Can a host be held liable for customers GDPR violations?

If a webhost has a customer who has a website that is not GDPR compliant, can the webhost somehow be held liable for this if he's made aware of it?

Comments

  • let_rocks Member
    edited April 2023

    I would say in most if not all countries no.
    The host is not really responsible for what their customers host.

  • Depending on the country you can request a takedown notice.

  • WebProject Host Rep, Veteran

    @AaronFR said:
    If a webhost has a customer who has a website that is not GDPR compliant, can the webhost somehow be held liable for this if he's made aware of it?

    Webhost companies do not take responsibility for customer websites, as website owners are liable to be GDPR compliant.

    It's exactly the same as towns or cities not taking responsibility for companies who are trading inside the town!

    I recommend reading about the laws and regulations.

  • AaronFR Member
    edited April 2023

    @webcraft said: Depending on the country you can request a takedown notice.

    A takedown to who? Host or website itself?
    If a company is hosting their website with Google, and their cookie statement text or policy is not according to GDPR requirements, can Google be held liable for hosting this website unless they terminate it when they are made aware that the website's cookie policy is not according to GDPR standards?

  • @AaronFR said:

    @webcraft said: Depending on the country you can request a takedown notice.

    A takedown to who? Host or website itself?
    If a company is hosting their website with Google, and their cookie statement text or policy is not according to GDPR requirements, can Google be held liable for hosting this website unless they terminate it when they are made aware that the website's cookie policy is not according to GDPR standards?

    I don't think they can be held liable for the GDPR violation itself, but if they receive a takedown notice and don't proceed with it, they can be held liable for not following that order.

  • Levi Member

    Why not? This must be discussed properly in a court instance.

  • inland Member
    edited April 2023

    @webcraft said:
    Depending on the country you can request a takedown notice.

    /

    @webcraft said: I don't think they can be held liable for the GDPR violation itself, but if they receive a takedown notice and don't proceed with it

    BS. There's no such thing as a GDPR "takedown notice". Enforcement of GDPR is delegated to the national data protection authorities. There's nothing you can do except complain to the relevant country's DPA. Unless you do something exceptionally stupid like not report a massive data breach, your complaint will likely be ignored.

    Not having a proper privacy policy can be a hurdle with some payment providers or advertising platforms though.

  • sandoz Veteran

    I sell you my knife brand. Should I be responsible if someone, or you, kills a person with my knife brand?

  • webcraft Member
    edited April 2023

    @inland said:

    @webcraft said:
    Depending on the country you can request a takedown notice.

    /

    @webcraft said: I don't think they can be held liable for the GDPR violation itself, but if they receive a takedown notice and don't proceed with it

    BS. There's no such thing as a GDPR "takedown notice". Enforcement of GDPR is delegated to the national data protection authorities. There's nothing you can do except complain to the relevant country's DPA.

    The DPA can issue a takedown request if it finds you're violating the law (e.g. GDPR); it works just like with any other digital law enforcement.

  • emgh Member
    edited April 2023

    So many extremely shitty takes. C’mon, if you don’t have any clue why answer as if you know?

    Law questions always end up like this ..

    @let_rocks said:
    I would say in most if not all countries no.
    The host is not really responsible for what their customers host.

    I haven’t spent much time with GDPR yet but this is wrong, how to interpret EU legislation is decided by CJEU and is not up to any country to decide.

    @sandoz said:
    I sell you my knife brand. Should I be responsible if someone, or you, kills a person with my knife brand?

    Not at all the same thing. Furthermore, this is just your opinion on society; not relevant to what’s actually the law.

  • @webcraft said: The DPA can issue a takedown request if it finds you're violating the law (e.g. GDPR); it works just like with any other digital law enforcement.

    Issue it to who?
    The website or Google who are hosting the site?

  • emgh Member

    @AaronFR said:

    @webcraft said: The DPA can issue a takedown request if it finds you're violating the law (e.g. GDPR); it works just like with any other digital law enforcement.

    Issue it to who?
    The website or Google who are hosting the site?

    As I explained above (I know you didn’t quote me) I have no experience with GDPR law but I’ve seen cases of our DPA going after companies, not hosts; so I know one of them is possible but I can’t exclude the other:

    https://gdprhub.eu/index.php?title=Datainspektionen_-_DI-2018-9274

  • webcraft Member
    edited April 2023

    @AaronFR said:

    @webcraft said: The DPA can issue a takedown request if it finds you're violating the law (e.g. GDPR); it works just like with any other digital law enforcement.

    Issue it to who?
    The website or Google who are hosting the site?

    I'm not sure what the actual process looks like; it might be that the website owner is formally requested in a first step to comply with GDPR, and if he doesn't in a timely manner, the host will be requested to remove public access to this site. It might start with the last step, though.
    So if you host with Google, it would be forwarded to their local GDPR agent.

    @emgh said:

    @AaronFR said:

    @webcraft said: The DPA can issue a takedown request if it finds you're violating the law (e.g. GDPR); it works just like with any other digital law enforcement.

    Issue it to who?
    The website or Google who are hosting the site?

    As I explained above (I know you didn’t quote me) I have no experience with GDPR law but I’ve seen cases of our DPA going after companies, not hosts; so I know one of them is possible but I can’t exclude the other:

    https://gdprhub.eu/index.php?title=Datainspektionen_-_DI-2018-9274

    Yes, the host won't be charged for the GDPR violation. The host will just be requested to take down public access to this website, which works just like with any other form of law violation (e.g. CP, hate, etc.). If the host doesn't follow the takedown request, he'll be charged for not following it, no matter what the actual violation was (e.g. CP or GDPR).

  • emgh Member

    Also, I don't wish to come across as looking down on people with no law experience, but the EU and its legislation are some of the most complicated legal systems in the world.

    It’s impossible to understand without really understanding law; and also quite impossible even if you do.

    For example, the way that CJEU interprets their own legislation differs, and it differs a lot.

    They’re extremely free.

    Also, every piece of legislation is drafted to a whole bunch of languages, often contradicting and guess what; they’re all just as binding.

    So which is the ”most binding”? Up to the CJEU.

    In reality, the complexity of this system is the reason why basically nobody but the EU itself can fully understand it, and also why people distrust this generally wonderful system; because it's too hard to grasp to ever become transparent and maybe even fully democratic.

  • emgh Member

    And, to make things worse, in reality very few cases are presented in front of the CJEU; most of the time, national practice (such as how takedowns are handled) is decided by local courts trying to "guess" how the CJEU would have ruled if they were to rule.

    So yeah, it’s not a very ”easy to get a hang of” system.

  • webcraft Member
    edited April 2023

    @emgh said:
    In reality, the complexity of this system is the reason why basically nobody but the EU itself can fully understand it, and also why people distrust this generally wonderful system; because it's too hard to grasp to ever become transparent and maybe even fully democratic.

    In my experience it's getting complicated only when living on the (legal) edge/grey zone. Otherwise the simple rule of thumb is to add an extra layer of security or whatever process to be on the safe side.

  • emgh Member

    Oh, sorry; finally:

    GDPR doesn't even always apply to everyone. The host can't know the ins and outs of these either.

    For example; take a look at Article 85.

    ”Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information”

    I.e. If it’s required to guarantee free speech GDPR can be ”obsolete”.

  • @emgh said:
    Oh, sorry; finally:

    GDPR doesn't even always apply to everyone. The host can't know the ins and outs of these either.

    For example; take a look at Article 85.

    ”Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information”

    I.e. If it’s required to guarantee free speech GDPR can be ”obsolete”.

    No, just the part about personal data, but GDPR is a lot more.

  • emgh Member
    edited April 2023

    @webcraft said:

    @emgh said:
    Oh, sorry; finally:

    GDPR doesn't even always apply to everyone. The host can't know the ins and outs of these either.

    For example; take a look at Article 85.

    ”Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information”

    I.e. If it’s required to guarantee free speech GDPR can be ”obsolete”.

    No, just the part about personal data, but GDPR is a lot more.

    Yes, but I’d imagine in complaints these are often the cited articles.

    Huge (national) ruling coming up "soon" that'll clarify this with Mrkoll.

    Will be interesting.

  • AaronFR Member
    edited April 2023

    @webcraft said: The host will just be requested to take down public access to this website, which works just like with any other form of law violation (e.g. CP, hate, etc.). If the host doesn't follow the takedown request, he'll be charged for not following it, no matter what the actual violation was (e.g. CP or GDPR).

    Are you just guessing or do you actually know?

    DPA can issue fines for as long as the infringement is ongoing.
    Do they even have jurisdiction to request a webhost to "take down public access" to a website?

    A fine can either be a max, fixed amount or 2% of yearly revenue. If they issue a fine to the host for their customer's non-compliant action, is this fine based on the non-compliant website's company revenue, or will it be based on Google's (the host) yearly revenue?

  • emgh Member
    edited April 2023

    @webcraft said:

    @emgh said:
    In reality, the complexity of this system is the reason why basically nobody but the EU itself can fully understand it, and also why people distrust this generally wonderful system; because it's too hard to grasp to ever become transparent and maybe even fully democratic.

    In my experience it's getting complicated only when living on the (legal) edge/grey zone. Otherwise the simple rule of thumb is to add an extra layer of security or whatever process to be on the safe side.

    Eh.

    Costa v ENEL - the ECJ ruled that EU legislation goes before national legislation and formed the principle, without it ever being voted on nor decided upon.

    The ECJ can use a so-called "meta teologisk" (I have no clue what that would translate to) interpretation method when deciding upon the outcome - that's what they did in the case above.

    It basically means that they can:

    1. Find the "objective purpose" that a "rational lawmaker" would have had and use that as guidance, not the actual purpose that the lawmaker had or what the law states
    2. Shift any focus from the article or even legislation at hand and rather focus on the meaning of the "EU juridical system as a whole" to decide the "most fair" outcome.

    C-70/88 is another example of this.

    It starts with the proposition that a Community rule would be desirable, and deduces from this that such a rule must therefore be inherent in the Treaty, a confusion of 'ought' and 'is' that no ordinary lawyer would make - Hartley 1999, p. 60

  • raindog308 Administrator, Veteran

    @sandoz said: I sell you my knife brand. Should I be responsible if someone, or you, kills a person with my knife brand?

    There have been lawsuits in the US against firearms manufacturers. I'd wager there have been some against knife makers.

  • Maounique Host Rep, Veteran
    edited April 2023

    @raindog308 said: There have been lawsuits in the US against firearms manufacturers. I'd wager there have been some against knife makers.

    AFAIK those were about the improper sales of such weapons not the manufacturing per se.

    In the case of knives, those are dual use goods, even less likely to succeed than in the case of the weapons of war which have one purpose only.

    As for the GDPR, I think the approach is wrong.
    A company could be found in violation of that, the website owner could be charged, a takedown notice could be served by the judge who decided the company has to stop operating or has been bankrupted by the GDPR action even if the lease is still valid for the site.

    I don't see how else it could even be issued, a takedown notice, other than in such cases.

    A foreign (not from the countries where the GDPR directive and legislation applies) entity is not obliged to act on that legislation/directive therefore there is no reason to serve it with a takedown notice in the first place, at most it could be blocked in the relevant countries.

    I know people compare it with the DMCA or anti-piracy acts, but the difference is that such legislation is in force almost everywhere in some form and, while the DMCA might not apply in many places, the local legislation would.

    The GDPR does not have many equivalents around the world.

  • labze Member, Patron Provider

    In Denmark we have a so-called "e-handelsloven" (roughly translated to "Internet Trading Law"). In this, it states that providers are not accountable for what others do online, as it's not reasonable to expect providers to know this. However, if the provider is made aware of something illegal on their services and fails to act on it, then they can be held liable. Roughly speaking. I believe it is similar in many European countries.

  • webcraft Member
    edited April 2023

    @AaronFR said:

    @webcraft said: The host will just be requested to take down public access to this website, which works just like with any other form of law violation (e.g. CP, hate, etc.). If the host doesn't follow the takedown request, he'll be charged for not following it, no matter what the actual violation was (e.g. CP or GDPR).

    Are you just guessing or do you actually know?

    DPA can issue fines for as long as the infringement is ongoing.
    Do they even have jurisdiction to request a webhost to "take down public access" to a website?

    A fine can either be a max, fixed amount or 2% of yearly revenue. If they issue a fine to the host for their customer's non-compliant action, is this fine based on the non-compliant website's company revenue, or will it be based on Google's (the host) yearly revenue?

    The DPA isn't creating a takedown request. It's identifying illegal behavior in terms of GDPR, and this will be treated by law enforcement authorities who have the right to take down.

    @labze said:
    In Denmark we have a so-called "e-handelsloven" (roughly translated to "Internet Trading Law"). In this, it states that providers are not accountable for what others do online, as it's not reasonable to expect providers to know this. However, if the provider is made aware of something illegal on their services and fails to act on it, then they can be held liable. Roughly speaking. I believe it is similar in many European countries.

    Yes, I think this is the proposal by the EU which most countries adopted into their national law.

    This is what I tried to explain by that a host can be fined for not following a takedown request (because if he receives a takedown notice, he's made aware of the illegal content on his services).

  • @webcraft said: The DPA isn't creating a takedown request. It's identifying illegal behavior in terms of GDPR, and this will be treated by law enforcement authorities who have the right to take down.

    I'm not sure that's correct.

    GDPR violations are by law enforced by the DPA. The only form of penalty for being non-compliant is fines. How do you escalate it to something that's not backed up by the GDPR law?

    If LEA can send out "stop being gdpr non-compliant" or a "gdpr cease-and-desist" request, which law, other than gdpr, grants them such right?

  • @AaronFR said:

    @webcraft said: The DPA isn't creating a takedown request. It's identifying illegal behavior in terms of GDPR, and this will be treated by law enforcement authorities who have the right to take down.

    I'm not sure that's correct.

    GDPR violations are by law enforced by the DPA. The only form of penalty for being non-compliant is fines. How do you escalate it to something that's not backed up by the GDPR law?

    If LEA can send out "stop being gdpr non-compliant" or a "gdpr cease-and-desist" request, which law, other than gdpr, grants them such right?

    Up to my understanding, the DPA is only enforcing on the one who is actually violating the GDPR law (e.g. the website owner), but if this person/company isn't responding or fixing the issue, it's being passed on to another instance to deal with it, because this is no longer a case of GDPR compliance only but one of not following official orders to comply with the law, or however this is called. This instance will send a takedown request to the host. It mustn't be correct for every EU country, but this is my understanding of the general process adopted by many countries.

  • AaronFR Member
    edited April 2023

    @webcraft said: Up to my understanding, the DPA is only enforcing on the one who is actually violating the GDPR law (e.g. the website owner), but if this person/company isn't responding or fixing the issue, it's being passed on to another instance to deal with it, because this is no longer a case of GDPR compliance only but one of not following official orders to comply with the law, or however this is called. This instance will send a takedown request to the host. It mustn't be correct for every EU country, but this is my understanding of the general process adopted by many countries.

    Where does it say GDPR violations can be escalated to other government agencies or LEA?

    Consider the following scenario:
    I run a website and due to sloppy coding my users' IP, real name, address etc. are posted on their profile, open for everyone to see. The DPA sends me a letter giving me a fine and 14 days to fix the issue before I will start receiving additional fines.

    I don't comply.

    What can LEA do? It's still a GDPR issue. Can they use non-GDPR laws to enforce GDPR violations? On what basis other than GDPR can LEA send me a letter and request I fix my code?

    But more important, what can they demand from my webhost?

  • webcraft Member
    edited April 2023

    @AaronFR said:
    Consider the following scenario:
    I run a website and due to sloppy coding my users' IP, real name, address etc. are posted on their profile, open for everyone to see. The DPA sends me a letter giving me a fine and 14 days to fix the issue before I will start receiving additional fines.

    I don't comply.

    What can LEA do? It's still a GDPR issue. Can they use non-GDPR laws to enforce GDPR violations? On what basis other than GDPR can LEA send me a letter and request I fix my code?

    But more important, what can they demand from my webhost?

    Not complying with such an order is another, different offence. For this your host will be asked to disconnect your site. Not your GDPR issue. That's why I said, at this stage your issue doesn't matter; it can be CP, hate or GDPR or whatever.