
GDPR fines were meant to rock the data privacy world - cloudyo
https://www.wired.co.uk/article/gdpr-fines
======
TazeTSchnitzel
I am still convinced fines will, but big investigations take a long time.
There's an ongoing case about Google's real-time ad auctions for example.

~~~
blub
The data protection commissioners have their work cut out for them for the
next decade.

It's just that the current privacy abuses of software companies are so complex
and egregious that it takes a long time to sort things out.

Essentially _every_ US company was doing things wrong for example. Just the
other day I was reading LinkedIn's cookie notice which can be paraphrased as
"accept our tracking commoner". And this is a big company owned by MS, the new
heroes of open source (and spyware).

It's the wild wild west out there.

------
mgliwka
[https://www.reuters.com/article/us-austrian-post-fine/data-p...](https://www.reuters.com/article/us-austrian-post-fine/data-privacy-fine-to-hit-austrian-posts-2019-profit-idUSKBN1X81R7)

Austrian Post sold voter preference data without having the right processes in
place and was fined 10% of last year's profits.

Noyb.eu is also an interesting organization to watch. They are a non-profit
taking lawsuits against large incumbents with egregious privacy practices with
the backing of the GDPR. They triggered the 50 million € Google fine.

~~~
blub
Deutsche Wohnen, the much criticized apartment rental company from Berlin, just
got smacked with a fine of 14 Million EUR for collecting credit rating data
after being warned several times.

------
joaodlf
It might not have "rocked" the data privacy world, but it is having an impact
on how businesses operate.

A lot of businesses (big and small) were getting too cozy with collected data.
With little regard to what was being collected and how long it was stored for.
GDPR forced businesses to take a hard look at their data and ask some
difficult questions, and I genuinely believe it has changed the way people
look at data.

Personally, I was professionally shocked to find how some businesses dealt
with data - If anything, GDPR forced common sense down some technologically
inept management teams.

------
tannhaeuser
The effect that GDPR has as far as I'm concerned as a user is that many or
even most sites accessed from EU come with a prominent banner warning about
PII data collection for targeted ads, including a large portion of sites
linked from HN. Maybe this isn't noticed on the other side of the pond, but it
has a very profound effect on my usage, as I'm immediately turned away from
such sites. OTOH, platform sites without ads such as github, where you
supposedly already have agreed to their ToS, and where data isn't being used
for ads (for the time being) don't suffer from this effect, yet.

~~~
thrower123
All that I have seen is that now there is one more popup window obscuring the
content I'm trying to view, which is especially egregious on mobile.

At this point, I might see one or two lines of text for a news article on
initial load between their gommy sticky header, a couple of ads, and their
"We're using cookies here, if you don't like it, go screw" popup. Of course
that's assuming it's not paywalled.

The net effect of the GDPR, from my perspective as a user, has been to make
the internet even shittier to use. There's also the developer side that I have
to deal with, but to be honest, after an initial flurry a year or so ago,
nobody even asks about whether the software we provide is GDPR compliant
anymore.

------
tjoff
It's the starting point we needed. Every time some company tries to get away
with being unreasonable (see gitlab and ubiquiti from just last weeks) GDPR is
one aspect that is quickly brought up. One they can not ignore as easily.

The privacy options we suddenly got from large companies such as
facebook were unheard of before GDPR.

It has already drastically changed how the world handles data, but it is a
slow process. It will take decades and more work.

Massive success all in all, thanks to GDPR there is now hope for the future.

------
Angostura
No. They weren't. GDPR was meant to get companies to take the user security and
data ownership seriously and change their ways. Unless you are being
egregious, you will get a warning and guidance and hit with fines if you
continue being stupid. As is sensible.

------
balfirevic
Fun fact: in my country (Croatia), police officials cite GDPR as a reason they
consider recording police officers in public illegal.

~~~
Thiez
The GDPR doesn't cover processing of personal data "by a natural person in the
course of a purely personal or household activity". So I imagine that at least
some instances of recording police officers in public are exempt, especially
if you don't follow them around or upload the videos to your local police
recordings online community. Of course I also wouldn't argue with the people
with the batons.

------
lidHanteyk
Don't worry, CCPA is on the way, and the Bay-dle will rock.

------
pbreit
Has any web site been fined for not displaying the cookie notice?

~~~
tirpen
Of course not. There is no law requiring cookie notice popups, there never
was.

~~~
fyfy18
That's not true. It is law in the EU and companies have been fined:

[https://www.cookielaw.org/blog/2014/2/5/spanish-cookie-law-f...](https://www.cookielaw.org/blog/2014/2/5/spanish-cookie-law-fines/)

~~~
matthewmacleod
It is exactly true. Companies have been fined for not complying with law. Law
does not require a “warning” of the sort being discussed.

------
probo23
GDPR: A well-intentioned EU measure that unfortunately hurts the smallest and
weakest and fails to have an impact on the big ones that it should target.
Noble in thought, weak in action

~~~
sleepyhead
That’s not true. Google, BA, Marriott and other big companies have got huge
fines.
[http://www.enforcementtracker.com/](http://www.enforcementtracker.com/)

~~~
twblalock
They paid the fines, but what changed?

Are users any better off now because those companies got fined? Did those
companies stop collecting user data? Has online privacy improved because of
those fines? Nope!

~~~
asdfasgasdgasdg
I think there's an argument to be made that GDPR had some effects. For
example, you can now enable or disable ads personalization on Google at
[https://adssettings.google.com](https://adssettings.google.com). I don't
think that was there before GDPR. Google also presumably did explicit opt-in
for EU users, since otherwise they'd have already faced some pretty massive
fines.

It may be that most users consented, but I think the takeaway from that
should be that most users do not consider ads personalization a significant
violation of their privacy.

------
twobat
GDPR as applied is a joke. At one of the places I work they keep talking about
"we can't backup this data anymore because it has personal info".

~~~
tsimionescu
That's not enforcement, that's misreading...

~~~
akvadrako
Not really - you need a way to scrub user data on demand from backups and they
should also have limited duration.

~~~
matthewmacleod
You do not require a way to “scrub user data on demand from backups”. This is
just untrue; please don’t spread it.

~~~
akvadrako
What are you talking about? Part of GDPR is deleting personal data on demand.

~~~
matthewmacleod
You have misunderstood the requirements of the GDPR. CNIL, for example, has
made it explicitly clear that so long as an effective retention policy is in
place then PII does not need to be removed from backups on demand.

~~~
akvadrako
If by that you mean backups need to be deleted after a certain period then
it's effectively the same thing.

------
piokoch
Yeah, they were meant. Yet wherever I go on the web I am being asked to
opt-out from tracking since by default I am opted-in - this is a clear violation
of GDPR, however it seems nobody is trying to enforce this.

Opt-out is typically covered by a ton of shady UI patterns, so it is hard to
do this. Another clear violation of GDPR is punishing those who do not agree
to tracking by serving them crippled content or no content at all.

And just to make it clear: I am strongly against extraterritorial laws like
GDPR or FATCA. US does not have any rights to enforce their regulations
outside US, similarly EU does not have any rights to tell people outside EU
how their websites should look like. This is clear abuse of the economic and
military power that US/EU have.

GDPR has some good points (like PII data storage rules), however some of its
regulations, like the ones that force open forums to provide "right to be
forgotten" for posts, are pure crap.

The unfortunate vagueness of this regulation does not help either - real life
example from Poland: if a school teacher takes home pupils' copybooks, which are
signed with a pupil's first and last name, does this mean that GDPR rules apply
to the teacher (getting consents, proper handling and storage for copybooks,
etc.)? Some lawyers claim they do not, some say they do, some have no
idea. As a result in some schools pupils are forbidden to sign anything that
enters the school building with a full name... Overreaction? Probably. But you
never know when some mean parent would want to use GDPR against the school.

~~~
blub
Have you considered that almost everyone was abusing your privacy before and
it takes a long time to sort things out? At least now you know you're dealing
with assholes.

I don't see why your example from Poland is bad. Teachers are now thinking
about the privacy of their pupils - this is mandatory in today's world.

------
randomcarbloke
it was never about principles or good intentions, it was always a tax because
the various governments felt they had missed the boat on making money from
their subjects' data.

------
detail-oriented
The only companies worth fining are rich as F, unless you plan to take 10% of
market cap they won't care. The other companies will just go bankrupt, which
might be desirable.

