Google will argue that while this data is intimate (religion, age, personal preferences), it is not personally identifiable.
I have access to one of these data feeds of bid requests, and for the most part, they're right. Pick a random entry and even after hours of searching and correlating with the other data we have on file, it's unlikely I'd be able to identify exactly who it was (ie. Their name and address) on that website.
Some requests totally are identify-able though, for example if the user goes on to click one of our ads, buy something, and give us their postal address. In the eyes of the law, we have broken the rules there by re-identifying previously anonymous data.
While I think Google is technically in the right here, they're gonna loose big time because they're a foreign company and don't have much love with the public.
> I have access to one of these data feeds of bid requests, and for the most part, they're right. Pick a random entry and even after hours of searching and correlating with the other data we have on file, it's unlikely I'd be able to identify exactly who it was (ie. Their name and address) on that website.
That's you, but what if Vodafone buys this data? They know the personal data of their broadband users but they don't necessarily have religion or other personal preferences... should they?
Or how about when it's me? Maybe I just know this space better? I can get email addresses from pretty much anywhere, md5 them, check against the email hash from Lotame (or someone; it's almost always unsalted md5), and match that against Google's Bidstream. Bingo: Now I have email to "intimate" data[1], which probably surprises a lot of people!
[1]: I like that term better than both "special category data" and the older "sensitive personal data"... I think I'm going to use it
As the linked article (and the API docs linked from that article) indicates, it contains a Google user ID, which is unique to a user. That by itself already makes it PII.
Furthermore, you probably know the IP of the user you're serving a page to, that combined with this data also makes it PII..
It's not about wether you can determine the person's name, mail address or whatever, it's wether this combination of data is or can be unique to a single person.
The type of personalized ads you describe only trigger if the user has clicked on the "allow personalized ads" button. If they did not only non-personalized things happen this is things what the website is about and course location (city or zipcode) (the latter is not personalized information as they lawyers explained to me because "it can't identify a person").
That may be true, but allowing personalised ads is something completely different from 'share my personal information with thousands of unnamed third parties', which is what this is about.
"Allow personalized ads" is on by default, which is iffy under the GDPR. Especially considering that, when it's enabled, they match you to your Google account even if your current browser isn't signed in to the Google account.
No it is not! Google requires each individual website to gather consent affirmative for personalized ads before Google will provide personalized ads. There was big issue over if Google would effectively force everyone to use it's solution as it would be the only way Google could be 100% sure the publisher isn't cheating. In the end Google allowed publishers to use whatever method they want.
But in practice, doesn't “affirmative consent” means clicking the big yellow “OK” button below a paragraph of vague weasel words instead of the little white “Configure privacy options” link, or in the case of website operators like Oath, not going three pages deep?
The phrase "personally identifying information" does not occur anywhere in the text of GDPR. The term used throughout is "personal data", which is defined differently.
>It's not about wether you can determine the person's name, mail address or whatever, it's wether this combination of data is or can be unique to a single person.
Uniqueness is irrelevant unless there is sufficient identifying data to associate that data with an identifiable natural person. Unless you have some means of ultimately figuring out "this data belongs to Joe Bloggs of 123 Any Street", then it isn't personal data.
Art. 4 (1):
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Pseudonymous data falls within the scope of GDPR if other information could be used to associate that data with an identifiable natural person. Truly anonymous data is exempt - you might know a lot about person X, but that's only personal data if you can figure out that Person X is actually Joe Bloggs. It really isn't clear to me that Google are in breach in this instance; it's highly plausible that they are, Brave's allegations certainly warrant investigation, but the law is relatively complex and it's also somewhat plausible that Google are sailing very close to the wind while just barely remaining in compliance.
> Unless you have some means of ultimately figuring out "this data belongs to Joe Bloggs of 123 Any Street", then it isn't personal data.
That's not exactly accurate.
I like the ICO's literature on this[1] because they put a little more colour on what it means to be "indirectly" identifiable, and they are pretty clear:
• You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
• It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
• That additional information may be information you already hold, or it may be information that you need to obtain from another source.
That's the case here: An ISP such as Vodafone knows the IP addresses of their broadband users, and perhaps even some of their cookies -- they have this other piece of data that makes what Google is providing personal data. To my knowledge Google isn't attempting to even argue otherwise, instead they have taken the position that the person has consented (using various consent managers or click-to-accept dialog boxes), so therefore it's pseudonymous, which makes your next paragraph a little more important:
> Pseudonymous data falls within the scope of GDPR if other information could be used to associate that data with an identifiable natural person. Truly anonymous data is exempt...
This is incorrect. Again from the ICO:
• Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
• Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
Very clear: All it takes is for the data to relate to a person.
> It really isn't clear to me that Google are in breach in this instance
It's not clear to me either, or (to my knowledge) to the Irish DPC at this stage, but part of their responsibility is to figure it out. They have released very little information so far[2] so there's little point armchair-lawyering on what their position or defence would be.
If it's not exposed to the internet no problem.
Not true unfortunately under the GDPR nor it's predecessor, if the notes are publicly available:
Bodil Lindquist v Åklagarkammaren (2003)
Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The European Court of Justice ruled that it is not.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Not true unfortunately under the GDPR nor it's predecessor, if the notes are publicly available:
Bodil Lindquist v Åklagarkammaren (2003)
Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The European Court of Justice ruled that it is not.
A "private home page accessible to only those who have the address" is a public page.
That's not a private note, and I'd be livid if somebody was posting my contact and medical details online. I see no problem with this ruling, nor do I see it as evidence contrary to the idea that one may keep private notes.
In response to a comment about keeping notes, which any reasonable person would interpret as meaning private notes.
What got my goat, though, wasn't the mere, if silly, clarification that notes are only protected if they're private. It's the phrasing of the quote to suggest that somehow these notes should have been considered private because the publisher didn't intend on anyone reading them (despite publishing them such that they could).
What court wording are you referencing? The judgment says "private home page which is none the less accessible to anyone who knows its address", a very different turn of phrase.
I meant do you have a source for the court notes where they said that. It doesn't sound like a quote to me, it sounds like a precis.
In fact it sounds like a precis of the quote I provided, but I could also imagine the defendant's lawyer saying it in the more loaded way presented here.
> they're gonna loose big time because they're a foreign company
I think it's somewhat irresponsible to throw out accusations this big without even feeling the need to offer any evidence for them.
FWIW I once summed up the various fines (anti-trust etc.) doled out by the EU by country/continent. It turned out that US companies were, collectively, fined slightly less than their share of economic activity in the EU, while Asian companies were fined more and EU companies were about level.
This corresponds rather well with a non-corrupt process largely blind to companies' nationality, assuming that US companies are rather well-regulated in the US compared to Asian companies.
I haven't done the reverse for US fines of European companies. But, subjectively, the cases that made the news (mostly VW and Deutsche Bank) gel rather nicely with my (Germany-based) impression of companies with malignant corporate culture and do not require any nationalistic motivation to explain.
I know it may seem like a minor point in this context. But if we always assume all institutions are corrupt, that becomes a self-fulfilling prophesy. Institutions such as the court system and, more generally, the rule of law, are the reason we (some of us) can enjoy life in peace, and shouldn't be torn down just by empty cynicism.
> This corresponds rather well with a non-corrupt process largely blind to companies' nationality, assuming that US companies are rather well-regulated in the US compared to Asian companies.
The trouble is this doesn't really prove anything for the exact reason you're identifying. What you have to compare is the level of enforcement compared to the level of compliance. If US companies are more compliant than average then there should be less enforcement than average, but then you still don't know whether there is more or less than there should be. If US companies are fined 75% as much even though they break the rules 50% as much, that's evidence of bias rather than a lack of it.
Moreover, major US companies are hard sticklers for following rules. They're full of lawyers because their home country is and they'll get their pants sued off otherwise.
That actually seems to be the problem. The EU passes some complicated stack of rules, the US companies have their lawyers go through them and figure out how to comply without disrupting their business, but disrupting their businesses was the motivation for the rules. Then the EU comes around and fines them again. Everybody who dislikes them cheers, but it smells rotten because the companies knew they were under scrutiny and had good lawyers, so it's difficult to find explicit violations and consequently huge fines get meted out over behavior which is not even clearly a violation of the rules.
The issue is that US companies are following the letter of the rules while violating the spirit. If the spirit of the law is to ban your business model, switch to a different one or stop operating.
A company that tries to weasel around the rules while knowing exactly what the EU meant is just taking the regulators and courts for fools.
> good lawyers
If US companies keep getting fined despite having "good lawyers", maybe those lawyers aren't that good after all.
> The issue is that US companies are following the letter of the rules while violating the spirit.
"The spirit of the law" is the refuge of people that can't be bothered to make good laws to begin with and just want to make up whatever rules they want ex post facto.
> If the spirit of the law is to ban your business model, switch to a different one or stop operating.
If the spirit of the law is to ban their business model then stop pussyfooting around it and just make that the letter of the law.
> If US companies keep getting fined despite having "good lawyers", maybe those lawyers aren't that good after all.
> "The spirit of the law" is the refuge of people that can't be bothered to make good laws to begin with and just want to make up whatever rules they want ex post facto.
That's a good approach if you want to play silly games, but fortunately the EU prefers effective regulation. And its courts are reliable enough that we can rely on its judges having common sense when interpreting the law. Maybe the US is different.
> If the spirit of the law is to ban their business model then stop pussyfooting around it and just make that the letter of the law.
It is, actually. But the good lawyers of US companies apparently believe, for example, that "freely given consent" means "clicking a button to make an overlay go away because we make the provision of our service conditional to spying on them". What does the GDPR say?
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
US companies are openly breaking the GDPR and violating people's privacy. Frankly, 4% is far too low for this kind of insolence.
> That's a good approach if you want to play silly games, but fortunately the EU prefers effective regulation.
Regulation can only be effective if people know how to follow it. Otherwise you're just a bully punishing people for things they can't predict ahead of time, and you can't produce the desired behavior because you've failed to identify what it actually is.
> It is, actually. But the good lawyers of US companies apparently believe, for example, that "freely given consent" means "clicking a button to make an overlay go away because we make the provision of our service conditional to spying on them".
You seem to be claiming that things like this do not exist:
How is the service "conditional to spying" if you can turn it off or delete the data and still use the service?
> US companies are openly breaking the GDPR and violating people's privacy. Frankly, 4% is far too low for this kind of insolence.
You obviously have strong opinions about Google. But is there a reason you don't just stop using their services? I can't think of any that has no competitors.
> Regulation can only be effective if people know how to follow it. Otherwise you're just a bully punishing people for things they can't predict ahead of time, and you can't produce the desired behavior because you've failed to identify what it actually is.
Stop pretending that the GDPR doesn't do that.
> How is the service "conditional to spying" if you can turn it off or delete the data and still use the service?
You obviously don't know what you are talking about. You can't turn Google's spying off. They show a modal that you can only dismiss by "agreeing" that they use your data for their purposes.
> You obviously have strong opinions about Google. But is there a reason you don't just stop using their services? I can't think of any that has no competitors.
Because they're useful. That's why people use services. Idiotic question.
If it did that then there would be more lobbying the legislature to change it while complying with it and fewer lawsuits being filed because people disagree about what's necessary to comply with it.
> You can't turn Google's spying off.
Then why do they have a bunch of settings where you can turn it off?
> Because they're useful. That's why people use services. Idiotic question.
It seems like you want "free" services funded by targeted advertising but you don't want targeted advertising. Is that not an inherent conflict? If the end result is that you end up paying for your services with money, why don't you just start there?
> If it did that then there would be more lobbying the legislature to change it while complying with it and fewer lawsuits being filed because people disagree about what's necessary to comply with it.
I'm not interested in theoretical arguments contradicting easily verifiable facts.
> Then why do they have a bunch of settings where you can turn it off?
You can't turn the privacy violations off that Google commits for their own profit.
> It seems like you want "free" services funded by targeted advertising but you don't want targeted advertising. Is that not an inherent conflict? If the end result is that you end up paying for your services with money, why don't you just start there?
Why on earth would I pay for a service I can get for free? It's not my problem that Google doesn't charge for their services. No, they aren't trading services for privacy since you cannot trade services for privacy in the EU anymore.
> I'm not interested in theoretical arguments contradicting easily verifiable facts.
Which of these do you think is more likely: That Google knows the specific things that will cause it to be fined and just doesn't care about tens of billions of dollars, or that they're trying to but can't figure out ahead of time what behavior will result in fines?
> You can't turn the privacy violations off that Google commits for their own profit.
Then what do those settings do?
> Why on earth would I pay for a service I can get for free?
Somebody is paying for it. If you get them to stop doing that, what do you expect to follow?
> No, they aren't trading services for privacy since you cannot trade services for privacy in the EU anymore.
At which point you have the possibility of most people "voluntarily" sharing their data and the service continuing to be free, or the alternative that they don't and everybody has to pay for it directly. But the first one is basically the status quo and if you're angling for the second one then, again, why don't you just start there?
> Which of these do you think is more likely: That Google knows the specific things that will cause it to be fined and just doesn't care about tens of billions of dollars, or that they're trying to but can't figure out ahead of time what behavior will result in fines?
I'm not interested in theoretical arguments contradicting easily verifiable facts that are phrased as false dilemmas.
> Then what do those settings do?
I don't know -- Google doesn't let me access them without logging in. Nor do I care. It definitely doesn't let you turn off the data collection that Google forces you to "consent" too. The whole point of forcing someone is not giving them a choice.
> Somebody is paying for it. If you get them to stop doing that, what do you expect to follow?
The services currently funded with corporate propaganda are instead funded in a saner way. Ideally the public funds it, but even charging people individually makes more sense than ads. However, other goods and services become slightly cheaper because their producers and providers don't spend as much on advertising. This more than compensates having to pay for services since you only have to pay for the service itself, not the service and the ad companies that charge you for the service in a stealthy and horribly convoluted way.
> At which point you have the possibility of most people "voluntarily" sharing their data and the service continuing to be free, or the alternative that they don't and everybody has to pay for it directly. But the first one is basically the status quo and if you're angling for the second one then, again, why don't you just start there?
Because I'm a dirty commie who is not in the habit of donating money to multinational for-profit corporations. Is that a serious question?
> I'm not interested in theoretical arguments contradicting easily verifiable facts that are phrased as false dilemmas.
Theoretical arguments apply to things that aren't happening. This is happening right now.
False dilemmas imply that there is a choice presented as binary which really has more than two alternatives. Since Google is being fined billions of dollars, one option is that they knew ahead of time what would cause that to happen and did it anyway, the other is that they failed to predict that their conduct would have that result. What is your proposed third alternative?
> I don't know -- Google doesn't let me access them without logging in. Nor do I care. It definitely doesn't let you turn off the data collection that Google forces you to "consent" too.
How do you know if you don't know?
Tracking preferences are state. They have to be attached to something in order to be applied to it. What do you propose they use to assign your tracking preferences to you, if not an account?
> The services currently funded with corporate propaganda are instead funded in a saner way. Ideally the public funds it, but even charging people individually makes more sense than ads.
Both of those options are already available. You could have your government fund competing services or pay for them yourself right now, or ten years ago, or at any point in the future.
> However, other goods and services become slightly cheaper because their producers and providers don't spend as much on advertising.
This is plausible, but then why all the indirection? Pass a law expressly prohibiting targeted advertising.
Note that there is a counterargument however. If advertising is less effective, companies will still pay for it but attract fewer new customers to the industry and correspondingly sustain fewer competitors and sell fewer units to amortize fixed costs over, and it becomes more difficult for new competitors to gain customers, which reduces competition and raises retail prices per unit.
It's not clear which of these is the case and it's probably a different result for different industries.
You ignore half of what I write, instead you keep asking the same questions again and again. You ask inane questions such as why I prefer not to donate to Google. I have no idea why someone arguing in good faith would act like this. You clearly don't have the slightest clue about the contents of the GDPR or European law in general. Please educate yourself. This discussion is over.
"Rule of law" is the one where the letter of the law is a clear and unambiguous true statement of the intent of the legislature.
"Rule of lawyers" is what happens when it isn't and then you need a rhetorician to have an ex post facto political debate about "the spirit of the law" in a courtroom rather than in the statehouse where it belongs to begin with.
I feel like you're just setting me up for the line where in American court dramas the government is reasonable, the courts are just and the defendants are bad, so if it's different in Europe...
But seriously, if you're at the point of having to rely on "the spirit of the law" it's pretty much always because the letter of the law is poorly drafted. It doesn't really matter which continent you're on.
In Europe politicians are generally not lawyers unlike USA, so the legal system cannot work in the same way. "Spirit of the Law" is what a non lawyer would assume the law to mean, since most laws are drafted by non lawyers. Legal battles are usually cheaper in Europe than in USA so it seems to work as intended even if you think that it wouldn't work in theory.
> But seriously, if you're at the point of having to rely on "the spirit of the law" it's pretty much always because the letter of the law is poorly drafted.
There is a truth to that. We need to rely on the spirit of the law because lawmakers, like everyone else, are neither omniscient nor do they never make mistakes. Letting people use unintended loopholes makes sense if you treat the law as a game, not if you treat it as a mechanism to achieve justice.
It's not a question of infallibility. Legislators will make mistakes. They're human.
The question is, what do you do when you find one?
Option one is that you go back to the legislature and have them fix the law, which then applies to future conduct. Particularly for issues affecting ongoing operations on this scale, this is a completely reasonable option.
Option two is that you go to the court and ask them to remake the law and apply it retroactively to past conduct, then impose billions of dollars in fines for following the law as it was written.
But option one doesn't extract revenue from foreign companies. Which is why people are suspicious of your motives when you jump to option two.
Option one also has the advantage that it can produce more coherent results, because the legislature doesn't have to operate under the pretext that it isn't making a change to the law when it really is.
> But option one doesn't extract revenue from foreign companies. Which is why people are suspicious of your motives when you jump to option two.
I don't think we need to cater to paranoid Americans.
> Option one also has the advantage that it can produce more coherent results, because the legislature doesn't have to operate under the pretext that it isn't making a change to the law when it really is.
It's perfectly reasonable for a legislature to assume it isn't changing the law when the law isn't being changed and it's not the legislature that is acting.
> I don't think we need to cater to paranoid Americans.
A fine position if you don't care about businesses abandoning the European market and the US government using it to justify retaliation against EU companies in the US market.
> It's perfectly reasonable for a legislature to assume it isn't changing the law when the law isn't being changed and it's not the legislature that is acting.
If a court is interpreting the law to mean something other than what it says, it's changing the law.
> A fine position if you don't care about businesses abandoning the European market and the US government using it to justify retaliation against EU companies in the US market.
Oh well. We might become as isolated as China. Businesses don't care about rule of law when there is profit to be made. Also most people are capable of understanding how laws and courts work.
> If a court is interpreting the law to mean something other than what it says, it's changing the law.
If a court is making jokes and filming sketches, it's a comedy troupe.
>If the spirit of the law is to ban your business model, switch to a different one or stop operating.
That may end up happening. With the copyright directive and these fines, companies may find that serving EU consumers is not worth it and may start blocking EU users from their services.
You're right it's important to unpack these allegations, but I don't think they are just random cynicism.
> US companies were, collectively, fined slightly less than their share of economic activity in the EU,
I can imagine why you would control for economic activity, but I have no idea what impact that had on the results relative to other reasonable controls. If we're wondering about punishing bad decisions, you could have instead controlled for the number of decisionmakers from these companies in the EU. Or you could have controlled for the number of different endeavors or types of products or lines of business (because each different source of revenue is a source of malfeasance moreso than each individual euro earned). I'm really mostly concerned about that last one. What is the chance each revenue stream will get more scrutiny by being foreign? Court cases don't target individual euros earned, they target a certain product or way of doing business.
Regardless of controls, it doesn't change the tortured logic in some high profile cases comparing US and EU institutions under the same standard. If the Spanish media publicizes something as widely as it can, that's great, because it's good for the public to have that information. If an American tech firm allows people to access those publications, that's bad, because it's bad for the public to have that information.
I'd love to change my mind about the bias in the EU, I'm open to new evidence. All it would take is a few EU cases where they found that the big American company was blameless, but the small European company should be fined.
I find it irritating when people move the goalposts and don't acknowledge opposing evidence, so I think it's really important to stop here and acknowledge that this is relevant evidence, even though it wasn't exactly what I said I was looking for originally.
It's not a case where the US and EU companies are on the same side like I originally proposed, but those might be too rare to test anyway, so I was probably being a bit silly.
Failing back to these more common cases, I don't think (and shouldn't have implied that) one case alone in a decade completely decides the question of bias, but it should definitely shift the probabilities here, if you want to be bayesian about it.
After digging in on this series of case law, it's also important to note it has its origins in the L'Oreal decision that lets Google off the hook but is mostly about fining eBay.
It's a complicated counterexample to the premise that the EU is preoccupied with fining US companies.
> All it would take is a few EU cases where they found that the big American company was blameless, but the small European company should be fined.
We are less likely to hear about small companies getting fined by prominent bodies, because they have less impact, because their case doesn't receive public attention, because they don't lawyer up in long protracted battles, etc.
> the Spanish media vs. American tech firm
One is a press organization, the other is (usually) an ad-tech business. Different rules apply for different deontology sets. Much like FB doesn't get the same slack as the NYT when it comes to disclosing stuff.
For further background, there were two surveys of top economists, one for European economists, one for US economists, where the economists were asked if the EU used its antitrust powers to protect EU-based firms from international competition, rather than to promote greater competition in European markets.
At least in the academic economist community, there is disagreement on the EU's use of antitrust powers (although it leans toward the EU promoting competition more than being protectionist).
I generally interpret this data to mean that viewing the application of EU antitrust as protectionist is a defensible, although uncommon, opinion.
FWIW I once summed up the various fines (anti-trust etc.) doled out by the EU by country/continent
I would be interested in seeing this analysis, but I'd also be interested in knowing two things:
1. When was it done?
2. Were you analysing fines by member states or fines by the Commission itself?
My very strong impression is that in recent years there's been a new phenomenon of the EU itself dishing out fines of vast new magnitude - not an EU member state, but the Commission. This wasn't true 10 years ago, but it feels like it's started in earnest now. Indeed GDPR and Vestager's time as anti-trust commissioner are relatively new.
Institutions such as the court system and, more generally, the rule of law, are the reason we (some of us) can enjoy life in peace, and shouldn't be torn down just by empty cynicism
Whilst I fully agree, there are some other factors at play here.
One is that EU level fines aren't levied by the court system. The EU bureaucracy acts as judge, jury and executioner. Fines simply ... appear. There is no right of defence. Fined firms may then appeal to the ECJ, but this takes a very long time and I don't know if there are any cases yet where an appeal went against the Commission.
This is not how normal justice works of course. Normally the government has to prove a firm guilty of criminal behaviour first, then punish it second. The EU reverses it. That's a fundamental change.
Secondly the ECJ is a corrupt court. It has a history of corrupt and ideologically motivated practices. For instance it has heard a case where the plaintiff didn't know they were part of a court case at all. When informed of this state of affairs by journalists, the ECJ ignored it and continued. There have been a long string of rulings where the ECJ openly and blatantly ignored what the written law of the treaties actually said, with Kafka-esque interpretations of language the treaty authors thought was bulletproof.
Why is the ECJ like that? Because like all EU institutions it is created and staffed by people who are ideologically committed to the furtherance of the EU project. They are not independent; they are fully bought into the Federalist agenda. That agenda is currently suffering due to member states not wishing to grant the EU more money, and because the UK is leaving (trying to leave), which will cause a large drop in budget. Endless vast fines against tech firms for violating laws so vague all sorts of ordinary behaviours could conceivably be illegal is a perfect vehicle for them to top up the bank balance ... because that's where fines go. Straight into the EU's own institutional pockets.
You last paragraph reads reallt badly:
"
Why is the US supreme court like that? Because like all US institutions it is created and staffed by people who are ideologically committed to the furtherance of the United States Government. They are not independent; they are fully bought into the Union agenda.
"
And you bit about budget is complete nonsense! Where did you even get this?
These fines are minuscule compared to the EU overall budget, they aren't there to cover some kind of budget shortfall.
You can't make that comparison because the Supreme Court is not dedicated to the agenda of the US Government, in fact, it's not even meaningful to say the US Government has any sort of long term agenda because what the USG wants to do tends to change every time a new President or Congress gets elected.
The EU is different because it has a long term overriding Federalist agenda independent of EU elections, which can't actually change anything.
As for the budgets, maybe you're running behind the times.
Let's take the UK's budget contribution to the EU in 2017, it's about £13 billion. That's a lot of money, the UK is one of the biggest budget contributors.
Just one single fine of one single company, the 2018 fine against Google, clocks in at $5 billion! Earlier in that year the EU fined Qualcomm $1 billion. In 2017 Google was fined $2.7 billion.
The fines against US tech firms alone are in the same range as the entire contribution of one of Europe's biggest economies. There is an absolutely vast conflict of interest there, on a scale never seen before.
Somehow I think it's unlikely that Google is not violating a law that was in part passed to stop Google from doing what it's doing.
> While I think Google is technically in the right here, they're gonna loose big time because they're a foreign company and don't have much love with the public.
They don't need love with the public, just with the ECJ.
> Google will argue that while this data is intimate (religion, age, personal preferences), it is not personally identifiable.
IANAL but I would assume that all it takes is one incident of it actually being personally identifiable to erase this argument. All it takes is one data point that is "unique enough" to map it to one person. Imagine a very unique combination of these three values (religion, age, personal preferences: muslim, 21, likes curling) and add an equally unique location (Iceland) and you may be in trouble.
I also used to work in buy-side ad-tech and the industry cannot possibly function without making a wide (global, industrial scale) swathe of individuals and institutions vulnerable to espionage, social engineering, blackmail etc... The fact that these vulnerabilities are not exploited more widely or more aggressively is a minor miracle (then again ... maybe they are and we just don't know about it yet...)
This presumes that the customers of the ad industry would stop buying ads without this personal data. It's an arms race, advertisers buy ads from the best source and more personal information makes your market better. Eliminating this arms race won't make advertisers stop advertising.
Even if you cannot use the data to identify a person, maybe your ISP or the police could, making the information "personally identifiable". According to https://www.groundlabs.com/what-is-pii-for-gdpr/ IP addresses count as PII.
> Some requests totally are identify-able though, for example if the user goes on to click one of our ads, buy something, and give us their postal address.
And if you operate at scale, that might happen thousands of times per day.
IMHO this is a serious GDPR infringement.
Do you notify users that you process PII, even if you don't bind on this request? Do you give users the option to opt-out before you do? If not, you are in serious trouble.
So, if you can tie this information that you receive from Google to a particular person then wouldn't this violate the spirit of the law? Similar to the way precursor chemicals are illegal or tightly controlled in drug law.
Obama should have never intervened to stop the FTC from suing Google on antitrust issues in the U.S. either. Google has only gotten much more brazen after that to the point that many people no longer believe the company's "don't be evil" propaganda, which I believe has served Google very well initially. Google started ruining its own image through its recent actions and it will only make government actions against the company that much more likely to succeed now. Google used to have a lot of "soft power" on these issues, and it's been rapidly declining over the past few years.
It's just like power in any other form; legitimate power comes from the ability to influence others, but exercising that power to coerce others is a trade. If Google wants that power back, they need to earn it.
Let's not confuse Personally Identifiable Information (PII) the US definition, with Personal Data, the EU definition. From the UK ICO [1] "Personal data is information that relates to an identified or identifiable individual. (Emphasis mine.)
So, if it is possible to correlate the personal data with other records that identify an individual (whether by you or a third party with whom the data is shared) it is personal data.
Full disclosure: I work for Veritas Technologies, which, among many other things, provides technologies that help companies find, filter and take action on PII and personal data. Opinions shared here are my own, and do not necessarily represent the views of my employer.
Having seen Twitters data on me (they think I’m older than I am by a decade, and have 4 kids, when I have 2), I too wonder how accurate this data can really be.
Anymore I just straight up “lie” about personal details. A relationship with a tech company is based upon serving my needs first, not theirs, IMO. And at least for me the need they fill is convenience of not having to build the service they provide. Which I would do if said service did not exist.
So there’s that. Have my fake data. Sell emotional but technically inaccurate promises to advertisers all ya want, SV.
Lying about personal details online might get you into trouble with fraud laws.
Sure they won't directly come after you, but if you're in court for some other reason, the fact you put 'hwpsn62#!' as your mother's maiden name might add one more charge...
Your Google search history will show if you have searched for a political party, religion and then your Google profile name is visible. How is that GDPR filtered?
I am also dubious since its Ireland and Google offices,servers is located on Ireland. Thus Ireland data regulation authority might rule in favor for Ireland.
> Some requests totally are identify-able though, for example if the user goes on to click one of our ads, buy something, and give us their postal address. In the eyes of the law, we have broken the rules there by re-identifying previously anonymous data.
You are either compliant or not. Claiming that you are 90% GDPR compliant still makes you non-compliant.
> While I think Google is technically in the right here,
No, they are not technically right, because even being 99% right makes you 1% wrong, which in case of Google would affect 70M people.
> they're gonna loose big time because they're a foreign company and don't have much love with the public.
The love of the public doesn't have any legal influence, and being a foreign company doesn't mean that company can play by it's own or their home country rules.
By the same logic, one could argue that Volkswagen, Deutsche Bank and Monsanto got fined hefty only because they are foreign companies, and that they would be either not fined, or fined much less if they were US based. Oh, wait ...
It's worth noting that the same re-identification problem also applies to advert placement that doesn't use any information about the person being advertised to and is based solely on the topic of the website or webpage, and - according to this blog post - this investigation is in fact going after Google for using that information in ad placement. They're basically trying to kill Google's online advertising business full stop.
This is something that annoyed me about “anonymous” ad techniques. It’s pretty easy, I think, for an unethical company to make a very specific ad that still has thousands of people “10 miles of DC, male, >60, English speaker, Spanish speaker, college graduate, etc” that still has a population in tens of thousands and have the click through offer a signup with email. So the site gets the email and knows from the targeted campaign lots of info about the person they would not share with the site normally.
Do this enough and you end up in Cambridge Analytica-town with portfolios on millions of email addresses that can then be sold independently of the advertiser’s knowledge.
So what? If you don't want some random person to know you by your email address, don't give them your email address. Or use a separate email address for them.
I was working in adtech company and heard that a lot about GDPR. Oh, we had some loses due to GDPR, it is ruining the ad industry etc. Guess what? The population didn't change there's the same number of internet users. What changed is how much information you are able to collect about users, and not just you but your competitors as well. You might need to adapt, but that happens in every industry.
Frankly laws like GDPR might actually be saving the industry, because the arms race to figure out how much information you can get about users is why users start using ad blockers.
How lucky for them the EU won't treat them the way RIAA persecuted file sharers. Hundreds of billions of violations every day, each single one a separate "count"!
Thanks for pointing it out, because that changes what the parent comment says completely. I initially read it as prosecute, which tripped me quite a bit.
It's a shame an otherwise interesting article is plastered with the author repeatedly trying to promote and self-congratulate himself, and take credit for something which has undoubtedly been reported by hundreds, if not thousands, of people. Anyhow, I sincerely hope Google gets slapped with a huge fine, and that one day individual-user-targeted-ads will become illegal.
I want no ads, but apparently it's impossible to build a business these days without also trying to manipulate me into buying random other stuff. If I can't go around them, I'd still prefer to ignore generic ads rather than targeted ones. It's easier to do and less creepy from their side.
the industry hasn't managed to solve this situation for decades now. the best solution has been ads. otherwise there's the subscription model, which reduces access to information.
The problem is people who would pay to avoid ads are those worth targeting... I'd love if a single service could let me opt out of all tracking and ads internet wide for a fixed fee, say $50-$100 a month.
Google actually provided exactly this service (for all Google-based ads, which is a high %) for a little over a year before it was discontinued, supposedly because nobody actually used it.
I don't have the exact number (I had only just signed up as a publisher about a month before they closed it -- maybe someone else can pop in with exact numbers) but I remember it being really low, around 5-7%.
It was low enough that it wasn't really a factor when determining what to price your ad-free pages at (most people went with 1-2 cents per load) -- most people just priced at whatever average your ads were pulling in currently without worrying about the cut, since it was a fraction of a cent.
One requires a network that tracks your every step and analyzes your behavior in a way that makes most totalitarian regimes green with envy. The other knows nothing about you except that the site you are browsing right now is about computer hardware and there might be a slight chance that you want to buy computer hardware right now.
agree, but they're there to pay the bills.
and most "computer hardware" websites i visit already offer "computer hardware" targeted ads. nothing special about this.
Generic ads are more useful to me anyway. When the ads are targeted, it's usually for products I already have an opinion about, and about which I have therefore already made up my mind.
Generic ads, on the other hand, can be about topics/products I usually would never consider or have a strong opinion about, when I realise it might be helpful to a problem I've been neglecting or something like that.
Put another way: Targeted ads are never useful to me, generic ads are sometimes useful to me.
That's because when a targeted ad is general enough to be useful, you misclassify it as a nontargeted ad. Nontargeted ads are pretty much only punch-the-monkey mortgage an dcar insurance scams.
There are two ad campaigns which caused me to try a new product. Neither time was I actually looking for a new product. (The products were Old Spice and Dos Equis. I figured they earned a try just for entertaining me. And I ended up liking both of them.)
I see generic ads as a signal that a company strongly backs its product. I see targeted ads a way for companies hocking cheap products to squeeze value out of their impressions.
The billboards on highway 80/101 in SF are usually rented by big brands with large corporate backing, but their products are usually solid, whereas AdSense ads usually show me what I assume must be dropshipped goods with little quality control (but usually have some sort of novelty value).
then i'm sorry to say, but ads are the least of your problems. in my country my ISP checks and stores all the urls i visit. and pro-actively blocks urls.
and what about governments and their spy agencies? shouldn't they be the focus of your discontent?
It’s not the least of my problems. A to me unknown but large number of companies try to track as much as possible of what I do online, and buy and sell this intensely personal data, causing a very concrete risk that private information about me becomes public. I’m not consulted about this, and I get nothing of value out of it, only risk of disaster.
Yes, there are other big privacy problems. They are all, to varying degrees, the focus of my discontent, and they have barely anything to do with this discussion.
“Targeted” ads almost never show me anything of interest and insist on compromising my privacy. “Generic” ads are more likely to be interesting to me and don't attack my privacy.
I think these terms are misleading though. Traditional advertising is targeted: at the audience of some particular media which takes advertising. And that kind of advertising is actually very effective, and still is. What do viewers of a technology YouTube channel perhaps have an interest in? Technology! What might readers of a gardening magazine want to buy? Gardening tools!
And traditional advertising also advertises to people things at the time they are most receptive to it: when am I thinking most about buying video games? Perhaps when I'm watching others playing them.
Would generic ads really be more interesting for you? Don't forget, the United States is not the only country in the world nor is English the only language. I hope you're ready for ads in Chinese, Russian, German, French etc.
You're fine with political campaign ads targeting you? Only showing their support of wedge issues you agree with, while hiding their support of issues you disagree with? Sorry, but that's just too manipulative.
The problem is less with me seeing personalized ads, and more with the ad-server and/or the website getting my PII, and anyone who sees my screen or sniffs my traffic acquiring PII by observing which ads I get.
Apart from obvious privacy concerns, I started getting much more interesting ads on sites that respect my settings. One time I found an ad for a poem this way.
Targeted ads simply show me what I bought or was interested in recently(there's always a delay).
You're joking, right? I'd be far more likely to buy something from an ad based on the content of the page I'm currently looking at as it's something I'm obviously interested in. The targeted ads I've seen tend to be for things I've already bought (how many mattresses does one man need!?)
I've worked in advertising for 15 years, in different parts of the industry and in different roles.
The thing is: ad tech doesn't want your personal data. Ad tech doesn't even want 'individually-targeted' ads. Advertising is applied sociology and works with statistics and its laws of large numbers.
What ad tech really wants is to assign you to broad classes of sociological groups. ('Gamer', 'parent', 'hobbyist', 'instagram user', etc.)
The insane spree of personal data collection by Google and Facebook isn't driven by advertising needs. It's a deeper and more insidious strategy for things in the future that aren't advertising-related. (I think the strategy bosses in these FAANG companies imagine a future with something like China's social credit system, except on steroids. But this is just my hunch.)
I think it needs to be considered that you are an outlier within the advertising business. To wit, every advertiser I have worked with (especially ones that are high up in a company) believes that they need as much data on their customers as they can get their hands on.
There's a huge incentive for both EU and Google to have the latter just pay a fine every now and then and remain in business.
I see this as an indirect way to solve the problem of tax havens, because little known fact: the money that goes to pay the fines effectively reduces the pool of EU member contributions, because it's distributed using the same method.
The EU is not short on money, and its existence and effectiveness do not hinge on how much money it "makes".
Google is pretty big, but not that big if compared to 27 sovereign countries and their combined GDPs.
The biggest problem the EU has is credibility with its populations. Taking on online privacy for their citizens was a huge win. It made a lot of people aware that the EU can be more than boring fish-quota and agricultural subsidies.
The chance of Google getting away with paying a fine every now and then is pretty much non-existent.
To illustrate: Google has a yearly revenue of ~90 Billion Euros. The maximum penalty for violating the GDPR is 4% of that = 3.6 Billion Euros. The EU has ~450 Million citizens without the UK.
If the EU fined Google for the maximum amount (which is rare) every year, it would raise 8 Euros per citizen.
There is no cap of 4% per year. If you just continue your violations the EU can continue levying fines and go past the 4% until you comply with the lawful order. I am not sure what the cap is in practice, because as far as I know no company has continued to just ignore EU for more than a few months.
I think the only cap is that at some point, a company has no property left in the EU that can be confiscated and all their managers the EU can get hold of are imprisoned for contempt of court. There is no way that the EU just gives up saying "oh well, we tried".
> There's a huge incentive for both EU and Google to have the latter just pay a fine every now and then and remain in business.
For the EU, making a decision frequently means getting the consensus of 28 governments with sometimes very different ideologies. I don't think it's capable of plotting.
Sure. You have twenty-eight governments, each with multiple ministers. A mix of socialists, liberals, christian democrats and fascists. None of them value markets and low taxes (the difference between liberals and socialists is that the latter like red). They somehow trust each other to keep their conspiracy secret. Oh, and half the European Parliament is part of the plot as well.
At the same time, they have serious problems agreeing on tax reform. Because somehow, their interests are only aligned when it comes to secretly taxing Google.
Please take off your tinfoil hat. When the EU properly taxes Google, it will do so openly.
The heads of government and ministers don't get to keep the fines for themselves. It's in their self-interest to get themselves bribed by Google, not to fine them.
Secretly taxing Google by making a privacy law, giving businesses years to prepare for it and hoping Google violates it anyway doesn't even make sense. Taxing them using, well, taxes is easier, quicker and more likely to work.
You're right. But that isn't because it's impossible to write a working tax law, but because the EU hasn't managed to agree on passing one without someone insisting on loopholes.
(The people who decided to expand the EU to 28 members without overhauling its decision-making processes, which were designed for a community of 5 members with a much more limited scope, must have been on drugs.)
You wrote that all countries are interested in money. To an extent that is of course true, and it also applies to Ireland.
Huh? There are two places where he talks about himself. One spot in the beginning where he mentions how the investigation was triggered.
> The probe was triggered by a formal complaint from Dr Johnny Ryan, Chief Policy Officer at Brave, the private web browser.
Which seems fair to me. And another where he's mentioned amongst others who've put in complaints.
> Duplicate complaints were also submitted to the UK Information Commissioner by Jim Killock, Executive Director of the Open Rights Group and Dr Michael Veale of University College London. Dr Ryan, Dr Veale and Mr Kilock are represented by Mr Ravi Naik of ITN Solicitors in London.
Some time ago there was a scandal because apparently they create profiles for content creators which aren't signed up on their platform and accept money on their behalf. Afterwards Brave spouted very dubious arguments with things like ominous legalese to HN comments with an "trust us, we're nerds too" vibe.
From a cynical perspective, it looked a lot like smoke and mirrors from an entity currently sitting on a pile of money acquired by impersonating people.
Isn't this anyway their own tokens? So no matter whether the providers do have an own account or not, if they don't cash it out then there's no cost to brave. So its.just that they were incorrectly giving the impression that someone is getting paid?
I'm far more sceptical of Google. Brave's movitvation is to supply privacy compliant browser as an alternative to Chrome. Google's motivation is to sell ads and hoard data on people.
What’s their extortion based business model? I thought their deal was they pay sites with their schrutebucks based on user monthly pay-in (ie, I pay $10/month, I spend 50% of my time on HN, therefore HN gets $5 minus Brave’s 30% or whatever).
If participation in the program was purely under completely voluntary terms then it would be fine but it isn't. Instead Brave extorts sites to participate in their program by blocking their current funding method and forcing Brave's terms upon them if they want to recover some of the lost revenue.
"Brave extorts sites to participate in their program by blocking their current funding method" is an interesting rephrasing of "Brave has a build-in adblocker."
Sounds like one of those a descriptions of technology you hear in the news from some ancient company's legal team, invented to explain some run-of-the-mill technology (that's not going away) using a prior era's analogy. ie "Stealing a file on the internet".
Most recently (as far as big news goes) it turns out Brave collects donations even if content creators don't participate. AFAIK it's an opt-out feature right now, not opt-in. So Brave is putting donation buttons on YouTuber pages, which only allows the Brave user to donate BAT (Basic Attention Tokens - an altcoin that Brave created on Ethereum), and they hold them until the YouTuber claims it. They also take certain BAT back from the YouTuber if it's not claimed within a year - but those are the free BAT that they give out to Brave users to encourage adoption. BAT donated to YouTubers that the Brave user bought themselves stays in an escrow for now.
Can you provide a complete list of which immoral actions by one party do and don't justify immoral actions by others? Or is it if someone acts immorally any action is response is therefore moral?
> Brave's motivation is to push people to use their browser in order to further their extortion based business model.
Thats Google. Google store information on you -- Brave don't really have data centres of peoples search history and profile info. My big problem with Brave is -- it just simply isn't a good browser yet. It doesn't work properly with lots of sites I use e.g. teamwork.com
Their motives here are not questionable. Everyone knows exactly what their motives are. Google makes Chrome, a competitor to Brave. Also, Brave’s whole schtick is that it is better on privacy than other browsers. So their motive to make this complaint was simple and self-serving: they are trying to take their competitor down and use the publicity from it to boost their business. This isn’t the first abuse of GDPR by a jealous competitor, and it won’t be the last.
Intentionally or not, GDPR was designed in a way that will drive complaints and cross complaints by competitors large and small, across the world. As companies realize how easy it is to weaponize GDPR to impose significant defense costs on competitors at no cost to themselves, regardless of the legitimacy of their complaint, filing such complaints will become a competitive necessity.
Disclaimer: I work at Google and did some GDPR verification on some products, but I’m not a lawyer and will try to avoid legal speculation. I worked with the advertising team but not on it; my impression of those folks is that they took legal responsibilities _very_ seriously. We even had to make new controls in Firebase for you to enable sharing your Firebase analytics data with your Firebase Functions.
I’m curious which kind of party Brave is accusing Google of being (Controller or Processor). I’m also curious what kind of “leak” Brave is accusing Google of making.
The advertiser could certainly filter for some specific terms, but not PII. If you get a large group, differential privacy et. al. should protect the individual and protect a leak.
There’s some interesting theoretical attacks in the threads but they involved a host site asking for the PII after the ad campaign.
Do any attorneys want to comment who the Controller and Processor would be in this situation?
Do any multi-site owners want to comment on whether any advertising UserIDs are even shared across sites, or are they salted per recipient?
From what I can tell it looks like advertisers who already have user IDs can use this in their ad campaign but all google_ fields are stripped from ad redirects.
Just today attended a massive conference where they were showing how a pregnant customer goes on an real estate website,browses for a few properties,then goes on a website that sells cots,browses a few of them and gets served a customised ad from a bank.Once clicked on the ad,it opens the banking app with some details prefilled and ready to submit an application for a mortgage.I understanding I'm in this CRM industry and benefitting from it heavily, however this is just a way to far...
I wonder if anyone can explain more about how ad bidding works? Does information from bidders (websites) go beyond the ad exchange? Do ad exchanges log bids? How does information leakage happen, and what gets leaked?
There's a lot of stuff to dislike about the nuts and bolts of the GDPR. But I do wish that the U.S. would move in the general direction of protecting user data instead of the incredibly vague and stupid calls for "BREAK UP BIG TECH!"
All of the political stuff that's happening here blithely assumes that the problems with Apple, Google, and Facebook are pretty much the same and can be solved in the same way. There's a fundamental approach here of basically, "don't get too successful."
I'd rather see them approached specifically and recognize that they each present very different challenges. One of the biggest for ad-driven companies is that they're successful because of the way they use data. It's not really about how big they are. If you can regulate how people are allowed to make money off of user data effectively, that solves a huge part of the problem.
There's another part of the puzzle about what exactly it means to be an anti-competitive monopoly in the modern era, but I'm actually kind of okay with that being litigated for now. The system moves slowly, but it is moving. And for people saying the current system can't account for new technology, it's worth realizing that people do recognize the need for change, and the Supreme Court just recognized that old rules about how things work need to change.
The UK currently has larger complaint numbers than France or Germany [1] at around 6,000-16,000 each which is weird, but it does show that many people are taking individual privacy rights seriously
In all likelihood Facebook and google will be able to adequately address any issues related to GDPR and judo throw the regulation into allowing them to become further entrenched by suppressing any competition.
I think you underestimate the EU, if Microsoft couldn't escape their wrath back in 2007 I'm pretty sure Facebook and Google won't today. The EU is even stronger than it was in those days, too.
I think it is probable that big players would lawyer-up their way out but GDPR has little impact on honest competition, sure, if you want to join the dodgy-club without deep pockets and a legal department, it is gonna a bit harder, but tough cookies.
Brave is a product built on Chromium - work of many Google engineers (mostly). And still they call Google an "evil behemoth corporation". And now this article - pathetic example of black PR and double-dealing.
So while Chromium is undoutably the work of many Google employees it's not entirely the work of Google employees which is one of the reasons it's licensed the way that it is.
I think all things considered, today Chromium is probably 90% Google engineering. There is almost no Khtml code left and big chunks of webkit code are heavily modified and rewritten. Also, rendering engine is not the browser.
> How's that for information-to-inflammation ratio?
Still very low. What evidence do you have for any or this? There's a comment up thread which says fines handed out to European companies have actually been higher than American ones. I think you need to bring that sort of evidence to the table, not just state what you believe in a longer form.
It's still a rather aggressive take on the GDPR. The GDPR has nothing to do with taxation and would be a terrible system of taxation. GDPR is about protecting data. If it was just about taxing big US tech companies, why would they target their own businesses? They could have easily have carved out exceptions for that.
The whole tax haven schemes are being addressed through other measures, including the proposed per transaction taxes in lieu of income taxes.
Fines of up to 4% of global turnover for a company like Google are more than they've actually been able to collect via traditional direct taxes. Again, I'm not saying Google shouldn't have to pay more. But I'd rather the EU closed their legal loopholes.
> If it was just about taxing big US tech companies, why would they target their own businesses? They could have easily have carved out exceptions for that.
Because it is not necessary to carve out those exceptions. DPC has discretion on how it wants to allocate its resources and they most definitely will go after companies with the ability to pay and companies that help spread information that is not appropriately censored. Decisions on what is "appropriate" are up to the people in charge, the EU has few freedom of speech protection laws.
I believe, in a few years, when historical data from the fines is available, it will become clear this regulation is disproportionately affecting American companies.
> The whole tax haven schemes are being addressed through other measures, including the proposed per transaction taxes in lieu of income taxes.
> I believe, in a few years, when historical data from the fines is available, it will become clear this regulation is disproportionately affecting American companies.
Affecting the companies with the most revenue, biggest influence and worst track records for mishandling personal data? That just shows that the law is working as intended. The fact that most of these companies happen to be based in America is irrelevant.
If anything it highlights just how poor the culture around the handling of personal data actually is in America.
All of this conveniently ignores everything that everyone has said about their reasons for promoting GDPR, and the history of data protection and privacy in Europe, in favour of injecting your own explanation of "what's really happening".
Copyright reform is rather different - I suspect you'll find that among the people lobbying for that are quite a lot of multinational/American record labels and film industry, as well as German and Spanish publishers.
Some time ago there was a scandal because apparently they create profiles for content creators which aren't signed up on their platform and accept money on their behalf. Afterwards Brave spouted very dubious arguments with things like ominous legalese to HN comments with an "trust us, we're nerds too" vibe.
From a cynical perspective, it looked a lot like smoke and mirrors from an entity currently sitting on a pile of money acquired by impersonating people.
It's built on telling others "hey guys, we think your business model is evil so we're just gonna turn it off -- if you want [a smaller portion of] that money you need to go through us to get it now" or you get nothing at all.
It's kind of like walking into a store and saying, "I want this bag of chips but the way you're charging for it is evil. I'm going to eat it now, but if you want paid you can go across the street and get a money order from my mom in the car. Oh, and she'll pay what she thinks it's worth."
This is another example of the EU trying to "tax" US companies through fines. If you disagree with how Google uses your data _you have a choice_, stop using Google!
1) there's no one "taxing" anyone
2) this is not a judgement, its the start of an investigation into rule violation
3) this investigation was launched after a formal complaint by another company. If Google finds others in violation it can equally file complaints
4) it's not the EU doing the investigation, but rather the Irish data protection authority.
Please read the information closely rather than just assume it confirms whatever preconceptions you bring to the table.
But you don't have a choice. Google's advertising systems track you regardless of whether you use Google. You have to avoid any site which uses Google advertising.
That’s never been our (socialist) way. That’s the USA way.
The governments will go after companies no matter what legalese they get the customers to sign if it’s the best interest of the citizens.
You could flip the whole thing: why doesn’t Google just ban EU customers?
Just try to understand that we are culturally different from you guys and try to keep in mind both perspectives as if Google was not an American company.
I have access to one of these data feeds of bid requests, and for the most part, they're right. Pick a random entry and even after hours of searching and correlating with the other data we have on file, it's unlikely I'd be able to identify exactly who it was (ie. Their name and address) on that website.
Some requests totally are identify-able though, for example if the user goes on to click one of our ads, buy something, and give us their postal address. In the eyes of the law, we have broken the rules there by re-identifying previously anonymous data.
While I think Google is technically in the right here, they're gonna loose big time because they're a foreign company and don't have much love with the public.