
Europe is drawing fresh battle lines around the ethics of big data - kawera
https://techcrunch.com/2018/10/03/europe-is-drawing-fresh-battle-lines-around-the-ethics-of-big-data/
======
sonnyblarney
The basic intent of all of this is fine, however, I don't believe this is
going to end up where we want it.

Particularly with upcoming legislation regarding 'link taxes' etc. , we're
already seeing hints of problematic issues.

Moreover, I think the end result will be just problems for Europeans and
frankly very little improvement in material identity protection and basically
no improvement in terms of quality of life for Europeans.

What's needed is another model for all of this, but it's way beyond the EU
commission to come up with that, as exemplified by the odd 'link tax' rules,
which hopefully will be amended.

------
csense
What is the mechanics by which GDPR is enforced against companies that are US
based? Like, you live in the US, your website is blatantly non-GDPR-compliant,
you get a court summons from Europe, and ignore it, and then a bill for a
fine, and you ignore that too, what happens?

Do they force European ISP's to blackhole traffic to your website's DNS / IP
if you don't comply? If you're hosted on AWS, do the European authorities make
Amazon an offer they can't refuse: Either Amazon takes down your GDPR-
violating site, or every Amazon package everywhere in Europe becomes illegal?
Can they force your bank to disgorge the fine directly from your bank account
without your consent (e.g. by threatening to cut the bank off from any ability
to legally transact with anyone anywhere in Europe)? Can they get an
extradition warrant and have US police arrest you and send you to stand trial
in Europe? If your company's CEO travels to Europe on vacation, does he risk
having European police waiting to handcuff him as soon as he steps off the
plane?

~~~
groestl
Nothing of that sorts, but: The GDPR applies only to non-EU organizations when
they specifically target people in the EU, e.g. local currency payment,
shipment to the EU, local support hotline. This usually requires contracting
services from EU companies. And while the violating company can ignore the
legislation, their service providers might be fully liable for any damage in
the chain, caused by gross negligence.

------
mpweiher
And yay to the Europeans! How long has the tech world complained, not entirely
earnestly, that the ad-financed, private surveillance internet is broken? What
has happened so far?

Sometimes a bit of well-placed regulation, which pretty clearly separates the
ethical from the unethical in general and understandable terms can go a long
way in getting action rather than just hand-wringing.

Those unethical things you are doing? Guess what, they're now illegal. So go
figure out a different business model. It's not optional.

------
amelius
It's good to keep in mind that:

"big data" != "privacy sensitive data"

by definition.

~~~
dcbadacd
I'm a bit confused by your definition.

What if the data becomes privacy sensitive after big data methods are applied
to it? Does your comment say it isn't possible or it's not big data when that
happens?

~~~
amelius
It's not a definition. I'm sorry, I should have said "per definition" instead
of "by definition".

------
exceptione
Slightly on topic, afaik, techcrunch does not adhere to GDPR rules. It forces
me to consent to ads and ad tracking while denying me the option to withheld
my consent.

~~~
johnchristopher
It doesn't force you to anything unless you click OK. And even then you can
manage your preferences then with Oath.

~~~
craigsmansion
It forces you to accept cookies that aren't necessary for the functioning of
the site to view the content.

According to the GDPR, you can't do that.

~~~
arcbyte
I don't know where this misconception comes from.

Consent is totally different from contract - and both are part of reasons
under the GDPR to use private data.

True, consent requires necessity, but contract is wide open. When you click
accept you aren't consenting, you are (theoretically) forming a contract, not
consenting.

~~~
yorwba
> you are (theoretically) forming a contract, not consenting.

How is forming a contract different from consenting? Do you mean to imply that
a contract can be formed without consenting to the contract terms?

The GDPR does allow processing if "[it] is necessary for the performance of a
contract to which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract" (
[https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/) ), but if
you want to argue that tracking is necessary to fulfill the contractual
obligation to display personalized ads, then first you'd need to get _consent_
for that contract.

How to get that consent is outlined in [https://gdpr-
info.eu/art-7-gdpr/](https://gdpr-info.eu/art-7-gdpr/) , which says e.g.:
"When assessing whether consent is freely given, utmost account shall be taken
of whether, _inter alia_ , the performance of a contract, including the
provision of a service, is conditional on consent to the processing of
personal data that is not necessary for the performance of that contract."

So is the contract with TechCrunch about reading articles or about looking at
ads? And is the reading of articles conditional on the ads?

~~~
arcbyte
GDPR doesn't change contract law - they're orthogonal. It is true that in the
everyday meaning of the word "consent", you would "consent" to a contract, but
that is not at all how it is being used in the GDPR - the consent is to the
one-sided, without consideration use of your private information. It has
nothing to do with consenting to anything else, whether the formation of a
contract or the shaving of your dog.

While I applaud you going to the source, your reference: "How to get that
consent is outlined in [https://gdpr-info.eu/art-7-gdpr/"](https://gdpr-
info.eu/art-7-gdpr/") does not mean what you think it means. It is simply a
specific callout to emphasize the "freely given" aspect of consent (and NOT
contracts) and remind enforcers that refusing to perform or taking some out
from performing a contract should be considered undue pressure to get consent
and therefore not "freely given". For instance, an extreme example would be
if, after you ordered and paid for a pizza, and after I agreed to make and
deliver you that pizza, I subsequently threaten to breach that pizza delivery
contract if you don't "consent" to give me a complete list of movies you've
watched this week. ALthough we do have a contract, we're not forming a new
movie-history contract because I'm not offering anything for it or agreeing to
do anything. I'm just using that pre-existing contractual relationship between
us to threaten you into something that you may not want to do. They're
completely separate concepts.

Note the phrase "inter alia" which means "among other things", which is a
signal from the authors that this is not the only consideration on "freely
giving" consent. It has nothing to do with consenting to form a contract. Note
also the word "performance" as it relates to a contract, which is completely
distinct from "formation" of a contract.

Furthermore, you've (theoretically) been forming contracts with these websites
every time you visit them and accept their ToS and privacy policies and
whatever else you click "OK" on - just go read them. They restrict you from
many things that you could possibly do (reverse engineering, automated
scraping, etc) in consideration for serving you up the content. GDPR is just
another line item to add into that list for you to accept in the (theoretical)
contract.

Lastly, I keep saying "theoretical" because at least in the US, I'm not aware
of a direct case on the topic of whether website ToS are actually enforceable.
There's a click-wrap case that is close, but other than that....

------
surak
Please, stop linking to Techcrunch on HN if you respect privacy. For those in
located Europe you have to go through a disrespective process to read a story.

~~~
mpweiher
With my JS blocker in-place and Reader View, it's actually fine :-)

~~~
randcraw
That'd be my thought too. Does this difficulty persist when you employ Ublock
Origin, Privacy Badger, Ghostery, etc? And a browser that doesn't override the
user's wishes, like Firefox or Opera?

Without defenses like these, for example, reuters.com is intolerably spammy.
But with them it's a delight. Same goes for TechCrunch.

------
Jonanin
The EU's war on big companies with big data feels too much like the opposite
of "focus on your users instead of your competitors". EU has been quick to
throw around a lot of fines and new regulations. But I what I don't see is any
European governments or companies offering superior alternatives to customers,
or any vision of what superior systems would look like.

The EU is too focused on figuring out what's wrong with the technology that
was invented 10-15 years ago to be the birth place of the next big
alternative.

------
miki123211
I think all this GDPR bullshit is just nonsense. The more acts like that we
get, the worse for real users, and especially developers it will be. Just
think about it for a second. Large companies have large departments full of
lawyers responsible just for that kind of thing. Yes, they might be resistant
to change, but if they're forced to change, they will either change or figure
out a way to not change while still staying compliant. Law is usually full of
loopholes and the bigger you are, the easier it is for you to abuse them. The
more law restricting what tech companies can or can't do we get, the harder it
will be to create a startup. Imagine being a twenty-something biologist and
creating a startup that's going to sell some medicines you created in the
garage because your grandma is sick and she can't afford the ones on the
market. The idea just sounds ridiculous. The number of certifications,
clinical trials, approvals and other regulatory hurdles you need to overcome
is just too high for someone without a full fledged legal department. I think
the same thing will happen in tech, eventually. There will be no more startups
made by two roommates at college who have just thought about some
revolutionary idea. If someone even tries, they will instantly shut him down
for not complyying with this or that regulation in some foreign country he
hasn't even visited. Wise founders might try to find a lawyer or two and make
their startup compliant with one country's laws and then do georestrictions.
Big companies, with their legal departments, however, will be able to navigate
that tangled mess much more easily. As a result, we will get big companies
tracking us anyway and no way for small startups to rival them, much slower
progress in countries with overly paranoid privacy regulations, which will
cause economic development of such countries to be slower, and a worse quality
of life for citizens in general.

~~~
Bjartr
What I've read on this seems to point to how European laws tend to be enforced
to the intent of the law rather than the letter. So it's harder for loopholes
to be explored in ways common to US law. Further, I think (though could be
getting GDPR and the copyright laws confused) there is a clause that says the
law should not be enforced in a way that is onerous to small and medium
businesses. Which, again, as I understand EU judges to act, should actually
mean it's still easy to start a company, but once you're pulling in sizeable
revenue you must invest some of that in ensuring compliance.

Take all of this with a huge grain of salt since I learned it from comments on
HN. I'd love it if anyone can lend a more experienced take on this to either
confirm or definitely what I've said here.

