
‘Everyone is breaking the law right now’: GDPR compliance is falling short - ilamont
https://digiday.com/media/everyone-breaking-law-right-now-gdpr-compliance-efforts-falling-short/
======
davidhyde
> Part of the issue, experts say, is the vague regulation has been interpreted
> in wildly different ways. GDPR consent-request messages vary wildly across
> sites

What experts? I found the law to be pretty clear and there are plenty of
summarized versions out there. What some companies find confusing is that the
law has made their core business model illegal and no consent form can save
them. You cannot get your users to opt out via a consent form, how many times
do people have to repeat this? This is nothing like the cookie law.

The only vague part of the law is the fining system which was done on purpose.
If you have explicit fines then companies will have to make more money from
your private data to cover the explicitly priced fine leading to a worse
situation.

~~~
existencebox
I can't honestly agree. (re: ambiguity of interpretation, and cost being
limited only to privacy-violating business models) Two reasons.

1. HN discussions themselves. Literally EVERY TIME this comes up, you see a
massive back and forth from various crowds of GDPR; some of whom swear that
it's perfectly comprehensible even as significant portions of the conversation
are interpreting the same points in a variety of ways. (Are IPs PII? What
exceptions can be allowed? What falls under "security requirement"? What forms
of data are associated PII? What sort of deanonymization is sufficient? IS it
sufficient? are some common questions I saw in the past, not even getting into
the wonderful world of third party data processors.) This seems like enough
pragmatic evidence that a (to give the benefit of the doubt) educated and
professional community hasn't reached consensus, so to say there's a variety
of interpretation seems very fair.

2. I implemented GDPR for a small corner of a notable BigCo. I do not
consider myself an expert, but I certainly got my marching orders from
experts, (The legal teams who interpreted the document and evaluated the
implementation methods) and the sheer amount of horsepower put behind finding
an interpretation we believed and were confident in was staggering. Granted
this is something where we _really wanted to get it right_ but if it were
really trivial to interpret I question if the process would have been as
intensive as it was. (To preempt the inevitable; our (my team's) business
model has _literally nothing_ to do with your data, but we had many of the
same confusions/questions that I saw from companies who did, so I'd be
hesitant to say that the burden isn't somewhat widespread.)

~~~
JumpCrisscross
> _The legal teams...and the sheer amount of horsepower put behind finding an
> interpretation we believed and were confident in was staggering_

You shouldn't be getting down voted. I just went through a GDPR compliance
review. We have a service model which is incredibly serious about customer
confidentiality. We don't sell ads and, to my recollection, have never even
bought them. Still required an army of lawyers. Two top London law firms ended
up agreeing to disagree on major points, ultimately concluding the Polish data
regulator would probably rule one way and the French the other.

Complying with the spirit of a law doesn't mean complying with the statute of
it. With GDPR, it's the latter that's a pain in the ass.

~~~
craigsmansion
> Still required an army of lawyers. ... major points

What? Why? How?

Given that:

- You don't sell your customer data.

- That customer data is secure.

- Someone somewhere in your org can handle access requests and delete
customer data on request.

What here _requires_ an army of lawyers?

Maybe your corporate culture demands that army regardless, but that's hardly
the GDPR's fault.

~~~
hyperman1
Never underestimate the kind of mess lawyers can think up. I know of a big
organisation providing all kinds of services. I was involved from the
sidelines in GDPRing a small part of a very unimportant and almost forgotten
service of them.

My personal guess was they wouldn't need consent, as it was a clear-cut case
where all requested data was clearly needed to provide the service. And asking
for consent to use the data a customer just typed in the site for requesting
the service seems a sure-fire way to annoy them without any upside.

Then the GDPR lawyers came.

It turns out, if you interpret the company charter in a very nasty but still
legal way, there might be a very rare edge cases where a service was provided
to someone who was not strictly 100% a customer. Yeah, I'm a bit vague here,
sorry about that.

To be clear: No real-life example was found now or in the 10+ year history
records of the service, both the almost-but-not-quite customer and the company
would have to do insane things, and service delivered in the case was almost
non-existent, but theoretically, on paper, it was possible. I'm pretty sure
nobody would care if it happened, either.

So boom goes our legal base. Consent it is, then.

~~~
neffy
It doesn't matter if you need the data to provide the service, you still need
to ask for consent for any personal data - and personal data is defined
extremely broadly.

~~~
hyperman1
Sorry, but this is completely wrong. See art 6:

[https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)

There are 6 options. Option a is the consent you are talking about. I am
talking about option b.

Basically, having multiple legal bases can't hurt, so our lawyers said: Get
both option a and b.

------
megous
I'm quite happy, my phone number and addresses slowly disappeared from the
google/bing/duckduckgo/... searchable internet over the past month. Often
times without my involvement.

Searches for my real name now vs prior to GDPR enforcement are like day/night.
Prior, it was all topped by aggressive (SEO wise) companies who clone public
registries and republish them en-masse without adding any value whatsoever.
They just use this as a trick to drive people searching for various people's
names to their online magazines and whatever. They basically parasite on other
people's names to prop up their revenue at those people's expense.

Now the searches are actually starting to return relevant things near the top,
like my past OSS contributions, etc.

For me, this side of GDPR compliance is working fine, and almost all companies
are pretty good at responding to requests. That is a law working pretty well
from the side of the data subject.

~~~
baxtr
_> Now the searches are actually starting to return relevant things near the
top_

How were the prior top search results not relevant before? Either google and
others are lousy or relevance means something different to you than most other
people when searching for your name.

~~~
megous
Top 10 or so results just contained the same info repeated over and over on
different websites. Half of the time outdated (old addresses, etc.). Yes,
google is lousy sometimes.

It was the result of name squatting, as I described earlier.

------
mgkimsal
I was onsite at a client's retail location and got chatting to a customer.
They learned I was in IT and said "I hope you're all set for GDPR!" and I said
"it doesn't affect us". "Oh yes it does! There's a lot of people living in
this area (in the US) who are European citizens - this affects _you_ right
here!" I tried to argue back politely that it didn't affect us, and she
started getting a bit... agitated, and the voice started to raise a bit. I
tried to de-escalate - other customers in the store would have started paying
attention once the raised voice went on. But... man oh man... my comeback
question I was ready to put back - then stopped short - was "Do you think a 20
person brick and mortar in the middle of Spain is required to abide by US
laws? They're not, even when serving customers who happen to be US citizens."
I would have hoped it would have made it clear, but... stopped short of
getting in to a shouting match with my client's customers. :)

~~~
cletus
I hate to be the one to break it to you but just being in another country and
being small doesn't automatically exempt you from other countries' laws. Some
examples:

- Australia has laws about child sex tourism aimed at those that go to
Asian countries with lax laws or enforcement. These crimes are committed in
other countries [1]

- Foreign financial institutions are subject to FATCA when serving US
customers, an issue that has made it difficult for US expats to even open bank
accounts in some jurisdictions [2]

- Australia has some pretty strict insider trading laws such that two
foreigners who trade in inside information about an ASX listed company while
they're on foreign soil (may) have committed a crime in Australia

- Sanctions on the likes of Iran and North Korea prevent US companies or
persons from trading with entities from sanctioned states even if such
transactions take place entirely on foreign soil.

- US citizens living in other countries are required to file taxes with the
IRS even though during the tax year the citizen may never have stepped foot on
US soil and any income is earned and paid entirely in foreign jurisdictions.

So I'm not saying GDPR applies or doesn't. I honestly don't know. I'm just
saying not being in Europe and being small aren't the automatic defenses you
seem to think they are.

[1]: http://www.thejakartapost.com/news/2017/12/13/australia-introduces-tough-new-laws-on-child-sex-tourism.html

[2]: https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance_Act

~~~
Karishma1234
What can EU potentially do to you? I have no plans to comply with my website
that gets only 5% traffic from EU. I would rather block access to those users
based on trade off.

~~~
bmer
I hope a Firefox extension comes out to automatically block visiting any
website that blocks EU users in general, regardless of whether you are in the
EU. I would use it.

~~~
volkl48
If you have negligible EU revenue and no intentions of changing that, it makes
no sense to expend any effort on complying with GDPR.

Blocking EU users is a smart business choice to avoid any possible legal
issues and far easier than compliance.

~~~
rickycook
Fine; but it's also a red flag for companies that do some pretty terrible
things with your data... I'd prefer not to use a service that gives off those
red flags than to chance it. We all have choices, and if a company chooses to
represent itself in a shady looking way, I'll choose to take my business
elsewhere.

~~~
woolvalley
Or it means... they are a small business with no EU customers.

~~~
icebraining
Those are not in the scope of the GDPR anyway, as per Recital 23.

------
jillesvangurp
GDPR is very straightforward to comply with. Yes there are fines but you
pretty much only get them at the end of an escalation process with plenty of
opportunity to fix things. If your business was breaking the pre-GDPR laws by
doing things that were dodgy already, then, yes, this is now more likely to
happen. That's a good thing.

As for legislation and jurisdiction, doing business internationally has always
been complicated. Many big corporations have legal entities across the world
and funneling revenue via the EU is a popular way to dodge taxes in the US. If
you do business with such companies, that makes GDPR relevant for you even if
you have no direct EU ties as these companies may be forced to reconsider
their relationship with you otherwise. Think anything involving ad based
revenue, e-commerce, and other sectors involving non trivial revenue from the
EU.

Anyway, read the law text. It's surprisingly easy to find and digest and it
puts all the idiots interpreting each other's interpretations a bit in
perspective. Good summaries are available.

------
evancox100
Speaking of opting out... as a non-EU citizen, is there any way I can opt out
of the EU's internet regulation? Like some flag my browser can send so I don't
have to deal with the meaningless cookie/privacy popups?

~~~
andrewmackrodt
I'm an EU citizen and I've hoped for something similar since the cookie "law".
Maybe a callback that gets fired when the consent popup appears and then a
browser extension could hook into that and automatically accept.

Edit: replied to an out of date tab, another poster commented the same idea.

~~~
navs
Maybe if there was a browser feature providing an API for marketing consent.

------
alkonaut
Hopefully things will stabilize once a few big players with dark patterns are
taken to court, establishing some precedents.

For example, switches opting in by default or popups saying “by using the site
you agree to x”.

~~~
merinowool
Not every country in the EU has precedent based law, also what could be
considered bad in one EU country not necessarily could be considered bad in
another given how vague GDPR is.

~~~
curun1r
It's possible that the poster above isn't talking about legal precedents and
instead talking about practical precedents. After spending about a month
building a GDPR consent tool and now seeing many other "compliance" efforts on
various sites around the web, it's become clear to me that most businesses are
taking a wait-and-see approach.

They're doing the minimum necessary to claim they tried to comply while
changing absolutely nothing about the way they do business. They're waiting to
see how serious enforcement of the law is before making changes that
negatively impact their business. It's not about whether they'd lose in court
or have a regulatory judgment against them, it's about the likelihood that
non-compliance will get them in trouble.

If EU regulators show a willingness to do the legwork to fine smaller
companies, you'll start to see a lot of these sites become much more compliant.
But those companies are not going to spend all that time and money proactively
only to see that the EU doesn't have the teeth to enforce the rules, so they
need practical precedents of companies being hit with huge non-compliance
fines to scare them into making the necessary changes.

------
marcrosoft
A lot of people are _not_ breaking their local laws and "Confusion will
continue to reign" because there is a disproportionate amount of people that
think that EU laws apply to the entire world.

~~~
keithnz
I'm curious about this aspect. If you run and operate a website outside of
Europe, if a European then uses that site, you aren't breaking local laws.

What does the GDPR mean for these people? The europeans will still believe you
have broken their laws and try to use whatever international agreements they
have to go after you? Or if you enter europe they will hold you to account?

Google / Facebook have operations in Europe, so I can understand why they are
concerned, but what does it mean if you don't operate in Europe but have
Europeans using your site?

~~~
mgkimsal
> but what does it mean if you don't operate in Europe but have Europeans
> using your site?

My limited understanding is that generally, it doesn't mean much. However, if
you are actively targeting/marketing to Europeans, then you might fall afoul
of this, but probably won't be affected legally without hitting some sort of
moderate commercial size.

------
Sargos
If everyone is breaking the law then no one is.

~~~
JumpCrisscross
> _If everyone is breaking the law then no one is_

In the EU, if everyone is breaking the law then the foreign tech companies
are.

~~~
Jacqued
To be fair that's pretty much the DOJ enforcement strategy too. Except you
don’t even have to serve American customers to be targeted there.

------
smileypete
I'd like to see some sort of browser request header that can set or deny
permissions on a global basis, dealt with by an options page in the web
browser.

Then sites only need to serve up the annoying dialogs if they need a
permission you haven't set, otherwise clearing cookies periodically means
being plagued by the dreaded things. >;-(

~~~
JaceLightning
I feel like this is against the spirit of the law.

------
techsin101
I feel US companies should have protection against badly implemented laws from
foreign governments. Regardless of treaties. I'd love to see someone quantify
loss of innovation, added cost of operation, and total delays caused by GDPR to
companies here.

~~~
Thiez
What would this protection look like, in your ideal world? How would it work?

------
Theodores
The whole thing was a shambles, there was no reference design that you could
just implement for your ecommerce store/blog/software service or anything else
that required it.

Instead we had people running around like headless chickens rushing to put in
place some extra tick-box on their website.

The funny thing was how people sent out those emails to their newsletter
subscribers and I do wonder how decimated those lists became. People got GDPR
fatigue and could not be bothered with the emails after a while. This
particularly affected smaller businesses who had legitimate reasons to email
customers.

Does anyone here have any anecdotal data on how badly some of these email
lists were purged?

~~~
throwawayqdhd
As I mentioned in another thread, the biggest winners from this entire GDPR
saga are Google and Facebook.

Email is control. You get someone's email once, you get to control how often
you contact them. You can send them hundreds of messages for next to no cost -
as long as they don't hit 'unsubscribe'

But if you can't rely on email, what do you turn to? Ads, of course!

I get that there are some nasty actors that abuse your privacy. But as a
consumer, I've never felt that spam was that big an issue to begin with, at
least not big enough to warrant small businesses ceding control and having to
rely on Google and Facebook to reach their audiences.

------
dmitrygr
That was _entirely_ the intent! If everyone is breaking the law, you can pick
and choose whom to enforce against, for a variety of reasons, including
political convenience, shakedowns, etc

~~~
frockington
I believe it was largely a way to try and unify the EU to combat recent
turmoil. By taking a stand against the evil American tech innovators, the EU
can look to its populace and say they accomplished something that a single
nation could not have

~~~
oblio
Because God forbid that us Europeans would actually want a law like this, it’s
just the Bruxelles bureaucrats that are pushing an anti-US agenda.

I’m being ironic, a decent chunk of Europeans want this (I’d say a majority
but I don’t have hard numbers).

~~~
rleigh
I've yet to hear any complaints from anyone I've been talking to; it's been
universally regarded as a good thing. I'd have to agree, and I'm not a
particular fan of the EU.

It's never been portrayed as "anti-US", and it isn't. It's pro-privacy, and
that's an entirely different thing. While I think certain US companies have
aggressively pursued certain business strategies which are very much
anti-privacy, so have many companies around the world, and this legislation is
long overdue pushback against some very dubious business practices many people
are very, very uncomfortable with.

~~~
smileypete
Well I'd like to complain. It's not that there's no need for improvement, but
EU rules often end up imposing poor implementations, consequently with no
scope for better solutions.

------
Paianni
Every time I see the GDPR acronym I immediately think 'German Democratic
Peoples Republic' and I can't think straight about it.

------
gist
Was a big media workup (like Y2K) leading up to it and now it has faded from
memory. It's like everything else that is the issue of the day and then ceases
to matter, at least in any way as much as whatever you read seemed to make it
beforehand: 'sky is falling, comply comply', so typical. After you have been
through similar things you know the way this type of thing is overhyped (I
mean by what will actually happen and who it will happen to, way overblown, i.e.
'shut down my shitty little website for fear' mode.)

~~~
NeoBasilisk
The Y2K issue did actually require a significant amount of patching for some
systems, and they absolutely would have failed if not for that patching.

Complying with government regulation is not really in the same class of
issues.

~~~
ghaff
It seems that "Y2K was much ado about nothing" is becoming an increasingly
popular school of thought. There was certainly lots of hype at the time. But a
huge amount of money and time went into mitigating problems. I don't know if
there would have been widespread power grid, etc. collapses or not if everyone
had taken the attitude of "Eh, we'll fix things if they break" but I'm pretty
convinced people would have been missing paychecks, bank account statements
would be wrong, and that sort of thing at least.

------
kisstheblade
Isn't the intent of the law quite easy to understand?

Do not track/store anything by default. And your site works perfectly and
without questions.

If you then have a legitimate need for some data, without which your site
doesn't work (eg. gps location data for a map), then you ask for it.

And if you need to use ads, then have some opt in button somewhere deep in the
settings where the user can go and click "please track me aggressively" if he
so chooses.

------
duxup
I feel like I'll have a way better idea of what is up once we see actual
enforcement.

------
eulers__number
Any kind of regulation will harm small businesses and create monopolies of
large companies who have teams of lawyers to deal with this kind of situation

~~~
programmarchy
Counterexample: Anti-trust regulation

