're also about to see a much more dangerous overreach in jurisdiction as hawks in the White House attempt to pressure allies into reimposing sanctions on Iran. A different mechanism and a very different topic, sure, but another case of demanding extraterritorial compliance.)

Edited by Qie Niangao

The important distinction in terms of making GDPR enforceable outside of the EU is not whether the citizens of the EU make use of something (clearly LL has many customers in the EU) but rather whether or not LL does business in the EU. An EU citizen on Second Life is doing business with Linden Lab, not really the other way around. Does Linden Lab have offices, pay for hosting or services, or otherwise engage in business in the EU? Amazon, Facebook, Google and other huge internet services have actual commerce in the EU. They have offices and permits to operate in those countries. They comply because they can be sued easily there, have assets frozen there. A US (or any other foreign company) simply doing business with citizens of the EU should comply but enforcement becomes far more difficult since very few US courts are likely to recognize the jurisdiction of the EU over a US company. I suppose they could block access to Second Life servers. I don't know if LL has actual business interests in the EU. I am pretty sure they have something in Great Britain.


1 hour ago, lavalois said:

That is only partially true. In the digital age, you are the owner of your personal data, which means that if a US company misuses your data, you are eligible to sue them. In RGPD, the EU represents all EU citizens in protecting their data. So yes, personal data of EU citizens is a perfect example of European jurisdiction. The same would go the other way if the US would create some personal data protection plan.

So in this case, LL is using European data, so they have to abide by European laws.

If I choose to pass some of my personal data to LL, then I lose all control over it in that country - unless the U.S. laws say otherwise to LL. Other than that, I do not have any right to sue LL for misuse of my personal data.

It's quite possible that the U.S. does take it into account, and I may be able to sue LL in a U.S. court, but not unless the U.S. law says so. What can't happen is for the UK (or the EU) to make a unilateral law giving me a right to sue LL in the U.S. I could try (if I want to waste a lot of money), but the law over here isn't upheld by U.S. courts unless the U.S. law says so.

In short, EU laws do not have to be complied with in other countries unless the laws in whatever country it happens say so. The EU cannot make laws that must be complied with in other countries. And neither can the U.S. :)

Edited by Phil Deakins

4 minutes ago, seanabrady said:

I don't know if LL has actual business interests in the EU. I am pretty sure they have something in Great Britain.

They did have the billing office in the northeast of the UK but I don't know if it's still there. That office didn't do actual business with anyone, but it could create a greyness if it's still there.


6 minutes ago, Phil Deakins said:

If I choose to pass some of my personal data to LL, then I lose all control over it in that country - unless the U.S. laws say otherwise to LL. Other than that, I do not have any right to sue LL for misuse of my personal data.

It's quite possible that the U.S. does take it into account, and I may be able to sue LL in a U.S. court, but not unless the U.S. law says so. What can't happen is for the UK (or the EU) to make a unilateral law giving me a right to sue LL in the U.S. I could try (if I want to waste a lot of money), but the law over here isn't upheld by U.S. courts unless the U.S. law says so.

In short, EU laws do not have to be complied with in other countries unless the laws in whatever country it happens say so. The EU cannot make laws that must be complied with in other countries. And neither can the U.S. :)

You are not seeing the point here. The fact at hand, why this is something LL has to comply with, is that LL is handling EU data, which falls under EU laws. Digital property does not stop at borders.

The fact that they are in the US does not change that fact. If LL wants to handle EU data, LL needs to adhere to EU laws about data, simple as that. If LL does not comply with the EU law about that, LL is not allowed to handle EU data. Whether you give the data to them willingly does not even matter in this case.

Because of this law you as an EU citizen (for now at least) can request a transcript of the data LL has on you, and you can request to be erased completely from their systems.

Edited by lavalois

7 minutes ago, lavalois said:

You are not seeing the point here. The fact at hand, why this is something LL has to comply with, is that LL is handling EU data, which falls under EU laws. Digital property does not stop at borders.

The fact that they are in the US does not change that fact. If LL wants to handle EU data, LL needs to adhere to EU laws about data, simple as that. If LL does not comply with the EU law about that, LL is not allowed to handle EU data. Whether you give the data to them willingly does not even matter in this case.

Because of this law you as an EU citizen (for now at least) can request a transcript of the data LL has on you, and you can request to be erased completely from their systems.

The real question isn't whether or not LL is covered by it. They absolutely are in terms of data related to EU citizens. The question though is one of compliance. It is just very difficult to enforce a law when the organization doesn't directly operate in your jurisdiction. Compliance though is almost certain to happen. Linden Lab knows that if it doesn't already operate in the EU it may in the future and gaining access will be challenging if they have unresolved GDPR complaints.

I will be curious to see if some US companies (I don't think LL is someone that will do this) won't simply take any GDPR privacy requests as an opportunity to simply package up and delete the content along with the requestor's account, writing off the potential customer. I personally feel the rule is good in principle but generally overreaching and with an outrageous set of penalties for non-compliance.


1 minute ago, seanabrady said:

The real question isn't whether or not LL is covered by it. They absolutely are in terms of data related to EU citizens. The question though is one of compliance. It is just very difficult to enforce a law when the organization doesn't directly operate in your jurisdiction. Compliance though is almost certain to happen. Linden Lab knows that if it doesn't already operate in the EU it may in the future and gaining access will be challenging if they have unresolved GDPR complaints.

I will be curious to see if some US companies (I don't think LL is someone that will do this) won't simply take any GDPR privacy requests as an opportunity to simply package up and delete the content along with the requestor's account, writing off the potential customer. I personally feel the rule is good in principle but generally overreaching and with an outrageous set of penalties for non-compliance.

I know of at least two MMORPG servers that will delete all EU players' data on May 25th, and block European access. Facebook is migrating all of their African, Asian, and other non-European profiles away from their data center in Ireland, to avoid having to comply with GDPR on that data. The law applies to foreign data on European servers, as well as European data on foreign servers.

And LL might not operate directly in the EU jurisdiction, but the EU does have the power to order Second Life to be blocked by all European Internet providers, effectively punishing LL by taking away a sizable amount of their revenue. Same as with other companies, the EU has the power to place trade sanctions. So while they may not have direct jurisdiction, the EU does have sufficient power to punish companies not in compliance with GDPR.

And the organisation does operate directly in the EU jurisdiction when they save banking details from European citizens. It has nothing to do with whether the person has given the data willingly or not. The law is to prevent misuse.


2 hours ago, Phil Deakins said:

That's not correct. One country cannot make laws that the residents of another country must abide by. Even international laws only have to be complied with by those countries that have signed up to be included. People in other countries can please themselves.

It has nothing to do with whether or not EU residents use the U.S. SL system. For instance, I in the UK do not have to abide by U.S. laws, unless the laws in my country say that I have to. It may be that the U.S. law dictates that LL has to abide by EU laws in this matter but, unless the U.S. law says that, LL does not need to comply.

I am not sure I follow this, Phil. The Data Protection Act applies in the UK, obviously, and -- as I understand it -- now applies to data collected in the EEA rather than only to data stored or processed in the EEA. So if someone is in the UK when they supply the data to LL, then their data is protected by the Act.

The Act contains various enforcement procedures, which can be enforced by UK courts if necessary. So if the Information Commissioner is unhappy at what LL, or any other US company, is doing with our data, it can take the matter up with LL in San Francisco and, if necessary, issue enforcement notices and, if these are ignored, seek their enforcement through the British courts, who can fine companies up to (I think) 4% of their global turnover.

If the US company refuses to pay the fine, then courts in the UK and elsewhere in the EEA can seek to seize funds from the company's bank accounts in the EEA or, if there are no bank accounts to go after, from payment processors (credit card companies and PayPal) who receive funds on behalf of the delinquent US company, in the same way they might seek to collect fines or monies owed by an individual by having them deducted at source from the defendant's wages, salary or benefits.

So, no, I doubt a British court could send the bailiffs round to Battery Street to collect a fine, but they don't need to. They simply deliver the appropriate warrants to PayPal UK, Mastercard and Visa.

Edited by Innula Zenovka
