258 comments

[ 2.9 ms ] story [ 262 ms ] thread
Corruption is everywhere. The way GDPR is enforced is a joke.
Everywhere I look in society, another instance of corruption pops out
There should be zero negotiation between the EU and the tech giants when it comes to privacy from my perspective.

There should be a no track law that disallows any company to hold private data without an explicit direct customer relationship. Data would have to deleted completely at end of any business relationship with a short grace period.

There should also be a digital fast track process to report and receive damages when companies are fast tracked with similar legal penalties to illegally harboring medical information.

The acceptance of data trading should end yesterday.

I think consulting tech companies should be something they need to do, otherwise we end up with crap like that cookie banner.
Why can't they just hire expert advisors themselves? That way they don't need to consult companies who have conflicts of interest.
Imagine the number of ex-bigcorp applicants for those positions that coincidentally left their previous employee on exactly the date the job offers went up ;)
Just exclude anyone with any relation to corporations.
Filling corruption-sensitive positions is a really difficult problem. On one hand it's near impossible to trust the purity of anyone with ties to the opponent, whilst on the other it is precisely and pretty much only those people that have expertise, experience, and inside knowledge that one requires to achieve meaningful success.

Also, if you were chief evil at bigco, wouldn't you keep some people without any backlink around precisely for situations like these?

They do. I know software engineers who work for the government on regulations etc. Then those experts consults with the company experts to talk about what regulations should look like.
That cookie banner is mostly corporations trying to be sneaky and trying to trick people into giving consent, or just flat-out misunderstanding the regulation.

You need no cookie banner if you only use cookies as required by the service you provide to the user.

For instance if a user is trying to log in, you don't need to ask for permission to set a cookie for that. The consent is implicit.

If you want to set tracking cookies on the other hand...

> That cookie banner is mostly corporations trying to be sneaky and trying to trick people into giving consent, or just flat-out misunderstanding the regulation.

If the cookie banner satisfies the regulations and is the path of least resistance, then companies are going to use it.

If the EU doesn’t want the cookie banner everywhere then the regulations need to not allow it.

It is much, much easier to put a banner up than to audit every application and technology used to ensure nothing tracks the user.

> If the cookie banner satisfies the regulations

That's joke though. Most of them don't. And upon getting called out and/or fined, corporations right now just edge a bit further towards an actually compliant implementation - rinse and repeat. Currently we're in the state of "what if we made it really sloooow and convoluted to opt out?" - which is also not compliant because that makes not giving consent harder than giving consent.

At some point we're going to be there, but right now we're not.

The cookie banners as they are implemented right now are mostly wishful thinking by adtech: "Hopefully this will be enough?"

It's not. But nobody wants to be the first to stop widely tracking people and going back to good old contextual ads. They're going to wait until the EU turns the heat up to 100 and maybe even then wait for a competitor to blink first.

Max Schrems' (of the SchremsI and SchremsII court decisions) noyb group is now aiming for sites with non-compliant banners[1], having filed a first round of over 400 GDPR complaints. It will take years before the regulators come up with rulings and those decisions have been litigated, like it usually does, but it's good to see that somebody at least started the process as the regulators themselves have been - as usual - dragging their feet.

[1] https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-ner...

Regulators are massively understaffed. Except maybe the DPA in Ireland, that office seems to have enough resources to rubber stamp whatever comes their way from outside the EU.
> It is much, much easier to put a banner up than to audit every application and technology used to ensure nothing tracks the user.

It is REQUIRED to audit every application and technology to determine what tracks the user. That isn't negotiable, it's the law: you must know where, when and for what purposes you are handling personal data.

After that audit, you can either show a cookie banner etc, or remove the problem applications/technologies.

https://gdpr-info.eu/art-30-gdpr/

You still need to audit every application and technology so that you can create a cookie banner that lets you disable them, if necessary.
At this point, I don’t think they misunderstand. They try to be sneaky.

Thought experiment: if the cookie consent banner was a payment form, things would be A LOT easier to understand. They are ambiguous on purpose. From a UX perspective, most of them don’t make sense at all.

They make perfect sense as dark patterns.
They should consult organizations that aren't out to invade privacy for monetary gain. For example, EFF.
The banner is not because of the law, it's because of the sites. You don't have to put that banner: just don't track people.

When you see such banner, don't get angry at the law, get angry at all those websites that are tracking you.

> explicit direct customer relationship

Be careful what you wish for.

Which is better?

Cookies "without consent" (which you can trivially clear with the click of a button, or have the browser clear automatically) every time you visit YouTube or Google search.

Or no YT or Search for you unless you make a Google account tied to your real email (no 10minutemail) and real phone number.

GDPR is privacy snakeoil.

They are way beyond tracking by cookies or account, they just fingerprint your device. And cookie consent questions are better because you can sue them if they still track you with them. It is not only about technology and possibilities but also about laws and rights.

GDPR is leverage.

So then they'll just make signup mandatory and circumvent the legislation that way.

Device fingerprinting is still something you (or the browser vendor) can mitigate.

Mandatory signup doesn't get them rid of the GDPR. You still aren't simply allowed to store data that isn't necessary to deal with your customer or user or the service you are providing.
(comment deleted)
Well, maybe that's what they think. But EU is coming with new security and AI regulations that will change things forever.
I think they've realized that privacy centrism creates an industry in which the EU can compete well, independently from the US and China. Or at least I hope so.
It just pours cement on industry~wide invention and replaces it with bureaucratic innovation.
Take it far enough and it will force new innovations in the fields of p2p and distributed networks, homomorphic encryption, etc.

It’s still profitable enough with data silos that this is not happening yet

Which invention/innovation couldn't have come out with better privacy laws? I guess Palantir? Do you have another example? Theranos?
It's not about what you can and can't do, it's the friction and cost associated with achieving compliance. I'm not against privacy protections, but having released digital products in Europe I can say that the cost of achieving GDPR compliance could very well make the difference between whether some companies can succeed or not.
I wonder if these kinds of discussions can be easier to have if concerns and critiques brought up were framed, from the start with an understanding that the cost to achieve and maintain compliance with the standard is a cost that gets paid either in money or work-hours (like for example SOC2 or PCI), that it can very tangibly halt non-compliance workloads and rollouts; instead of starting from a footing of assuming complaints are the cloaked dressing for being against user privacy.

Understanding full well each standard solves different problems, for some of us in tech achieving compliance is a non-trivial amount of critical work and maintaining it similarly isn’t always something you easily drop everything and make happen in a day or two.

I think that’s 100% relevant and shouldn’t be immediately responded to as others have by assuming the relevance comes from a position of opposing the regulation or standing against user privacy

> instead of starting from a footing of assuming complaints are the cloaked dressing for being against user privacy.

The problem with this is twofold:

a: 'Most' (by loudness or other perception) of the complaints are known to be bad faith because they're coming from malicious actors like Facebook or Google which we know are against user privacy (since that's their business model).

b: You have to go out of your way to build a site that interferes with actual user privacy, for example by actively adding Google Analytics scripts or faux-CAPTCHAs, or actively demanding a real name and actively doing something about it if the user lies to you. (Technically you get IP addresses by default, but much like mailing addresses, obscuring these pretty much has to be the user's responsibility, since how else would you respond to them.)

So if you want a assumption of good faith, you need to be clear that you're complaining about the bureaucratic compliance overhead (eg having a particular data processing officer or whatever GDPR calls it), rather than about having to change your object-level service to eliminate spyware that you went out of your way to incorporate in the first place.

>> the cost of achieving GDPR compliance could very well make the difference between whether some companies can succeed or not.

Is this a bad thing? If we take privacy seriously then it shouldn’t be. We don’t see too many people fighting food or drug regulations intended to keep us safe because it might be costly for companies to comply. Maybe if a company cannot afford to comply with privacy regulation they should not be handling our personal information. I guess the reason it seems heavy handed in the tech/web world is that the barrier to entry started at next to zero and so much of what we put on the web is not monetised that any cost/compliance seems like a massive burden.

It is a trade-off which is not always acknowledged. It is not something that has 0 potentially negative consequences. And the competition and innovation that is stifled is often invisible (hard to see what could have been).

If you had less intervention with respect to privacy would there be more dynamic market-driven initiatives to fill the gaps? Would there be more incentive to develop technology that would be effective for privacy? I don't know.

Regulation is just hard because reality is complex and dynamic and regulation is often complex but not very dynamic.

> If you had less intervention with respect to privacy would there be more dynamic market-driven initiatives to fill the gaps?

This is hilarious. Because we had that, and it was lacking, to put it mildly. And some people still have that, in a way that's easy to compare (e.g. EU vs US, CA vs other states). For me, the results are in and obvious. Privacy regulations are the only thing that reflects the privacy externalities they might impose on society back onto them (and the shareholders).

I don't think it's necessarily a bad thing. Like you say, some regulations are needed, and we wouldn't want to allow unsafe cars on the road just because crash-tests are a barrier to entry for startups.

However it does serve as a moat for players with more capital, and that's something we should also be mindful of. For instance, maybe we could have some of the requirements scale and only kick in when a product meets certain thresholds in terms of numbers of users.

Theranos is largely agnostic to privacy laws; it came about due to shoddy medical regulation (specifically, while medicines and medical devices deployed to hospitals and homes are heavily regulated in the US, medical labs are not).

Also, arguably, shoddy financial regulation. In many countries, large private companies have to submit audited accounts to the regulators, and that would likely have raised alarms about the other problems with the business earlier.

Medical labs are heavily regulated. Theranos mislead inspectors by not showing them their entire lab.
Well, depends on how you define ‘heavily’. Theranos did hide a lab, but even beyond that they were depending on rules that allowed novel tests with very minimal oversight, provided they were done in a lab rather than in the field.
(Also, the regulator was presumably aware that Theranos made proprietary medical devices; it said so on their website. So, when they were shown a lab full of Siemens stuff, they should probably have asked about that. The problem here was really hiding in plain sight, and a competent, sufficiently empowered regulator would have caught it)
Theranos happened because the founders chose to lie. Plenty of laws were violated there. Medical regulation is not to blame. Investor hubris is.
Oh, sure! But the primary purpose of regulatory enforcement is to catch people lying, and Holmes was pretty effective at exploiting the weak points in the regulatory regime to avoid that detection.
What? Holmes (allegedly) misled people that were willing accomplices in being misled. There wasn't a regulatory failure, just investors that did not do their homework.
So beyond the investors, Theranos injured quite a lot of real people. They were actually doing blood tests, which largely did not work. With different regulation, some of this might have been averted (in particular, if the FDA was responsible for diagnostic labs, that might have helped).

Frankly, dodgy companies screw over the people unwise enough to invest in them every day. Theranos was unusual in that it also directly screwed over members of the public.

> while medicines and medical devices deployed to hospitals and homes are heavily regulated in the US, medical labs are not

Relatively speaking, this is as it should be. There are ways to cope with arbitrarily-convincingly fake lab reports (most generically, do multiple tests and compare them), whereas there's not a procedural fix for your X-ray machines occasionally going THERAC. Those measures generally aren't actually in place, but they should be anyway to cope with eg human error.

But the regulations actually in place on both patient-proximate and lab-based equipment are insufficiently stringent. (Annoyingly, they're also gratuitously burdensome.)

I shrunk down the interactive (with server-side or external functionality, like third-party comment-boxes) features my sites a lot because of being worried about GDPR, basically killing a small community and having a direct negative effect on users. The overhead/worry is real, even if as a consumer I'm a big fan of it. The toolchain/conventions may eventually catch up so that things are GDPR-compliant by default, but the downsides are still very palpable.

[ And even with all of those cutbacks, I'm still not really compliant on all my sites... (legacy software/not knowing what exactly my data server is logging/etc.) ]

But, as a direct answer to your question: I don't think many things in principle are impossible with the current privacy laws. But that doesn't mean it's not having a chilling effect.

Although I understand your worry about not being compliant, from my understanding it’s unwarranted. The intent of any enforcement action is not punitive but to enforce compliance. In other words small companies will be told “please comply” and given a chance to comply. It’s only if they refuse that action such as fines is taken. Maybe this has changed but at least when I was studying this a few years ago this seemed to be the case.
Alternately, it may counter incentives towards digital monopolies.

I’m not convinced that large amounts of personal data is required for search to work well, at the very least I’m not convinced the personal data must leave an individuals control.

We don’t see a lot of innovation in this direction as hyper personalized search seems to work reasonably well and the startup costs to compete are massive.

I’d love it if Duck Duck Go would let me assign priority to websites. Prefer Wikipedia, GitHub, StackOverflow over spammy copy cats. Maybe the ability to flag results as spammy copy cats would also be nice.
They already do this at scale for everyone. Sometimes they fail.
I'd love it if DDG didn't pointlessly ignore operands.
> may counter incentives towards digital monopolies.

Doesn't the cost of compliance inherently favor larger companies with better lawyers and deep experience in passing audits?

Here's the issue. Google can use private data in the US to design a model such as say a personal voice assistant. It then deploys this model in the EU and then uses no EU private data either for training or running it live. Google can then use non-private data to adjust the model to the EU market.

A company in the EU has to design the whole model with no private data which means they will have more difficulty competing with Google rather than less.

Poverty wages, child labor, ignoring emissions regulations, evading taxes, etc are all ways a company could improve margins and charge lower prices. That doesn't mean you want to legalize all of that just to compete in the global market.
Why do you put words in my mouth that we should legalize something when I said nothing of the kind? If this is how you react when someone points out flaws with a legislative approach then good luck ever getting one that isn't flawed.
It's ultimately going to be a race to the bottom if you allow companies who engage in those practices all over the world into your market on even terms. That's honestly what tariffs are for. Tax your citizens for engaging in commerce with companies that gain efficiencies through operating in ways that disagree with local values.
Couldn’t you use the same line of argument for tariffs on a vast number of imports? (Electronics, software, services, etc.)

It could even extend to most consumer product. e.g. Some obscure chemical compound for plastics is much more costly to produce in an environmentally friendly way, therefore it’s nearly all produced in the least regulated jurisdictions, therefore the compound and all derivative products have to be tariffed from those jurisdictions?

That would only work for the percentage of the European population who uses English as their primary language. It'd be damned near useless.
I already noted that and plenty of languages are spoken outside the EU aside from just English.

>Google can then use non-private data to adjust the model to the EU market.

Google can do everything a EU-only company can do. They can also do things a EU-only company cannot do. The reverse is not true. So at worst they'll be roughly as good and at best much better.

And why is the company EU-only? What X-only company is trying to compete with Google anyways?
No they won't.

There are regional differences between the same language that can be pretty severe, all the way down to the pronoun level.

So, no they can't.

I don't think you understand the point. Google can get all the same data as an EU company. They literally can do the same job an an EU company by simply not leveraging US data. The fact they have US data doesn't mean they are forbidden of getting EU compliant data like any other company.

They can also get US data that doesn't follow EU privacy requirements. So Google has two source of data they can combine into a better product.

The same goes for the US. but there are always regional differences, the bigger point is that people are not just a simple lookup table, they can adapt to a personal assistant that only understands an imperfect understanding by changing they way they speak to the device. People will do this without even being conscious of it.
Nope.

In the US the dialects are very similar and usually separated mostly by accent.

When dealing with different countries, entire groups of words do not mean the same thing because either (a) the language has changed, or (b) those things literally did not exist at the time the split occurred. Training an AI on Parisian French will result in an utterly broken experience for Haitian French and Cajun French.

My point is, that if you trained an AI on Parisian French, people in Quebec would be annoyed but could adapt to the differences if they wanted to use the system. People in southern Germany may be annoyed they have to speak high German, but they know it. There are very few people, if any, who only understand Cajun French and the issue.

Also, the biggest difference would be the pronunciation differences vs words being different. The word differences are easily modeled after any ASR, if the developer understands the differences and plans for it in their NLU models.

If you wanted to ensure that only companies with the resources of FAAMG could operate in your jurisdiction, you could hardly do better than the EU has done.
I still see plenty of small companies operating online in the country I live in. GDPR isn't particularly hard or expensive to follow if you are small and barely have any data, especially if you build your system to be GDPR compliant from the start. The expensive part comes when you are already large and have to make that large system GDPR compliant after it is already built.
As a consumer, all I got for GDPR is a lipservice in the form of cookie banners and annoyance everywhere on the web.
Exactly, cookie banners are an annoyance where the user ends up clicking Accept All just to make the banner go away.
You got the ability to demand to see your data from every company and get it deleted, you didn't have that before. They could just keep whatever data they want and there is nothing you could do to discover or stop them from doing that.

If you care about privacy at all you should be very happy that is possible today. It is how we got all those articles showing what data Google and all other companies collects about you, since they asked about this referring to this EU law and the companies has to comply. So even if you don't use it yourself it greatly helps you anyway.

I can see this useful for sites that collect a lot of data (Banks, Social Media, etc.) but for buying shoes from a shopify website, I really don't give a shit. If anything, GDPR has been a nuissance to me as a consumer. Being 100% honest. Cookier banners are so ubiquitious that we've all gotten used to just accepting them and moving on.

This is the problem with EU regulation. Good intentions, bad implementations and unforeseen consequences. In fact this goes so far into the reasons why EU cannot harbor a growing startup scene or make rockets. I am not against regulations but if you lay a landmind in front of every endeavor in the form of regulations, it bears down on people that want to disrupt existing and overweight companies that can afford to abide by regulations. I've talked to many Europeans and they resonate with the same sentiments.

I own a small business and I've gone through the process GDPR compliance. It is not too bad but there is a reason why there are upteen number of GDPR compliance consulting firms and checklist makers out there.

What should have happened is a complete solution to privacy in the browser instead of playing cat and mouse games with businesses that will find loop holes.

> Cookier banners are so ubiquitious that we've all gotten used to just accepting them and moving on.

Cookie banners has nothing to do with GDPR.

> I own a small business and I've gone through the process GDPR compliance. It is not too bad but there is a reason why there are upteen number of GDPR compliance consulting firms and checklist makers out there.

The reason is that GDPR compliance gets more expensive the more technical debt you have. For big enough companies with bad engineering practices it can costs hundreds of millions of dollars. For a small business with a straightforward product they likely are all but compliant without even trying.

> What should have happened is a complete solution to privacy in the browser instead of playing cat and mouse games with businesses that will find loop holes.

GDPR has nothing to do with browsers, it has to do with forcing companies to ask for and track data they keep on you no matter where it comes from. It applies to apps, to hiring interviews, to storing transaction data when you buy groceries etc. What you are talking about is a completely different issue.

I am sorry Jensson, but everything you said is wrong and misleading.

> The proliferation of such alerts was largely triggered by two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the European Union in May 2018; and the ePrivacy Directive, which was first passed in 2002 and then updated in 2009. They, and the cookie alerts that resulted, have plenty of good intentions. But they’re ineffectual.

https://www.vox.com/recode/2019/12/10/18656519/what-are-cook...

You are talking about the ePrivacy Directive, not GDPR. Cookie banners has been a thing for well over a decade.

What you probably meant is the user data banners/popups you have to click on that are new since GDPR. They are not cookie banners, they are a different thing, calling them cookie banners gives people the wrong impression.

The fact that you mix these two makes it look like you don't understand what you are talking about here. Especially since you talk as if this was the only thing GDPR changed. The cookie law is stupid, but GDPR is not.

>You got the ability to demand to see your data from every company and get it deleted, you didn't have that before.

This matters to the nerds on HN and Reddit,some clout chasers on Twitter, and no one else.

You couldn't be more wrong, so many people are afraid of stuff like their old Tinder profile leaking etc. So having a law that forces companies to delete your profile rather than keeping it around forever is really important to people. You can see leaks from another site like that embarrassing a lot of people who thought that they had deleted all data related to them, they certainly would have wanted GDPR back then.

People don't care about most data, you are right about that, but they care a ton about some data.

GDPR is just about that, make you own your own data rather than companies owning it. Companies has to ask for it rather than just taking it, and you can revoke that right at any moment and the company has to comply.

For larger companies i can tell you that the red tape and additional overhead from GDPR is horribly expensive to implement.

Not to mention the reduced happiness from working with GDPR.

If Google could help remove GDPR and the Cookie law i would welcome it.

I am really happy that EU forces you to properly track what and where you store data about users. Sloppily just storing data everywhere and not properly deleting it is a huge security/privacy hazard, making such reckless behaviour illegal is a great thing.
>Not to mention the reduced happiness from working with GDPR.

I'm of the opinion it should be even more onerous to deal with people's data than it currently is. GPDR doesn't go far enough.

>For larger companies i can tell you that the red tape and additional overhead from GDPR is horribly expensive to implement.

My company had about a week of design of our data handling infographic and policy page and that was it for GDPR. The transition was incredibly simple, as we just didn't keep such data in the first place.

Because we did collect voluntarily submitted items from users which might contain such protected data, we simply explained our retention process to users and documented in full the data's life-cycle once it hit our servers. I think we had to add a few extra S3 regions for uploads also, but that was just a few clicks.

GDPR is anything but a headache unless you're trying to do the things the GDPR doesn't want you to be doing; then yeah, it's probably quite a headache.

I think you are spot on, but maybe for a different reason. The EU has looked at the practices of large tech companies in the USA and decided that the way that these companies are collecting personal information and selling it for profit is something that should be progressively phased out. So not being able to create a company that harvests personal data seems like a win for the GDPR. The next step would be to reign in the large companies that have been able to use their resources to continue the practices that the GDPR has set out to limit.

As a side point, I work in a tech startup in the EU that was founded post GDPR. We have no issues being competitive and also complying with the GDPR, however we do not make our revenue by selling personal data.

The thing I noticed most is that in Denmark, Danish sites follow both the letter and thespirit of GDPR. I was looking at trying to pay my electricity bill the other night and got told that because my version of FF sent the Do Not Track header, they'd automatically "objected" to all cookies and branding beyond necessary ones and I didn't need to do anything else. Those big banners have a simple "yes to only necessary" or "yes to all" button at the bottom.

American sites on the other hand tell me either "tough, take our spyware if you want to see this site, or to to a restricted list of five pages" (which I'm pretty sure isn't legal under GDPR); throw up the gauntlet of 1000 tick-boxes, infinitely nested, or say "you're from the EU and we can't serve you page".

The problem is cultural. I've de-googled myself as much as possible, but I don't like the fact that all of my real mobile device choices are written in California and made in china.

Samsung is neither Chinese nor Californian. Their phones are designed in south korea and manufactured in South korea, indonesia and brazil.
The GP’s point was that Android/G-Suite/Firmware, the software on Samsung phones, is substantially “written in California”. That seems true enough in spirit.
Almost every site has the "Yes to necessary" or "yes to all" now, it's not in the banner but generally IME if I click the "select" option it automatically has all the "optional" cookies turned off. Just two clicks instead of one. I think since the majority of people are too lazy for two clicks they see "select which ones", say whatever and just accept all so hiding the fact you don't actually have to select works in the site's favor.
I've heard this a lot on HN, any data to back it up?
I can guarantee you, from conversations I have had with senior executives at these companies, that they fully believe they’ve got the regulators in their back pockets. Until we throw people like Nick Clegg in prison for their revolving door betrayal of their citizens, you’ll have some suspiciously incompetent and sympathetic politicians handling these issues. The whole Federal Reserve stock trading scandal should show you that these “public servants” will bend their morals for depressingly small amounts of money.
Should we be more surprised that they’re selling us out, or more angry that it’s for so little?
It costs about £150k to become an unelected member of the UK permanent legislature, and bribe your way into an office of state: https://www.dailyrecord.co.uk/news/politics/arise-lord-offor...
Those are the donations that were declared, to maintain a pretense of propriety. What sits in Panama, you'll probably never know. 150k is too low a price for that seat, particularly since the cash-for-peerages practice is now so old that the competition must be significant. Either there is more undeclared or this guy knows where the bodies are buried.
(comment deleted)
A certain amount of regulation runs the risk of leaving us in a situation where a competitive moat is established between companies large enough to handle the regulatory burden and everyone else for whom it represents an unsurpassable barrier between them and the EU market. It wouldn’t surprise me at all to find that large tech companies are encouraging “just so” regulation of this sort.

[I do not speak for my employer.]

(comment deleted)
General question to EU people: do you enjoy trading data privacy for consolidation of goods/services into larger and larger corporations? After all, they are the only ones can afford such expensive relationships.

Edit: This question isn’t about compliance. That’s easy. It’s about the downstream impact of “missing” data in the advertising ecosystem.

Some posters have pointed out that the EU still has a viable local press and a history of supporting smaller businesses. All true and something that sets it apart from the US.

Also, my original question is a admittedly cheeky, but I am interested in how smaller companies actually compete if their options for targeted marketing are limited.

The alternative being weak data privacy laws and the same consolidation happening anyway?

But yes, I'm fine with it. Compliance is really not that hard until you reach the scale of those same dominant players.

So you’re saying yes because you believe the consolidation is happening regardless?

Probably true in Europe. Regulation and taxation schemes are onerous there. Only the large can survive.

That's a very weird reading of that response. But no, that's not at all what I said.
I just read your edit. It doesn’t seem like I had a weird reading at all.
The companies consolidate in USA regardless of what Europe does, nothing Europe does will change that.
Big companies dominate much more in USA than Europe though, Europe has way more small local companies that compete with Amazon etc.
Absolutely a fair point. How do they get your attention though?
They play local ads? Google lets you advertise in an area, you see them in Google, in youtube, in facebook etc. And since these companies has much stronger local brand recognition than the American giants they win out in the local markets.

Also advertisements is more than just spending money, you need to mesh with the local culture as well. An American multinational doesn't really mesh well with most people and people reject their marketing, while local companies understand much better what the local people wants. In theory the giants could just hire locals, but in practice that has been really hard for them to do, as we can see every country has their own grocery store chains, brands etc.

But local ads without interest context are really no different than large scale brand ads. What's missing is the information about the users interests, which in turn makes the ads more relevant.
It is good that you are concerned, but EU is not lacking small companies. Where I live Uber is not the biggest ride sharing app for example, an European based competitor that started after Uber is bigger. They started after GDPR, so from my perspective it isn't EU that needs to fix its small businesses, it already works. It is USA that needs to prevent businesses from growing huge and dominating their entire market and effectively making it impossible for new entrants to appear.

Anyway, we can't refute all your points. It is really easy to just ask more and more questions, but at the end the results is what matters. And the real world results says that Europe is very good for small new businesses.

Today this is not something that affects day-to-day lives in any meaningful way I don't think.

Additionally, the EU seems to be big enough of a market for corporations to still bother with providing privacy-friendly variants of their products that mostly function in exactly the same way.

But how do smaller companies make you aware of their products if they can’t target you?
I don’t know, I have all ads blocked everywhere and still discover new products. I also discovered new things, before the internet was such an ad-ridden mess that adblockers became a requirement for decent UX.
Just like before there were targeted ads?
Well, before targeted ads there were blogs and they were well read. Not so much anymore since Google decimated that channel.
Think "before blogs". Windows 3.1 rose to dominance when the Internet wasn't a factor for the vast majority of computer users (and even less for everybody else).

How could they possibly have acquired customers back then?!?

With money… lots and lots of it spent on brand level marketing in print media as well as with direct sales reps.
Sometimes I have a problem that could be solved with money. I google/whatever favorite search engine is for a product that solves the problem that I want to solve. At no point adtech is required, in fact I would prefer if adtech wasn't involved.
Do they really need to know with which hand I am likely to wipe my arse with, though?

Smaller companies using the services provided by the bigger fish have caused a self-perpetuating circle of ever increasing imbalances in many areas.

The resources that are being spent on not only keeping this machine in tact, but as seen in the article, grow it even further, show that this machine isn't going to stop itself and that higher intervention is required.

This is going to be costly and hurt in other ways, but with it being a massive stap towards a sort of post-scarcity society as was shown in Star Trek and by the Venus project, it's worth every tear and every penny.

If anything the society depicted in Star Trek has even less privacy, but ok.
I don't want privacy just for the sake of having it. It's a tool that serves a purpose that's no longer or significantly less relevant in that story.
The data privacy laws makes people think harder about the collection and usage of data. That’s definitely a good thing. What I don’t want to see is big corporations subvert that
But how do smaller companies function in such an environment without being subsumed into larger marketplaces?
-
Lack of accurate targeting leads to lower ROI. If you’re trying to build a direct sales business that would seem to be a rather large impediment.
The same way they have for the last thousand years?

Tech isn't magic. It's still just a business.

Larger and larger corporations are needed to violate EU privacy rules and get away with it.

After the initial scare of the GDPR, most organisations found a way to live with them.

But obviously, it will become very tricky, and potentially costly if you want to violate people's privacy.

I guess it depends on the products and services and where they originate. Many media companies outside the EU have simply opted out of doing business there. I know the same is true of some smaller direct retailers.
That makes sense. For company that has a few potential customers in a region with complex legislation it may make sense to get avoid those customers because of cost of complying with the legislation may be higher than what the customers are worth.

A similar example is that many banks outside the US prefer not to have US citizens as customer. This is also because complying with US laws is more costly than the money made from US citizens.

When it comes to smaller retailers, that is probably due to the EU tax rules. That's a pity. But possibly hard to improve.

Yes, the VAT structure is particularly painful for retailers outside EU for many reasons.
I believe you are misinformed and have formed a false dichotomy here. It's easy to primarily use small businesses, who are doing relatively fine. The only exception I can think of is grocery stores but that was the case here long before GDPR and also isn't the case in the rest of Europe. I suspect it's to do with the geography of my country.
Then explain how a smaller company markets goods and services in the EU without resorting the brand level advertising? Lack of targeting data makes it financially impossible until a company reaches a certain size.
The same way they always have, obviously? Also, they seem to have no problem reaching me on Facebook (the only place I can't block ads.)
I use newspaper ads, billboards and social media presence. Works fine. I don't need to see your nudes, know your friends, hoard your browsing history.
Newspaper ads are a fair point. Europe still has a functional local press ecosystem. That’s dead in the US.
I type into Google "buy computer online" and get 9 different local online shops where I can buy computers, none of them are Amazon. One of them was an ad, but the rest were just search results.

Not sure why you think this wouldn't work in Europe.

> Lack of targeting data makes it financially impossible until a company reaches a certain size.

This seems to be a premise you are working with, but as someone with my feet in Europe, it just is not true. Lack of targeting data may make it a bit more expensive to market goods, not "financially impossible". I see ads from small companies all the time. Some are even related to my interest, specially when they are located close to things related to the ads.

As an IT professional, I don't like it at all. The plethora of laws makes it much harder to do business in the EU: If you want to process any kind of data you are immediately forced to spend a lot of money on security certifications. This increased cost and velocity reduces the competitiveness of EU based companies which need to capture their home-market first. This is one of the potential factors why the EU loses out to other markets in startup-friendliness.
This is what I expected to hear. We had similar issues in the US with corporate tech when various financial regulations came down in the early ‘00s
That turned out well for American and the world in 2008 didn’t it?
So you're going to keep asking people until you hear what you expect to hear instead of looking at the evidence? Based on your behavior here, it seems like you have already formed your conclusion and are only looking to hear specifically what you want instead of listening to the majority.
(comment deleted)
> If you want to process any kind of data you are immediately forced to spend a lot of money on security certifications

No, you don't

> This is one of the potential factors why the EU loses out to other markets in startup-friendliness.

No, it doesn't.

What it "loses out on" is on price dumping through unlimited investor money and wholesale private data collection

Do you actually work for a small to medium-sized EU business? Because I do and the amount of money we need to throw at compliance, both in direct costs and dev hours, is immense. And we're not doing ads, user targeting, or any other such "nasty" industry practices. Our product is widely thought of by both our customers and investors, as wholesome! But our product does require customer accounts and data storage because wheeling in a server rack to wherever they are is the last thing they want.

I used to be think GDPR was a good thrust for user privacy but years later what I see is an adorned web already suffering under the weight of its own crap super-adorned with these cookie banners that impact my actual, day to day life of the net.

That's not a failure of the companies doing the tracking, that's a failure of regulation. The EU could have legally enforced the existing Do Not Track flag but instead we get a worse web that has literally shaved off hours (days?) of my life clicking through cookie forms. And no number of uBlock scripts that promise to erase them from the web has been enough to stop them.

So, report these privacy invading companies to your local data protection body, you say! Sir, madam or epithet of your choice, have you tried reporting a breach to the Danish Data Protection Agency? They will do everything in their power to invalidate your claim. That was the last straw for me. Our protectors are indolent or powerless and here we proclaim victory!

All I've seen from these rulings is spinning wheels, wasted labor, money set fire and pain.

Our German clients have screamed and hollered (thanks, Schrems II!) to bifurcate our clouds so that one side is AWS and the other is a German cloud that moves with the glacial pace of the 90s and with that decade's service portfolio. Don't even get me started on the service level difference:

AWS: how can we literally give you everything you need to build your successful business? How about these free recruits who just graduated out of our program that specifically re-trains people from disadvantaged backgrounds to be cloud all-stars? How about regular consulting sessions with our teams to identify how you can save money with us?

German cloud: let's make setting up a managed DB the most horrifically onerous process possible that's unreliable and flaky with your data and then charge you thousands of euros for support fees fixing the things that were our fault to begin with.

> Do you actually work for a small to medium-sized EU business?

I did. And I do.

> Because I do and the amount of money we need to throw at compliance, both in direct costs and dev hours, is immense.

It's not immense, with emphasis. It's just the cost of doing business.

If you run into having to do compliance or certification, it means that you're doing something that requires you to be, you know, compliant.

For example, financial institutions have to be compliant. And we, as society, really-really want them to be compliant and responsible for what they are doing. Not like Equifax in the US.

> And we're not doing ads, user targeting, or any other such "nasty" industry practices.

It doesn't matter, if you do it or not. The "immense" cost of compliance is just your business deciding to cut corners and then realising that no, you shouldn't cut corners, and then scrambling to fix that when you were most likely caught red-handed.

I worked at a company which was a bit lax with its practices, and then had a run-in with an unexpected audit. Omg, you wouldn't believe, but the cost of compliance with laws was immense as we rushed to meet al requirements before the deadline imposed on us. Had we not been lax, this wouldn't even be a problem.

> I used to be think GDPR was a good thrust for user privacy but years later what I see is an adorned web already suffering under the weight of its own crap super-adorned with these cookie banners that impact my actual, day to day life of the net.

Ah yes. Another person who complains about compliance, and then immediately pretends that the state of the web is the result of a law.

No, the web is the way it is now precisely because these companies flaunt and break the law. All those cookie banner with dark patterns? They are illegal. The only real downside of GDPR is that it's not enforced as rigidly as required, and nowhere on the required scale.

As for compliance with GPDR, it's essentially zero added cost for small companies with greenfield projects. For small-to-medium companies the cost of GDPR compliance is the function of data practices. If it's "immense" for you, this only means that you were already siphoning user data you didn't need and did nothing to protect it. I can't feel sorry for you.

> Our German clients have screamed and hollered (thanks, Schrems II!) to bifurcate our clouds so that one side is AWS and the other is a German cloud that moves with the glacial pace

Once again, you blame your own technical decisions on the law. Of course German customers would want their data in Europe. Why wouldn't they? Data on American servers is basically forfeit, and can be examined, analysed, and seized by the US at any moment. Wow, I can only imagine why German customers would not want that. Whatever might be the case, hm?

> German cloud: let's make setting up

Once again: it was your decision. AWS (and GCP, and Azure) literally provides a service to European customers where they keep data in Europe only, and that is more than enough for most any compliance (I know banks in Europe who use AWS and/or GCP). [1]

So, your poor technical decisions have lead you to suffer increased costs, and you blame that on laws. Keep it up, it's a good way to stay in business.

[1] AWS: https://aws.amazon.com/compliance/eu-data-protection/, Azure: https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boun..., GCP https://support.google.com/cloud/answer/6329727?h...

You don't know my company and you've ascribed practices to my company that we don't practice to create a straw man. Please don't do this.

We're working, willingly and early, with an independent auditor we hired.

As for the German cloud, no AWS Outpost or anything else we (and AWS' legal team) pitched was enough.

> The only real downside of GDPR is that it's not enforced as rigidly as required, and nowhere on the required scale.

Whose actual fault is this? The EU pushed through a ruling without teeth. It's a lose-lose for everyone from business all the way down to the person assaulted by these cookie notices.

> So, your poor technical decisions have lead you to suffer increased costs, and you blame that on laws. Keep it up, it's a good way to stay in business.

This is just rude, please don't.

> If it's "immense" for you, this only means that you were already siphoning user data you didn't need and did nothing to protect it.

Why are you continuing to state things as fact you don't have a clue of? This is completely false.

> You don't know my company and you've ascribed practices to my company that we don't practice to create a straw man.

You've asked if I worked at small-to-medium company in the EU. I told you I did. My experiences are significantly different from yours. This only tells me that there's definitely something wrong you're doing, and blaming it on the law. Since you're not giving any details, it's pure speculation at this point.

> Whose actual fault is this?

I think no one could even predict the scale of the issue. No one could imagine that:

- even well-to-do commercial companies would include literally hundreds of trackers on their web pages

- almost literally everyone would decide to break the law instead of, you know, stopping wholesale data consumption

The ad industry played a nice trick: now everyone believes the EU with its GDPR is the bad guy, and not the motherf@ers who siphon your data to 500 advertisers on every page.

As for the teeth, GDPR can fine you for a significant chunk of your global turnover. So yes, it has teeth.

> Why are you continuing to state things as fact you don't have a clue of?

Are you the only one allowed to state things?

This. Thank you very much for the example!

Additionally, let's break out out of the HN bubble and assume the role of somebody who is not a tech aficionado. E.g. the C-level exec of small and medium sized producing company in Germany (e.g. automotive). Now they not only face the burden of having to modernize their often dated tech system but also get the handicap of having a whole new sea of GDPR complexity before them which, if something goes wrong, can be business ending. I've seen this being a preoccupying topic for meetings for years for companies which really should not have to care (producers of automobile parts). It's a significant part of the IT budget going down the drain which could've been spend improving existing processes.

> who is not a tech aficionado. E.g. the C-level exec of small and medium sized producing company in Germany (e.g. automotive). Now they not only face the burden

Let's start with this question: how are they running their business?

> also get the handicap of having a whole new sea of GDPR complexity before them which, if something goes wrong, can be business ending.

1. There's nothing complex about GDPR

2. GDPR is not business ending, as data controllers are expected to help and guid the companies who are found to be in breach of GDPR

> I've seen this being a preoccupying topic for meetings for years for companies which really should not have to care

It means they don't care in the least. GDPR is an amalgamation of the various data protection laws that existed before GDPR. So, these "poor companies who are in meetings for years" didn't care about data protection then.

Then companies were given two years of transition to get in shape and get their act together. Omg, these "poor non-technical companies" are still "in talks for years".

GDPR has been in force since May 25 2008.

So. At least a decade of data protection laws (and German laws have always been quite strict) + 2 years of transition period + 3.5 years of the law being in effect. And it's still " preoccupying topic for meetings for years"?

> It's a significant part of the IT budget going down the drain which could've been spend improving existing processes.

Yes, indeed. If 15 years later they still can't figure out why they shouldn't keep personal data around, they definitely need to improve their processes. And IT has nothing to do with it.

s/since May 2008/since May 2018
What are these security certifications you are referring to, and who required you to get them?
What kinds of security certifications? GDPR doesn't require any certifications
This really gives me "Western regulations on labor hurts its economy compared to China" vibes.
It shouldn't. Arguments on HN are often reduced to China vs West where the tech world is much more global nowadays, e.g. Israel, India, Brazil.
Human rights also makes it much harder to do business in the EU. Your point?
I would argue that human rights make it easier to do business in the EU.

For example, a government which ensures that you don't go to jail for some bs reason is a government which I would be more trustful of as an enterpreneur.

As a human being who wants his information to be secure, I love it. If companies are going to peddle the personal information of individuals, and that information could potentially harm them if it became public, then getting security certifications is the very LEAST a company can do if they want to do business in that sphere. Everyone everywhere should demand it.
As a European running multiple sites and services, you seem to have no idea what you're talking about. The EU rules are quite simple and easy to follow, and I love having real privacy protection from corporate interests.
Sure they are simple to follow. The question I have for you is how do you attract new customers?
By providing useful products or services?
As a company you need to follow the law. As a company, to attract new customer you sell something useful. Those two aren't mutually exclusive. For example, you can sell a service to a customer even if you respect their privacy.
Ads are still legal, that hasn’t changed. You can still target customer based on the sites the visit or the sesrches they make.

Sales people, well agencies, are just super pissed that they now have to do actual work. For years they’ve been able to make money by clicking around in AdWords and Facebook ads, now the real sales people has to get back to work.

A couple people here have said "make something useful." Fascinating. So make something useful but then how do you actually get it in front of people without resorting to very expensive and inefficient brand advertising?
I can see how reworking an existing system to be GDPR compliant can be a major headache. But for anything designed from the ground up the rules are really easy to follow and quite sensible.
Smaller companies have fewer compliance concerns and thus have an easier and cheaper job conforming.

As for the comment about "consolidation of goods/services into larger and larger corporations", that's very much an Americanisation. It's usually the American firms that go for global monopolies. I'm not saying we don't have large multi-nationals in the Europe as well but there is a real culture for supporting independent businesses here which I've not noticed in America (it might exist there but I've not seen it as prevalent there during my visits).

Frankly, the only people GDPR affects is those it's expressly there to protect us from. So I consider that a win.

The culture for supporting small businesses is a very fair point. Americans talk about it but in practice the support is very weak.

Europe also retains strong local press operations so advertising in newspapers is actually viable. That’s dead in the US.

I wonder what demographic is reading physical newspapers in Europe to cause a difference compared to the US.
In general I feel the EU bureaucracy doesn't understand the problems well enough, so the solutions typically tend to be annoying and expensive without mitigating the problem (and often the problem they attempt to solve sounds like it was formulated 10-15 years ago).
People saying that the laws are only there to ruin your business are mainly non-Europeans who have at most read a shallow blog posts on the topic, also written by non-Europeans.

The EU laws and regulations are quite simple to follow, and I dare say that it's much more difficult for those large corporations you mentioned because they usually have much more responsibilities. Smaller companies with a smaller scope do not have to worry about rules which do not concern them and their business.

So, to answer your question, yes, this is exactly what I want personally. For-profit actors need to be scrutinized.

But if the rules impact a smaller company’s ability to market against larger and better funded competitors isn’t that an issue as well?

Ultimately my question isn’t about compliance. That is relatively simple. It’s about the downstream effects.

> do you enjoy [...] consolidation of goods/services into larger and larger corporations?

I mean, it seems the US has completely abandoned their policy of breaking anti-competitive companies in favor of what essentially looks like surveillance mercantilism.

In that context, your question is ambiguous: are you, as often happens here, arguing that EU attempts at regulation entrench monopolies, or are you arguing that the EU should take significant actions to break US tech monopolies' presence in Europe?

In the first case, I believe there is ample evidence that anti competitive behaviour by tech companies is widespread enough that regulation doesn't significantly improve their position.

As for the second argument, the US government has always vigourously pushed back against any EU attempt at unfavourable regulation.

Neither actually. My question is more about downstream impacts on smaller companies.

For example, Apple rolls out privacy controls in iOS 14. The story is about big adtech vs Apple privacy, but the downstream impact is that smaller businesses can no longer target effectively.

GDPR and similar privacy moves in Europe have the same impact.

The result is that smaller companies either evaporate or move to marketplaces because they can no longer acquire customers at acceptable rates.

> The result is that smaller companies either evaporate or move to marketplaces because they can no longer acquire customers at acceptable rates.

I am a bit stuck here, what do you call smaller businesses? Rolling out effective targeted advertising is hard in the first place. It's even more so in an environment like Europe where potential buyers are fragmented across countries with different languages, cultures, and so on.

If anything, effective privacy laws levels the playing field. That's good for companies that can't afford a large marketing budget.

Let’s say companies with revenue between 500K and 5M Euro in annual income, but certainly smaller businesses can stand up targeted ads even if they’re just going self-serve.
The arrogance In The comments is incredible. The gasping fetish for “targeting” and hoarding data and any attempt to put manners on said activities by the EU as making business not worthwhile is really laughable.
What’s been hard recently in regards to EU privacy laws is the impact of SchremsII ruling. We have found multiple EU countries that interpret the guidance of “you can’t use US-owned clouds (Ie all of them)” even with client encryption and data locality enforcement for fear of FISA.

That’s not privacy concerns but it piggybacks on privacy concerns via GDPR.

https://www.theregister.com/2020/11/23/european_recommendati...

There’s still a lot to work out for these privacy laws.

We have the same “problem” the AWS team is most helping customers migrate of AWS to on-prem (well our datacenters). Nothing new have been built on public cloud for almost a year.

That’s also why I’m currently extremely negative about new SaaS solution presented on HN. We can’t use ANY of them. There’s a huge market for anyone who care to built and ship on-prem software right now. Atlassian for instance just left a massive hole in the EU market, by killing Jira and Confluence server products.

> Atlassian for instance just left a massive hole in the EU market, by killing Jira and Confluence server products.

They still provide the Data Center product for those who really want to self-host, but the cost is a lot higher.

I know, we use data center edition, but we have perhaps 15 customers who cannot afford the licens, but also can’t use Atlassian Cloud.
Uhmm...need to dig deeper into this SchremsII rullling. Looking at the comments going on in the Register reference you included and what are the moment recommendations:

https://edpb.europa.eu/sites/edpb/files/consultation/edpb_re...

...It would look like using GSuite or Office365 would also not be allowed.

Although I am strongly in favor all possible privacy measures, the move to onsite solutions is likely to cause an decrease in privacy safety. Most data center and private companies are completely unable to match anything near the SOC controls and internal procedures of most cloud providers.

That’s correct. Conservative interpretation of SchremsII is that US privacy Shield is dead and no US-owned asset may hold sensitive EU data. We have found in practice since this ruling that each country has different interpretations as to what “countermeasures” are allowed. From “yeah just make sure to use data locality” to “use sgx enclaves but you’re ok after that.” To “if you cannot resist fisa, we cannot trust you.”
That’s eminently sensible. What country, if I may ask?
All of the EU. It's a ruling by the Court of Justice of the European Union.
I can’t say which countries have been MOST conservative and which haven’t for confidential reasons. However some countries, like France, have recently come around and said “yeah we need an eu cloud but for right now just use an American cloud.” https://www.google.com/amp/s/venturebeat.com/2021/05/17/fran...

Another country we deal with doesn’t agree and has no legal path, despite customer controlled keys and SGX, to use a US cloud.

I agree the French position is a stunning capitulation, specially from a country that is generally hard-nosed on sovereignty issues and quite justifiably cynical about espionage.
Europe continues to slowly make itself a no-man's land for tech. How long until the great firewall of the EU?
(comment deleted)
I'd like to see the reaction from libertarian types who always insist that regulation just entrenches large incumbents and makes competitors emerging tougher. (Ben Thompson of Stratechery has been banging this drum forever). If large companies actually want privacy regulation because it slows down emerging rivals- why did Google 'slow down' European privacy rules here? This seems to disprove Thompson's argument
The narrative here seems not so hard to predict. Large incumbents may still have revenue which is negatively impacted by the regulation at the same time that the regulation raises the barrier to entry for smaller competitors. They're not mutually exclusive concepts.
Yes, a pebble in the shoe of Google but could be a mountain in the way of smaller company.
The cost of GDPR is mostly related to technical debt, not company size. A small company with little debt will not face any issues with GDPR. Google just bet on they themselves having much less technical debt than the other giants.
Sure, but this NYT times piece that says Google specifically tried to 'slow down' European privacy rules disproves Thompson's argument that they want privacy to impede competition. It's pretty binary- if they wanted privacy regulations they wouldn't have slowed them down, if they slowed them down then clearly they don't want privacy regulations. I don't see what other conclusion could be drawn
One reason to slow it down could be that the company needed more time for implementation work to get compliant.

At Google's scale, I wouldn't be surprised if this was a factor.

I m a european, GDPR did not change anything substantially. Instead people have to click a few hundreds "I accept" boxes per day and whatever was left of european advertising has completely vanished now. The EU did not have a plan to change advertising, instead you got a rather inane law for the web , spearheaded by the german green left, that did nothing to correct the course of the advertising industry. The EU after gdpr should have required google to break up in europe, to force it to become one of the players. Instead we get politicians flexing and patting themselves on the back for the large fines they are able to impose on US tech, while the EU continues to render itself internet-irrelevant. The brussels microcosm is an overpaid crowd that s not good for business
I’m a libertarian type, but I think any company that is large enough to sway government policy is a danger to society and should be broken up until their influence is indistinguishable from noise. No idea how to effectively execute that idea, though.
My thinking is that companies can grow that large due to the capital assets under their command.

Taking some inspiration from geo-libertarian thinking the key would be to figure out if, and how, those capital assets can be made into a commons rather than privately owned.

Sadly, the breaking up companies does very little to the political influence of the people who own them, other than giving them a lot of different names to speak in the same voice.

You break up companies, I think, in order to make room for innovative competitors, and to make corruption more difficult by making the lines of communication lengthier (and forcing them to stretch between companies.) When it comes to politics, industries aren't afraid to "unionize" amongst themselves and speak with a pretty singular voice. Most of their interests will always be identical.

Those massive accumulations of power aren't actually located in supercorporations or ideal groups of competing companies making up an industry, but in individuals. The problem is that there's such an wealth/income disparity that small groups of people are going to be more powerful than larger groups of people by orders of magnitude, and that they're naturally going to use that power to increase that disparity. Their ideal world has the people who have accumulated the most ruling the rest through a system of benevolence and patronage. That's what libertarianism is.

edit: The breakup of Standard Oil made Rockefeller far more wealthy and influential than he was pre-breakup.

> the political influence of the people who own them

We have this concept called progressive taxation that's supposed to help with that. (Not it's actually used in practice, but it is a known thing.)

I guess maybe I'm missing the scandal, but this is why they employ people in "policy" positions, isn't it? It's rather open that they're out to alter the law in their favor.

e: Another article in the front page suggests this is highlighted because it draws attention to Google's supposed pro-privacy position as a sham. I hadn't realized they had one but OK.

I think the scandal could be in the "successfully slowed down" part. if you employ people to openly state your position on certain issues and represent your interests, that's ok - that has always been the justification for "good" lobbyism.

(Though enough people point out that the ability for groups to effectively "represent their interests" differs dramatically between groups)

However, the memo sounds as if they didn't simply stated their position - but also used their power to sabotage the lawmaking process itself and undercut all the usual mechanisms of democratic will formation. That's abuse of power and rightly seen as a scandal - even though google is likely far from the only one doing it.

I don't understand the distinction you're making. Influencing lawmakers and regulators to change policy in your favor is exactly what lobbying is.
If someone influenced lawmakers by promising to pay them a lot of money if they voted in their favour, that would be different, would it?
It would, but that is not what the unredacted docs say.
Well, legally speaking, yes, that would likely constitute bribery, which is illegal. But in your case you're saying the lobbying is scandalous because it worked, not because someone broke the law.
> Well, legally speaking, yes, that would likely constitute bribery, which is illegal.

Trading law for campaign cash is not illegal in the US, at least not in any meaningful way.

Nor is that sort of bribery objectionable to most US voters or news orgs - again, in any meaningful way.

>Nor is that sort of bribery objectionable to most US voters or news orgs - again, in any meaningful way.

Where did you get that idea?

AFAICT, most Americans are for getting money out of politics[0][1][2][3].

Am I missing something here?

[0] https://www.citizen.org/article/polls-on-citizens-united-and...

[1] https://www.issueone.org/new-poll-shows-money-in-politics-is...

[2] https://www.pewresearch.org/fact-tank/2018/05/08/most-americ...

[3] https://www.pri.org/stories/2018-05-10/study-most-americans-...

>> Nor is that sort of bribery objectionable to most US voters or news orgs - again, in any meaningful way.

> Where did you get that idea?

Voters overwhelming vote for incumbent pols of their party - pols who passed law in response to campaign donations they received. Reelection is a pretty solid approval indicator.

Likewise, the dearth of coverage about pols passing laws for campaign cash shows news orgs' ongoing lack of interest.

> Voters overwhelming vote for incumbent pols of their party - pols who passed law in response to campaign donations they received.

Do voters feel they have an actual choice here? If the impression is that all candidates engage in this, voting results might not mean much here, especially if direct opinion polling states there is interest in the topic.

> Likewise, the dearth of coverage about pols passing laws for campaign cash shows news orgs' ongoing lack of interest.

Indeed, but this is the interest of news orgs, not voters.

> Reelection is a pretty solid approval indicator.

I think this is the same logic trap like the common argument "We added feature X to our product and people are still buying it, therefore people must like feature X." That's not true - product decisions are a result of a multitude of factors. People may buy the product despite feature X because it's outweighted by other factors.

Similarly, corruption scandals may be outweighted by other motivations when voting - but that still wouldn't mean that voters approve of bribery.

>Do voters feel they have an actual choice here? If the impression is that all candidates engage in this, voting results might not mean much here, especially if direct opinion polling states there is interest in the topic.

I agree. However, it's not about choice or whether or not certain candidates raise money.

In the current system, all candidates, incumbent or not, spend a significant portion of their time and energy fundraising. Not because they're necessarily corrupt, but because if they don't, they can't compete with those who do.

The problem is that our political system pretty much requires it unless you're extraordinarily wealthy. And even then, most will fund-raise anyway.

The system we have incentivizes money over all else. Which is counterproductive and creates the avenues for prioritizing the well-heeled and wealthy special interests.

Voters understand this, which is why most want to get the running sewer of filthy lucre out of our politics and elections.

What is necessary is public funding of elections, with strict limits on spending and much more regulation of lobbying.

Doing so would allow a much broader cross-section of folks to run for office and give those who are elected much more leeway in servicing their constituents.

And that's, IMHO, what most Americans want.

> Do voters feel they have an actual choice here?

What is the voter scenario that you're visualizing here? Do you see voters considering the instances where their pols have traded law for cash, gritting teeth and voting anyway?

I'm fairly sure that first part never happens - because voters know ~0 instances where their pols have traded law for cash - because cash-for-power rarely catches news orgs' interest.

That last bit is to counter where you infer the lack of concern by news orgs isn't related to the lack of concern by voters.

There are all kinds of caveats which is why I went with "likely."
> which is illegal.

So if the law were changed to legalize bribery, and then someone influenced lawmakers by promising to pay them a lot of money, that would be okay? Does this philosophy also extend to, to pick a deliberately extreme example, murder?

OK let's back up. It's not even an open secret but just regular, acknowledged fact that this sort of result is the purpose of lobbying. Is the scandal, in this case, that the lobbying worked? Why are we particularly shocked about this instance and not many others?
> Why are we particularly [outraged][0] about this instance []and not many others[]?

Ah, yes. Fair enough. I agree that there are many other cases of legal but unconscionable lobbying that also need to be criminalized and prosecuted (but won't be).

0: I don't think "shocked" per se is a reasonable characterization, but that doesn't seem to be your point.

There are many who do argue that lobbying as a whole should be abolished.

I personally don't quite agree with that. I think there is a place for "transparent" lobbying - e.g. openly stating the concerns of your interest group as part of normal public debate. However, this is a power that must be available to all interest groups. Additionally, groups must be willing to make compromises or accept if their arguments are dismissed by the public.

What I think is not ok is for a group to use power, connections and manipulation to push through their interests even against public opinion. That's what bribery or obstructive tactics are doing.

> What I think is not ok is for a group to use power, connections and manipulation to push through their interests even against public opinion.

Then you should be opposed to lobbying tout court and, honestly, perhaps even regular grassroots advocacy.

> perhaps even regular grassroots advocacy.

I can say it a third time, I'm not against political advocacy.

There is "astroturfung", i.e. pretending you're a grassroots movement when it's actually orchestrated. There is also uber-style "grassroots" campaigning, where you use your existing reach to push your narrative to a broad number of people who are dependent on you.

I think the former is deceptive and the latter is unfair. However both are distinct enough from normal awareness campaigns or organic grassroots movements that I don't see a problem.

To make an analogy, consider a game like soccer. Soccer is inherently competitive, so it makes no sense to get upset about the fact that there is competition. However, mostly, that competition is restricted by the rules of the game. Even this is not the whole picture: There are a number of rules violations which are generally accepted as part of the game and are even part of strategy, such as tackling other players or drawing out the clock. However, there are other rules violations which are clearly outside the acceptable territory, such as defending the goal with a handgun or bribing the referee. I think a similar case can be made for lobbying.

> Why are we particularly shocked about this instance and not many others?

Good question. Fatigue, cynicism, better media spin. There can be a lot of reasons why we're not sufficiently shocked about the other scandals.

However in general, if you look at statistics about the trust of the general population in politics (and magacorps), you can see a decline in the last decades. Seems to me, a lot of people are simply reacting to all of this by losing trust - because there is not much else for them to do.

I don't know why, but my reaction today upon reading some of the quotes was along the lines of, jeez who ARE all these sad, scheming paranoiacs? Obviously Google hired them to be just that, but it's a far fuckin cry from "innovation" of the sort that's always being defended and trumpeted. Clearly innovation is a pretense now, maybe always was? Or maybe finding innovative ways of circumventing the public will still counts as innovation?
> who ARE all these sad, scheming paranoiacs?

Same, it's puzzling to me what is the mechanism that creates people like this.

I bet they think we're the fools though!
I imagine it's the steady state result of getting promoted a lot of times for bringing home truckloads of money for Google
The same ones that call privacy advocates the "screeching minority".
> what is the mechanism that creates people like this.

I think it's pretty straightforward: take one part a person who sees an opportunity to earn a sizable income, and one part a person with ethics different than yours. And there you go. It's not complex.

A good law IMO is: provide quantifiable anonymity metrics and post it visibly on your website somewhere (like nutrition labels). For example your likelihood of being personally identified is 14%). This obviously needs a body of research to come up with these metrics and methods to verify them. Governments can fund that research.

Yet right now all I've seen from EU and California regulations have been friction upon friction both for the end user and the service provider:

Every website I visit I need to go adjust cookie settings (enable essential and telemetry and remove targeting).

So I'd vote for repealing all these useless laws

> Every website I visit I need to go adjust cookie settings (enable essential and telemetry and remove targeting).

> So I'd vote for repealing all these useless laws

This is called malicious compliance, and you're falling right for it. The entire goal of these "settings" is to trick/tire users into accepting fake consent that has not been freely given. They are a priori illegal under most privacy laws as well as common law principles. But enforcement takes time and resources. Meanwhile companies can play dumb, straight up lie about the necessity of such dialogs, and get users to mistakenly assign blame to those pesky laws rather than the malicious companies themselves.

I don't think so. The law can simply ban it but they know it'll break things. So they opt for the most annoying alternative.

This reminds me of California prop 65 which is as useless if not more than the cookie law. You see it at every random place with the note that "this product may contain a chemical known to the state of California to cause cancer or birth defects ..." People have become fully desensitized to it because it shows up at the parking garage of their work place. If it was a real deal well perhaps it should've been banned.

I'd like to repeal both prop 65 and these cookie laws. Either ban something or fine the perpetrators if it's harmful or stfu /rant

The laws recognize that there are legitimate reasons for processing personal information - banking, medical records, utility bills, etc. I personally wouldn't mind living in a world where use of personal information for all of those activities were outright banned, but it's understandable that the law would attempt to make carve outs for them.

The actual problem is the inability to update the law as companies iterate on their malicious compliance. And ascribing the bad faith actions of companies as consequences of government helps erode the political will required to enact sane updates.

The prop 65 issue is somewhat orthogonal as it's the result of an impossible ask by California's citizen initiative process. Ideally that too would have been updated as its failings became apparent.

Have you ever smelled a Harbor Freight store before prop 65 and after? The difference is night and day.
I don't often go to harbor freight. What was the difference?
Presumably it smells a lot less due to lower volatile organic compounds, although I don't have firsthand experience with the ones in CA. Although aren't VOC limits a separate regulatory push, apart from Prop 65?

As an aside, I do have some experience with California paints and they're terrible. I'd much rather have a day or two of leaving the windows open after painting, than to have paint that never really dries and releases low level VOCs for a month.

> Every website I visit I need to go adjust cookie settings (enable essential and telemetry and remove targeting).

Easiest way to not care about the cookie notices much is to always use incognito or private mode with each website on their own container. It’s not foolproof of course as multiple fingerprinting tests will reveal but combined with tracker blockers at system level it’s better than most and don’t have to worry about those cookie notices.

Visiting everything in incognito mode has the side effect of being asked each time what I want to do with my cookies. https://klima.com/ is the first website I ever visit that actually respects the do not track request from my browser.
There are nice cookie notice blockers lists for most of these sites. Just have to add to uBlock origin or equivalent.
I had a cookie consent form today that literally spun and said “processing” with a progress bar for a while. Clearly, it’s artificial and it’s just pushing me to accept all. The cookie consent stuff is trash because of implementers being malicious in implementation. If anything, the laws need to go further and keep the consent, but ban/enforce against dark patterns.
From a technical POV, the cookie stuff makes no sense. It should be done browser-side and the websites shouldn't have a say in the matter. I have:

- Third-party cookies disabled with a few exceptions (disqus)

- A filter list to hide cookie notices

I completely agree, the individual websites asking almost seem to paint a picture that managing 3rd party cookies is a chore, where as the browser is the agent that makes cookies possible in the first place.
Most websites work fine with third-party cookies disabled so there's not much to manage either. Those that break are usually owned by companies that monetize with ads (some of yandex's services), which is telling, or are just very poorly made (aliexpress).
The GDPR is not about cookies but about data collection and tracking irrespective of the implementation.

If browsers block cookies by default, websites will just use other methods to store and correlate the information.

> If anything, the laws need to go further and keep the consent, but ban/enforce against dark patterns.

Many of the dark patterns used today are already illegal. Noyb actively reaches out to the owners of those sites and threatens (and probably will) sue them if they don't fix it.

> Every website I visit I need to go adjust cookie settings (enable essential and telemetry and remove targeting).

Funny, the most annoying offenders I find myself just ultimately avoiding. I'm glad. It's a proper chilling effect. The web is a crappy, overweight timesink populated primarily with the most meager scraps of information wrapped in an ad-laden turd sandwich, and all these cookie popups just remind me how much carnival barking and creepy stalking is going on, and I just don't want it.

The web was so great in the 1990s, but now it just doesn't deserve my time anymore--ok, HN, har har--and maybe it will just implode....and we can sneak off to something better. Like what? A new kind of BBS, who knows....Imaginations are so weak these days. We couldn't possibly do anything different, or over. Oh wait, those hundreds of billions of dollars aren't going to make themselves.

I've sat in countless PPP meetings in Brussels on this topic.

The goal was indeed to make a label similar to nutrition labels (or energy usage labels). It cannot be done. Privacy is not something you can distill to kcal, grams of salt or kWh.

It is extremely complex and the industry will never fully align on a shared definition.

Google motto is "don't be evil".
Nope, they scrapped that years ago.

And I really, really want to know exactly what happened at that meeting. Did someone sit there and say something like 'Look, I'm not saying we should "be evil"...'? How does that conversation start?

Would you bring your kids to Disney World if its motto was "we won't kill your children"?
Not sure about that, but I'd definitely take then there if other amusement parks killed children.

Better yet, I'd take them there if their motto was "don't be evil".

Google's old motto wasn't "we don't kill our users", so I don't really see what you're getting at here...

> Not sure about that, but I'd definitely take then there if other amusement parks killed children.

I bet most people would just find other forms of entertainment for their children.

> Google's old motto wasn't "we don't kill our users", so I don't really see what you're getting at here...

My point is that corporate evil is a concept that is too abstract for most people to understand, therefore I made it more concrete, at the same time showing how nonsensical the motto really is.

I always wondered this too. Would love to have been a fly on the wall in the "let's drop the 'don't be evil' motto" meeting.

Maybe at the time it seemed intuitive, not representative of the _positive_ goals of the company, and just something people could point at whenever there was a minor disagreement. In hindsight they may have been able to avoid the dumpster fire that they're in now if they had kept it.

On the first slide was a graph where the "evil" line was moving up and to the right.
And then two that showed with P < 0.05 that profits and evil are correlated.
The two people working for the EU's privacy organization must be scratching their heads.
Maybe lobbying should be illegal. But right now, it isn't.