Facebook ordered to delete illegally collected data by Belgian court (theguardian.com)
418 points by 317070 on Feb 16, 2018 | 230 comments



That's still pretty mild compared to what will be possible past May 15th. FB better count its blessings that this happened now.

https://www.gdpreu.org/compliance/fines-and-penalties/

No cap, up to 4% of worldwide annual revenues for these kind of transgressions of the law.


I am happy that things are finally moving in the right direction. A person stalks you and they (rightfully) get punished. {Google, Facebook, ad networks} stalk you across the net, recording information about your interests, your fears, and your secrets, without permission. And they get away with a free pass. In fact, we celebrate them as startup success stories and want to work for them.

We should at least have a choice on whether they can track us or not. And when we say 'no thank you', that should be respected.


I agree with you, and saying "no thank you" should not even be necessary. Continuing your example, should stalkers be allowed to stalk you up until the point where you deliberately request that they don't?


It's a bit more complicated than that. Is the stalker analogy even a thing? Because if you were to continue to the analogy then you would be hanging out at the stalker's house, eating the stalker's food and then pissed he's collecting data in his house?

I get it when it comes to analytics, beacons, tracking outside of the ecosystem.


No, stalker has a security camera company, and you visited the stalker's house once because of this great party and left when it seemed dead. Stalker now knows you and starts noting every shop you visit through the cloud connected cameras. You had downloaded an app to get into that party and forgot to remove it later. You start getting notifications about the last restaurant you visited.


This metaphor is getting stretched to the point of complete craziness, but all of this is totally possible. But my bigger question is, when does autonomy and agency end when it comes to these "invasions" (quotes only because we all allow it in varying forms, but it's the creepy emotional factor that seems to elicit a response)


I don't associate with this stalker, I've blocked them from my contacts, moved away, told my friends about them, and I still experience moments of anxiety associated with their incessant invasion of my personal space, and the fact that they conspire with other stalkers to build the most complete profile of me possible.

And the police don't seem to care at all, nor do their masters.


Should a sender of a letter have the right to say that the recipient can't put their address into their rolodex?


I think the better analogy would be the postal service using return addresses to populate a database.


Doesn't the postal service already scan every piece of mail and put those images in a database?


>> Should a sender of a letter have the right to say that the recipient can't put their address into their rolodex?

How is a global surveillance network and database like a Rolodex?


Google, facebook, etc are pretty horrible surveillance networks if that is what they are, considering you can just choose to not communicate with their services and they aren't surveilling you any more.


That's pretty disingenuous though, given that FB and Google both track you across the net whether you have an account with them or not. Logging out of your account doesn't stop them or increase the difficulty of them tracking you, or associating that trail with you.


How do facebook and google track me if I, say, install ublock or adblock?


That's actively taking steps to block their tracking rather than just not using their service. And while technically, you can use uBlock Origin to block everything from Google, that would result in many webpages being broken.

You're also likely to be using Google's DNS (8.8.8.8) without knowing, because some piece of software decided to hardcode that DNS server.

And your friends have almost certainly already uploaded your data to Google's Android backup service and to WhatsApp's database.


Your analogy fails because for most people facebook is not a "stranger" as they already have an account with them. In the case of acquaintances there is more of an onus to inform them if you wish to minimize your contact.


I suspect that most people do not in fact have a Facebook account. Last I checked, world population was over 7 billion and Facebook did not have 3.5 billion accounts. Or did you mean "most people who live near where I live"? But even there, the existence of Facebook shadow accounts means they will stalk you even if you do not have an account.

As a further point of fact, Facebook (and Google; Facebook is not alone here) stalks even people who _can't_ have a Facebook account. For example, children under 13 in the US.


Certainly there is no defense there. I will say though, much like real life one should be careful of the company they keep - in this case websites which partner with these companies. We should be just as pissed or more at the websites enabling this behavior.


Yeah, I really wish websites would just stop embedding Facebook Like buttons. That would already help a lot.


>As a further point of fact, Facebook (and Google; Facebook is not alone here) stalks even people who _can't_ have a Facebook account. For example, children under 13 in the US.

Surely this is illegal, though? One way to get the laws to ban this sort of dragnet commercial surveillance of people would be to appeal to the 'think of the children' argument and ban companies from tracking information about anyone under 13. That would also stop them from tracking information about anyone that hasn't totally confirmed that they're over 13.


> Surely this is illegal, though?

I don't know enough about the law on this to comment.

> would be to appeal to the 'think of the children' argument

Tempting, though I worry about unleashing demons even if you think they're on your side... ;)


Facebook tracks you even without an account.


So if I buy a watch from someone on Craigslist, he's no longer a "stranger" and the onus is now on me to explicitly inform him to not follow me around? Doing business with someone or some business should not imply consent to their monitoring you.


You describe a one-off transaction in which no expectation of future contact is anticipated. Facebook is an account with an ongoing relationship. It's the difference between seeing someone multiple times and saying hello to a stranger on the train.

I'm not saying they don't take it too far, but certainly someone with an account has invited facebook to do some data collection and tracking.


Fine, so instead of Craigslist Guy, let's use Home Depot, where I shop often. Just shopping there does not imply my consent to them tracking where else I go and shop throughout my day. Merely having an account somewhere or regularly doing business somewhere should not imply consent to tracking and data collection, to which I must opt out.

ADD: I probably have 100+ accounts at various sites online. Do these guys all get free passes to collect data and track me because I happen to have created an account there?


If you opened a credit account with Home Depot or had their loyalty card you'd be literally consenting to more tracking. That's the difference between an account and a one off transaction.

Facebook certainly operates outside of even this rather liberal framework so I wouldn't defend them wholesale. However I don't like false equivalencies.


It's one thing to track me on facebook.com where I signed up, another to track me on blogs, newspapers and everywhere else.


> It's the difference between seeing someone multiple times and saying hello to a stranger on the train.

It goes further than that, as it affects other people too.

See also: Eben Moglen's talk about how privacy is ecological, not transactional.

http://snowdenandthefuture.info/PartIII.html


Facebook also spies on people who have never used the service.


Cal Pen Code § 646.9 . Stalking. (2008) (a) Any person who willfully, maliciously, and repeatedly follows or willfully and maliciously harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety, or the safety of his or her immediate family is guilty of the crime of stalking...

In California, stalking requires both malice AND a credible threat to safety. Comparing Facebook or Google tracking to stalking is, at least in California, highly inaccurate.

There is actually no crime in following someone around. The crime happens when it's done maliciously and with the intent to create a reasonable fear. Facebook isn't trying to instill fear. That's not their intent at all.

To be clear, I'm not defending Facebook, I'm just calling out the hyperbolic nonsense that gets thrown around in these discussions.


> Facebook isn't trying to instill fear

Except for when they're running psychological experiments designed to manipulate the emotional state of their users.


I would consider the mental/emotional manipulation of billions of people solely for monetary gain to be malicious. Fear is a cash cow for advertising. Your safety is indeed at stake when so much sensitive personal information is aggregated and centralized by anonymous persons and then sold to other unknown parties.


In daily use people (at least here) will also use the word 'stalking' for obsessively following a person physically or online.

Or if you want to stick to definitions:

verb (used with object)

5. to pursue (game, a person, etc.) stealthily.

http://www.dictionary.com/browse/stalking?s=t


People don't get punished for that definition of "stalking", which you specifically referenced in your first post.


I wonder, if a European implementation of the TPP existed and passed, whether Facebook could have sued Belgium('s public coffers) back for lost profits.


"No thank you" is such an archaic term; The cool kids these days are given the option to "Agree later".


I like your analogy. This is classic stalking and I'm glad that something is finally being done about it.


Consumers have a choice of not using the service. It's possible to survive without using Facebook.


Except for the fact that facebook tracks you even if you do not nor have ever created an account. We can survive without facebook, but it is a leech that cannot survive without our data.


Are facebook 'shadow' profiles not real?


True. But we are not the average consumer. We know better and can make an informed decision.


Facebook is tracking everyone including non users. That's what those Like buttons do.


How can Facebook not know your interests, isn’t that the whole point of the Like button? How do you propose having a social network that lets you Like and Reshare stuff and not let them know?


If Facebook tracks me outside of Facebook's website because that other website has tracking code or a like button (which I didn't click) and I don't have an account on Facebook, I'm not ok with that.

I think that's what GP is referring to.


I'm not crazy about the current state of internet privacy, but I think it's a missed opportunity if we don't teach the general public just how much control they have over it. Most tracking being done can be prevented by a few modifications to web browser configuration. At the end of the day, we are sending Facebook our ID to be tracked. This is avoidable for a user with some knowledge and agency.


I don't think the answer is to put the onus on users to be tech savvy. We should be structurally preventing the behaviour.


Why not both?

We can remind people that the internet is still a dangerous place, while also trying to discourage bad behaviour


By structural, you mean regulatory. I agree that data stewardship should be much better-regulated than it is now.

But right now I can install any number of tools on Google's own browser that mitigate most common tracking/privacy concerns. I don't necessarily agree that we need to increase government regulation to address a concern that a Chrome extension is already serving.


the answer to privacy violations cannot just be technological solutions on the consumer end. It's like having people break into your house every week and someone tells you to buy a good pair of boxing gloves.

This warrants a political solution and I'm glad that the EU is moving in the right direction.


While that should be taught, it should also be taught to companies that they should respect people's right to privacy.


If Facebook tracks me outside of Facebook's website because that other website has tracking code or a like button (which I didn't click) and I don't have an account on Facebook, I'm not ok with that.

Then your beef is not with FB but the website which _chose_ to embed FB like button. You should stop using that website if you are not ok.


Yeah, that's like 40% of the internet, including almost all news.

The argument "just don't participate in society if you don't want people tracking every news report you read" doesn't really sit well with me.


Well these are the terms of using the site. You are not entitled to anything.


Can you practically view those terms without loading one of these buttons beforehand?


That's an issue, I agree.


I think you can already block those connections, so yes


What if blocking is against the terms of service?


You were not aware before reading those terms


Aren’t the Like buttons distributed around the Web and used on purpose by publishers? If you’re reading the New York Times, there’s a like button on the story; if you click it, aren’t you explicitly telling Facebook you’re interested?

Perhaps you object to the page impression being tracked even if you don’t like it? This seems unavoidable unless you mandate publishers host their own copy of the code behind these buttons and use a public API only to record the likes.


Facebook was tracking users even if they didn't click the Like button. This has nothing to do with page view tracking.

And they were tracking even non-Facebook users this way. There's zero consent here no matter how you cut it.

Worse yet, Facebook did this for years, and in the first years it swore it doesn't do that, and when they were caught doing it they said it was "just a bug"...twice.

Facebook has 0% credibility at this point. Just look how they're ruining people's trust in 2FA security, too, now (although if they end up ruining the trust in SMS 2FA, that wouldn't be too bad of an outcome actually...).

This is a good article (although not complete, and only until 2014) on Facebook's awful, no-good, history of lying and tracking users without their consent:

https://www.propublica.org/article/its-complicated-facebooks...


There's zero consent here no matter how you cut it.

That's not true. You implicitly consent to the usage policy of that website, which then gave permission to FB. Of course GDPR makes it illegal, but until May 25 it's not.


Is it possible to even view the usage policy on one of these sites without hitting a page that loads one of these like buttons first?


2FA notif scam was the last straw for me. Just deleted my account. So long and thanks for all the fish!


Loading the like button is enough for facebook to track you and infer your interests. You never have to click it.


As far as I know, Like buttons are partially served by Facebook, which then knows I've accessed the site (the NYT in your example). This happens even if I do not click the button, do not hover over it, and do not have a Facebook account.


> Like buttons are partially served by Facebook

Yes, the default configuration has your page include javascript from facebook.net which the browser will request on every page view

https://developers.facebook.com/docs/plugins/like-button

In the case of this theguardian.com page it looks like they've got a webbug as the last element of the body, which results in a request to https://www.facebook.com/tr?

Having facebook count views of your like button is probably considered a feature to publishers.


> This seems unavoidable unless you mandate publishers host their own copy of the code behind these buttons and use a public API only to record the likes.

If Facebook means no harm, they could make this the encouraged way to include the like button.


> This seems unavoidable unless you mandate publishers host their own copy of the code behind these buttons and use a public API only to record the likes.

Yes, that's the consequence (well, it doesn't really have to be an API triggered from the server, it can send the user there). Or a pattern where a user has to click a locally hosted link/button which then loads the Facebook one, and/or records permission to load it with further page visits.

It's not really that much difference from an integration perspective if you include code in your page that loads a facebook iframe, or code that only does that after user interaction.


Why not blame the other website that added the fb button on their page?


I blame both. I never said I only blame Facebook.


The problem is that you are tracked by FB and Google on other websites, they know what you are reading and canalizing it, say they know what politics site you visit, what technology site you are reading, any other pages and then they put you in a bucket for advertising(say rich dude likes expensive tech, car videos, prefers dark color sites, not that smart, prefers this party, has X opinions on y)

Google analytics should not be allowed without me getting a prompt to allow it or not, FB button should be a simple static image without tracking unless I click on it. Also they track users that are not logged in or do not have accounts.


> Google analytics should not be allowed without me getting a prompt to allow it or not

One way to go about it could be to force all these data collectors to show what they know about us, how much they shared and with whom, and allow us to delete that data on request. I'd really like to know everything FB tracks on those like buttons, it's probably an obscene amount of personal data.

Once people see how much data they retain, there would be a righteous outrage. These datasets have been provably used to manipulate elections, subvert democracy and target us with fake news. I'd like a report of what fake news and politically motivated ads I've been served by their recommenders. Maybe if they are forced to come out in the clear about what they do with our personal info, they would change their tactics. We need reverse surveillance on FB and the other tech giants and ad companies.


> I'd really like to know everything FB tracks on those like buttons, it's probably an obscene amount of personal data.

When you request a page like this guardian article, all they'd have access to would be:

  * The url you requested, along with time and IP
  * Any facebook.com/facebook.net cookies you have stored
  * Any other headers your browser sends
  * Metadata about the page itself that the publisher publishes via "og:" tags

Said og: tags look like this: <meta property="og:title" content="Facebook ordered to stop collecting user data by Belgian court"/>

How does that compare with what you meant by "obscene amount of personal data"?
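The two comments above describe the mechanism: the default Like button embed pulls a script from facebook.net on every page view, the page's webbug produces a request to facebook.com/tr, and each such request carries the page URL, any cookies for that host, the usual headers and whatever og: metadata the publisher exposes. The following is an added example, not code from the thread, the Guardian or Facebook: it audits a page's HTML for exactly those resources a browser fetches with no click at all, and lists the og: tags next to them. The HTML is constructed to resemble such an article page; the article path and the pixel id in it are placeholders, not real values.

```python
"""Audit which third-party hosts a browser contacts merely by loading a page,
and what page metadata (og: tags) those hosts can read alongside the request.

Added example (not code from the thread or from Facebook's SDK). SAMPLE_HTML is
constructed to resemble a news article page that embeds the Like button SDK
script and a 1x1 tracking pixel; the article path and the pixel id are
placeholders, not real values.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose URL the browser fetches with no user interaction.
AUTO_LOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> variants the browser actually fetches (rel="canonical" is not one).
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}

SAMPLE_HTML = """<!doctype html>
<html><head>
<meta property="og:title" content="Facebook ordered to stop collecting user data by Belgian court"/>
<meta property="og:type" content="article"/>
<meta property="og:url" content="https://www.theguardian.com/PLACEHOLDER-ARTICLE-PATH"/>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.theguardian.com/PLACEHOLDER-ARTICLE-PATH">
</head><body>
<p>Article text goes here.</p>
<div class="fb-like" data-href="https://www.theguardian.com/PLACEHOLDER-ARTICLE-PATH"></div>
<script async defer src="https://connect.facebook.net/en_US/sdk.js#xfbml=1"></script>
<img src="/static/logo.png" alt="">
<img height="1" width="1" style="display:none"
     src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView&noscript=1"/>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects auto-fetched resource URLs and og: metadata from the markup."""

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url) pairs fetched on page load
        self.og = {}     # "og:title" -> content

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get(AUTO_LOAD.get(tag, ""), "")
        # <link> only counts if its rel makes the browser fetch it.
        if url and (tag != "link" or set(a.get("rel", "").lower().split()) & FETCHED_LINK_RELS):
            self.loads.append((tag, url))
        if tag == "meta" and a.get("property", "").startswith("og:"):
            self.og[a["property"]] = a.get("content", "")


def _parse(html):
    c = _Collector()
    c.feed(html)
    c.close()
    return c


def og_tags(html):
    """Return the og: metadata the publisher exposes about the page."""
    return dict(_parse(html).og)


def third_party_loads(html, first_party_host):
    """List resources fetched automatically from hosts other than the publisher.

    Each such fetch hands the third party the article URL (Referer), any
    cookies the browser holds for that host, the User-Agent and the client IP,
    whether or not the visitor ever clicks anything.
    """
    fp = first_party_host.lower()
    out = []
    for tag, url in _parse(html).loads:
        parsed = urlparse(url)
        host = parsed.hostname
        if host is None:  # relative URL: same origin as the page itself
            continue
        host = host.lower()
        if host == fp or host.endswith("." + fp):
            continue
        out.append({"tag": tag, "host": host, "path": parsed.path})
    return out


def exposure_report(html, first_party_host):
    """Group third-party fetches by host: one entry per host that sees the visit."""
    report = {}
    for load in third_party_loads(html, first_party_host):
        report.setdefault(load["host"], []).append(f'{load["tag"]} {load["path"]}')
    return report


if __name__ == "__main__":
    for host, resources in exposure_report(SAMPLE_HTML, "theguardian.com").items():
        print(f"{host} sees every page view via: {', '.join(resources)}")
    print("Page metadata readable by whoever fetches the URL:", og_tags(SAMPLE_HTML))
```

Run it against a saved copy of any article page (substituting the publisher's host) to see which hosts are contacted before the visitor does anything. The point the comment makes holds here: the visitor never has to click the button; the script and the pixel fetch alone are enough.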


Knowing who you are and what pages you visited in the last years is a lot of data that they mine to tag you and sell to advertisers. I think they can build a good profile of you by knowing all the obscure links you visit and how much time you spend there.

The users should have a choice, "Do you want this site to share your data with Fb,Google ?" If you do not accept you can't use it, but it is your choice not to use the website, the users will get informed because now I am sure most of the people don't even know about the tracking.


So at minimum they've got your identity and much of your browser history.

Seems reasonable to call that obscene.


If you're not in the US or Canada, you can ask for all the data FB is storing about you: http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data...


You don't need to save each and every action for ever to build up a profile, you can just use it for the moment and then forget it.

Just like on HN there is no page with 'favorite articles'.

Oh wait ;)


The fact that the favorites list is public is known and explicit. If you want to keep it private you can upvote what interests you.


I really think that all of you who are salivating at the prospect of the GDPR destroying FB should prepare yourself for disappointment. The intent behind the law might be good, but it's unlikely to accomplish what you want it to.

1. It's a bad law, because it's so overly broad and vague that it's going to be impossible to be fully compliant. For example, an EU resident hits your server while they're on vacation in Australia. You've stored analytics, IP addresses, etc. Congrats, you're now in violation. That's the tip of the iceberg. The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes. So now that everyone is breaking this law, regulators are free to just decide who they want to punish and how much. That's incredibly damaging to the fundamental idea of the rule of law.

2. It sets a really bad precedent regarding jurisdiction and the internet. So now any jurisdiction in the world can declare that if you do something they don't like that even remotely affects them, you owe them whatever they want. What if some oppressive regime passes a law that if your website is shown to one of their citizens and doesn't have a message praising their leader, you owe them 100% of your global revenue in perpetuity. Why not? You've violated their laws regarding behavior towards their citizens!

3. As item #2 gets at, countries can pass whatever laws they want, but they're limited by their ability to enforce those laws. If the EU gets overly broad and punitive here (as I'd argue they have), then companies will either just leave, or shift their digital operations to jurisdictions where courts can't enforce those laws.

Ultimately, I think that the realistic path here is that Google and Facebook will fundamentally change almost nothing. The user experience will just get worse, because we'll have to constantly be agreeing to a long list of terms about how our data will be used, etc, etc. And people will just agree and move on. Look at the cookie thing. Yes, I know you think it's different this time because of X, Y, and Z, but I'm skeptical. We'll see.

Regardless, the idea that we're suddenly going to live in a new golden age of digital privacy because the GDPR has good intentions is laughable.


GDPR isn't enforceable in jurisdictions that don't have corresponding local laws. Take Privacy Shield in the US - this is an agreement between the US government and the EU stating the FTC and Chamber of Commerce will act as the supervisory authorities for GDPR enforcement against companies registered in the US.

You're right, the fundamental functioning of Google, Facebook, et al. won't change. They will update their privacy policies, and give users access to view, update or delete all of their information more easily. The uses of that information will be disclosed and there will be consequences for misuse or failure to protect that information. GDPR is setting expectations for the protection of data previously where it was an anything-goes or minimum-effort policy.

I can see how those opposed to government regulation would hate GDPR, but no other industry standard on data privacy has gained traction and data breaches are happening more frequently at the expense of real people.


It will not change anything for 99% of users. But for me it will, I'll call FaceBook, Google, my government and will ask the law to be applied. They won't like it but they'll have to comply. Now, with that data, what will I do ? I'll be able to explain what data collection means to those who don't care, to show examples.


I think you’re headed for a reality check. There’s this underlying narrative in a lot of the digital privacy stuff that consumers just don’t know what’s happening. If they knew, they’d revolt.

I just don’t see it. I think people kinda know, but they just don’t care that much.

Hell, I bet half the users on HN have a pretty good understanding of what data is collected, but don’t care enough to check out. We still buy smartphones and use all these sites and put Alexa in our houses. It’s not that we don’t know, we just don’t care.


I would agree. If you don't use ad/track blockers, you already see that ads follow you around, and are targeted based on recent browsing and shopping.

So you intuitively know, at some level, that all these sites are tracking you. I agree that the average person doesn't care too much, based on the lack of serious outcry about it.


You shouldn't be storing anything without first obtaining consent. Why are you using analytics indiscriminately?

The GDPR does actually have exceptions for cases where local law requires you to store data.

Any jurisdiction can already enforce their laws upon you if you affect their citizens. There's nothing new here.


> You shouldn't be storing anything without first obtaining consent. Why are you using analytics indiscriminately?

tail -f /var/log/nginx/access.log

Did you turn off nginx's default logging?


You shouldn't be storing anything without first obtaining consent. Why are you using analytics indiscriminately?

Sorry, I find this ludicrous. Using analytics "indiscriminately"? What does that even mean? The most basic use case for analytics is to use them indiscriminately to see how visitors are using your site.

Not to mention that this is basically impossible, since storing IP addresses in Apache log files is also probably a breach. Someone in the EU sends you an email, now you're in violation because the header info is PII. A german walks into your hospital in Miami and signs in; if you don't have a special snowflake data management process for them that runs alongside your standard HIPAA-compliant one, you're probably in violation.

Any jurisdiction can already enforce their laws upon you if you affect their citizens.

No, they can't. They can declare any law, but that doesn't mean they can enforce it.

I really think that basically every business around the world who doesn't have a direct EU presence in terms of office, employees should (and probably will) just ignore the GDPR. It's a huge violation of sovereignty, the freedom and ideals of the internet, and a great example of how people will be pleased to let their governments enact policies no matter how harmful or dangerous as long as they're against an "enemy" that they hate.


So what is your beef then?

Businesses that operate in the EU have to comply, businesses that don't interact with EU residents don't.

As the US has a special relationship with EU (Privacy Shield, ..), it recognizes GDPR as valid.

Don't like it? Focus on China, where WeChat is now your national ID card and is also linked to your personal credit score. Violate any government rules - your credit score goes down. Medical reps now have to register with the Chinese government before they're allowed to enter hospitals and their personal credit score is linked to their behavior. There you go, full data transparency nirvana.

The world is a big and complicated space and big regions define their culture differently. Europe is not business-focused, but puts the citizen first. The US considers businesses as citizens, data privacy a hindrance for profitability - and China wonders what this citizen thing is.


Some random EU resident visiting your website != operating in the EU, by any reasonable definition.


So, again, there is no big problem.

Easiest step: stop logging every single hit on your site (IP, browser, etc).

You want a bit more analytics?

Log general attributes, but not the IP. Just that a hit occurred, browser, general geo (country). That's it. Perfectly compliant.

Want them to fill out a form? Welcome to GDPR, as you should.

As Maciej Cegłowski (idlewords, pinboard) so eloquently states, over and over again, you don't have to store and hoard all this data. It's BS to begin with, and dangerous in the long run.


How would you then detect that there is a botnet messing with your service? How would you discriminate between bad actors from Romania? Are you going to mass ban huge chunks of possible customers because you don't have granular enough data? The hard problem is that most of the data logged about you has very "good" uses, but at the same time it can be used for bad things. And there is no way to properly enforce only the good uses. Mass banning groups will only cripple the tech advances we see happening today.
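Following up on the `tail -f /var/log/nginx/access.log` point, the suggestion to log that a hit occurred but not the IP, and the objection that you then cannot tell a botnet from customers: the following is an added example, not code from the thread, that scrubs a combined-format access log after the fact. It offers two treatments of the address, truncation to a network prefix for pure traffic counting, and a keyed HMAC pseudonym that stays stable for one client while the key is unchanged, so per-client rate and abuse analysis still works without the raw address being kept (rotate the key, say daily, and never log it). It also drops query strings from the request line and Referer. The log lines are constructed and use documentation address ranges; the combined log format and the /24 and /48 prefixes are assumptions.

```python
"""Scrub an nginx/Apache "combined" access log so it still supports traffic
and abuse analysis without retaining visitors' raw IP addresses.

Added example, not code from the thread. Two IP modes:
  * "truncate":  zero the host part (/24 for IPv4, /48 for IPv6), keeping
                 coarse network locality and nothing else;
  * "pseudonym": keyed HMAC of the address. Same client -> same token while
                 the key is unchanged, so rate limiting and bot hunting still
                 work; rotate the key (e.g. daily) and never log it, and the
                 tokens cannot be joined across periods or reversed.
Query strings are dropped from the request line and Referer, since they often
carry tokens and tracking parameters. SAMPLE_LOG is constructed and uses
documentation address ranges (203.0.113.0/24, 2001:db8::/32).
"""
import hashlib
import hmac
import ipaddress
import re

SAMPLE_LOG = [
    '203.0.113.42 - - [16/Feb/2018:10:15:32 +0000] "GET /news/article?utm_source=fb HTTP/1.1" 200 5123 "https://www.facebook.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [16/Feb/2018:10:15:33 +0000] "GET /static/site.css HTTP/1.1" 200 910 "https://example.org/news/article?utm_source=fb" "Mozilla/5.0 (Windows NT 10.0) Chrome/64.0"',
    "this line is not in combined format",
]

# Standard "combined" log format: addr ident user [time] "request" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def truncate_ip(addr, v4_prefix=24, v6_prefix=48):
    """Keep only the network part of the address (assumed /24 and /48)."""
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize_ip(addr, key):
    """Stable per-client token under one key; unlinkable once the key rotates."""
    packed = ipaddress.ip_address(addr).packed
    return "ip-" + hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def strip_query(target):
    """Remove ?query=... from a URL or request path."""
    return target.split("?", 1)[0]


def scrub_request(request):
    """'GET /path?x=1 HTTP/1.1' -> 'GET /path HTTP/1.1'; other shapes untouched."""
    parts = request.split(" ")
    if len(parts) == 3:
        parts[1] = strip_query(parts[1])
    return " ".join(parts)


def scrub_line(line, mode="truncate", key=None):
    """Return the scrubbed line, or None if the line cannot be parsed safely."""
    if mode == "pseudonym" and not key:
        raise ValueError("pseudonym mode requires a secret key")
    m = COMBINED_RE.match(line)
    if not m:
        return None  # unparsable: drop rather than pass raw data through
    f = m.groupdict()
    try:
        addr = pseudonymize_ip(f["addr"], key) if mode == "pseudonym" else truncate_ip(f["addr"])
    except ValueError:
        return None  # not a valid IP literal in the address field
    # ident and user fields are replaced with "-": they are rarely set and are PII when they are.
    return (f'{addr} - - [{f["time"]}] "{scrub_request(f["request"])}" '
            f'{f["status"]} {f["bytes"]} "{strip_query(f["referer"])}" "{f["ua"]}"')


def scrub_log(lines, mode="truncate", key=None):
    """Scrub many lines; returns (kept_lines, dropped_count)."""
    kept, dropped = [], 0
    for line in lines:
        out = scrub_line(line.rstrip("\n"), mode, key)
        if out is None:
            dropped += 1
        else:
            kept.append(out)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = scrub_log(SAMPLE_LOG)
    print("\n".join(kept))
    print(f"dropped {dropped} unparsable line(s)")
    print(scrub_line(SAMPLE_LOG[0], mode="pseudonym", key=b"rotate-me-daily"))
```

In practice you would run this from a log rotation hook (or feed the server's log through it via a pipe) and delete the raw file once scrubbed, so the only retained copy is the scrubbed one. The pseudonym mode is the answer to the botnet question in the comment above: the same client produces the same token all day, which is enough to count requests per client and block the noisy ones, while the stored token identifies no address once the day's key is gone.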


Actually, easiest step: completely ignore this, just like I would any random law from some international bureaucracy that has no jurisdiction over me.


aka “The Burning Bridges” plan. It could work, assuming you don’t like to travel, and never do business in those countries, and the global geopolitical situation does not radically change. A bit short-sighted...


Maybe so, but I’m not going to let every random bureaucrat around the world with an inflated sense of their importance dictate how I do business. If their enforcement mechanisms become such that I need to worry about it, I’ll do so then.

Unless you think that the EU is going to monitor every website on the internet and magically divine who owns them and what they’re doing behind the scenes with user data, and then develop a blacklist for those people so they can’t travel or they can go after them after WW3?

I guess I’ll really regret it if that’s the case. Until then, I’ll ignore.


Not how it works, but you show an attitude that is clearly hobbyist/freelance, which is fine.

Enterprise and anything related to big money cares. Not like the EU is a small market.

You'll also be surprised how much the US and EU cooperate, legally and economically. MS, Google, FB,... endless legal resources and yet the EU hammer is inescapable.

The most interesting thing to me is how you don't see the opportunity that GDPR represents to MAKE money. We're all raking in contracts and work consulting clients and updating products - but hey, I guess you don't want to compete. Good luck!


Ouch. You’re probably right about the hobbyist mindset. If I were responsible for a large enterprise I’m sure I’d be more circumspect about the stewardship I’d have over the company, employees, and customers. I hope that wouldn’t mean I’d decide it was fair and reasonable, just that I’d be more constrained on a practical level.

But I’m not, so...

Regardless, I have no interest in consulting to help companies solve an invented problem based on a bad law. I make plenty of money without making the world a worse place.


Well, good luck with that, but the world is full of random bureaucrats who can make your life massively difficult. It might or might not be right or fair, but it is and you play pretend at your own peril. Right now monitoring all sites can’t work, but how about five or ten years? Bureaucratic institutions can have very long memories.


And how will the legislator know what I'm logging and what not?


They don't.

GDPR kicks in once an EU resident files a complaint. GDPR also enforces a data report card - so if an EU resident (not just a citizen!) asks you about their data, you have to comply and give a complete answer. If you then reveal you store PII without their consent or fail to reveal everything and get caught, the fines will kick in.

Don't screw over EU residents and you're fine.

And if you think this laughable, remember that it was a single Austrian law student, Max Schrems, who went after Facebook and killed the EU-US Safe Harbor agreement.

EU pensioners and students are what will kill you, endless time on their hands.

:)


What's the reasonable definition of operating in the EU?


- Being located in EU.

- Or in case where you aren't located in EU, providing services specifically to EU residents, which can be hinted by having a language choice mostly spoken in EU countries, allowing EU currencies (Euro, British pound and so on) or specifically mentioning supporting EU, for instance by saying that your website can deliver packages to European Union.

Facebook for instance has offices in EU, which makes it clear that they are under GDPR, but even if they didn't, they do provide Facebook in EU languages.


English is an EU language; the UK is still in the EU, and Ireland is not expected to leave.


Malta has English as official language, just so people remember.


So, for instance, you can pretend that you're not operating in France if your website is in English and you only accept payments in USD?

I would argue that this is a bad definition because what you described is just operating in a jurisdiction but without localization.

I prefer the definition where you're making money (directly or indirectly) by providing services in a jurisdiction.

An example would be collecting French users' data and then selling it to ad agencies (or being acquired by Google?).


Yes. That's how the current GDPR law works. And it seems reasonable to me.

Accepting payments in USD is a pretty clear signal that a website mostly cares about US users, and if someone else uses the website, oh well, it happened, doesn't really change anything under GDPR.

(although you probably could have French support anyway, just expand the website to Canada as well ;), of course it isn't the same French as in France, but it's still French somewhat, EU currencies are trickier however)


French is widely spoken in Africa as well.


Why not? It would certainly be ludicrous for a brick and mortar establishment to be subjected to that, but if you’re offering a global product, welcome to the rest of the world.


> Any jurisdiction can already enforce their laws upon you if you affect their citizens.

Isn't that already done by the US? The case against Kim Dotcom comes to my mind.


Kim Dotcom made the mistake of operating servers in the US jurisdiction. New Zealand made the mistake of complying with the US requests to extradite him. The US could not have effectively enforced its laws upon Kim Dotcom without New Zealand's assistance.

If China comes after me for something terrible I say about Mao (stray absurd example), and the US turns me over to China because they're influenced and/or intimidated by China, that would be a similar premise: the US would bear immense, near total responsibility for capitulating, showing no backbone.


I'm definitely not defending US jurisdictional overreach.


> So now any jurisdiction in the world can declare that if you do something they don't like that even remotely affects them, you owe them whatever they want

This ship sailed a long time ago, unfortunately. That court in Texas with effective global patent jurisdiction. UK libel law. The Sklyarov case which got me interested in digital rights all the way back in 2001: https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.

(Arguably it goes all the way back to British maritime law...)


It’s a trend, but I don’t think people realize how scary this is. Do we really want a global system of interlocking jurisdictions and reciprocal treaties such that we’re all subject to the most restrictive and oppressive laws in the world? It’s not OK when it’s privacy, because next it may be free speech, or indecency, etc. Do we want a world where we have free speech, unless we say something online against Putin, and then the US is happy to extradite us? Seems fanciful, but I don’t see how it’s fundamentally different than what GDPR tries to assert.


Ultimately we have to say that not all law is bad, surely? Then take it on a case by case basis. The Internet itself makes world legal convergence a necessity.

Pick one:

- EU citizens can have their rights violated by US companies

- US companies are not allowed to communicate with EU citizens (ie great firewall of Europe)

- Everyone gives up on the idea of law where the internet is concerned and crosses a national line (cyberpunk anarchy; sort of the status quo; everyone gets surveilled and ultimately leaked a la Equifax)

- EU gives up on having its own law and accedes to US law (e.g. Switzerland, which is not the EU but proudly independent, eventually gave up its banking secrecy to US KYC/AML)


The Internet itself makes world legal convergence a necessity.

Disagree.

I reject your premise, and the false dilemma it leads to.

The actual answer is the same as the answer for international travel, which doesn’t necessitate global legal convergence: if you go to another country, you’re bound by their laws. If you come to America and something happens to you here that’s not illegal here but is in the EU, or you do something here that’s illegal here but not in the EU, you may feel your rights have been violated, but it doesn’t matter. You’re held responsible for the actions you take within a jurisdiction, whether you’re a guest there or not. And by contrast, that jurisdiction isn’t responsible for enforcing your home country’s laws just because you came.

It’s the same with the web: if you want better protection for your data than the US provides: do not send your data to the US.

Obviously companies in the EU should comply with EU law, but the GDPR asserts that a citizen can expand the EU jurisdiction globally by sending a request to a company anywhere in the world, and then demanding that the request be handled according to EU law under penalty of fines.

Ludicrous, and I seriously doubt that most countries are going to play ball. If you seriously think that the US government is going to let the EU fine some US-based business without any EU presence millions of dollars because Brussels passed some law, you’re headed for disappointment.


> if you want better protection for your data than the US provides: do not send your data to the US.

You don't have a choice. A citizen of Brussels who doesn't have a Facebook account could be surfing a website that Facebook doesn't own and Facebook will still be tracking and recording that person's activity without consent.

So the situation essentially becomes similar to a phishing scammer in India making fraudulent phone calls to U.S. citizens pretending to be the IRS. Did that person break U.S. law? They sure did. Did they break Indian law? Maybe not. Should they be extradited to the U.S. to face our jurisdiction? Of course, because they were taking advantage of their geographic location to undermine our jurisdiction.

It wouldn't be that hard for a global company worth hundreds of billions of dollars to implement some sort of geo-fence that properly identifies EU citizens and complies with local laws on a local level. Facebook wrote their own hard drive firmware for their data centers. Why do we care about the feasibility or financial repercussions of asking Facebook to comply with laws to protect actual people?


Should they be extradited to the U.S. to face our jurisdiction?

I don’t think so. I don’t want India to have the power to extradite me if I send an email to someone in India that they deem blasphemy or destabilizing or whatever. You’re talking about clearcut fraud, which is more sympathetic, but the underlying legal precedent is what terrifies me.

It is a violation of human rights to subject people to laws that they have no democratic say in.

Also, in your example about Facebook, you do have a choice. Leaving aside that they’re global and have an EU presence and should thus be complying, if Facebook was US-based only, you are sending a request to their servers. You’re responsible.

Now, maybe the site in question also bears some culpability for what their partners do with their customers’ data, but I don’t see how Facebook is responsible for every law and jurisdiction for where those requests originate. If you don’t want Facebook to have your data, don’t send it to them! Blocking those requests is incredibly trivial, and the onus should be on you the sender, not the receiver.


> if you want better protection for your data than the US provides: do not send your data to the US

Should EU companies be allowed to send my data to the US, then?

> If you seriously think that the US government is going to let the EU fine some US-based business without any EU presence millions of dollars because Brussels passed some law, you’re headed for disappointment.

The US shut down a lot of non-US poker businesses, including PokerStars in the Isle of Man. And sent the FBI to New Zealand to seize Kim "dotcom". If a US based business becomes a sufficiently big problem for EU privacy, it's going to get fined, and we're going to find out whether the EU-US cooperation is bidirectional.


Should EU companies be allowed to send my data to the US, then?

Of course not. Businesses should be bound by the laws of their jurisdictions.

And you won’t catch me defending the US throwing its weight around to violate the sovereignty of other nations either. It’s wrong for us to do it too.


> UK libel law.

No.


> For example, an EU resident hits your server while they're on vacation in Australia. You've stored analytics, IP addresses, etc. Congrats, you're now in violation.

If you don't do business in the EU (Take money from EU customers), there's practically nothing that the EU can do to you.

> That's the tip of the iceberg.

This is a very unimpressive iceberg.

> The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes. So now that everyone is breaking this law, regulators are free to just decide who they want to punish and how much. That's incredibly damaging to the fundamental idea of the rule of law.

Fortunately, we have something called 'the courts' that will iron out these ambiguities. And as other posters indicate, this is actually addressed by the GDPR.


> I really think that all of you who are salivating at the prospect of the GDPR destroying FB should prepare yourself for disappointment.

That's got to be the mother of all strawmen. FB will not be destroyed by the GDPR, but - ideally - the GDPR will cut back some of the worst excesses such as tracking users who are not even members of FB through embedded JS on other people's properties.

> It's a bad law, because it's so overly broad and vague that it's going to be impossible to be fully compliant.

It's actually a pretty good law compared to the predecessor.

If you feel that it is impossible to be fully compliant then maybe you need someone to interpret the law for you - such as a lawyer or a judge -, there are some fields of tension but on the whole it is not at all impossible to be compliant at least with the spirit of the law. Acting in good faith is a good first step.

> For example, an EU resident hits your server while they're on vacation in Australia. You've stored analytics, IP addresses, etc. Congrats, you're now in violation.

Contrived example, do not pass go.

> That's the tip of the iceberg. The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes.

And makes special mention of that and has exceptions for those cases.

> So now that everyone is breaking this law, regulators are free to just decide who they want to punish and how much. That's incredibly damaging to the fundamental idea of the rule of law.

Except that's not how it works, which makes this another strawman.

> 2. It sets a really bad precedent regarding jurisdiction and the internet.

How so? If you want to argue something is bad then you need to show how it is bad because of negative consequences, what 'any jurisdiction in the world' declares is their business, but the EU has stepped up for the rights of its citizens, and as one of those citizens, I'm pretty happy about it.

> So now any jurisdiction in the world can declare that if you do something they don't like that even remotely affects them, you owe them whatever they want.

This has nothing to do with the GDPR.

> What if some oppressive regime passes a law that if your website is shown to one of their citizens and doesn't have a message praising their leader, you owe them 100% of your global revenue in perpetuity.

Yet another strawman.

> Why not?

Well, why not? Indeed, except, it hasn't happened.

> You've violated their laws regarding behavior towards their citizens!

Yes, and you're free to ignore them, except in those cases where you wish to have a business presence in the country of said oppressive regime.

> 3. As item #2 gets at, countries can pass whatever laws they want, but they're limited by their ability to enforce those laws.

Exactly. But the EU can and does enforce its laws.

> If the EU gets overly broad and punitive here (as I'd argue they have), then companies will either just leave, or shift their digital operations to jurisdictions where courts can't enforce those laws.

That's fine, at least we have proven malicious intent on their part then. Complying with this law isn't all that hard. But it is hard if you are coming at the whole concept of privacy as a party that does not care about it.

> Ultimately, I think that the realistic path here is that Google and Facebook will fundamentally change almost nothing.

We'll see. My guess is that they like the money too much to do 'nothing'.

> The user experience will just get worse, because we'll have to constantly be agreeing to a long list of terms about how our data will be used, etc, etc. And people will just agree and move on.

So what are you worried about then?

> Regardless, the idea that we're suddenly going to live in a new golden age of digital privacy because the GDPR has good intentions is laughable.

Nobody claimed that, could you please lay off the strawmen, you can do much better than that.




They are bad arguments not because I think the end justifies the means but simply because it is very hard - impossibly hard - to imagine the intent of this law revolving around the examples you are giving. The intent of this law is to curtail some of the worst offenses when it comes to the privacy of EU citizens and that is definitely not something aimed at FB though they could very well end up in the cross hairs for enforcement because of their blatant disregard in this respect to date.

But those EU companies that are clued in as a whole are taking this pretty seriously.

Bad laws are bad laws because they have unintended consequences outside of the spirit of the law, so far I have not seen any or even a credible suggestion of such a bad consequence. Let us give it some time before we start declaring the law dead on arrival.


I see the "spirit of the law" and "intent" being thrown around here.

Elizabeth Denham, UK's information commissioner in charge of data protection enforcement, had this to say:

"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm. Our office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort."

Now, whether you trust large bureaucratic institutions to use elastic, broadly defined, excessive powers granted to them wisely, applying self-restraint for the general good, is a function of your general political leaning and life experience more than legal nuance, I suppose.


You’re making my case for me. Of course that’s not the intent of the law, and it’s a bad law precisely because of unintended consequences, ambiguity, and unequal enforcement due to everyone being out of compliance in some way.

But you keep just falling back on what they’re trying to do, which matters less than what they’re going to end up doing.

What they’re actually going to end up doing is fail to really curb much abuse, introduce lots of costs and uncertainty, drive businesses out of the EU, worsen the UX of the internet, entrench the largest players who can afford to be mostly compliant and defend themselves legally, and further erode the concepts of national sovereignty and the ideals of the web.

How about this: if EU citizens want more privacy protections than those provided by laws of my country, stop sending HTTP requests to my server in America and asking me to send information back to them. Why the hell is it on me to figure out where those requests are coming from and what bizarre set of laws that person’s country thinks I should have to care about with regard to what I do with the content that their citizen voluntarily sent me?


The same counts for US and the security law. If you market your offering to an American, even if they are in Europe, and you actively ban all the US traffic, SEC has a right to go after you.


> For example, an EU resident hits your server while they're on vacation in Australia.

If you don't specifically target the EU with your services, you aren't under GDPR scope. Specifically targeting means stuff that shows that you specially consider EU users, for instance by allowing payments in EUR currency or having a website in a language only spoken in the EU.

> You've stored analytics, IP addresses, etc.

Even if you were under GDPR scope, storing information purely for ensuring network security is perfectly fine under the law.

> The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes.

GDPR allows for storage of data for legal and compliance purposes. In fact, feel free to read https://ico.org.uk/for-organisations/guide-to-data-protectio...

> So now any jurisdiction in the world can declare that if you do something they don't like that even remotely affects them, you owe them whatever they want.

No, GDPR doesn't apply to everyone. If you don't provide services specifically to European Union countries, you don't need to care about GDPR at all. For instance, if your website has a Greek language option, it's understandable that you are offering services to Greece or Cyprus (both of which are European Union countries), and GDPR applies to your website. GDPR only applies when it would be enforceable to begin with.

> What if some oppressive regime passes a law that if your website is shown to one of their citizens and doesn't have a message praising their leader, you owe them 100% of your global revenue in perpetuity.

They would have difficulties in enforcing it, as you likely don't specifically provide service to them. And even if you did, you could just disable the website for that country instead of paying 100% of your global revenue. Similarly, with GDPR, you can just remove support for EU languages, EU currencies, and so on.

> If the EU gets overly broad and punitive here (as I'd argue they have), then companies will either just leave, or shift their digital operations to jurisdictions where courts can't enforce those laws.

True, that's an option, but at the same time, the EU is a big market that may not be worth ignoring.

> Ultimately, I think that the realistic path here is that Google and Facebook will fundamentally change almost nothing. The user experience will just get worse, because we'll have to constantly be agreeing to a long list of terms about how our data will be used, etc, etc. And people will just agree and move on.

GDPR is not the EU Cookie Law (which actually was a badly designed law, unlike GDPR) where you could just put some silly notice and that's about it. For example, a user may demand his information be removed, and you actually have to handle this request or you risk being sued for not complying with GDPR.


> GDPR is not EU Cookie Law (which actually was badly designed law, unlike GDPR)

everyone that has ever written code to set a cookie predicted what the industry response to that cookie legislation would be, but even that trivial foresight was beyond the EU's abilities

if they can't write a good law for something trivial like cookies why would you have any confidence in their abilities to produce a much larger, wider reaching piece of legislation, let alone the ability to predict the second order effects?


Did you know that functional cookies are exempt from the cookie law?


They are, but the failure of the law is that people did not know that, and just put up cookie warnings to be safe, and in the end all websites had cookie warnings, making the entire thing pointless.


What's a functional cookie? What makes it separate from an essential cookie? What, exactly, links it to a user?

Knowing that certain types of cookies are exempt is insufficient knowledge.


Is there no possibility that they might actually learn from the failures of the cookie law and use that knowledge to write a better law this time?


It's not hard to imagine that, at some point, the sensible business strategy for certain types of US companies may be to simply not operate in the EU or certain other countries. That's not commentary on the rightness or wrongness of EU regulation but simply that, at some point, it may just not be worth operating in some geographies. GDPR is one example but so is right to be forgotten, etc.


Competitors would pop up willing to abide by the local laws, and they'll make quite a bit of money doing it.


This came up a few days ago as well.

You can't just abide by these laws because it's so unclear what they mean and say. Notice how the findings are always that a firm didn't do "enough". What is enough? Where in law does it say what enough is?

The EU can chase American firms out of the EU. All it means is people will use the American websites without them having any corporate HQs in Europe, or simply be locked out entirely. The local competitors will probably suck - judging from the past attempts to compete.


And the competitor will be able to operate in the USA, whereas FB won't be operating in the EU, giving the competitor an advantage.


Maybe for large companies serving large-scale needs. But tiny companies w/ not-that-popular services might not have a version in that region (simply not worth the risk) and the citizens lose out. IIRC, there is not a way for a citizen to say "I understand what these companies do and choose to accept it"


I'll be pretty happy to "lose out" from being tracked and profiled.


Right, you speak for yourself (and probably the overwhelming majority). That is my point.


How do citizens lose out from "don't be tracked"?


See GP's comment. They lose out on companies that have now chosen not to operate there. Like small companies that don't want to risk being fined €20 million. It's not that they are companies that track you, it's that for many smaller/early companies that don't need EU customers yet, why even risk a mistake? And why risk the amount of that mistake on non-codified promises and subjective enforcement levels (i.e. "we promise only to use that number on the big players")?

If I were a VC, I'd tell my companies that didn't need EU customers yet not to sell to them until they are large enough to make sure they won't fall afoul of rules. Regulations almost always benefit the larger companies, even if they are well-intended. Smaller, more nimble companies almost always thrive in more open environments. Citizens of more open and less restriction/regulation encumbered environments often get a larger variety of businesses to use (sometimes to a fault, like tracking).


It's the "yet" that'll kill them. With the focus on growth, a VC backed company will not be able to ignore the massive EU market forever. Can it pivot, quickly, to be respecting of privacy? If you've built your whole business on collecting and using personal data, how can you change?


You're missing my point. They haven't built their business collecting data. They were just mitigating risk. I am not talking about businesses collecting personal data. Just a normal company that doesn't want to worry about compliance in the early days (even though they are probably compliant). I specifically said "It's not that they are companies that track you".

When ready, they will be able to enter the EU market quite easily, but at least with capital and size they can do the work necessary to feel comfortable in their compliance. Until then, EU citizens don't get access to the company. This is what I mean about regulations favoring the larger companies. It's almost always the case.


Can Facebook operate if they don't track people to the degree they are doing now? Can they offer good adverts? Can Google?


Again - what are citizens possibly losing if the company cannot do business without tracking and selling their data? Because that sounds like it’s not those citizens losing - it’s US citizens losing.


Again - because they aren't tracking and selling their data, they are just managing risk. When doing business, it's not a blind "well, we're doing nothing wrong, we have nothing to worry about", it's "we're doing nothing wrong, but a mistake can bankrupt us in this market that is not required for us to sustain growth." Nobody wants to trust even-handed application by regulators when it's just a ridiculously high penalty ceiling...well, nobody except those large companies that can absorb it. Citizens lose because they don't get to use products by otherwise well-intentioned companies that are scared of penalties because they are so high and subjectively enforced.


If I'm following your hypothetical situation correctly, you're claiming that an international company would rather not do business than to email the privacy commission for feedback? Which is standard procedure when in doubt...


It's not about doubt of the rules. Though there is extreme subjectivity, that's not my point in these posts. It's about risk mitigation (i.e. the extreme size of the penalties coupled with potential subjective enforcement). I'm not claiming anything about an international company, I am talking about small startups that might not even go completely international at first. Why, if I have all the customers I can handle right now as I grow would I subject myself to more regulations for no reason?

It's not that hypothetical as I've been in this with young companies where we were deciding where to launch first (for beta or actual launches). Granted there was nothing then precluding EU users in those times, in fact we preferred it to help w/ i18n vetting. Nowadays, I'd just as soon leave EU countries off of the select box on my signup form, and not worry about GDPR compliance (again, even though I am probably compliant and believe in the spirit of the rules).


Exactly. To a large extent, I - a citizen of an EU country - can already see the effect. Just look at how many electronics companies don’t sell in EU. There’s a Swiss company making great routers that outright says it’s because of RoHS.

And as for the earlier arguments like “no loss” or “competition would step up” - look how few EU tech companies there are. There’s a reason for that.

The armchair commenters here aren’t EU business people, and it shows. Around here, GDPR is considered a disaster, in the usual style of the EU’s heavy-handed, poorly thought-out regulations. It adds so much bureaucracy and expense - even for companies that do nothing shady - that it is absurd.


Half a billion people, biggest market in the world - it's not easy to tell your shareholders you're going to ignore it.


Lots of US companies are primarily domestic. If, for whatever reason--conflicting regulation, existing competitors, different consumer preferences, etc.--it doesn't make sense to expand internationally there's nothing saying that a given company needs to be global. If your strategy from the beginning is to remain focused on a specific market, I don't see an issue with that.


Examples?

The only domestic only companies I can think of aren't competitive in an international market, hence being domestic only.


The US is the least dependent major economy on the planet, when it comes to foreign trade. The vast majority of all US companies operate with between zero and minimal exports. The US is a highly self-contained economy (it should be obvious that's not the same as entirely self-contained), few other nations come even remotely close to being comparable.

https://i.imgur.com/QZyjKdZ.jpg


I totally agree with you that the US is very self contained compared to many countries, though I wonder if that would also be true of the EU as a bloc. The graph you posted treats the US as one unit but each EU country as a separate unit. I think EU/US or EU country/US state would be more comparable.


it's not easy to tell your shareholders you're going to ignore it.

It can be if there is too much risk or uncertainty. It can be even easier if there are anti-business characteristics to the policies.

I would say the EU classifies as such.


If supporting the privacy rights of your citizens is considered "anti-business", then maybe businesses need a rethink


You can phrase it any way you want, like "If adding regulations with potential fines even on mistakes to bankrupt a company, then maybe regulators need a rethink". Why is everyone so focused on what the intention of the rules are and not the practicalities? Often I feel these regulations are throwing spaghetti against a wall praying it sticks (e.g. cookie law). Because there's a problem, so the government must solve it. People can't be asked to self-regulate and governments can't be asked to encourage alternatives. It should be after those alternatives fail that the law is used as a last resort, and even then, marginally until the impacts are understood.


You need to read up on GDPR and what it really means.

You’re probably as annoyed by those ever-present cookie banners everywhere. That’s a direct result of another poorly thought-out EU regulation with good privacy intentions behind it. EU is not an indisputable force for good as you seem to think.


Of course it would be easy if operating in the market provided an existential risk to the company.


> biggest market in the world

How so? What about China and India?


Not in number of people.


Of course this is “commentary on the rightness or wrongness”: it’s the same old “I’m taking my toys and going home” we’ve been reading in the comments for every single story on EU regulation for decades. I remember people making it for Microsoft’s European antitrust troubles in the 90s.

The fact that no company ever did such a thing should be a clue as to the wisdom of a strategy based on one’s fragile nationalistic ego.


Companies exit geos (or never enter them) all the time. [1] No, it's not usually just about some law. But it may well have to do with nature of the market, regulatory climate, need to work through partners, cost of labor, work rules, etc. It's nothing to do with nationalist egos and everything to do with "it's just business" to avoid markets that aren't profitable or introduce too much business risk.

I really couldn't care less if there's some demand for my product/service in some market if it doesn't make business sense for me to sell there.

[1] For a random list. http://fortune.com/2015/01/16/international-retail-exits/


We could see the (continued) decline of the global internet. China is already its own bubble; it's not implausible that it could spread to other regions due to conflicting interests.

If we continue down that path, will there be the equivalent of free trade agreements to limit the fragmentation?


Facebook is by definition breaking the Internet by having created a walled garden. If we continue down this path, maybe at some point companies will start relying on open protocols to allow their users to communicate with others outside the bubble.


We'll survive I'm sure. I see the US not as example but as a warning.


I am sure that the US will have its counterpart to GDPR at some point. The US has HIPAA and FERPA, which protect privacy in healthcare and education very well.


There is no way Zuck writes that check, and I believe Trump would be happy to create an international incident in support of a scofflaw.


Facebook headquartered itself in the EU to tax dodge. They're directly under EU jurisdiction.

Double Irish with a Dutch Sandwich, but alas they'll have to eat their Brussels Sprouts.


You do realize FB has a European headquarters, in Dublin, Ireland?


Yes, and I don't think that would stop it. Ego takes precedence in the US these days.


This specifically targets the US, I believe; it is designed to add cost and barriers for US companies operating in the EU. I see this as evidence that the EU no longer trusts the US to rein in its own market and will happily initiate its own internal replacements.

Trump, of course, won't like it, but with his America First philosophy, he has no argument if others follow his lead to put their own interests first.


I work in a company in Norway. We are in the EØS (European Economic Area), but not the EU itself, but we still have to implement this for our own Norwegian customers. We don't have any customers outside of Norway.

Still we are investing millions to be compliant so I fail to see how this is specifically targeting US companies.

Edit: It also seems that many think it is illegal to store personal information anymore, but it's not: you just have to justify having it and only use it for the reasons you store it, provide data portability and the delete functions.

For some purposes, like marketing or analytics, you also need user consent.


Bollocks. The companies that will be hit first by this are European companies. And Foreign companies that make a point of ignoring the law, but obviously that is their own choice.


EU companies will have no choice but to oblige; if foreign companies choose not to comply, they will be subject to other restrictions, like not being able to use the Euro as currency. It is like China's situation: if you are not actively harmonising yourself with the regulation, it will surely backfire at some point, with the result that you are out of business.


I am in complete disagreement with the idea of fines based on worldwide revenues, that is nothing short of imposing fees on users from other countries without their agreement or to their benefit.


This is obviously a consequence of the clever tax avoidance schemes companies like Facebook have used to minimise local revenue. Fining an international corporation based on the local revenue is pointless when the corporation can shift numbers around to turn that revenue into close to nothing.


You think Facebook is going to start charging fees to people in the US to pay for fines from the EU? Well I heard that if this post gets 1000 likes Zuckerberg will cancel his plans to charge for Facebook.

(It's also arguable that greater privacy protections are to the benefit of everyone, unless Facebook only enables them in the EU.)


So you think the EU doesn't account for more than 4% of their worldwide revenue? It's not like the fine is for 100%.


I think it is now time for society to regulate Facebook, Google, and whatever other company out there, that seeks to collect information on people.

Facebook and Google, are now collecting and tracking users across the Internet, just so that they can make a few extra dollars per person, but on aggregate, they will make billions.

They have essentially removed the right for us to browse the Internet anonymously.

This is what the libraries tried to protect for so long: your privacy on what books you check out. But now, with the Internet, there is no anonymous browsing anymore. It's all recorded.

It is already terrible enough that the government is doing it. But at least we know that the government is doing it.

But for a commercial enterprise to do it, without proper regard for consumer information, privacy, and protection, is a step too far. In fact, we don't even know what these private companies are doing. And the people that they employ don't have any special training, or any security clearances, to handle such private information.

When Facebook goes bankrupt, like Yahoo did, then what is the first thing that they will do? They will immediately sell off all that valuable data that they have collected on the population for nearly 20 years.

What they have taken from us, is the right to be forgotten. The right to control the privacy of our lives, after we die. Sure, some people may not mind having all of their private digital history published, for all the world to see. But for some other people, we want to maintain that privacy, and take it to our grave.


> It is already terrible enough that the government is doing it. But at least we know that the government is doing it.

This argument feels so weird to me. We have a group of self-interested companies that will sell your privacy for a nickel (Google, Facebook, etc...) and then we have a government that values your privacy at nothing. The government views even trying to keep your matters private (like encrypting your phone, as advocated by the big, self-interested companies) as being inherently linked with crime and terrorism. And now we want the government (you know, the “if you have nothing to hide you have nothing to fear” guys) to be in charge of regulating internet privacy? Thanks, but no thanks.

Given how much the majority of the US congress cares about privacy (almost 0) and how little they understand technology, I am quite sure whatever they create would be a giant cluster fuck.

In Germany or some other place with enlightened politicians? Yes, please, go ahead. But dear god, if the FCC or some such is put in charge of regulating privacy it’s going to make the TSA look like geniuses.


A new, stronger, EU data protection law (GDPR) is coming into force in May this year.


How can I pretend to be from the EU so that I get better protection from Facebook? Are there any cheap and trustable VPNs (I don't use Facebook a lot, and certainly not to watch bandwidth/traffic intensive videos) that would help for this? Any other solutions? How can such solutions be spread around so that more users get these protections, regardless of where they physically live?


> How can I pretend to be from the EU so that I get better protection from Facebook

You don't have to. You can start today by not giving facebook any more information (stop using their service). If facebook bleeds enough users, maybe they'll become motivated to change. I seriously doubt, at least in the US, that we'll see any legislation that forces them to change here.


Facebook will still have a lot of data on you, even if you don't use their services.

Their Like-Buttons that are spread on a lot of the web, allow them to track your IP-address and what webpage you're on (thanks to the HTTP referrer). They also have an analytics library that some webpages use, giving them the same data and more.

And your friends probably have you in their contacts on their phones, which is uploaded to WhatsApp's server (unless none of them uses WhatsApp).


> Facebook will still have a lot of data on you, even if you don't use their services.

That doesn't mean you should not stop giving them even more information by you directly using their services.

There are various mechanisms to prevent tracking, like using an ad blocker to prevent loading tracking elements, preventing 3rd party cookies from being set, using something like NoScript to block JavaScript from facebook/google/etc, and using Tor. Many of these don't take long at all to configure.


Which is definitely not what I was trying to argue here.

You implied that one does not need governmental help to protect against Facebook. That's what I argued against. No matter how informed you are about Facebook's practices and no matter how technologically skilled you are, you cannot be sure that Facebook doesn't have your data.


It's not that I don't agree you don't need governmental help to protect against facebook, but rather that it's very unlikely to come from the US government any time soon. You'd be better off taking active steps to protect yourself as much as possible (admittedly won't be complete protection) than sitting around hoping someone in DC will care enough to protect you. The current trend is that things will get worse before they get better (if ever). Write your congress folks, etc etc, I guess.


I agree with you on principle and wish I could do that. I already protect myself quite a bit from Facebook. I always use a browser with ad blocking, tracker blocking, etc. I don't go around "liking" cat videos and whatever other "cool" stuff or entertainment that others post. I don't visit my news feed. I don't even use it to post any personal stuff, and use it for specific social causes and some events around that. I can't avoid Facebook (though I hate the company and its practices) because this is where most of my target audience is.


> If facebook bleeds enough users, maybe they'll become motivated to change

By that point, they'll be on their last legs, and we'll be worrying about the next social network.


Facebook will acquire and own the next social network. They have Instagram, Whatsapp and tbh already. Facebook.com is just the older network and 1 shell of the entire Facebook machine.



Well that's interesting. It's still not clear after reading the FAQ whether or not you'd become a citizen or not. It largely seems to be a way to register your company in the country (and pay taxes to them). Are you still afforded the same protections as citizens of EU countries? (if not, then this obviously wouldn't help GP in the quest to protect themselves from facebook)


From their page when you click apply:

> NB! Please be aware that e-Residency does not confer citizenship, tax residency, residence or right of entry to Estonia or to the European Union. It is not a visa or residence permit.

Too bad. It looks like this can't make you a citizen of the EU.


Related question: is it enough to be an EU citizen, or must one also live in the EU?


It is sufficient to be an EU Citizen (to the best of my understanding).


How is this different than Google Analytics?

Both companies are tracking users and Google is doing this even more than Facebook.


As long as tracking is not connected to personal information (name, IP, email) it is OK by GDPR. So Google Analytics is not affected (as long as you specify the anonymizeIp option) as it does not associate a user with their actual identity.


Actually, the law is defined quite broadly, not restricting itself to "name, IP, email".

Have you considered how a combination of innocuous data points, such as "browser + city + top 3 popular sites" can make a person uniquely identifiable?

Or any other of the billions of combinations of your browsing patterns or seemingly random daily activities. Your entropy fingerprint, if you will.

Check out "differential privacy" to learn more [0].

We've built a product to help companies identify the more obvious "private data" cases (https://pii-tools.com), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. A dedicated person or algorithm can identify people from surprisingly little information (in the extreme, think Sherlock Holmes). Identification is a matter of degree, rather than a binary "name, IP, email" thing.

[0] https://en.wikipedia.org/wiki/Differential_privacy
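To make the "innocuous data points" argument concrete, here is an added example (not from the commenter, and not pii-tools code) that measures, on a small constructed set of records holding only browser + city + top-3 sites, how many records share each combination (the anonymity set, or k) and how that shrinks as fields are added. All record values are invented.

```python
from collections import Counter
from math import log2

# Constructed sample of "anonymised" analytics records: no name, IP or email,
# only a browser, a city and the three most-visited site categories.
# Every value here is invented for this example.
RECORDS = [
    {"browser": "Firefox", "city": "Brussels", "top3": ("news", "mail", "maps")},
    {"browser": "Firefox", "city": "Brussels", "top3": ("news", "mail", "maps")},
    {"browser": "Chrome",  "city": "Brussels", "top3": ("news", "mail", "maps")},
    {"browser": "Chrome",  "city": "Brussels", "top3": ("video", "mail", "maps")},
    {"browser": "Chrome",  "city": "Antwerp",  "top3": ("news", "mail", "maps")},
    {"browser": "Safari",  "city": "Antwerp",  "top3": ("news", "video", "maps")},
    {"browser": "Chrome",  "city": "Brussels", "top3": ("news", "mail", "maps")},
    {"browser": "Firefox", "city": "Ghent",    "top3": ("news", "mail", "maps")},
]

ALL_FIELDS = ("browser", "city", "top3")


def fingerprint(record, fields=ALL_FIELDS):
    """The quasi-identifier: the tuple of chosen field values for one record."""
    return tuple(record[f] for f in fields)


def anonymity_sets(records, fields=ALL_FIELDS):
    """Map each fingerprint to the number of records that share it (its k)."""
    return Counter(fingerprint(r, fields) for r in records)


def min_k(records, fields=ALL_FIELDS):
    """Smallest anonymity set: the data set is k-anonymous for exactly this k."""
    return min(anonymity_sets(records, fields).values())


def unique_fraction(records, fields=ALL_FIELDS):
    """Share of records whose fingerprint is shared with nobody else (k == 1)."""
    sets = anonymity_sets(records, fields)
    singletons = sum(1 for k in sets.values() if k == 1)
    return singletons / len(records)


def fingerprint_entropy_bits(records, fields=ALL_FIELDS):
    """Shannon entropy of the fingerprint distribution, in bits.

    log2(len(records)) would mean every record is unique; the closer the value
    gets to that ceiling, the more identifying the field combination is.
    """
    n = len(records)
    sets = anonymity_sets(records, fields)
    return -sum((k / n) * log2(k / n) for k in sets.values())


def report(records, fields):
    """Summary for one field combination, usable as a pre-release check."""
    return {
        "fields": fields,
        "min_k": min_k(records, fields),
        "unique_fraction": unique_fraction(records, fields),
        "entropy_bits": round(fingerprint_entropy_bits(records, fields), 2),
    }


if __name__ == "__main__":
    # Browser alone singles out 1 of 8 records; browser + city + top3
    # singles out half of them, with no "name, IP, email" involved.
    for fields in (("browser",), ("browser", "city"), ALL_FIELDS):
        print(report(RECORDS, fields))
```

The same check run against a real export, with k required to stay above a chosen floor, is a cheap way to catch "anonymised" fields that together still pin down individuals.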


> Have you considered how a combination of innocuous data points, such as "browser + city + top 3 popular sites" can make a person uniquely identifiable?

While this is certainly the case. As long as you do not use the data in that way it is not illegal to collect it. Intent and actions are very important in GDPR.

Standard law: Purchasing a knife is not illegal, but using it to kill is.

GDPR: Collecting browser, behaviour and city is not illegal, but correlating it in order to connect collected data to a single person is.


But GDPR says even if data is anonymized but can be tied to a natural person in a “reasonable” manner, it is still illegal. Then it gives some vague examples of what might be considered reasonable... so a lawyer could still make a case that tracking data is illegal.

You also have to explain to your user, in clear and plain language, using visualization where possible, how the data collected is processed.


Maybe they decided to take one company on at a time and flipped a coin and FB lost.


Google supposedly does not know who you are exactly. Facebook links it to individual profiles.


Regardless of whether this is a good idea or not, how will it possibly be enforced against a multinational giant like Facebook, with private source code and machines to store data all over the world?


Generally by leveraging the fact that Facebook probably wants to remain on reasonable terms with most governments. Modulo appeals etc, once they've finally lost (provided that's the final decision), they'll probably just comply.

If they refuse, the government can seize any assets Facebook might hold in Belgium, possibly other EU countries, they could block or fine Belgian companies and individuals that do business with Facebook and such things, and escalate all the way to issuing warrants for Facebook executives' arrests, which with the European Arrest Warrant could be effectuated across the EU.

https://www.bloomberg.com/news/articles/2017-01-09/volkswage...


Is the Court of First Instance like a district court/appeals court? Because I remember Facebook winning here:

https://www.reuters.com/article/us-facebook-belgium/facebook...

Or is this a different case?


Not a lawyer and I had to translate from Dutch, but the first legal encounter involved the Privacy Commission looking for interim measures. Facebook first lost, then won the appeal. This is (sort of?) the same case, but now they're looking for a final judgment on the merits of the case.

The current process started a couple of months ago: https://deredactie.be/cm/vrtnieuws.english/News/1.3080677


I'm not sure why any mega-companies bother with running EU business units. Just put your offices and data centers outside EU jurisdiction (Hello Switzerland, Turkey, Morocco and now England) and pay your engineers enough to compensate for being in a less desirable location (in some cases) and you're still way ahead of the game.


1-2k€ vs $10k salaries?

At least that's what they do in my EU country.


Taxes? Market? Users?


Recently the Facebook pixel started collecting information on pretty much everything a user does on the website, naming it "microdata". Those users have no clue they are being tracked in that manner.


I'm looking at this on mobile, and the cookie policy footer is taking up more than half the screen. Oh the irony.


I'm curious - if I have a clean browser history(no Facebook login ever), and Facebook still tracks me, how does that information benefit Facebook?

Alternatively, how does it affect me?


Their official stance is that these cookies are used for fraud detection: https://www.facebook.com/notes/alex-stamos/preserving-securi... In theory, Facebook could also sell these ghost profiles to web sites that have the Facebook like button or Facebook comments and want to show personalized ads.


>Alternatively, how does it affect me?

They still record your IP address and link it to all the sites you visit that have a facebook script.


Just wondering here, but what would stop them (or any other multinational big corp) from, say, redirecting any web connection from a country A where X is illegal to one of their servers in country B, C, D etc. where it is legal, doing all the number crunching there and sending unrecognizable results back to A?


The relevant laws generally don't care about server locations, or only in a negative sense (data processing in jurisdictions with weaker protections requires additional steps to be acceptable).

Since in general evidence for these things is not collected by grabbing local servers and searching them, this doesn't really give them any benefit.


Why was the Belgian court illegally collecting data in the first place? ;-)


Ethnic cleansing was so much easier with the church records.


Best part about this article is that the Guardian has Facebook tracking code that collects user data on it. https://imgur.com/a/UrSyt


This 'argument' comes up in almost every article critical of shady browser tracking purposes, as if it's the end-all-be-all argument for why we should disregard the article.

Yes, journalism makes a bunch of money from ad impressions collected by cookies and trackers right now. No, a lot of the actors in the business don't want it that way, but they still want to earn a paycheck for the time being.

Further, I'm sure that journalists have no control over their specific page; they can't just say "Oh, it would look pretty bad if there was a content tracker on this specific page, so let's demonetize this article". No, the paper has a policy for how they collect their revenue, and I guarantee that that department is well separated from the journalism department.

Sometimes people climb hills to get to the mountains. We don't say "Why aren't you climbing mountains, I thought you were a mountain climber!? You must be a crappy mountain climber if you only climb hills.".


I didn’t realize sites got paid for the facebook thumb. I just assumed that it mainly provided value for facebook and social media coordinators eager to show growth. I’m a little more sympathetic if the guardian actually gets something from the button.


> mainly provided value for Facebook

Why would so many sites do this for Facebook's benefit?

The sole purpose is for advertising, which is how they make money. The thumb will have the article show up to your friends, and people who have similar interests to you. The pixel also helps with advertising, because they build a picture of who you are and can give you relevant ads.


Well, I personally pay for a guardian subscription, but block ads. This is because I consider ads a net-negative in my life: they actively lower the quality of pretty much everything around me, including the content pimping the ads.

Meanwhile, a facebook thumb button is net-negative only if the guardian doesn't get paid; it essentially becomes a transaction where I pay facebook with information and then facebook pays the guardian with money.

If this assumption is false, I'm happy to continue blocking the passive pixel and thumb trackers and continue to support the guardian directly.


Why is that the best part?


It’s the best part because it shows us how ridiculously out of control the issue of third party tracking & data collection is. You can’t even read what’s being done to address it without being subject to it.


Yeah I'm with you here. I think people could either interpret what you're saying as "they're hypocrites" or "this is absurdly pervasive."


Because we are being socialized to over-react to even the hint of hypocrisy as invalidating, rather than engaging in meaningful evaluation of information sources' quality.


It doesn’t invalidate the article at all. Quite the opposite.


If someone can suggest a non-translated article we can update the link here.

