This is nice in theory but I no longer have hope that it'll be effective. Remember that the GDPR is supposed to rid us of any non-consensual data collection and annoying cookie pop-ups, and yet years after it went into effect it's still not being enforced anywhere near enough and companies openly breach it.
I see ten fines applied to big tech companies that are over 10 million Euro and three that are over 50 million Euro.
GDPR is definitely being enforced but mostly on big tech companies not small ones which I'd imagine is part and parcel of the intent of the regulation.
Compare the amount total fine amount to Google or Facebook with their yearly profits, the majority of which are earned by illicit data collection.
Not to mention, to this day both these companies are still breaching the GDPR, so the fines clearly didn't have any effect and they are still happy to continue acting in bad faith regarding personal data.
The reason the fines are low is because they exist to push for compliance, not to punish. That's also why they are increasing up to 4% global revenue. If that's not enough, the maximum can always be increased. More money for the EU countries.
It's really funny how US-oriented thinking made HN go up in arms about how GDPR fines were too excessive to how ineffective they are meanwhile the fine structure didn't change at all.
> they exist to push for compliance, not to punish
Well that clearly doesn't seem to be working.
> It's really funny how US-oriented thinking made HN go up in arms about how GDPR fines were too excessive to how ineffective they are meanwhile the fine structure didn't change at all.
Just FYI I'm UK-based and never had any of these US-centric concerns regarding the GDPR.
The fines are not enough right now, but they'll just keep on increasing until compliance is satisfied. There's no reason to start high and bringing small companies to ruin when everything will work out in the long term
Those "privacy score cards" for apps on both iOS and Android, filled out for 1st to 3rd party apps? GDPR in action.
The ability to reject tracking (which might cost money for a subscription or something - which will actually be tracking-free, instead of earning on both ends of the market, by selling a subscription _and_ tracking the hell out of their customers)? GDPR in action.
There are some dark patterns around the cookie consent popups, but it's up to people to report them, there's no EU privacy police squad digging up these cases on their own. There are only so many hours Max Schrems can spend every day (it's rumored to be 24hs or less, except maybe for one day a year) on running his non-profit to do that for you, me and everybody.
That stuff has ramp-up time, and as mentioned, the goal is compliance, not collecting fees. As practices _under GDPR_ are becoming established, and stuff went through court a few times, I'd expect schedules for compliance to shorten.
It would be a PR disaster for all things privacy if DPAs were to go all in on some case (taking 4% of global annual revenue), then losing the case in court. Given how many media companies are big in advertising and surveillance tech as well (with media mostly existing to attract eyeballs for their "real" business[0]), there'd be no end to the assault on privacy. Rather take it slow.
[0] e.g. https://venturebeat.com/2015/09/29/business-insider-buyer-ax... "Adblock Plus said Axel Springer’s lawyers asserted that “The core business of the plaintiff is to deliver ads to its visitors. Journalistic content is just a vehicle to get readers to view the ads.”"
> Those "privacy score cards" for apps on both iOS and Android
The GDPR already requires clear disclosure for data processing. If the "privacy score cards" were due to the GDPR then we should've seen them 3 years ago.
The privacy score cards actually demonstrate the lack of enforcement of the GDPR. A private company (Apple) successfully did something in a few months that the regulation couldn't in years. That shows how these potential "4% of global revenue" are really seen and they're not as threatening as they sound.
> The ability to reject tracking
Where? The vast majority of apps and websites still include Facebook SDK malware and similar, and in the rare cases where they actually do ask for consent there's no easy "decline" option, or the decline option is a sham (as in "disable cookies in your browser so we fall back to browser fingerprinting").
> but it's up to people to report them, there's no EU privacy police squad digging up these cases on their own [...] There are only so many hours Max Schrems can spend every day [...] on running his non-profit to do that for you, me and everybody.
This seems like a problem if the effort of investigating breaches is offloaded to laypeople, especially when finding out non-compliant cookie banners can be done automatically with a trivial web scraper.
> It would be a PR disaster for all things privacy if DPAs were to go all in on some case (taking 4% of global annual revenue), then losing the case in court.
Why is doing nothing considered better then? In either case nobody is complying with the regulation. At least an in-progress court case (that's likely to take years) is going to be a much bigger threat than current situation of nothing.
> A private company (Apple) successfully did something in a few months that the regulation couldn't in years
My point was that Apple started that effort only due to GDPR. And given that such work takes a while (the UI might be simple, but the decisions on what to model in the first place and how to represent it, and how to do that so that the same model can ideally be reused when other regions enact their own, slight different regulations, OMG...) the timeline might add up to this happening in direct response to GDPR.
> offloaded to laypeople
... offloaded to people with the specialized knowledge. DPAs are filled to the brim with lawyers and similar folks that I wouldn't want to let near a web scraper (or have them do app traffic analysis)
> Why is doing nothing considered better then?
"nothing" is not what happens.
This is a wild mix of technology, legal considerations, politics and PR.
"no time to waste" vs. "half a year" (plus at least 1-2 years in which they already discussed with Facebook how to make their product compliant) is how schedules work in governance, and it's not out of laziness: It's simple to turn a tiny ship but that doesn't say much about the flexibility of a supertanker.
The fun thing about the German DPA is that he's actually a computer scientist by training, so yeah, I guess he could run a web scraper.
He's using this role (and the authority it offers) somewhat different: His office's social media presence is on a self-run Mastodon install. According to what he wrote (on his personal account he had before already) it took them several months of auditing, writing legalese etc to ensure that they could do that, and that Mastodon can be configured in a fully compliant way. So now there's a show case that a few more offices joined (social.bund.de is open to German federal offices and for state Parliaments), and I seem to remember that they mentioned that the legalese and audit work is available to their clients in case they want to set up their own.
"Anybody" can run a web scraper (not necessarily doing a good job, but script kiddies do it all the time), but it takes a DPA to do _that_. I'd rather have his (modestly sized) team work on things that I simply cannot do.
[0] It's not a demand but a "strong recommendation", but not because there won't be consequences. I fully expect Kelber to start investigations into this first thing in 2022 but I guess this leaves the recipients of that recommendation the option to find a different way to come into compliance. Unlikely, but not entirely impossible.
The only decent fine was the Amazon one and even that one was minuscule compared to their net income. It was also covered in secrecy and will likely be overturned and drastically lowered like the other big cases like British airways and Marriott.
This for a law that took four years to finalize, to me it sums up to a very mediocre outcome, at best.
You are right that it’s being enforced, there’s just not very much force in the enforcing.
Is WhatsApp still a separate company? The real reason WhatsApp exists is to provide Facebook a backdoor into people's contacts so they can infer their social graph. Whatever "revenue" WA earns is peanuts, the real value is the collected data.
If you only look at it as pure loss, which would be wrong, WhatsApp (Facebook) most likely made a lot more money (and will continue to so) with the data, than they were fined.
That is a laughable case count compared to all the violations just everywhere.
If it would be enforced all of US BigTech would need to be outright banned from the EU until the US fixes its no-go issues like CLOUD Act or that secret FISA court.
That's the one part.
The other part is that also almost no domestic companies comply. More or less every business and all the country governments in the EU breach the GDPR in one or another way (for example by using US BigTech products behind the scenes as all governments do, or simply just collecting personal information without consent labeling it "legitimate interest" like almost every websites does).
All big German media outlets have for example right now a case in court for noncompliance with the GDPR. It will take years in court of course, and than nothing will happen, as every time before.
The same goes for things like "Privacy Shield v3.0" the EU Commission is working on. This new version is obviously illegal for the same reasons as it was the case for v1 and v2. But they don't care. The courts need many years to stop it again. Until then this illegal regulations that obviously violate the GDPR will stay in place.
for an example that is a bit less annoying - the EU website used to do a blocking top banner that was super annoying back when GDPR was being taken seriously, now they just bury it (like lots of others do).
Please see the EU website itself - All normal websites are using cookies. The EU itself is doing a banner - they have (thankfully) made it a lot less obtrusive where you can still use the site now without giving explicit consent.
But this is I think the "big lie" of the GDPR folks - no banners needed, when even the EU itself and its agencies etc all use it.
So you expect random joe blow website to overthink this even further, go against what they see the EU itself doing? It's total garbage.
I'm browsing europa.eu a fair while now (in a private browser session to avoid any old cookie from maybe interfering) and the only banner they show is "An official website of the European Union - How do you know?"
There are two links to the cookie page (https://europa.eu/european-union/abouteuropa/cookies_en or equivalent for the currently used language), one in the top nav bar, one in the bottom. Interestingly, that page talks about the cookie banner and how they need consent for analytics and stuff, but I never saw that.
So, given how they explicitly state that they need it for analytics, I went to my browser settings and disabled sending the DNT header - and there was the cookie consent popup.
So: State outright and by default that you don't want to be analyzed and they won't bother you.
My only question is why they see a need to do analytics. Without that they wouldn't require that stuff _at all_.
No banners are needed. They are required when you start tracking your users because that when you need their consent to do so. And that's quite proper.
I think the point is that no one knows which activities call for consent, or what all of their transitive dependencies do, and so they show it out of an abundance of caution. As should have been predictable by intelligent legislators, which the EU generally are.
Websites could do a better job and if browser makers would get involved to standardize the popup for Accept All/RejectAll/Manage Cookies then you could have a perfect experience.
Today I hit for the first time a site that made it as easy to Accept or Reject startrek.com
also many sites now offer option to delete my account and even JS APIs for tracking now have options for GDPR to not store private data. So YES things improved but are not perfect, to blame is not the law but the jerks.
Browser vendors tried to establish such a standard but it pretty much died when Microsoft enabled it by default for IE9 and some ad brokers began to claim that they can now ignore DNT because it doesn't actually reflect user intent anymore. (see https://www.theregister.com/2015/04/03/microsoft_reverses_ie...)
With that it became deprecated. Thank you, Microsoft and Yahoo.
You still find people here on HN that want to be tracked, they are convinced that tracking is necessary. So a browser could implement something to shut this people up, Instead of a simple flag On or off, you can start with 3 states, On, Off, Unset and you can have it set per webpage.
This is a fair point. I suppose I just meant relative to most legislators. It's a very, very low bar - which is partly understandable, given their explicit job is to be the ultimate judge of a vast range of things in none of which they are experts.
But that it votes on something is significant and often leads to implementation of something similar eventually. And since you know that it does not mean implementation and I know this then we both should assume many or enough people know this.
After "long talks" (maybe there is even money involved, who knows) with the parliament the things that the Council and / or Commission want get implemented.
Maybe the parliament is allowed to keep some wording form it's proposals as long as it stays mostly symbolic form the practical point of view.
The EU is a "democracy simulation" as we call it. Neither the Council nor the Commission are elected by the EU people but the laws are made by those institutions in practice.
Usually in systems where you need A and B to agree to pass a legislation, if A start blocking B's initiatives, B starts blocking A's initiatives in response. If the Council and the Commission always go against the Parliament's will, I expect the Parliament to block their initiatives in return, causing a permanent state of gridlock, until some truce can be reached. If this does not happen in reality, why doesn't it?
Other than immigration policy was absolutely not what Brexit was about, unless you mean made up stories about EU banana regulations or Boris Johnson's kippers.
You have no clue. The EU is an illegitimate, antidemocratic, aggressive, power hungry entity that will destroy anything in its path, in particular the sovereignty of countries and civilians. One out of a million legislations is sensible, the rest is colonialist garbage.
Who cares what the EU Parliament voted for? They can't make laws.
It will start to be interesting when the EU Commission makes its point. And everybody knows the true rulers of the EU want to extend the surveillance and police state further no mater what the people's parliament thinks about that. This has by now a long tradition. All previous regulation went in that direction. They won't make just now a 180 turn. That's clear.
48 comments
[ 3.2 ms ] story [ 100 ms ] threadI see ten fines applied to big tech companies that are over 10 million Euro and three that are over 50 million Euro.
GDPR is definitely being enforced but mostly on big tech companies not small ones which I'd imagine is part and parcel of the intent of the regulation.
Not to mention, to this day both these companies are still breaching the GDPR, so the fines clearly didn't have any effect and they are still happy to continue acting in bad faith regarding personal data.
It's really funny how US-oriented thinking made HN go up in arms about how GDPR fines were too excessive to how ineffective they are meanwhile the fine structure didn't change at all.
Well that clearly doesn't seem to be working.
> It's really funny how US-oriented thinking made HN go up in arms about how GDPR fines were too excessive to how ineffective they are meanwhile the fine structure didn't change at all.
Just FYI I'm UK-based and never had any of these US-centric concerns regarding the GDPR.
The fines are not enough right now, but they'll just keep on increasing until compliance is satisfied. There's no reason to start high and bringing small companies to ruin when everything will work out in the long term
Those "privacy score cards" for apps on both iOS and Android, filled out for 1st to 3rd party apps? GDPR in action.
The ability to reject tracking (which might cost money for a subscription or something - which will actually be tracking-free, instead of earning on both ends of the market, by selling a subscription _and_ tracking the hell out of their customers)? GDPR in action.
There are some dark patterns around the cookie consent popups, but it's up to people to report them, there's no EU privacy police squad digging up these cases on their own. There are only so many hours Max Schrems can spend every day (it's rumored to be 24hs or less, except maybe for one day a year) on running his non-profit to do that for you, me and everybody.
That stuff has ramp-up time, and as mentioned, the goal is compliance, not collecting fees. As practices _under GDPR_ are becoming established, and stuff went through court a few times, I'd expect schedules for compliance to shorten.
It would be a PR disaster for all things privacy if DPAs were to go all in on some case (taking 4% of global annual revenue), then losing the case in court. Given how many media companies are big in advertising and surveillance tech as well (with media mostly existing to attract eyeballs for their "real" business[0]), there'd be no end to the assault on privacy. Rather take it slow.
[0] e.g. https://venturebeat.com/2015/09/29/business-insider-buyer-ax... "Adblock Plus said Axel Springer’s lawyers asserted that “The core business of the plaintiff is to deliver ads to its visitors. Journalistic content is just a vehicle to get readers to view the ads.”"
The GDPR already requires clear disclosure for data processing. If the "privacy score cards" were due to the GDPR then we should've seen them 3 years ago.
The privacy score cards actually demonstrate the lack of enforcement of the GDPR. A private company (Apple) successfully did something in a few months that the regulation couldn't in years. That shows how these potential "4% of global revenue" are really seen and they're not as threatening as they sound.
> The ability to reject tracking
Where? The vast majority of apps and websites still include Facebook SDK malware and similar, and in the rare cases where they actually do ask for consent there's no easy "decline" option, or the decline option is a sham (as in "disable cookies in your browser so we fall back to browser fingerprinting").
> but it's up to people to report them, there's no EU privacy police squad digging up these cases on their own [...] There are only so many hours Max Schrems can spend every day [...] on running his non-profit to do that for you, me and everybody.
This seems like a problem if the effort of investigating breaches is offloaded to laypeople, especially when finding out non-compliant cookie banners can be done automatically with a trivial web scraper.
> It would be a PR disaster for all things privacy if DPAs were to go all in on some case (taking 4% of global annual revenue), then losing the case in court.
Why is doing nothing considered better then? In either case nobody is complying with the regulation. At least an in-progress court case (that's likely to take years) is going to be a much bigger threat than current situation of nothing.
My point was that Apple started that effort only due to GDPR. And given that such work takes a while (the UI might be simple, but the decisions on what to model in the first place and how to represent it, and how to do that so that the same model can ideally be reused when other regions enact their own, slight different regulations, OMG...) the timeline might add up to this happening in direct response to GDPR.
> offloaded to laypeople
... offloaded to people with the specialized knowledge. DPAs are filled to the brim with lawyers and similar folks that I wouldn't want to let near a web scraper (or have them do app traffic analysis)
> Why is doing nothing considered better then?
"nothing" is not what happens. This is a wild mix of technology, legal considerations, politics and PR.
https://www.reuters.com/technology/german-privacy-tsar-tells... cites the German federal DPA in a single paragraph: "there is no time to waste" and "I strongly recommend[0] you switch it off by the end of the year."
"no time to waste" vs. "half a year" (plus at least 1-2 years in which they already discussed with Facebook how to make their product compliant) is how schedules work in governance, and it's not out of laziness: It's simple to turn a tiny ship but that doesn't say much about the flexibility of a supertanker.
The fun thing about the German DPA is that he's actually a computer scientist by training, so yeah, I guess he could run a web scraper. He's using this role (and the authority it offers) somewhat different: His office's social media presence is on a self-run Mastodon install. According to what he wrote (on his personal account he had before already) it took them several months of auditing, writing legalese etc to ensure that they could do that, and that Mastodon can be configured in a fully compliant way. So now there's a show case that a few more offices joined (social.bund.de is open to German federal offices and for state Parliaments), and I seem to remember that they mentioned that the legalese and audit work is available to their clients in case they want to set up their own.
"Anybody" can run a web scraper (not necessarily doing a good job, but script kiddies do it all the time), but it takes a DPA to do _that_. I'd rather have his (modestly sized) team work on things that I simply cannot do.
[0] It's not a demand but a "strong recommendation", but not because there won't be consequences. I fully expect Kelber to start investigations into this first thing in 2022 but I guess this leaves the recipients of that recommendation the option to find a different way to come into compliance. Unlikely, but not entirely impossible.
You are right that it’s being enforced, there’s just not very much force in the enforcing.
That is a laughable case count compared to all the violations just everywhere.
If it would be enforced all of US BigTech would need to be outright banned from the EU until the US fixes its no-go issues like CLOUD Act or that secret FISA court.
That's the one part.
The other part is that also almost no domestic companies comply. More or less every business and all the country governments in the EU breach the GDPR in one or another way (for example by using US BigTech products behind the scenes as all governments do, or simply just collecting personal information without consent labeling it "legitimate interest" like almost every websites does).
All big German media outlets have for example right now a case in court for noncompliance with the GDPR. It will take years in court of course, and than nothing will happen, as every time before.
The same goes for things like "Privacy Shield v3.0" the EU Commission is working on. This new version is obviously illegal for the same reasons as it was the case for v1 and v2. But they don't care. The courts need many years to stop it again. Until then this illegal regulations that obviously violate the GDPR will stay in place.
Under GDPR you MUST pop-up consent requests with explicit consent.
Luckily at least the EU website now does them at the bottom rather than the top.
https://europa.eu/european-union/index_en
for an example that is a bit less annoying - the EU website used to do a blocking top banner that was super annoying back when GDPR was being taken seriously, now they just bury it (like lots of others do).
You actually don't, if you don't do any activity that calls for consent.
But this is I think the "big lie" of the GDPR folks - no banners needed, when even the EU itself and its agencies etc all use it.
So you expect random joe blow website to overthink this even further, go against what they see the EU itself doing? It's total garbage.
There are two links to the cookie page (https://europa.eu/european-union/abouteuropa/cookies_en or equivalent for the currently used language), one in the top nav bar, one in the bottom. Interestingly, that page talks about the cookie banner and how they need consent for analytics and stuff, but I never saw that.
So, given how they explicitly state that they need it for analytics, I went to my browser settings and disabled sending the DNT header - and there was the cookie consent popup.
So: State outright and by default that you don't want to be analyzed and they won't bother you.
My only question is why they see a need to do analytics. Without that they wouldn't require that stuff _at all_.
Today I hit for the first time a site that made it as easy to Accept or Reject startrek.com also many sites now offer option to delete my account and even JS APIs for tracking now have options for GDPR to not store private data. So YES things improved but are not perfect, to blame is not the law but the jerks.
Browser vendors tried to establish such a standard but it pretty much died when Microsoft enabled it by default for IE9 and some ad brokers began to claim that they can now ignore DNT because it doesn't actually reflect user intent anymore. (see https://www.theregister.com/2015/04/03/microsoft_reverses_ie...)
With that it became deprecated. Thank you, Microsoft and Yahoo.
The general sentiment seems to be that "if you want it, you want it, and who would want it explictly off?"
this is certainaly debatable
in every subject I'm a... subject matter expert in: it's been pretty bad
we got a bootlicker folks.
As long as you're not spying on your users or stealing their data.
Simple as that.
For example:
https://noyb.eu/en
https://codeberg.org/
See any consent banners? No? Just guess why.
... the European Parliament doesn't have the ability to legislate
it has the ability to "suggest" legislation and the ability to block any that has been proposed, but that's it
and I doubt the commission or the council will be interested in banning this technology
the Council sets the legislative agenda, and the Council consists of the member states governments
similar to how the US senate was before the 17th amendment
So is the EU in a perpetual state of legislative gridlock?
After "long talks" (maybe there is even money involved, who knows) with the parliament the things that the Council and / or Commission want get implemented.
Maybe the parliament is allowed to keep some wording form it's proposals as long as it stays mostly symbolic form the practical point of view.
The EU is a "democracy simulation" as we call it. Neither the Council nor the Commission are elected by the EU people but the laws are made by those institutions in practice.
you can create a majority somehow most of the time
https://apnews.com/article/congress-moves-to-avert-partial-g...
The European Union muddles on through in a very undramatic and ugly fashion, same like every other government.
It will start to be interesting when the EU Commission makes its point. And everybody knows the true rulers of the EU want to extend the surveillance and police state further no mater what the people's parliament thinks about that. This has by now a long tradition. All previous regulation went in that direction. They won't make just now a 180 turn. That's clear.
Some evidence:
https://www.justsecurity.org/36098/era-mass-surveillance-eme...
https://www.statewatch.org/automated-suspicion-the-eu-s-new-...
https://www.tagesspiegel.de/gesellschaft/sicherheitspolitik-...