49 comments

[ 4.6 ms ] story [ 114 ms ] thread
https://www.eugdpr.org as they didn't provide link in article
That website is run by a private company. A lot of the information on that website is wrong.

Here is a correct explanation in English of GDPR from the Irish regulator: http://gdprandyou.ie/

Also the UK regulator: https://ico.org.uk/for-organisations/guide-to-the-general-da...

One of the most “interesting” parts of GDPR is that it delegates enforcement to ~25 member countries.

This leads to the situation where the interpretations can vary greatly from country to country. We might see a very pro business Irish agency saying one thing and the Danish saying another.

Remains to be seen if that will lead to compliance shopping like in some finance regimes or if every enforcement group will get to come after every firm.

If and when a business has a lead regulator is discussed in the A29 WG.
I thought this was an interesting angle:

"U.S. policymakers argue that American data protection standards, enshrined in the constitution and enforced aggressively by the Federal Trade Commission, do more to guard against misuse than European standards, which often can be more bark than bite."

Can someone more familiar with the US constitution elaborate on what exactly it says about data protection?

They didn't do much about equifax so I'd be very suspicious of such statements about American data protection standards.
Nothing in the gdpr would ban equifax. Creditors will continue to have the right (legitimate interests) to create, submit data to, and use credit reports in decision making.

GDPR would have attached more liability to equifax (though 4% of global revenues really isn't that much), including a much shorter timeline on reporting the breach.

https://www.eugdpr.org/key-changes.html

Apart from the fine and the notification of the breach. Equifax would have been different because of.

- Consent : " companies will no longer be able to use long illegible terms and conditions full of legalese " - Right to Access : " Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. " - Right to be Forgotten - Data Portability - Data Protection Officers

But Europe ( the countries that i know about ) have different requirements rules for credit bureaus all together. So AFAIK there is little incentive for Equifax to hold European data at all.

The majority of those rights don't apply for reasons that should be obvious if you had even a modest understanding of the gdpr (see legitimate interest basis) and other related legislation. It is distinctly not helpful to spew misinformation on HN.

So that people don't rely on your lack of understanding of the gdpr:

* consent isn't required; it's merely one basis to permit processing

* since consent isn't required, it will be an extraordinary stretch to exercise a right to be forgotten. In fact, credit reports are probably one of the canonical cases where LI override most rights of the data subject.

* data access is not new; see DPA

* Equifax does, in fact, have an EU business; it is in the UK. And has offered £2 access to credit reports since 2010-ish. I recognize 2 > 0, but it is not significantly different.

Last I checked, hundred billion dollar companies were getting "record fines" of a couple million dollars for multi-year privacy violations. So those policymakers are either clueless or lying.
Well its difficult for the EU to go after US companies. Take Facebook, they have a direct line to the US administration and before you know it there's a diplomatic incident going on.
I think the statement is accurate with regards to the "bark or bite" criticism of current EU privacy law. Enforcement of these laws lacks the efforts expended on, for example, antitrust enforcement.

Among the problems is that Europe doesn't have "class action" lawsuits. Coupled with the fact that any single individual usually incurs only relatively small harm from privacy violations, the incentives to invest in lawsuits just aren't there.

Public enforcement is also delegated to privacy watchdogs in each member state. Because jurisdiction is based on a company's registration, there is an obvious conflict of interest in these positions. This has played out, for example, in numerous cases against Facebook: It is (like Google and others) registered in Ireland, where the government has long been rather sympathetic to industry interests.

The US Constitution says absolutely nothing about privacy, but the Supreme Court has found it reading between the lines of the 4th (unreasonable search and seizure), as well as the 1st. There's also the 9th ("This list of rights is not intended to be exhaustive" or something to that effect). In practice, US data protection lacks the EU by a wide margin, except for certain, specific cases such as video surveillance (which the UK uses far more) and health data (HIIPA seems to work rather well).

It doesn't say anything about data protection specifically. The Fourth Amendment deals with people being (theoretically; the reality is not great) safe from unreasonable searches and seizures perpetuated by the government.

I don't really know of anything that deals with giving people more power to direct how private entities can use (or not use) their data.

Frankly, US privacy and data protection laws are terrible, and what little we do have ends up being weak enough that companies and the government can usually find ways around it when it's inconvenient for them.

Not sure how well the GDPR will work in practice; this is going to rely on broad but even-handed enforcement. The fines are hefty enough that not complying would actually do financial harm to companies, but that'll only work if the EU actually enforces the law properly. Only time will tell if they do.

What a utter non-sense tone for the article!

> Europe wants to conquer the world all over again.

So Europe makes new regulations that improve the life of european people and they try to spin it up as a global domination move. As a European I am really happy that I am more protected. If a company wants to make business with me I expect them to follow the local regulations! That is not a new world order plot, cmon.

Stronger regulation some times is better when made with the citizens in mind, see the TTIP. Why would we (europeans) want to reduce our food quality regulations? Why wouldn't we want a better data protection?

Specially after Equifax scandal, I am so happy that things are changing over Europe.

Edit: specified better what I think is non-sense

> Europe wants to conquer the world all over again.

Politico Europe is a pretty pro-EU publication, so it would indeed be worrying if they saw a return to colonisation.

Luckily, the authors are just employing what's called a metaphor. The last sentence arguably does a better job of summing up the article's thesis:

“This is part of Europe’s exporting its soft power,” said Kuner, the co-chair of the Brussels Privacy Hub. “In terms of regulatory influence, Europe is definitely a superpower.”

This is just one line in the article--it's meant to grab the readers attention.

The rest of the article provides real substance. Silly to claim the who article is nonsense based on one line.

I would have thought the same if the rest of the article didn't try to prove how it is a world domination move (just a few examples):

> Data protection is a good example of Europe trying to extend its influence over other countries

> In response, legislators worldwide are scrambling to update their domestic legislation

> the upcoming data protection changes risks being viewed as yet another diktat handed down by former colonial powers in

> We’re already seeing a number of countries falling in line with Europe

So you think the present state of data protection laws in the various countries of the world, including the US, is just fine? Or if you think, like any sane person, that it is simply awful, then do you think it could get fixed by any other means than what the EU is doing?

My guess is you work for someone like Facebook that wants to keep things the same, and doesn't care what damage that causes.

(comment deleted)
More protected? I guess that is one way of looking at it. Like the law about the cookie popup. Brings nothing of value but you can get in trouble if you don’t have it, does it make you feel more protected?

I mostly see this as a way to fine big companies and put some money in the pocket. Also like with tax and other laws if the enforcement is delegated to the members we will have same situation like we do now with tax in Ireland or the way Volkswagen and Co. put their cars to sales first in specific countries to bypass German standards.

A lot of this also makes no sense from technology perspective, it would be easier to force browsers not to accept 3rd party cookies then to make me ruin user experience cos i have a youtube video embedded in the site.

EU learned a lot how to be a nanny state from Germans, which in a way and kills a lot of freedoms under guise of security... But I for one would rarely sacrifice freedom for security...

Really trying to tick off all the buzzwords in this one, eh? Only thing missing is probably "live free or die" while an eagle flies through the scenery.

The EU law aims at giving citizens in the European Union more control over their own data. They should be informed what a company does with their personal information and they should need to consent to it. In other words, they have a right to make a transparent, informed decision.

I don't know what this has to do with nanny states or taking away anybody's freedom. In fact this is a great tool to give individuals freedom and ownership over their data.

For example Uber has a long time habit on trying to get drivers to do what they want by using their information in ways that drivers are likely not aware of. The goal of legislation in the future must be to empower those drivers to be conscious of this and have a right to demand in what way information is used to control them.

I don't want to end up in a world of nanny businesses because we're too afraid to legislate them.

Buzzwords... like empowering? One example is that now my websites need to have full screen agreement popup for each 3rd party cookie which will not help anyone do anything. You can already set 3rd party cookie preferences in browser.

Do you think think this will stop data collection and mining in anyway?

These kinda a laws is why germany has no free wifi anywhere cos owner gets fined for anything that happens on his wifi... so good luck to find decent hotspot in Berlin for example...

There should be regulations but when they are too stiff they don’t help anyone in this case

my websites need to have full screen agreement popup for each 3rd party cookie

Oh please. Please be factual even in your rants. For one, a single notice is quite enough. And secondly, it's not about cookies, but all forms of user tagging, including e.g. browser fingerprinting, which does not require any client-side data.

Do you think think this will stop data collection and mining in anyway?

I hope not. I really look forward to those massive fines.

Single notice doesn't make it better, and sorry if my phrasing is not the best.

And it is about cookies too...

What about massive fines for small companies? Large ones will pay and continue making money off your data while the small companies will go bust for even simple mistakes.

> These kinda a laws is why germany has no free wifi anywhere cos owner gets fined for anything that happens on his wifi...

The law has changed. Since October 13th 2017 the owner of the internet access point is no longer responsible for what happens through his access as long as he doesn't collude with those, that do mischief with his access.

Yes, so do we have to have similar laws now and wait for them to backfire to take them away again?

This law has seriously impacted WiFi availability in Germany for some time.

Torrent laws are used by lawyers and scamers to send out fines to random people and scam them for money, what does a consumer get out of those laws? Nothing...

Same way this law imposes so many rules that for smaller companies it just makes things harder while the big companies will pay and forget about it.

> Torrent laws are used by lawyers and scamers to send out fines to random people and scam them for money, what does a consumer get out of those laws? Nothing...

If you are a provider of internet access for example via WiFi, and you didn't collude with the users to breach the law, and you are sent a Abmahnung by a lawyer, then you can demand them to take back the Abmahnung including any financial demands after explaining to them said situation and making credible that you weren't exclusively using your internet access. You also don't need to investigate who was the perpetrator, and no ask no tell works. If the laywers don't step back, you can sue them with a Negative Feststellungsklage.

Websites display cookie popups, therefore EU regulations are bad for individuals.

All of these are different issues.

I think you got off at the tangent... the article is about the global influence in the legislation of pro-privacy laws and regulations, "conquering the world" was probably just a metaphoric joke which the author insisted way too much. Definitely the new rules had their global impact without being that a conquer.
American companies are kinda pissed, but they can always decline to do business here. Unlike the US the European Union doesn't claim to police the world.
Power and influence flow through the end of a pen rather than a gun. Very EU. Considering the generally poor state of data privacy and use of data about people, I must admit I think GDPR is for the good.
This is interesting. Maybe one of the few things Europe contributes/exports (in tech)
You can thank EU also for microusb being (having been?) a standard for all smartphones and devices.

And don't forget those GREAT cookie privacy popups on every site you visit! /s

Ah you’re right, the stupid bar that is hunting us all... forgive me
> You can thank EU also for microusb being (having been?) a standard for all smartphones and devices.

I do. Say what you will about that connector, but it was definitely an improvement over the situation that preceded its standardization.

I think the cookie popup thing got rescinded.
The thing is, a website doesn't need a cookie popup if it's only for their use (sessions, etc). IIRC

The fact that every website now has like 5 3rd parties tracking visitors is what requires the popup.

My site doesn't have a cookie popup, but then it's one of the few that don't ship all the user tracking data to Google.
(comment deleted)
I had just posted this GDPR guide with steps to implement the mandatory data protection:

https://news.ycombinator.com/item?id=16310501

It actually looks like a good guide... enough to get started in the topic... at least until I saw the question on how to implement GDPR:

"If you’re not sure about their compliance, time to act. You’ll need to contact them and make sure they confirm they’re GDPR complaint. That image needs to be 100% completed."

I know the knee-jerk reaction on Hacker News will be that this is really a positive outcome ... but I think people are not actually digesting the consequences of the wholesale export of EU regulations across the world.

The EU has many regressive regulations based on outdated notions with regards to the rights of individuals.

Just one example: in the US if someone is involved in egregious fraud (such as ripping off thousands of individuals in a scam) then the US says that such information constitutes news and that even if its old information from a decade ago its relevant, and a platform like Kickstarter or Google can keep the information online for users to assess before transacting with the individual.

In Europe this could be deemed illegal. There's a right to be forgotten in Europe. And sometimes even relevant and newsworthy information can be ordered to be purged from databases.

The Europeans don't want companies or users deciding on the rules for platforms. They want to make one rule and apply it across all platforms. Not only that, they don't really think through the implications of some standards. Like if there is a right to be forgotten, can companies like Kickstarter really afford to scrutinize every request for deletion of data and use a lawyer to determine if the request is justified? Of course not. They will just make an algorithm and automatically delete the information. The value of the platform in the long term will decline as fraud from years ago is purged.

There is a cost and benefit to all types of censorship. Censorship of information about individuals isn't always just positive. There are lots of serial fraudsters who get away with decades of shenanigans because information about them is not readily available.

Also, and this is more controversial, I happen to think many types of privacy (but not all) are really just cultural artifacts of right now and don't have much utility from a political and economic perspective. Of course there is a value to protecting the privacy of private communication to prevent the rise of totalitarian states, etc., but some other kinds of privacy are really just around to avoid personal embarrassment. But the standards for embarrassment are always changing. At one time we were all running around half-naked and fornicating in small tribes where there was literally no privacy. So there's nothing innate in our nature that says that certain activities must be kept private. Its merely custom that such and such activities can be used to embarrass an individual.

In the future, it may be that even presidential candidates will have some embarrassing selfies distributed online, and maybe even some dic pics or boob shots from their youth ... and probably nobody will care much ... except to say ... damn, my future president has a fire crotch ... or something like that. But it will be said in passing, and nobody will care much. Just like nobody gave two shits about Obama smoking choom.

Think your point that the value of different kinds of privacy varies with cultural norms and as such, may be over-valued, is an interesting one but have to object to this part - don't think it's a good example.

> Just one example: in the US if someone is involved in egregious fraud (such as ripping off thousands of individuals in a scam) then the US says that such information constitutes news and that even if its old information from a decade ago its relevant, and a platform like Kickstarter or Google can keep the information online for users to assess before transacting with the individual.

So long as it's profitable, scammers are going to find ways to scam no matter what, such creating fake identities in this case. I'd rather trade that against a teenager committing suicide because of revenge porn.

Legislators in the US can, and more states are, passing laws against revenge porn so I don't think that's a good example.

I do think fraudsters will attempt to use the GDPR to erase their fraud histories. Companies will need to carefully delineate what data is used as a legitimate interest vs consent bases to make sure they can continue to use fraud histories in their anti-fraud efforts.

It's not as easy as you think to shed an identity and make a new one for fraud when the identity is linked to real-world ID in many jurisdictions.

The teen suicide issue is unrelated. Facts, such as news stories about fraud, are not the same thing as media, such as a porn video. Regulations can easily bifurcate between the two so its a false tradeoff. What is telling is that the regulators in Europe have chosen NOT to make this distinction. And in fact they have EXPLICITLY protected people's right to purge news stories about their fraud ... showing a disdain for making such a judgment in favor of information freedom.

I do like the idea of a world where nations compete with themselves to offer the best data privacy protections.
My hat is off to EU, doing what is right to protect individuals from the evil do'ers/