
How to effectively evade the GDPR and the reach of the DPA - thierryzoller
https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
======
Sebb767
We've actually been threatened with a lawsuit because RocketReach displayed
some obviously inflated revenue for one of our customers. Luckily, we were
able to prove that the numbers were changed recently and threatened to report
them for fraud, which ended this pretty quickly.

Seriously shady company.

~~~
cutemonster
> threatened with a lawsuit

I don't understand, who threatened you with a lawsuit? Why did they care about
RocketReach?

~~~
Sebb767
We used a product from a company (I'd prefer not to name them) and received an
official letter from them that one of our customers had more than 10 million in
revenue, which in turn would require us to buy a larger plan from them[0].
They cited the company's (unofficial) RocketReach page as a source and
demanded 30k USD (iirc).

They only retracted the threat after we could prove (via Google Cache and
archive.org) that the page was very recently modified to show such a big
revenue and threatened to report them for fraud.

We probably could've deflected the case since the company was public and
therefore its revenue was also public, but, as a very small company, we had
neither time nor money to spare for a useless lawsuit. And we assume that
this was their bet. We switched to a competitor after this, obviously.

[0] It later actually turned out that this AGB change was after our purchase
and not yet affecting us, but we didn't know that at the time.

~~~
tomxor
Sounds like that company was as shady as rocketreach... someone who threatens
their own customer in bad faith (or negligence) just for 30k is likely to be
more trouble and of less value to you in the future if that's their focus of
increasing revenue.

Good call ditching them.

[edit] speculative aside...

What if they were intentionally feeding RocketReach misinformation? It might
seem far-fetched, but these personal data collecting companies like RocketReach
or even Equifax obtain their information from a variety of untrustworthy
sources.

I was a victim of this through my own foolishness a couple years ago:

I was using a car insurance comparison site and guessed one piece of the
required information I couldn't completely remember - a speeding ticket date -
I couldn't remember the exact year. Turns out I entered it exactly one year
off, and it was so long ago anyway that it had no bearing on the quotes.

After continuing with my existing insurer, a few months later my insurer sent
me a demand for a rather large quantity of money... that's right, they
attempted to backcharge me for 5 years' worth of insurance over an extra
speeding ticket they had "discovered". Obviously there was no way I would pay
them, but it was extremely difficult to convince them to stop harassing me for
this money even though they had no proof, even after I demanded they provide
evidence of their discovery, which they refused.

It's scary how easy this is to do, and I wasn't even trying.

~~~
Sebb767
> someone who threatens their own customer in bad faith (or negligence) just
> for 30k is likely to be more trouble and of less value to you in the future
> if that's their focus of increasing revenue.

Yes, that was really strange. We thought they might need quick money, as this
was right at the beginning of the corona crisis. Still, not acceptable.

> What if they were intentionally feeding RocketReach misinformation?

That's possible but quite strange. This information is public in our country,
so there is a known reliable source and they should've known better.

> Obviously there was no way I would pay them but it was extremely difficult
> to convince them to stop harassing me for this money even though they had no
> proof.

Yes, this is quite usual. We were seriously lucky we discovered the change;
but, given that they backed down so quickly after we called it a fraud, I'm
seriously assuming it was.

------
ThePhysicist
Currently there's not much the data protection authorities in the EU can do
about foreign companies abusing the data of users.

I assume that in the coming years (or decade?) there will be more efforts to
ensure the enforcement of EU law for foreign companies that offer services to
EU citizens as part of trade deals.

Right now there's e.g. a flourishing industry of data brokers in Israel that
illegally collects data from EU (and US) citizens and sells it, a practice
which is hard to stop as well since most of these companies don't have offices
in the EU.

I think another possible strategy would be to go after the clients of these
companies. If they can't legally sell their data to companies in the EU or US
their business model would falter. The GDPR actually mandates that you as a
data controller validate that companies which process data for you adhere to
GDPR principles. Right now it seems this isn't being enforced much yet but I
think it will be soon, which hopefully will have an effect on data brokers
outside the EU as well.

~~~
imhoguy
It is enforced and viral in the EU. Think of it like radioactive materials: any
operation needs to be fully tracked.

While accessing any user's personal details you need to have the user's consent
to process their personal data. You can't simply buy the dataset and assume it
has consent. When you buy data from a data provider you need to make sure the
user gave consent to that provider for handling the data by third parties, in
accordance with the GDPR. Users can revoke the consent, and every party needs to
be ready to handle that scenario. Any data export outside the EU also needs
consent under the GDPR. Moreover, the dataset needs to be registered with the
local regulator.

~~~
Silhouette
_While accessing any user personal details you need to have user consent to
process their personal data._

Consent is only one of the lawful bases for processing data under the GDPR. In
practice, it's the one almost everyone tries not to rely on unless they can't
avoid it, because it comes with extra obligations that other bases might not.

~~~
pas
Could you list the others? Or at least provide some examples?

Basically all I know are based on either mandatory by law record keeping, or
records used to fulfill whatever service/product/goods the user purchased, but
even in these cases the processing must be described, right?

~~~
Silhouette
The GDPR itself is actually quite readable, so if you're interested in the
details, you can go to the source. There's a neatly formatted version hosted
here:

[https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)

What the source material _won't_ tell you, for better or worse, is how these
are interpreted in reality by data controllers, processors and regulators. The
two main things to know in that respect are:

1. Relying on the subject's consent is usually the last resort. It comes with
lots of extra strings attached.

2. The "legitimate interests" provision is open to interpretation. It is
widely used as an excuse for processing that many of us might consider far
from desirable. But it is also a risk for data processors doing things many of
us might consider reasonable, because any regulator can take a different view
and they get to win by default.

------
oarsinsync
I'm not sure how I feel about the screenshot at the end, showing that various
policy makers also have their personal information being sold.

I guess the information is out there, and doing so also makes it definitively
personal for the policy makers / enforcers involved.

That said, the policy makers / enforcers may be genuinely hamstrung. The US
imposes its laws globally because of its status as a global reserve currency
(trading in USD requires the transaction to route via the US, thus making the
entity subject to US law).

The EU doesn't have such status or power over US companies. The most it can do
is try to prevent them from operating in the region.

As a person who almost certainly has his personal information being sold on
this platform, I'm not pleased, and would love to see something done to
prevent this kind of activity. Unfortunately, that depends on the US
government to take action, and the last 12 years haven't been a flying
endorsement of the effectiveness of the current government system. (This is
not meant as a statement regarding the effectiveness of either President, but
rather one regarding the low output from the system as a whole.)

~~~
burntoutfire
> trading in USD requires the transaction to route via the US

Is this correct? How's that enforced? Say, I have a company in Poland which
sells some goods for a million dollars to another company in Poland. We both
have USD accounts in Polish banks and the transfer is between these accounts.
How does the money route via the US?

~~~
PeterisP
It's not _enforced_ but it's a de facto practical requirement.

If Polbank (forgive me for the bastardized names) wants to give 1M USD to
Bankpolska, they either need to ship cash (which can be done but is expensive
or tricky) or have a specific bilateral agreement between them (which can be
done and is done sometimes, but linking every bank with every other bank
bilaterally does not scale), or need some interbank settlement system that
will do that, but there's no such system in which they can participate. E.g.
there's Fedwire, but neither Polbank nor Bankpolska can be direct members as far
as I understand (they generally are not members; I'm not certain if it's
caused by some strict limitation or just practicalities and costs.)

So the standard means is to use 'correspondent banks', e.g. US banks that do
that for them. Polbank might have a USD account with Chase or Citi, and
Polbank can ask Chase (via a SWIFT message usually) "hey, transfer $1m from our
account to Bankpolska, it's cover for a customer deal #1234" - but this means
that the transaction "goes through" the USA.

Alternatively, multinational banks may have branches in both USA and Poland
and so they can be direct participants and settle this directly, however, then
it would involve a Fedwire transfer (in USA, subject to USA laws and
limitations) between Polbank USA branch and Bankpolska USA branch.

That's standard practice for pretty much every currency. EUR settlement
between two American banks usually (not always, there are various options)
goes through EU, RUB settlement usually goes through Russia, etc.

If there's a sufficient need, Polish banks _could_ establish an interbank
settlement system through which they could transfer USD directly (e.g. similar
to the one they have for transferring Polish zloty), but it's a hassle and has
costs, so currently they have not done so because for them it's generally not
a problem to route all USD payments through the USA.

~~~
dogma1138
Eurodollars are constantly traded without going through the US.

CLS currencies and any currency which is fully convertible can be used in
transactions without any involvement of the jurisdiction that minted the
currency in the first place.

The USD has a huge settlement infrastructure that is completely independent of
the US.

~~~
inshadows
Doesn't it still involve accounts in US banks though? Please see my direct
reply to PeterisP for an explanation. I cannot see how it could work without Fed
oversight, as it would allow them to "print" dollars.

Also, could you please share more info? I'm very interested in financial
settlement systems, especially for USD and EUR, but sadly there are too few
public resources.

------
villgax
This same BS is perpetuated by YC-backed Apollo.io by simply scraping public
LinkedIn profiles & then masking asterisked emails & numbers (usually your
company's public numbers) & asking people to sign up.

And when you do request them to remove the same, they ask you to provide ID
proof. As if one would provide the same to a company which didn't take your
consent for the initial profile data either.

I somehow managed to get hold of the CEO's mail ID and got mine removed. But I
can only imagine what everyone else would have to do when they want to control
their web presence.

~~~
gingerlime
I've been in touch with a company called Acxiom, who shared my details on
Facebook. I'd never heard of it, so I submitted a data subject request to see
what they know about me.

They then asked me to provide my address to confirm my identity. Given that I've
moved quite frequently, and that I'm now asked to share more personal data
with a company that's mishandling my data, I wasn't keen on it.

I mentioned that my full name is globally unique, but they refused. I tried to
ask them to share some masked data that I can confirm in full (e.g. "give me a
partial address and house number, I can give you the full address"). They
refused.

They definitely try to make it hard for you, and to dodge responsibility.

~~~
culturestate
Acxiom is one of the largest (and oldest, they started in the 1970s) data
brokers in the world. I think they, like a lot of other creaky corporations,
don't necessarily make things difficult _on purpose_ but they...don't go out
of their way to make the bureaucracy any more navigable than it has to be.

In other words, it's not a bug, it's an accidental feature.

~~~
Silhouette
One good thing about the GDPR is that it was basically designed to allow the
regulators to beat up businesses that do that. If you're too old or inflexible
to live up to your obligations, congratulations, it's now a liability that
could turn into substantial fines.

~~~
Lio
Has the EU actually shown any teeth to these outfits?

It's one thing to say something is illegal but if you don't enforce that these
firms will be able to operate with impunity.

~~~
gsnedders
Note that in principle it's not up to the EU to enforce because the GDPR is a
directive; it's up to the individual member states to enforce the directive as
enshrined in their law.

~~~
Silhouette
GDPR isn't a directive, it's a regulation. It's literally what the R stands
for.

The major difference between the two in terms of how the EU makes laws is that
directives are the indirect one: individual member states are required to
incorporate the provisions into their own legal systems to give them force of
law. An EU regulation is the direct equivalent: it carries force of law across
all member states immediately. In the case of the GDPR, the UK government has
also stated that its provisions will continue here after Brexit and the
related transition arrangements.

However, you're right that enforcement will normally be done by an individual
member state, because it is typically the national data protection or privacy
authority in each state that acts as regulator and has enforcement powers
under the GDPR. In theory, there's supposed to be some coordination so one of
those regulators will take the lead on any given investigation or enforcement
action instead of 28 different organisations all diving in at once, but it
doesn't seem to be clear yet how that aspect will work post-Brexit.

------
gingerlime
Data sharing seems so prevalent, and I would dare say even with EU companies,
the chances of getting caught (let alone fined) by the GDPR are pretty slim.

An interesting exercise: if you have a Facebook account, go to this page[0] or
this one[1] and see if you even _recognize_ some of the companies that shared
data about you, let alone whether you gave explicit consent to sharing your data ...

My list includes companies I never gave consent to (e.g. Amazon, Uber), never
signed up for or gave any details to (e.g. Robinhood, Triplebyte) and some I
have zero clue about, but the name alone sounds dodgy (Opteo, Mindshare
Biddable Digital ...).

[0]
[https://www.facebook.com/ads/preferences/?entry_product=info...](https://www.facebook.com/ads/preferences/?entry_product=information_about_you&section_id=interacted#)

[1]
[https://www.facebook.com/off_facebook_activity/activity_list](https://www.facebook.com/off_facebook_activity/activity_list)

------
perch56
I had a very similar experience with Apollo.io. Somehow my professional data
(business email, personal phone number, name, job title and my LinkedIn
network and connections) ended up on this website without my consent. I’m
assuming it was collected from several sources such as LinkedIn (even though I
had my privacy settings tight) and some conferences I attended in the past
year. Either way, I contacted them and they sent me a document to confirm my
identity and then proceeded to remove my data from their website after I sent
it back. I was a bit shocked as it’s basically asking me to confirm my identity
and give them more information about me when I haven’t even granted them
permission in the first place. Such “data brokers” need to be regulated. The
most annoying thing is that they only remove data under GDPR or CCPA, if I am a
resident of California, the UK or the EEA. Well, what if I’m from a country that
doesn’t fall under one of those 2 regulations?

~~~
Jommi
Vote for a better government that cares about its citizens' digital rights?

------
AndyMcConachie
The Achilles heel of the GDPR is that you must act through a DPA. In the case
of Schrems, he had to basically sue the Irish DPA in order for them to do
their job. And instead of actually doing their job, the Irish DPA instead
fought Schrems on behalf of Facebook.

As an EU citizen and resident, it's abundantly clear to me that getting a DPA
to act in my best interest is mostly hopeless. I'm reminded of the CAN-SPAM Act,
where a US citizen can send their spam to the FTC and have them investigate
it. Only they never will. All spam sent to the FTC just goes into a black hole,
and next to no one is ever prosecuted. Even when it's clear who the spammer
is.

I don't think many people realize this fact: that a politically motivated
entity controls Europeans' access to privacy restitution, and they're rarely
motivated to actually do anything. This makes the GDPR in my eyes primarily a
joke. It certainly isn't about securing my rights as an EU citizen. It seems
more written to benefit lawyers and others who make money because things are
complicated.

If the EU actually cared about my privacy rights they would allow all
Europeans access to restitution without mediating it through national
agencies. I want to be able to hire a lawyer and directly take abusive firms
to court over GDPR violations. I shouldn't have to act via some pre-court
mediator who gets to arbitrarily determine if my claims have merit.

~~~
tzs
What about Article 79, "Right to an effective judicial remedy against a
controller or processor"? It reads:

> Without prejudice to any available administrative or non-judicial remedy,
> including the right to lodge a complaint with a supervisory authority
> pursuant to Article 77, each data subject shall have the right to an
> effective judicial remedy where he or she considers that his or her rights
> under this Regulation have been infringed as a result of the processing of
> his or her personal data in non-compliance with this Regulation.

> Proceedings against a controller or a processor shall be brought before the
> courts of the Member State where the controller or processor has an
> establishment. Alternatively, such proceedings may be brought before the
> courts of the Member State where the data subject has his or her habitual
> residence, unless the controller or processor is a public authority of a
> Member State acting in the exercise of its public powers.

------
ratherbefuddled
Lusha in NY does this too except they claim the deletion magically happened
automatically because of "algorithms".

I'd made a subject access request because they'd sold my personal email
address linked to my business position to random spammers. That association
didn't exist in any legitimately accessible data, only in the LinkedIn data
breach.

------
cblconfederate
Looks like RocketReach is aggregating information that is public on
FB, LinkedIn etc. He forgot to mention that the Google search result he got is
already selling those, but maybe we've become blind to that? RocketReach is
packaging and selling it directly, Google does it indirectly. Same thing
though, are those illegal?

~~~
GrumpyNl
This information can also be obtained from the chamber of commerce in the
Netherlands.

------
StopHammoTime
Fundamentally the thing which everyone is missing is that the regulatory
authorities can simply say that the data can not be used within the European
Union by Rocket Reach. They may not be in the European Union but they can make
their product useless in the European Union.

------
secondcoming
Now watch the entire currently-EU based adtech industry relocate out of the
EU...

~~~
ivan_gammel
It’s like drug cartels relocating from Mexico: no one will feel sorry.

~~~
koheripbal
They would be relocating their corporation only - they'd still be operating in
the EU on EU customers.

~~~
fnordian_slip
In that case they would still be subject to the GDPR.

~~~
koheripbal
...yet since it's unenforceable, then they probably don't care.

~~~
gruez
Why not? If they have offices in EU, raid them. If they have customers in the
EU, freeze their bank accounts or sanction their payment processors.

~~~
koheripbal
> If they have offices in EU, raid them.

They won't - that's what relocation means.

> If they have customers in the EU, freeze their bank accounts or sanction
> their payment processors.

This is comical. The government isn't going to start shutting bank accounts
for GDPR violations on small foreign corporations, as if they're smuggling
nuclear fuel to Iran. Half the bank accounts in the world would be closed if
we were so sensitive to regulations.

------
fmajid
Yes, it's hard for EU authorities to enforce their laws on a company that has no
EU presence or revenues to threaten. At least the Luxembourg DPA is doing
something about it, unlike the Irish DPA that deliberately does nothing (or
worse, colludes with Facebook to help them skirt the GDPR with highly dubious and
most likely legally invalid semantic contortions).

------
PeterisP
In this particular case, GDPR can get enforced for the _buyers_ of data.

Rocket Reach and similar companies may be outside the reach of GDPR, however,
all the advertisers and global platforms who actually want to target EU
customers _are_ within the reach of GDPR so it's illegal for them to buy data
from Rocket Reach.

------
dasdasd22
Another company collecting and selling your personal data right there in
Silicon Valley: [https://eightfold.ai](https://eightfold.ai)

------
indziektor
I don't know if there's another good example, but Poland fined an EU company
under the GDPR for scraping profile data without giving proper notification:
[https://news.ycombinator.com/item?id=19530087](https://news.ycombinator.com/item?id=19530087)

You shouldn't have to guess where your personal data is going, and how it's
being used. When the GDPR was first coming into force, I remember getting
bombarded with all these notification emails from all these companies coming
out of the woodwork that I didn't recognize. But I don't think I've ever been
notified by email, SMS, phone or smoke signal since then.

The biggest flaw of the GDPR in my opinion is that it leaves the definition of
what's considered personal identifying information with too much wiggle-room
for creative interpretation. Maybe it's hard to pin down exactly, but there's
often too much emphasis on the word "identifying", as if it's otherwise OK to
gather every intimate online detail and build a profile that is a unique
identity in and of itself. It's even worse when real-world decisions can be
based on it without your knowledge.

I recently had my own rude awakening learning about these data brokers and
risk analysis services. The matter itself was relatively trivial, but I didn't
realize the extent of this before and the scope of what personal information
they're gathering. And it doesn't matter if you think it won't affect you,
since you've done nothing wrong. From what I read elsewhere, even exercising
fundamental consumer rights may be held against you.
[https://news.ycombinator.com/item?id=21440526](https://news.ycombinator.com/item?id=21440526)

~~~
gsnedders
> The biggest flaw of the GDPR in my opinion is that it leaves the definition
> of what's considered personal identifying information with too much wiggle-
> room for creative interpretation.

Note that this is the totally normal approach for Civil Law systems: you
define the general principles of what the menace is, and leave it down to the
courts to determine whether or not those principles have been violated. In
essence, you can view it as every case being decided on the basis of the
mischief rule as exists in many Common Law systems.

------
jtbayly
> Instead of pursuing Rocketreach locally on that basis alone, the CNPD just
> gives up arguing it has no jurisdiction in the US.

Which is true and obvious. Why anybody ever thought the GDPR would have teeth
outside the EU is beyond me. It was always laughable to me that anybody
believed that the EU had made a law that applied to every company in every
country in the world.

------
rovek
I had a similar experience with a company called RateSetter.

- They email me some marketing

- I respond with a DSAR

- They acknowledge receipt of the DSAR

- 6 months pass

- I bump the email thread

- They respond saying they have deleted my data as per my request (I
requested access, not deletion)

- I point this out

- They apologise and offer £100 to drop the complaint

- I refuse and complain to the ICO

- Obviously nothing happens

GDPR is toothless.

------
jalonso510
The Privacy Shield framework that was just declared invalid by the EU included
a requirement that US companies make themselves available for arbitration of
disputes brought by EU data subjects. GDPR by itself doesn't include that
concept. But if GDPR is going to be enforceable, the negotiation around a
successor to Privacy Shield should probably include it.

------
csense
I've always wondered about the practical side of how GDPR is supposed to work
for companies outside the EU.

If you've got actual _stuff_ in the EU, it's easy. You get fined under GDPR
and if you never show up to argue your side in court or an administrative
hearing or whatever, they seize your real estate or bank accounts or physical
servers or whatever, and sell it to pay your fines.

If you're US-based, how does it work? Hmm, if you're a modern shop you
probably have stuff hosted by big companies, like servers on Amazon's AWS or
code on Microsoft's Github. Then the EU could presumably tell those companies
to stop hosting your stuff, or they'll become liable for fines as an accessory
to the violation. Microsoft and Amazon probably have a lot of bank accounts
and physical stuff in the EU that could be seized and sold, so they couldn't
simply ignore the fine. They'll probably drop you as a customer immediately
once Europe starts making them pay fines, and maybe try to sue you in the US
court system to try to recover those costs.

I've never heard of this happening though. So maybe this isn't actually a
thing.

If all your stuff is on US soil, and you're careful not to use providers with
any European presence, how would they do it? Does the EU have some way to
order all European ISP's to blackhole traffic from your company's IP ranges?
When your executives come to Europe for vacation or conferences or whatever,
could they get hauled off the plane in handcuffs and taken to a European jail
over your company's GDPR violations?

Again, I haven't heard of this actually happening. But it seems to me that
would be how they'd do it, if they really wanted to prevent overseas companies
from simply ignoring GDPR.

If there's no threat of enforcement, why bother with GDPR at all, unless
you're planning on having seizable _stuff_ like real estate or bank accounts
or physical servers in Europe someday?

------
askjdlkasdjsd
Is crunchbase/owler/cb insights and every other public data aggregator/lead
generator service also illegal by the same logic?

~~~
jiveturkey
define illegal.

and no, those aggregators don't process PII / Personal Data.

~~~
askjdlkasdjsd
They typically have a person's different social media account links and work
history. Isn't that personal data?

------
EGreg
I figured that the European Union would simply act to block such a website
from being resolved in Europe by DNS resolvers?

------
gostsamo
This constitutes denial of justice and you can sue them either in your country
or in the European Court of Justice.

------
paulie_a
For most, you can simply ignore it since it doesn't apply anyways

~~~
paulie_a
I'd like to hear why I was downvoted. It is a fact people forget. Most
websites have that stupid cookie notification when 99 don't need to. Here is
how to evade the GDPR: ignore it like it doesn't exist.

------
Krasnol
It's always nice to not find yourself in one of those databases.

Data frugality ftw.

------
082349872349872
GDPR compliance would be trivial if web browsers used a stateless request-response hypertext transfer protocol.

 _O Tempora O Mores_

------
arpinum
Does GDPR apply here? They might not be selling to the EU, and they aren’t
monitoring EU persons but just selling historic information. I don’t read GDPR
as applying globally to any and all trade in EU personal data.
[https://gdpr.eu/companies-outside-of-europe/](https://gdpr.eu/companies-outside-of-europe/)

~~~
ThrustVectoring
GDPR applies, it has worldwide scope for data on EU citizens. On the other
hand, European courts lack jurisdiction to enforce their laws on companies
without EU offices and assets.

FWIW I'm _really_ glad that EU courts lack this jurisdiction - any gain from
privacy would more than be wiped out from losses to free speech, especially
with the extensive history of libel tourism.

~~~
garmaine
It’s hard to make an argument for the EU courts having that jurisdiction
without also granting the same to Saudi Arabia and China.

~~~
himinlomax
The way it works is that the EU fines their EU-based operations or stops them
from operating in the EU. And if they don't have any, those of their customers
who do could not legally acquire their data on EU citizens without the
subject's informed consent anyway.

------
bjornsing
Typical of this kind of regulation: the real purpose is less about ensuring
individual rights and more about giving bureaucrats more power. The GDPR is
great in the latter sense. It’s impossible to predict the outcome of a legal
process even if you do your very best to comply, and you can be slapped with
incredible fines... Cross the wrong bureaucrat and your days are numbered (in
an economic sense).

~~~
bjornsing
Oops, that was obviously a controversial standpoint. Just to be clear: I’m all
for individual rights. But laws need to have predictable consequences and be
fairly and equally enforced, and my impression is that the GDPR is not. As an
example, I’m pretty sure the local court here in Malmö, Sweden has violated my
rights under the GDPR. Do you think anybody would give a rat's ass if I
complained? I highly doubt it...

~~~
samus
It might depend on the country, but Austrian authorities treat GDPR compliance
very seriously. Even if the authorities got away with it, such cases make for
embarrassing press coverage and can threaten precarious coalitions, especially
when elections are close.

------
burfog
"Rocketreach has not met the requirement of the GDPR to name an EU
representative (Art27) to account for the processing of European Personal
Data. In their answer, the CNPD makes it sound like it is optional, it isn't.
Instead of pursuing Rocketreach locally on that basis alone"

LOL, yes.

I'm sure they also do not meet the legal requirements of North Korea, Saudi
Arabia, and many others.

Likewise, various EU corporations do not meet the legal requirements of non-EU
places like those. Would he prefer that they did?

Even more interesting, since he expects the US to follow EU law, how does he
feel about the EU following US law? The US has that Patriot Act, and lots of
EU companies are not compliant. Maybe he should report a few EU companies to
the FBI.

~~~
dtech
> I'm sure they also do not meet the legal requirements of North Korea, Saudi
> Arabia, and many others.

China is the most straightforward example, companies cannot operate unless
they basically do it through an - implicitly Chinese state controlled -
partner company. China also has a literal Great Firewall monitoring, modifying
or stopping all cross-border traffic. So yes, you have to play by their rules
if you want access to the market.

US, EU and other western countries also require you to follow their - much
more lenient - laws and rules for access to their market, but for now it's
rarely enforced through blocking etc. Saudi Arabia, Russia, India, Turkey and
other "second world" countries block a lot of services that don't follow their
laws or government commands. Same thing: follow da rulez or our market is
closed to you.

North Korea has their own exclusive "internet" and blocks all access to the
regular internet except for a few highly monitored and controlled locations
like universities and government institutes, which are not connected to the NK
internet. Not comparable at all.

> Even more interesting, since he expects the US to follow EU law, how does he
> feel about the EU following US law? The US has that Patriot Act, and lots of
> EU companies are not compliant.

This is effectively already the case for a large part. All non-China global
IaaS companies are US, so everyone has to play by US rules and law. I don't
believe for a second that the NSA cannot get the data from the European
Google/Amazon/Microsoft data centers.

~~~
lvturner
I think your information may be a bit out of date, in China you can own and
operate as a WFOE

[https://en.m.wikipedia.org/wiki/Wholly_foreign-owned_enterpr...](https://en.m.wikipedia.org/wiki/Wholly_foreign-owned_enterprise)

~~~
tripletao
WFOEs indeed exist, but there are many restrictions on the types of business
they can conduct, both directly[1] and indirectly because activities require
licenses[2] that WFOEs can't get. The grandparent post was wrong in the
details, but it's still a different world from the USA or EU.

1\. [https://www.fdichina.com/blog/china-company-registration/ftz...](https://www.fdichina.com/blog/china-company-registration/ftz-negative-lists/)

2\. [https://www.china-briefing.com/news/entry-strategy-chinas-on...](https://www.china-briefing.com/news/entry-strategy-chinas-online-gaming-market-opportunities-license-compliance/)

------
ohazi
When are we going to admit that GDPR is a failure?

Asserting a bunch of rights around personal privacy is great, but I've yet to
see any compelling evidence that the relevant courts and bureaucracies are
capable of enforcing the law effectively. EVERYBODY is cheating.

Every time this is brought up on HN, the response is to wait for when the big
fines start coming.

It's been two years. They're not coming.

~~~
jacquesm
Some pretty big fines have been issued already. See:

[https://www.enforcementtracker.com/](https://www.enforcementtracker.com/)

Over time I expect them to go up further as companies can no longer claim they
did not have enough time or were not aware of the law (that never was a
defense anyway but DPAs tend to be lenient. So far).

Since the GDPR has come into effect I see in my practice that companies are a
lot more aware of their responsibilities towards their users, have better
processes and security in place. Is it perfect? Not by a long shot but the
improvement is immense and as time goes by and more companies end up setting
an example of how things should be done and those that don't end up getting
fined I expect this trend to continue.

What I like most about the GDPR is that it steers towards compliance, not
towards making life of businesses unnecessarily harder.

Contrary to you I think the GDPR is a resounding success, the only thing that
would make it much better still is if other areas of the world would take up
similar legislation so the playing field would level.

~~~
jaclaz
I don't know.

From what I can understand of German/Google translate, the third from top:

[https://www.enforcementtracker.com/](https://www.enforcementtracker.com/)

Link to .pdf:

[https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180927_DSB_D5...](https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180927_DSB_D550_084_0002_DSB_2018_00/DSBT_20180927_DSB_D550_084_0002_DSB_2018_00.pdf)

is the Austrian authorities issuing a 300 Euro fine to a "common citizen"
making "illegal" use of a dashcam (it seems - but I am not sure about it -
that the issue is that the car is not - how? - visibly marked as
video recording?).

Anyone more familiar with German (and legal German) can clear the
matter/explain?

~~~
jacquesm
Why would you pick that example, rather than the 16 million fine an Italian
company received?

~~~
jaclaz
As a counter example to the "success" you mentioned.

Again if I got it right a "common user" got stung because of a dashcam.

The Italian example you refer to is actually a success, like most other ones,
I was objecting not to the Law in itself (that is IMHO a good one) but rather
on how it is applied, here and there, in spots and seemingly in a random way.

