
> If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.

Server logs are allowed as "technically necessary" as long as you show "good will" (I'd call it that way) in keeping the saved data to a minimum. 14 days of log keeping? Fine, that's cool for technical reasons. 14 weeks of log keeping? That's excessive and could get you in trouble.



Ok, so what's the actual minimum? You've said two weeks here, but where is this actually defined?


It's not defined, because it depends on why you're processing the data.

Different reasons would entail different retention times.


There's no hard limit here provided by the law or otherwise. Some of the local data protection offices say that they find something of "up to 30 days" reasonable, so I guess that's a good starting point. Cutting that time in half will show good faith and you'll still be able to analyze logs, I think.


Ok, 30 days. Do you have a link for that?


Well, you'll for example find the 30 days in this document of the data protection office of Bavaria: https://www.lda.bayern.de/media/muster_1_verein_verzeichnis.... (It's a sample for sport clubs etc.) and it's also what our lawyer has recommended to our company as the upper limit.


With GDPR and personal data, if you can justify your use then it's legit. Working out which justifications are acceptable is left -- at least partly -- as an exercise for the reader ('s legal team).

But we may observe that some practices are easy to justify, while others are more challenging. Some attempts at justification have been rejected, which means that trying to rely on them in the future is a bad plan.

Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.


>Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.

The vague, uncodified "intent" is my biggest problem with GDPR and GDPR-like laws, especially when it comes to small businesses. Even with the best intent, I've seen startups in my community get into "real" trouble trying to comply with mixed results. Not every company can afford to allocate the time/money necessary to comply with sudden deadlines and/or new technical requirements. Not every company can afford to take the risk of "I think this PII is absolutely necessary, but... could I prove it in court? Can I even afford the lawyers to try?" If I didn't read HN, I doubt I'd even know laws like this new French one even existed; I can't afford to dedicate someone to monitor changing laws around the world.

Saying "it's important for businesses to allocate sufficient resources toward researching evolving law in every country they might do business in, and it's okay if businesses fail if they can't afford to do so" is reasonable.

Saying "if you're trying to do the right thing, you'll be fine" is, quite frankly, the complete opposite of the experience I've seen from most well-meaning companies in my sphere trying to accommodate GDPR rules with limited budgets.

Of course, I am located in the US so maybe this is the intended result.


Depends on what the logs contain. If they contain no personal information at all, EU data protection laws do not apply.


IP addresses are considered to be PII so you need to either truncate them before saving or have a deletion routine in place.


IP addresses are PII when they can identify a person, and that's not always the case, e.g. a company network using NAT for outgoing connections so that dozens, if not hundreds of people appear from the same IP address.


How are you supposed/able to make that decision on a log level?


There's no way you can make that decision, which is why the simplest course of action, or the least risky one, is to treat any IP address as if it actually conveyed PII, even 192.168.0.1.
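The two approaches mentioned above (truncating IP addresses before they are written, or deleting entries once a retention window such as the 30 days cited earlier has passed) combined into one routine, applied to every address without trying to judge whether it identifies a person. This is an added example, not code from any commenter; the log lines and the reference date are constructed, and the /24 and /48 truncation widths are an assumption, not something the thread specifies.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.57 - - [01/Mar/2019:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [20/Feb/2019:08:00:00 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/7.64"
192.168.0.1 - - [12/Jan/2019:23:59:59 +0000] "GET /admin HTTP/1.1" 403 64 "-" "python-requests/2.21"
"""

# Constructed "current time" so the retention check is reproducible offline.
NOW = datetime(2019, 3, 10, tzinfo=timezone.utc)

# Client address is the first field; the timestamp sits in the first [...] pair.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>.*?\[(?P<ts>[^\]]+)\].*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def anonymize_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host part: IPv4 keeps /24, IPv6 keeps /48 (assumed widths).
    Applied uniformly, so private addresses like 192.168.0.1 are treated the same."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def anonymize_line(line):
    """Rewrite the client address field; unparseable lines are passed through unchanged."""
    m = LINE_RE.match(line)
    if not m:
        return line
    return anonymize_ip(m.group("ip")) + " " + m.group("rest")

def within_retention(line, now=NOW, max_age_days=30):
    """True if the entry is younger than the retention window (30 days by default)."""
    m = LINE_RE.match(line)
    if not m:
        return False
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return now - ts <= timedelta(days=max_age_days)

def process_log(text, now=NOW, max_age_days=30):
    """Drop expired entries, then anonymize the addresses of the ones that remain."""
    return [anonymize_line(line) for line in text.splitlines()
            if within_retention(line, now, max_age_days)]

if __name__ == "__main__":
    for kept in process_log(SAMPLE_LOG):
        print(kept)
```

Truncation happens at write time, so the retention deletion is a second safeguard rather than the only one; a log rotation job that deletes files older than the window achieves the same effect for whole files.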


This whole set of laws is so absurd. I should have the right to retain my server logs as long as I want. I bet in the future in Europe people will have the right to have others' brains forcibly zapped to remove embarrassing memories.


The whole point is that "your" logs contain personal data about others. That data is theirs not yours. Moreover if you get asked about "your" logs by the US government you have to hand "their" data over to them, for which there is no legal recourse for the person owning the data.

To make this more obvious, the EU is essentially saying that you can create a post service that routes all their letters through the US where they can be opened by the FBI, without any legal recourse.

I'm always amazed how people (even very technical) argue that things are perfectly fine for electronic data when they would completely oppose the same thing for physical things, e.g. letters. I guess years of propaganda have worked.


> That data is theirs not yours.

I fundamentally disagree. You can't come to my house with a red hat then demand I never tell anybody you have a red hat and forget I saw it. That's absurd.


I don't think ownership of a red hat would be considered personally identifiable information under the GDPR.


I should have a right that you should not save my personal information longer than needed. Now what?


No, you shouldn't. If I make an observation, that's my observation, my data. I should have full rights to observations I made myself, regardless of whether it involves you. Europe has this 100% backwards.


What would you think if somebody told you this, after following you or your kids the entire day, while taking pictures and notes?


It would be weird, but sure, no difference. This is what a private investigator already does legally.


Do you think some laws might apply to private investigators and how they do that work?


Not everywhere. It depends on the jurisdiction.


But surely a US private investigator would have to respect French laws when following people in France?

The core of the issue is about fundamentally transnational transactions, and who has jurisdiction in that matter.


You do, but not users' IP addresses.



