For those who have websites, what are you going to do regarding the GDPR?
You have less than 10 days to implement something if you have any European visitors.
This is a European law, right? So if an NZ website stores the details of a European which does not comply with the GDPR, I don't see how the EU can do anything about it.
Although I guess companies that have more significant business with the EU region would want to comply anyway to avoid any hassles.
surfisup1000:
This is a European law, right? So if an NZ website stores the details of a European which does not comply with the GDPR, I don't see how the EU can do anything about it.
But alas, you have to... I am not a lawyer, but yes, if you are dealing with any information regarding EU users like cookies/IP address/email address etc. you have to do something.
If you have AdSense for example you can't show the ads until they consent to the cookies.
Although I guess companies that have more significant business with the EU region would want to comply anyway to avoid any hassles.
I've seen several articles stating that it applies outside the EU but haven't been able to find any further details. If I don't comply with GDPR then what NZ law have I violated? If I haven't violated NZ law then how can I get in trouble for it if my servers and I are in NZ? Can someone clarify?
Edit: The only article I've been able to find so far that addresses the question directly is this one, which states that "in practice EU data protection regulators may find it difficult to enforce their decisions against organisations that do not have assets in the EU". It goes on to say that you're supposed to have a "representative" in an EU country that they can take action against, but again I don't know what would happen if you didn't have this representative.
https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12054476
As it was an EU law, Kiwi businesses didn't necessarily have to pay the fines.
But if a number of New Zealand companies flouted the law, Parry believed, it was possible that the EU could try to shame us.
As I thought, the EU have no jurisdiction to enforce this law in New Zealand.
Although, international law is complex and detailed in various bi-lateral treaties and UN agreements.
I think a foreign government can extradite as long as the foreign crime is also a crime here in New Zealand. And, breaching the GDPR is certainly not a crime here.
Easiest thing to do is probably to block traffic from the EU.
timmmay:
Easiest thing to do is probably to block traffic from the EU.
Nope - you have then monitored IP addresses belonging to European Data residents.
Here is where I get a bit confused / worried.
I run web and mail and other servers.
I keep lists of IP addresses in my logs. This is a natural part of the Linux logs, Apache logs etc.
According to the GDPR, IP addresses constitute identifiable data that comes under their legislation.
I use these IP addresses to ban crackers (authentication logs with so many fails in a period of time or use of invalid login names).
I often report these attempts back to the IP providers / ISPs / mail providers they come from. I have now trafficked data across borders regarding European data residents.
I can't afford a European representative.
I can't afford to piddle around with a lawyer to figure out how this affects me.
I don't care who views my site - I'm not selling stuff, but in order to provide a good service I might use GA or other analytic data to make decision such as putting a caching server / CDN closer to frequent visitors.
I'm small enough that I won't get hit by these laws - but I'm still technically in breach of them as far as I can figure out - all because I have IP addresses in my logs and report dirt bags to their providers.
Hey wait up - I'm not European. How come I should be so worried about a law put out by a country I am not a part of? Maybe NZ could draft a law stating European dirt bags get fined $1000 per breach or 1/5th of what they are worth. After all if their laws apply to us then our laws should apply to them....
Also - if I use a VPN exiting in a European country - doesn't that make me a European resident for legal data purposes?
surfisup1000:
I think a foreign government can extradite as long as the foreign crime is also a crime here in New Zealand. And, breaching the GDPR is certainly not a crime here.
Wait until they are through negotiating the EU FTA.
It's been publicly quoted that the EU will expect compliance with GDPR in any future deals (and that will include NZ).
https://www.ft.com/content/e489abba-0dc5-11e8-8eb7-42f857ea9f09
So you run a small business online in New Zealand?
You are a nobody in the world.
Chances are they won't even waste their time.
But if you want some extra protection, operate through a Ltd company. Which is probably what you should do anyway.
nunz:
Here is where I get a bit confused / worried.
I run web and mail and other servers.
I keep lists of IP addresses in my logs. This is a natural part of the Linux logs, Apache logs etc.
According to the GDPR, IP addresses constitute identifiable data that comes under their legislation.
By my reading of the law, you have a justifiable reason. The question is for how long is it justifiable?
1 week? 1 month? 1 year?
At that point just delete the logs. What point is old log information anyway?
Disclaimer - IANAL.
WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers | ZL2NET
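One practical way to act on the retention advice above (keep full client IPs only as long as you need them to ban and report abusers, then coarsen them, then delete the lines): an added Python example, not code from the thread, run over constructed Apache combined-format log lines with assumed 7-day and 30-day thresholds.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" log format; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:08:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:abcd:1234::9 - - [20/May/2018:11:02:44 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.58"
198.51.100.23 - - [01/Apr/2018:23:59:59 +0000] "GET /admin HTTP/1.1" 404 0 "-" "python-requests/2.18"
"""
# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2018, 5, 21, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>.*?\[(?P<ts>[^\]]+)\].*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def mask_ip(ip_str):
    """Coarsen an address so it no longer singles out one host:
    zero the last octet of IPv4, keep only the /48 of IPv6."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def apply_retention(log_text, now, mask_after_days=7, delete_after_days=30):
    """Return the log lines to keep.
    - younger than mask_after_days: unchanged (full IP still needed to ban/report abusers)
    - between the two thresholds: client IP masked, request data kept for traffic analysis
    - older than delete_after_days: dropped entirely
    """
    kept = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            kept.append(line)  # unparsable line: leave as-is rather than guess at it
            continue
        age = now - datetime.strptime(m.group("ts"), TS_FMT)
        if age > timedelta(days=delete_after_days):
            continue
        if age > timedelta(days=mask_after_days):
            line = f"{mask_ip(m.group('ip'))} {m.group('rest')}"
        kept.append(line)
    return kept

def demo():
    return apply_retention(SAMPLE_LOG, NOW)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it from a nightly cron job against a rotated copy of the log and write the returned lines back; the abuse-banning tooling keeps working on the fresh, unmasked lines only.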
MichaelNZ:
So you run a small business online in New Zealand?
You are a nobody in the world.
Chances are they won't even waste their time.
But if you want some extra protection, operate through a Ltd company. Which is probably what you should do anyway.
And have a clear privacy statement outlining what you collect and why along with an "agree to terms and conditions" tick box. We have reviewed and updated that and checked we are not collecting anything that we don't need to perform the service being offered.
nutbugs:
And have a clear privacy statement outlining what you collect and why along with an "agree to terms and conditions" tick box. We have reviewed and updated that and checked we are not collecting anything that we don't need to perform the service being offered.
Which is pretty much what I have done. I already had a privacy statement to comply with the Privacy Act and merchant (Visa/Mastercard) requirements.
A good GDPR chart here.
freitasm: A good GDPR chart here.
nunz: Nope - you have then monitored IP addresses belonging to European Data residents.
[...]
According to the GDPR, IP addresses constitute identifiable data that comes under their legislation.
This is bizarre. First of all, don't the IP addresses belong to the ISPs (or maybe the registrars; I'm not exactly sure)? Are companies considered to be "residents"?
And even then, in this age of CG-NAT, an IP address can't even identify a city let alone an individual. My connection has a static IP, but again it could identify anyone in my household and not me specifically.
It seems that once again we're dealing with politicians that don't understand technology...