Europe’s New Privacy Rules Favor Google and Facebook (wsj.com)
66 points by RestlessMind on April 24, 2018 | 177 comments

The true cost of GDPR doesn't come from compliance itself. It comes from trying to protect oneself from the legal vulnerability it creates for businesses.

Like any regulation, once enacted, it creates yet another reason to harass, burden and encumber businesses - no matter what business model they have or if they are shady or not.

Large companies truly love this. Their already considerable legal departments chew any new regulation the moment it appears while the newly erected walls keep those pesky startups away.

Small businesses do not even pay the price - they simply cease to exist, to be founded. It's a chilling effect. The prospective founder says "why bother with this shit when I can simply get a job"?

The visible end result: a Europe more and more hostile to startups staying on the sidelines while the US wins the innovation race for the future. Fewer startups means also fewer large businesses (just look at the most valuable companies in the world, how many of those are European?) and thus fewer well paid jobs in the future (just check out the difference between an IT salary in USA vs Europe).

Yes, let's allow companies to process personal data indiscriminately because it will help small businesses. /s

Please provide actual evidence that it will do so and that small data processing businesses actually had to endure big legal fees due to privacy protections.

The lack of start-up scene in most of Europe is caused by very different factors, mostly more conservative and less wealthy investors.

Not related to the ads industry but GDPR compliance in general for smaller companies (which is discussed in various other comments to this article), I would like to add these remarks:

I think ”GDPR compliance” is not a binary thing - there are levels of compliance. No smaller normal company or Google or Facebook will be able to “fully comply” at any point in time. There will always have to be incremental improvements over time, hopefully in the right direction.

Also recognize that the obligations in GDPR “scale” with the size of operation/amount of data that is processed. For example smaller companies:

- are exempted from some of the record keeping obligations,

- may not have to appoint a data protection officer,

- may often not have to do data protection impact assessments,

- may not have to set up and implement some policies relating to data protection

- may also have fewer obligations when it comes to Privacy by Design (since reasonable costs are a recognized factor)

- may generally have fewer data processing activities that require consent (most normal personal data processing does not)

I would also forget about scares of 4% fines unless you are doing something really bad or do not care at all even after a fine, reprimand or warning from a Data Protection Authority.

My guess is that the “normal level of fine amount” will not change with GDPR for data protection violations in the EU (compared to current UK levels). This seems to be what the UK's Data Protection Authority (ICO) is going around and telling everyone as well (if I have not misunderstood).

> No smaller normal company or Google or Facebook will be able to “fully comply” at any point in time.

Which makes it ripe for abuse. By making a regulation that is impossible to fully comply with, they have created a situation where any (or all) of the 28 countries in the EU can fine any company at will, because they're never fully in compliance. Further, individual users can seek compensation under GDPR - companies will be deluged with such claims.

Just having to depend on the goodwill of regulators who you think will just be attempting to enforce the spirit of the law is a terrible position to put companies in. When these countries and individual citizens are starved for cash, all of a sudden the letter of the law will be the only thing that matters, as is always the case with regulations that put all market participants in violation by default.

The level of fines looks like it will be harmonized by EDPB (a board of all Data Protection Authorities) so individual DPAs will probably not be able to set arbitrary levels. There are also the one-stop-shop rules so a company will normally only have to deal with one DPA.

When it comes to compensation, you have to show what material or non-material damages you’ve suffered. Class actions are generally not a big thing in the EU. Sure, there is an exposure here but in practice I think it will be very limited, especially for smaller companies.

> When it comes to compensation, you have to show what material or non-material damages you’ve suffered

You realize that "material or non-material damages" can mean just about anything right? If it were limited to "material" damages, that would at least impose some form of sanity. The way this is written, it's a free-for-all. Saying "I have had a lot of trouble sleeping since I found out that only 45 of 46 tracking companies were listed on the disclosure" is all it would take for an individual to obtain money from a company under this absurd regulation.

They'd have to prove in court (to the balance of probabilities) that they have insomnia and that the insomnia was caused by the non-disclosure. They would also have to show that this is an expected result of non-disclosure.

Assuming they do this - how much do you think a compensation payout for insomnia is worth? How many thousands of pounds do you think people would get?

I don’t know, but if you multiply the cost of defending one of them by the millions of such nuisance claims that will be filed by people, and it will quickly add up.

You're saying millions of people will be willing to commit several criminal offences in order to attempt to get a payout of about £1000, in a system that routinely doesn't pay for psychological harm?

I mean, those people can already do this, and they don't appear to do it, so I'm not persuaded GDPR will trigger a bunch of claims.

Is it a criminal offense though? How can it be disproven that you haven't been sleeping as well as you normally do, or that you've been having anxiety because an externally loaded PNG served a cookie that wasn't disclosed (because the website operator didn't know about it)? They'd have to disprove that to jail you for making a false claim.

Yes. Exactly what non-material damages means will be up to CJEU to decide eventually. I do not think many people expect it to mean “free-for-all” and I do not think your “sleeping example” would suffice. Admittedly, no one can know for sure at this point in time though.

I just want to add for the record that I am not a fan of very complicated principles based legislation (which GDPR is) by myself. It is not easy to comply with and it has clear drawbacks.

But now we have GDPR I wanted to state facts (as I understand them) so people can get a more nuanced view of what to expect and hopefully help them with how to deal with compliance in a reasonable manner.

As suspected, smaller companies seem to be hurting a lot more than the giants. From the article:

A digital-advertising firm called AdUX recently closed a service that harvested location data from people’s smartphone apps to show them targeted ads, said CEO Cyril Zimmermann, because his firm had little hope of asking for—much less getting—consent from users. Instead, AdUX will aggregate data from bigger companies. He said the shift has cut into revenue. “For them, it’s easy,” he said. “The problem is, who knows AdUX?”

That is exactly the kind of cancer that GDPR is intended to remove.

As they explicitly said, there is no way anyone would volunteer this yet somehow they think it is ok to abuse it just because they could.

This truly is wonderful.

So a spyware producer had to shut down a spyware based product because of the GDPR? That's working as intended.

Hopefully it will bite the giants the same way.

Giants have too much at stake and too many resources at their disposal. Either they will throw tons of resources to fend off the problem or they will take a few bites. As an example, Google's stock was unaffected even after being fined $2.6B last year.

>As an example, Google's stock was unaffected even after being fined $2.6B last year.

What is this supposed to be an example of?

How government regulations and penalties won't really bite the giants. (to address GP's point)

The fine didn't really come as a surprise, I'm not sure why you'd expect it to have a visible effect on the stock price?

That may be because the market already had accounted for it.

Do you really feel sorry for them? I don't.

How does GDPR affect selling personal data? Once I've given permission for a company to collect my data, can they just sell it to whoever they want? Is there any way to get rid of that data once it's been sold? Is there any way to find out who's bought it?

That's a lot of questions. To sum up, the GDPR is forcing:

- granular consent (like you might opt into a newsletter, but not retargeting ads)

- right to request what a company knows about you

- right to get that data in digital format (json, xml)

- right to know when your data is exposed in a data breach

- right to request that your data be deleted

- right to request that an organization stop processing data about you

fwiw - I wrote a bunch more about it (link) and am happy to answer questions.


So as long as there are 1000s of companies like AdUX that purchase my data without telling me or acquiring my consent, I don't really have any hope of actually having my information deleted.

I suppose someone could make a service that lets you request every known company delete your info.

If they want to comply all those 1000's of companies will have to get you to reaffirm your consent under the new GDPR rules. Didn't you notice already a lot of the services/sites you use asking you to re-agree ('We've updated our privacy policy etc.')?

Are you sure that all applies to companies that purchase personal information and not just companies that collect it?

They also process the data which is explicitly mentioned in GDPR.

Yep. If a company purchases PII and then uses it for any reason, say marketing, they have to store how they got consent from the users to use that information.

It applies to all companies that process personal information, where processing also means access.

Under the GDPR, who would they buy it from? A company that sells the data would have to have the user’s consent to sell on their personal data.

> can they just sell it to whoever they want?

No. If you process my data you can only give / sell it to other companies that are GDPR compliant.

People keep saying that GDPR means you must have consent, but that's not true for all forms of GDPR compliance.

If I have a small business with 5 employees, and I use a company to do payroll, I don't need to get my employees' permission to send their data to the payroll company. I do need to tell them it's happening, and give them the ability to query what data is being held and processed, and to make corrections to incorrect data.

This strikes me as a fluff PR piece to try to head off similar legislation in the US.

I've posted this before: GDPR is good independent of any effects it has on competition.

Governments already have the tools to deal with market dominance: antitrust enforcement. The EC has three antitrust cases against Google. One decision has already been given, and the Android decision will be made sometime within the next few months. The Federal Cartel Office in Germany has opened a probe into Facebook [1][2].

[1] https://www.politico.eu/article/facebook-data-collection-cou...

[2] https://www.reuters.com/article/us-facebook-privacy-germany/...

A $100+ million revenue company has the capital to comply with GDPR. The 1-5 man bootstrapped start up does not. They will be in the 3 felonies a day type of non-compliance and hunted by bureaucrats looking for easy targets. Other countries have a philosophy of exempting small business from complicated regulations because of this. The EU tends to not do this.

That is the fundamental issue and it has nothing to do with monopoly.

Just like you need progressive taxation to not choke out the poor, you need progressive regulation to not choke out the small business.

I did not see anything in GDPR which does not make sense to me, it looks like common sense applied to data management. (Edit: It's rare enough to have some legal text in IT which makes sense in real life, I'm surprised). I don't see why small businesses should be exempt from basic regulation, small businesses are not exempt from fire safety regulation either.

> The 1-5 man bootstrapped start up does not.

In my current company we are only two developers and we will comply with GDPR, it's going to take us a week or two worth of technical work, it's really not a big deal.

The GDPR seems easy, but I get a feeling you haven't tried to actually properly implement the GDPR regs, talking to lawyers and everything. If you have you'll see there is far more involved than you think.

I wish it was easy as just manually looking for user data after an email, deleting it, and keeping that email request as part of the 'audit log'. And getting affirmative consent during signup.

Most small businesses would be fine with something that casual.

EDIT: If you guys winged it by actually just reading the regulations and winging it, you probably did something wrong.

> EDIT: If you guys winged it by actually just reading the regulations and winging it, you probably did something wrong.

Most of the work in my company for GDPR is around user profiles, we store very little data about the users so we don't have that much to take care of. I guess if your business is to gather customer data, it's a completely different story.

You are responsible to everyone who you have data about, regardless of whether or not they are your user.

If I use your service to store a photo of my mom, you now have a legal obligation to her even though you don't even know she exists. Any text that you store, you are required to know who is mentioned in it and give them tools for download, right to be forgotten, etc.

> You are responsible to everyone who you have data about, regardless of whether or not they are your user.

We have zero data on non-users so this part is not relevant to us, like I said it's not a data-gathering company. For the tools to download, remove data, consent... That's what I meant with that one or two weeks worth of work.

this isn't true. Because it's not personally identifiable information.

If I take a photo of a crowd of people and upload it to a cloud service, that does not create an obligation on either me or the cloud service to identify all those people and give them the opportunity to opt out (or in).

I own the copyright of photos I take. I don't need permission from people to take their photo in a public space. They have no right to ask me to delete the photo or remove their face from any photo that includes them. Even if I store it on a computer.

If I provide a service that identifies all the people in a photo, then I am storing personally-identifiable information and I need to give the person I have identified the opportunity to remove their data from my system.

That doesn't mean removing their face from the photo, but does mean removing the data that allowed me to identify them in the photo. There's a difference.

All I know is that my company stores image data and we don't do any face recognition but the lawyers say that to comply we need to start removing faces.

that's interesting. Do they say why?

Because faces are personal information under the gdpr.

Why? You do not know which user uploaded which picture?

Accidental uploads of private data by the user are perfectly fine in terms of GDPR but you must allow for these to be removed on request.

If you automatically scrub them it is good, but you do not really have to do that. Telling the user how any pictures will be used and how to get rid of them is enough.

Which user uploaded which picture is irrelevant - whoever's face is in the picture has rights under gdpr.

I'm not a lawyer, but surely their face must be identified to be covered? A random face in a crowd is not identification of a person...

That's like screening all your binary executables for accidental inclusion of someone's name in ASCII amongst the bytes.

What you are suggesting would not only make compliance of GDPR impossible for any company that accepts any form of user submitted data, it would also violate the privacy of the users submitting said data.

If I, party A, send a message to party B that happens to contain information about party C, party C does not get to see the messages between parties A and B just because it concerns them or has personally identifying information about them.

Actually, under GDPR they do. You need to perform data discovery to identify that data.


GDPR does not cover only data you collect through your primary business model but ALL DATA defined as Personal Information under the GDPR.

Not really true, unless it was explicitly submitted as protected data.

What you have to do is to provide a way to scrub accidental data leaks.

I'm thinking cases like "someone posted a picture of their friend with a cat on your site". Not explicitly labelled "send in a photo of yourself".

Or if someone posted another's address. You should respond to it at least in request, preferably earlier.

The discovery service is mostly to help people transition by checking their third party operators if they do not know who that is.

The GDPR is inconvenient with many of the shady business models popular among web-centric companies.

In the long run, it's good for all of us if those business models are discouraged.

It's inconvenient for the non-shady, non adtech, we give you a service in exchange for money businesses too!

I think the best thing to take away from GDPR compliance is 'it's not as easy as you think it is', 'it's not as obvious as you think it is', and small businesses who totally respect privacy will probably still be breaking GDPR.

I'm OK with that and I accept that cost, because in my eyes stopping the savage victimization of users is worthwhile. For you (or the WSJ) to persuade me that the GDPR is problematic, I'd have to believe that first, that's something that those opposed to the GDPR actually care about, and that it's something that could be achieved through other means.

Except this does nothing to really stop the savage victimization of users by Facebook or Google. If anything it solidifies their dominance.

The abuses are happening from these big companies, not the thousands of tiny startups that live and die within months that have a few hundred thousand users.

So your proposal is a return to the status quo ante and unlimited exploitation of users? Not good enough. I will take the imperfect good of the GDPR as an incremental improvement over the option of abject surrender.

No the proposal is to apply the GDPR to the large organizations that can afford to implement it properly. It's not black and white ;)

GDPR is not applied indiscriminately you know. It has various responsibilities indeed depending on company and/or database size.

Actually, it does. Thanks to GDPR you now have to opt in to allow Facebook to track you in photos etc.

And startups that exploit users don't really provide much of anything anyway.

Facebook’s harm comes from wasting your time and putting you in an echo chamber of agreeable people and agreeable thoughts.

They can make it all opt-in fairly easily as a requirement for using certain features. People will blindly click and continue like normal.

Well, there are tons of people that use facebook to the smallest extent possible and that only because they are forced if they want to be informed of certain events etc. This is a huge step in the right direction for a lot of people.

This argument is of the "we can't solve the problem completely, so let's do nothing about it" kind. The abuse is happening from both camps and we all know it, especially here on HN where some of us are actively developing user-tracking schemes and ad-targeting platforms for a living.

IMO, it's less "both camps are doing it" and more have we now insulated these giants from any future competition.

For example, how do the decentralized social platforms (Mastodon, Diaspora) exist under GDPR?

Under explicit consent of the people putting the data in. All this needs is a nice informative screen on how the data will be used and that it will be publicly available, which may mean being processed by other registered users and unknown third parties.

The networks will not be able to process the data in other ways than making it available.

If you break someone's privacy laws you will be liable directly.

Probably also a note that data on this network cannot be completely deleted for specific technical reasons.

I think this objection sounds vague. Could you give some examples of regulations where one should talk with a lawyer before implementing?

Do you have any european contacts on your mobile phone? Hope you have consent for those. We’re at this level of inconvenience.

Do you think you have contacts on your phone from people who are not OK with it, and if that's the case do you think you should be allowed to keep them as contacts against their will?

GDPR or not, that could already be judged as some form of stalking by the already existing national laws.

Edit, people don't seem to like that, but the fact is that just having saved the contact info of people who did not want it has already been used as sufficient proof in harassment (I think? "harcèlement") cases in France. I would be surprised if it was not already the case elsewhere as well.

If your contacts are synced to the cloud, were they informed that their information will be transferred and processed overseas?

Probably not. But it would be great if you could prevent your own contact info from being sent to companies outside the EU, indeed. In practice however, I don't think that will happen.

One of the problems stems from this dichotomy:

> I did not see anything in GDPR which does not make sense to me, it looks like common sense applied to data management


> I get a feeling you haven't tried to actually properly implement the GDPR regs, talking to lawyers and everything

Which can be further shortened to:

common sense versus talking to lawyers

While interpretation of laws by necessity is at best difficult and at worst fraught with peril - reality in all its complexities is hard to catch in a few written pages - the legal profession has turned themselves into virtual toll collectors for anything related to law. Ask a lawyer about the legal implications of preparing a peanut butter sandwich and you'll be first presented with a legal disclaimer - pay me if you want advice - and then treated to a tale worthy of Lewis Carroll. GDPR is a $deity-send in this respect, good for many a year of steady income, especially given the stiff fines which threaten.

...which does not mean the person who used common sense to interpret the law is wrong. He is very much likely to be right and, having spent two weeks of technical work to prepare their infrastructure they're probably set to fulfil the obligations the law puts on them. It might need some fine-tuning here and there but that can most likely be handled as well without incurring the wrath of the courts.

In short, talking to a lawyer about being able to do something like this by yourself is more or less guaranteed to give the same reply as e.g. talking to someone who does data rescue whether you could replace the head stack on a hard drive by yourself. In both cases it is possible as long as you're careful and use the right tools, in both cases the answer will be 'you could do this at your own peril, disaster is waiting to strike, you take up enormous risks, let the professionals handle it'. Which is true to a certain level, there are risks just like there are risks in any venture.

So, honest question for you and others who know more about this stuff: is it possible that perhaps you're erring on the side of caution a little too much?

It's a lawyer's job to worry about everything that could go wrong, and assume a worst-case scenario, but surely in many cases GDPR will be about the spirit of the law rather than the letter?

For example, while I personally think the backing-up-now-deleted-user-data issue is not insurmountable, assuming it's not, I cannot imagine that these 'small companies' will be fined left and right for failing to remove a user's data from every backup. And that's even assuming that there's a high likelihood that said backups will be investigated.

To make an analogy: there are quite a number of regulations in effect concerning invoicing that are flagrantly violated by almost every single small-business owner that I know. Some of them have won the 'audit-lottery' and did not suffer any significant consequences, because their transgression was relatively minor (stuff like correcting an invoice and sending it without properly sending a credit-invoice first to nullify the initial invoice).

Again, I'm way out of my depth here so by all means yell at me for being irresponsible about this :).

As someone responsible for implementation -- yes, we are probably erring on the side of caution too much, but "probably" doesn't cut it with the potential fines on the line.

- How big is "probably"? 5% chance? 0.01% chance?

- Maybe they will be lax on cookie policy slipups but not on purging delete requests from backups, how are we to know on May 26?

- Maybe they will only investigate the big public giants, or maybe they will respect maliciously-intended complaints from competitors?

This is why, for example, Delaware is the chosen state for corporations -- case law is settled and has a very predictable legal framework. In the absence of data, it's hard to know WHERE people will get the hammer.

This post will be illegal in a month and fault will be with hacker news:

Doesn’t seem to make a whole lot of sense.

I don't see the link between your comment and GDPR.

I think what GP is trying to do is to post their IP address in a comment, which is personal information under GDPR.

No it isn't. IP addresses are not personal data unless you link it to a natural person.

And that’s where you’re wrong. Logically? Yes. In GDPR scope? They are personal data.

Guys debating with you is a blast but if you keep downvoting all correct information because it doesn’t match your gut feelings you’ll just become even more of a circlejerk of what you already have here.

> correct information

You are being downvoted because you are factually incorrect. IP addresses are only personal data if you can identify a natural person from them. You can't do so unless you've linked them to other information. Thus, by themselves IP addresses are not personal information.

Article 4: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

> 1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

> directly or indirectly

Keyword indirectly. There’s plenty literature regarding ip and gdpr.

“The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces information would be combined, the website provider could find the identity of the person behind a certain dynamic IP address.”


And many others up to and including the gdpr preamble

Please stop confusing the readers on the matter.


Why would the "website provider" ever be given access to the dynamic IP assignments of an ISP? This information will normally only be given out by court order and/or police request, at least in my native Sweden.

Doesn’t matter. This is what the eu justice court said when it was challenged in court: going from ip to identity is one simple legal request away so it is personal identifiable data. End of the story.

Your second link above ( https://www.jdsupra.com/legalnews/ecj-confirms-dynamic-ip-ad... ):

In particular, if the website operator cannot legally access third party information that could be used to identify an IP address owner, or if access to such third party information is “practically impossible”, then the IP address is not personal data from that operator’s perspective.


There ya go. You sucker can keep downvoting facts as you wish, reality won’t care.

So then all he needed to do is write his name in addition to his IP address in the comment?

that's personal data for which hacker news doesn't have a consent form. even if I don't ask a deletion, that's a huge liability for the site owner.

it's not like down voting these post changes the GDPR wording and definitions guys.

You volunteered that information (without being asked, to boot), so it was obviously not taken without your consent.

How do you know that is his IP address, or someone else's IP address? Under GDPR it doesn't matter whose they are.

Here is another piece of GDPR PII:

9-5 Allée des 4 Vents 69160 Tassin-la-Demi-Lune, France

Random address I pulled from google maps of someone's house.

There’s nothing in gdpr about data being given up voluntarily

It's not personal data until it's linked to a natural person.

Nope ip are personal data by themselves

No they aren't. They're only personal data if they can be linked to a natural person.

Who is

Article 4:


> 1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Keyword: indirect



Etc. That’s what the european justice court said last time it was called to determine whether ip were personal information or not. What you gonna do now, downvote the proceedings?

From the articles that you provided:

> an internet service provider ("ISP") has a record of the temporary "dynamic IP address" assigned to a particular user's device (potentially identifiable data); and

Here they're not talking about "IP addresses", they're talking about "IP addresses assigned to particular users".

> In answering the BGH’s first question, the ECJ confirmed that dynamic IP addresses are considered personal data within the meaning of the Directive in circumstances where the data collector (e.g., a website operator) is likely or reasonably able to obtain information from a third party that would allow it to identify the user.

This clearly says that an IP address by itself is not personal information. It only becomes personal information when you can identify a natural person - when you link it with other data.

> when you link it with other data.

> reasonably able

It clearly states 'legal means' to identify the user. A subpoena is a perfectly reasonable and legal way to disclose an identity from an IP and doesn't require access to any other personal data, merely that such a link from IP to identity exists. The link is the "third party information to identify the user". It's not that you correlate an IP with a cookie or other technical means. You have to get out of the engineering mindset.

Except for the fact that you can easily adjust to your taxation as you grow, but that doesn't really apply to designing your software product. The advantage of the GDPR applying to everyone is that in the future startups have to think about privacy first, rather than second. That's a good thing in my book.

The startup could just respect their users' privacy. It's only a matter of decency. Most people don't have many problems with it.

GDPR is about protecting human rights. My personal info staying safe is a non-negotiable prerequisite, and your 3-person startup making money is totally optional. If you are unable to comply with GDPR then you shouldn’t be allowed to touch other people’s data. I won’t pity you for exactly the same reason I would not pity a drug dealer complaining that his latest heroin delivery was intercepted by the DEA.

I think it’s good that EU tries to eradicate “let me steal and sell your secrets” business model that most SV startups are built on

I am glad that the EU won't exempt small businesses from GDPR compliance. Here's why ...

Everybody in the business knows that big companies become targets.

Therefore for startups it's a land grab, aka break as many social rules as you can before getting big enough to get noticed.

Just to give an example — Google's AdX platform has been anonymizing IPs given to participating advertisers at least since 2013 when I interacted with them. They also tightly controlled what kind of content and JavaScript you could serve on participating websites. For example we were not allowed to set our own cookies and even loading ad content dynamically (via JS) was a problem. The smaller ad exchanges, like MoPub and below? They didn't give a fuck.

The most immoral companies around are the startups. The difference being that they don't have the resources or the reach of big companies. But that's no excuse.


On progressive taxation, that's simply a tax on productivity, plain and simple. The majority being made of people that earn minimal to medium wage and of socially assisted folks, it's simply a way to increase taxes without pissing off the electorate. And it's choking the middle class and the small businesses.

And that's because the big companies and the big earners have good lawyers and accountants that can come up with legal tax evasion schemes. The EU can't wait to fine the likes of Google and Facebook, as they've been evading a lot of taxes ;-)

> They will be in the 3 felonies a day type of non-compliance and hunted by bureaucrats looking for easy targets.

NO THEY WON'T. This is just untrue. We've had decades of regulation - the regulators are not new - and so you can see how they work. They do not pursue everyone looking for easy cases. They go after the worst offenders, and they write letters asking them to come back into compliance.

This makes no sense. Why would understaffed EU prosecutors comb through hundreds of small companies instead of going for big headline grabbing companies they could levy giant sums of money from in the revenue-% based fines? This thinking is upside down.

There are also some relaxed rules in GDPR for SMEs.

Because it's easier to get a successful judgement against a small timer who is probably not doing it correctly vs a well funded large company. Both will happen, for different career incentive reasons.

Antitrust enforcement is not sufficient to protect against market consolidation caused by burdensome regulations.

A company that can afford to comply with the regulations can squash competitors who can't without being a monopoly.

And even companies that are declared monopolies benefit from burdensome regulations in the sense that people thinking of starting startups that might compete with them decide not to.

Are there other instances where I can demand people's time without compensation? Where I can demand they forget something all the way down to the fact someone visited their location? I see this as a move in the WOGPC.

Pressing the crosswalk button as a pedestrian and making traffic stop?

In fact the law requires us to do many things for other people without compensation. Part of the give and take of living in society.

Interesting counterexample, if you have more I would love to hear them. Where I live, I am required to render help if someone needs water etc. I like that law very much. Back to your example: In one case, I can press the button and then cross or not (I could stand there all day pressing the button). Without getting into local law, I bet that attack is illegal in most places, I suspect it is where I live. In the GDPR case, I can press every button in an entire union, apparently every 40 days.

EDIT: regarding response times, I found a breakdown: https://www.burges-salmon.com/news-and-insight/legal-updates...

Obviously this kinda-example ignores the point about forced forgetting which will be interesting in many ways; the astroturf market for example.

> I can press every button in an entire union, apparently every 40 days.

In most cases that will be considered "repetitive" and "excessive" - Art. 12 (5) - and businesses will be allowed to charge for fully responding to your "button presses".

Is it legal to ask every GDPR subject company? Is there a way to accomplish that? How often is it OK to ask (all of them)?

This is similar to outlawing free speech and then blaming everyone else for not doing the same because free speech keeps leaking back across your borders. Non-EU corporations will get the intel business, and that's a good thing. A demonstration of why sovereignty is important in the WOGPC.

GDPR allows you to ask reasonably. Repeated attempts to overwhelm the target are not allowed.

“It is paradoxical,” said Bill Simmons, co-founder and chief technology officer of Dataxu, a Boston-based company that helps buy targeted ads. “The GDPR is actually consolidating the control of consumer data onto these tech giants.”

He probably hasn't heard the term "revolving door". A simple study of antitrust policies would reveal to him that this is the case.


I'm pretty sure previous privacy laws did little to EU businesses. (Some local more restrictive ones like German neither.) This one will not do anything much like you said either. There are much more critical laws that are being tampered with such as tax code and employment laws.

I still don't understand how this is going to be enforced. If I'm a website or app provider in China or Philippines or Russia or India, and I collect information on EU residents who visit/use my website/service, how is GDPR going to be enforced? How are they going to fine me 4% of my revenue?

You arrest company officers flying into the EU (even for a layover, even for emergency landings) for default judgements.

You block their companies from doing business in the EU. You confiscate bank accounts set in the EU, you confiscate shipments to/from the EU.

For a public company, sure. How would you find company officers of private offshore companies located in Cayman/Seychelles/BVI?

Of course you can always do illegal stuff. GDPR won't change that. You can still buy e.g. stolen credit cards on the black market. But personal information? Doesn't seem worth the hassle, especially when you can anonymize it and keep using it. Or get consent. If you're smart enough not to get caught, you're probably smart enough to come up with a business model that isn't shitty.

And obviously, you block the service in the EU. Most users are not technically proficient, and a simple DNS block is enough.

Then Chinese people can teach them how to cross the 'WALL'.

As is the case with the Chinese firewall, most people will not bother. They will instead use alternate sane businesses offering similar services.

You don't need the Chinese, DNS blocking is used in many European countries even today, to block torrent or streaming sites.

Hmm.. might work if it's not a one-person shop with no company name, etc.

Yeah, might work if you have no plan on monetizing your product in any way. Not selling to users in the EU, not selling to advertisers in the EU, not selling anything to anyone in the EU, then you might get away with collecting data of your EU users ... for what exactly?

I found the US crackdown on online poker fascinating and disturbing in this regard. The poker sites were operating in offshore locations and abiding all local rules and regulations. The US then passed some laws stating that US players could not play online poker after extensive lobbying from local casino interests. These sites did not overtly stop US players from playing. And they were careful to keep all interactions with the US separated from themselves. For instance they did not handle financial interactions with US players or banks - instead it was all done through independent third parties.

Regardless the US decided to 'bring em democracy' which in this case translated to seizing their domains, freezing assets in banks worldwide, and staging arrests in all nations with extradition treaties. This cooperation by banks was quite surprising and disturbing, but I suppose the US is in a position to make them an offer they can't refuse. It's unclear if the EU would go the 'Team Merica' route, but we're increasingly deciding that laws are no longer constrained to borders.

> I still don't understand how this is going to be enforced.

As much as the "cookie law" was enforced. 99.9% of all websites on the net were in infraction. To people supporting this under pretense of fighting for privacy, it will have no effect on Facebook or Google business model.

Currently going through GDPR certification/signoff as a primarily US based company.

As a hacker, I enjoy the spirit of the thing. It’s nowhere near as dumb as the cookie pop-up law. Categorically I would prefer default third party services to flush logs rather than retain.

As a founder, the cruel business logic very much favors removing support/refusing to onboard European users.

Your exposure is in a fine for 4% of global revenue or 20 million euros. Whichever is greater. No big deal. Europe may make up 10% of your revenue. The effort is going to decrease resources by 20%+ in the short term, add unknown long term complexity and overhead, and longer term employing a compliance officer. Also can we go back to the 20 million Euro fine thing for a second? Any potential acquirer is going to want to double down on diligence before assuming risk like that.

The requirements initially seem innocent enough - ability to hard delete/export user history. Easy right. Some notes from my meeting with legal:

Well what about backups? Do you retroactively go through your backups and remove R2BF users? Do you only keep backups for 6 days? What happens if you delete the user and restore from a 5 day old backup? Do you keep a second list of users who requested you delete their data - and if so how do you store that? How do you now represent activity that materially affected other users still on the platform? Is this subbed out with a “blank shadow” user? The legislation very much does not solve for the recursive logic of “how do you track users who’ve requested deletion”. Counter-intuitively we would now have to log more user activity so we can gracefully handle rendering deleted data. Why do we have to file with a third party that we’ve deleted info on a user that requested we remove all trace of them?? What if a user enters PII in table entries owned by other users through that other user's account? What if they do it through a third party API? Speaking of, how do you ensure your third party API partners are in compliance? What if a user enters in PII in a field that you thought should have no PII in it? How do you treat EU citizens using your service outside the EU vs inside it? What if they use it in both places? What if you have an American user who happens to be located...

Sure most of these are solvable along with another hundred edge cases not illustrated, but for bigger apps at 50+ person companies almost every one of those points is a bullet point in a meeting that requires nuanced development from multiple stakeholders. Don’t think it’s hard? Try rolling into a meeting at Twitter and explain to them how easy it would be to add a button that lets you edit tweets. Some requirements are a BFD - you can imagine how things went over in a meeting where we half-jokingly suggested we no longer make backups rather than take on the burden of implementing a backup policy that may or may not be compliant with a new law that has no precedents in court to guide drafting a spec.

The net result is implementing it with the least effort and suddenly it’s just this dogpile of kludgey UI popover screens that people click through without reading and TOS updates and mandatory log outs and a lot of other things besides that add overhead to make it “non-trivial.”

It’s a big deal because pre-series A startups will choose to avoid these waters rather than navigate them.

While I'd love to say I sympathise, I do not. The end goal is not to make life easy for small businesses. The end goal is protecting the consumer.

All your remaining points seem more easily solved than the backup bit, but I do not understand what could be so hard about deleting a user from a backup. Perhaps I'm dumb, but just go in there and delete it retroactively? If it affects other users, that's ok. They see a [deleted] a la Reddit.

You're not responsible for ensuring the API partners are in compliance. Those companies should have to fend for themselves.

When you delete everything you stored about a user, you also delete all potential personally identifiable information, so I again do not see what the problem is.

It just sounds like a bit of whining from where I am standing. It's like a small bridge builder saying "but the standards are too damn hard!". We start with the end goal of safe Bridges and safe users and then go backwards. Not the other way around.

One problem with backups is that you don’t want them to be always online (store them offline and off site for disaster recovery). Backups can also be helpful in case of bugs that delete your whole database so that you can recover the data after the bug is fixed. Imagine the following query `delete from users where id = 372936 or status = inactive`. Unfortunately, due to a bug, all users have been marked as inactive. Now you destroyed the whole database. No problem you think, just restore it from a backup. Due to the new law, this script also ran on your backup. Congratulations, you have now lost all your users. Hence, you never want to “change” backups. You only ever want to restore from them.

The easiest way to comply with it would be to have a list with all user deletion requests stored somewhere else and every time you restore from a backup, you also apply this list from the backup. But have you really deleted users if you keep backups?

It's not a shell script that you will write each time a user asks for a deletion though, would it? It will be a carefully tested and automated procedure.

It certainly sounds like the possibility of deleting all your users might actually make us all more careful, less gun-slinging, shoot-from-the-hip programmers.

It will probably be an SQL query and if software development has taught us anything, it is that testing is not enough. Proper testing can be very helpful and prevent many errors but it can never prevent all because you just cannot test for all circumstances. This is why backups are helpful and why backups should not be changeable. It is a reason why backups were made on magnetic tape back in the day so it wouldn’t be overridden by mistake. Backups were just as important back when programming wasn’t all about that fast iterating and push updates and fix later – or gun-slinging programming as you call it – as they are now.

If backups are now live data you need to backup the backups. What happens if the procedure bugs out? It’s backups and scripts all the way down.

> All your remaining points seem more easily solved than the backup bit, but I do not understand what could be so hard about deleting a user from a backup. Perhaps I'm dumb, but just go in there and delete it retroactively?

I do backups for a living. I do them on tape, every day, and then once a month a truck takes them to a dedicated safe. 6 backups are incremental, one is full. Please explain it to me how I'm going to delete one single user. Thank you.

You don't keep the backup forever. GDPR forces you to take reasonable measures for deletion.

You could also keep a record of "to-delete" primary keys in event of a restore along with your backups.

All of this should have been implemented a long time ago, some European countries demanded this already.

I am surprised by the lack of imagination of people if they don't want to implement something (too burdensome, technically impossible,...) who can come up with decent solutions if it fits them.

A little anecdote for this: Recently I wanted to buy some insurance. The insurance company demanded wide leeway in handling personal data which by law (in Germany) has to be opt-in. I returned the paperwork, explicitly stating that I do not consent to use of the data beyond what is strictly necessary for the contract. I was told that contract can be made only with consent and that I could revoke consent later (the latter is mandated by law). What a bull-shit show. I am looking forward to GDPR coming into effect to give these businesses a middle-finger.
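The approach suggested in two of the comments above (leave backup media untouched, keep a separate list of deletion requests, and re-apply that list every time a backup is restored), as an added example that is not code from any commenter. The table layout, the ledger format and all function names are assumptions, and the sample rows are constructed.

```python
import sqlite3

# Constructed ledger of erasure requests, stored apart from the backups.
# It holds only opaque primary keys and the request date, no other user data.
# User 99 signed up and asked for erasure after the backup was taken.
DELETION_LEDGER = [(2, "2018-05-26"), (99, "2018-05-28")]


def make_backup():
    """Build a constructed 'backup' taken before user 2 asked for erasure."""
    backup = sqlite3.connect(":memory:")
    backup.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE posts (id INTEGER PRIMARY KEY,
                            author_id INTEGER REFERENCES users(id),
                            body TEXT NOT NULL);
        INSERT INTO users VALUES (1, 'a@example.test'),
                                 (2, 'b@example.test'),
                                 (3, 'c@example.test');
        INSERT INTO posts VALUES (10, 1, 'hello'),
                                 (11, 2, 'my phone is 555-0100'),
                                 (12, 2, 'reply to 10'),
                                 (13, 3, 'bye');
    """)
    backup.commit()
    return backup


def restore(backup):
    """Copy the backup into a fresh database; the backup is only read."""
    live = sqlite3.connect(":memory:")
    backup.backup(live)  # SQLite online backup API, source -> target
    return live


def apply_deletion_ledger(live, ledger):
    """Re-apply every recorded erasure to a freshly restored database.

    Returns the number of user rows removed. Safe to run repeatedly.
    """
    # Ledger entries are reduced to integer primary keys and bound as
    # parameters, so the only predicate ever run is an exact id match
    # (no room for an "or status = inactive" style mass delete).
    user_ids = sorted({int(user_id) for user_id, _requested_at in ledger})
    erased = 0
    with live:  # one transaction: commit on success, roll back on any error
        for user_id in user_ids:
            # Keep threads readable for the remaining users, Reddit-style.
            live.execute(
                "UPDATE posts SET author_id = NULL, body = '[deleted]' "
                "WHERE author_id = ?", (user_id,))
            cur = live.execute("DELETE FROM users WHERE id = ?", (user_id,))
            erased += cur.rowcount
    return erased


if __name__ == "__main__":
    backup = make_backup()
    live = restore(backup)
    print("users erased after restore:",
          apply_deletion_ledger(live, DELETION_LEDGER))
    print(live.execute("SELECT id, author_id, body FROM posts").fetchall())
```

The restore step is the only place the ledger has to be wired in; the erased rows stay on the backup media until it ages out under the retention policy.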

It's not impossible, it just terribly complicates very simple things. No image backups. No incremental image backups. No incremental backups of the DB. No backup of DB dumps. You need to reorganize everything, and in this case it complicates things a lot. For small and middle-size companies dealing with a lot of customer data (like hospitality industry), this is a major headache. And we do keep our records very well.

I agree completely.

Want to hoover up all available data, well then you'd better go to great lengths keeping it safe. Find yourself holding data that you now need to do something about? Delete it, unless it's business critical.

I really don't buy into this idea that the backups thing is that hard of a problem: if you're a startup, you'd design your infrastructure from the ground up with GDPR in mind which is going to put you in front of the competition and incumbents. Is it really, really, really that hard to have something that deletes stuff from backups? How long are we planning to keep backups anyways? Surely, when a user requests their data to be deleted it can be deleted from the main production database. Then when that db is backed up it'll overwrite previous versions (this new update then replicated out to other places) and just like that you've successfully (and easily) removed all applicable user data from all current db's and backups...

> While I'd love to say I sympathise, I do not. The end goal is not to make life easy for small businesses. The end goal is protecting the consumer.

I understand your sentiment, but I think dismissing the issue of barriers to entry for small businesses is very shortsighted. Remember that excessive consolidation in the Internet industry is what led to the wholesale violation of consumers' privacy in the first place. So enforcing stricter data handling rules and protecting small businesses' ability to compete are two sides of the same coin. To truly protect consumers in the long run, regulators need to address both issues in a comprehensive way.

How would you propose we do both simultaneously, though? All else being equal, I'd very much want to have both. I try to avoid big companies in all kinds of walks of life. But if I have to choose between the two options, I'd very much choose the GDPR way.

I personally am not competent enough in this field to propose changes to GDPR that would better balance these constraints. Which is why it's so important that regulators attack the problem in a holistic way - they are the only ones with the mandate, resources and expertise to do so. If GDPR in its current form makes it harder for small businesses to compete, in my opinion that makes GDPR incomplete, and we should pressure regulators to keep improving it. To achieve that, the first step is for us as a community to agree on the scope of the problem, which is why I'm trying to convince you :-)

Most on HN do not appreciate the complexity of this -- perhaps more will after they are asked to implement it (or after they've implemented it and then found their implementation was wholly unsatisfactory after an unlucky legal investigation into the company). Dealing with backups is a significant expense, but dealing with data on a person that they themselves did not put on the platform is a much larger can of worms which makes it effectively impossible.

There is really no perfect way to do it, and it speaks to how unreasonable 'the right to be forgotten' actually is. When did people ever have a right to be forgotten? No one can force me to forget embarrassing things I've witnessed others do, and vice versa. The same goes for my local copies of photos, videos, diary entries, etc. of such events. Can't make me destroy those love letters you sent. You can't instigate a county-wide manhunt to destroy copies of every local newspaper that covered you in some way you want to forget. You cannot delete most of your public records in real estate, justice, business, etc. You cannot start fresh on your credit history whenever you want.

Sure, there is more easily accessible data on the average person with the Internet now, but the majority of the types of data already existed in the pre-Internet-era, perhaps with the exception of ad profiles. Consider all of the political scandals (particularly ones that happened long before they were unearthed) in the pre-Internet era.

So, what about when companies have data breaches and expose your data? I think they should absolutely be held liable. But it should be their choice to choose to be liable and determine how much they would need to forget to avoid liability. Furthermore, all of the active users are still compromised with GDPR -- only the people who opted to be forgotten benefit. So instead, there needs to be a framework for addressing data breaches and poor security, rather than deleting every trace of a specific type of data profile that a user and/or associated users posted on your platform.

The Right To Be Forgotten is a reaction to how easy it is to search for information. If I happen to be in a newspaper 5 years ago, you'd had to spend a serious amount of time to find it. With the internet you can just search and get it in a few seconds.

> only the people who opted to be forgotten benefit

That is not true. One of the main points of GDPR is that you only store data as long as it is reasonable for your business. If I haven't been a customer at a store for 5 years, I can fully expect that my data has been deleted. How long reasonable is will be determined in the court, but I expect it is going to be in the customer's favor.

It's an overreaction -- people want to have their cake and eat it, too. The thing is, you can't participate in this connected, global world with all its benefits (including an immense amount of available information about everything, including people who have participated in it) and then undo your participation in this information sharing economy. It's an attempt at time travel / rewriting the past, and it's expensive and ultimately impossible to do perfectly. Furthermore, it is unfair to the other participants in this information economy who expect reliable, consistent information.

Exceptions for slander and copyrighted information (e.g. photos) that were posted by other users? (or even regular content posted by the user that they 100% own) Absolutely -- but even in these cases, requiring that the third-party platform owners track down all potentially offensive content (much of which may be posted by other users) and then purge every layer of their backups after removing the offending content is overkill and shifts the responsibility away from the offender (whoever posted the content, even if it was the user himself) to the platform owner.

Ultimately, the ability to un-publish content you own that you published should be sufficient regulation-wise, and most popular platforms already enable that as a basic feature.

Is it? Before all this tech only specific targeted effort would store information about me. Now everyone is tracked by multiple entities all the time.

It's not about undoing participation in information sharing. GDPR does not require Wikipedia to delete everything I've contributed, but the fact that I have contributed is subject to be deleted if I request so. Furthermore, there must be explicit opt-in, and that is a good thing.

It's a trivial problem to purge from the backup, really. It's not a hard problem to solve. Many companies have done so before, and now we might even see standard tools to do so.

> When did people ever have a right to be forgotten?

Rehabilitation of offenders act came into force in UK in 1974, so over 40 years.


> As a founder, the cruel business logic very much favors removing support/refusing to onboard European users.

Do it, that's fine. I'd prefer to know if you can't be trusted with my data.

People whined about HTTPS, it was often an afterthought. Now you wouldn't dream of submitting stuff via HTTP. GDPR will be the same, just on a business level instead of a technical one.

> What if a user enters in PII in a field that you thought should have no PII in it?

> What happens if you delete the user and restore from a 5 day old backup?

> What if they enter PII in table entries owned by other users through that other user's account?

A lot of these are red herrings, put in there to muddy the debate. Mistakes happen, the GDPR "punishments" acknowledge that. On the other hand, many companies already treat free-form user entered text as sensitive information. Everybody who's been neglecting privacy will have a bad time adopting this. Technical debt or over-complicated systems will also make it harder, but that is also to be expected.

> How do you ensure your third party API partners are in compliance?

If I had to guess, for many companies outside the EU, this is going to be the biggest issue.

I work at a small company that nonetheless delivers an EDRMS system to a large part of the public sector. GDPR is intentionally vague, and most of it seems to be that you have to show reasonable effort. The backup problem requires some additional logic and procedure, but that is the least of the problems.

One of my main issues with GDPR is the increased Red Tape. If I need customer data for whatever reason, extract data and deliver to Risarkivet (required by law every now and then), I must get a Data Processor Agreement. Fair enough, except if I need to do a different thing the customer asks me for, I need a new DPA. Only thing that'll happen is that we have a standard made by Datatilsynet, put in customer details and job detail, and that is it. A mail provides exactly the same, it could even reference the standard DPA. That just isn't accepted by the law. I guess middle managers need something to do as well.

> As a founder, the cruel business logic very much favors removing support/refusing to onboard European users.

After consultation with GDPR experts, this, unfortunately, is the conclusion we came to at my company as well - and is the same one that many other smaller companies will arrive at as they try to comply with this unwieldy and burdensome regulation. It might take a few years, but the incredibly unhealthy end result of this law will be two Internets: one that people in the EU have access to, which will mostly be operated by large companies that can afford to implement GDPR, and another including all sites that the rest of the world can access. My guess is that this will also have a significant negative impact on EU startup funding, as the risk of being wiped out by fines for even minor violations of this very complicated law that is subject to unique legal interpretations in each of 28 different countries is quite high. Few investors are going to take on that kind of risk.

In short, this law is already on track to create a fractured Internet that deprives EU citizens of access to the vast majority of Internet services, and consolidates the private data that their regulators are so worried about in the hands of a few giants.

"The vast majority of internet services" I haven't seen a single service preparing to explicitly tell EU users to go somewhere else, except random comments on HN claiming so. Also the EU economy is about the size of the US so can't easily be ignored fortunately.

Also, why does a company or anyone else "own" personally identifiable information in the first place? The logic is completely inverted and we seem to have all been OK with it in the first place. Why does a company like Facebook "own" what is mine from the beginning — is it just because it is in a row in their database? Is it because I once clicked OK on a TOS? Now I can revoke this consent and Facebook and others have to comply. Previously they could just tell me to FO. Sounds like a great win for users!

Again, large companies will have no problem implementing it. They have multi-million dollar budgets for lawyers etc. At first, most smaller companies won't turn away EU traffic, nor will they comply with GDPR. But as more companies become aware of the regulation and the extraordinary financial liability that comes with EU traffic, most outside the EU will simply turn away that traffic. It might take a few years or even a decade - but it will happen. It won't take too many horror stories about how small companies were destroyed by huge fines out of Germany, for example, to turn the blocking of EU traffic into standard operating procedure.

The issue isn't really even about any desire on the part of companies to abuse personal data. It comes down to the many ways that even companies with the best of intentions can violate this regulation.

You seem to be forgetting that small companies have small databases. Getting removed from a manually handled filing cabinet is easy. As is from a manually managed database, even when it is backed up regularly.

It is also trivial to enforce a routine manual scrub of small amounts of private data.

The only people who might have trouble are "small" data resellers having millions of accounts of personal data. It is good they will have to comply.

Deletion is one tiny part of this terrible law. I suspect that most of the trouble will come from undisclosed third party trackers that the site may not even know are there. For example, imagine a company uses an image from an image hosting company like imgur on some of its pages, and at some point the image host decides to start sending its own cookies. That completely innocent scenario could result in millions of dollars in fines for the site under GDPR. Because of this singular issue, all forums that have ever allowed users to post images from third party sites (which most do) will likely run afoul of the GDPR, simply because they will be causing tracking cookies to load that they don’t even know about - and this is just one of hundreds of examples of issues that will put massive swaths of sites in violation and make them subject to fines by revenue-hungry EU member states.

If you did not know the breach has occurred, you're legally in the clear. Once you do know, you have some obligations. For bigger companies, you have to appoint a data protection officer who is supposed to know. (This includes big as in amounts of data too.)

If you're using a third party service, you will have to use it with prejudice. No more randomly including J. Random noncompliant Ad Agency as a middle man illegitimate handler and washing hands of it.

Also URLs are perfectly fine as you're not processing the data. The thing that changes is that you have to specify which third party service you use and that it is externally managed. Probably link to their privacy policy and they also have to be compliant with GDPR. This will make it possible to actually get rid of the images and protect your privacy.

I used to work for an automotive company. The EU pollution standards were always the strictest. So we made multiple versions of our vehicles, with the cleanest ones for the European market. Even though it only saved us a few cents per vehicle, we used worse parts for non EU markets.

Guess where the air is purest?

>Guess where the air is purest?

Not the EU, that's for sure.


Actually European cities have really shitty air because of all the diesels. They can't be outlawed soon enough.

Maybe that's a chance for European internet startups? Entry barriers for foreign startups give European companies a headstart, while successful, more mature foreign companies will comply with EU standards to get access to the market. Sure, Europe loses access to products of early stage startups, but maybe that's a good trade-off? (Disclaimer: I have no hard opinion on this matter, just a thought).

I think that any startup that allows EU traffic to access its services is going to be a tough sell to investors in a GDPR world. Who wants to put, say $1 million, into a startup that could easily be fined that amount or more for inadvertent violations? There's a whole other world of markets out there and only one that imposes this risk on companies. GDPR just introduces too much risk, even for those companies with the best of intentions.

Backups to restore services are okay since their purpose is to restore services.

Archives should be pruned.

* Take Backup 1 which contains users A,B and C.

* User A requests to be deleted and is from prod.

* Deploy bad code between backup 1 and 2 - oh noes prod is corrupted!

* Restore backup 1, which restores user A

So - how doesn't this work for GDPR?

Your procedure should include what to do with the deleted users when you backup. You'd have to keep logs of it anyway. Trivial problem to solve.

If US companies take that route, that would give fledgling EU startups that have no choice but to comply with GDPR from day one a nice little moat around a market of half a billion people. (And cause the survivors to come stronger out of it, unlike most protectionist-type measures.)

Now let's try to figure out that tricky backup problem!

> Well what about backups? Do you retroactively go through your backups and remove R2BF users?

Good one, hadn't even thought of this. I planned on my VPN provider handling off-site backups for me, but this would mean I'm unable to delete a user from backups.

Does anybody have a solid solution for this?

Keep backups for less than the timeframe you have for "right to erasure" (less than 30 days is probably safe), make them non-accessible by default/to normal staff, only use them to restore in an emergency, job done.

It's not fucking hard, although a lot of people seem to be struggling with the concept of not hoarding data, or privacy in general.

Thanks, this is pretty good advice.
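The restore scenario and the two answers given in this sub-thread (log deletions and re-apply them after a restore; keep backups only for a bounded window), as an added example that is not part of any comment above. The erasure ledger, the 30-day `RETENTION` value, the table layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)        # assumed backup retention window
LEDGER_KEY = b"constructed-demo-key"  # placeholder; a real key lives outside the backups

def pseudonym(user_id: str) -> str:
    """Keyed hash, so the ledger does not itself keep the raw identifier."""
    return hmac.new(LEDGER_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def record_erasure(ledger: dict, user_id: str, when: datetime) -> None:
    ledger[pseudonym(user_id)] = when

def restore_and_replay(backup_rows, backup_taken: datetime, ledger: dict):
    """Load a backup into a fresh DB, then re-apply erasures made after it was taken."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", backup_rows)
    for (uid,) in db.execute("SELECT id FROM users").fetchall():
        erased_at = ledger.get(pseudonym(uid))
        if erased_at is not None and erased_at >= backup_taken:
            db.execute("DELETE FROM users WHERE id = ?", (uid,))
    db.commit()
    return db

def prune_ledger(ledger: dict, now: datetime) -> None:
    """An entry is needed only while a backup older than the erasure can still exist."""
    for key in [k for k, t in ledger.items() if now - t > RETENTION]:
        del ledger[key]

def demo():
    """Constructed data: backup 1 holds A, B, C; A is erased two days later."""
    t0 = datetime(2018, 5, 1)
    backup1 = [("A", "a@example.com"), ("B", "b@example.com"), ("C", "c@example.com")]
    ledger = {}
    record_erasure(ledger, "A", t0 + timedelta(days=2))
    db = restore_and_replay(backup1, t0, ledger)   # prod corrupted, restore backup 1
    restored = [r[0] for r in db.execute("SELECT id FROM users ORDER BY id")]
    prune_ledger(ledger, t0 + timedelta(days=12))  # backup 1 may still exist
    mid = len(ledger)
    prune_ledger(ledger, t0 + timedelta(days=33))  # every backup containing A has expired
    return restored, mid, len(ledger)

if __name__ == "__main__":
    print(demo())
```

The ledger has to be stored and backed up separately from the data it protects, otherwise restoring backup 1 would also roll the ledger back to a state without A's erasure.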

By looking through the comments it seems many seem to think that the smallest GDPR violation will immediately see a 20M fine. Isn't it the last method if previous methods are ignored, like giving a warning, smaller fines etc.?

So you don't have to do every single thing perfectly, just that you have the basics done properly and you're willing to fix things as they are shown to be broken. Well, unless your broken system leaks millions of users' data into the wild I'd guess you're pretty safe.

I believe GDPR is like a pre-announcement of GFoC but for Europeans.

How will GDPR interact with the goals of intelligence agencies and their contractors? Is there going to be a wave of problems for intelligence contractors and their possession of data or are European countries going to let it slide?

Isn't what most intelligence agencies do illegal in other countries already?

Probably. Although there is the Five Eyes style arrangement where you don't spy on your own citizens and instead spy on citizens of other countries and then share the data between each other so it all becomes legit. This is described here: https://en.wikipedia.org/wiki/Five_Eyes#Domestic_espionage_s...

I think those agreements come from the fact that the agencies cannot 'spy' inside their home country, but can get information from other agencies that happen to have info about their country.

I still think it is illegal for those other agencies to spy within the home country. Not to mention countries they don't have agreements with.

The home agency does not do anything illegal itself, but the other agency does illegal stuff for them.

Follow up question if anyone feels like speculating, can GDPR compliance be used as a stick when intelligence agencies and law enforcement are looking to collect information on individuals? "Now that all your user information is definitely queryable give us everything you have"?

I generally feel positive about the law but I'm curious how this feels from a position of paranoia. (Very tangential followup this is just the first time I've seen intelligence agencies and GDPR mentioned at the same time).

Intelligence agencies and law enforcement don't need that stick, because they have others.

This is a mixed blessing.

Laws like RIPA (in the UK) sound draconian and scary, but they do mean that almost all law enforcement activity comes under a legal framework and that there are checks and balances on use of investigatory powers.

The UK has more CCTV than any other country in the world, but now CCTV is regulated by the information commissioner. We even have a surveillance commissioner to look at what the security services are doing.

The GDPR has special exemptions for legal compliance such as data retention and lawful intercept.

>Unlike the giants, the ad tech firms have no direct relationship with consumers. They say Google’s and Facebook’s response pressures publishers to seek consent on behalf of dozens of ad tech firms that people have never heard of.

This is exactly what I said back in November.


Target the site, not the users. Simple as that, arguably you'd have much better accuracy targeting an interest rather than trying to profile each IP anyway.

Due to the GDPR Facebook added all kinds of new controls. I looked through them today.

Stuff Facebook has tracked, despite not using their app on my phone (preloaded but completely disabled) and using their website only with uBlock Origin:

a) everywhere you ever used Facebook to login to a website. I thought I never did this but apparently I still had 5+ websites linked to this. They seem to use this to profile you. Facebook mentions about this _"These are active apps and websites. This means that you recently logged in to them using Facebook, and they can request information you've chosen to share with them."_ I never wanted to share anything, but Facebook often changes settings or pretends I did

b) every time you connected an app to your Facebook account. Apparently I again did that a few times (to easily upload some photos). I also saw old phones in here, Runkeeper (don't recall using that), Tinder (haven't used in years). All of those seem to forever be able to get information from you.

c) topics (yet another new name). Not sure how they figured things like that out. Fortunately you can completely disable the personal tracking, though you need to do that in various different places.

d) advertisers who added their contact list to Facebook. Really!! So some other company shared my details with Facebook. Which means they've also shared details of people not using Facebook with Facebook.

e) used websites and apps. This is surprisingly accurate and complete (hundreds of sites+apps!), despite having the Fb app disabled plus always using uBlock Origin. I really wonder if they somehow are able to retrieve the browser history. It seems Facebook also tracks you using "apps using Facebook technology", which I guess is a library to show ads or something which uses the app permissions to further track the user.

f) it uses your profile (relationship status, employer, job title, education) to target ads

g) somehow puts you into categories. E.g. "uses a mobile device (xx to xx months)". I disabled this crap yesterday, it updated it today with more information. I assume through Whatsapp/Instagram or maybe some kind of Facebook ad library? Again, I don't want it to track me, yet they seem to be easily able to do this. I turned off all the settings but apparently still missed a few.

i) ads topics. Not sure how topics differs from the 3 other ways they call this.

j) your location. It doesn't show what it does with this. You cannot disable the location tracking; it suggests to turn it off in the phone settings (which is a cop-out). I'll need to download my data to further determine this. I'm pretty sure Facebook is big enough to figure out additional ways of location tracking than just what Android/iPhone allows.

k) websites visited. I assume any link clicked. This is somehow different than all the other ways it already showed websites.

l) the existing "Who can contact you using email address / phone number". It says "Who", but it is used for the API as well, that's not a user so I find the usage of "Who" misleading.

Despite doing all of this, still not sure how to prevent something like Cambridge Analytica from downloading my data through others ("friend"). Further as I already mentioned it seems to continue tracking me despite turning everything off. Not cool.

why do you keep posting paywalled content?

Why do people keep posting WSJ paywalled content here?

You can read it via archive.is.

They often have quality content.

This sure doesn't seem like it.

Fine by me. Do we really need more “small ad firms”?
