113 comments

[ 63.0 ms ] story [ 1511 ms ] thread
What is the process between this complaint and a fine / order to rectify?
The national agencies evaluates the complain and take a decision, which I hope will happen before the end of the year. Exactly how it happens depends on the country, as the GDPR leaves room for national legislation also on the section on the Supervisory authority.
GDPR could end free internet services. Maybe it is the outcome that the EU desires, I'm not sure, but I don't see how you can run non-transactional, free services without monetizing them via the best possible advertising. Do they want everyone to go back to punch-the-monkey and mortgage ads exclusively?
Chinese websites are exempt. What does that tell you?
I can't find a reliable reference for this. Can you point me to something official about it?
I was able to find an Alex Jones / Infowars video about it, but I'm unable to watch to see if it's just infotainment bluster, or based off of something more concrete that the parent poster could be referring to.
Maybe because the EU has no jurisdiction or influence over China?
They certainly have both over Alibaba and JD.com which have European offices. And that's just two off the top of my head.
Free services existed before megatracking. Advertisements will go back to being targeted contextually, which will raise the value of views on "Tom's Train Fan Web Hub (and camera reviews)" at the expense of "Zuckerberg's Universal Website for Everyone." Look at Duck Duck Go for an example of advertising that is contextualized only with the current page, as opposed to the entirety of your personal history.
I welcome the old days. Everything has been heading in the direction of data grabbing and market share focused turf wars between big tech companies all trying to establish the most profitable monopoly.
The best part is: by revealing the true "cost" of the free services and slowly starting to curb their behaviors, high-quality paid services and content are becoming more palatable and viable.
You can’t say that until you see the price. Facebook would cost $20 per year per person. It s up to the users to decide if thats a good price
I wouldn't pay that to be offended by my relatives.
I don't remember anyone running services with offerings similar to e.g. Gmail back then without income from targeted advertising. Back then, my mailbox had 10 MB capacity while Gmail offered 1 GB thanks to the money from advertising.
It's unclear to me how much of Gmail was made possible due to immediate pocket lining potential, and how much was possible due to their bringing the model of "offer orders of magnitude more service than what the average person will use, and absorb the outliers in the margins" to a web app service.

I don't think Gmail started out with heavy email content harvesting and integrated advertising but I could be misremembering.

I did not say that it was thanks to email harvesting, it was the targeted ad income they had in general that made it possible.
The current state of your mailbox seems like a good corpus for memory-less targeting. Other than your emails, which the email provider obviously has to store, no personal information would have to be kept. As a result I'm not sure that the GDPR would impede Gmail, except to make it more valuable by increasing the scarcity of having that much data in one place.
I wasn't talking about email harvesting. It was their targeted ad income in general that made it possible to bootstrap this service at the beginning and then make use of the e-mail data to further improve their otherwise free offering.
Gmail can't use that data for ads unless they ask for consent separately (which the user can refuse).
AOL wasn't the only email provider back then and Gmail isn't now today either.
Yeah but it used to be the only one with more than 10 MB storage in days when disk space was very expensive.
Competition doesn't matter unless a competitor actually make things better. Back then, everything sucked. Gmail actually pushed the industry to the next level.

Most other services today are no better than a pop/imap inbox as before, just with a bigger storage quota.

What's wrong with pop/imap?
They're old crappy protocols designed a long time ago. There's a reason why no modern email system uses them but only offers a mapping interface at best for older clients.
MAC is old and designed a long time ago. IP is old and designed a long time ago. TCP is old and designed a long time ago.

Everything is built upon them though.

Why can't things be built upon POP and IMAP?

Why are they crappy protocols?

> Why can't things be built upon POP and IMAP?

That's a different question. 3 random examples don't really mean anything. IPv4 is old, HTTP/1 is old, SSLv1 is old. Sure they work, but we also have newer better stuff.

The old email protocols do not properly support modern features like syncing across multiple devices and servers with lightweight and efficient payloads, along with fast and safe attachment handling, consistent message ids, message threading, labels, contacts, push-based notifications, and many other things that people take for granted today. All modern email systems have built their own and don't use pop/imap because they're too outdated to even use as a foundation.

Here's JMAP from Fastmail if you want more details on a open-source email protocol: https://jmap.io/

Write up reference documents for a better protocol and make an RFC
Why? I'm not interested in writing an email protocol and really don't care.

Also my last comment already links to a new protocol. Perhaps you should look at that.

DDG ads are usually terribly irrelevant ("Shop for testicular cancer on Amazon").

Then again: with re-targeting and other "very advanced" techniques, so are other ads I get.

I wish I'd get actually relevant ads. Perhaps a "universal" micro-payment system may make me actually give away money.

Perhaps data-banks will actually happen.

The days of the ad-rush seem to be coming to an end.

Thats not (edit: better). I have enabled context ads in adsense now , the ads are just worse and annoying
What is not true?
(comment deleted)
I don't think it's a foregone conclusion that advertising needs to be based around tracking your every move to make the best or most effective ads. Domain relevance is still one viable path in some cases.

The rise of adblocking and the ongoing arms race from that would prompt innovation and change eventually.

I don't think we need to underestimate the advertising industry's ability to route and innovate around regulation and irritated consumers.

That's not a bad thing. The general public has never wanted web companies to spy on them, and tech companies have been taking advantage of people's ignorance.

Everybody in the ad world knows it, too, and that's why so many companies are freaking out. They'll never get permission from people to spy on them like they have been. They whined about the "Do not track" header in the same way - they want to hide what they're doing as much as possible.

If asking "customers" to opt-in in to your business model is going to hurt your business, it was a shitty business model in the first place.

Unlikely. Most people are going through be clickinc yes. The ones that wouldn’t are already using ad blockers. Gdpr launch has created a privacy hysteria but that will go away.
>GDPR could end free internet services.

They are not free. Someone pays for them. If someone wants to pay for an internet service by giving advertisers access to their PII -- that's fine. But it doesn't mean that this monetization scheme should be applied to anyone using the service. Internet companies should provide a paid, tracking-free, and GDPR-compliant access mode, as an alternative to a free ad-based one.

Who knows, maybe brick & mortar companies would also accept this double-monetization model, so that when you come to Starbucks next time you would be able to get a free coffee in exchange for your PII and a non-removable tracking bracelet.

Fortunately the EU has other things to worry about at the moment so GDPR hysteria should die down quick
For the proponents of GDPR, do you think that these are good ideas? edit: Why? What's the argument for them?

> The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent

> a penalty of 4% of global revenue

edit: On the first, if companies use (for example) personalized ads to pay for the service, why should they be forced to provide the service without the source of funding? If you disagree with that, you can just not use the service.

The first is an excellent idea.

The second... I don‘t care whether it‘s 3, 4 or 5 percent. But the big idea is „global“ and „revenue“, which again is excellent.

When taken with the main goal being compliance, not money extraction, yeah.

It remains to be seen if that ideal is upheld, and what kind of creative workarounds and ideals companies will try to explore.

As with any regulation or law, it has potential to be overbearing, favor incumbents and/or end up doing the opposite of its initial intentions.

That's the nature of anything society tries to do, though. If it doesn't work right, change it later.

Not all business models are legal. If the companies don't want to abide by the rules of the EU, they can opt not provide services to people in the EU.
Furthermore, they can adjust their business.

The GDPR does not outlaw ads. It only makes using the worst types of ads difficult or maybe even impossible.

And that‘s unequivocally good!

I prefer some targeted ads. I'd like to be able to opt in or out. Why do you think that what I want from Google should not be allowed if it's a win for me, Google, and advertisers?
You can! It's totally fine for Google to ask for your consent to track you! They just can't make your use of the site dependent on your consent.
Why not? As a consumer if I don't consent I simply don't use the service. Is it my right to use Google?
Would you seriously, actually ever stop to use Google? They have a gigantic monopoly on so many things.
I wouldn’t, but if anyone thinks their privacy violations are so egregious then they should refrain from using their services. No one is forcing them to use the service.
To the person that downvoted this - anyone can use DuckDuckGo, Apple Map, Dropbox, Airtable, any one of hundreds of email service providers, etc to avoid Google. It’s actually fairly easy to avoid.
Great! The GDPR allows that.

It simply doesn‘t allow you to decide for me that I would really love targetted ads.

Hence, „consent“.

You have to explicitly opt-in now.

Perhaps a middle-ground will be centralized batch opt-in services that opt you into collecting for most ad networks and sites.

The requirement not to deny service for people who don't opt-in should prevent that from being used as an end-run around the regulations, but we'll see.

'You have to explicitly opt-in now.'

I'm seeing targeted ads so where did I opt in? I'm not saying I didn't but the fact that I can't recall doing so is a bit of puzzle?

Are you a European citizen? If not, then I don't think there's much more you can do.
There's the possibility of digital citizenship for some EU member states but I have no clue if it grants any of these rights or protections, or is even legal for most countries (or specifically, America).

EDIT: typo.

> Not all business models are legal.

But why make this one illegal?

We can make wedding planners illegal if we don't like them and then just say "not all business models are legal.

But that doesn't explain why. Why stop people from engaging in a transaction that both sides consider to be a win?

Because "in the EU, personal information cannot be conceived as a mere economic asset: according to the case law of the European Court of Human Rights, the processing of personal data requires protection to ensure a person's enjoyment of the right to respect for private life and freedom of expression and association".

https://edps.europa.eu/sites/edp/files/publication/16-09-23_...

It's a little unclear to me how this answers the question. Can you connect the dots here?

I don't think not giving you services if you don't opt in violates your "enjoyment of the right to respect for private life..."

Are you saying that you shouldn't be allowed to trade use of your personal information for services?

If not, how does your quote tie in?

Are you saying that you shouldn't be allowed to trade use of your personal information for services?

That's the principle behind the GDPR, yes.

No. You are still allowed to do that, but you have to explicitly opt-in.
> Are you saying that you shouldn't be allowed to trade use of your personal information for services?

I think that's the crux.

That information is to be regarded as part of some inalienable rights, that those who have those rights cannot give up, even if they want to.

Not allowing people to waive their rights prevents a race to the bottom, in theory.

For the same reason we disallow indentured servitude, even if the poor guy would „really“ love to „work“ for the other guy.

For the same reason we disallow duels, even if both parties feel it would be a great way to settle a dispute.

Do you think Google requiring use of my personal info in exchange for free services should be banned for the same reason as duels?

What is that reason exactly? I don't see what the two have in common.

Ordre public (public policy).
So are your norms and morals offended enough to justify banning such a business model that requires opt-in?

Is this the basis of our disagreement?

This is not about my personal norms and morals, but about those of the society I live in.

Unlike some Internet and Silicon Valley types (who always seem to lean ultra-libertarian), I like living in a society. And society has a fabric.

This discussion is a bit like the one about minimum wage. You probably don't like it. Many people ("society") do.

I would reword. Not all business models are healthy for society. Or their workers. Or their consumers.

Searching for mechanisms to limit these models seems fair. I hope it is carried forth on good faith and gets good results.

I do think these are good ideas. I think so, because "If you disagree with [services using your data to finance themselves], you can just not use the service" is not actually a thing for the following reasons:

1) These services have no interest in actually providing you with truthful, complete or comprehensible information about what they do with your data. You actually cannot form an opinion that would allow you to judge the situation.

2) Even as someone in IT, who frequently reads about information being correlated or used in creative ways to cause damage, I do not feel like I could fully judge the impact of giving any piece of information about me to a company, even when I'm fully informed about the things they do with my data. The way they anonymize data might get proven to be deanonymizable. We might have crazy advances in technology, leading to modern cryptography being a joke and criminals decrypting the information that I produce right now. We might have some change in government, which for whatever fuck kind of reason feels like anyone who can be proven to have smiled at a Jew in their life, should be executed.

And if I am in no position to judge something like that, the layperson is certainly not either and does need the law to help them out.

3) It's not anymore possible to live life by just not using services that violate your privacy.

Most webpages have Google Analytics on them. Or Google Ads. Google anything.

The prevailing desktop operating system is Windows, which is headed towards Windows 10.

The prevailing mobile operating system is Android.

The prevailing social network is Facebook.

The prevailing messenger is WhatsApp.

The prevailing video platform is YouTube.

And far too many people see no problem sharing your e-mail conversations with Google.

Even the bloomin train that I take to work has a surveillance cam in it, like it was the most normal of things. Which hadn't been legal prior to the GDPR either, they just didn't give a shit, because punishment was basically nonexistent.

And no, I don't consider setting up a farm in the middle of buttfuck nowhere to be "living life". I cannot afford to be a social outcast, to not use the internet etc..

About #2, I'm not clear on this: to many services, esp ones like Facebook, a user who does not want targeted ads would not hand over any less data about themselves. And the user would have no additional transparency into their behind the scenes tools or operations under GDPR.
can someone explain how would this make consent popups go away? I think consent popups are here to stay, what this lawsuit may change is what buttons will be on them
Since things have to be opt-in, in theory you could ignore or block all such popups and benefit from the default of not having given consent.

In practice, companies will continue to assume the opposite, and we'll see how things shake out with the regulators and courts.

It's the cornerstone behind any teeth in the GDPR.

Exciting times.

I think The Atlantic’s version is a great example, with a bunch of opt-in options clearly laid out. In the end the rest will probably end up looking more or less like that, or go down in much-deserved flames.
So what exactly is the overall outcome that people (in the support camp) are expecting from GDPR? Obviously targeted content and advertising is not going to stop. But maybe the 0.01% of the population that wants to opt-out of targeting or download their data can (BTW most of this was already possible with most big players)? And they want this at the cost of much higher cost of compliance for hobbyists and startups? And what does all this mean in terms of net gain to society?
A few extra billions in fines
That is correct. They should have just gone the route of taxing more for that revenue.
No, because the fines encourage good behavior to avoid them.
I hope that your „obviously“ isn‘t quite so obvious and it does stop.

I concede that chances are low, but I contend they are non-zero.

I politely disagree. The law is clear that it can go on with user consent as long as there is provision for deletion and download. Which means it is going to be business as usual (with a lot of inconvenience to comply).
But why would most users consent?
Because they want access to the services and content.
From the article: "The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data."
Laws can't demand a service be offered without consideration unless the government intends to socialize or pay for it. This is unlikely to hold up beyond allowing complaints by people feeling entitled enough to do so, although I'm sure FB and the rest will happily roll out subscription plans if necessary.
Lawmakers have no obligation to preserve flawed business models.
Ok, but that has nothing to do with what I said.

You can't legislate that online services be provided any more than you can legislate that Apple provide iPhones for everyone. The government can offer subsidies or refunds or some other consideration, but there must be something in return.

Facebook is perfectly allowed to stop providing services, but they cannot make use of their service contingent on tracking and personalized ads.
GDPR would have been a sensible regulation if it only applied to large companies. With respect to complaints against Facebook and Google, I have no qualms.
As a small business owner, I disagree - all businesses should be mindful of their user's privacy.
(comment deleted)
Regulatory interactions are inherently costly. It doesn’t matter if you do everything correctly. People will mis-understand and file complaints; you’ll need lawyers earlier than otherwise. This inhibits business formation. For large companies, whose data represents the greatest systemic threat, I think the trade-off is worth it. For smaller companies, having an EU lawyer on staff is not.
> you’ll need lawyers earlier than otherwise

The EU is not the USA - the majority of small businesses will never need a lawyer at all!

I have a client who is a freelance writer. She has basically ZERO technical knowledge. It was a struggle for her to get Wordpress set up. She is absolutely terrified of GDPR, to the point that she's scared to log in to her website.

To her, what does being "mindful of their user's privacy" even mean?

She probably has analytics installed. Maybe she collects some emails.

There is zero chance she is going to be abusing her user's privacy. All GDPR has done for her is cause stress -- and caused her to spend more money on basically useless "GDPR plugins" for Wordpress.

There are countless people like her, who are spending money effectively on nothing. Because of GDPR. It's horrible. In my opinion.

> There is zero chance she is going to be abusing her user's privacy. All GDPR has done for her is cause stress -- and caused her to spend more money on basically useless "GDPR plugins" for Wordpress.

If her admin password is 'password123' and her database and analytics get dumped by someone, it doesn't matter if she wouldn't abuse users privacy, because others will.

That's a common sentiment, unfortunately, the Google and Facebook tracking scripts on your little private blog are doing just the same damage as the same scripts on a big newspaper's web site. Both track in exactly the same way.
It makes no difference where the script is if the regulation only applied to the large companies behind them.
What happens when a GDPR claim is dismissed by a court? Are the plaintiffs required to compensate the defendants? Can Facebook/Google counter-sue for damages?

What's stopping anyone from randomly filing GDPR claims against every other website? How many such claims can the system handle at any given time before succumbing to years-long queues?

Max Schrems/NOYB is not really a "plaintiff". They have started no legal proceedings.

They just wrote a letter to the data protection agencies that – in their opinion – someons is doind something wrong.

Facebook/Google et al. have no quarrel with Max Schrems, but with the data protection agency, if it decides to act on this.

Therefore it's obvious that Max Schrems cannot be liable for anything.

There's no court case here yet.

In these 4 cases they have been reported to the regulator. For 3 of them the reports will be passed to the regulator in Eire as that's where they have an EU presence.

So if it is "dismissed" that essentially means the regulator decides no action is required. Or the regulator might decide a phone call or letter will suffice for a first offence.

Max Schrems could take a case to court against Facebook or whoever, with all the usual costs, penalties and potential for appeals etc.

(comment deleted)
The odd thing is that lots of companies are abusing forced consent, but Google isn't one of them from what I've seen. Instead it's mostly publications like the Washington Post, Forbes, and Fortune just to name the last three I encountered this on. Google seems quite happy to let you refuse to let them use your personal information for ad targetting or any kind of personalisation of results and continue using their services, whereas a lot of publications just plain won't let you view their site unless you agree to this.
Because Google needs the reputation. And if publications like Washington Post, Forbes, Fortune do it on behalf of Google, because ultimately what they deploy is Google Analytics, Google Tag Manager, Google Ads and so forth, then that's a double win for Google.
What about github? What happens if someone that have been a contributor to several projects and then says to github that they have to remove the data that is in those repositories. However they just cannot go in and erase history in companies repos?
Code is not personal data. All they need to clean up is the contributer's name and contact information.
But that still requires to rewrite history in the repos [0]. What if the commits are signed etc.

[0] https://www.git-tower.com/learn/git/faq/change-author-name-e...

Ideally, they simply change the data for that user's identity, and everything that pulls it gets the anonymous info instead.
How?
Anything can be scripted.
Well, I don’t think Github can rewrite the history of a customers’ repo just like that.
Agreed, that would set a dangerous precedent that would force many to consider alternatives
There are a number of exceptions to the Right to be Forgotten provisions.
The exceptions are if there is an different law that supersedes GDPR. However none of them are indefinitely so sooner or later GDPR will apply.
From Article 17, Right to erasure (‘right to be forgotten’) [0], "the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

If one can argue the personal data is still necessary, e.g. for the purpose of attribution in a repo, then the controller is not obliged to erase it.

Paragraph 3 is all about exceptions including ones for freedom of expression and "establishment, exercise or defence of legal claims," e.g. copyright or other IP.

[0] https://gdpr-info.eu/art-17-gdpr/

But attribution is not permanent legal requirement it’s eventually going to expire. And copyright or IP is about the owner of the repository, but not the personal information in a repository. I find it hard that “copyright” or IP applies to personal information unless you are the one owning it, which you don’t if you work for a company. However it could be kind of funny if you work another company contributing to a project owned by another company.

About “defense of legal claims”, removing people from the history will only strengthen your claim as the owner of the repo?

I’m not convinced that paragraph 3 actually applies here, not sure what exact claims can be done for keeping that information as it is. And can github “hide” behind such vague exceptions?

GitHub may have to add some capabilities but I'm thinking about the people running the repo; retaining attribution of submissions as a defense against accusations of code theft. I was also mainly thinking about public repos open source, not code contributions by employees in a work-for-hire situation.