No ads, no tracking, no cookies, not even Javascript. Just plain HTML+CSS and JPEG images. The whole front page is around 650 KByte, and by far most of this is in the image files. As a result the page looks very clean and loads very fast.
This is what all news web sites should look like, not just for EU readers (although I fear that this is just a temporary solution until they've figured out that whole GDPR thing...)
>https://eu.usatoday.com/ is fantastic, loads instantly, no clutter, smooth experience, I love it.
I am willing to believe it to be someone's idea of sarcasm, let's strip our website of all the "goodies", give viewers a poorer experience and watch the cries!!1 Except it's actually better, and I wouldn't be surprised if it vanishes really quickly once they realize it backfired by reminding users how fast and clean the web once was.
Surely the greatest innovators in Silicon Valley could focus on creating sustainable business models that don't rely on data harvesting? Necessity is the mother of invention.
Might be a little more lucrative than juice bag startups.
But it's also great if the whole thing gets shut down because it finds itself to be unsustainable without harvesting my personal data and selling it off to third parties.
That looks fantastic, I would actually read USA Today if this lean site sticks around.
If they want to monetize, publishers should control their own generic ad inventory (like they used to in old pre internet days) and ask for opt-in if you want customization.
"This site does not collect personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our Site from the European Union. We do identify EU internet protocol (IP) addresses for the purpose of determining whether to direct you to USA TODAY NETWORK’s EU Experience.
This site provides news and information of USA TODAY NETWORK. We hope you enjoy the site."
Colour me impressed. I sincerely hope it catches on.
Of course, that vision of what the internet could be never really answered the question of where the money was coming from to pay for the servers that are delivering that content.
USA Today originally distributed their advertisements on paper without any user tracking. I don't see why advertising without tracking is so unthinkable today.
I'm of the opinion that at some point USA Today had demographic data on its users. Maybe polled directly, or based on a list of names in their subscriber database cross-referenced with some other database.
The idea that "user tracking" is now happening on the internet and not in print isn't true. Yes, internet tracking can follow you specifically, but that's because the systems have gotten faster and more connected.
This was true for a huge number of newspapers - user data was an enormous part of the ad business in the print days as well, and has some striking similarities to what happens today online.
Back then it took the form of the subscriber database as you suggest, and was used to help target and sell ads in the paper. The print industry often "sold" the subscriber list in detail to prospective advertisers to demonstrate the potential reach.
Losing detailed subscriber data was one of the primary objections many papers expressed to Apple's app store distribution model which can effectively render readers anonymous, as this was apparently one of the most valuable things they had.
Because it is two orders of magnitude less effective. Putting an ad for a blender in front of someone recently searching for blenders is 100x more effective than putting it in front of a random person.
This means the revenue they can charge for that ad is 100x less, which means that any sites without massive, massive user bases will perish, and those that survive will do it on a pittance.
I mean: GDPR didn't forbid money. Not even advertising. Only using personal information without explicit consent... Please, don't be too ridiculous and stop watching FoxNews :-D
And it was funded by universities and a defense department project. Once we got the private sector into the experiment, it needed to pay for itself. Bandwidth isn't free, and neither is content creation.
Look at it: that's an RSS feed, basically. They could have had paywalled feeds with a standard payment system that people could write clients and aggregators for. No ads, just subscriptions.
The irony is that we'll get there, eventually: Apple and Google are slowly agreeing a payment system and then they will push it into the browser, and everyone will use it.
If the payment system allows for microtransactions (and, ideally, allows for ads or alternative payment methods for people who don't have the cash to be micro'd), we get a worldwide web somewhat shaped like the one we have today. That seems similar to what Google is pursuing with Contributor (https://contributor.google.com/v/marketing).
If we just do big-dollar monthly or daily subscription paywalls, we end up with a Balkanized web where I can't read the article you're reading unless I pay for it. That'll significantly change the way interactions happen on the worldwide web.
I call BS on this. You’re going to read a publication because of the relevance and quality of the content. USA Today Europe will no longer have metrics to sell advertising, which may then force them to dial back on their writers' salaries.
This is, I think, a great illustration of the problems with a lot of economic reasoning.
Sure, maybe that's exactly what would happen, but changing one variable in a toy model is not proof that it will.
There are successful news sites that do just fine without becoming relentless clickbait optimization mills - and in fact, those are exactly the sites I tend to read. Two examples, so we're talking about something specific: talkingpointsmemo.com and techdirt.com are both daily reads for me.
TPM is, for want of a better term, the more advertiser-friendly of the two, but it intentionally works fine with ad blockers. Techdirt is probably well-known to most folks here.
The other commonality is that both of them work hard to not be enslaved by the adtech surveillance machine - they both have non-ad revenue streams.
And I think that is the real trick missed by overly simple reasoning - even when it is correct (and it is, frequently), it obscures more than it helps. And somewhat more nebulously, I think it trains people into a way of thinking that blinds them to options. After all, if you "know" you can't reduce your surveillance metrics below industry-average intrusiveness, you won't look at possibilities involving doing so. Instead, you'd look at additional non-ad revenue as "more and better" and do both - thereby losing me as a potential customer.
Is that a good tradeoff? I don't know - and that's the point. These are much more complicated questions than econ 101 will guide you through.
> it trains people into a way of thinking that blinds them to options.
It's also a dilemma of sorts. If you stop running ads, then there is one less outlet for them, which means rates for all the other outlets are likely to grow. If enough people do it, the few players left will make very good business. Would you rather move out, risking your livelihood on experimental business models, or stay in with the devil you know, ensuring nobody is going to do better than you?
To demonstrate the way it blinds people to options:
What you mean is running 3rd party ads via ad networks.
It's perfectly feasible to show an image that links to some advertiser's site for a negotiated fee. This is the equivalent of a paper magazine with advertisements. Not renting out injection points for executing whatever foreign code on their visitors' devices.
My ad blocker won't even block it (well not by default, and only as long as you play nice, it's not like online advertising has any goodwill left over, or ever acted to deserve it).
You're right that people don't read publications because of the layout, it's all about the content.
Still it's hard to deny that the (presumably temporary) EU site is a much nicer experience. It's certainly faster.
They have plenty of metrics on the ads still, just not on the users. It's not going to be an issue to see how often an ad is shown, they just don't know if it's relevant to the reader. The good thing is that now they have a way of measuring the effectiveness of targeted ads, because the entire EU is available as a control group.
For a newspaper, like USA Today, I honestly doubt that targeted ads convert much better than random ones. EDIT: Random or based on the content of the article.
What it means for me personally is that The Washington Post as well as the NPR can't be relied upon for reporting news, since they are apparently unable to even marginally interpret a legal document aiming for clarity and instead channel their incompetence into snarky behaviour that still isn't compliant with the GDPR.
To wit (washpo):
"You consent to the use of cookies and tracking by us and third parties to provide you with personalized ads"
Where is the "No I don't. Just give me regular/random ads" button?
and,
"Premium EU subscription"
"No on-site advertising or third-party ad tracking"
There's nothing specifically EU about that, in fact, it sounds like a good service to offer to all your readers. But still, there's a big difference between on-site advertising and third-party ad tracking, and that difference is at the heart of the GDPR. A half decent journalist could have figured that out. Maybe that's their real problem.
But most importantly, and frighteningly, instead of these two stunts being knee-jerk backlash reactions, maybe they're serious and most data-peddlers aren't shady figures in smoke-filled backrooms, but simply the fourth estate at large.
They may have just done that as a cheap and easy way to comply with the new regulations while they wait for the dust to settle. Especially since the text-only version already existed.
Also, I wonder how much of Washington Post and NPR's revenue comes from Europeans. It might not even make sense for them to spend resources to be more precise in their compliance.
There are a ton of great business models for financing content that do not require smart ads or the kind of tracking we see today. They are not as exciting but ... tough cookies.
Wow, you just made my day. It's so fast. I don't think I've ever experienced such a fast latency in a nontrivial website. I was around since the NCSA Mosaic times and I remember a much simpler Web than today, but at that point computers and connections were rather crappy so it wasn't that fast either.
A pity I'm not from the US, so most of the news isn't that interesting to me. I hope some European news outlet follows suit (although it won't happen).
The most interesting part of that website is its certificate. It includes 342 different news website domains. There are many duplicates for the wildcards, but even 171 is a big number.
This just shows us how big and influential the media giants are becoming.
One way to think of it is that “a business” is not “a user tracking, ad targeting website.” Whatever the business is, it’s not equal to the website, which is just one means of distribution of information or content.
If the business was so predicated on user tracking and selling that data or using it to target ads, I think GDPR (in spirit) is saying “that’s not a business” and requiring a greater form of transparency and informed consent before a website can inflict that on a (possibly unwitting) user.
I’m not trying to say this point of view is right or wrong, just that I think there is a spirit here in the intention of GDPR to say “that’s not something we’ll allow to be called a business model.” (Obviously it doesn’t fully go that far, but it’s the idea.)
It’s not that different in spirit than regulating usury or payday loan businesses. If your business model profitably works only because it preys on people, the spirit of the regulation is to say, “that’s not a business model,” and regulate or disallow it. Usury laws in the case of excessive short-term interest rates; GDPR in the case of excessive user tracking and data privacy concerns.
So when you ask, “how can be a business sustainable in this way?” it sort of has the wrong premise.
Instead, if the business could not be profitable without this then it wasn’t actually ever a business— rather it was some other data exploitation entity, and the lack of an alternate way to be profitable in compliance with GDPR is a signal that the entity was unable to determine a way to exist without causing the kinds of harm that GDPR aims to prevent.
Again, I’m just trying to represent what I think the spirit is behind the GDPR choices— not saying they were right or wrong.
Everything's fine if they add generic, non-targeted ads that are completely under control of the news publisher, hosted on their servers, don't track users, don't use cookies. Just like print media and TV have done since forever.
The problem is that those ads could not be pay-per-click, because you need cookies, JavaScript and other tricks to combat click fraud and impression spam.
If that USA Today site sticks around and adds advertising, it will presumably be low quality inventory like the internet used to be flooded with - casinos, punch the monkey etc.
No it will be high quality, like an astronomy magazine negotiating a deal with a telescope producing business.
The shitty early-web ads were already a result of shady 3rd-party ad networks selling private data.
Does a paper magazine need to run unsavoury ads? Because they don't have pay-per-click. They don't even record impressions, they have to negotiate the deal beforehand with the advertiser.
As I understand, you still can use cookies and IP addresses, but you should not keep them for a long time and should not give that data to Google and Facebook. Do you really need to track users across all the Internet (like Google and Facebook do) and keep that data forever, buy and sell it to data brokers? Definitely not.
I don't want data about me to be someone's asset. I want an Internet shop to delete data about me as soon as possible after I made a purchase. That's why I want GDPR in my country too.
I have no answer to this, but the targeted ad business has driven traditional news outlets/traditional ads out of the market almost completely, so I think it has no good standing to ask for protection. In fact, I think GDPR proponents will welcome the collateral damage to targeted advertising.
People have tried lots of other stuff in the last 10-15 years, it was not sustainable (micro-transactions never took off, subscription-based newspapers are the exception rather than the norm etc). I'm personally fine with newspapers like the LA Times collecting and selling my personal data as long as I can read articles for "free" on their website, I think it's a pretty fair deal.
Part of the reason for the failure of those other models is their need to compete with an exploitative ad-driven model. When you remove the lowest common denominator, you make it easier for the market to accomplish something better.
If payment is optional then you are only likely to hand over money out of principle, or your own personal values.
I don’t think it’s as simple as finding the same news elsewhere for free though, or accepting this level of data collection, or subscribing to every site with micro transactions.
I would pay to use HN if the articles I clicked through to (or upvoted, or engaged with in the comments) got a piece of the pie. I’d pay a fair amount because I get a lot of value out of the aggregation and community HN offers. There’s no obvious allegiance to a particular perspective on life so one day I can enjoy a spiritual read and another I can learn about baking bread. I’m not only challenged, my curiosity is being piqued. It may be that HN works this way because there is no direct profit motive in HN itself except to point budding startups to Y Combinator.
I’m unlikely to pay an individual publication (say, The Guardian) because such publications have a specific editorial viewpoint, and more often than not it’s going to be the point of view that supports my own. My money is wasted on an echo chamber that makes me mad about the state of the world.
Neither am I likely to pay a publication that I persistently disagree with because our values are incompatible. I might read them if they have something profound to say but I’m not going to commit to them for that.
So maybe there’s something in a co-operative effort where the community collectively funds the content it engages with. But rather than it being an individual thing like with Patreon or individual subscriptions, it’s a pool you contribute to in order to participate further in the community.
I have never, ever, ever seen a single reputable source to support this claim. As far as I can tell, this is just something that people blindly repeat to justify their exploitative business models.
On the other hand, there's quite a lot of evidence of successful businesses operating on a subscription model because they provide a good value proposition. Which leads me to conclude that your claim is simply false.
I've never felt exploited by advertisers. Nor do most other people, otherwise they would keep their internet usage to a minimum when what we see is the exact opposite.
Please stop attacking services and sites that hundreds of millions or billions of people find useful because of your own over the top histrionics.
Most users on the internet are completely incapable of understanding what tracking even means. Those users, therefore, cannot consent to that tracking in an informed way.
There are more histrionics in this reply than the person you’re responding to.
The parent makes an excellent point: it’s easy to argue the other models (micro transactions, subscriptions, paywalls) failed because they were in competition with an industry that has safely operated with little to no regulation for a decade or two.
The ad industry in this situation has an insane advantage because it can make money from end-users without them even being aware that they are involved in a transaction. They don’t have to see a banner ad in order for dozens or hundreds of other businesses to learn about them.
There is no explicit contract between the website and the user in the way that there is when you agree to pay the business money in exchange for the value it offers.
So GDPR levels the playing field by removing that advantage. If an advertiser or another business runs above board they don’t have a problem. More to the point, if they can convince a user to opt in, then they have a serious value proposition to the user too.
Advertising itself is an easy and almost fallacious target. People know about adverts so they use Adblock. People have no idea what a business will do with all of the data that reaches their servers without any JS required.
> i.e. "It's easier for horses to compete with cars if you set the speed limit everywhere to 5 miles per hour."
I think that elides pretty important aspects from the equation. In reality, it's more like: "It's easier for Bill-brand horses to compete with John-brand horses; if you ban the steroids, amphetamines, and cruel practices John uses to get his results."
I might be exaggerating, but you can say the same thing about environment protection laws, anti-slavery laws, worker protection laws etc. They made some businesses unsustainable too.
Probably not sustainable as an ad-supported business. We may see a bigger push to a subscription-based model, one many people have come to hate, but twenty years ago people paid $10-30/mo. for subs to their favorite daily.
Now sure, those prices were subsidized by ads. But they can still use untargeted ads; in addition, the cost of the “medium” and distribution is much lower.
People will actually visit the site... so they get traffic. They could then advertise through more creative, less user-unfriendly ways (besides having giant ad networks that store tons of user data on each person, along with 20 different vendors’ trackers to make sure each department gets the same data about each user in a very slightly different way).
There is no fundamental right for a business to be "sustainable" if it hinges on being able to sell off my personal data to 3rd parties. That is almost literally what this law is about.
You sound like the other people complaining "you know how much money I have to spend on lawyers to ignore this law??".
> It's a very European thing to think of the E.U. as the indispensable center of the world.
Huh? Culturally, that has absolutely not been my experience - quite the contrary.
In the case of the GDPR, it's simply a matter of "if you can't respect our citizens' basic rights, then we don't want to be doing business with you".
That has nothing to do with considering the EU to be the 'center of the world', and everything with setting the conditions for trading with it. You can either take or leave those.
You are correct. That's what makes visiting another country/region fun for many people. They like to explore and encounter things they don't have available to them where they live. Otherwise, why leave home?
Hopefully what will happen is that it will be more expensive to advertise and publishers will earn more on dumber ads.
Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.
I remember the tedium of non-targeted advertising; it's what ultimately pushed me away from most traditional print and broadcast media and online. Targeted advertising occasionally brings me information I actually want; non-targeted advertising feels like such a waste of everybody's time.
I hope someone takes on the experiment of opt-in GDPR compliant ads.
Targeted advertisement can be done if the user is entirely in control of the data and the consent process. No one would be against that. This is a technical problem that can be solved, there was just no incentive to do it. Now perhaps there is.
It would be nice to give people the option. I personally would love everything to be free, and show me ads instead. I don't see how my integrity has anything to do with it.
>Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.
I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today. What we truly need on the internet is data gated behind pay walls to protect important information such as which facebook groups you clicked like on.
> I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today.
A lot of them are poor, because we don't want to pay a decent amount for the products that we consume and instead rely on people working in sweatshops in third-world countries.
You don't solve poverty by giving them 'free' products that require them to give you all their private data. You solve poverty by giving people a decent wage, so that they make these decisions themselves.
This is a false dilemma. There's no reason we can't both work towards better wages for everybody and support cheaper services for poor people in the meantime.
So us having our right to privacy using paywalls, means that we deprive those less well off of valuable information. Or everyone forfeits their right to privacy for free stuff. I'm sure there's a middle ground here.
They can also be quite smart. What was your referrer, what's your user flow through the site, what do similar users do when arriving from the same pages and searches? What time of day is it for the visitor?
i.e. figure out why they are doing what they're doing and direct them to ads that capture that intent.
I keep seeing this argument. But the reason I don't see this happening is the giant amount of fraud out there. Sure ad fraud is an arms race, but if you can't do js fingerprinting, cookies, etc it would be impossible to verify ad impressions are real humans, not bots. And actual clicks from real humans would be impossible to differentiate - not coming from the same bot clicking over and over again (can't store ip, cookie, etc I'm not sure how you'd distinguish).
To fight fraud you can use some short-term temporary tracking without saving data for a long time, without linking cookies and IP to email or real name, without exchanging data with other companies (like Google), without buying or selling data to data brokers.
To show ads you don't have to report about all of your site visits to Facebook and Google.
Sure you could store IPs, as you can also use cookies. I think there's a hysteria regarding GDPR. It won't break the web. Perhaps we need to give it some time to settle in and then draw our conclusions.
AdSense was definitely a revolution on many fronts, especially because it enabled small sites to start earning a decent income. And for that we'd be eternally grateful to Google. On the other hand, Google back then didn't have the variety of products they have now, so profiling was much less intrusive.
It wasn't privacy invasions that made the ads better, it was Google making the process easier. Instead of dealing with shady smaller networks, or individual sites (which only businesses that extracted high value from online presence could afford, e.g. gambling,) any business could then easily and safely publish their ads widely. That is not going away, and advertising in the EU will still exist.
In the mid-term I'm glad to be subsidised by American users who forego their privacy and are willing to get served a lot of ads.
In the long term I would be happier if we'd all be treated with equally high privacy standards and pay for the content we consume. For that to happen we only need one thing, Americans and their legislators need to start valuing their privacy too.
Right, but it seems Americans (and probably everyone outside the EU) are being redirected like the parent. I was, which is a shame since I’d love to see that version of the site. It’s almost like a good unintended consequence of the regulation.
Businesses don't comply with regulations because it is easy, but because it's needed to do business.
If a service didn't have a big user base in Europe (most countries don't speak English), it may be cheaper to remove the service.
The New York Times or The New Yorker that even have physical copies available in Europe work as usual.
I work in a gambling company and this is our day-to-day business. To enter a new market means to follow a new set of regulations. To do the adaptation or not is a strategic decision based on complexity, expected revenue and other factors. GDPR is just another regulation to add to the long list related to tax evasion, responsible gambling, fair play, etc.
Regulations tend to favor incumbents, decreasing competition, and thereby increasing monopoly and creating central hubs of systemic risk. There is no free lunch with one-size-fits-all rule making. Unfortunately regulators think there is.
I was thinking about getting in to the car market but all these pesky requirements that I sell a car with airbags and seatbelts and fuel efficiency compliance are just there to protect existing incumbents.
Snark aside, that doesn't dispute the thesis that regulations tend to favor incumbents.
Some regulations are good. Some regulations are bad. Some regulations are smart. Some regulations are dumb. Reasonable people can disagree on the quality or intelligence of a given regulation, or its impact on a given industry, but that doesn't change that most regulations do tend to make products more expensive to manufacture and by proxy, more expensive to buy.
In Europe, if you want to sell eggs, you're required not to wash them or get them wet, because doing so erodes the natural coating that protects them from diseases. This is a regulation implemented to prevent salmonella.
In America, if you want to sell eggs, you're required to wash them in water at least 90 degrees, to make sure that they're clean, then rinse them with a chemically infused spray, then because you've got them wet, they need to be thoroughly dried to prevent bacterial growth. Further, because you've now washed and dried them, removing the natural protective coating, they need to be refrigerated in transit, at the store, and at home.
Both regulations are imposed to defend against Salmonella, and both are apparently quite effective, but the American regulations in play require the purchase of (conservatively) thousands of dollars in washing, sanitizing and drying equipment, and at least a partnership with a refrigerated trucking company. If you're selling the eggs in California, there's the additional requirement that the eggs were laid by free-range hens, which of course increases the amount of land required to raise the chickens upon, which of course makes it harder to prevent and protect the hens against predators.
Like I said, reasonable people can disagree on any given regulation, but it's hard to make the claim that egg regulations in America are more effective than those in Europe, or that the American regulatory environment doesn't make the egg business a more capital-intensive affair.
> Snark aside, that doesn't dispute the thesis that regulations tend to favor incumbents.
Not only that, even auto safety regulations do favor incumbents. There were far more new independent car companies created before the 1970s when the safety regulations were passed, and they were often created by small groups of people rather than huge established companies.
It's possible that the safety improvement is worth that cost, but that doesn't mean the cost isn't still there.
When we start talking about other industries where the result isn't literally a matter of life and death, it becomes much more likely that the cost outweighs the benefit. You're essentially talking about destroying competition -- the same competition that keeps companies from doing things you don't like.
If you want to pass regulations that destroy competition, those regulations had better prevent companies from doing more evil on net than competitive pressure does. Which is a pretty high bar.
There are benefits to washing the eggs, aren't there? I have read that in Europe as a consumer it's a lot more important to wash the eggs before using them.
I have lived all my life in Europe, in three different countries and with friends and colleagues from many more, and I have never seen or even heard about anyone washing eggs. So if it happens, it is certainly not a Europe-wide norm.
Yes. I have chickens (hence the anecdote above), and if you're getting eggs from friends, you should definitely wash them. I've personally just made it a habit to wash all eggs in warm water, regardless of whether they're store-bought or fresh.
You should definitely wash the eggs before you cook with them. As you mention, that is de rigueur for Europeans, as it is in America for things like lettuce and potatoes.
You should wash the eggs before opening them. If you cook them in boiling water without opening them (except for the prick at the bottom), I don't see how washing them beforehand would make a difference.
What? Is this legitimate or are you being funny?
I'm European and have never washed an egg before cooking it in my life. What is this? I crack it open and cook it and am still here.
I do wash my tomatoes when I make a salad with raw tomatoes though. And that's mostly to get stuff off, since I'd argue my vinaigrette would kill all the bacteria.
And washing your potato? I'm so confused. Don't we all cook potatoes in boiling hot water?
The incidence rate for salmonella is pretty low either way, but you should definitely wash eggs before cracking them open, for the same reasons you wash your tomatoes.
As for potatoes, no, we don't all cook them by boiling them in water -- many of us bake them, fry them, or use them for making hash browns. This might just be cultural, but I would actually be more inclined to wash them before boiling them, since the reason you wash potatoes is because they have dirt on them, and just as I wouldn't want to toss dirt into my boiling water, I would prefer to clean (or peel) my potatoes before boiling them.
Nope. In fact when I was in cookery school here in the EU, I was told that it is perfectly safe to eat raw egg here, but that in the US this is never advisable.
You can eat raw egg (yolks and whites) in the EU because chickens are inoculated against salmonella. This has absolutely nothing to do with whether or not salmonella is allowed to accumulate and/or incubate on the outside of the shell.
Not really, all regulation will favor incumbents - it's just that some may be worth it. And it's worth noting that not all regulation is universally seen as useful.
You can make fun of it, but there's a reason that Silicon Valley venture capital goes to software engineering (where regulations have generally been lower) while significant disruption in the automotive space is coming from incumbents and one company founded by a guy with a net worth of $18 billion.
> there's a reason that Silicon Valley venture capital goes to software engineering (where regulations have generally been lower) while significant disruption in the automotive space is coming from incumbents and one company founded by a guy with a net worth of $18 billion.
Maybe it's because the auto industry is far more capital-intensive than software. I don't see anyone taking on incumbents in capital-intensive IT businesses, such as cloud services (do you want to compete with Google, Amazon, and Microsoft with your VC money?), or in software, operating systems in entrenched markets (desktop and smartphone).
That would be the self same reason the net is starting to attract regulation. Some of that significant disruption basically involves extending a middle finger to the laws and regulations of the country they want to do business in. I might call it taking the piss.
Taking the piss with laws and employment rights such as Deliveroo etc, or taking the piss with user data and personal privacy.
We'll be left with some of the regulation long after many of the disruptors that caused it have burnt out.
Conversely, people have also seen how some laws - like those protecting taxi drivers in this example - did nothing to help consumers. Not all regulations are being missed.
From the times I've been to the US I can see how disrupting NYC taxis could be a very good thing indeed. UK taxis? Nope, happy to keep those regulations and want to see them applied to Uber etc.
Vast difference between those examples, not least of which is that there are concrete rules around automotive safety to easily calculate the cost of implementation and verify compliance.
GDPR is full of vague terms and is global regulation based on principle rather than actual hard rules, which will increase costs and come nowhere near accomplishing the objectives it claims to do.
What is this, 1995? You're gonna need more than airbags and seat-belts and fuel efficiency.
Modern cars need ABS, TPMS, electronic stability control, passenger airbags, a backup camera and crash test standards all but demand side curtain airbags.
Don't get me started on emissions. Fuel economy really isn't a big deal or hard to meet. It's the half million other little things that need to be in a specific range that really waste the R&D time and money.
For something like a low end subcompact compliance is a huge chunk of the price.
Given the choice between a 1999 Toyota Solara (or whatever) which has one or two airbags for $5k or a new subcompact hatch with none of the listed safety features for $6k or $7k I'd probably take the subcompact. There's been huge improvements in all sorts of non-safety aspects of vehicle design in the past ~20yr that the subcompact has that the old sedan doesn't.
There's rapidly diminishing returns for regulating cars because by driving up the price of new cars you extend the time that the old ones stick around and the people who choose less safe alternatives (see mopeds in Asia)
Saying "regulation that mandates $goodthing is good" as a blanket statement is approximately of the same dumbness as saying "regulation is bad" as a blanket statement.
Regulations, the regulators that make them, and the incumbents that support those regulators are under a sort of survival of the fittest to optimize for regulations that protect the incumbents but do so without being obvious and with some benefit to the consumer. Regulations that clearly support the incumbent and which clearly have no benefit to consumers will be the easiest to attack and remove. So if you want to cherry pick regulations, you can make them seem like perfect things that no sane person would ever have an issue with.
Look at how fines work, say with the GDPR. The maximum fine is 20 million or 4% of revenue, whichever is larger, which means that small businesses see a much larger risk as a percent of revenue from these regulations. This is independent of the chance of the max fine being applied. This inherently creates a pro-incumbent bias even if nothing else about the law created pro-incumbent bias.
Wouldn't it be sufficient to regulate outcome? I.e. mortality rate per passenger mile? Then, hypothetically, an AI company might be able to dispense with a lot of physical safety devices by taking advantage of the lower reaction times of a non-human driver.
What if - hypothetically - you came up with something safer than airbag & seatbelt? Even if all your customers found it to be self-evidently true that it was safer, the only thing that would matter would be if the regulator thought it was safer. A regulator who is likely controlled by the incumbents.
Now with something like car safety it's easy to say - no one will come up with something like this or if they do then the regulator will immediately allow it. But what about something like Internet privacy? I think it's more likely in that case for rules like the GDPR to be used to protect incumbents by keeping out competition.
Not only that - this is a great weapon to shut down websites that are against the current political agenda since virtually every site could be found non-compliant.
Regulation can both help make people safer and also get in the way of innovation.
A more realistic example:
Regulations say cars are required to have steering wheels. They also say cars are expected to be under the control of a driver at all times.
Good and all if you expect to have human drivers. But it increases the cost of self-driving cars. And humans are terrible at mode-switching right before an emergency (we know this from studies on airplanes, as well as from studies on self-driving cars).
The two ways of solving this: (1) develop a self-driving car that doesn't need a steering wheel (à la trains under positive train control) or (2) restrict operation of self-driving cars to people who are highly trained and regularly operate cars in manual mode (à la the airplane industry).
Alphabet/Waymo/Google can afford the army of lawyers and lobbyists required to make this happen. All the other start-ups in this space had to get acquired by an incumbent (GM or Uber) or restrict their domain to something with less regulation (e.g. private land -- golf courses; university campuses; the Las Vegas Strip).
Car market in what sense? Making new automobiles? Yes you'll need to comply with the safety requirements of the markets in which you sell.
Selling used cars? Generally, as long as the car is sold as originally equipped, there's no issues. I can sell or drive a 1970s era car without having to add modern emissions equipment, bumpers, and airbags for example. At least I can where I live.
Airbags and seat belts were installed in cars long before they were required by regulators. The same goes for improvements in fuel efficiency. This all is driven by competing companies trying to make a profit.
Air bags were 'installed before they were required' because auto manufacturers in the US were given a 7 year period to add them, not out of competition based on safety. This came only after a decade of the auto industry fighting to keep those safety features from being required, exactly because the auto makers were worried about profits and not consumer safety.
"A Federal agency today abandoned the long-disputed requirement that automobile manufacturers install automatic crash protection, such as airbags or ''passive'' safety belts.
The action by the agency, the National Highway Traffic Safety Administration, drew immediate protest from safety groups and praise from the automobile industry."
>I was thinking about getting in to the car market but all these pesky requirements that I sell a car with airbags and seatbelts and fuel efficiency compliance are just there to protect existing incumbents.
I think that by going to cars to prove your point, you prove how ridiculous regulation for websites is. For some reason there exists a group of people that believe that websites like facebook need regulations that are as strict as those required for developing cars.
People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)
Unrelated but something that further adds to the irony of using cars as an example is that companies such as VW haven't even been fined for cheating on their emissions test.
I doubt a country like Germany would ever consider allowing the EU to fine 4% of VW's global revenue even though they broke the law in a way that has resulted in people's deaths.
My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.
The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.
Equifax lost millions and millions of records and have so far faced no meaningful punishment from the UK regulators: as far as I can tell, they've so far made one brief statement on their website, and one tweet.
Major ISPs like TalkTalk lost millions of records (and ignored security researchers telling them about gaping security holes) and were given a slap on the wrist - £400,000 by the UK ICO. Mere pennies per user in fines; a drop in the bucket compared to their annual revenue. There is no economic interest to change their behaviour.
The negligence of these companies has led to millions of people having their personal and financial data stolen, having to keep eagle-eyed over bank statements and credit cards, having to worry that their transactions (or their travel bookings) might get flagged up as suspicious, that their credit rating gets eaten, and much else besides.
If a company you've entrusted your personal data with—not just your tweets or whatever, but sensitive personal data including health data, data about your religious affiliation, sexual orientation, etc.—loses that data, as a UK citizen, you currently have no right to appeal the ICO failing to take action. GDPR/DPA2018 changes that balance.
Companies tell consumers "hey, trust us with your personal data". Consumers do in the false belief that there is some protection or basic responsibility taken. When they colossally fail to take the most basic steps to protect consumers from data loss, the status quo was this: nothing happens to them.
> My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.
You present a false dichotomy here. As much as the GP is wrong for boldly asserting the negative as fact, you are wrong for just as boldly asserting the opposite, without allowing for the panoply of options that inevitably arise from the point a regulation is conceived to the point that it is enacted. During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.
> During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.
Sounds like you need campaign finance and lobbying regulations. ;-)
In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked, and the primary bottleneck to making software more secure is crap tools, crap platforms, poor training and inability to hire people who deeply understand security.
Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
> In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked
No, it boils down to an incentive. No company wants to get hacked, but a lot of those same companies aren't willing to invest in security measures and training that could mitigate the risk.
> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
I don't think anyone's proposing a regulation like that. However, it's not fair to put the costs of a data-theft squarely on the victims, when it was really the company that was responsible for securing the data.
But companies that do invest massively still get hacked. See: Google. Yahoo. Microsoft.
It's also not even always clear what hacking actually means. A common way users get hacked is by reusing the same password on every website. One of those small sites gets hacked, the hackers try the users password at bigger sites to see if they work. Big players like Google and Facebook have heuristic systems that try to detect and block that, but sometimes they don't work.
So who's at fault then? The user for losing control of their password? The small site, probably not EU based, doesn't give a shit? Or the big guys who tried to protect the user but failed? Given the way the GDPR is being done my guess is the big guys will get taken to the cleaners even though they did nothing wrong.
Basically, you can't stop a big company from getting hacked no matter how much you spend on security.
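The comment above describes the heuristic systems large providers run to catch replayed passwords from breaches elsewhere. As an added illustration (not code from anyone in this thread), here is the shape such a detector takes on the defender's side: a failed-login stream is grouped per source IP, and an IP that fails against many distinct accounts inside a short window is flagged, because a real user mistyping a password hits one account while a credential-stuffing run hits many. The log format, the thresholds and the addresses are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format and thresholds for this example; real systems differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
WINDOW = timedelta(minutes=5)   # how far back failures from one IP are remembered
DISTINCT_USER_THRESHOLD = 5     # failures across this many accounts from one IP is suspicious

# Constructed sample auth log, already in time order. One user mistypes their own
# password, one IP sprays five accounts in seconds, one IP is too slow to trip the window.
SAMPLE_LOG = """\
2018-05-25T10:00:01Z ip=198.51.100.4 user=alice result=fail
2018-05-25T10:00:09Z ip=198.51.100.4 user=alice result=fail
2018-05-25T10:00:15Z ip=198.51.100.4 user=alice result=ok
2018-05-25T10:01:00Z ip=203.0.113.7 user=alice result=fail
2018-05-25T10:01:02Z ip=203.0.113.7 user=bob result=fail
2018-05-25T10:01:04Z ip=203.0.113.7 user=carol result=fail
2018-05-25T10:01:06Z ip=203.0.113.7 user=dave result=fail
2018-05-25T10:01:08Z ip=203.0.113.7 user=erin result=fail
2018-05-25T10:01:10Z ip=203.0.113.7 user=frank result=ok
2018-05-25T10:10:00Z ip=192.0.2.9 user=gina result=fail
2018-05-25T10:20:00Z ip=192.0.2.9 user=hank result=fail
2018-05-25T10:30:00Z ip=192.0.2.9 user=ivan result=fail
2018-05-25T10:40:00Z ip=192.0.2.9 user=judy result=fail
2018-05-25T10:50:00Z ip=192.0.2.9 user=kate result=fail
this line is not in the expected format and is skipped
""".splitlines()


def parse_line(line):
    """Return (timestamp, ip, user, result), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("ip"), m.group("user"), m.group("result")


def detect_credential_stuffing(lines):
    """Flag IPs whose failed logins touch >= DISTINCT_USER_THRESHOLD distinct accounts
    inside WINDOW, and report accounts where such an IP later logs in successfully.

    Returns (flagged_ips, possibly_compromised_users): flagged_ips maps an IP to the
    set of accounts it failed against; possibly_compromised_users are the accounts a
    flagged IP then got into, which are the ones worth a forced password reset.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) for recent failures
    flagged = {}                  # ip -> set of accounts it failed against
    compromised = set()           # accounts a flagged IP logged into successfully
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, user, result = event
        if result == "ok":
            if ip in flagged:
                compromised.add(user)
            continue
        window = recent[ip]
        window.append((ts, user))
        # Drop failures older than WINDOW so a slow trickle never accumulates.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        users_hit = {u for _, u in window}
        if len(users_hit) >= DISTINCT_USER_THRESHOLD:
            flagged.setdefault(ip, set()).update(users_hit)
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_credential_stuffing(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"{ip}: failed against {len(users)} accounts: {sorted(users)}")
    print("successful logins from flagged IPs:", sorted(compromised))
```

The window is what keeps the false-positive rate down: the third IP in the sample fails against five accounts too, but ten minutes apart, so it never has more than one failure in the window and is not flagged. A production system would add rate limits, device fingerprints and a check of the submitted password against known-breached lists on top of this.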
> Basically, you can't stop a big company from getting hacked no matter how much you spend on security.
I never said anything to the contrary, but the observation is irrelevant. You can't stop all pollution, but that doesn't mean you shouldn't pass regulations that either ban it or impose liability for it.
That's an invalid metaphor. The point behind regulating specific types of pollution and fining companies that emit it is in fact to completely eliminate it. When total elimination isn't possible regulators have taken alternative approaches, like phase outs and carbon trading schemes.
The GDPR authors appear to believe that not being hacked is merely a matter of choice, despite all evidence to the contrary. They are clearly dangerously delusional. If even Google, with its pick of the crop, unlimited budget and massive security team, cannot avoid being hacked, then nobody else has a chance.
What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?
If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released then yes, you're going to be regulated.
> it was really the company that was responsible for securing the data
It was the financial industry and government that were responsible for implementing an identity scheme with a less insane architecture than handing the same secret material to every relying party. I disagree that we can or should force everyone to tie themselves in knots supporting it.
You say that, but what are the attack vectors in these high-profile breaches?
- Unpatched, publicly documented vulnerabilities.
- Unauthenticated S3 buckets.
- Unencrypted laptops.
- Default passwords.
This isn't subtle crypto weaknesses or attack vectors missed in the security assessment of protocol designs. It's carelessness. It's stuff that any high school kid who's good with computers will tell you about, let alone any IT professional or software engineer.
> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
It doesn't say "don't get hacked", it says "if (when?) you get hacked, minimize the cost to people who trusted you with their data". And the easy way to conform is: 1. do not collect more than you need to provide the service, and 2. do not keep the data you don't need any more just in case. Which should be the default, but in the world of cheap storage and data mining seems to be forgotten, or an afterthought. E.g. when a user unsubscribes we tend to set the flag "subscribed" to false next to the rest of their data, instead of removing the e-mail address we don't need.
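As an added example, not code from anyone in this thread, here is what the two rules above look like in practice for the unsubscribe case the comment ends with: the flag-only version keeps the address and everything else forever, while the minimized version deletes the record and keeps only a keyed hash so the address stays suppressed (you can still refuse to re-add it from a later import without storing it), plus a retention sweep that removes inactive records. The subscriber records, the key and the one-year window are constructed and hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical server-side secret; in production it lives in a secrets store, not in code.
SUPPRESSION_KEY = b"example-suppression-key"
# Hypothetical retention window for accounts with no activity.
RETENTION = timedelta(days=365)


@dataclass
class Subscriber:
    email: str
    name: str
    subscribed: bool
    last_activity: datetime


def suppression_token(email: str) -> str:
    """Keyed hash of a normalized address. Lets us honour an unsubscribe (refuse to
    re-add the address) without keeping the address itself; without the key the token
    cannot be turned back into an address or matched against a list of guesses."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, normalized, hashlib.sha256).hexdigest()


def unsubscribe_flag_only(db: dict[str, Subscriber], email: str) -> bool:
    """The pattern the comment criticizes: flip a flag, keep every other field."""
    rec = db.get(email)
    if rec is None:
        return False
    rec.subscribed = False
    return True


def unsubscribe_minimized(db: dict[str, Subscriber], suppression: set[str], email: str) -> bool:
    """Delete the record entirely and keep only the suppression token."""
    if email not in db:
        return False
    del db[email]
    suppression.add(suppression_token(email))
    return True


def is_suppressed(suppression: set[str], email: str) -> bool:
    """Check an incoming address (e.g. from a list import) against the token set."""
    return suppression_token(email) in suppression


def retention_sweep(db: dict[str, Subscriber], now: datetime) -> int:
    """Rule 2: drop records with no activity inside RETENTION. Returns the count removed."""
    stale = [key for key, rec in db.items() if now - rec.last_activity > RETENTION]
    for key in stale:
        del db[key]
    return len(stale)


def build_sample_db(now: datetime) -> dict[str, Subscriber]:
    # Constructed sample data: one active user, one long inactive, one about to unsubscribe.
    return {
        "alice@example.org": Subscriber("alice@example.org", "Alice", True, now - timedelta(days=10)),
        "bob@example.org": Subscriber("bob@example.org", "Bob", True, now - timedelta(days=400)),
        "carol@example.org": Subscriber("carol@example.org", "Carol", True, now - timedelta(days=30)),
    }


def demo() -> dict:
    """Run both rules over the sample data and report what is left."""
    now = datetime(2018, 5, 26, tzinfo=timezone.utc)
    db = build_sample_db(now)
    suppression: set[str] = set()
    unsubscribe_minimized(db, suppression, "carol@example.org")
    swept = retention_sweep(db, now)
    return {
        "remaining": sorted(db),
        "swept": swept,
        # Case differences in the address must not bypass the suppression list.
        "carol_suppressed": is_suppressed(suppression, "Carol@Example.org"),
        "dave_suppressed": is_suppressed(suppression, "dave@example.org"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the token set is that a breach of it discloses nothing usable, while the flag-only table discloses every unsubscribed address along with the rest of each profile. Which retention window is defensible depends on the service; the comment's rule is simply that it has to be a window, not "forever".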
So now we get a new status quo: "These measures are onerous and bake in internationally-controversial concepts like 'right to be forgotten,' so now companies may actually decide to punt on doing business with 500 million customers because the risk outweighs the rewards.' "
>My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.
We'll see. I have a feeling that European consumers and web companies are in for a world of hurt.
>The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.
I know that GDPR applies to everyone, I think it's pretty obvious it will be selectively enforced since the regulation is too burdensome. Do you think your local mom and pop hair salon that is not in compliance will ever be fined?
By the US and 2.8B is a fraction of what they deserved to be fined. All VW execs should be in prison for the rest of their lives for what they have done.
I guess it isn’t. There are laws which the US considers to be broken by external entities, yet the US introduces a completely inhumane programme worthy of the DPRK. Where’s the logic?
The original poster believes software should be regulated like cars. I pointed out that the fines for violating GDPR are larger than any fine VW will ever receive from the EU for literally killing people.
>You must point to the laws violated. E.g. Schmidt made a false statement to the California Air Resources Board under the Clean Air Act.
>Trial in the court of opinion and mob lynching is not compatible with the Western tenets of law.
Stop trying to shift goalposts, my point is that if any company deserved to be fined 4% of global turnover it's VW and they have currently received a total of $0 in fines even though they have probably increased the likelihood of you getting cancer.
I thought we established they received a non-zero dollar fine.
Their annual profit is about $13BN, they were fined $2.8BN which is about 22%. I think that along with imprisoning an exec that was complicit in the lie is a significant and reasonable deterrent/punishment.
As for VW significantly increasing the likelihood of any given arbitrary citizen getting cancer I'd love to see the numbers on that. Sounds like hyperbole to me[0]
> People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)
I think the public, and much of HN, disagrees and is beginning to believe that the lack of privacy is undermining democracy, liberty, and human rights.
There are actually some historic examples. A university once performed scientific research on a minority group. Then the Nazis acquired the list and murdered the participants.
Obviously that's at risk of happening again, but machine learning and AI are at risk of learning to be discriminatory by training on data sets resulting from historic and modern discrimination.
When applying for jobs, it may be possible to enter somebody's info into a next generation background check software to get a % probability of the candidate voting for a specific political party, and declining to call/interview based on that alone.
Even when it's not intentionally discriminatory, this is leading to a future where the teller says "sorry, you were declined. I don't really know why, the computer just made the decision". Where's the accountability?
In credit reports, I can at least request my credit report and understand how to improve my score or dispute line items.
If my car crashes, or I am extorted due to my sexuality, or killed for my religion, it's all the same. It is deadly. Data privacy is not a nebulous concept. It is a human right.
If you have to keep your religion secret to avoid being killed, you have MUCH bigger problems in your society that I don't think "nobody knowing who is secretly Jewish" is actually going to fix.
It's not like a future hypothetical fascist dictatorship isn't going to have access to the necessary records to piece it together or would follow its own GDPR constraints, nor would the GDPR stop it from arbitrarily deciding some people are Jewish without detailed evidence.
I'd like to think the GDPR is underpinned by better philosophy than a false hope it could prevent a future Holocaust.
I think it is generally based against discrimination and not focused on something as extreme as a state-organized Holocaust. Also the GDPR does not care about this. For the GDPR these are just attributes which should be protected.
A core rule of data privacy is to restrict yourself to the information you actually need. For religion, as for sexual orientation, it is rarely justifiable to collect it at all.
Car manufacturers are required to put seatbelts in their cars because of regulation. In this case, it's not done to "decrease competition". It's not done to "increase monopoly". It's not done to "create central hubs of systemic risk". It's done to save lives.
Regulations affect profits, yes. Regulations may have unintended consequences. Making regulations that protect people and still allow for a healthy free market is a hard thing to do. It's heavily context- and market-dependent.
It is what it is and we have to live with it, but it's not as black-or-white as you make it sound.
And when it comes to European business law in particular, there's no reason to believe favoring incumbents and decreasing competition isn't an intended benefit.
When Amazon entered the French market, it tripped over laws putting a floor on discounts allowed that are intended to protect book sellers, not purchasers.
On the contrary, telecoms are very much regulated in the US. There is an entire commission for regulating radio/television/cable communications: the FCC.
I could hardly choose a more regulated industry than telecommunications.
The US has a problem of private industry infiltrating and co-opting government, and people largely normalizing it. The landscape for telecoms is simultaneously over-regulated with respect to allowing room for new players to enter the market, and under-regulated with respect to consumer rights. US regulations favor monopolies, and monopolies abuse their influence on regulatory boards to shut out new competition.
Regulation can mean different things to different people. It's just stupid, one-dimensional, shallow thought to try to paint all regulation with a broad good-vs-bad brush.
Name any system that does not experience entropy: all 'regulations' over time become corrupted/exploited. That's the nature of evolution and natural selection.
The biggest areas of regulation are food safety, health care, mining and transportation. There is a clear theme for why they exist and a rather established history of how things were before them.
And while all those have their share of monopolies, I do not see how the current data handlers on the web before GDPR are better. Google is massive. Facebook is massive. The number of online newspapers that hold 90% of the market are few. Talking about how regulations are going to increase monopolies where it's already monopolized seems strange.
> Regulations tend to favor incumbents, decreasing competition, and thereby increase monopoly and creating central hubs of systemic risk
I realize that I've heard that before, but what is that based on?
> There is no free lunch with one-size-fits-all rule making. Unfortunately regulators think there is.
I've never heard of regulators, at least in the U.S., not considering the cost of regulations. It would be hard to avoid in the legal rule-making process.
That it can, sure. It can also reduce barriers to entry. E.g. entering the ISP market anywhere in the EU is vastly simpler than it was, since the incumbents have faced legal requirements to lease last mile capacity at regulated prices (e.g. in the UK you can go to OpenReach's site and download the wholesale price lists), while they can also lay their own cables if they can afford it.
Not every claim on HN needs a backup. This one makes total sense to me. In this case, the article itself shows that regulation is definitely decreasing alternatives, which in turn can lead to monopolies.
Glad you can tell how regulation affects a market after less than one day of being active law, and zero enforcement actions or cases suggesting how courts/regulators are going to interpret the rules.
You do know that GDPR is not the first regulation that has ever been written, correct? There is a huge body of economic literature already dedicated to the subject.
And you do know that not all regulations are the same?
You are making it sound like some kind of universal consensus on the validity of regulations exists, but such a consensus does not exist because it's a way too complex, and wide, topic to be making blanket statements about.
Cutting access in Europe does not solve anything. I'm living in the US but I am European. Thus I can visit any of the above-listed websites, they are processing my data, and GDPR applies to me. So they are not complying and I could file a complaint.
File a complaint with who? There's no EU-wide data privacy regulator. Which specific EU country would have jurisdiction over an interaction which took place in the US?
> Which specific EU country would have jurisdiction over an interaction which took place in the US?
OP’s country. The "place" that interaction took place in is irrelevant here, unless the company "doesn’t specifically target its services at individuals in the EU"; OP is a citizen of an EU country so the GDPR rules apply.
That's not how jurisdiction normally works. A French citizen working within the US for a US company can't demand that they follow French employment regulations.
That depends entirely on how the lawmakers in question decide to act. Many countries claim jurisdiction over certain types of events occurring outside their own borders. E.g Belgium claims jurisdiction over human rights violations. Norway and many others claim worldwide jurisdiction over sexual abuse of children. The US claims jurisdictions to tax US citizens worldwide. The question tends to rather be whether or not they are able to enforce them, and so normally in such cases the practice is to only prosecute if the people involved are within your own borders.
Your example is flawed in that most countries that use these kinds of mechanisms will tend to either require an extraterritorial jurisdiction to be written into the law, or will assume that only certain classes of crimes transcend jurisdictions. E.g. in the case of Norway, Norway has traditionally claimed extraterritorial jurisdiction over Norwegian citizens, but with the practice that things that are legal in the country you are in are generally not possible to prosecute in Norway unless there is a law that specifically claims extraterritorial jurisdiction (sexual abuse of children being one such example, where Norway may prosecute people who return from countries with weak or non-existent protection of children younger than the Norwegian age of consent).
In other words: it's how jurisdiction works if your courts want it to work that way.
How in the heck is "blocking all European users" a cute work around?
The laws apply to European people. What if a site just doesn't want any of these people to be customers?
The EU can't force you to accept its users.
If anything, the business should sue the EU customers who accessed their website without permission. You are breaking the rules as an EU citizen by doing so.
Things like this will test how much EU citizens value their privacy. Of course there will be some sites they will not be able to visit but time will show if they are okay with that.
These rules are very similar to rules limiting loans. No matter how desperate a person is and how low credit they have, in the US you can't give them a loan for above a certain amount of interest. That could be terrible for a poor person who is about to be evicted if they don't get some money right away. But we as a society are willing to accept that if the result is that more loans will be "reasonable".
If GDPR is enforced as HN people say it will be (in a good way) then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.
If it is enforced in a bad way then big companies who can navigate the law will get bigger because their small competitors will be too afraid of the law and shut EU users out.
So EU citizens will either revolt and destroy EU or read their news from somewhere else? More likely, will do the usual thing people do for geo-locked content: Use proxy or pirate until a convenient solution takes off. That convenient solution will be GDPR compliance by the offender or a competitor.
I mean, mild annoyance is nothing compared to the annoyance of a war-torn continent. I wouldn't bet too much on the destruction of the EU or even withdrawal of the GDPR.
> So EU citizens will either revolt and destroy EU or read their news from somewhere else?
Those are the only two options? Now that I know that, instead of what a practical person might deem as an option, which is to repeal the law, the EU and GDPR proponents' mindsets make a lot more sense. I often wondered why new legislation was piled on older legislation that wasn't even enforced then, and why other statutes wrt cookies and what not cannot be seen by legislators as more bad than good and worth removing. Now I know.
As an EU citizen, I don't think the law is bad but you are free to be upset about it, of course.
Please respect our laws and privacy or don't do business with us. We will be very sorry if your product is irreplaceable or we will use a competing product that complies with GDPR.
I didn't say the law was bad, I was saying if it turns out to be, repealing it should be an option. Too often there is no going back from these things because it's not considered an option. Instead only options like revolt, go elsewhere or use a VPN are presented.
Obviously the last incarnation of the GDPR didn't work for multiple reasons, the most oft-cited one being non-enforcement. Was the option to repeal and take other approaches to the problem considered? Nope...double down. Since people agree with the intent, the approach often appears above reproach.
Of course it is an option, the problem is that you claim it not to be and you claim that "the EU and GDPR proponents' mindsets make a lot more sense" because I asked a question to emphasize the "test" on the EU citizens.
I see you're in Texas. Don't worry too much about EU, we are doing fine. We will figure this thing out if it turns out to be more bad than good.
Please respect our laws and privacy or don't do business with us.
Stop sending us your data and money? I don’t leave the US to deal with EU customers. You send requests to my server in the US. If you’re unhappy with me, stop doing that.
And it’s pretty rich to complain about companies not complying and leaving the market, while also using VPNs to use their service anyway. Apparently protecting your data isn’t as important as you say?
I haven't been given an option not to make calls to your servers, those websites used to load 20 tracking scripts without asking me. Thanks to the GDPR now I will be able to stop sending requests. What's the problem?
See, how browsers work is that they load this thing called HTML that describes the content and can load other stuff without asking me. Apologies if I accidentally sent any data or money, it wasn't my call. It was in the HTML that I loaded because I was offered to view a free article.
If it’s your right to use an adblocker under the theory that you should control what requests your browser makes from your device, then which requests it makes are also your responsibility.
Regardless, whether you intended to send my server a request is your problem. The fact is that you did, and that hardly gives full control of my business to whatever legal jurisdictions claim you as their subject.
Well, as it turns out, it's your problem. Like, literally :)
Anyway, don't be too upset about all this. The law is not banning you from collecting my data, you just need to be explicit and informative about it so that I can decide if I am going to send a request to your servers.
I'm often disturbed by the mindset that people are some business' god-given right to exploitation. It's the other way around really, that is, if you can find a way to serve me or solve a problem of mine I might choose to do business with you if I decide that the compensation you demand is fair.
If your business is unprofitable when you have to ask me for permission in plain English maybe it simply means that you don't have a profitable business and you should consider doing something else.
We don't see business people complaining that government regulations are hurting their organ harvesting businesses, right? People decided that they don't want other people to sell their kidneys on open markets, so that business doesn't exist.
People at some point decided that they don't want to get cancer from asbestos, regulations kicked in and the asbestos businesses were destroyed.
This time around people seem to be in control of their data, if that makes your business unprofitable or impossible do what others did: Something else.
Well, as it turns out, it's your problem. Like, literally :)
Only if the EU can enforce it, which they can’t. I don’t pay attention to laws from other countries that don’t apply to me and have no teeth, and I’ll ignore this one as well, until there’s some enforcement mechanism. At that point I’ll evaluate. I’d probably just block the EU though; not worth the hassle.
If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.
This is a false dichotomy:
1. Fully comply with the GDPR, no matter the cost, even if that's just legal and administrative because you're not actually doing anything in terms of data practices that would violate the law.
2. Go out of business, because you clearly are intending to do shady things that violate user privacy.
If you can't make a profit by selling $1 burgers when you meet hygiene requirements, just get out of the $1 burger business.
Perfect example.
Say I run a burger shop that is perfectly clean and in compliance with all local laws, but the EU passes a law that says I need to fully audit all my food safety practices, publish them in a public place with their format, appoint a food safety rep in the EU, and comply with other vague requirements that they deem necessary, just in case an EU citizen visiting the US comes and eats at my shop.
Now, if I ignore that, am I "breaking the law"? I guess so. Just like I might be breaking some Indian law by serving beef at all (hypothetical). But does it actually matter? Can the law be enforced? Should I care as a matter of civic duty? Very likely not.
Worse, should the entire citizenry of the EU suddenly decide that my small town burger shop in Iowa clearly intends to feed every customer tainted beef and deserves their opprobrium and any fines that can possibly be levied by the EU, just because I didn't fully comply with their law?
And if they do develop some enforcement mechanism to use against small town USA burger shop, how is it not my right to put up a sign that says "Sorry, EU customers, but please don't eat here, as I don't comply with your laws"? Is your argument seriously that I should comply with every law from every jurisdiction in the world, just because a customer from that jurisdiction might wander into my shop, even when I've expressly told them not to?
See, that's not what GDPR does. Maybe in your alternative-facts GDPR your case may have a point. I don't see why I should argue over a hypothetical GDPR, let's focus on the reality.
About the burger thing, we do not need to assume things here, we can examine the reality and the reality is that McDonald's complies with the EU regulations when doing business in the EU, local American burger shops that don't do business in the EU do not comply with the EU regulations. I hear that you have some amazing burgers in the USA, will definitely try a few local shops!
OK, so let's say that hypothetically I run a small business in the US. I just sell access to software (that lives on my server in the US) instead of burgers. An EU visitor comes to my server in my country and buys something. Why should I care about their laws any more than the burger shop owner should?
Is your argument that someone else in the business should care or is your argument that EU visitors should not have rights to their data because it is inconvenient to you? Depending on your arrangement, if you are a reseller for example, you probably are not responsible for what that software does with your customer's data.
Also, burger shops that do business in EU(usually chains, McDonald's and Burger King) do care about the EU food regulations, why shouldn't they and why shouldn't you? You are aware that McDonald's isn't steamrolling in the EU, right? They do follow the EU food regulations. And no, you don't have to be a big company to sell burgers in the EU, we have plenty of local independent burger shops all over the continent.
Burger shops IN the EU are a completely different thing.
My primary argument is that the GDPR's attempt to regulate companies in other jurisdictions because EU citizens go INTO those jurisdictions and do business is a dangerous precedent. If there was an enforcement mechanism for all such laws, it implies that any business or individual anywhere in the world with a website should therefore have to comply with any laws from any jurisdiction that are similarly constructed.
If my website says things about Islam that Saudi Arabia passes a law against, I should be fined.
If my website disrespects the king of Thailand, I should be extradited for imprisonment.
If I encourage NK citizens to revolt against their oppressive regime, I should end up in a labor camp.
After all, those governments have a right to say that if I want to "do business in their jurisdiction", I must respect their laws, right?
(To be clear, I'm not talking about enforcement of these kinds of laws, because all of those countries might do the above if given the chance. I'm talking about what I SHOULD do as a matter of morality or ethics or civic duty or whatever, or what my government should cooperate with those governments on, because it's just.)
But the problem is that they're describing "doing business in their jurisdiction" as a citizen from their country (maybe even one who is currently visiting my country) going online and sending my server requests, data, and money. And apparently explicitly telling those citizens to please NOT do that, or blocking them, is not sufficient. The only way to make the majority of the EU users on HN happy is to comply. Why would that same logic not apply to all other kinds of laws?
So do you argue that businesses that do business over the internet should be subject to the laws where the business is legally based?
So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?
Or is your argument something else, something selfish like all online businesses should operate according to the US laws, or something like online businesses should not be bound by any laws whatsoever? Or something else?
So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?
If by "operate in the US" you mean that they are based in the EU and allow US residents to visit their website and purchase from them, then yes, absolutely. Why would it be any other way?
I just don't see how the alternative works at all. Why couldn't some city in France pass a law that if a citizen of their city buys something from your site based in Hong Kong, you owe that city a tax of $50k. That's obviously ridiculous and not enforceable, but why is it not based on the same underlying legal theory that a business is bound by the laws of jurisdiction where visitors or customers to their site originate from?
Well, "HQ based law" is not the case and it's a much larger discussion that doesn't have anything to do with the GDPR or EU.
The USA too is going after foreign companies doing business with Iran or Cuba. The USA is not happy with cryptocurrency ICO's and it's enforcing it. The USA is forcing the world to respect DMCA.
The taxes are also an issue, even within the USA due to different VAT in different states.
These are topics that have been in discussion since the beginning of the internet and the dust is just settling and the solution is not as simple as "You obey the laws according to the country you're based in". It's a huge huge topic.
Edit: And FYI, many countries do enforce a tax on foreign purchases. For example, Turkey will be forcing American internet giants to charge VAT to its Turkish clients and transfer that VAT to the Turkish government. Countries want to collect taxes, you can't really get away with "I am an American company so I operate tax-free" argument. Politicians will work out an arrangement like "I will make your tax law enforceable on my companies if you let me use your military base and purchase weapons".
You don't have to convince me that the US tramples on the sovereign rights of other countries just because it can.
The tax situation is a good example. Historically, sales tax has not been able to be levied by states against companies just because they have customers in that state. They have to have physical "nexus" in that state as well. There are a number of states trying to do an end run around that right now with "economic nexus", which will probably end up in the Supreme Court at some point.
Many countries try to say that VAT is due, but their ability to enforce is pretty limited. If you run a small business online and you WANT to pay attention to every single global tax jurisdiction and send them whatever tax they say is due, go for it. But if you don't, the practical reality is that there's nothing they can currently do about it.
I do agree that these issues are complicated and that the Internet has thrown a monkey wrench in a LOT of legal precedent in ways that will need to be sorted out.
I just don't think the GDPR is the right framework. Data privacy may be a human right, but so is democratic representation, and having governments all over the world pass laws that they say apply to my company is unjust.
> So do you argue that businesses that do business over the internet should be subject to the laws where the business is legally based?
Well, duh, businesses are subject to local laws! That is not an argument, but a fact. Don't take my word, ask your friendly lawyer.
What is your alternative? That online businesses are subject to the union of all the laws of all the countries whose citizens can reach them?! That's ridiculous. Do EU businesses follow Iranian regulations?
Of course, if they want to do business in Iran. The same goes for every company and country. Don't you believe me?
Go to your iPhone's Settings-> General -> About -> Legal -> Regulatory
There you'll see which regulation Apple follows. Despite being a US based company, Apple complies with the regulations of Canada, Europe, Japan, Singapore, Russia etc.
How do you even imagine that a company will be doing business in one country but will be excepted from the regulations because it's based in some other country? That would not be possible, companies would simply move to the least regulated place with the lowest taxes. Oh and they do that wherever possible (i.e. sell to the EU from Ireland).
Not when a US site uses a "copy protection" mechanism to ban all EU users, and grants a copyright license giving full access to US users and no access to EU users. Then your EU-based choice to use a proxy becomes a copy protection circumvention under the ECD, and the user is subject to a lawsuit.
> then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.
Availability of quality free content is not a problem, the content will just be available from other source.
The big problem on the ads-monetized web today is ranking high enough, and the sites that don't want to apply GDPR will just have to compete with the sites that do have the extra push the EU market gives them. On the advertiser side, they make direct money from content accessibility so they will upgrade their tracker so it is GDPR compliant for EU traffic with no work from the content publisher. That is a non-issue, this is just day one of a big change.
Let's also not paint a rosy picture of the web either. Geo-blocking is a common daily reality for people outside the US. Any valuable and popular content is locked already, despite being monetized quite directly (see Netflix, Amazon Prime, ...)
>Availability of quality free content is not a problem
Only if all content on every web site around the world is equal. Which it is not.
If the quality was the same everywhere, and the same content was available everywhere, then people in Europe wouldn't have to go to web sites in other countries.
There are lots of reasons for companies in Europe to need to read the Chicago Tribune (PR clipping service, for example). But the Tribune's content is no longer available to the E.U., and will not be replicated elsewhere for copyright reasons.
As much as I dislike Tronc as an entity, I don't blame it for this decision. Within hours of GDPR going into effect, the lawsuits started flying. That's exactly why some companies decided it was easier to just opt out of Europe.
The question is - the sites that serve massive amount of content (images, videos, etc) - will they be able to cover their costs in the EU without making their apps paid? What about currently free games which rely on personalized ads?
You can still run a free website and be compliant with the GDPR. The EU/EEA is the largest market in the world, closing yourself to a market that size will hurt more than changing a few things to be compliant.
>closing yourself for an market that size will hurt more than changing a few thing to be compliant
Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.
> Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles?
If you run a free website that depends on targeted ads to make money, you might want to expand to the EU but now you'd need to totally change your business model to do so. For some that would basically mean inventing a new company because their service is not the type people would pay for. So in this case, it may not be worth it.
> There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.
The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.
They could still make some money from showing non-tracking ads to European users and tracking ads to American ones. Perhaps not as much, but as they have already written the content I don't see why you would just give up on that revenue stream.
The point is that, if I'm not making material money from EU residents today, it may be easier for me to just make it clear that I'm not trying to do business in the EU than figuring out if I need to do anything to become compliant. I may in fact be 100% compliant, but it may take effort to figure that out and there's potentially still some risk.
Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.
This could definitely happen, but would not make sense for the Chicago Tribune and LA Times, which are big corporate entities united as subsidiaries of Tronc, Inc., and could even pool resources to have one compliance office among them from the parent company.
For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:
- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and prefers not to invest in doing so.
- Tronc can’t remain profitable if displaying GDPR-compliant pages in EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).
- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.
So while I agree with you that some small businesses just don't want to mess with GDPR compliance or risks, however small, it certainly isn’t a viable explanation for these newspapers.
It's likely that it's just a side effect of months of institutional paralysis. The Chairman of Tronc stepped down earlier this year after allegations of misconduct and I believe they were negotiating the sale of the LA Times to an investor and the rest of the company to Softbank.
I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks users accessing their site through a VPN, without informed consent, they are in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't make provisions about whether the controller or processor has a way to find out if the behaviour of the data subject takes place within the Union. I don't see any reason for a different interpretation in the Recitals, either. Furthermore note that subs a and b in art 3 para 2 are alternative, not cumulative requirements.
Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.
The relevant language is in recital 24. “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.) Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it whatever people may wish.
Sure, that's a criterion for art 3 para 2 sub a. What I am talking about is sub b, for which the question whether one offers goods and services is irrelevant (that's what I meant when I said 'a and b are alternative, not cumulative').
So the question is - does the Chicago Tribune 'monitor user behavior'. The recitals say about that
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.
I've been served ads on US outlets for products which clearly target my home market (Germany). This will make it hard to argue that you are not targeting that audience. In my opinion, if you serve ads on your site which target EU consumers, you're doing business here. I don't think it matters whether you do that through a third party.
By blocking EU IP ranges, that may change, I admit that. However, if by other measures like fingerprinting the browser you serve EU-specific ads to VPN'd users you may be in for problems.
IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.
The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.
So you're saying that if I block my site to EU IPs, and someone uses a VPN to look like they're coming from the US and bypass that, they can then sue me under the GDPR? No way.
No, they can't 'sue' you; they can make a complaint to their data authority who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority to make a case out of it, then yes. (provided everything else also applies, e.g. the things being talked about in the rest of this thread).
Put it in your TOS that European users are forbidden from using your site, and then if they complain to a data authority press charges under the CFAA, and sue them for damages you incurred due to their violation. Then let the courts hash it out.
Such TOS would most likely be 'unduly onerous' or whatever the local term for this concept is in other EU jurisdictions.
I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.
Unduly onerous to say you're not allowed to access the site if you're in the EU?
So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.
That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.
In many civil law systems, there are limits to contracts. Sometimes these limits are codified, sometimes they're not. Let's take Dutch law here as an example, because well that's what my degree is in. The Dutch civil code has a list of so-called 'black' and 'gray' clauses in terms and conditions; the black ones are always void, the grey ones sometimes (obviously grossly simplifying here, I'm not going to type a paper on a phone). Many catch-all statements are either black or grey, especially when they are designed to absolve one party from their legal obligations. Nobody is saying anything about requiring you to allow EU citizens. What I'm saying is the GP's plan is an obvious scheme to avoid one's legal obligations, and will be treated as such - and hence won't be a defense or obstacle when an authority goes after a non-compliant processor.
Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.
That point was part of a general observation. When something 'matters', that doesn't mean there can't be other factors. In this specific case I see no reason why the territorial scope would not extend to processors outside the EU when they monitor user behavior. Taking some limited technical measures to prevent access doesn't stop the law from applying to them.
This is only your opinion. It doesn't say that on the page you pasted. To be compliant you probably must clearly state that the service is not for EU residents and ask them to leave. Even that could be too little.
"...the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union [...] is insufficient to ascertain such intention"
I don't even see in the law whether or why the dpa would disclose the identity of the complainant. Maybe there are procedural situations where it would happen, I haven't really thought about it. I think people are too hung up on a specific person making a complaint. It's the dpa that will take action, probably removed a few steps from the initial complainant(s). This is not Law and Order style legal proceedings.
When you don't, a competitor steps in, and if the day comes that you want some EU sales you will have to spend huge sums to establish your brand if you are not a huge brand that's on TV shows and the news all the time.
Geo-locked products are nothing new. I lived in a communist country, a few EU countries and a middle eastern country and I can promise you that when a certain brand is not available a local competitor pops up, and after the original brand becomes available it remains a curiosity unless it's a massive pop culture icon (McDonald's, Coca-Cola, Amazon, Netflix etc. - stuff that's on American TV shows all the time. The TV shows are also geo-locked but local pirates make them available a few hours after the USA. Even in Cuba).
So, it's not a simple problem of if(profit < feel like worth it) then block EU.
False. The marginal cost of an EU customer is no longer zero. Why should I put in a bunch of work for GDPR compliance if the cost to implement it exceeds the initial marginal cost of an EU user. There is still the rest of the world.
Good. If you do not value my privacy, I don't want you to do business here. Another product will replace your own. And in all likelihood an EU one, meaning fewer euros leaving the eurozone.
Exactly. The most basic/outrageous example: anyone in the EU who installs Apache and leaves it in its default configuration which logs all page visits indefinitely is now a criminal.
Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.
Nobody would have said this a year ago. How are people getting so swept up in this privacy zeitgeist that they think web admins keeping logs is horrendous?
At my company doing this would be in complete violation of our data retention policy (not GPDR related). Where are companies running production services without handling logging of sensitive information? Regulation or not that kind of data is a huge liability for our legal department.
I know! Just imagine...your (likely dynamic) IP address exists in forgotten log files all over the web. The horror!
One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.
What possible "horrendous" harm is there from apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?
You can log IP addresses. Keeping them forever is bad.
It means that any future government, no matter how evil it is, could query your log and know precisely what I am doing on the internet right now. I might not want that.
Yes. It's fine to retain IP addresses for a reasonable amount of time if you have a good reason to keep them, such as security. Just rotate them as usual, and don't keep them longer than you need.
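An added example, not code from any commenter above, of what "rotate them as usual, and don't keep them longer than you need" looks like in practice for an Apache combined-format access log: a small Python script that drops entries older than a retention window and pseudonymizes the client address in the rest (IPv4 truncated to /24, IPv6 to /48). The log lines, the retention period and the reference time are constructed for the example; the combined-log field order is Apache's documented default.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def pseudonymize_ip(raw):
    """Drop the host part of the client address: /24 for IPv4, /48 for IPv6.

    The result still lets you spot scans or abuse from one network while no
    longer pointing at a single subscriber line.
    """
    addr = ipaddress.ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def process_log(lines, now, retain_days=14):
    """Apply the retention policy to an iterable of log lines.

    Returns (kept_lines, dropped_count). Entries older than retain_days are
    dropped; the rest are rewritten with a pseudonymized client address.
    Unparseable lines are dropped too: if we cannot vet a record we do not
    keep it.
    """
    cutoff = now - timedelta(days=retain_days)
    kept, dropped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["time"] < cutoff:
            dropped += 1
            continue
        masked = pseudonymize_ip(rec["ip"])
        kept.append(line.replace(rec["ip"], masked, 1))
    return kept, dropped


# Constructed sample input (documentation-range addresses, not real visitors).
SAMPLE_LINES = [
    '203.0.113.42 - - [20/May/2018:10:12:33 +0000] "GET /index.html HTTP/1.1" 200 5124 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [25/May/2018:08:00:01 +0000] "GET /feed HTTP/1.1" 200 10 "-" "curl/7.58.0"',
    '198.51.100.7 - - [01/Jan/2018:00:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "-"',
]
SAMPLE_NOW = datetime(2018, 5, 26, tzinfo=timezone.utc)


def demo():
    """Run the sample through a 14-day window; returns (kept_lines, dropped_count)."""
    return process_log(SAMPLE_LINES, SAMPLE_NOW, retain_days=14)


if __name__ == "__main__":
    kept, dropped = demo()
    print(f"dropped {dropped} entries outside the retention window")
    for line in kept:
        print(line)
```

On a real host this would run from a cron job or a logrotate `postrotate` hook over the rotated file, and the unmasked log would be kept no longer than the rotation interval itself. The window is the policy decision the comment above describes: long enough to investigate an incident, no longer.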
Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to 20 million euros.
The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!
But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??
Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?
> If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?
Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.
That's optimistic ... but there is no reason to believe in many niche areas that another equally good product will do that. It is very plausible that in fact what will happen is that EU customers will be significantly delayed in accessing valuable services and products. And in many cases the web sites provide those would be making no meaningful intrusion on privacy in the first place.
Please don't believe your own propaganda. EU/EEA revenue is a fraction of US revenue for all large multinationals. Small businesses probably make even less from the EU.
> the result will probably be that a lot of free websites ban EU users
Good riddance, at least we know what websites we shouldn't have visited in the first place.
> smaller companies take their place with products that either cost money or will be a bit worse.
Or they will be better and still be free.
News companies are dying, news is a commodity, if I can't read something on the LA Times, I'm sure I'll find that same article on some other news site.
> small competitors will be to afraid of the law and shut EU users out
It's not a complicated piece of legislation, the short version is this simple: only collect data you actually need on your user to offer your service and be prepared to explain why, that's basically it.
> But we as a society are willing to accept that if the result is that more loans will be "reasonable".
The actual reason is that if you don't limit the loans, your economy will collapse.
You assume that just because someone doesn’t want to go through all the hassle of being GDPR compliant that the website is somehow bad? Among other things this includes setting up an EU representative, a high bar for a free product... Obviously you haven’t had to deal with GDPR compliance.
> You assume that just because someone doesn’t want to go through all the hassle of being GDPR compliant that the website is somehow bad?
If they are not collecting any personal data, there is no hassle.
Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?
> Among other things this includes setting up an EU representative
Citation needed.
> a high bar for a free product
The product is not really free because users pay for it with their data, which was unclear before.
> Obviously you haven’t had to deal with GDPR compliance.
Obviously from what? Are you a GDPR compliance expert?
> Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?
Ah yes, the old "all regulations are equal" argument. It should come as no surprise to you that people view safety regulations on automobiles as vastly different than regulations on what a company can do with data about you.
And there are people that think that seat-belt laws are an affront to human dignity. What's the point?
Safety regulations exist because people wanted them, and the same is true here for privacy and data protections. Unless you can convince EU citizens en masse that they don't want the rights and protections afforded to them by this law, then it really doesn't matter what any particular person thinks.
>Obviously from what? Are you a GDPR compliance expert?
You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge and I doubt any GDPR experts actually even exist today.
You only have to have gone through the implementation challenges personally to know that it’s hard and the costs (to do it by the letter) are high. In fact to do it by the letter you’re going to have to hire a law firm to ensure you’re compliant and they’re going to err on the side of caution and take you down a rabbit hole of implementation changes.
> News companies are dying, news is a commodity, if I can't read something on the LA Times, I'm sure I'll find that same article on some other news site.
Or the original news simply ceases to exist as is already happening at the local level in many cases. There's probably a continuing market for some global news organizations that are at least muddling through with subscriptions and other products. (Or not. See story on Time Inc. recently.) But I suspect the non-national/international journalism will continue to decline.
Websites could be compliant already, but don't want to spend money on an audit that would still be inconclusive as there is no official interpretation of the law.
Ironically, imgur shows a wholly non-compliant 'when you click yes here, you agree to all our default opt-in tracking, storing and sharing' popup when you open that link. But I have to give it to them - when you actually go into the scary-looking part, they do spell out in detail in what ways you're being tracked.
If those businesses are heavy shadow tracking/ads companies which don't even know which user data they are collecting, to whom they are sending it and for which final use, man, I am so damn happy.
Because the risk and costs of compliance are borne by all, not just the non-compliant. I would hope that "but laws only affect the bad guys" or "if you're doing nothing wrong you have nothing to worry about" would no longer be reasonable arguments these days.
> Because the risk and costs of compliance are borne by all, not just the non-compliant. I would hope that "but laws only affect the bad guys" or "if you're doing nothing wrong you have nothing to worry about" would no longer be reasonable arguments these days.
That's like saying that drug regulations are bad, because all opiate producers take on "the risk and costs of compliance," not just the street pushers.
The whole point is to actually raise standards for all of society. What you're criticizing is enforcing higher standards than the current status quo.
If you had used drug laws, e.g. marijuana laws, in your analogy it would make more sense. They think they are raising standards too. It's not about what the point is, it is about the implementation. It's so tough to have reasonable discourse about the topic because if you are against the approach people think you are against the whole point.
They claim that everyone had a lot of time, but what about the 1-3 person startup that’s been around for 4-5 years who is just getting by and didn’t have the resources to re-engineer their entire application or to write up a complex privacy policy or hire an EU Representative (Yes, apparently that is required as well). If the EU does clamp down on forced consent I think the long tail of small startups and publications and side projects will simply block EU visitors because they won’t have the means to become compliant.
I’d be interested to hear how problematic this is for new startups who are building GDPR compliance into their systems from scratch. It would seem to amount to needing bespoke permissioning for every user because forced consent is not permitted (although being widely used).
If the 1-3 person startup's application is geared around personal information and it needs a complex privacy policy to describe what it does with data, then yes, it will have to work very hard to comply with GDPR, but that will also result in meaningful improvements in privacy and data control for its customers.
Do you have examples of startups where data is not a core business concern, who still find it very onerous to comply with GDPR (and why it is so difficult)?
I'm sorry to come off as unsympathetic, but I feel I've seen a lot of complaints about GDPR, as though the impact on their business is accidental or a side-effect, coupled with apparent denial or inability to understand that their business practices are exactly the problem that GDPR intends to fix.
I have a profitable, bootstrapped SaaS business based in the US. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.
I've been talking to a very well known giant corporation (also based in the US, but with many global offices) for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless of the 4% fines in GDPR. They are putting some draconian clauses (various ISO certifications and such) in the contract that I, as a small company, cannot comply with. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.
The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.
This is the side-effect of GDPR.
I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.
I think once the dust settles and it becomes clearer how the law is being handled, it is going to get easier.
My first job twelve years ago was at a company similar to yours in Switzerland. A small bootstrapped SaaS targeted at enterprise and government. Switzerland is quite serious about privacy with strict laws regarding them, but since they have been around for a long time, nobody freaked out about it. It is just part of the daily business for everyone.
I can't remember compliance with such constraints being a serious competitive disadvantage for the company. In fact after Snowden the label "Made in Switzerland" and images of datacenters in mountain bunkers became an advantage internationally.
This is how "well known giant corporations" are. They have chosen not to understand the GDPR, gotten a lawyer to state that "ISO27001 certified vendors" will not pose a risk to them under the GDPR's security requirements, and so have set policy that they cannot purchase from vendors that are non-compliant.
Their policy office is probably still busy waiting for Y2K.
It sucks, but HIPAA was exactly the same, and I heard exactly the same complaint from tiny companies back then too.
You can get ISO27001 for as little as $5k. My advice is that if you can afford it, suck it up, if you can't, offer ISO27001 on-prem installation for an extra $10k. If they walk. They walk. You can probably get them later (see below).
But see, it's important to understand that you're wrong: This isn't a side-effect of the GDPR.
This is a side-effect of capitalism: With no laws requiring that they keep personal data safe, it is to their benefit to keep the data in as insecure a form as possible.
Look at Equifax[1], who have lost control of perhaps every single American's name, DOB, SSN, and address.
Data Protection laws are designed to protect people. Eventually, people will get used to them; the dust will settle. You'll have an opportunity to explain the actual risk/reward clearly to your potential customer's CIO office because the savings/efficiency you're promising will make it worthwhile.
But right now? Too much fucking hyperbole about the GDPR for anyone to be thinking clearly.
>It's a trivial application that stores mostly already public data
So wtf are you worrying about then? Only shady companies are afraid of GDPR; the fact that you look at GDPR as a problem is a huge let down in trust for your company.
That's a gross generalization. In fact, the parent explained quite well why GDPR can become a problem for smaller companies.
It's not the law itself that matters in this case but the clients' (quite possibly wrong) interpretation of that law. As of now, GDPR unfortunately leaves a lot of room for interpretation.
Article 27 stipulates that data processors outside the EU should designate a representative, a whipping boy, if you will. The representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
In most cases it would probably be the same person fulfilling both the representative and DPO functions but those are actually two separate roles.
>It's called Data Protection Officer and you only need to appoint one if processing personal data is your core business, which is reasonable.
Not commenting on the validity of this statement, but it's interesting how I can tell which continent you are from just by you saying that the regulation forcing a business to hire a DPO is reasonable.
Yes, I'm from Europe, and it's my opinion that the GDPR is very necessary and mostly reasonable.
I say that even though it caused me a lot of work for the past months.
The requirement to hire a DPO is not a new thing, by the way - many countries in the EU already required this. This is true for many provisions in the GDPR - in Germany, for example, very little changes from the way it used to be, their data protection law was strict to begin with.
The big difference is that companies would just ignore the laws in, say, Germany since they were operating from Ireland, and would claim that the German courts had no jurisdiction. Now, it's the same everywhere in Europe, which makes it much easier to enforce.
>The requirement to hire a DPO is not a new thing, by the way - many countries in the EU already required this. This is true for many provisions in the GDPR - in Germany, for example, very little changes from the way it used to be, their data protection law was strict to begin with.
Good for those countries? I'm not going to be happy with the idea of hiring some idiot to sit around and do nothing all day.
Jesus Christ, how disingenuous can you be? "Hiring" a DPO basically means appointing someone to the role who will take over these responsibilities. Depending on the size of your firm, the workload might be quite low and somebody can do it on the side, or, if you're talking Facebook, you might have a small department to do it.
I am writing replies on GDPR topics the other way around ("I see you are from the US"). GDPR is a regulation for a topic which is important in the European societies. Not so much in the US (free capitalism) or China (social score).
I mean, fine. I'm not an EU citizen, I think GDPR is a pain in the ass but ultimately it is not my decision no matter how much I judge you all.
But it does frustrate me that you all believe that GDPR will somehow be good for you. I've seen it said multiple times that when a massive American media company decides to pull out of the EU that a European alternative will emerge that is GDPR compliant and replace it.
Do you actually believe that if the economics of GDPR compliance did not work for a large American business that it will somehow work out for a small EU startup? The only way I can see it work out is if GDPR is selectively enforced against American business which it seems obvious to me that will be the case.
I never believed that the GDPR is a protective regulation. It is focused on huge players which coincidentally are all US based.
The winners of GDPR continue to be the big five. Hopefully, they will adjust their behaviors (after paying some painful fines) in the spirit of this regulation. Despite the GDPR, these companies will stay the technology and innovation leaders they are today. This will not change by that. This regulation will hopefully just force them to consider data privacy as something a lot of people really value.
> I think GDPR is a pain in the ass but ultimately it is not my decision no matter how much I judge you all.
Why judge at all? Europe has an extremely troubled history when it comes to abuse of private data - WW2, Franco, the Stasi, infiltration of moderate left-wing groups when the RAF was active, communism in East Europe. So, can you blame us for being protective of our privacy?
> But it does frustrate me that you all believe that GDPR will somehow be good for you.
Why not? Many countries already had strong privacy protections, but non-EU companies could retract themselves in various ways. So, it hasn't been a level playing field for a long time, since EU companies had to provide these protections. So, it is good for EU companies. It is exceptionally good for European citizens - they have a choice in how their data is used. US companies will eventually come around, Europe is a large and wealthy market. And complying with regulations is a walk in the park compared to e.g. China, Russia, or India.
> The only way I can see it work out is if GDPR is selectively enforced against American business which it seems obvious to me that will be the case.
Please let this myth die once and for all. The largest fines handed out by the EC affect European companies:
It really annoys me how many self-styled "Europeans" on HN feel free to speak for an entire continent.
Firstly, the EU is not the same thing as Europe. Yes EU officials and supporters love to use the word "Europe" when they mean EU - I find it nasty and manipulative.
Secondly, I'm from an EU country, now live in Europe but not in the EU, and I think GDPR is absurd. A great example of the general malaise and decline of the continent. As I have pointed out elsewhere, GDPR is not even remotely an important topic to people in the EU. Actual opinion polls run by the EU Commission have shown for years that the top concerns of the citizenry are immigration, terrorism and the economy, in that order.
Data protection simply doesn't feature in it at all. It's a dog and pony show put on by the EU to distract people from its failings.
> It really annoys me how many self-styled "Europeans" on HN feel free to speak for an entire continent.
> As I have pointed out elsewhere, GDPR is not even remotely an important topic to people in the EU.
Just pointing out the irony...
I can't speak on behalf of anyone except myself, but I can confirm that, while it's not the #1 thing people are concerned about, people do worry about privacy. Especially in Germany and the neighboring countries.
I am referring to opinion polls. By pointing out what opinion polls say, I am not "speaking for all of Europe". That would be me giving my personal opinion as if it was commonplace or standard in Europe.
It will certainly depend on the application. Compliance could be as simple for many apps as deleting a user's data manually when you get a support ticket/email from them asking to. You don't need to build automated systems. Same if they ask for the data collected on them.
It would be prudent for these companies to spend an afternoon creating a list of all the places where data is being stored about a user. That would just help if it ever becomes necessary to actually delete data.
See elsewhere in these comments for information on appointing an EU representative. It is not required in most cases.
"Bespoke permissioning" is also required if you have tiers of users with different feature sets (free, basic, premium). So just treat whatever private-data-requiring-thing as a feature that needs consent.
Incidentally, the evolution of smartphone permissions has also gone in this way, allowing fine-grained allowing/disallowing. You have to expect that you won't have all the permissions you want. The GDPR just makes it so that you don't get to say "all or nothing" for the things that don't need permission. But, the good apps were already doing this anyway.
A sometimes unintentional and often intentional side-effect of regulation is helping the big guys fend off competition from the scrappy upstarts.
What seems like something aimed to protect the consumer may have unintended consequences further consolidating information into the hands of a few large behemoths.
"Business" means website visit from a US/EU citizen travelling Europe. And even blocking them by IP and logging it is a violation.
User can file a complaint against you, resulting in a ruling. Whether you ever see an "invoice" or see police officers is another topic. But you violate the regulation/law in another country.
That's the takeaway I'm arriving at as well. We (as an industry) had about two decades to be responsible and hold others to account with user data online. Instead we opted to pretend like a weasely Terms of Service replaced a sense of morality.
Now we face regulation because, as it turns out, people care about how we use their data and how we influence them. Not exactly shocking that we ended up here.
Do people care that much about how we use their data? I mean they care a little bit, but I still think given the choice between where we're at technologically and where we'd be if no one had access to users' data -- I think the vast majority would take where we're at today.
The funny thing is that I generally wish companies did more with my user data. Why don't events sites do a better job just showing me events it thinks I'll like -- when was the last time I showed any interest in country music? I think customization is a huge value.
That's great, and it's your choice, but it shouldn't be the default for everyone. If someone sees the benefit in an algorithm learning what they like then let them pick that option. It's not up to engineers to assume what someone cares about.
As someone else is pointing out, a business needs to have a positive reason to follow this regulation. If the very vast majority of my business is from US readers/customers and practically no money comes in from European readers, why would I put any effort in at all to comply rather than just block? The only scenario where this would happen is if compliance was cheaper than blocking.
This "pet law" is the law of 500 million people, has been in effect for two years (two years was a grace period to comply with it), and exists exactly because shady businesses didn't even comply with existing data protection laws.
It's not "bitter HN users". It's bitter European citizens. No wonder that it's mostly American companies who have the most trouble complying with it.
It's not necessarily that American companies are having trouble complying. Some of them like the ones the article is about just have little incentive to do so. If I'm in essence doing no business in Europe it's more efficient to just block European visitors.
Having grown up in Europe I'm much more sensitive to privacy concerns than most Americans, but it's not proper to assume that anyone who just blocks European visitors is up to something nefarious. It just doesn't make business sense for everyone to comply.
Whether they are "nefarious" might depend on who you ask, I suppose, but anyway, fair enough. As an American who cares deeply about online privacy, I will be actively avoiding US companies who don't comply with European privacy laws (easy way to filter). I'm willing to bet the real incentives will turn out to be bigger than many of these companies think.
Pass whatever law you want, just don’t expect me to care. This law has nothing to do with me. If you don’t want to do business with me because I’m not compliant, don’t send me server requests, data, or money.
False equivalence. I don't misuse any user data, never have or will. But I'm still not compliant, nor will I be for the foreseeable future, unless someone can tell me why I should care about a law from some other country that has no mechanism of enforcement?
OK, if you don't trust me, then please avoid using my service. It's no problem for me.
But I won't jump through hoops to reassure you. The cost is too high for too little benefit.
Two things could swing this in another direction:
1. The EU figures out how to levy fines or force compliance against small businesses in other countries.
2. The revenue loss from EU users and possibly others is so large that the benefits once again outweigh the costs.
Very skeptical on both counts.
Until then, the GDPR goes on a large pile of perhaps well-meaning laws passed by foreign governments that don't apply to me and that I can safely ignore.
> Pass whatever law you want, just don’t expect me to care.
That was exactly the position of too many companies: pass whatever law, I don't care.
Well. It has gone on for too long, so, hopefully, now companies will start to care.
> If you don’t want to do business with me because I’m not compliant, don’t send me server requests, data, or money.
The EU is 500 million people. It looks to me that it's you who doesn't want to do business just because you think that other countries' laws and other countries' rights are bullshit and you don't care about them.
Your previous comments notwithstanding, this comment does have a legitimate point. If you truly do intend to take good care of your users’ data, then the goal should be to have you demonstrate that whilst making it as easy as possible for you to do so (without compromising the said care).
I’m hoping that over the coming weeks and months the enforcement of GDPR and various court cases will add clarity and allow the development of improved guidelines for becoming compliant. If a random SaaS company that uses emails for logins and communication with active customers could look at a simple 5 point checklist which they could check through in a day then things would be better for everyone.
Less burden for customers, wider services for users, and those firms that can see they could make a few small changes to become compliant would be more incentivised to do so.
I attribute it to European jealousy over American tech success. Hi-tech success that flies in the face of their supposed social, cultural and moral superiority.
User tracking is not really why we don't have nice things, look at the success of moviepass even after they publicly admitted what they were tracking. People want part of the spoils which is exactly the purpose of GDPR.
Isn't MoviePass haemorrhaging $20 million a day while its share price tanks?
No, if you knew how Europeans think, you'd realise that this is really just about securing privacy. Most of the regulators are really focussed on ensuring compliance, not levying fines.
They are losing money because they have an unsustainable pricing model. Other cinema services were saying Movie pass would fail as soon as they started.
> I attribute it to European jealousy over American tech success. Hi-tech success that flies in the face of their supposed social, cultural and moral superiority.
The EU isn't the US. This kind of misplaced pride is not a part of the culture in most of Europe.
GDPR is significant because for the first time in the history of the Internet an (EU) user no longer has a marginal cost of zero.
The cost to write an application to be GDPR compliant is high and frankly will not be worth it for many entrepreneurs developing an MVP.
I don’t need email addresses any more than, say, Pinterest. But now it is one more barrier to entry for side projects. It is definitely not easy to be compliant as many here suggest.
You can collect email addresses still, so long as you have a legitimate reason to, you seek consent, you store them securely and remove them if consent is withdrawn. These are things that you should be doing anyway! Even if it's an open source side project.
Sure. But let’s not pretend that it is cheap to do. All I’m saying is that if you are cheering the government stepping into the equation then let’s have an honest discussion on who it hurts and who it benefits. Let’s take stock of the impact on garage innovations. That is all.
OK. Why is forcing people to consider the ethics of gathering data, which has hitherto proven to be lacking morally and ethically, a bad thing?
In terms of "impact to garage innovations", there shouldn't be any if there is nothing nefarious about it. The cost of designing and engineering software ethically is minimal.
>You can collect email addresses still, so long as you have a legitimate reason to, you seek consent, you store them securely and remove them if consent is withdrawn. These are things that you should be doing anyway! Even if it's an open source side project.
Where in your statement do you refute the fact that it is hard to comply with GDPR?
Even if you have a legitimate use case you still need to provide users a way to access all their information and delete all their information.
If you already are using more than one database this is not trivial.
This is my guesstimate but I am confident in saying that GDPR adds $25k worth of work to the cost of starting up a business in the EU assuming an experienced software engineer is worth $150k a year. There will simply be a huge layer of boilerplate code added to every project now that will be necessary whenever you are processing data.
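The "list of all the places where data is being stored about a user" suggested further up the thread and the "access all their information and delete all their information across more than one database" concern in the comment above describe the same piece of machinery: an inventory of data stores, each with an export and an erase routine, driven by one access-request function and one erasure function. Below is an added example of that pattern, not code from any commenter; the three in-memory stores, the user ids and the rule that order records are pseudonymised rather than deleted (invoices typically have their own retention obligation) are constructed assumptions for this example.

```python
from collections import namedtuple

# Constructed in-memory stand-ins for three separate data stores.
users_db = {}      # user_id -> profile
orders_db = []     # list of order records referencing user_id
support_db = {}    # user_id -> list of ticket texts


def reset_demo_data():
    """(Re)populate the constructed sample data so the demo is repeatable."""
    users_db.clear()
    users_db.update({"u42": {"email": "alice@example.org", "plan": "pro"},
                     "u7": {"email": "bob@example.org", "plan": "free"}})
    orders_db[:] = [{"order_id": 1, "user_id": "u42", "total": 19.99},
                    {"order_id": 2, "user_id": "u7", "total": 5.00}]
    support_db.clear()
    support_db.update({"u42": ["question about billing"]})


# One entry per place personal data lives: a name, an export callable, an erase callable.
PersonalDataStore = namedtuple("PersonalDataStore", "name export erase")


def export_users(uid):
    return dict(users_db.get(uid, {}))


def erase_users(uid):
    return 1 if users_db.pop(uid, None) is not None else 0


def export_orders(uid):
    return [dict(o) for o in orders_db if o["user_id"] == uid]


def erase_orders(uid):
    # Assumption: financial records must be retained, so the link to the person is
    # removed (pseudonymised) instead of deleting the row.
    n = 0
    for o in orders_db:
        if o["user_id"] == uid:
            o["user_id"] = "erased"
            n += 1
    return n


def export_support(uid):
    return list(support_db.get(uid, []))


def erase_support(uid):
    return len(support_db.pop(uid, []))


# The inventory itself: adding a new store means adding one line here.
INVENTORY = [
    PersonalDataStore("users", export_users, erase_users),
    PersonalDataStore("orders", export_orders, erase_orders),
    PersonalDataStore("support", export_support, erase_support),
]


def subject_access_request(uid):
    """Everything held about one user, keyed by store name."""
    return {store.name: store.export(uid) for store in INVENTORY}


def erasure_request(uid):
    """Erase (or pseudonymise) the user in every store and verify nothing is left.
    Returns (per-store counts, leftovers); leftovers must be empty."""
    counts = {store.name: store.erase(uid) for store in INVENTORY}
    leftovers = {name: data for name, data in subject_access_request(uid).items() if data}
    return counts, leftovers


if __name__ == "__main__":
    reset_demo_data()
    print(subject_access_request("u42"))
    print(erasure_request("u42"))
```

The verification step at the end of `erasure_request` is the part worth keeping when this is wired to real databases: a store that was added to the code base but never registered in `INVENTORY` is exactly the data that gets missed, and a post-erasure export is the cheapest check that the inventory is still complete.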
I wonder if it's really necessary to stop using e-mail addresses as usernames / unique identifiers. Presumably you need some sort of unique identifier for each user, and such an identifier can, by definition, be tied to an individual. Would such an identifier not fall under "data required to provide the service"? And since any such identifier is effectively PII, does it really matter if you use an e-mail address vs. some other user name?
You could also use a hash of the email so that you don't retain and can't reconstruct the original address. Then the recovery process can look for a valid account based on the provided email's hash, and if one is found, a recovery email can be sent to the provided address. Include an expiring, one-time-use token in the recovery link so you can immediately forget the address again.
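The recovery flow described in the comment above, as an added example that is not the commenter's code: accounts are keyed by a hash of the address, recovery looks the provided address up by its hash, and the recovery link carries an expiring, one-time token. Two details go beyond the comment and are assumptions of this example: the hash is keyed with a server-side secret (an unkeyed hash of an e-mail address can be reversed by hashing likely addresses), and only the hash of the token is stored, so a leaked table does not contain usable tokens. Sending the mail is stood in for by returning the token to the caller; `PEPPER`, `TOKEN_TTL`, `DEMO_NOW` and the function names are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed server-side secret; a real deployment loads it from a secret store.
PEPPER = b"example-pepper-rotate-me"
TOKEN_TTL = timedelta(minutes=30)
# Fixed clock for a reproducible demo (assumption for this example).
DEMO_NOW = datetime(2018, 5, 26, 12, 0, tzinfo=timezone.utc)

accounts = {}        # email_hash -> account record; the address itself is never stored
pending_tokens = {}  # sha256(token) -> (email_hash, expiry)


def hash_email(email):
    """Keyed hash (HMAC-SHA256) of the normalised address."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(PEPPER, normalised, hashlib.sha256).hexdigest()


def register(email, display_name):
    """Create an account keyed by the e-mail hash; the address is discarded."""
    h = hash_email(email)
    accounts[h] = {"display_name": display_name}
    return h


def _token_key(raw_token):
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def request_recovery(email, now):
    """If the hash of the provided address matches an account, mint a one-time
    token. The caller mails the raw token to that address and then forgets the
    address; here the token is returned so the flow can run offline."""
    h = hash_email(email)
    if h not in accounts:
        return None
    raw_token = secrets.token_urlsafe(32)
    pending_tokens[_token_key(raw_token)] = (h, now + TOKEN_TTL)
    return raw_token


def redeem_recovery(raw_token, now):
    """Return the account hash for a valid, unexpired token and invalidate it."""
    entry = pending_tokens.pop(_token_key(raw_token), None)  # pop: single use
    if entry is None:
        return None
    h, expiry = entry
    if now > expiry:
        return None
    return h


if __name__ == "__main__":
    acct = register("Alice@Example.org", "alice")
    token = request_recovery("alice@example.org", DEMO_NOW)
    print("recovered:", redeem_recovery(token, DEMO_NOW + timedelta(minutes=5)) == acct)
    print("replay:", redeem_recovery(token, DEMO_NOW + timedelta(minutes=6)))
```

Note that `request_recovery` returns the same `None` for an unknown address as it would after a failed mail delivery, so the response shown to the user can be identical in both cases and does not confirm whether an address has an account.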
Really? Do you have an EU representative for your MVP? Did you hire a legal team to review your site and write up your terms of service? Send me your MVP and I’ll show you 10 things that are wrong with it, and if you are compliant somehow then I doubt the product will be viable at all.
So my MVP is an imaginary service that does X for you. It charges $5/month and it uses your email as the login. It captures no data other than what you give it to do said service. Other than good data practices which should be followed anyway, please describe the huge GDPR hurdles that will make this service not viable.
> Basically this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data
Are there exemptions for very small companies?
If you can prove you don't process any user data, at all, does this exempt you from having to appoint a DPO?
> Are there exemptions for very small companies? If you can prove you don't process any user data, at all, does this exempt you from having to appoint a DPO?
From the site:
> Under the GDPR, you must appoint a DPO if:
> * you are a public authority (except for courts acting in their judicial capacity);
> * your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
> * your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
So as far as I can see, yes, for small companies or side projects (i.e. not public authorities, not working with large scale monitoring of individuals, not dealing with criminal convictions) you don't need a DPO.
There's a lot of confusion around this because GDPR actually specifies two different kinds of representative.
There is the Data Protection Officer (DPO), which comes from Article 37, and a representative in the Union (EU Rep), which comes from Article 27.
The purpose of the DPO is to oversee data protection. Whether or not a company needs one depends on the nature and volume of data they handle. I'd expect most small companies that are selling a product or service would not need one.
The purpose of the EU Rep is to provide a point of contact in the Union for data subjects and regulators to contact the company. It is only required for companies that are not in the Union. If the company only occasionally processes data, does not process data from certain particularly sensitive categories, and the processing is unlikely to result in a risk to rights and freedoms of natural persons, no EU Rep is required.
The DPO requirement seems to generate a lot more discussion than the EU Rep requirement, which I find odd. The EU Rep seems to me a much bigger deal from the point of view of small non-EU companies, because the EU Rep has to be in the Union.
you are a public authority (except for courts acting in their judicial capacity);
your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
"""
So if you're not doing 'large scale behaviour tracking', you would not need one. A simple company that sells a subscription service should not need one, unless they are also selling targeted ads, and maybe if they are doing identifiable tracking of how a given user uses the service. Aggregated metrics with no identifiable data do not count (This feature has been used X times). If you are, then it becomes a question of what is 'large scale' in terms of the GDPR.
I have no idea what that means. If my B2B business has a lot of revenue but few customers, am I 'large scale'? If my B2C business has little revenue but a lot of customers, am I 'large scale'? Or maybe 'large scale' applies to the number of servers I use? I have no idea what the criteria are.
1. Are you a public authority? (not sure what this is)
2. Do your organisation's core activities involve tracking and monitoring people's behaviour (for example on the internet, or on CCTV) on a large scale?
3. Do your organisation's core activities involve processing on a large scale 'special categories' of personal data, or large scale criminal convictions or offences data?
(By 'special categories' we mean personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data about a person's sex life or sexual orientation, or genetic or biometric data where it woiuld [sic] identify a living person.)
>1. Are you a public authority? (not sure what this is)
In the UK at least this is already a widely-known category of organisation and covers things like national and local government bodies, schools, hospitals, fire authorities, the police etc.
Add invoices which contain personal data in the recipient address and must be stored for 10 years safe from manipulation (and then deleted). Combine that with a deletion request, and now you need to delete some data about a customer and keep the rest, which is pretty annoying (yay referential integrity), especially if you're changing existing software, and don't develop from scratch. Of course for the data you can't delete, you now have to restrict access as much as possible, so for every feature in your software you have to figure out if it should use the censored or full data.
Then you have to figure out how much of the order history (up/downgrades etc.) you need to keep so you can keep track of who changed what in case of disputes, etc.
You need to keep track of payments and invoices for accounting and tax purposes, and of course accounting records must be immutable.
Then write documentation describing all the ways you process data and ensure you have a valid updated data privacy contract with all your service providers.
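One way to handle the conflict described in the comment above (an erasure request arriving while invoices must still be kept for their retention period), as an added example written for this page and not code from any commenter or project: directly deletable personal data on the customer record is scrubbed at once, invoice records are left byte-for-byte unchanged (they are accounting records), the foreign key survives as a pseudonymous id so referential integrity holds, and every feature asks for a per-role view that hides the retained address from all but the accounting role until the retention deadline purges the record. The names, roles and the 10-year period are assumptions taken from the comment, and the sample customer and invoices are constructed.

```python
"""Erasure request with a retention obligation: scrub what can be scrubbed,
keep invoices immutable, restrict who sees the retained personal data,
and purge when the retention period ends. (Illustrative example; role
names and retention period are assumptions, sample data is constructed.)"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import hashlib
import json

RETENTION_YEARS = 10          # retention period named in the comment above
REDACTED = "[erased]"         # placeholder returned to non-privileged features


@dataclass
class Customer:
    id: int
    name: Optional[str]
    email: Optional[str]
    erased_on: Optional[date] = None   # set when an erasure request is honoured


@dataclass(frozen=True)                 # frozen: accounting records are immutable
class Invoice:
    id: int
    customer_id: int                    # survives erasure, so foreign keys stay valid
    issued_on: date
    recipient_address: str              # personal data the invoice must legally keep
    total_cents: int

    @property
    def retain_until(self) -> date:
        """Last day the record must be kept (issue date plus the retention period)."""
        try:
            return self.issued_on.replace(year=self.issued_on.year + RETENTION_YEARS)
        except ValueError:              # issued on 29 Feb, target year is not a leap year
            return self.issued_on.replace(year=self.issued_on.year + RETENTION_YEARS, day=28)


def fingerprint(inv: Invoice) -> str:
    """Hash of the full record, used to prove erasure did not alter an invoice."""
    payload = json.dumps(
        {"id": inv.id, "customer_id": inv.customer_id,
         "issued_on": inv.issued_on.isoformat(),
         "recipient_address": inv.recipient_address, "total_cents": inv.total_cents},
        sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def handle_erasure_request(customer: Customer, invoices: List[Invoice],
                           today: date) -> List[int]:
    """Scrub the customer's directly deletable PII and mark the record erased.
    Returns the ids of this customer's invoices that are still inside their
    retention period and therefore must be kept (the caller runs purge_expired()
    for anything already past it)."""
    customer.name = None
    customer.email = None
    customer.erased_on = today
    return [inv.id for inv in invoices
            if inv.customer_id == customer.id and inv.retain_until > today]


def invoice_view(inv: Invoice, owner: Customer, role: str) -> Dict[str, object]:
    """Per-feature view of an invoice. Once the owner has been erased, only the
    (assumed) 'accounting' role sees the retained recipient address; every other
    feature gets the censored record. The invoice itself is never modified."""
    restricted = owner.erased_on is not None and role != "accounting"
    return {
        "id": inv.id,
        "issued_on": inv.issued_on.isoformat(),
        "total_cents": inv.total_cents,
        "recipient_address": REDACTED if restricted else inv.recipient_address,
        "customer": REDACTED if owner.erased_on is not None else owner.name,
    }


def purge_expired(invoices: List[Invoice], today: date) -> List[Invoice]:
    """Drop invoices whose retention period has ended; the rest stay untouched."""
    return [inv for inv in invoices if inv.retain_until > today]


# Constructed sample data for a stand-alone run.
SAMPLE_ADDRESS = "1 Example Street, Exampletown"
SAMPLE_INVOICES = [
    Invoice(1001, 1, date(2010, 6, 1), SAMPLE_ADDRESS, 4999),
    Invoice(1002, 1, date(2018, 3, 15), SAMPLE_ADDRESS, 2999),
]

if __name__ == "__main__":
    jane = Customer(id=1, name="Jane Example", email="jane@example.invalid")
    before = [fingerprint(i) for i in SAMPLE_INVOICES]
    kept = handle_erasure_request(jane, SAMPLE_INVOICES, date(2018, 5, 25))
    assert [fingerprint(i) for i in SAMPLE_INVOICES] == before   # invoices untouched
    print("kept for retention:", kept)
    print("support view:   ", invoice_view(SAMPLE_INVOICES[0], jane, "support"))
    print("accounting view:", invoice_view(SAMPLE_INVOICES[0], jane, "accounting"))
    print("left after 2021-01-01:", [i.id for i in purge_expired(SAMPLE_INVOICES, date(2021, 1, 1))])
```

The split between `handle_erasure_request` and `invoice_view` is the point: the erasure path never has to know which features exist, and each feature declares its role once rather than deciding field by field whether it may use the full or the censored data.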
Really disappointed when I see these kinds of scare tactics. Compliance (or at least a good-faith attempt at compliance) is quite easy for small/new projects. I'm willing to bet that courts aren't out to make an example of every small infringement, and there's really no reason to discourage people from starting new projects.
Exactly. I have been in contact with the regulation authority a few times to make sure we're compliant and in all cases we found that they are super-helpful. And the GDPR is - while being CEO of an ecommerce company for 15 years now - the easiest and most well-written ecommerce law I have seen. Everything in it makes sense if you just read the freaking law and the recitals included in the law. Period.
Regardless of whether the app has a cost in and of itself, the process of appointing a compliance officer and making sure that they understand their responsibilities under EU law is a necessary cost unless you happen to be developing the app yourself and already understand everything involved.
Read Article 27(2). There's a good chance that you don't need an EU representative unless your product is based around the processing of personal data. Also read Article 37(1), you _don't_ need a compliance officer unless you are dealing with one of the special classes of personal data or performing "regular and systematic monitoring".
> Read Article 27(2). There's a good chance that you don't need an EU representative unless your product is based around the processing of personal data.
To fall under that, the processing has to be "occasional". I've not been able to find any authoritative guidance on what that means.
Sort of. The technical cost is effectively zero, as everything technical which is required by GDPR ought to be done anyways. However, there are a lot of non-technical compliance issues in meatspace that have a very real cost. Most of that cost may be deferred until the first GDPR-based request, however that just means you're kicking the can down the road. The cost is still there.
GDPR is significant but not for the reasons you mention. If you want to have European users you have to comply with European laws. That was the case before GDPR as well.
The response to GDPR is interesting. If they are handling and selling your data in ways that are not compatible with GDPR, then you should seriously consider using someone else for that information.
> If they are handling and selling your data in ways that are not compatible with GDPR
Very few businesses actually sell data the way you are imagining and if all GDPR did was ban that business model I would be happy with the existence of GDPR. GDPR is much more than that and this insinuation that every business that doesn't want to deal with this hassle is somehow evil and selling ultra detailed profiles on you to the highest bidder is highly mistaken.
I am worried regulations will make the Internet more geographically fragmented. The best thing about the Internet is how it captures the long tail. A random person in Slovenia can read a local news site in Kansas if they wish. Even if spending just one minute of effort making itself available in Slovenia would be a loss for said news site. The Internet is by default global and everything is available to everyone. It takes extra effort to block regions, but I'm afraid regulations will make people spend that extra effort.
There's no scenario where the 'open' Internet doesn't rip apart.
Globally there will be dozens of GDPR type regulations, and that's just covering privacy. There will be a lot more for economic rules, cultural rules (eg governing speech), etc.
Want to operate a service in 100+ countries? You'll have to comply with thousands of rules. Only giant companies will be able to do it. It's already extremely difficult to do. In the physical goods world, generally only very large companies can operate in 100+ countries; that's exactly how it will be for Internet companies in the near future.
In the case of the US, there will be an immense advantage for tech services & sites. I can make a lot of money on ads just in the single large US market, far more than necessary to support a global operation. I can then project out into the rest of the world, without concern for complying with everyone's individual rules (unless it makes economic sense). For those localities to stop me, they all have to implement draconian Chinese-style repression of their people and what they can see online (which most will not do).
I really think the EU guaranteed US tech dominance with this law. How many months of work did the EU just add to getting out an MVP? How are EU startups even going to do AB testing to improve their product without collecting user data?
I'm in the UK atm. I just took a look at CNN.com, and uBlock is still blocking dozens of trackers there. I disabled it to see if I would get a GDPR consent popup, but all I saw was an accept cookies notification, nothing about the dozens of third party trackers on the site, other than some sparse information. There is no way to opt out of them, and there is only an “I accept” option on the accept cookies box. So CNN is not GDPR compliant, even though they've been running stories about it recently?
Facebook, Google, Instagram and WhatsApp are accused of forcing users to consent to targeted advertising to use the services.
Privacy group noyb.eu, led by activist Max Schrems, said people were not being given a "free choice".
I mean, that just isn't a valid complaint IMO. You have a choice -- you can not use Facebook, or not use Google, or not use Instagram, or not use WhatsApp.
If you're using a "free" service that is ad-funded, why do you think you have a right to use it without consenting to the ads?
Then you don't understand the most fundamental thing about the GDPR: "Kopplungsverbot" (German privacy law had that for ages before GDPR). You can't force someone to consent to marketing because he wants to use your service. Everything that is not part of the core service needs consent that can be withdrawn at any time. The core service of Facebook is access to the network, not that my data is processed to show me better advertising. The advertising is in Facebook's interest, not mine. "But we make our revenue from ads" is not a valid explanation. If your service was "sign up to see better ads", then that would be your core business and no consent needed. Best thing ever happened.
That is insane. As a private company they have the right to do business with whom they please. If a company refuses service because a potential customer doesn't agree to their terms, it is the company's right. No one is entitled to a good or service of someone else.
That is absolutely incorrect for a multitude of reasons, ranging from anti-discriminatory laws, to antitrust laws, to contract law, to indeed privacy legislation.
This kind of "corporations have absolute rights to do whatever they want as long as it's agreed to" stance is specific to the US. The rest of the Western world doesn't do that, and for very good reason - it makes for an extremely unhealthy society where corporations no longer act in the best interest of society.
It is a very valid complaint and becomes even more valid as Facebook is scrutinized even further.
Zuckerberg's EU hearing was a rather good indicator of where this is heading when MEPs specifically singled out:
- Facebook's business practices in general; the MEPs do not believe that what Facebook is doing can be done in the same way while respecting users' privacy. Thus they kept asking how Facebook is planning to monetize its service in the future while respecting their users' data.
- Having Facebook admit to its monopoly position in the EU by asking Zuckerberg for any Facebook competition he knows of in the EU.
There's also this whole issue with Facebook simply slurping up WhatsApp, and all its users' data, even though WhatsApp users never consented to any of that. I made a point of never giving Facebook my mobile number, a point that's made completely irrelevant when Facebook just throws money around to get any data they want, complete with some manufactured opt-out consent.
No, Facebook, Google, Instagram, and Whatsapp have a choice, on whether they want to continue operating in the European market.
> why do you think you have a right to use it without consenting to the ads?
Consenting to targeted ads. That's a big difference. All operators can show ads like they always have, but they can't specifically tailor them to the individual, using accumulated data, without their consent.
What decision have they made? I'm fairly sure they both will be compliant.
> They will only operate for users that have given their consent
Well, they can't. It's not their choice to make anymore: users in the EU can no longer sign their online privacy away. If that is not something a company can live with, they should be looking for darker pastures elsewhere.
I honestly hope they do this. Every EU citizen should have their FB accounts, Gmail accounts, and all other internet services deleted, and then be blocked from the majority of internet services.
Then those citizens can decide if it was all worth it.
They don't, and this argument by Max Schrems is ridiculous. There is no provision in the GDPR that says if you fund your site with ads, you now have to provide an ad-free version.
I see no reading of the GDPR that would lead you to that conclusion...
The GDPR requires many things, but there's nothing in there that says you can't reject the customer if they don't opt-in to the things you want them to opt-in to.
Do you have a citation from the GDPR that leads you to believe that I am wrong on that point?
"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance"
Recital 43 is a fair objection -- I should rephrase what I said in light of it. I should have said:
> "The GDPR requires many things, but there's nothing in there that says you can't reject the customer if they don't opt-in to the things you need them to opt-in to in order to provide the service."
The last sentence of recital 43 says that consent can only be given to those personal data processing operations that are necessary for the performance of a contract/provision of the service.
In Google and Facebook's case, collection of personal data for the purpose of targeted ads is necessary for the service because targeted ads provides the source of revenue for the service's operation.
Your business model's success is not "providing the service".
EDIT: Quoth the British agency responsible for implementation: "The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests."
Thank you for the citation; this is an interesting and useful discussion.
The contract that Facebook has with its users is not merely to serve as their social media platform. The contract includes personalized advertising.
Facebook, in the terms of their contract with you, give you X in exchange for Y. X is the social media platform. Y is personalized advertising. This is the contract. AFAICT from the GDPR, they don't specify boundaries for the terms of the contract itself, do they?
The ICO talks at length about what it means for processing to be "necessary" for the purpose of fulfilling a contract. But it doesn't state what the boundaries are as far as what constitute legitimate contracts.
For example, this would be a valid contract under the GDPR, AFAICT:
I offer to make you free sandwiches in exchange for you telling me some personal information about you and targeting you with advertisements while you're in my sandwich shop or elsewhere; and I provide you an ability to revoke this contract at any time (whereupon I will delete the data I've collected). Of course, this means you don't get free sandwiches anymore. This would not be an illegal contract under the GDPR, AFAICT.
Now, if my contract were just "I'm going to give you free sandwiches." Then yes, collecting data and advertising would not be necessary for that contract. But that isn't the contract.
From same source: "The processing must be necessary to deliver your side of the contract with this particular person."
That is - these regulations refer to the performance of a contract by the service provider. If the data isn't necessary for creating the sandwich, you're not allowed to deny use of the service based on the user not giving you the data.
GDPR was specifically written by smart lawyers and regulators to prohibit the specific kind of contract you're describing. The whole point of regulations like this (also minimum wage, regulation of arbitration agreements, etc.) is to limit the kinds of contracts people can enter into.
Specifically, they're allowed to consent to give you that data, but that's not allowed to be a condition for the use of the service.
EDIT: More specific sourcing on the way that GDPR regulates contracts, in Article 7(2): "Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding."
EDIT 2: And in fact, we've gone in a circle. Again, as Recital 43 states: "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
> Specifically, they're allowed to consent to give you that data, but that's not allowed to be a condition for the use of the service.
You seem to be trying to say that Recital 43 rules out certain types of items as being part of the terms of a contract between a person and a service provider. Namely, the term `you will be shown targeted ads` is an invalid term in a contract. (If this is a misunderstanding of your position, please let me know.)
But this is not what Recital 43 actually says. Recital 43 talks about the performance of a contract. It does not speak to the terms of a contract.
The phrase "performance of a contract" is, I believe, a specific thing in contract law: it refers only to the execution of some established contract.
If Recital 43 or some other part of the GDPR wanted to limit the terms of legal contracts to exclude targeted advertising, they could have done that. But they did not, AFAICT.
The activity they restrict isn't showing targeted ads; it's collecting the data necessary to show targeted ads. That is to say, you're not allowed to collect data that would show that the user is e.g. a 33-year-old African-American male living in Fremont, CA and with an interest in certain sports, which is necessary to show targeted ads. If you could show such ads without collecting that information, I'm sure GDPR drafters would be totally fine with it.
Recital 43 says you're not allowed to collect any data that isn't necessary for performance of a contract. In contract law, "performance" specifically refers to the actions one side is obligated to take by a contract; that is, the service provider is only allowed to collect information that is required in order to "perform" (that is discharge their obligations under) the contract. If the contract says the user's performance of the contract requires handing over data? Tough luck. The service provider isn't allowed to collect it.
You’re saying that Recital 43’s citation of “performance of a contract” refers to merely the performance of the provider — the good or service handed off by the provider to the customer. (It’s the sandwich in our example from earlier.) It does NOT also include whatever good the user provides to the service provider as their side of the contract.
So if a service provider says “You need to give me data in order for me to serve you targeted ads, and this is payment for the free service,” the user could not “freely consent” to providing that data, because it is a condition that is not necessary to provide the free service.
Okay, now another question: If the data given by the sandwich eater to get his free sandwich isn’t “freely given consent,” does that matter? Consent was never the legal basis under which the data was handed over in the first place; it was contractual fulfillment, which is a valid legal basis for processing personal data.
What am I missing?
Edit: I do remember the citation you gave earlier from ICO saying that contractual obligation is not a legal basis in the case where it has nothing to do with the performance of services on the part of the provider. I reviewed their site again, looking for a citation for why this is, but they don’t say. I assume they’re pulling that from recital 43, but again — that would seem to me to be a misreading of 43. That only means that the user didn’t freely consent to give that data. But that doesn’t matter because their data is not being processed under the legal basis of consent.
You're correct about Recital 43 not applying to the contract case - what it does is establish that the main alternative to "necessary for the performance of a contract" isn't there in the sandwich example.
The core of the regulation is Article 6(1), which is basically a big old "or" statement; you have to fulfill one of the conditions listed in order to lawfully process data. [1]
a) is consent, as explained in Recital 43 and clarified in other places. The sandwich vendor clearly doesn't have that, since they've conditioned the service on the delivery of data.
b) is "necessary for the performance of a contract". This is the option on which your free-lunch-giver is leaning. "Necessary" is not well-defined in the EU-wide regulation, but judging by the UK example I linked (the ICO), implementing Member State agencies are going to take a narrow view of "necessary" - as in where it's impossible for the controller to perform the contract without processing the data. By contrast, Recital 43 uses "dependent" to refer to the service provider establishing conditions. This also fits well with the usage of the word in the other tines of the Article 6(1) fork. (c: "necessary for the compliance with a legal obligation", d: "necessary to protect the vital interests of [actual people]", e: "necessary for the performance of a task carried out in the public interest or in the exercise of official authority" [2]). This interpretation is also, in practical terms, the only one that makes sense, as otherwise the consent option (a) would be redundant.
[2] This interesting clause stems from an even more interesting feature of GDPR: it applies to government agencies. Meaning the regulation needs specific language to specify that yes, the Ministry of Transportation in your country is allowed to use your vehicle registration information as part of its road planning process.
This is not the interpretation I've seen everywhere.
GDPR says 'accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.'
The user needs to be able to use the service in the way they expect to, without needing to give their personal data for targeted advertising. Another way of putting it is personal data can no longer be used to pay for a service.
Yes there is. It's all over it. I'm not going to even bother linking to it.
Making consent a precondition of service is an illegal method of obtaining consent, unless the service relies on that consent. So a run tracking app may legitimately say consent to track location is a precondition, because they need that data to actually deliver their service. Facebook and Google though? Obviously not. Also the run tracking app can't then sell that data to an ad network without permission, and that can't be a precondition, because that's not why the data is being supplied.
Facebook and Google may try and argue they need it in court. We will see what happens, but I hope they lose and we can finish this dark, Orwellian chapter of the internet sooner rather than later.
I'm in the EU, and a couple of the corporate VPNs I have used here have had their exit IP in the U.S. or Canada. Which means that when I'm at work, I appear to be in Seattle, and these sites are not blocked.
Based just on that, I'd argue that "Blocking 500M Users Easier Than Complying with GDPR" is probably not even a true statement.
I doubt EU regulators will go after these sites because they really aren't that consequential, but I wonder if setting up an IP block isn't just painting a target on yourself. It's basically a statement that the company was and still is violating GDPR.
What exactly do you want here? Do you want every site to have you upload your passport? Or are you just saying that any jurisdiction in the world should be able to effectively force every company globally to comply with their laws, and that they can’t pull out of those markets if they find the law too onerous?
Forget about the intent of the GDPR, what about the broader principle when applied to laws you don’t like?
What if the US passes the anti-GDPR next week, that you MUST track all available data for US residents or citizens, no matter where in the world they are? What then?
My comment doesn't make a statement about how things should be. It's a statement about the complexities of a technical implementation:
_If_ it is true that the GDPR covers an EU person's data held by any company worldwide, regardless of how or whether it should, an IP block might not be accepted as compliance. Or it might, if the EU regulators decide that best-effort is enough.
The important point is that many Europeans are browsing the net through non-EU IP addresses without the knowledge that they are doing so. Most people do not pay attention to what their corporate public IP address is. They may use "non-EU" services entirely unintentionally, and EU regulators may or may not take that into account in the unlikely case that they investigate one of these companies.
I am curious how this will play out. I am not sure how else EU regulators could play it out without essentially saying that all users must identify themselves honestly to a site.
What happens if a person marks their country of origin as US even if they aren't in the US and their IP isn't. They lie in that case, but are they still protected?
Eh, I'm not sure we want to go down that road either, but it's an interesting thought experiment. If you declare that EU visitors are unwelcome and unauthorized, are they violating the law by working around that? I find the idea both horrifying and interesting. So many GDPR fans here seem outraged at sites blocking access to them, which seems an acknowledgement that they want to have their cake and eat it too. What if criminal penalties for attempting such enter the mix?
Intent matters. The website clearly indicates that they do not want to serve EU users. EU law does not apply to them unless they have a physical presence in the EU.
It's trivial for end users to bypass any restriction through technical means (whether legal or illegal). The fact that they bypassed the block is an act that indicates that they are bypassing the rules and thus are forfeiting some of the protections they would enjoy otherwise.
There are so many wrong things with this approach. First, what do you do when you have existing users, delete them? Second, I believe the law protects EU citizens regardless of where they are. If you're an EU citizen and register for a service somewhere in the US using a VPN or while physically being outside the EU, that service/company will still need to comply. The safest approach is to comply. We're a tiny startup, but we decided to bite the bullet and comply because it's much easier and quite frankly better for all in the long run. Oh and, disclosure sets you free.
> Second, I believe the law protects EU citizens regardless of where they are. If you're an EU citizen and register for a service somewhere in the US using VPN or while physically being outside the EU, that service/company will still need to comply.
If the controller or processor is established in the Union (regardless of where they actually process data), then GDPR applies to all processing of personal data regardless of citizenship or location of the data subject.
If the controller or processor is not established in the Union, GDPR applies to processing of personal data if (1) they are offering goods or services to data subjects in the Union, or (2) they are monitoring behavior of such data subjects that takes place in the Union.
See Article 3 for details.
If a US site that is not also established in the Union is trying to block access from the EU, and someone uses a VPN to get around that, the site would probably not be subject to GDPR, as they are probably not offering goods or services to data subjects in the Union. Recital 23 explains that offering goods or services means more than just their site can be reached from in the Union:
"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
> Second, I believe the law protects EU citizens regardless of where they are.
That's incorrect. That is the attempted naive reach of the EU in action. The correct formulation is: the EU would like for GDPR to apply to all EU citizen data globally.
US sites/services with no business reach into the EU, do not need to comply with EU privacy laws. 99% of businesses around the world (most small businesses), those outside of the EU, will entirely disregard GDPR - because they have no business dealings with the EU.
The EU has no jurisdiction over the US economy or its laws. That will remain the case. The EU also doesn't control China, or India, or Japan, or Brazil, or South Africa.
A simple example for illustration: I can establish a new US service that is ad based (with eg 100% of revenue being derived from the US market), I can keep all of my infrastructure & business operations outside of the EU, I can take on EU users at will, and I can do anything I want to - in compliance with US law - with their information without concern for GDPR: because the EU does not lord over the US, their laws do not rule the US. This is legally how GDPR actually works, despite the amusing propaganda campaign to pretend GDPR requires global compliance.
> the EU does not lord over the US, their laws do not rule the US. This is legally how GDPR actually works
The number of people who have lost sight of this is unbelievable. It actually seems especially rampant on HN, which is kind of surprising, to be honest.
I think it's because of a deep cultural divide. EU users who are big fans of the GDPR genuinely admire the law, both its intent and implementation, and also have a very positive view of the government. They believe that regulators will try to help companies comply, and will only fine as a last resort. Whereas in the US, we tend to be fairly skeptical of government. And as a consequence, since EU users think this law is a good thing for user privacy and the world at large, they want to see it applied globally by any means necessary.
But aside from that, I can't understand how EU users are unable or unwilling to separate the intent of this specific law from the broader principle that it represents, and how other countries might misuse this principle.
If any jurisdiction in the world can pass a law, no matter how ridiculous, that forces any business in the world with a website to comply, on the chance that a user from that jurisdiction might stumble on that site, AND there's any kind of enforcement mechanism, then the Internet will cease to exist. Either that or become ultra-balkanized, where every user has an identifier that will ONLY give them access to sites which are fully compliant with their jurisdictions.
What if the US passes a law that Americans are too fat and are no longer allowed to be sold gelato (they're allowed to buy gelato, but no longer allowed to be sold gelato), and then levies a multi-million dollar fine against every gelato shop in Italy where Americans visit on vacation?
Bear in mind GDPR seems to have become some sort of totemic issue for the small minority of people in Europe who are true-blue, dyed-in-the-wool ideological supporters of the EU project. They are flooding GDPR discussions with these sorts of views. A good giveaway is they say "speaking as a European" or use the term "EU citizen" (there is no such thing, the EU as an institution does not have citizens or issue passports, it's only member states that do that).
But Europe is full of people who aren't so in thrall to the EU as an idea, as evidenced by one of its most important countries voting to leave despite the population being threatened with massive chaos and severing of all cooperation and trade relationships with their neighbours should they choose to do so. Bad regulation was one of the most common talking points during the Brexit campaigns and GDPR is a good example of why.
These sort of people aren't posting so much on HN but they are quite common.
Yeah? Show me someone who's a citizen of the EU but not a member state.
They don't exist. The EU loves to dress itself in the clothes of nation states, that which it so desires to become, but ultimately the concept of "citizenship" in the EU sense has nothing to do with the normal concept of citizenship.
> News sites within the Tronc and Lee Enterprises media publishing groups were affected.
> Tronc's high-profile sites include the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun.
Why would either of these papers be subject to the GDPR? Am I wrong in assuming they're purely US based companies? Or is there a chain of ownership that includes EU jurisdiction?
Doing business in the EU is only one path that causes the GDPR to apply to you; processing personal data of people located within the EU, not necessarily EU citizens, is another one and probably the one relevant here.
Article 3(2): This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Maybe they could arrest employees on a visit to the EU? Maybe you could even get arrested at home due to extradition agreements? Or get assets in the EU frozen or seized? But that is all pure speculation, I have no idea what actually can and can not be done or what is likely to happen.
It's still unknown how exactly they will enforce the GDPR, but they've got data on Europeans thus need to comply. The US does this quite often as well having their laws applied to foreign companies, without them being physically present in the US.
Foreign laws are not enforceable in the US unless we a) have a treaty saying so and b) have an analogous law here. I see a lot of Europeans and tech bros that don’t seem to get this. They can make a law saying people or corporations must kiss the rings of every EU citizen no matter where they are or face fines... likewise not enforceable here, and hopefully that example makes that clear to you.
Not sure why this is getting downvoted, since it's true. As a thought experiment, why should this have any more relevance to a company that's in the US than the Thai law that prevents criticism of their king.
I wouldn't be at all surprised if they were caught off guard on GDPR. There are some who seem to feel that the pending deadline was universal knowledge, but I don't think it was for many of us in the US. I hadn't heard of it until the recent Monal kerfuffle here on HN.
Blocking access at a geographic level is a pretty clear signal they don't care about users/readers in those regions (I think it's hard to argue otherwise, the law has been coming for 2 years).
Obviously they cater to people interested in local news in those regions. However, I hope they will rectify and allow access again for EU users at some point soon. It seems to go against the idea of a borderless internet, and I blame the companies for that, not the EU.
Or, it could mean they hadn't realised how much work it'd take to be GDPR compliant, and decided to temporarily use geographical blocking until they can be compliant.
When you have competing priorities and finite time and budget, people often don't investigate external requirements, assuming that they'll just comply when they no longer have a choice.
That's why the first few audits (SOX, PCI, etc...) for a company new to them, are always such a struggle, people starting to look at the months of work needed the same week the auditors are planned to come in.
edit/PS: Did you notice how many "We changed our policy" emails you've received in the past 2 weeks, including from very large international companies like Google, Yahoo, etc... Companies for which not being open for business in Europe would have a financial impact. Probably a good indication that they ended up with a lot more work to comply than they had anticipated, and still made it just in time. Now imagine the same situation in smaller companies running on very thin resources that cannot afford a sudden increase in staff!
> However, I hope they will rectify and allow access again for EU users at some point soon.
Honestly, I don't. I don't want this precedent of government overreach to stand. I wish more international companies would stop doing business with US citizens for the same reasons.
> It seems to go against the idea of a borderless internet, and I blame the companies for that, not the EU.
You don't blame border-based rules for harming the traditional borderless approach? How illogical.
> Honestly, I don't. I don't want this precedent of government overreach to stand.
Why is it overreach?
It's literally why we invented government! I, the little guy, couldn't fine giants like Facebook or Google. That's why I asked my democratically elected government to work on the problem.
To me it's overreach because smaller measures could have been a better first step, this won't help the problem much, and it hurts the non-targets. I understand it's why you asked your government to work on the problem. We just need to stop pretending that any way they work on the problem is a good one.
Smaller measures were taken. The Data Protection Directive was adopted in 1995 and hasn't worked at preventing EU citizens' human rights from being abused.
So using the law didn't work. What is a rational reaction? To try one of many other approaches? Of course not...draft and pass more laws, but bigger this time. If someone has a hammer and everything looks like a nail, all they are going to do when the hammer doesn't work is tweak the hammer. Instead of stepping back and saying that a provision in the law can be fixed here and there (e.g. requiring regulators to do something as if words are enough to usurp apathy), why not question whether the method in the first place is the problem?
No, just because they do something doesn't mean it's good. I don't like it, but then again I don't like the cloud act, some dmca provisions, etc. We can disagree whether the law is good or not, it's just that this topic (not you specifically) causes people to assume being against the legislation means being against its purpose. I think there were many better ways to work on the problem.
Because the EU is targeting companies beyond its own borders, including companies that have no representation in the EU. Google, Apple, Facebook, etc. have the means to affect policy worldwide, making them international. Smaller companies do not.
Ma and Pa's Midwest Quilting Shop is really going to hate it, when they eventually get around to discovering they've got a problem. It sucks for a lot of people who depend on advertising, but imagine how bad it's going to be for niche sellers (quilting supplies, Americana dealers, woodworking tool sellers, etc.) It's an opportunity for someone over here to make a pile of cash, but there's no way it's not going to suck for the little guys.
Nine times out of ten it probably doesn't matter. What happens in France happens in France and that's not really our problem to worry about. This is that tenth time.
I suspect there's more than a few Europeans having a big, fat cup of haterade-flavored schadenfreude with their afternoon tea who wanted exactly this to happen.
You should ask an attorney, not take random advice from the internet.
But since you asked, here’s some random advice that HN will hate but can’t refute: you should ignore it. You shouldn’t misuse user data, but that’s always been true. But you shouldn’t worry about the latest laws or regulations from any countries that have no effective jurisdiction over you, even if they claim to. If New Zealand sees a blog post of mine that they dislike and sends me a bill for a $100 fine, it’s going straight in the garbage. There’s nothing they can do. Same with the GDPR.
Don’t misuse user data, ask an attorney, you’ll be fine.
Frankly, I don't really collect user data that isn't effectively public... I've run a telnet BBS and am thinking of throwing it up again, and like most developers have a few ideas on creating something. I don't do metrics tracking, but might throw up something like Google Analytics, or even ads in a game/web-app.
In the end, I frankly don't even like using passwords, I'd rather just have users use SSO from one of so many provider options. One of my criticisms early on of FB is they didn't have an early option to JUST get the real name and email address of their users. That's all most of these identity providers should give... enough to shoot a notification email and know the name of the person.
In the end though, who knows... working on something now, I may comply as much as possible just to be nice. Exported data will only have hashed IDs of "friend" accounts, with everything else effectively public.
I generally try to do the right thing in what I do always. It gets harder in a politically charged society at large.
Enforcement in practice is almost certain to be "at the edge" with things like payment processors and ad networks that have direct business operations in the EU and are easy to demand third-party compliance from.
If you literally don't do any business with EU entities, even at arm's length, enforcement is going to be impractical and unlikely.
I also believe this. If you run a side project by yourself and you don't target EU users directly, but might have a few, it most likely won't be worth the effort to actually follow through on enforcement.
However, that seems like a very arbitrary line and governments love to waste money.
Ha. You’re insane if you think that the US Congress is going to start letting 28 agencies in the EU start fining small businesses that have no EU presence whatsoever. The political ads write themselves.
I have an answer: no way is the EU going to cut ties with the US over this, and no way is the US going to let the EU trample their national sovereignty by letting regulators start fining small businesses with no US presence because some EU citizen sent their data INTO the US. That’s ludicrous.
Look at it this way: "my website is in the EU, my servers are in the EU, why would I care about DMCA?" The truth is that if a company had a way to discriminate their EU users without any possibility of failure they could only apply these things to them but that approach has proven to not be cost effective.
Does your website serve users from the EU region or do you intend to block incoming traffic from the EU? If you serve them then you might want to collect some data points about them. It is like being on the internet you are by default given a chance to operate a business (a website in this case) in whatever country a user accesses your website from. You are not going to open a franchise in Germany and not abide by their local laws concerning German shoppers, right?
This is an insane argument. So now by having a blog, I’m under the jurisdiction of 200 countries and countless other small jurisdictions? What happens when they all contradict each other? Or when I can’t tell what jurisdiction a user belongs to? Or when they pass crazy laws like anti-blasphemy or demand half my revenue, or whatever?
There’s a difference between actually being under the jurisdiction of a government and them claiming that you are. My contention here is with so many people claiming that I should care as a matter of morality or something. That the EU’s claim here is right and just. Under that logic, so is Thailand’s. Is that really the world we want?
Obviously if the EU has some enforcement mechanism, I should be cautious, even if they’re in the wrong (like Thailand). But they don’t have any actual enforcement mechanism, so this just seems irrelevant to me.
So, you're saying if someone from Saudi Arabia sees a German website that shows a woman's bare knees, that the German site will have to pay Saudi fines?
The fans of this law seem incapable of separating its intent from the practical realities of the underlying principle it introduces. Namely, that every website on the internet is now subject to any laws by any jurisdiction in the world (down to the city level) because some subject of that jurisdiction might visit their site. It’s insane.
Did you just compare a data privacy law with some hypothetical obscure privacy law? Amusing. Per your analogy, if German website still wants to be shown in SA then either they get SA govt on board with w/e content they are serving (bare knees in this case) or they stop traffic coming in from SA altogether or they simply comply with SA local laws and censor content (bare knees). You should do some research on how US based website show content in Chinese region.
(Reply to a deleted comment on the burden of compliance as a US business)
If you truly do intend to take good care of your users’ data, then the goal should be to have you demonstrate that whilst making it as easy as possible for you to do so (without compromising the said care).
I’m hoping that over the coming weeks and months the enforcement of GDPR and various court cases will add clarity and allow the development of improved guidelines for becoming compliant. If a random SaaS company that uses emails for logins and communication with active customers could look at a simple 5 point checklist which they could check through in a day then things would be better for everyone.
Less burden for customers, wider services for users, and those firms that can see they could make a few small changes to become compliant would be more incentivised to do so.
Here's what I get when I try to visit the LA Times:
> Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.
If the sites determined that they cannot or will not show ads in compliance with GDPR, then why would they pay for the bandwidth it takes, knowing they can't monetize it without being in violation?
It's the equivalent of the whole of the EU putting uBlock on their computers. Companies that make the majority of their money on advertising are responding.
We're so acclimated to having no choice that I was genuinely surprised when I clicked on "Do not accept" at the http://politico.com web site and... nothing bad happened. I could read it as always.
Clicking "Do not accept" made me nervous and feel somewhat rebellious.
The limitations of internet technology means that any computer located in the EU, whether or not the user controlling it is in the EU, can enjoy the beneficial effects of the GDPR. (Those limitations and effects being in part that companies will attempt to distinguish EU natural or legal persons based on IP address.)
The GDPR finally provides a legitimate, compelling rationale for users to employ longstanding methods of partially controlling the flow of their traffic through the internet, e.g. setting up a hosting account that uses servers located in the EU and using those computers to access www sites. An ssh account on a server located in the EU has gained new value.
Accessing the www from a computer located in the EU has new advantages, thanks to the GDPR. To users who are aligned with the goals of the GDPR, it is possible that www sites located in the EU have become more appealing than those located outside the EU.
How will EU news sites treat users from outside the EU? Is there a benefit to using EU news sites from outside the EU?
No, it doesn't. It applies to natural persons in the EU.
Article 3 GDPR:
---
Territorial scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
---
Note that the above does not reference citizenship.
> What if the US passes a law that Americans are too fat and are no longer allowed to be sold gelato (they're allowed to buy gelato, but no longer allowed to be sold gelato), and then levies a multi-million dollar fine against every gelato shop in Italy where Americans visit on vacation.
The difference is that one is an example of actual and well-thought out legislation in the EU which is generally welcomed by the people most affected by it: EU citizens.
The other is a trumped up example by someone on whom the GDPR self-admittedly has hardly any bearing but who still insists on throwing a hissy fit because legislation is somehow un-american or something.
I disagree on "well thought out", but it doesn't really matter. I don't think that legislation is "un-american" or that the EU shouldn't have passed this law for its citizens. My issue is with the attempt to declare that it applies so broadly to organizations in other countries who have no connection to the EU except that EU visitors might come to their website. I'm going to assume you're intentionally not trying to understand the broader principle here, but just in case:
Reposted from another comment:
My primary argument is that the GDPR's attempt to regulate companies in other jurisdictions because EU citizens go INTO those jurisdictions and do business is a dangerous precedent. If there was an enforcement mechanism for all such laws, it implies that any business or individual anywhere in the world with a website should therefore have to comply with any laws from any jurisdiction that are similarly constructed.
If my website says things about Islam that Saudi Arabia passes a law against, I should be fined.
If my website disrespects the king of Thailand, I should be extradited for imprisonment.
If I encourage NK citizens to revolt against their oppressive regime, I should end up in a labor camp.
After all, those governments have a right to say that if I want to "do business in their jurisdiction", I must respect their laws, right?
(To be clear, I'm not talking about enforcement of these kinds of laws, because all of those countries might do the above if given the chance. I'm talking about what I SHOULD do as a matter of morality or ethics or civic duty or whatever, or what my government should cooperate with those governments on, because it's just.)
But the problem is that they're describing "doing business in their jurisdiction" as a citizen from their country (maybe even one who is currently visiting my country) going online and sending my server requests, data, and money. And apparently explicitly telling those citizens to please NOT do that, or blocking them, is not sufficient. The only way to make the majority of the EU users on HN happy is to comply. Why would that same logic not apply to all other kinds of laws?
If you don't do business with the EU, the EU has nothing on you. They have no other mechanism for enforcing compliance.
If you would disrespect the king of Thailand, and you would go to Thailand, they might act on their laws and lock you up.
If you would break EU privacy laws, and you would try and do business with the EU, they might act on their laws and enforce their fines.
There is no precedent being set here. Even the US is more than willing to freeze assets of foreign actors when they believe they have been wronged abroad.
If you ignore the EU and the GDPR completely, nothing can touch you; you just can't do business with them until you stop ignoring them.
As a non-EU member I'm jealous. I would love to see a uBlock filter list targeting all non-GDPR-compliant addresses. Maybe something like the 'Badware risks' list that allows you to proceed but not before displaying a warning.
I could buy "hysteria" as an explanation for the little startup apps or blogs that have shown up on HN these last few days, but these papers have revenues in excess of $2 billion. I have to assume there was some due diligence involved.
In general, the online site of a newspaper doubtless does a lot of ad tracking. To the degree that readership is mostly local (as it is for most newspapers with relatively few exceptions), geofencing seems like a pretty rational response to potential compliance headaches. More trouble than it's worth is a wholly rational business justification for a case where a geo is currently unimportant and there's no business plan to expand there in the future.
The problem is ads. Many networks track their users, and the site is responsible for that too. Eliminating all ads means the EU users become only a cost.
They need to integrate GDPR-compliant ad networks to serve to EU users, and they probably didn't do the work.
If you have a webpage with text and images, no user accounts and subscriptions, then why would you prefer to block the users rather than load the page without tracking and show some static ads? Better than nothing.
Showing a popup with things like
-we have Google analytics that track you in this way
-we have FB scripts that do this
-we have ad company X script that tracks this
-we have Y product that tracks your focus
....
would also be good, then I know what "I lost" not getting access to that page.
No, it's not better than nothing. In fact, it's worse than nothing. Which is why they're not doing that.
It's extremely difficult for classic news media to make money in the internet-world. They're not tracking you because they hate privacy, they're tracking you because they need to show you ads to earn a few cents to pay for their newsroom.
No. They are tracking you because they are entirely oblivious to privacy and to the stuff they run on their websites.
A lot of those links and trackers and what-nots come from affiliate networks, or because some marketing manager said it would be better that way. And now they are suddenly alerted to the fact that they run 30+ trackers on their sites, and believe you me they have very vague idea about what those trackers are doing.
In 1y every website will have a click-through EULA with 20 pages that loads before everything else and doesn't store IPs - and which no one is reading - privacy served. Just like when they install from the App Store or install Microsoft Office.
"Click here to agree to everything we do" schemes are explicitly forbidden by the GDPR. You need to individually opt-in to every single use case, and you need to consent to every transfer to each individual third party as well.
It's in the "Guidelines for Consent" document, in "3.1.3 Granularity":
"A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes."
And they give an example:
"Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there is no separate consents for these two separate purposes, therefore the consent will not be valid."
You do need explicit consent if you're trying to sneak something in the user wouldn't expect. So if you sign up for cat pictures but the service sells off your data to a dating service, that's surprising and requires explicit consent because the user can't be expected to give informed consent to that by just skimming your privacy policy.
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

> Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (1) a declaration of consent preformulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

> In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
And yet, that seems to be the solution most sites are already taking. "Click here to agree to tracking and continue to our site." Concrete example: theverge.com
Hopefully they will be slapped down for it pretty soon.
This is the EU, not the US. This law was specifically crafted to prevent the kind of reptilian behavior that you're describing here. I honestly (and perhaps naively) expect you to understand the source material a little bit better if you're going to make blanket statements about it here.
Always a good idea to include a personal attack in your comment, well done!
Second, my point is not about what I'm doing but about what others will do. I have not and will not work for companies who base their business model on selling data without consent, ad networks or in duping people. I've declined several very lucrative CTO offers in large companies due to their privacy stand.
Third, I'm for more data protection and privacy and removed my Facebook and other social media accounts years ago. I would also not click such EULAs as I do not care about "news" sites.
Nowhere do I imply that you are exhibiting reptilian behaviour, I said that you are describing it. What you could take personally is that I said you should not talk about things which you do not understand (unless it is to ask questions, which I could have added), which doesn't sound at all unreasonable to me. Why you assume that was a personal attack is completely outside of how I can read my own comment.
Yes. Intent matters. The website is showing that they do not want EU visitors as they don't want to deal with the high cost of GDPR. If an EU visitor manages to bypass this restriction in some way like a VPN then they lose their EU protection as they are hiding their identity as a EU citizen.
They use Cloudflare which has gone out of their way to be compliant (to the point of offering US citizens and the rest of the world the same protections as EU citizens), and nothing else is included on the page that could track you (check it if you don't believe me).
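One way to actually run that check, and to produce the kind of third-party inventory the earlier comment about "30+ trackers" says most sites lack, is to parse the page's HTML offline and list every host other than the site's own that a browser would contact while rendering it. The script below is an added example, not code from the thread or from any commenter; the sample page, its host names and the `.test` domains are constructed for the demo and say nothing about HN or any real site.

```python
"""Inventory the third-party hosts an HTML page makes the browser contact.

Added example (not from the thread). The sample page and every host in it
are constructed for the demo; `.test` is a reserved TLD that never resolves.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose value makes the browser fetch a resource.
FETCHING_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),        # stylesheets, preconnect/dns-prefetch hints, ...
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every fetching attribute, plus inline scripts."""

    def __init__(self):
        super().__init__()
        self.refs = []            # list of (tag_label, url)
        self.inline_scripts = 0   # scripts with no src: cannot be attributed to a host

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)       # html.parser lowercases tag and attribute names
        label = tag
        if tag == "script" and "src" not in attrs:
            self.inline_scripts += 1
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            label = "img[1x1]"    # classic tracking-pixel shape; worth flagging
        for name in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                self.refs.append((label, value.strip()))


def resource_host(url):
    """Host a resource URL points at, or None for relative/data/blob/fragment refs."""
    if url.startswith(("data:", "blob:", "javascript:", "#")):
        return None
    if url.startswith("//"):      # protocol-relative URL: same scheme as the page
        url = "https:" + url
    return urlsplit(url).hostname  # None for relative URLs, i.e. first party


def is_first_party(host, site_host):
    """True for the site's own host and its subdomains (suffix match on a label boundary)."""
    return host == site_host or host.endswith("." + site_host)


def audit_page(html, site_host):
    """Return ({third_party_host: sorted tag labels}, inline_script_count)."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    found = defaultdict(set)
    for label, url in collector.refs:
        host = resource_host(url)
        if host is None or is_first_party(host, site_host):
            continue
        found[host].add(label)
    return {h: sorted(labels) for h, labels in sorted(found.items())}, collector.inline_scripts


# Constructed sample page for a hypothetical site at news.example (not a real site).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="preconnect" href="https://fonts.example-cdn.test">
<script src="https://analytics.example-tracker.test/collect.js"></script>
<script src="//ads.example-adnet.test/tag.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<img src="/logo.png" alt="">
<img src="https://pixel.example-tracker.test/px.gif?u=1" width="1" height="1">
<iframe src="https://social.example-widget.test/like"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7">
<script src="https://static.news.example/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    third_party, inline = audit_page(SAMPLE_PAGE, "news.example")
    for host, labels in third_party.items():
        print(f"{host:35s} {', '.join(labels)}")
    print(f"inline scripts (unattributable statically): {inline}")
```

On the sample page this lists five third-party hosts (two of them from the same tracker vendor, one loaded as a 1x1 pixel) and one inline script, while the site's own CDN subdomain and the `data:` image are ignored. The caveat a practitioner should keep in mind: this is a static view. Tag managers and ad scripts inject further resources at runtime, so for a real audit compare this output with the browser's network log or a HAR capture; anything that appears there but not here was loaded by one of the scripts in this list.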
You can anonymize your profile, you can edit it and you can use one of several services to get your data out. On the whole it is pretty good.
AFAIK you can't delete all your messages on HN, nor even delete your profile. They also do fingerprinting, or else how can they detect people with multiple accounts?
They have a public API/funnel to random services, can't edit data / can't download / delete my archive. Their privacy policy is not updated, no cookie notice. I was fairly sure they used Google Analytics but it seems they removed them.
Some people say that their use of <table>s and inline styles is a punishable offence, I beg to differ.
Just the fact that you use some GDPR-compliant service doesn't mean that your product is GDPR-compliant. Because your product has to make sure that it stores, processes, removes, rotates etc. personally-identifiable data in a GDPR-compliant way.
E.g. HN doesn't offer a way to request the data they have on me, or to delete my account. This is not GDPR-compliant.
It only "doesn't offer a way" if you write an email to HN and they refuse to do it, or don't answer. I haven't requested that myself, so I don't know what answer you'd get. But I think, unless there's evidence that someone's got such an answer from them, it would be wrong to assume they won't/can't do it.
Deleting data etc. doesn't have to be automated i.e. with a button to do it. Writing to them and them doing it is sufficient.
Spot on. That's exactly how it is. It would be nice if the GDPR mandated automated procedures for all of the above that are no more complex than it is to sign up and post in the first place. But that's not quite how it works. There are such requirements in some of our laws with respect to signing up and cancelling paid services.
If the EU wants to pass laws that say every company around the world (almost all of which have ZERO democratic representation in EU government) has to fully comply or face huge fines that will drive them out of business, let’s see how they feel when all those companies just shrug and turn their back on the market.
I know the GDPR fans here will just say “good, we’re better off without them!” and I guess on that we agree. Go in peace.
Hello Ryan (I like your business advice newsletter), honest question: In the USA we have FICA laws that can fine foreign banks, in foreign countries, not here, for most of a year's income if they make a single error in reporting financial records of US citizens. Most banks in foreign countries simply refuse US citizens as customers.
Are you thinking of FATCA? I’m not an expert, but from what I can tell, I’m not a fan. I think telling US citizens that they have to report is fine, asking foreign banks to report is fine, and requiring foreign banks that also have a US presence to comply is fine.
But if FATCA applies to some small community bank in Japan, then that’s ridiculous.
Regardless of GDPR, this is good in the short term. Organizations can comply with regulations (and ostensibly reduce market failures) or not comply and lose market share. If all regulations fell into the former camp we haven't tried enough strict regulations.
More generally I think a big problem with compliance is
1) Current business model practices. We don't know all the ways to make money on the Internet because it hasn't been around that long, so we just sell data/ads.
2) Technical limitations. The Internet is organized around centralized systems but this doesn't have to be the case. It's just hard to build a comparable decentralized system easily with the current tools.
I agree with this, and hope that it will cause innovation on both points. I know there are a lot of regulation-phobes on here, but good regulation is a driver of (good) innovation, as opposed to further innovation in fields like spying on customers and exfiltrating as much data on them as possible.
Innovation will always be made, and I feel that currently, many great minds are being utilised to make people click on ads. Hopefully this is a step towards changing that.
That's a surprisingly unimaginative viewpoint. Off the top of my head:
- You have friends/family in that area
- You actually live in that area, but you are currently travelling
- You are considering visiting the area
- You are doing some kind of research about the area, say, how often a certain type of crime is reported in local media
I'm sure the list can be made much, much longer if we spend some time thinking about it...
In 1y every website will have a click-through EULA with 20 pages that loads before everything else and doesn't store IPs - and which no one is reading - privacy served. Just like when they install from the App Store or install Microsoft Office.
Forcing users to accept a 20 page EULA is not compliant, that's what's so great about this directive. If all you have to do to be compliant is add a new clause to your 20 page EULA, then the law would have no purpose - we're already trained to just click accept when presented with any kind of lawyerese. The whole point is to get away from that.
I've not said that this is the only thing you need to do. EULAs don't make you compliant. I've said websites will have EULAs (and be internally compliant) and do everything - except selling - with your data that they do now.
The only real benefit of the GDPR for users is that old (e.g. 2y) data needs to be deleted and companies can't keep your personal data 10y for future use cases.
But you can do most of the things you like with consent and if you do not couple it to your offer.
But the GDPR does not prevent any business model or collecting any data as long as there is consent, you are transparent, you can export the data, consent can be revoked and data can be deleted on request.
That's not the only real benefit. The strongest benefit is that all tracking and sharing of collected data is made explicit to all users in plain language and now requires explicit opt-in. Before this directive, companies could just hide that shit somewhere in their EULA. It's this practice that's being regulated.
IANAL but after working on GDPR topics for months with a lot of reading I'd say they would work.
Selling data is still hard to argue, I'd not do that for EU citizens ("tag EU citizens to opt out from selling data").
Everything else should be possible. Using Art. 6(1)(a) and Art. 7 GDPR you can store most of the data from your visitor. You need to make sure you inform them about your usage, and that they can revoke their agreement and make you delete it. Coupling ("click EULA or else") is a little bit more difficult, but with clever UI most visitors will accept the EULA instead of opting out, no coupling needed.
I'm sure in 1y publishing systems will provide all of this out of the box.
No, not a dark pattern, like LinkedIn, just a "yes" & "no", but if you place "yes" to the right side people will more likely click on "yes". If you space them at the bottom of the EULA, "no" to the left border, "yes" to the right border more people will click on "yes".
This is not something I would do, but my salary is not coming from placing ads on a site and selling personal data. But this is what will happen.