
General Data Protection Regulation



  • 2 months later...
  • 1 month later...
2 hours ago, Thrane said:

I need some sort of agreement with you according to the new law.

Can you provide more details on the agreement you require?

We know the new law relates to unencrypted uploaded data; the regulation seems to apply to you.
I'm thinking you need to encrypt data before uploading it to Evernote, but I don't know the details.

Link to comment
20 minutes ago, Thrane said:

Evernote has to make a data processor agreement like MailChimp, Box.com and similar companies that handle user data.

https://kb.mailchimp.com/accounts/management/about-mailchimp-the-eu-swiss-privacy-shield-and-the-gdpr

Attached the agreement I have with MailChimp.

MailChimp Data Processing Addendum.pdf

Thank you for the details.

Link to comment

Hi there,

Here is the information I was able to find regarding GDPR:

The EU General Data Protection Regulation (GDPR) does not take effect until 25 May 2018. Evernote has been in compliance with many of the GDPR's key privacy principles since our founding. We remain committed to our 3 Laws of Data Protection (https://evernote.com/privacy) and maintaining our certifications to the EU-US Privacy Shield and the Swiss-US Privacy Shield. In line with our commitment to our users, we are currently working to update our policies and procedures to take into account additional GDPR requirements.

Link to comment

Hi Evernote,

could you please provide your European users with information about your plans concerning the General Data Protection Regulation (GDPR) of the European Union?

Any Evernote user in the European Union who uses personal data in Evernote (which might just be a client's name) will need a data processing agreement with Evernote signed by 25 May this year at the latest. Without this agreement, we will not be allowed to use Evernote anymore.

So will you provide us with this agreement and where will we find it?

Thank you!

Link to comment

I have a security question for Evernote moderators.

I'm security conscious, so I have a very strong alphanumeric + symbols password and I use 2FA. I'm also aware I can encrypt text inside of notes, but I cannot encrypt a note with attachments (documents, photos, recordings, html, etc) and I cannot encrypt an entire notebook.

I'm also aware that there have been measures to secure the Evernote cloud by moving over to the Google Cloud Platform (GCP).

  1. My first question is specific to the desktop versions for Windows and Mac as well as the app version for iOS. Is it correct, as is reported here (https://www.lifewire.com/evernote-tips-you-should-avoid-153286), that "third-party tests reveal that in the local database, the selected text still remains searchable in plain text"?
  2. My second question is "what has Evernote done to ensure it is GDPR compliant for Europe?"
  3. My third question is "how does Evernote comply with strict data privacy laws in Austria?" (That's in Europe, not down under.)
  4. My final question is when can users expect to be able to encrypt entire notebooks and when can we expect to encrypt notes that have file attachments?
Link to comment
On 2018-03-05 at 2:40 AM, jarad69 said:

My first question is specific to the desktop versions for Windows and Mac as well as the app version for iOS. Is it correct, as is reported here (https://www.lifewire.com/evernote-tips-you-should-avoid-153286), that "third-party tests reveal that in the local database, the selected text still remains searchable in plain text"?

I'm on a Mac. I have a full copy of the database on my machine in my home folder. It's in plain text and I can search it.
Being in my home folder, the data can only be accessed by my user ID. My hard disk is also encrypted to prevent unauthorized access.

>> I cannot encrypt a note with attachments (documents, photos, recordings, html, etc) 

For sensitive data, I use the native encryption in attachments: PDFs, Office/iWork documents, ...

>>when can users expect to be able to encrypt entire notebooks and when can we expect to encrypt notes that have file attachments?

There's no indication Evernote is interested in extending the encryption features in the product

Link to comment
On 2/27/2018 at 5:33 PM, Katrin said:

Hi Evernote,

could you please provide your European users with information about your plans concerning the General Data Protection Regulation (GDPR) of the European Union?

Any Evernote user in the European Union who uses personal data in Evernote (which might just be a client's name) will need a data processing agreement with Evernote signed by 25 May this year at the latest. Without this agreement, we will not be allowed to use Evernote anymore.

So will you provide us with this agreement and where will we find it?

Thank you!

Is there any movement at all at Evernote HQ on this issue? GDPR is the biggest change to data privacy the world has seen. I will have to stop using Evernote for certain things if this issue is not adequately addressed prior to May 25th.

As an American working on cybersecurity and privacy issues in Europe, I've been told that American companies "don't get it" regarding data privacy in Europe. I'm beginning to wonder if there is truth to that.

Anyone at Evernote want to contribute something from your legal department on this issue? There are potential fines of €20 million or 4% of global gross revenue for non-compliance (whichever is GREATER). It seems this should be on the radar at the CEO level over there.

Link to comment
On 3/5/2018 at 4:47 PM, DTLow said:

I'm on a Mac. I have a full copy of the database on my machine in my home folder. It's in plain text and I can search it.
Being in my home folder, the data can only be accessed by my user ID. My hard disk is also encrypted to prevent unauthorized access.

>> I cannot encrypt a note with attachments (documents, photos, recordings, html, etc) 

For sensitive data, I use the native encryption in attachments: PDFs, Office/iWork documents, ...

>>when can users expect to be able to encrypt entire notebooks and when can we expect to encrypt notes that have file attachments?

There's no indication Evernote is interested in extending the encryption features in the product

This is going to pose some substantial business problems for Evernote in the European Union. GDPR goes into effect on 25 May 2018 and potential fines for non-compliance are €20 million or 4% of gross global revenue, whichever is greater.

If Evernote doesn't address this issue, it will have to pull out of Europe or risk devastating fines. In addition, anyone using Evernote for business in Europe will have to stop using it, so all revenue across the 28 member states will dry up immediately.

I'm stunned that Evernote's CEO and legal department are not on top of this issue.

Link to comment

I'm not on the legal team, but I know there is someone there who has been working on GDPR compliance very intensively, and I personally had a task for a couple of weeks making sure that data related to search wasn't being kept too long, as part of GDPR compliance.

I'm sorry that I can't provide more info, but I do know it's something we care about and are working hard on.

Link to comment
6 hours ago, rezecib said:

I'm sorry that I can't provide more info, but I do know it's something we care about and are working hard on.

No IT admin in the business world would dare go ahead trusting your (feeble) words. Maybe Evernote can afford to work on the basis of let it happen, but if you believe that a couple of months ahead of Day Zero and nothing better than 'working hard on it' is more than a pathetic joke, you are in for some rude awakening.

Link to comment
11 hours ago, jarad69 said:

As an American working on cybersecurity and privacy issues in Europe, I've been told that American companies "don't get it" regarding data privacy in Europe. I'm beginning to wonder if there is truth to that

Stop wondering, just take it as a fact. 

If Evernote's 'top notch' European office at Zurich, Switzerland is anything to go by...:D

Link to comment
9 hours ago, rezecib said:

I'm not on the legal team, but I know there is someone there who has been working on GDPR compliance very intensively, and I personally had a task for a couple of weeks making sure that data related to search wasn't being kept too long, as part of GDPR compliance.

I'm sorry that I can't provide more info, but I do know it's something we care about and are working hard on.

Hi rezecib,

Thank you for the reply. I’m an American that emigrated to Austria 3.5 years ago. I work at an international market research consultancy & my focus is privacy and cybersecurity, which means I have to look at regulatory compliance and corporate governance issues. 

I was a keynote speaker at a security conference in 2015, before I’d been in Europe for 1 year. The comment some told me privately was that American companies just don’t get it regarding privacy in Europe. I’ve come to realize that’s an accurate assessment. Privacy here is enshrined in the law as a basic human right.

GDPR:

1 - further solidifies that position 

2 - addresses the out of control problem of companies not taking sufficient steps to prevent data breaches

3 - sets forth an enforcement penalty regime intended to get the attention of companies at the board of directors level 

4 - enables examples to be made of companies that display willful non-compliance: €20 million or 4% of gross annual revenues, whichever is greater.

5 - It also holds liable companies that use services that don't comply with GDPR; in other words, your customers!

As an Industry Principal with 18 years analyzing markets and the IT vendors in those markets, I have to tell you, your CEO, your BoD, and your investors that Evernote is clearly not ready for a globally game changing regulation in one of the biggest trading blocks in the world. 

My inability to get real answers from Evernote on this issue, as a paying customer,  tells me that your company won’t be ready by 25 May 2018, which will put Evernote in the crosshairs of every DPA (data protection authority) across the 28 member state block - Britain included, because despite BREXIT, the UK govt supports GDPR implementation.

I’m wondering now if my company should write an Insight article on American companies that put their own business and the business of their enterprise customers at risk by not having set plans to comply with GDPR.

With respect to what Evernote has built and how enthusiastic I personally am about the platform, GDPR goes into law in about 9 weeks. To comply, you need to have already been working on/implementing technology, process, and policy changes. Clearly that hasn’t happened. That means all personally identifiable information (PII) I have in the system needs to be deleted, starting with a few hundred business cards.

I trust that you will pass this up to the office of the CEO, because from my perspective, Evernote management is asleep at the wheel.

Link to comment
2 hours ago, JohnLongney said:

Stop wondering, just take it as a fact. 

If Evernote's 'top notch' European office at Zurich, Switzerland is anything to go by...:D

Painful to admit, but I fear you are correct. 

Link to comment
13 hours ago, jarad69 said:

It's official. The IT Department in my company has prohibited Evernote for work because it is not GDPR compliant.

Does not surprise me in the least. The IT department had no other option. 

As for the ignorance of some American business establishments on European legislation and vice versa, I must say that with determination on both sides usually ways can be found.

Microsoft, as one example, just to satisfy their big German business clients' desire (need?) for extra-strength cloud storage, some time ago started to rent Deutsche Telekom's servers located somewhere inland. Right now Microsoft intends to set up their own domestic servers here, run by their own local subsidiary. Nobody needs to feel sorry for Microsoft because their services spell $$$, but at the end of the day it is a fair deal.

If the responsible heads at Evernote, despite having set up an office in the heart of Europe and presumably also relying on other sources of information, have not felt any urgency re the final date for compliance throughout the EU, one explanation that comes to mind is that the loss in revenue hurts less than compliance would cost.

Should however make other data privacy and security concerned users think hard. After all, in one way or other we are all in the same boat.

Link to comment

Based on headlines, it looks like something is going to have to back down before the May 2018 deadline. I haven't seen studies indicating large numbers of successes in GDPR implementation.

Headlines
* Oct 2017 - Information Age
Only 5% of EU companies ready for GDPR compliance

* Jan 2018 - ZDNet
GDPR: Deadline looms but business still aren't ready

* Jan 2018 - MarTechToday
Only 1/3rd of startups are GDPR-compliant study finds
Mailjet study of 4,000 (mainly UK and France) companies shows an average GDPR-readiness score of 4.1 out of 10

 

Link to comment
8 hours ago, JohnLongney said:

If the responsible heads at Evernote , despite having set up an office in the heart of Europe and presumably also relying on other sources of information,  not felt any urgency re the final date for compliance throughout the EU,  one explanation that comes to mind is that the loss in revenue hurts less than compliance would cost. 

Should however make other data privacy and security concerned users think hard. After all, In one way or other we are all in the same boat.

I’m not convinced that non-compliance for GDPR is cheaper than compliance. Here’s my back of the napkin analysis...

  • Evernote has approximately 220 million users
  • Stated assumption 1: 5% are paying users
  • Stated assumption 2: all pay €59.99 for an annual subscription
  • Possible revenue under those assumptions is €659.89 million
  • Non-compliance penalties for GDPR are either €20 million or 4% of global gross revenue, whichever is greater
  • Using assumptions 1 and 2, potential fines for GDPR non-compliance for Evernote would be €263.95 million
  • That would be the potential fine for only one major data breach where PII is compromised. Each additional breach that compromises PII will theoretically start the fines all over again
  • As we know, many companies have had multiple data breaches: Yahoo in the USA, TalkTalk in the UK, etc.
  • GDPR also holds responsible the companies using a service who put PII into that service, so enterprise clients of Evernote could theoretically be hit with devastating fines as well.

Today, it looks like there is no other option for people in Europe other than to drop Evernote and migrate to Microsoft SharePoint. It’s not my preferred option, but I’ve been put into a corner by C-Level execs at Evernote!

Link to comment

The issue is that there has already been approximately 2 years for business to get ready. If I were a DPA (data protection authority), I’d have no sympathy for any company that isn’t prepared. If one cannot meet a 24 month implementation period, should that mean that a law is suspended or its implementation should be pushed back until everyone is ready?

If that’s the way the world worked, every business globally could decide to pick and choose which regulations would be implemented and which ones wouldn’t.

I suspect, but won’t know until after 25 May, that there will be an example or two made as a warning shot across the bow of all enterprise doing business in Europe to send a clear signal that they need to get their affairs in order fast!

Link to comment
3 hours ago, jarad69 said:

If one cannot meet a 24 month implementation period, should that mean that a law is suspended or its implementation should be pushed back until everyone is ready?

If half of the companies cannot meet the 2-year GDPR requirement, then yes, I think implementation should be pushed back. It appears smaller companies are the ones having the most difficulty, due to the financial costs and IT manpower required.

But as I said, I have not seen any conclusive studies that show an accurate analysis on what percentage is actually compliant. If the percentage meeting the compliance requirements is 80% or higher, then it would make sense to proceed.

Link to comment
On 3/21/2018 at 11:35 AM, jana-mala@centrum.cz said:

Please, 

our company needs a "data processor agreement" to be done by 25 May. Please can you provide us more information about where to find it on your official website or in our profiles? It's necessary to have this agreement between our companies. Thank you in advance for your response. Best regards, Jana

I’ve pressed the GDPR issue pretty hard via multiple channels at Evernote. The first official response from a support guy identified as Anderson A. was an exercise in dodging the issue and refusing to provide direct answers.

I refused to accept that and demanded an answer to my questions. 

Jason C., Technical Support Manager replied with a direct answer, albeit an unsatisfactory one. Pasted below are excerpts from that email:

  1. A formal GDPR compliance explanation is being worked on and will be available between now and May 25. I don't have a more specific date I can give you there. We are committed to complying with GDPR as we have with other EU laws and regulations. We have many customers in Europe and we understand how important this is to their ability to continue to use Evernote.
  2. It is possible to dive in to the database file and view that content as plain text. It takes some work but the content is there.
  3. This isn't true for encrypted note text.
  4. We don't have any plans at the moment to permit entire notes or notebooks to be encrypted.

Based on that response, companies need to make contingency plans to migrate in case the official stance falls short of compliance. It also means that everything in Evernote that has attachments or has formatting (such as bulleted text, bold, underlined, or italicized text) CANNOT be encrypted, and if a company has the app on laptops and those devices are compromised by malware, your cyber adversary will be able to access the data you have in Evernote.

Because the Evernote app does not provide proper data security of data in its database on endpoints (laptops, desktops, etc.), full disk encryption is your best defense against data breaches, but that will still not protect your data when your endpoint is compromised by malware and you decrypt your hard drive to work in Evernote.

What's more, Evernote has migrated its cloud to Google, which means your data might be stored on servers in the USA and could be swept up by a FISA court warrant that Evernote cannot fight and that your company will never know about.

 

Link to comment
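The mitigation this thread keeps coming back to is encrypting an attachment on the endpoint before it is uploaded, accepting that neither the service nor a copy of its local database can then search inside it. The script below is an added example, not code from the original posts or from Evernote. It assumes the openssl command-line tool is installed; the file name, its contents and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: encrypt an attachment on the endpoint before it is uploaded
# to a cloud note service. Assumes the openssl CLI is installed; every file
# name, file content and passphrase below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample attachment containing personal data (a client's name).
printf 'Client: Jane Example\nContract renewal notes, March 2018\n' > "$WORK/card.txt"

# encrypt_attachment IN OUT PASSPHRASE
# AES-256-CBC with a PBKDF2-derived key and a random salt. The passphrase is
# passed through the environment rather than as an argument, so it does not
# appear in process listings.
encrypt_attachment() {
  PASSPHRASE="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass env:PASSPHRASE
}

# decrypt_attachment IN OUT PASSPHRASE
decrypt_attachment() {
  PASSPHRASE="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:PASSPHRASE
}

# not_searchable FILE LITERAL
# Succeeds when LITERAL does not occur in FILE. This is the property the
# thread is after: a copy of the stored blob must not be searchable for PII.
not_searchable() {
  ! grep -q -F "$2" "$1"
}

# Demonstration: the plaintext is searchable, the ciphertext is not, and the
# round trip restores the original byte for byte.
if not_searchable "$WORK/card.txt" 'Jane Example'; then
  echo 'unexpected: plaintext should be searchable' >&2; exit 1
fi
encrypt_attachment "$WORK/card.txt" "$WORK/card.txt.enc" 'correct horse battery staple'
not_searchable "$WORK/card.txt.enc" 'Jane Example' \
  || { echo 'ciphertext still contains the name' >&2; exit 1; }
echo 'ciphertext: client name not findable'
decrypt_attachment "$WORK/card.txt.enc" "$WORK/card.roundtrip.txt" 'correct horse battery staple'
cmp -s "$WORK/card.txt" "$WORK/card.roundtrip.txt" \
  || { echo 'round trip differs from original' >&2; exit 1; }
echo 'round trip: identical to original'
```

Two caveats worth keeping in mind. openssl enc's CBC mode encrypts but does not authenticate the blob, so a tampered ciphertext is not reliably detected; for real use, a tool with authenticated encryption (age or GnuPG) is the better choice, and the passphrase belongs in a password manager rather than a script. And the check that the name is no longer findable is exactly the trade-off raised further down in this thread: once the attachment is opaque to the service, its search-inside-documents feature is gone for that file.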
4 hours ago, jarad69 said:

It also means that everything in Evernote that has attachments, has formatting (such as bulleted text, bold, underlined, or italicized text) CANNOT be encrypted

For my sensitive data, I use the native encryption of attachments; PDFs and office/iwork documents can be encrypted by their apps.

>>full disk encryption is your best defense against data breaches

I use FileVault on my Mac. However, Evernote is a cloud service; my data is also uploaded and stored on the servers.

Link to comment
2 hours ago, DTLow said:

For my sensitive data, I use the native encryption of attachments; PDFs and office/iwork documents can be encrypted by their apps.

>>full disk encryption is your best defense

I use FileVault on my Mac. However, Evernote is a cloud service; my data is also uploaded and stored on the servers.

I commend you on password protection of sensitive documents, but with MS Office, one can easily get tools to perform brute force attacks to find the passwords ==>  https://www.iseepassword.com/recover-ms-word-password.html

The other thing is that when you encrypt the documents on Evernote, it eliminates a core function of Evernote Premium (searching inside of documents) -- I suppose that encrypting text notes inside of Evernote does the same thing however.

Security as with many other things in life, is a matter of trade offs, which I think you understand since you use encryption regularly. 

Many others here won't understand the implications of encrypting all documents before putting them into Evernote, which is something that should be pointed out so everyone understands.

That said, I may have to start encrypting all documents I put into Evernote as well. The serious pain in the *** is that with text notes, you can't even have formatting (bulleted lists, bold, italics, underlining, etc.) in any note that you want to encrypt. That is a serious functionality drawback and eliminates the use of Evernote for notes on business projects. That is quite frankly shortsighted & yes I'll say it -- stupid!

Link to comment
  • 1 month later...

Has anyone heard any news on Evernote and GDPR compliance? The page mentioned above says absolutely nothing that can be used and right now it looks like we might have to migrate to Evernote. 

Link to comment
  • 2 weeks later...
On 3/23/2018 at 8:24 AM, jarad69 said:

That said, I may have to start encrypting all documents I put into Evernote as well. The serious pain in the *** is that with text notes, you can't even have formatting (bulleted lists, bold, italics, underlining, etc.) in any note that you want to encrypt. That is a serious functionality drawback and eliminates the use of Evernote for notes on business projects. That is quite frankly shortsighted & yes I'll say it -- stupid!


GDPR day has arrived. The 2-year ramp-up period has turned out not as simple as some of the Europeans suggested. 

Today's Headline: Blocking 500 Million Users Is Easier Than Complying With GDPR

For some of America’s biggest newspapers and online services, it’s easier to block half a billion people from accessing your product than comply with Europe’s new General Data Protection Regulation.

The Los Angeles Times, the Chicago Tribune, and The New York Daily News are just some [companies] telling visitors "Unfortunately, our website is currently unavailable in most European countries."

Blanket blocking EU internet connections isn’t limited to newspapers. 

https://www.bloombergquint.com/business/2018/05/25/blocking-500-million-users-is-easier-than-complying-with-gdpr#gs.3w_eFcU

Link to comment
On 3/23/2018 at 5:24 AM, jarad69 said:

That said, I may have to start encrypting all documents I put into Evernote as well. The serious pain in the *** is that with text notes, you can't even have formatting (bulleted lists, bold, italics, underlining, etc.) in any note that you want to encrypt. That is a serious functionality drawback and eliminates the use of Evernote for notes on business projects. That is quite frankly shortsighted & yes I'll say it -- stupid!

You're referring to Evernote's text encryption feature.

My sensitive data is encrypted using the native encryption built into file attachments: PDFs, Office/iWork documents, ...

Link to comment
  • 3 months later...
On 5/25/2018 at 2:43 PM, jbenson2 said:

GDPR day has arrived. The 2-year ramp-up period has turned out not as simple as some of the Europeans suggested. 

Today's Headline: Blocking 500 Million Users Is Easier Than Complying With GDPR

For some of America’s biggest newspapers and online services, it’s easier to block half a billion people from accessing your product than comply with Europe’s new General Data Protection Regulation.

The Los Angeles Times, the Chicago Tribune, and The New York Daily News are just some [companies] telling visitors "Unfortunately, our website is currently unavailable in most European countries."

Blanket blocking EU internet connections isn’t limited to newspapers. 

https://www.bloombergquint.com/business/2018/05/25/blocking-500-million-users-is-easier-than-complying-with-gdpr#gs.3w_eFcU

3 months after implementation, US-based news companies are ignoring Europe's heavy-handed GDPR by blocking the EU users.

Excerpt from Security Now! episode #679

"Nearly 1,200 U.S.-based news sites are deliberately remaining inaccessible, that is, they are blocking visitors from the EU as a consequence of the EU's adoption of the high-fine GDPR regulations, which has just freaked everyone out.  And these deliberately blocked sites are not all obscure since they include, get this, the Los Angeles Times.  Yup.  Cannot bring up the L.A. Times from Europe.  The Chicago Tribune.  The New York Daily News.  Dallas News.  The Baltimore Sun.  The Sun Chronicle.  The St. Louis Post Dispatch.  And Newsday.  None of them are currently available to people in the EU."

"Companies who do not adhere to the GDPR, risk facing massive fines of as much as 4% of their annual revenue, which for major ongoing operations is significant.  And again, I think it's rational for them to just say, you know, we didn't do this on purpose.  Some other country has just decided that we're liable for behavior that nobody else in the world has a problem with.  So, fine, we're just going to block you."
 

Link to comment
  • 5 months later...
On 3/26/2018 at 11:34 PM, Shane D. said:

Hi All,

Thank you for your patience!

I wanted to provide an update as we just added more official information regarding GDPR here:

https://evernote.com/privacy/gdpr

As mentioned on the page, if you have specific questions regarding Evernote's GDPR compliance, please reach out directly via email here:

privacy@evernote.com

Thank you!

Any news on status of GDPR  and Evernote ?

The page you refer to is great ... Totally empty ... 😂

https://evernote.com/privacy/gdpr

Link to comment

For me as well. The statement is quite o.k., I have seen worse. I have just asked for a Data Processing Agreement via E-Mail.

Let‘s see what I will get.

Once such an agreement is in place, and the usual data protection measures are taken by client and provider, the use of EN should be compliant with European law. There is no need to encrypt the database itself while it is inside of the protected data processing environment.

Link to comment

Hello everybody concerned about the EU-GDPR. I've just signed my Data Processing Agreement with Evernote.

The process was similar to other service providers I use, which means completely online and professional. The only difference was that it had to be initiated through a support ticket, and EN wanted to know in brief words why I was interested in signing a DPA. In my case it was because of my freelancing work as a consultant. From then on, no problem at all.

From my side "AAA" for the formal EU-GDPR compliance on behalf of EN!

Link to comment
