191 comments

[ 5.2 ms ] story [ 221 ms ] thread
Came here to mention Oath, but it seems the site has already covered it:

http://gdprhallofshame.com/5-techcrunch-engadget-and-oath-co...

Great idea for a site. I'm sure it won't lack content for quite some time.

I defied RSI to click all Yahoo partners, and opening a random sample of privacy policy links I found one that was written in Chinese. So much for consent.
It looks like the witch-hunting is about to start.
My favourite at the moment is sendwithus. They said their service will never be GDPR compliant. But fortunately they have a new "enterprise grade" product called sendwithus dyspatch. Same feature set, new price plus GDPR compliance. This is a price jump from $79/Month to a minimum of $24.000/year. And this is with discount for former sendwithus users. I would consider this to be mafia methods.
Not sure why I keep reading that as sandwitchus.
Why? This seems like good behavior. They're original product is supported by a business model that relies on user data. Now they are offering a similar product that doesn't make money off of user data but instead charges the user. I am all for the GPDR, but the regulations don't say you can't suck up all user data _and_ you still have to provide your service for free/discounted
So you're saying user's data is worth $23052 per year?
User data could or could not be worth that much. Having a team of programmers implementing and maintaining features that make the software GDPR compliant is perhaps the biggest contributing factor the price increase
Maybe, maybe not. If it's not I assume they'll be forced to lower their prices and go out of business. I don't have a problem with a company charging money for their product though.

The GDPR appears to be doing its job here because it's forcing a company out of a business model that is unethical and into one that's better for society, regardless of it's better or not for the company and some of its customers

No, that is just the cost of compliance.
(comment deleted)
I work for a competitor to sendwithus, and, while I can't speak to specifics or the industry as a whole, I can definitely say that it is proven possible to run a company whose revenue model is to charge something comparable to sendwithus's previous monthly subscription fees, be profitable, grow steadily, and not make a single dime on the side selling data to advertisers.
If they are offering the $79/month service in the EU, it doesn't matter that they have a GDPR compliant version.

They won't be able to sell the non-compliant version right?

The problem is you won't get an Data Processing Agreement (DPA) from them. And since email and names are sent through the service the DPA is mandatory. If someone somehow manages to detect your are sending his data to a non-compliant service you can get sued.
If an EU company who holds private data of their customers ("data controller") is buying services from some third party service provider ("data processor"), then it's the data controller's responsibility to ensure that they handle the data responsibly and don't ever give it out to noncompliant processors.

A B2B service can legally offer a non-compliant service in the EU, but then the buyer isn't allowed to put any privately identifiable data in it; GDPR article 28.1 "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."

So in the sendwithus case, GDPR would prohibit an EU company to use its $79/month service for handling private data, since it doesn't come with the required assurances.

The Instapaper one - #1 - is troubling for a non-obvious reason. One of the tenets of GDPR is that you have to be told how your data is being used. So the only explanation for this behaviour is that there's some shady shit going down that they want to stop before they have to admit to it.

If I used Instapaper I'd be filing a complaint with my local DPA about this.

> So the only explanation for this behaviour is that there's some shady shit going down that they want to stop before they have to admit to it.

No, it can something as simple as "we cannot guarantee that all your data is deleted with our current storage system". It would be a lot better if people stop being so alarmist.

Why can't they comment on it? It's very suspect.
I'd guess they're afraid of legal liability.
If it were something that simple and reasonable, they'd be happy to say so.

The fact of not giving an explanation implies that the real explanation is worse that you would expect.

The deletion doesn’t have to happen immediately, just in a reasonable time frame. A few weeks is okay, too.

So if it was just that, they wouldn’t shut down.

It would be a lot better if people stop being so alarmist.

Indeed. It's odd looking at discussions about the GDPR on HN.

On the one hand, we have people who argue that compliance isn't really that big a deal if you're not doing anything horribly wrong, most ethical businesses would already be mostly compliant anyway, etc.

On the other hand, we have people who argue that even if that is the case, the length and ambiguity of the regulations and guidance combined with the potential penalties still cause significant overheads and risks, particularly for smaller businesses without dedicated resources to deal with compliance matters.

There is some truth behind both of those positions, I think.

But then I've seen so many comments now on HN and other geek-friendly forums that seem to be based on the premise that most/all businesses are somehow doing evil things with personal data and they must be stopped. A noticeable number of people are advocating obviously vexatious use of the new subject rights, not in response to any specific concern or after some unsatisfactory attempt to resolve concerns reasonably, but as a weapon with the clear goal of causing maximum disruption and cost to organisations. I wonder how anyone can think giving so much "legal ammunition" to these people is a good idea.

    > so many comments now on HN and other geek-friendly forums that seem to be based on the premise that most/all businesses are somehow doing evil things with personal data and they must be stopped
I think it's pretty reasonable to have that premise when those businesses can't tell their users what they did or will do with personal data. No one could even tell whether it's evil or good if you don't show me some details. And sometimes, you assume it's good for me, but I think it's bad for me. Thank you for your good intention but all I want is just an opt-in option, not opt-out, is that so hard to accept? When you drag me into something I don't want, why would I assume you are doing something good? Users being alarmist is not users' fault, data companies' unethical use of data made users react this way.

    > "we cannot guarantee that all your data is deleted with our current storage system".
If so, just say it. But after that, you may want to explain to me why you can't even take care of my data while claiming you respect it. Did you collect my data then just forget where you store it? If the deletion is that hard, why should users trust such company in the first place?

GDPR is an action of defense, not a weapon for invasion. Only predator would think it's a weapon and be afraid. GDPR is not perfect for now, but complaining the ambiguity of it doesn't make internet companies' vague ToS or Privacy Policy clear as crystal. Let's not play double standards here.

I'm quite aware HN is full of people work in data industries, I just have to say it.

Hey there – Brian from Instapaper here – we have a pretty clear and accurate privacy policy around the data we collect and how we use it, you can find it here: https://instapaper.com/privacy
Hi Brian! Thanks for taking part in the discussion.

But what part of GDPR was it that caused you to have to close off European Union users?

close off European Union users? I don't see any info about that.
Am I misunderstanding you here? Instapaper's email literally starts with:

> Starting tomorrow May 24, 2018, access to the Instapaper service will be temporarily unavailable for residents in Europe

It's worth noting that GDPR applies to EU citizens regardless of where they happen to be in the world (or if they're using a proxy), so an IP ban does absolutely nothing to help comply with the law.

You'd think a real company would have talked to a lawyer about this.

No, it doesn't apply to EU citizens regardless of where they happen to be in the world.
How would that even make sense? A country enacts some arbitrary rule such as "You are not allowed to provide access to social media for its citizens." How do you possibly enforce that for citizens visiting or living in the US? (Short of demanding all users to verify their citizenship to access the site.)
That is incorrect.

GDPR makes no mention of EU citizens or residents.

The 2 main groups it applies to are:

1. activities of an establishment of a controller or a processor in the Union (so if the company is in the EU, ALL processing has to be GDPR compliant regardless of where the user is)

2. processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union (if the company is not in the EU, processing of data of people in the EU - note they just have to be in the EU and not residents or citizens - so if you are from the US and on holiday in the EU and you order pizza delivery to your hotel, that personal data has to be handled in a GDPR compliant way, notwithstanding that the pizza company is probably in group 1 anyway but hopefully you get the point. And the converse of that, if you live in the EU and are on holiday in America and order pizza, that personal data does NOT need to be GDPR compliant as you are not IN the EU)

There are a few other scenarios included too.

Edit: It's worth pointing out that 1 seems to have been completed missed in almost all GDPR coverage I have seen, possibly because most of the coverage has been heavily US centric. If the company is established in the EU, it has to comply with GDPR for ALL users, not just people in the EU. This is why Facebook [1] and others changed their terms so that only EU users have a contract with Facebook Ireland, and everyone else now has a contract with Facebook Inc (US) - previously everyone had a contract with Facebook Ireland.

[1] https://www.reuters.com/article/us-facebook-privacy-eu-exclu...

And that's the companies' out. Make shell companies that exist only in Europe to exfiltrate liability for the multinationals.

There's no real difference in "Facebook US" and "Facebook Ireland". The only difference is this methodology skirts the law.

Hopefully, the EU will climb up these jokes of shell companies and rightly smack them down.

Hi Brian, thanks for replying to my post. I apologise for my reactionary tone above, but do you understand how by declining to share specifics your tweet aroused suspicion?

EDIT: I've just read through your privacy policy and I wish other companies had a privacy policy as clear, straightforward and detailed.

How is this a big deal?

They probably sell your data or use it to show you ads or targeted content. Who cares?

People in this thread saw the title "GDPR Hall of Shame", possibly read it. Now they are trying to discuss stuff relating to "General Data Protection Regulation". My wild guess is people who are commenting on this thread care.
Do they really care or have they been pushed to care?
What the heck are you implying? Are you implying there's astroturfing going on? If so, that's ridiculous.
As long as you are telling the truth about only sharing anonymous and aggregate data with publishers and advertisers, I can't see anything in your privacy policy that would preclude you from being GDPR compliant right now.
Hi Brian, I've downloaded all my data to move to self hosting and deleted my account due to this. I hope you've actually deleted everything :)

P.S. I still have access in the UK...

That's extremely uncharitable.
I think we should reserve opinion here until bthdonohue gets back with fiiv's comment of "But what part of GDPR was it that caused you to have to close off European Union users?"
(comment deleted)
I'm not sure it's reasonable to expect an answer to that question; at least not from someone other than their legal representative.
Well, i'm reading their silence as "We don't give a fuck about protecting customers' data.... cause its mine!"

In the end, companies whom don't go through with the GDPR prep and implementation tell me precisely one thing: there's something in their process that makes it hard for them to comply. But not seeing "We're in progress to comply at $date" tells me that they're doing some pretty nefarious stuff. Is that actually the truth? Well, we don't know and can't figure that out.

It's either you comply with the GDPR globally, or for $reasons you don't. I choose to work with GDPR compliant orgs first. I know how my data will be used. And if I buy European IoT hardware, I know its not a spy-station.

Edit: FUCK rate limiting. Here's my response.

Given that I'm an American who has had many accounts exfiltrated or otherwise leaked, I'm frankly sick of companies treating me as a data pinata.

I could go on to cite countless examples, but that dead horse has been beaten time and again. And in many cases, my data is used even without my permission (sending to gmail addresses, facebook ghost profiles, etc).

It might be charitable initially, but I've seen my own impact on bad data practices. It was the wild west... And now the GDPR finally puts a stop to a lot of badness.

That seems like an uncharitable reading. I'd guess they just don't want to express anything that implies some specific interpretation of the law.

I'm not sure there's anything they're doing that's not compliant, but uncertainty about whether that's true might be sufficient for them to consider it too risky to conclude that they are.

I think, if anything, the facts that the law is written is relatively 'simple' language, doesn't specifically mention any technical examples, and is widely expected to be enforced 'spiritually' and not literally, makes it particularly hard for lots of organizations to know with reasonable certainty whether they're in compliance or not.

I think the instapaper one is just they aren't compliant yet, realize it, and are shutting down EU access until they reach compliance. There can be ways they are not compliant without necessarily selling data.
The #2 one seems a bit off. "RE:" stands for Regarding. Yes it makes people look at your email, but it isn't "fake."
The GDPR is about not intentionally deceiving users. That practice is clearly deceptive and clearly violates GDPR.
Yes but it's most commonly used in the medium of email as an indication of a reply.
In every email program, RE: stands for Reply. RE: is prefixed to a subject for showing that the current email is a reply to an earlier email. That is what is deceptive.

RE: is not Regarding in this context but appears designed to increase acceptance by lying about the recipient receiving a response to an earlier non-existent communication.

Email didn't magically change the meaning "Re" to "Reply." It still means regarding; it's regarding the subject of the previous email.
Don't argue for the sake of arguing. I didn't write that Email magically changed the meaning of a word! I wrote that email clients use RE: in a specific way.

Re can mean regarding, but in an email subject line Re: has been taken for decades by email programs to mean something very specific, "Reply".

I had this thought too, but this isn't the common usage and therefore someone was being deliberately deceptive when they decided to use it.
(comment deleted)
Hugged to death already?
Sorry, had to go up a few sizes on DigitalOcean
Curious: what tier were you using and what tier did you move up to? In case I ever get to the frontpage, I'd like to be prepared :)

And usually, what is it that causes outages like HN/reddit's hug of death? Number of open sockets / file descriptors? RAM? CPU? Network congestion?

If you have a static site, being on top of reddit/HN will barely be visible on the smallest instance you can find.
"Whoops, we can't secretly sell your data anymore! That means you can't control your smart wifi lightbulbs from now on!"

For me, this is a refutation of the "If you don't pay for the product, you are the product." There is no inherent reason why a company would only do that for a free product. If it works for free products, it works just the same for paid products.

Even if GDPR has flaws, and is gonna cause some disruption, I think we really needed something like this.

You are not the product. Exposure to you is the product.
No its not just showing you ads. Its selling any information they have on you to ad networks without you knowing about it.
...so that you can be shown more ads.
...which is made possible by both directly and indirectly collecting, evaluating, sharing or trading, and concatenating data about you.
...just so you can block and ignore the ads, all the same.
You're conflating control over personal data with one of the purposes for doing so, i.e., the presentation of ads. That is by far not what privacy or data protection is limited to.

Not to mention that blocking or hiding ads or trackers is not the same as preventing the collection of personal information. Unless you avoid visiting a service entirely, depending on the implementation you may not be able to inhibit any of it.

I think you've confused "if" with "if and only if"
The implication is clearly that you ought to pay for the products, so that you aren't the product. But if the incentives for paid and free products to monetize your data is the same, switching from one to the other doesn't help.

You have to specifically seek out products where your privacy and data is taken seriously. This can happen for both free (open source?) and paid products.

I agree, that's a good point.
I think it's true in a weak sense. If the customer is paying, that is one revenue source. If you sell data, that's a second revenue source. Adding the second revenue source might be worth it since it can increase profit. But it also adds business risk. Your customer might jump to a competitor that charges money but doesn't sell your data.

Of course, that assumes competition is effective, which requires consumers to be informed that it's even a potential issue, to care, and to be able to assess which company is better or worse.

For sure, GDPR is causing headaches for companies that were secretly selling your data. But it's also a big problem for companies that were (perhaps sloppily) logging & storing data for their own reasons or maybe even for no real reason. I think the latter is much more common than the former.
A lot of smaller sites don't necessarily know everything that they're collecting. Arguably, this is a good opportunity to figure that out. However, it's equally arguable that in many cases it's just easier to cut off EU access if there's any doubt and the EU just isn't important to their business (or hobby). If I ran a US centric ecommerce site, for example, I'd be very tempted to just stop selling in the EU for now.
What if EU citizens who are visiting US make purchases from your site?
Almost certainly does not apply. [1] For that matter, the same FAQ suggests that it's probably not necessary to block IP addresses if you're not located in the EU and aren't actively marketing to EU residents. But I can certainly understand small companies taking a better safe than sorry approach if they don't do material EU business.

[1] https://www.gdpreu.org/the-regulation/who-must-comply/

It wouldn't apply if you explicitly ask user if he/she is an EU resident, preferably by checking ID and route to /dev/null if user is.
It does apply. All EU residents are covered regardless where they are.
The misunderstanding of this is widespread. GDPR does not make any mention of EU citizens OR residents. It only says "data subjects who are IN the Union".

See my other comment for more detail:

https://news.ycombinator.com/item?id=17143923

It is not defined what "who are in the Union" means. The safest bet is that it means a subject is European Union resident. If they mean that person should be physically present in the European Union, the law would have stated that, but it is not.
Equally, if they had meant resident, they would have stated that.
"Resident" has a full scope of protection, whereas your interpretation has limited cover. I wouldn't have thought that GDPR would protect me only if I was physically in the EU territory - as if somehow once I stepped out of the EU my personal information is no longer worth protecting. Your interpretation makes no sense.
I think you are missing some context here.

Firstly if the company is established in the union then they need to be compliant for all their users no matter where they are [1] (so US resident, EU resident, whatever are equally protected).

So the relevant section for this is:

"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

the monitoring of their behaviour as far as their behaviour takes place within the Union."

So lets look at Amazon. They are a US company offering goods in the EU. So if you make a purchase from them as an EU resident (living in Germany) from amazon.de to your home address, then any personal data you give them as part of that purchase needs to be handled in a GDPR compliant way.

If you now go on holiday to the US and order something from Amazon.com to be delivered to your hotel, even though you are an EU resident, they do not need to handle that personal data in a GDPR compliant way. But just because you are now in the US doesn't mean the data they hold on you about your purchase on amazon.de is suddenly free from GDPR protections.

Or to put it another way. Imagine the law did mean EU resident. What does Amazon.com do? How do they ensure they process an order in the US to a US address in a GDPR compliant way for an EU resident? They can't without asking for additional data to establish each persons residency. Which GDPR doesn't allow.

[1] https://gdpr-info.eu/art-3-gdpr/

EU can apply its laws "in the Union", in its territories. If we want to expand those territories, we need wars etc.
Recital 23 states that sites based outside the EU are not subject to GDPR unless it is apparent that they “envisage” the offering of their goods or services to EU residents. The test for this is translation to EU-only languages, mentioning of EU users, targeting EU users, using an EU based domain extension, etc.

The easiest way to announce to the world that I do not “envisage” servicing EU customers is to block EU customers. If one happens to use a VPN or otherwise evades this block, it doesn’t matter. I’ve met the clear definitions under Recital 23 and you have no legal right to GDPR protections on my site.

One could argue that "Aww shucks! Ya know, we're jus' a Small Mom'n'Pop Business™! We're too small to have any darned idea what all that data we're collectin' is!" is no longer a valid excuse. No more valid than "We're too small to worry about worker safety!" or "We're too small to know what's in the waste we're dumping out back!"
This is the entire point of the GDPR really. It appears to be working.
I think there's also a sizable number of companies that basically were already compliant... but aren't sure. It's not like you can submit your processes to the EU for approval. You don't actually know if what you're doing is OK unless, some day, a regulator decides it isn't.
This kind of problem is what lawyers are for.

Unless, of course, one is shortsighted enough to compromise business in order to avoid being bothered with law compliance, a rather common attitude among the aggressive startup-minded audience of Hacker News. I look forward to GDPR-like laws in the USA.

The trouble with the GDPR is that there is so much ambiguity in even quite basic areas of the regulations and the official guidance so far that any formal opinion you get from lawyers, consultants, regulators and the like is riddled with vague terms like "reasonable", "legitimate", "proportionate" and "balanced". It's advice that doesn't actually answer any of the important questions like "Am I compliant?" or "What specific actions can I take to become compliant?".
I think that's intentional as it massively increases the risk of doing something negative for the end user and leaves loopholes uncertain and prone to interpretation. It will forces businesses to stay well clear of the line or pack up and go home. And that's not a bad thing.

Also it stops a whole legal and compliance industry appearing in the grey zone as no one wants to abstract liability.

It will forces businesses to stay well clear of the line or pack up and go home. And that's not a bad thing.

I'm not so sure. No-one knows where the line is, so many organisations can only be sure they're staying well clear by stopping all kinds of legitimate, reasonable data processing, which is throwing the baby out with the bathwater. An alternative, which I've seen quite a few small organisations and individuals adopting and now a few larger ones as well, is to just cut the EU off entirely if they're based outside and thus put themselves outside the scope of the GDPR for practical purposes, and then carry on as before under more liberal regimes like the US. Both of these strategies are harmful without really helping anyone.

Legitimate and reasonable data processing is just that: it's obviously compliant. If there is any doubt, it's excessive and careless data processing, even if not illegal and without malicious intent.

So there is no valuable baby that could be thrown out with the bathwater, and a well-behaved company has little or no bathwater to begin with.

Legitimate and reasonable data processing is just that: it's obviously compliant. If there is any doubt, it's excessive and careless data processing, even if not illegal and without malicious intent.

No, it isn't. Sorry, you can't just hand-wave the whole issue away that easily. If this were all so obvious, we wouldn't keep having these conversations, where even people who have been looking into this for months and taken real legal advice are still in doubt about what specific actions they can or must take to be compliant.

I should have been more explicit about my point: GDPR compliance is easy and inexpensive for restrained good companies that care about privacy, troublesome and expensive only for companies that behave inappropriately, and an existential threat only for true scum.

You are simply being forced to behave like you should have been behaving from the beginning of your online presence.

That is absolutely meaningless and opens up every business to constant unrelenting litigation. Your definition of obvious is not the same as someone else.
>riddled with vague terms like "reasonable", "legitimate", "proportionate" and "balanced"

You could be describing a very large proportion of laws.

To pick a random example, I'll go with the Road Traffic Act 1991 (England and Wales).

It is an offence under this act to drive a mechanically propelled vehicle dangerously on a public road. The definition of dangerous driving is: a) the way he drives falls far below what would be expected of a competent and careful driver, and b) it would be obvious to a competent and careful driver that driving in that way would be dangerous.

That's it. Are you driving like an absolute dick? Is it obvious that you're driving like an absolute dick? If so, you're committing an offence. We have lots of other, more specific motoring laws, but you can be convicted and sentenced based on those two subjective factors. We have lots of case law and guidelines, but the matter of whether your driving definitively is or isn't dangerous can only be decided in court.

https://www.legislation.gov.uk/ukpga/1991/40/part/I/crosshea...

The broad nature of GDPR is a feature, not a bug. Nothing about the way it is worded is particularly new or unusual. Large sections are cribbed from the Data Protection Directive, which came into force in 1995.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

I respectfully disagree with your example. We have very specific standards required for competent and safe driving, and in addition to the laws, there is well-established official practical guidance available in the form of the Highway Code. We have a regime of qualified instructors and examiners to guide and assess newcomers, and everyone has to pass a test to demonstrate their competence and understanding before being allowed out on the road independently. And then we're talking about criminal law, which means the burden of proof is heavily on the prosecution, you're going to be in court, and for more serious cases there is going to be a jury involved. And even then you have to fall far below the expected standard in a way that is obvious to someone who doesn't. None of those things applies in the context of GDPR.
(comment deleted)
I promise: we're not all like that. In fact, I suspect there is a significant minority of people--including myself--that think just like you. I look forward to the end of all these data and privacy abuses.
That one's more interesting because under the new regime, consent means meaningful, genuine consent. Demanding consent for one purpose in return for providing something important but unrelated is one of the big no-nos.
Even if you pay for the product, you are the product.
Of these, the worst are the "embedded" ones: the IoT lightbulbs and the Razer devices. Nobody ever expected their lightbulbs to be processing personal data on behalf of third parties.

The one that might be legitimate is the "cheap flights" one; after all, they require your consent for email marketing, and they can't offer you a discount flight without it.

If the definition of personal data includes IP addresses then I'd be surprised there are any internet-connected products that don't process personal data in some way.
>If the definition of personal data includes IP addresses

Yes it does.

> I'd be surprised there are any internet-connected products that don't process personal data in some way.

Consent is one of six lawful grounds for processing personal data. Another ground is legitimate interests, described in Article 5 as follows:

"Processing shall be lawful if... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

https://gdpr-info.eu/art-6-gdpr/

Recital 49 goes on to state:

"The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems."

Logging IPs for a reasonable period of time as part of your network security infrastructure is perfectly permissible under GDPR without consent. You can share your server logs with a third-party security company or pass data to a DDoS protection service if needed. If you use those IPs for any other purpose (ad tracking, analytics etc) then you'll need lawful grounds for those activities, which may or may not require consent.

What's your theory about why so many seem to be doing such a bad job meeting the letter and spirit of the law? Are they consulting with lawyers or other legal experts and bending over backwards to do the best they can given the advice they're given? Or are they maliciously flouting the obvious requirements as part of a concerted, and possibly coordinated, effort to undermine the law?
IMHO the process in many of these places was ran something like delegating it all to the legal department and treating it as a challenge of adjusting their privacy policies and other legal documents, but not expecting (or allowing) that project to change any of their core business processes.

However, in many (most?) cases that cannot possibly be sufficient to comply, so we're seeing how the legal people have done as much as they could to cover their arses, given that the actual behavior of the company around them wasn't allowed to change.

It also may be that some companies are intentionally planning a delaying tactic - i.e. a plan to flip the switch on private data processing only when the regulators will get to them and start writing stern letters, so that they can reap the benefits of (ab)using user data for some more months.

I think that there are two contrary trends.

Large companies that substantially profit from personal data are testing the boundaries of GDPR. They've got competent legal advice and know that a blatant effort would earn the wrath of the regulators, so they're being subtle about it. They're creatively interpreting grey areas. They're using complex and confusing opt-outs justified by spurious technical issues. They're carefully planning a strategy that will allow them to drag out the enforcement process and gain as much ground as possible, while maintaining the pretence that they're making a good-faith effort to comply. They'd rather avoid a heavy fine, but they're not afraid of butting heads with the regulators.

A lot of small companies without in-house counsel are going a bit crazy. Maybe they've spoken to a data protection consultant who has fed them a bunch of FUD, maybe they've just read a few articles in the press, but they haven't really scrutinised the text of the GDPR or spoken to a regulatory authority. They don't understand what their obligations are under the GDPR or the overarching principles of data protection, but they're doing something. Sometimes that thing is completely overzealous, sometimes it's totally inadequate. I've seen a lot of misguided efforts by SMEs to indemnify themselves against GDPR, akin to the "no copyright intended" statements you see in YouTube descriptions. Many of these companies had been completely ignoring the old Data Protection Directive, so they've got a lot of catching up to do.

I must admit, even as a critic of the GDPR in some respects, as an individual I am hoping that its heavy-handed approach will mean I can buy everyday things again without having spyware, telemetry, and so on coming as standard. I don't want a "smart" phone or a "smart" TV or a "connected" car, where the scare quotes denote entirely unnecessary invasion of privacy and/or security and safety risks. I buy a phone to communicate, a TV to watch stuff, and a car to get from A to B, and it will be nice if we can get back to doing those things better instead of tacking on all the user-hostile extras.
Then just buy older stuff nobody says you need a smartphone.
Every month it gets harder to buy a non-smart TV. They still exist, but mostly one ends up buying a smart TV and just never logging into it.
Have you tried buying a non-smart TV or a non-connected car recently? Or even a feature phone that is basic in features but good quality? I do have quite a few devices from just before the madness became almost inescapable, but it has become increasingly difficult to get hold of these things in recent years. Aside from the sales and marketing aspects, there are other pressures that are forcing older models into obsolescence prematurely, such as changing encodings and DRM mechanisms for video, changing standards for wireless communications, and environmental and safety issues that drive older cars off the roads.
(comment deleted)
Ive been enjoying all the emails from companies and watching them put on a show how they support user privacy and just needs me to continue agreeing to accepting being the product.

I dont think so. There are very few companies I actually use in my life, and less than a handful of them are online. The rest - bugger off.

> Ive been enjoying all the emails from companies

I've been receiving so many "here is our policy, if you continue your use, you accept it, kbye" emails... I truly hope EU will take the default-opt-in problem seriously.

I want to know if credit card companies Mastercard, Visa, etc. are subject to GDPR. They definitely sell or use your purchase data for purposes unrelated to the service.
Do they? Non-aggregated data, I mean.
I believe that they do lots of internal analytics but do not sell identifiable data on a per-person level; the laws regarding nondisclosure of banking data are old, well established and much stricter - for starters, intentional disclosure of confidential banking information outside of certain (though many) particular exceptions is an actual maybe-go-to-jail crime, not just a civil matter with some fines.

Surveillance violates the privacy of common folk and thus is somewhat permitted, but violation of banking privacy threatens the rich and influential people and their (shady?) dealings, so that has always been restricted and actually enforced.

Does GDPR distinguish between "identifiable" data and "non-identifiable"? If so, how do you decide which is which? A list of credit card transactions is pretty easy to de-identify...
The information of how many people in a certain age range have shopped at supermarkets in London this week is not identifiable information. So all marketing/spending info they sell is fine. Could only be problematic if it's so granular that you can infer the person.
1) GDPR cares only about personally identifiable data, defined in https://gdpr-info.eu/art-4-gdpr/ as "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;". Nonidentifiable data or aggregated data (even if derived from private data) are fully out of scope of GDPR if they can't be de-identified.

2) "A list of credit card transactions" is the kind of data that I'd assume that Visa/MC aren't selling to anyone ever, I'd expect any data sales to be on the level of "real time subscription to how (and how much) different demographic groups are shopping in company X or in location Y", but not on the level of individual transactions or individual accounts. Group them by zip-code and hour and you're fine even for GDPR requirements; and you can provide "individual" granularity for the merchants (e.g. for stock traders who want to predict revenues) since merchants generally have no privacy protections.

> Does GDPR distinguish between "identifiable" data and "non-identifiable"?Does GDPR distinguish between "identifiable" data and "non-identifiable"?

ico[1] is a useful resource for all GDPR related questions, but to answer your question: yes. Under GDPR, "personal data" is "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier."[2]. You can also read the "Article 4 - definitions" section in the official regulation doc (pdf)[3].

For the most part, GDPR protections for "personal data" only apply to identifiable data, as would be expected.

1. https://ico.org.uk 2. https://ico.org.uk/for-organisations/guide-to-the-general-da... 3. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

tl;dr: under GDPR terms, anything is "personally identifiable" if you have the means to resolve it.

Technically, writing "John Smith" on a piece of paper can become anonymous data if there's no way to determine who wrote it and it doesn't mean anything to anyone who has access to the piece of paper (because there's a lot of people with that name or because they don't know anyone by that name) but of course names should be treated as personally identifiable to be on the safe side.

On the other end of the spectrum a vague description like "that chubby guy with the crew cut" can be personally identifiable information if you know who it refers to, even if someone else might see it and have no idea who you mean.

So the exact lines are highly contextual and pseudonymisation does not guarantee anonymisation: if you call a Rose by any other name, you still know it's her you're talking about.

On another note, does GDPR mean you can request credit report agencies to delete all their data on you?
Of course, but the result will propably be like an american who has never used a credit card: You can't get credit anywhere.
It does mean you can request it. It doesn't necessarily mean they have to delete said data. The Right to Erasure is not absolute, if the data controller can state an 'overriding legitimate interest' for the preservation of the data.

I don't have a good idea idea how legitimate a credit agency's legitimate interest really is. I might set aside some popcorn for seeing how this particular issue gets resolved.

"Credit reporting agencies" in the USA sense aren't really a thing in EU, there are similar but substantially different (and nation-specific, not EU-wide) mechanisms of verifying the creditworthiness of customers, often with specific national laws regulating the usage this data which would override GDPR.

Furthermore "please delete my data" doesn't really mean "delete all my data", it means something like "I revoke whatever consent I gave and delete all my data that you now have no right to use" - so the company is allowed to keep all the data for which the GDPR gives them a right to use without your consent.

I'm curious, in what sense do you mean "Credit reporting agencies" in the USA sense aren't really a thing in EU"?

I've lived in both the UK and USA and used credit products in each, and your access to such credit appears to me almost entirely determined by a handful of credit reporting agencies "scores" in both countries in a pretty similar way. Heck it's even often the same company - Equifax (one of the largest) operate in the UK as well.

There are many differences; it's hard to generalize because each EU country is different (there's no harmonization for this, and there are major differences especially along the "ex-Warsaw-Pact" border; half of EU had their whole financial system [re]built in 1990s), but you'll often see the following differences:

1) There's no "EU score", each lending market is somewhat separate. Past history in one location may or may not influence your score in another location.

2) Instead of a general/universal "credit score" calculated by an agency, there's often a concept of "credit history" which (depending on the country) may or may not list the amounts of existing loans, of previous loans, and history of late payments. The difference being that instead of lenders getting a score calculated by some agency, the lenders get the data and make their own decision, with possibly very different opinions on which factors are important. Not everywhere, of course, some countries (e.g. UK or Nordics) are more like USA.

3) The process tends to be highly regulated. If you're providing factual data as opposed to an opaque score, each item better be correct - distributing to all lenders "Bob defaulted on a loan in 1999" is libel if it's not true; the dispute process tends to be more consumer-friendly than USA - e.g. a requirement to remove the disputed items immediately and return them only if the debtor can prove its validity), maybe a requirement to expire entries of missed payments within x years, etc.

4) In some countries, that agency is run by the gov't, i.e. purely a central official registry of loans and/or bad loans, which is somewhat sufficient to verify creditworthiness. In others, it's like Equifax.

5) There often is a principle that the credit reporting agencies can't give/sell that data to anyone - you must give explicit permission for every company before they can gain access to that data.

6) In many countries there's no concept of "building credit" - where there only information provided is about negative events (e.g. defaults or missed payments), so having never taken a loan combined with good income gets a perfect rating, as it's not distinguishable from a long credit history and having never missed a payment.

So it's quite tricky - similar but different.

No. The right to erasure is conditional. Credit reference agencies have a lawful justification to collect, retain and share certain types of personal information without the consent of the data subject.

https://gdpr-info.eu/art-17-gdpr/

Everything is, there was a big deal here in the Netherlands about the local governments having to be compliant as well. The first thing that the dutch agency will check (no fines, but just make sure) is that each municipality has things set up properly.

On top of that, I don't think there's anything in the GDPR limiting it to internet related things, so brick & mortar stores will have to be compliant as well, afaik.

It's digital data that's covered by GDPR, so a bricks and mortar outfit with solely paper records wouldn't be affected.
The Yahoo! one [1] is definitely in violation of GDPR, right? GDPR doesn't cover me as I'm neither in the EU nor am I an EU citizen, so I really hope someone lets the regulators know about this. The first major penalty will be example setting.

Which made me curious: could a service exist where citizens not covered by GDPR submit complaints, so that a GDPR-covered citizen could put the complaint in formally?

[1] Hidden opt-out is non-compliant, but Yahoo! went ahead and opted you in to a hundred different ad services automatically: http://gdprhallofshame.com/content/images/2018/05/ouch.jpg

Yahoo is bad, especially concerning the opt-in, but by far not the worst. Those are Google and Facebook, which have made all of their services "all-or-nothing". If you don't accept every single bit of data processing, your only alternative is to delete your account. Literally runs counter to everything the GDPR stands for.
You are right, no "normal" person would want to delete their google/facebook account, so they just "accept" the tracking.

I mean, if you already have a android phone, NEST and use google everyday, would you want to delete your account? You can live without facebook, but google makes a lot of hardware that is quite useful.

Let see how it all ends :D

> Literally runs counter to everything the GDPR stands for.

If the idea is that no one should be able to avoid complying with the GDPR, even if they decide they no longer want to do business with whomever it is exactly that's covered by it, then maybe the whole thing was a bad tradeoff. I'll grant that Google and Facebook might be acting in bad faith – hell, I'll just assume they are – but surely, for some not-necessarily-insignificant number of other entities, it should be perfectly fine if they decide that the costs of compliance exceed the corresponding benefits.

> The Yahoo! one [1] is definitely in violation of GDPR, right?

I don't see any obvious reason why it would be. Yahoo! is being transparent about their data sub-processors, and letting you control how and with whom your data is shared. That's what GDPR says on the tin.

If there's an argument to be made, it's around the Principle of Data Minimization. But that's one of those subjective things. And, considering the size and scope of Yahoo!, it's not inconceivable they have legitimate (scare-quotes optional) uses for all those sub-processors.

Oh, it's perfectly fine to have as many sub-processors as they want. But default opt-in is non-compliant; if I understand the regulation correctly, the user has to manually opt into every processor. An opt-out dark pattern is specifically prohibited in GDPR.
Depends on what those dials actually represent (the screenshot is blurry for me). If the legal basis for the sub-processors is Legitimate Interest, then consent isn't required and the dials represent a Right to Erasure request. That would all be above-board and legit.

If the legal basis is Consent, then you are correct, it must be opt-in rather than opt-out.

> The Yahoo! one [1] is definitely in violation of GDPR, right?

They either made it much worse after the author did the screenshots, or it was already extremely bad --that I could not find the link to open up that huge list of third parties.

I clicked on all the links I could find in that screen except for that huge 'I Agree' button.

It'll be interesting to see how the EU reacts to all of the companies like Oath that, by default, share your data with 300+ ad agencies.

After the GDPR hype has died down, hopefully new tech companies will think twice about data privacy

To me, that one was the most striking. It shows how widespread data sharing is. In the end to whom did they NOT sell user data?
The EU Commission's very own website deserves an honourable mention at least.

Last time I looked (just a few days ago) it was the epitome of "What you're not allowed to do anymore according to GDPR.": Tracking and other cookies with no way to opt out, no privacy policy etc.

Then again, GDPR of course doesn't apply to them. The very least they could do in my opinion, however is to lead by example.

I nominate Slate https://slate.com/privacy for a creative interpretation of GDPR article 7.3 "It shall be as easy to withdraw as to give consent" (the "consent" happens through an uncloseable window with no other options where a single click sets that cookie):

"The Right to Withdraw Consent. If you would like to opt-out at any time, please delete the “gdpr_consent_1” cookie from your browser window. You will have to opt-in again in order to view Slate content."

I'm pretty sure that no European court would accept that. I doubt most users (and most judges) even know how to delete cookies. I don't even know how to do that on my phone (not sure if that's possible?). And not allowing users with mobile browsers to withdraw consent is definitely a violation.
It would be acceptable if consent involved manually adding a specific cookie (slightly harder than deleting an existing cookie).

Thinking of it, adding cookies manually and maintaining a cookie whitelist could be a useful browser feature in the coming years. Most cookie-based tracking would be forced to disappear.

NPR has decided that you either agree to let them do whatever they want with your data, or you're only allowed to see a ridiculously bare-bones plain-text version of the site lacking any functionality beyond links.

Ten minutes later I've got a user style set up and I'm quite happy with the plain version. But it's still a petty response from the organisation and shows that they don't feel they need to spend any time at all trying to help users control their own data.

https://choice.npr.org

(comment deleted)
GDPR and policies like it are an existential threat to a Big Data future where so much can be possible if we are able to amass as much data as possible without fear of consequences.

GDPR should be resisted by as many companies and startups as possible.

Whatever the case might be, companies have shown themselves to not handle people's personal data properly, as shown by the massive leaks in the past. Whatever utopia you're thinking of, it's not happening anytime soon, and GDPR is a rightful measure to slightly apply the brakes on rampant data collection and misuse.
Massive leaks are a security issue, and have nothing to do with users being able to delete their data at will.
It certainly is related. One core argument is that the vast majority of currently stored personal data has no good reason whatsoever to be there, the company should not be collecting, using and storing any personal data.

If half of the companies remove that private data which they shouldn't have, then that will reduce the impact of breaches, as there'll be twice less breaches where's something sensitive to leak.

I can't think of massive leaks that involved data that wasn't 'legitimate'. What's your go-to example?
No particular single example in mind, but just going through random large leaks:

The Republican National Committee leak (https://gizmodo.com/gop-data-firm-accidentally-leaks-persona...) - all the involved companies which swapped data records to make up this trove would not have had the permission to have much of that data under GDPR.

World Wrestling Entertainment 2017 leak - the leaked data included home and email addresses, birthdates, as well as customers' children's age ranges and genders where supplied, and even ethnicity; there's simply no reasonable reason why they should have had data like that in the first place. It it hadn't be collected, it couldn't have been leaked.

Joblink breach (https://www.identityforce.com/blog/americas-joblink-data-bre...) leaked among other things birthdate and social security number. There's no good reason to ask the birthdate in the first place, and to store the social security number after you've run whatever verification they do (presumably it gets used for background screening).

The big point is that almost always data minimization would have reduced the consequences. Companies keep old data forever, and that creates extra risk; Companies ask for and store more data than they need and that creates extra risk; Companies buy and sell data that shouldn't be bought and sold, and so the data copied in multiple organizations and again, creates extra risk.

Well, if it's their data, shouldn't they be able to delete it at will?
If you know something about me why is it my right to make you forget about it?
human memory isn't data storage.

companies aren't humans.

They can totally delete "their" data. It's not "their" data if someone else has it.
Why do you think users can delete their data at will?
Amassing as much data as possible always has consequences, which is why this legislation is needed.
I've been in the internet since the 80s.

Man what a nice thing we've built.

We have turned the internet into a network where people snitch on each other to marketers for fractions of a penny.

The 80s? Were you involved in ARPANet or something?
I first went onto the internet in 1990 when my BBS got a connection. It was quite well developed by the end of the 80s.
80s were still fairly early for Internet access. I was on the ARPANET as early as 1979 or so but just trading the occasional email in a lab. "Real" internet access, first at work and then through my BBS, was probably more like the early 1990s.
Oh yeah, I didn’t do anything on the Internet in 1990 apart from typing ‘go internet’ into CIX (my BBS at the time), sitting there wondering what you could do with it, then killing the connection when my dad pointed out that we paid by the minute for the phone line :) I don’t think I knew anyone online that wasn’t on CIX either.
I used CIS for some things but as you say the charges were pretty high. I mostly used a private local BBS at the time. I’m guessing it was more like 1994 or thereabouts when I started FTPing files and getting into Usenet.
People don't understand just how expensive early online access was.

Here's a page from 1988 Whole Earth Catalogue "Signal - Communication tools for the Information Age"

http://tinypic.com/view.php?pic=2janfrd&s=7#.WwcJwiAh200

Compuserve, charging $11 per hour, had "more than 250,000 subscribers".

The Source, charging $8 per hour, was popular for its conferencing system "parti".

Delphi, charging $6 per hour had a loyal but small (less than 10,000 users) following.

BIX, $9 per hour, grew from a magazine. I like the quote: "This is the computer industry as it used to be: people sharing ideas and solutions without the greed and grit with associated with today's corporate driven, litigation-laced, industry" (written 30 years ago).

http://www.wholeearth.com/issue-electronic-edition.php?iss=1...

CIX supplied Ameol (a most excellent offline reader) which could connect quickly and disconnect. In the UK we didn’t have the luxury of the US’s free local calls, so that was an added expense on top of that.
>In the UK we didn’t have the luxury of the US’s free local calls

Although free local calls could be quite limited in area. Intrastate long distance (which could be as little as 15 or 20 miles away) could actually be more expensive than interstate long distance. I don't remember the details but I used a private BBS service in the nearest major city in the 80s. I had some sort of phone plan that optimized for this but I still used offline tools to minimize my online time. (i.e. Login, suck down content, logoff, read and reply offline)

I used similar tools for Compuserve. As you say, it was extraordinarily expensive by today's standards. People complain about the pricing of a lot of things but telecoms and pretty much everything related to computing is incredibly cheap.

There are people here who invented ARPANet.
Perhaps that's why I asked if gerbilly was involved in ARPANet.
I was on the internet as an undergrad first at UofT in 1988, it was mostly FTP and usenet back then.

Our machines didn't even use DNS yet IIRC there was a HOSTS.TXT file sent around that had to be updated as new sites were added to the network.

It was fairly early, and I got to see the internet before the marketers started to take notice of it.

I remember the internet worm[1] and the Canter and Siegel usenet spam a bit later[2].

I'm glad the internet was made public of course but I wish the standards from back then had better security built in.

Of course encrypting everything back then would have been a significant drain on computational resources. We used to login 40 students at a time on TTYs to a Sun 3/280 (25mhz CPU!).[3]

[1] https://en.wikipedia.org/wiki/Morris_worm [2] https://en.wikipedia.org/wiki/Laurence_Canter_and_Martha_Sie... [3] https://en.wikipedia.org/wiki/Sun-3

(comment deleted)
Hey! I made this, mostly just to poke fun at my inbox being here in Europe and experiencing it first hand. Feel free to fire me a reply with any good ones you've spotted; I'll be actively adding through tomorrow and beyond.
The Endomondo app is a doozy. They require opt-in to two items to carry on using the app, but then also say that by clicking continue, you're agreeing to their privacy policy, which indemnifies them against GDPR. It's slightly clever misdirection, in my opinion. I clicked 'OK' in the end because the EULA appears to be invalid anyway; by borking the consent process they have no legal basis for processing my data.
Wow - got a screenshot of that one?
Judging from the CloudFlare 502s, you have successfully been HN'd. Might be time to add in a static cache in front of the site.
Could you take another look at Yahoo? I don't see the link you mentioned to walk through the huge list --I couldn't find any link that gets me to those two pages.

Thanks! :)

Edit: Thank you for making this!!

CCleaner deserves a special spot in this hall after the recent change with the "You cannot opt-out" privacy option in the free version of the program.

[1]https://www.ghacks.net/2018/05/24/ccleaner-update-introduces...

[2] https://forum.piriform.com/topic/51913-ccleaner-5436520-cann...

That's not how GDPR works. You're not allowed to make use of your product / service require acceptance of collection of data. You must either offer it without data collection as an option, or simply refuse service.
I'm guessing, if that's enforced, that a lot of these same organizations will opt to refuse service.
A lot are. GDPR Hall of Shame looks like a list of these companies.
Which ones? The list looks like a bunch of organizations trying to do a clumsy end-run around the intent of the law instead of refusing service.
Could somebody help me understand the criticism in this article of companies like Instapaper blocking EU users? When you face fines of up to 20M EUR, you’re not going to take on that liability if you have a choice.

Most companies outside the EU will eventually block EU traffic. GDPR is just too big of a liability. It has nothing to do with “selling user data” or bad intentions with user privacy. I won’t take EU traffic for the same reason that I don’t drive at 140mph in a 25mph zone - it’s irresponsibly dangerous.

Blocking EU users temporarily doesn't remove the need to comply - they're still holding data from these users.
OK but maybe your website should not use cookies without asking? You don't have a privacy policy either so not clear how u re going to use them. And maybe don't use google analytics without a privacy policy? Or at least anonymize the IP?