383 comments

[ 31.6 ms ] story [ 2577 ms ] thread
(comment deleted)
This is the crux of the problems with how companies are interpreting the GDPR. Every service I've seen with a privacy policy pop up within the last 24 hours has basically justified all of their current data collecting practices as being necessary for their business. The spirit of the GDPR is to improve privacy, not just make Terms of Service pages longer.
Yeah, but the law of unintended consequences is sure to apply. The GDPR hits adtech companies fundamentally.
This is not "unintended consequences", it is explicitly anticipated by the law. Which is why people can and are suing. We'll see how it shakes out in the courts.
The law explicitly said "within hours of taking effect, these specific companies are to be sued due to not preparing sufficiently for GDPR"?
“Within hours”

You mean “within the 2 years probation period + a few hours”

GDPR has been law for two years, since 25 May 2016, a point your downvoters seem to be missing.
Yeah, that may be true, but it doesn't matter. Nobody was talking about it back then. /s
Let them downvote. I’d be downvoting left and right too, if those pesky EU bureaucrats had ruined my moneymaking scamvertising scheme.
What a refreshingly honest question.
I know it seems like a stupid question, but I wanted to make sure I understood the parent commenter's point.
The law is explicitly aimed at direct marketing. It's mentioned in the text: (article 21)

"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."

(also I think "In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications." means that suddenly people are required to respect Do Not Track, which will be .. entertaining)

All laws enable action to be taken against people who are not following them at the time they come into effect. That's what "coming into effect" means.

Fair. I appreciate the input.
People are not "suing," they're filing complaints.

It's a small but important difference, since a lot of the uncertainty and doubt around the GDPR seems to revolve around being sued out of existence in courts of law, which is not a thing: you can't get sued randomly by disgruntled users.

You are absolutely right, sorry for the imprecise/misleading language.
They're not being sued, and it's not a case for the courts.

They're being reported to the Data Protection Agencies in various EU countries.

Yes, but that's the first step to being sued.
No, if a company gets reported, the DPA is supposed to investigate, and help the company get compliant if it finds that it isn't.

If the company is willfully refusing to become compliant, the DPA can slap the company with a proportional fine to make non-compliance more expensive than complying.

And if the company is fined, the company can probably sue the DPA in question if they think the fine was unreasonable or unapplicable or no good very bad and unfair.

Does the DPA also get to choose who is making a strong effort and who isn't. Reporters can probably start pre-typing the corruption scandal articles.
> The GDPR hits adtech companies fundamentally.

Hopefully...

I'm not holding my breath. To paraphrase Jurassic Park "Money finds a way".
Actually the spirit of GDPR is also to make Terms of Service shorter by being clear and understandable. If you as a user is unable to understand what you are agreeing to then it is a violation of GDPR.
> unable to understand

What if he is not very smart? Or even better, what if he is very dumb?

At which level should those be written then?

The literal text of the GDPR is as follows:

>the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language

Yes, and before that it says ` If the data subject's consent is given in the context of a written declaration which also concerns other matters,` which means i can use legalese but only if it does not concern other matters in the same document? :)
You'd hope not, but I also thought the phrasing in that sentence was sloppy.
that’s the whole issue with the regulation unfortunately :(
Our policies got much longer with GDPR. We only collect information for legitimate reasons (i.e we need it for the service they are using), we ask for it, and we never target it / sell the data. It helps that our customers are paying customers and not using a free service.

So our TOS used to be quite simple in plain english that all the data we request is only for the purpose of providing the service.

Now we had to outline all the information we collection (even though they are the ones who provide it, so they know what we collect) and outline all our services we use where that data we collect ends up (AWS, Sentry, Loggly, etc... the services we need to run our system and support them). Most of our clients have no idea what any of the information we added is because its all technical details about how we are providing the service to them.

GDPR required us to do a lot of work that ended up costing us time and money and literally nothing changed because we were already making sure we protected our users privacy.

Hopefully some bad actors get hit but for now GDPR has left a bad impression on me.

Theoretically yes. Practically you need to be rather verbose in certain cases (e.g. you need to specifically name which articles of the GDPR you're using to justify collection) while also being told to be concise. The general advice I've heard is to have a human-readable summary and then follow it up with the lawyer speak for compliance.
Considering that large sites with teams of lawyers are failing to follow the rules, how does a small site run by a few regular folks supposed to comply?
"large sites with business models developed around shady stuff GDPR is supposed to protect from" - there, FIFY.
their business model probably isn't selling user data
The easiest way to comply is to not collect any PII. That is only a problem for companies that make data collection their core business.
or anyone who has a public httpd with default log settings
Default logging settings retain log files forever?
I don't know how long you are allowed to store PII under GDPR (I'm not a lawyer)

This article indicates that default settings are problematic: https://www.ctrl.blog/entry/gdpr-web-server-logs

> All of these logs contains personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49. The logs can also contain usernames if your web service use them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).

> Article 4, Point 1

Article 4 Point 1 is:

> (1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

It is very far from clear that that covers IP addresses, which tend to be recycled, and would need a police warrant + actual evidence to then map to a specific human

> and Recital 49

http://www.privacy-regulation.eu/en/r49.htm

Failing to see the relevance

https://eugdprcompliant.com/personal-data/

> [...] The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.

https://privacylawblog.fieldfisher.com/2016/can-a-dynamic-ip...

> What does the GDPR say?

> [...] Recital 30 clarifies that "online identifier" includes IP addresses.

http://www.privacy-regulation.eu/en/r30.htm

> (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

> It is very far from clear that that covers IP addresses, which tend to be recycled

Enter stage left: Address van Six, carrying an EUI64 card in his right hand.

A quick read of that article suggests to me that it is just wrong.
I was actually looking for a way to configure something like filebeat to replace IPs with country codes, before shipping the logs of to a central logging server.

On the face of it, it was more trouble than I could be bothered to deal with at the time, but now I may have to take another look.

For that matter, could you just slice it down to a /16 or /24?
That would be equally good. I just want to avoid shipping complete IPs to a log-host.
IP addresses are PII, as defined in the law. Every website you visit gets your IP. HN has yours now, and now had a headache to deal with.
Reconfigure your server to stop logging IPs, and/or stop storing logs forever. Here, done.
That's not always possible. A number of shared hosting services will automatically log IP addresses and do not provide a means to prevent logging.

Of course, in that situation an argument could be made that the web host is the data controller, but that won't stop people taking legal action against the website's operator.

Was there anything stopping people taking legal action against website operators before GDPR?
No, but with the GDPR, they'd have more of a case, and it's easier to file a complaint. Whether that's a good or bad thing is a matter of perspective.
Would they have more of a case even when they direct the complaint to the wrong business?
Whether it's the right business or the wrong business would be something decided upon in court. The prosecution could make the argument that the business in question broke the law. If the defence does not present a strong case and the judge sides with the prosecution, the business could still be reprimanded, regardless of whether they feel it is just or not.
If that's the case, you'll need to switch your provider.

I am pretty sure that any of the big providers who want to make business in the EU offers the possibility to prevent logging. If not, there is hope that they will soon.

> but that won't stop people taking legal action against the website's operator.

The GDPR doesn't allow individuals to take legal action against non-compliant companies. It allows individuals to report companies to their local data protection agency.

Yes, reporting to the data protection agency was what I meant. My use of the term "legal action" was probably incorrect. Thanks for pointing that out.
Don't forget to scrub the headers! Your software stack might store something as well.
You are legally responsible for whatever your computer systems do, and you've always been.
The age of unlicensed computing is coming to an end.
You can store IP addresses for security reasons and then delete them when not needed anymore and would be compliant. https://gdpr-info.eu/recitals/no-49/

Also you don't have to log the IPs if you don't need them...

Every website you visit can elect not to store IP addresses. In fact if you had German users their IPs were already protected, it's just that nobody cared to comply with individual EU member's privacy laws until they combined their weight into GDPR: https://blog.philippklaus.de/2011/05/modify-apache-logging-t...
Not necessarily. They may even be required to store access information, due to legal regulations in some countries. Also, providing service may become practically impossible if it is not possible to keep logs and similar data.
Other legal requirements trump the GDPR data minimization. In that case you only need to provide that data when the user wants a data export.
Exactly, if you're providing a special service that requires logging (financial, etc.) then you need to follow other laws that trump GDPR, same as you need to obey traffic lights except if you drive an ambulance and there's an emergency, at which point other laws trump the general driving code.
At which point it becomes "Legitimate Interests" (or whatever the correct term is).
> IP addresses are PII, as defined in the law.

No, that's far from fucking clear, but appears to have been repeated over and over and over again.

It’s in the faq, you can’t be upset with people repeating it.

https://www.eugdpr.org/gdpr-faqs.html

[edit] faq linked has been changed in the last weeks. How about this one https://ec.europa.eu/info/law/law-topic/data-protection/refo...

"IP address" does not appear in that text.
> This website ... is NOT an official EU Commission website.
New link in comment to European Commission Page. It clearly lists IP address.
I would love for you to be right. A search for "gdpr are ip addresses personal data" only shows me articles that confirm what I said, including a ECJ ruling.
Define retention policies and explain you would keep IP addresses up to xxx months to ensure service operation/troubleshoot/etc.

Prune the logs.

There you have it.

"IP addresses are logged to ensure we can comply with requests from law officers"
Even then, you have to delete them at some point, b/c the retention policy has to specify duration.
Sounds like a legal headache for anybody who wants to set up a personal blog or blog for their company, with a penalty of up to 20 million euros if you get it wrong.
> with a penalty of up to 20 million euros if you get it wrong

Much like if you set up your billing software wrong, you could go to jail for years for fraud. Or you could violate a safety regulation and get shut down for months.

Staring at the worst possible punishment is hopelessly hyperbolic.

What? You can setup log rotation in 1 minute. In 3 minutes you can write a small paragraph that explains you only use IP addresses for security reasons and only store them for a few weeks.

Also, the claim that you immediately get the maximum fine of 20 million euro for every small detail that you get wrong, is false: https://www.joyfulbikeshedding.com/blog/2018-04-17-should-no... (claim backed up by a book written by an IT lawyer)

You overestimate my abilities! You also overestimate the abilities of non-technical people.

Judge's discretion on the fine, and he probably won't like me.

Again, let's read the text.

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

An IP address is an "identifier". However, an IP address does not identify a natural person; you know that, I know that, and even the GDPR knows that.

However, if you start building a map of IP addresses to user real names, or some other form of profile construction, then the IP addresses become personal information.

So truncating logs is an overreaction? There is no need to do that for GDPR? I see many people saying the opposite.
It's not strictly necessary but it's a good idea anyway, even outside of GDPR. The key question is, what kind of processing are you doing on the logs? If you're using it to build user profiles that needs careful consideration. You should also think about whether the URL in a web log contains personal data that affects that: if you know that 192.168.100.blah has accessed "/logged-in-user/joe-bloggs", then that IP address may now be personal data.
(comment deleted)
Because they're not failing due to misunderstanding the law, they're getting sued because their 'compliance' to the GDPR is against the spirit of it, and in most cases is actually in direct violation of multiple clauses. They're trying to follow the letter of the law and remain in the grey areas - if a 'small site run by a few regular folks' isn't doing anything shady, and isn't being basically negligent with their users data, they will be fine.
I'm not sure about Facebook due to not using it, but Google's actually one of the less shady companies in this area. At least they do let you opt out of tracking-based advertising. Other sites don't. For instance, I just tried to view a Forbes article and it redirected to an interstitial which defaulted to letting them track me for advertising purposes, then when I changed the setting to only allow essential cookies it made me wait for several minutes with only a Cancel button, then finally redirected every page on the site to a message saying "You have arrived at this page because you have chosen not to consent to the use of cookies that help us provide a great experience (and great content) to you free of charge" and not allowing me to do anything but change my settings back.

Journalists are just a lot less willing to criticise the state of the free press than they are to attack companies like Google and Facebook that eat into their collective profits.

Small sites have it easy because their systems are a lot smaller.

It has taken us fairly minimal effort to ensure GDPR compliance. Remember that you don't need automated systems to give users all the information you have or to delete users, it can just be an email form.

The smaller the site (and the newer) the easier it is to comply. Don’t amass mountains of ad data and you’re fine.
> "The GDPR explicitly allows any data processing that is strictly necessary for the service - but using the data additionally for advertisement or to sell it on needs the users' free opt-in consent"

This is the key point. As the saying goes, on Facebook, you aren't the customer, you are the product.

The GDPR just changed this -- rightfully, in my opinion.

yeah but now the product is not free.
It'd be great if companies offered a "buy back your privacy" subscription model. For the services I really don't want to stop using (Twitter ...) I'd definitely be using that.
They would take your money and track you anyway, and everyone knows it
And be fined into oblivion.
How would anyone find out, and provide proof for this?

Can we expect a EU government agency to validate companies on a regular basis? And if not, would they even cooperate with white-hat hackers to find offenders?

Also, from what I read, data protection agencies have been understaffed and overworked for years now.

Tracking which doesn't result in any visible effect to the users is fairly harmless. The more concerning stuff involves handing the data to third parties like direct marketers and political campaigns. Those commercial relationships are a lot harder to hide and generate a paper trail.

"Why did this company pay you $x million?"

".. stuff?"

You can choose to be paranoid about everything if you want to. Maybe your dentist is drilling fake cavities or your lawyer is giving you bad advice so you spend more money.
(comment deleted)
The users that can afford and would buy this service are exactly the ones that advertisers want to reach. If you stop showing them ads or only share data for people not willing to pay, the data becomes useless.
Tough luck.

There is no fundamental right allowing tracking or advertising.

There is a fundamental right to privacy.

(comment deleted)
Right, but what this means is a business often can't support itself via a mix of subscription and ads - if you offer both for the same content the value of your adds will likely crash, so it's mostly equivalent to just being subscription based
https://gsuite.google.com/

A lot of people don't seem to know that GSuite is both usable (useful, even) and affordable (cheap!) even if you are a solo user.

Here's a quick howto:

1. Go buy your own domain name (~$10/yr, https://www.gandi.net/). Make it something you like, something professional. This is for your personal email address. firstname@lastname is the most common pattern. I recommend everybody do this. Even if you want to stay on gmail, yahoo, aol or whatever you can set up redirects. This becomes an email address you truly own, and your email provider cannot hold you hostage anymore.

2. Create a new GSuite account ($5/mo, https://gsuite.google.com) - The entire setup is guided and completely painless if you're even slightly technically-aware.

3. Migrating from a previous Google account: You can use Google Takeout to get a lot of your data (https://takeout.google.com/). Unfortunately, migrating the data automatically is hard. For email you can set up IMAP from gmail, for Drive there's migration scripts. But you also don't have to migrate immediately, Google is good at multiple accounts.

I know I'm sounding like a Google shill right now, but GSuite really is what people tend to ask for when they talk about Google's handling of data and say they'd pay $5/month to "regain their privacy". Well, here's your occasion to do so.

Is GSuite better from a privacy perspective? It doesn't show ads in gmail, but I'm pretty sure they're still tracking you and feeding that into ads on youtube etc.
from the DPA that you can sign with Google with regard to GSuite:

> 5.2 Scope of Processing. > 5.2.1 Customer’s Instructions. By entering into this Data Processing Amendment, > Customer instructs Google to process Customer Personal Data only in accordance > with applicable law: (a) to provide the Services and related technical support; (b) as > further specified via Customer’s use of the Services (including the Admin Console > and other functionality of the Services) and related technical support; (c) as > documented in the form of the applicable Agreement, including this Data Processing > Amendment; and (d) as further documented in any other written instructions given > by Customer and acknowledged by Google as constituting instructions for purposes > of this Data Processing Amendment.

So no, they probably can't track and feed that into youtube ads, because it is not a cause that provides the service or support.

Afaik Google announced last year that they stopped processing GSuite account emails to a large degree.

> Afaik Google announced last year that they stopped processing GSuite account emails to a large degree.

Well, that's surely reassuring.

Where does it say that paying for GSuite means that Google stops invading your privacy? I can't find it, and can only assume the only difference is you don't see the ads.
> This becomes an email address you truly own, and your email provider cannot hold you hostage anymore.

It's hardly yours. Using a custom domain for anything sensitive like banking is not a good idea. Your registrar is almost certainly a lot easier to phish/social engineer/whatever than Google.

a) 2FA for your bank account

b) Who is going through all the trouble to target me specifically with a phishing attempt.

> Your registrar is almost certainly a lot easier to phish/social engineer/whatever than Google.

Please don't spread unsourced FUD. I'm not saying registrars are perfect (although Gandi, which I linked, has an impeccable track record), but everyone uses registrars for their domain name, even the biggest businesses out there.

If you have a problem with a particular registrar, I invite you to source it and share it. But the general idea that the potential for a point of attack makes the email "not yours" is nonsensical.

What matters is the email address you give out to people. Where that email is stored and ends up doesn't matter. Which registrar owns the domain doesn't matter.

> but everyone uses registrars for their domain name, even the biggest businesses out there.

Everyone uses registrars, but in some cases you can be your own registrar. Like in Finland, when .fi domain registrations were moved to exclusively to registrars (initially you would register domains with Finnish FCC equivalent, later option was added to let registrar handle that for you and finally it was moved to just registrars), quite a few companies and individuals registered to become registrar for .fi domain.

I'm not spreading FUD. I'm spreading Maciej Ceglowski's information: https://techsolidarity.org/resources/congressional_howto.htm...

@pinboard has explained on Twitter that registrars can get tricked into letting an attacker into your domain account (of course they can). And from there they can update your zone file to send your mail wherever they want.

This isn't about the storage of your email.

Even if such an attack were to take place, that doesn't mean you don't "own" your email. You own it far more than an @gmail.com address...
Good now they have to make it worth paying for.
(comment deleted)
It wasn't before either. You were just paying with a different currency.
Somebody has to pay for it in the end, so Facebook could simply say "agree to targeted advertising and use the site for free or do not agree and pay a monthly fee for the site".
Sign me up!

The sad truth though is that the users who are most likely to pay to get rid of ads, are also the users that are most valuable to advertisers, because that's a signal they have more money to spend than the rest.

What if they say it's $20 a month? And it's just facebook. Google also asks for $20, Reddit too, etc.

It won't be cheap.

We already donate to reddit.
Google services with guaranteed no tracking and profiling?

$20 is cheap.

Huh? A Google Suite account is 4 euros a month. No tracking and profiling.
So you are stipulating an account worth is 240USD a year at facebook? Instead of 20, why won't you say 100, make it round.

Seriously though, behemoths do fall and if facebook ceases to exist there will be no harm but good in my book.

The number that's been kicked around for he value of North American user is about $50/year. So $5/month will cover it.
The problem is that even if I pay Facebook this company is so utterly untrustworthy that I don't believe for one second that they wouldn't run their data sucking shenanigans on paid accounts.
I agree, but at least if the ad market is much smaller, the data will have that much less value.

Various companies will probably still gather and sell data for even more nefarious purposes, like manipulating elections, but that’s a different battle.

And that's why you want to have regulations. In the case you suggest, you could ask e.g. EFF if you suspected that they are abusing the contract, to sue FB in behalf of the users. Or even kick-start a big court case yourself.
That's not the number that is being kicked around.

Facebook will yield more than $100 per active user in the US and Canada for fiscal 2018. That's going to $200 from here over the next six or seven years (it doubled from 2015 to 2017). No meaningful number of users are paying $15 per month out of pocket for Facebook.

Google search is similarly worth a lot per user in the US. People would be irate if they had to pay $10 or $20 per month to use search engines after commonly enjoying the free utility of that for the last two decades.

Per daily active user or monthly active user?

I also think it's conceivable in a more equitable arrangement with paid subscriptions that you could easily have a sizable number of paying users not being active in a given month.

Last time someone claimed they knew the numbers I asked them to explain how. They disappeared without replying. So I'll ask you the same thing.

If you divide revenue by users you get between $1-$2 USD. I need to know how NA are 50-100 times that.

Facebook publishes revenue per MAU on page 37 of their 2017 annual report:

https://investor.fb.com/financials/default.aspx

Note that it is reported quarterly (I had some numbers but took them out when I realized I was using 1 quarter instead of the year).

OK thanks. Indeed, $100 isn't a bad number to use.
I've seen this so many times, but if this future comes I think there will be a lot of angry ass people complaining about the $100s of dollars it costs to make the internet useful.
Every recipe site runs on ads as one example. Now five million recipes across 1,000 prominent sites are to be locked behind paywalls, and you must pay $5 per month for access to each site due to the extreme drop in traffic they suffer (nobody is signing up to pay except at the largest sites, smaller sites have to charge more to make up for that, they implode accordingly).

The result: 973 of those sites disappear. Diversity of choice just collapsed. Starting a new recipe site or blog just got 100x more difficult. But hey, in Communist Internet, who needs lots of recipe sites.

What do you think the creative work is for running a recipe site? And what about the technical work/costs?

I guess you mean the kind where either there are users providing those for free or it uses a huge number of compiled one, not some person inventing new ones.

I would wager that 970 of those sites can be run for virtually no cost, either maintained by loyal community or the wide internet.

Many recipe sites are basically blogs, so yes, there is a lot of cost associated with each of them. I do not know if they tend to make money their money on ads or on books or on other methods.
First of all, ethical ads are possible, and more so on a website already very targeted like a recipes website. I can easily guess what sorts of ads would be useful.

Furthermore, I agree the sibling commenter in that these sorts of websites usually just publish what community submits anyways, so we can have a bunch of wikis instead.

P.S.: Everybody should know the difference between trying to overcome the status quo which is selling yourself to companies and hoping that they do not abuse you, and things like communism or government overreach. And if businesses will lose money or get closed if they stop bad, malevolent practices of theirs, good riddance. Let the sanity get the better of them.

I would actually pay a small amount to have a read-only account for facebook that doesn't track me at all. I don't want to post anything, but I would like to view stuff more easily on the platform. Especially since so many events are organized through fb.
Have you tried the mobile site with JavaScript disabled. Or have to tried Facebook command line where you can simply query for posts in the terminal?
Are you saying the free market doesn't apply to pricing for these services?
I am more than willing to pay $20 a month for both Google and Facebook. Do you hear me? Take my money!
Google gsuite pricing is $5 / month for the basic version.
That model already works for streaming TV! At least it’s working pretty well for Netflix, Amazon, HBO... (It’s definitely not ideal for viewers, but at least now it’s easy to get TV without ads.)
You can disable Google's ad targeting at any time: https://adssettings.google.com/ You don't have to pay anything. What you get instead is untargeted ads, like ads for cars, potato chips, and shampoo, just like on TV. Personally I find those to be a lot more annoying.

Facebook's ad targeting can be similarly disabled under https://www.facebook.com/ads/preferences/?entry_product=ad_s...

> What you get instead is untargeted ads, like ads for cars, potato chips, and shampoo, just like on TV. Personally I find those to be a lot more annoying.

I'm genuinely curious: what's so much more annoying to you about untargeted ads? I've never found targeting to be effective at showing me ads that were genuinely better or less annoying.

I feel more comfortable with untargeted ads, since I can be much more confident nothing truly sneaky is going on, especially technology ever gets good enough to reliably manipulate me to buy more now.

(comment deleted)
>I've never found targeting to be effective at showing me ads that were genuinely better or less annoying.

I'm not the guy you're responding to, but I think the key difference is this statement. I had untargeted ads on for about a year and they were always irrelevant. Since returning to targeted ads, I now see things all the time that I'm at least mildly interested in (mostly startups and new services, and/or tools/software I want to try out).

I don't care if I'm being coaxed into buying more: the things they're tempting me with are legitimately interesting and I have the ultimate say on whether I buy it or not.

Untargeted ads don't give that choice: they're just always irrelevant to my interests.

I consider most advertising-delivered information to be suspect. I find about things I'm interested in organically, through interest-based websites and the like.

In any case, except for a few specific circumstances, I've rigorously used ad-blocker so I haven't had to deal with any ads at all. The last ads that I have seen were on Facebook, but even it couldn't seem do a good job, even though it's purportedly the master of targeting

So... I have to be logged in or have a Google cookie in order to not be tracked by Google. This is complete bullshit and worthless for anyone using private browsing.
Does this disable Facebook's data hoovering about you?

I wouldn't think so.

"What you get instead is untargeted ads, like ads for cars, potato chips, and shampoo, just like on TV. Personally I find those to be a lot more annoying."

Really? I kind of despise the targeted Ads. They're typically poor quality, and often it's some website I visited months ago to look at one product constantly dangling that product in my face in a desperate attempt for me to come back and buy it.

Show me the cars and potato chips, please!

This is retargeting, and is pretty much the least sophisticated ad targeting out there.
For me I don't really care whether ads are targeted or untargeted. It's the data collection they use to target the ads that's the real concern. I suspect that's true for most people but for some reason these discussions are typically framed as targeted vs untargeted, which IMO misses the point.

That said, I also really don't like seeing ads at all.

It also puts users in the mindset of starting to consider if their time on Facebook is worth $X/mo.
Yes, but when that point hits hard enough maybe people will stop saying "Why do you not use Facebook/Gmail, it is free".

Now someone can actually try and compete with a free service. It might not work but its a step closer to happening. For example we have had open source federated social networks, and non-profits that ran email services.

That other free service also encounters the same dilemma. They have to pay for the site, so either they take your data or make you pay.
You can have ads without tracking. But frankly I'm 100% happy if you actually have a choice of "give your data or pay". It's a massive improvement over "give your data or don't use the service" or "give your data and pay" which is what we have today.
If people force the issue then I expect big sites will give you this option. But it won't be necessarily cheap, so most people will opt to use the free version instead.
I’m pretty sure Facebook can’t do that. The point of the GDPR, as I understand it, is to make control of your data a right which can’t be bargained away, much like employers can’t try to bargain away your right to sick leave.
depends really, the law says you can't deny service, but doesnt say you get to get the exact same service. I would expect the same for people who deny ad cookies - they 'll get more ads shown.
(comment deleted)
(comment deleted)
I, and I believe most of the world too, would be perfectly fine with Facebook valuation of say 1 billion $. Then you don't need so much income to sustain/be profitable. I mean it's basically the same website as before, just few smaller services and Oculus. They do scale a lot (with years of painful basic technical errors), but then again its just overengineered single page of news feed.

The whole valuation is on data spied or voluntarily given up from users

I didn't think that was possible. Otherwise it would make determination of a fair price very messy -> In the extreme facebook could set an arbitraily high price if they didn't want to change their business model.
That's not possible with GDPR. You have to be able to access the same service 'without detriment' even if you do not want targeted advertising.
That would be a violation of the current policy. I don't wish to be rude, but it doesn't seem that hard to understand, and i'm a little surprised by the number of people making mistakes like this.
It's important to note that the GDPR doesn't ban ads without consent. It bans tracking users without consent.
The GDPR ensures that only Facebook will be able to comply, and prospective competitors shouldn't even bother.

The regulation counts 58 000 words.

I see so many people parroting this but I just don't get it. Surely it won't be a problem at all for a new startup handling data correctly from day 1? Facebook has a mountain of historical data that was collected using non-GDRP-compliant methods that now falls foul of EU law.
You need somebody that knows the regulations and developers that are capable of auditing the whole system. That's added fixed costs, which is an advantage for incumbents.
But these regulations are not that complicated! Heck, in the EU we've been observing most of them in the last years already. Most things are really straightforward. Things get complicated when your core business is making users' data available to third parties. But it's not different from any other business: if you want to make money in catering for example, you need to read and adhere to relevant laws, too.
Is an IP address PII or not? I have read multiple different interpretations today.

Is a hash of an IP address PII?

Is this really that complex? If it can be linked to the individual, then it is. https://www.whitecase.com/publications/alert/court-confirms-...
So IP + timestamp of my ticket system logs is invalid because I also have a timestamp of ticket updates by a user. Actually, just IP because I have a timestamp on the log file. So the latest line has an IP, so I can take the file timestamp and see the latest ticket comment and now I've linked it to an individual. You're right, this is easy. Even easier now that I can't think of a way of storing an IP without the ability to at least correlate the latest one.
> So IP + timestamp of my ticket system logs is invalid

What makes it "invalid"? If you can identify a person by their IP, then the IP becomes a part of their personal data. For most websites it's irrelevant, because people just visit and leave. But if someone signs in with their real name, you just need to update the ToS saying that apart from their other data you also store their IP. How complicated is that?

Ok, just update the ToS. No ability needed to provide opt out of that IP collection? No ability needed to go, upon request, and delete all these IP+timestamp logs that I could use to correlate with their name? Handwaving all of this stuff away as clear and easy is at the least ignorant to real people's concerns and at most willfully dishonest.
How can anyone "opt out of that IP collection"? It's not the way the Internet works: logging is an essential part of of its infrastructure (and in certain jurisdictions it's required by law). The only problem is if the IP is associated with personal data. If the user really wants to remove it, they can remove their personal data, and in this way the problem disappears.

On the other hand, if you plan to sell the IPs associated with some other data to a third party that can easily link it to people (Google and Facebook can), you may want to consult a lawyer.

Can you point to the bit of the law that requires website owners to delete data upon request? Or the bit of the law that requires website owners to ask for consent to gather IP addresses?
Writing style can be linked to individuals.

Can I still have a forum where users submit text?

The regulation's big but it's probably not larger than a sprawling API documentation, etc. and you approach it the same way: just read what you need.

IIRC almost _half_ of the actual regulation is about what and how the member countries should set up their internal supervisory authorities and the rest is similarly specific.

There are innumerable checklists, summaries and guides on how to deal with GDPR as well.

The two I like are:

https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...

and

https://ico.org.uk/for-organisations/guide-to-the-general-da...

I love all these posts that assume because they've never been on a software that team that makes compliance part of their job, that it's completely outside the grasp of a small team.

Those of us in fields regulated prior to GDPR are laughing at you.

Is that what they are saying though? I'm not reading it as 'small teams can't comply'. I'm reading it as if you comply, you will make less money advertising, and that affects the dynamics in a social app.

If you have to charge money, your chance to overcome the network effect of FB or an established site is difficult, because en masse migration of users to a new service typically goes hand in hand with that new service being offered freely.

Conversely if you don't charge money, your ability to fund the development of a competitor is based on reduced ad income since you can't offer targeted ads, which is going to shorten your runway by a significant amount.

These two things seem to indicate that the likelihood of building something that replaces one of the existing social services goes down. I don't think it makes it impossible, but the law seems to make it less likely that the social app incumbents get replaced (if that was at all possible).

As far as those in other regulated fields having done this for some time, I can't think of many regulated fields where the network effect is so high as social apps, so it is probably a bit apples to oranges. Presumably it is not as large a deal in those markets where social network dynamic is not as strong.

I am trying to think what the secondary consequences of GDPR are going to be.

If any user can see their data on any service than any government can quickly plug-in to access all user data on any service. This is like NSA Prism for everything.

If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.

Account takeovers by hackers will lead to much more severe data breaches, since all data on that user in the system is easily accessible.

The information apocalypse is made all that more easy because acount takeover + deep fakes + lyrebird plus all that easily accessible juicy data = impersonate anyone.

Data renting will create a way to monetize account takeover. The account takeover will include all possible information used to identify a person so how are the data brokers supposed to know it isn't you and how are you supposed to get your data back once it's out there getting monetized?

The option to monetize your own data is an amazing idea: a startup that pays you to upload the data you can download from your google, apple, facebook, BIGNAME account, basically renting it daily until you revoke consent, then uses it to do all sort of shit you can with it. You’ll get hypeprofiled and harassed with all sorts of advertising, but you’re actually getting real money for that.
When “you are the product”, you can sell that product.
you would have to find a market for them first. realistically private data is useless outside of a marketing platform like google or facebook. Maybe you can fill up some forms or polls for a few cents, that's it.
The problem with that model is... how much money is a single profile worth, really?

I'd love to be proven wrong and for a company to implement this. But as far as I know, it's not being done because the math doesn't work out. It's too cheap for regular people to be interested, and an incentive for spamtech to mass create fake profiles and get paid pennies for it.

In fact, the one variant I am aware of that works is survey sites, but that's because you get paid per result rather than for your data as a whole. If you're just renting your data daily, you'd get a lot less.

> The problem with that model is... how much money is a single profile worth, really?

I remember some estimates, facebook profile with a few years of history is around 1$, a few profiles from different sites of the same person 5$.

(comment deleted)
What do you think changed for governments?

If there is a search warrant, police could and still can access data. GDPR didn't change anything in this regard.

My feeling is that in the EU there is a different view of government: it's not a third adversarial entity.

Many other remarks you've made don't have anything to do with GDPR, for example fake accounts and takeovers.

> My feeling is that in the EU there is a different view of government: it's not a third adversarial entity.

That should be the de facto stance regarding government in democratic countries, in my opinion.

The government is a third party that intermediates, fundamentally, between:

* individuals/groups of individuals and other individuals/groups of individuals, all inside the same country

* itself and the governments of other countries

The first point is very important, a society of a big enough scale, in the absence of hierarchy invariably degenerates into an anarchy where the only law is the law of the jungle: the strongest survive. That's why we add this third party that can intervene for the weak. This third party can be corrupted by various interests, but the hope is that these interests balance themselves out.

And even a corrupt state is better than no state at all (or even a very weak state). Look at current day Somalia, Iraq post 2001, Libya post 2011.

> EU there is a different view of government: it's not a third adversarial entity.

We are not from another planet. EU likes to portray itself as trustworthy - it largely is - but that doesn't mean there are no problems. EU governments can vastly differ in quality , you just happen to hear from the most accountable ones.

On the positive side, it could also reduce product lock-in by increasing data portability. For example if I'm creating a social network startup, and users can export their data from Facebook in a parseable format, then it's trivial for me to offer an "import your data from Facebook" feature. The interesting question then becomes, could Facebook do anything about that? In the past they would be able to sue the startup for appropriating data that Facebook was granted an exclusive license to via TOS. Now it's not so clear. Where are the limits of my control of my own data?
The data belongs to the user. There's nothing Facebook can do to prevent exporting if it's via the data backup. They can just design it in a way that is easy to read by humans but very challenging for parsers.
Yeah, I understand it belongs to the user and they can export it. But does any third party service then have a right to allow the users to import their data from Facebook?
Yes, the user owns the data and can give consent.
>They can just design it in a way that is easy to read by humans but very challenging for parsers.

This is explicitly forbidden in article 20.1

Machine readable only means no images. You can still structure it in a way that it's a pain to import. Or use changing structures. Definitely violates the spirit of the law but don't think Facebook cares about that.
I'd argue that the GDPR is entirely about spirit.
well they can make a big, very readable screenshot of your data, handwritten by an adversarial DNN
What's with generated images (some crap like facebook frames or generated slideshows etc) doesn't have facebook the copyright on those - at least the designs? Should those be included in the export?
I don't understand how a facebook post made by me 'belongs' to me. It was addressed to specific audience that facebook made available to me, it wouldn't have existed in the first place if facebook didn't exist. How does it completely belong to me.
If you make a song on a Gibson guitar, should the song belong to Gibson?
I think your analogy holds true for the documents you write on MS word that you bought. Posting on facebook is equivalent to recoding on a song in Gibson's studio, in which case it doesn't completely belong to you.
Facebook has been offering their data for free for a very long time. in fact that's what they re accused of. They also have export tools since long ago, like twitter IIRC.

I think their terms specifically say that your data belongs to you.

Well, to an extent. They still reserve the right to block apps from using their API if they infringe on Facebook business interests. For example you can’t make an alternative newsfeed app. People have tried to make apps that aggregate multiple social account feeds, and they got sued / C&Ded IIRC.
The assumption you're making with most of your points is that, currently, data is only safe from governments/hackers because its not readily available to users, and for some reason it being not easily accessible by users means its safer (correct me if I'm reading what you're saying wrong).

I don't think making the data more available to users means it's now inherently less safe - actually, it could be argued that having all the data in one place makes it easier to protect ('Keep all your eggs in one basket, and put that basket in Fort Knox'). Additionally, if PII isn't stored securely enough, as it should, and that data gets breached, the company is at fault - again, which it should. Making these companies more liable incentivises them to take their security more seriously, which I think is good.

(I also trust my government, but that's a separate argument)

You have expanded the surface area for hackers for sure esp. if you have an automated system. If your system is manual, like a phone number, that's not immune to phishing/stolen identity attacks.
> If any user can see their data on any service than any government can quickly plug-in to access all user data on any service. This is like NSA Prism for everything.

This could streamline processing of warrants, but beyond that, not much changes. If company's infrastructure was vulnerable to governments, it probably still will be. Maybe less so, given that GDPR also adds extra motivation for keeping users' data secure.

> If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.

As it should be? They own it, so they can sell it.

> Account takeovers by hackers will lead to much more severe data breaches, since all data on that user in the system is easily accessible.

Not necessarily. GDPR isn't about storing all user data in one big table named PII. It's about knowing, via company procedures, what data you store and what the lifecycle of that data is. Also, with rights to delete data and revoke consents, there'll likely be less data available for an attacker to exfiltrate.

> The information apocalypse is made all that more easy because acount takeover + deep fakes + lyrebird plus all that easily accessible juicy data = impersonate anyone.

Not sure how this is relevant to GDPR. Could you elaborate?

> Data renting will create a way to monetize account takeover. The account takeover will include all possible information used to identify a person so how are the data brokers supposed to know it isn't you and how are you supposed to get your data back once it's out there getting monetized?

How was this different before GDPR? I don't see anything changing in that regard; what you wrote is already the case. Again, if anything, GDPR will reduce the amount of information an attacker can extract from a compromised account, because companies are incentivized to reduce the amount of data they store.

Nothing in the directive requires the access to personal data to be done "in band" through the normal login only. It's a valid interpretation of GDPR to only accept "give me all my data" requests by post, and require additional ID to confirm that you're giving it to the right person.

"The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means."

"Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject."

(article 12)

> If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.

This has been tried infinitely. It doesn't work. Say your service can extract $5/year/user from advertisers. At 25million users, you can pull a $125m revenue. That's huge. But if users were to sell their data, it'd only give $2-3 if you take commissions into questions.

As people realize that their data does not bring much cash, and the invasiveness of the procedure (will you agree to share your weekly grocery purchases for one year with 202 advertiser, and you get paid $2?).

Most people will disagree as they realize how a horrible on an equation it is. Only bots and kids with no disposable income will remain.

It's about time to see no-win no-fee services to file a complaint against companies for GDPR breach. How long will it take?
It is not how it works in Europe. No-win no-fee is a typical American thing. We don't have class actions either.

It doesn't mean it won't happen, but that would be unusual.

That's not exactly true. There are services which take your cases for delayed or canceled flights for keeping a percentage of the redeemed money. It must be said that carriers brought that to themselves by stonewalling customers despite pretty clear laws. But this is rather an exemption.

Personally I would love to see similar services for GDPR. However the structuring of the law makes this unlikely, I believe.

The proceeding would be undertaken by the state and the companies might be fined.
All in all, GDPR reminds me of how legislation and regulation was constructed in USSR and now in Russia.

The rules are such that it is practically impossibly to comply; it is then left to the powers-that-be to decide which ones of those in breach are investigated and prosecuted.

It's the perfect setup for arbitrary and selective application of justice system to attack political opponents, dissidents etc.

Exactly how politicians like it
>The rules are such that it is practically impossibly to comply; it is then left to the powers-that-be to decide which ones of those in breach are investigated and prosecuted.

I'd not say they are impossible to comply at all, coming from a company extremely heavily impacted by the GDPR, with multiple divisions loosely connected (hence harder to ensure forgetfulness) and a lot of customer interaction. I do consider GDPR a very good tool/means to enforce some thought and discipline during development process.

If this is what Online Marketing Hell looks like, please tell me where one can apply for a job as Junior Devil
The 'loophole' here would be the definition of 'legitimate intrests', where businesses can defend not giving users a choice in many of these matters due to the activity being critical for the service to work or the business to survive.

I.e. Facebook _could_ argue that users would have to have their data collected and analysed, as this would enable them to sell ads which in turn is their core interest.

Another example could be automatic enrollment into newsletters or data collection/analyzation with the option to opt-out by going to settings. You don't _have_ to give users the explicit consent checkbox during signup if you can defend the activity by it being in your legitimate interests.

This article goes into more detail: https://medium.com/mydata/five-loopholes-in-the-gdpr-367443c...

Somebody on Reddit posted a list of Tumblr's "partners" that they share data with by default: https://i.imgur.com/YCNvEMa.png

I'm finding it difficult to believe that they can come up with a "legitimate interest" for all of those that would also actually hold up in court.

Good lord. I’m glad we’re finally getting the chance to see just how pervasive this problem is.
Twitter’s “partners” are the same (you can request a list from your privacy settings)
I think those are just the members of the new IAB consent framework. This is how programmatic ads work, you "partner" with a bunch of ad networks and serve an ad from whichever is paying the most at that moment.
Actually 'my business model depends on it' isn't a legitimate interest. That clause only applies when the service itself relies on it (a real-time maps service requiring location data, for example).
Yes and I think because of that 'legitimate interest' clause companies like Facebook will be allowed to work as ususal.

I am not big Facebook fun, but I understand that they business model relays on selling targeted ads, so they have 'legitimate interest' to track their users, because otherwise they would have to go out of business - I don't think it should be possible to force someone to radically change business model because of GDPR.

The interesting part is that GDPR is something that will be enforced an the countries level, so each country might have different interpretation of that clause and I see that there will be competition among countries who will offer 'better' interpretation from business perspective.

My big problem with this is that the complaints are too quick (unless Google, Facebook, et al are stupid, which I don't think they are). First you have to make a request to see what they are using the data for. Then you can complain that it is being used for the wrong things. Unless the aforementioned companies are blatantly saying "We're sharing your data for targeted advertising without consent", then I think we have to wait a month for real complaints.
Isn't the tracking a claim they make to advertisers, and can I opt out without declining the entire ToS?
Edit: Just to be clear. I'm not in the EU, so I can't check the ToS. If they are being stupid, then that's pretty stupid of them ;-)

The thing is, it is possible that as of today they have stopped tracking. I agree that it's very unlikely, but unless they actually tell you that they are tracking you, how would you know? You get ads, but they could be completely random. Who knows? As of today, maybe all EU residents are getting random ads? Until you make a request, I think you can't quite complain (again, unless they are stupid and actually telling that they are tracking you).

FYI: GDPR provide a framework allowing investigations from the EU... So the EU might ask to get enough informations on algorithms - and even to audit code - to check if there's some hidden targeting ads. And then...
I can’t inagine anyone being surprised by this. It was explicitly said the deadline of yesterday (or today, I forget) represented the end of the grace period, which lasted the last two years.

If laws don’t have effects then what are they good for? Companies are going to get in trouble and get fined because of this law, that means it’s working.

It was expected that activist groups will say that these two companies are breaking GDPR, it is not so obvious that they will be actually fined (as the requests need to be processed by specific institution and might be found unwarranted).
I am reading through the complaints,

The first one: https://noyb.eu/wp-content/uploads/2018/05/complaint-android...

The User sets up a "new" (non Google) phone, and isn't given an option to decline consent to Googles ToS.

Now how does this work with a physical product? It needs to be compliant on the 25th of May 2018, but the version of Android may be old and not updated (given its Android). Even if there was an update waiting to resolve GDPR related issues, you would need to agree to the ToS to get that update, to enable opt-out?

In that point of view, it seems a rather unfair complaint. I havn't checked the other's yet, but I start to feel that perhaps these have been filed too early, without enough thought and examination, just to get headlines?

Companies have had two years to get their act sorted out on this.
I can still purchase a "new" 2 year old phone. I think that is a valid question.
Aren‘t the ToS pulled from the web when you set it up with a google account? I doubt you‘re agreeing to two year old ToS.
Possibly, but it still might not be possible for Google to provide a means to decline the ToS without issuing an update (which, as has been pointed out, wouldn't be possible to install anyway without accepting the ToS).
Then it's a device that does not comply the regulation and must not be sold.
Sure, that argument could certainly be made. But unless someone is taken to court over this (or at the very least, threats are made), I think people will continue selling such phones. After all, most sellers aren't going to realise their products are in violation of the law.
If they flag compliant devices, it would be possible on the server side to limit data collected that comes in without the "GDPR-Compliant: true" flag.
Even if the ToS are pulled from the web, it might just pull the document, not the UI, providing opt-outs, etc
They could replace it with a document saying “There are no conditions of use. Enjoy your new phone!”
fwiw, the phone in the complaint is from 2018.
If a product that was in compliance goes out of compliance due to legal changes, it generally has to be pulled from the shelves. I'm saying this strictly from a legal perspective, not endorsing it per se, and I acknowledge the significant expense involved. But this sort of thing happens pretty frequently in a lot of other industries, and the result is pulled product and often a lot of destruction of unsold product.

In this case, fortunately, the hardware may not necessarily need to be destroyed, but it couldn't be sold until the software stack complies. Or, more likely economical, ship the phones somewhere where they are still legal and ship new stock into the EU with updated software. Or make sure there's an immediate update available for the phones and petition the EU for a variance on the grounds that as long as they update, they'll get compliant software. There's a number of options.

If google had made software updates available, which gave the correct options and are GDPR compliant.

But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case its a non-Google phone running Android)

It's Google's terms, and Google is the one who determined the mandatory flow of that setup as per agreement with the hardware vendor. The EU could absolutely hold them responsible for not having this sorted out with their partners, it isn't like the OEM put the terms on a device and sold it without Google's permission.
But the OEM is responsible for software support for their devices (this is the entire Android model and why Google has been working so hard on the Treble project the past year+). Since the current version of Android doesn't have this problem, I don't see how this is Google's problem.
It's Google's terms for an agreement with Google. How could any reasonable person make the claim it is not Google's problem? Especially considering they had two years to prepare, and 2018 phones still have this problem.

Presumably, if moderately recent phones were compliant, Google could ensure that outdated/invalid consent forms were only tentatively accepted until Play Services updated within the first day or so of activation, and then presented a remedial consent form which was GDPR compliant. The EU would very likely accept this solution as a technical best effort method to ensure older devices were respecting people's rights.

But it sounds like they never really put in the effort. What version of Android is GDPR compliant? 8.1?

Interesting line of argument; if it was a CE compliance issue it would clearly be the vendor/importer. But the GDPR doesn't talk about devices, it talks about data controllers.

Information commissioners can't require data controllers to do things which cannot reasonably be done. So I think this ends up with "the existing phones are fine for technically necessary data processing, but buying an Android phone cannot be direct marketing consent in and of itself".

> But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case its a non-Google phone running Android)

Great question. I have no idea, and with the GDPR having been looming on the horizon for two years now, is something that would be beneficial (and cost-effective) to spend money on getting quality legal advice.

To anyone who has seen the complaints about startups having to spend $20k on a lawyer to explain the GDPR to them, a small startup won't be facing complicated legal questions like these (and those who insist on doing so, have been given ample warning).

A friend of mine has an online business that involves offering/reselling/managing a client's domain registrations (as part of a package of specialised hosting services). Meaning he can't really get around sharing his clients' information with third parties (registrar, other domain shop, I'm not sure). 25th of May approaching. He reads up on the GDPR, makes some adjustments how or what data he stores (because earlier, you know, it was considered good practice to "store all the things" just-in-case), writes a 3-page license agreement (I suppose he took a boilerplate example and adjusted it to his needs), sends it to his clients to agree, and done. Less than a week's work.

Well, think about cars and emission issues that need updates - manufacture does recalls and fixes it for everyone. Not sure what's different here? Why not just pull it from stores and fix it if its violating law?
> and isn't given an option to decline consent to Googles ToS

You can turn off the phone and sell it on Ebay

Hobson's Choice regarding tracking / data collection consent is specifically a breach of GDPR.
The option to refuse the new terms is there, it's just not explicit. I'm not saying this is nice or good, but OP's comment sounded like there's no option, they just made it less obvious.
Less obvious and not explicit terms are violations of GDPR.
If you live in the USA. However, as an European you have more rights, and in the next years we will witness a lot of battles between EU users and American corporations desperately trying to maintain the old status quo.
To downvoters: I'm curious to hear your counter-arguments. Yes, as a European I have more rights related to personal data than Americans. American companies can continue playing the same old tricks on American citizens with no consequences. It's not possible to do the same to Europeans anymore.
You were probably downvoted for your the absoluteness of your statement. For instance, you do not have more rights as a European business owner. Even as just a user, you have fewer rights to enter agreements now with these tech companies free from government involvement. What you may call rights, others call restrictions and limitations of rights.
Agreed. As an American, reading the term rights associated with increased government control is nonsensical. I understand the European viewpoint, its just much different in America
This is actually very interesting. It seems to me that many Americans really don't care how their personal data are (ab)used and will happily agree to absurd ToS-es without complaining. In Europe, we have quite different culture of doing things. And yes, the misnomed "right to be forgotten", i.e. the ability to remove my own personal data from a website, is an important right. Not being tracked is an important right. Not being profiled - ditto. It's really shocking to me that the narrative in the USA is that GDPR is evil, whereas many people in Europe consider it a very positive development, in spite of additional work that needs to be done.
Americans for the most part hates being told what to do by the government. For me, I hate it because government intervention tends to cripple economic growth. I value economic growth > social welfare (used in the non derogatory way, in America "welfare" has an immediate negative connotation). I am also aware of this and can understand why other cultures would reverse that equation
That's correct: government intervention stifles economic growth, be it GDPR or the Paris Agreement. The point is, these laws are proposed where self-regulation fails, and the corporate greed lead us to the situation that is worse to the society as a whole than without it.
Put simply: Americans prefer corporate overreach to government overreach. The latter is seen as only needed in extreme circumstances because there is often no going back. It's why you see hate for things like the cloud act and GDPR... it doesn't matter where they are enacted, some people don't want the government involved on these things at this point.
Genuine question: So Americans actually prefer the corporate Black Mirror-esque tracking and profiling that has become endemic and out of control over what I would consider a reasonable update to the old DPA?

How is it overreach and how is it solved without regulation? Equally, how is there any going back from the corporate overreach without?

Edit: typos.

You have deviated into the absolutist approach I mentioned before. You don't even have to do without regulation, just not more and larger. Among solutions there includes: education, enforcement of existing statutes, reduced scope legislation until enforcement catches up, promotion of alternative approaches, tacit support for technical defenses, etc, etc. There are so many more. Adopting this large sweeping legislation is a myopic approach taken by those who think they wield a toolbox with only one tool in it. Sometimes even, if the unfortunate choice is corporate or government overreach, we should not be so hasty to counteract the former with the latter. Work towards it.
GDPR really isn't that much more than the previous DPA which was in place 20 years without problem. Businesses and startups were still formed.

To stick to the general. Who pays for education and promotion of alternatives against industries spending billions? Either it's coming out of tax or a regulation is required to force educational messages and disclaimers. If neither it just seems a way to assert the status quo as any interested party or user rights group that does get a little visibility will be immediately advertised against by those with a financial interest but far deeper pockets.

Regulation might not be perfect, but seems to be the only viable way left to limit the problems that come with unrestricted commerce.

I think anti social media PSAs are as reasonable as any other PSAs. It's ok to encourage people to go outside instead of play video games or encourage people to not talk on the phone while driving. The video game and phone industries are big too. It's ok to give grants to projects that already have other players in the industry. It's ok to suggest people use ad block. There's no need to be so defeatist assuming nothing will work. We can't even really discuss these types of solutions if everything but law is assumed to not work for internet privacy issues when law is the only one that has been shown not to work. Absolutist phrases like "unrestricted commerce" (as though that exists) "regulation [...] only viable way left" are the reason nobody can see alternatives. It's like self-imposed blinders.
It's OK but ineffectual when up against industries spending orders of magnitude more. It can never be a level playing field.

You give using a phone while driving as an example. UK tried PSAs for years before ultimately outlawing it. Enough were seen ignoring that law that they doubled the penalty some years later. From the occasional piece I've seen on US sites that mention the issue I get the impression that distraction from phones is a disappointing but accepted facet of modern driving.

The older I get the more agreeable I feel to more regulation and adequate enforcement. Without it companies large and small, and individuals, are too inclined to be abusive - of pollution, of privacy, of financial misselling and so on. All to make that sale or commission. Caveat emptor works when it's a consumer against the local greengrocer, or taking a survey before house purchase. Not so much when it's a consumer against multi-nationals employing psychologists and so forth which is why most UK consumer regulation has been steadily moving away from that model for years.

As a European I can look as the US, who prefer minimal regulation, and see it as providing much confirmation that I don't want to do it that way. I'm a little disappointed that UK governments frequently do wish to adopt a US-lite approach.

> As an American, reading the term rights associated with increased government control is nonsensical.

This is nonsensical. You can not have rights w/o government anyways. You may have privileges or power to force others to comply, but "rights" are defined by a third party entity that enforce them.

You have those backward. Natural rights, at least, are considered to exist before and outside of government. Enumerated rights may derive from government, as do privileges. The "lege" in privilege literally means "law".

Enumerated rights are the rights the GP was talking about. These are defined in law, though may derive from natural rights.

Yeah, good luck enforcing that natural rights w/o any entity to protect you from those who are stronger than you and keen on violating your "rights" for their own good. If I have a gun and you don't, and nobody can enforce your right to life, the chances are that I can kill you and your right to life with a single movement of a finger any time I want. And because not everybody can become warlords, w/o any organisation to enforce those natural rights, they'll only belong to those with more guns. And such organisation, in one form or another, is some sort of government. Calling some rights "natural rights" and believing that they "exist before and outside of government" are just naivety in the least, if you don't have nobody to make sure nobody violates them. We don't live in philosophical wonderlands, unfortunately. In our lands some A. Nix guy can easily acquire data of 50million people in a country and put that to use of unlawful, evil organisations. And just like everybody will kill everybody if you don't have jails to put killers in, these companies will continue on forming and exploiting until there are grave consequences to doing so.
I'm just clearing up some confusion about definitions here, not making any comment on enforcing rights.
I'm actually kinda curious what role the US government will end up playing in all of this
So far Google and FB has no complaints about GDPR - that was the word from EU regulators. Why would you think they are so desperate?
In that point of view, it seems a rather unfair complaint

It is an unfair complaint. But to be fair to the regulators, these complaints were filed by users, and may well be dismissed once reviewed by regulators. This type of unfair complaint will be an interesting test to see just how abusive the GDPR enforcers may or may not be.

The real test is how Google behaves.

Google shouldn't be collecting data from users who agreed to share their data based on outdated ToS that are no longer legally valid.

They should ask for agreement to new GDPR-compliant terms just as they do for users who agreed to the old terms before GDPR was law.

Why do you think that previous ToS was outdated and no longer legally valid? Why do you think consent given x years earlyer would not be valid?
Because the new law says the user can’t be assumed to consent, unless the specific parts of the contract are stated more explicitly, are opt-in rather than opt-out, etc. The old ToS become invalid and unenforceable.

If they stop collecting data for those users (at least until they opt in to an updated ToS) that would work around the problem.

Anyway, I'm in EU and I received mailon 12th may about updated privacy policy. In my native language that is used only by <2m ppl.
I'm pretty sure that's incorrect at least today, it's possible to skip through the initial setup on a stock Android device without adding a Google account or accepting a ToS.
If there is, they don't make it obvious. Whenever I've tried setting up a stock Android phone, I've looked for a way to do so without adding a Google account, but found no such option.

Perhaps it's possible to do so by pressing or holding some obscure sequence of buttons, but in that case it is reasonable to argue that a 'hidden' option isn't really an option at all. After all, you can't hide microscopic text on a paper contract and expect signees to be bound by it.

There may be stock Android phones out there that do provide a clear option to not use a Google account, but there are certainly many phones that do not.

"Add a google account, enter your email"

On the bottom of that page in grey is a skip button. You do that and you've skipped over it.

I am using a chinese noname Android phone without a Google Account. It is somewhat useable even without Internet connection and without SIM card. For example, I can use a camera, radio, music player, a dictionary or offline maps.
China gets your data now.
That's why I thought about either routing all traffic through my server or replacing proprietary ROM with open source software.
Good luck downloading apps though. I can't see how it's necessary for Google to track all your stuff, just to permit you to download an app.
You can use third party app repositories like the FOSS-only F-Droid, or even simply download apps directly from individual creators if they release the apk.
Also there are sites that allow you to download .apk file from Google Play without Google Account.
(comment deleted)
"you would need to agree to the ToS to get that update"

If you have to agree to their ToS before you can use the device, it should be before you purchase.

Google intentionally waited until they had your cash to say GOTCHA! We require an additional payment of your soul. Now its biting them in the ass, it is entirely fair.

That is entirely false.

If you buy from the Google store, you'd have to agree before buying (you can't buy without an account).

If you don't, then the seller had to notify you before your purchase. Google had little influence there.

And your argument doesn't work if you're taking about third party devices, which the parent was.

Android itself is open source. OEMs aren't forced to bundle the Google services with it. This can't be blamed on Google either.

They're probably still violating gdpr, and I'm looking forward to the first real cases. These are just silly

Google has a checklist of things that each OEM has to do in order to distribute the Google Apps, which are not open source. If the OEMs are in compliance with Google's terms for OEM distributors, I would say that it is an issue with Google's terms.

I am curious, I have a Samsung device and I note that I can't uninstall Gmail. Is that Google's choice or Samsung's choice?

honestly, i think the best choice would be to 'accept', and use the google services, or deny -- and just not get any google apps installed.

this would give privacy oriented people the option to simply opt out of anything google and still uphold the pretty good stock experience.

but this is imo still not google's task. OEMs choose to just flash google's services and apps by default right into their OS. that should only be done after the user said 'yes, i want to tell google everything i do'

If denying would mean that I am denied service of their apps, then that would be a violation of gdpr. That is the point of the regulation.
> In that point of view, it seems a rather unfair complaint

Regulations arent necessarily designed to be "fair" though.. if GDPR is written in a way that manufacturers need to recall all stock and update phones, its cost is part of GDPR compliance and a fair tradeoff for its benefits as per EU citizens

Google and the manufacturer had 2 years to ensure this wouldn't be an issue.
Apparently that didn't work. I think we're all curious what they can/will do now, because it is an issue.
Android has the ability to push updates to phones that haven't been set up yet; when you first turn on a new phone the first thing it does is ask for wifi so it can check for updates. Google has the ability to update the phone before literally any other part of setup occurs. You do not need to consent to the ToS first; the setup steps on Android are really carefully thought through from a legal perspective.

(I know this because I worked both on the setup system and on one of these "zero-day updates", where we fixed some bugs between when we sent the "final" image to the manufacturer and when we actually shipped devices)

Google cannot update a phone that uses an OS built by another OEM. Since the OEM cited in this complaint is a low end Huawei phone they're responsible for pushing the update.
> forcing people to accept wide-ranging data collection in exchange for using a service is prohibited under GDPR

Erm... I don't think that's true.

As long as you are open and transparent about what you are doing, and give users the right to request, update and delete the data you hold on them, then AFAIK this is allowed

Nope thats actually true. You cant force say tracking, if its not absolutely needed, for the product to work. And i think thats why a lot of the popups have dark patterns, to hide the fact, that you can no opt out to these things.
Hmm, seems you are right, I just found this PDF from the ICO: https://ico.org.uk/media/about-the-ico/consultations/2013551...

"Avoid making consent a precondition of a service"

"consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service"

I assume Facebook et al will simply find a way to make everything 'necessary'.

They have, and thats why they are going to be sued.. they made tracking a precondition for using the service.
For consent this is true, but there are other legal ways for you to collect the data. One is legitimate interest, this one is more abstract but requires a bit more work from you.

I think a lot of the future court cases will be around trying what one can use legitimate interest for.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

Legitimate interest is meant for when it's in the user's best interest... but I've no doubt that, given sufficient lawyers, Facebook et al could argue almost any data-hoovering is in their users best interest
Part of that is because consent is only one of the 6 ways to claim compliance for data processing, and is not always the appropriate way to be compliant. In fact, most people who are using the word "consent" are wildly misinterpreting the GDPR, using "consent" as a catchall term, when in fact the GDPR takes a far narrower view.

The legal basis that is probably FAR more important but isn't being talked about is the contractual basis, and there are two. When I say people are overusing "consent", I mean that entering into a contract requires ~consent~ in loose everyday conversation, but is actually not "consent" for the purposes of the GDPR - its a contract.

Because of the difference between the loose meanings in everyday conversation and the (slightly) more precise definitions in the GDPR, you are seeing a LOT of articles push back on using the consent basis for compliance because what you are actually talking about, in GDPR terms, is a contractual basis, or a "legitimate use" basis attached to a contractual basis.

Most online businesses view their Terms of Service as establishing a contract. Therefore, no "consent" required because you using their website is a contract, even though in loose conversation you would say that you ~consented~ to enter that contract.

The document you posted is consistent in trying to hammer home the distinction. Read this excerpt:

> The ‘consent’ is a condition of service

If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won’t even count as valid consent.

Instead, if you believe the processing is necessary for the service, the better lawful basis for processing is more likely to be that the “processing is necessary for the performance of a contract” under Article 6(1)(b). You are only likely to need to rely on consent if required to do so under another provision, such as for electronic marketing.

It may be that the processing is a condition of service but is not actually necessary for that service. If so, consent is not just inappropriate as a lawful basis, but presumed to be invalid as it is not freely given. In these circumstances, you would usually need to consider ‘legitimate interests’ under Article 6(1)(f) as your lawful basis for processing instead.

Targeted advertising has become such a big deal, and implemented at such high cost, that I wonder if the trade off is even worth it now. I could imagine Apple or Samsung simply "sponsoring" Facebook for a week or month at a time with banners and messaging - tastefully done of course! - and how much less hassle that would all be, rather than aggregating millions upon millions of cookies and chasing people around the internet, winding them up, etc.

Targeting ads for anonymous searches, fine: search for cars, see car adverts. Simple!

I'm sure there is plenty of data that shows how terrible this whole idea is in terms of wasted ad spend, missed opportunities, so it'll never happen, but it's a nice dream :-)

If this were the case I'd genuinely turn off my adblocker.
I possibly would too; I wouldn't begrudge the more innocent revenue generation tbh, provided ads were sufficiently unobjectionable!
Targeted advertising has always seemed pretty dumb, to me most advertising is done by Coke and their target is every where.
Exactly - traditional advertising has long been about product and brand awareness and giving people the warm fuzzies about their logos, slogans, imagery etc. Treat online as exactly that with clickthroughs as a bonus!
> Targeted advertising has always seemed pretty dumb, to me most advertising is done by Coke and their target is every where.

Doc Searls made a good point: targeted advertising isn't advertising, it's really direct marketing (like spam and junk mail).

Coke is doing advertising, but the adtech "targeted" advertisers are just spamming you using new technology.

https://blogs.harvard.edu/doc/2018/05/12/gdpr/comment-page-1...

Absoultely every site that has had a new GDPR warning is just the same as the old cookie banner. "By using the site you agree..." Some have updated privacy pages which describes how you can delete or deny cookies... An absolute joke, nobody is following the law.

It should be simple. A new banner that asks "allow tracking", yes, no. Either option allows you to use the site freely.

Are they also planning to sue Apple? I can get it activated without creating account.
I think Facebook's lawyers have determined that they can use the 'legitimate interest' basis for showing targeted ads to their users [0]. This basis does not require consent from users except as part of the take-it-or-leave-it initial terms of service.

Here are the parts of the 'legitimate interest' basis which are most useful to Facebook:

The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.

So Facebook's lawyers can simply say, "It's in our legitimate interest to maximise advertising revenue".

You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose.

Facebook's lawyers can say, "It is necessary for us to use personal information about our users, such as their age and location, in order to maximise our advertising revenue".

The GDPR is clear that the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect.

Facebook's lawyers can say, "People expect that we use their personal information such as age and location to determine what ads to show them, so the interest of the user does not override our legitimate interest of maximising advertising revenue."

[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...

If companies successfully argue that maximising revenue is a legitimate interest and thus, don't need users consent, then the GPDR will worth less the paper it was written on.

I would be extremely surprised if the EU goes through all this tome, effort, and money just to let corporations continue with business as usual

> I would be extremely surprised if the EU goes through all this tome, effort, and money just to let corporations continue with business as usual

trust me, you didn't see what the eu already gone through, just to keep existing.

Eu cookie law is one prior example of this. That worked out to “business as usual” in the end, didn’t it?
Think of the GDPR as a bug-fix release to remove the loopholes those legal hackers used.
Nope. It was a nice step that showed everyone how even the most unexpected website tracks you with some cookies.
> I would be extremely surprised if the EU goes through all this tome, effort, and money just to let corporations continue with business as usual

I wouldn't. EU is all about bureaucracy and hordes of civil servants doing meaningless jobs. If GDPR becomes fruitless like Cookie Law, then they'll say tough luck, hire more civil servants and start working on another useless law.

There was a lot of lobbying done to water down the GDPR.

But on the other hand, corporations are all about unscrupulous behaviour and doing the minimum possible (if that) to claim they respect the law. If the GDPR works, they'll just hire more lobbyists.

Lawyers can say such things and I'm sure that Facebook will try to fight it, but I don't think they'll be able to do so successfully, because the GDPR is very specific about what a "legitimate interest" is.

See here for an explanation: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

PS: the EU can't wait to give fat fines to companies like Facebook and Google, due to their tax evasion schemes. It's the whole reason for why these companies haven't been able to stop GDPR, with all of their lobbying prowess. And I don't care about such motives, as an EU citizen I'm glad that GDPR exists.

As an American citizen I'm glad that GDPR exists. Our own government will never strongarm Big Tech into respecting their users - especially in this political climate - so I'm glad someone else is.
I think it is naive at best. To me, it's like the EU is a spoiled child who wants everything for free without paying for it. Most of the web is payed for by targeted advertising and getting rid of that would make the web suck as their would be way less money to actually pay for content. Also, non-targeted ads suck as they usually end up being like Viagra ads since they pay the most.
I don't see what is naive. The EU has never said that you can't have ads. You can do ads without using and selling user data. For instance, you can have contextual ads (depending on what you read, not who you are) or just random ads.

GDPR is not against the ad business, it is only setting limits and obligations on how you can use personal data. It is saying that it is not normal for businesses to build huge user profiles without oversight or even consideration.

> GDPR is not against the ad business

Yet somehow, I doubt that GDPR would exist if Google and Facebook were German companies, rather than American ones.

Is that relevant in any way?

And Germans are more privacy aware than Americans, for obvious historical reasons.

There's nothing inherently wrong with storing user data or using targeted advertising as long as it's not abused. Instead of outlawing only cases of abuse like any sensible law would do, the EU just chooses to throw the baby out with the bathwater because it's not their baby.
The EU tried that. Google and friends gave a shit. Then result was creating a regulation more painful to them. These companies apply their US based understanding of right and wrong to the globe. You see China, EU and Russia are reacting and applying their local rules. With different methods, but they do.
No, data can be sold or leaked and abused at any point in time, it doesn't matter that it doesn't happen right now.

People that blame Cambridge Analytica are missing the point, which is that Facebook is a threat to everything we know just by existing.

They would never be German companies. We (Germans) would have regulated them bancrupt long time ago :).

You are right. GDPR is a very German thing. We essentially have a two digit party (the greens) which rose because of the rejection of a general census (and nuclear energy). In Europe we are also not alone with that (see pirate party).

Oh and regards sensibility: The EU tried that. Google and friends gave a shit. Then result was creating a regulation more painful to them. These companies apply their US based understanding of right and wrong to the globe. You see China, EU and Russia are reacting and applying their local rules. With different methods, but they do.

> non-targeted ads suck as they usually end up being like Viagra ads since they pay the most.

Ads on TV have been non-targeted since the TV was invented, TV stations have survived thus far and are doing a little better than online publishers.

Note that we are talking of tracking individuals. You can still say a lot about the demographics of a TV show and thus do ads targeting based on the actual content being watched. That's not user profiling and while you can infer a lot about those watching, it's not dangerous either, because you're not keeping a history of what that user watched.

Saying that tracking individuals is necessary for getting revenue is disingenuous.

Besides, in case you aren't watching the news, the biggest problem for publishers is by far ad-blocking, not GDPR. If they would have respected people's privacy, security and time, we wouldn't have been in this mess and we wouldn't need laws. In our country we have a saying, you sleep in the bed you make ;-)

> Saying that tracking individuals is necessary for getting revenue is disingenuous.

I'm definitely not saying that. I'm saying non-targeted ads generate a lot less money than targeted ones which means the content on the internet won't be as good as companies will generate less money to pay for the content.

In the extreme cases as we are seeing now, businesses are shutting down or blocking all EU users because the peanuts they would make from generic ads are not worth the server costs, content creation costs, costs to comply with the law, and potential fine costs (risk).

Shutting down or blocking all EU users is perfectly fine by me. At least I'd know which are the companies I should stay away from.

But no, it won't happen, because the EU is the world's second biggest market. If China can afford to coerce companies into censorship and violating people's rights, the EU can afford to impose some privacy laws as well.

And as I've been saying elsewhere, targeted ads are only needed at this point because people are fed up with ads due to abuse, this being a race to the bottom anyway. Pretty soon targeted ads won't work well either, how well they work right now is questionable and all of that data will have been collected already, ready to be sold and abused.

> If China can afford to coerce companies into censorship and violating people's rights, the EU can afford to impose some privacy laws as well.

Take this with a grain of salt since I am not from China and really only know about it from HN: The EU is not nearly as powerful as the Chinese government nor do I think the general Chinese population is aware of how much better G/FB/other sites are outside of china (admittedly speculation on all accounts), nor are they in a country where they can vote to change laws (pretty sure on this one from what I have read on HN).

If G/FB suddenly stopped supporting EU users, they would most likely cry out so loud that the law would get reversed in days. This law seems to target privacy and opt-ins mostly and I as a programmer don't even give a shit about those since they give me amazing services for it. I highly think most people want the free apps with targeted ads over a full block or paywalls.

> * The EU is not nearly as powerful as the Chinese government*

Not sure what that's supposed to mean.

> If G/FB suddenly stopped supporting EU users

But they won't because they are not stupid. Instead they'll start respecting the privacy of EU citizens, which is going to be a win for us.

> I highly think most people want the free apps with targeted ads over a full block or paywalls.

Most people aren't aware of the threat to their privacy.

Also, do you work for a company that makes its living off targeted ads?

Not that I judge you or anything, I worked on a startup in the past building a platform for serving ads on bidding exchanges (what Criteo has been doing, except they succeeded). And now I'm working on anti-ad-blocking technologies. But I'm also privacy aware, as I've seen full well what targeting can do and I don't suffer from double standards.

The people that defend ads targeting are those that work in the ads industry.

TV stations have survived thus far and are doing a little better than online publishers.

The number of TV stations has a hard limit, so that's why the average TV station makes more in ad revenue than the average online publisher. But the top online publishers (Google and Facebook) make much, much more in ad revenue than the top TV stations.

Perhaps we should just give out operating licenses to 1000 websites and force the rest to shut down :)

Setting aside older ad-showing media (newspapers, magazines, cable TV), even the web itself did just fine before today's holistic individual ad-targeting. For the most part, today's problematic practices started happening after the Dot Com boom.

It's amazing the point we've reached, where egregious tracking is so normalized that we assume it's fundamental to the internet's feasibility. Facebook and Google aren't meek charity-organizations, trying to give the world free stuff and only asking for the pittance of our data, to help keep the lights on. Their profit margins are enormous. They could do quite well for themselves without any tracking at all, just showing random ads. Not to mention that many people would pay for their services if it meant getting rid of ads altogether.

The reason they don't offer individuals the option to pay for their services instead of being tracked isn't out of charity. It's because they would make less money. Your data is more valuable than any reasonable monthly fee you'd be willing to pay.

If GDPR puts an end to the gold-rush that's happening at the expense of everyone else in society, forcing tech companies to make a normal amount of money instead of an insane amount of money, that sounds to me like an unambiguous good.

(comment deleted)
> Also, non-targeted ads suck as they usually end up being like Viagra ads since they pay the most.

You can still have targetted ads without tracking user data. Show ads for gaming content on eurogamer/ign, or ads for technology on techcrunch, or ads for Viagra on WebMD

> EU can't wait to give fat fines to companies like Facebook and Google, due to their tax evasion schemes.

How does GDPR relate to "tax evasion" at all? Also, Google and FB set up to pay taxes in Ireland, which is a member of the E.U. That seems legal to me. See https://en.wikipedia.org/wiki/Double_Irish_arrangement

The 4% of worldwide revenue aspect is almost exclusively pointed at the giant US tech companies. Europe has few meaningfully large tech companies, with large global sales, such that taxing worldwide revenue matters (this is why they didn't just make it an EU revenue tax).

It's meant to try to plunder some of the global revenue that Google, Facebook, Microsoft, Netflix, Apple, Amazon, Twitter, Snapchat, etc. are generating. They're betting that these companies will slip up at some point (who the hell taxes revenue, instead of profit, other than the backwards Russian state anyway?).

Amazon is going to $400 billion in sales (and is about to have a giant, lucrative ad business). Google is going to $200 billion in sales. Facebook is going to $100 billion in sales. Netflix will have 250 million subscribers. Apple is pushing toward $250 billion in sales.

GDPR itself wasn't designed just to tax the US giants. The 4% tax on worldwide revenue however does exist solely to try to get loot from the US tech dominance. As the EU gets left further and further behind the US tech colossus, their rage and envy will increase by the year.

The Germans like to snark at the Americans about how they should build better cars. Well, Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.

There's no 4% tax on revenue in the GDPR as far as I can tell. It's a 4% fine for violations. Which is potentially far greater than a 4% tax, since it applies to every violation.
If fines are impossible to avoid without going out of business or leaving the market, they're taxes by another name.
They are impossible to avoid if and only if they continue to give a shit about user's rights.

I agree however that the law targets the big tech companies. They ignored previous laws and regulations so they got a meaner more targeted one.

Btw, constitutions start with "we the people" not with "we the companies".

> Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.

I'm an European and I must say that's bullshit.

Yes, you can earn 3x to 5x more in Silicon Valley. Property prices are crazy expensive however, many people don't afford to live near their office, with crazy commute times being common, the schools there are either expensive and crazily competitive or poor, if you work on your own or in a startup it's pretty common to not have health insurance, in which case you can get fucked, plus your gun control is pretty broken and it's horrific to see kids shot in US schools all the time.

I live in Romania. I'm within 15 minutes of my office that I do by bike, I have both public and private health insurance for cheap (and in spite of popular opinion, Bucharest has some of the best trained medical personnel in the world), my earnings are well above the average which means that for me the cost of living is cheap, my 8 year old son goes to a good public school, I own my own apartment and we'll build a house in the future too and I freely travel to Berlin, Munich, London, Barcelona, Rome, etc. yearly for conferences and I can walk the streets of Bucharest without fear, gun-related murders and murder in general being almost unheard of.

People in Silicon Valley may be earning 5x, but the cost of living is 10x at least.

If anything, Silicon Valley is only attractive because all the cool companies are there. But you know what, due to the high competition, nowadays you've got plenty of companies hiring remotely or opening offices in Europe. I'm fine with that.

Keep in mind that in absolute terms, earning 5x more and 10x cost of living might be larger savings. It sounds like Romania is a nice place, so you could even save for 5 years and retire there.

That said, I dislike rewarding california a single cent of tax revenue for them to piss their LSD-addled urine into the wind, fuck SF go to austin TX (state income tax, easiest 10% raise of your life! pay is same as SF)

Most of this is pretty irrelevant to the comment you're replying to. The argument is that EU companies don't pay tech talent what they're worth. School shootings and bike lanes don't have anything to do with that.

And I'm completely sympathetic to the argument that you're making about compensation vs. cost-of-living, but I think you're mistaken. The cost of living isn't 10x that of Europe. Taking into account taxes and government benefits that we have to pay for ourselves, it's probably more like 50-100% more expensive to live in, say, the Bay Area or NYC vs. any major metro area in Europe other than Eastern Europe, which will catch up eventually. I could be wrong though! I live in NYC, in a very nice 2 bedroom apartment in a doorman building right next to a large park. My daughter attends an expensive private school. We have excellent healthcare, travel a LOT, eat out frequently, etc. Total basic budget (not including taxes, savings, or other splurges) is ~$10k - 12k / month. Is your budget for similar lifestyle around $1k / month?

In general, those of us in the US who are lucky enough to work in tech and live in HCOL areas and work for high salaries aren't irrational; the tradeoff is usually worth it, especially if you enjoy urban areas.

That is a good argument, but some things are priced as absolutes and not as a percent of CoL. So, true, in Romania your salary is ~ 10x your CoL and in SV it would be 5x maybe, but the money left over in absolute terms (9x Romainan_CoL vs 5x SV_CoL) is significantly different. So, if you want something that is priced absolutely, like a plane or a boat, SV is still better.
> Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.

Funny, I see plenty of happily employed engineers with 30 days PTO, mandatory sick pay, national healthcare, stable security nets, support for maternity (and in some cases even paternity) leave.

> who the hell taxes revenue, instead of profit, other than the backwards Russian state anyway?

Both Washington and Texas for starters....

New companies can't benefit from that scheme anymore, since 2014 actually.

"Finance Minister Michael Noonan closed the Double Irish to new schemes in October 2014 (existing schemes to close in 2020), and expanded the Capital Allowances for Intangibles scheme as a replacement"

Yes, it's tax avoidance, not tax evasion. On the other hand, EU seems to want to make the current arrangement tax evasion in the future.
> So Facebook's lawyers can say, "It's in our legitimate interest to maximise advertising revenue".

They can say it is their interest to have enough revenue to operate the site and some (how much?) profit above that. Maximizing revenue is an other angle.

Though if we accept that we live in capitalist society then maximizing profits is one of the core tenets of that.

Well, in case of "need enough revenue to operate" they could just add reasonable "no tracking" monthly fee.
Can they? I was under the impression that GDPR does not allow “accept tracking or else pay money”. If it does then that seems like an easy, obvious solution to the problem. So easy and obvious that the fact no one is implementing it makes me suspect it is not actually compliant.
"Legitimate interest" works for regular data (Article 8).

You cannot claim "legitimate interest" for sensitive data (Article 9), such as political and religious views, or sexual orientation.

That’s probably ok though, as I imagine those features are somewhat less important to advertisers.
You could probably take it a step further and say that it is in the user’s best interest to see targeted rather than generic advertising, because you can show fewer ads and make the same revenue. I don’t know if regulators will buy it though.

I for one am very interested to see how this continental experiment changes the experience of internet users in Europe. And I’m sure glad (at least in this dimension) that I’m not there. (Overall I think I’d be better off living in Europe despite the occasional law I disagree with, but that’s another story.)

> You could probably take it a step further and say that it is in the user’s best interest to see targeted rather than generic advertising, because you can show fewer ads and make the same revenue. I don’t know if regulators will buy it though.

It would be hard to argue that when none of these companies are in fact showing "fewer ads" as a result of targeting.

You don’t know that, because you don’t know how many ads they would be showing in the alternate reality where they only show non-targeted advertisements.
So regulators should just take their word for it and allow them to slide on compliance because they claim they would be showing more ads in some alternate reality if it weren't for targeting? That sounds like a loophole that would allow pretty much everyone to ignore GDPR completely, and I think you'd actually have to live in an alternate reality to consider that reasonable. The entire advertising industry would be exempt from GDPR.

By that logic, they could fill an entire site with ads, and claim that since those ads are targeted it's still a benefit to users, because if the ads weren't targeted they would have to make the site larger in order to fill it with even more ads. There's no limit to how far you could take that.

I wouldn’t say they should take their word for it. They should hear the argument and decide if it is reasonable and supported by the data.
I don't think they 'll manage to convince anyone that maximum profit can be a legitimate reason - at least not in the current climate. They can claim however that, since facebook's business is selling targeted ads (which is truly their source of revenue), their system simply needs user's data to work.

I believe that facebook DID ask about permission with its terms pop-up that i saw on the web. In any case however, any complaint against facebook will be judged emotionally at this time, so the details may matter less.

At the scale at which Facebook operates there are billions at stake and they will litigate these things until the last breath rather than to give up these lucrative revenue streams. Look forward to FB pulling out of Ireland if that's what it comes down to.
It appears many companies try not to comply to the spirit of the law. Stack Overflow, for example, sent an e-mail claiming to have opt-in permissions to promotional messages, while not actually having them and only providing opt-out settings:

"With your continued permission, we will send you promotional messages based on your preferences. To see and change your opt-in preferences, manage your Email Settings."

I guess with such attitudes it's not going to be enforced much, otherwise there will be no one left to enforce it on.

Solution: Pay a few bucks a year or see ads. What's so difficult about that? That could solve the problem somewhat at least...
for europe it would be around $20 i believe.
Oh, one thing important to note that people might forget/ignore: this is just the beginning. See: https://en.wikipedia.org/wiki/Brussels_effect

A lot of countries look up to the EU, have trade agreements with it. Unless the GDPR totally falls flat on its face (unlikely), more and more countries will realize the benefits of this kind of legislation.

Also the GDPR will act as an icebreaker and it will "soften up" company stance on this matter. As a result it will be easier for the second line of countries adopting such laws to demand things from companies.

I'd say: get used to it. It's not going away, it's not going to become easier to use and sell personal data.

The Facebook/Cambridge Analytica thing definitely seemed to open up more US legislators to the idea. Between the EU taking the lead on antitrust against tech monopolies, and now privacy laws, it honestly makes them look bad: The EU is doing the job most people would've expected the US to take the lead on back in the day.

As GDPR will not end the world or pop the tech bubble or whatever, it's increasingly likely that the US will just go "yeah, we want all that too".

The EU is eager to "clean the clocks" of these big liberal, privacy destroying California based megaliths. Go Max go.
And here I'm hoping for the EU GDPR to kick all of these guys in the balls pretty hard. In the last few hours, I have been getting dozens of emails. Basically: Take it or leave. Some of them sent an email "if you don't leave, you are taking it".

And you are not given a choice to download your data or temporarily access your account to sort out things. Your hands are getting forced to accept the rules or potentially be locked out of your account.

I'm taking note of these little evil services. And in all fairness, my banking provider actually gave two options: one is required and the other is optional (marketing data collection). I was able to unselect it successfully.

I used Hope Fulwood to confirm the infidelity of my ex-wife and i am forever grateful to him. He helped my hack her phone which he held so dearly and i found out-numerous dating sites she was registered to, her emails, all her social network apps and even text messages. I was heartbroken but its better to know and act upon your knowledge than being played a fool. i will recommend Hope Fulwood and you can contact him via email...

GMAIL: trusthackerslounge2018 WEBSITE: https://trusthackerslounge.wixsite.com/mysite