
Europe’s New Privacy Rules Favor Google and Facebook - RestlessMind
https://www.wsj.com/articles/how-europes-new-privacy-rules-favor-google-and-facebook-1524536324
======
nickpp
The true cost of GDPR doesn't come from compliance itself. It comes from
trying to protect oneself from the legal vulnerability it creates for
businesses.

Like any regulation, once enacted, it creates yet another reason to harass,
burden and encumber businesses - no matter what business model they have or if
they are shady or not.

Large companies truly love this. Their already considerable legal departments
chew any new regulation the moment it appears while the newly erected walls
keep those pesky startups away.

Small businesses do not even pay the price - they simply cease to exist, to be
founded. It's a chilling effect. The prospective founder says "why bother with
this shit when I can simply get a job"?

The visible end result: a Europe more and more hostile to startups staying on
the sidelines while the US wins the innovation race for the future. Fewer
startups means also fewer large businesses (just look at the most valuable
companies in the world, how many of those are European?) and thus fewer well
paid jobs in the future (just check out the difference between an IT salary in
USA vs Europe).

~~~
AstralStorm
Yes, let's allow companies to process personal data indiscriminately because it
will help small businesses. /s

Please provide actual evidence that it will do so and that small data
processing businesses actually had to endure big legal fees due to privacy
protections.

The lack of start-up scene in most of Europe is caused by very different
factors, mostly more conservative and less wealthy investors.

------
havkom
Not related to the ads industry but GDPR compliance in general for smaller
companies (which is discussed in various other comments to this article), I
would like to add these remarks:

I think “GDPR compliance” is not a binary thing - there are levels of
compliance. No smaller normal company or Google or Facebook will be able to
“fully comply” at any point in time. There will always have to be incremental
improvements over time, hopefully in the right direction.

Also recognize that the obligations in GDPR “scale” with the size of
operation/amount of data that is processed. For example smaller companies:

- are exempted from some of the record keeping obligations,

- may not have to appoint a data protection officer,

- may often not have to do data protection impact assessments,

- may not have to set up and implement some policies relating to data
protection

- may also have less obligations when it comes to Privacy by Design (since
reasonable costs are a recognized factor)

- may generally have fewer data processing activities that require consent
(most normal personal data processing does not)

I would also forget about scares of 4% fines unless you are doing something
really bad or do not care at all even after a fine, reprimand or warning from
a Data Protection Authority.

My guess is that the “normal level of fine amount” will not change with GDPR
for data protection violations in the EU (compared to current UK levels). This
seems to be what the UK's Data Protection Authority (ICO) is going around and
telling everyone as well (if I have not misunderstood).

~~~
downandout
_No smaller normal company or Google or Facebook will be able to “fully
comply” at any point in time._

Which makes it ripe for abuse. By making a regulation that is impossible to
fully comply with, they have created a situation where any (or all) of the 28
countries in the EU can fine any company at will, because they're never fully
in compliance. Further, individual users can seek compensation under GDPR -
companies will be deluged with such claims.

Just having to depend on the goodwill of regulators who you think will just be
attempting to enforce the spirit of the law is a terrible position to put
companies in. When these countries and individual citizens are starved for
cash, all of a sudden the letter of the law will be the only thing that
matters, as is always the case with regulations that put all market
participants in violation by default.

~~~
havkom
The level of fines looks like it will be harmonized by EDPB (a board of all
Data Protection Authorities) so individual DPAs will probably not be able to
set arbitrary levels. There are also the one-stop-shop rules so a company will
normally only have to deal with one DPA.

When it comes to compensation, you have to show what material or non-material
damages you’ve suffered. Class actions are generally not a big thing in the
EU. Sure, there is an exposure here but in practice I think it will be very
limited, especially for smaller companies.

~~~
downandout
_When it comes to compensation, you have to show what material or non-material
damages you’ve suffered_

You realize that "material or non-material damages" can mean just about
anything right? If it were limited to "material" damages, that would at least
impose some form of sanity. The way this is written, it's a free-for-all.
Saying _"I have had a lot of trouble sleeping since I found out that only 45
of 46 tracking companies were listed on the disclosure"_ is all it would take
for an individual to obtain money from a company under this absurd regulation.

~~~
DanBC
They'd have to prove in court (to the balance of probabilities) that they have
insomnia and that the insomnia was caused by the non-disclosure. They would
also have to show that this is an expected result of non-disclosure.

Assuming they do this - how much do you think a compensation payout for
insomnia is worth? How many thousands of pounds do you think people would get?

~~~
downandout
I don’t know, but if you multiply the cost of defending one of them by the
millions of such nuisance claims that will be filed by people, and it will
quickly add up.

~~~
DanBC
You're saying millions of people will be willing to commit several criminal
offences in order to attempt to get a payout of about £1000, in a system that
routinely doesn't pay for psychological harm?

I mean, those people can already do this, and they don't appear to do it, so
I'm not persuaded GDPR will trigger a bunch of claims.

~~~
downandout
Is it a criminal offense though? How can it be disproven that you haven't been
sleeping as well as you normally do, or that you've been having anxiety
because an externally loaded PNG served a cookie that wasn't disclosed
(because the website operator didn't know about it)? They'd have to disprove
that to jail you for making a false claim.

------
RestlessMind
As suspected, smaller companies seem to be hurting a lot more than the giants.
From the article:

 _A digital-advertising firm called AdUX recently closed a service that
harvested location data from people’s smartphone apps to show them targeted
ads, said CEO Cyril Zimmermann, because his firm had little hope of asking
for—much less getting—consent from users. Instead, AdUX will aggregate data
from bigger companies. He said the shift has cut into revenue. “For them, it’s
easy,” he said. “The problem is, who knows AdUX?”_

~~~
jon_richards
How does GDPR affect selling personal data? Once I've given permission for a
company to collect my data, can they just sell it to whoever they want? Is
there any way to get rid of that data once it's been sold? Is there any way to
find out who's bought it?

~~~
michaelbuckbee
That's a lot of questions. To sum up, the GDPR is forcing:

- granular consent (like you might opt into a newsletter, but not retargeting
ads)

- right to request what a company knows about you

- right to get that data in digital format (json, xml)

- right to know when your data is exposed in a data breach

- right to request that your data be deleted

- right to request that an organization stop processing data about you

fwiw - I wrote a bunch more about it (link) and am happy to answer questions.

[https://blog.varonis.com/gdpr-requirements-list-in-plain-english/](https://blog.varonis.com/gdpr-requirements-list-in-plain-english/)

~~~
jon_richards
So as long as there are 1000s of companies like AdUX that purchase my data
without telling me or acquiring my consent, I don't really have any hope of
actually having my information deleted.

I suppose someone could make a service that lets you request every known
company delete your info.

~~~
PeterStuer
If they want to comply all those 1000's of companies will have to get you to
reaffirm your consent under the new GDPR rules. Didn't you notice already a
lot of the services/sites you use asking you to re-agree ('We've updated our
privacy policy etc.')?

~~~
jon_richards
Are you sure that all applies to companies that _purchase_ personal
information and not just companies that _collect_ it?

~~~
AstralStorm
They also _process_ the data which is explicitly mentioned in GDPR.

------
bencollier49
This strikes me as a fluff PR piece to try to head off similar legislation in
the US.

------
IBM
I've posted this before: GDPR is good independent of any effects it has on
competition.

Governments already have the tools to deal with market dominance: antitrust
enforcement. The EC has three antitrust cases against Google. One decision has
already been given, and the Android decision will be made sometime within the
next few months. The Federal Cartel Office in Germany has opened a probe into
Facebook [1][2].

[1] [https://www.politico.eu/article/facebook-data-collection-could-be-an-antitrust-abuse-in-germany/](https://www.politico.eu/article/facebook-data-collection-could-be-an-antitrust-abuse-in-germany/)

[2] [https://www.reuters.com/article/us-facebook-privacy-germany/facebooks-hidden-data-haul-troubles-german-cartel-regulator-idUSKBN1HU108](https://www.reuters.com/article/us-facebook-privacy-germany/facebooks-hidden-data-haul-troubles-german-cartel-regulator-idUSKBN1HU108)

~~~
woolvalley
A $100+ million revenue company has the capital to comply with GDPR. The 1-5
man bootstrapped start up does not. They will be in the 3 felonies a day type
of non-compliance and hunted by bureaucrats looking for easy targets. Other
countries have a philosophy of exempting small business from complicated
regulations because of this. The EU tends to not do this.

That is the fundamental issue and it has nothing to do with monopoly.

Just like you need progressive taxation to not choke out the poor, you need
progressive regulation to not choke out the small business.

~~~
realusername
I did not see anything in GDPR which does not make sense to me, it looks like
common sense applied to data management. (Edit: It's rare enough to have some
legal text in IT which makes sense in real life, I'm surprised). I don't see
why small businesses should be exempt for basic regulation, small businesses
are not exempt from fire safety regulation either.

> The 1-5 man bootstrapped start up does not.

In my current company we are only two developers and we will comply with GDPR,
it's going to take us a week or two worth of technical work, it's really not a
big deal.

~~~
woolvalley
The GDPR seems easy, but I get a feeling you haven't tried to actually
properly implement the GDPR regs, talking to lawyers and everything. If you
have you'll see there is far more involved than you think.

I wish it was easy as just manually looking for user data after an email,
deleting it, and keeping that email request as part of the 'audit log'. And
getting affirmative consent during signup.

Most small businesses would be fine with something that casual.

EDIT: If you guys winged it by actually just reading the regulations and
winging it, you probably did something wrong.

~~~
rectang
The GDPR is inconvenient with many of the shady business models popular among
web-centric companies.

In the long run, it's good for all of us if those business models are
discouraged.

~~~
woolvalley
It's inconvenient for the non-shady, non adtech, we give you a service in
exchange for money businesses too!

I think the best thing to take away from GDPR compliance is 'it's not as easy
as you think it is', 'it's not as obvious as you think it is', and small
businesses who totally respect privacy will probably still be breaking GDPR.

~~~
rectang
I'm OK with that and I accept that cost, because in my eyes stopping the
savage victimization of users is worthwhile. For you (or the WSJ) to persuade
me that the GDPR is problematic, I'd have to believe that first, that's
something that those opposed to the GDPR actually care about, and that it's
something that could be achieved through other means.

~~~
chrischen
Except this does nothing to really stop the savage victimization of users by
Facebook or Google. If anything it solidifies their dominance.

The abuses are happening from these big companies, not the thousands of tiny
startups that live and die within months that have a few hundred thousand
users.

~~~
rectang
So your proposal is a return to the status quo ante and unlimited exploitation
of users? Not good enough. I will take the imperfect good of the GDPR as an
incremental improvement over the option of abject surrender.

~~~
woolvalley
No the proposal is to apply the GDPR to the large organizations that can
afford to implement it properly. It's not black and white ;)

~~~
AstralStorm
GDPR is not applied indiscriminately you know. It has various responsibilities
indeed depending on company and/or database size.

------
montrose
“It is paradoxical,” said Bill Simmons, co-founder and chief technology
officer of Dataxu, a Boston-based company that helps buy targeted ads. “The
GDPR is actually consolidating the control of consumer data onto these tech
giants.”

~~~
rnnr
He probably hasn't heard the term "Revolving door". Simple study of antitrust
policies would reveal to him that this is the case.

[https://en.wikipedia.org/wiki/Revolving_door_(politics)](https://en.wikipedia.org/wiki/Revolving_door_\(politics\))

~~~
AstralStorm
I'm pretty sure previous privacy laws did little to EU businesses. (Some local
more restrictive ones like German neither.) This one will not do anything
much like you said either. There are much more critical laws that are being
tampered with such as tax code and employment laws.

------
msravi
I still don't understand how this is going to be enforced. If I'm a website or
app provider in China or Philippines or Russia or India, and I collect
information on EU residents who visit/use my website/service, how is GDPR
going to be enforced? How are they going to fine me 4% of my revenue?

~~~
woolvalley
You arrest company officers flying into the EU (even for a layover, even for
emergency landings) for default judgements.

You block their companies from doing business in the EU. You confiscate bank
accounts set in the EU, you confiscate shipments to/from the EU.

~~~
pcr0
For a public company, sure. How would you find company officers of private
offshore companies located in Cayman/Seychelles/BVI?

~~~
guitarbill
Of course you can always do illegal stuff. GDPR won't change that. You can
still buy e.g. stolen credit cards on the black market. But personal
information? Doesn't seem worth the hassle, especially when you can anonymize
it and keep using it. Or get consent. If you're smart enough not to get
caught, you're probably smart enough to come up with a business model that
isn't shitty.

------
paulgerhardt
Currently going through GDPR certification/signoff as a primarily US based
company.

As a hacker, I enjoy the spirit of the thing. It’s nowhere near as dumb as the
cookie pop-up law. Categorically I would prefer default third party services
to flush logs rather than retain.

As a founder, the cruel business logic very much favors removing
support/refusing to onboard European users.

Your exposure is in a fine for 4% of global revenue or 20 million euros.
Whichever is greater. No big deal. Europe may make up 10% of your revenue. The
effort is going to decrease resources by 20%+ in the short term, add unknown
long term complexity and overhead, and longer term employing a compliance
officer. Also can we go back to the 20 million Euro fine thing for a second?
Any potential acquirer is going to want to double down on diligence before
assuming risk like that.

The requirements initially seem innocent enough - ability to hard
delete/export user history. Easy right. Some notes from my meeting with legal:

Well what about backups? Do you retroactively go through your backups and
remove R2BF users? Do you only keep backups for 6 days? What happens if you
delete the user and restore from a 5 day old backup? Do you keep a second list
of users who requested you delete their data - and if so how do you store
that? How do you now represent activity that materially affected other users
still on the platform? Is this subbed out with a “blank shadow” user? The
legislation very much does not solve for the recursive logic of “how do you
track users who’ve requested deletion”. Counter-intuitively we would now have
to log more user activity so we can gracefully handle rendering deleted data.
Why do we have to file with a third party that we’ve deleted info on a user
that requested we remove all trace of them?? What if a user enters PII in
table entries owned by other users through that other user's account? What if
they do it through a third party API? Speaking of, how do you ensure your
third party API partners are in compliance? What if a user enters in PII in a
field that you thought should have no PII in it? How do you treat EU citizens
using your service outside the EU vs inside it? What if they use it in both
places? What if you have an American user who happens to be located...

Sure most of these are solvable along with another hundred edge cases not
illustrated, but for bigger apps at 50+ person companies almost every one of
those points is a bullet point in a meeting that requires nuanced development
from multiple stakeholders. Don’t think it’s hard? Try rolling into a meeting at
Twitter and explain to them how easy it would be to add a button that lets you
edit tweets. Some requirements are a BFD - you can imagine how things went
over in a meeting where we half-jokingly suggested we no longer make backups
rather than take on the burden of implementing a backup policy that may or may
not be compliant with a new law that has no precedents in court to guide
drafting a spec.

The net result is implementing it with the least effort and suddenly it’s just
this dogpile of kludgey UI popover screens that people click through without
reading and TOS updates and mandatory log outs and a lot of other things
besides that add overhead to make it “non-trivial.”

It’s a big deal because pre-series A startups will choose to avoid these
waters rather than navigate them.

~~~
exergy
While I'd love to say I sympathise, I do not. The end goal is not to make life
easy for small businesses. The end goal is protecting the consumer.

All your remaining points seem more easily solved than the backup bit, but I
do not understand what could be so hard about deleting a user from a backup.
Perhaps I'm dumb, but just go in there and delete it retroactively? If it
affects other users, that's ok. They see a [deleted] a la Reddit.

You're not responsible for ensuring the API partners are in compliance. Those
companies should have to fend for themselves.

When you delete _everything_ you stored about a user, you also delete _all_
potential personally identifiable information, so I again do not see what the
problem is.

It just sounds like a bit of whining from where I am standing. It's like a
small bridge builder saying "but the standards are too damn hard!". We start
with the end goal of safe Bridges and safe users and then go backwards. Not
the other way around.

~~~
Matt3o12_
One problem with backups is that you don’t want them to be always online
(store them offline and off site for disaster recovery). Backups can also be
helpful in case of bugs that delete your whole database so that you can
recover the data after the bug is fixed. Imagine the following query `delete from
users where id = 372936 or status = inactive`. Unfortunately, due to a bug,
all users have been marked as inactive. Now you destroyed the whole database.
No problem you think, just restore it from a backup. Due to the new law, this
script ran also on your backup. Congratulations, you have now lost all your
users. Hence, you never want to “change” backups. You only ever want to
restore from them.

The easiest way to comply with it would be to have a list with all user deletion
requests stored somewhere else and every time you restore from a backup, you
also apply this list from the backup. But have you really deleted users if you
keep backups?
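
The approach described in the comment above (a separate list of deletion requests that is re-applied after every restore, with the backup itself never edited), sketched as an added example that is not part of the thread or any commenter's code. The schema, the `[deleted]` placeholder, the HMAC-keyed ledger and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a secret kept outside both the database and its backups.
LEDGER_KEY = b"constructed-demo-key"


def ledger_token(user_id: int) -> str:
    """Keyed hash of the user id, so the ledger holds no direct identifier."""
    return hmac.new(LEDGER_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Every user is 'inactive', as in the bug scenario."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, status TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'a@example.com', 'inactive'),
                                 (2, 'b@example.com', 'inactive'),
                                 (3, 'c@example.com', 'inactive');
        INSERT INTO posts VALUES (10, 1, 'hello'), (11, 2, 'reply'), (12, 2, 'more');
    """)
    return db


def snapshot(db: sqlite3.Connection) -> sqlite3.Connection:
    """Copy a database; used both to take a backup and to restore from one."""
    copy = sqlite3.connect(":memory:")
    db.backup(copy)
    return copy


def _erase(db: sqlite3.Connection, user_ids) -> None:
    with db:  # one transaction: commit on success, roll back on error
        for uid in user_ids:
            # Keep threads readable for other users: blank the body, drop authorship.
            db.execute("UPDATE posts SET body = '[deleted]', author_id = NULL "
                       "WHERE author_id = ?", (uid,))
            # Match on the primary key only, never on a mutable column like status.
            db.execute("DELETE FROM users WHERE id = ?", (uid,))


def erase_user(db: sqlite3.Connection, ledger: set, user_id: int) -> None:
    """Erase one user from the live database and record the request in the ledger."""
    ledger.add(ledger_token(user_id))
    _erase(db, [user_id])


def replay_ledger(db: sqlite3.Connection, ledger: set) -> int:
    """After a restore, re-apply every recorded erasure. Returns users removed."""
    restored_ids = [row[0] for row in db.execute("SELECT id FROM users")]
    matches = [uid for uid in restored_ids if ledger_token(uid) in ledger]
    _erase(db, matches)
    return len(matches)


def demo():
    live, ledger = make_db(), set()
    backup = snapshot(live)        # backup taken before the request arrives
    erase_user(live, ledger, 2)    # erasure request for user 2
    restored = snapshot(backup)    # restore into a new database; backup untouched
    removed = replay_ledger(restored, ledger)
    users = [r[0] for r in restored.execute("SELECT id FROM users ORDER BY id")]
    bodies = [r[0] for r in restored.execute("SELECT body FROM posts ORDER BY id")]
    in_backup = backup.execute("SELECT COUNT(*) FROM users WHERE id = 2").fetchone()[0]
    return removed, users, bodies, in_backup


if __name__ == "__main__":
    print(demo())
```

`demo()` also reports that user 2 is still present in the untouched backup, which is the open question the comment ends on.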

~~~
exergy
It's not a shell script that you will write each time a user asks for a
deletion though, would it? It will be a carefully tested and automated
procedure.

It certainly sounds like the possibility of deleting all your users might
actually make us all more careful, less gun-slinging, shoot-from-the-hip
programmers.

~~~
Matt3o12_
It will probably be an SQL query and if software development has taught us
anything is that testing is not enough. Proper testing can be very helpful and
prevent many errors but it can never prevent all because you just cannot test
for all circumstances. This is why backups are helpful and why backups should
not be changeable. It is a reason why backups were made on magnetic tape back
in the day so it wouldn’t be overridden by mistake. Backups were just as
important back when programming wasn’t all about that fast iterating and push
updates and fix later – or gun-slinging programming as you call it – as they
are now.

------
zmyrgel
By looking through the comments it seems many seem to think that smallest GDPR
violation will immediately see 20M fine. Isn't it the last method if previous
methods are ignored like giving a warning, smaller fines etc.?

So you don't have to do every single thing perfectly, just that you have the basics done
properly and you're willing to fix things as they are shown to be broken. Well,
unless your broken system leaks millions of users data into the wild I'd guess
you're pretty safe.

------
car_invasion
I believe GDPR is like a pre-announcement of GFoC but for Europeans.

------
shiado
How will GDPR interact with the goals of intelligence agencies and their
contractors? Is there going to be a wave of problems for intelligence
contractors and their possession of data or are European countries going to
let it slide?

~~~
woolvalley
Isn't what most intelligence agencies do illegal in other countries already?

~~~
shiado
Probably. Although there is the Five Eyes style arrangement where you don't
spy on your own citizens and instead spy on citizens of other countries and
then share the data between each other so it all becomes legit. This is
described here:
[https://en.wikipedia.org/wiki/Five_Eyes#Domestic_espionage_s...](https://en.wikipedia.org/wiki/Five_Eyes#Domestic_espionage_sharing_controversy)

~~~
woolvalley
I think those agreements come from the fact that the agencies cannot 'spy'
inside their home country, but can get information from other agencies that
happen to have info about their country.

I still think it is illegal for those other agencies to spy within the home
country. Not to mention countries they don't have agreements with.

The home agency does not do anything illegal itself, but the other agency does
illegal stuff for them.

------
Buge
>Unlike the giants, the ad tech firms have no direct relationship with
consumers. They say Google’s and Facebook’s response pressures publishers to
seek consent on behalf of dozens of ad tech firms that people have never heard
of.

This is exactly what I said back in November.

[https://news.ycombinator.com/item?id=15769544](https://news.ycombinator.com/item?id=15769544)

~~~
tjoff
Target the site, not the users. Simple as that, arguably you'd have much
better accuracy targeting an interest rather than trying to profile each IP
anyway.

------
bkor
Due to the GDPR Facebook added all kinds of new controls. I looked through
them today.

Stuff Facebook has tracked, despite not using their app on my phone (preloaded
but completely disabled) and using their website only with uBlock Origin:

a) everywhere you ever used Facebook to login to a website. I thought I never
did this but apparently I still had 5+ websites linked to this. They seem to
use this to profile you. Facebook mentions about this _"These are active apps
and websites. This means that you recently logged in to them using Facebook,
and they can request information you've chosen to share with them."_ I never
wanted to share anything, but Facebook often changes settings or pretends I
did.

b) every time you connected an app to your Facebook account. Apparently I
again did at a few times (to easily upload some photos). I also saw old phones
in here, Runkeeper (don't recall using that), Tinder (haven't used in years).
All of those seem to forever be able to get information from you.

c) topics (yet another new name). Not sure how they figured things like that
out. Fortunately you can completely disable the personal tracking, though you
need to do that in various different places.

d) advertisers who added their contact list to Facebook. Really!! So some
other company shared my details with Facebook. Which means they've also shared
details of people not using Facebook with Facebook.

e) used websites and apps. This is surprisingly accurate and complete
(hundreds of sites+apps!), despite having the Fb app disabled plus always
using uBlock Origin. I really wonder if they somehow are able to retrieve the
browser history. It seems Facebook also tracks you using "apps using Facebook
technology", which I guess is a library to show ads or something which uses
the app permissions to further track the user.

f) it uses your profile (relationship status, employer, job title, education)
to target ads

g) somehow puts you into categories. E.g. "uses a mobile device (xx to xx
months)". I disabled this crap yesterday, it updated it today with more
information. I assume through Whatsapp/Instagram or maybe some kind of
Facebook ad library? Again, I don't want it to track me, yet they seem to be
easily able to do this. I turned off all the settings but apparently still
missed a few.

i) ads topics. Not sure how topics differs from the 3 other ways they call
this.

j) your location. It doesn't show what it does with this. You cannot disable
the location tracking; it suggests to turn it off in the phone settings (which
is a cop-out). I'll need to download my data to further determine this. I'm
pretty sure Facebook is big enough to figure out additional ways of location
tracking than just what Android/iPhone allows.

k) websites visited. I assume any link clicked. This is somehow different than
all the other ways it already showed websites.

l) the existing "Who can contact you using email address / phone number". It
says "Who", but it is used for the API as well, that's not a user so I find
the usage of "Who" misleading.

Despite doing all of this, still not sure how to prevent something like
Cambridge Analytica from downloading my data through others ("friend").
Further as I already mentioned it seems to continue tracking me despite
turning everything off. Not cool.

------
ThatHNGuy
why do you keep posting paywalled content?

------
IloveHN84
Why do people keep posting WSJ paywalled content here?

~~~
nemothekid
They often have quality content.

~~~
tjoff
This sure doesn't seem like it.

------
M_Bakhtiari
Fine by me. Do we really need more “small ad firms”?

