Hacker News new | past | comments | ask | show | jobs | submit login
WhatsApp told to stop sharing user data with Facebook by French authorities (reuters.com)
795 points by artsandsci on Dec 19, 2017 | hide | past | favorite | 408 comments

EU is one of my best hopes when it comes to privacy and really wish they start going after tech behemoths. I have given up on US authorities doing anything to reign them in. And policies in other significant countries (eg. China) would be even worse for user privacy.

I'm torn on this. On the one hand, I agree, the EU legislates privacy to a degree that no other political entity does as far as I'm aware, but on the other hand, they often do so with poorly designed policies. As an example, I'd point to the cookie notices that appear on almost every major website, which must have absorbed, globally, many careers worth of man-hours to implement while offering virtually no real-world privacy benefits.

Maybe I'm over-indexing on one bad example? I'd love to hear more informed opinions about this.

I guess the grass is always greener on the other side. I'm European, and I sure miss my perceived greater freedom and innovation of economical activities in the US. Things like having UBER banned for example in France or Germany completely throws me off. And in Germany you don't know yet what's living without cash and only with a credit card.

And those damn cookie notices!! Because they show up in every page, everybody accepts the policy without questioning, which completely defeats the purpose. And worse for the user experience, most often the implementation of websites for those notices is dummy, and show the notice upon refreshment, even after having accepted the policy before.

> And in Germany you don't know yet what's living without cash and only with a credit card.

That's because we had our own system established in 1984 (ELV, electronic direct debit based on the EC cards mentioned elsewhere). From a German point of view, a credit card is a downgrade.

- The system covered all German banks (private banks, public banks = Sparkassen, credit unions) because they got their act together and set up a single standard.

- It had lower fees than credit card transactions.

- Pretty soon the card was included with bank account fees, while credit cards cost extra.

- It worked with a magnet stripe and automated electronic clearing in a time when credit cards were merely a slight convenience over manually writing a check which needed to be mailed around the country (you do know why credit cards have name + card number embossed to this day, right? Check out credit part imprinters).

All that made it more attractive to merchants, and credit card companies weren't used to competing in a market that already had a big incumbent.

> From a German point of view, a credit card is a downgrade.

Not only germans use the german system. When other Europeans go to European institutions that are placed in Germany, we can't use electronic payments. A system established 34 years ago should not be an acceptable excuse for a subpar service.

It is a shame (and quite fraud-risky!) to go on a taxi and have to wait 5-10 minutes for the taxi driver to carbon copy your credit card details in the invoice (now he only needs to memorize 3-4 digits for the security number), whilst in the same country Uber, and other similar services that provide immediate payment facilities with no open handling of sensitive data, have been banned.

> A system established 34 years ago should not be an acceptable excuse for a subpar service.

The system was developed in those 34 years, both on user visible features (EMV card with chip&pin in 2004) and invisible (SEPA Cards Clearing, implemented in 2015). The latter allows any SEPA based participant (and those outside, apparently there's some interest in Brazil) to handle clearing of transactions compatibly. That should allow card based SEPA Credit/Debit Transfers (which draws from 34 years old ELV a lot).

Merging incompatible banking systems takes time, but IMHO that's better than just layering another rent seeker or two (the credit card company, plus potentially Stripe) on top.

Offtopic, but:

> whilst in the same country Uber has been banned

Maybe they should have read up on the local regulations instead of spouting their usual nonsense about fighting the taxi cartel? (nevermind that the biggest player in that space is Uber itself)

A cursory reading of the relevant laws got me three different ways to try to establish a legal setup in which they could have proved their contribution to the public transport system for a couple of years (after which that could be extended or be made part of the official playbook). But it sometimes looks like reading laws is a fireable offense at Uber.

Considering how widespread accepting cash only is, you'll end up paying more for ATM withdrawals than you save on the lower merchant fees (that is, if the merchant even passes those onto you). Unless you want to carry hundreds in cash on you.

I've also noticed that not many people pay contactless, even when the terminals support it... and the cashiers tend to assume that the card is not contactless for some reason.

ATM withdrawal typically is free (at the same banking group).

The merchant fees are part of the total cost, so lower fees provide a competitive edge to the merchant. (the listed price also contains VAT, so you pay what's on the sticker, not like in the US)

Aldi (a discount grocery chain) didn't accept _any_ cards for a long time to avoid these extra costs.

In short: the German market situation is rigged in favor of cash, which is "free", which is hard to compete with when you're selling credit card services for a living.

Why kind of world has people saying cash is rigged to be cheaper. It's the medium of exchange, everything else is on top of it. Of course it costs more!

I don't disagree with you. There are other entities that solve the issue for taxi service, such as mytaxi, that pay by the rules - still "an extra layer of rent seekers" though.

But in general, even if technically possible, not a lot of businesses accept visa or mastercard - be it that the bank does not provide the service, or that they charge extra, it is not available.

Luckily PSD2 will soon open the space to more players.

In Portugal is even a bit better, because all banks got around SIBS, which created a kind of mini-Internet with ATMs machines.

So we can use our debit cards for buying tickets for trains, concerts, cinema, money transfer, paying Internet shops, charging pre-pay phones,...

All without paying ATM taxes, regardless of the bank of origin.

So the majority of people, if they aren't traveling abroad or buying Internet stuff on foreign shops, don't have any need for credit cards.

So would bitcoin be a step back here?

Well, assuming that bitcoin can be tracked and deanonymized, it would. Although, all cryptocoins are a step back. There's no way they could support transactions-per-second necessary.

As much as I like cards, I also prefer paying for stuff with cash.

In Portugal it is illegal to buy an expensive computer, or high-end computer monitor, or a high-end TV with cash. Similar thing in France.

Imagine yourself throwing a dinner party in a restaurant with 10 guests and they eat and drink so much that it comes to a point where it's illegal to pay that dinner with cash. Ridiculous.

I would find more ridiculous (or suspicious) someone carrying 2000€ in cash in this day and age for whatever reason, to be honest.

It is clearly a measure created to prevent tax evasion, which in Portugal is a real issue (as in most Southern Europe countries, I'm Italian) http://www.theportugalnews.com/news/may-2016-portugal-named-....

Since, as your parent says, in Portugal cashless systems are convenient are efficient, I don't really see the issue, aside from your personal preference.

""" I would find more ridiculous (or suspicious) someone carrying 2000€ in cash in this day and age for whatever reason, to be honest.

It is clearly a measure created to prevent tax evasion, """

this shows the extent to which the banking system has brainwashed us, when 2 people cant conduct a large transaction directly without an intermediary and it seeming 'suspicious'

Why someone would risk or be inconvenienced carrying such larges amount of cash in order to carry a transaction is beyond me, and yes, I would find it suspicious.

If you lived in a country where every other week you see in the news some politician caught on camera while pocketing corruption money, you probably would have another viewpoint.

by that logic, if taxation is theft ==> cash is theft evasion

> I would find more ridiculous (or suspicious) someone carrying 2000€ in cash in this day and age for whatever reason, to be honest.

You'd think.

I bought a house in Japan and I had to pay my deposit in cash, approximately US$10,000. Walking around with that much money, I've never been more paranoid in my life.

Yes, it it seems Japan has a weird relationship with bank accounts and credit/debit cards, as I learned here:


> In Portugal it is illegal to buy an expensive computer (…) with cash.

A few questions:

  1. Are you sure it’s illegal?
  2. From what value does that apply?
  3. How is that enforced?
  4. More importantly, who is in trouble if they do so, the buyer or the seller?
I live in Portugal and have different friends that bought different brand computers on different stores on different years, both paid cash, and in no case was there a problem. In at least one of the cases the cashier just made a quick call to the manager, asked “can I accept it?” and it was done.

Just did a quick search, the limit for cash payments is 3 000 euro.


Thank you. For curious non-Portuguese speakers:

  * The article is from August 22nd 2017.
  * It prohibits cash payments for anything (not just electronics) from 3000€ on.
  * For non-residents, the limit is expanded to 10000€, or equivalent in a different currency.

Bitcoin, which costs ~$20 to make a transaction now, would be a step back pretty much anywhere this century, or much of the previous one.

A step to the side I'd say

I don't think that matters at all. Many countries have their own debit card system and for what it's worth, I think EC cards are great debit cards. They can, however, not replace credit cards.

All the benefits from credit cards really come from the fact that you're paying with credit: - Travel a lot? They sure accept Visa. - Want to pay some street vendor? Square is only possible because they don't need to dial your bank directly.

Also the fee per transaction might be cheaper on debit cards, but the cost to acquire a debit card reader from your bank is still high. That's why virtually all larger vendors do accept debit cards in Germany, only smaller businesses are cash only (from my perspective).

The advantages you give aren't directly related to the cards being real credit cards, though. Visa debit cards work fine all over the world, and with Stripe. (In my experience it's very common in Europe for debit cards to be dual network, domestic and Visa or MasterCard. I don't know about Germany, though.)

The real advantages of credit are spending money you don't have, and points/cashback.

You can get them with debit cards as well, depending on your bank account contract.

On some banks there are bank accounts with automatic credit, up to a certain limit of expenses.

> the cost to acquire a debit card reader from your bank is still high.

My friend owns a retail business, and acquired a debit card reader for it. I was surprised at how cheap it was (ISTR 50€ -- certainly below 100€). He's quite happy with the bank's tech support, too.

You think of credit cards as a way to transfer funds, but miss the "credit" part of the name.

I like having the option to to buy now and pay later at the same price point as paying right now.

Same price point, except that credit cards usually cost extra here.

Since bank transfers are immediate now (unlike in the past when monthly batching was cost effective) and most credit cards in Germany are managed by the banks and coupled to bank accounts, they could just reconcile all transactions immediately (and even reject those that overdraw too much).

In such a situation, credit would become a risk adjusted premium feature and you'd have to calculate if it's worth it (vs the bank's regular interest rate on overdraw).

Plus, according to the OECD Germans have somewhat higher household savings (relative to household income) than Americans, so the liquidity might be comparable without using credit.

You are missing my point. I don't care if credit reconciles immediately at the bank level or not, I care about what credit cards allow me to do, which is smooth over lumpy cashflow.

If I have expenses of 100K a year, without access to credit I have to make 100K a year without fail, or I am insolvent. With credit, I can make 100K one year, 0 the next and 200K (+ whatever interest I need to pay for Year 2) in the final year. The optionality is more than worth whatever interest and surcharges I encountered by using credit in Year 2.

Lest you think this is insane, this is how I bootstrapped my last business.

If it were insane nobody would do it. It does, however, come with a magnitude of risk that Americans seem more likely to accept than Europeans are.

Thank you very much for this background information, I was ignorant of it.

I'm now in China. We, in Western Europe, are really decades behind them in mobile payments. This is just so much more convenient.

And yes, it's probably a privacy nightmare, I agree. But at least you can make this choice in here.

How is getting your phone out and fumbling with a QR scanner more convenient than tapping your card against a RF surface?

It's convenient because everyone accepts it and the transaction charges appear to be half of credit card fees (or zero if the merchant uses Tencent's escrow system). When I travel to China, as a foreigner, I'm virtually the only one carrying any cash. None of the locals carry meaningful amounts of cash any more.

Well some European countries don't have any transaction fees at all when using a debit card.

Those mobile pay systems DO.

>Things like having UBER banned for example in France or Germany completely throws me off.

Funny, why would they ban a company simply for breaking the law? It throws me off too.

In all seriousness, Uber's business model seems to be a mixture of disregard for labour and transportation regulations and of using their endless supply of investment to aggressively drive the prices down. Do you expect the governments to sit and watch?

> Do you expect the governments to sit and watch?

No and if laws are broken something can be done, but there are too many cases / stories, like the one described for France in this thread, where the gov was not really interested until they got forced by some corrupt (smelling) means by the big taxi companies and their lobbies. And i'm sure (but maybe that's just cynicism from living life) those companies are not going out for 'the law' or against uber specifically; they would go after anything that is competition for them in any way they can. Uber just is easier because you can play a few cards which are internationally known; big trees catch a lot of wind as we say in NL.

Last I heard, Uber works just fine in France

> And in Germany you don't know yet what's living without cash and only with a credit card.

That's on the Germans (especially Berliners), rest of Europe uses cards a lot more. And I'm glad the US finally took their head out of the sand and are using Chip Cards

But yeah the cookie notice is pretty much useless (and I think it's been implemented badly by websites as well). Note not all cookies need the notice (which is a fact overlooked by most sites)

I live in Munich, Bavaria, and, to give an example, in most restaurants you will not be able to pay with a credit card. Having said that, you can pay once you reach a minimum amount with what they call an "EC-Karte", a sort of debit card.

Yup, this was quite surprising to me having travelled a fair bit but not been to Germany in 10 years or so. "I'm supposed to pay my dinner bill at a fancy restaurant.. in.. cash?"

"Germany is the land of cash." -- one of my German friends likes to say.

Germany doesn't have shit on Japan in this regard.

EC card works 99% of the time.

As a side note, I also use my German EC card abroad. Fees are surprisingly low and it is accepted in more countries than you'd expect.

  "I'm supposed to pay my dinner bill at a fancy restaurant.. in.. cash?" 
There are a lot of really fancy places in Japan, which will not accept credit cards.

Nor will they - unfortunately - accept reservations in English.

Seconded. Also a fella from Munich. In regular restaurants you have to pay at least 25 EUR to be able to pay with “EC Karte” which I find incredibly annoying. I don’t like carrying around any cash honestly. I have my cards and that’s it.

Yes, debit cards are much more accepted than Credit Cards. I don't use Credit Cards outside of online though

EC-cards are widely accepted, but debit cards are accepted to the same extent as credit cards are.

> Note not all cookies need the notice

Is there a reference for what kind of cookies do and don’t?


> Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29pdf include:

> user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases authentication cookies, to identify the user once he has logged in, for the duration of a session

> user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session

> load‑balancing cookies, for the duration of session user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)

> third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

Can someone tell me as a consumer what benefit those chips provide?

It’s slower and security isn’t my problem because fraud is covered by the CC company. So I still don’t get what the benefit is or how our heads are above sand now?

It creates a healthier society in long run if people cannot spend money they don't have. Some goes for the uber decision, I think it's healthier for the job market and society in general when this kind of exploitation of employees is not possible.

User experience of debit cards is just fine, I don't carry any cash, and typing a pin code is just as fast as singing your signature. And currently in the Netherlands debit cards also support contactless payment, where you can pay small amounts of money without proving a pin code. I don't use this though, as I don't feel the need to.

> It creates a healthier society in long run if people cannot spend money they don't have

Ok, now explain this:


Denmark, Holland and Norway are nobody's idea of unhealthy societies -- and households there have well over double the debt load of US households.

This debt, at least in Norways case, is probably mostly due to a very large portion of people buying their own home. Its a lot more common here than in other countries and when growing up, at some point buying your own home is almost expected of you. It is also heavily incentivized by the government through tax policy. This is probably creating a housing bubble of sorts, so i guess we'll see how well that turns out at some later date, but i assume that is the reason Norway is where it is on that chart.

I doubt Norwegian homeownership culture is anything as militant or debt-fueled as America's. Remember how the US nearly tanked itself with mortgage backed securities a few years ago?

As @farrisbris mentioned, this is mortgage based debt (in the Netherlands).

All debt is tracked, including the 'free' phone you get with your subscription. You can't go over a limit based on your income.

Also a large difference with for example the US is that in the Netherlands you don't need a down payment when buying a home. And until recently you could include the transfer tax, realtor, etc in the mortgage. All which make it easier to buy a home and thereby driving up the debt of a household.

Those countries have nowhere near the same consumerism culture as the United States.

With respect, that's a horrible generalization, and does nothing to refute my point that households Europe are in much more debt (as a share of disposable income) than US households.

The fraud is ultimately paid for by the userbase (cardholders and merchants) as a whole through paying fees. (Of course, whether a reduction in fraud cost results in a decrease in fee burden or an increase in issuer profits...)

  It’s slower 
In my experience it's definitely not. Especially when you pay contact less (something any chip containing credit card provides for the last few years) it's basically instantly.

  So I still don’t get what the benefit is or how our heads are above sand now? 
You get the benefit that your card is accepted throughout the world. I don't think that you can use any chipless card in Europe, nowadays.

The service available in France as UberX is what is known as UberBlack in the rest of the world - a black car and a professional driver (also applies to Pool). Uber in France is effectively a taxi company with an app (which is not a trivial improvement, but that's a separate discussion). This is strange because France is, philosophically, a "communist" country and sharing economy innovation is usually welcome and happily embraced; UberX and UberPool were extremely popular with millions of riders (I believe 7? 10% of the country) before they were made illegal.

How this came about is a textbook case study in government-industrial nepotism, including the family [1] controlling 60% of the taxi companies (edited) literally hiring the head of the French FBI to transfer a couple of months before retirement in the transport ministry, pass anti-Uber legislation, and then retire to a cushy job as the chairman of I think the second or third largest taxi company (owned by the same family). This was exposed in a long article in the Nouvel Obs, a real piece of journalism, which was taken offline about a week after publication (edit - seems to be back! [2]) and before I could take a copy (only the URLs I sent friends remain as testimony of its existence). [1] also claims that the Rousselet family blocked a direct rail link between CDG and central Paris (my Uber on that route last week cost 99 EUR), and has kept the number of taxi licenses "near 1930s levels". edit - [2] claims Paris has 1/5th as many taxis as London or New York, and that no new licenses were given between 1990 and 2002, during which CDG passengers increased almost 50%.

There is an embryonic version of Pool, in the form of Blablacar, an app that arbitrages the very high cost (for French citizen) of SNCF and Air France domestic intercity travel. You post your approximate trip, and riders can ask you to pick them up for a portion of the way. I've travelled 5 hours for 10 EUR this way, and used it frequently between Geneva and Annecy (about 45 minutes, no train link, infrequent buses). Since this app is effectively useless for last minute short trips within a city, it does not compete with taxis, which may explain why it is still around.

[1] Note that the father of the current chairman was the executor of the will of President Francois Mitterrand - https://www.challenges.fr/entreprise/pourquoi-il-est-impossi...

[2] https://tempsreel.nouvelobs.com/economie/20150212.OBS2398/de... - on the former security head: "fin 2007, le gouvernement Fillon demande un rapport sur les taxis au préfet Pierre Chassigneux [...] Coïncidence ? Ancien directeur des Renseignements généraux puis directeur de cabinet de François Mitterrand, l’homme est une vieille connaissance d’André Rousselet via le corps préfectoral. Son travail, publié en avril 2008, est si conservateur que la presse le qualifie de "contre-rapport Attali", qui vient, lui, de prôner une véritable libéralisation du métier. Mieux : ce même Pierre Chassigneux devient ensuite… président des Taxis bleus, poste qu’il occupe encore à ce jour !"

>This is strange because France is, philosophically, a "communist" country and sharing economy innovation is usually welcome and happily embraced; //

When I (UK) think of France in this context I think they're strongly in to workers rights and that probably Uber aren't (based on the kerfuffle in London)? That makes it completely unsurprising to me that Uber wouldn't be doing well in France??

Uber is super-capitalism, it's not communistic, it's lowering workers (proles) wages; and using capitalist investment in order to bottom out the market and bankrupt the other players so that the market can be captured by a single player. Could you perhaps describe why you think this sort of market manipulation, particularly the reduction in wages and reduction in worker rights (through machinations of "they're not employees") makes this communist in any way shape or form??

I'm not talking about politically, but about philosophy or spirit. Compared to the Anglosphere megacities, there is a certain comradeship amongst the French (which you find in other countries, like Japan), a sense of shared fate and community spirit, the idea that this goes before profit and efficiency.

The use of the word communism was deliberately ambiguous and a bit of a pun given the leaning of a sizeable portion of the population in the 20th century. "Commune" means a small town in French, and "commun" can mean "that belongs to all" or "shared".

The French job market is ultra-regulated which makes it relatively rigid with many people left out (and great conditions for the connected). I remember someone interviewing for selling ice-creams - there were 22 finalists! And most graduates will do year-long, low paid internships outside the regulated, cushy full time job system, which like post-docs in US academia can repeat ad infinitum if the economy is bad.

As everywhere else, UberX/Pool allows the marginalised to get an easy job that's a step up from pizza delivery, whilst drastically expanding the market for rides (and I've seen this play in a lot of countries). This is particularly helpful for the numerous people juggling many jobs, and parents (especially single parents) who appreciate the flexibility.

The market was already captured by a single player in France, the worst possible way - in a similar fashion as healthcare in the US. Other markets that have been completely captured by capitalist foreign mega corporations include web search, browsers, social networking, computers, fast food, fashion, real estate supplies, the auto industry (Renault and Peugeot are French only in name at this point)... I guess at least the Rousselet were French?

Perhaps it is time to see things in grey instead of black and white, to avoid labels, to judge companies and actions by their net welfare effect instead of saying "he's not from my team so he's bad" or "she's from my team so she's good" (I'm thinking of you, Democrats in the last election). Almost forgot - reduction in wages? The taxi companies employed many drivers on survival wages (particularly those with difficult immigration situation) and pocketed the difference. Uber's transparency is a net gain for the worker (and the state, which does not get tax-evaded).

UberPop was popular because it allowed people to car pool easily without talking about money, and decongested city centers particularly at rush hour. Enabling widespread, safe car sharing seems to have been perceived as a good thing given the high number of users. I never heard a bad comment about Uber from normal French people (drivers or riders), always from taxi drivers or the news.

Just FYI usually in English we would say communitarian where a French person might be tempted to translate as communistic or communist. Communist in common English is pretty much restricted to the political philosophy.

> The service available in France as UberX is what is known as UberBlack in the rest of the world - a black car and a professional driver

While they do follow taxi regs, I don't see how they aren't "UberX", UberBlack is just called UberBerline here: https://www.uber.com/en-IE/cities/paris/

> blocked a direct rail link between CDG and central Paris (my Uber on that route last week cost 99 EUR)

Well, true, there isn't a direct link, but there is a train link, also link to other cities. Last year an Uber from the city center to CDG had a fixed price (if I estimate the fare today it gives me 45Eur for X or 70Eur for UberBerline)

I haven't used Blablacar though

I'm not sure I understand. - both uberx and uber pool are legal in France - uber black elsewhere is a luxury service, which French uberx is not - maybe we don't have the same definition of professional driver, but you need them to be professionals for insurance and tax reasons. - there has been a direct rail link from CDG to central Paris since 1981. It's called RER B.

It's confusing because the terms are different internationally.

The RER B is not a direct train link - it's equivalent to taking the Piccadilly Line from Heathrow, you will take a long time through many stations and share with commuters. Think instead Hong Kong's express train or the Narita Express in Tokyo: a fast, clean, premium service that takes you from airport to city centre core locations in a couple of stops (the Heathrow Express is actually pretty bad for this as it arrives somewhere far from most places of interest which is why they're building CrossRail).

UberX/Pool in most of the world (although this is changing - e.g. license now required in Singapore) means the everyday salaryman who happens to commute by car and decides to pick people up on the way to bump up his end of month. Many people end up doing this full time but usually in between jobs. In some countries it's lucrative enough to become a career.

How nice an X/Pool car is depends on the local market. In Singapore it used to be old, entry level Toyotas but as the rental company business improved it became small SUVs (like the Honda Vezel). In Sydney you get anything from a Subaru WRX to an E-class.

Black in most of the world means "professional driver, new-ish sedan used for professional transport" and that depends again on the price locally. In Ho Chi Minh City it's a local market 8 seater van (like a bare bones Honda Odyssey with leather seats). In Singapore you can get the odd Mercedes E-class. In Hong Kong you get many Teslas, with the rest Audi A6 or larger.

In France, X/Pool now use professional drivers, and the cars are sedans: Renault Laguna, Volvo S60, etc. In that sense, the service is equivalent to Black in the rest of the world.

I agree about insurance and tax, but it really depends how you implement it. In Singapore, the license is very cheap and requires a few hours of training (for safety and to know your obligations). This is a stark contrast to 300k+ EUR/USD medallions.

There are actually direct RER B trains between the airport and gare du Nord in central Paris and other RER B trains that stops at all the stations between the airport and gare du Nord...

There is now a project to create another direct line between the airport and Gare de l'Est (and shutting down the direct trains of line B at the same time), the CDG express (https://en.wikipedia.org/wiki/CDG_Express and more info in French https://fr.wikipedia.org/wiki/CDG_Express). The project was indeed stopped in 2011 butis now alive again, and very likely to be made. Se also http://www.cdgexpress.com

Excellent news!

The last time I tried to take the RER (early 2010s), I was in a train full of graffiti, with drunks (or drug users?) passed out across the seats, and few escalators/lifts for my 20kg suitcase. So after this I thought it was less painful to pay for a taxi, the experience put me off trying the RER again.

This round, the problem was a strike which surge priced the fare into 8 minutes ETA and 2x the usual.

It's funny that CDG is actually a TGV station - you can probably reach other cities faster (and more comfortably) than Paris as a result.

> [1] also claims that the Rousselet family blocked a direct rail link between CDG and central Paris (my Uber on that route last week cost 99 EUR)

Well a regular "taxi parisien" between CDG and Paris is 50 € or 55 €: https://www.g7.fr/tarifs-taxis-paris Uber is not always cheaper…

What ?

SNCF is often pretty cheap.

Also Uber X seems pretty similar in France and in the US to me. It is not all big black cars.

Lost me here, but are you trying to say the US is ahead of the game in terms of card payments? Because the States is clearly miles behind the EU.

Do you guys even have chip and pin everywhere yet? Last time I was over, you didn’t, and we moved onto contactless in the UK years ago.

I don't think the complaint is about how fancy the card is. It's about how easy it is to pay with cards. I'd say cards are much more ubiquitously accepted in the US than anywhere I've visited.

> Things like having UBER banned for example in France

You have no idea what you're speaking about, do you? Uber is not banned in France. It's being investigated for multiple suspicions of breaking the law.

> Because they show up in every page, everybody accepts the policy without questioning

Well, if people can't read a notice, I can't see how that's the fault of the EU.

> And worse for the user experience, most often the implementation of websites for those notices is dummy

So now, it's the fault of the EU regulations if websites are cheating with the law and breaking UX.

Dunno about Germany but in most Europe i lived cashless. Maybe I am misunderstanding your line about living with only a credit card.

No. You are not misunderstanding me. You are right that there are several European countries with a well spread normalization of using credit cards. In the European countries that I've spent most of my life, and which are also some of the biggest ones (Germany, France, Spain) have still IMO a poor acceptance of credit cards. -- In contrast, for example, in London you can pretty much live without cash whatsoever.

What is so bad to pay with Cash? It's anonymous and sellers don't pay extra charges to any US company (Visa, PayPal, etc.). Also most of the restaurants hide their revenues from tax authorities (it was recently in the news) - otherwise the prices will be much higher, like our neighbors have (France, Italy).

> Also most of the restaurants hide their revenues from tax authorities (it was recently in the news) - otherwise the prices will be much higher, like our neighbors have (France, Italy).

Perhaps I'm misunderstanding but are you arguing that it's good restaurants evade taxes because it keeps their prices low?

Yeah, that's not really a good point. But the other two points stand and are two very good points.

Totally legit reason in some countries. In Czech republic this became such a topic that half a year ago the government implemented a new system. Now every single payment cash or cashless has to be sent in real time to central gov server. This also means that every merchant has to have digital terminal so almost all of them accept credit cards.

Many restaurants (especially those with good service + good price) had to increase their prices a lot since then.

> Totally legit reason in some countries.

Sorry but what is a legit reason and it's a legit reason for what?

I’m with you that Cash has the benefits of anonymity and no fees. However, it’s also inconvenient, specially when you are traveling. Digital transactions are also faster. — On a side note, that’s why I’m, besides all the hype, a strong believer of cryptocurrencies.

There is also a cost involved with handling cash. I don't know exactly how those costs add up relative to other payment methods, but I do know that certainly here in Sweden more and more shops and restaurants have stopped accepting cash all together, so presumably cost is non-trivial.

> sellers don't pay extra charges to any US company (Visa, PayPal, etc.)

The EU also recently introduced and controls on credit card fees (that a merchant pays) with the aim of making it as cheap to transact as cash. That is of course only true if cash isn't being used to avoid taxation.

You can go without cash for a lot on Germany. Train tickets, groceries, cinema, restaurants, bars.. All of those and more work fine without cash (you need Maestro, but everyone has one of those).

It fails if you want to buy food in the streets maybe, not every Doner can be paid by card.

But.. that's normal and aligns with what I see here in Singapore now: Cashless, unless small food shop/hawker place or something similar.

Germany doesn't accept _credit cards_ on a large scale. It does support paying with a card made of plastic usually..

Uber is still in France. I just used them last week. If I remember correctly, most of the controversy revolved around another uber-like app which had little to no regulation.

Uber undermines local taxi businesses offering mild comfort and some wows but also no job/social security and no quality standards (like the London Knowledge for example). It outcompetes taxis by sidestepping regulations. And just like airbnb while it was meant as a means to share one's own property for extra income, that's hardly the case in reality. People use both for full time commercial activity, and they evade taxes and regulations through them.

Do you want for your bank or government to cut you off from any funds at any time?

The cookie popup is terrible, I agree.

Some pros: Being able to force social networks to provide me with a physical copy of my data is alone a reason to get an EU citizenship. I don't even use the social networks, i just demand my data every 3 months to FB, Tinder and Linkedin to punish them for being so aggressive in their spamming and tracking.

Being safe from throttling, censorship and all the nice stuff that US ISPs are going to feed american citizens with is also pretty nice.

Also very efficiently getting my money back when companies try to scam me.

Ah also no roaming across countries and having aligned ALL phone producers on the micro USB phone charger standard have been really nice news

Is that slowing the uptake of USB-C with its standardized Power Delivery fast charging?

What does Google ship with Pixels? The same USB-C fast charger and USB-C cable, then toss in a micro-USB to USB-C adapter for regulatory compliance?

My Nexus 6P (France, Dec. 2015) came with

1) USB-C fast charger

2) USB-C cable

3) USB-C to USB-A cable

No adapter whatsoever. I assume it's the exact same as anywhere in the world. Therefore it seems USB-C is considered an acceptable next standard for phone charging in the EU.

On a side-related note, I wonder why Apple was never subjected to charging standards in the EU.

It was voluntary. The EU said sort this out or we will make a standard and require it. I think iPhones did come with an adapter for the standard charger at some point.

IIRC they threatened to regulate and then manufacturers "voluntarily" agreed to use Micro-USB.

Samsung includes the micro-USB to USB-C adapter. Not sure about Google.

I'm an EU citizen and was not aware of this "demand for data" thing. What does physical copy mean? Are they going to send me 20 boxes full of papers?

You are allowed to get a request of all personal data that someone/some company has one you. So you can contact Facebook and say "Please give me a copy of all the data you hold on me" and they have to give it to you. When Max Schrems did they first, Facebook did send a CD with a ~1,000 page PDF "print out". It garnered some media attention since it shows how much they do collect on people./

The maximum they can charge is set in law and is about €5.

More details for Facebook here: http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data...

The GDPR specifically addresses only a copy of your data in a widely used digital format.

I believe in Germany you can have someone send all your private data once a year in physical copy and you only need to pay for undue transport costs.

Not physical paper, but you can download all the data they have on you at any time if you want.

Wow. What sort of data do they send?

This varies in strange ways. I dont know how facebook does this and if i could get more but i have seen facebook datasets from three people including mine.

Usualy it is all photos and vids yove uploaded, comments etc.

Mine was most complete. Including some sort of keywords tags i am interested in. Not things i followed but what fb thinks i like.

Other datasets did not include this but one included all the times someone connected to the account including IP and location.

You can do this with phone companies in Denmark, and you'll get your location history. As they are required to keep that.

I don't even understand how a cookie notice is equivalent to consent [1].

Anyone who consumed the content in this message agrees to pay this user 1 BTC

[1] https://en.wikipedia.org/wiki/HTTP_cookie#EU_cookie_directiv...

It isn't. If you look at the EU's information about it [1], you must be able to refuse processing of information that's not necessary for the functioning of the site. Virtually no site outside the EU's own ones does that. Ironically, there are some that have them even though the only cookies they use are ones that are necessary for the functioning of the site, and so are exempt.

Note that this isn't just about cookies. It's pretty much any information being sent from the user's computer or stored on the user's computer: "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller."

As far as I can tell, this is mostly because member states capitulated before online advertising exchanges (it's a directive, not a regulation, so it is implemented by member states) and allowed them to work around the clear intent of the directive.

[1] http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

Really this sounds like a situation where they're setting up a system where every actor is in violation, but there's an understanding that you won't be charged, unless someone doesn't like you.

That's worrisome when it applies to people, and I'd like to think its worrisome when applied to corporations too.

In websites using this technique, consent is not assumed until you keep browsing the website. Hence, the notice cannot be in past tense like yours :P

Shit, you got me! Post your BTC address please... :(

The cookie provision will probably be changed very soon [1]:

> Simpler rules on cookies: The so called "cookie provision", which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.


10th of Jan. 2017, and nothing has happened.

The new law comes into force in May 2018. Of course nothing has happened yet.

It's in the press release, also (see link above):

> With the presentation of the proposals today, the Commission is calling on the European Parliament and the Council to work swiftly and to ensure their smooth adoption by 25 May 2018, when the General Data Protection Regulation will enter into application. The intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.

Apparently, the cookie notice is only supposed to show up if the cookies are not related to the site’s purpose; e.g. cookies that keep you logged in or similar are perfectly fine and don’t need a warning. The issue is that every website began using cookies for tracking, so the warnings jut became noise. It’s sad: this law was reasonable, but advertisers were able to completely subvert it into an annoyance for users, and in doing so, prevented the real problem from being solved.

When I looked into the cookie stuff I came to the conclusion that you only needed consent if your cookie tracked the user (except auth cookies)

Basically everything that isn't invading their privacy requires no notice.

'Basically everything that isn't invading their privacy requires no notice.'

True, but who bothers to actually read the legislation?

Cookie law was the only major f*ck up from EU on privacy. And it will be fixed as soon as GPDR is active. On the other hand, we have many successful and useful regulations and court orders. I don't think cookie law alone is enough to discredit EU in this fight for privacy.

Their solutions are not perfect as they are the result of a multi-party compromise (as in the end, they should be). Keep in mind that the cookie law is by far the worst example, and definitely not the average.

Yes. I'm not super sure if this is privacy only. I think the cookie part is also for data protection. So that the end user could have understanding she/he is the product.

I also wonder for what some of the sites use cookies in such a way they need to ask for that "You must agree on our cookies" -consent. Since so many type of cookies are exempt from the need: user‑input cookies, authentication cookies, user‑centric security cookies, multimedia content player cookies, load‑balancing cookies, user‑interface customisation cookies, third‑party social plug‑in content‑sharing


I think the cookie warnings might do something to get the idea of a cookie in consumer's minds.

I also don't think you can think of developer time like that. Imagine how many caterers have gone into making websites work on IE6. Stuff like that happens.


> they often do so with poorly designed policies

This is often what happens when legislatures take a first swing and regulating something. That rule about "build one to throw away" is just as relevant with law as it is code.

You will have to specify if you don't like the purpose of the law or the implementation. Because the implementation isn't really up to the EU. Google could implement a http header tomorrow that complied with the law (at least as much as a notice) and would act like other ways of accessing your browser (like web camera or location). The problem is everyone would turn off the tracking, which would affect their revenue.

About cookies, maybe on some sites some developers decided not to setup a useless cookies because of that law so it could have a small impact.

I've never understood that cookie notification, there is no "I agree" so I be simply hit the popup modals x and then the back button, or sometimes if the site is particularly terrible about it. I click an ad or two

> I've never understood that cookie notification

"We are required by law to inform you that we use cookies for the nefarious purpose of tracking your online behaviour and undermining your privacy."

Hope that's clear enough now.

I'm beyond "informed" opinions, I only can offer infected ones. The cookie directive is an infuriating irritant which is completely counter-productive.

The reality is that while the EU does not like US tech companies to have user data (of Europeans), they themselves are quite happy to get and exchange that data with US and other agencies, including most importantly secret services. The exact data they don't want Whatsapp to share with Facebook is very likely in the exchanges between secret services.

I could go into a long list about the privacy restricting laws passed all over Europe, specially Britain and France. Germany is somewhat better but they are essentially fighting a flood and most politician think its far easier to go with the flow and significant measures have been adopted even there.

I am far more afraid of being arrested because I violated some EU regulation about 'hacking tools'(yes, those are iligal in Germany, whatever it means), 'drugs' or any of many other freedom restricting or plain nonsensical polices in the EU.

If I can pick who can have all my data I would pick google, facebook and so an before I would ever, ever pick the EU (or most states). Mostly because google and facebook have little interest or care about my political views, my consumption habits or who I am sleeping with and who I associate with, unless it is to offer me deals to get these things easier.

While I know for sure that I am indexed on many list from the government about a potential problem because I was at Snowden and other political lectures and events that explained what happened when the state became angry at you. There are no lecture by people who hide out in Russia unable to see their family becase of google evil data collection.

The EU on the other hand seem very interested in pretty much every single aspect on my live and and am actively in violation to lots of these 'laws' already, indeed most people are. Not to mention that they have a continent wide security service, special forces, many spy agencies and large armies.

A further point relates to the problem that once states gain such control of how any company deals with data it is not gone be long before all companies are legally required to give standard access to all this data (a view already expressed by many, many politicians, police union chiefs and burocrates on al level all over Europe).

So I'm sorry I can't join your positivism about good guy Europe finally going after evil US cooperation (who have given me free services for pretty much my whole live, not to mention lots of Open Source code that I literally use every day).

> Not to mention that they have a continent wide security service, special forces, many spy agencies and large armies.

The EU has no special forces, spy agencies, or army. Let alone a large one. Yes: the EU's member states have armies. But so do the member states of the CERN cooperation. That doesn't mean it's a particle accelerator with an air force.

Nor does the EU have any impact on criminal law, so you won't be arrested for anything anytime soon.

It is also a myth that EU enforcement of privacy rights (or antitrust laws) is used for protectionism. The number and sums of fines levied on companies from the EU/US/Asia, for example, closely track each country/regions economic activity in the EU. If anything, EU and Asian companies are hit more often than their US counterparts–possibly because the US actually has rather high standards for corporate governance.

> A further point relates to the problem that once states gain such control of how any company deals with data it is not gone be long before all companies are legally required to give standard access to all this data

Stuff like this is purely conspiratorial. And it doesn't even make sense: If there's a "you must share user data with the government"-law in the making, how do privacy rules make it easier to pass today than at any point in the past? With privacy coming up in the news any time the EU picks a fight with one of these companies, it seems as if their actions would only serve to educate the public about the value of privacy. And would such rules not actually lessen the value of the data amassed by companies, making it less useful to gain access?

> a view already expressed by many, many politicians

Hi there, Mr. President!

The EU is of course a massivly complex beast and to talk about these issues in a hacker news comment I had to simplyfy.

While its correct that the EU does not have these things, even if they want to have them. The agreements for information exchange and other programs alonge these lines do get negotiated above the state-to-state level and the EU is absolutly involved.

Second, privacy laws that pass on the EU level are required to be implemented by memeber states.

Preventative saving of connection metadate is an example where germany had to pay fines to the EU because they did not comply (I can give more resources if you want). This caused the issue to come back again and again in Germany because compliance with EU level rules is a major political goal of many parties.

So yes, the EU is not yet as powerful as I made out. But the agreements between the member state make compliance to a common framework far more likely.

> It is also a myth that EU enforcement of privacy rights (or antitrust laws) is used for protectionism.

Your arguments don't confine me. Just because the EU also goes after its own cooperation very often as well, does not mean that all of these actions have the same motivation.

You can go and read in detail about how large media groups tried to use EU regulation against google, specifically google indexing of their results. They advanced HIGHLY privacy threading solutions and a large number of politicians go on board of of the anti-google train.

This is well documented in the German hacker community, there are lots of talks, podcast, write ups about this and other issues like it.

Now you can argue that the politicians were just good willed Samaritans but if you choice to believe that we don't really have to argue anymore.

> Stuff like this is purely conspiratorial. And it doesn't even make sense: If there's a "you must share user data with the government"-law in the making, how do privacy rules make it easier to pass today than at any point in the past?

You think regulation of internal company data usage of a foreign cooperation does not serve as precedence for further regulation about usage and law applying to that exact same data?

Again, this sort of things have been document again and again. The government starts collecting data for one reason, promising it will not be used for other things. Once it is established and the data exists, political pressure mounts because everybody wants it.

If the EU/France government has exact information and monitoring ability of all Facebook internal data movement, it will make it far more likely that will go further. That is simply public choice theory. Also, again, there are lots of examples, this is exactly what happened with the Maut system in Germany.

> With privacy coming up in the news any time the EU picks a fight with one of these companies, it seems as if their actions would only serve to educate the public about the value of privacy. And would such rules not actually lessen the value of the data amassed by companies, making it less useful to gain access?

The value lots is a far, far less then what you assume. These news are bigger in our bubble, most people in most of Europe know absolutely nothing about these data regulations and they don't know that France is trying to do anything. Even if they did, it would have no impact on the profit of google or Facebook. They have been in the news about these issues over and over again and there is absolutely no long term impact on their stock prices.

tl:dr; There are examples of all these mechanism in the EU and between the EU and members

This post is more reasonable than your previous one, but it doesn't add much meat to your initial thesis.

Initially you seemed to be objecting to the EU's privacy actions against private companies such as Facebook, based on what appeared to be the idea that it's hypocritical for the EU to do so while invading privacy themselves. You also suggested that EU privacy rules are drawn as part of a strategy to make it easier to get access to such data themselves.

I still fail to see any mechanism for these arguments to work: It's perfectly possible that the EU takes a hard line of private company's use of data with purely good intentions, while not living up to those standards themselves. That is, in fact, what Occam's Razor would suggest, considering we all see our use of user data as benign, at least in comparison to others'.

I still disagree with the idea that the EU itself is a bad actor with regards to private data. Conflating legislation in member states in your criticism only serves Anti-EU populism, when the EU has in reality been a force for citizens' right across the continent.

To use your own example: the EU's Data Retention Directive was actually invalidated by the European Court of Justice in 2013: https://en.wikipedia.org/wiki/Data_Retention_Directive. In the course of that case, it also established "that general and blanket data retention is no longer possible".

This has a lasting effect on efforts in member states to create their own data retention laws. Quote: In a television interview, the EU Advocate General Pedro Cruz Villalón highlighted the risk that the retained data might be used illegally in ways that are "potentially detrimental to privacy or, more broadly, fraudulent or even malicious".

As to the second point, namely that action on private data collection somehow makes it easier for governments to access such data, you fail to give a mechanism for this process, as well.

Yes, the toll-road example shows that any collection of data will sooner or later attract the attention of, for example, law enforcement. But how does action against WhatsApp/Facebook make any efforts to access WhatsApp/Facebook data easier? Everyone already knows that Facebook's data is incredibly valuable for law enforcement, yet also sensitive. Law enforcement agencies have for years accessed that data via court orders.

Toll Collect happens to be a great example showing that the best way to keep law enforcements' grubby hands off our data is to never collect such data in the first place. That's something called "data minimisation", and it's the cornerstone of the EU's privacy directive, and also at the heart of this WhatsApp/FB action.

The EU does not run a secret service or regulate the secret services of its member countries. You seem to be conflating EU trade policies and consumer protection, which is what's being discussed here, with the lack of consistency between whatever the EU is doing and what some European member countries are doing.

Technically that is correct, but many of the agreements are handled not individually between countries. So the EU does act as important structure around these issues.

Also there is ongoing effort to make many of these laws standard for the whole EU. For example, the saving of all phone and internet metadate for multible month is now mandetory for all EU states.

In germany the suprme court shut the initiative down and germany had to pay fines to the EU. Last I remembered this idea has come back in germany and all the fight german hackers (CCC) and co have put up did not work.

There is a large number of things here, and many have long lectures add Chaos Communication Congress during the last 10 years.

A lot of privacy protection has been thrown overboard in the name of the fight against terrorism here in the EU.

We've given all that up in the USA with the Patriot Act, though it sounds like the NSA stopped collecting everything in the last couple of years, it's trivial to get a court order to enable it for any individual. The pretension of the FISA court is transparent. https://www.npr.org/2013/06/13/191226106/fisa-court-appears-...

French security laws make the PATRIOT Act look like a toy.

Isn't your best choice when it comes to privacy to choose which services to use and which ones not to use, rather than relying on your government dictate rules they don't fully understand to companies which may put their entire business at risk?

In other words, in terms of things you care about absolute data privacy may be #1 on your list, others may be willing to accept less privacy for an internet that can continue to exist on an ad supported business model. Why should you have your way (enforced by the government) and others not get their way. We already have strong disclosure laws in both the US and Europe about data use, and at the end of the day it's your choice.

As an individual who is concerned about their own privacy facing corporations with terabites of information, how can you hope finding out what happened to your data without gaining leverage through the government?

Read the Privacy Policy where in the US and EU companies are required by law to say how they're using your data.

So, relying on governments to dictate rules to protect us, in other words.

Disclosure laws impose minimum negative effects on the end-businesses that are required to provide them, while being simultaneously beneficial for consumers. I think they are a good balance and end up being a net positive for society.

A strictly libertarian viewpoint would say that no disclosure should be required and you should just choose to avoid any service that doesn't provide full disclosure. After all, it's their right to not provide that information to you and it's your right to not use that service as a result.

It's not as simple as choosing which service not to use - for example, people who have your details in their address book might inadvertently leak your data without your knowledge.

So while I agree that people should be free to trade privacy for other things like getting a free service, I do wish there are stronger regulations to protect people who choose to opt out. And better transparency on how your data is being used.

That argument basically distills to: someone I have a contract with might break the contract, so I think the government should either prevent them from creating that contract or should actively audit that the party I want to do a deal with is fulfilling their end of the deal. Why should this be the responsibility of legislators ex ante rather than the responsibility of the court system ex post facto?

You're suggesting a free market approach. "Just don't use the service if you don't like the terms". That's fine. But there should be limitations on what people can sign away. You cannot agree to work for below minimum wage, and you cannot sell yourself into slavery, and you cannot sign away your personal data rights.

Please define "personal data rights". Should Best Buy not be allowed to know that you shop there and send you targeted offers based on what you've bought in the past? Should a group of department stores not be allowed to share anonymized customer purchasing data with each other? Why should this one particular thing be banned and enforced (by force) on businesses by the government? Is it actively harming society? If so, how?

Not much they can do against tech behemoths based in the US though. They can stop them from gathering EU citizen data, or at least approve laws that try to stop them but who knows what is really happening behind the scenes.

As the article says, under GDPR (coming in mid-2018) they will be able to fine 4% of global revenue, or 20m EUR, whichever is larger [1]. I'm not certain that this particular case is covered by the GDPR, but if it is, then that will compel action.

If Facebook declines to pay these fines, then presumably their execs would be arrested if they ever travelled anywhere in the EU.

While FB can claim that it “is only subject to the legislation of [the US].”, that is obviously not the case, and once the EU regulators gain their teeth, I'm sure we'll see FB change their tune.

[1]: https://www.eugdpr.org/key-changes.html

Or you'll see FB/others decide the EU isn't worth it over time.

It's interesting how many people here believe that there is no other possibility other than "we get what we want to happen".

Your faith is, IMHO, misplaced. There are many cases in history where other companies decided it wasn't worth the cost of doing business in certain countries.

Or they just successfully coopted the governments!

Honestly, I believe that the market is big enough to make it worth it anyway. But if they decide to leave, that could be a win-win. "Worst" case scenario, some EU-based company replace them and becomes a tech giant. I mean, look at Yandex or VK in Russia.

Facebook (the website) is not rocket science. As for Google, replacing it could take time, but in the long run it's good to destroy their monopoly in Europe.

> Honestly, I believe that the market is big enough to make it worth it anyway.

Not for some of us just starting our companies. "Worst" case scenario is smaller players that would otherwise play globally will now not play in the EU market.

I was told the other day, "don't worry about it if you don't have sensitive data." That misunderstands risk management. I have plenty of customer potential on this side of the pond, why even risk it until I am large and have saturated my pool? I plan on handling my data completely within the spirit of that law, I just don't want to risk it. Seems on risk alone, others will have to make the same decision as me. We're not losing out really (we can only grow so fast) but those in the EU that might want access to the global market, big or small, might be.

If smaller players do not want to comply with EU regulations, it's fine with me (I hope I got your point, but I'm not sure). If you want to do business in a place, you have to follow the local regulations. I don't see the problem there.

I get that regulations make it more difficult for companies to enter a market, but if that means more protection for the user privacy (in this specific case), I cannot see how that could be a problem.

The fact that the EU might have more data protection than, say, the US, could also be an added value to a service. Case in point: protonmail. It's not EU-based, but they use Swiss privacy regulations as a selling point. Some people are willing to pay more for that.

Google handles 500 000 deletion requests per year [1][2]. But can DuckDuckGo ? This kills every google competitior startup right on spot.

Anyone who thinks RTBF wont create internet graveyard is delusional. GDPR needs to explicitly exempt legally-obtained/user-submitted public PII ASAP.

[1] https://transparencyreport.google.com/eu-privacy/overview

[2] Which is obviously very low number. Imagine GDPR for 7 billion people.

I think the point that the GP post is making (which I agree with) is not to complain about the burden of complying with local regs, but to point out that consumers in the EU are going to miss out if small companies don't offer their services there due to regulatory concerns.

> I cannot see how that could be a problem.

This is a cost/benefit calculation, but not an easy one. In general a given set of regulations will have both costs to the consumer such as reduced choice and increased prices (due to regulatory costs being passed through), and benefits such as better protection of personal information in this case.

Now, the fact that users in the EU seem to currently be supportive of these regulations suggests that they are willing to pay that cost to get that benefit. And that's their decision!

But consider the scenario where this trend carries on, and startups are increasingly not able to get a toehold due to incredibly high compliance costs. That could stifle the economic development in the EU, and lead to further concentration of power as only large companies can afford to pay the lawyer bills to meet the regulations.

> I think the point that the GP post is making [...]

Yup, that was the point.

> And that's their decision

Some at least. It's modern European federalism. The same people that the lawmakers believe aren't able to make their own decisions about which services are good or bad for them are, yet, able to determine that these regulations will be beneficial.

> The same people that the lawmakers believe aren't able to make their own decisions about which services are good or bad for them are, yet, able to determine that these regulations will be beneficial.

That's a valid argument in a perfectly transparent world with even negotiating power. But companies are opaque or change their handling of data (that one is the basis of this story!) and there's a race to the bottom where most options are severely lacking in privacy.

And these regulations are a very minor impingement on free contract-making. You can still give up privacy, you just can't give it up irrevocably.

Even negotiating power would be a valid argument in a perfectly regulated world. But governments, often with good intentions, improperly or overly regulate many times only stifling us small guys and often not even knowing it (it's hard to quantify).

> And these regulations are a very minor impingement on free contract-making

Agreed, but it's a question of cost vs benefit. They may not be a minor impingement on smaller companies and consumer choice and may make minimal impact anyways. I think we can all see that, if the law is evenly applied, smaller companies stand to lose most. Granted, the EU tends to subjectively choose when to bring the hammer down and it's mostly on larger companies. But it's still not worth the risk.

I don't understand what noticeable burden there is here, especially compared to the actual risk of all this data.

Article 83, paragraph 5 says I can be fined 20 mil EUR (or 4% of revenue, whichever is greater...so 20 mil would be the number for me). You might say, "well don't break the law" (like that's an excuse for punishments some types of companies can afford and others can't) or "no, that's only for big companies" (like it's ok to rely on subjective enforcement). I'd rather just not risk going bankrupt or prevent myself from doing business in the EU until I'm big enough to handle that.

> All this data

What, from my two large customers? So EU says I violated article 5 and the personal data wasn't "processed lawfully, fairly and in a transparent manner in relation to the data subject". Ug, such subjectivity. It is so sad to see so many people want solutions to these problems that they assume the GPDR is it. I can't do business there just praying I don't misstep and go bankrupt or subjecting myself to the whims of these loaded terms like "transparency" until I am large enough to absorb the blow.

I get your point, but say you were selling food instead of services. It's on you to make sure that what you are importing doesn't break any rule (GMO, other stuff, etc...).

I think it's fair. You shouldn't break the law. That regulation may be overkill in terms of punishment, but that doesn't mean that the regulation itself is wrong. Laws are imperfect. Regulations exist in every industry and there's a reason for that. Over regulating is a burden for a business, but under regulating is bad for customers (or the environment, or whatever).

Yeah, we already saw how that went on China [1].

The reality is, no board will in any circumstance quit doing business in the largest economic area in the world by far [2], at least if they want to keep their job. Thinking otherwise is just naïve, I'm afraid.

In fact, my impression is that these policies encourage all involved actors into developing a better business model that can accommodate different sensibilities, and hopefully explore new revenue sources. I'm sure something good will come out out of this for FB and the rest of data moguls. The 'we sell your privacy for peanuts' is a rat race no matter how you look at it, and it is in fact slowly declining for everything but mobile according to some [3].

[1] https://www.nytimes.com/2017/12/13/business/google-ai-china....

[2] http://ec.europa.eu/trade/policy/eu-position-in-world-trade/

[3] http://www.businessinsider.com/online-ads-revenues-going-to-...

>Yeah, we already saw how that went on China [1].

I don't really see how this is comparable. Google has had a subset of things available in China forever (translate, as a clear example), and interacts with China for certain things (AlphaGo). That doesn't change the fact that none of its "moneymaker" consumer products have operated there for years.

If Facebook decides the EU isn't worth its time, it leaves the door wide open for competitors to use the EU as a springboard, the way Chinese companies are doing in China. It's a very dangerous situation for them even if you ignore the vast lost market opportunities.

Are you mad? Miss out on a market of 740+ million of the world's richest consumers, twice the size of the US, the bulk of the western world and most of the developed economies on the planet??

No, that's absolutely not going to happen.

Additionally, they'd never risk withdrawing from a market and letting a local competitor develop, take hold, expand, and attack them on home turf. Look at social networks and search engines in China.

EDIT: I see you are fairly highly placed in Google. I'm quite surprised if you genuinely think what you wrote, given the raw numbers you must surely know, but given your legal training, I am not at all surprised that you would posture as if you were unaware of this.

"EDIT: I see you are fairly highly placed in Google. I'm quite surprised if you genuinely think what you wrote, given the raw numbers you must surely know, but given your legal training, I am not at all surprised that you would posture as if you were unaware of this."

Character assassination, awesome!

Please leave the company i work for this out of this, always. I never speak for my company on hacker news unless i say otherwise. I've been very clear and consistent about that. Thanks!

However, given the personal attack, i'm done. This kind of stupid bullshit is one reason i've stopped contributing as much lately.

It's nice for you to present your opinion as if it was the only true possibility and everyone else is an idiot. It's not, however, a great way to foster a discussion. Tacking on a personal attack makes it even more welcoming.

I'm going to write in good faith, I hope to be read as such.

Firstly, you have not responded at all to my comment on your comment. A sensible and worthwhile discussion may come out of addressing those observations.

Secondly, crimes are in the eye of the judge, but as the accused perpetrator holding my own council, referring to your role in Google and your legal training was a kind of awe. I am a game theorist (the bridge between my applied mathematics and macroeconomics careers) and so I am well aware of the importance of signalling and posturing. I fully expect that a lawyer, schooled and practiced in the manner of approaching a debate, is equally attuned to how what is said and what is not said. The game theorist in me saw something closely resembling strategic pre-positioning, and entirely without second aims, I called it out for what it looked like. That is not character assassination (in my eyes) but just a tiny bit of critical reading of your prose.

If you really want your employer to be left out of this, you can signal that to us all by removing any references to Google on your (already impressive) profile. Or perhaps leave the reference to Google but also ad something to the effect of “leave my employer out of this".

Anyway, returning to the main argument: I doubt any internet behemoth can afford to pull out of the EU and lose access to 740 million affluent consumers because they'd instantly lose revenue that would ruin their bottom line while also giving local European companies a neo terra nullis to develop their products experimenting on their captive audience until they are ready to take the fight back to the behemoths’ home turf.

The internet blue-chips hate being excluded from anywhere because whenever they are excluded from somewhere their revenue drops and some new competitor starts to simmer.

I'm just here to say I love your HN comments and that your contributions are really appreciated, you're one of my favourite commenters. I even subscribe to your comments on RSS (along with other commenters) so I don't miss any.

Haters are disproportionately represented in replies.

> Please leave the company i work for this out of this, always.

I have no side in this debate, and I’m sure you already realize this, but having the company you work for (especially when you are at a higher than IC level) is the surest way for people to not do that.

This is probably the best way to prove his point for the record.

I'm okay if they, or anyone, thinks i "lost" or if makes them feel like their view is correct. That's always one of the possible consequences of doing what i did.

Plenty of folks on HN know i'm happy to participate, even in contentious topics.

I can get that kind of 'discussion' on Reddit. (IE Where the response would be someone pointing out that claiming someone else is posturing is itself posturing, etc).

Meanwhile, i'll stick to HN discussions with people who assume good faith and actually want to talk about the topic. When that stops being a possibility, i'll delete my account and go do something else with the time.

It’s probably my fault for adding the EDIT and providing the room to claim a personal attack. Still, it was a disappointing exchange.

That wasn't a character assassination. However, it's a very convenient cop-out for you to duck out of the discussion. Kindest regards, farewell.

"That wasn't a character assassination."

It quite literally was (ie it's literally dictionary definition character assassination), and if you don't understand that, i'm not sure what to tell you

"However, it's a very convenient cop-out for you to duck out of the discussion. "

So, just to get this straight, your way of having a "discussion" is:

1. slag on someone's character and background for no reason.

2. drag irrelevant stuff into the mix.

3. Cast aspersions on their motivations for refusing to participate as a result.

Yes, if that's how you have "discussions", please, feel free to keep me the hell out of them.

I've participated in plenty contentious discussions on HN with actually civil people.

I'm sure you're correct that there is a price that FB/others would not be willing to pay to stay in the EU. It's a valid concern for consumers in that region, and it's one that I suspect isn't discussed enough when privacy advocates cheer on the EU's increased requirements in this area.

I'd be very surprised if the case described in the OP was the last straw for FB in the EU though. By "change their tune" I really just meant that they will have to take another position than "your laws don't apply to us even though we do business in the EU". Exiting the EU would also be a change of tune as well!

(I don't have any numbers here, and would be interested in your thoughts, but I'd be very surprised if regulatory compliance was eating as much as 10% of FB's profit in the EU. I'd guess it's more like 1%. But that's just shooting from the hip based on my experience in a more regulated space than FB's. I'd expect FB to remain in the EU until regulatory costs made it unprofitable; it would seem hard to justify any other approach to their shareholders.)

Yes, it's possible that FB will abandon the EU market, but the EU is large, and I'm sure they get a lot of revenue from EU adverts.

If they turn off access for the EU, then many people will try to produce a new social network that can play by EU rules. You already know the features that are needed, just look at what FB does now. Social networks are very suspectible to the network effect. This/these new companies will be able to operate in the USA and EU, whereas facebook chooses to avoid EU. So what happens when there is another social network that's about as big as Facebook? Is that a good move for FB?

I am skeptical. FB desperately wants to get into China, which seems way worse than the EU.

> If Facebook declines to pay these fines, then presumably their execs would be arrested if they ever travelled anywhere in the EU.

Facebook Ireland Ltd is a company in Ireland (an EU member). Every FB user outside the US & Canada has a legal agreement with them. I don't know who you pay when an EU entity buys adverts on FB, but if it's to FB Ireland Ltd, then there's the money you take. FB also has offices all over the EU. That's the property you sieze and charge.

Or any of their assets or revenue in EU may end up getting seized.

I believe if EU's laws are widely publicized and proved to be useful in EU countries, then there can be enough political pressure in the US.

A tangential, but political relevant point: tech companies are in a particularly bad spot in the US because they are hated by both sides; republicans hate them because they are perceived as having liberal bias while democrats hate them because of tax avoidance, worsening inequality, job losses due to automation etc. So a political action against them would be easier to pull off compared to some other sectors like energy or finance.

> I believe if EU's laws are widely publicized and proved to be useful in EU countries, then there can be enough political pressure in the US.

Worked for universal healthcare, right?

If universal healthcare had not worked in other countries, US wouldn't even have received Obamacare. The fact that other OECD countries have good healthcare systems means you have a significant chunk of population who clamors for a better system here and who stops politicians from gutting what we already have. I say wait for 10-15 more years and we will get universal healthcare in the US.

I get the feeling that the perception of tech companies as being evil/hated is overblown. Link to a tweet with one survey that supports my claim. https://twitter.com/mattyglesias/status/942468649390100481

I agree. I think the distaste is more concentrated among tech circles itself.

Whether this is jealousy, or its because people in Tech understand better the power, control and knowledge these companies have than the regular joe is something that isn’t clear to me.

This is just protectionism at its finest. You better don’t think that would happen if FB was a french company. The industrial-governmental-complex is stronger in France than anywhere else in the western world.

We hear this argument over and over again. See, they want Apple and Starbucks to pay taxes despite special arrangements because protectionism. Guess what, they are now going after Ikea, a large company from the European Union.

CNBC compiled a lost of fines handed out by the EU and some of the largest ones concern companies from the EU:


The argument was about French companies, not EU companies. Ideally, you would demonstrate France making a regular fuss against French companies, not a single EU company; however, maybe that's difficult due to the legal arrangement between France and the EU?

For starters, in general the privacy laws of EU and it's member countries have significantly different rules for information stored in the country, versus outside of the country.

Part of the reason you will mostly hear of companies outside France running afoul of the rules, is that companies that is incorporated outside French jurisdiction is generally out of reach of French authority, and they try get away with ignoring them.

In the case with Facebook described in the article, Facebook refuse to even provide samples of what data they send, stating that they consider themselves not bound by French law and EU rules, but only by US rules.

French companies are more unlikely to get into that situation in the first hand, as if they would break data protection laws and ignore legal requests for information, the police could (potentially) walk in one day, only to walk out with all your storage arrays.

Given the history of Europe, it's almost certainly not all about protectionism, and part of it might also be about a different kind of protectionism then economic.

As the US election seems to show, availability of mass amounts of personal information can be a threath to democratic process itself, and Europe has seen information turned into weapons of population control long before internet was a thing, and the democracy we have is at the cost of tremendous amounts of blood and death.

Sure, having the information only available within a country doesn't negate the risk for that country, but it helps reduce it for all other. Privacy laws help ensure democratic processed is not as easily hijacked by either foreign states, or multinationals.

That seems reasonable - as long as the US maintains its protectionist stance of not letting people born in France compete for jobs on a level playing field with people born in the US, why should France allow employers in the US to compete on a level playing field with employers in France?

(Are you counting protectionist immigration laws as part of countries' industrial-governmental complexes?)

But that goes both ways: It's no easier for an American to move to and work in France than for a Frenchman to do so in the US. There are plenty of Americans who would love to make the move - to gain quality of life at the expense of a big chunk of their salary - if it weren't for immigration restrictions. A fairer comparison would ask whether the US government has taken any actions against European companies operating in the US similar to those enacted or threatened by Europe against Microsoft, Google, Facebook.

This was my experience when I looked into moving to France from the US a few years ago. I agree with your conclusion as well--this comparison is not a good one.

I would argue that immigration laws are not strictly economic or commercial policies. You’re drawing a false equivalence.

I could be reading it wrong, but your post came across as overly combative and an appeal to whataboutism.

I'd say both are protectionist and both are wrong. My interpretation of your parent was simply that it is protectionist of France to be doing this (and I'd argue that makes it as wrong as the American protectionism that you brought up).

Is it protectionist to ask US companies to pay tax and abide by our laws. Perhaps you could provide us with examples of French companies operating in the US that are breaking the law, not paying tax and getting away with it? Could I start a US chain of Jimnotgyms tomorrow and avoid tax by a dodgy brand license deal? I don't think so.

US tech companies (and in many cases the US government) have been operating as if the national laws of the rest of the world are sub-ordinate to theirs, or just in the way. Succesive UK governments have turned a blind eye due to the Special Relationship. However things are starting to catch up in the EU. There has been a distinct change in opinion towards the US in Europe I have detected. Bush jnr made the US look sub-intellectual, Obama made it seem inward-looking. I don't know anyone in Europe who thinks Trump is anything more than a deeply cynical character. People don't see the US as the land of opportunity and commerce anymore. They see it as self-serving and insular.

Great empires all come to an end. It takes time, but this one is in decline.

European companies know the rules and grow with these restrictions from the start.

FB wouldn’t have grown (that way) in France in the first place.

This is probably true, but you may see it another way: the fact that FB isn't french makes it possible for french to get proper legislation, because it makes our government free of all economical or job pressure.

Also, I don't agree with the protectionism part. We (unfortunately) don't even have the beginning of a french competitor to facebook or whatsapp, even in the whole Europe. So asking whatsapp to comply can not possibly be seen as a way to favor the local brands. In that sense, it's completely different from what China is doing in the field.

Edit: ironicaly, the fact that FB doesn't pay any tax in France also makes our government 100% free of all pressure :D

> the fact that FB isn't french makes it possible for french to get proper legislation

After watching that recent video by TechAltar where he speaks about the EU not having a lot of tech companies, I was feeling a bit low. But your point actually makes sense, and makes me think that perhaps it's for the best since the EU will actually have the political means to reign in big tech. companies - basically the big oil of this age.

> if FB was a french company

Let’s be honest, Facebook would have never had a chance as a French company.

This is no surprise. France once banned the importation of Japanese cars back in the '80s.

And yet, we (EU) have lost Net Neutrality before the US. It was shoehorned into the bill that ends roaming charges[1].

I’d be remiss not to mention it saddens me that every time the US has faced internet-related difficulties (SOPA, PIPA, this latest FCC decision), I’ve seen multiple Europeans making noise in support, yet I haven’t observed the reverse to be true at all. In our own fight for Net Neutrality or against the VAT reform that hurts mostly small business, what I saw from the US was crickets.

I agree with you that the EU is better than the US on these types of issues, but with every threat it faces, I see less results.

[1]: Which I appreciate and have taken good advantage of already, but would gladly give up for Net Neutrality.

Seems a German minister is not entirely on board with privacy. https://www.bleepingcomputer.com/news/government/germany-pre...

He is a nutjob, always has been. And part of the stupidity seems to come with his job: Everyone sitting in that chair seems to believe that crime has to be reduced before all.

He asking for random access to every device is like the minister of agriculture asking for stable and higher milk prices. Expected.

He's unfortunately not just sputtering what he wants, he also wants stupid and dangerous things and likes to play the "think of the children" (his predecessor really liked that one), "fight the terrorism" cards.

Every country has loonies.

The surprising part here is that every minister in that position started to spout the exact same nonsense, regardless of his party association. I really wonder how that is even possible.

I wish we would get a true liberal in that position soon, but our liberals are more concerned with deregulating companies than with citizen's rights.

Yeah lobbyists haven't entirely cracked EU parliament yet. Its made up of people from 27 countries from god knows how many different parties. Difficult to bribe efficiently.

The US is a lot easier, a two party system is heaven for corruption.

More and more the US resembles the wild west where only the fittest survive and how fit you are depends heavily on the success of your parents and the financial circumstances you were born into.

I liken it to capitalism 2.0 or a new form of corrupted monarchy where the 1% of royalty will protect their castles by slowly diminishing the power of the population’s representative government.

In China there seems to be at least some anxiety amongst the wealthy that the Comunist party’s eye of Sauron might gaze upon you and your life tossed into the flaming lava as it’s harder for a system without elections to be corrupted by lobbyists.

In the US the big money interests are supremely defiant.

Europe still scarred by the wars seems to understand the need for opportunity and decency on a much deeper level.

The US could be very well in on it. What if US companies could use the NSA data for business benefits? And that happened. The EU needs to stop seeing the US as its ally, and protect itself adequately. GDPR is one step in the right direction.

Legislative solutions are always bad.

What is needed is simply competition and for people who care about the things you care about to have influence among end user communities.

I value freedom more than privacy. I choose what to share and what to not share.

That is how free market works: everyone is free to collect and trade personal data.

I’ve noticed the data sharing between Instagram and Facebook, and purely as a user, it has been an annoyance so far.

I had been cultivating the two as separate networks, to avoid the algorithm’s tunnel vision and interact with a wider circle of people. I never linked my IG and FB accounts together. I use both of them for my business as an artist, and have thousands of people that I’ve never met on both. On instagram, they started emphasizing the posts of people I had recently interacted with on Facebook, and vice versa. Presumably, the algo does this because it deduced I’m particularly interested in those people. It’s an incorrect guess and is actually the opposite of what I’m trying to achieve by using the two apps.

When Instagram was purchased, I presumed that Facebook was going to slowly turning into Facebook and ruin it. It’s a typical story – a new product comes up that is successful or special for reasons that a large company can’t understand, and since they didn’t understand it enough to create it, once they own it, they can’t continue the recipe. Filtering the feed, ads, video, the snapchat copy, messaging... Turning Instagram into an extension of the Facebook network actually makes it a lot less useful. Once my parents are posting on there, I’m done.

A similar thing happened when Google+ tried to link accounts with YouTube, etc.

When will companies figure out that a brand has value by itself and should not be auto-merged with the rest of the universe?

It just makes me want to avoid doing pretty much anything, for fear of the next purchase out of my control just mixing things together.

» The CNIL said it had repeatedly asked WhatsApp to provide a sample of French users’ data transferred to Facebook but the company had explained it could not do so as it is located in the United States and “it considers that it is only subject to the legislation of this country.” «

That's a very interesting quote from Facebook, and explains why the GDPR has a special section explaining that it also applies to foreign companies that process data of EU citizen.

In general, Facebook is trying to set a dangerous precedent here. A company operating in our countries, taking our data, owning property in our countries, having employees in our countries, owning critical infrastructure in our countries (WhatsApp has basically replaced SMS and other messaging infrastructure), yet refusing to acknowledge the laws of the countries they operate in.

Don’t understand the downvote you’re facing. Whatsapp is operating in France so it must comply with the ruling here. Moreover the fact that they hide from the CNIL the data they are sharing probably mean they do not comply to the regulations (which are here to protect people). Too bad the sanctions are not dissuasive enough to force compliance. Politicians are allowing this situation from too long (same with taxes avoidance schemes).

It will be nightmare if you have to comply to every laws of a country just because you have users in it.

It's not a nightmare, it's a responsibility towards the people who use your product, and the society that allows you to gain wealth from such usage.

If you want to simplify the system, lobby for multiple nations to adopt a good standard, or move on.

So, are you going to report NK users to them if you host dissident contents? You have to comply to your local laws, not foreign laws.

You have a choice of not offering your services in these countries.

This isn't even a law, it's an order.

Don't want to comply? Don't accept users from that country. That's the reality of a multi-national...

After all this hypocrite talk about net neutrality, it's suddenly okay to block users based on their country?

What does net neutrality have to do that? That talk is about the role ISPs play on the Internet, and whether practices like zero-rating and shaping based on source and preferring your own services should be allowed.

Yes, if you want to provide services on the Internet and don't want to comply with the laws of some countries, then you have to make sure you don't provide services to those users.

You see it all the time in copyright related situations, where companies lack the rights to distribute something in certain countries -- so, Spotify doesn't work in every country, for example. Neither does Amazon Prime Video. Netflix has a different selection in each country it operates in, and is also not available in every country.

What's the difference?

It's pretty much like this for every country, Whatsapp can always set app to be not available for some countries if they are not happy with the local laws.

What's the alternative? You comply with the laws in your country of choice?

Comply with the laws where you based at. Other countries can't enforce their laws just because you communicate with their residents.

Well, that's not true - they certainly can, and (as in this case) are going to, the EU GDPR restrictions on personal data privacy (starting from May 2018) will affect many, many non-EU companies, starting from the largest global ones.

Perhaps you meant to say that other countries shouldn't enforce their laws just because you communicate with their residents?

It would be a nightmare to comply with the laws of a country I am visiting

> WhatsApp has basically replaced SMS and other messaging infrastructure

That's especially true here in Spain where SMS prices dropped long after 3G appeared. There's even road/trafic signs showing Whatsapp's dominance.



> the GDPR has a special section explaining that it also applies to foreign companies that process data of EU citizen

Is such a clause enforceable and/or valid? How could the EU punish a non-EU business for violating this? I guess they could block/get an injunction against them within the EU, but that seems like the sort of thing that would get challenged legally.

There is nothing that would stop this legally (what authority should hinder them?). Things that can be enforced are only limited by practicality.

Any non-EU business worth enforcing such a law against will very likely do business inside the EU (e.g. selling ads to local companies). Any money transferred can then be froozen to enforce this law.

Facebook in particular does business as an Irish company for its EU users, so no problem at all here.

So, if you sell products or services in China, you have to comply to all China regulations, not just exports? That doesn't make any sense.

That’s exactly what is happening: Windows 10 "China Edition" or some moves from Apple to comply with Chinese regulations for example.

Respecting local regulations is not a mind blowing fact. A foreign company cannot sell heroin in the USA under the pretext it is legal in their country.

So you mean I can't use <insert shitty country>'s child pornography app in the US?

I know it's an extreme case, but yeah, of course countries expect people who do business in them to respect their laws.

That is the way it currently works, yes. If your foreign web service is not approved by the Chinese government, it will most likely be blocked in China.

Why shouldn't it be valid? As a European accessing US servers I also have to comply to US anti-hacking laws. The only limit is enforceability.

It looks to be the same situation with Apple's Irish Taxes, finally Apple had to comply.

> taking our data

Hang on. You're GIVING it the data. People want "free" services, so I'm genuinely curious what people actually expect is going to happen when they use WhatsApp. Is it just something provided benevolently? How does WhatsApp make money? Are people really so ignorant to think that they can get a free lunch?

There's an implied quid pro quo -- you use a free service in exchange for providing data used to sell you products from advertisers.

You want to protect your privacy? Stop using so-called "free" services where you are the product.

Why should this even need regulation? People are making a choice to use Facebook/WA when they could be using conventional SMS or iMessage. But they get mad about paying for SMS -- so they trade privacy for "free." That's on the user. Who's supposed to pay for WhatsApp to run? Other than the early days when people paid $1/€1, it's free to users. Who pays for it?

> having employees in our countries

So providing jobs is a bad thing? What's the unemployment rate in France? It's over 10%. It seems like FB/etc. are actually providing a benefit to the country. Those employees also pay taxes, and buy stuff, thus benefiting the economy. You should be glad they have employees in those countries. I'm sure the employees are glad to have a job!

> owning property in our countries

And paying property tax. And making improvements. And attracting further economic development.

> owning critical infrastructure in our countries

?? They don't own the phone companies -- it's people's choice to not use conventional SMS, but conventional SMS and phone lines still exist. WhatsApp is hardly 'critical'. Any nontrivial use of WhatsApp (i.e. by emergency services) is just stupid. That's on the population, not the fault of Facebook and friends.

Maybe you don't remember, but WhatsApp used to cost money. I even bought it back then. So how can I opt out of this data sharing then?

Same for me, we paid WhatsApp to use a messenger that’s convenient, and isn’t Facebook.

And yet, this now happened.

It's not like the concept is very complicated. As soon as stuff like this goes open source/distributed, the model falls apart. The Linuxification of everything will destroy the world as we know it

I am glad as an US company we don't have to comply to the dumb EU cookie laws. Yeah, we know every websites in the world uses cookies. Don't need a modal everywhere.

Bad news friend. You have to comply with GDPR if any of your users are in the EU, even if they were originally not in the EU when they signed up. Your user merely needs to be a EU resident.



The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."


If you don't have an organization in EU, they can't sue you in the U.S. because it's allowed here. It's like the U.S. trying to sue local Amsterdam pot shop because they sell drugs to U.S. residents.

I have bad news for you: things like the Uniform Foreign Money Judgments Recognition Act exist which makes it possible to enforce foreign verdicts. Even if no such law applies, most US companies that do business with EU customers have by definition some assets in the EU even if only briefly (or else they couldn't charge them anything).

The US doesn't sue foreign pot shops because the sale happens abroad and they have decided to not bother with that but they absolutely could enacted such a law if they wanted. Who is there to stop them? The US actually does apply some of its laws abroad. Here is an example that is similar to yours https://www.insightcrime.org/news/analysis/as-us-prosecutes-...

Again, the problem is only enforceability. If they can't get hold of any money, a verdict is useless.

That's the point. If I run a US-based company and have 0 assets in X country, it doesn't matter. EU lawyers would also know this and also wouldn't bring it to court. It's just a waste of everyone's time. I'm certainly not going to do anything If I get a summons from a random country due to some random law. Especially if it means nothing in the country I'm currently located in.

It does matter if your bank will comply, and no bank will risk getting banned from the EU market for a small customer like you.

Some day you’ll wake up, and notice all your corporate bank accounts are empty and frozen.

And you have no plans to have assets or employees in the EU. Ever.

The cookie law makes perfect sense: most uses of cookies don't require any notification, only "invisible" tracking cookies need that.

Common confusion over the cookie law.

* It was never about all cookies. It was about 3rd party cookies.

* An agreement was only necessary if you were transferring a user's private data to a 3rd party.

It was a huge privacy leak. The EU tried to shut it down, so the world's corporations decided to keep doing what they were doing without changing a thing, whilst mocking cookies, and by proxy, the user's whose data they were fleecing.

Every websites use Google Analytics - or another third part analytics - and therefore has to display the modal. This law is just a waste of everything.

I wonder what the legal argument is behind this ruling. If one newspaper acquired another, couldn't the parent then market to the subsidiary's subscribers even if they continued to operate separately? The parent now owns everything anyway.

The argument is that WA always told us that they wouldn't share our data. This was a reason people signed up, you can't just "Oops we did it anyway" on so many people. At least not on People who have a government with their best interest in mind.

Is there legal precedent for "sharing" when the only entity you're providing the data to is your owner? Presumably if I bought WhatsApp, I would legally be allowed to query some database for someone's phone number if I so chose because I now own the database.

> I now own the database.

You might own the database, but you will never own the personal data that is stored in it. And in France (and in the near future the whole EU with GDPR) this personal data has a specific set of allowed uses (explicit or implicit when the user provided the data) attached to it, that you cannot change without asking the owner of the data (the user).

So you own the database, but you cannot use the personal data inside for purposes that were not allowed by the user when they provided it.

Seems like in that case it should be Facebook being reprimanded if they do something with the data that violates the original terms of use. "Sharing" is a bit misleading because as soon as Facebook acquired WhatsApp, they became the legal owners of the user database and data insofar as anyone can "own" user data. WhatsApp is Facebook.

But I think that's the point, WhatsApp doesn't own the data, and that carries over to Facebook. From what I gather, what they own is the database schema and whatever business logic is specific to WA/FB, and they 'lease' the data from users to populate their databases.

This piece is a nice argument for what FB/WA did wrong: https://www.engadget.com/2016/08/27/privacy-groups-call-foul...

You could but you'd have to tell the users in the terms of service. If you tell them that you won't query the database and then go on and decide to do so anyways you'd get sued. With WhatsApp having a quasi monopoly on messaging it's difficult for the to change the terms of service without giving their opponents the argument that the change was forced.

Sure, that makes sense to me. But this seems more like "the company said it wouldn't allow anyone else to query the database" before I bought it. Now that I'm owner, do I still count as "anyone else?" I'd argue not.

Edit: that's from a US perspective. Sounds like France (& the EU) put additional restrictions on how personal data may be used even after it's voluntarily provided.

> on how personal data may be used even after it's voluntarily provided.

That feels wrong. The personal data was provided under a contract. Now, you can pretend you're Vader and change your deal, but people can still attack you for changing the contract to terms they have not agreed on.

And so far in court, long lengthy legalese Terms & Conditions haven't always held up to scrutiny, and nor has any contract that states "we can change these terms at any time". [0]

Just buying the database doesn't let you do anything with it - you just bought the responsibility of fulfilling the contract.

[0] One example: https://law.justia.com/cases/federal/appellate-courts/ca2/11...

> And so far in court, long lengthy legalese Terms & Conditions haven't always held up to scrutiny, and nor has any contract that states "we can change these terms at any time". [0]

Especially not in the EU, many ToS that are completely legal in the US wouldn't see the light of the day in the EU due to consumer protection rights.

> Sure, that makes sense to me. But this seems more like "the company said it wouldn't allow anyone else to query the database" before I bought it. Now that I'm owner, do I still count as "anyone else?" I'd argue not.

I don't think the change of ownership matters. If I say that I won't allow anyone else to query the database, that statement isn't about restricting others from wandering into my offices and pulling up a Python prompt. What I'm really saying is that I commit to not querying the data with the purpose of sending it to others. Maybe that means I commit to not building something to query it for them; maybe it means I commit to not running a mysqld that accepts connections from them; maybe it means I commit to not doing a database dump and sending it, but in all cases, I'm the one not doing a thing.

So, the fact that you "own" the data doesn't mean you have the right to use it how you want - because if you could in fact use it how you want, you could send it to anyone you want. And if you transfer it, e.g., by selling your company, you don't transfer rights that you never had.

> I commit to not querying the data with the purpose of sending it to others.

Nobody's arguing with that. The problem is that there was no commitment to avoid querying the data with the purpose of sending it to yourself.

And when Facebook bought WhatsApp, they ceased to be "someone else".

The issue here, I think, is that you assume they have a blanket right to access the data. But EU regulations restrict not just transfers between companies, but set down principles for how personal data should be handled.

And those include among others that data should be collected for specified purposes, and should only be used for the purposes the person consented to, unless you obtain additional consent.

If I consent to sharing my data for use on site A, and site B buys site A, the fact that they are now owned by the same company is not necessarily relevant unless the permissions collected very explicitly allowed the data collected by site A to be used for purposes related to site B too.

That the sites suddenly have the same corporate owner is no guarantee that the consent collected made it expressly clear to users of site A that they could expect that their data might be shared with site B in the future.

Some sites do collect very broad consent and make very clear to their users that data may be transferred elsewhere, but even if they do this, they also do need to ensure the data is still treated in accordance with EU Data Protection regulations.

> how personal data may be used even after it's voluntarily provided

It was voluntarily provided under the requirement that said data will not be shared with third parties for commercial purposes. Once that restriction does not apply anymore, as the data ends up being shared with third parties for commercial purposes, neither does your right to use that "voluntarily provided data".

Imho private information should be handled like a license; Sure I can allow you to use it, but if you break against the rules we agreed on I reserve the right to revoke your license to use my personal information because at the end of the day it's still MY information.

> Presumably if I bought WhatsApp, I would legally be allowed to query some database for someone's phone number if I so chose because I now own the database.

It's not your data.

It's your users' data.

So no, you may own the database, but you do not own the data.

I don't understand how users own their own data. That doesn't make any sense. Where does that idea come from?

The same way that my bank does not own the contents of my savings account... Even if it is allowed to use that money (in highly limited and regulated ways) to, say, issue loans.

You don't own your users' data. Your users do. You may be allowed to use it in highly limited and regulated ways.

The legal concept is that despite having the data in your physical possession and control, you're not allowed to do whatever you want with it, and you have to ask the user's permission for many specific use cases.

This means that for a colloquial understanding of "owning data", you don't own it (since you can't do what you want) but they do (since they can limit the uses to what they want).

Photography laws are similar. I cannot just see you on the street, shove a camera in your face and take your portrait and then proceed to do whatever I want with the image. The resulting image is property of both the photographer and the subject. (Exceptions for people in the background of landscape/architecture etc and 'people of public interest' such as politicians.)

Common sense?

You do have to get specific permission to use data for a specific purpose under the GDPR. For instance, there are approved forms to ask customers for permission to add them to a mailing list. In that case, whether or not the company has the data stored somewhere is immaterial if it does not have the correct permission to use it for mailing.

Per European Privacy Law, you only own the data for the specific use-cases that you asked it for in your terms of use / privacy policy. I agreed to that when signing up. If you change that in the future, you have to ask for my consent again. If I deny, then you cannot use my data for your new use-case.

Then its a joke. The EULAs already contain huge outlays of information and are frequently amended with more. In the US they like to contain restrictions on your basic rights that you don't really expect.

The EULAs will just all be amended with terrible terms as take it or leave it for all services just like they are in the US.

No EULA terms will be considered valid consent for the GDPR.

The user has to explicitly give you consent to use the data for a purpose for you to be able to.

Basically, for every purpose you want to use the data for, you’ll need a separate button.

If the user chooses not to consent to data usage for some purposes, the rest of your service still has to work.

Is the revision opt in (express permission required, by default you do not agree)? Or is it opt out (by default you agree, unless you expressly refuse)?

In the U.S. terms of service are usually the latter. You'll get a notification of revised terms, and you can refuse. But as a consequence every company I'm aware of will then terminate service. Examples include insurance, banks, and (perhaps infamously) iTunes which had more revisions than the average number of needles on a pine tree.

Yes you can send them a note saying you do not agree to their new terms, and they'll send you a note your account is closed.

From EU Regulation 2016/679: (http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...)

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.

Your case is not opt-in, the user doesn't have a choice. It's accept the new conditions or get forcefully terminated.

That's enough to deny the claims, which is what is happening here.

In the EU you would need the explicit permission of the user to share their data with the new parent company.

Which isn't a huge issue since most users will accept any data privacy declaration.

Did WhatsApp charge anything? I thought for contracts you needed some kind of actual dollar amount (even $1) for it to be binding? Is that very US-law specific or am I way off here?

For a contract to be binding, you need consideration[1] from both parties. A contract where you give me something for nothing is not binding, we both need to be giving each other _something_. That something need not be money: A contract saying that you agree to give me your house if I give you my car would qualify. Google and Facebook extract enough value from targeting ads based on the personal information we agree to give them access to that access to said information is enough to qualify as consideration. I'd argue that, even if WhatsApp doesn't have a monetisation strategy that leverages said information, it's credible enough that it would qualify as consideration.

1. https://en.wikipedia.org/wiki/Consideration

I worked as a developer in the promotion and giveaway industry.

Consideration was always in interesting discussion by our company's general counsel when going through training.

On thing that stuck out to me was the company would always review entry criteria if it may any requirement beyond what would be commonly available to the lowest ranking member of society. This was typically considered to be a computer with internet access as it was likely to be available at a public library.

While mail has become a more accepted means of non-consideration entry, I believe there was a time where it was considered consideration. Counsel argued that mail-in entries required the submitter to own or purchase a stamp, a postcard, a writing device, and potentially an envelope for the postcard.

An "app only" contest was given extra scrutiny because it required the user to own some sort of smartphone or mobile digital device.


While, that was contests and promotions (in which case, they needed to avoid running an illegal lottery), I imagine a similar argument could be made for WhatsApp. WhatsApp is only available if you own a smartphone capable of downloading the app.

That still depends on the jurisdiction: Scotland, for example, does allow for contracts without consideration: https://en.wikipedia.org/wiki/Scots_contract_law

Same in Germany: you can contract to gift something.

Of course, German contract law is very strange and alien to every other legal tradition (except Japan, I think, and that‘s only because they modeled their civil law on ours).

As the page you linked explains, in Civil Law the consideration is not required.

IANAL, but only consideration is a common law thing, and is not required in the majority of EU countries, provided that I recall correctly.

It changes a lot depending on your jurisdiction, but is generally:

> A valid contract needs the following elements: People entering the contract must intend the contract to be binding. An offer is made by one person and is freely accepted by another. Some price (money, right or benefit) is paid in return for a promise. [0]

So the fact WhatsApp is providing a service, means some price has been "exchanged" (for lack of a more precise term). The price does not need to be financial, any benefit can be viewed that way.

So yes, it does appear that a legal contract was formed. Even in the US. [1]

(A financial benefit is not required, but it makes it more clear that the contract was valid. Hence the habit of ridiculous $1 contracts.)

[0] https://www.legalaid.vic.gov.au/find-legal-answers/consumer-...

[1] See under Consideration: https://www.entrepreneur.com/article/175238

Originally WhatsApp ran completely on a subscription model, users would pay a small fee to use the service and users were okay with that because it would mean nobody would try to commercialize their information.

Then Facebook gobbled them up, they removed the small subscription fee (not even giving an option to keep on paying it) and went: "All your data are blong to us".

It used to be the case. There were yearly subscriptions until some time after Facebook bought the service.

They charged me USD 1 sometime after I signed up.

Ironically thats what I loved about Whatsapp:

I paid them, they provided an awesome messaging client.

No spying. No ads.

The consideration thing is considered an exotic common law curiosity in continental law countries :-) Generally, an offer and an acceptance creates a binding contract inmost of Europe.

Didn't WhatsApp used to charge $1 per year to people in the early days?

Not sure if that was global but I did pay a Euro for it yep

Yes, it was global, it was how they financed their operation until Facebook bought them [0].

I wish they would still offer this as an option, tho I'd probably be skeptical of Facebook actually holding up their end of the deal and not tracking people who pay for WhatsApp.

[0] https://www.investopedia.com/articles/personal-finance/04091...

That's for Android users. For iOS users it was $1 to buy the app, but they changed that some time before they were purchased by FB

I paid for WhatsApp.

That was a few years before they were bought by FB.

That's not even a little bit true.

It's called consideration. It's one of the main tests for a contract.

But the consideration does not have to in the form of money, it just has to be "worth" something. The considerations in question here are personal information on the users' side and the Whatsapp app+service on the company's side.

In civil law consideration is not required.

Corporations are people. Can corporations lie?

Corporations are entities created by the state. They are not people, or citizens. They are made up of people who can lie on their behalf and as such corporations get the culpability whenever officers of that company lie.

When a corporation does it, it's called fraud. Securities fraud if it's a public company.

It's fraud in any case, it's just a matter of whether a human or a non-human entity is culpable. By shifting the liability to the corporation, it shifts the cost of wrong doing (ostensibly) from the person who commits it on behalf of the company to the company's shareholders.

Goldman Sachs used to be a partnership, not a corporation wih publicly traded shares. They most definitely took fewer risks when the partners were personally liable for wrong doing than once they became a corporation. https://hbr.org/2013/10/culture-not-leverage-made-wall-stree...

> If one newspaper acquired another, couldn't the parent then market to the subsidiary's subscribers even if they continued to operate separately? The parent now owns everything anyway.

Not in France, personal data is collected with a specified purpose (and bullshit/overly broad "purpose" can get you sued), using said data for other purposes is illegal.

You (as a company) never own personal data per-se, you are lent that data by the subject, if you will.

I wonder if this means EU users get less creepy specific advertising. I run uBlockOrigin so I don't see many ads, but I've heard cases of Facebook/Adobe/Google algorithms being so good that people see ads for things they've never looked up online, yet talked about out loud (leading many to believe Facebook/Instagram are capturing microphone data).

As a side not, this gets into the whole "Right to be Forgotten" which the EFF is mostly against, since in the EU it can be used by many as a form of censorship.

I do believe they are capturing microphone data because I can't think of any other explanation for the japanese ads (not about japanese stuff but actually written in japanese) I saw when rewatching my old anime DVDs.

I was watching anime in a old TV without any internet connection and at the same time browsing reddit on my laptop. Things like this make me feel no guilt for using ad-blocks.

I think it might be one of those situations where the microphone data is being captured using some other app and then shared into a data network as tar-getting data, providing a convenient and plausible deniability to Google and Facebook for shady practices.

Not really, as an EU users, also using uBlockOrigin, I still get these creepy "follow you around after reading your mind" ads.

I don't think that's something they can easily disable by region without breaking way too many things.

In what fashion can it be used as a form of censorship?

I've already seen this happen with commercial spammers in Germany. For a while I got a ton of really annoying spam, advertising for big name brands, but organized by some spam racket with no way to opt out and registered in some foreign country.

Some Googling led me to the trial of some German woman who was quite notorious among the anti-scammer community for running several spam rackets. People would spend a lot of time figuring out her connections between different font companies, data brokers, and whatnot.

Until one day Googling her name wouldn't give any results at all; Couldn't look up any addresses anymore, couldn't look up company registers with her name anymore, it all just came up blank with a notification on the bottom of the search results, informing me that Google removed some results due to the EU right to be forgotten.

It's very likely this woman is still running a very profitable spamming business with a side-business of selling data caches. Sure, one could argue that it's actually government agencies job to handle something like that, but these agencies also depend on search results, especially with something as obscure as the spam industry.

News organisations have to remove legitimate journalism as a result. The BBC lists it when it happens to them, eg: http://www.bbc.co.uk/blogs/internet/entries/1d0a67ff-ad97-4c...

I'm not entirely convinced, but the argument I've seen is:

Politician does something corrupt. Then they order takedown notices across the web, because it is about them personally.

The Right to Forget allows them to obscure their dirty deeds.

Not if this data is data about persons according to french law. You need consent from those persons to use the data for any purpose beyond the original purpose you mentioned when you collected the data.

sadly this is only in the french wikipedia


There is a european directive which addresses the same problems, though i do believe the french law is more explicit, and the french government has been enforcing it.

Correct. It is very similar in Slovenia and it is enforced.

Ah that makes sense. Thanks.

Facebook made a commitment they wouldn't connect the data in order to get permission from competition authorities for the merger. I don't know how legally binding that is.

> Facebook made a commitment they wouldn't connect the data in order to get permission from competition authorities for the merger. I don't know how legally binding that is.

Not quite. They said it's "technically impossible" and the EU fined them for $122M after Facebook did "the impossible" and started sharing WhatsApp data with Facebook.



When The Coca Cola Company (the folks who own the secret sauce) bought Coca Cola North America (N. America's largest bottler) there was an entire floor that TCCC empoyees weren't allowed into. CCNA had bottling agreements with TCCC's competitors.

The restrictions were strict!

Note that this:

>The parent now owns everything anyway.

does not (perhaps surprising to some) allow you to break laws or agreements entered into with other parties without consequences.

The acquisition was approved in Europe on the basis that WhatsApp would not share the data with Facebook. In this case, the European governments certainly have a legal basis to carry with penalties.

When doing business in the EU, Whatsapp and whatnot will have to abide by EU legislation, including EU data protection rules, EU consumer legislation and national rules on entering into and interpreting terms and conditions and other contracts.

Data may be used only for the purpose it was collected and transfer to other legal entities require consent. In May 2018, the data orotection regulation ebters into force and the mandatory rules will be even tougher.

Maybe one day one or more of those companies will even have to pay a bit of tax in the EU.

They don't pay tax? [citation needed]

You never allowed the parent to send you marketing. They shouldn't be allowed to.

Tell that to my physical mailbox. Or my email inbox.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact