GDPR and Logos

I don't see, haven't seen, any information about the European General Data Protection Regulation ('GDPR') which comes into law tomorrow, Friday, on the Logos website or emails nor any (now required) email confirming explict opt-in coming from Logos.

It does not matter that Logos is an American company, they are selling services to EEA residents therefore they are bound by the personal data regulations of the GDPR — which are pretty substantial, as are the fines, up to 20 million Euros.

Also statements on the privacy page

https://www.logos.com/privacy

such as:

"At times Faithlife may make certain personal information available to strategic partners."

"By using our site, you consent to our online privacy policy."

will not, as I understand, cut it with the EU commission and the GDPR.

One of the foundational principles of the GDPR is that data subjects (natural persons) have (sole) ownership of their personal data — forever. That ownership remains inviolate, and companies, including non EU (i.e. American) companies, cannot attempt to 'contract out' data subjects from their right (of ownership).

So if I say that I do not agree (and I don't) that "Faithlife may make certain personal information [of mine] available to strategic partners" — then they may not do so.

I would be interested to hear comments from Logos.

==================

For those interested (for your interest, separate to my query to Logos above), two good information websites about the GDPR:

'GDPR in Plain English' (easy reading)

https://blog.varonis.com/gdpr-requirements-list-in-plain-english/

Good Detailed Information Site

https://www.i-scoop.eu/gdpr/

Find more posts tagged with

Comments

Robert M. Warren

So there.

Bob Pritchett

We are actively working on GDPR issues, and have engaged external advisers with even more expertise. We'll have updates soon.

Kevin A Lewis

https://community.logos.com/discussion/comment/980036#Comment_980036

Good to hear - for the sake of the company - there are some 'very' heavy fines for infractions. I will say that the regulations come into force today (25 May 2018).

Shalom

Paul Caneparo

https://community.logos.com/discussion/comment/980055#Comment_980055

Good to hear - for the sake of the company - there are some 'very' heavy fines for infractions. I will say that the regulations come into force today (25 May 2018).

Shalom

My understanding is that during the first 12 months no one will be fined - and that in a year's time enforcement by penalties will come into force. However during the next 12 months companies must be making every effort to comply.

Whyndell Grizzard

https://community.logos.com/discussion/comment/980056#Comment_980056

Sounds like a law we need here, but stricter. Love to see FB, Google and others like them just go bye, bye.

David Staveley

https://community.logos.com/discussion/comment/980036#Comment_980036

We are actively working on GDPR issues, and have engaged external advisers with even more expertise. We'll have updates soon.

What is clear from experts in Data Protection legislation in the EU, is that the permissions people have given to websites etc under the old legislation carries over into the new legislation. For example, according to the Information Commissioner (who is the watchdog for the UK's Data Protection Act), the flurry of emails we have all experienced recently asking for us to reconfirm our permissions for various websites (I am from the UK) are completely unnecessary, and in some cases illegal.

You can read all about it here:

[url=https://tinyurl.com/yb3ykoog]Read Here[/url]

Dustin Pearson

https://community.logos.com/discussion/comment/980056#Comment_980056

Good to hear - for the sake of the company - there are some 'very' heavy fines for infractions. I will say that the regulations come into force today (25 May 2018).

Shalom

My understanding is that during the first 12 months no one will be fined - and that in a year's time enforcement by penalties will come into force. However during the next 12 months companies must be making every effort to comply.

From Friday, European data regulators can impose fines of up to 4% of global annual sales each time the companies run afoul of the new law.

"There is no grace period," James Dipple-Johnstone, the deputy commissioner of the UK's data protection authority. "We will be looking at the algorithms they use to profit off data to make sure they are fair," he added.

http://money.cnn.com/2018/05/25/technology/gdpr-compliance-facebook-google/index.html

Jan Krohn

https://community.logos.com/discussion/comment/980074#Comment_980074

From Friday, European data regulators can impose fines of up to 4% of global annual sales each time the companies run afoul of the new law.

"There is no grace period," James Dipple-Johnstone, the deputy commissioner of the UK's data protection authority. "We will be looking at the algorithms they use to profit off data to make sure they are fair," he added.

I'd like to see them trying to enforce the fine onto a US based business with no EU presence at all. [:D]

JohnB

https://community.logos.com/discussion/comment/980076#Comment_980076

Don't bet your socks on that. Or anything for that matter.

Errr Facebook would seem to fit into your category yet their boss agreed to be hauled over the coals by the European Commision in person the other week. History tells us that every world power fades away after a time and the USA is not immune from that. neither is the EU come to that. The UK certainly was not immune although many of us in the UK seemed not to have noticed it yet! History also demonstrates the futility of fortune telling by any of us mere humans!

Francis

https://community.logos.com/discussion/comment/980092#Comment_980092

It is about time that such measures are implemented although they still lack what would really make them effective: cracking down against "forced consent". The idea of forced consent is that users are in effect coerced to agree to give up personal information in order to use a service although usage does not require such information. A good example of that is how many websites force users to accept cookies. There is no real yes or no choice given. Cookies are often just stated with the option to close the dialog (which is tantamount to saying that since you read it, you agree that to continue on the site you allow the cookie) or one single button that says you accept.

Services like to play on words by claiming that you do not have to accept but these are the terms for using the service. This obviously is problematic when (1) Services have a broader societal impact and have become "standard" (Facebook to sign on many websites, Linkedin, Google account, etc). In the professional world today, it is expected that you will be well connected or it will be a disadvantage; (2) Since nearly everybody does it, "refusing" is not just a matter of doing without one or two services. A systematic refusal of cookies and forced consents would essentially cripple one's ability to use many of the Internet most useful services. Companies are taking advantage of this to force people to give up information they don't really want to give. It has some analogy to professional environments that put pressure on women to "be nice" to the bosses to get advancement. They don't have to (and should not!) but if enough companies do this, the line "you don't have to work here if this does not work for you" is still abusive.

To return to privacy consent, marketers exploit this widespread situation heavily. "Default" opting in falls in that category and the disclaimer that one can turn it off if they don't want to falls within this area of legal but questionable ethics. I hope that further legislation will stop the madness. Let US websites lose business by continuing not to comply to the new regulations until the US has the guts to show that money is not all that counts. Faithlife also has opportunity to demonstrate a high commitment to ethical business by learning from these regulations and the legitimate concerns they bring out. This means, among other things, moderating marketing pushiness in order to opt for the ethical high ground. Does not seem like it should be very controversial as a question of Christian praxis.

Robert M. Warren

https://community.logos.com/discussion/comment/980158#Comment_980158

♫ And lawyers think to themselves, "What a wonderful world." ♫

scooter

https://community.logos.com/discussion/comment/980158#Comment_980158

Faithlife also has opportunity to demonstrate a high commitment to ethical business by learning from these regulations and the legitimate concerns they bring out. This means, among other things, moderating marketing pushiness in order to opt for the ethical high ground

I believe I had toset my rig so FL does not collect data on what I do with my resources. It seems to me I did this several years ago. [I cannot remember how I did this.]

It is my opinion that I never should have had to change the setting to ''no,'' as FL should have never auto-set the toggle to ''yes'' in the first place.

DMB

https://community.logos.com/discussion/comment/980158#Comment_980158

... The idea of forced consent is that users are in effect coerced to agree to give up personal information in order to use a service although usage does not require such information. A good example of that is how many websites force users to accept cookies. ...

I'm surprised a large paper I read periodically asked me to stop refusing adverts ... their bread and butter. My refusal isn't the adverts .... it's the tracking. It's like they demand to sit in my kitchen and take notes as I read their paper. Or else. I'm even happy to subscribe. Just stop the monitoring.

scooter, I'll admit maybe I'm being unfair to Logos. But their corporate personality never seemed to involve customer respect. I very much doubt you're not being watched .. resources, notes, etc. And not implying nefarious. They just view your data as their data ... simple. I also assume google's embedded. Don't know.

Off-line, copy from an active version is clean.

Don Awalt

https://community.logos.com/discussion/comment/980175#Comment_980175

Personal information - prayer lists, notes, clippings, sermons, reading lists, probably history too - are kept on servers, which makes sense as it is a cloud/distributed platform.

But in addition, despite pleading in the past on these forums, this data is NOT encrypted in the cloud. Most don't seem to care about that. I do, which is why any personal note taking and prayer lists are no longer used or kept in Logos.

JohnB

https://community.logos.com/discussion/comment/980212#Comment_980212

which is why any personal note taking and prayer lists are no longer used or kept in Logos

That I can appreciate if it involves other people. I personally have nothing i would be concerned about others knowing kept on Logos, But I would not put other peoples information or my personal details which could be used for identity theft on any servers of any organisation whether encrypted or not. As a general rule, for example, I use my correct date of birth with banks and a false on for all other organisations including email providers. I doubt if Logos really needs my correct date of birth as long as they have a consistent one (so I can only get one present a year!)!

JohnB

https://community.logos.com/discussion/comment/980076#Comment_980076

I'd like to see them trying to enforce the fine onto a US based business with no EU presence at all.

A number of USA newspapers (LA Times, Chicago and others) have currently closed access to their web sites from EU countries while they figure out a way to protect themselves against running foul of the regulations. Formal complaints have already been laid against Google, Facebook, Instagram and Whats App .

Well, before Logos close access to their sites to us EU users perhaps we should wish you outside the EU goodbye!

Hopefully that was an ironic joke of mine in poor taste but who knows. Logos have my best wishes on trying to navigate through it.

Patrick S.

We are actively working on GDPR issues, and have engaged external advisers with even more expertise. We'll have updates soon.

That is good to hear, however you need to get the external advisers to move faster as the GDPR is now law and FL is definitely not in compliance - and has to be, American company or not.

What is clear from experts in Data Protection legislation in the EU, is that the permissions people have given to websites etc under the old legislation carries over into the new legislation.

Except in almost all cases there was no real permission, if someone is holding a gun to your head saying "you agree, don't you" and you 'agree' then it's not really consent freely given.

I'd like to see them trying to enforce the fine onto a US based business with no EU presence at all.

Don't look now... but 'they' will. And don't think the American government is going to 'protect' any US businesses. It's a thing called international treaties - which even the USA has signed up to and has to follow.

♫ And lawyers think to themselves, "What a wonderful world." ♫

Mmmm, actually in this case it's more the case that people (or, to use the technical term, data subjects) are singing because large corporations who have abused peoples' rights will no longer be able to do it and get away with it. And that's something to sing about.

===========================

The first complaints - from a major privacy NGO, the lawyer who was instrumental in getting the US 'Safe Harbour' agreement scuttled - were submitted on the day the GDPR went into force.

https://techcrunch.com/2018/05/25/facebook-google-face-first-gdpr-complaints-over-forced-consent/

The complaints were submitted against Google, Facebook, Instagram & Facebook.

https://noyb.eu

the total maximum penalties being 7.6 Billion Euro (Mrd is European for Billion).

And as an example of (sorry again American) how some companies have been ‘making hay’ with individuals personal data monetising ( i.e. ‘appropriating’) it with ‘strategic partners’, go to the TechCrunch site (link above) from and EU located computer and click through their full screen permissions popup. They sell your personal data to around 60 companies. They use to do so with impunity, but no longer.

DMB

Also statements on the privacy page

https://www.logos.com/privacy

such as:

"At times Faithlife may make certain personal information available to strategic partners."

Probably who got prayed for (but not why, of course; competitive information). Kind of like publishing sermon editor.

Jan Krohn

https://community.logos.com/discussion/comment/980322#Comment_980322

That is good to hear, however you need to get the external advisers to move faster as the GDPR is now law and FL is definitely not in compliance - and has to be, American company or not.

All right, suppose China issues a new privacy law that all personally identifiable information by Chinese users has to be submitted to the Chinese government, by all businesses worldwide. Would it apply to US businesses? Yes, of course it would. Would it be enforceable? No...

Except in almost all cases there was no real permission, if someone is holding a gun to your head saying "you agree, don't you" and you 'agree' then it's not really consent freely given.

Just except that no-one was holding a gun. If a user didn't want to submit their information to Google, they had every option not to use Google, but alternative services such as DuckGoGo, or keep the browser's privacy mode switched on by default.

Don't look now... but 'they' will. And don't think the American government is going to 'protect' any US businesses. It's a thing called international treaties - which even the USA has signed up to and has to follow.

Please name the treaty that forces US businesses to comply with GDPR.

Mmmm, actually in this case it's more the case that people (or, to use the technical term, data subjects) are singing because large corporations who have abused peoples' rights will no longer be able to do it and get away with it. And that's something to sing about.

GDPR is silly. It's not restricted to businesses at all. It's far too broad and far too strict.

Is your church GDPR-compliant? Yes, it has to be!! It collects and processes personally identifiable information.

JohnB

https://community.logos.com/discussion/comment/980336#Comment_980336

Just except that no-one was holding a gun. If a user didn't want to submit their information to Google, they had every option not to use Google, but alternative services such as DuckGoGo, or keep the browser's privacy mode switched on by default.

Whether you like it or not, it is considered to be not a free choice.

GDPR is silly. It's not restricted to businesses at all. It's far too broad and far too strict.

It may be silly but that is also immaterial.

Is your church GDPR-compliant? Yes, it has to be!! It collects and processes personally identifiable information.

Not sure what you mean. Our churches in the EU, SHOULD be, MUST be compliant, but sadly I suspect that most are not - yet!

If Google, and Facebook etc want to operate in Europe in the future they will need to comply or pay a fine or persuade the EU to change the law or the interpretation of it. Now that is holding a gun to several heads!!

32 years of enforcing certain unpopular laws on part of our population taught me that you either follow the law or get it changed. Winging or grumbling about it only raises one's own blood pressure and achieves nothing except a possible early death.

Jan Krohn

https://community.logos.com/discussion/comment/980337#Comment_980337

Whether you like it or not, it is considered to be not a free choice.

How would you use Facebook for example, without providing them any personally identifiable data (be it real or fake data)? It's logically not possible. It's like wanting to eat a big mac without consenting to gaining weight.

Not sure what you mean. Our churches in the EU, SHOULD be, MUST be compliant, but sadly I suspect that most are not - yet!

I'm convinced that 9 out of 10 pastors in the EU, if they know about the GDPR at all, have no idea their church needs to be compliant.

Are you aware that once you accept a business card, you as an individual have to be GDPR compliant, if you take that law literally? If you accept a business card, you collect and process personally identifiable data.

(No-one will realistically do that of course, and hand the business partner a printed privacy policy in return for the business card, but those are the cases which cause me to say that the GDPR is silly.)

Robert M. Warren

https://community.logos.com/discussion/comment/980322#Comment_980322

♫ And lawyers think to themselves, "What a wonderful world." ♫

Lawyers (either legislators, their staff, or bureaucrats) write legislation/regulations.
Legislation gets passed; usually by lawyers.
Lawyers (maybe some of the same ones through the revolving door) advise businesses, initially on compliance, then on finding the loopholes so they can transact their business.
Lawyers write amended legislation to close the loopholes.
Rinse
Lather
Repeat

The only thing that really changes in the long run is the cost of doing business.

JohnB

https://community.logos.com/discussion/comment/980344#Comment_980344

How would you use Facebook for example, without providing them any personally identifiable data (be it real or fake data)? It's logically not possible. It's like wanting to eat a big mac without consenting to gaining weight.

Agreed but who ever claimed that the law is never an ass. Personally I could not care less if FB went belly up especially as they had a could not care less attitude about the data that they did keep hence their grovelling apology before the EU Commission. .

I'm convinced that 9 out of 10 pastors in the EU, if they know about the GDPR at all, have no idea their church needs to be compliant. Agreed, but probably more like 99 out of 100!! After chatting to a solicitor colleague at her office, a paralegal friend in my church has exited from the church Whats App group concerned that fall out from that could effects her job in the law department of a local authority.

Are you aware that once you accept a business card, you as an individual have to be GDPR compliant, if you take that law literally? If you accept a business card, you collect and process personally identifiable data.

No that is not correct. It is not quite that intrusive! GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. This means that I wouldn’t be subject to the Regulation although I keep personal contacts’ information on my computer or if I had CCTV cameras on my house to deter intruders on my property. To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity. I am retired and not engaged in economic enterprise.

Jordan Litchfield

https://community.logos.com/discussion/comment/980354#Comment_980354

I'm convinced that 9 out of 10 pastors in the EU, if they know about the GDPR at all, have no idea their church needs to be compliant.
Agreed, but probably more like 99 out of 100!!

I am a minister in the Methodist Church in Ireland, and I know that at least the Church of Ireland (Anglican) and our own denomination have taken this seriously. I don't think the numbers are anywhere near as bad as you make it. However, I do suspect that most independent churches will be oblivious or indifferent to the requirements on them from GDPR.

Graham Criddle

https://community.logos.com/discussion/comment/980366#Comment_980366

I'm convinced that 9 out of 10 pastors in the EU, if they know about the GDPR at all, have no idea their church needs to be compliant.
Agreed, but probably more like 99 out of 100!!

I am a minister in the Methodist Church in Ireland, and I know that at least the Church of Ireland (Anglican) and our own denomination have taken this seriously. I don't think the numbers are anywhere near as bad as you make it

I was thinking something similar - and wondering how it varies across the EU

As a Baptist minister in England, this has been something under consideration for the last nine months or so - with our Union providing guidance, training and template documents. I have been involved in some quite detailed discussions with other Baptist ministers about some of its implications as well as part of a team drafting policies etc for my own church.

Talking with ministers from other denominations I get the sense that similar things are happening there.

There is, clearly, a step (or two) from awareness to compliance but that's another story!

Jan Krohn

https://community.logos.com/discussion/comment/980354#Comment_980354

Are you aware that once you accept a business card, you as an individual have to be GDPR compliant, if you take that law literally? If you accept a business card, you collect and process personally identifiable data.
No that is not correct. It is not quite that intrusive! GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. This means that I wouldn’t be subject to the Regulation although I keep personal contacts’ information on my computer or if I had CCTV cameras on my house to deter intruders on my property. To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity. I am retired and not engaged in economic enterprise.

That's only the definition of "enterprise" in the GDPR. It doesn't say at all that the GDPR is restricted to enterprises. Some of the articles apply only to enterprises, or are stricter for enterprises.

As for individuals, the are exempt from the GDPR only in association with purely personal and household activity (Article 2.2.a). https://gdpr-info.eu/art-2-gdpr/

I'm not a lawyer, but I'd had a hard time arguing that for example church activities (by an individual) would not be covered under the GDPR. Although those are personal activities, I don't see how they are purely personal activities, as they're also church activities.

Again, I don't think anyone would be seriously bothered by a church member who for example stores the contact details of members of their home group on their phone, or even sue or fine them for doing so, but just the fact that such cases are not clearly excluded makes the GDPR silly.