The national agencies evaluates the complain and take a decision, which I hope will happen before the end of the year. Exactly how it happens depends on the country, as the GDPR leaves room for national legislation also on the section on the Supervisory authority.
GDPR could end free internet services. Maybe it is the outcome that the EU desires, I'm not sure, but I don't see how you can run non-transactional, free services without monetizing them via the best possible advertising. Do they want everyone to go back to punch-the-monkey and mortgage ads exclusively?
I was able to find an Alex Jones / Infowars video about it, but I'm unable to watch to see if it's just infotainment bluster, or based off of something more concrete that the parent poster could be referring to.
Free services existed before megatracking. Advertisements will go back to being targeted contextually, which will raise the value of views on "Tom's Train Fan Web Hub (and camera reviews)" at the expense of "Zuckerberg's Universal Website for Everyone." Look at Duck Duck Go for an example of advertising that is contextualized only with the current page, as opposed to the entirety of your personal history.
I welcome the old days. Everything has been heading in the direction of data grabbing and market share focused turf wars between big tech companies all trying to establish the most profitable monopoly.
The best part is: by revealing the true "cost" of the free services and slowly starting to curb their behaviors, high-quality paid services and content are becoming more palatable and viable.
I don't remember anyone running services with offerings similar to e.g. Gmail back then without income from targeted advertising. Back then, my mailbox had 10 MB capacity while Gmail offered 1 GB thanks to the money from advertising.
It's unclear to me how much of Gmail was made possible due to immediate pocket lining potential, and how much was possible due to their bringing the model of "offer orders of magnitude more service than what the average person will use, and absorb the outliers in the margins" to a web app service.
I don't think Gmail started out with heavy email content harvesting and integrated advertising but I could be misremembering.
The current state of your mailbox seems like a good corpus for memory-less targeting. Other than your emails, which the email provider obviously has to store, no personal information would have to be kept. As a result I'm not sure that the GDPR would impede Gmail, except to make it more valuable by increasing the scarcity of having that much data in one place.
I wasn't talking about email harvesting. It was their targeted ad income in general that made it possible to bootstrap this service at the beginning and then make use of the e-mail data to further improve their otherwise free offering.
Competition doesn't matter unless a competitor actually make things better. Back then, everything sucked. Gmail actually pushed the industry to the next level.
Most other services today are no better than a pop/imap inbox as before, just with a bigger storage quota.
They're old crappy protocols designed a long time ago. There's a reason why no modern email system uses them but only offers a mapping interface at best for older clients.
That's a different question. 3 random examples don't really mean anything. IPv4 is old, HTTP/1 is old, SSLv1 is old. Sure they work, but we also have newer better stuff.
The old email protocols do not properly support modern features like syncing across multiple devices and servers with lightweight and efficient payloads, along with fast and safe attachment handling, consistent message ids, message threading, labels, contacts, push-based notifications, and many other things that people take for granted today. All modern email systems have built their own and don't use pop/imap because they're too outdated to even use as a foundation.
Here's JMAP from Fastmail if you want more details on a open-source email protocol: https://jmap.io/
I don't think it's a foregone conclusion that advertising needs to be based around tracking your every move to make the best or most effective ads. Domain relevance is still one viable path in some cases.
The rise of adblocking and the ongoing arms race from that would prompt innovation and change eventually.
I don't think we need to underestimate the advertising industry's ability to route and innovate around regulation and irritated consumers.
That's not a bad thing. The general public has never wanted web companies to spy on them, and tech companies have been taking advantage of people's ignorance.
Everybody in the ad world knows it, too, and that's why so many companies are freaking out. They'll never get permission from people to spy on them like they have been. They whined about the "Do not track" header in the same way - they want to hide what they're doing as much as possible.
If asking "customers" to opt-in in to your business model is going to hurt your business, it was a shitty business model in the first place.
Unlikely. Most people are going through be clickinc yes. The ones that wouldn’t are already using ad blockers. Gdpr launch has created a privacy hysteria but that will go away.
They are not free. Someone pays for them. If someone wants to pay for an internet service by giving advertisers access to their PII -- that's fine. But it doesn't mean that this monetization scheme should be applied to anyone using the service. Internet companies should provide a paid, tracking-free, and GDPR-compliant access mode, as an alternative to a free ad-based one.
Who knows, maybe brick & mortar companies would also accept this double-monetization model, so that when you come to Starbucks next time you would be able to get a free coffee in exchange for your PII and a non-removable tracking bracelet.
For the proponents of GDPR, do you think that these are good ideas? edit: Why? What's the argument for them?
> The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent
> a penalty of 4% of global revenue
edit: On the first, if companies use (for example) personalized ads to pay for the service, why should they be forced to provide the service without the source of funding? If you disagree with that, you can just not use the service.
I prefer some targeted ads. I'd like to be able to opt in or out. Why do you think that what I want from Google should not be allowed if it's a win for me, Google, and advertisers?
I wouldn’t, but if anyone thinks their privacy violations are so egregious then they should refrain from using their services. No one is forcing them to use the service.
To the person that downvoted this - anyone can use DuckDuckGo, Apple Map, Dropbox, Airtable, any one of hundreds of email service providers, etc to avoid Google. It’s actually fairly easy to avoid.
Perhaps a middle-ground will be centralized batch opt-in services that opt you into collecting for most ad networks and sites.
The requirement not to deny service for people who don't opt-in should prevent that from being used as an end-run around the regulations, but we'll see.
There's the possibility of digital citizenship for some EU member states but I have no clue if it grants any of these rights or protections, or is even legal for most countries (or specifically, America).
Because "in the EU, personal information cannot be conceived as a mere economic asset: according to the case law of the European Court of Human Rights, the processing of personal data requires protection to ensure a person's enjoyment of the right to respect for private life and freedom of expression and association".
I do think these are good ideas. I think so, because "If you disagree with [services using your data to finance themselves], you can just not use the service" is not actually a thing for the following reasons:
1) These services have no interest in actually providing you with truthful, complete or comprehensible information about what they do with your data. You actually cannot form an opinion that would allow you to judge the situation.
2) Even as someone in IT, who frequently reads about information being correlated or used in creative ways to cause damage, I do not feel like I could fully judge the impact of giving any piece of information about me to a company, even when I'm fully informed about the things they do with my data. The way they anonymize data might get proven to be deanonymizable. We might have crazy advances in technology, leading to modern cryptography being a joke and criminals decrypting the information that I produce right now. We might have some change in government, which for whatever fuck kind of reason feels like anyone who can be proven to have smiled at a Jew in their life, should be executed.
And if I am in no position to judge something like that, the layperson is certainly not either and does need the law to help them out.
3) It's not anymore possible to live life by just not using services that violate your privacy.
Most webpages have Google Analytics on them. Or Google Ads. Google anything.
The prevailing desktop operating system is Windows, which is headed towards Windows 10.
The prevailing mobile operating system is Android.
The prevailing social network is Facebook.
The prevailing messenger is WhatsApp.
The prevailing video platform is YouTube.
And far too many people see no problem sharing your e-mail conversations with Google.
Even the bloomin train that I take to work has a surveillance cam in it, like it was the most normal of things. Which hadn't been legal prior to the GDPR either, they just didn't give a shit, because punishment was basically nonexistent.
And no, I don't consider setting up a farm in the middle of buttfuck nowhere to be "living life". I cannot afford to be a social outcast, to not use the internet etc..
About #2, I'm not clear on this: to many services, esp ones like Facebook, a user who does not want targeted ads would not hand over any less data about themselves. And the user would have no additional transparency into their behind the scenes tools or operations under GDPR.
can someone explain how would this make consent popups go away? I think consent popups are here to stay, what this lawsuit may change is what buttons will be on them
I think The Atlantic’s version is a great example, with a bunch of opt-in options clearly laid out. In the end the rest will probably end up looking more or less like that, or go down in much-deserved flames.
So what exactly is the overall outcome that people (in the support camp) are expecting from GDPR? Obviously targeted content and advertising is not going to stop. But maybe the 0.01% of the population that wants to opt-out of targeting or download their data can (BTW most of this was already possible with most big players)? And they want this at the cost of much higher cost of compliance for hobbyists and startups? And what does all this mean in terms of net gain to society?
I politely disagree. The law is clear that it can go on with user consent as long as there is provision for deletion and download. Which means it is going to be business as usual (with a lot of inconvenience to comply).
From the article: "The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data."
Laws can't demand a service be offered without consideration unless the government intends to socialize or pay for it. This is unlikely to hold up beyond allowing complaints by people feeling entitled enough to do so, although I'm sure FB and the rest will happily roll out subscription plans if necessary.
You can't legislate that online services be provided any more than you can legislate that Apple provide iPhones for everyone. The government can offer subsidies or refunds or some other consideration, but there must be something in return.
GDPR would have been a sensible regulation if it only applied to large companies. With respect to complaints against Facebook and Google, I have no qualms.
Regulatory interactions are inherently costly. It doesn’t matter if you do everything correctly. People will mis-understand and file complaints; you’ll need lawyers earlier than otherwise. This inhibits business formation. For large companies, whose data represents the greatest systemic threat, I think the trade-off is worth it. For smaller companies, having an EU lawyer on staff is not.
I have a client who is a freelance writer. She has basically ZERO technical knowledge. It was a struggle for her to get Wordpress set up. She is absolutely terrified of GDPR, to the point that she's scared to log in to her website.
To her, what does being "mindful of their user's privacy" even mean?
She probably has analytics installed. Maybe she collects some emails.
There is zero chance she is going to be abusing her user's privacy. All GDPR has done for her is cause stress -- and caused her to spend more money on basically useless "GDPR plugins" for Wordpress.
There are countless people like her, who are spending money effectively on nothing. Because of GDPR. It's horrible. In my opinion.
> There is zero chance she is going to be abusing her user's privacy. All GDPR has done for her is cause stress -- and caused her to spend more money on basically useless "GDPR plugins" for Wordpress.
If her admin password is 'password123' and her database and analytics get dumped by someone, it doesn't matter if she wouldn't abuse users privacy, because others will.
That's a common sentiment, unfortunately, the Google and Facebook tracking scripts on your little private blog are doing just the same damage as the same scripts on a big newspaper's web site. Both track in exactly the same way.
What happens when a GDPR claim is dismissed by a court? Are the plaintiffs required to compensate the defendants? Can Facebook/Google counter-sue for damages?
What's stopping anyone from randomly filing GDPR claims against every other website? How many such claims can the system handle at any given time before succumbing to years-long queues?
In these 4 cases they have been reported to the regulator. For 3 of them the reports will be passed to the regulator in Eire as that's where they have an EU presence.
So if it is "dismissed" that essentially means the regulator decides no action is required. Or the regulator might decide a phone call or letter will suffice for a first offence.
Max Schrems could take a case to court against Facebook or whoever, with all the usual costs, penalties and potential for appeals etc.
The odd thing is that lots of companies are abusing forced consent, but Google isn't one of them from what I've seen. Instead it's mostly publications like the Washington Post, Forbes, and Fortune just to name the last three I encountered this on. Google seems quite happy to let you refuse to let them use your personal information for ad targetting or any kind of personalisation of results and continue using their services, whereas a lot of publications just plain won't let you view their site unless you agree to this.
Because Google needs the reputation. And if publications like Washington Post, Forbes, Fortune do it on behalf of Google, because ultimately what they deploy is Google Analytics, Google Tag Manager, Google Ads and so forth, then that's a double win for Google.
What about github? What happens if someone that have been a contributor to several projects and then says to github that they have to remove the data that is in those repositories. However they just cannot go in and erase history in companies repos?
From Article 17, Right to erasure (‘right to be forgotten’) [0], "the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
If one can argue the personal data is still necessary, e.g. for the purpose of attribution in a repo, then the controller is not obliged to erase it.
Paragraph 3 is all about exceptions including ones for freedom of expression and "establishment, exercise or defence of legal claims," e.g. copyright or other IP.
But attribution is not permanent legal requirement it’s eventually going to expire. And copyright or IP is about the owner of the repository, but not the personal information in a repository. I find it hard that “copyright” or IP applies to personal information unless you are the one owning it, which you don’t if you work for a company. However it could be kind of funny if you work another company contributing to a project owned by another company.
About “defense of legal claims”, removing people from the history will only strengthen your claim as the owner of the repo?
I’m not convinced that paragraph 3 actually applies here, not sure what exact claims can be done for keeping that information as it is. And can github “hide” behind such vague exceptions?
GitHub may have to add some capabilities but I'm thinking about the people running the repo; retaining attribution of submissions as a defense against accusations of code theft. I was also mainly thinking about public repos open source, not code contributions by employees in a work-for-hire situation.
113 comments
[ 63.0 ms ] story [ 1511 ms ] threadI don't think Gmail started out with heavy email content harvesting and integrated advertising but I could be misremembering.
Most other services today are no better than a pop/imap inbox as before, just with a bigger storage quota.
Everything is built upon them though.
Why can't things be built upon POP and IMAP?
Why are they crappy protocols?
That's a different question. 3 random examples don't really mean anything. IPv4 is old, HTTP/1 is old, SSLv1 is old. Sure they work, but we also have newer better stuff.
The old email protocols do not properly support modern features like syncing across multiple devices and servers with lightweight and efficient payloads, along with fast and safe attachment handling, consistent message ids, message threading, labels, contacts, push-based notifications, and many other things that people take for granted today. All modern email systems have built their own and don't use pop/imap because they're too outdated to even use as a foundation.
Here's JMAP from Fastmail if you want more details on a open-source email protocol: https://jmap.io/
Also my last comment already links to a new protocol. Perhaps you should look at that.
Then again: with re-targeting and other "very advanced" techniques, so are other ads I get.
I wish I'd get actually relevant ads. Perhaps a "universal" micro-payment system may make me actually give away money.
Perhaps data-banks will actually happen.
The days of the ad-rush seem to be coming to an end.
The rise of adblocking and the ongoing arms race from that would prompt innovation and change eventually.
I don't think we need to underestimate the advertising industry's ability to route and innovate around regulation and irritated consumers.
Everybody in the ad world knows it, too, and that's why so many companies are freaking out. They'll never get permission from people to spy on them like they have been. They whined about the "Do not track" header in the same way - they want to hide what they're doing as much as possible.
If asking "customers" to opt-in in to your business model is going to hurt your business, it was a shitty business model in the first place.
They are not free. Someone pays for them. If someone wants to pay for an internet service by giving advertisers access to their PII -- that's fine. But it doesn't mean that this monetization scheme should be applied to anyone using the service. Internet companies should provide a paid, tracking-free, and GDPR-compliant access mode, as an alternative to a free ad-based one.
Who knows, maybe brick & mortar companies would also accept this double-monetization model, so that when you come to Starbucks next time you would be able to get a free coffee in exchange for your PII and a non-removable tracking bracelet.
> The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent
> a penalty of 4% of global revenue
edit: On the first, if companies use (for example) personalized ads to pay for the service, why should they be forced to provide the service without the source of funding? If you disagree with that, you can just not use the service.
The second... I don‘t care whether it‘s 3, 4 or 5 percent. But the big idea is „global“ and „revenue“, which again is excellent.
It remains to be seen if that ideal is upheld, and what kind of creative workarounds and ideals companies will try to explore.
As with any regulation or law, it has potential to be overbearing, favor incumbents and/or end up doing the opposite of its initial intentions.
That's the nature of anything society tries to do, though. If it doesn't work right, change it later.
The GDPR does not outlaw ads. It only makes using the worst types of ads difficult or maybe even impossible.
And that‘s unequivocally good!
It simply doesn‘t allow you to decide for me that I would really love targetted ads.
Hence, „consent“.
Perhaps a middle-ground will be centralized batch opt-in services that opt you into collecting for most ad networks and sites.
The requirement not to deny service for people who don't opt-in should prevent that from being used as an end-run around the regulations, but we'll see.
I'm seeing targeted ads so where did I opt in? I'm not saying I didn't but the fact that I can't recall doing so is a bit of puzzle?
EDIT: typo.
But why make this one illegal?
We can make wedding planners illegal if we don't like them and then just say "not all business models are legal.
But that doesn't explain why. Why stop people from engaging in a transaction that both sides consider to be a win?
https://edps.europa.eu/sites/edp/files/publication/16-09-23_...
I don't think not giving you services if you don't opt in violates your "enjoyment of the right to respect for private life..."
Are you saying that you shouldn't be allowed to trade use of your personal information for services?
If not, how does your quote tie in?
That's the principle behind the GDPR, yes.
I think that's the crux.
That information is to be regarded as part of some inalienable rights, that those who have those rights cannot give up, even if they want to.
Not allowing people to waive their rights prevents a race to the bottom, in theory.
For the same reason we disallow duels, even if both parties feel it would be a great way to settle a dispute.
What is that reason exactly? I don't see what the two have in common.
Is this the basis of our disagreement?
Unlike some Internet and Silicon Valley types (who always seem to lean ultra-libertarian), I like living in a society. And society has a fabric.
This discussion is a bit like the one about minimum wage. You probably don't like it. Many people ("society") do.
Searching for mechanisms to limit these models seems fair. I hope it is carried forth on good faith and gets good results.
1) These services have no interest in actually providing you with truthful, complete or comprehensible information about what they do with your data. You actually cannot form an opinion that would allow you to judge the situation.
2) Even as someone in IT, who frequently reads about information being correlated or used in creative ways to cause damage, I do not feel like I could fully judge the impact of giving any piece of information about me to a company, even when I'm fully informed about the things they do with my data. The way they anonymize data might get proven to be deanonymizable. We might have crazy advances in technology, leading to modern cryptography being a joke and criminals decrypting the information that I produce right now. We might have some change in government, which for whatever fuck kind of reason feels like anyone who can be proven to have smiled at a Jew in their life, should be executed.
And if I am in no position to judge something like that, the layperson is certainly not either and does need the law to help them out.
3) It's not anymore possible to live life by just not using services that violate your privacy.
Most webpages have Google Analytics on them. Or Google Ads. Google anything.
The prevailing desktop operating system is Windows, which is headed towards Windows 10.
The prevailing mobile operating system is Android.
The prevailing social network is Facebook.
The prevailing messenger is WhatsApp.
The prevailing video platform is YouTube.
And far too many people see no problem sharing your e-mail conversations with Google.
Even the bloomin train that I take to work has a surveillance cam in it, like it was the most normal of things. Which hadn't been legal prior to the GDPR either, they just didn't give a shit, because punishment was basically nonexistent.
And no, I don't consider setting up a farm in the middle of buttfuck nowhere to be "living life". I cannot afford to be a social outcast, to not use the internet etc..
In practice, companies will continue to assume the opposite, and we'll see how things shake out with the regulators and courts.
It's the cornerstone behind any teeth in the GDPR.
Exciting times.
I concede that chances are low, but I contend they are non-zero.
You can't legislate that online services be provided any more than you can legislate that Apple provide iPhones for everyone. The government can offer subsidies or refunds or some other consideration, but there must be something in return.
The EU is not the USA - the majority of small businesses will never need a lawyer at all!
To her, what does being "mindful of their user's privacy" even mean?
She probably has analytics installed. Maybe she collects some emails.
There is zero chance she is going to be abusing her user's privacy. All GDPR has done for her is cause stress -- and caused her to spend more money on basically useless "GDPR plugins" for Wordpress.
There are countless people like her, who are spending money effectively on nothing. Because of GDPR. It's horrible. In my opinion.
If her admin password is 'password123' and her database and analytics get dumped by someone, it doesn't matter if she wouldn't abuse users privacy, because others will.
What's stopping anyone from randomly filing GDPR claims against every other website? How many such claims can the system handle at any given time before succumbing to years-long queues?
They just wrote a letter to the data protection agencies that – in their opinion – someons is doind something wrong.
Facebook/Google et al. have no quarrel with Max Schrems, but with the data protection agency, if it decides to act on this.
Therefore it's obvious that Max Schrems cannot be liable for anything.
In these 4 cases they have been reported to the regulator. For 3 of them the reports will be passed to the regulator in Eire as that's where they have an EU presence.
So if it is "dismissed" that essentially means the regulator decides no action is required. Or the regulator might decide a phone call or letter will suffice for a first offence.
Max Schrems could take a case to court against Facebook or whoever, with all the usual costs, penalties and potential for appeals etc.
[0] https://www.git-tower.com/learn/git/faq/change-author-name-e...
If one can argue the personal data is still necessary, e.g. for the purpose of attribution in a repo, then the controller is not obliged to erase it.
Paragraph 3 is all about exceptions including ones for freedom of expression and "establishment, exercise or defence of legal claims," e.g. copyright or other IP.
[0] https://gdpr-info.eu/art-17-gdpr/
About “defense of legal claims”, removing people from the history will only strengthen your claim as the owner of the repo?
I’m not convinced that paragraph 3 actually applies here, not sure what exact claims can be done for keeping that information as it is. And can github “hide” behind such vague exceptions?