GDPR - interesting times ahead for conducting business on the internet

GDPR - General Data Protection Regulation. An EU thingy coming into force in May - and if I'm not mistaken, it's to be enshrined in UK law post-Brexit.

I've not read the whole thing, or even much of it. I'd hate to have to! My impression, though, is that hidden in all the dry, dusty legalese lies greatly improved privacy protection for those who conduct any sort of commerce on the internet.

This has to be a good thing. IMHO, a lot of big companies have pretty much abused users by slurping their data up, presumably largely in order to sell it on to advertisers and the like.

Perhaps a couple of our posters who're good at this sort of thing might like to comment. @bankhaunter and @richardmsstuff are two that come to mind, if they could bear to add their remarks. Apologies to those extra-eBay experts I've overlooked - it'd be great to hear from everyone.

One of the most interesting aspects of the GDPR is that from May (I think) onwards, people will have to actively opt-in to sharing any data with companies. To the best of my knowledge, this will be retrospective, and I'd be surprised if users can't change their mind as desired in future.

Pre-ticked opt-ins will, presumably, no longer be allowed.

More interestingly, no company will be allowed to withhold its services to anyone unwilling to share any data beyond that needed for the site to perform its function.

Doubtless, behemoths like Facebook, Google, eBay and PayPal will have the whole thing in hand, supported by their considerable legal teams. Their sheer size, of course, makes them particularly vulnerable to being monitored by the powers-that-be, and to finding themselves subject to the results of users advising the powers-that-be of perceived infractions. It'll be interesting to see how that works out - at the very least, hopefully no more rubbish along the lines of "By using this site, you agree to...blah blah."

It's the smaller businesses that I feel sorry for. Compliance with this sort of complexity will be challenging.

It also raises all sorts of questions - doubtless easily answered by those who actually fully understand things like Data Controllers, Data Processors and the like. For instance, if a courier demands a telephone number before delivering an item to someone (a pet hate), who is responsible for making sure that all traces of that number vanish once the delivery has been made successfully? Data's only meant to be retained for as long as it is needed for a valid function to be performed - I think.

The delivery man has the number. The courier firm has the number. The person selling the item has the number. The site he sold it on has the number. And so on and so forth. Who, exactly, is at risk should any complaint arise?

All very challenging, and it's going to be interesting to see what happens on eBay. And Facebook. And so on.

The usual link to el Reg:

https://www.theregister.co.uk/2018/01/24/ukgov_survey_shows_smes_still_unaware_of_gdpr/ - the user comments are well worth a read.

One of them links to this "simple" guide. It's pretty good, but makes me shudder to think what the whole GDPR is like to wade through:

http://www.sqlservercentral.com/articles/GDPR/165180/

It would be interesting to hear how folk here think the GDPR is likely to affect us as users of internet sites, and how it's likely to affect the sites themselves.

Message 1 of 6

@otherego wrote:

...

It's the smaller businesses that I feel sorry for. Compliance with this sort of complexity will be challenging.

...


I confess I'm not up to speed on GDPR. It's a lot more complex than its predecessor, the Data Protection Act (DPA). The question of Compliance in general is an interesting one. Big companies like ebay have to pay a lot of attention to regulatory compliance and in multiple jurisdictions. Covering more than just data protection, it's a huge task, so they often have entire departments dedicated to education, advising, auditing, and intervening.

 

A small business selling on ebay just can't match that. It's pretty clear that typical small ebay sellers operate mostly in complete ignorance of the laws and regulations that they're subject to. So long as they trade fairly and honestly, applying common sense and "doing the right thing" they are probably OK. Whether they know it or not, ebay is handling most of the compliance for them - while ensuring the fees cover the cost. Problems arise when sellers get greedy, vengeful, or become that sort of seller that sees themselves as fighting some sort of war against their customers and ebay. At that point, they rapidly become non-compliant with ebay rules and all kinds of laws.

 

But then there's a problem of enforcement. The UK has lots of laws and ebay has lots of rules, but legislators and rule makers don't really invest much in monitoring and enforcement. Indeed, when money is tight it's an area which is among the first to be cut. You can see this happening, when people ask "why doesn't ebay police the site?" The answer is that ebay mainly leaves that to others - who also don't do it.

 

So, back to GDPR. If it's 10 times (say) more complex than the DPA then Compliance is going to cost 10 times as much. Clearly a small ebay seller isn't suddenly going to start spending money on GDPR compliance (except maybe what's taken from them in ebay fees). But what I would recommend is taking a look at the 6 basic principles of GDPR and thinking about whether what you do is in the spirit thereof - from a common sense point of view.

 

In a way, this is about risk management -as so many things are. Eliminating the risk of non-compliance is a large, complex, and expensive task. Therefore it's better to reduce the risk as far as is practicable.

 

Anyone lacking in common sense is stuffed (but probably not for the first time).

―――――――――――
I should of used a verb
Message 2 of 6

What you say about common sense makes an awful lot of *ahem* sense.

 

As more and more everyday activity moves online, I suppose we're going to see bigger and bigger problems for those (like me) who have "tinfoil hat tendencies." I absolutely loathe my privacy being infringed in any way, and really don't trust any online entity - especially large and powerful ones - to resist the temptation to grab as much of my data as they can possibly get away with.

 

Part of the problem is probably going to be balancing "security" against "privacy." I've pretty much decided that, for me, privacy trumps security.

 

If, like some friends and relatives, I enjoyed an international lifestyle, I might have to rethink this. As it is, I'd rather walk to the bank and talk to somebody than engage in online banking. I really resent giving eBay or PayPal any information at all. Oh, sure - one can check their terms and conditions and so on - but these are subject to change, and the deal seems to be that, "If you don't like the changes, feel free to close your account."

 

Hopefully, the GDPR and its eventual UK equivalent might - to some extent - put the brakes on this sort of thing.

 

That doesn't really get around the security problem.

 

If vendors were allowed to use more detailed information about their buyers to verify that the buyers really are who they say they are, and where they say they are, then - yes, security is enhanced.

 

Privacy isn't.

 

I suspect I'd stop using eBay/Amazon etc before giving them even more data than they have now. Copies of identity documents? Mobile telephone numbers? Just - no.

 

Most people wouldn't see a problem, of course, having become so de-conditioned to the whole privacy thing. (Facebook, anyone?)

 

This again makes legislation like the GDPR a Good Thing, protecting people from themselves - privacy-wise. It might make improving security against cyber-muggings more difficult, though.

 

*Sigh*

 

Imagine if one had to visit a lawyer in order for him/her to certify to the site you're applying to that you're actually you - in order to avoid giving that site any identifying information. Perhaps the answer is for sites to offer that as an option for those who really care - I honestly don't know.

 

In the meantime, though, I'd go with your suggestion that common-sense goes a long way - and hope that those who want "improved verification of users" etc will actually think the implications of such policies through.

 

In the meantime - I do hope that GDPR and its UK equivalent legislation go at least some way to keeping the giants honest, without dropping the "little guys" into too much hot water.

Message 3 of 6

Is eBay GDPR compliant? I can't find anything on eBay, although customer service said they are but were not able to give any info to reassure me that eBay is.

Message 4 of 6

As far as I can see, eBay is not yet compliant - e.g. their site registration still assumes that by signing up you're happy to opt in to marketing from eBay (the wording on their registration page is as follows: 'By selecting Register, I agree I've read and accept the eBay User Agreement, am at least 18 years old, plus I agree to the processing of my data and to receiving marketing communications (including emails and texts) from the eBay Inc. corporate family. You may change your preferences at any time in your preference centre.'). Also, the privacy policy currently live on their site appears to have been last updated in 2015.

 

However, they don't have to be compliant till 25 May 2018, and as a behemoth organisation, they probably have big teams working on compliance with GDPR by the deadline. There's an awful lot to GDPR beyond what will ever be obvious to your average consumer (eg how they store data, records they keep, their security systems etc etc).

 

As others have suggested, it is indeed a big deal for smaller businesses - but an important step in terms of data protection.

Message 6 of 6