The assumption you're making here is that GDPR is one and done. In all likelihood, most major jurisdictions are going to introduce privacy laws at some point. If you don't build your international service to allow for different rules in different jurisdictions you're going to have to follow the strictest of those laws. Heck, I'd put money on some countries forcing some web services to record some data for law enforcement purposes and other countries barring facebook from recording the same data for privacy reasons.
So really, you have to build this system in a way that can be tailored to each market you operate in.
GDPR doesn't penalize or prevent innovation. It just forces it out into the open.
This is a nice summary.
Compared to the freedoms of millions and billions of users my 'developer freedom' is pretty far down the list of things that matter. As developers we are servicing people, they are not our lab rats.
If you don't want facebook to track you don't make an account on their website and don't click any of the stupid buttons on their website.
They still build a shadow profile of you from mentions and photos that friends upload.
It also tracks us through its widgets on other sites.
It requires a lot of effort to fully opt out.
Being open and honest with people really doesn't slow down development all that much.
This is like saying that prescription-drug regulations are limiting speed/freedom. When those things are dangerous to the user, they should be limited!
And I still don't agree that it slows anyone down. Want to launch a new feature quickly? No problem, go ahead and launch it. All you have to do is add an opt-in dialog at the beginning.
As far as freedom goes, we've seen the abuses of that freedom and it's time to limit it.
This is so sad.
The form usually proceeds by stating a view. You think attribution is more important than the propagation (or content) of the view, and that is fine. For me, the content and propagation usually rank higher.
In the case of FB, I think we all had enough proof that the quest for money is above everything. According to the latest leaks about their execs, even above human lives.
So, at this point, I find any attempt to defend them, even hypothetical, sad.
So no, I don't think that response is universal.
1. The administrative/maintenance cost of complying: this is sunk if you have European users at all.
2. The cost of the measures to your business model, if personal user data is a central part of your business model.
3. The administrative cost of maintaining radically different user data management systems for EU -vs- non-EU users.
Doing number 3 is only worthwhile if it's a lower cost than number 2. I would guess 3 would be higher than 2 for most companies. Clearly, 2 is extremely high for Facebook.
In the case of Facebook, it makes sense that they wouldn't want to offer privacy protection to their livestock.
So far, I don't think any cloud providers show you ads based on your usage, but it's only a matter of time :) / :(
You have HOAs acting as government, tech companies acting as intelligence organizations, private security acting as police, and heck even private companies buying up roads/bridges maintaining them and charging a fee.
The whole "make a different choice" retort whenever private organizations do something evil is getting less and less believable with every passing day. For example, in a lot of cities almost every neighborhood has a HOA.
So, if people should not have complete control over data about themselves, where should the line be drawn on the usage of that data when people can't tell companies what to do with it? Who should draw that line?
One person's right to be forgotten conflicts with the public's interest in knowing things. For example, if a given doctor has botched several surgeries, and I am considering to become his patient, the doctor's right to have those incidents forgotten conflicts with my interest in knowing his track record. This is one example, but such cases are myriad.
Of course the laws surrounding the right to be forgotten in Europe are not boundless (though they are, to my mind, quite vague) and I'm sure supporters will be quick to point out that the case of the doctor above may not be covered by the right to be forgotten. And that is a nice point in theory, but in practice is moot. Europe has put the burden of correctly determining what is in the public interest squarely on the shoulders of online aggregators. If an aggregator's interpretation of a broad set of laws is later found to not be in keeping with the opinion of European courts, the aggregators are the ones that will be footing the fines.
Forcing search engines to all become court systems which adjudicate millions of cases is extremely onerous. Companies are not going to spend billions doing that. They are just going to remove whatever requests they get, DMCA style. The end result is that Europe has given everyone a more or less unrestricted delete button. Google has already delisted more than a million URLs (including for a doctor that botched several surgeries).
Further, until the whole world gets on board, I imagine there will always be access to search engines that do not delist results. So not only are companies forced to rubber stamp millions of delist requests, it's also completely pointless!
Personally, if society believes the right to be forgotten is worth enshrining, instead of shirking responsibility of actually enforcing it onto tech giants, we should have the courts adjudicate the requests so that the public interest will be appropriately weighed. Of course this will be much more expensive, but like health, education, and so on, doing the right thing is often expensive.
Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):
For companies operating in European Union, the General Data Protection Regulation (GDPR) (3) mandates that such breaches need to be disclosed under 72 hours. The implementation deadline for GDPR is by end of May 2018 (~7 weeks to go).
Underarmor, a US-based sports apparel manufacturer, who operates in EU as well, recently had a breach that affected 150-million users, and went public within 3 days of discovering the breach (4).
I believe UnderArmor's case is the norm we can expect going forward. As most companies are not "tech" in nature, unlike FB which happens to be one, it will make sense for them to keep just one security policy and the legally mandated strictest one may be the dominant policy across the enterprise.
It will be interesting to see the interpretation of that clause in action, specifically when looking at information such as IP address which is still considered a grey area.
So if the breach turns out to be a bit more major than they want everyone to think it is and it turns out that it was major in the end, there either is a paper trail or worst case for them no paper trail and probably a worse fine.
I now live in a country where Facebook is a major part of how people function online. I deleted my profile and stayed off for 2 years when I still lived in the US, but here it's more vital to have one unfortunately.
Since everyone is on it, it would make sense that not using it would "exclude" you or a social standard or norm.
There are two sides to this.
First, I don't think exchanging on facebook is relevant or meaningful social exchange. Teamspeak or skype are more meaningful, but facebook only brings delayed text, photo and video, while real time matters more.
The second side is that as I've discussed already, there are no discovery feature on facebook. You don't make new friends thanks to facebook, you only do with Tinder, meetup, Uber, etc. The friendship relation in facebook is one of exclusivity. I don't think facebook events or groups are really attractive to users, or really do create new friendships, beyond the classical scenario of real life meeting. If you make new friends, it's not really thanks to facebook, because organizing an event can be done on any other platform, or even by email.
So it's true that user base matters a lot, but facebook seems to have little to no usefulness. It's just for messaging, posting photos, event exposure. It's just a very large myspace, with improved features, but it brings nothing new to the table.
You mean, except for FB Messenger (and Whatsapp, which should be included if one is talking about the company practices).
> The second side is that as I've discussed already, there are no discovery feature on facebook.
I'm not a user, but AFAIK it does suggest friends to you. Plus, you often interact with friends-of-friends (e.g. through comments on posts of your friends), which does allow you to discover new people.
At that point, we could give up on privacy altogether.
Network effect and low friction is why it's useful but if everyone was on some other platform where I could find them by name I'd happily switch given I mostly use it for messaging and event planning.
After 10 days clean, buy yourself a beer.
I don't know if you have a fanpage or anything, but if you just do it personally, I have far more reach sharing on HN, reddit, and my personal site compared to Facebook.
The problem with Facebook other than bad privacy is that it doesn't take much to press the like button. Someone clicking like doesn't mean shit - maybe they're being nice to you. Most likely they're bored. Next 5 seconds their mind will be to something else. Plus, Facebook is ruthless to the freshness of things, so shit you spent a lot of time producing only gets a shot temporarily in the present and then immediately forgotten if they shared to 10 people and they don't care. You're not a creator, you're an easily replaceable cog in their system. I have had things that picked up long after I produced them on my site - I can't imagine doing that with Facebook.
That was inadvertently a perfect way to describe the "info" people get from Facebook.
If a company wants to operate in Europe and accept European customers, they abide by the law.
If they can't manage to figure out they're servicing european customers and protect their data according to the law, then they get fined substantially.
It might be complicated, but the onus is on the company not the user, making this Facebook's problem to resolve.
It isn't clear to me that the burden should be on the service provider to discern the legal domicile of a user and to be required to adjust its business practices to accommodate the regulations of their 'home' jurisdiction. Wouldn't that rapidly devolve into every service provider being required to operate within the rules of some extremely complicated intersection of all possible jurisdictions?
I hope they do this, and don't try to cross-check against login IPs or anything. I just set my FB city and hometown to European ones to increase my chances of benefiting from the GDPR.
It is not so simple.
Protect EVERYONE'S data. Don't care where they are.
And how do you decide between <good-country>, <so-so-country>, and <evil-country>?
"Protect the user's privacy" is not at all the same thing as "follow all the laws of the user's home jurisdiction".
If there is a legal obligation to follow the laws regarding privacy then what about any other laws? What about disclosure laws where service providers in the home country are required to disclose information to the government? Should the foreign service provider be required to follow those laws also? If not, why not?
I'm saying that if you argue that country-a service provider is required to follow the laws of a user from country-b, perhaps because you agree with the laws of country-b (regarding "protection of privacy" in this case), then that logic creates a problem when you don't like the laws of country-b or when they in fact conflict with the laws of country-a.
I was specifically responding to the assertion that "If a company wants to operate in Europe and accept European customers, they abide by the law" and pointing out that accepting that logic may not lead where you want it to lead.
Sure you can refuse to do business with customers from other countries, but now you have to have some process for determining what jurisdiction the user is from including figuring out how to protect yourself from a foreign jurisdiction that decides that you didn't do enough to discern the true jurisdiction of the user (who may have given incorrect information, clicked through the form, etc).
It is not obvious exactly what would be the best way to manage that risk.
This is not true either. GDPR will apply to all of the EEA, like most EU regulations: https://planit.legal/blog/en/the-applicability-of-the-gdpr-w...
It's not even resident, the bar is far lower. A US resident on holidays to europe is covered.
See https://cybercounsel.co.uk/data-subjects/ (linked in a sibling comment)
The US commonly accepts utility bills in your name. The EU most likely requires you to have a residence permit.
Edit: that said, GDPR may still cover you while you are within the EU borders: https://news.ycombinator.com/item?id=16751963
In the EU laws on residency are different for each member state.
You become US tax resident based on the significant presence test without presenting any proof
You become a legal permanent resident in the US when you get a green card.
Proof of residency is only required in US states that follow REAL ID act which California only started conforming to this year.
Of course, Facebook has other options (many users just tell them where they live, you can even fill out an address) so you could try claiming to live in the EU there, too.
That won't be sufficient. If you're living in Antarctica and are on a summer holidays on an austrian glacier, you're covered by the GDPR.
I might have a moral obligation to use Facebook again.
This is not true. https://cybercounsel.co.uk/data-subjects/
Being a French citizen living in the United States is not having multiple nationalities, only one (French).
This is doubly attractive if they can have a European subsidiary that only pays the fine on European revenue.
(I’d rather see the penalties be strengthened, to be clear.)
That won’t work. It’s 4% max, per infringement.
Legal concepts like "beneficial ownership" and the definition of an "affiliate" under U.S. securities law deal with this.
TL;DR: When it comes to taxes, modern law isn't tricked by incorporated Russian dolls.
If you're late to the party, which I think the majority businesses in and out of Europe are, means you have made other priorities.
Question is whether or not how hard they hit when GDPR goes live 25th of May. That remains to be seen, but it wouldn't surprise me if there's a `grace` period.
I think many small businesses are going to have to shut down EU operations because of GDPR.
Unified project processes, mandatory architectural reviews, IT-driven planning... if you're in a domain with lots of personal data the answer to why can't be cowboys and ignore IT 'just this one time' goes from "because we are trying to do IT right, dammit" to "because it's illegal" or "because the compliance costs are too high".
It actually mandates that you need to protect the data, and if it gets breached you need to notify the data subjects. So for example uber couldn't have a massive breach and just pay the hackers off and keep quiet.
The GDPR is a massive good for users of online services.
The basics of it aren't hard: build your systems to not store too much data you don't need, get permission for the data you store, make sure it's secure and make sure you can delete it when needed. I don't think that is too much to ask, do you?
> Governments pressure private companies with this, but in the same time are making it easier and easier for themselves (govmnts) to spy on people and infringe on people's privacy
Looking at how prism and other programs worked/works it seems like what GDPR encourages (Don't store what you don't need) would have actually helped against that.
With GDPR it will be harder to create a service that stores everything about you forever to be retrieved by FISA or whoever, and simpler to create a service that just stores what it needs, and encrypts everything it can.
I would understand if these features are available, though default to their 'current'/'non GDPR compliant' setting - but this does not seem to be the case.
Without an explanation how and why these decisions are being made, which is not 'legally' required; I think more and more users should question Facebook, and their motives.
I'd prefer "no comment atm" rather than this string of vague words, but then TC wouldn't have an article.
Unfortunately it's hard to find any news outlet these days who refrains from such shady tactics :(
I hence started blacklisting news sites that I notice spreading FUD...even if that means I end up with no news.
On social media it’s actually less of a problem because I am able to engage with the person who shared it
[conclusion left as an exercise for the reader]
Does GDPR apply? Can I go around making annoying requests to apps and services I use?
I found this excerpt from https://cybercounsel.co.uk/data-subjects/ informative:
A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.
If the Data Subject, moves out of the EU border and say becomes an expat, or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.
That kinda makes sense?
I wonder if this could be attractive? "By EU law, we won't sell your data" is stronger than an American company's promise.
EDIT: So to answer the question directly: No, if you use a US located business from outside the EU you aren't covered no matter your citizenship, unless the data is being processed in the EU at some point.
Here's Article 3, "Territorial Scope", from the regulations.
---- begin quote ----
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
---- end quote ----
In the following, I'm going to say "company" rather than "processor or controller", and am going to say "EU company" or "non-EU company" instead of all that verbiage about established in the Union.
From (1) we have that an EU company has to apply GDPR everywhere to everyone.
From (2) we have that a company, regardless of whether it is an EU company or a non-EU company, has to apply GDPR if it offers goods or services to people in the EU or monitors their behavior in the EU.
(3) is just telling us that non-EU companies may also fall under (1) if international law says so.
Putting this together, it seems that for an EU citizen abroad they are under GDPR as far as EU companies are concerned, but are NOT under it for non-EU companies unless they are abroad somewhere where (3) applies. They are under it for non-EU companies only when being offered goods or services in the EU or when being monitored in the EU, so only when they are not abroad.
For example, using google analytics in many cases in the EU will now require opt-in consent, even for anonymous visitors. But unless a user registers and says, "hey, I'm an EU Citizen actually" you wouldn't know ahead of time. Makes much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
That could be risky for EU users abroad or behind VPN's, no?
While I understand the 'plight' of companies who rely on data sucking in some way, this strikes me as a good reason to just assume everyone is from the EU and figure out how to make a profit despite that.
If I were FB I would want to cover my ass on that one and accept any signal at all that the user is within the EU. Just conjecture though.
We detect that traffic is coming from the EU so we treat you differently and ask for consent etc. If you are Non-EU it's business as usual.
There are weird edge cases: If you are in the EU and use a VPN to appear to be in Virginia then we will not know you are really in the EU and you will get the non-GDPR treatment. Again, technically we can only do so much.
I mean, if you keep the logs in the same place you will still need to scrub IP addresses from them and every other thing that comes with it, so wouldn't it be easier to treat everyone with the most strict privacy standard?
I think we should start a campaign and lobby our own government to pass a law similar to GDPR.
No, they track everyone across the web via their embedded pixels and create "shadow profiles." I have never joined Facebook, but they still know me. I block their tracking by blocking their various websites. I'm not sure that's enough as I understand they still buy data. In their defense, I don't think they sell my data, except perhaps to the NSA.
Uhm, do those tools actually delete the data though? Are they not required to under GDPR?
My understanding is that GDPR would require a deep delete of user data from Facebook's systems. Anyone have info on how that would work with shadow profiles that Facebook creates on your behalf and without your consent? Seems like this would fall under the domain of GDPR. (Which also makes me think of just how misleading that quote is from Zuckerberg)
What's the difference? Well, it's helpful to have some context on how data is used in a place like FB. Data originates (for the most part) with the user. It gets dropped in one of the many operational data sources that back the service. From there, it's mostly waiting to be used by someone for some reason, which might be a ML project or something else. So, then you will want to move the data. You'll make some sort of pipeline from the source to where you want to work, such as ETL the data you want out or set up some sort of messaging system to handle things in an online way.
Maybe now that you have the data, you'll share it with other people working on the project. The data might be distributed (best case) through an environment meant to work with the data (e.g., Spark/HDFS/Hadoop) or might just be sent piecemeal as CSVs. Once the project is done, the data might just be left in place. Who knows where those CSV's go?
One of the big requirements of GDPR is deleting an individual's data EVERYWHERE. And while the above is a sort of simplified view of use of data in a logical manner, I can assure you someone out there somewhere is doing something that doesn't make sense. In light of that, getting rid of a person's data everywhere is a HUGE architectural/infrastructural/process problem for a platform like FB.
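The erasure fan-out this comment describes, as an added example that is not part of the original thread or any real platform's code: a lineage graph records which copy was derived from which, an erasure request walks it from the operational source, and copies with no automated delete hook (the stray CSV) come back as residual work. All dataset names and the `purgeable` flag are hypothetical, and the sample data is constructed.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Dataset:
    name: str
    subjects: set = field(default_factory=set)  # user ids present in this copy
    purgeable: bool = True  # False: no automated delete hook (e.g. an ad hoc CSV)


class LineageGraph:
    """Records which dataset was derived from which, so erasure can fan out."""

    def __init__(self):
        self.datasets = {}
        self.children = {}

    def add(self, dataset, derived_from=None):
        self.datasets[dataset.name] = dataset
        self.children.setdefault(dataset.name, [])
        if derived_from is not None:
            self.children[derived_from].append(dataset.name)
        return dataset

    def downstream(self, source):
        """Breadth-first walk: the source plus every copy derived from it."""
        seen, order, queue = {source}, [], deque([source])
        while queue:
            name = queue.popleft()
            order.append(name)
            for child in self.children[name]:
                if child not in seen:  # diamonds in the pipeline are visited once
                    seen.add(child)
                    queue.append(child)
        return order

    def erase(self, user_id, source):
        """Purge user_id wherever a delete hook exists; report copies left over."""
        purged, residual = [], []
        for name in self.downstream(source):
            ds = self.datasets[name]
            if user_id not in ds.subjects:
                continue
            if ds.purgeable:
                ds.subjects.discard(user_id)
                purged.append(name)
            else:
                residual.append(name)  # a human has to find and delete this copy
        return {"purged": purged, "residual": residual, "complete": not residual}


def build_sample():
    """Constructed pipeline: operational store -> stream -> analytics -> CSV export."""
    g = LineageGraph()
    g.add(Dataset("users_db", {"u1", "u2", "u3"}))
    g.add(Dataset("events_stream", {"u1", "u2", "u3"}), derived_from="users_db")
    g.add(Dataset("hdfs_features", {"u1", "u2"}), derived_from="events_stream")
    g.add(Dataset("daily_aggregates", set()), derived_from="events_stream")
    g.add(Dataset("analyst_export.csv", {"u2"}, purgeable=False),
          derived_from="hdfs_features")
    return g


if __name__ == "__main__":
    graph = build_sample()
    print(graph.erase("u2", "users_db"))  # u2 survives in the untracked CSV
    print(graph.erase("u3", "users_db"))  # u3 never reached an export
```

A copy that was never registered in the graph at all does not even show up as residual, which is the failure the comment is pointing at.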
It will be interesting to see how this plays out. Will FB require users to stipulate that they do not have an EU passport? What happens if we all say we have one? How would they verify that?
A US citizen living in Hamburg is covered by GDPR.
An Austrian citizen living in the SF Bay Area is not covered by GDPR.
Don't know if this makes it easier or harder.
So, I honestly don't know how Facebook could possibly make this distinction in an efficient manner. So, as an American, I'm pretty happy.
I haven't yet read the whole of GDPR, so maybe there is something further in that changes this, but based on Article 3 that does not seem to be the case. Here's an earlier comment of mine that quotes Article 3 and discusses this. Here's a link to a nicely formatted online copy of GDPR.
It appears to require protection when either (1) the entity processing the data is in the EU or (2) the person whose data is being processed is in the EU.
I doubt it, but it would be interesting if Estonia's e-residency thing would be enough.
I think lots of EU law applies to residents, rather than citizens of an EU member state.
They already have to meet GDPR in Europe, it's actually easier to not maintain two separate sets of rules, so the decision to not give people worldwide the same protections as in Europe is an intentional choice to do more work to give people less privacy.
But it's more profitable to maintain two separate sets of rules in this case.
Am I missing something?
Going back to the top of the thread, the idea was that this is a decision that looks bad in a moment where everyone’s looking at Facebook.
If extending the behaviour worldwide were a difficult engineering feat, that’d provide a simple outward justification for Facebook to not bother.
But in reality, it’s more difficult to keep the two systems around.
Taking that path implies that Facebook actively benefits from breaking the EU law, and justifying it outwardly in the current climate means establishing how the EU law actively harms Facebook’s users... while not admitting that they violate user’s privacy, and profit from doing so.
[And as others have suggested... even if it’s the right move to implement things this way — it makes ~0 sense to draw attention to it.]
Now, could Zuck have said something more articulate than “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing?” Absolutely. He could have said "we'll be working to create a streamlined interface for people to achieve many of the most important benefits enjoyed by EU residents under the GDPR, without requiring them to jump through legal hoops and read a 90-page law to format a request correctly. This is all in progress, but we're committed to making radical transparency accessible to our users." Then there could have been positive spin. But instead the "less is more" approach leads to articles that assume the company to be operating in bad faith.
"If your enterprise has a presence on the internet in the form of a website and if your enterprise collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR." 
Short of actually requiring you to upload your passport, how can Facebook make sure only European citizens get the added privacy?
Because I know, as a non-European, I want to get in on this action.
What about users who have two or more citizenships? What about users who have none? What about users who have citizenship only in countries the site doesn't recognize?
> Short of actually requiring you to upload your passport
Given that this is about the GDPR, wouldn't that only make things worse for the site? Edit: also, what about people who have neither a passport nor an identity card?
As long as one of them is in the EU, the GDPR would presumably apply. Generally you get all the rights (and responsibilities) of all your citizenships should you have multiple. Even without multiple citizenships this often arises since you have rights as a resident in one country, while having a single citizenship in another country.
> What about users who have none?
The GDPR would not apply.
> ... what about people who have neither a passport nor an identity card?
The easy out would be to allow the GDPR benefits to anyone who claimed to be from the EU, without requiring them to prove it. This would be compatible with the GDPR, although it might allow some "leakage" (from Facebook's perspective) in that people outside of the EU might fraudulently claim the GDPR benefits.
Not possible. Can't say 100% about all countries, but in my country it's a must to have either passport or ID once you hit 16. There's even a small fine if you don't take out or renew personal document on time.
US and their passport-less life looks very strange from Europe. You can't do anything without ID in EU. No bank account, no employment, no driving license and the list could go on and on.
(However to get back onto topic, most people in the UK will have a passport, otherwise they should have a NINo allocated at birth. For the people who have neither, the GDPR is the least of their worries.)
However, personal number is not guaranteed to be unique because of how it's issued. We have funny stories once in a while when people with similar (or even identical) names happen to have same personal number. A photocopy of ID in important governmental or banking actions.
What happens if a site operator in Iowa just ignores it.
Okay, they might get a letter or two that they place in the circular file.
Other European businesses, will be banned from doing business with them. For facebook they can stop them buying advertising space, for others they might issue orders to block payments to them. Some small players in Iowa may still get away from things but no one notable will.
Can you enunciate where the GDPR excels and fails, or is national origin insinuation enough?
But it seems like a complex law and it's likely we won't know the hidden downsides until well after it's implemented.
Forget decide--why did he feel the need to make a personal announcement? He is too busy to testify in front of the United Kingdom's MPs. Yet he can find time to personally throw dirt on the EU's privacy rules?
For the head of a social network, this man is shockingly clueless.
Because it sends a bad message, and Parliament et al have the ability to materially affect facebook's revenue by passing & enforcing laws like the GDPR etc
The GDPR version of Facebook really can’t function as a social network - at least not the kind of social network that we would recognize today. So it may be easier to have one version, but that’s not going to happen, and it would be a disservice for the 99% of users that don’t care about privacy but do care about all of the features they are going to have to give up.
My point was that the law leaves massive room for interpretation. The threat of aggressive application and interpretation of this law could deliver significant leverage to the EU over these companies in matters reaching far beyond privacy.
Could you explain that?