Part A: Privacy settings
- Facebook tried to claim that it is only subject to Irish law. Court disagrees since Facebook operates in Germany, so local law applies. [side note: this kind of confusion is exactly why the GDPR is needed]
- Law states that the imprint must be "easily" accessible. Court found this not to be the case (it took three clicks and was hidden behind a link called "explanation of your rights and duties").
- Law states that explicit, informed consent is necessary for the kind of data processing Facebook does. Facebook pointed users to the privacy settings page where all settings were enabled by default. Court found that this constitutes neither explicit nor informed consent - the settings would have to be opt-in, or the user needs to be explicitly informed about the full extent of how his data is used ("without any doubt").
Court explicitly states that presenting an opt-out after registration and login is not sufficient, especially if it is presented as an optional "privacy tour" that most users are going to ignore.
- Plaintiff stated that Facebook incorrectly claimed it was "free forever", when users were in fact incurring hidden costs by volunteering their personal data ["paying with their data"]. Court strongly disagrees - no money is changing hands, after all. They do recognize that there's a counterpart, but it's immaterial and as such does not constitute a "hidden cost". Court basically states that the meaning of "free" is not up to debate.
Court explains that "read and understood" clauses like this one are invalid. Clearly, the user didn't actually read and understand the whole thing - but the language in the terms forces him to admit he did, which would disadvantage him by implying informed consent about everything in it when he didn't explicitly consent to anything.
- There's a clause in the ToU stating that the user "agrees to use his real name". This does not constitute informed consent since the user isn't properly informed - Facebook does not state why his real name is required and how it will be used.
The court states that it is questionable whether a real name policy is at all legal, underlining the need for proper consent due to the significant consequences of volunteering one's real name.
- Same for "agreeing that personal data is transferred to the US" - no explanation why data is transferred, what it will be used for or even what data is transferred. In addition to that, there's no indication which data protection standards are applied.
- Similar case for "agreeing that the profile picture is used [...] commercially": no informed consent since the user is not informed about the consequences.
... and a few more clauses where the court finds that no informed consent is given by the user due to very broad clauses with little explanation.
- It's OK to have the user agree that he's 13 years or older. Facebook cannot possibly check whether it's true, and the age doesn't matter anyway since the contract would be valid even if it weren't the case.
: https://www.vzbv.de/sites/default/files/downloads/2018/02/12... (interesting part is page 22 onwards)
> The court states that it is questionable whether a real name policy is at all legal, underlining the need for proper consent due to the significant consequences of volunteering one's real name.
That represents an amazing win for online privacy. And seems totally at odds with core Facebook policy.
The modern understanding of "informed consent" came out of the Nuremberg trials. Not sure if the concept was strong in German law before that, or the German courts are now particularly interested for historical reasons, but it's not all that surprising that German courts would be keen on that.
I personally feel this is a particularly important concept with respect to digital rights.
I wonder if that renders most terms used by modern services invalid since, again clearly, nobody reads those 100 page terms or even understands them - regardless if it's Facebook, iTunes, Google Mail or most other services. And if so, what kind of language and how many pages can we expect a user to read/understand?
I suspect this clause is actually due to US law (COPPA).
Also, are kids allowed to agree to contracts in Germany? I believe that's not the case in the US.
As far as I know, kids can't sign contracts. They are not "geschäftsfähig" (business capable) until they are 18. Unless the parents explicitly agree to some contract.
Huh, that's interesting. I'm not familiar with German law, but in the Netherlands this would legally be simply not a contract at all. A contract (in the Netherlands) explicitly requires (actually is defined as such) that both parties have contractual duties, and a contract is the formalisation of the exchange of these ("this for that").
It makes a lot of sense too. If one party has no duties, they can't be held to the contract, so what's the use of even having one.
If you're under 13 any contract that exceeds reasonable monthly allowance is automatically invalid.
All other contracts are "floating/pending valid", ie valid until the parents agree. There is also a clause on 16 to 18 year old kids but IIRC it just shifts responsibility away from the parents more. A contract that is "floating/pending valid" is usually not a problem, it just means the parents can terminate the contract as if it never existed within reasonable bounds (if you bought something from the supermarket and ate it, your parents won't be able to get the money back)
This ruling will in the end contribute to Facebook's long term success and will cement its market position.
Also see my other comment
I frankly think it's each platform's right to do what they want, as much as it is people's right to not use a platform.
Therefore I believe lawmakers/courts are gonna refrain from regulating it
Your view on what should be platform's rights, kind of implies there is supposed to be as little regulation as possible.
And the problem with that view is, if you ask people why they are still using FB, given the knowledge of what they do with user data and privacy, the most heard excuse is that they feel they have little choice to use an alternative!
If you add to that the consideration that it is in the very nature of social network effect that this choice will be diminished to a singular monopoly (a social network is not very useful if your friends/family aren't on it), then you have to admit that the power in "people's right to not use a platform" is absolutely minuscule compared to your desired "platform's right to do what they want".
And it is that very imbalance, what regulations are intended to solve (or at least push somewhat towards fairness).
When someone in the street is speaking aloud, then you can't go to them and demand them to reveal their name, even if what is spoken is against the law. You can call the police and they can determine the name of the speaker. The internet is not a lawless place.
IDK how FB will ever be compliant with GDPR and survive those huge upcoming fines in the long term or in the worst case the withdrawal from these markets.
Most of the GDPR is about informed consent, having a valid reason for processing personal data and individual rights.
Facebook will do just fine, they had years to prepare and an army of lawyers. It will force them to be more transparent, which is a good thing.
Many EU member states like Germany already had very similar laws in place (like the BDSG), the GDPR unifies and standardizes them.
Here's an excellent introduction:
The rules are so vague that any firm could be argued to be in violation. And the EU acts as judge, jury and executioner. It looks like a way to tax the SV tech firms without needing a treaty change. After all there's no practical difference between a tax and a law that everyone is guaranteed to always be in violation of that has huge fines attached. The money all goes straight into EU central coffers.
How is that different from a US law like HIPAA? The structures of the law seem largely the same, in that they give you guidelines to follow, but provide no clarity about what specifically is required by it and what isn't.
Understanding HIPAA has largely come from companies doing their best to comply with their understanding, and clarifications tend to come from courts when there's an actual dispute in progress.
Then, the US (through its various district courts, circuit courts, the supreme court, and regulatory bodies) acts as the "judge, jury, and executioner".
But this specific thread is about EU social network privacy fines, not US healthcare privacy fines.
The US courts aren't quite the same. They're a lot more independent. The ECJ has a history of surprising things, like hearing cases where one of the appellants wasn't aware he was involved in a court case at all and both sides turned out to be the same law firm, or simply voiding parts of the treaties they found to be inconvenient to the EU, or inventing new 'rights' on the fly (legislating from the bench). Like the right to be forgotten, which was invented by the judges in response to a lawsuit and required massive responses similar to the creation of entirely new regulations.
The Supreme Court is generally much better about following the Constitution, not inventing new laws on the fly and ensuring the cases before them are actually legitimate.
As someone who worked extensively on HIPAA covered data and systems, there are only three options here.
Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).
Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.
Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.
Of these options, I'll take (3) every time.
If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...
You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.
Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.
As someone who started off working in the health space I can assure you I personally gave up on multiple potential projects because of HIPAA. And know of countless others who have to in spaces that seem "crazy" no one has yet built software for.
And I say this as a complete paranoid hawk on information security and privacy rights...
Based on what I saw in a couple of the top 5 largest insurance companies, these are IT departments that would be storing personal data in databases open to every employee of the organization, were there not a law discouraging them doing so.
Because IT isn't their business. That perspective is changing (gradually), but the resistance to anything aside from business as usual is staggering.
There are other important values than privacy in the world!
Good? This sounds like the law is doing what it's supposed to be doing - it's not enough to simply be smart, you have to also be sufficiently willing to pay attention to detail such that you don't accidentally design your systems in a way that leaks personal data. If you find this burdensome, maybe the world is better off if someone else develops it instead. (There are enough newly launched healthcare startups - Clover Health, Oscar, and One Medical all come to mind without even thinking - that I don't think that it's completely stifling innovation, which would be a different story.)
As a person who is much better at being smart than at being reliable and careful, I am totally okay being regulated out of this space - I don't trust myself not to just forget about something. I worry consciously about edge cases in my code because I know I won't worry about them subconsciously. If I want to go into this space, I imagine that I can just hire someone who's good at the regulatory part and willing to focus on getting that stuff right.
I don't understand this idea that smart people should be entitled to develop and market products in whatever way they want, simply because they're smart. I'm sure the Therac-25 programmers were very smart.
Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.
Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture for their every couple of years. The rest of the time they go about sending socials and pmi through plain text email or just leave shit on their desks for anyone to pick up.
American courts continue to create common law today. This happens less at the federal level only because the scope of federal common law is narrower.
I too have concerns over the breadth of the EU right to be forgotten, but not over the concept that a court could combine premises with a process of reasoning to arrive at such a conclusion.
The Supreme Court's focus on ensuring that the cases before it are actually legitimate is primarily for three reasons: keeping their workload manageable, deferring controversial decisions they don't actually need to make, and complying with the Case or Controversy Clause in the federal Constitution.
Notably, the Case or Controversy Clause does not bind the state courts. Whether they are willing to issue advisory opinions or perform other duties is a matter of state law.
1) Despite the GDPR being a regulation, the national courts will decide first and only if appealed enough times, the ECJ will decide as highest court
2) The EU judiciary is based on the civil law system. In the US or UK or other common law countries, you have much more "legislating from the bench". In fact, most US laws are created by the judiciary.
I think that's a good thing. So the law has to be interpreted by precedent set by the courts.
If the text of is too specific you could have the opposite effect of companies weaseling through.
It is not a tax. It's pretty clear that the EU expects companies to treat private user data with respect. If your company cannot operate without exploiting this info, then maybe the world is better off without it anyway.
Most EU countries follow civil law, and precedent has a much more limited role than in common law countries. So it actually matters that the statutes be written clearly.
I don't think that there are any others though.
Law is meant to be precise. If it's not, then ignorance of the law does become an excuse and law loses its moral authority.
Unfortunately the EU does seem rather keen on laws so vague that they're impossible to understand - it's rule by law, not rule of law.
As for your strawman that I somehow argued to abandon all law: I won't deal with that.
Only a few technical, minor points need to be spelled out in national regulations or laws.
Each country (or state, in the case of Germany I believe) will have their own privacy commissioner with substantial leeway. Now technically these differences won't be implemented as laws, but there will be substantial differences between eg the French and the UK privacy regulators.
The GDPR also allows for individual states to strengthen its provisions, eg for genetic data.
That’s true only if you regard the EU as a single entity. Laws made via the EU will be turned into national law, and independent judges will judge all cases, up to the EU high court. By the same right you could call the US judge, jury and executioner on all laws and rules made and enforced by the US government (FACTA anyone?)
The GDPR is not a directive so it does not have to be translated into national law. It is directly binding and applies immediately everywhere.
Fines have to be paid up front, before appeals are exhausted. Appeals can of course take years.
The EU courts have judges appointed by the same people who control the rest of the EU, and are ideologically aligned as such. They have a long history of legislating from the bench and making shocking and nonsensical decisions: consider the case where they simply voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK. The court simply decided it didn't like that bit of the treaty and so it did not apply. I do not regard the ECJ as a robust court. It will rule in whatever way is most favourable to the European project.
> voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK.
; did you read this in the UK press?
In the section "Wasn’t the UK supposed to get an opt-out from EU human rights laws?"
The summary is, when the Treaty of Lisbon awarded the EU new human rights powers the UK and Poland negotiated an opt out which was written in the treaty. It was a part of convincing the UK government to accept the new treaty without granting a referendum on it, as they had previously promised.
The opt out is very clear, really as clear as lawyers can make such things. It says:
The charter does not extend the ability of the CJEU, or any court or tribunal of… the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of… the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms
In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law
In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
A few years later the ECJ decided that the opt out was meaningless and voided it, under a new interpretation that they claimed meant they'd actually always had these powers, and therefore the treaty did not "extend" them, and so the opt out didn't "work" despite its apparently clear wording. They then began overturning UK laws.
It's unclear why the treaty had anything new in it at all if the courts had always had these powers of course, but this is how things go in the EU - no matter how plainly something seems to be written, no matter how clear the assurances seem to be at the time, the moment it becomes politically inconvenient to the project the rules are tossed out under bizarre and kafkaesque re-interpretations.
Same thing happened to Ireland with corporation tax. They were promised the EU wouldn't interfere with their tax policies. Then the EU decided low taxes were "state aid" and awarded itself the power to control Irish tax policy. Nobody had previously interpreted the state aid clauses that way.
> This Charter reaffirms [...] the rights as they result, in particular, from [various pre-existing sources].
The opt-out specifies that the Charter does not _extend_ the ability of the courts, but does not limit the powers that the ECJ already had prior to the implementation of the Charter. Even if the UK had a cast-iron opt-out (e.g. "The Charter, in its entirety, is not applicable to the UK, no rights are granted under it to UK citizens, and no court may refer to it in reaching a decision affecting the UK"), more or less the same results would likely be reached.
Also note Article 51(2): "The Charter does not extend the field of application of Union law beyond the powers of the Union or establish any new power or task for the Union, or modify powers and tasks as defined in the Treaties.". This is broadly similar to the UK/Polish opt-out, further suggesting that the Charter did not grant powers that the UK had not otherwise agreed to.
> In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
It does not grant them _new_ abilities to do so, and the second statement only refers to a subset of the rights considered under the Charter.
EU promised not to meddle as long as preferential treatment wasn't given. As in if Ireland gave the exact same tax deal to every company in Ireland then it would have been fine.
(the no preferential treatment in taxation bit is part of getting access to the single market)
Erm...you are aware that this case has nothing to do with the ECJ, but with the ECHR, which isn't even an institution of the EU, but of the Council of Europe*, which is an entity completely separate from (and older than) the EU.
* not to be confused with the European Council or the Council of the European Union. Yeah, it's a bit silly.
Then again, all's fair in love, war and referendums :)
To be fair, the Google front page was split between two sides, which suggests that this may be an issue with some emotional salience.
Now, now, you make it sound like a single human actually endorses those three roles. Any state (or group of states) is judge, jury, and executioner. I also write and dictates laws…
And that's okay.
Even though I dislike em, I think the laws surrounding fair use and copyright are another example. Due to its nature, it's incredibly difficult to provide exhaustive guidelines.
As long as these large enterprises engage in a good faith attempt at complying with the law they shouldn't end up receiving huge fines.
I'm feeling a huge cultural gap in the discussions in this thread.
Americans seem to have a different tolerance for privacy abuse and draw the line elsewhere.
And I suppose that's okay, live and let live etc. However, so far it's really been mainly US tech companies pushing their views on privacy (read: less of it) in the EU market (kind of poisoning the field for EU companies as well, because obviously you can make more profit that way).
I don't see the (EU) public making a huge fuss about EU businesses taken to court over privacy violations (which happens), because we see it as justice as usual.
Now that the EU(/Germany) pushes back against a huge US corporation (ok multinational, technically), it's considered really harsh, from a US point of view. Some arguments going even as far as attacking our legal system (which is a bit much, coming from the US, IMHO. Americans themselves flat out admit justice is a matter of financial resources and consider that justice as usual). Apparently we have different values.
Personally, I agree it doesn't go far enough even though I'm very happy with the German ruling and hope other countries will follow suit.
I'm sure, they'll mostly ignore the law at first, and if they get sued, they'll claim having a legitimate interest, but that will be their strategy, because actually complying with the law voluntarily would likely cost them more.
And yes, especially Germany already had a very similar law in place, but Facebook did not actually need to keep to it most of the time, because they were operating from Ireland. GDPR does not care where you're operating from. The fines would have also not been much more than operational costs for Facebook (the highest fine placed in Germany for privacy violations so far is at 300,000€).
 section 1 f): https://gdpr-info.eu/art-6-gdpr/
But until someone sues them and that court case concludes, there's going to be a lot of time, in which they can probably make enough money by not properly implementing the GDPR requirements to easily recover however high that fine is in the end.
>Facebook will do just fine, they had years to prepare and an army of lawyers.
Large companies will simply pay their lawyers to deal with this. Small companies basically will have to do their best and hope they don't get sued.
It’s the end of an era...not too long ago anyone could compete with the big players...soon nobody will
The lack of competitors here is structural, not everything is an issue of 'we must remove the red tape!' That would do nothing because nobody is voluntarily going to switch away from an established social network monopolist. It's a nash equilibrium of sorts.
Same with Instagram, WhatsApp and Snapchat.
Anecdotally I know very few people who simultaneously use multiple messenger apps or switch around a lot. (For the reason outlined in the post before, you lose your network).
Let's use some math to answer this:
2 billion Smartphones users
2 billion Facebook users (Smartphone mostly)
1 billion Instagram users (Smartphone only)
1 billion WhatsApp users (Smartphone mostly)
So just looking at these numbers there must be a huge overlap in usage
They won't do fine. Don't want to go into details but their actual products/required architectures for their products just can't be GDPR compliant. And they didn't prepare anything. You confuse them with Google--they prepared GDPR but FB?
Btw, one of GDPR's key motivations was to take FB down.
So, this is a misunderstanding and again your aggressive tone is for somebody who is representing YC just sad.
Besides, thanks that you gave my profile more gravity when posting comments. Now my comments drop so quickly (first seconds after posting) and people with 0 karma move above me.
Great way to deal with different opinions, Dang.
So if you're a company that is relying on some mix of legitimate interests and consent to service your customers, market, and perform outbound, it's very difficult to understand what the rules are. And this is worse if you are an American company and therefore probably don't have a lead regulator and will have to attempt to comply with the (almost certainly) conflicting rules as decided upon by every privacy regulator instead of just one.
Much of the GDPR is quite reasonable (besides the DPOs, ie employment program for EU lawyers) -- privacy dashboards, the ability to delete data, SARs, etc. But it's wildly unreasonable to not have final regulations in place.
Thank you for your thorough explanation.
Do you have a citation for this claim?
this all seems very similar to the new VAT scheme, in that it was designed to target a foreign giant (Amazon), which was barely affected as a result, and instead ended up hurting the competitiveness of the EU's own small businesses
the EU Commission's response to small business concerns about that new VAT scheme? "we'll allocate some time to talk about that in 5 years"
This is not a cash sale in a local book store.
previously when I had a new idea that I might be able to turn into a business I could form a limited liability company for about £10, try the idea out with essentially no paperwork at all
then if the idea panned out I could worry about the huge-pain-in-the-ass-that-is-VAT later
now with this regulation it's a problem once I've made my first sale to a non-domestic EU customer, and my agility goes through the floor
EU countries have gone from being fantastic places to start a digital services micro-company to being at best mediocre ones, all to try to stop Amazon avoiding VAT
utter madness: small companies started as side projects turn into the big ones, but apparently we no longer want that
Well, so how do we deal with Amazon avoiding VAT and still being fair to all players on the market, big and small?
the significant problem is now the fact that I have to register for VAT domestically if I want to sell to people in other EU countries
before if my turnover was below ~£70,000 I paid no VAT at all due to the exemption (giving me a competitive edge vs. big companies with better economies of scale)
after the new regulations if I make any EU sales I have to either fill in VAT returns for EU member state I've sold to (not feasible, that would be hundreds of VAT returns/year in many languages), or register for domestic VAT which will handle that for me, but kills my business model
the EU Commission doesn't see this as a significant problem, likely as it is a beneficiary of VAT (the VAT being an EU mandated tax)
having less turnover or income than the value at which you move above the zero rate band is not evasion
low income people aren't evading taxes by not earning enough to be liable to pay them
There are two hard parts to what the EU did, for businesses.
The first is you have to charge variable VAT rates and remit the collected tax. However VAT rates do vary not only by country but in some cases within countries too, and they do change, so you have to make sure you have a really up to date list of tax rates and geographies where they apply. Including varying rates down to the city levels.
But the real kicker is that you can't trust the user's claim about where they are. Users are financially incentivised to lie about their location because these are digital downloads. So if they claim to live in a low VAT region they pay less, but download the same files. Simple as that.
As a consequence the VAT regulations have a LOT of complicated edge cases and "guidance" in them about how to figure out where the user really is, not where they say they are. This is hard of course, the user may be using VPNs and so on. There is specific guidance on how to handle users who are on ships sailing between VAT regions, or planes that are in the air when a purchase is made. So you've got a really complex pile of logic to start with, and then you're also in an adversarial situation where the users are all trying to screw you over by forging their location. And if they succeed, you can suffer big fines.
Oh and finally of course, you can't use any technical tricks to figure out where the user actually is, because then you'd violate EU privacy laws ... have fun with all of this! In practice it has to all be outsourced, it is too much work to implement in house for all but the largest of firms.
Many small businesses were concerned that they would have to register for VAT in all EU countries and deal with individual VAT laws, but the implementation for small businesses allows you to basically register at your home country's tax authority and provide them with a list of sales broken down by country. (MOSS in the UK, iirc) The initial hubbub has largely died down.
This is grossly simplified, but captures the gist. No tax advice, yadda, yadda.
my solution was to stop selling into the EU, though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
> new VAT scheme
whereas this is from 2015. I was confused by language where you described it as a law to target Amazon. Now I see that was just an opinion.
> my solution was to stop selling into the EU
Interesting business decision. Was the cost of compliance that high, or was your revenue that trivial?
> though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT. This was a response to my question about the catastrophic cashflow impact that losing the VAT rules on imports would have to UK businesses. He told me not to worry, as VAT alignment was simply a necessity.
the cost of having to pay VAT on all of my UK REVENUES (digital services, remember!) would vastly dominate the PROFIT (not revenue) made from my EU sales
compliance wise, I'd rather not have to fill in VAT returns if it is optional (this is a side business, not my main employment)
> Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT.
well I'm glad his crystal ball is operating well... saying that I'm sure we will have a similar VAT after leaving (payable to our exchequer instead of the EU), but unless something radically changes the EU's laws won't be directly enforceable in the UK post brexit, and it's unlikely the UK will go out of its way to collect EU specific taxes for the EU's benefit
regardless, all of my "is EU VAT optional outside the EU?" discussion in this post and above is only an interesting thought experiment, it's not worth the possible consequences in practice (especially if your main worry is the lack of UK VAT free allowance like me... maybe if you're a large US based SaaS provider it's different)
> the cost of having to pay VAT
Presumably you mean the higher price from charging VAT
> on all of my UK REVENUES
"your UK sales will not be liable, unless they’re above the UK VAT registration thresholds". So it makes no difference to your UK revenues at all, you either had to register for VAT because your total revenue was over the threshold, or you didn't.
> I'd rather not have to fill in VAT returns if I don't have to
Wouldn't we all love to avoid administering taxation.
> well I'm glad his crystal ball is operating well.
I think it is rather more than a crystal ball when you are the UK VAT lead for a big 4. This means you get consulted on it by the government, get to sit in on meetings with them, and work with the biggest companies in the UK who will also be lobbying the government. I think you rather trivialise their positions when you assume they know the same amount as me and you.
>(payable to our exchequer instead of the EU)
When did you ever pay VAT to the EU? I pay all of my VAT to HMRC despite trading extensively across Europe. It is possible as a consumer that you paid VAT that was passed on by the supplier to one of the member states' tax authorities, but under what circumstances could it be paid to the EU?
> it can claim jurisdiction all it wants, enforcing it is another matter
Not at all, the UK government will enforce on its behalf, as we will expect them to enforce on our behalf.
> but unless something radically changes the EU's laws won't apply to me in the UK after the process is complete
The UK is in the process of bringing all EU law into UK law (where it isn't already) with the strangely titled Great Repeal Bill. So EU law will apply to you. Also the government have committed to an open border in Northern Ireland as mandated by the Good-Friday agreement. This will require a customs union, and a joint body of oversight (like the European court). The government has further committed that Northern Ireland will have the exact same terms as the rest of the UK under its coalition deal with the DUP. Therefore the whole UK will be covered by that customs union. This is before we even discuss what EU oversight will be placed over a future trade deal with the EU. So whilst the government might bluster about what leaving the EU means, it is quite clear that its options are
a) stay in the customs union and therefore under EU law
b) Leave the customs union and violate the Good-Friday Agreement, whilst also breaking the coalition agreement and therefore bringing down the government.
I wonder against that backdrop how you think you are going to be outside of EU law? You seem to have a downer on the EU, if you don't mind me saying?
given the cabinet doesn't seem to know what their objective is, this seems like a fantastical claim
> When did you ever pay VAT to the EU?
not directly, but that's why it exists and where (a chunk of) the money goes -- read about the history of the VAT, it used to form the 40% of the EU's budget (down to about 14% these days)
> Not at all, the UK government will enforce on its behalf, as we will expect them to enforce on our behalf.
doesn't work like that in practice, once we're out HMRC isn't going to spend money chasing people for taxes due in Bulgaria, in the same way it doesn't chase people for taxes owed in Russia today
> The UK is in the process of bringing all EU law into UK law (where it isn't already) with the strangely titled Great Repeal Bill.
> so EU law will apply to you.
no, at that point it will be UK law
> Also the government have committed to an open border in Northern Ireland as mandated by the Good-Friday agreement.
depends on what they mean by "open" -- regardless of that: there's nothing that prevents a customs border in the good-friday agreement (have a read, it's only about 10 pages long: )
> (various points based on the assumption that the government will commit absolutely to one policy voters don't care about and completely abandon all others)
the government has also committed to leaving the EU customs union and the single market
I agree that it's hard to see how both are possible, but politics is the art of the fudge
> I wonder against that backdrop how you think you are going to be outside of EU law?
I don't accept the premise or the conclusion -- b) doesn't violate the GFA or the confidence and supply agreement (not a coalition)
to be blunt: it seems like you're making things up
> You seem to have a downer on the EU, if you don't mind me saying?
why should I like it? if you're running a medium sized or big business it's fantastic (unless you're a large foreign business like Facebook, Amazon or Microsoft), but I'm trying to run a small business, and it seems like they're doing their best to kill me
hell, if in 5 years we're still subject to the ever increasing mountains of poorly thought out legislation written by morons, I suppose emigration is always an option
This was quite a hit to small companies, because now they have to manage collecting and remitting taxes to every country their consumer customers reside in. Previously they only had to collect and remit taxes to their own home country.
This is a pattern you see across a lot of regulation, even when perfectly well-intentioned: it tends to favor giant companies over smaller ones, because the big ones can devote lots of manpower to the complicated legal and technical challenges the regulation sets up. That might be a worthwhile tradeoff, but it's not the same as saying "the winners are everyone".
Instead of taking profit out of private data one has, it's possible to charge for the service. Alternatively, one can use the data to finance the business but also follow the rules and regulations. I don't see the big issue here.
Every piece of regulation is another headache for a business.
Take for example the combination of GDPR + backups.
If you have enough technical manpower, you can change the backups.
If you have enough legal manpower, you can argue that changing those backups counts as 'unreasonable'.
If you have neither you have a headache.
Don't forget that even usernames and IP addresses are part of the personal data that the GDPR covers. Are you sure those are not present on a harddisk collecting dust somewhere?
Software projects like apache2, nginx, or your favourite website framework should adapt to the GDPR to make it easier for those who use them.
How things will turn out is not settled yet. If you are a small company not focused on handling private data, and documentedly continuously work on compliance, then I see little you must fear.
Usually, if your business is handling private data of others, then you must simply know exactly what you record where, and what you don't record. That is an essential part of your business.
I'll repeat myself a little bit: IP addresses and user names are also private data.
Please provide me with an example of an IT business that doesn't deal with private data. No real names, no user names, no IP addresses.
I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
> continuously work on compliance
That's the big part of the headache. Even if you're a one man shop, you have to spend time and effort to get informed and deal with it. Multiplied by all regulations that might affect your business.
Well, don't record IP addresses in the first place? Or if you need IP addresses for protection against technical attacks like DDOS-attacks, then delete them as soon as possible.
What is so difficult about deleting a real name and a user name stored by you if the owner of that account asks you to?
> I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
Common sense gives that data on documents you are legally required to store like for example invoices are exempted from deletion during the legal storage duration. After that, why not anonymize them or delete completely?
Things become pretty easy if the default becomes not storing any data, and only make exemptions from it after careful consideration if it's really needed, what private data it contains and how it has to be handled based on that.
Data is not just a resource, it is also a liability.
Or it may be a great opportunity for them to differentiate developing not privacy invading business models protected from being undercut by "free" (because we sell your data) competitors.
I mean, just because a company believes they can claim to "respect your privacy" without actually being compliant to the EU regulations specifying they should do such, let's call it a cultural difference then.
You don't know that yet. There is not a great track record anywhere for implementing radical reform without significant unintended consequences.
It's totally reasonable to be cautiously optimistic, but when people are only barely not frothing around the mouth at the prospect of landing a punch on Goliath, I'd err on the side of caution, at least until we see how the chips fell.
Then the problem with technology laws is we have to live with them far beyond their usefulness since the tech evolves so quickly.
What good is your privacy if you are poor.
What about software patents? Or gene patents for that matter.
The EU has not done so well on regulating diesel autos for instance but the US is knocking that one out of the park.
Really. Please point me at these people.
People that simply "don't care, yolo" do not count. People that have a stake in this because they have an interest in the tech business and fear that any decisions in this matter might negatively impact their business, also do not count (because a very specific yet vocal slice of the tech sector is hardly representative of what is "universally" considered right or wrong).
If you think that's too restrictive, and those are the only two groups you can point at, that's okay. I don't really believe those two groups (ignorance and business interest) should be considered representative of what is universally considered right or wrong. If you believe otherwise we'll have to agree to have a different view on ethics (which is a bit of a long discussion I'm not up for right now).
Everybody else I hear about this (I said "almost everybody" at first, but I can't think of anyone), DOES think it's bad, but admit that "what can you do, if everyone uses it" (hence the need for EU regulations!!) and because "it's really useful to keep in touch with long-distance friends and family, also to plan events etc", the latter being a reasonable point except there's nothing unique about FB's capability providing this service, and it's really easy enough to do it without violating privacy, if it weren't for FB dominating the social network sphere and forcing the privacy violations on the general public.
If indeed GDPR will enable those courts to "rule FB to death", and not, as repeatedly promised, be entirely reasonable to comply with, including for Facebook, obviously Facebook will shut down in Europe (and so will a good number of other popular services), and tell their millions of former users why. Here's a quick, free lesson in politics: that will not end well for the GDPR.
Because doing so is in the interest of EU corporate powers: let's drive away, or at least hinder, US companies on our soil, so we can develop our own. Even if the initial intent was not to put up a trade barrier, it will be used as such. Not that that would be a bad thing: from what I have heard, the GDPR seems fine, as well as quite defensible.
So, that's the thing. Either, it's fine and defensible, and the Facebooks of the world will just comply, and so won't be a trade barrier, or it's not. It can't be both.
And also, don't wish for a "trade barrier" for this purpose, import substitution has been demonstrated over and over again to be really just awful policy.
Simply put, GDPR could be reasonable and sue Facebook to death (at least within its borders).
Also, by the way, this won't bring about the development of "our own" alternatives. Being European doesn't confer any particular skills required to build a GDPR-compatible Facebook, if Facebook itself can't even build it themselves.
Hence my predicting that traditional media would gang up against Facebook. It wouldn't be the first time there's a disconnect between television and the people. (Who's right is a separate issue.)
That's a very different kind of "trade barrier" than is being discussed here.
The barrier being thrown up here is in fact not so much about trade but about privacy values. I see that as a very different thing, if a business wants to draw the line for privacy ethics elsewhere, but that line happens to be subject to regulations which reflect our values, then that is indeed a barrier, but I don't see much wrong with it. Unless you want to argue that US values on privacy are somehow more right than the ones we decide on in the EU.
If FB leave the EU, then some EU company can copy the software (we know what kind of features people want), and this company will be able to operate in EU and USA, but FB will not be able to operate in EU, giving this EU company a massive benefit and safe harbor.
The first EU country is #10, and it won't even be an EU country in a few years.
I think Facebook would survive leaving the EU market just fine. I'm sure they really, really don't want to, but they could.
Edit: updated link
1) GDPR applies to the UK even if Brexit happens. It is already a matter of UK law. In fact it seems the UK is leading the way to GDPR adoption.
2) It is totally unclear that Brexit is going to cause any changes to the UK/EU regulatory arrangements in anything but name.
The rest of the EU is a bigger question. The EU is desperate for cash. It faces a huge budget shortfall, member states that don't want to pay more and it can't raise a corporation tax itself by treaty. Repeatedly fining tech firms looks like a nice way out for them.
But that said, hopefully the UK will repeal GDPR eventually along with associated EU nonsense like the cookie law.
Do Facebook have a presence in the UK? I thought they were headquartered in Dublin? Do Facebook pay tax in the UK? News to me.
> The ICO already said that it doesn't intend to use its big new fining powers under GDPR anyway, as there's no need.
Citation very much needed. The ICO will follow the law. The ICO is using its DPA powers already. The
> The EU is desperate for cash
The EU organisation is handing rebates back to members at the moment... The UK just got one. Or perhaps you mean countries in the EU. Germany has a budget surplus, so I don't know what you could mean? You sound bitter?
> But that said, hopefully the UK will repeal GDPR eventually a
It seems extremely unlikely that the UK won't retain 'regulatory alignment'. This is actually part of the agreement over NI border? This will also be a prerequisite for a trade deal, and the UK will continue to make CE marked goods or they would not be able to sell them
> long with associated EU nonsense like the cookie law.
The EU is already on this one. What other 'nonsense' consumer protection law do you want undone?
> Citation very much needed. The ICO will follow the law. The ICO is using its DPA powers already
You can see how few people ICO impose fines on already, and that they have never imposed the maximum fine.
UK regulators really do take a light touch approach, aiming to get companies to change behaviour.
Why would they have to impose the maximum to be effective?
The maximum sentence for arson in the UK is life imprisonment, something you are unlikely to see imposed. That doesn't mean that everybody is going to start torching their houses for the insurance.
> UK regulators really do take a light touch approach, aiming to get companies to change behaviour.
Maybe the German ones did too, but Facebook chose to ignore them?
Here is a recent DPA case against a non US company btw.
And if you did see that, I suspect you'd start seeing that maximum imposed more - there's no reason why the ICO wouldn't do the same if lower fines were ineffective.
I'm not sure what it'd involve for contracts and payments. But many EU firms have US legal presences too. They could easily buy ads on Facebook through their US presence. Multi-nationalism works both ways.
It's not a market you can decide to leave on a whim if you're a serious business.
By limiting their use of personal data, according to the law? And by requesting informed consent from users, instead of silently opting them into all their anti-privacy features? And by not hiding this two thirds of the way through a 100 page TOS?
It's not like it's impossible to make a good faith attempt at all those things. Facebook isn't even trying.
When they make a good faith attempt, and get sued out of existence, you may have a point. They haven't, though.
A good example is the VAT law of Europe. No problem for big companies, but small companies struggle to comply (it's a returning subject on HN). Or the net neutrality law in the US: it will become harder for a startup to disrupt YouTube.
The worst case? I think that's the best case, actually.
You do realize there's nothing special about Facebook at all, except for currently being the most popular and biggest social network. The major features I hear people repeat again and again for not leaving Facebook (keeping in touch with family and friends, planning events) also happen to be the most basic, easily reproducible features. It's just getting the userbase that is hard.
So yeah, Facebook withdrawing from EU markets? PLEASE DO! I predict within no time, we'll have a whole bunch of replacement social networks (they already exist even), with better features, better privacy and hopefully interoperability.
It's not hard to switch at all, not even to the general public. They'll just register for whatever their friends are using. The only thing holding them hostage is that "everyone is on it". In fact teenagers already want to be on social networks their parents aren't on.
They might lose their timeline, comments, posts, memories, pictures? Guess who they'll blame.
Good, I would love to see FB be gone from EU altogether.
German law forbids a real-name policy, has to allow pseudonymous usage and advertise this fact as long as it's technically possible and feasible.
German law is obvious, but not whether Facebook is bound to it. The court ruled it is.
That makes a lot of sense but I've seen this often taken to extremes such that the perspective is used to absolve various levels of government, corporations, and organizations from responsibility over making decisions about common goods or on the behalf of others (things like healthcare, safety/protection, insurance, privacy, etc.).
So this position from Facebook seems (to me) to be a very American approach to take. ie. "We give you a plethora of options to secure your information, thus it's on you what information we get. After that, once we have it, then it's ours and not yours anymore."
The privacy regulators have the authority to enter your business and server locations and look directly at the data you have and what you do with it.
Also, laws do have an impact even if there is no technical means to enforce it. Working without paying taxes is forbidden but has no technical means of ensuring it. Yet, most pay taxes.
What is so difficult about deleting, not collecting and not using data?
When the privacy settings reset to "allow almost everything" at every update, you can guess Facebook tried really hard to make your changes ineffective.
Privacy settings only exist for plausible deniability. And that plausibility is dwindling every year.
For example, explain to someone who is illiterate in technology how the act of you "tagging" your friend in a photo is to offload image labeling work to train a deep neural network to infer your friend's face.
If you radically simplify the issue in line with GDPR by saying something like:
"Whenever you tag a friend in a photo you help teach our computers to recognize what your friend's face looks like"
It makes it seem way more terminator/ominous than it is to the average person.
Ok now do the same thing with all of the nlp, voice etc... data points.
I just don't see how Facebook is going to deploy a worldwide education effort on big data effectively.
Personally, I think it's actually pretty ominous. Prompting people to consider what the consequences of their FB actions are can't be bad - I bet a lot of people wouldn't tag their friends if they knew what it was doing and really thought about the implications.
Just because someone thinks that it might sound bad is not a reason to not disclose it. If people think that FB image tagging training their systems to recognize people's faces is bad, that's probably a signal that shouldn't be ignored.
That's a good simple explanation IMO. If it sounds scary, maybe it is.
I think there has been a lack of reasonable and measured discussion about this issue, it's very polarized as with most things.
This doesn't mean, of course, that more regulations can fix things, but I think the world is changing, possibly for the worse, while some people say we should remain calm and do nothing, because nothing unusual is happening.
Edit: I am not suggesting people are becoming less ethical than in the past "just because" - I'm suggesting information technology is letting smart people increasingly subvert norms about transparency, because once you can quantify the effect of your customers' cognitive biases, competition makes it imperative to exploit them. Even if you don't realize what you're doing, you do enough A/B testing and it's automatic, I should think.
2 don't sell your soul to marketing parasites
Seems like common sense really but it has (US) companies scrambling. Good. We are GDPR!
For example in email, people can, and do, send everything including documents with sensitive information, PII, account/payment numbers, etc. to each other - which are likely not being stored in PCI compliant, and/or other responsible ways, by the providers.
Social networks run platforms that facilitate others to provide information about you when you did not agree: whether you're on Facebook or not, you're on Facebook.
Same with contact apps where you fill in all your friends' contact info then simply pass it all to a company without the consent of your contacts: mass legal doxxing.
Any communication medium where the platform has access to the contents of the communication might be susceptible to serious future legal/moral ramifications. There is a non-zero possibility that today's business models might be fully illegal at some point. Perhaps replaced by decentralization/encryption/privacy/crypto/etc.
A lot of Germans use Fb with a fake name anyway
To FB the fake name is only yet another datapoint connected to your identity. Make no mistake, they know who you are and what you did last summer, and can pretty much predict what you will do next summer as well. Or worse, influence what you will do.
Part of the problem is that FB still compiles and uses data on people even if they're not FB users. FB assuredly has plenty of data on you, and uses that as they see fit, regardless of if you've agreed to their terms or not. I would hardly consider that to be 'zero effects'.
There's of course the way of other people giving them your data such as photos of you - but that's illegal and against FB TOS.
It's not "consent" as understood by GDPR and ePrivacy. You had no recourse not to give it, therefore it was not willing and informed. Implied consent ("agree or leave") is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.
If you read the first paragraph of the article, you'll notice that that is in fact the thing that the court is talking about: the degree of consent created by their terms of service process is deemed insufficient for the disclosure that agreement covers.
Even if you do that, most people don’t, regardless of country. “Disclosing” things by putting them in the middle of a document that people don’t read was deemed insufficient.
It reminds me of a cute exchange from Hitchhiker's Guide to the Galaxy:
Mr Prosser: But, Mr Dent, the plans have been available in the local planning office for the last nine months.
Arthur: Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn’t exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything.
Mr Prosser: But the plans were on display…
Arthur: On display? I eventually had to go down to the cellar to find them.
Mr Prosser: That’s the display department.
Arthur: With a torch.
Mr Prosser: The lights had probably gone out.
Arthur: So had the stairs.
Mr Prosser: But look, you found the notice, didn’t you?
Arthur: Yes yes I did. It was on display at the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying beware of the leopard.
That's a nice quote but you have to click a button that says 'I've read the TOS' and next to the button is a link leading to the TOS.
If you've chosen to not read them, it's entirely your problem.
I don't see the Valley's hold on social networking loosening any time soon. For all its faults the USA doesn't constantly fine its firms for not doing "enough", whatever that means.
2. The EU is a very rich, large market - considered the single largest economy in the world (GDP per capita). Good luck not targeting it with your products.
3. The pendulum around data protection is swinging back, this is normal. Apple saw it and adjusted already. Google is cooperating and staying quiet. Only FB is stupid enough to fight in courts.
Anyone can claim jurisdiction. Enforcement is another matter entirely. If there is no presence in Europe, I can't imagine how they would collect.
I've worked with companies as small as 200 people who have a presence in the EU.
Facebook have no business in the EU unless they are selling advertising to EU companies
I would not rule it out on principle but it is highly unlikely.
If FB were to be shut down tomorrow I would probably not even notice.
Based just on the fact that you are on HN, this is, uhm... highly unlikely.
By the way, I wonder how it would actually look like. I mean, if FB was actually blocked in Germany or something like that, I imagine people (the victims of FB crimes) would very much vocally defend FB, claiming they don't give a fuck about their privacy. Which I cannot decide if it's funny or not.
GDP per capita in the EU is around $37k. The US is $57k per capita.
That puts it at 46th in the rankings.
So if a social media platform strictly based outside of the EU "exports PII" from an EU resident there isn't anything the EU can do about it, other than asking google or apple to take their app off the app store or somehow blocking the domain across the EU.
> You do realize the EU can stop or confiscate the money that is transferred to you from European customers?
I don't have any money being transferred to me from European customers.
Unless the EU has a treaty with the non-EU country me and my site are in that provides for the enforcement of EU fines in this area in me or my buyer's country, how are they going to actually enforce a fine against me?
• I run website W. W does not obey EU privacy and data rules, but I, my company, my server, etc., are all outside the EU in places without treaties that would allow enforcement of EU rules against me.
• I sell data from EU citizens who visit W. I sell this data to ad network N that is also outside the EU. (I'm selling N all my visitor data, not just data from EU visitors).
• Company C that is in the EU or sells products in the EU or has a presence in the EU buys ads through N. N uses the data they bought from me to show C's ads to visitors from the EU who visit websites using N's ad network.
1. Which of the various entities in this (me, N, C) are violating EU data and privacy laws, according to the EU?
2. Which of those entities could the EU actually enforce a fine against?
3. For those entities that are violating EU laws (according to the EU) but are out of the reach of EU fines, can the EU take alternate action such as ordering EU ISPs to block access to their websites?
I think that's the gist of the GDPR. Make personal data toxic.
2. I remember people saying that about China. The market was too big to ignore. Somehow Facebook got banned in China completely and did fine. Same for YouTube, Twitter, etc. They're companies any founder could be proud of. You could serve the US market and make money advertising to EU member state citizens without having a corporate presence in the EU, it'd still be a nice business.
3. Hardly, Apple / Ireland are appealing the EU tax ruling, Google has been getting fined repeatedly for things like Google Shopping and maybe Android, FB getting fined is nothing new. And what's "stupid" about fighting in courts ... unless you believe the EU's courts are kangaroo courts that are guaranteed to always take the EU's side? Why shouldn't they appeal? It's hardly like these cases are bulletproof. Most of them can't even explain what precisely was wrong.
Seems very clear what is wrong.
I'm thinking that perhaps it's a good thing that future companies like FB can't take off in Europe. The need for a product like FB is clear, and if the rules prohibit FB like companies from taking root, then it gives grassroots or open source a chance. We'll see.
Nor are any of the other cases clear cut. Apple's case isn't even about Apple, it's more like a power struggle between the Commission and the Irish government.
We saw how Germans reacted to the rise of Facebook years ago. It wasn't through some 'grassroots' social network or open source. It was simply a local clone of Facebook, China style, right down to cloning the UI:
If the EU succeeds in convincing the rest of the world that it sees their firms as cash cows, all that'll happen is that people who live in member states will have to live with crappy local ripoffs - no different to China.
> "Evidence shows that even the most highly ranked rival service appears on average only on page four of Google's search results, and others appear even further down"
I think this is a death sentence for any website whose that previously depended on unbiased search results. I remember reading sometime in the past that virtually all clicks go to the first two results, third and fourth barely receiving any, and other pages not even visited.
Combined with the fact that google supplied 90% of all search traffic it looks clear that they were starving their competitors.
To be honest I'm also skeptical of any open source, (hopefully distributed) social network from ever coming into existence. But I'm equally sure that what FB, and google, are doing with information about me is not the way to go. They are earning money with the information they are endlessly slurping up about me in any way they can. Rarely with my _informed_ consent. And if this is how the EU fights back, I'm all for it.
Like the bait and switch they do with youtube. I've had an account there for ages, long before social networks were a thing. I've got content up there, 2k video's that I've liked and would like to be able to keep visiting. But it has happened a number of times where I was forced to 'accept' the changes to the TOS. Youtube does not allow me to download my liked video's easily. Apparently what they are doing is not illegal, or maybe the courts have not caught up to the things like this yet. But it does create an adversarial relationship, therefore I dislike youtube, and loathe facebook and google these days. They are constantly taking steps to my disadvantage.
Don't get me started about the maps thing. They're very keen on defining Google search as Web search, and neatly divided search engines. Don't know about you, but if I put an address into Google search I expect a map back, and it's daft to expect Google to guess how to find it on a competitor's sites when they have (likely better) data at their disposal. And yes, they got ruled against for this (giving a helpful Google map result if I input an address).
Further, I fail to see why "volunteering" it is relevant at all.
I've got no recourse against this - or maybe I have because Facebook is big enough that it's worth it to create targeted block lists. But against the next 20 smaller companies who do the same?
This is why there needs to be something else than just blindly trusting everyone out there. Because someone will not play fair if there's a competitive edge to gain.
Citation needed? Facebook gets revenue from their ad network, which is used by European business customers and targets European users. Therefore they need to comply with European law.
I've never heard of this before, is it a part of GDPR?
The Facebook Europeans use is very much an EU company.
"Facebook is well understood as being a major customer of third-party data-brokers, who compile huge dossiers on people based on their spending, internet and phone usage, employment history and so on. In addition, Facebook encourages users to upload their entire address books to the system to "find your friends," and users generally don't appreciate that they may be leaking sensitive information, including nicknames, private numbers, and connections to the system.
Facebook mines this data to create "shadow profiles" of its billions of users. These are profiles that are filled with data about you that you have never consciously provided to the system -- data mined from third parties, including your friends, but also those spooky data-brokers. Facebook's shadow profile system was first confirmed in 2013 when it accidentally leaked users' shadow profiles to them along with their own data, something the company says it will never do again out of (ironic) respect for the privacy of the people who provided the data that goes into your shadow profile.
Facebook's shadow profiles are involuntary and there's no opt-out. Facebook has shadow profiles on people who don't use the service. For example, even though I'm not a Facebook user, multiple people have uploaded their address books containing my email and phone number to the system, allowing Facebook to create a profile of my contacts by looking at who lists me as a contact."
Facebook’s reckless use of private data is a public hazard not unlike passive smoking. It’s not going to be solved by an asymmetric fake free market where customers are free to choose an option that doesn’t exist.
In my recollection, in the US, 30 years ago restaurants had "smoking" and "non-smoking" sections. And non-smokers sometimes complained bitterly about smoke wafting into the "non-smoking" section. Which in fact led to some restaurants being all non-smoking before government intervention. The NY statewide ban on smoking in workplaces was only passed 15 years ago.
I don't know about bars 30 years ago, though. Because drinking has always been considered a "vice", I think people tended to group it with smoking and think if you're going to tolerate one, why not the other.
Smoking bans in restaurants and bars have made a significant difference in most states.
If I remember correctly, we had a non-binding agreement between the health ministry and our national restaurant and hotel organisation at first, but this did not change much.
Even most smokers I know agree that the laws were necessary, and that they are thankful for them because otherwise they would not go outside to smoke.
It also makes them more likely to buy them illegally.
That is an inappropriate accusation. In Germany, large data collections have been seen as very problematic since before social networks were a thing. Authoritative action and laws take time to adapt to new problems. The prevalence of social networks like Facebook nowadays sped up the process, but I'm confident it would have come sooner or later anyways.
Also, Europe is certainly a place where one can do business very fine. Handling data about other people they are not aware of or don't consent to is a very specific aspect. Just don't record data about other people and you are fine in this aspect.
"Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register"
How is putting privacy settings in the privacy center hiding them? What is "sufficient" information when users register? Where in law are these things spelled out?
Germany isn't punishing Facebook for anything actually concrete or real. Rather the German courts and regulators seem to think they should design Facebook's UI instead of Facebook. This is not how free markets work and if you were creating a new company, why let some random German regional court waste your time on disputes over the position of widgets in your user interface?
There is no such thing as a fully free market, and that is a good thing.
The complaint is not that they want to control every detail. Certain parts of the agreements might simply not be valid just by clicking a check box, or the parts are not displayed in a form that is considered appropriate. Imagine a document with 15000 words that is unnegotiable by you. Will your mother read that so she can give meaningful consent? I don't think so, so the consent isn't valid. This line of reasoning is about common sense, and not about formalities, and I'm glad it is relevant in law.
Facebook is a national security risk and should not be let to reign free as it likes. I see no problem if we tame a vulnerability - the way it handles our personal data, how it uses it to push ads and politics, how it influences elections by tweaking the feeds. Not to mention that it doesn't like to pay taxes in EU.
Your brain has been broken by money.
2) It is a very politically stable block, with low crime and corruption, war etc.
3) 51% of the population speak English as a first or second language
4) High levels of literacy
5) Free market
Sounds like a really excellent place to sell advertising, as long as you don't mind not exploiting consumers. Why would you avoid it? In favour of where?
Social media is a psychological weapon that can disrupt a society to the point at which it can no longer function. Look at Libya or Syria. Look at how fractured the US is. If you want to point it at someone else, that would be nice.
From https://www.wired.com/story/inside-facebook-mark-zuckerberg-... it would appear that these lessons are being learned, somewhat slowly.
> Zuckerberg had reason to take the meeting (with Rupert Murdoch) especially seriously, according to a former Facebook executive, because he had firsthand knowledge of Murdoch’s skill in the dark arts. Back in 2007, Facebook had come under criticism from 49 state attorneys general for failing to protect young Facebook users from sexual predators and inappropriate content. Concerned parents had written to Connecticut attorney general Richard Blumenthal, who opened an investigation, and to The New York Times, which published a story. But according to a former Facebook executive in a position to know, the company believed that many of the Facebook accounts and the predatory behavior the letters referenced were fakes, traceable to News Corp lawyers or others working for Murdoch, who owned Facebook’s biggest competitor, MySpace. “We traced the creation of the Facebook accounts to IP addresses at the Apple store a block away from the MySpace offices in Santa Monica,” the executive says. “Facebook then traced interactions with those accounts to News Corp lawyers. When it comes to Facebook, Murdoch has been playing every angle he can for a long time.” (Both News Corp and its spinoff 21st Century Fox declined to comment.)
If I upload data to Dropbox, my bank, or my health insurance, I don't expect them to be sold to advertisers either. So what if there was a social network that actually respected its users and didn't exploit their data for its own ulterior motives? Seems to be an inconceivable notion to some.
So does the EU.
"The European Patent Convention states that software is not patentable. But laws are always interpreted by courts, and in this case interpretations of the law differ. So the European Patents Office (EPO) grants software patents by declaring them as 'computer implemented inventions'".
And nothing of value was lost.
The EU isn't fining its firms. It is fining US firms. Big difference.
The EU has long had stronger user-privacy protections. This isn't new or unique to the last year.
30 seconds of googling got me this WSJ article from 2015