I’m not the biggest fan of Ben Evans, but he’s right on “privacy fanaticism”:
> At a certain point EU privacy regulators will realise:
> When an EU citizen requests a US internet resource, they provide a US server with their IP address;
> An IP address is PII;
> The CIA could record that;
> Therefore it is illegal to provide any internet resource to anyone in the EU
Extraterritorial jurisdiction + global nature of the internet causes these problems. We've already seen lots of the reverse: it's illegal to provide gambling to Americans. https://en.wikipedia.org/wiki/United_States_v._Scheinberg
Really the only workable outcomes are a global agreement on internet-touching governance (which the US will never accept on principle) or Balkanization. Or I suppose an eternal chasing into new as yet unbanned services.
Thanks, that was really insightful. I wonder if global agreements are really unimaginable. There have been quite a few from the old days, e.g. international marine conventions. What do you think?
The last two data exchange agreements between US/EU were overturned. I think it's unlikely at this point unless the USA adjusts some of its surveillance laws.
That gets to the heart of it. Europeans are increasingly uncomfortable using US based services due to how the data is used. It is not inconceivable that there will be multiple Internets based on legal jurisdiction, we already see this with China.
Do you imagine the EU blocking EU citizens from accessing US services? I find that hard to believe. "We're blocking your access to the outside world for your protection" must ring pretty hollow to the people who vote. It works in China because nobody gets a vote.
Extra-territorial laws are one way of achieving the same effect. A logical next-step would be blocking websites from jurisdictions where such extra-territorial laws are unenforceable.
"This website is in a territory not subject to EU regulations governing privacy, security, and content. Do you wish to proceed?"
> Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.
My website has no banner, and is completely legal. I just use cookies for what they were meant for: As login cookie and to store preferences such as dark mode.
It’s not the EU law that’s broken. It’s intentional that if you want to sell someone’s firstborn you need actual approval and not a clause hidden in the ToS
It is already a reality that you can't access certain US websites as a European. They block you out because they don't want/don't know if they comply with GDPR. Same effect.
I remember when the Great Firewall was considered the manifestation of evil by old-time internet users.
It'll be hilarious if European nations decide pursuing GDPR cases is intractable when so many services Europeans use are fully outside the country (and beyond EU enforcement of jurisdiction) and they decide a firewall is necessary to protect their citizens from American surveillance. It would prove China was just ahead of the curve.
I suspect there's a third outcome within crypto many are quietly pursuing. Looked through the lens of "what if the internet were its own country" a lot of web3 makes a bit more sense.
Or maybe I've read too many Neal Stephenson novels.
That was my "eternal chasing into new as yet unbanned services". The ban wave has largely caught up with big ICOs, but not with "governance tokens" or "NFT based communities".
There's going to be a cycle of "web3 gets big money", "big money fraud in web3", "SEC enforcement against web3", and then the launch of "web4" in 2030.
There’s no issue with that. If a person manually takes their information and mails it to the CIA, that’s also fine.
The issue is if a person visits a resource from a company in the EU, they should be able to expect that that information won’t be passed along to any third party that’s not absolutely necessary. Especially not to foreign governments.
You wouldn’t expect a visit to latimes.com to leak your information to the Chinese Party either.
Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.
I wouldn't necessarily expect the CCP to be involved unless Internet routing is having a very bad day, but I'd expect the American government to be involved when hitting an American server.
> Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.
Presumably you don't expect the american government to get involved after your request has reached latimes.com though?
Technically, the only thing stopping them is SSH, and that can be handled (as Snowden publicized) by tapping latimes.com's systems on the other side of decryption.
Old-school me would not have expected that to happen. Post-Snowden? It's a definite possibility.
It's neither favorable nor disfavorable to me; it just is. Something I file away in the back of my head about how the Internet works right now. Individual uses can be favorable or disfavorable.
If I walk into a store and buy some gum, my face is on their security camera. If the cops are hunting for a murderer, they can pull that camera feed. Is this favorable? shrug. I like my privacy but I also like catching murderers. And I have no expectation of privacy when I step in someone's store; similarly, once I've shipped 1s and 0s to someone else, my expectation is they'll use them as they will, and if I don't like it I'll stop shipping 1s and 0s to them.
This is probably just my American sensibilities talking, but growing up in a culture where I was building a credit score before I knew what that was, I'm not surprised services like Google Analytics are e-gossiping on my preferences (any more than I'd have been surprised if two BBS owners, back in the day, gossiped about their users).
> The issue is if a person visits a resource from a company in the EU
Does it have to be a company in the EU? I thought the GDPR covered any website an EU citizen, resident, or visitor might use, in which case US-based websites might have contradictory obligations to the GDPR and US law.
Is that not what 2(a) says- if a service is being provided to an EU data subject, that the regulation applies? At least, that is clearly what the EU seems to be claiming? Sure, if no EU data subject actually accesses the site, it doesn't apply, but the moment one does...
Well I mean think of a store which doesn't accept EU payment or ship to EU addresses, nor target EU residents with advertising. You'd be hard pressed to say they service EU residents even if the site was able to be visited by EU residents.
Nowhere in Article 3 does it say anything about "targeting" them- it only says if the "service" is "offered", whether or not payment is required. So in broad interpretation, simply serving a webpage to an EU data subject is an act of processing personal data (IP address) of an EU data subject related to offering them a service (the web page itself). That is as long as it doesn't fall into one of the carve outs in Article 2- https://gdpr-info.eu/art-2-gdpr/
It could be argued that such an act "falls outside the scope of Union law;" but that seems to be a matter of contention.
Thank you, that does seem to alleviate some of my concerns as above. I'm not as familiar with EU law, it seems that recitals aren't legally binding equally with the "operative" text. But given the context, it seems unlikely a small blog or web shop that doesn't target EU customers would be in scope.
1. They are the legal justification for legislating; The EU is not sovereign, so it cannot legislate of its own accord, the EU must show that the legal powers flow from the treaties. So recitals set out which provisions of the treaties apply, and why the legislators think the law is necessary under them.
2. They are an aid to interpretation; the main body of the law should be read "in the light of" the recitals to understand the legislators' intent and to help ensure there is a consistent application of the law between all of the different courts and tribunals in the EU. These recitals are, of course, not part of the actual legal text and are thus not binding, but they're not inoperative.
They're not legally binding since they're written to be understood as clarifications for the lay-person. I.e., not written in the strict language that courts understand and hence, you might hit edge cases the courts might interpret in ways that you don't expect.
It seems somewhat strange that a company selling a service to EU customers might be in trouble for using Google Fonts in a jurisdiction (e.g. Germany) where there are ways to identify a user by means of IP address [0]; but a weblog that was using Google Fonts might not be, since it's a blog and not a goods-and-services site. Google ends up with the IP address equally in both cases.
Well, the obvious responses here are that (1) the law does no such thing, and (2) even if it did, the right target for public concern should be the CIA and the government theoretically controlling its behavior, not the EU.
Even if it came to a point where the EU decided that the only way to keep its citizens safe from US intelligence monitoring were to cut out all access between EU and USA internets, the problem would be the US intelligence framework, not the EU.
Really you should just stop using Google analytics. I know all the data is really fun to look at and can even be useful but it’s a bit like poisoning people just for walking into your business.
He is not right. Does anyone really think that EU regulators don't know that every request provides the server with an IP address?
Will they start suing every US company that doesn't comply with GDPR? Of course not. The EU is doing this to build pressure against the US and their surveillance fetish. And it's good that they are, because otherwise, who will?
The US government has proven time and over again that they do not care about their citizens' privacy and straight up lie to their faces. And then there is the CLOUD act, which now starts to affect non-US citizens, too.
There were rulings finding IP addresses by themselves are already PII[0], because an IP address might be tracked back to a person. E.g. an IP address can potentially be used to go to an ISP and request the subscriber information, and the subscriber information potentially identifies the user of the IP address at a given time, if the subscriber cannot name anybody else who could have reasonably used the IP address at a given time. Courts found that this abstract risk is enough to qualify IP addresses as PII, as they can potentially identify people indirectly.
The recent German ruling about loading Google Fonts without prior consent explicitly mentioned these rulings and made them a core part of their own conclusions.
[0] The most important ruling is the Breyer ruling (C‑582/14), that found, answering question one, that "dynamic" IP addresses are PII. Further rulings have regularly found that "static" IP addresses are PII, and that you cannot really know what is a "dynamic" and a "static" IP address with reasonable certainty anyway.
"Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."
These rulings are about personal data, not PII. Please don't confuse the two; it's extremely relevant for IPs.
They are personal data because they are a fact about an identifiable person and thus fall under the GDPR's processing requirements esp. relevantly when transferring to third-parties; but they are not per se PII.
> ... When an EU citizen requests a US internet resource, they provide a US server with their IP address; An IP address is PII; The CIA could record that; Therefore it is illegal to provide any internet resource to anyone in the EU
Forget that. An EU user visiting an EU site might have their packets routed through an entity outside the EU anyway, without their intent and certainly without their explicit consent.
An IP address can legally identify a person, e.g. in the industry of lawyers sending cease & desist notices (and taking you to court) if you torrent something.
There’s a whole bunch of legal precedent for that in the EU.
> In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, [...] a transfer [...] of personal data to a third country or an international organisation shall take place only on one of the following conditions:
> [...]
> (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request
> [...]
GDPR does not forbid providing internet resources to EU users, that is simply a lie. All it requires is that data handling happens in the best interest of the user.
True, but storing the IP address server-side for purposes other than serving the HTTP request doesn't fall under (b).
Diagnostic logging (e.g. apache logs) is probably okay as long as the organization can show that these logs are destroyed in a reasonable timeframe, but AFAIK even that is legally a gray area (in the sense that it isn't explicitly forbidden nor allowed).
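The two mitigations the comment above hints at (not keeping the full address, and not keeping the log for long) as an added example, not code from the thread or from any project: it truncates the client address in Apache combined-format lines and drops entries outside a retention window. The log lines, the reference time and the 7-day window are constructed assumptions.

```python
# Added example: truncate client IPs in Apache-style access logs and enforce a
# retention window. Sample lines and the reference time are constructed.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
_TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation-range addresses only).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Feb/2022:10:15:32 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [14/Feb/2022:08:01:02 +0000] "GET /fonts.css HTTP/1.1" 200 812 "-" "curl/7.81.0"',
    '198.51.100.9 - alice [01/Jan/2022:00:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed "now" so the retention check is deterministic.
NOW = datetime(2022, 2, 15, tzinfo=timezone.utc)


def anonymize_ip(ip_text: str) -> str:
    """Zero the host part: keep /24 for IPv4, /48 for IPv6. ValueError if not an IP."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def parse_line(line: str):
    """Return the fields of a combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], _TIME_FMT)
    return fields


def pseudonymise_line(line: str) -> str:
    """Rewrite the client address field; lines that do not parse are returned unchanged."""
    m = _LOG_RE.match(line)
    if not m:
        return line
    try:
        masked = anonymize_ip(m.group("ip"))
    except ValueError:
        return line
    return masked + line[m.end("ip"):]


def prune_expired(lines, now=NOW, retention_days=7):
    """Keep only entries whose timestamp lies inside the retention window.

    A line without a parseable timestamp cannot be shown to be within the
    window, so it is dropped rather than kept indefinitely.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["time"] >= cutoff:
            kept.append(line)
    return kept


def process_log(lines, now=NOW, retention_days=7):
    """Apply both controls: drop expired entries, then truncate the addresses that remain."""
    return [pseudonymise_line(line) for line in prune_expired(lines, now, retention_days)]
```

Truncation at write time is the part that matters for the gray area the comment describes: a /24 or /48 is much harder to tie back to a subscriber than a full address, while still being enough for most diagnostic use.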
That case is not about accessing first party resources. It was about a German website which (effectively) shared data with a third party provider from a country with no adequate privacy protection.
What's next, Twitter geniuses realizing it's also not legal for the CIA to poison people in foreign countries? Supply weapons to militias? Trade narcotics?
That seems a ridiculous interpretation. US companies liable for actions performed by the CIA? Forget GDPR, the entire population of the USA is guilty of war crimes.
If the CIA required web sites to explicitly include a privacy invading snippet, even then it is dubious since it is under duress. And in any case, exactly the sort of stuff you would want laws like GDPR to hinder.
Businesses outside the EU interacting with users in the EU are bound by the GDPR. There might not really be a way (currently) to impose penalties on those businesses for violations, but they are certainly bound by them.
This is such a weird argument. Let's say those things are true (and I think they are reasonably true).
- When an EU citizen requests a US internet resource, they provide a US server with their IP address
- An IP address is PII (well, personal data as far as GDPR is concerned, but that's a nitpick)
- The CIA could record that
I don't see how you would get from those to the conclusion that "it is illegal to provide any internet resource to anyone in the EU".
First, it's worth noting that GDPR only applies to companies that specifically target its services at individuals in the EU. Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies. If your service makes no effort to provide service specifically for European users there is no need to worry about GDPR - even if you are in the US.
Second, while US services targeting individuals in the EU are legally problematic, this doesn't affect other countries - so I see no reason to say "any" here. For example, a Japanese server is free to provide services at individuals in the EU provided they comply with GDPR as EU has an adequacy decision for Japan.
Also, I would like to point out you can replace US with North Korea in this argument. I think it would be ridiculous to say that if European Union were to disallow sending personal data to North Korea (including IP address) then it would mean that it's illegal to provide any internet resource to anyone in the EU.
> In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
What a tangled web of legal niceties and hypothetical interpretations we've woven here. But the moral arithmetic, toward which European thought is tending, is more brutal and something to which American corporations had better pay serious attention if they want to keep playing this game.
In general, we hold that "ignorance of law is no excuse", yet in contract law _capacity_ is a key construct, and ignorance very much _does_ play a part. It's not just minors, the mentally-ill, or those incapacitated by drugs or alcohol, discombobulated or bamboozled by other means, who cannot give consent in a contractual relation. In an age where most lawyers and judges, like everyone, mindlessly click-through "agreements" and shrink-wrap EULAs, there's a strong and growing argument to be made that non-expert adults lack genuine capacity to understand technologically mediated relations.
In other words, it's the contract law that underlies this stuff that's coming up for revision, not the surface interpretations. The important matter now is not deliberating whether the letter of the law creates "consent" on this or that occasion, but whether the spirit of the law allows for consent even in principle, given societal standards of digital literacy and the complexity of modern digital interactions.
> In an age where most lawyers and judges, like everyone, mindlessly click-through "agreements" and shrink-wrap EULAs ..
That's an interesting problem. I'm a little disappointed that the route we've gone is having courts decide that this or that bit of EULA isn't binding, but people are still expected to read them and be somehow bound by them. It's kind of difficult for the common man to find out which parts of an EULA are or can be legally binding, so why should they ever be read?
For a while now I've been thinking that EULAs should also be made simple and clear and understandable, kinda like they're forced companies to do now with consent dialogs. No walls of text, no small print, no legalese, and definitely no tons of obviously unenforceable but chilling terms (that the poor reader might think are enforceable).
It does not feel right that people are "agreeing" to something they didn't read anyway (and which if they did, most people wouldn't really understand anyway), and they can only find out what their rights are after the fact.. so maybe we should just say that such agreements are not okay, stop it. It should be easy to understand exactly what you are agreeing to (or possibly we could just have the terms in law and stop this silly game altogether).
For the consumer market I agree. It's not fair to force consumers to accept a one-sided unnegotiable contract.
I think the silly interpretation of copyright law (that any transient copies made by your computer when you install or run a program constitutes copying and thus require the copyright holder's permission) should be undone. You shouldn't need a license to use a program any more than you need a license to listen to a music disk or read a book or watch a movie or painting. I think that interpretation of copyright law is fully based on a technical gotcha and not in line with the spirit of the law.
For a while I tried to actually read EULAs because I wanted to know what I was agreeing to and felt which parts are overly generic gave a good indication of what a company might want to do without explicitly stating it.
But it's just too much and too overwhelming and most of it is just completely cookie cutter legal babble which I can't waste my time with. I recently bought a video game to play for fun and when I first started it I was asked to sign off on a ridiculously long legal text followed by five(!) revised versions of it from various updates. What am I to do? Spend a few evenings reading and comparing those instead of playing the game I'd bought? Realize that I couldn't play the game I'd bought and ask for a refund? Or just scroll through, click to make it go away and enjoy my game without thinking more about it.
This is going to be a hot topic in Germany once the German courts rule it out. Should it say it's illegal to load, we have got loads of work in front of us. One simpler solution that I have seen is Zaraz by Cloudflare, which seems to solve this issue. Has anyone had experiences with this?
Good article. We need more of these. GDPR and integrating with 3rd party services can be quite a legal minefield.
I would like to see an article regarding Google Recaptcha. I am currently considering Recaptcha during a login process as a means of protecting against credential stuffing and password brute forcing. But I do not know if this counts as "legitimate interest" as defined by GDPR. And if it doesn't, there really isn't any way to ask for consent in this case, because "denying" consent sidesteps the entire security measure...
Rate limiting doesn't protect against credential stuffing either -- it doesn't manifest as a brute-force attack, they rarely originate from a single ip/network you could reasonably rate limit against, and even if you could magically rate limit them you've already lost because you let the bots try their stolen credentials in the first place. Your only real defense is to have a system that identifies bots directly to make it so attackers can't automate spamming credentials across a bunch of different sites.
If you let attackers have like 10 attempts per ip per minute and you're a site where a bunch of people have accounts then you're gonna become an instant favorite for testing stolen creds.
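The point in the comment above, as an added example that is not from the thread or from any project: the same constructed login events are run through a per-IP limiter set to the "10 attempts per IP per minute" figure, which flags nothing, and through a fleet-wide detector that looks at failures spread across many source addresses and many accounts, which does fire. The event layout, the thresholds and the field names are my own assumptions.

```python
# Added example (not from the thread). Constructed login events: a stuffing run
# spread over 20 source addresses, each staying under "10 attempts per IP per
# minute", next to a little ordinary traffic. Field names are my own.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # seconds since the start of the capture
    ip: str
    user: str
    ok: bool


def build_sample_events():
    """Constructed data: three ordinary logins plus a low-and-slow stuffing run."""
    events = [
        LoginEvent(5, "198.51.100.10", "alice", True),
        LoginEvent(9, "198.51.100.11", "bob", False),   # one typo, then success
        LoginEvent(14, "198.51.100.11", "bob", True),
    ]
    # 60 failures in 30 seconds, 3 per source IP, every attempt against a
    # different leaked username: the credential-stuffing shape.
    for i in range(60):
        events.append(LoginEvent(20 + i // 2, f"203.0.113.{i % 20 + 1}", f"user{i:03d}", False))
    return sorted(events, key=lambda e: e.ts)


EVENTS = build_sample_events()


def per_ip_rate_limit(events, window=60, max_attempts=10):
    """Classic limiter: return the IPs that make more than max_attempts in any window."""
    times_by_ip = defaultdict(list)
    for e in events:
        times_by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged


def detect_stuffing(events, window=60, min_failures=30, min_ips=10, max_per_user=2):
    """Fleet-wide signal: many failures inside one window, spread across many
    source IPs, with each account tried only a couple of times. A brute force
    against one account concentrates on few users; stuffing spreads thin on
    both axes. Returns the first matching window as a dict, or None."""
    fails = sorted((e for e in events if not e.ok), key=lambda e: e.ts)
    start = 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts >= window:
            start += 1
        win = fails[start:end + 1]
        if len(win) < min_failures:
            continue
        ips = {e.ip for e in win}
        per_user = Counter(e.user for e in win)
        if len(ips) >= min_ips and max(per_user.values()) <= max_per_user:
            return {"window_start": fails[start].ts, "failures": len(win),
                    "distinct_ips": len(ips), "distinct_users": len(per_user)}
    return None
```

To make the per-IP limiter catch this run you would have to drop it to two attempts per minute, which also starts flagging ordinary users who mistype a password; the fleet-wide view does not have that trade-off.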
I just buy captcha solvers in india or use a bypass like the Recaptcha Text to Speech challenge that regularly gets abused by extensions like Buster. (Yes, you can use google speech to text to solve the text to speech captchas.)
Captchas don't really work, the only things they do is let google track more people and annoy humans. You let your users train their AI for little to no protection against a willing attacker. I'll admit captchas protect against many scriptkiddies that buy passwords. I'd rather teach my users to use a password manager or support passwordless login than let them click on cars for "security".
Opt-out means on by default, opt-in is off by default (sorry to state the obvious).
The users above are referring to opting in/out of the tracking rather than the blocking of the tracking - so GA on Firefox by that standard is opt-in, even though in a Firefox specific context the setting is opt-out.
Obviously the EU wouldn't be cool with "but a competing browser with a small market share blocks us by default anyway".
Yeah, I guess it depends on what the opting is for. I could have phrased that better.
What I meant to say: third-party tracking is still opt-out, since you need to actively enable the content blocking to avoid being tracked. The blocking of said content trackers is opt-in of course, but that's not what I was referring to.
That's true in one sense. In another sense it refers to not requesting the tracking scripts in the first place (ie. not opting-in). That perspective works better if you think of the browser as a user-agent.
It's not really an important distinction in the end though.
> At a certain point EU privacy regulators will realise: When an EU citizen requests a US internet resource, they provide a US server with their IP address; An IP address is PII; The CIA could record that; Therefore it is illegal to provide any internet resource to anyone in the EU
Source: https://twitter.com/benedictevans/status/1492102034409066504
PS: saying this as a German citizen…