No cap, up to 4% of worldwide annual revenues for these kinds of transgressions of the law.
We should at least have a choice on whether they can track us or not. And when we say 'no thank you', that should be respected.
I get it when it comes to analytics, beacons, tracking outside of the ecosystem.
And the police don't seem to care at all, nor do their masters.
How is a global surveillance network and database like a Rolodex?
You're also likely to be using Google's DNS (18.104.22.168) without knowing, because some piece of software decided to hardcode that DNS server.
And your friends have almost certainly already uploaded your data to Google's Android backup service and to WhatsApp's database.
As a further point of fact, Facebook (and Google; Facebook is not alone here) stalks even people who _can't_ have a Facebook account. For example, children under 13 in the US.
Surely this is illegal, though? One way to get the laws to ban this sort of dragnet commercial surveillance of people would be to appeal to the 'think of the children' argument and ban companies from tracking information about anyone under 13. That would also stop them from tracking information about anyone that hasn't totally confirmed that they're over 13.
I don't know enough about the law on this to comment.
> would be to appeal to the 'think of the children' argument
Tempting, though I worry about unleashing demons even if you think they're on your side... ;)
I'm not saying they don't take it too far, but certainly someone with an account has invited facebook to do some data collection and tracking.
ADD: I probably have 100+ accounts at various sites online. Do these guys all get free passes to collect data and track me because I happen to have created an account there?
Facebook certainly operates outside of even this rather liberal framework, so I wouldn't defend them wholesale. However, I don't like false equivalencies.
It goes further than that, as it affects other people too.
See also: Eben Moglen's talk about how privacy is ecological, not transactional.
In California, stalking requires both malice AND a credible threat to safety. Comparing Facebook or Google tracking to stalking is, at least in California, highly inaccurate.
There is actually no crime in following someone around. The crime happens when it's done maliciously and with the intent to create a reasonable fear. Facebook isn't trying to instill fear. That's not their intent at all.
To be clear, I'm not defending Facebook, I'm just calling out the hyperbolic nonsense that gets thrown around in these discussions.
Except for when they're running psychological experiments designed to manipulate the emotional state of their users.
Or if you want to stick to definitions:
verb (used with object)
5. to pursue (game, a person, etc.) stealthily.
I think that's what GP is referring to.
We can remind people that the internet is still a dangerous place, while also trying to discourage bad behaviour.
But right now I can install any number of tools on Google's own browser that mitigate most common tracking/privacy concerns. I don't necessarily agree that we need to increase government regulation to address a concern that a Chrome extension is already serving.
This warrants a political solution and I'm glad that the EU is moving into the right direction.
Then your beef is not with FB but with the website which _chose_ to embed the FB like button. You should stop using that website if you are not OK with it.
The argument "just don't participate in society if you don't want people tracking every news report you read" doesn't really sit well with me.
Perhaps you object to the page impression being tracked even if you don’t like it? This seems unavoidable unless you mandate publishers host their own copy of the code behind these buttons and use a public API only to record the likes.
And they were tracking even non-Facebook users this way. There's zero consent here no matter how you cut it.
Worse yet, Facebook did this for years, and in the first years it swore it didn't do that, and when they were caught doing it they said it was "just a bug"... twice.
Facebook has 0% credibility at this point. Just look how they're ruining people's trust in 2FA security, too, now (although if they end up ruining the trust in SMS 2FA, that wouldn't be too bad of an outcome actually...).
This is a good article (although not complete, and only until 2014) on Facebook's awful, no-good history of lying and tracking users without their consent:
That's not true. You implicitly consent to the usage policy of that website, which then gave permission to FB. Of course GDPR makes it illegal, but until May 25 it's not.
In the case of this theguardian.com page it looks like they've got a web bug as the last element of the body, which results in a request to https://www.facebook.com/tr?
Having facebook count views of your like button is probably considered a feature to publishers.
If Facebook means no harm, they could make this the encouraged way to include the like button.
Yes, that's the consequence (well, it doesn't really have to be an API triggered from the server, it can send the user there). Or a pattern where a user has to click a locally hosted link/button which then loads the Facebook one, and/or records permission to load it with further page visits.
It's not really much of a difference from an integration perspective if you include code in your page that loads a Facebook iframe, or code that only does that after user interaction.
Google analytics should not be allowed without me getting a prompt to allow it or not, FB button should be a simple static image without tracking unless I click on it. Also they track users that are not logged in or do not have accounts.
One way to go about it could be to force all these data collectors to show what they know about us, how much they shared and with whom, and allow us to delete that data on request. I'd really like to know everything FB tracks on those like buttons, it's probably an obscene amount of personal data.
Once people see how much data they retain, there would be a righteous outrage. These datasets have been provably used to manipulate elections, subvert democracy and target us with fake news. I'd like a report of what fake news and politically motivated ads I've been served by their recommenders. Maybe if they are forced to come out in the clear about what they do with our personal info, they would change their tactics. We need reverse surveillance on FB and the other tech giants and ad companies.
When you request a page like this guardian article, all they'd have access to would be:
* The URL you requested, along with time and IP
* Any facebook.com/facebook.net cookies you have stored
* Any other headers your browser sends
* Metadata about the page itself that the publisher publishes via "og:" tags
How does that compare with what you meant by "obscene amount of personal data"?
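The list above is what one embedded pixel or iframe load hands to the third party. As an added illustration that is not from the thread and not Facebook's or any publisher's code, here is a small Python model of the browser side of that request: which of those items (page URL via Referer, stored cookies, user agent) actually reach the third-party endpoint depends on the publisher's Referrer-Policy and on the SameSite/Secure attributes of the cookies the browser holds for that third party. The host social.example, the pixel id, the cookie name and the user-agent string are constructed; the registrable-domain check is a simplification that ignores the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample values. The "/tr?" path mirrors the pixel request named in
# the thread; the host, pixel id and cookie are made up for the illustration.
ARTICLE_URL = "https://www.theguardian.com/world/2018/example-article?utm=x#comments"
PIXEL_URL = "https://social.example/tr?id=PIXEL_ID_PLACEHOLDER"


@dataclass
class Cookie:
    """A cookie the browser already holds for the third party's site."""
    name: str
    value: str
    same_site: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = True


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def site_of(url: str) -> str:
    # Approximation of the registrable domain (last two labels). Real browsers
    # consult the Public Suffix List, so "co.uk"-style hosts are not handled.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def referer_header(page_url: str, target_url: str, policy: str) -> Optional[str]:
    """Referer value sent for a subresource of page_url under a Referrer-Policy."""
    same_origin = origin_of(page_url) == origin_of(target_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    full = page_url.split("#", 1)[0]          # the fragment is never sent
    origin = origin_of(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":   # default in current major browsers
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


def cookies_sent(jar: List[Cookie], page_url: str, target_url: str,
                 top_level_navigation: bool = False, method: str = "GET") -> Dict[str, str]:
    """Cookies attached to the request after applying SameSite and Secure rules."""
    cross_site = site_of(page_url) != site_of(target_url)
    over_https = urlsplit(target_url).scheme == "https"
    sent: Dict[str, str] = {}
    for c in jar:
        if c.secure and not over_https:
            continue
        if not cross_site:
            sent[c.name] = c.value
        elif c.same_site == "None" and c.secure:
            sent[c.name] = c.value          # explicit opt-in to cross-site use
        elif c.same_site == "Lax" and top_level_navigation and method == "GET":
            sent[c.name] = c.value          # link clicks, not embedded pixels
    return sent


def embed_request(page_url, target_url, jar, policy, user_agent):
    """Headers the third party's endpoint receives for one embedded pixel/iframe load.
    The client IP and the time of the request are always visible to it as well."""
    return {
        "url": target_url,
        "referer": referer_header(page_url, target_url, policy),
        "cookies": cookies_sent(jar, page_url, target_url),
        "user_agent": user_agent,
    }


def exposure(page_url, req):
    """Summarise what that single request lets the endpoint infer."""
    ref = req["referer"]
    origin = origin_of(page_url) + "/"
    return {
        "learns_exact_page": ref is not None and ref != origin,
        "learns_site_only": ref == origin,
        "can_link_to_identity": bool(req["cookies"]),
    }


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed user agent)"
    for policy, jar in [
        ("no-referrer-when-downgrade", [Cookie("uid", "12345", same_site="None")]),
        ("strict-origin-when-cross-origin", [Cookie("uid", "12345", same_site="Lax")]),
        ("no-referrer", [Cookie("uid", "12345", same_site="None")]),
    ]:
        req = embed_request(ARTICLE_URL, PIXEL_URL, jar, policy, ua)
        print(policy, jar[0].same_site, req["referer"], req["cookies"],
              exposure(ARTICLE_URL, req))
```

The first row of the demo is the situation the thread argues about: a full Referer plus a cross-site identity cookie lets the endpoint record "this known user read this exact article". The second row shows what a publisher-side `Referrer-Policy` and a cookie that is not marked `SameSite=None` leave behind: the endpoint still sees that some visitor of theguardian.com loaded the pixel, but neither which article nor who.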
The users should have a choice: "Do you want this site to share your data with FB, Google?" If you do not accept, you can't use it, but it is your choice not to use the website. The users will get informed, because right now I am sure most people don't even know about the tracking.
Seems reasonable to call that obscene.
Just like on HN there is no page with 'favorite articles'.
Oh wait ;)
1. It's a bad law, because it's so overly broad and vague that it's going to be impossible to be fully compliant. For example, an EU resident hits your server while they're on vacation in Australia. You've stored analytics, IP addresses, etc. Congrats, you're now in violation. That's the tip of the iceberg. The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes. So now that everyone is breaking this law, regulators are free to just decide who they want to punish and how much. That's incredibly damaging to the fundamental idea of the rule of law.
2. It sets a really bad precedent regarding jurisdiction and the internet. So now any jurisdiction in the world can declare that if you do something they don't like that even remotely affects them, you owe them whatever they want. What if some oppressive regime passes a law that if your website is shown to one of their citizens and doesn't have a message praising their leader, you owe them 100% of your global revenue in perpetuity. Why not? You've violated their laws regarding behavior towards their citizens!
3. As item #2 gets at, countries can pass whatever laws they want, but they're limited by their ability to enforce those laws. If the EU gets overly broad and punitive here (as I'd argue they have), then companies will either just leave, or shift their digital operations to jurisdictions where courts can't enforce those laws.
Ultimately, I think that the realistic path here is that Google and Facebook will fundamentally change almost nothing. The user experience will just get worse, because we'll have to constantly be agreeing to a long list of terms about how our data will be used, etc, etc. And people will just agree and move on. Look at the cookie thing. Yes, I know you think it's different this time because of X, Y, and Z, but I'm skeptical. We'll see.
Regardless, the idea that we're suddenly going to live in a new golden age of digital privacy because the GDPR has good intentions is laughable.
You're right, the fundamental functioning of Google, Facebook, et al. won't change. They will update their privacy policies, and give users access to view, update or delete all of their information more easily. The uses of that information will be disclosed and there will be consequences for misuse or failure to protect that information. GDPR is setting expectations for the protection of data where previously it was an anything-goes or minimum-effort policy.
I can see how those opposed to government regulation would hate GDPR, but no other industry standard on data privacy has gained traction and data breaches are happening more frequently at the expense of real people.
I just don’t see it. I think people kinda know, but they just don’t care that much.
Hell, I bet half the users on HN have a pretty good understanding of what data is collected, but don’t care enough to check out. We still buy smartphones and use all these sites and put Alexa in our houses. It’s not that we don’t know, we just don’t care.
So you intuitively know, at some level, that all these sites are tracking you. I agree that the average person doesn't care too much, based on the lack of serious outcry about it.
The GDPR does actually have exceptions for cases where local law requires you to store data.
Any jurisdiction can already enforce their laws upon you if you affect their citizens. There's nothing new here.
tail -f /var/log/nginx/access.log
Did you turn off nginx's default logging?
Sorry, I find this ludicrous. Using analytics "indiscriminately"? What does that even mean? The most basic use case for analytics is to use them indiscriminately to see how visitors are using your site.
Not to mention that this is basically impossible, since storing IP addresses in Apache log files is also probably a breach. Someone in the EU sends you an email, now you're in violation because the header info is PII. A German walks into your hospital in Miami and signs in; if you don't have a special snowflake data management process for them that runs alongside your standard HIPAA-compliant one, you're probably in violation.
Any jurisdiction can already enforce their laws upon you if you affect their citizens.
No, they can't. They can declare any law, but that doesn't mean they can enforce it.
I really think that basically every business around the world that doesn't have a direct EU presence in terms of offices or employees should (and probably will) just ignore the GDPR. It's a huge violation of sovereignty, the freedom and ideals of the internet, and a great example of how people will be pleased to let their governments enact policies no matter how harmful or dangerous as long as they're against an "enemy" that they hate.
Businesses that operate in the EU have to comply, businesses that don't interact with EU residents don't.
As the US has a special relationship with the EU (Privacy Shield, etc.), it recognizes GDPR as valid.
Don't like it? Focus on China, where WeChat is now your national ID card and is also linked to your personal credit score. Violate any government rules - your credit score goes down. Medical reps now have to register with the Chinese government before they're allowed to enter hospitals and their personal credit score is linked to their behavior. There you go, full data transparency nirvana.
The world is a big and complicated space and big regions define their culture differently. Europe is not business-focused, but puts the citizen first. The US considers businesses as citizens, data privacy a hindrance for profitability - and China wonders what this citizen thing is.
Easiest step: stop logging every single hit on your site (IP, browser, etc).
You want a bit more analytics?
Log general attributes, but not the IP. Just that a hit occurred, browser, general geo (country). That's it. Perfectly compliant.
Want them to fill out a form? Welcome to GDPR, as you should.
As Maciej Cegłowski (idlewords, pinboard) so eloquently states, over and over again, you don't have to store and hoard all this data. It's BS to begin with, and dangerous in the long run.
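The "tail -f /var/log/nginx/access.log" exchange earlier in the thread and the minimal-logging advice just above describe the same move: keep only that a hit occurred, the browser and the country, and drop the IP. As an added example that is not from the thread and not from nginx or Apache, here is a Python reducer for standard combined-format access log lines that emits exactly those coarse fields and discards the IP, the query string (which often carries e-mail addresses or tokens), the referrer and the raw user-agent string. The sample log lines use documentation IP ranges and are constructed, and the country lookup table stands in for a real GeoIP database.

```python
import re
from datetime import datetime
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# nginx/Apache "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, made-up paths and UAs).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/May/2018:13:55:36 +0000] '
    '"GET /article/123?utm_source=newsletter&email=alice%40example.org HTTP/1.1" '
    '200 5120 "https://www.example.org/" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/66.0.3359.139 Safari/537.36"',
    '198.51.100.23 - - [10/May/2018:13:55:40 +0000] '
    '"GET /search?q=my+medical+condition HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"',
]

# Constructed stand-in for a GeoIP database: IP -> ISO country code.
SAMPLE_GEO = {"203.0.113.7": "DE", "198.51.100.23": "US"}


def browser_family(ua: str) -> str:
    """Coarse browser family; order matters because Chrome UAs also say Safari."""
    low = ua.lower()
    if any(k in low for k in ("bot", "crawl", "spider")):
        return "Bot"
    for marker, name in (("edg", "Edge"), ("opr/", "Opera"), ("opera", "Opera"),
                         ("chrome/", "Chrome"), ("firefox/", "Firefox"),
                         ("safari/", "Safari")):
        if marker in low:
            return name
    return "Other"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its raw fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def reduce_record(raw: Dict[str, str], geo_lookup: Callable[[str], str]) -> Dict[str, str]:
    """Keep only coarse, non-identifying fields: hour bucket, method, path,
    status, browser family and country. IP, user, query string, referer and
    the raw user agent are deliberately not carried over."""
    when = datetime.strptime(raw["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "hour": when.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:00%z"),
        "method": raw["method"],
        "path": urlsplit(raw["target"]).path,      # query string dropped
        "status": raw["status"],
        "browser": browser_family(raw["ua"]),
        "country": geo_lookup(raw["ip"]),           # IP used for lookup only
    }


def reduce_log(lines: List[str], geo_lookup: Callable[[str], str]) -> List[Dict[str, str]]:
    """Reduce every parseable line; unparseable lines are skipped."""
    out = []
    for line in lines:
        raw = parse_line(line)
        if raw is not None:
            out.append(reduce_record(raw, geo_lookup))
    return out


def format_record(rec: Dict[str, str]) -> str:
    """One reduced record as a single log line."""
    return " ".join(rec[k] for k in ("hour", "country", "browser", "method", "path", "status"))


if __name__ == "__main__":
    for rec in reduce_log(SAMPLE_LINES, lambda ip: SAMPLE_GEO.get(ip, "ZZ")):
        print(format_record(rec))
```

Run it over a real access log with the IP-to-country lookup replaced by your GeoIP library; the reduced records still answer "how many visitors, from where, with which browsers, hitting which pages" while no line in the output can be tied back to a person. The hour bucket is a deliberate choice: second-resolution timestamps combined with a path can re-identify a visitor when cross-referenced with other logs.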
Unless you think that the EU is going to monitor every website on the internet and magically divine who owns them and what they’re doing behind the scenes with user data, and then develop a blacklist for those people so they can’t travel or they can go after them after WW3?
I guess I’ll really regret it if that’s the case. Until then, I’ll ignore.
Enterprise and anything related to big money cares. Not like the EU is a small market.
You'll also be surprised how much the US and EU cooperate, legally and economically. MS, Google, FB,... endless legal resources and yet the EU hammer is inescapable.
The most interesting thing to me is how you don't see the opportunity that GDPR represents to MAKE money. We're all raking in contracts and work consulting clients and updating products - but hey, I guess you don't want to compete. Good luck!
But I’m not, so...
Regardless, I have no interest in consulting to help companies solve an invented problem based on a bad law. I make plenty of money without making the world a worse place.
GDPR kicks in once an EU resident files a complaint. GDPR also enforces a data report card, so if an EU resident (not just a citizen!) asks you about their data, you have to comply and give a complete answer. If you then reveal you store PII without their consent, or fail to reveal everything and get caught, the fines will kick in.
Don't screw over EU residents and you're fine.
And if you think this laughable, remember that it was a single Austrian law student, Max Schrems, who went after Facebook and killed the EU-US Safe Harbor agreement.
EU pensioners and students are what will kill you; endless time on their hands.
- Or, in the case where you aren't located in the EU, providing services specifically to EU residents, which can be hinted at by having a language choice mostly spoken in EU countries, allowing EU currencies (Euro, British pound and so on) or specifically mentioning support for the EU, for instance by saying that your website can deliver packages to the European Union.
Facebook for instance has offices in the EU, which makes it clear that they are under GDPR, but even if they didn't, they do provide Facebook in EU languages.
I would argue that this is a bad definition because what you described is just operating in a jurisdiction but without localization.
I prefer the definition where you're making money(directly or indirectly) by providing services in a jurisdiction.
An example would be collecting French users data and then selling it to ad agencies(or being acquired by Google?).
Accepting payments in USD is a pretty clear signal that a website mostly cares about US users, and if someone else uses the website, oh well, it happened, doesn't really change anything under GDPR.
(although you probably could have French support anyway, just expand the website to Canada as well ;), of course it isn't the same French as in France, but it's still French somewhat, EU currencies are trickier however)
Isn't that already done by the US? The case against Kim Dotcom comes to my mind.
If China comes after me for something terrible I say about Mao (stray absurd example), and the US turns me over to China because they're influenced and or intimidated by China, that would be a similar premise: the US would bear immense, near total responsibility for capitulating, showing no backbone.
This ship sailed a long time ago, unfortunately. That court in Texas with effective global patent jurisdiction. UK libel law. The Sklyarov case which got me interested in digital rights all the way back in 2001: https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.
(Arguably it goes all the way back to British maritime law...)
- EU citizens can have their rights violated by US companies
- US companies are not allowed to communicate with EU citizens (i.e. great firewall of Europe)
- Everyone gives up on the idea of law where the internet is concerned and crosses a national line (cyberpunk anarchy; sort of the status quo; everyone gets surveilled and ultimately leaked a la Equifax)
- EU gives up on having its own law and accedes to US law (e.g. Switzerland, which is not the EU but proudly independent, eventually gave up its banking secrecy to US KYC/AML)
I reject your premise, and the false dilemma it leads to.
The actual answer is the same as the answer for international travel, which doesn’t necessitate global legal convergence: if you go to another country, you’re bound by their laws. If you come to America and something happens to you here that’s not illegal here but is in the EU, or you do something here that’s illegal here but not in the EU, you may feel your rights have been violated, but it doesn’t matter. You’re held responsible for the actions you take within a jurisdiction, whether you’re a guest there or not. And by contrast, that jurisdiction isn’t responsible for enforcing your home country’s laws just because you came.
It’s the same with the web: if you want better protection for your data than the US provides: do not send your data to the US.
Obviously companies in the EU should comply with EU law, but the GDPR asserts that a citizen can expand the EU jurisdiction globally by sending a request to a company anywhere in the world, and then demanding that the request be handled according to EU law under penalty of fines.
Ludicrous, and I seriously doubt that most countries are going to play ball. If you seriously think that the US government is going to let the EU fine some US-based business without any EU presence millions of dollars because Brussels passed some law, you’re headed for disappointment.
You don't have a choice. A citizen of Brussels who doesn't have a Facebook account could be surfing a website that Facebook doesn't own and Facebook will still be tracking and recording that person's activity without consent.
So the situation essentially becomes similar to a phishing scammer in India making fraudulent phone calls to U.S. citizens pretending to be the IRS. Did that person break U.S. law? They sure did. Did they break Indian law? Maybe not. Should they be extradited to the U.S. to face our jurisdiction? Of course, because they were taking advantage of their geographic location to undermine our jurisdiction.
It wouldn't be that hard for a global company worth hundreds of billions of dollars to implement some sort of geo-fence that properly identifies EU citizens and complies with local laws on a local level. Facebook wrote their own hard drive firmware for their data centers. Why do we care about the feasibility or financial repercussions of asking Facebook to comply with laws to protect actual people?
I don’t think so. I don’t want India to have the power to extradite me if I send an email to someone in India that they deem blasphemy or destabilizing or whatever. You’re talking about clear-cut fraud, which is more sympathetic, but the underlying legal precedent is what terrifies me.
It is a violation of human rights to subject people to laws that they have no democratic say in.
Also, in your example about Facebook, you do have a choice. Leaving aside that they’re global and have an EU presence and should thus be complying, if Facebook was US-based only, you are sending a request to their servers. You’re responsible.
Now, maybe the site in question also bears some culpability for what their partners do with their customers’ data, but I don’t see how Facebook is responsible for every law and jurisdiction for where those requests originate. If you don’t want Facebook to have your data, don’t send it to them! Blocking those requests is incredibly trivial, and the onus should be on you the sender, not the receiver.
Should EU companies be allowed to send my data to the US, then?
> If you seriously think that the US government is going to let the EU fine some US-based business without any EU presence millions of dollars because Brussels passed some law, you’re headed for disappointment.
The US shut down a lot of non-US poker businesses, including PokerStars in the Isle of Man. And sent the FBI to New Zealand to seize Kim "dotcom". If a US based business becomes a sufficiently big problem for EU privacy, it's going to get fined, and we're going to find out whether the EU-US cooperation is bidirectional.
Of course not. Businesses should be bound by the laws of their jurisdictions.
And you won’t catch me defending the US throwing its weight around to violate the sovereignty of other nations either. It’s wrong for us to do it too.
If you don't do business in the EU (Take money from EU customers), there's practically nothing that the EU can do to you.
> That's the tip of the iceberg.
This is a very unimpressive iceberg.
> The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes. So now that everyone is breaking this law, regulators are free to just decide who they want to punish and how much. That's incredibly damaging to the fundamental idea of the rule of law.
Fortunately, we have something called 'the courts' that will iron out these ambiguities. And as other posters indicate, this is actually addressed by the GDPR.
That's got to be the mother of all strawmen. FB will not be destroyed by the GDPR, but - ideally - the GDPR will cut back some of the worst excesses such as tracking users who are not even members of FB through embedded JS on other people's properties.
> It's a bad law, because it's so overly broad and vague that it's going to be impossible to be fully compliant.
It's actually a pretty good law compared to the predecessor.
If you feel that it is impossible to be fully compliant then maybe you need someone to interpret the law for you, such as a lawyer or a judge. There are some fields of tension, but on the whole it is not at all impossible to be compliant, at least with the spirit of the law. Acting in good faith is a good first step.
> For example, an EU resident hits your server while they're on vacation in Australia. You've stored analytics, IP addresses, etc. Congrats, you're now in violation.
Contrived example, do not pass go.
> That's the tip of the iceberg. The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes.
And makes special mention of that and has exceptions for those cases.
> So now that everyone is breaking this law, regulators are free to just decide who they want to punish and how much. That's incredibly damaging to the fundamental idea of the rule of law.
Except that's not how it works, which makes this another strawman.
> 2. It sets a really bad precedent regarding jurisdiction and the internet.
How so? If you want to argue something is bad then you need to show how it is bad because of negative consequences, what 'any jurisdiction in the world' declares is their business, but the EU has stepped up for the rights of its citizens, and as one of those citizens, I'm pretty happy about it.
> So now any jurisdiction in the world can declare that if you do something they don't like that even remotely affects them, you owe them whatever they want.
This has nothing to do with the GDPR.
> What if some oppressive regime passes a law that if your website is shown to one of their citizens and doesn't have a message praising their leader, you owe them 100% of your global revenue in perpetuity.
Yet another strawman.
> Why not?
Well, why not? Indeed, except, it hasn't happened.
> You've violated their laws regarding behavior towards their citizens!
Yes, and you're free to ignore them, except in those cases where you wish to have a business presence in the country of said oppressive regime.
> 3. As item #2 gets at, countries can pass whatever laws they want, but they're limited by their ability to enforce those laws.
Exactly. But the EU can and does enforce its laws.
> If the EU gets overly broad and punitive here (as I'd argue they have), then companies will either just leave, or shift their digital operations to jurisdictions where courts can't enforce those laws.
That's fine, at least we have proven malicious intent on their part then. Complying with this law isn't all that hard. But it is hard if you are coming at the whole concept of privacy as a party that does not care about it.
> Ultimately, I think that the realistic path here is that Google and Facebook will fundamentally change almost nothing.
We'll see. My guess is that they like the money too much to do 'nothing'.
> The user experience will just get worse, because we'll have to constantly be agreeing to a long list of terms about how our data will be used, etc, etc. And people will just agree and move on.
So what are you worried about then?
> Regardless, the idea that we're suddenly going to live in a new golden age of digital privacy because the GDPR has good intentions is laughable.
Nobody claimed that, could you please lay off the strawmen, you can do much better than that.
But those EU companies that are clued in as a whole are taking this pretty seriously.
Bad laws are bad laws because they have unintended consequences outside of the spirit of the law, so far I have not seen any or even a credible suggestion of such a bad consequence. Let us give it some time before we start declaring the law dead on arrival.
Elizabeth Denham, UK's information commissioner in charge of data protection enforcement, had this to say:
"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm. Our office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort."
Now, whether you trust large bureaucratic institutions to use elastic, broadly defined, excessive powers granted to them wisely, applying self-restraint for the general good, is a function of your general political leaning and life experience more than legal nuance, I suppose.
But you keep just falling back on what they’re trying to do, which matters less than what they’re going to end up doing.
What they’re actually going to end up doing is fail to really curb much abuse, introduce lots of costs and uncertainty, drive businesses out of the EU, worsen the UX of the internet, entrench the largest players who can afford to be mostly compliant and defend themselves legally, and further erode the concepts of national sovereignty and the ideals of the web.
How about this: if EU citizens want more privacy protections than those provided by laws of my country, stop sending HTTP requests to my server in America and asking me to send information back to them. Why the hell is it on me to figure out where those requests are coming from and what bizarre set of laws that person’s country thinks I should have to care about with regard to what I do with the content that their citizen voluntarily sent me?
If you don't specifically target the EU with your services, you aren't under GDPR scope. Specifically targeting means stuff that shows that you specially consider EU users, for instance by allowing payments in EUR currency or having a website in a language only spoken in the EU.
> You've stored analytics, IP addresses, etc.
Even if you were under GDPR scope, storing information purely for ensuring network security is perfectly fine under the law.
> The law also broadly contradicts loads of other laws about how data must be retained for legal and compliance purposes.
GDPR allows for storage of data for legal and compliance purposes. In fact, feel free to read https://ico.org.uk/for-organisations/guide-to-data-protectio...
No, GDPR doesn't apply to everyone. If you don't provide services specifically to European Union countries, you don't need to care about GDPR at all. For instance, if your website has a Greek language option, it's understandable that you are offering services to Greece or Cyprus (both of which are European Union countries), and GDPR applies to your website. GDPR only applies when it would be enforceable to begin with.
> What if some oppressive regime passes a law that if your website is shown to one of their citizens and doesn't have a message praising their leader, you owe them 100% of your global revenue in perpetuity.
They would have difficulties in enforcing it, as you likely don't specifically provide service to them. And even if you did, you could just disable the website for that country instead of paying 100% of your global revenue. Similarly, with GDPR, you can just remove support for EU languages, EU currencies, and so on.
True, that's an option, but at the same time, the EU is a big market that may not be worth ignoring.
> Ultimately, I think that the realistic path here is that Google and Facebook will fundamentally change almost nothing. The user experience will just get worse, because we'll have to constantly be agreeing to a long list of terms about how our data will be used, etc, etc. And people will just agree and move on.
GDPR is not the EU Cookie Law (which actually was a badly designed law, unlike GDPR), where you could just put up some silly notice and that's about it. For example, a user may demand that his information be removed, and you actually have to handle this request or you risk being sued for not complying with GDPR.
Everyone that has ever written code to set a cookie predicted what the industry response to that cookie legislation would be, but even that trivial foresight was beyond the EU's abilities.
If they can't write a good law for something trivial like cookies, why would you have any confidence in their abilities to produce a much larger, wider-reaching piece of legislation, let alone the ability to predict the second-order effects?
Knowing that certain types of cookies are exempt is insufficient knowledge.
You can't just abide by these laws because it's so unclear what they mean and say. Notice how the findings are always that a firm didn't do "enough". What is enough? Where in law does it say what enough is?
The EU can chase American firms out of the EU. All it means is people will use the American websites without them having any corporate HQs in Europe, or simply be locked out entirely. The local competitors will probably suck - judging from the past attempts to compete.
If I were a VC, I'd tell my companies that didn't need EU customers yet not to sell to them until they are large enough to make sure they won't fall afoul of rules. Regulations almost always benefit the larger companies, even if they are well-intended. Smaller, more nimble companies almost always thrive in more open environments. Citizens of more open and less restriction/regulation encumbered environments often get a larger variety of businesses to use (sometimes to a fault, like tracking).
When ready, they will be able to enter the EU market quite easily, but at least with capital and size they can do the work necessary to feel comfortable in their compliance. Until then, EU citizens don't get access to the company. This is what I mean about regulations favoring the larger companies. It's almost always the case.
It's not that hypothetical, as I've been in this with young companies where we were deciding where to launch first (for beta or actual launches). Granted, there was nothing then precluding EU users in those times; in fact we preferred it to help w/ i18n vetting. Nowadays, I'd just as soon leave EU countries off of the select box on my signup form, and not worry about GDPR compliance (again, even though I am probably compliant and believe in the spirit of the rules).
And as for the earlier arguments like "no loss" or "competition would step up": look how few EU tech companies there are. There's a reason for that.
The armchair commenters here aren't EU business people, and it shows. Around here, GDPR is considered a disaster, in the usual style of the EU's heavy-handed, poorly thought-out regulations. It adds so much bureaucracy and expense, even for companies that do nothing shady, that it is absurd.
The only domestic only companies I can think of aren't competitive in an international market, hence being domestic only.
It can be if there is too much risk or uncertainty. It can be even easier if there are anti-business characteristics to the policies.
I would say the EU classifies as such.
You're probably as annoyed by those ever-present cookie banners everywhere. That's a direct result of another poorly thought-out EU regulation with good privacy intentions behind it. The EU is not an indisputable force for good, as you seem to think.
How so? What about China and India?
The fact that no company ever did such a thing should be a clue as to the wisdom of a strategy based on one’s fragile nationalistic ego.
I really couldn't care less if there's some demand for my product/service in some market if it doesn't make business sense for me to sell there.
For a random list: http://fortune.com/2015/01/16/international-retail-exits/
If we continue down that path, will there be the equivalent of free trade agreements to limit the fragmentation?
Double Irish with a Dutch Sandwich, but alas they'll have to eat their Brussels sprouts.
Trump, of course, won't like it, but with his America First philosophy, he has no argument if others follow his lead and put their own interests first.
Still we are investing millions to be compliant so I fail to see how this is specifically targeting US companies.
Edit: It also seems that many think it is illegal to store personal information anymore but it's not, you just have to justify having it and only use it for the reasons you store it, provide data portability and the delete functions.
For some purposes, like marketing or analytics, you also need user consent.
(It's also arguable that greater privacy protections are to the benefit of everyone, unless Facebook enables them only in the EU.)
Facebook and Google are now collecting and tracking users across the Internet, just so that they can make a few extra dollars per person, but on aggregate they will make billions.
They have essentially removed the right for us to browse the Internet anonymously.
This is what the libraries tried to protect for so long: your privacy on what books you check out. But now, with the Internet, there is no anonymous browsing anymore. It's all recorded.
It is already terrible enough that the government is doing it. But at least we know that the government is doing it.
But for a commercial enterprise to do it, without proper regard for consumer information, privacy, and protection, is a step too far. In fact, we don't even know what these private companies are doing. And the people that they employ don't have any special training, or any security clearances, to handle such private information.
When Facebook goes bankrupt, like Yahoo did, then what is the first thing that they will do? They will immediately sell off all that valuable data that they have collected on the population for nearly 20 years.
What they have taken from us, is the right to be forgotten. The right to control the privacy of our lives, after we die. Sure, some people may not mind having all of their private digital history published, for all the world to see. But for some other people, we want to maintain that privacy, and take it to our grave.
This argument feels so weird to me. We have a group of self-interested companies that will sell your privacy for a nickel (Google, Facebook, etc.), and then we have a government that values your privacy at nothing. The government views even trying to keep your matters private (like encrypting your phone, as advocated by the big, self-interested companies) as being inherently linked with crime and terrorism. And now we want the government (you know, the "if you have nothing to hide you have nothing to fear" guys) to be in charge of regulating internet privacy? Thanks, but no thanks.
Given how much the majority US congress cares about privacy (almost 0) and how little they understand technology, I am quite sure whatever they create would be a giant cluster fuck.
In Germany or some other place with enlightened politicians? Yes, please, go ahead. But dear god, if the FCC or some such is put in charge of regulating privacy, it's going to make the TSA look like geniuses.
You don't have to. You can start today by not giving facebook any more information (stop using their service). If facebook bleeds enough users, maybe they'll become motivated to change. I seriously doubt, at least in the US, that we'll see any legislation that forces them to change here.
Their Like buttons, which are spread across a lot of the web, allow them to track your IP address and what webpage you're on (thanks to the HTTP referrer). They also have an analytics library that some webpages use, giving them the same data and more.
And your friends probably have you in their contacts on their phones, which is uploaded to WhatsApp's server (unless none of them uses WhatsApp).
That doesn't mean you should not stop giving them even more information by you directly using their services.
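As an added illustration of the mechanism the comment above describes (and of the later point that the tracker still records your IP address and links it to every site carrying its script), here is a small Python script that reconstructs cross-site browsing profiles from the requests a third-party embed generates. This is example code written for this page, not Facebook's or any vendor's code; the log lines and their column layout are constructed for the example, and the join on IP plus User-Agent for cookieless requests is the assumption being demonstrated, not a description of any specific product.

```python
"""Added example: what a third-party embed (like-button script or tracking
pixel) reveals to its operator. The log lines and their format are constructed
for this example; they are not a real vendor's format."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: requests the tracker's endpoint receives because pages on
# unrelated first-party sites embed its script or pixel. Each browser request
# carries the client IP, the tracker's own cookie ("-" if none), the Referer
# (the page being viewed) and the User-Agent.
SAMPLE_LOG = """\
2018-05-01T09:00:01Z 203.0.113.7 tid=abc123 https://news.example/politics/article-1 Mozilla/5.0 (X11; Linux)
2018-05-01T09:05:44Z 203.0.113.7 tid=abc123 https://health.example/conditions/anxiety Mozilla/5.0 (X11; Linux)
2018-05-01T09:12:10Z 203.0.113.7 tid=abc123 https://shop.example/cart?item=42 Mozilla/5.0 (X11; Linux)
2018-05-01T10:30:00Z 198.51.100.9 - https://news.example/sports Mozilla/5.0 (Windows NT 10.0)
2018-05-01T10:31:15Z 198.51.100.9 - https://jobs.example/resignation-letter-template Mozilla/5.0 (Windows NT 10.0)
2018-05-01T11:00:00Z 192.0.2.55 tid=zzz999 https://shop.example/ Mozilla/5.0 (Macintosh)
"""

# Columns are space separated; only the User-Agent may itself contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cookie>\S+) (?P<referer>\S+) (?P<ua>.+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["cookie"] = None if rec["cookie"] == "-" else rec["cookie"]
        records.append(rec)
    return records


def identity_key(rec):
    """Join key the tracker can use for a request.

    With its own cookie present the link is exact. Without one (cookies blocked
    or never set) the IP address plus User-Agent still ties together requests
    from the same machine, which is why blocking cookies alone is not enough.
    """
    if rec["cookie"]:
        return ("cookie", rec["cookie"])
    return ("ip+ua", rec["ip"], rec["ua"])


def build_profiles(records):
    """Map each identity to the ordered (time, site, path) list it visited,
    taken entirely from the Referer header of the embed request."""
    profiles = defaultdict(list)
    for rec in records:
        url = urlparse(rec["referer"])
        profiles[identity_key(rec)].append((rec["ts"], url.netloc, url.path))
    return dict(profiles)


def sites_seen(profiles, key):
    """Distinct first-party sites the tracker saw one identity on."""
    return sorted({site for _, site, _ in profiles.get(key, [])})


if __name__ == "__main__":
    profiles = build_profiles(parse_log(SAMPLE_LOG))
    for key, visits in profiles.items():
        print(key)
        for ts, site, path in visits:
            print(f"  {ts} {site}{path}")
```

Running it prints one profile per identity: the cookied visitor is seen on a news site, a health site and a shop within twelve minutes, and the visitor who sends no cookie is still linked across two sites by IP and User-Agent. Note that none of the first-party sites share anything with each other; the only common element is the embedded third-party request.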
You implied that one does not need governmental help to protect against Facebook. That's what I argued against. No matter how informed you are about Facebook's practices and no matter how technologically skilled you are, you cannot be sure that Facebook doesn't have your data.
By that point, they'll be on their last legs, and we'll be worrying about the next social network.
> NB! Please be aware that e-Residency does not confer citizenship, tax residency, residence or right of entry to Estonia or to the European Union. It is not a visa or residence permit.
Too bad. It looks like this can't make you a citizen of the EU.
Both companies are tracking users and Google is doing this even more than Facebook.
Have you considered how a combination of innocuous data points, such as "browser + city + top 3 popular sites" can make a person uniquely identifiable?
Or any other of the billions of combinations of your browsing patterns or seemingly random daily activities. Your entropy fingerprint, if you will.
Check out "differential privacy" to learn more.
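To make the "entropy fingerprint" point above concrete, here is an added Python example (not from the original thread or any product) that measures how combining a few weak attributes shrinks the crowd a visitor can hide in. The visitor population is constructed for the example; the functions compute the standard k-anonymity and Shannon-entropy measures over whatever attribute combination you choose.

```python
"""Added example: measuring how 'innocuous' attributes combine into an
identifier. The visitor records below are constructed for this example."""
import math
from collections import Counter

# Constructed sample population: browser, city and the three most visited
# sites per visitor. Each attribute on its own is shared by many people.
VISITORS = [
    {"browser": "Firefox", "city": "Berlin", "top3": ("news.example", "mail.example", "video.example")},
    {"browser": "Firefox", "city": "Berlin", "top3": ("news.example", "mail.example", "shop.example")},
    {"browser": "Firefox", "city": "Berlin", "top3": ("news.example", "mail.example", "video.example")},
    {"browser": "Chrome", "city": "Berlin", "top3": ("news.example", "mail.example", "video.example")},
    {"browser": "Chrome", "city": "Berlin", "top3": ("news.example", "mail.example", "video.example")},
    {"browser": "Chrome", "city": "Paris", "top3": ("news.example", "mail.example", "video.example")},
    {"browser": "Firefox", "city": "Paris", "top3": ("forum.example", "mail.example", "video.example")},
    {"browser": "Chrome", "city": "Paris", "top3": ("news.example", "mail.example", "shop.example")},
]


def anonymity_sets(rows, fields):
    """Group visitors by the chosen quasi-identifiers; returns {values: group size}."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def entropy_bits(rows, fields):
    """Shannon entropy of the attribute combination over the population.

    log2(len(rows)) bits would mean every visitor is distinguishable; each
    added attribute can only keep or raise this number, never lower it.
    """
    n = len(rows)
    return -sum((c / n) * math.log2(c / n) for c in anonymity_sets(rows, fields).values())


def smallest_group(rows, fields):
    """k-anonymity: size of the smallest group sharing the same values.
    k == 1 means at least one visitor is uniquely identified."""
    return min(anonymity_sets(rows, fields).values())


def unique_fraction(rows, fields):
    """Share of visitors who are alone in their group, i.e. re-identifiable."""
    return sum(1 for c in anonymity_sets(rows, fields).values() if c == 1) / len(rows)


def report(rows, field_sets):
    """Return one summary row per attribute combination."""
    return [
        (fields, round(entropy_bits(rows, fields), 3), smallest_group(rows, fields), unique_fraction(rows, fields))
        for fields in field_sets
    ]


if __name__ == "__main__":
    print(f"max possible entropy: {math.log2(len(VISITORS)):.3f} bits")
    for fields, bits, k, frac in report(VISITORS, [["browser"], ["browser", "city"], ["browser", "city", "top3"]]):
        print(f"{'+'.join(fields):22s} entropy={bits:.3f} bits  k={k}  unique={frac:.0%}")
```

In this tiny population the browser alone carries one bit and identifies nobody; browser plus city already singles out one person; adding the top three sites leaves half the visitors in a group of one. Real deployments see far more attributes per request (fonts, screen size, timezone, plugin lists), so the anonymity set collapses much faster than this toy suggests.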
We've built a product to help companies identify the more obvious "private data" cases (https://pii-tools.com), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. A dedicated person or algorithm can identify people from surprisingly little information (in the extreme, think Sherlock Holmes). Identification is a matter of degree, rather than a binary "name, IP, email" thing.
While this is certainly the case, as long as you do not use the data in that way it is not illegal to collect it. Intent and actions are very important in GDPR.
Standard law: Purchasing a knife is not illegal, but using it to kill is.
GDPR: Collecting browser, behaviour and city is not illegal, but correlating it in order to connect collected data to a single person is.
You also have to explain to your users, in clear and plain language, using visualization where possible, how the collected data is processed.
If they refuse, the government can seize any assets Facebook might hold in Belgium, possibly other EU countries, they could block or fine Belgian companies and individuals that do business with Facebook and such things, and escalate all the way to issuing warrants for Facebook executives' arrests, which with the European Arrest Warrant could be effectuated across the EU.
Or is this a different case?
The current process started a couple of months ago:
At least that's what they do in my EU country.
Alternatively, how does it affect me?
They still record your IP address and link it to all the sites you visit that have a facebook script.
Since in general evidence for these things is not collected by grabbing local servers and searching them, this doesn't really give them any benefit.
Yes, journalism makes a bunch of money from ad impressions collected by cookies and trackers right now. No, a lot of the actors in the business don't want it that way, but they still want to earn a paycheck for the time being.
Further, I'm sure that journalists have no control over their specific page-- they can't just say "Oh it would look pretty bad if there was a content tracker on this specific page, so let's demonetize this article". No, the paper has a policy for how they collect their revenue, and I guarantee that that department is well separated from the journalism department.
Sometimes people climb hills to get to the mountains. We don't say "Why aren't you climbing mountains, I thought you were a mountain climber!? You must be a crappy mountain climber if you only climb hills.".
Why would so many sites do this for Facebook's benefit?
The sole purpose is for advertising, which is how they make money. The thumb will have the article show up to your friends, and people who have similar interests to you. The pixel also helps with advertising, because they build a picture of who you are and can give you relevant ads.
Meanwhile, a Facebook thumb button is net-negative only if the Guardian doesn't get paid -- it essentially becomes a transaction where I pay Facebook with information and then Facebook pays the Guardian with money.
If this assumption is false, I'm happy to continue blocking the passive pixel and thumb trackers and continue to support the Guardian directly.