Intent to issue €2.5M fine to Disqus over GDPR breaches (datatilsynet.no)
220 points by hgo on May 6, 2021 | 120 comments



> Based on our investigation so far, we believe that Disqus could not rely on legitimate interest as a legal basis for tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes, and that this type of tracking would require consent

Good to see them taking this seriously. I get the impression a lot of sites/services make expansive use of the legitimate interest provision.


Yes, it is really maddening: they make you consent to their "legitimate interest" cookies, conflating legal terms to confuse people into accepting everything.

Ad-tech companies get more and more emboldened lately. They see that the GDPR is not really enforced, they assume that big, cash-rich companies will get taken on first, competitors are doing it too, so they gamble they can get away paying lip service to GDPR while continuing their illegal tracking practices.

I have seen several startups pitching schemes that seem blatantly illegal to me, while assuring that their tech is fully compliant. Often using the words "legitimate interest" to prove this point.


To play devil's advocate: that might become the going strategy. They're gonna be profitable as hell until they get fined and aren't allowed to continue after all...

But then it's just a matter of closing that enterprise down and creating a new one. They can keep APIs stable and give the big corporations plausible deniability as "the contractor said they're compliant".


> "the contractor said they're compliant"

This part won't work w/ GDPR - this is not the US. I've mentioned it someplace else - the contracts with the contractors have quite explicit clauses about liabilities for data breaches/leaks, as the fines would still be applied to the main entities.

With regard to GDPR, personal data is a liability and it should be handled with appropriate care.


Try blocking Disqus with uBlock Origin; it turns out you probably won't miss it.

  ||disqus.com^
You could also try a dynamic filter and disable it on a per-site basis

  * disqus.com * block
Or try "medium mode" to take care of Disqus and a whole host of other third party resources that track you

https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...


Privacy Badger replaces it with a widget that allows you to enable it with a button click if you want. It is pretty nice.


uBlock Origin had this at some point but Mozilla didn't approve it for some reason.

https://github.com/gorhill/uBlock/commit/7c22a312945a2bff41a...


It's very nice. I wish this was just how the web worked for stuff like this.


Curious: can't it be done by disabling third-party cookies alone, as Disqus needs cookies to work?


Question to anyone who knows; I am assuming if you don’t live in the EU they can’t make you pay a fine. What do they actually do to stop you from doing business in the EU then? Do they outright block your website? I can’t think of how they’d stop you from collecting ad revenue from EU visitors otherwise.


Yes if push comes to shove they could obviously just shut down websites or go after companies that continue to use Disqus and they in turn will drop it. There's also plenty of countries outside the EU who have adopted GDPR compatible laws and so the EU could likely pursue them in their national jurisdictions. Also EU and US regulatory agencies tend to cooperate routinely because it's in either case to keep market access so if the case is large enough I wouldn't bet on being sheltered from enforcement.

There was for example one case of Canadian firm 'AggregateIQ' being pursued by the UK's ICO over privacy violations, and Canadian regulators agreed.

https://www.theguardian.com/world/2019/nov/26/brexit-data-fi...


The article does not contain the string "ICO". The article describes enforcement of Canadian privacy law against a Canadian company.


The ICO's GDPR enforcement action is what set this in motion, (which to be honest is the first result on Google if you want the entire saga)

https://iapp.org/news/a/ico-serves-aggregateiq-with-first-ev...


The article contains no reference to the Canadian enforcement action. It is about a European enforcement action against the Canadian company in question for work it did in Europe.


Dude, are you intentionally trying to be obtuse? The British data watchdog noticed that a Canadian company, AggregateIQ, was mistreating data relating to the Brexit campaign. It then talked to the Canadian data watchdog, which pursued a privacy inquiry against said company because of its mistreatment of British user data. This is one of the first examples of the sort of extrajudicial enforcement of GDPR that OP wanted to know about, Jesus.


There might have been some sort of extrajudicial enforcement of the GDPR in this case, but the second article presented only showed that intrajudicial enforcement of the GDPR occurred based on actions that took place inside the EU with respect to the data of people living in the EU.

The first article actually doesn't mention any enforcement at all in Canada, just comments by a provincial and the federal privacy commissioner. Those comments were entirely based on Canadian law, not the GDPR.


I'm curious about this, too. I once commented that, say, my hobby website isn't subject to the GDPR because I live, work, and play in the US and that's where my blog is, too. Turns out some people have very strong opinions about this and insisted that I am subject to the GDPR. But as a practical matter, how? I don't have a presence outside the US. Even if I violated an EU law, is there a reason I'd ever need to care? For instance, I know I've violated some Chinese laws by criticizing their government, but I'm OK with that because, really, what are they going to do about it?

As an aside, I'm completely behind GDPR, CCPA, and related privacy laws. I think they're great. I definitely comply with the spirit of the laws in my hobby projects by doing things like not tracking anonymous users, not retaining identifiable logs, etc. This isn't me trying to get away with something nefarious. More like, I don't (and won't) bother with things like cookie banners even if GDPR would want me to.


GDPR doesn't actually require cookie banners. If all the tracking and data protection you do is justified, justifiable and obviously necessary for the lowest-common-denominator service you provide, you don't even need to ask for consent (though do let your users know what's up, anyway, with at minimum a Privacy Notice in the footer, because that's just common decency).

If a company asks for GDPR consent, either:

• They have cool, optional features of their site / service / system (though they could just ask at run-time, when you try to use those features, in most cases); or

• They're doing something dodgy and want to wave a magic wand and remove the dodginess by getting you to “consent”.


If you're not doing business in or with any EU entities there's not much they can do


Worst case they could block your site, but that's not going to happen.

Note that if it is a personal website you are not subject to GDPR. GDPR only applies to companies and organizations.

Also note that most stuff that a layperson would say is reasonable for a website to function isn't a problem in GDPR.


> most stuff that a layperson would say is reasonable for a website to function isn't a problem in GDPR.

Except revenue of course.


You can advertise perfectly fine, just not track users to show personalized ads.

These were the norm in advertising until like 2005.


More background: The fine is mainly based on the fact that Disqus forgot to enroll Norwegian IP-addresses into their GDPR «privacy mode».

That meant that websites that had enabled a specific setting ("Enable anonymous cookie targeting") in Disqus were tracking Norwegians without informing them. Most of the websites in Norway and elsewhere did not know they were sharing users' data through Disqus.

Major sites like the Wirecutter, The Hill, 9to5mac, Breitbart had enabled the setting in 2019. Of the 23 websites I contacted, all 11 that responded told me they were unaware of the tracking and had turned the setting off.

(I wrote the investigative articles in 2019 for the Norwegian public broadcaster NRK.)

A thread in English from then explains most of the findings: https://twitter.com/martingund/status/1207327648093003777


You could already download most of the comment data from them by querying their API. Similar to profile pictures on Gravatar, emails were only hashed with MD5. They’re easy to reveal with some wordlist attacks.


Is there a website to allow me to check my own email address?


"Most of the websites in Norway and elsewhere did not know they were sharing users data through Disqus."

Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow. Only the biggest services with the biggest publicity like GA have rudimentary privacy (opt-out, IP anonymization).


> embed a third party on my website, all bets are off considering privacy/data flow.

That's definitely not the case. It'd be true only if there is no contract w/ the 3rd party at all. Many contracts cover data leaks and the like and the contractual obligations are "non-trivial" to put it mildly.


Then our experiences differ somehow. Most Disqus users don't look like they have a contract; rather, they accept terms and services that can be unilaterally changed by Disqus.

I've signed some DPAs and those that I've signed were very vague and liberal on what data they take - at least none of them felt that they would not try to get all the data that they can.


> Most Disqus users don't look like they have a contract, rather they accept terms and services that can be unilaterally changed by Disqus.

In that case the terms are invalid.

You cannot use terms of service to take away consumer protection in Europe.


Yes.


> Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow.

That you have to take care of these things is kind of the point of GDPR. If you don't know what some embedded server will do with users data, don't use it. No more fast and loose.


Yes I agree.

My point was more about companies embedding Javascript on their sites and "did not know they were sharing data".

Sadly, European data protection agencies are vastly understaffed. I've filed some complaints, and have been waiting for an answer to them for years in some cases. I regularly get letters sent from agencies which say "we're still on it, but it takes more time".

One complaint was about a UK company ("Boden"), filed with the Berlin data protection agency. Then they transferred it to the UK, then back to Berlin, and it is currently in the Netherlands.


"forgot"


Forgetting for a single country (which is also not part of the EU) certainly seems plausible, more plausible than a targeted attempt at undermining the GDPR in a very specific country


They probably used yaml for their config...


For people who are not aware, if you write the value no in YAML, it parses it as the boolean false which is then usually converted back to the string "false". The solution is to write "no" and not no, but Norway is the only country code requiring this so a lot of people forget about it.

For example I noticed this week that an environment variable in a few of my Norwegian company's deployments was "false" and not "no".
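An added example (not from the thread, and not Disqus's code) of the YAML 1.1 coercion described above: a small parser for flat `key: value` YAML mappings that resolves unquoted scalars under the 1.1 rules and under the 1.2 core schema, plus a lint that flags unquoted values whose type changes between the two, which is exactly where an unquoted country code like `no` disappears. The config is constructed, and the parser models only booleans, nulls and strings.

```python
import re

# Boolean scalar spellings from the YAML 1.1 spec. PyYAML's default loader uses
# this set minus the single letters y/Y/n/N; either way, a plain `no` becomes false.
YAML11_TRUE = {"y", "Y", "yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}
YAML11_FALSE = {"n", "N", "no", "No", "NO", "false", "False", "FALSE", "off", "Off", "OFF"}

# The YAML 1.2 core schema only treats these spellings as booleans; "no", "yes",
# "on" and "off" stay plain strings.
YAML12_TRUE = {"true", "True", "TRUE"}
YAML12_FALSE = {"false", "False", "FALSE"}

# A value wrapped in double or single quotes is always a string.
_QUOTED = re.compile(r"""^(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')$""")


def resolve_plain_scalar(token, schema="1.1"):
    """Resolve an unquoted scalar the way a YAML 1.1 loader or a 1.2 core-schema
    loader would. Numbers are not modelled; anything unrecognised stays a string."""
    true_set, false_set = (YAML11_TRUE, YAML11_FALSE) if schema == "1.1" else (YAML12_TRUE, YAML12_FALSE)
    if token in true_set:
        return True
    if token in false_set:
        return False
    if token in ("", "~", "null", "Null", "NULL"):
        return None
    return token


def _key_value_lines(text):
    """Yield (key, raw_value) for each `key: value` line, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        yield key.strip(), value.strip()


def parse_flat_yaml(text, schema="1.1"):
    """Parse a flat mapping (no nesting, no lists) into a dict under the given schema."""
    result = {}
    for key, value in _key_value_lines(text):
        m = _QUOTED.match(value)
        if m:
            result[key] = m.group("dq") if m.group("dq") is not None else m.group("sq")
        else:
            result[key] = resolve_plain_scalar(value, schema)
    return result


def find_yaml11_bool_collisions(text):
    """Lint: unquoted values that a YAML 1.1 loader turns into booleans but that the
    1.2 core schema keeps as strings. These are the values whose meaning silently
    depends on which parser reads the file. Returns [(key, value), ...] in file order."""
    hits = []
    for key, value in _key_value_lines(text):
        if _QUOTED.match(value):
            continue
        v11 = resolve_plain_scalar(value, "1.1")
        v12 = resolve_plain_scalar(value, "1.2")
        if isinstance(v11, bool) and not isinstance(v12, bool):
            hits.append((key, value))
    return hits


# Constructed sample config (hypothetical, not Disqus's). The country value for
# Norway is written unquoted, as the thread describes; the quoted one is safe.
SAMPLE_CONFIG = """\
# constructed deployment config
default_country: no
gdpr_privacy_mode: yes
fallback_country: "no"
locale: nb_NO
"""

if __name__ == "__main__":
    print("YAML 1.1 view:", parse_flat_yaml(SAMPLE_CONFIG, "1.1"))  # default_country -> False
    print("YAML 1.2 view:", parse_flat_yaml(SAMPLE_CONFIG, "1.2"))  # default_country -> 'no'
    for key, value in find_yaml11_bool_collisions(SAMPLE_CONFIG):
        print(f"WARNING: {key}: {value} is a boolean under YAML 1.1; quote it or use true/false")
```

The lint also flags `gdpr_privacy_mode: yes`, which is intended as a boolean but should be spelled `true` so that 1.1 and 1.2 parsers agree.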


Syntax highlighting to the rescue! I’ve almost been bitten by that “feature” before, but the VS Code extension for YAML caught it.


That's how I noticed the issue this week. The no value was green, which was a bit suspicious.


This actually sounds extremely plausible.


Agree, but they probably aren't off the hook just because of that.

I think user data is "fissile material" and the "fallout" from a high profile "meltdown" at certain places can easily destroy more lives than Chernobyl actually ended up destroying.

Given this, YAML and a number of other known problematic technologies probably shouldn't be used anywhere near the "reactors".


Certainly, but I can sympathize more with a mistake than with a deliberate tracking attempt.


It's EU regulation and Norway is part of EEA which adapted these GDPR regulations. Feels like some risk and compliance officer at Disqus has been sleeping


"Norwegian internet users were tracked by Disqus because the company did not know that Norway introduced the common European privacy regulation GDPR in 2018. It thus took 511 days before Norwegians were incorporated into the company's "privacy mode" for GDPR countries and previously collected information was deleted."[0]

It seems that there was some setting that is enabled by default in all other countries than countries with the GDPR law.

Also, from an earlier article: "The company also claims that they have not shared Norwegians' online visits with anyone other than the parent company Zeta Global. Zeta Global describes itself as a 'data-driven marketing company' that has information on over two billion identities."[1]

As a Norwegian, it will be interesting following this case.

[0]: https://nrkbeta.no/2021/05/05/datatilsynet-varsler-bot-pa-25...

[1]: https://nrkbeta.no/2020/09/04/datatilsynet-mener-det-er-sann...


Wouldn't it be funny if this was caused by some YAML configuration reading the country code "no" as "false".


Yes, loved that HN story.


Can you share it? I must've missed it and I'm in need of a good laugh.




Yes that one, thanks!


This is great. Companies should fear GDPR and should consider disabling data collection by default. Mission accomplished.


In case anyone should be wondering, the 25M NOK fine is just about $3M USD. Not something that will seriously hurt the creepy jerks running Disqus, but at least enough for them to notice.


Good reason to mention "Disqus, a dark commenting system" again to remind everyone to avoid using it on your blog or website (it comes integrated with a lot of projects, like static site generator themes).

https://news.ycombinator.com/item?id=26033052


What is the deal with the GDPR vis-a-vis US companies?

If we have a company incorporated solely in the USA that has web content that violates the GDPR but shows a popup and states in its ToU that the website is not to be used by any person or entity in countries that follow the GDPR, can our company be fined under the GDPR?

In other words, do GDPR countries claim jurisdiction over non-GDPR countries' websites?


I guess if you have a company that is completely isolated from the EU, you just ignore EU fines.

But is that the case with Disqus? They are collecting marketing information on citizens of the EU. Who is buying that information? I would assume that Disqus does business with EU companies that want that information. Either that, or they do business with other international companies that do business with EU companies.

At some point, Disqus is probably trapped within a graph that connects them and their legal obligations to the EU.


> I guess if you have a company that is completely isolated from the EU, you just ignore EU fines.

Ignoring legitimate fines seems like a pretty bad idea. I think most countries have laws to the effect that the directors of the company being fined are liable, so if you skip those fines and then one of the directors goes on holiday to that country, they could be sent to prison.


How is it a legitimate fine if the company doesn't do business in the country that issued the fine?


That argument wouldn’t stop them arresting you at the border.


This is Norway, not the EU. Norway just happened to implement an EU law.


They are part of the European Economic Area (EEA)[0] and have to adopt a lot of the European Union law[1].

[0] https://en.wikipedia.org/wiki/European_Economic_Area

[1] https://en.wikipedia.org/wiki/European_Economic_Area#Rights_...


Yes.

Any EU citizen in or out of country has their PII protected by EU law, regardless of who processes that data.

A pop-up or ToU would not skirt the visitor's rights, regardless of what the message said and regardless of the action the user took as a result of the message.


On the other hand, geoblocking, e.g. by IP address (and then completely not letting EU visitors access the website), would probably work, but somehow most companies don't want to do that.


Huh? Plenty of sites do that. I've noticed many US local news sites that block EU users. I assume that any other company that isn't already blocking EU users won't do it because they want those users.


People like to infer from this that those sites are gathering and processing data in ways that would be hard to make GDPR-compliant.

My guess is that in a lot of cases though it is that they simply do not want to deal with Article 27. Article 27 is a hassle even if all your data processing itself is fully compliant with GDPR.

Article 27 requires entities not in the Union to designate a representative in the Union that people and governments can use as a contact when they have GDPR concerns.

(Don't confuse this with Article 37, which requires the appointment of a "data protection officer". Article 37 only applies in most cases if you are doing large scale processing).

The representative seems to be more than just a communications go-between to provide an easy way for people in the EU to contact the processor/controller. One of the Recitals says "The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation" and "The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor".

There are EU companies that provide as a service being your Article 27 representative, but because it seems to be more than just a simple communications go-between they charge typically at least a couple hundred Euros or so a year for the service (sometimes much more).


That provision is not so hard. Most companies I have talked to don't know what data they have collected, where it is stored, and who it is shared with. That is the thing that gets the attention of US companies.


I'm not sure I buy that. It really comes down to the question of why do small, local US news sites care about the GDPR at all? I can think of three reasons:

1. They are actually all owned by a multi-national entity that is scared of the GDPR because it also operates in Europe

2. The news sites and their owner(s) aren't bothered; but the ad networks are. Maybe it's a "cross-contamination" issue. So they say something like "to keep using us, block European visitors, we'll provide that capability", and the news sites are probably fine with it because European visitors are a tiny fraction

3. It's a political statement, not an actual GDPR issue


Somehow that rather large and affluent market is not dropped.


Another technique is to run a stripped down version of your site with whatever content/functionality fits into the GDPR. Set your log retention to under a month (not a GDPR requirement, just a tactic that makes compliance easier), redact sensitive information under the GDPR, ask for consent, offer DSAR tools if applicable, etc.

I noticed this being employed by some media sites when I was vacationing in Europe. No Disqus comments, no account creation or login, just articles and banner ads. The sites loaded so much faster. I’ve done similar things at work when building out privacy law compliance. It’s a good pattern if you don’t need one to one feature equivalency between your US and EEA/GB presence.


Deleting code isn’t enough to make you compliant, you also have to hire specialists to carry out slow processes required by the GDPR.


What if I (as a European visitor) access the website through a VPN, something I'm legally allowed to do?


It doesn't change much. If you have to jump through a VPN to get there, they can make a very reasonable claim that they're not targeting or serving the European market.

It doesn't have to be bulletproof, it just has to support the claim.


GDPR applies to processors or controllers not in the Union if the processing activities are related to:

1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

(See Article 3).

I believe that in most cases the point of geoblocking is not so much to try to actually stop people in the EU from accessing the sites, but rather to try to ensure that any data processed falls under #1.

One of the Recitals for that section says:

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.


Loads of US media sites do that, especially local TV stations and papers.


Geo blocking won't help, because EU users can use VPN.


> Any EU citizen in or out of country has their PII protected by EU law, regardless of who processes that data.

That's a common misconception. GDPR applies to "data subjects who are in the Union". Whether or not the data subjects are EU citizens is irrelevant.

It also applies to all data processing of processors or controllers who are in the Union, regardless of where the processing takes place or whose data is being processed.

For processors or controllers not in the Union processing data of a subject in the Union it applies if (1) the processing is related to the offering of goods or services in the Union, or (2) the monitoring of behavior that takes place within the Union.

Some examples:

If I, a US citizen who has never set foot outside the US, have some interaction with a German company then GDPR applies. The German company is in the Union so it applies to all their data subjects regardless of citizenship or location.

If a French citizen comes to the US and some local US business gathers all kinds of personal information about them GDPR does not apply. The data subject is not in the Union and the processing is not being done by an entity in the Union, so no GDPR.


And, if a US citizen travels to the EU/EEA, your existing, ripe-for-abuse, US customers are protected under the GDPR.

Not sure how likely a fine would be in that case, though.


>Any EU citizen in or out of country has their PII protected by EU law, regardless of who processes that data.

No, that's wrong.

First of all, the GDPR does not take into consideration citizenship, at all. The Regulation targets location rather than nationality. In other words, if either the data subject or data controller are in the EU/EEA then the GDPR applies, even if the other party is not in the EU/EEA (The UK GDPR is the same, but replace "EU/EEA" with "UK").

Secondly, the GDPR regulates the use of Personal Data, not PII. PII is a US legal term and has multiple definitions. Personal data is a broader concept than PII.


There is a coming terreg law (already passed and will be implemented within a year) that specifically targets citizenship rather than location. https://decoded.legal/blog/2021/04/the-eus-terrorist-content...


Incorrect. When talking about companies and other orgs, the GDPR's territorial scope does reach overseas, but is limited. It also doesn't turn on having citizenship of the EU/an EU country; case in point, the UK regulator (ICO) upheld the GDPR rights of a US professor against Cambridge Analytica. What matters is whether either (1) the entity's handling ("processing") of personal data - anywhere in the world - is related to the activities of one of its EU offices, subsidiaries etc; OR (2) if [1] doesn't apply, then GDPR can still apply if you're processing data about persons in the EU/EEA (citizens, tourists, whatever) AND either (a) the processing is related to services or goods you offer those EU persons, or (b) you are monitoring their behaviour in the EU/EEA. There's lots that this test - despite being quite broad - would not catch (and isn't designed to).


>Any EU citizen in or out of country has their PII protected by EU law

If GDPR applies, it applies not only to citizens, but also to residents at the time of the transaction.


Oddly enough, the disclaimer might actually increase the chance that you're subject to GDPR.

The relevant part of GDPR is Article 3, and Recital 23 (full law text in the links below--read them, they're short!).

GDPR applies to a non-EU website that "envisages offering services to data subjects" in the EU. Recital 23 explicitly says that a website merely being available does not count. Offering localized content (e.g. languages, currency for ecommerce) counts. And if your website treats users in the EU differently (such as by having a pop-up that mentions GDPR), that shows evidence that you believe users from Europe are in the target audience of your site.

Actually enforcing fines is a different matter, and will require some locus of business in the EU.

https://gdpr-info.eu/art-3-gdpr/

https://gdpr-info.eu/recitals/no-23/


The alternative Art. 3 No. 2b and Recital 24 do not have such a restriction.


Thanks for your reply and for citing the law text.

This is an interesting passage.

It seems to me that saying to ALL visitors of the website that the goods and services are not offered to GDPR places should be sufficient to preclude GDPR jurisdiction.


> In other words, do GDPR countries claim jurisdiction over non-GDPR countries' websites?

It's not that uncommon. As a concrete example, I know that US expats in Germany are having problems with some banks because FATCA[1], a US law, imposes more controls over every bank in the world dealing with US citizens. At least one German bank [2] has stopped taking US citizens as customers, and I have informally heard of more.

[1] https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...

[2] https://americanexpatfinance.com/news/item/612-german-bank-t...


Well, the EU isn't stupid. They foresaw a situation where companies would consider moving to a "data haven" to avoid this legislation.


Sibling comments already gave legal advice, but what I'd ask is: why would you want to?

If you are transparent about what tracking you do and don't do stuff that people don't want, all that's left is including some boilerplate text like "you have rights X, Y and Z and you can contact us at our@email" and you're GDPR compliant.

To me at least, 95% of GDPR compliance is just acting ethically.


95% is not acting ethically; it’s documenting how you are in compliance in a way that will hold up to whatever regulating agency comes asking.

Doing that requires understanding a law without much case precedent, that is extremely broad and has a whole spectrum of enforcement options.

I completely see why a small org might decide to just geo block. That’s an easy to implement, easy to document & defend attempt at compliance.


1. It seems to me that a common question many would like answered is: what's the simplest way that I can serve HTTP requests without incurring the wrath of the GDPR?

2. It was my understanding that GDPR compliance is extremely expensive, is this not the case? Perhaps it is very simple.


2. Depends on what your business is. A company heavily reliant on profiled advertising will have much higher costs than the typical small business with minimal (or no) advertising.

The small business (perhaps with a mailing list and a database of previous customers and invoices) should have been compliant with the earlier laws (Data Protection etc), and the changes required for them are often minor.


>In other words, do GDPR countries claim jurisdiction over non-GDPR countries' websites?

GDPR is not about web or technology. It applies for information on paper too, so there is no clever workaround with hosting your website somewhere else or other tricks.

In short if you don't want to respect GDPR then do what some websites do and reject users from EU.


GDPR article 3:

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union […]

https://gdpr-text.com/read/article-3/

And no, there is no exception for a disclaimer. The only thing you can do to workaround it is to simply not collect the data, which is what some sites have attempted do with geo-blocks on their sites.


There are some nuances on jurisdiction, but if a company tracks users in Europe they may fall under the purview of European data protection authorities.

There are several factors that play in. For example that the data controller offers the delivery of goods in EU Member States, say a plugin like Disqus. It could also be that they have a .eu top level domain.

The Norwegian DPA also writes this in their advanced notice: "Online tracking using cookies and behavioural advertising are explicitly mentioned as activities which constitute monitoring of behaviour in the EDPB Guidelines on the territorial scope of the GDPR."

EDPB: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) https://edpb.europa.eu/sites/default/files/files/file1/edpb_...


If just having a disclaimer meant not having to follow any kind of law, it would be a bit too easy to escape any kind of regulation, GDPR or not.


You would have to check each user's documents, like a passport, to confirm they don't have EU citizenship. Even if you have one EU user (doesn't matter if you block EU IP addresses etc., they can still use a VPN) you have to comply with GDPR. If you have a "significant" amount of EU users then you are also liable for the upcoming terreg regulation that requires you to set up a legal entity in the EU for the purpose of censorship. You will have a 1 hour SLA to delete any content that the EU deems to be undesirable. If you have any user generated content it also means you are likely to be mandated to use content filters in the EU.

Have a read if you don't believe: https://decoded.legal/blog/2021/04/the-eus-terrorist-content...


I have routinely asked this question and I routinely get pushed aside by GDPR zealots. I am not really interested in the GDPR bit as much as I am "what responsibilities do strictly web companies have when dealing with customers who are in a different country"

I think it's a load of bunk shit.

Companies should be following the law of their country, not of other countries.

I don't want businesses to be forced to bow to the will of Europe, or Iran, or China, or any country other than their own.

It sets up a weird quazi-legal precident where companies could be in the position of trying to play ball with multiple legal systems.

See russia, they want russians data to be on russian servers, even if your company is not there.

Why? Probably so they can seize the digital assets of citizens they want to send to the gulag.

I don't like it one bit, I don't like Google working with China, I don't like GDPR affecting American companies.

You need to be careful and follow the law of your country.

It pertains to tax as well, which I never understood: how does a different country want to impose a tax on a company that doesn't operate there? They might have customers there - but they don't operate there in any meaningful sense, any more than they 'operate' there if I go onto a US website while on vacation in a foreign country.

thanks - I hate it.


From the link "We consider the infringements to be serious. Disqus has tracked which news sites and articles readers in Norway have visited. Additionally, this has happened without the users’ knowledge." Based on that statement a lot will follow.


Not so long ago I stumbled on https://data.disqus.com, which basically outlines what they were fined for. They should probably take that site down soon...


"Our services: [...] Identity Matching", "Hundreds of data points to create cross device profiles", "215M emails collected". Hallmarks of a company you definitely want to embed on your site...


Aside: isn't it weird how often "email addresses" is shortened to "emails"? At first glance I had to contextually infer whether it was 215M addresses or 215M messages (pieces of mail) because we also often shorten the latter to "emails" when working through our inboxes.

If you're running a marketing campaign and say "today we finally hit 1000 emails" without further clarification, nobody will know if that's 1000 subscribers or 1000 newsletters.


I thought their title mis-summarized the text (text says 25 million Norwegian Kroner, title says 2.5 million Euro). Actually it's close enough, Google says NOK 25 million is EUR 2.484 million.


"Disqus breached the accountability principle by wrongfully considering the GDPR did not apply to data subjects in Norway"

Interesting that Norway isn't part of EU, but they implement GDPR.


Norway kind of has a special relationship with the EU. They aren't members, but they follow some of the laws and participate in some programmes.

Wiki quote on Norway:

> After the 1994 referendum, Norway maintained its membership in the European Economic Area (EEA), an arrangement granting the country access to the internal market of the Union, on the condition that Norway implements the Union's pieces of legislation which are deemed relevant (of which there were approximately seven thousand by 2010) Successive Norwegian governments have, since 1994, requested participation in parts of the EU's co-operation that go beyond the provisions of the EEA agreement. Non-voting participation by Norway has been granted in, for instance, the Union's Common Security and Defence Policy, the Schengen Agreement, and the European Defence Agency, as well as 19 separate programmes.


Norway is often quicker to implement EU regulations than EU countries themselves, for example, in 2018 only Malta had implemented more regulations than Norway [1] (the comparison is a bit skewed as not all regulations applies to Norway so they have fewer to implement)

[1] https://arkiv.klassekampen.no/article/20180420/ARTICLE/18042...


We are part of the European Economic Area (EEA), which is quite close to being an EU member, but without voting rights. Norway voted two times on membership and the compromise was the EEA.


To add to this: almost all EU regulations and rights – except those pertaining to agriculture and fisheries – apply to the whole of the EEA, meaning all of the EU + Norway, Iceland and Liechtenstein (in addition, many also apply to Switzerland, but in that case through a complicated set of bilateral Swiss-EU agreements that sorta-kinda emulate EEA membership, but isn't).


Did the Norwegian fishing (salmon farming) industry have a big part in the EU vs EEA decision? From what I’ve seen lately about Norwegian Salmon farming I wonder if it would get past the EU regulations, if they even have any related to fish farming.

Some documentaries even call it the world's most toxic food.


I did a lot of research on salmon aquaculture at work last year (random, I know).

Norway has one of the most well-developed aquaculture industries in the world, and it is heavily regulated.

I'd be very surprised if Norwegian aquaculture rules didn't exceed EU rules in about every single way.

I learned a lot about aquaculture, not all of which was very nice. But now when I buy farmed salmon, I specifically choose Norwegian salmon over my native Scottish salmon.


> Did the Norwegian fishing (salmon farming) industry have a big part in the EU vs EEA decision?

We definitely have to split the Norwegian fisheries industry into two: Norway has, and has for a long time had, a sizable wild fishing industry. The fish farming industry is a much newer one.

I was a kid the last time we had a referendum on membership (1994), so I'm not sure, but I believe the fish farming industry wasn't even a major thing back then. The classical fisheries industry definitely was a big part of the reasoning. Today, I would wager that opponents of full membership are mostly riding on the same wave of opaque euroskepticism that brought us Brexit, combined with the sickening idea that Norwegians are somehow magically special and exceptionally good at things. Granted, my personal views on the matter definitely color this take.

> From what I’ve seen lately about Norwegian Salmon farming I wonder if it would get past the EU regulations, if they even have any related to fish farming.

I doubt that would be an issue.

> Some documentaries even call it the worlds most toxic food.

I really wish people would stop spreading this unsubstantiated bullshit. I have no connection with or investments in fish farming, but this claim was making the rounds a few years back, and as far as I can tell it's a completely unsubstantiated smear. It keeps getting repeated, but trying to actually get to the source just reveals a tangled web of self-referential claims.

There's plenty of problems with fish farming without having to make up shit about "toxic food". The two biggest being the horrid effect the escaped farmed fish have on the natural populations (they carry different diseases and parasites that can wipe out whole rivers of salmon, for instance), and the effect of over-feeding on the nearby ecosystem (you dump enormous amounts of feed into a relatively small volume of water, and far from all of it is actually consumed by the farmed fish). In addition to this, the feed often comes from just as unsustainable sources as the worst of the "Amazon beef". Hopefully the latter can be fixed with transparency and regulations, though.

Plenty of problems with fish farming without needing to fabricate new ones. But then again, it may be the only solution to prevent overfishing (if we want to keep eating fish, which is certainly better overall than eating beef).


"Norwegians are somehow magically special"

Norwegians are magically special in their relationship to nature.


Didn't love most of the food in Norway - cheese in tubes especially (my fault), but loved the fish (and the great hospitality of Norwegians).


> but they implement GDPR

The GDPR is great for the citizens! My wish is that more countries follow the EU and implement similar and compatible laws. An interesting example of this is that the UK made sure to implement a clone of GDPR in UK law before leaving the EU/EEA.


> the UK made sure to implement a clone of GDPR in UK law before leaving the EU/EEA.

I suggest instead that the UK government have deliberately extracted themselves from the EU's version of GDPR, by cloning it.

The UK is now an external "third country" in terms of EU GDPR, and has a data border with the EU - whereas Norway sits within EU GDPR.


As a private citizen, I love GDPR. As someone responsible for implementations, I hate it.


Mostly because - for understandable reasons - the EU parliament kept GDPR vague on implementations.

I've implemented PCI DSS and SOX several times, which was much easier, because there is implementation documentation and everyone knows what to do.


I think GDPR has been pretty great for IT consultancy businesses as well..


Norway, whilst not in the EU, has very close links and often aligns with EU laws.

Incidentally, the UK has now left the EU but has retained the GDPR in domestic law.


It goes much further than just "often aligning with EU laws":

Almost all EU regulations and rights – except those pertaining to agriculture, fisheries and the customs union – apply to the whole of the EEA, meaning all of the EU + Norway, Iceland and Liechtenstein (in addition, many also apply to Switzerland, but in that case through a complicated set of bilateral Swiss-EU agreements that sorta-kinda emulate EEA membership, but isn't).

For all intents and purposes, apart from the three areas stipulated above + voting rights, Norway is an EU member. A business that operates in Norway (outside of the agriculture or fisheries sector) can be seen as operating in the EU. Likewise, Norway-based users of a service with a business presence in the EU are protected by EU laws, like the GDPR.

Norwegians have the same access to the EU labor market as, say, Germans. And EU citizens have the same right to take up residence in Norway and interact with the Norwegian state under the same conditions as a Norwegian.


Even for full EU members enforcement of GDPR falls to institutions within each individual country.


Why Reddit or Discourse haven't created a competing service to Disqus goes beyond me.


I thought it said 2.5B, and thought “they’re finally enforcing the GDPR; great!”

Oh well.

(Edit: their revenue was $368M over the last 12 months, so €2.5B would be too high. The current fine is still an order of magnitude or two too low to meaningfully change anyone's behavior. It's a couple of days of revenue. They could simply write it off as the cost of doing business, especially if they think GDPR compliance will impact business growth.)

https://stockanalysis.com/stocks/zeta/


I doubt they can really write it off as the cost of doing business, I imagine they are running in the red with respect to the country of Norway this year, which is the place they made the mistake.
