EU General Data Protection Regulation (GDPR)

Here are a few things to get you started with European Union General Data Protection Regulation (GDPR).  First is a little introduction:

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter in force 20 days after its publication in the EU Official Journal and will be directly application in all members states two years after this date. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance will face heavy fines.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

And now a few key points from the Frequently Asked Questions page:

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Interesting, right? Have a nice day now.

Is VPN Legal in Your Country?

TheBestVPN.com published a study of whether or not VPNs are legal in 196 countries around the world.  There is a summary for each, and some links to details of the research.

VPNs are legal, generally.

It depends largely on the country you’re physically sitting in while using a VPN. But even then, their laws and restrictions are often opaque.  What’s legal vs. illegal is not always clear.  Some activities, while frowned upon, are still shrouded in grey area.  In this research we fact-checked 196 countries laws and their opinions on VPNs.

VPNs are illegal in: China, Turkey, Iraq, United Arab Emirates, Belarus, Oman.

VPNs are some-what illegal in: Iran, North-Korea, Turkmenistan.

P.S.: If you can’t access the links above, VPN is probably illegal (or at least blocked) in your country or region.

Open Source Lawyer as a Career

OpenSource.com runs this article on “What to know before jumping into a career as an open source lawyer“.  Whether or not you are planning to take that path, the article has a few interesting links and quotes.

Recently, at work, we’ve been trying to get a hold of a lawyer with Open Source experience.  Just for the consultation or two.  I wasn’t very optimistic about it, as I had a feeling those are rare beasts.  My suspicion was confirmed to a degree.  But this article reaffirms it even further:

Only a few dozen new grads a year are hired to do anything even vaguely involving open source. Only a few dozen lawyers in the entire world dedicate more than a quarter of their time to open source. Only a lucky handful, like those at Software Freedom Law Center (SFLC) and Software Freedom Conservancy (SFC), work primarily directly for communities and volunteer developers.

The article also links to a couple of books on the subject, which I’m pretty sure I’ll need to buy and read soon, unless we find somebody who is actually a lawyer and has done some work in Open Source space.

The first one is “The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople“.

The Tech Contracts Handbook is a practical, user-friendly reference manual and training guide on cloud computing agreements, software licenses, and other IT contracts. It’s a clause-by-clause “how to” resource, covering the issues at stake and offering negotiation tips and sample contract language.

The Handbook is for both lawyers and businesspeople — including contract managers, procurement officers, in-house and outside counsel, salespeople, and anyone else responsible for getting IT deals done. Perhaps, most important, it uses clear, simple English, like a good contract.

Topics covered include:

  • Software-as-a-service (SaaS) subscriptions
  • Warranties and service level agreements (SLA’s)
  • Data security and privacy
  • Indemnities
  • Disaster recovery (DR)
  • Non-competes
  • Limitations of liability
  • Clickwraps
  • Open source software
  • Nondisclosure agreements (NDA’s) and confidentiality
  • Technology escrow
  • Copyright and other intellectual property (IP) licensing
  • Internet and e-commerce contracts
  • And much more …

The second one is “A Primer on Intellectual Property Licensing“.

A PRIMER ON INTELLECTUAL PROPERTY LICENSING (Second Edition) is a compact, practical guide to one of the most dynamic and popular areas of legal practice today-intellectual property licensing. Developed by an attorney in private practice who specializes in Silicon Valley technology licensing, this guide presents the basic rules of law you need to know for a licensing practice, along with helpful examples of contractual language, practice tips, and insights on custom and practice in the industry. This textbook is appropriate for a law school or business school seminar, or for practicing attorneys who wish to expand their practice into this exciting field. Individual chapters from this text are also available for seminars and CLE presentations (in electronic format).

GPL defense issues

A friend sent me a link to this email from Linus Torvalds to the Kernel Summit Discussion mailing list.  The subject of the conversation is the General Public License (GPL) and whether or not it should be enforced in courts.  Read the whole thing – it’s quite interesting.  Here are a few snippets just to get you started:

Let’s be clear about this: lawsuits destroy. They don’t “protect”.

Lawsuits destroy community. They destroy trust. They would destroy all the goodwill we’ve built up over the years by being nice.

And then this:

Because lawsuits – and even threats of lawsuits – makes companies way less likely to see you as a good guy. Even when you’re threatening
somebody else, everybody else around the target starts getting really
really antsy.

I talked to an Oracle lawyer a few months ago, and told him their
lawsuit just makes Oracle look bad. The lawyer was dismissive, and
tried to explain how it’s silly how people take lawsuits personally,
and talked about how layers _understand_ that lawsuits aren’t
personal, and that they are still friends outside the court.

I’m sure a lawyer can “understand” how lawsuits aren’t actually
something personal at all, but lawyers really seem to be the *only*
people who “understand” that.

The fact is, lawsuits (and threats of lawsuits) do not make for
friends. You just look like a bully.

GPL : Matt Mullenweg and Automattic vs. Wix

The General Public License (GPL) has been the source of many discussions since it was created in 1989 (with a few versions in following years) and applied to numerous Open Source Software projects.

Currently, there is one more such discussion going on.  It was kicked off by Matt Mullenweg, the founder and CEO of Automattic, the company behind WordPress:

Anyone who knows me knows that I like to try new things — phones, gadgets, apps. Last week I downloaded the new Wix (closed, proprietary, non-open-sourced, non-GPL) mobile app. I’m always interested to see how others tackle the challenge of building and editing websites from a mobile device.

I started playing around with the editor, and felt… déjà vu. It was familiar. Like I had used it before.

Turns out I had. Because it’s WordPress.

He proceeds with the open letter to Wix:

Dear Wix,

This explicitly contravenes the GPL, which requires attribution and a corresponding GPL license on whatever you release publicly built on top of GPL code. The GPL is what has allowed WordPress to flourish, and that let us create this code. Your app’s editor is built with stolen code, so your whole app is now in violation of the license.

What does Matt want Wix to do?  Very simple:

Release your app under the GPL, and put the source code for your app up on GitHub so that we can all build on it, improve it, and learn from it.

Did Wix respond?  Yes, they did.  First, one of their lead engineers, Tal Kol, wrote this blog post.  I think it’s quite sensible and boils down to a misunderstanding.  Or so I read it:

I apologize if I appeared to take credit for somebody else’s work. This was definitely not my intention. I think you guys are doing a great job.

Second one though is a bit less so, written by Wix CEO Avishai Abrahami.  While trying to appear friendly and casual, it does dodge the whole issue of the GPL violation, misrepresents the facts on the branding, and ends with an awkward invitation for a coffee.  WP Garage has a good summary of why this response is weak.

Here are a few more resources with commentary that help to understand the issue:

Personally, I am a big fan of GPL, Automattic, WordPress and Matt Mullenweg, who I had the opportunity to meet and talk to back a few years ago.  But as a CTO of a startup (and not for the first time), I have to admit that Open Source Software is difficult when it comes to business.  It requires a huge effort to make a company understand what Open Source Software is, what are the intricacies of the major licenses, and what are the consequences of using Open Source Software for different kinds of projects (internal tools, client projects, company products and services, etc).

Here are the important points that I want to highlight in regards to this conversion:

  • If you are using Open Source Software, make sure you understand the licensing and the culture behind it.
  • If you made a mistake, admit to it and figure out a way to resolve it.  Dodging or finger-pointing is not a resolve.
  • Legal action is not the only option.  Often, it is not even the most preferable.
  • Be nice to people. :)

I’d like to finish with this tweet, which I think highlights the most important point.

P.S.: Some people say that GPL has not been enforced in courts.  This page lists a few cases in several countries, which provide examples of the contrary.

How Google Uses and Contributes to Open Source

Here is a good Open Source story – “How Google Uses and Contributes to Open Source“, which goes into some detail and history of how Google is working with Open Source community.

I’ve seen this before:

“There are companies and people who just take the software and say, “I didn’t have to pay for it. I can do anything I want. The license file is a big blob of text. I’m not going to read that,” Merlin said.

And I’ve this (quite a few times actually):

Back in its early days, around 1998, Google was a small company. It was using open source just like any other small company. While Google was abiding by licences, they were not giving back much due to several reasons. “Some of it was just run fast and make sure that we have money next month to pay everyone’s salary,” said Merlin.

Having been involved in open sourcing companies’ projects new and old, this is what I firmly believe now is the best strategy:

Go open source from the beginning

Google changed that by writing a lot of things from the ground up as open source or to be open source ready. That was a good lesson that they learned, and that’s a problem many companies face when they want to open source their stuff but can’t because the code was not designed to be open source from the beginning.

This, I think, is an interesting approach too (if  you are too small of a company to have research papers and algorithms, consider blog posts, tips and tweaks, case studies, and the like):

Even if Google can’t open source certain code, they found a way to bring that work to the public. “We wrote papers talking about the magic algorithm that we used. We can’t give you the code for the reason I just explained, but we’re giving you the way they work so you can rewrite them,” said Merlin. Google has published hundreds of such papers and people are using it to create projects based on those ideas.

This bit on Android is mind blowing:

Now virtually all of Google’s open source code is on GitHub, except for Android. “The Android distribution is so big and it gets released in big chunks. So, when it gets released, everyone wants to sync that,” Merlin said. “It’s so huge that if we put it on GitHub, it would completely kill GitHub. We use our own mirrors for that, to help out.”

A word of caution for the companies using Open Source software:

Companies have to be extremely careful when using open source. Different projects use different licenses, and you need to be in compliance with them.

[…]

Things become complicated when you have projects that you ship. In the case of open source, you need to list the projects that you use and their licenses. In the case of BSD and MIT, you need to list the name and the copyright of the person you got that project from.

You’ll probably need a set of tools to deal with issues like this.  For PHP-based projects, composer is indispensable.  You can run “composer licenses” command and instantly get information about the project’s license, as well as licenses for each and every dependency in use (thanks to this blog post).

There is a good section on Contributor License Agreements (CLAs).  I am slightly familiar with the subject (I signed a few myself), but my experience is limited, especially from the company perspective.  I found this part useful, for that distant time when I’ll need to set it up:

Google uses the Apache foundation ICLA, without modifying it or putting anything special in it. CLAs ensure that companies like Google “can re-license your code under a different open source (license) if we need to. Sometimes we need to merge with other projects and that’s what the CLA allows us to do,” said Merlin.

These are just bits and pieces which I found interesting.  I wish more companies shared their practices and experiences – in particular those larger businesses, with years of history and a wide variety of challenges.

FormSwift – create and sign legal documents for free

FormSwift

More and more paper work is moving into the digital domain, including legal documents.  I’ve previously linked to Docracy – a service that provides a collection of legal documents, as well as tools to negotiate and sign them.  Today I was made aware of another service – FormSwift. Some might find it to be more comprehensive, up-to-date and user friendly than the alternatives.

Have a look at the FormSwift’s collection of the free legal forms, which cover such categories as business, family, financial, life planning, real estate and other.  Their tools are pretty sweet too, with support for Word and PDF files, and an online editor for PDF – not something you see every day.

Google vs. Oracle : API vs. implementation

Slashdot is running the story about the Google vs. Oracle court case.  I thought this bit was rather brilliant:

Schwartz’s second attempt at the breakfast menu analogy went much better, as he explained that although two different restaurants could have hamburgers on the menu, the actual hamburgers themselves were different — the terms on the menu were an API, and the hamburgers were implementations.”

Cyprus Tax, Facts & Figures 2016

PricewaterhouseCoopers (PwC) published their annual Cyprus tax, facts and figures brochure for the year 2016. It is a handy document to send to friends abroad who are interested in moving to Cyprus or starting a business here.

One thing that I found ironic in this document was the example they used for personal taxation (page 7-8 in the English PDF).  The example is for someone with a monthly salary of 5,885 EUR and additional income from rent, etc – a total income of 75,620 EUR per annum.  Looking at the average salary in European Union, Cyprus shows 1,833 EUR per month in 2014 and 1,574 EUR per month in 2015.

I hope PwC predicts a huge spike in average salaries in 2016.  That would be nice …