
Two years in, GDPR defined by mixed signals, unbalanced enforcement - joering2
https://www.complianceweek.com/gdpr/two-years-in-gdpr-defined-by-mixed-signals-unbalanced-enforcement/28972.article
======
volak
I would pay a subscription to a news site if they spent all their time
evaluating 2-5 year old events and determining which side was right.

2 years ago comments of "this will only benefit the lawyers" would be -50
points. Turns out... actually yeah.

~~~
kodablah
There is a bit deja vu, since at that time we were pointing out similar flaws
in the DPD (lack of enforcement, lack of clarity, govt inefficiencies, the
inability for proponents to separate intent from reality, etc).

Sadly, there is an absolute "for or against" mentality out there. You can't
make it clear that the implementation of such a law would be poor enough to
not justify it being enacted in the first place lest you are told "well,
should we do nothing?". We can easily start with easy-to-understand/implement
transparency requirements (maybe even just as guidelines or requirements for a
form of certification at first while encouraging technical solutions in the
meantime). Never-realized scary fines might as well have never been brought
forth.

~~~
volak
I think the app should be called "Captain Hindsight"

------
av501
Nothing says GDPR is something that can't be improved upon. Better
enforcement, refinement of laws, everything is possible. It has to begin
somewhere and that beginning is rarely perfect. Every failure is also an
opportunity to learn what to do better. As some other people have commented,
the intent is right, the execution has to be improved. Edit: Fixed grammar and
some words

~~~
Mirioron
The issue is the collateral damage. The EU doesn't have a thriving web/tech
sector to begin with when compared to the US or China. These kinds of things
likely make it worse.

~~~
Nextgrid
I see this argument every so often but I'm wondering, what did we actually
lose?

Nasty social media that makes their money on outrage and exposing people to
scam ads? That's about the only thing I can think of, and I don't think it's a
big loss. The legal environment of the EU might actually pave the way for
_better_ social media, if the market wasn't already monopolized by the current
incumbents.

As a counter-argument, Europe and especially the UK has a thriving fintech
scene that produces solutions light-years ahead of what's currently in the US,
despite the stronger consumer protection laws that we have.

~~~
burntoutfire
We didn't lose that much because I suspect big business in Europe is largely
ignoring the more difficult parts of the GDPR. I work for a large bank that is
totally non-compliant with GDPR and does not really even have a strategy for
getting there. My impression is that we (the bank) looked at the draconian
requirements of the bill, realized that, with the total mess that the IT of
the bank is in, implementing GDPR would cost billions, and just sort of gave
up. It looks like we wait for the regulators to fine us and hope that it won't
be a nine figure fine.

~~~
Dylan16807
Which parts are so difficult? Trying to find all the data about a user in the
system?

I have _some_ sympathy for a giant mash of databases like that.

I have no sympathy if someone claims that adding a tracking toggle to a single
web site is too hard.

~~~
erik_seaberg
Normally it's hard enough to ensure that you have retained an authoritative
copy of data, but now it's even harder to ensure that you have destroyed every
incidental copy throughout the org on short notice. Then there's the
bureaucratic "prior consultation" that will delay launches by _months_ …

------
barking
_We care about your privacy notices_ have become the bane of my life.

~~~
Nextgrid
The majority of these aren't actually compliant.

Tracking should be opt- _in_ and consent should be _freely given_. If your
notice is annoying enough that most people click accept (or if clicking
decline is harder) then you are already in breach.

A lot of websites also consider analytics cookies as essential and don't
provide a way to decline those which isn't compliant either.

These websites can be detected very easily by running a web scraper and
looking for one of these non-compliant "consent management" solutions (looking
at you TrustArc) and fining every single company that uses it.

~~~
JumpCrisscross
> _The majority of these aren't actually compliant_

There is insufficient evidence attempting to comply with GDPR is worth the
cost.

~~~
Nextgrid
Absolutely, given the current lack of enforcement. However, if you're going to
be in breach, you might as well improve UX and not bother with the whole
"consent management" thing, not to mention that the TrustArc garbage solution
doesn't seem cheap.

~~~
Mirioron
But then it's much more apparent that you are in breach. If you _pretend_ to
care then the chance of being caught is much lower.

------
MattGaiser
Has anyone beyond big tech actually figured out what the rules are yet?

~~~
Nextgrid
The rules are very clear once you look past the fear-mongering. Don't stalk
people, and if you want to stalk them you need to ask them nicely and allow
them to decline. Don't be careless with user data so you minimize the
likelihood of a breach, and if you do get breached then report it to the
regulator and cooperate with them.

In fact, "big tech" has figured out how to _get around_ the rules by
exploiting the lack of enforcement. The majority of big tech is knowingly not
GDPR-compliant.

~~~
umvi
> Don't stalk people, and if you want to stalk them you need to ask them
> nicely and allow them to decline

Ok, that's nice in a fantasy world, but in the real world a lot of
people/sites rely on ad revenue, and ad revenue for the most part, requires
tracking built in. So now if you legally force me to allow users to decline
"stalking" you are basically allowing users to decline my monetization model
and use my website/product for free. And why should I allow that?

Why can't I say: "accept that my site is ad-supported or don't use my site?"

~~~
smichel17
The argument goes, if the monetization model is unethical, then it shouldn't
exist. I'll demonstrate this by taking your post and rewriting it about a
different industry. I am NOT saying these are the same situation, because most
people have different views on tracking vs child labor. I am demonstrating
that the argument makes sense IF you think tracking is similarly immoral.

> Ok, that's nice in a fantasy world, but in the real world a lot of
> people/clothing companies rely on cheap manufacturing, and cheap
> manufacturing, for the most part, requires child labor. So now if you
> legally force clothing companies to allow consumers to decline "child labor"
> you are basically allowing consumers to reject clothing companies'
> monetization model and get their clothes at a loss to the company. And why
> should clothing companies allow that?

edit: maybe I've couched my argument a little too much. I think it's a pretty
good comparison, actually: I think most (but not all!) people agree that
tracking and child labor are bad, but turn a blind eye because they enable
cheap/free stuff.

~~~
Aunche
The child worker is a third party that has nothing to do with the customer and
the merchant. If the merchant is offering me content in exchange for
information, why should the government be able to stop this transaction between
parties that mutually agree?

It's already legal to "force" your customers to exchange money for content. If
anything, it's even worse because a lot of children end up malnourished
because their parents spent too much money on entertainment.

~~~
smichel17
> The child worker is a third party that has nothing to do with the customer
> and the merchant

This is a fair counterpoint; it is not a perfect comparison. I think it did
its job though, to clarify (now with your help) the actual point of
contention:

> why should the government be able to stop this transaction between parties
> that mutually agree?

Most nations have a concept of human/inalienable/natural rights, which cannot
be signed away. For example, it's usually illegal to sell yourself into
slavery. In the GDPR's view, privacy is such a right.

Do you think the government should not be able to stop these transactions at
all, or do you think privacy should not fall into that category? Or a
different objection I haven't thought of.

---

I have my own views, but I'm not really interested in arguing them. It largely
comes down to what moral system you subscribe to, which I think is a waste of
time to discuss on HN (or any public forum) -- there's too many people on the
internet to argue with everyone you disagree with; better to learn to get
along, and focus advocacy on communities closer to home. As for why I comment
at all: figuring out how to frame issues is not a waste of time — it's much
easier (less emotional) and provides a useful reference for future
conversation.

~~~
Aunche
I appreciate your response, and I think my view is broadened as well :)

> do you think privacy should not fall into that category?

This one. Supermarket rewards are an example of exchanging privacy for money
that is rather uncontroversial. Obviously tech companies collect a lot more
information, but I believe the same principle applies.

------
moksly
I work as a developer in the European public sector; we already took privacy
and security rather seriously because the laws governing it had always been and
are still tougher than the GDPR.

I actually like that the EU is doing something, and I guess this is the best
you get from a bureaucracy, but what it’s changed is that we document
everything. Whenever I build anything that moves privacy data, even if it’s
just hooking up a new system to our ADFS which accesses employee names, I need
to fill out 4 forms and write a risk assessment. It all goes somewhere I
suppose, I’m not sure because once I file them I never hear anything about it
unless my wording wasn’t good enough.

As far as security goes, it hasn’t actually changed anything. I guess it does
if you weren’t taking security very seriously before, but the idea that we as
developers will think about security first or design better systems if a bunch
of lawyers force us to fill out forms and write essays on what can go wrong...
I just can’t wrap my head around why anyone would actually believe that stuff.

Like I said, it’s a great idea, on paper, but the bureaucracy that is
enforcing it is just so clueless. Passing inspections is more about having the
right answers and documentation than having actual security, so it’s no wonder
that the outcome is full of mixed signals and weird enforcement.

Still better than nothing, in my opinion, and it’ll probably get better with
time.

~~~
ThePhysicist
Not sure why this is getting downvoted, seems to be a perfectly reasonable
point?

~~~
Barrin92
because there's a rabid anti-regulation and anti-EU bias on this site. Well
thought out answers get frequently downvoted while free market platitudes get
upvoted.

------
hypersoar
The fears about GDPR when it passed, if I remember correctly, were mainly
around arbitrary draconian enforcement. This article seems to only be talking
about _under_ enforcement. The causes of this under enforcement seem fixable.
Ireland, putatively afraid of the big tech companies choosing to put their
Europe HQs elsewhere, has been dragging their feet on privacy investigations.
But the investigations are happening. Then there are some countries not
putting enough money into it. The rest seems to be the various countries not
being in alignment. For a sweeping, two-year-old regulation that has spent
about an eighth of its life in the time of a major global crisis, this doesn't
strike me as all that shocking.

Does anyone have any actual examples of draconian fines being handed out for
good-faith misunderstandings of the regulation? Big Tech has professed
confusion over how they're supposed to comply, but it seems to me like
they would simply prefer not to.

------
duxup
I think GDPR has its heart in the right place.

I don't think it really helps and I suspect that is because users themselves
really don't know what is actually happening behind the scenes and no amount
of banners or other things changes their level of knowledge.

And I fear even if they know, users don't care and are happy to click past a
banner / trade their privacy for free things.

GDPR seems to play out as a strangely legally mechanical beast that people are
largely disconnected from.

~~~
buboard
> users don't care and are happy to click past a banner / trade their privacy
> for free things.

Are we discounting the possibility that users make a rational choice that we
happen not to like?

~~~
luckylion
Tough question. For some things, I'd say that informed consent is hard to give
- if you consent, you're not informed.

I don't believe that the average user is making informed choices. The choices
may be rational as long as the users don't understand the consequences. It's
perfectly rational to trade in your life savings for a fancy meal if you don't
understand what "life savings" means.

~~~
duxup
I wonder how much information can be provided, much of the "giving your data"
is really about the side effects and possible consequences....

But you can only tell people so much. Just saying "hey you're giving google
your location" (just a generic example here) ... honestly if that's all I know
... so what?

But really the larger issues are other implications.

That's a hard thing to explain.

~~~
luckylion
Exactly, and I think we're usually way off intuitively.

For example when considering how many facts of what nature I'd need to
individually identify you. SSN? Ok, done, everybody knows that. But how far do
I get with birth date, height and city? What if I add one chronic health
issue, no matter how small? Chronic sinusitis, born on August 8th, lives in
$city and is 186cm? In most cases, I probably don't even need all four.

But most people intuitively don't think about it in combination, they figure
"oh so you know I live in $city, big deal, so do a million other people", "oh
so you know my birthday, well a million other people in the country have that
birthday".
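
As an added illustration of the combination point above (example code written for this page, not from the thread or the article): a small k-anonymity style check over a constructed sample population, the kind of check a data owner runs before releasing a dataset, showing that fields that are individually common become unique once combined. The records, field names and helper functions are all constructed for this example.

```python
"""Quasi-identifier re-identification check (added example, constructed data)."""
from collections import Counter
from itertools import combinations

# Constructed sample population (not real people). Each record carries the
# four attributes discussed in the thread: city, birthday, height, condition.
RECORDS = [
    {"city": "Berlin",  "birthday": "08-08", "height_cm": 186, "condition": "sinusitis"},
    {"city": "Berlin",  "birthday": "08-08", "height_cm": 172, "condition": "none"},
    {"city": "Berlin",  "birthday": "08-08", "height_cm": 186, "condition": "asthma"},
    {"city": "Berlin",  "birthday": "03-14", "height_cm": 186, "condition": "sinusitis"},
    {"city": "Berlin",  "birthday": "03-14", "height_cm": 160, "condition": "none"},
    {"city": "Hamburg", "birthday": "08-08", "height_cm": 186, "condition": "sinusitis"},
    {"city": "Hamburg", "birthday": "08-08", "height_cm": 178, "condition": "none"},
    {"city": "Hamburg", "birthday": "11-02", "height_cm": 186, "condition": "none"},
    {"city": "Hamburg", "birthday": "11-02", "height_cm": 165, "condition": "asthma"},
    {"city": "Berlin",  "birthday": "11-02", "height_cm": 186, "condition": "none"},
    {"city": "Berlin",  "birthday": "08-08", "height_cm": 172, "condition": "asthma"},
    {"city": "Hamburg", "birthday": "03-14", "height_cm": 186, "condition": "sinusitis"},
]
FIELDS = ("city", "birthday", "height_cm", "condition")


def group_sizes(records, fields):
    """Map each combination of the chosen field values to how many records share it."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def min_group_size(records, fields):
    """Smallest anonymity set (the 'k' of k-anonymity) under these fields."""
    return min(group_sizes(records, fields).values())


def singled_out_fraction(records, fields):
    """Fraction of records that are unique (k == 1) under these fields."""
    sizes = group_sizes(records, fields)
    unique = sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)
    return unique / len(records)


def smallest_identifying_subset(records, target, fields):
    """Smallest subset of fields under which `target` is the only matching record.

    Subsets are tried in increasing size; returns None if even all fields fail.
    """
    for n in range(1, len(fields) + 1):
        for subset in combinations(fields, n):
            sizes = group_sizes(records, subset)
            if sizes[tuple(target[f] for f in subset)] == 1:
                return subset
    return None


if __name__ == "__main__":
    for fields in (("city",), ("city", "birthday"), FIELDS):
        print(fields, "min k =", min_group_size(RECORDS, fields),
              "singled out =", round(singled_out_fraction(RECORDS, fields), 2))
    # Each attribute alone is shared by several people; three of them suffice.
    print("target identified by:", smallest_identifying_subset(RECORDS, RECORDS[0], FIELDS))
```

On this sample, city alone never identifies anyone, city plus birthday already singles out two people, and the first record is unique on city, birthday and condition without needing height.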

------
ashton314
_We value your privacy. Like, it's valuable. We sell it for money. We're
going to nag you until you click this button so we can't get in trouble for
profiting off the data you give us._

Good legislation is important to let us penalize bad actors—does any one know
of any accounts of some bad actors getting stopped by the GDPR?

What do you guys think: are there laws that _should_ be in place to
incentivize privacy-preserving tools?

~~~
Nextgrid
> We're going to nag you until you click this button so we can't get in
> trouble for profiting off the data you give us.

That is explicitly against the regulation. Consent should be freely given
otherwise it's invalid.

The problem is that there is no enforcement around this (despite it being very
easy to detect this behavior at scale by running a web scraper) so they keep
doing it and profiting off it.

~~~
clarry
> Consent should be freely given otherwise it's invalid.

I tried to figure out what this actually means but it's very hazy. A naggy
news website isn't performing a contract. Are they provisioning a service
(assuming you did not buy or order or subscribe to anything)?

"When assessing whether consent is freely given, utmost account shall be taken
of whether, inter alia, the performance of a contract, including the provision
of a service, is conditional on consent to the processing of personal data
that is not necessary for the performance of that contract."

[https://gdpr-info.eu/art-7-gdpr/](https://gdpr-info.eu/art-7-gdpr/)

~~~
Nextgrid
For starters, it simply means that if declining consent is harder/more
annoying than accepting then it's already in breach, regardless of anything
else.

If your website takes 1 click to accept tracking but several clicks to deny it
then you're already in breach (assuming the law was actually enforced, which
it isn't at the moment).

~~~
clarry
Can you link a reliable source?

~~~
Nextgrid
This is from the ICO, the UK privacy regulator: [https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/)

> Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other
> method of default consent.

If providing consent requires a single click (accept the pre-ticked options)
but declining consent requires multiple clicks (to untick the pre-ticked
options) then that is already in breach.

> Be specific and ‘granular’ so that you get separate consent for separate
> things. Vague or blanket consent is not enough.

A big "accept" button for everything is not good enough either.

------
justignoregdpr
Guys, we have a lot of European customers and we completely ignored GDPR
rules. After it was introduced, only 2 potential customers asked us about it
and we just moved their emails to trash. Not worth the hassle! There is
nothing they can do anyway to force it if you are not living within the EU
(unless there is a special agreement between your country and EU). I even know
some startups who are located within the EU, but still don't care about GDPR
:D

------
HissingMachine
This has been a constant headache, not the rules or how to apply them, but our
customers still act like there isn't such a thing as GDPR, and actively
demand, DEMAND that we put in place functionality that is in clear violation
of GDPR, and when you try to inform and explain to them how things work they
get mad at me and threaten that they will get a more professional shop to do
things for them _shrugs_

~~~
luckylion
Given that enforcement would have to be stepped up considerably to even be
called selective, compliance means your competition has a large advantage.

~~~
HissingMachine
I'm not going to lie, if one of them switches shop and they make what they
asked us, I'm going to report, in Finland law isn't selective even if it isn't
enforced.

------
schrototo
The worst effect the GDPR had was on offline bureaucracy. "Data protection"
has become the go-to excuse for blocking every single goddamn thing.

~~~
hindsightbias
Beyond the impact of crushing knowledge transfer, it’s going to kill a lot of
people.

In companies with world-wide products/solutions/support, older employees tend
to have a broad base of knowledge and learning from being exposed to all
customer experiences and issues. Now, everything is in a protected silo and
new employees will only learn through a soda-straw looking glass. Older
employees are learning to say “not my problem” when getting cleared to look at
something overseas because there are 3 layers of data protection officers and
it can't be proven there’s not 1 bit of PPD in that 10GB dump.

Some day soon, an industrial or other large-scale accident will kill people
and someone in the back office will say “That team didn’t know about X? Doh!”

------
stevenbruce569
I'm happy to see this as the top post on Hacker News, though would wonder if
anyone would be able to provide me with a summary of the article since $399 is
a bit steep for me (as in, I can afford it, but it's obviously WAY too much
for what's promised by the title).

I'd also be interested in case anyone has any thoughts on what the short or
long-term outcome of the situation would be. Come to think of it, I'd like it
if someone could give me a rough outline of GDPR at all.

I'm a software developer working in Britain, and I reckon the local
consequences are "the lawyers make lots of money", but am always keen to hear
other viewpoints.

~~~
Nextgrid
At the moment, lawyers and all the scummy industry around the GDPR (whether
it's advice/consulting or "consent management") are indeed the only ones
making the money.

There is very little enforcement and flawed solutions from the aforementioned
industry are allowed to proliferate despite not actually being compliant (the
majority of "consent management" solutions are in breach, so they are making
money while not even helping their client become compliant).

~~~
joering2
Another good page with stats [1] including this:

$63 million in fines issued

$57 million of that issued to Google

[1] [https://www.varonis.com/blog/gdpr-effect-review/](https://www.varonis.com/blog/gdpr-effect-review/)

~~~
Nextgrid
> Google was hit with a fee of $57 million for not making it clear to users
> how they were harvesting data from the Google search engine, YouTube and
> Google Maps for personalized ads. This fine only amounts to .04% of Google’s
> yearly revenue.

Not only does this not cover Google's main offense (tracking of users and non-
users with Google Analytics even on non-Google properties) but the fine is so
minimal that it's basically the cost of doing business.

I wish people would stop bringing this one up.

------
paulie_a
Personally I am just annoyed by the cookie warning on every site. Gdpr does
not apply to vast portions of the internet.

~~~
MattGaiser
> Gdpr does not apply to vast portions of the internet

Europe wants it to apply to anything a European might touch.

~~~
thejynxed
Of course they do, and just like my ancestors did in 1776 I am free to tell
them to mind their own business on their own side of the pond.

------
emilfihlman
GDPR was known to be, is known to be, and will be known to be a shit law that's
not tied to reality. It did have some good (allowing you to know what they
have on you in general, and asking them to delete some of that), but the rest
is just bad, bad, bad.

I wish people would be rational when supporting privacy increasing things.
GDPR could have been much better and it saddens me that it was ruined, and
defended by, zealots.

~~~
emilfihlman
A person commented and asked me about suggestions, but deleted his comment
before I could answer so here it is anyways:

Super quickly (I'm sure you have heard of, or can quickly use a search engine
to find the commonly listed issues):

Damages: damages need to be scaled according to the company size, severity and
amount. GDPR was created to punish Big Players, but the wording that would
have fit them is equally (and should be, laws should be equal) applied to
small companies resulting in an impedance mismatch. Frankly, the damages are
too small for the Big Players, but insane to the small ones. GDPR also does
not apply to the state, but holy shit it fucking should!

Enforcement: it needs to be equally enforced and you need to be able to sue by
yourself over it instead of just limiting it to a state organisation.

Data: it should be data that is directly tied to you, ie leave the normal web
logs etc out of it. PII is just a sham as it's defined today. A factor of
usage also needs to play into it, ie normal web server ip logs that are
separate and don't feed into a user specific connection into a database should
not be a consideration.

Access: access _needs_ to be able to be done online if the data is collected
or transferred online. Ie no this "you need to physically mail us a certified
mail with your id" shit. GDPR is a fucking failure in this aspect. Also no
required strong authentication: access should be just directly through your
account you can access normally without strong authentication.

Usage: GDPR does not allow you to trade tracking for access (ie monetisation
of content is almost impossible if you care about user privacy): this is
insane. GDPR also supposedly does not allow for those complicated "accept all
or modify your preferences" windows, but it should have no say in that: if
a site wants to make the experience painful, that's up to them. It is up to
the user to select if they want to use that site or not.

------
Romanulus
Who could have predicted that an overarching government program to control and
regulate content on the internet is failing?

------
legitster
It is worth pointing out GDPR is really two sets of laws - one around data
security and breaches, and another set of laws around privacy. It's the second
set of laws that get the most criticism for their opaqueness, but I don't know
if they are better or worse than the first.

They probably should have held off completely on the second set - the upcoming
ePrivacy regulations are promised to actually _do_ something, rather than just
provide a really frustrating and opaque set of consent guidelines.

As it is now, the law doesn't require anyone to actually stop what they are
doing. The only difference now is you have to retain a lawyer to do it.

