Statement on 4 Years of GDPR (noyb.eu)
127 points by starsep on May 25, 2022 | 185 comments


There are signs that it's getting better. I started seeing cookie dialogs with a Reject all button. Sometimes it's a big one, sometimes it's almost white on white, but it's there. Anyway, the vast majority of those dialogs are still misleading. The usual "We care about your privacy", "Accept all", "Settings" thing.


The malicious actors moved everything to "Legitimate Interest", which needs to be toggled off manually for each provider and is very well hidden.


That's still not compliant so this problem should be resolved eventually.


"Better" would mean not seeing cookie dialogs at all.


The EU's ePrivacy Regulation[1] has (or had - it seems to fluctuate) a goal to move cookie consent into the user's browser settings.

There has (perhaps predictably) been significant lobbying against that by entrenched industry players, so we'll see what emerges as a result.

(I have to admit I'm not up-to-date on the latest happenings regarding this regulation)

[1] - https://en.wikipedia.org/wiki/EPrivacy_Regulation


I meant not bothering with it at all. I, and many others, don't care about cookie tracking. These "cookie warnings" waste users' time, and, to a lesser extent, developer time (but at least we get paid to implement pointless stuff.) Every time I see one of those pop ups, it raises my blood pressure.


Sorry, I was unclear: that's what I meant, too.

You would find cookie consent options in your browser settings (for example, near "Privacy Settings"), and you would configure your rules there (with sensible defaults).

You shouldn't see any cookie consent pop-ups while browsing the web, as a result of that -- your browser would communicate your preferences for you.

As I said though: I'm unclear on the status of the ePrivacy Regulation.


Agreed! A working "do not track" option would be ideal for everyone... I doubt that will ever happen.


Even YouTube now has a REJECT ALL button.

Which is quite nice for folks like me, who always clear browsing data upon exit.


If you always clear browsing data on exit, then what difference does having a reject all button make?


In theory, declining data processing consent means they should not be using other kinds of tracking (that you can’t block/clear client-side) either.

This of course relies on sufficient enforcement of the regulation to act as a deterrent which is currently not the case.


Clearing browser data doesn’t help when the trackers are identifying you using fingerprinting, nor when they are associated with sources that remain or are reestablished every time, like a webmail login.


If you have a /etc/hosts file that redirects 10000 tracker domains to 0.0.0.0 then you don’t even need to clear any browsing data. Plus, you don’t see ads anymore without any browser plugins.


Until the service sends your data to the trackers server-side, which is very common nowadays (in fact there are even legitimate reasons for doing it).


pi-hole is much better and easier to maintain than a per-device hosts file.


Sure, if your devices are always only in the same network. Or just run a script that pulls the newest version, cleans it up, and writes it to /etc/hosts. Whatever works best for your usecase.
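The "script that pulls the newest version, cleans it up, and writes it to /etc/hosts" approach, as an added example that is not part of the thread. It assumes the downloaded list is either hosts-format ("0.0.0.0 name") or one bare hostname per line, that the script owns exactly one marker-delimited section of the file, and that fetching over the network is done by the caller (urllib or curl) so the code itself runs offline. The marker names and the sample lines are constructed for this example. It rejects list entries that point at anything other than a sink address, so a poisoned list cannot redirect names to a third-party host, and it refuses to override localhost-style names.

```python
"""Merge a tracker blocklist into /etc/hosts without clobbering the user's own entries.

Added example (not from the thread). Assumptions: the blocklist is either
hosts-format ("0.0.0.0 name") or one bare hostname per line; the section this
script owns is delimited by the two marker comments below; fetching the list
over the network is left to the caller so this runs offline.
"""
import re
import sys
from typing import Iterable, List, Set

# Marker comments delimiting the managed section (names chosen for this example).
BEGIN_MARK = "# BEGIN tracker-blocklist"
END_MARK = "# END tracker-blocklist"

# Sink addresses a blocklist is allowed to use; any other target is rejected so a
# poisoned list cannot redirect names to an attacker-controlled host.
_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Names that must never be overridden even if a list contains them.
_PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "local"}

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_blocklist(text: str) -> Set[str]:
    """Return the set of valid hostnames to sink; everything else is dropped."""
    hosts: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in _SINKS:
            names = fields[1:]                        # hosts-format line
        elif len(fields) == 1:
            names = fields                            # bare-domain line
        else:
            continue                                  # real IP target: untrusted
        for name in names:
            name = name.lower().rstrip(".")
            if name in _PROTECTED or len(name) > 253 or not _HOSTNAME_RE.match(name):
                continue
            hosts.add(name)
    return hosts


def render_hosts(existing: str, blocked: Iterable[str]) -> str:
    """Return new hosts-file text: the user's lines plus a single managed section.

    Re-running on its own output replaces the old section rather than appending,
    so the file does not grow with each update.
    """
    kept: List[str] = []
    inside = False
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            inside = True
            continue
        if stripped == END_MARK:
            inside = False
            continue
        if not inside:
            kept.append(line)
    while kept and not kept[-1].strip():             # drop trailing blank lines
        kept.pop()
    section = [BEGIN_MARK] + [f"0.0.0.0 {h}" for h in sorted(blocked)] + [END_MARK]
    return "\n".join(kept + ([""] if kept else []) + section) + "\n"


if __name__ == "__main__":
    # Constructed sample input standing in for a downloaded list and the live file.
    sample_list = """# sample blocklist (constructed)
0.0.0.0 Tracker.Example.
127.0.0.1 ads.example   # trailing comment
metrics.example
0.0.0.0 localhost
1.2.3.4 not-a-sink.example
"""
    current = "127.0.0.1 localhost\n::1 localhost\n"
    merged = render_hosts(current, parse_blocklist(sample_list))
    # Real use: read /etc/hosts, write to a temp file, then move it into place as root.
    sys.stdout.write(merged)
```

In real use, write the result to a temporary file and move it over /etc/hosts atomically as root, so a crash mid-write never leaves the system with an empty hosts file. As the next reply in the thread notes, this only blocks client-side requests; data the site forwards to trackers server-side is untouched.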


But do you check that your cookies have been wiped and not just blanked in MS Edge?

I have noticed that despite having all the settings to wipe data, not just cookies, cookies are still left.

These are my start page tabs, in this order.

edge://settings/clearBrowserData tab: all I have to do is click "Choose What to Clear", get the popup window, Time Range - All Time, all options ticked. Once completed (this can hang the browser for up to several minutes), I switch to the second tab.

edge://settings/siteData tab: hit refresh (F5) to see what cookies get left behind, and that's when I sometimes see cookies get left behind, usually youtube.com cookies; they will be blank, but there are loads of youtube cookies.

edge://favorites/ tab: positioned to the Favourites bar, and I have nothing on there because the browser pulls down site icons, so you can identify people (browser fingerprinting) from the icon combination that gets pulled down.

edge://application-guard-internals/#status tab: I can see if it's working properly. I noticed that when it's on, YouTube videos don't work; it's always trying to get data, and the stats for nerds show nothing comes down, or minimal 1kb amounts.

edge://policy/ tab: because I like to switch these around to create a different fingerprint from the devices that are accessible.


Wasn’t there recently some ruling against the use of dark patterns in cookie banners?


The big players can afford to pay the fine, and the small ones probably won't be taken to court, so it might not have enough impact.


When a fine is issued they will also need to become compliant so it's not just a matter of paying the fine and then carrying on as usual.

However enforcement is indeed severely lacking as this article describes.


The potential fines can get pretty enormous, enough to even make the big players worried - up to 4% of the company's global annual revenue. There's a reason Amazon, Google and Facebook haven't just eaten the fines and are paying a fortune fighting tooth and nail to appeal the fines that they've been issued so far.


This seems to be a very common misconception, but the cookie consent dialogues are not part of GDPR.


https://gdpr.eu/cookies/

Cookie compliance

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

Receive users’ consent before you use any cookies except strictly necessary cookies.

Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.

Document and store consent received from users.

Allow users to access your service even if they refuse to allow the use of certain cookies.

Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.


Lucky for me it is "strictly necessary" that I track you. /s


Online privacy is an illusion. At the basic level, your IP is getting logged all over the place.


Cookies aren't part of the GDPR, so they must be part of the ePrivacy Directive.

Consent is part of the GDPR, but the way I've seen it operate in practice is widely out of compliance. You're supposed to ask for consent in each specific instance of data collection, not present a blanket approval, and default to "no."


https://gdpr.eu/cookies/

Cookies and the GDPR: The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that has been passed by any governing body to this point. However, throughout its 88 pages, it only mentions cookies directly once, in Recital 30.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.


They are not required for cookies, but they are required for tracking cookies. If you are only using cookies for e.g. shopping cart or CSRF protection, you don't need a consent dialog, but that is not the case for those websites showing the dialog.


This article is excessively negative on the effectiveness of the law.

I would say the biggest issue is inconsistent enforcement by DPAs. The other problems are overstated.

Believe me, as someone who sees things from the inside of european companies, compliance is still taken very seriously.


Note that this is an activist website, not an EU government web site.


I hear you. These so-called "privacy activists" seem to have no clue how much European corporations are spending on data management, privacy controls, legal due diligence and finally serving the customers' GDPR requests. The last one is the publicly visible part, but it really is just the tip of an iceberg in investment on compliance.

This is made even more frustrating by the fact that I, at least, find GDPR to be not very precise. There are lots of corner cases where it's not clear if some data is covered or not. The strictest interpretations would easily obsolete / criminalize the vast majority of ALL software that people today absolutely depend on for their daily lives - like various financial backbone systems - and which largely predate the GDPR.

It's hard to not find the regulation a joke - sadly. While GDPR is not precise, I won't even go into the details about the ridiculous cookie law and the braindead portions of the new 2019 digital copyright directive (that French publishers lobbied in to hurt Google News). If GDPR left you in doubt, that idiocy really showed that these EU bureaucrats are completely out of touch with the reality in the field of technology they want to control.


One option would be to collect less data on users, which should make it easier to manage.


Easy peasy unless your system was built before it became illegal to "haphazardly" process PII. Even organizations that take GDPR very seriously and invest a lot in compliance do not generally really know all the places where their legacy systems are storing PII. The law is draconian.


If you are found in breach, the regulator would approach you in good faith and assume you are in good faith. You will be given time to fix your systems and the regulator would allow some back and forth to get to the right result.

In order to get a fine you have to act evidently in bad faith or to lose your users’ PII or credit card information.

People don’t get fined billions because a legacy system saves an email address in the wrong table.


> Easy peasy unless your system was built before it became illegal to "haphazardly" process PII.

- GDPR-like legislation existed in most EU countries waaaaaay before GDPR.

- It was known for years that GDPR is coming.

- GDPR specifically gave companies two years after going in effect to get their act in order.

- We are now 4 years after GDPR went in effect.

If you're still complaining that it's "a draconian law that doesn't let your company do haphazard PII processing, aka collecting PII wholesale with no consent", then your company deserves to be sued and fined out of existence.


And the watchdogs are helpful. At my previous company, they basically spent 2 man-days (10 hours, hands on deck) helping us draft a compliant architecture document.


> Even organization that take GDPR very seriously and invest a lot on compliance do not generally really know all the places where their legacy systems are storing PII. The law is draconian.

I think this is an extremely poor excuse. You're basically saying they don't understand their systems well enough. It is like a chemical company blaming environmental legislation when they've left barrels of polluting chemicals all over the place and not kept track of them.


You're the prime example of what's written in the article: belittling the effort, pretending it's hard to comply with etc. etc.


I think the GDPR is pretty clear: it is illegal to process personal data if you cannot apply an exception listed in the regulation. Also all data that might be deanonymized by some means is personal data. The message is clear: if you put others at risk, you are at risk to get fined.

Yes, this makes many, sometimes idiotic, things illegal. But I also cross a red light on foot from time to time and I do not think it should be made legal. Regulations that leave freedom in what to prosecute are not bad by design.


Yes, GDPR is very clear until it's not. Tell me for example how would you respect the right to be forgotten for web server access logs? The information "IP x.y.z requested /index.html at dd/mm/yyyy" is PII under GDPR. Meaning you have to a) declare that you are collecting it, b) be able to produce all data for the person using IP x.y.z upon request, and c) be able to delete all log rows relating to x.y.z when they ask you to. Unless you have built your system from ground up with this requirement in mind, chances are you are in breach of GDPR.

> But I also cross a red light on foot from time to time and I do not think it should be made legal. Regulations that leave freedom in what to prosecute are not bad by design.

This is not comparable as private citizens are able to petition and sue under GDPR. Hence, there is no similar discretion of what actually gets prosecuted as for jaywalking. It would be comparable if I, as a driver of a vehicle, was able to take any jaywalker to court. Which would be indeed complete madness.


> Tell me for example how would you respect the right to be forgotten for web server access logs? The information "IP x.y.z requested /index.html at dd/mm/yyyy" is PII under GDPR. Meaning you have to a) declare that you are collecting it, b) be able to produce all data for the person using IP x.y.z upon request, and c) be able to delete all log rows relating to x.y.z when they ask you to. Unless you have built your system from ground up with this requirement in mind, chances are you are in breach of GDPR.

That’s actually very clear and a simple example that anybody with passing familiarity can answer - and specifically you do nothing, since there is no right to erasure in this case. The “right to be forgotten” only applies in specific circumstances, under article 17: https://gdpr-info.eu/art-17-gdpr/

You have a legitimate interest in keeping server logs, so your responsibility is basically to have a clear and justifiable policy for why you are storing it, store it securely and for a reasonable time, and to make subjects aware of all this.

It’s way less complicated than you’re making out.


Objections under Article 21(1) could require deletion under Article 17(1)(c), unless " the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject".

This is an inversion of the rule for legitimate interest processing, where the processing is legal unless there is an overriding interests, rights, and freedoms by the data subject. Basically, in the middle ground where neither set of rights and interests clearly override the other, the controller can legally process, but can also be forced to delete via the objection mechanism.

The fact that there is little clear guidance as to in what circumstances one set of interests, rights, or freedoms should override legitimate interests or vice versa does make this area of the law basically come down to somewhat arbitrary decisions of the relevant DPAs.

Recital 47 seems to suggest that for the normal direction of overriding interests, most situations where the average person would not be surprised/annoyed if informed about this processing in the specific circumstances are likely to be permissible. But with Art 21(1)'s reversed burden, the guidance is simply "It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject." No guidance at all about how much or how little this differs from what is permissible via Art 6(1)(f). Clearly some difference is intended since the wording is clearly reversed from Art 6(1)(f).

It leaves legitimate interests processing (which is by far one of the most common processing reasons, and probably more common than all the other lawful reasons combined) as basically a giant minefield until the DPAs have established enough "case law" (for lack of a better term) to make sufficiently clear how they balance these competing interests and rights and freedoms.


Couldn't you just delete the request logs after 24 hours? So at least you don't need to care about the right to be forgotten. Or instantly sanitize the IP so it's not identifiable.

In which case is the IP address in the access log helpful?
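The two mitigations proposed above (a short retention window and sanitizing the address at write time), applied to the access-log question raised earlier in this subthread, as an added example that is not part of the discussion. It assumes Common/Combined Log Format, truncates IPv4 to /24 and IPv6 to /48 (the convention used by the usual Apache/nginx anonymizer modules; the prefix lengths are parameters), uses a 24 h window, and the sample lines are constructed from documentation address ranges. Truncation is irreversible, so unlike a keyed pseudonym there is no key whose existence keeps the data personal. Lines that cannot be parsed are dropped rather than passed through, so a malformed line never survives unsanitized.

```python
"""Sanitise web-server access logs so retained lines no longer name a single host,
and expire lines past a retention window.

Added example (not from the thread). Assumptions: Common/Combined Log Format,
IPv4 truncated to /24 and IPv6 to /48, 24 h retention, and the sample lines
below are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# "<ip> <ident> <user> [<timestamp>] <rest of line>"
_LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host bits of an address. Irreversible: there is no key to leak."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def parse_timestamp(line: str) -> Optional[datetime]:
    """Timezone-aware timestamp of a log line, or None if it is not a log line."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group("ts"), _TS_FMT)
    except ValueError:
        return None


def anonymize_line(line: str) -> Optional[str]:
    """Rewrite the client address; return None for lines that cannot be sanitised."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    try:
        anon = truncate_ip(m.group("ip"))
    except ValueError:
        return None
    return f'{anon} {m.group("ident")} [{m.group("ts")}] {m.group("rest")}'


def filter_log(lines: Iterable[str], now: datetime,
               retention: timedelta = timedelta(hours=24)) -> List[str]:
    """Keep only lines inside the retention window, with addresses truncated.

    Fails closed: a line whose timestamp or address cannot be parsed is dropped
    rather than passed through unsanitised.
    """
    out: List[str] = []
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None or now - ts > retention:
            continue
        anon = anonymize_line(line)
        if anon is not None:
            out.append(anon)
    return out


# Constructed sample log (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.42 - - [25/May/2022:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - alice [25/May/2022:11:00:00 +0000] "GET /app HTTP/1.1" 200 99 "-" "curl/7.0"
198.51.100.7 - - [23/May/2022:09:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access-log entry
"""
SAMPLE_NOW = datetime(2022, 5, 25, 12, 0, 0, tzinfo=timezone.utc)


def sanitized_sample() -> List[str]:
    """Run the filter over the constructed sample as of SAMPLE_NOW."""
    return filter_log(SAMPLE_LOG.splitlines(), SAMPLE_NOW)


if __name__ == "__main__":
    for entry in sanitized_sample():
        print(entry)
```

A /24 still narrows a visitor to one small network, and the user column in the sample (alice) is a second identifier the truncation does not touch, so this reduces rather than removes identifiability; which fields count as personal data in a given deployment is exactly the judgement the thread is arguing about.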


These are all valid and sensible solutions if you are building a greenfield system. But GDPR applies to all systems, even those that were built years before its inception and whose developers could not in a million years have imagined that one day some crazy bureaucrats would criminalize logging IPs. Now think about even a moderately sized enterprise, that runs gazillions of individual apps (in-house, vendor-provided and SaaS), and the work required to audit all the places you need to clean when you want to delete all logs containing one IP.

And that's just one small aspect of becoming fully compliant, there are millions of other types of surprising data that can be PII, and hence a liability, under GDPR. Email and IM apps, like Slack, are another interesting conundrum. Under GDPR, a customer should be able to request that all emails and Slack messages that contain/discuss his/her personal information must be a) discoverable and b) erasable. How do you even begin to solve that is beyond me..


I agree it can be hard to fully comply. But I believe we should try to adhere and value the information (read: the consumers or clients).

For GDPR and any other law that enforces something on you, it has to be reasonable for you to comply. So in my personal interpretation any data you provide that identifies you should be auto-deletable (a post linked to your account). If I post your PII and you request HN to delete it - they are required to delete it.

I don't think GDPR is too crazy .. but some people try to scare others because they are scared to change because of making less money, ..


> Tell me for example how would you respect the right to be forgotten for web server access logs?

You don't, nor would you be required to, assuming those logs are being collected for a legitimate non-profiling interest, like detecting abuse, and are only kept for as long as reasonably necessary.

Lets take a look at the cases in which right to be forgotten even applies:

> the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

This would be fair enough if you are keeping the data for longer than necessary, but if you are doing so in such a scenario, you are almost certainly in violation in other ways.

>the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

Not consent based processing, so inapplicable.

> the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

21(2) is direct marketing related so inapplicable. 21(1) is interesting. It allows for subjects to object to legitimate interest processing. The controller must cease processing (including storage based "processing") the data upon such objection "unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims".

But it would not be hard to show that log data important for abuse prevention overrides the interests, rights, and freedoms of the subject here. We are talking about data that is almost certainly not particularly revealing or sensitive to the subject, with a relatively weak personal identifier (IP address), that is not publicly visible, that will automatically be deleted once it is too old to be relevant for such purposes. (probably after only one or two months). We are not talking about say a publicly available archived news article that mentions the street on which the subject lives or anything like that.

>the personal data have been unlawfully processed; >the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

Neither of these would be applicable.

>the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Ok, if you are running a social network, or youtube or something, and the data subject is a child, and they are either over the age of 16, or under it but had parental consent on their behalf, then technically these logs would fall under this bullet point, and would need to be deleted. Art 8(1) only applies to processing by consent, but if such consent were given these logs would obviously be related to the offer of such services. This scenario is not really what was intended though, and is poor wording in the law. (The law has a lot of poor wording!)

The idea here looks like it was supposed to be that Children's data processed by consent must be deleted if consent revoked, even if you still retain other legal grounds for that processing. Normally those other grounds would let you refuse to delete the data, but because ramifications of providing data under consent may be unclear to children, they get to revoke it more strongly than adults.


> Also all data that might be deanonymized by some means is personal data.

One question I've always had with this is whether it counts as personal data if it can only be de-anonymized by combining it with other data. So Company A manages some subset of a person's data. Company B manages a different subset (different app or whatever). Individually it is completely anonymous but if you combine them, it's trivial to de-anonymize.

Is this covered by GDPR? Both companies? What if one company dissolves and that data set is deleted?

Obviously a contrived example but an interesting thought experiment, I think.


As far as I understand, data can only become anonymous as soon as the part that can lead to reidentification is actually deleted. We have such a case with the release of an 'anonymized' dataset, where the original data or the reidentifying set still exists. As far as I heard the opinions of the DPOs involved, the original data needs to get deleted for the data to be actually anonymous (although the data in the wild will not change). The problem is that otherwise the GDPR would have no effect anymore and the controller could 'anonymize' sensitive information and only keep uncritical identifying information. The other question is on what basis of article 6 such processing would be allowed, as the anonymization procedure would probably also count as processing. However, I have also heard the opinion of DPOs that you do not have to care as a receiver/user about the effectiveness of the anonymization, while other experts clearly state that there is a risk of becoming a controller if you cannot trace the effectiveness of anonymization and even the legal basis for that back to the origin.


> If GDPR left you in doubt, that idiocy really showed that these EU bureaucrats are completely out of touch with the reality in the field of technology they want to control.

Honestly, the main thing it revealed is how little value a particular segment of the technology community places on protection of individuals' data. It's actually hard for me to think of any better example of regulation that is designed and written to be in-tune with the technology involved.


> the biggest issue is inconsistent enforcement by DPAs. The other problems are overstated.

Wasn't this called out repeatedly over the years and obvious from the start? That a double forum shopping model will produce paperwork and voluntary compliance, in cases where the offender literally didn't know they were misbehaving, but little real action?


Just want to point out that this is not an issue only between European countries but also a problem e.g. inside Germany. [1]: a major information breach at a car rental company went with literally no consequences, while other cases get fined so high that they can easily fight decisions in court. I understand people if they complain about GDPR because it produces paperwork but in the end nobody cares about it. A central European regulation might sound nice at first, but if you cannot even receive a symbolic fine for a clear breach because a DPA has pity on you, something is fishy...

[1] https://www.heise.de/news/Kein-Bussgeld-fuer-die-Datenpanne-...


> also a problem e.g. inside Germany. [1]: a major information breach at a car rental company went with literally no consequences, while other cases get fined so high that they can easily fight decisions in court

This is the problem of German regulators being too cozy with incumbents. (Also see: Wirecard.) It's related, in that if you're one of the incumbents a regulator is cozy with, you're going to fight to switch forum to Germany. But it's a different problem with different solutions.


Indeed. NOYB's fight with the Irish Data Protection Commission is already legendary:

https://techcrunch.com/2021/12/20/facebook-transfers-impact-...

https://noyb.eu/en/irish-dpc-burns-taxpayer-money-over-delay...

(DPC = the official Irish body who should be responsible for enforcing GDPR… in bed with Facebook instead. Somewhere between shameful and criminal.)


> DPC = the official Irish body who should be responsible for enforcing GDPR… in bed with Facebook instead

Speaking as an Irish person, it's probably more accurate to say that the DPC is woefully under-resourced, and FB are super litigious so its more the government haven't given the DPC enough resources to do their job.


> Companies realize that competitors do not comply and that acting legally does not pay off. The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.

This is what makes writing good/effective law a non-trivial undertaking.

If the words on paper don't make positive sense, and negative behavior toward the words isn't backed up with punishment, then the effort corrodes and collapses.


We should get to a point where tracking requires users to install an app or a browser extension, I’m thinking of something similar to the ads toolbars of the 90s.

I shouldn’t have to tell people I don’t want to be spied on, nor should I have to install privacy extensions and PiHoles and whatever.


Isn't this a matter of someone developing a browser that implements this? There are a few privacy focused browsers out there. As long as the most popular browser is developed by the company that benefits the most from tracking, there will always be browser-based tracking.


The data protection act before it was not enforced and wildly broken by businesses as well. The law is always in at least two parts, the text as written and the enforcement. If the enforcement is mostly via government funded bodies then one way a government can undermine that aspect of law is simply to under fund the public organisation and that has been happening throughout Europe with strongly right wing governments. Many of these organisations have not been effective since the data protection act was introduced. The law is reasonable but the enforcement doesn't function and never has.


This is an excellent quote that reflects a notable share of opinions that I see in the comments here on HN whenever the GDPR is discussed:

> Hardly any other area of law is politicized to that extent – at least I have never heard that building or tax codes were openly ignored with the argument that compliance would “undermine the business model” of a company. The privacy bubble accepts such narratives as a legitimate argument.


Nah, this type of argument is often brought up once someone (with a lobby) actually has to change their ways to comply. Safety features would make cars 3x as expensive, nobody in the world could feasibly implement such radical emissions standards ...

All the time. It's just important to recognize this type of argument as pointless.


That's a very strange argument by the OP, there are massive arguments about whether/how building codes and zoning laws undermine the ability of developers to build new housing.


Arguments yes, but companies still comply at the end of the day. With GDPR, they simply don't, with no punishment.


> compliance would “undermine the business model” of a company

This is a disingenuous framing of the argument as it commonly appears on HN, sometimes by me.

The complaint isn't with respect to what the rules permit and prohibit. (Some people complain about that, but it's not the common mode.) It's the enforcement mechanism. Complaint initiated. Multi-forum and portable. Imprecise on implementation details. Those factors make compliance, even for someone looking to do everything right, expensive. Which raises barriers to entry. (And creates room for mischief.)

The closest similar thing in the U.S. is our approach to securities regulation. Complaint initiated. Each state has its own forum. Each side can complain and defend in different forums and then expensively argue over arcane rules for forum selection. Details hashed out through enforcement actions versus ex ante published rules. Now imagine there was no SEC corralling the mess. That's GDPR.


I have to disagree with that. I'd wager that even with a hypothetical perfect GDPR, you'd still have the major advertisers fighting it tooth and nail.

Because when "you're not the customer, you're the product" applies, then the GDPR does effectively undermine the business model. Targeted advertising appears to be immensely profitable; raising boundaries on how you process subjects' data, and how/to what extent you profile them, cuts into those profits.

The GDPR recognized the protection of PII as a fundamental right. The way I read the argument I quoted, the problem is not that e.g. Facebook would like to comply with the GDPR but cannot do so for e.g. imprecise implementation details. The problem is the GDPR significantly impairs Facebook's ability to generate revenue. And to that end, it appears that Facebook is indeed "openly ignoring" the GDPR to some extent, at least from what I recall from the ongoing complaints by NOYB and others.

[To clarify, I don't disagree with your particular argument; on the contrary, the flaws you pointed out are evident. I just don't think that that was the argument being made here.]


When you put it that way, it does sound pretty onerous...


As someone working in ad tech but not rooting for it to win at all costs: the biggest positive I see from GDPR is the fact that many ad tech data vendors have left Europe. I'm talking about vendors that aggregate personal data, track your location and the places you visit, the web sites you visit across multiple devices, etc.

i.e.

https://www.adexchanger.com/data-exchanges/tapad-is-shutting...


GDPR broke one of my websites that had tens of thousands of happy users.

Users loved it and expressed their delight that the website exists on a daily basis.

But when I tried to monetize it without ads and via Patreon instead, nobody paid. Nobody.

Recently, Google said they don't think my cookie banner is GDPR-conformant. But they gave no info on why, or how I could fix it. And turned off Adsense.

So I finally took the plunge and turned the site off.

My feeling is that the GDPR plays into the hands of the big web players. They have the resources to deal with it. While small one-man shows don't.


Is there really no way to monetise an audience with ads without collecting their personal info?

That seems more of a problem than GDPR exposing that underlying issue.

edit: seems like Google have a non-personalised ad option, but it still uses cookies:

> A Non-Personalized Ads solution (Ad Manager Help Center, AdSense Help Center) allows you to present EEA and UK users with a choice between personalized ads and non-personalized ads (or to choose to serve only non-personalized ads to all users in the EEA and the UK). Non-Personalized Ads only use contextual information, including coarse general (city-level) location. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive’s cookie provisions apply.


> Is there really no way to monetise an audience with ads without collecting their personal info?

There sure is: Contextual ads. DuckDuckGo does it, various documentation sites do it (https://www.ethicalads.io/), a Dutch broadcaster does it (https://archive.ph/Zk4Pv). It's how newspapers used to work and TV channels still do, as well as YouTube sponsorships (and probably many more).

It improves the UX over personalized ads because

a) you don't have to invade your users' privacy (including asking them for permission to do it, obviously) and

b) the ad is actually relevant to the context the user is thinking about, instead of something completely unrelated from some other part of their life (or, more often than not, something completely random).


Contextual ads have their own set of problems for advertisers though. Think of a blog post writing about someone's traumatic experiences with pregnancy and miscarriages and the algo decides to put an ad for newborn clothes next to it. Ouch...


That can happen with personalized ads. One point of contextual ads is actually letting you control what is shown besides your content/what context you want your ad to be shown in.

Besides ... most current ads are distasteful regardless of context.


As a website owner, you probably can provide a bunch of stop words or block domains you don't want to have advertising from.


There is a reason why personalised ads are everywhere. They save advertisers money and bring higher revenues to sites hosting them.


Yeah, there's also a reason our polluted rivers used to catch fire and children worked in mines, both those things were cheaper/more profitable to the decision maker too.

But have we forced every non-abusive advertising platform out of business as a result of tolerating this abuse for so long?


A non-abusive advertising platform wouldn't be subjected to GDPR problems; this should make it easier for them to compete and thrive, not harder. When it was legal to just collect all data about users from everywhere and sell it etc., then it was impossible for good actors to compete. What we see today is that all those bad actors who profited from all those bad actions are complaining and having problems; that is a good thing.


Not unless you're a NYT-level big player, and even those don't seem terribly keen on the idea. The fundamental problem is that advertisers want to know that their ads are being shown to actual people who are actually interested in what they're selling rather than bots run by fraudsters with fake websites full of fake traffic, which means tracking and attributing clickthrough, and that alone is enough to count as personally identifiable information for the purposes of laws like the GDPR. Contextual ads and not tracking users in order to select the ads doesn't solve this issue, it just reduces the profitability of advertising.


Google broke your website, to be clear, not the GDPR. They themselves don't comply with it. And they also regularly shut people out of Adsense for seemingly arbitrary reasons with no recourse. Bad practices from a company that treats its users like garbage is not an argument against the GDPR.

It's also not all that hard to comply with the GDPR as a small website.


GDPR aside, I had a similar shock after getting a few million users for a viral language game, but finding that basically nobody was willing to sponsor it on Patreon, even to a level to cover the basic hosting costs. It was a little hard to process at the time.


Casual games are a tough market, because there's a shitload of competition and a lot of it's free.

I play Wordle most days. I do enjoy it. The amount I'd pay for it is $0, because there are a thousand other free options that would entertain me just as much. Maybe not even word games. Maybe just Microsoft Solitaire. Apple's Texas Hold 'Em. Minesweeper. Nokia Snake Game. Whatever. Despite playing Wordle so much, if you told me I had to pay $1/month for it or else it'd disappear completely, I wouldn't do it. Its competition includes free stuff like watching the clouds go by, or flicking little paper wads at the trash can.


Yeah, Patreon won't cut it for those cases (unless there are good perks).

Maybe it's easier to sell merch.


Sponsorship (including merch) works for things people love - not stuff they casually use. In that case ads are probably the best option - but that's easily possible GDPR compliantly.


Have you done that?


What did you ultimately do with it?



With side businesses/projects there's always a matter of balancing the hassle of maintenance with the potential for profit / happy users. GDPR does change this equation somewhat.


It sounds like you encountered a small hurdle and chose to give up. Hundreds of thousands (millions?) of websites are GDPR compliant while running ads.


I have thrown quite a lot of work at it.

Reading into it, looking up the legalese, building a solution that shows a cookie banner and prevents ads from loading before users agreed to it, etc.

I only gave up after all of that failed.

It just became unjustifiable to throw more time at it.


Sounds like about 5 minutes of work to me: https://support.google.com/adsense/answer/7670013?hl=en


Enabling that broke the layout of the site.

It takes the liberty to dynamically inject stuff into the site. Even after the user provided consent. Maybe so the user always has a menu to change their settings.

They seem to try to put that dynamically injected thing below the fold. So maybe blog like sites don't mind.

But on my site it wreaked havoc.

I tried for a while and couldn't fix it.


In the context of the GDPR, I just want to remind people of this thread where a HN user invokes their rights in order to make Spotify back down on a change that would have locked user playlists into their service for no good reason - https://news.ycombinator.com/item?id=24764371

(can't be 100% sure this is what made Spotify change direction, but it seems likely)


That was a great thread, thanks for surfacing it. My gut reaction was that there was no way the thread could be involved in changing Spotify's mind. Color me convinced.


Yikes, what an enlightening demonstration of how bad GDPR and its users really are. Instead of taking control of their own music by having it on disk, this user decided to rely on a third-party service and then became so upset when the service changed that they threatened legal attacks. Services like this should probably block all nation states that support GDPR.


Gatekeeping music availability is weird. In most places, the idea of having all this music locally on a disk is impossible. How can someone in Mongolia get a lossless, FLAC-based discography of their favorite band from the 80s?

The music industry purposelessly makes it harder and harder to get lossless file-based music for the first world, save for indie bands on Bandcamp and the occasional release by a triple-A band/label. And again, this is next to impossible in developing nations.

I don't have hundreds of hours and thousands of dollars to dedicate to getting every song I want to listen to on a whim in the above-mentioned format, and I have much less time and money to manage those across my devices in a format that is anything short of maddening.


Spotify is based out of Sweden.


They paid a service and expect that service to follow the law.

That’s not bad at all.


Background info: Noyb is the GDPR fan club (run by Max Schrems), trying to get governments to do their jobs to get proper enforcement. And you can join them! https://support.noyb.eu/join


Any opinions on how they are working as an organisation? Good, bad, indifferent?



I don't think the law has done much at all. I operate a business that serves as a data broker / processor under GDPR.

I have had a total of 66 data requests in 4 years. I handle data requests and follow the laws, but I also understand the EU/UK has zero grounds to enforce anything against my business if I were to flat out reject all requests.

They can't fine me, I don't have a physical or business presence in Europe, though I do have European customers.

The only reason I handle requests is to protect my customers, not myself.


This is an admirable position, and one of my biggest problems with GDPR. Honestly, my only problem with it.

The EU does not have the legal jurisdiction to tell any company based outside of the EU what to do with its data, whether that data is about EU citizens or not.

If I ran a SaaS I would probably do the same thing as you (out of respect for my customers) but I certainly wouldn't feel any legal compulsion to do so.


Is that really true? My understanding for example in the USA is that if you violate the laws in another country, you automatically violate the laws in the USA (under the Foreign Corrupt Practices Act - https://www.justice.gov/criminal-fraud/foreign-corrupt-pract...) - or is that really just limited to bribery? AFAIK some other countries have similar provisions.


The FCPA is incredibly specific.

What US law requires a US citizen to comply with EU law?


Yes thank you, a more detailed read of FCPA would indicate it is primarily restricted to bribery (or at least payments that could be interpreted as bribery). But could a non-EU website operator still be fined for non-compliance with GDPR if it were to collect personal data on EU citizens? Do website analytics constitute personal data?


Jurisdiction issues are complex. In this case, the jurisdiction is defined by the location of the customer, not the business.

If your business ignores EU courts, that might not have an immediate impact, but in the longer-term, you have a liability if you ever do business in Europe, want to be acquired by someone with a business presence in Europe, and potentially in the future, travel to Europe.

GDPR is framed as a human rights law, and that has long-reaching claws.

It is currently not well-enforced, but there are many examples of clawbacks coming in. For US slavery, those clawbacks are coming 160 years later: buildings, businesses, and schools are being renamed. Statues are being torn down. In some cases, you're starting to see reparations (see Harvard). Milder versions of racism are subject to cancellations; things acceptable in 1980 are having repercussions on people's careers in 2020.

Then you've got issues of when you're persecuted for an unrelated reason, and the government is looking for an excuse or pretext to take you down. A famous mobster was taken down a century ago for tax evasion.


Jurisdiction is sometimes complex, but you don't have to be an attorney to see the disconnect in a court in say, Germany, claiming it has jurisdiction over the practices of a food blog run by someone in Kansas because someone in Berlin decided to sign up for their newsletter.

I want to be clear I think they have a moral and ethical obligation to delete that person's information if so requested. There's just no (legitimate) legal requirement. The huge jurisdictional overreach by GDPR is part of why you're seeing companies just outright ignore parts of it.

Reasonable people can disagree about whether or not GDPR actually covers anything in the spectrum of "human rights" but for the love of god slavery has nothing to do with anything about it.


Western powers did go around and force various African polities to stop doing slavery under the threat of their cannons...


Reasonable people cannot disagree about the framing of GDPR as a human rights law. The second sentence is "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."

Reasonable people can disagree about the extent to which privacy is a fundamental, human right, or where the bounds are, but that is literally the phrasing of the law.

Reasonable people can argue about a lot of issues, and views on rights change with time. Ancient Greeks and not-so-ancient Afghans had sex with kids. Just over a century ago, women couldn't vote. It's hard to predict how views on human rights will evolve. Right now, there are huge cultural disconnects about a lot of things digital. It's not clear where they'll land.


The one in GDPR trouble wouldn't be your company anyway, since you're a data processor. The data controller is the one who needs to make good on the data requests.


What I do not understand about GDPR is analytics. If you are operating a website outside the US and EU citizens access that website, my understanding is that applicability of GDPR is limited to only uses where the site is capturing data from EU citizens. If the server statistics include standard analytics (e.g. client IP address, client browser, client screen size, etc), are not those analytics the capture of personal data from EU citizens? In this regard, don't EU visits to all non-EU non-GDPR-compliant websites involve a violation of GDPR simply through accumulation of server analytics? Is there an exclusion for this? Or can any website operator anywhere in the world be fined for non-compliance on this basis?


I think the law is not well-defined because, as you mentioned, any visit to a country that doesn't provide that same data protection rules should be blocked based on the current law.

Also, I still find it weird that the EU (GDPR) laws apply at the client (visitor) rather than at the source (server). The question is: is the server providing a service in EU (sending a webpage) or is the client "going" to a server in the US?


GDPR is a good idea, but it seems to be top-down and pushing against megacorp and user alike. As it stands, the law is only making it more expensive to be in the data harvesting business. These extra risks and requirements raise the barrier to entry for new firms and so just end up cementing the market position of existing players.

If people start caring enough to actually cancel services that harvest their data, then the harvesting would stop. But it is very easy to underestimate the power of machine learning and correlation, especially when the data being correlated is gently sipped over years.


> the law is only making it more expensive to be in the data harvesting business

Great. "Data harvesting" without explicit consent should not be a thing.

> If people start caring enough to actually cancel services that harvest their data, then the harvesting would stop.

I think that's quite naive. Much harvesting comes from websites that share data with each other about individual user behavior. There is no service to cancel unless you mean "browsing the web".

NOYB has more information, it seems: https://noyb.eu/en/projects


"As it stands, the law is only making it more expensive to be in the data harvesting business"

That's at least partially the intention, and I'm entirely in favour of it.


Agreed. At my 25 person company it gives me a lever to pull in conversations about data - when someone asks can I have X, I can pull the GDPR card as a reason not to do it.


> pushing against megacorp and user alike

No, it's pushing against megacorps (and corps) and they're trying to gaslight everyone into thinking it's pushing against users by annoying the users on purpose and telling them the GDPR forced them to do it (while also breaking the law and still hoovering up as much data as they can while they think they can get away with it).


Is anyone maintaining some custom NoScript or anything like that I could use to block GDPR/cookie law popups and such EU nonsense? I'm not even a subject of Brussels


In my experience, the annoyances list in uBlock Origin (and possibly others), which is disabled by default, drastically reduces the amount of such pop-ups. The only remaining ones are unfortunately among the worst, which is to be expected since they went through the trouble to set up anti-adblock measures ...


Cookie banners have ruined the whole web. - They do not protect people (99% are just fake. If you reject cookies you keep getting them). - They cost money to companies (so cost to customers). A simpler browser extension where you manage your preference once for all (default) with the possibility to personalise per site (think like you do for camera permissions) would have solved the problem in a real way and without all the hassle.


> 99% are just fake. If you reject cookies you keep getting them

Note that cookies that are technically required to serve the site don't need a cookie banner. This is something many people get wrong. Other people shift to LocalStorage instead. But the actual legislation does not distinguish between cookies and local storage (and similar techniques).

Also, there must be a "reject all" button which should appear visually equivalent to the "accept all" button. Rejecting all has to be as easy as accepting all. Additional clicks are not legal.


Another thing that is often ignored is that you have to wait for someone to consent before you give them cookies. Many sites just create the cookies when you open the page, then throw the banner, then whether you accept or reject, it makes no difference. Talk about compliance theater.


Cookie banners just make visible how hard you and your private data have been fucked all over the internet in all the years.

It creates visibility where there was none.


Indeed, kind of like the graphic disease labels on cigarette packs. It doesn't directly stop people smoking, but it does raise awareness of what can happen.


> 99% are just fake. If you reject cookies you keep getting them

That's illegal, then.


That's something the article should have mentioned:

4 years on, and people still think GDPR is about cookies – and even responsible for the intrusive consent pop-ups!

It is a testament to the power of the adtech giants and all the other shitty shady businesses, how they managed to twist the narrative.

And that's on HN, a presumably tech savvy audience. What chance does the "normal" population stand?


Lots of people on HN work for advertising companies such as Google, Facebook etc, tech savvy or not has little to do with it.


I don't work for an adtech company and I think GDPR has made the web demonstrably worse for everyone. I'd rather avoid EU clients altogether than put up a cookie banner/popup.


If that is your response then you haven't begun to understand the reason why the GDPR exists in the first place. You don't have to put up a cookie banner/popup. Have a look at my website: jacquesmattheij.com , no banner, no popup and yet 100% GDPR compliant.


1. GDPR isn't about cookies, or cookie banners

2. It's not GDPR that made it worse but ad-tech and similar leeches who want to continue vacuuming up all available data without repercussions


Here's a genius hack around the GDPR: don't abuse people's data and you don't need a banner at all!


And if they did that it would also make them GDPR compliant.

They chose to put up cookie banners as a way of making it seem like the people making the laws told them to do it.

> 99% are just fake. If you reject cookies you keep getting them

This is silly. The rule is that people are allowed to opt 𝚘̶𝚞̶𝚝̶ in to tracking. Just because some companies use cookies for this doesn't mean that cookies are banned.

If you are using cookies to store your website's settings then that is perfectly fine.


> The rule is that people are allowed to opt out of tracking

Sorry to correct you, but the rule is that people are allowed to opt-in to tracking. This fundamental misunderstanding is kinda the problem...


Although I would say that this misunderstanding is not the problem.

The problem is that people think the cookies are the problem, when in fact it's not the cookies but the tracking.


Sorry, yes this is correct.

And even after opting in, you are allowed to opt out.


Opting-in should be a client feature, not a website feature... make browsers block cookies by default, and then add a button next to the title bar to accept cookies for this webpage (for them to remember the login).


Other people tracking you has nothing to do with the browser.

They need explicit permission to track you. The browser doing absolutely nothing is what most people want.

The website can set whatever cookies it wants for the activity of the website itself.


GDPR is not just about cookies. In fact cookies are already next-to-useless for tracking because modern browsers have countermeasures against it (which unfortunately does hinder legitimate usage like cross-domain SSO).

The GDPR is about data processing consent as a whole, regardless of how the data was collected. It includes data that you can’t withhold such as your IP address, browser fingerprint, etc.


> Does not protect people (99% are just fake. If you reject cookies you keep getting them)

Fake cookie banners are illegal under the GDPR. Seriously, in what other aspects of life do people respond to terrible enforcement by saying the law is the problem? (Of course there exists a bunch of stupid laws that are also terribly enforced, but here the objective of the GDPR is not stupid – it's merely a matter of terrible enforcement)

> Cost money to company (so cost to customers)

Most regulation comes with a cost. The fact that this does, too, is kinda meaningless on its own. Food safety regulation comes at a cost – that, in itself, is not an argument against such regulation.

> A simpler browser extension where you manage your preference once for all (default) with the possibility to personalise per site (think like you do for camera permissions) would have solved the problem in a real way and without all the hassle.

Are you seriously arguing that legislation to enforce such privacy standardization would be easier to enforce than the current GDPR? By all means, what you're proposing sounds great – better than the GDPR even – but massively harder to do.


> in what other aspects of life do people respond to terrible enforcement by saying the law is the problem?

Every other case where the law is widely broken and selectively enforced? From low-level traffic offenses to drug legalization.


> Cookie banner has ruined the whole web.

No, all websites that have cookie banners do so because they were already ruining the web, the only thing you can blame GDPR for in that regard is visualizing it.


> Cost money to company (so cost to customers)

You can't necessarily raise prices just because your costs go up.


GDPR is about personal data, not just cookies.

I agree they should have thought better of that cookie law, which is a different one. But GDPR really was and is on point.


GDPR notices are obnoxious, but they are not the only source of popups, not even the most annoying (most of them are converging to standard patterns, so you can dismiss them quickly). These days many sites have a constant barrage of all kind of popups, browser notifications requests, registration nags, adverts and so on, often on a delayed trigger.


> GDPR notices are obnoxious,

They're not obnoxious because GDPR made them that way, they're obnoxious because companies who think they have a right to unfettered and undisclosed abuse of people's data (because that's what they were used to) are trying to pretend that the law is the problem and not their malfeasance.

A fully compliant GDPR banner has two buttons, of equal prominence: reject all, and accept all. That's it. Any obnoxiousness is on the implementor, and it's likely illegal.

Another fully compliant solution is to only collect the data you actually need, and then you don't even need a banner at all.


Of course! I'm just pointing out that getting rid of GDPR wouldn't get rid of the popups.


GDPR is just about one more annoying popup you need to click away on each site you visit, and some U.S. websites became inaccessible without a VPN at all. Good job.


I completely reject the premise of this, that somehow EU citizens are not personally responsible for the information they themselves put online.

The most hilarious thing is cookies!

For example, cookies exist, and they work a certain way... and despite not liking how they work.. they are here, and not going away, and imposing some kind of contract-law of cookies being accepted or rejected totally ignores that the user has, and always had, the ability to reject cookies at the browser level, unilaterally or with policies, without any contract laws.


The idea of cookies was to establish sessions - something which can be done by other means, so cookies aren't needed. It would be good to have browsers which would clean all cookies every browser restart. Not enough though, some browser sessions can last months, so a better solution is needed.


I don't know of another way that reaches the same security model as secure httpOnly cookies, which are the recommended way to do session cookies.


> something which can be done by other means, so cookies aren't needed

How does one actually do that? Embed a session id in every request/response?


Yes, each request can explicitly (well, not for the end user) carry the session id - or, say, one of the previous request ids. Cookies do that automatically, but have side effects by remaining in the system.


Is there any way of maintaining session IDs across requests without JavaScript other than cookies? My understanding is, the whole point of cookies is that they're automatically sent by the user agent, anything else that was stored (such as in LocalStorage) could only be used by JS scripts.


Embed them in query parameters.

EDIT: What I originally wrote is somewhat off. It was directly in PHP: https://www.php.net/manual/en/session.idpassing.php

I don't know if I'm remembering right, but I seem to remember some early PHP framework or templating system, $_SESSION variables could be configured to use query parameters instead of cookies. So every link generated by the framework automatically inserted a "?SESSIONID=12345" at the end of the link. The backend translated this into the PHP $_SESSION object.


If your whole website doesn't use JavaScript and every request reloads the page, that reloaded page can contain current session id, right? Why do we need to rely on automation which does this thing, with known drawbacks, but can't do that ourselves?


> that reloaded page can contain current session id, right

Right, through cookies - unless you want to embed the session ID in every single link or button in the whole page. The way pages "contain" session data like that _is_ cookies! snapetom mentions embedding in query parameters, which while a possible solution, seems even worse to me, as it means sharing a link to the current page you're on leaks your session token. I'm really not sure I'm following what you're saying here.


Cookie banner alone has probably done more harm in terms of wasted human life than anything else combined. 4.66 billion active internet users, 92% of which are web users, spending 5 secs per day on clicking all cookies allowed. That's 680 human years wasted per DAY on these banners.


Ummm.. you know why?

Because big companies with deeply unethical business practices are basically saying: "if we annoy you to death, maybe you get governments off our backs and let us make even more money".

They're like Big Tobacco when tobacco ad regulations were introduced.


Sure you're not actually thinking of preroll ads?


Honestly, never saw the point of GDPR. You add additional expenses for something big abusers will just bypass, ignore or even worse just retract from the market.


Well the idea is that with proper enforcement the big abusers shouldn't be able to bypass it. The legislation itself is sane, it's just that enforcement is lacking.

> even worse just retract from the market

I disagree that this is worse - if privacy-violating monopolies retract from the market then it opens the doors for privacy-respecting competition to take its place.


> The legislation itself is sane

On paper yes, great intentions[1], in practice no. E.g. Right to be forgotten.

Implement RTBF in context of IPFS.

[1] Second-order effects: like preventing rats/snakes by awarding a reward for rat/snake heads, which leads to rat/snake farms.

> if privacy-violating monopolies retract from the market

You get Splinternet. Several independent Internets, walled from each other.


I find the right to be forgotten very valuable in a world where everything is permanent, searchable and every little mistake will be used against you in the future.

> Implement RTBF in context of IPFS.

How does IPFS deal with CSAM being published on it? Not saying it should detect CSAM, but once it is found, how does one go about having it removed? You use the same system to handle RTBF, and if you can't, then maybe a platform where it's literally impossible to delete something isn't a good idea (partly because undesirable content will ultimately outnumber legitimate content)?

> You get Splinternet. Several independent Internets, walled from each other.

If there's an internet where Facebook and Google can't spy on me, sign me up!


> You use the same system to handle RTBF, and if you can't, then maybe a platform where it's literally impossible to delete something isn't a good idea (partly because undesirable content will ultimately outnumber legitimate content)?

The impossibility of the assured annihilation of data is true of all protocols for data retrieval so long as client nodes are free and able to copy the data retrieved.

It's why removal of illegal content from the internet has been an abysmal failure.


> I find the right to be forgotten very valuable in a world

So do people with skeletons in the closet. Not saying you do, but right to be forgotten can infringe on other people's right to be well informed.

This is not a hypothetical. It has already happened.

> How does IPFS deal with CSAM being published on it?

Using CSAM to justify a law, is not a winning strategy.

It would be tedious but probably destroying all nodes. Which means IPFS is not compatible with RTBF.

> If there's an internet where Facebook and Google can't spy on me, sign me up!

That does leave state actors though.


IPFS already has to deal with other kinds of forbidden content.

Could you elaborate on the second order effects?


> even worse just retract from the market

This is like saying that regulating damage to the environment is bad because it would make businesses that can't exist without doing said damage retract from the market. Good riddance; if a business can't or isn't willing to protect EU citizens' data they should go away, like many polluting industries that had to adapt or die.


> This is like saying that regulating damage to the environment is bad because

Sure, if a global problem is only taken on by a small subset of states. It's not solving a problem, just essentially grandstanding. See climate change.

But GDPR and related laws have been a mixed bag and a combination of neat and "why the hell do you think that will work?".


Can you give any examples of abusers that have retracted from the market that actually provided a useful product?


GDPR prevents companies like "safe"graph [1] from selling mined data:

>The GDPR (European Law)

> As of May 25, 2018, a new data privacy law known as the EU General Data Protection Regulation (or the "GDPR") went into effect through the EEA countries. SafeGraph does not offer products or services involving the collection or sale of “personal data” in EEA countries. We likewise seek not to collect such personal data from our data providers. Should any of the foregoing change, we will update this section of our Privacy Policy.

If this is not a net win, I don't know what is.

[1] https://www.safegraph.com/privacy-policy


The point of GDPR is to smack companies that fail to meet it hard on the nose, so hard, in fact, that it might break. The maximum penalty is 2% of yearly turnover. That's hurtful even to megacorps. No one, not even them, needs a broken nose.


In theory yes, but so far they haven't brought the hammer onto anyone of formidable size.


    Amazon Europe Core S.à.r.l. Industry and Commerce LUXEMBOURG 746,000,000 euro Non-compliance with general data processing principles 16 Jul 2021

    WhatsApp Ireland Ltd. Media, Telecoms and Broadcasting IRELAND 225,000,000 euro Insufficient fulfilment of information obligations 02 Sep 2021
https://www.enforcementtracker.com/?insights


     In 2021, Amazon EU S.à r.l. had a revenue of over 51 billion euros
Can't find numbers on profit, but companies such as Amazon are experts on creativity, as indicated by e.g. this quote:

    Amazon paid zero corporation tax in Luxembourg last year, despite seeing a record sales income of €44 billion.

    As first reported by The Guardian, accounts for Amazon EU Sarl published online showed that despite making billions of dollars in sales, the company's Luxembourg unit, which oversees retail in countries across Europe, made a €1.2 billion loss and therefore paid zero tax.

    Not only did the company not have to pay corporate tax, but it was also handed €56 million in tax credits to offset future tax bills in the event that it does turn a profit. That also comes on top of €2.7 billion in losses that have been carried forward and can be used to offset future tax bills.
I.e., not a sledgehammer.


This link gets posted all the time but if you compare the total amount fined across all companies and all countries it's laughable compared to the profits a single big offender (see Google, Facebook, etc) makes in just a year.


Are those fines given or fines collected? I remember reading that fines collected are really tiny portion of those given.


Fines given. Wasn't even aware there were mechanics for third-parties to track fines collected (aside from say yearly reported aggregates).


GDPR also opened the door for the eprivacy directive that brought us cookie law


Different order. That is also why the gdpr addresses some of the abuse of the cookie law.


ePrivacy was there way before the GDPR.


The purpose of GDPR is to help abusers legitimise the data they collect. Before GDPR it was a grey area, because users didn't explicitly consent to anything - GDPR fixes that. Ubiquitous pop ups where you agree for your data to be collected and processed, trained users to consent to anything that comes their way and corporations now have legal basis to use, process and sell that data.

It was quite clever - make people believe the legislation is for their benefit, whereas in reality it has been created to help with data abuse and make money off of it.


> trained users to consent to anything that comes their way and corporations now have legal basis to use, process and sell that data.

Sorta? I don't consent to much when I get the pop-up. You can revoke consent at any time as well and you're entitled to the data the company has on you.


The average person doesn't understand what they click on; they just want the pop-up to get out of their way.

You have a bias from being a tech person who understands this, but the vast majority of people have no idea what it is about, and they just consent because they don't care about or know the impact of their decision.


Most people I know are not tech savvy and from shoulder surfing, they click no to consent. One couple I know won’t even install an app if it asks for their location.


> vast majority of people have no idea what it is about and they just consent

Do you have a link to the study that shows this?


The GDPR has strict regulations on what counts as valid data processing consent. 90% of the consent popups you see out there do not fit those criteria, and any "consent" obtained via them doesn't count.


That's an unduly cynical take in my opinion. GDPR isn't about web sites and cookie preferences, although that is the most visible effect to users.

I'd happily replace that whole cookie mess.



